feat(server): implement useragent_delete_grant hard delete cleanup

2026-04-05 17:52:44 +02:00
22 changed files with 435 additions and 382 deletions
--- a/mise.lock
+++ b/mise.lock
@@ -48,10 +48,6 @@ backend = "cargo:cargo-features-manager"
 version = "1.46.3"
 backend = "cargo:cargo-insta"

-[[tools."cargo:cargo-mutants"]]
-version = "27.0.0"
-backend = "cargo:cargo-mutants"
-
 [[tools."cargo:cargo-nextest"]]
 version = "0.9.126"
 backend = "cargo:cargo-nextest"
@@ -115,37 +111,30 @@ backend = "core:python"
 [tools.python."platforms.linux-arm64"]
 checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
-provenance = "github-attestations"

 [tools.python."platforms.linux-arm64-musl"]
 checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
-provenance = "github-attestations"

 [tools.python."platforms.linux-x64"]
 checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
-provenance = "github-attestations"

 [tools.python."platforms.linux-x64-musl"]
 checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
-provenance = "github-attestations"

 [tools.python."platforms.macos-arm64"]
 checksum = "sha256:c43aecde4a663aebff99b9b83da0efec506479f1c3f98331442f33d2c43501f9"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-apple-darwin-install_only_stripped.tar.gz"
-provenance = "github-attestations"

 [tools.python."platforms.macos-x64"]
 checksum = "sha256:9ab41dbc2f100a2a45d1833b9c11165f51051c558b5213eda9a9731d5948a0c0"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-apple-darwin-install_only_stripped.tar.gz"
-provenance = "github-attestations"

 [tools.python."platforms.windows-x64"]
 checksum = "sha256:bbe19034b35b0267176a7442575ae7dc6343480fd4d35598cb7700173d431e09"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
-provenance = "github-attestations"

 [[tools.rust]]
 version = "1.93.0"
--- a/mise.toml
+++ b/mise.toml
@@ -12,7 +12,6 @@ protoc = "29.6"
 python = "3.14.3"
 ast-grep = "0.42.0"
 "cargo:cargo-edit" = "0.13.9"
-"cargo:cargo-mutants" = "27.0.0"

 [tasks.codegen]
 sources = ['protobufs/*.proto', 'protobufs/**/*.proto']
--- a/protobufs/shared/evm.proto
+++ b/protobufs/shared/evm.proto
@@ -36,10 +36,6 @@ message GasLimitExceededViolation {
 }

 message EvalViolation {
-  message ChainIdMismatch {
-    uint64 expected = 1;
-    uint64 actual = 2;
-  }
  oneof kind {
    bytes invalid_target = 1; // 20-byte Ethereum address
    GasLimitExceededViolation gas_limit_exceeded = 2;
@@ -47,8 +43,6 @@ message EvalViolation {
    google.protobuf.Empty volumetric_limit_exceeded = 4;
    google.protobuf.Empty invalid_time = 5;
    google.protobuf.Empty invalid_transaction_type = 6;
-
-    ChainIdMismatch chain_id_mismatch = 7;
  }
 }

--- a/server/.cargo/mutants.toml
+++ b/server/.cargo/mutants.toml
@@ -1 +0,0 @@
-test_tool = "nextest"
--- a/server/.gitignore
+++ b/server/.gitignore
@@ -1,2 +0,0 @@
-mutants.out/
-mutants.out.old/
--- a/server/Cargo.lock
+++ b/server/Cargo.lock
@@ -743,7 +743,6 @@ dependencies = [
 "k256",
 "kameo",
 "memsafe",
- "mutants",
 "pem",
 "postcard",
 "prost",
@@ -752,7 +751,6 @@ dependencies = [
 "rcgen",
 "restructed",
 "rsa",
- "rstest",
 "rustls",
 "secrecy",
 "serde",
@@ -3238,12 +3236,6 @@ version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084"

-[[package]]
-name = "mutants"
-version = "0.0.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "add0ac067452ff1aca8c5002111bd6b1c895baee6e45fcbc44e0193aea17be56"
-
 [[package]]
 name = "nom"
 version = "7.1.3"
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -44,4 +44,3 @@ sha2 = "0.10"
 spki = "0.7"
 prost = "0.14.3"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
-mutants = "0.0.4"
--- a/server/crates/arbiter-server/Cargo.toml
+++ b/server/crates/arbiter-server/Cargo.toml
@@ -61,9 +61,7 @@ anyhow = "1.0.102"
 postcard = { version = "1.1.3", features = ["use-std"] }
 serde = { version = "1.0.228", features = ["derive"] }
 serde_with = "3.18.0"
-mutants.workspace = true

 [dev-dependencies]
 insta = "1.46.3"
-rstest.workspace = true
 test-log = { version = "0.2", default-features = false, features = ["trace"] }
--- a/server/crates/arbiter-server/src/actors/evm/mod.rs
+++ b/server/crates/arbiter-server/src/actors/evm/mod.rs
@@ -1,17 +1,18 @@
 use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use diesel::{
-    ExpressionMethods, OptionalExtension as _, QueryDsl, SelectableHelper as _, dsl::insert_into,
+    BoolExpressionMethods as _, ExpressionMethods, OptionalExtension as _, QueryDsl,
+    SelectableHelper as _, dsl::insert_into,
 };
-use diesel_async::RunQueryDsl;
+use diesel_async::{AsyncConnection as _, RunQueryDsl};
 use kameo::{Actor, actor::ActorRef, messages};
 use rand::{SeedableRng, rng, rngs::StdRng};

 use crate::{
-    actors::keyholder::{CreateNew, Decrypt, GetState, KeyHolder, KeyHolderState},
+    actors::keyholder::{CreateNew, Decrypt, KeyHolder},
    crypto::integrity,
    db::{
        DatabaseError, DatabasePool,
-        models::{self, SqliteTimestamp},
+        models::{self},
        schema,
    },
    evm::{
@@ -159,27 +160,114 @@ impl EvmActor {

    #[message]
    pub async fn useragent_delete_grant(&mut self, grant_id: i32) -> Result<(), Error> {
-        // let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
-        // let keyholder = self.keyholder.clone();
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;

-        // diesel_async::AsyncConnection::transaction(&mut conn, |conn| {
-        //     Box::pin(async move {
-        //         diesel::update(schema::evm_basic_grant::table)
-        //             .filter(schema::evm_basic_grant::id.eq(grant_id))
-        //             .set(schema::evm_basic_grant::revoked_at.eq(SqliteTimestamp::now()))
-        //             .execute(conn)
-        //             .await?;
+        // We intentionally perform a hard delete here to avoid leaving revoked grants and their
+        // related rows as long-lived DB garbage. We also don't rely on SQLite FK cascades because
+        // they can be disabled per-connection.
+        conn.transaction(|conn| {
+            Box::pin(async move {
+                // First, resolve policy-specific rows by basic grant id.
+                let token_grant_id: Option<i32> = schema::evm_token_transfer_grant::table
+                    .select(schema::evm_token_transfer_grant::id)
+                    .filter(schema::evm_token_transfer_grant::basic_grant_id.eq(grant_id))
+                    .first::<i32>(conn)
+                    .await
+                    .optional()?;

-        //         let signed = integrity::evm::load_signed_grant_by_basic_id(conn, grant_id).await?;
+                let ether_grant: Option<(i32, i32)> = schema::evm_ether_transfer_grant::table
+                    .select((
+                        schema::evm_ether_transfer_grant::id,
+                        schema::evm_ether_transfer_grant::limit_id,
+                    ))
+                    .filter(schema::evm_ether_transfer_grant::basic_grant_id.eq(grant_id))
+                    .first::<(i32, i32)>(conn)
+                    .await
+                    .optional()?;

-        //         diesel::result::QueryResult::Ok(())
-        //     })
-        // })
-        // .await
-        // .map_err(DatabaseError::from)?;
+                // Token-transfer: logs must be deleted before transaction logs (FK restrict).
+                if let Some(token_grant_id) = token_grant_id {
+                    diesel::delete(
+                        schema::evm_token_transfer_log::table
+                            .filter(schema::evm_token_transfer_log::grant_id.eq(token_grant_id)),
+                    )
+                    .execute(conn)
+                    .await?;

-        // Ok(())
-        todo!()
+                    diesel::delete(schema::evm_token_transfer_volume_limit::table.filter(
+                        schema::evm_token_transfer_volume_limit::grant_id.eq(token_grant_id),
+                    ))
+                    .execute(conn)
+                    .await?;
+
+                    diesel::delete(
+                        schema::evm_token_transfer_grant::table
+                            .filter(schema::evm_token_transfer_grant::id.eq(token_grant_id)),
+                    )
+                    .execute(conn)
+                    .await?;
+                }
+
+                // Shared transaction logs for any grant kind.
+                diesel::delete(
+                    schema::evm_transaction_log::table
+                        .filter(schema::evm_transaction_log::grant_id.eq(grant_id)),
+                )
+                .execute(conn)
+                .await?;
+
+                // Ether-transfer: delete targets, grant row, then its limit row.
+                if let Some((ether_grant_id, limit_id)) = ether_grant {
+                    diesel::delete(schema::evm_ether_transfer_grant_target::table.filter(
+                        schema::evm_ether_transfer_grant_target::grant_id.eq(ether_grant_id),
+                    ))
+                    .execute(conn)
+                    .await?;
+
+                    diesel::delete(
+                        schema::evm_ether_transfer_grant::table
+                            .filter(schema::evm_ether_transfer_grant::id.eq(ether_grant_id)),
+                    )
+                    .execute(conn)
+                    .await?;
+
+                    diesel::delete(
+                        schema::evm_ether_transfer_limit::table
+                            .filter(schema::evm_ether_transfer_limit::id.eq(limit_id)),
+                    )
+                    .execute(conn)
+                    .await?;
+                }
+
+                // Integrity envelopes are not FK-constrained; delete only grant-related kinds to
+                // avoid accidentally deleting other entities that share the same integer ID.
+                let entity_id = grant_id.to_be_bytes().to_vec();
+                diesel::delete(
+                    schema::integrity_envelope::table
+                        .filter(schema::integrity_envelope::entity_id.eq(entity_id))
+                        .filter(
+                            schema::integrity_envelope::entity_kind
+                                .eq("EtherTransfer")
+                                .or(schema::integrity_envelope::entity_kind.eq("TokenTransfer")),
+                        ),
+                )
+                .execute(conn)
+                .await?;
+
+                // Finally remove the basic grant row itself (idempotent if it doesn't exist).
+                diesel::delete(
+                    schema::evm_basic_grant::table.filter(schema::evm_basic_grant::id.eq(grant_id)),
+                )
+                .execute(conn)
+                .await?;
+
+                diesel::result::QueryResult::Ok(())
+            })
+        })
+        .await
+        .map_err(DatabaseError::from)?;
+
+        Ok(())
    }

    #[message]
@@ -271,3 +359,6 @@ impl EvmActor {
        Ok(signer.sign_transaction_sync(&mut transaction)?)
    }
 }
+
+#[cfg(test)]
+mod tests;
--- a/server/crates/arbiter-server/src/actors/evm/tests.rs
+++ b/server/crates/arbiter-server/src/actors/evm/tests.rs
@@ -0,0 +1,283 @@
+use diesel::{ExpressionMethods as _, QueryDsl as _, dsl::insert_into};
+use diesel_async::RunQueryDsl;
+use kameo::actor::Spawn as _;
+
+use crate::{
+    actors::{evm::EvmActor, keyholder::KeyHolder},
+    db::{self, models, schema},
+};
+
+#[tokio::test]
+async fn delete_ether_grant_cleans_related_tables() {
+    let db = db::create_test_pool().await;
+    let keyholder = KeyHolder::spawn(KeyHolder::new(db.clone()).await.unwrap());
+    let mut actor = EvmActor::new(keyholder, db.clone());
+
+    let mut conn = db.get().await.unwrap();
+
+    let basic_id: i32 = insert_into(schema::evm_basic_grant::table)
+        .values(&models::NewEvmBasicGrant {
+            wallet_access_id: 1,
+            chain_id: 1,
+            valid_from: None,
+            valid_until: None,
+            max_gas_fee_per_gas: None,
+            max_priority_fee_per_gas: None,
+            rate_limit_count: None,
+            rate_limit_window_secs: None,
+            revoked_at: None,
+        })
+        .returning(schema::evm_basic_grant::id)
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+
+    let limit_id: i32 = insert_into(schema::evm_ether_transfer_limit::table)
+        .values(&models::NewEvmEtherTransferLimit {
+            window_secs: 60,
+            max_volume: vec![1],
+        })
+        .returning(schema::evm_ether_transfer_limit::id)
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+
+    let ether_grant_id: i32 = insert_into(schema::evm_ether_transfer_grant::table)
+        .values(&models::NewEvmEtherTransferGrant {
+            basic_grant_id: basic_id,
+            limit_id,
+        })
+        .returning(schema::evm_ether_transfer_grant::id)
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+
+    insert_into(schema::evm_ether_transfer_grant_target::table)
+        .values(&models::NewEvmEtherTransferGrantTarget {
+            grant_id: ether_grant_id,
+            address: vec![0u8; 20],
+        })
+        .execute(&mut conn)
+        .await
+        .unwrap();
+
+    insert_into(schema::evm_transaction_log::table)
+        .values(&models::NewEvmTransactionLog {
+            grant_id: basic_id,
+            wallet_access_id: 1,
+            chain_id: 1,
+            eth_value: vec![0],
+            signed_at: models::SqliteTimestamp::now(),
+        })
+        .execute(&mut conn)
+        .await
+        .unwrap();
+
+    insert_into(schema::integrity_envelope::table)
+        .values(&models::NewIntegrityEnvelope {
+            entity_kind: "EtherTransfer".to_owned(),
+            entity_id: basic_id.to_be_bytes().to_vec(),
+            payload_version: 1,
+            key_version: 1,
+            mac: vec![0u8; 32],
+        })
+        .execute(&mut conn)
+        .await
+        .unwrap();
+
+    drop(conn);
+
+    actor.useragent_delete_grant(basic_id).await.unwrap();
+
+    // Idempotency: second delete should be a no-op.
+    actor.useragent_delete_grant(basic_id).await.unwrap();
+
+    let mut conn = db.get().await.unwrap();
+
+    let basic_count: i64 = schema::evm_basic_grant::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(basic_count, 0);
+
+    let ether_grant_count: i64 = schema::evm_ether_transfer_grant::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(ether_grant_count, 0);
+
+    let target_count: i64 = schema::evm_ether_transfer_grant_target::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(target_count, 0);
+
+    let limit_count: i64 = schema::evm_ether_transfer_limit::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(limit_count, 0);
+
+    let log_count: i64 = schema::evm_transaction_log::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(log_count, 0);
+
+    let envelope_count: i64 = schema::integrity_envelope::table
+        .filter(schema::integrity_envelope::entity_kind.eq("EtherTransfer"))
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(envelope_count, 0);
+}
+
+#[tokio::test]
+async fn delete_token_grant_cleans_related_tables() {
+    let db = db::create_test_pool().await;
+    let keyholder = KeyHolder::spawn(KeyHolder::new(db.clone()).await.unwrap());
+    let mut actor = EvmActor::new(keyholder, db.clone());
+
+    let mut conn = db.get().await.unwrap();
+
+    let basic_id: i32 = insert_into(schema::evm_basic_grant::table)
+        .values(&models::NewEvmBasicGrant {
+            wallet_access_id: 1,
+            chain_id: 1,
+            valid_from: None,
+            valid_until: None,
+            max_gas_fee_per_gas: None,
+            max_priority_fee_per_gas: None,
+            rate_limit_count: None,
+            rate_limit_window_secs: None,
+            revoked_at: None,
+        })
+        .returning(schema::evm_basic_grant::id)
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+
+    let token_grant_id: i32 = insert_into(schema::evm_token_transfer_grant::table)
+        .values(&models::NewEvmTokenTransferGrant {
+            basic_grant_id: basic_id,
+            token_contract: vec![1u8; 20],
+            receiver: None,
+        })
+        .returning(schema::evm_token_transfer_grant::id)
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+
+    insert_into(schema::evm_token_transfer_volume_limit::table)
+        .values(&models::NewEvmTokenTransferVolumeLimit {
+            grant_id: token_grant_id,
+            window_secs: 60,
+            max_volume: vec![1],
+        })
+        .execute(&mut conn)
+        .await
+        .unwrap();
+
+    insert_into(schema::evm_token_transfer_volume_limit::table)
+        .values(&models::NewEvmTokenTransferVolumeLimit {
+            grant_id: token_grant_id,
+            window_secs: 3600,
+            max_volume: vec![2],
+        })
+        .execute(&mut conn)
+        .await
+        .unwrap();
+
+    let tx_log_id: i32 = insert_into(schema::evm_transaction_log::table)
+        .values(&models::NewEvmTransactionLog {
+            grant_id: basic_id,
+            wallet_access_id: 1,
+            chain_id: 1,
+            eth_value: vec![0],
+            signed_at: models::SqliteTimestamp::now(),
+        })
+        .returning(schema::evm_transaction_log::id)
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+
+    insert_into(schema::evm_token_transfer_log::table)
+        .values(&models::NewEvmTokenTransferLog {
+            grant_id: token_grant_id,
+            log_id: tx_log_id,
+            chain_id: 1,
+            token_contract: vec![1u8; 20],
+            recipient_address: vec![2u8; 20],
+            value: vec![3],
+        })
+        .execute(&mut conn)
+        .await
+        .unwrap();
+
+    insert_into(schema::integrity_envelope::table)
+        .values(&models::NewIntegrityEnvelope {
+            entity_kind: "TokenTransfer".to_owned(),
+            entity_id: basic_id.to_be_bytes().to_vec(),
+            payload_version: 1,
+            key_version: 1,
+            mac: vec![0u8; 32],
+        })
+        .execute(&mut conn)
+        .await
+        .unwrap();
+
+    drop(conn);
+
+    actor.useragent_delete_grant(basic_id).await.unwrap();
+
+    let mut conn = db.get().await.unwrap();
+
+    let basic_count: i64 = schema::evm_basic_grant::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(basic_count, 0);
+
+    let token_grant_count: i64 = schema::evm_token_transfer_grant::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(token_grant_count, 0);
+
+    let token_limits_count: i64 = schema::evm_token_transfer_volume_limit::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(token_limits_count, 0);
+
+    let token_logs_count: i64 = schema::evm_token_transfer_log::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(token_logs_count, 0);
+
+    let tx_logs_count: i64 = schema::evm_transaction_log::table
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(tx_logs_count, 0);
+
+    let envelope_count: i64 = schema::integrity_envelope::table
+        .filter(schema::integrity_envelope::entity_kind.eq("TokenTransfer"))
+        .count()
+        .get_result(&mut conn)
+        .await
+        .unwrap();
+    assert_eq!(envelope_count, 0);
+}
--- a/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
@@ -103,6 +103,7 @@ async fn verify_integrity(
    })?;

    Ok(())
+
 }

 async fn create_nonce(
--- a/server/crates/arbiter-server/src/actors/user_agent/mod.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/mod.rs
@@ -1,7 +1,5 @@
 use crate::{
-    actors::{GlobalActors, client::ClientProfile},
-    crypto::integrity::Integrable,
-    db::{self, models::KeyType},
+    actors::{GlobalActors, client::ClientProfile}, crypto::integrity::Integrable, db::{self, models::KeyType}
 };

 fn serialize_ecdsa<S>(key: &k256::ecdsa::VerifyingKey, serializer: S) -> Result<S::Ok, S::Error>
@@ -46,10 +44,7 @@ where
 pub enum AuthPublicKey {
    Ed25519(ed25519_dalek::VerifyingKey),
    /// Compressed SEC1 public key; signature bytes are raw 64-byte (r||s).
-    #[serde(
-        serialize_with = "serialize_ecdsa",
-        deserialize_with = "deserialize_ecdsa"
-    )]
+    #[serde(serialize_with = "serialize_ecdsa", deserialize_with = "deserialize_ecdsa")]
    EcdsaSecp256k1(k256::ecdsa::VerifyingKey),
    /// RSA-2048+ public key (Windows Hello / KeyCredentialManager); signature bytes are PSS+SHA-256.
    Rsa(rsa::RsaPublicKey),
@@ -58,7 +53,7 @@ pub enum AuthPublicKey {
 #[derive(Debug, Serialize)]
 pub struct UserAgentCredentials {
    pub pubkey: AuthPublicKey,
-    pub nonce: i32,
+    pub nonce: i32
 }

 impl Integrable for UserAgentCredentials {
--- a/server/crates/arbiter-server/src/crypto/integrity/v1.rs
+++ b/server/crates/arbiter-server/src/crypto/integrity/v1.rs
@@ -1,4 +1,4 @@
-use crate::{actors::keyholder, crypto::KeyCell, safe_cell::SafeCellHandle as _};
+use crate::{actors::keyholder, crypto::KeyCell,safe_cell::SafeCellHandle as _};
 use chacha20poly1305::Key;
 use hmac::{Hmac, Mac as _};
 use serde::Serialize;
@@ -128,7 +128,7 @@ pub async fn sign_entity<E: Integrable>(
        .values(NewIntegrityEnvelope {
            entity_kind: E::KIND.to_owned(),
            entity_id: entity_id,
-            payload_version: E::VERSION,
+            payload_version: E::VERSION ,
            key_version,
            mac: mac.to_vec(),
        })
@@ -162,9 +162,7 @@ pub async fn verify_entity<E: Integrable>(
        .first(conn)
        .await
        .map_err(|err| match err {
-            diesel::result::Error::NotFound => Error::MissingEnvelope {
-                entity_kind: E::KIND,
-            },
+            diesel::result::Error::NotFound => Error::MissingEnvelope { entity_kind: E::KIND },
            other => Error::Database(db::DatabaseError::from(other)),
        })?;

@@ -178,7 +176,12 @@ pub async fn verify_entity<E: Integrable>(

    let payload = postcard::to_stdvec(entity)?;
    let payload_hash = payload_hash(&payload);
-    let mac_input = build_mac_input(E::KIND, &entity_id, envelope.payload_version, &payload_hash);
+    let mac_input = build_mac_input(
+        E::KIND,
+        &entity_id,
+        envelope.payload_version,
+        &payload_hash,
+    );

    let result = keyholder
        .ask(VerifyIntegrity {
@@ -186,16 +189,13 @@ pub async fn verify_entity<E: Integrable>(
            expected_mac: envelope.mac,
            key_version: envelope.key_version,
        })
-        .await;
+        .await
+        ;

    match result {
        Ok(true) => Ok(AttestationStatus::Attested),
-        Ok(false) => Err(Error::MacMismatch {
-            entity_kind: E::KIND,
-        }),
-        Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => {
-            Ok(AttestationStatus::Unavailable)
-        }
+        Ok(false) => Err(Error::MacMismatch { entity_kind: E::KIND }),
+        Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => Ok(AttestationStatus::Unavailable),
        Err(_) => Err(Error::KeyholderSend),
    }
 }
@@ -248,9 +248,7 @@ mod tests {
            payload: b"payload-v1".to_vec(),
        };

-        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
-            .await
-            .unwrap();
+        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID).await.unwrap();

        let count: i64 = schema::integrity_envelope::table
            .filter(schema::integrity_envelope::entity_kind.eq("dummy_entity"))
@@ -261,9 +259,7 @@ mod tests {
            .unwrap();

        assert_eq!(count, 1, "envelope row must be created exactly once");
-        verify_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
-            .await
-            .unwrap();
+        verify_entity(&mut conn, &keyholder, &entity, ENTITY_ID).await.unwrap();
    }

    #[tokio::test]
@@ -279,9 +275,7 @@ mod tests {
            payload: b"payload-v1".to_vec(),
        };

-        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
-            .await
-            .unwrap();
+        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID).await.unwrap();

        diesel::update(schema::integrity_envelope::table)
            .filter(schema::integrity_envelope::entity_kind.eq("dummy_entity"))
@@ -310,9 +304,7 @@ mod tests {
            payload: b"payload-v1".to_vec(),
        };

-        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
-            .await
-            .unwrap();
+        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID).await.unwrap();

        let tampered = DummyEntity {
            payload: b"payload-v1-but-tampered".to_vec(),
--- a/server/crates/arbiter-server/src/crypto/mod.rs
+++ b/server/crates/arbiter-server/src/crypto/mod.rs
@@ -102,21 +102,11 @@ impl KeyCell {
    }
 }

+/// User password might be of different length, have not enough entropy, etc...
 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
 pub fn derive_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
-    let params = {
-        #[cfg(debug_assertions)]
-        {
-            argon2::Params::new(8, 1, 1, None).unwrap()
-        }
-
-        #[cfg(not(debug_assertions))]
-        {
-            argon2::Params::new(262_144, 3, 4, None).unwrap()
-        }
-    };
-
    #[allow(clippy::unwrap_used)]
+    let params = argon2::Params::new(262_144, 3, 4, None).unwrap();
    let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params);
    let mut key = SafeCell::new(Key::default());
    password.read_inline(|password_source| {
--- a/server/crates/arbiter-server/src/db/mod.rs
+++ b/server/crates/arbiter-server/src/db/mod.rs
@@ -133,7 +133,6 @@ pub async fn create_pool(url: Option<&str>) -> Result<DatabasePool, DatabaseSetu
    Ok(pool)
 }

-#[mutants::skip]
 pub async fn create_test_pool() -> DatabasePool {
    use rand::distr::{Alphanumeric, SampleString as _};

--- a/server/crates/arbiter-server/src/evm/mod.rs
+++ b/server/crates/arbiter-server/src/evm/mod.rs
@@ -21,8 +21,8 @@ use crate::{
        schema::{self, evm_transaction_log},
    },
    evm::policies::{
-        CombinedSettings, DatabaseID, EvalContext, EvalViolation, Grant, Policy,
-        SharedGrantSettings, SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
+        DatabaseID, EvalContext, EvalViolation, Grant, Policy, CombinedSettings, SharedGrantSettings,
+        SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
        token_transfers::TokenTransfer,
    },
 };
@@ -90,14 +90,6 @@ async fn check_shared_constraints(
    let mut violations = Vec::new();
    let now = Utc::now();

-    if shared.chain != context.chain {
-        violations.push(EvalViolation::MismatchingChainId {
-            expected: shared.chain,
-            actual: context.chain,
-        });
-        return Ok(violations);
-    }
-
    // Validity window
    if shared.valid_from.is_some_and(|t| now < t) || shared.valid_until.is_some_and(|t| now > t) {
        violations.push(EvalViolation::InvalidTime);
@@ -258,7 +250,12 @@ impl Engine {

                    P::create_grant(&basic_grant, &full_grant.specific, conn).await?;

-                    integrity::sign_entity(conn, &keyholder, &full_grant, basic_grant.id)
+                    integrity::sign_entity(
+                        conn,
+                        &keyholder,
+                        &full_grant,
+                    basic_grant.id,
+                    )
                    .await
                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;

@@ -345,255 +342,3 @@ impl Engine {
        Err(VetError::UnsupportedTransactionType)
    }
 }
-
-#[cfg(test)]
-mod tests {
-    use alloy::primitives::{Address, Bytes, U256, address};
-    use chrono::{Duration, Utc};
-    use diesel::{SelectableHelper, insert_into};
-    use diesel_async::RunQueryDsl;
-    use rstest::rstest;
-
-    use crate::db::{
-        self, DatabaseConnection,
-        models::{
-            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
-        },
-        schema::{evm_basic_grant, evm_transaction_log},
-    };
-    use crate::evm::policies::{
-        EvalContext, EvalViolation, SharedGrantSettings, TransactionRateLimit,
-    };
-
-    use super::check_shared_constraints;
-
-    const WALLET_ACCESS_ID: i32 = 1;
-    const CHAIN_ID: u64 = 1;
-    const RECIPIENT: Address = address!("1111111111111111111111111111111111111111");
-
-    fn context() -> EvalContext {
-        EvalContext {
-            target: EvmWalletAccess {
-                id: WALLET_ACCESS_ID,
-                wallet_id: 10,
-                client_id: 20,
-                created_at: SqliteTimestamp(Utc::now()),
-            },
-            chain: CHAIN_ID,
-            to: RECIPIENT,
-            value: U256::ZERO,
-            calldata: Bytes::new(),
-            max_fee_per_gas: 100,
-            max_priority_fee_per_gas: 10,
-        }
-    }
-
-    fn shared_settings() -> SharedGrantSettings {
-        SharedGrantSettings {
-            wallet_access_id: WALLET_ACCESS_ID,
-            chain: CHAIN_ID,
-            valid_from: None,
-            valid_until: None,
-            max_gas_fee_per_gas: None,
-            max_priority_fee_per_gas: None,
-            rate_limit: None,
-        }
-    }
-
-    async fn insert_basic_grant(
-        conn: &mut DatabaseConnection,
-        shared: &SharedGrantSettings,
-    ) -> EvmBasicGrant {
-        insert_into(evm_basic_grant::table)
-            .values(NewEvmBasicGrant {
-                wallet_access_id: shared.wallet_access_id,
-                chain_id: shared.chain as i32,
-                valid_from: shared.valid_from.map(SqliteTimestamp),
-                valid_until: shared.valid_until.map(SqliteTimestamp),
-                max_gas_fee_per_gas: shared
-                    .max_gas_fee_per_gas
-                    .map(|fee| super::utils::u256_to_bytes(fee).to_vec()),
-                max_priority_fee_per_gas: shared
-                    .max_priority_fee_per_gas
-                    .map(|fee| super::utils::u256_to_bytes(fee).to_vec()),
-                rate_limit_count: shared.rate_limit.as_ref().map(|limit| limit.count as i32),
-                rate_limit_window_secs: shared
-                    .rate_limit
-                    .as_ref()
-                    .map(|limit| limit.window.num_seconds() as i32),
-                revoked_at: None,
-            })
-            .returning(EvmBasicGrant::as_select())
-            .get_result(conn)
-            .await
-            .unwrap()
-    }
-
-    #[rstest]
-    #[case::matching_chain(CHAIN_ID, false)]
-    #[case::mismatching_chain(CHAIN_ID + 1, true)]
-    #[tokio::test]
-    async fn check_shared_constraints_enforces_chain_id(
-        #[case] context_chain: u64,
-        #[case] expect_mismatch: bool,
-    ) {
-        let db = db::create_test_pool().await;
-        let mut conn = db.get().await.unwrap();
-
-        let context = EvalContext {
-            chain: context_chain,
-            ..context()
-        };
-
-        let violations = check_shared_constraints(&context, &shared_settings(), 999, &mut *conn)
-            .await
-            .unwrap();
-
-        assert_eq!(
-            violations
-                .iter()
-                .any(|violation| matches!(violation, EvalViolation::MismatchingChainId { .. })),
-            expect_mismatch
-        );
-
-        if expect_mismatch {
-            assert_eq!(violations.len(), 1);
-        } else {
-            assert!(violations.is_empty());
-        }
-    }
-
-    #[rstest]
-    #[case::valid_from_in_bounds(Some(Utc::now() - Duration::hours(1)), None, false)]
-    #[case::valid_from_out_of_bounds(Some(Utc::now() + Duration::hours(1)), None, true)]
-    #[case::valid_until_in_bounds(None, Some(Utc::now() + Duration::hours(1)), false)]
-    #[case::valid_until_out_of_bounds(None, Some(Utc::now() - Duration::hours(1)), true)]
-    #[tokio::test]
-    async fn check_shared_constraints_enforces_validity_window(
-        #[case] valid_from: Option<chrono::DateTime<Utc>>,
-        #[case] valid_until: Option<chrono::DateTime<Utc>>,
-        #[case] expect_invalid_time: bool,
-    ) {
-        let db = db::create_test_pool().await;
-        let mut conn = db.get().await.unwrap();
-
-        let shared = SharedGrantSettings {
-            valid_from,
-            valid_until,
-            ..shared_settings()
-        };
-
-        let violations = check_shared_constraints(&context(), &shared, 999, &mut *conn)
-            .await
-            .unwrap();
-
-        assert_eq!(
-            violations
-                .iter()
-                .any(|violation| matches!(violation, EvalViolation::InvalidTime)),
-            expect_invalid_time
-        );
-
-        if expect_invalid_time {
-            assert_eq!(violations.len(), 1);
-        } else {
-            assert!(violations.is_empty());
-        }
-    }
-
-    #[rstest]
-    #[case::max_fee_within_limit(Some(U256::from(100u64)), None, 100, 10, false)]
-    #[case::max_fee_exceeded(Some(U256::from(99u64)), None, 100, 10, true)]
-    #[case::priority_fee_within_limit(None, Some(U256::from(10u64)), 100, 10, false)]
-    #[case::priority_fee_exceeded(None, Some(U256::from(9u64)), 100, 10, true)]
-    #[tokio::test]
-    async fn check_shared_constraints_enforces_gas_fee_caps(
-        #[case] max_gas_fee_per_gas: Option<U256>,
-        #[case] max_priority_fee_per_gas: Option<U256>,
-        #[case] actual_max_fee_per_gas: u128,
-        #[case] actual_max_priority_fee_per_gas: u128,
-        #[case] expect_gas_limit_violation: bool,
-    ) {
-        let db = db::create_test_pool().await;
-        let mut conn = db.get().await.unwrap();
-
-        let context = EvalContext {
-            max_fee_per_gas: actual_max_fee_per_gas,
-            max_priority_fee_per_gas: actual_max_priority_fee_per_gas,
-            ..context()
-        };
-
-        let shared = SharedGrantSettings {
-            max_gas_fee_per_gas,
-            max_priority_fee_per_gas,
-            ..shared_settings()
-        };
-        let violations = check_shared_constraints(&context, &shared, 999, &mut *conn)
-            .await
-            .unwrap();
-
-        assert_eq!(
-            violations
-                .iter()
-                .any(|violation| matches!(violation, EvalViolation::GasLimitExceeded { .. })),
-            expect_gas_limit_violation
-        );
-
-        if expect_gas_limit_violation {
-            assert_eq!(violations.len(), 1);
-        } else {
-            assert!(violations.is_empty());
-        }
-    }
-
-    #[rstest]
-    #[case::under_rate_limit(2, false)]
-    #[case::at_rate_limit(1, true)]
-    #[tokio::test]
-    async fn check_shared_constraints_enforces_rate_limit(
-        #[case] rate_limit_count: u32,
-        #[case] expect_rate_limit_violation: bool,
-    ) {
-        let db = db::create_test_pool().await;
-        let mut conn = db.get().await.unwrap();
-
-        let shared = SharedGrantSettings {
-            rate_limit: Some(TransactionRateLimit {
-                count: rate_limit_count,
-                window: Duration::hours(1),
-            }),
-            ..shared_settings()
-        };
-
-        let basic_grant = insert_basic_grant(&mut conn, &shared).await;
-
-        insert_into(evm_transaction_log::table)
-            .values(NewEvmTransactionLog {
-                grant_id: basic_grant.id,
-                wallet_access_id: WALLET_ACCESS_ID,
-                chain_id: CHAIN_ID as i32,
-                eth_value: super::utils::u256_to_bytes(U256::ZERO).to_vec(),
-                signed_at: SqliteTimestamp(Utc::now()),
-            })
-            .execute(&mut *conn)
-            .await
-            .unwrap();
-
-        let violations = check_shared_constraints(&context(), &shared, basic_grant.id, &mut *conn)
-            .await
-            .unwrap();
-
-        assert_eq!(
-            violations
-                .iter()
-                .any(|violation| matches!(violation, EvalViolation::RateLimitExceeded)),
-            expect_rate_limit_violation
-        );
-
-        if expect_rate_limit_violation {
-            assert_eq!(violations.len(), 1);
-        } else {
-            assert!(violations.is_empty());
-        }
-    }
-}
--- a/server/crates/arbiter-server/src/evm/policies.rs
+++ b/server/crates/arbiter-server/src/evm/policies.rs
@@ -11,9 +11,7 @@ use serde::Serialize;
 use thiserror::Error;

 use crate::{
-    crypto::integrity::v1::Integrable,
-    db::models::{self, EvmBasicGrant, EvmWalletAccess},
-    evm::utils,
+    crypto::integrity::v1::Integrable, db::models::{self, EvmBasicGrant, EvmWalletAccess}, evm::utils
 };

 pub mod ether_transfer;
@@ -57,9 +55,6 @@ pub enum EvalViolation {

    #[error("Transaction type is not allowed by this grant")]
    InvalidTransactionType,
-
-    #[error("Mismatching chain ID")]
-    MismatchingChainId { expected: ChainId, actual: ChainId },
 }

 pub type DatabaseID = i32;
@@ -220,3 +215,4 @@ impl<P: Integrable> Integrable for CombinedSettings<P> {
    const KIND: &'static str = P::KIND;
    const VERSION: i32 = P::VERSION;
 }
+
--- a/server/crates/arbiter-server/src/grpc/common/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/common/outbound.rs
@@ -8,7 +8,7 @@ use arbiter_proto::proto::{
        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation, NoMatchingGrantError,
        PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
        TokenInfo as ProtoTokenInfo, TransactionEvalError as ProtoTransactionEvalError,
-        eval_violation as proto_eval_violation, eval_violation::Kind as ProtoEvalViolationKind,
+        eval_violation::Kind as ProtoEvalViolationKind,
        specific_meaning::Meaning as ProtoSpecificMeaningKind,
        transaction_eval_error::Kind as ProtoTransactionEvalErrorKind,
    },
@@ -79,12 +79,6 @@ impl Convert for EvalViolation {
            EvalViolation::InvalidTransactionType => {
                ProtoEvalViolationKind::InvalidTransactionType(())
            }
-            EvalViolation::MismatchingChainId { expected, actual } => {
-                ProtoEvalViolationKind::ChainIdMismatch(proto_eval_violation::ChainIdMismatch {
-                    expected,
-                    actual,
-                })
-            }
        };

        ProtoEvalViolation { kind: Some(kind) }
@@ -114,7 +108,7 @@ impl Convert for VetError {
                        violations: violations.into_iter().map(Convert::convert).collect(),
                    })
                }
-                PolicyError::Database(_) | PolicyError::Integrity(_) => {
+                PolicyError::Database(_)| PolicyError::Integrity(_) => {
                    return EvmSignTransactionResult::Error(ProtoEvmError::Internal.into());
                }
            },
--- a/server/crates/arbiter-server/src/main.rs
+++ b/server/crates/arbiter-server/src/main.rs
@@ -10,7 +10,6 @@ use tracing::info;
 const PORT: u16 = 50051;

 #[tokio::main]
-#[mutants::skip]
 async fn main() -> anyhow::Result<()> {
    aws_lc_rs::default_provider().install_default().unwrap();