Merge pull request 'security(server): bind grant revocation state (revoked_at) to integrity hash' (#83) from security-hash-revoke_at into main

Reviewed-on: #83

mise.toml

@@ -22,5 +22,3 @@ run = '''
 dart pub global activate protoc_plugin && \
 protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ $(find protobufs -name '*.proto' | sort)
 '''
-
-[tasks.generate_schema]

server/Cargo.toml

@@ -6,7 +6,7 @@ resolver = "3"
 
 
 [workspace.dependencies]
-alloy = "2.0.0"
+alloy = "2.0.4"
 async-trait = "0.1.89"
 base64 = "0.22.1"
 chrono = { version = "0.4.44", features = ["serde"] }
@@ -16,15 +16,15 @@ kameo = {git = "https://github.com/hdbg/kameo.git", rev = "805b417"}
 kameo_actors = {git = "https://github.com/hdbg/kameo.git", rev = "805b417"}
 hmac = "0.13.0"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
-ml-dsa = { version = "0.1.0-rc.8", features = ["zeroize"] }
+ml-dsa = { version = "0.1.0-rc.9", features = ["zeroize"] }
 mutants = "0.0.4"
 prost = "0.14.3"
 prost-types = { version = "0.14.3", features = ["chrono"] }
 rand = "0.10.1"
 rcgen = { version = "0.14.7", features = [ "aws_lc_rs",  "pem", "x509-parser", "zeroize" ], default-features = false }
 rstest = "0.26.1"
-rustls = { version = "0.23.38", features = ["aws-lc-rs", "logging", "prefer-post-quantum", "std"], default-features = false }
+rustls = { version = "0.23.40", features = ["aws-lc-rs", "logging", "prefer-post-quantum", "std"], default-features = false }
-rustls-pki-types = "1.14.0"
+rustls-pki-types = "1.14.1"
 sha2 = "0.11"
 smlang = "0.8.0"
 thiserror = "2.0.18"
@@ -76,6 +76,7 @@ needless_pass_by_ref_mut = "allow"
 pub_underscore_fields = "allow"
 redundant_pub_crate = "allow" 
 uninhabited_references = "allow" # safe with unsafe_code = "forbid" and standard uninhabited pattern (match *self {})
+too-many-lines = "allow" # this is a very common pattern in server code, and it's not always possible to break it down into smaller modules without hurting readability
 
 # restriction lints
 alloc_instead_of_core = "warn"

server/crates/arbiter-client/Cargo.toml

@@ -21,7 +21,7 @@ tokio.workspace = true
 tokio-stream.workspace = true
 thiserror.workspace = true
 http = "1.4.0"
-rustls-webpki = { version = "0.103.12", features = ["aws-lc-rs"] }
+rustls-webpki = { version = "0.103.13", features = ["aws-lc-rs"] }
 async-trait.workspace = true
 chrono.workspace = true
 

server/crates/arbiter-client/src/auth.rs

@@ -100,7 +100,7 @@ async fn send_auth_challenge_solution(
     key: &SigningKey,
     challenge: AuthChallenge,
 ) -> Result<(), AuthError> {
-    let timestamp = DateTime::from_timestamp_nanos(challenge.timestamp_nanos as i64);
+    let timestamp = DateTime::from_timestamp_nanos(challenge.timestamp_nanos.cast_signed());
     let challenge = authn::AuthChallenge {
         nonce: *challenge
             .random

server/crates/arbiter-server/Cargo.toml

@@ -9,8 +9,8 @@ license = "Apache-2.0"
 workspace = true
 
 [dependencies]
-diesel = { version = "2.3.7", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
+diesel = { version = "2.3.9", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
-diesel-async = { version = "0.8.0", features = [
+diesel-async = { version = "0.9.0", features = [
     "bb8",
     "migrations",
     "sqlite",
@@ -27,7 +27,7 @@ tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
 thiserror.workspace = true
-diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
+diesel_migrations = { version = "2.3.2", features = ["sqlite"] }
 async-trait.workspace = true
 tokio-stream.workspace = true
 rand.workspace = true
@@ -50,7 +50,6 @@ subtle = "2.6.1"
 x25519-dalek.workspace = true
 k256.workspace = true
 kameo_actors.workspace = true
-blahaj = "0.6.0"
 
 [dev-dependencies]
 proptest = "1.11.0"

server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql

@@ -43,24 +43,13 @@ create table if not exists arbiter_settings (
 insert into arbiter_settings (id) values (1) on conflict do nothing;
 -- ensure singleton row exists
 
-create table if not exists operator_identity (
+create table if not exists operator_client (
     id integer not null primary key,
     public_key blob not null,
     created_at integer not null default(unixepoch ('now')),
     updated_at integer not null default(unixepoch ('now'))
 ) STRICT;
-create unique index if not exists uniq_operator_client_public_key on operator_identity (public_key);
+create unique index if not exists uniq_operator_client_public_key on operator_client (public_key);
-
-create table if not exists operator (
-    id integer primary key references operator_identity(id) on delete restrict, -- same id as operator_identity
-
-    share blob not null,
-    share_nonce blob not null,
-
-    created_at integer not null default(unixepoch ('now')),
-    updated_at integer not null default(unixepoch ('now'))
-
-) STRICT;
 
 create table if not exists client_metadata (
     id integer not null primary key,

server/crates/arbiter-server/src/actors/bootstrap.rs

@@ -48,7 +48,7 @@ impl Bootstrapper {
         let row_count: i64 = {
             let mut conn = db.get().await?;
 
-            schema::operator_identity::table
+            schema::operator_client::table
                 .count()
                 .get_result(&mut conn)
                 .await?

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -3,7 +3,7 @@ use crate::{
     crypto::integrity,
     db::{
         DatabaseError, DatabasePool,
-        models::{self, EvmWalletId},
+        models::{self},
         schema,
     },
     evm::{
@@ -116,7 +116,7 @@ impl EvmActor {
     }
 
     #[message]
-    pub async fn list_wallets(&self) -> Result<Vec<(EvmWalletId, Address)>, Error> {
+    pub async fn list_wallets(&self) -> Result<Vec<(i32, Address)>, Error> {
         let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
         let rows: Vec<models::EvmWallet> = schema::evm_wallet::table
             .select(models::EvmWallet::as_select())
@@ -160,29 +160,14 @@ impl EvmActor {
     }
 
     #[message]
-    #[expect(clippy::unused_async, reason = "reserved for impl")]
+    pub async fn useragent_delete_grant(
-    pub async fn operator_delete_grant(&mut self, _grant_id: i32) -> Result<(), Error> {
+        &mut self,
-        // let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
+        grant_id: i32,
-        // let vault = self.vault.clone();
+    ) -> Result<(), Error> {
-
+        self.engine
-        // diesel_async::AsyncConnection::transaction(&mut conn, |conn| {
+            .revoke_grant(grant_id)
-        //     Box::pin(async move {
+            .await
-        //         diesel::update(schema::evm_basic_grant::table)
+            .map_err(Error::from)
-        //             .filter(schema::evm_basic_grant::id.eq(grant_id))
-        //             .set(schema::evm_basic_grant::revoked_at.eq(SqliteTimestamp::now()))
-        //             .execute(conn)
-        //             .await?;
-
-        //         let signed = integrity::evm::load_signed_grant_by_basic_id(conn, grant_id).await?;
-
-        //         diesel::result::QueryResult::Ok(())
-        //     })
-        // })
-        // .await
-        // .map_err(DatabaseError::from)?;
-
-        // Ok(())
-        todo!()
     }
 
     #[message]

server/crates/arbiter-server/src/actors/vault/mod.rs

@@ -6,7 +6,7 @@ use crate::{
     },
     db::{
         self,
-        models::{self, RootKeyHistory, RootKeyHistoryId},
+        models::{self, RootKeyHistory},
         schema::{self},
     },
 };
@@ -25,6 +25,7 @@ use strum::{EnumDiscriminants, IntoDiscriminant};
 use tracing::{error, info};
 
 pub mod events {
+
     #[derive(Clone, Copy)]
     pub struct Bootstrapped;
 
@@ -63,7 +64,7 @@ pub enum Error {
 }
 
 struct Unsealed {
-    root_key_history_id: RootKeyHistoryId,
+    root_key_history_id: i32,
     root_key: KeyCell,
 }
 
@@ -72,9 +73,8 @@ struct Unsealed {
 enum State {
     #[default]
     Unbootstrapped,
-
     Sealed {
-        root_key_history_id: RootKeyHistoryId,
+        root_key_history_id: i32,
     },
     Unsealed(Unsealed),
 }
@@ -115,24 +115,20 @@ impl Vault {
 
     // Exclusive transaction to avoid race condtions if multiple vaults write
     // additional layer of protection against nonce-reuse
-    async fn get_new_nonce(
+    async fn get_new_nonce(pool: &db::DatabasePool, root_key_id: i32) -> Result<Nonce, Error> {
-        pool: &db::DatabasePool,
-        root_key_id: RootKeyHistoryId,
-    ) -> Result<Nonce, Error> {
         let mut conn = pool.get().await?;
 
         let nonce = conn
-            .exclusive_transaction(|conn| {
+            .exclusive_transaction(async |conn| {
-                Box::pin(async move {
                 let current_nonce: Vec<u8> = schema::root_key_history::table
                     .filter(schema::root_key_history::id.eq(root_key_id))
                     .select(schema::root_key_history::data_encryption_nonce)
-                        .first(conn)
+                    .first(&mut *conn)
                     .await?;
 
                 let mut nonce = Nonce::try_from(current_nonce.as_slice()).map_err(|()| {
                     error!(
-                            "Broken database: invalid nonce for root key history id={:#?}",
+                        "Broken database: invalid nonce for root key history id={}",
                         root_key_id
                     );
                     Error::BrokenDatabase
@@ -142,12 +138,11 @@ impl Vault {
                 update(schema::root_key_history::table)
                     .filter(schema::root_key_history::id.eq(root_key_id))
                     .set(schema::root_key_history::data_encryption_nonce.eq(nonce.to_vec()))
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
 
                 Result::<_, Error>::Ok(nonce)
             })
-            })
             .await?;
 
         Ok(nonce)
@@ -188,30 +183,27 @@ impl Vault {
 
         let data_encryption_nonce_bytes = data_encryption_nonce.to_vec();
         let root_key_history_id = conn
-            .transaction(|conn| {
+            .transaction(async |conn| {
-                Box::pin(async move {
+                let root_key_history_id: i32 = insert_into(schema::root_key_history::table)
-                    let root_key_history_id: RootKeyHistoryId =
-                        insert_into(schema::root_key_history::table)
                     .values(&models::NewRootKeyHistory {
-                                ciphertext: root_key_ciphertext,
+                        ciphertext: root_key_ciphertext.clone(),
                         tag: v1::ROOT_KEY_TAG.to_vec(),
                         root_key_encryption_nonce: root_key_nonce.to_vec(),
-                                data_encryption_nonce: data_encryption_nonce_bytes,
+                        data_encryption_nonce: data_encryption_nonce_bytes.clone(),
                         schema_version: 1,
                         salt: salt.to_vec(),
                     })
                     .returning(schema::root_key_history::id)
-                            .get_result(conn)
+                    .get_result(&mut *conn)
                     .await?;
 
                 update(schema::arbiter_settings::table)
                     .set(schema::arbiter_settings::root_key_id.eq(root_key_history_id))
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
 
                 Result::<_, diesel::result::Error>::Ok(root_key_history_id)
             })
-            })
             .await?;
 
         self.state = State::Unsealed(Unsealed {
@@ -348,22 +340,17 @@ impl Vault {
     }
 
     #[message]
-    pub fn sign_integrity(
+    pub fn sign_integrity(&mut self, mac_input: Vec<u8>) -> Result<(i32, Vec<u8>), Error> {
-        &mut self,
-        mac_input: Vec<u8>,
-    ) -> Result<(RootKeyHistoryId, Vec<u8>), Error> {
         let Unsealed {
             root_key,
             root_key_history_id,
         } = Self::expect_unsealed(&mut self.state)?;
 
-        let mut hmac = root_key
+        let mut hmac = root_key.0.read_inline(|k| {
-            .0
+            HmacSha256::new_from_slice(k)
-            .read_inline(|k| match HmacSha256::new_from_slice(k) {
+                .unwrap_or_else(|_| unreachable!("HMAC accepts keys of any size"))
-                Ok(v) => v,
-                Err(_) => unreachable!("HMAC accepts keys of any size"),
         });
-        hmac.update(&root_key_history_id.to_raw().to_be_bytes());
+        hmac.update(&root_key_history_id.to_be_bytes());
         hmac.update(&mac_input);
 
         let mac = hmac.finalize().into_bytes().to_vec();
@@ -375,7 +362,7 @@ impl Vault {
         &mut self,
         mac_input: Vec<u8>,
         expected_mac: Vec<u8>,
-        key_version: RootKeyHistoryId,
+        key_version: i32,
     ) -> Result<bool, Error> {
         let Unsealed {
             root_key,
@@ -386,13 +373,11 @@ impl Vault {
             return Ok(false);
         }
 
-        let mut hmac = root_key
+        let mut hmac = root_key.0.read_inline(|k| {
-            .0
+            HmacSha256::new_from_slice(k)
-            .read_inline(|k| match HmacSha256::new_from_slice(k) {
+                .unwrap_or_else(|_| unreachable!("HMAC accepts keys of any size"))
-                Ok(v) => v,
-                Err(_) => unreachable!("HMAC accepts keys of any size"),
         });
-        hmac.update(&key_version.to_raw().to_be_bytes());
+        hmac.update(&key_version.to_be_bytes());
         hmac.update(&mac_input);
 
         Ok(hmac.verify_slice(&expected_mac).is_ok())
@@ -415,7 +400,7 @@ impl Vault {
 
 #[cfg(test)]
 mod tests {
-    use crate::{actors::GlobalActors, db::models::RootKeyHistory};
+    use crate::actors::GlobalActors;
     use arbiter_crypto::safecell::SafeCellHandle as _;
 
     use super::*;
@@ -434,12 +419,13 @@ mod tests {
     async fn nonce_monotonic_even_when_nonce_allocation_interleaves() {
         let db = db::create_test_pool().await;
         let mut actor = bootstrapped_actor(&db).await;
-        let root_key_history_id = match actor.state {
+
-            State::Unsealed(Unsealed {
+        let State::Unsealed(Unsealed {
             root_key_history_id,
             ..
-            }) => root_key_history_id,
+        }) = actor.state
-            _ => panic!("expected unsealed state"),
+        else {
+            panic!("expected unsealed state")
         };
 
         let n1 = Vault::get_new_nonce(&db, root_key_history_id)

server/crates/arbiter-server/src/context/tls.rs

@@ -174,8 +174,7 @@ impl TlsManager {
 
         {
             let mut conn = db.get().await?;
-            conn.transaction(|conn| {
+            conn.transaction(async |conn| {
-                Box::pin(async {
                 let new_tls_history = NewTlsHistory {
                     cert: new_cert.cert.pem(),
                     cert_key: new_cert.cert_key.serialize_pem(),
@@ -186,17 +185,16 @@ impl TlsManager {
                 let inserted_tls_history: i32 = diesel::insert_into(tls_history::table)
                     .values(&new_tls_history)
                     .returning(tls_history::id)
-                        .get_result(conn)
+                    .get_result(&mut *conn)
                     .await?;
 
                 diesel::update(arbiter_settings::table)
                     .set(arbiter_settings::tls_id.eq(inserted_tls_history))
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
 
                 Result::<_, diesel::result::Error>::Ok(())
             })
-            })
             .await?;
         }
 

server/crates/arbiter-server/src/db/models.rs

@@ -79,41 +79,10 @@ pub mod types {
         }
     }
 
-    macro_rules! declare_id {
+    #[derive(Debug, FromSqlRow, AsExpression, Clone)]
-        ($name:ident) => {
-            #[derive(Debug, FromSqlRow, AsExpression, Clone, Hash, Copy, PartialEq, Eq)]
     #[diesel(sql_type = Integer)]
     #[repr(transparent)] // hint compiler to optimize the wrapper struct away
-            pub struct $name(i32);
+    pub struct ChainId(pub i32);
-
-            impl $name {
-                pub const fn to_raw(self) -> i32 {
-                    self.0
-                }
-                pub const fn from_raw(raw: i32) -> Self {
-                    Self(raw)
-                }
-            }
-
-            impl FromSql<Integer, Sqlite> for $name {
-                fn from_sql(
-                    bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
-                ) -> diesel::deserialize::Result<Self> {
-                    FromSql::<Integer, Sqlite>::from_sql(bytes).map(Self)
-                }
-            }
-            impl ToSql<Integer, Sqlite> for $name {
-                fn to_sql<'b>(
-                    &'b self,
-                    out: &mut diesel::serialize::Output<'b, '_, Sqlite>,
-                ) -> diesel::serialize::Result {
-                    ToSql::<Integer, Sqlite>::to_sql(&self.0, out)
-                }
-            }
-        };
-    }
-
-    declare_id!(ChainId);
 
     #[expect(
         clippy::cast_sign_loss,
@@ -134,13 +103,21 @@ pub mod types {
         }
     };
 
-    declare_id!(OperatorId);
+    impl FromSql<Integer, Sqlite> for ChainId {
-    declare_id!(OperatorIdentityId);
+        fn from_sql(
-    declare_id!(AeadEncryptedId);
+            bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
-    declare_id!(RootKeyHistoryId);
+        ) -> diesel::deserialize::Result<Self> {
-    declare_id!(TlsHistoryId);
+            FromSql::<Integer, Sqlite>::from_sql(bytes).map(Self)
-    declare_id!(EvmWalletId);
+        }
-    declare_id!(ClientId);
+    }
+    impl ToSql<Integer, Sqlite> for ChainId {
+        fn to_sql<'b>(
+            &'b self,
+            out: &mut diesel::serialize::Output<'b, '_, Sqlite>,
+        ) -> diesel::serialize::Result {
+            ToSql::<Integer, Sqlite>::to_sql(&self.0, out)
+        }
+    }
 }
 pub use types::*;
 
@@ -153,12 +130,12 @@ pub use types::*;
 )]
 #[diesel(table_name = aead_encrypted, check_for_backend(Sqlite))]
 pub struct AeadEncrypted {
-    pub id: AeadEncryptedId,
+    pub id: i32,
     pub ciphertext: Vec<u8>,
     pub tag: Vec<u8>,
     pub current_nonce: Vec<u8>,
     pub schema_version: i32,
-    pub associated_root_key_id: RootKeyHistoryId,
+    pub associated_root_key_id: i32, // references root_key_history.id
     pub created_at: SqliteTimestamp,
 }
 
@@ -171,7 +148,7 @@ pub struct AeadEncrypted {
     attributes_with = "deriveless"
 )]
 pub struct RootKeyHistory {
-    pub id: RootKeyHistoryId,
+    pub id: i32,
     pub ciphertext: Vec<u8>,
     pub tag: Vec<u8>,
     pub root_key_encryption_nonce: Vec<u8>,
@@ -189,7 +166,7 @@ pub struct RootKeyHistory {
     attributes_with = "deriveless"
 )]
 pub struct TlsHistory {
-    pub id: TlsHistoryId,
+    pub id: i32,
     pub cert: String,
     pub cert_key: String, // PEM Encoded private key
     pub ca_cert: String,  // PEM Encoded certificate for cert signing
@@ -214,7 +191,7 @@ pub struct ArbiterSettings {
     attributes_with = "deriveless"
 )]
 pub struct EvmWallet {
-    pub id: EvmWalletId,
+    pub id: i32,
     pub address: Vec<u8>,
     pub aead_encrypted_id: i32,
     pub created_at: SqliteTimestamp,
@@ -236,7 +213,7 @@ pub struct EvmWallet {
 )]
 pub struct EvmWalletAccess {
     pub id: i32,
-    pub wallet_id: EvmWalletId,
+    pub wallet_id: i32,
     pub client_id: i32,
     pub created_at: SqliteTimestamp,
 }
@@ -263,7 +240,7 @@ pub struct ProgramClientMetadataHistory {
 #[derive(Models, Queryable, Debug, Insertable, Selectable)]
 #[diesel(table_name = schema::program_client, check_for_backend(Sqlite))]
 pub struct ProgramClient {
-    pub id: ClientId,
+    pub id: i32,
     pub public_key: Vec<u8>,
     pub metadata_id: i32,
     pub created_at: SqliteTimestamp,
@@ -271,24 +248,14 @@ pub struct ProgramClient {
 }
 
 #[derive(Queryable, Debug)]
-#[diesel(table_name = schema::operator_identity, check_for_backend(Sqlite))]
+#[diesel(table_name = schema::operator_client, check_for_backend(Sqlite))]
-pub struct OperatorIdentity {
+pub struct OperatorClient {
-    pub id: OperatorIdentityId,
+    pub id: i32,
     pub public_key: Vec<u8>,
     pub created_at: SqliteTimestamp,
     pub updated_at: SqliteTimestamp,
 }
 
-#[derive(Queryable, Debug)]
-#[diesel(table_name = schema::operator, check_for_backend(Sqlite))]
-pub struct Operator {
-    pub id: OperatorId,
-    pub share: Vec<u8>,
-    pub share_nonce: Vec<u8>,
-    pub created_at: SqliteTimestamp,
-    pub updated_at: SqliteTimestamp,
-}
-
 #[derive(Models, Queryable, Debug, Insertable, Selectable)]
 #[diesel(table_name = evm_ether_transfer_limit, check_for_backend(Sqlite))]
 #[view(
@@ -432,7 +399,7 @@ pub struct IntegrityEnvelope {
     pub entity_kind: String,
     pub entity_id: Vec<u8>,
     pub payload_version: i32,
-    pub key_version: RootKeyHistoryId,
+    pub key_version: i32,
     pub mac: Vec<u8>,
     pub signed_at: SqliteTimestamp,
     pub created_at: SqliteTimestamp,

server/crates/arbiter-server/src/db/schema.rs

@@ -152,25 +152,6 @@ diesel::table! {
     }
 }
 
-diesel::table! {
-    operator (id) {
-        id -> Nullable<Integer>,
-        share -> Binary,
-        share_nonce -> Binary,
-        created_at -> Integer,
-        updated_at -> Integer,
-    }
-}
-
-diesel::table! {
-    operator_identity (id) {
-        id -> Integer,
-        public_key -> Binary,
-        created_at -> Integer,
-        updated_at -> Integer,
-    }
-}
-
 diesel::table! {
     program_client (id) {
         id -> Integer,
@@ -204,6 +185,15 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    operator_client (id) {
+        id -> Integer,
+        public_key -> Binary,
+        created_at -> Integer,
+        updated_at -> Integer,
+    }
+}
+
 diesel::joinable!(aead_encrypted -> root_key_history (associated_root_key_id));
 diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
 diesel::joinable!(arbiter_settings -> tls_history (tls_id));
@@ -222,7 +212,6 @@ diesel::joinable!(evm_transaction_log -> evm_wallet_access (wallet_access_id));
 diesel::joinable!(evm_wallet -> aead_encrypted (aead_encrypted_id));
 diesel::joinable!(evm_wallet_access -> evm_wallet (wallet_id));
 diesel::joinable!(evm_wallet_access -> program_client (client_id));
-diesel::joinable!(operator -> operator_identity (id));
 diesel::joinable!(program_client -> client_metadata (metadata_id));
 
 diesel::allow_tables_to_appear_in_same_query!(
@@ -241,9 +230,8 @@ diesel::allow_tables_to_appear_in_same_query!(
     evm_wallet,
     evm_wallet_access,
     integrity_envelope,
-    operator,
-    operator_identity,
     program_client,
     root_key_history,
     tls_history,
+    operator_client,
 );

server/crates/arbiter-server/src/evm/mod.rs

@@ -1,28 +1,34 @@
+use diesel_async::{AsyncConnection, RunQueryDsl};
+use kameo::actor::ActorRef;
+
 use crate::{
     actors::vault::Vault,
     crypto::integrity,
     db::{
         self, DatabaseError,
         models::{
-            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
+            EvmBasicGrant, EvmEtherTransferGrant, EvmEtherTransferGrantTarget,
+            EvmEtherTransferLimit, EvmTokenTransferGrant, EvmTokenTransferVolumeLimit,
+            EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
         },
         schema::{self, evm_transaction_log},
     },
     evm::policies::{
         CombinedSettings, DatabaseID, EvalContext, EvalViolation, Grant, Policy,
-        SharedGrantSettings, SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
+        SharedGrantSettings, SpecificGrant, SpecificMeaning, VolumeRateLimit,
-        token_transfers::TokenTransfer,
+        ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
     },
 };
 
 use alloy::{
     consensus::TxEip1559,
-    primitives::{TxKind, U256},
+    primitives::{Address, TxKind, U256},
 };
 use chrono::Utc;
-use diesel::{ExpressionMethods as _, QueryDsl as _, QueryResult, insert_into, sqlite::Sqlite};
+use diesel::{
-use diesel_async::{AsyncConnection, RunQueryDsl};
+    ExpressionMethods as _, OptionalExtension, QueryDsl as _, QueryResult, SelectableHelper,
-use kameo::actor::ActorRef;
+    insert_into, sqlite::Sqlite, update,
+};
 
 pub mod abi;
 pub mod safe_signer;
@@ -179,8 +185,7 @@ impl Engine {
         }
 
         if run_kind == RunKind::Execution {
-            conn.transaction(|conn| {
+            conn.transaction(async |conn| {
-                Box::pin(async move {
                 let log_id: i32 = insert_into(evm_transaction_log::table)
                     .values(&NewEvmTransactionLog {
                         grant_id: grant.common_settings_id,
@@ -190,14 +195,13 @@ impl Engine {
                         signed_at: Utc::now().into(),
                     })
                     .returning(evm_transaction_log::id)
-                        .get_result(conn)
+                    .get_result(&mut *conn)
                     .await?;
 
-                    P::record_transaction(&context, meaning, log_id, &grant, conn).await?;
+                P::record_transaction(&context, meaning, log_id, &grant, &mut *conn).await?;
 
                 QueryResult::Ok(())
             })
-            })
             .await
             .map_err(DatabaseError::from)?;
         }
@@ -222,8 +226,7 @@ impl Engine {
         let vault = self.vault.clone();
 
         let id = conn
-            .transaction(|conn| {
+            .transaction(async |conn| {
-                Box::pin(async move {
                 use schema::evm_basic_grant;
 
                 #[expect(
@@ -259,23 +262,167 @@ impl Engine {
                         revoked_at: None,
                     })
                     .returning(evm_basic_grant::all_columns)
-                        .get_result(conn)
+                    .get_result(&mut *conn)
                     .await?;
 
-                    P::create_grant(&basic_grant, &full_grant.specific, conn).await?;
+                P::create_grant(&basic_grant, &full_grant.specific, &mut *conn).await?;
 
-                    integrity::sign_entity(conn, &vault, &full_grant, basic_grant.id)
+                integrity::sign_entity(&mut *conn, &vault, &full_grant, basic_grant.id)
                     .await
                     .map_err(|_| diesel::result::Error::RollbackTransaction)?;
 
                 QueryResult::Ok(basic_grant.id)
             })
-            })
             .await?;
 
         Ok(id)
     }
 
+    pub async fn revoke_grant(
+        &self,
+        basic_grant_id: i32,
+    ) -> Result<(), DatabaseError> {
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
+        let vault = self.vault.clone();
+
+        conn.transaction(async move |conn| {
+            use crate::db::schema::{
+                evm_basic_grant, evm_ether_transfer_grant, evm_ether_transfer_grant_target,
+                evm_ether_transfer_limit, evm_token_transfer_grant,
+                evm_token_transfer_volume_limit,
+            };
+
+            update(evm_basic_grant::table)
+                .filter(evm_basic_grant::id.eq(basic_grant_id))
+                .set(evm_basic_grant::revoked_at.eq(SqliteTimestamp(Utc::now())))
+                .execute(&mut *conn)
+                .await?;
+
+            let basic_grant: EvmBasicGrant = evm_basic_grant::table
+                .filter(evm_basic_grant::id.eq(basic_grant_id))
+                .select(EvmBasicGrant::as_select())
+                .first(&mut *conn)
+                .await?;
+
+            let shared = SharedGrantSettings::try_from_model(basic_grant)?;
+
+            if let Some(ether_grant) = evm_ether_transfer_grant::table
+                .filter(evm_ether_transfer_grant::basic_grant_id.eq(basic_grant_id))
+                .select(EvmEtherTransferGrant::as_select())
+                .first(&mut *conn)
+                .await
+                .optional()?
+            {
+                let target_rows: Vec<EvmEtherTransferGrantTarget> =
+                    evm_ether_transfer_grant_target::table
+                        .filter(evm_ether_transfer_grant_target::grant_id.eq(ether_grant.id))
+                        .select(EvmEtherTransferGrantTarget::as_select())
+                        .load(&mut *conn)
+                        .await?;
+                let targets: Vec<Address> = target_rows
+                    .into_iter()
+                    .filter_map(|target| {
+                        let arr: [u8; 20] = target.address.try_into().ok()?;
+                        Some(Address::from(arr))
+                    })
+                    .collect();
+
+                let limit: EvmEtherTransferLimit = evm_ether_transfer_limit::table
+                    .filter(evm_ether_transfer_limit::id.eq(ether_grant.limit_id))
+                    .select(EvmEtherTransferLimit::as_select())
+                    .first(&mut *conn)
+                    .await?;
+
+                let settings = CombinedSettings {
+                    shared: shared.clone(),
+                    specific: policies::ether_transfer::Settings {
+                        target: targets,
+                        limit: VolumeRateLimit {
+                            max_volume: utils::try_bytes_to_u256(&limit.max_volume).map_err(
+                                |err| {
+                                    diesel::result::Error::DeserializationError(Box::new(err))
+                                },
+                            )?,
+                            window: chrono::Duration::seconds(limit.window_secs.into()),
+                        },
+                    },
+                };
+
+                integrity::sign_entity(&mut *conn, &vault, &settings, basic_grant_id)
+                    .await
+                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;
+
+                return QueryResult::Ok(());
+            }
+
+            if let Some(token_grant) = evm_token_transfer_grant::table
+                .filter(evm_token_transfer_grant::basic_grant_id.eq(basic_grant_id))
+                .select(EvmTokenTransferGrant::as_select())
+                .first(&mut *conn)
+                .await
+                .optional()?
+            {
+                let volume_limit_rows: Vec<EvmTokenTransferVolumeLimit> =
+                    evm_token_transfer_volume_limit::table
+                        .filter(evm_token_transfer_volume_limit::grant_id.eq(token_grant.id))
+                        .select(EvmTokenTransferVolumeLimit::as_select())
+                        .load(&mut *conn)
+                        .await?;
+                let volume_limits: Vec<VolumeRateLimit> = volume_limit_rows
+                    .into_iter()
+                    .map(|row| {
+                        Ok(VolumeRateLimit {
+                            max_volume: utils::try_bytes_to_u256(&row.max_volume).map_err(
+                                |err| {
+                                    diesel::result::Error::DeserializationError(Box::new(err))
+                                },
+                            )?,
+                            window: chrono::Duration::seconds(row.window_secs.into()),
+                        })
+                    })
+                    .collect::<QueryResult<Vec<_>>>()?;
+
+                let target: Option<Address> = match token_grant.receiver {
+                    None => None,
+                    Some(bytes) => {
+                        let arr: [u8; 20] = bytes.try_into().map_err(|_| {
+                            diesel::result::Error::DeserializationError(
+                                "Invalid receiver address length".into(),
+                            )
+                        })?;
+                        Some(Address::from(arr))
+                    }
+                };
+
+                let token_contract: [u8; 20] =
+                    token_grant.token_contract.clone().try_into().map_err(|_| {
+                        diesel::result::Error::DeserializationError(
+                            "Invalid token contract address length".into(),
+                        )
+                    })?;
+
+                let settings = CombinedSettings {
+                    shared,
+                    specific: policies::token_transfers::Settings {
+                        token_contract: Address::from(token_contract),
+                        target,
+                        volume_limits,
+                    },
+                };
+
+                integrity::sign_entity(&mut *conn, &vault, &settings, basic_grant_id)
+                    .await
+                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;
+
+                return QueryResult::Ok(());
+            }
+
+            Err(diesel::result::Error::NotFound)
+        })
+        .await
+        .map_err(DatabaseError::from)
+    }
+
     async fn list_one_kind<Kind: Policy, Y>(
         &self,
         conn: &mut impl AsyncConnection<Backend = Sqlite>,
@@ -355,21 +502,26 @@ impl Engine {
 #[cfg(test)]
 mod tests {
     use alloy::primitives::{Address, Bytes, U256, address};
+    use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
     use chrono::{Duration, Utc};
     use diesel::{SelectableHelper, insert_into};
     use diesel_async::RunQueryDsl;
+    use kameo::{actor::ActorRef, prelude::Spawn};
     use rstest::rstest;
 
+    use crate::actors::{GlobalActors, vault::{Bootstrap, Vault}};
+    use crate::crypto::integrity;
     use crate::db::{
         self, DatabaseConnection,
         models::{
-            EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, NewEvmTransactionLog,
+            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
-            SqliteTimestamp,
         },
         schema::{evm_basic_grant, evm_transaction_log},
     };
+    use crate::evm::policies::ether_transfer::EtherTransfer;
     use crate::evm::policies::{
-        EvalContext, EvalViolation, SharedGrantSettings, TransactionRateLimit,
+        CombinedSettings, EvalContext, EvalViolation, Policy, SharedGrantSettings,
+        TransactionRateLimit, VolumeRateLimit,
     };
 
     use super::check_shared_constraints;
@@ -382,7 +534,7 @@ mod tests {
         EvalContext {
             target: EvmWalletAccess {
                 id: WALLET_ACCESS_ID,
-                wallet_id: EvmWalletId::from_raw(5),
+                wallet_id: 10,
                 client_id: 20,
                 created_at: SqliteTimestamp(Utc::now()),
             },
@@ -401,6 +553,7 @@ mod tests {
             chain: CHAIN_ID,
             valid_from: None,
             valid_until: None,
+            revoked_at: None,
             max_gas_fee_per_gas: None,
             max_priority_fee_per_gas: None,
             rate_limit: None,
@@ -609,4 +762,115 @@ mod tests {
             assert!(violations.is_empty());
         }
     }
+
+    async fn bootstrapped_vault(db: &db::DatabasePool) -> ActorRef<Vault> {
+        let actor = Vault::spawn(
+            Vault::new(db.clone(), GlobalActors::spawn_message_bus())
+                .await
+                .unwrap(),
+        );
+        actor
+            .ask(Bootstrap {
+                seal_key_raw: SafeCell::new(b"integrity-test-seal-key".to_vec()),
+            })
+            .await
+            .unwrap();
+        actor
+    }
+
+    #[tokio::test]
+    async fn revoke_grant_preserves_revoked_integrity() {
+        use crate::db::schema::evm_basic_grant;
+        use diesel::ExpressionMethods as _;
+
+        let db = db::create_test_pool().await;
+        let vault = bootstrapped_vault(&db).await;
+        let engine = super::Engine::new(db.clone(), vault.clone());
+
+        let full_grant = CombinedSettings {
+            shared: SharedGrantSettings {
+                wallet_access_id: WALLET_ACCESS_ID,
+                chain: CHAIN_ID,
+                valid_from: None,
+                valid_until: None,
+                revoked_at: None,
+                max_gas_fee_per_gas: None,
+                max_priority_fee_per_gas: None,
+                rate_limit: None,
+            },
+            specific: super::policies::ether_transfer::Settings {
+                target: vec![RECIPIENT],
+                limit: VolumeRateLimit {
+                    max_volume: U256::from(100u64),
+                    window: Duration::hours(1),
+                },
+            },
+        };
+
+        let grant_id = engine
+            .create_grant::<EtherTransfer>(full_grant)
+            .await
+            .unwrap();
+
+        engine.revoke_grant(grant_id).await.unwrap();
+
+        let mut conn = db.get().await.unwrap();
+        diesel::update(evm_basic_grant::table)
+            .filter(evm_basic_grant::id.eq(grant_id))
+            .set(evm_basic_grant::revoked_at.eq::<Option<SqliteTimestamp>>(None))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+
+        let wallet_access = EvmWalletAccess {
+            id: WALLET_ACCESS_ID,
+            wallet_id: 10,
+            client_id: 20,
+            created_at: SqliteTimestamp(Utc::now()),
+        };
+        let context = EvalContext {
+            target: wallet_access,
+            chain: CHAIN_ID,
+            to: RECIPIENT,
+            value: U256::ONE,
+            calldata: Bytes::new(),
+            max_fee_per_gas: 1,
+            max_priority_fee_per_gas: 1,
+        };
+
+        let grant = EtherTransfer::try_find_grant(
+            &context, &mut conn,
+        )
+        .await
+        .unwrap()
+        .unwrap();
+
+        let result =
+            integrity::verify_entity(&mut conn, &vault, &grant.settings, grant.id).await;
+
+        assert!(matches!(
+            result,
+            Err(integrity::Error::MacMismatch { .. })
+        ));
+    }
+
+    #[test]
+    fn shared_settings_hash_changes_when_revoked_at_changes() {
+        use arbiter_crypto::hashing::Hashable;
+        use sha2::Digest;
+
+        let active = shared_settings();
+        let revoked = SharedGrantSettings {
+            revoked_at: Some(Utc::now()),
+            ..shared_settings()
+        };
+
+        let mut active_hash = sha2::Sha256::new();
+        active.hash(&mut active_hash);
+
+        let mut revoked_hash = sha2::Sha256::new();
+        revoked.hash(&mut revoked_hash);
+
+        assert_ne!(active_hash.finalize(), revoked_hash.finalize());
+    }
 }

server/crates/arbiter-server/src/evm/policies.rs

@@ -144,6 +144,7 @@ pub struct SharedGrantSettings {
 
     pub valid_from: Option<DateTime<Utc>>,
     pub valid_until: Option<DateTime<Utc>>,
+    pub revoked_at: Option<DateTime<Utc>>,
 
     pub max_gas_fee_per_gas: Option<U256>,
     pub max_priority_fee_per_gas: Option<U256>,
@@ -158,6 +159,7 @@ impl SharedGrantSettings {
             chain: model.chain_id.into(),
             valid_from: model.valid_from.map(Into::into),
             valid_until: model.valid_until.map(Into::into),
+            revoked_at: model.revoked_at.map(Into::into),
             max_gas_fee_per_gas: model
                 .max_gas_fee_per_gas
                 .map(|b| utils::try_bytes_to_u256(&b))

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -3,8 +3,7 @@ use crate::{
     db::{
         self, DatabaseConnection,
         models::{
-            EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, NewEvmTransactionLog,
+            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
-            SqliteTimestamp,
         },
         schema::{evm_basic_grant, evm_transaction_log},
     },
@@ -32,7 +31,7 @@ fn ctx(to: Address, value: U256) -> EvalContext {
     EvalContext {
         target: EvmWalletAccess {
             id: WALLET_ACCESS_ID,
-            wallet_id: EvmWalletId::from_raw(10),
+            wallet_id: 10,
             client_id: 20,
             created_at: SqliteTimestamp(Utc::now()),
         },
@@ -80,6 +79,7 @@ fn shared() -> SharedGrantSettings {
         chain: CHAIN_ID,
         valid_from: None,
         valid_until: None,
+        revoked_at: None,
         max_gas_fee_per_gas: None,
         max_priority_fee_per_gas: None,
         rate_limit: None,

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -2,7 +2,7 @@ use super::{Settings, TokenTransfer};
 use crate::{
     db::{
         self, DatabaseConnection,
-        models::{EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, SqliteTimestamp},
+        models::{EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, SqliteTimestamp},
         schema::evm_basic_grant,
     },
     evm::{
@@ -45,7 +45,7 @@ fn ctx(to: Address, calldata: Bytes) -> EvalContext {
     EvalContext {
         target: EvmWalletAccess {
             id: WALLET_ACCESS_ID,
-            wallet_id: EvmWalletId::from_raw(10),
+            wallet_id: 10,
             client_id: 20,
             created_at: SqliteTimestamp(Utc::now()),
         },
@@ -98,6 +98,7 @@ fn shared() -> SharedGrantSettings {
         chain: CHAIN_ID,
         valid_from: None,
         valid_until: None,
+        revoked_at: None,
         max_gas_fee_per_gas: None,
         max_priority_fee_per_gas: None,
         rate_limit: None,

server/crates/arbiter-server/src/grpc/client/auth.rs

@@ -200,7 +200,7 @@ impl Convert for auth::Outbound {
                         .timestamp
                         .timestamp_nanos_opt()
                         .expect("timestamp within range")
-                        as u64,
+                        .cast_unsigned(),
                     random: challenge.nonce.to_vec(),
                 })
             }

server/crates/arbiter-server/src/grpc/operator/auth.rs

@@ -80,7 +80,7 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
                         .timestamp
                         .timestamp_nanos_opt()
                         .expect("timestamp within range")
-                        as u64,
+                        .cast_unsigned(),
                     random: challenge.nonce.to_vec(),
                 })
             }

server/crates/arbiter-server/src/grpc/operator/evm.rs

@@ -90,7 +90,7 @@ async fn handle_wallet_list(
                 .into_iter()
                 .map(|(id, address)| WalletEntry {
                     address: address.to_vec(),
-                    id: id.to_raw(),
+                    id,
                 })
                 .collect(),
         }),

server/crates/arbiter-server/src/grpc/operator/inbound.rs

@@ -1,10 +1,11 @@
 use crate::{
-    db::models::{CoreEvmWalletAccess, EvmWalletId, NewEvmWalletAccess},
+    db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
     evm::policies::{
         SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit, ether_transfer,
         token_transfers,
     },
-    grpc::{Convert, TryConvert},
+    grpc::Convert,
+    grpc::TryConvert,
 };
 use arbiter_proto::{
     proto::evm::{
@@ -86,6 +87,7 @@ impl TryConvert for ProtoSharedSettings {
                 .valid_until
                 .map(ProtoTimestamp::try_convert)
                 .transpose()?,
+            revoked_at: None,
             max_gas_fee_per_gas: self
                 .max_gas_fee_per_gas
                 .as_deref()
@@ -149,7 +151,7 @@ impl Convert for WalletAccess {
 
     fn convert(self) -> Self::Output {
         NewEvmWalletAccess {
-            wallet_id: EvmWalletId::from_raw(self.wallet_id),
+            wallet_id: self.wallet_id,
             client_id: self.sdk_client_id,
         }
     }
@@ -164,7 +166,7 @@ impl TryConvert for SdkClientWalletAccess {
             return Err(Status::invalid_argument("Missing wallet access entry"));
         };
         Ok(CoreEvmWalletAccess {
-            wallet_id: EvmWalletId::from_raw(access.wallet_id),
+            wallet_id: access.wallet_id,
             client_id: access.sdk_client_id,
             id: self.id,
         })

server/crates/arbiter-server/src/grpc/operator/outbound.rs

@@ -1,5 +1,5 @@
 use crate::{
-    db::models::{EvmWalletAccess, EvmWalletId},
+    db::models::EvmWalletAccess,
     evm::policies::{SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit},
     grpc::Convert,
 };
@@ -103,7 +103,7 @@ impl Convert for EvmWalletAccess {
         Self::Output {
             id: self.id,
             access: Some(WalletAccess {
-                wallet_id: self.wallet_id.to_raw(),
+                wallet_id: self.wallet_id,
                 sdk_client_id: self.client_id,
             }),
         }

server/crates/arbiter-server/src/grpc/operator/sdk_client.rs

@@ -1,8 +1,8 @@
 use crate::{
-    db::models::{ClientId, NewEvmWalletAccess},
+    db::models::NewEvmWalletAccess,
     grpc::Convert,
     peers::operator::{
-        OperatorSession, OutOfBand,
+        OutOfBand, OperatorSession,
         session::handlers::{
             HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
             HandleRevokeEvmWalletAccess, HandleSdkClientList,
@@ -11,8 +11,8 @@ use crate::{
 };
 use arbiter_crypto::authn;
 use arbiter_proto::proto::{
+    shared::ClientInfo as ProtoClientMetadata,
     operator::{
-        operator_response::Payload as OperatorResponsePayload,
         sdk_client::{
             self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
             ConnectionRequest as ProtoSdkClientConnectionRequest,
@@ -24,8 +24,8 @@ use arbiter_proto::proto::{
             request::Payload as SdkClientRequestPayload,
             response::Payload as SdkClientResponsePayload,
         },
+        operator_response::Payload as OperatorResponsePayload,
     },
-    shared::ClientInfo as ProtoClientMetadata,
 };
 
 use kameo::actor::ActorRef;
@@ -115,7 +115,7 @@ async fn handle_list(
             clients: clients
                 .into_iter()
                 .map(|(client, metadata)| ProtoSdkClientEntry {
-                    id: client.id.to_raw(),
+                    id: client.id,
                     pubkey: client.public_key.clone(),
                     info: Some(ProtoClientMetadata {
                         name: metadata.name,

server/crates/arbiter-server/src/peers/client/auth.rs

@@ -171,10 +171,7 @@ async fn insert_client(
         Error::DatabasePoolUnavailable
     })?;
 
-    conn.exclusive_transaction(|conn| {
+    conn.exclusive_transaction(async |conn| {
-        let vault = vault.clone();
-        let pubkey = pubkey.clone();
-        Box::pin(async move {
         let metadata_id = insert_into(client_metadata::table)
             .values((
                 client_metadata::name.eq(&metadata.name),
@@ -182,7 +179,7 @@ async fn insert_client(
                 client_metadata::version.eq(&metadata.version),
             ))
             .returning(client_metadata::id)
-                .get_result::<i32>(conn)
+            .get_result::<i32>(&mut *conn)
             .await?;
 
         let client_id = insert_into(program_client::table)
@@ -192,12 +189,12 @@ async fn insert_client(
             ))
             .on_conflict_do_nothing()
             .returning(program_client::id)
-                .get_result::<i32>(conn)
+            .get_result::<i32>(&mut *conn)
             .await?;
 
         integrity::sign_entity(
-                conn,
+            &mut *conn,
-                &vault,
+            vault,
             &ClientCredentials {
                 pubkey: pubkey.clone(),
             },
@@ -211,7 +208,6 @@ async fn insert_client(
 
         Ok(client_id)
     })
-    })
     .await
 }
 
@@ -229,18 +225,15 @@ async fn sync_client_metadata(
         Error::DatabasePoolUnavailable
     })?;
 
-    conn.exclusive_transaction(|conn| {
+    conn.exclusive_transaction(async |conn| {
-        let metadata = metadata.clone();
+        let (current_metadata_id, current): (i32, ProgramClientMetadata) = program_client::table
-        Box::pin(async move {
-            let (current_metadata_id, current): (i32, ProgramClientMetadata) =
-                program_client::table
             .find(client_id)
             .inner_join(client_metadata::table)
             .select((
                 program_client::metadata_id,
                 ProgramClientMetadata::as_select(),
             ))
-                    .first(conn)
+            .first(&mut *conn)
             .await?;
 
         let unchanged = current.name == metadata.name
@@ -255,7 +248,7 @@ async fn sync_client_metadata(
                 client_metadata_history::metadata_id.eq(current_metadata_id),
                 client_metadata_history::client_id.eq(client_id),
             ))
-                .execute(conn)
+            .execute(&mut *conn)
             .await?;
 
         let metadata_id = insert_into(client_metadata::table)
@@ -265,7 +258,7 @@ async fn sync_client_metadata(
                 client_metadata::version.eq(&metadata.version),
             ))
             .returning(client_metadata::id)
-                .get_result::<i32>(conn)
+            .get_result::<i32>(&mut *conn)
             .await?;
 
         update(program_client::table.find(client_id))
@@ -273,12 +266,11 @@ async fn sync_client_metadata(
                 program_client::metadata_id.eq(metadata_id),
                 program_client::updated_at.eq(now),
             ))
-                .execute(conn)
+            .execute(&mut *conn)
             .await?;
 
         Ok::<(), diesel::result::Error>(())
     })
-    })
     .await
     .map_err(|e| {
         error!(error = ?e, "Database error");
@@ -306,7 +298,7 @@ where
 
     let signature = expect_message(transport, |req: Inbound| match req {
         Inbound::AuthChallengeSolution { signature } => Some(signature),
-        _ => None,
+        Inbound::AuthChallengeRequest { .. } => None,
     })
     .await
     .map_err(|e| {

server/crates/arbiter-server/src/peers/operator/auth/state.rs

@@ -4,7 +4,7 @@ use super::{
 };
 use crate::{
     actors::bootstrap::ConsumeToken,
-    db::{DatabasePool, schema::operator_identity},
+    db::{DatabasePool, schema::operator_client},
     peers::operator::auth::Outbound,
 };
 use arbiter_crypto::authn::{self, AuthChallenge, OPERATOR_CONTEXT};
@@ -19,7 +19,7 @@ pub(super) struct ChallengeRequest {
     pub(super) bootstrap_token: Option<String>,
 }
 
-pub(super) struct ChallengeContext {
+pub struct ChallengeContext {
     pub(super) challenge: AuthChallenge,
     pub(super) pubkey: authn::PublicKey,
     pub(super) bootstrap_token: Option<String>,
@@ -44,9 +44,9 @@ async fn get_client_id(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<O
         Error::internal("Database unavailable")
     })?;
 
-    operator_identity::table
+    operator_client::table
-        .filter(operator_identity::public_key.eq(pubkey.to_bytes()))
+        .filter(operator_client::public_key.eq(pubkey.to_bytes()))
-        .select(operator_identity::id)
+        .select(operator_client::id)
         .first::<i32>(&mut conn)
         .await
         .optional()
@@ -63,9 +63,9 @@ async fn register_key(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<i3
         Error::internal("Database unavailable")
     })?;
 
-    let id: i32 = diesel::insert_into(operator_identity::table)
+    let id: i32 = diesel::insert_into(operator_client::table)
-        .values((operator_identity::public_key.eq(pubkey_bytes),))
+        .values((operator_client::public_key.eq(pubkey_bytes),))
-        .returning(operator_identity::id)
+        .returning(operator_client::id)
         .get_result(&mut conn)
         .await
         .map_err(|e| {
@@ -127,8 +127,6 @@ where
         })
     }
 
-    #[allow(missing_docs)]
-    #[allow(clippy::unused_unit)]
     async fn verify_solution(
         &mut self,
         ChallengeContext {

server/crates/arbiter-server/src/peers/operator/session/handlers.rs

@@ -1,16 +1,12 @@
 use super::{Error, OperatorSession};
 use crate::{
-    actors::{
+    actors::evm::{
-        evm::{
         ClientSignTransaction, Generate, ListWallets, OperatorCreateGrant, OperatorListGrants,
         SignTransactionError as EvmSignError,
     },
-        flow_coordinator::client_connect_approval::ClientApprovalAnswer,
+    actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer,
-        vault::VaultState,
+    actors::vault::VaultState,
-    },
+    db::models::{EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata},
-    db::models::{
-        EvmWalletAccess, EvmWalletId, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
-    },
     evm::policies::{Grant, SpecificGrant},
 };
 use arbiter_crypto::authn;
@@ -74,9 +70,7 @@ impl OperatorSession {
     }
 
     #[message]
-    pub(crate) async fn handle_evm_wallet_list(
+    pub(crate) async fn handle_evm_wallet_list(&mut self) -> Result<Vec<(i32, Address)>, Error> {
-        &mut self,
-    ) -> Result<Vec<(EvmWalletId, Address)>, Error> {
         match self.props.actors.evm.ask(ListWallets {}).await {
             Ok(wallets) => Ok(wallets),
             Err(err) => {
@@ -175,21 +169,19 @@ impl OperatorSession {
         entries: Vec<NewEvmWalletAccess>,
     ) -> Result<(), Error> {
         let mut conn = self.props.db.get().await?;
-        conn.transaction(|conn| {
+        conn.transaction(async |conn| {
-            Box::pin(async move {
             use crate::db::schema::evm_wallet_access;
 
             for entry in entries {
                 diesel::insert_into(evm_wallet_access::table)
                     .values(&entry)
                     .on_conflict_do_nothing()
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
             }
 
             Result::<_, Error>::Ok(())
         })
-        })
         .await?;
         Ok(())
     }
@@ -200,19 +192,17 @@ impl OperatorSession {
         entries: Vec<i32>,
     ) -> Result<(), Error> {
         let mut conn = self.props.db.get().await?;
-        conn.transaction(|conn| {
+        conn.transaction(async |conn| {
-            Box::pin(async move {
             use crate::db::schema::evm_wallet_access;
             for entry in entries {
                 diesel::delete(evm_wallet_access::table)
                     .filter(evm_wallet_access::wallet_id.eq(entry))
-                        .execute(conn)
+                    .execute(&mut *conn)
                     .await?;
             }
 
             Result::<_, Error>::Ok(())
         })
-        })
         .await?;
         Ok(())
     }
@@ -222,8 +212,7 @@ impl OperatorSession {
         &mut self,
     ) -> Result<Vec<EvmWalletAccess>, Error> {
         let mut conn = self.props.db.get().await?;
-        use crate::db::schema::evm_wallet_access;
+        let access_entries = crate::db::schema::evm_wallet_access::table
-        let access_entries = evm_wallet_access::table
             .select(EvmWalletAccess::as_select())
             .load::<_>(&mut conn)
             .await?;

server/crates/arbiter-server/src/peers/operator/session/mod.rs

@@ -63,7 +63,7 @@ impl OperatorSession {
         Self {
             props,
             sender,
-            pending_client_approvals: Default::default(),
+            pending_client_approvals: HashMap::default(),
         }
     }
 }

server/crates/arbiter-server/tests/client/auth.rs

@@ -86,8 +86,8 @@ async fn insert_bootstrap_sentinel_operator(db: &db::DatabasePool) {
         .0
         .to_vec();
 
-    insert_into(schema::operator_identity::table)
+    insert_into(schema::operator_client::table)
-        .values((schema::operator_identity::public_key.eq(sentinel_key),))
+        .values((schema::operator_client::public_key.eq(sentinel_key),))
         .execute(&mut conn)
         .await
         .unwrap();

server/crates/arbiter-server/tests/operator/auth.rs

@@ -206,8 +206,8 @@ pub async fn bootstrap_token_auth() {
     task.await.unwrap().unwrap();
 
     let mut conn = db.get().await.unwrap();
-    let stored_pubkey: Vec<u8> = schema::operator_identity::table
+    let stored_pubkey: Vec<u8> = schema::operator_client::table
-        .select(schema::operator_identity::public_key)
+        .select(schema::operator_client::public_key)
         .first::<Vec<u8>>(&mut conn)
         .await
         .unwrap();
@@ -259,7 +259,7 @@ pub async fn bootstrap_invalid_token_auth() {
     ));
 
     let mut conn = db.get().await.unwrap();
-    let count: i64 = schema::operator_identity::table
+    let count: i64 = schema::operator_client::table
         .count()
         .get_result::<i64>(&mut conn)
         .await
@@ -285,9 +285,9 @@ pub async fn challenge_auth() {
 
     {
         let mut conn = db.get().await.unwrap();
-        let id: i32 = insert_into(schema::operator_identity::table)
+        let id: i32 = insert_into(schema::operator_client::table)
-            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
+            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
-            .returning(schema::operator_identity::id)
+            .returning(schema::operator_client::id)
             .get_result(&mut conn)
             .await
             .unwrap();
@@ -371,8 +371,8 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
 
     {
         let mut conn = db.get().await.unwrap();
-        insert_into(schema::operator_identity::table)
+        insert_into(schema::operator_client::table)
-            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
+            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
             .execute(&mut conn)
             .await
             .unwrap();
@@ -400,7 +400,7 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
     let challenge = match response {
         Ok(resp) => match resp {
             auth::Outbound::AuthChallenge { challenge } => challenge,
-            other => panic!("Expected AuthChallenge, got {other:?}"),
+            other @ auth::Outbound::AuthSuccess => panic!("Expected AuthChallenge, got {other:?}"),
         },
         Err(err) => panic!("Expected Ok response, got Err({err:?})"),
     };
@@ -444,9 +444,9 @@ pub async fn challenge_auth_rejects_invalid_signature() {
 
     {
         let mut conn = db.get().await.unwrap();
-        let id: i32 = insert_into(schema::operator_identity::table)
+        let id: i32 = insert_into(schema::operator_client::table)
-            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
+            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
-            .returning(schema::operator_identity::id)
+            .returning(schema::operator_client::id)
             .get_result(&mut conn)
             .await
             .unwrap();

server/crates/arbiter-server/tests/vault/lifecycle.rs

@@ -14,7 +14,7 @@ use diesel_async::RunQueryDsl;
 
 #[tokio::test]
 #[test_log::test]
-async fn test_bootstrap() {
+async fn bootstrap() {
     let db = db::create_test_pool().await;
     let mut actor = Vault::new(db.clone(), GlobalActors::spawn_message_bus())
         .await
@@ -39,7 +39,7 @@ async fn test_bootstrap() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_bootstrap_rejects_double() {
+async fn bootstrap_rejects_double() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -50,7 +50,7 @@ async fn test_bootstrap_rejects_double() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_create_new_before_bootstrap_fails() {
+async fn create_new_before_bootstrap_fails() {
     let db = db::create_test_pool().await;
     let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
         .await
@@ -65,7 +65,7 @@ async fn test_create_new_before_bootstrap_fails() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_decrypt_before_bootstrap_fails() {
+async fn decrypt_before_bootstrap_fails() {
     let db = db::create_test_pool().await;
     let mut actor = Vault::new(db, GlobalActors::spawn_message_bus())
         .await
@@ -77,7 +77,7 @@ async fn test_decrypt_before_bootstrap_fails() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_new_restores_sealed_state() {
+async fn new_restores_sealed_state() {
     let db = db::create_test_pool().await;
     let actor = common::bootstrapped_vault(&db).await;
     drop(actor);
@@ -91,7 +91,7 @@ async fn test_new_restores_sealed_state() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_unseal_correct_password() {
+async fn unseal_correct_password() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -114,7 +114,7 @@ async fn test_unseal_correct_password() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_unseal_wrong_then_correct_password() {
+async fn unseal_wrong_then_correct_password() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 

server/crates/arbiter-server/tests/vault/storage.rs

@@ -12,7 +12,7 @@ use std::collections::HashSet;
 
 #[tokio::test]
 #[test_log::test]
-async fn test_create_decrypt_roundtrip() {
+async fn create_decrypt_roundtrip() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -28,7 +28,7 @@ async fn test_create_decrypt_roundtrip() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_decrypt_nonexistent_returns_not_found() {
+async fn decrypt_nonexistent_returns_not_found() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -38,7 +38,7 @@ async fn test_decrypt_nonexistent_returns_not_found() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_ciphertext_differs_across_entries() {
+async fn ciphertext_differs_across_entries() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;
 
@@ -76,7 +76,7 @@ async fn test_ciphertext_differs_across_entries() {
 
 #[tokio::test]
 #[test_log::test]
-async fn test_nonce_never_reused() {
+async fn nonce_never_reused() {
     let db = db::create_test_pool().await;
     let mut actor = common::bootstrapped_vault(&db).await;