housekeeping(server): fixed clippy warns

server/Cargo.lock

@@ -680,10 +680,10 @@ name = "arbiter-client"
 version = "0.1.0"
 dependencies = [
  "alloy",
+ "arbiter-crypto",
  "arbiter-proto",
  "async-trait",
  "http",
- "ml-dsa",
  "rand 0.10.0",
  "rustls-webpki",
  "thiserror 2.0.18",
@@ -692,6 +692,16 @@ dependencies = [
  "tonic",
 ]
 
+[[package]]
+name = "arbiter-crypto"
+version = "0.1.0"
+dependencies = [
+ "base64",
+ "memsafe",
+ "ml-dsa",
+ "rand 0.10.0",
+]
+
 [[package]]
 name = "arbiter-proto"
 version = "0.1.0"
@@ -725,6 +735,7 @@ version = "0.1.0"
 dependencies = [
  "alloy",
  "anyhow",
+ "arbiter-crypto",
  "arbiter-proto",
  "arbiter-tokens-registry",
  "argon2",
@@ -742,7 +753,6 @@ dependencies = [
  "insta",
  "k256",
  "kameo",
- "memsafe",
  "ml-dsa",
  "mutants",
  "pem",

server/Cargo.toml

@@ -46,3 +46,4 @@ prost = "0.14.3"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
 mutants = "0.0.4"
 ml-dsa = { version = "0.1.0-rc.8", features = ["zeroize"] }
+base64 = "0.22.1"

server/crates/arbiter-client/Cargo.toml

@@ -13,12 +13,12 @@ evm = ["dep:alloy"]
 
 [dependencies]
 arbiter-proto.path = "../arbiter-proto"
+arbiter-crypto.path = "../arbiter-crypto"
 alloy = { workspace = true, optional = true }
 tonic.workspace = true
 tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 tokio-stream.workspace = true
-ml-dsa.workspace = true
 thiserror.workspace = true
 http = "1.4.0"
 rustls-webpki = { version = "0.103.10", features = ["aws-lc-rs"] }

server/crates/arbiter-client/src/auth.rs

@@ -1,5 +1,6 @@
+use arbiter_crypto::authn::{CLIENT_CONTEXT, SigningKey, format_challenge};
 use arbiter_proto::{
-    CLIENT_CONTEXT, ClientMetadata, format_challenge,
+    ClientMetadata,
     proto::{
         client::{
             ClientRequest,
@@ -14,7 +15,6 @@ use arbiter_proto::{
         shared::ClientInfo as ProtoClientInfo,
     },
 };
-use ml_dsa::{MlDsa87, SigningKey, signature::Keypair as _};
 
 use crate::{
     storage::StorageError,
@@ -54,14 +54,14 @@ fn map_auth_result(code: i32) -> AuthError {
 async fn send_auth_challenge_request(
     transport: &mut ClientTransport,
     metadata: ClientMetadata,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
 ) -> std::result::Result<(), AuthError> {
     transport
         .send(ClientRequest {
             request_id: next_request_id(),
             payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
                 payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest {
-                    pubkey: key.verifying_key().encode().to_vec(),
+                    pubkey: key.public_key().to_bytes(),
                     client_info: Some(ProtoClientInfo {
                         name: metadata.name,
                         description: metadata.description,
@@ -95,16 +95,14 @@ async fn receive_auth_challenge(
 
 async fn send_auth_challenge_solution(
     transport: &mut ClientTransport,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
     challenge: AuthChallenge,
 ) -> std::result::Result<(), AuthError> {
     let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
     let signature = key
-        .signing_key()
+        .sign_message(&challenge_payload, CLIENT_CONTEXT)
-        .sign_deterministic(&challenge_payload, CLIENT_CONTEXT)
         .map_err(|_| AuthError::UnexpectedAuthResponse)?
-        .encode()
+        .to_bytes();
-        .to_vec();
 
     transport
         .send(ClientRequest {
@@ -145,7 +143,7 @@ async fn receive_auth_confirmation(
 pub(crate) async fn authenticate(
     transport: &mut ClientTransport,
     metadata: ClientMetadata,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
 ) -> std::result::Result<(), AuthError> {
     send_auth_challenge_request(transport, metadata, key).await?;
     let challenge = receive_auth_challenge(transport).await?;

server/crates/arbiter-client/src/client.rs

@@ -1,7 +1,7 @@
+use arbiter_crypto::authn::SigningKey;
 use arbiter_proto::{
     ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
 };
-use ml_dsa::{MlDsa87, SigningKey};
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
@@ -61,7 +61,7 @@ impl ArbiterClient {
     pub async fn connect_with_key(
         url: ArbiterUrl,
         metadata: ClientMetadata,
-        key: SigningKey<MlDsa87>,
+        key: SigningKey,
     ) -> Result<Self, Error> {
         let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
         let tls = ClientTlsConfig::new().trust_anchor(anchor);

server/crates/arbiter-client/src/storage.rs

@@ -1,5 +1,5 @@
+use arbiter_crypto::authn::SigningKey;
 use arbiter_proto::home_path;
-use ml_dsa::{KeyGen, MlDsa87, Seed, SigningKey};
 use std::path::{Path, PathBuf};
 
 #[derive(Debug, thiserror::Error)]
@@ -12,7 +12,7 @@ pub enum StorageError {
 }
 
 pub trait SigningKeyStorage {
-    fn load_or_create(&self) -> std::result::Result<SigningKey<MlDsa87>, StorageError>;
+    fn load_or_create(&self) -> std::result::Result<SigningKey, StorageError>;
 }
 
 #[derive(Debug, Clone)]
@@ -31,20 +31,21 @@ impl FileSigningKeyStorage {
         Ok(Self::new(home_path()?.join(Self::DEFAULT_FILE_NAME)))
     }
 
-    fn read_key(path: &Path) -> std::result::Result<SigningKey<MlDsa87>, StorageError> {
+    fn read_key(path: &Path) -> std::result::Result<SigningKey, StorageError> {
         let bytes = std::fs::read(path)?;
-        let raw: [u8; 32] = bytes
+        let raw: [u8; 32] =
-            .try_into()
+            bytes
-            .map_err(|v: Vec<u8>| StorageError::InvalidKeyLength {
+                .try_into()
-                expected: 32,
+                .map_err(|v: Vec<u8>| StorageError::InvalidKeyLength {
-                actual: v.len(),
+                    expected: 32,
-            })?;
+                    actual: v.len(),
-        Ok(MlDsa87::from_seed(&Seed::from(raw)))
+                })?;
+        Ok(SigningKey::from_seed(raw))
     }
 }
 
 impl SigningKeyStorage for FileSigningKeyStorage {
-    fn load_or_create(&self) -> std::result::Result<SigningKey<MlDsa87>, StorageError> {
+    fn load_or_create(&self) -> std::result::Result<SigningKey, StorageError> {
         if let Some(parent) = self.path.parent() {
             std::fs::create_dir_all(parent)?;
         }
@@ -53,7 +54,7 @@ impl SigningKeyStorage for FileSigningKeyStorage {
             return Self::read_key(&self.path);
         }
 
-        let key = MlDsa87::key_gen(&mut rand::rng());
+        let key = SigningKey::generate();
         let raw_key = key.to_seed();
 
         // Use create_new to prevent accidental overwrite if another process creates the key first.

server/crates/arbiter-crypto/.gitignore

@@ -0,0 +1 @@
+/target

server/crates/arbiter-crypto/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "arbiter-crypto"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+ml-dsa = {workspace = true, optional = true }
+rand = {workspace = true, optional = true}
+base64 = {workspace = true, optional = true }
+memsafe = {version = "0.4.0", optional = true}
+
+[lints]
+workspace = true
+
+[features]
+default = ["authn", "safecell"]
+authn = ["dep:ml-dsa", "dep:rand", "dep:base64"]
+safecell = ["dep:memsafe"]

server/crates/arbiter-crypto/src/authn/mod.rs

@@ -1,3 +1,2 @@
 pub mod v1;
-
 pub use v1::*;

server/crates/arbiter-crypto/src/authn/v1.rs

@@ -0,0 +1,186 @@
+use base64::{Engine as _, prelude::BASE64_STANDARD};
+use ml_dsa::{
+    EncodedVerifyingKey, Error, KeyGen, MlDsa87, Seed, Signature as MlDsaSignature,
+    SigningKey as MlDsaSigningKey, VerifyingKey as MlDsaVerifyingKey, signature::Keypair as _,
+};
+
+pub static CLIENT_CONTEXT: &[u8] = b"arbiter_client";
+pub static USERAGENT_CONTEXT: &[u8] = b"arbiter_user_agent";
+
+pub fn format_challenge(nonce: i32, pubkey: &[u8]) -> Vec<u8> {
+    let concat_form = format!("{}:{}", nonce, BASE64_STANDARD.encode(pubkey));
+    concat_form.into_bytes()
+}
+
+pub type KeyParams = MlDsa87;
+
+#[derive(Clone, Debug, PartialEq)]
+pub struct PublicKey(Box<MlDsaVerifyingKey<KeyParams>>);
+
+#[derive(Clone, Debug, PartialEq)]
+pub struct Signature(Box<MlDsaSignature<KeyParams>>);
+
+#[derive(Debug)]
+pub struct SigningKey(Box<MlDsaSigningKey<KeyParams>>);
+
+impl PublicKey {
+    pub fn to_bytes(&self) -> Vec<u8> {
+        self.0.encode().to_vec()
+    }
+
+    pub fn verify(&self, nonce: i32, context: &[u8], signature: &Signature) -> bool {
+        self.0.verify_with_context(
+            &format_challenge(nonce, &self.to_bytes()),
+            context,
+            &signature.0,
+        )
+    }
+}
+
+impl Signature {
+    pub fn to_bytes(&self) -> Vec<u8> {
+        self.0.encode().to_vec()
+    }
+}
+
+impl SigningKey {
+    pub fn generate() -> Self {
+        Self(Box::new(KeyParams::key_gen(&mut rand::rng())))
+    }
+
+    pub fn from_seed(seed: [u8; 32]) -> Self {
+        Self(Box::new(KeyParams::from_seed(&Seed::from(seed))))
+    }
+
+    pub fn to_seed(&self) -> [u8; 32] {
+        self.0.to_seed().into()
+    }
+
+    pub fn public_key(&self) -> PublicKey {
+        self.0.verifying_key().into()
+    }
+
+    pub fn sign_message(&self, message: &[u8], context: &[u8]) -> Result<Signature, Error> {
+        self.0
+            .signing_key()
+            .sign_deterministic(message, context)
+            .map(Into::into)
+    }
+
+    pub fn sign_challenge(&self, nonce: i32, context: &[u8]) -> Result<Signature, Error> {
+        self.sign_message(
+            &format_challenge(nonce, &self.public_key().to_bytes()),
+            context,
+        )
+    }
+}
+
+impl From<MlDsaVerifyingKey<KeyParams>> for PublicKey {
+    fn from(value: MlDsaVerifyingKey<KeyParams>) -> Self {
+        Self(Box::new(value))
+    }
+}
+
+impl From<MlDsaSignature<KeyParams>> for Signature {
+    fn from(value: MlDsaSignature<KeyParams>) -> Self {
+        Self(Box::new(value))
+    }
+}
+
+impl From<MlDsaSigningKey<KeyParams>> for SigningKey {
+    fn from(value: MlDsaSigningKey<KeyParams>) -> Self {
+        Self(Box::new(value))
+    }
+}
+
+impl TryFrom<Vec<u8>> for PublicKey {
+    type Error = ();
+
+    fn try_from(value: Vec<u8>) -> Result<Self, Self::Error> {
+        Self::try_from(value.as_slice())
+    }
+}
+
+impl TryFrom<&'_ [u8]> for PublicKey {
+    type Error = ();
+
+    fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
+        let encoded = EncodedVerifyingKey::<KeyParams>::try_from(value).map_err(|_| ())?;
+        Ok(Self(Box::new(MlDsaVerifyingKey::decode(&encoded))))
+    }
+}
+
+impl TryFrom<Vec<u8>> for Signature {
+    type Error = ();
+
+    fn try_from(value: Vec<u8>) -> Result<Self, Self::Error> {
+        Self::try_from(value.as_slice())
+    }
+}
+
+impl TryFrom<&'_ [u8]> for Signature {
+    type Error = ();
+
+    fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
+        MlDsaSignature::try_from(value)
+            .map(|sig| Self(Box::new(sig)))
+            .map_err(|_| ())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use ml_dsa::{KeyGen, MlDsa87, signature::Keypair as _};
+
+    use super::{CLIENT_CONTEXT, PublicKey, Signature, SigningKey, USERAGENT_CONTEXT};
+
+    #[test]
+    fn public_key_round_trip_decodes() {
+        let key = MlDsa87::key_gen(&mut rand::rng());
+        let encoded = PublicKey::from(key.verifying_key()).to_bytes();
+
+        let decoded = PublicKey::try_from(encoded.as_slice()).expect("public key should decode");
+
+        assert_eq!(decoded, PublicKey::from(key.verifying_key()));
+    }
+
+    #[test]
+    fn signature_round_trip_decodes() {
+        let key = SigningKey::generate();
+        let signature = key
+            .sign_message(b"challenge", CLIENT_CONTEXT)
+            .expect("signature should be created");
+
+        let decoded =
+            Signature::try_from(signature.to_bytes().as_slice()).expect("signature should decode");
+
+        assert_eq!(decoded, signature);
+    }
+
+    #[test]
+    fn challenge_verification_uses_context_and_canonical_key_bytes() {
+        let key = SigningKey::generate();
+        let public_key = key.public_key();
+        let nonce = 17;
+        let signature = key
+            .sign_challenge(nonce, CLIENT_CONTEXT)
+            .expect("signature should be created");
+
+        assert!(public_key.verify(nonce, CLIENT_CONTEXT, &signature));
+        assert!(!public_key.verify(nonce, USERAGENT_CONTEXT, &signature));
+    }
+
+    #[test]
+    fn signing_key_round_trip_seed_preserves_public_key_and_signing() {
+        let original = SigningKey::generate();
+        let restored = SigningKey::from_seed(original.to_seed());
+
+        assert_eq!(restored.public_key(), original.public_key());
+
+        let signature = restored
+            .sign_challenge(9, CLIENT_CONTEXT)
+            .expect("signature should be created");
+
+        assert!(restored.public_key().verify(9, CLIENT_CONTEXT, &signature));
+    }
+}

server/crates/arbiter-crypto/src/lib.rs

@@ -0,0 +1,5 @@
+#[cfg(feature = "authn")]
+pub mod authn;
+
+#[cfg(feature = "safecell")]
+pub mod safecell;

server/crates/arbiter-crypto/src/safecell.rs

@@ -105,6 +105,11 @@ impl<T> SafeCellHandle<T> for MemSafeCell<T> {
 
 fn abort_memory_breach(action: &str, err: &memsafe::error::MemoryError) -> ! {
     eprintln!("fatal {action}: {err}");
+    // SAFETY: Intentionally cause a segmentation fault to prevent further execution in a compromised state.
+    unsafe {
+        let unsafe_pointer = std::ptr::null_mut::<u8>();
+        std::ptr::write_volatile(unsafe_pointer, 0);
+    }
     std::process::abort();
 }
 

server/crates/arbiter-proto/Cargo.toml

@@ -17,7 +17,7 @@ url = "2.5.8"
 miette.workspace = true
 thiserror.workspace = true
 rustls-pki-types.workspace = true
-base64 = "0.22.1"
+base64.workspace = true
 prost-types.workspace = true
 tracing.workspace = true
 async-trait.workspace = true

server/crates/arbiter-proto/src/lib.rs

@@ -1,8 +1,6 @@
 pub mod transport;
 pub mod url;
 
-use base64::{Engine, prelude::BASE64_STANDARD};
-
 pub mod proto {
     tonic::include_proto!("arbiter");
 
@@ -63,9 +61,6 @@ pub mod proto {
     }
 }
 
-pub static CLIENT_CONTEXT: &[u8] = b"arbiter_client";
-pub static USERAGENT_CONTEXT: &[u8] = b"arbiter_user_agent";
-
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct ClientMetadata {
     pub name: String,
@@ -87,8 +82,3 @@ pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
 
     Ok(arbiter_home)
 }
-
-pub fn format_challenge(nonce: i32, pubkey: &[u8]) -> Vec<u8> {
-    let concat_form = format!("{}:{}", nonce, BASE64_STANDARD.encode(pubkey));
-    concat_form.into_bytes()
-}

server/crates/arbiter-server/Cargo.toml

@@ -17,6 +17,7 @@ diesel-async = { version = "0.8.0", features = [
     "tokio",
 ] }
 arbiter-proto.path = "../arbiter-proto"
+arbiter-crypto.path = "../arbiter-crypto"
 tracing.workspace = true
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 tonic.workspace = true
@@ -35,7 +36,6 @@ dashmap = "6.1.0"
 rand.workspace = true
 rcgen.workspace = true
 chrono.workspace = true
-memsafe = "0.4.0"
 zeroize = { version = "1.8.2", features = ["std", "simd"] }
 kameo.workspace = true
 chacha20poly1305 = { version = "0.10.1", features = ["std"] }

server/crates/arbiter-server/src/actors/client/auth.rs

@@ -1,5 +1,6 @@
+use arbiter_crypto::authn::{self, CLIENT_CONTEXT};
 use arbiter_proto::{
-    CLIENT_CONTEXT, ClientMetadata,
+    ClientMetadata,
     transport::{Bi, expect_message},
 };
 use chrono::Utc;
@@ -17,7 +18,6 @@ use crate::{
         flow_coordinator::{self, RequestClientApproval},
         keyholder::KeyHolder,
     },
-    crypto::authn,
     crypto::integrity::{self, AttestationStatus},
     db::{
         self,
@@ -26,8 +26,6 @@ use crate::{
     },
 };
 
-
-
 #[derive(thiserror::Error, Debug, Clone, PartialEq, Eq)]
 pub enum Error {
     #[error("Database pool unavailable")]
@@ -355,7 +353,10 @@ where
     T: Bi<Inbound, Result<Outbound, Error>> + ?Sized,
 {
     transport
-        .send(Ok(Outbound::AuthChallenge { pubkey: pubkey.clone(), nonce }))
+        .send(Ok(Outbound::AuthChallenge {
+            pubkey: pubkey.clone(),
+            nonce,
+        }))
         .await
         .map_err(|e| {
             error!(error = ?e, "Failed to send auth challenge");

server/crates/arbiter-server/src/actors/client/mod.rs

@@ -1,10 +1,10 @@
+use arbiter_crypto::authn;
 use arbiter_proto::{ClientMetadata, transport::Bi};
 use kameo::actor::Spawn;
 use tracing::{error, info};
 
 use crate::{
     actors::{GlobalActors, client::session::ClientSession},
-    crypto::authn,
     crypto::integrity::{Integrable, hashing::Hashable},
     db,
 };
@@ -50,10 +50,7 @@ where
     T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send + ?Sized,
 {
     let fut = auth::authenticate(&mut props, transport);
-    println!(
+    println!("authenticate future size: {}", std::mem::size_of_val(&fut));
-        "authenticate future size: {}",
-        std::mem::size_of_val(&fut)
-    );
     match fut.await {
         Ok(client_id) => {
             ClientSession::spawn(ClientSession::new(props, client_id));

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -7,11 +7,11 @@ use kameo::{Actor, actor::ActorRef, messages};
 use rand::{SeedableRng, rng, rngs::StdRng};
 
 use crate::{
-    actors::keyholder::{CreateNew, Decrypt, GetState, KeyHolder, KeyHolderState},
+    actors::keyholder::{CreateNew, Decrypt, KeyHolder},
     crypto::integrity,
     db::{
         DatabaseError, DatabasePool,
-        models::{self, SqliteTimestamp},
+        models::{self},
         schema,
     },
     evm::{
@@ -21,8 +21,8 @@ use crate::{
             ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
         },
     },
-    safe_cell::{SafeCell, SafeCellHandle as _},
 };
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 
 pub use crate::evm::safe_signer;
 
@@ -158,7 +158,7 @@ impl EvmActor {
     }
 
     #[message]
-    pub async fn useragent_delete_grant(&mut self, grant_id: i32) -> Result<(), Error> {
+    pub async fn useragent_delete_grant(&mut self, _grant_id: i32) -> Result<(), Error> {
         // let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
         // let keyholder = self.keyholder.clone();
 

server/crates/arbiter-server/src/actors/keyholder/mod.rs

@@ -9,22 +9,17 @@ use kameo::{Actor, Reply, messages};
 use strum::{EnumDiscriminants, IntoDiscriminant};
 use tracing::{error, info};
 
-use crate::{
+use crate::crypto::{
-    crypto::{
+    KeyCell, derive_key,
-        KeyCell, derive_key,
+    encryption::v1::{self, Nonce},
-        encryption::v1::{self, Nonce},
+    integrity::v1::HmacSha256,
-        integrity::v1::HmacSha256,
-    },
-    safe_cell::SafeCell,
 };
-use crate::{
+use crate::db::{
-    db::{
+    self,
-        self,
+    models::{self, RootKeyHistory},
-        models::{self, RootKeyHistory},
+    schema::{self},
-        schema::{self},
-    },
-    safe_cell::SafeCellHandle as _,
 };
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 
 #[derive(Default, EnumDiscriminants)]
 #[strum_discriminants(derive(Reply), vis(pub), name(KeyHolderState))]
@@ -400,10 +395,8 @@ mod tests {
 
     use diesel_async::RunQueryDsl;
 
-    use crate::{
+    use crate::db::{self};
-        db::{self},
+    use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
-        safe_cell::SafeCell,
-    };
 
     use super::*;
 

server/crates/arbiter-server/src/actors/user_agent/auth.rs

@@ -1,3 +1,4 @@
+use arbiter_crypto::authn;
 use arbiter_proto::transport::Bi;
 use tracing::error;
 
@@ -5,8 +6,6 @@ use crate::actors::user_agent::{
     UserAgentConnection,
     auth::state::{AuthContext, AuthStateMachine},
 };
-use crate::crypto::authn;
-
 mod state;
 use state::*;
 

server/crates/arbiter-server/src/actors/user_agent/auth/state.rs

@@ -1,4 +1,5 @@
-use arbiter_proto::{USERAGENT_CONTEXT, transport::Bi};
+use arbiter_crypto::authn::{self, USERAGENT_CONTEXT};
+use arbiter_proto::transport::Bi;
 use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl, update};
 use diesel_async::{AsyncConnection, RunQueryDsl};
 use kameo::actor::ActorRef;
@@ -11,7 +12,6 @@ use crate::{
         keyholder::KeyHolder,
         user_agent::{UserAgentConnection, UserAgentCredentials, auth::Outbound},
     },
-    crypto::authn,
     crypto::integrity,
     db::{DatabasePool, schema::useragent_client},
 };
@@ -183,7 +183,7 @@ async fn register_key(
                 nonce: NONCE_START,
             };
 
-            integrity::sign_entity(conn, &keyholder, &entity, id)
+            integrity::sign_entity(conn, keyholder, &entity, id)
                 .await
                 .map_err(|e| {
                     error!(error = ?e, "Failed to sign integrity tag for new user-agent key");

server/crates/arbiter-server/src/actors/user_agent/mod.rs

@@ -1,9 +1,9 @@
 use crate::{
     actors::{GlobalActors, client::ClientProfile},
-    crypto::authn,
     crypto::integrity::Integrable,
     db,
 };
+use arbiter_crypto::authn;
 
 #[derive(Debug)]
 pub struct UserAgentCredentials {

server/crates/arbiter-server/src/actors/user_agent/session.rs

@@ -1,3 +1,5 @@
+use arbiter_crypto::authn;
+
 use std::{borrow::Cow, collections::HashMap};
 
 use arbiter_proto::transport::Sender;
@@ -11,8 +13,6 @@ use crate::actors::{
     flow_coordinator::{RegisterUserAgent, client_connect_approval::ClientApprovalController},
     user_agent::{OutOfBand, UserAgentConnection},
 };
-use crate::crypto::authn;
-
 mod state;
 use state::{DummyContext, UserAgentEvents, UserAgentStateMachine};
 
@@ -119,14 +119,13 @@ impl UserAgentSession {
             return;
         }
 
-        self.pending_client_approvals
+        self.pending_client_approvals.insert(
-            .insert(
+            client.pubkey.to_bytes(),
-                client.pubkey.to_bytes(),
+            PendingClientApproval {
-                PendingClientApproval {
+                pubkey: client.pubkey,
-                    pubkey: client.pubkey,
+                controller,
-                    controller,
+            },
-                },
+        );
-            );
     }
 }
 

server/crates/arbiter-server/src/actors/user_agent/session/connection.rs

@@ -1,6 +1,10 @@
 use std::sync::Mutex;
 
 use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
+use arbiter_crypto::{
+    authn,
+    safecell::{SafeCell, SafeCellHandle as _},
+};
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper};
 use diesel_async::{AsyncConnection, RunQueryDsl};
@@ -13,26 +17,21 @@ use x25519_dalek::{EphemeralSecret, PublicKey};
 use crate::actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer;
 use crate::actors::keyholder::KeyHolderState;
 use crate::actors::user_agent::session::Error;
-use crate::crypto::authn;
+use crate::actors::{
+    evm::{
+        ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
+        UseragentCreateGrant, UseragentListGrants,
+    },
+    keyholder::{self, Bootstrap, TryUnseal},
+    user_agent::session::{
+        UserAgentSession,
+        state::{UnsealContext, UserAgentEvents, UserAgentStates},
+    },
+};
 use crate::db::models::{
     EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
 };
 use crate::evm::policies::{Grant, SpecificGrant};
-use crate::safe_cell::SafeCell;
-use crate::{
-    actors::{
-        evm::{
-            ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
-            UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
-        },
-        keyholder::{self, Bootstrap, TryUnseal},
-        user_agent::session::{
-            UserAgentSession,
-            state::{UnsealContext, UserAgentEvents, UserAgentStates},
-        },
-    },
-    safe_cell::SafeCellHandle as _,
-};
 
 impl UserAgentSession {
     fn take_unseal_secret(&mut self) -> Result<(EphemeralSecret, PublicKey), Error> {
@@ -362,19 +361,21 @@ impl UserAgentSession {
         &mut self,
         grant_id: i32,
     ) -> Result<(), GrantMutationError> {
-        match self
+        // match self
-            .props
+        //     .props
-            .actors
+        //     .actors
-            .evm
+        //     .evm
-            .ask(UseragentDeleteGrant { grant_id })
+        //     .ask(UseragentDeleteGrant { grant_id })
-            .await
+        //     .await
-        {
+        // {
-            Ok(()) => Ok(()),
+        //     Ok(()) => Ok(()),
-            Err(err) => {
+        //     Err(err) => {
-                error!(?err, "EVM grant delete failed");
+        //         error!(?err, "EVM grant delete failed");
-                Err(GrantMutationError::Internal)
+        //         Err(GrantMutationError::Internal)
-            }
+        //     }
-        }
+        // }
+       let _ = grant_id;
+        todo!()
     }
 
     #[message]
@@ -477,10 +478,7 @@ impl UserAgentSession {
         pubkey: authn::PublicKey,
         ctx: &mut Context<Self, Result<(), Error>>,
     ) -> Result<(), Error> {
-        let pending_approval = match self
+        let pending_approval = match self.pending_client_approvals.remove(&pubkey.to_bytes()) {
-            .pending_client_approvals
-            .remove(&pubkey.to_bytes())
-        {
             Some(approval) => approval,
             None => {
                 error!("Received client connection response for unknown client");

server/crates/arbiter-server/src/crypto/authn/v1/mod.rs

@@ -1,110 +0,0 @@
-use ml_dsa::{
-    EncodedVerifyingKey, MlDsa87, Signature as MlDsaSignature, VerifyingKey as MlDsaVerifyingKey,
-};
-
-pub type KeyParams = MlDsa87;
-
-#[derive(Clone, Debug, PartialEq)]
-pub struct PublicKey(Box<MlDsaVerifyingKey<KeyParams>>);
-
-#[derive(Clone, Debug, PartialEq)]
-pub struct Signature(Box<MlDsaSignature<KeyParams>>);
-
-impl PublicKey {
-    pub fn to_bytes(&self) -> Vec<u8> {
-        self.0.encode().to_vec()
-    }
-
-    pub fn verify(&self, nonce: i32, context: &[u8], signature: &Signature) -> bool {
-        self.0.verify_with_context(&format_challenge(nonce, self), context, &signature.0)
-    }
-}
-
-impl Signature {
-    pub fn to_bytes(&self) -> Vec<u8> {
-        self.0.encode().to_vec()
-    }
-}
-
-impl From<MlDsaVerifyingKey<KeyParams>> for PublicKey {
-    fn from(value: MlDsaVerifyingKey<KeyParams>) -> Self {
-        Self(Box::new(value))
-    }
-}
-
-impl From<MlDsaSignature<KeyParams>> for Signature {
-    fn from(value: MlDsaSignature<KeyParams>) -> Self {
-        Self(Box::new(value))
-    }
-}
-
-impl TryFrom<&'_ [u8]> for PublicKey {
-    type Error = ();
-
-    fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
-        let encoded = EncodedVerifyingKey::<KeyParams>::try_from(value).map_err(|_| ())?;
-        Ok(Self(Box::new(MlDsaVerifyingKey::decode(&encoded))))
-    }
-}
-
-impl TryFrom<&'_ [u8]> for Signature {
-    type Error = ();
-
-    fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
-        MlDsaSignature::try_from(value)
-            .map(|sig| Self(Box::new(sig)))
-            .map_err(|_| ())
-    }
-}
-
-pub fn format_challenge(nonce: i32, pubkey: &PublicKey) -> Vec<u8> {
-    arbiter_proto::format_challenge(nonce, &pubkey.to_bytes())
-}
-
-#[cfg(test)]
-mod tests {
-    use ml_dsa::{KeyGen, MlDsa87, signature::Keypair as _};
-
-    use super::{PublicKey, Signature};
-
-    #[test]
-    fn public_key_round_trip_decodes() {
-        let key = MlDsa87::key_gen(&mut rand::rng());
-        let encoded = PublicKey::from(key.verifying_key()).to_bytes();
-
-        let decoded = PublicKey::try_from(encoded.as_slice()).expect("public key should decode");
-
-        assert_eq!(decoded, PublicKey::from(key.verifying_key()));
-    }
-
-    #[test]
-    fn signature_round_trip_decodes() {
-        let key = MlDsa87::key_gen(&mut rand::rng());
-        let challenge = b"challenge";
-        let signature = key
-            .signing_key()
-            .sign_deterministic(challenge, arbiter_proto::CLIENT_CONTEXT)
-            .expect("signature should be created");
-
-        let decoded = Signature::try_from(signature.encode().to_vec().as_slice()).expect("signature should decode");
-
-        assert_eq!(decoded, Signature::from(signature));
-    }
-
-    #[test]
-    fn challenge_verification_uses_context_and_canonical_key_bytes() {
-        let key = MlDsa87::key_gen(&mut rand::rng());
-        let public_key = PublicKey::from(key.verifying_key());
-        let nonce = 17;
-        let challenge =
-            arbiter_proto::format_challenge(nonce, &public_key.to_bytes());
-        let signature = key
-            .signing_key()
-            .sign_deterministic(&challenge, arbiter_proto::CLIENT_CONTEXT)
-            .expect("signature should be created")
-            .into();
-
-        assert!(public_key.verify(nonce, arbiter_proto::CLIENT_CONTEXT, &signature));
-        assert!(!public_key.verify(nonce, arbiter_proto::USERAGENT_CONTEXT, &signature));
-    }
-}

server/crates/arbiter-server/src/crypto/encryption/v1.rs

@@ -59,10 +59,8 @@ mod tests {
     use std::ops::Deref as _;
 
     use super::*;
-    use crate::{
+    use crate::crypto::derive_key;
-        crypto::derive_key,
+    use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
-        safe_cell::{SafeCell, SafeCellHandle as _},
-    };
 
     #[test]
     pub fn derive_seal_key_deterministic() {

server/crates/arbiter-server/src/crypto/integrity/v1.rs

@@ -1,6 +1,5 @@
-use crate::{
+use crate::{actors::keyholder, crypto::integrity::hashing::Hashable};
-    actors::keyholder, crypto::integrity::hashing::Hashable, safe_cell::SafeCellHandle as _,
+use arbiter_crypto::safecell::SafeCellHandle as _;
-};
 use hmac::{Hmac, Mac as _};
 use sha2::Sha256;
 
@@ -127,7 +126,7 @@ pub async fn sign_entity<E: Integrable>(
     insert_into(integrity_envelope::table)
         .values(NewIntegrityEnvelope {
             entity_kind: E::KIND.to_owned(),
-            entity_id: entity_id,
+            entity_id,
             payload_version: E::VERSION,
             key_version,
             mac: mac.to_vec(),
@@ -204,19 +203,19 @@ mod tests {
     use diesel::{ExpressionMethods as _, QueryDsl};
     use diesel_async::RunQueryDsl;
     use kameo::{actor::ActorRef, prelude::Spawn};
-    use rand::seq::SliceRandom;
+    
     use sha2::Digest;
 
-    use proptest::prelude::*;
+    
 
     use crate::{
         actors::keyholder::{Bootstrap, KeyHolder},
         db::{self, schema},
-        safe_cell::{SafeCell, SafeCellHandle as _},
     };
+    use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 
     use super::{Error, Integrable, sign_entity, verify_entity};
-    use super::{hashing::Hashable, payload_hash};
+    use super::hashing::Hashable;
 
     #[derive(Clone)]
     struct DummyEntity {

server/crates/arbiter-server/src/crypto/integrity/v1/hashing.rs

@@ -62,10 +62,10 @@ impl<T: Hashable> Hashable for Option<T> {
     fn hash<H: Digest>(&self, hasher: &mut H) {
         match self {
             Some(value) => {
-                hasher.update(&[1]);
+                hasher.update([1]);
                 value.hash(hasher);
             }
-            None => hasher.update(&[0]),
+            None => hasher.update([0]),
         }
     }
 }
@@ -96,12 +96,12 @@ impl Hashable for alloy::primitives::U256 {
 
 impl Hashable for chrono::Duration {
     fn hash<H: Digest>(&self, hasher: &mut H) {
-        hasher.update(&self.num_seconds().to_be_bytes());
+        hasher.update(self.num_seconds().to_be_bytes());
     }
 }
 
 impl Hashable for chrono::DateTime<chrono::Utc> {
     fn hash<H: Digest>(&self, hasher: &mut H) {
-        hasher.update(&self.timestamp_millis().to_be_bytes());
+        hasher.update(self.timestamp_millis().to_be_bytes());
     }
 }

server/crates/arbiter-server/src/crypto/mod.rs

@@ -10,9 +10,8 @@ use rand::{
     rngs::{StdRng, SysRng},
 };
 
-use crate::safe_cell::{SafeCell, SafeCellHandle as _};
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 
-pub mod authn;
 pub mod encryption;
 pub mod integrity;
 
@@ -142,7 +141,7 @@ mod tests {
         derive_key,
         encryption::v1::{Nonce, generate_salt},
     };
-    use crate::safe_cell::{SafeCell, SafeCellHandle as _};
+    use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 
     #[test]
     pub fn encrypt_decrypt() {

server/crates/arbiter-server/src/evm/safe_signer.rs

@@ -1,12 +1,12 @@
 use std::sync::Mutex;
 
-use crate::safe_cell::{SafeCell, SafeCellHandle as _};
 use alloy::{
     consensus::SignableTransaction,
     network::{TxSigner, TxSignerSync},
     primitives::{Address, B256, ChainId, Signature},
     signers::{Error, Result, Signer, SignerSync, utils::secret_key_to_address},
 };
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use async_trait::async_trait;
 use k256::ecdsa::{self, RecoveryId, SigningKey, signature::hazmat::PrehashSigner};
 

server/crates/arbiter-server/src/grpc/client/auth.rs

@@ -1,3 +1,4 @@
+use arbiter_crypto::authn;
 use arbiter_proto::{
     ClientMetadata,
     proto::{
@@ -22,7 +23,6 @@ use tracing::warn;
 
 use crate::{
     actors::client::{self, ClientConnection, auth},
-    crypto::authn,
     grpc::request_tracker::RequestTracker,
 };
 

server/crates/arbiter-server/src/grpc/user_agent/auth.rs

@@ -1,3 +1,4 @@
+use arbiter_crypto::authn;
 use arbiter_proto::{
     proto::user_agent::{
         UserAgentRequest, UserAgentResponse,
@@ -18,7 +19,6 @@ use tracing::warn;
 
 use crate::{
     actors::user_agent::{UserAgentConnection, auth},
-    crypto::authn,
     grpc::request_tracker::RequestTracker,
 };
 

server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs

@@ -1,3 +1,4 @@
+use arbiter_crypto::authn;
 use arbiter_proto::proto::{
     shared::ClientInfo as ProtoClientMetadata,
     user_agent::{
@@ -27,7 +28,6 @@ use crate::{
             HandleRevokeEvmWalletAccess, HandleSdkClientList,
         },
     },
-    crypto::authn,
     db::models::NewEvmWalletAccess,
     grpc::Convert,
 };

server/crates/arbiter-server/src/lib.rs

@@ -7,7 +7,6 @@ pub mod crypto;
 pub mod db;
 pub mod evm;
 pub mod grpc;
-pub mod safe_cell;
 pub mod utils;
 
 pub struct Server {

server/crates/arbiter-server/tests/client/auth.rs

@@ -1,3 +1,7 @@
+use arbiter_crypto::{
+    authn::{self, CLIENT_CONTEXT, format_challenge},
+    safecell::{SafeCell, SafeCellHandle as _},
+};
 use arbiter_proto::ClientMetadata;
 use arbiter_proto::transport::{Receiver, Sender};
 use arbiter_server::{
@@ -6,10 +10,8 @@ use arbiter_server::{
         client::{ClientConnection, ClientCredentials, auth, connect_client},
         keyholder::Bootstrap,
     },
-    crypto::authn,
     crypto::integrity,
     db::{self, schema},
-    safe_cell::{SafeCell, SafeCellHandle as _},
 };
 use diesel::{ExpressionMethods as _, NullableExpressionMethods as _, QueryDsl as _, insert_into};
 use diesel_async::RunQueryDsl;
@@ -72,9 +74,9 @@ fn sign_client_challenge(
     nonce: i32,
     pubkey: &authn::PublicKey,
 ) -> authn::Signature {
-    let challenge = arbiter_proto::format_challenge(nonce, &pubkey.to_bytes());
+    let challenge = format_challenge(nonce, &pubkey.to_bytes());
     key.signing_key()
-        .sign_deterministic(&challenge, arbiter_proto::CLIENT_CONTEXT)
+        .sign_deterministic(&challenge, CLIENT_CONTEXT)
         .unwrap()
         .into()
 }

server/crates/arbiter-server/tests/common/mod.rs

@@ -1,9 +1,10 @@
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use arbiter_proto::transport::{Bi, Error, Receiver, Sender};
 use arbiter_server::{
     actors::keyholder::KeyHolder,
     db::{self, schema},
-    safe_cell::{SafeCell, SafeCellHandle as _},
 };
+
 use async_trait::async_trait;
 use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;

server/crates/arbiter-server/tests/keyholder/concurrency.rs

@@ -1,10 +1,11 @@
 use std::collections::{HashMap, HashSet};
 
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use arbiter_server::{
     actors::keyholder::{CreateNew, Error, KeyHolder},
     db::{self, models, schema},
-    safe_cell::{SafeCell, SafeCellHandle as _},
 };
+
 use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper, dsl::sql_query};
 use diesel_async::RunQueryDsl;
 use kameo::actor::{ActorRef, Spawn as _};

server/crates/arbiter-server/tests/keyholder/lifecycle.rs

@@ -1,9 +1,10 @@
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use arbiter_server::{
     actors::keyholder::{Error, KeyHolder},
     crypto::encryption::v1::{Nonce, ROOT_KEY_TAG},
     db::{self, models, schema},
-    safe_cell::{SafeCell, SafeCellHandle as _},
 };
+
 use diesel::{QueryDsl, SelectableHelper};
 use diesel_async::RunQueryDsl;
 

server/crates/arbiter-server/tests/keyholder/storage.rs

@@ -1,11 +1,12 @@
 use std::collections::HashSet;
 
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use arbiter_server::{
     actors::keyholder::Error,
     crypto::encryption::v1::Nonce,
     db::{self, models, schema},
-    safe_cell::{SafeCell, SafeCellHandle as _},
 };
+
 use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper, dsl::update};
 use diesel_async::RunQueryDsl;
 

server/crates/arbiter-server/tests/user_agent/auth.rs

@@ -1,3 +1,8 @@
+use arbiter_crypto::{
+    authn::{self, USERAGENT_CONTEXT, format_challenge},
+    safecell::{SafeCell, SafeCellHandle as _},
+};
+
 use arbiter_proto::transport::{Receiver, Sender};
 use arbiter_server::{
     actors::{
@@ -6,10 +11,8 @@ use arbiter_server::{
         keyholder::Bootstrap,
         user_agent::{UserAgentConnection, UserAgentCredentials, auth},
     },
-    crypto::authn,
     crypto::integrity,
     db::{self, schema},
-    safe_cell::{SafeCell, SafeCellHandle as _},
 };
 use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
 use diesel_async::RunQueryDsl;
@@ -22,9 +25,9 @@ fn sign_useragent_challenge(
     nonce: i32,
     pubkey_bytes: &[u8],
 ) -> authn::Signature {
-    let challenge = arbiter_proto::format_challenge(nonce, pubkey_bytes);
+    let challenge = format_challenge(nonce, pubkey_bytes);
     key.signing_key()
-        .sign_deterministic(&challenge, arbiter_proto::USERAGENT_CONTEXT)
+        .sign_deterministic(&challenge, USERAGENT_CONTEXT)
         .unwrap()
         .into()
 }

server/crates/arbiter-server/tests/user_agent/unseal.rs

@@ -1,3 +1,4 @@
+use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use arbiter_server::{
     actors::{
         GlobalActors,
@@ -8,11 +9,9 @@ use arbiter_server::{
         },
     },
     db,
-    safe_cell::{SafeCell, SafeCellHandle as _},
 };
+
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
-use diesel::{ExpressionMethods as _, QueryDsl as _, insert_into};
-use diesel_async::RunQueryDsl;
 use kameo::actor::Spawn as _;
 use x25519_dalek::{EphemeralSecret, PublicKey};