Merge branch 'main' into security-hash-revoke_at

security(evm): remove client-controlled wallet_access_id from grant revocation
feat(evm): add wallet_access_id to grant deletion requests and revocation logic
2026-06-09 20:58:20 +02:00 · 2026-06-09 19:36:44 +02:00 · 2026-06-09 19:16:21 +02:00 · 2026-06-09 19:11:39 +02:00 · 2026-06-09 19:10:57 +02:00 · 2026-06-09 18:45:30 +02:00
29 changed files with 458 additions and 605 deletions
--- a/mise.toml
+++ b/mise.toml
@@ -22,5 +22,3 @@ run = '''
 dart pub global activate protoc_plugin && \
 protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ $(find protobufs -name '*.proto' | sort)
 '''
-
-[tasks.generate_schema]
--- a/protobufs/shared/vault.proto
+++ b/protobufs/shared/vault.proto
@@ -5,8 +5,7 @@ package arbiter.shared;
 enum VaultState {
  VAULT_STATE_UNSPECIFIED = 0;
  VAULT_STATE_UNBOOTSTRAPPED = 1;
-  VAULT_STATE_BOOSTRAPPING = 2;
-  VAULT_STATE_SEALED = 3;
-  VAULT_STATE_UNSEALED = 4;
-  VAULT_STATE_ERROR = 5;
+  VAULT_STATE_SEALED = 2;
+  VAULT_STATE_UNSEALED = 3;
+  VAULT_STATE_ERROR = 4;
 }
--- a/server/Cargo.lock
+++ b/server/Cargo.lock
@@ -24,7 +24,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
 dependencies = [
 "crypto-common 0.1.7",
- "generic-array 0.14.7",
+ "generic-array",
 ]

 [[package]]
@@ -786,7 +786,6 @@ dependencies = [
 "tonic",
 "tracing",
 "tracing-subscriber",
- "vsss-rs",
 "x25519-dalek 2.0.1",
 ]

@@ -1284,7 +1283,7 @@ version = "0.10.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
 dependencies = [
- "generic-array 0.14.7",
+ "generic-array",
 ]

 [[package]]
@@ -1613,22 +1612,8 @@ version = "0.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
 dependencies = [
- "generic-array 0.14.7",
+ "generic-array",
 "rand_core 0.6.4",
- "serdect 0.2.0",
- "subtle",
- "zeroize",
-]
-
-[[package]]
-name = "crypto-bigint"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96272c2ff28b807e09250b180ad1fb7889a3258f7455759b5c3c58b719467130"
-dependencies = [
- "num-traits",
- "rand_core 0.6.4",
- "serdect 0.3.0",
 "subtle",
 "zeroize",
 ]
@@ -1639,7 +1624,7 @@ version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
 dependencies = [
- "generic-array 0.14.7",
+ "generic-array",
 "rand_core 0.6.4",
 "typenum",
 ]
@@ -1942,7 +1927,7 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
 dependencies = [
- "generic-array 0.14.7",
+ "generic-array",
 ]

 [[package]]
@@ -2022,7 +2007,7 @@ dependencies = [
 "digest 0.10.7",
 "elliptic-curve",
 "rfc6979",
- "serdect 0.2.0",
+ "serdect",
 "signature 2.2.0",
 "spki 0.7.3",
 ]
@@ -2055,32 +2040,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
 dependencies = [
 "base16ct",
- "crypto-bigint 0.5.5",
+ "crypto-bigint",
 "digest 0.10.7",
 "ff",
- "generic-array 0.14.7",
+ "generic-array",
 "group",
- "hkdf",
 "pkcs8 0.10.2",
 "rand_core 0.6.4",
 "sec1",
- "serdect 0.2.0",
+ "serdect",
 "subtle",
- "tap",
- "zeroize",
-]
-
-[[package]]
-name = "elliptic-curve-tools"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1de2b6fae800f08032a6ea32995b52925b1d451bff9d445c8ab2932323277faf"
-dependencies = [
- "elliptic-curve",
- "heapless",
- "hex",
- "multiexp",
- "serde",
 "zeroize",
 ]

@@ -2154,7 +2123,6 @@ version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
 dependencies = [
- "bitvec",
 "rand_core 0.6.4",
 "subtle",
 ]
@@ -2355,17 +2323,6 @@ dependencies = [
 "zeroize",
 ]

-[[package]]
-name = "generic-array"
-version = "1.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dab9e9188e97a93276e1fe7b56401b851e2b45a46d045ca658100c1303ada649"
-dependencies = [
- "rustversion",
- "serde_core",
- "typenum",
-]
-
 [[package]]
 name = "getrandom"
 version = "0.2.17"
@@ -2449,15 +2406,6 @@ dependencies = [
 "tracing",
 ]

-[[package]]
-name = "hash32"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "47d60b12902ba28e2730cd37e95b8c9223af2808df9e902d4df49588d1470606"
-dependencies = [
- "byteorder",
-]
-
 [[package]]
 name = "hashbrown"
 version = "0.12.3"
@@ -2498,16 +2446,6 @@ version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"

-[[package]]
-name = "heapless"
-version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bfb9eb618601c89945a70e254898da93b13be0388091d42117462b265bb3fad"
-dependencies = [
- "hash32",
- "stable_deref_trait",
-]
-
 [[package]]
 name = "heck"
 version = "0.5.0"
@@ -2535,15 +2473,6 @@ dependencies = [
 "arrayvec",
 ]

-[[package]]
-name = "hkdf"
-version = "0.12.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
-dependencies = [
- "hmac 0.12.1",
-]
-
 [[package]]
 name = "hmac"
 version = "0.12.1"
@@ -2614,7 +2543,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08d46837a0ed51fe95bd3b05de33cd64a1ee88fc797477ca48446872504507c5"
 dependencies = [
 "ctutils",
- "serde",
 "typenum",
 "zeroize",
 ]
@@ -2880,7 +2808,7 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
 dependencies = [
- "generic-array 0.14.7",
+ "generic-array",
 ]

 [[package]]
@@ -3019,7 +2947,7 @@ dependencies = [
 "ecdsa",
 "elliptic-curve",
 "once_cell",
- "serdect 0.2.0",
+ "serdect",
 "sha2 0.10.9",
 "signature 2.2.0",
 ]
@@ -3362,20 +3290,6 @@ dependencies = [
 "zeroize",
 ]

-[[package]]
-name = "multiexp"
-version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ec2ce93a6f06ac6cae04c1da3f2a6a24fcfc1f0eb0b4e0f3d302f0df45326cb"
-dependencies = [
- "ff",
- "group",
- "rand_core 0.6.4",
- "rustversion",
- "std-shims",
- "zeroize",
-]
-
 [[package]]
 name = "multimap"
 version = "0.10.1"
@@ -3407,20 +3321,6 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

-[[package]]
-name = "num"
-version = "0.4.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35bd024e8b2ff75562e5f34e7f4905839deb4b22955ef5e73d2fea1b9813cb23"
-dependencies = [
- "num-bigint",
- "num-complex",
- "num-integer",
- "num-iter",
- "num-rational",
- "num-traits",
-]
-
 [[package]]
 name = "num-bigint"
 version = "0.4.6"
@@ -3429,19 +3329,6 @@ checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
 dependencies = [
 "num-integer",
 "num-traits",
- "rand 0.8.6",
- "serde",
-]
-
-[[package]]
-name = "num-complex"
-version = "0.4.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73f88a1307638156682bada9d7604135552957b7818057dcef22705b4d509495"
-dependencies = [
- "num-traits",
- "rand 0.8.6",
- "serde",
 ]

 [[package]]
@@ -3459,29 +3346,6 @@ dependencies = [
 "num-traits",
 ]

-[[package]]
-name = "num-iter"
-version = "0.1.45"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
-dependencies = [
- "autocfg",
- "num-integer",
- "num-traits",
-]
-
-[[package]]
-name = "num-rational"
-version = "0.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f83d14da390562dca69fc84082e73e548e1ad308d24accdedd2720017cb37824"
-dependencies = [
- "num-bigint",
- "num-integer",
- "num-traits",
- "serde",
-]
-
 [[package]]
 name = "num-traits"
 version = "0.2.19"
@@ -4590,9 +4454,9 @@ checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
 dependencies = [
 "base16ct",
 "der 0.7.10",
- "generic-array 0.14.7",
+ "generic-array",
 "pkcs8 0.10.2",
- "serdect 0.2.0",
+ "serdect",
 "subtle",
 "zeroize",
 ]
@@ -4758,16 +4622,6 @@ dependencies = [
 "serde",
 ]

-[[package]]
-name = "serdect"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f42f67da2385b51a5f9652db9c93d78aeaf7610bf5ec366080b6de810604af53"
-dependencies = [
- "base16ct",
- "serde",
-]
-
 [[package]]
 name = "sha2"
 version = "0.10.9"
@@ -4933,12 +4787,6 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

-[[package]]
-name = "spin"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5fe4ccb98d9c292d56fec89a5e07da7fc4cf0dc11e156b41793132775d3e591"
-
 [[package]]
 name = "spki"
 version = "0.7.3"
@@ -4983,17 +4831,6 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"

-[[package]]
-name = "std-shims"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "227c4f8561598188d0df96dbe749824576174bba278b5b6bb2eacff1066067d0"
-dependencies = [
- "hashbrown 0.16.1",
- "rustversion",
- "spin",
-]
-
 [[package]]
 name = "string_morph"
 version = "0.1.0"
@@ -5737,27 +5574,6 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"

-[[package]]
-name = "vsss-rs"
-version = "5.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ec751bdcc8bda099e269b24cc6b4ad14f9ce8b0490c1599174070e792ecd70c"
-dependencies = [
- "crypto-bigint 0.5.5",
- "crypto-bigint 0.6.1",
- "elliptic-curve",
- "elliptic-curve-tools",
- "generic-array 1.4.1",
- "hex",
- "hybrid-array",
- "num",
- "rand_core 0.6.4",
- "serde",
- "sha3 0.10.9",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "wait-timeout"
 version = "0.2.1"
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -76,6 +76,7 @@ needless_pass_by_ref_mut = "allow"
 pub_underscore_fields = "allow"
 redundant_pub_crate = "allow" 
 uninhabited_references = "allow" # safe with unsafe_code = "forbid" and standard uninhabited pattern (match *self {})
+too-many-lines = "allow" # this is a very common pattern in server code, and it's not always possible to break it down into smaller modules without hurting readability

 # restriction lints
 alloc_instead_of_core = "warn"
--- a/server/crates/arbiter-crypto/src/safecell.rs
+++ b/server/crates/arbiter-crypto/src/safecell.rs
@@ -22,7 +22,7 @@ pub trait SafeCellHandle<T> {
    fn read(&mut self) -> Self::CellRead<'_>;
    fn write(&mut self) -> Self::CellWrite<'_>;

-    fn new_inline_default<F>(f: F) -> Self
+    fn new_inline<F>(f: F) -> Self
    where
        Self: Sized,
        T: Default,
@@ -36,14 +36,6 @@ pub trait SafeCellHandle<T> {
        cell
    }

-    fn new_inline<F>(f: Box<F>) -> Self
-    where
-        Self: Sized,
-        F: for<'a> FnOnce() -> T,
-    {
-        Self::new(f())
-    }
-
    #[inline(always)]
    fn read_inline<F, R>(&mut self, f: F) -> R
    where
--- a/server/crates/arbiter-server/Cargo.toml
+++ b/server/crates/arbiter-server/Cargo.toml
@@ -50,7 +50,6 @@ subtle = "2.6.1"
 x25519-dalek.workspace = true
 k256.workspace = true
 kameo_actors.workspace = true
-vsss-rs = "5.4.0"

 [dev-dependencies]
 proptest = "1.11.0"
--- a/server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
+++ b/server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
@@ -43,24 +43,13 @@ create table if not exists arbiter_settings (
 insert into arbiter_settings (id) values (1) on conflict do nothing;
 -- ensure singleton row exists

-create table if not exists operator_identity (
+create table if not exists operator_client (
    id integer not null primary key,
    public_key blob not null,
    created_at integer not null default(unixepoch ('now')),
    updated_at integer not null default(unixepoch ('now'))
 ) STRICT;
-create unique index if not exists uniq_operator_identity_public_key on operator_identity (public_key);
-
-create table if not exists operator (
-    id integer primary key references operator_identity(id) on delete restrict, -- same id as operator_identity
-
-    share blob not null,
-    share_nonce blob not null,
-
-    created_at integer not null default(unixepoch ('now')),
-    updated_at integer not null default(unixepoch ('now'))
-
-) STRICT;
+create unique index if not exists uniq_operator_client_public_key on operator_client (public_key);

 create table if not exists client_metadata (
    id integer not null primary key,
--- a/server/crates/arbiter-server/src/actors/bootstrap.rs
+++ b/server/crates/arbiter-server/src/actors/bootstrap.rs
@@ -48,7 +48,7 @@ impl Bootstrapper {
        let row_count: i64 = {
            let mut conn = db.get().await?;

-            schema::operator::table
+            schema::operator_client::table
                .count()
                .get_result(&mut conn)
                .await?
--- a/server/crates/arbiter-server/src/actors/evm/mod.rs
+++ b/server/crates/arbiter-server/src/actors/evm/mod.rs
@@ -3,7 +3,7 @@ use crate::{
    crypto::integrity,
    db::{
        DatabaseError, DatabasePool,
-        models::{self, EvmWalletId},
+        models::{self},
        schema,
    },
    evm::{
@@ -116,7 +116,7 @@ impl EvmActor {
    }

    #[message]
-    pub async fn list_wallets(&self) -> Result<Vec<(EvmWalletId, Address)>, Error> {
+    pub async fn list_wallets(&self) -> Result<Vec<(i32, Address)>, Error> {
        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
        let rows: Vec<models::EvmWallet> = schema::evm_wallet::table
            .select(models::EvmWallet::as_select())
@@ -160,29 +160,14 @@ impl EvmActor {
    }

    #[message]
-    #[expect(clippy::unused_async, reason = "reserved for impl")]
-    pub async fn operator_delete_grant(&mut self, _grant_id: i32) -> Result<(), Error> {
-        // let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
-        // let vault = self.vault.clone();
-
-        // diesel_async::AsyncConnection::transaction(&mut conn, |conn| {
-        //     Box::pin(async move {
-        //         diesel::update(schema::evm_basic_grant::table)
-        //             .filter(schema::evm_basic_grant::id.eq(grant_id))
-        //             .set(schema::evm_basic_grant::revoked_at.eq(SqliteTimestamp::now()))
-        //             .execute(conn)
-        //             .await?;
-
-        //         let signed = integrity::evm::load_signed_grant_by_basic_id(conn, grant_id).await?;
-
-        //         diesel::result::QueryResult::Ok(())
-        //     })
-        // })
-        // .await
-        // .map_err(DatabaseError::from)?;
-
-        // Ok(())
-        todo!()
+    pub async fn useragent_delete_grant(
+        &mut self,
+        grant_id: i32,
+    ) -> Result<(), Error> {
+        self.engine
+            .revoke_grant(grant_id)
+            .await
+            .map_err(Error::from)
    }

    #[message]
--- a/server/crates/arbiter-server/src/actors/vault/mod.rs
+++ b/server/crates/arbiter-server/src/actors/vault/mod.rs
@@ -1,5 +1,3 @@
-use std::collections::HashMap;
-
 use crate::{
    crypto::{
        KeyCell, derive_key,
@@ -8,7 +6,7 @@ use crate::{
    },
    db::{
        self,
-        models::{self, OperatorId, OperatorIdentityId, RootKeyHistory, RootKeyHistoryId},
+        models::{self, RootKeyHistory},
        schema::{self},
    },
 };
@@ -17,17 +15,17 @@ use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
 use chrono::Utc;
 use diesel::{
    ExpressionMethods as _, OptionalExtension, QueryDsl, SelectableHelper,
-    dsl::{count, insert_into, update},
-    select,
+    dsl::{insert_into, update},
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use hmac::{KeyInit as _, Mac as _, digest::common};
+use hmac::{KeyInit as _, Mac as _};
 use kameo::{Actor, Reply, actor::ActorRef, messages};
 use kameo_actors::message_bus::{MessageBus, Publish};
 use strum::{EnumDiscriminants, IntoDiscriminant};
 use tracing::{error, info};

 pub mod events {
+
    #[derive(Clone, Copy)]
    pub struct Bootstrapped;

@@ -65,17 +63,8 @@ pub enum Error {
    BrokenDatabase,
 }

-#[derive(Debug, thiserror::Error)]
-pub enum UnsealError {}
-
-#[derive(Debug, thiserror::Error)]
-pub enum BootstrapError {
-    #[error("That operator already contributed his share")]
-    AlreadyContributed,
-}
-
 struct Unsealed {
-    root_key_history_id: RootKeyHistoryId,
+    root_key_history_id: i32,
    root_key: KeyCell,
 }

@@ -84,16 +73,8 @@ struct Unsealed {
 enum State {
    #[default]
    Unbootstrapped,
-
-    Bootstrapping {
-        declared_operators: u64,
-        current_passphrases: HashMap<OperatorIdentityId, SafeCell<Vec<u8>>>,
-    },
-
    Sealed {
-        threshold: u64, // basically, quorum size
-        root_key_history_id: RootKeyHistoryId,
-        current_shares: HashMap<OperatorId, SafeCell<Vec<u8>>>,
+        root_key_history_id: i32,
    },
    Unsealed(Unsealed),
 }
@@ -109,6 +90,7 @@ pub struct Vault {
    events: ActorRef<MessageBus>,
 }

+#[messages]
 impl Vault {
    pub async fn new(db: db::DatabasePool, events: ActorRef<MessageBus>) -> Result<Self, Error> {
        let state = {
@@ -121,17 +103,9 @@ impl Vault {
                .await?;

            match root_key_history {
-                Some(root_key_history) => {
-                    let operator_count: i64 = schema::operator::table
-                        .count()
-                        .get_result(&mut conn)
-                        .await?;
-                    State::Sealed {
-                        root_key_history_id: root_key_history.id,
-                        current_shares: HashMap::default(),
-                        threshold: shamir_threshold(operator_count.cast_unsigned()), // invariant: db couldn't return negative number of rows
-                    }
-                }
+                Some(root_key_history) => State::Sealed {
+                    root_key_history_id: root_key_history.id,
+                },
                None => State::Unbootstrapped,
            }
        };
@@ -141,10 +115,7 @@ impl Vault {

    // Exclusive transaction to avoid race condtions if multiple vaults write
    // additional layer of protection against nonce-reuse
-    async fn get_new_nonce(
-        pool: &db::DatabasePool,
-        root_key_id: RootKeyHistoryId,
-    ) -> Result<Nonce, Error> {
+    async fn get_new_nonce(pool: &db::DatabasePool, root_key_id: i32) -> Result<Nonce, Error> {
        let mut conn = pool.get().await?;

        let nonce = conn
@@ -157,7 +128,7 @@ impl Vault {

                let mut nonce = Nonce::try_from(current_nonce.as_slice()).map_err(|()| {
                    error!(
-                        "Broken database: invalid nonce for root key history id={:#?}",
+                        "Broken database: invalid nonce for root key history id={}",
                        root_key_id
                    );
                    Error::BrokenDatabase
@@ -180,28 +151,19 @@ impl Vault {
    const fn expect_unsealed(state: &mut State) -> Result<&mut Unsealed, Error> {
        match state {
            State::Unsealed(unsealed) => Ok(unsealed),
-            State::Bootstrapping { .. } => Err(Error::NotBootstrapped),
            State::Unbootstrapped => Err(Error::NotBootstrapped),
            State::Sealed { .. } => Err(Error::Sealed),
        }
    }

-    pub async fn finalize_bootstrap(&mut self) -> Result<(), Error> {
-        let State::Bootstrapping {
-            declared_operators,
-            current_passphrases,
-        } = &mut self.state
-        else {
+    #[message]
+    pub async fn bootstrap(&mut self, seal_key_raw: SafeCell<Vec<u8>>) -> Result<(), Error> {
+        if !matches!(self.state, State::Unbootstrapped) {
            return Err(Error::AlreadyBootstrapped);
-        };
+        }
+        let salt = v1::generate_salt();
+        let mut seal_key = derive_key(seal_key_raw, &salt);
        let mut root_key = KeyCell::new_secure_random();
-        let root_key_salt = v1::generate_salt();
-
-        let mut seal_key = KeyCell::new_secure_random();
-
-        let shares = seal_key.0.read_inline(|seal_key| {
-            generate_shamir_shares(current_passphrases.len() as u64, seal_key.as_slice())
-        });

        // Zero nonces are fine because they are one-time
        let root_key_nonce = Nonce::default();
@@ -217,29 +179,19 @@ impl Vault {
                })
        })?;

-        let data_encryption_nonce_bytes = data_encryption_nonce.to_vec();
        let mut conn = self.db.get().await?;

+        let data_encryption_nonce_bytes = data_encryption_nonce.to_vec();
        let root_key_history_id = conn
            .transaction(async |conn| {
-                for ((operator_id, raw_passphrase), raw_share) in
-                    current_passphrases.iter_mut().zip(shares.iter())
-                {
-                    let salt = v1::generate_salt();
-                    let mut share_seal_key = derive_key(&mut raw_passphrase, &salt);
-                    let share_encryption_nonce = Nonce::default();
-
-                    let share_key = derive_key(&mut raw_passphrase, &salt);
-                }
-
-                let root_key_history_id = insert_into(schema::root_key_history::table)
+                let root_key_history_id: i32 = insert_into(schema::root_key_history::table)
                    .values(&models::NewRootKeyHistory {
                        ciphertext: root_key_ciphertext.clone(),
                        tag: v1::ROOT_KEY_TAG.to_vec(),
                        root_key_encryption_nonce: root_key_nonce.to_vec(),
                        data_encryption_nonce: data_encryption_nonce_bytes.clone(),
                        schema_version: 1,
-                        salt: root_key_salt.to_vec(),
+                        salt: salt.to_vec(),
                    })
                    .returning(schema::root_key_history::id)
                    .get_result(&mut *conn)
@@ -250,9 +202,7 @@ impl Vault {
                    .execute(&mut *conn)
                    .await?;

-                Result::<_, diesel::result::Error>::Ok(RootKeyHistoryId::from_raw(
-                    root_key_history_id,
-                ))
+                Result::<_, diesel::result::Error>::Ok(root_key_history_id)
            })
            .await?;

@@ -266,59 +216,11 @@ impl Vault {

        Ok(())
    }
-}
-
-// Seal / unseal / bootstrap stuff. Will be separated into another actor, eventually
-#[messages]
-impl Vault {
-    #[message]
-    pub async fn start_bootstrap(&mut self, declared_operators: u64) -> Result<(), Error> {
-        if !matches!(&self.state, State::Unbootstrapped) {
-            return Err(Error::AlreadyBootstrapped);
-        }
-
-        self.state = State::Bootstrapping {
-            declared_operators,
-            current_passphrases: HashMap::default(),
-        };
-        Ok(())
-    }

    #[message]
-    pub async fn contribute_bootstrap(
-        &mut self,
-        operator: OperatorIdentityId,
-        key_raw: SafeCell<Vec<u8>>,
-    ) -> Result<(), Error> {
-        let State::Bootstrapping {
-            current_passphrases,
-            declared_operators,
-        } = &mut self.state
-        else {
-            return Err(Error::AlreadyBootstrapped);
-        };
-
-        if current_passphrases.contains_key(&operator) {
-            return Err(Error::AlreadyBootstrapped);
-        }
-        current_passphrases.insert(operator, key_raw);
-
-        if current_passphrases.len() == declared_operators {
-            return self.finalize_bootstrap(seal_key_raw);
-        }
-
-        Ok(())
-    }
-
-    #[message]
-    pub async fn contribute_unseal(
-        &mut self,
-        operator: OperatorId,
-        key_raw: SafeCell<Vec<u8>>,
-    ) -> Result<(), Error> {
+    pub async fn try_unseal(&mut self, seal_key_raw: SafeCell<Vec<u8>>) -> Result<(), Error> {
        let State::Sealed {
            root_key_history_id,
-            current_shares,
        } = &self.state
        else {
            return Err(Error::NotBootstrapped);
@@ -339,7 +241,7 @@ impl Vault {
            error!("Broken database: invalid salt for root key");
            Error::BrokenDatabase
        })?;
-        let mut seal_key = derive_key(key_raw, &salt);
+        let mut seal_key = derive_key(seal_key_raw, &salt);

        let mut root_key = SafeCell::new(current_key.ciphertext.clone());

@@ -370,25 +272,6 @@ impl Vault {
        Ok(())
    }

-    #[message]
-    pub async fn seal(&mut self) -> Result<(), Error> {
-        let Unsealed {
-            root_key_history_id,
-            ..
-        } = Self::expect_unsealed(&mut self.state)?;
-
-        self.state = State::Sealed {
-            root_key_history_id: *root_key_history_id,
-            current_shares: HashMap::new(),
-        };
-        let _ = self.events.tell(Publish(events::VaultResealed)).await;
-        Ok(())
-    }
-}
-
-// Server-side cryptographic operations
-#[messages]
-impl Vault {
    #[message]
    pub async fn decrypt(&mut self, aead_id: i32) -> Result<SafeCell<Vec<u8>>, Error> {
        let Unsealed { root_key, .. } = Self::expect_unsealed(&mut self.state)?;
@@ -457,22 +340,17 @@ impl Vault {
    }

    #[message]
-    pub fn sign_integrity(
-        &mut self,
-        mac_input: Vec<u8>,
-    ) -> Result<(RootKeyHistoryId, Vec<u8>), Error> {
+    pub fn sign_integrity(&mut self, mac_input: Vec<u8>) -> Result<(i32, Vec<u8>), Error> {
        let Unsealed {
            root_key,
            root_key_history_id,
        } = Self::expect_unsealed(&mut self.state)?;

-        let mut hmac = root_key
-            .0
-            .read_inline(|k| match HmacSha256::new_from_slice(k) {
-                Ok(v) => v,
-                Err(_) => unreachable!("HMAC accepts keys of any size"),
-            });
-        hmac.update(&root_key_history_id.to_raw().to_be_bytes());
+        let mut hmac = root_key.0.read_inline(|k| {
+            HmacSha256::new_from_slice(k)
+                .unwrap_or_else(|_| unreachable!("HMAC accepts keys of any size"))
+        });
+        hmac.update(&root_key_history_id.to_be_bytes());
        hmac.update(&mac_input);

        let mac = hmac.finalize().into_bytes().to_vec();
@@ -484,7 +362,7 @@ impl Vault {
        &mut self,
        mac_input: Vec<u8>,
        expected_mac: Vec<u8>,
-        key_version: RootKeyHistoryId,
+        key_version: i32,
    ) -> Result<bool, Error> {
        let Unsealed {
            root_key,
@@ -495,53 +373,29 @@ impl Vault {
            return Ok(false);
        }

-        let mut hmac = root_key
-            .0
-            .read_inline(|k| match HmacSha256::new_from_slice(k) {
-                Ok(v) => v,
-                Err(_) => unreachable!("HMAC accepts keys of any size"),
-            });
-        hmac.update(&key_version.to_raw().to_be_bytes());
+        let mut hmac = root_key.0.read_inline(|k| {
+            HmacSha256::new_from_slice(k)
+                .unwrap_or_else(|_| unreachable!("HMAC accepts keys of any size"))
+        });
+        hmac.update(&key_version.to_be_bytes());
        hmac.update(&mac_input);

        Ok(hmac.verify_slice(&expected_mac).is_ok())
    }
-}

-/// According to the spec, the quorum is 50% + 1
-/// with exception for 1 and 2 operators, those require exactly the number of operators registered
-fn shamir_threshold(comittee_size: u64) -> u64 {
-    if comittee_size == 2 || comittee_size == 1 {
-        return comittee_size;
+    #[message]
+    pub async fn seal(&mut self) -> Result<(), Error> {
+        let Unsealed {
+            root_key_history_id,
+            ..
+        } = Self::expect_unsealed(&mut self.state)?;
+
+        self.state = State::Sealed {
+            root_key_history_id: *root_key_history_id,
+        };
+        let _ = self.events.tell(Publish(events::VaultResealed)).await;
+        Ok(())
    }
-
-    let half_comittee = match comittee_size % 2 != 0 {
-        true => (comittee_size - 1) / 2,
-        false => comittee_size / 2,
-    };
-
-    half_comittee + 1
-}
-
-/// Beware: this function accepts raw key references (without memory protection)
-fn generate_shamir_shares(threshold: u64, key: &[u8]) -> Vec<SafeCell<Vec<u8>>> {
-    use vsss_rs::{shamir, *};
-
-    type P256Share = DefaultShare<IdentifierPrimeField<Scalar>, IdentifierPrimeField<Scalar>>;
-
-    let mut osrng = rand_core::OsRng::default();
-    let sk = SecretKey::random(&mut osrng);
-    let nzs = sk.to_nonzero_scalar();
-    let shared_secret = IdentifierPrimeField(*nzs.as_ref());
-    let res = shamir::split_secret::<P256Share>(2, 3, &shared_secret, &mut osrng);
-    assert!(res.is_ok());
-    let shares = res.unwrap();
-    let res = shares.combine();
-    assert!(res.is_ok());
-    let scalar = res.unwrap();
-    let nzs_dup = NonZeroScalar::from_repr(scalar.0.to_repr()).unwrap();
-    let sk_dup = SecretKey::from(nzs_dup);
-    assert_eq!(sk_dup.to_bytes(), sk.to_bytes());
 }

 #[cfg(test)]
@@ -556,7 +410,7 @@ mod tests {
            .await
            .unwrap();
        let seal_key = SafeCell::new(b"test-seal-key".to_vec());
-        actor.finalize_bootstrap(seal_key).await.unwrap();
+        actor.bootstrap(seal_key).await.unwrap();
        actor
    }

@@ -565,12 +419,13 @@ mod tests {
    async fn nonce_monotonic_even_when_nonce_allocation_interleaves() {
        let db = db::create_test_pool().await;
        let mut actor = bootstrapped_actor(&db).await;
-        let root_key_history_id = match actor.state {
-            State::Unsealed(Unsealed {
-                root_key_history_id,
-                ..
-            }) => root_key_history_id,
-            _ => panic!("expected unsealed state"),
+
+        let State::Unsealed(Unsealed {
+            root_key_history_id,
+            ..
+        }) = actor.state
+        else {
+            panic!("expected unsealed state")
        };

        let n1 = Vault::get_new_nonce(&db, root_key_history_id)
--- a/server/crates/arbiter-server/src/crypto/mod.rs
+++ b/server/crates/arbiter-server/src/crypto/mod.rs
@@ -28,7 +28,7 @@ impl TryFrom<SafeCell<Vec<u8>>> for KeyCell {
        if value.len() != size_of::<Key>() {
            return Err(());
        }
-        let cell = SafeCell::new_inline_default(|cell_write: &mut Key| {
+        let cell = SafeCell::new_inline(|cell_write: &mut Key| {
            cell_write.copy_from_slice(&value);
        });
        Ok(Self(cell))
@@ -37,7 +37,7 @@ impl TryFrom<SafeCell<Vec<u8>>> for KeyCell {

 impl KeyCell {
    pub fn new_secure_random() -> Self {
-        let key = SafeCell::new_inline_default(|key_buffer: &mut Key| {
+        let key = SafeCell::new_inline(|key_buffer: &mut Key| {
            let mut rng = StdRng::try_from_rng(&mut SysRng)
                .expect("Rng failure is unrecoverable and should panic");
            rng.fill_bytes(key_buffer);
@@ -94,7 +94,7 @@ impl KeyCell {
 }

 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
-pub fn derive_key(password: &mut SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
+pub fn derive_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
    let params = {
        #[cfg(debug_assertions)]
        {
--- a/server/crates/arbiter-server/src/db/models.rs
+++ b/server/crates/arbiter-server/src/db/models.rs
@@ -79,41 +79,10 @@ pub mod types {
        }
    }

-    macro_rules! declare_id {
-        ($name:ident) => {
-            #[derive(Debug, FromSqlRow, AsExpression, Clone, Hash, Copy, PartialEq, Eq)]
-            #[diesel(sql_type = Integer)]
-            #[repr(transparent)] // hint compiler to optimize the wrapper struct away
-            pub struct $name(i32);
-
-            impl $name {
-                pub const fn to_raw(self) -> i32 {
-                    self.0
-                }
-                pub const fn from_raw(raw: i32) -> Self {
-                    Self(raw)
-                }
-            }
-
-            impl FromSql<Integer, Sqlite> for $name {
-                fn from_sql(
-                    bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
-                ) -> diesel::deserialize::Result<Self> {
-                    FromSql::<Integer, Sqlite>::from_sql(bytes).map(Self)
-                }
-            }
-            impl ToSql<Integer, Sqlite> for $name {
-                fn to_sql<'b>(
-                    &'b self,
-                    out: &mut diesel::serialize::Output<'b, '_, Sqlite>,
-                ) -> diesel::serialize::Result {
-                    ToSql::<Integer, Sqlite>::to_sql(&self.0, out)
-                }
-            }
-        };
-    }
-
-    declare_id!(ChainId);
+    #[derive(Debug, FromSqlRow, AsExpression, Clone)]
+    #[diesel(sql_type = Integer)]
+    #[repr(transparent)] // hint compiler to optimize the wrapper struct away
+    pub struct ChainId(pub i32);

    #[expect(
        clippy::cast_sign_loss,
@@ -134,13 +103,21 @@ pub mod types {
        }
    };

-    declare_id!(OperatorId);
-    declare_id!(OperatorIdentityId);
-    declare_id!(AeadEncryptedId);
-    declare_id!(RootKeyHistoryId);
-    declare_id!(TlsHistoryId);
-    declare_id!(EvmWalletId);
-    declare_id!(ClientId);
+    impl FromSql<Integer, Sqlite> for ChainId {
+        fn from_sql(
+            bytes: <Sqlite as diesel::backend::Backend>::RawValue<'_>,
+        ) -> diesel::deserialize::Result<Self> {
+            FromSql::<Integer, Sqlite>::from_sql(bytes).map(Self)
+        }
+    }
+    impl ToSql<Integer, Sqlite> for ChainId {
+        fn to_sql<'b>(
+            &'b self,
+            out: &mut diesel::serialize::Output<'b, '_, Sqlite>,
+        ) -> diesel::serialize::Result {
+            ToSql::<Integer, Sqlite>::to_sql(&self.0, out)
+        }
+    }
 }
 pub use types::*;

@@ -153,12 +130,12 @@ pub use types::*;
 )]
 #[diesel(table_name = aead_encrypted, check_for_backend(Sqlite))]
 pub struct AeadEncrypted {
-    pub id: AeadEncryptedId,
+    pub id: i32,
    pub ciphertext: Vec<u8>,
    pub tag: Vec<u8>,
    pub current_nonce: Vec<u8>,
    pub schema_version: i32,
-    pub associated_root_key_id: RootKeyHistoryId,
+    pub associated_root_key_id: i32, // references root_key_history.id
    pub created_at: SqliteTimestamp,
 }

@@ -171,7 +148,7 @@ pub struct AeadEncrypted {
    attributes_with = "deriveless"
 )]
 pub struct RootKeyHistory {
-    pub id: RootKeyHistoryId,
+    pub id: i32,
    pub ciphertext: Vec<u8>,
    pub tag: Vec<u8>,
    pub root_key_encryption_nonce: Vec<u8>,
@@ -189,7 +166,7 @@ pub struct RootKeyHistory {
    attributes_with = "deriveless"
 )]
 pub struct TlsHistory {
-    pub id: TlsHistoryId,
+    pub id: i32,
    pub cert: String,
    pub cert_key: String, // PEM Encoded private key
    pub ca_cert: String,  // PEM Encoded certificate for cert signing
@@ -214,7 +191,7 @@ pub struct ArbiterSettings {
    attributes_with = "deriveless"
 )]
 pub struct EvmWallet {
-    pub id: EvmWalletId,
+    pub id: i32,
    pub address: Vec<u8>,
    pub aead_encrypted_id: i32,
    pub created_at: SqliteTimestamp,
@@ -236,7 +213,7 @@ pub struct EvmWallet {
 )]
 pub struct EvmWalletAccess {
    pub id: i32,
-    pub wallet_id: EvmWalletId,
+    pub wallet_id: i32,
    pub client_id: i32,
    pub created_at: SqliteTimestamp,
 }
@@ -263,7 +240,7 @@ pub struct ProgramClientMetadataHistory {
 #[derive(Models, Queryable, Debug, Insertable, Selectable)]
 #[diesel(table_name = schema::program_client, check_for_backend(Sqlite))]
 pub struct ProgramClient {
-    pub id: ClientId,
+    pub id: i32,
    pub public_key: Vec<u8>,
    pub metadata_id: i32,
    pub created_at: SqliteTimestamp,
@@ -273,22 +250,12 @@ pub struct ProgramClient {
 #[derive(Queryable, Debug)]
 #[diesel(table_name = schema::operator_client, check_for_backend(Sqlite))]
 pub struct OperatorClient {
-    pub id: OperatorIdentityId,
+    pub id: i32,
    pub public_key: Vec<u8>,
    pub created_at: SqliteTimestamp,
    pub updated_at: SqliteTimestamp,
 }

-#[derive(Queryable, Debug)]
-#[diesel(table_name = schema::operator, check_for_backend(Sqlite))]
-pub struct Operator {
-    pub id: OperatorId,
-    pub share: Vec<u8>,
-    pub share_nonce: Vec<u8>,
-    pub created_at: SqliteTimestamp,
-    pub updated_at: SqliteTimestamp,
-}
-
 #[derive(Models, Queryable, Debug, Insertable, Selectable)]
 #[diesel(table_name = evm_ether_transfer_limit, check_for_backend(Sqlite))]
 #[view(
@@ -432,7 +399,7 @@ pub struct IntegrityEnvelope {
    pub entity_kind: String,
    pub entity_id: Vec<u8>,
    pub payload_version: i32,
-    pub key_version: RootKeyHistoryId,
+    pub key_version: i32,
    pub mac: Vec<u8>,
    pub signed_at: SqliteTimestamp,
    pub created_at: SqliteTimestamp,
--- a/server/crates/arbiter-server/src/db/schema.rs
+++ b/server/crates/arbiter-server/src/db/schema.rs
@@ -152,25 +152,6 @@ diesel::table! {
    }
 }

-diesel::table! {
-    operator (id) {
-        id -> Nullable<Integer>,
-        share -> Binary,
-        share_nonce -> Binary,
-        created_at -> Integer,
-        updated_at -> Integer,
-    }
-}
-
-diesel::table! {
-    operator_identity (id) {
-        id -> Integer,
-        public_key -> Binary,
-        created_at -> Integer,
-        updated_at -> Integer,
-    }
-}
-
 diesel::table! {
    program_client (id) {
        id -> Integer,
@@ -204,6 +185,15 @@ diesel::table! {
    }
 }

+diesel::table! {
+    operator_client (id) {
+        id -> Integer,
+        public_key -> Binary,
+        created_at -> Integer,
+        updated_at -> Integer,
+    }
+}
+
 diesel::joinable!(aead_encrypted -> root_key_history (associated_root_key_id));
 diesel::joinable!(arbiter_settings -> root_key_history (root_key_id));
 diesel::joinable!(arbiter_settings -> tls_history (tls_id));
@@ -222,7 +212,6 @@ diesel::joinable!(evm_transaction_log -> evm_wallet_access (wallet_access_id));
 diesel::joinable!(evm_wallet -> aead_encrypted (aead_encrypted_id));
 diesel::joinable!(evm_wallet_access -> evm_wallet (wallet_id));
 diesel::joinable!(evm_wallet_access -> program_client (client_id));
-diesel::joinable!(operator -> operator_identity (id));
 diesel::joinable!(program_client -> client_metadata (metadata_id));

 diesel::allow_tables_to_appear_in_same_query!(
@@ -241,9 +230,8 @@ diesel::allow_tables_to_appear_in_same_query!(
    evm_wallet,
    evm_wallet_access,
    integrity_envelope,
-    operator,
-    operator_identity,
    program_client,
    root_key_history,
    tls_history,
+    operator_client,
 );
--- a/server/crates/arbiter-server/src/evm/mod.rs
+++ b/server/crates/arbiter-server/src/evm/mod.rs
@@ -1,28 +1,34 @@
+use diesel_async::{AsyncConnection, RunQueryDsl};
+use kameo::actor::ActorRef;
+
 use crate::{
    actors::vault::Vault,
    crypto::integrity,
    db::{
        self, DatabaseError,
        models::{
-            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
+            EvmBasicGrant, EvmEtherTransferGrant, EvmEtherTransferGrantTarget,
+            EvmEtherTransferLimit, EvmTokenTransferGrant, EvmTokenTransferVolumeLimit,
+            EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
        },
        schema::{self, evm_transaction_log},
    },
    evm::policies::{
        CombinedSettings, DatabaseID, EvalContext, EvalViolation, Grant, Policy,
-        SharedGrantSettings, SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
-        token_transfers::TokenTransfer,
+        SharedGrantSettings, SpecificGrant, SpecificMeaning, VolumeRateLimit,
+        ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
    },
 };

 use alloy::{
    consensus::TxEip1559,
-    primitives::{TxKind, U256},
+    primitives::{Address, TxKind, U256},
 };
 use chrono::Utc;
-use diesel::{ExpressionMethods as _, QueryDsl as _, QueryResult, insert_into, sqlite::Sqlite};
-use diesel_async::{AsyncConnection, RunQueryDsl};
-use kameo::actor::ActorRef;
+use diesel::{
+    ExpressionMethods as _, OptionalExtension, QueryDsl as _, QueryResult, SelectableHelper,
+    insert_into, sqlite::Sqlite, update,
+};

 pub mod abi;
 pub mod safe_signer;
@@ -272,6 +278,151 @@ impl Engine {
        Ok(id)
    }

+    pub async fn revoke_grant(
+        &self,
+        basic_grant_id: i32,
+    ) -> Result<(), DatabaseError> {
+        let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
+        let vault = self.vault.clone();
+
+        conn.transaction(async move |conn| {
+            use crate::db::schema::{
+                evm_basic_grant, evm_ether_transfer_grant, evm_ether_transfer_grant_target,
+                evm_ether_transfer_limit, evm_token_transfer_grant,
+                evm_token_transfer_volume_limit,
+            };
+
+            update(evm_basic_grant::table)
+                .filter(evm_basic_grant::id.eq(basic_grant_id))
+                .set(evm_basic_grant::revoked_at.eq(SqliteTimestamp(Utc::now())))
+                .execute(&mut *conn)
+                .await?;
+
+            let basic_grant: EvmBasicGrant = evm_basic_grant::table
+                .filter(evm_basic_grant::id.eq(basic_grant_id))
+                .select(EvmBasicGrant::as_select())
+                .first(&mut *conn)
+                .await?;
+
+            let shared = SharedGrantSettings::try_from_model(basic_grant)?;
+
+            if let Some(ether_grant) = evm_ether_transfer_grant::table
+                .filter(evm_ether_transfer_grant::basic_grant_id.eq(basic_grant_id))
+                .select(EvmEtherTransferGrant::as_select())
+                .first(&mut *conn)
+                .await
+                .optional()?
+            {
+                let target_rows: Vec<EvmEtherTransferGrantTarget> =
+                    evm_ether_transfer_grant_target::table
+                        .filter(evm_ether_transfer_grant_target::grant_id.eq(ether_grant.id))
+                        .select(EvmEtherTransferGrantTarget::as_select())
+                        .load(&mut *conn)
+                        .await?;
+                let targets: Vec<Address> = target_rows
+                    .into_iter()
+                    .filter_map(|target| {
+                        let arr: [u8; 20] = target.address.try_into().ok()?;
+                        Some(Address::from(arr))
+                    })
+                    .collect();
+
+                let limit: EvmEtherTransferLimit = evm_ether_transfer_limit::table
+                    .filter(evm_ether_transfer_limit::id.eq(ether_grant.limit_id))
+                    .select(EvmEtherTransferLimit::as_select())
+                    .first(&mut *conn)
+                    .await?;
+
+                let settings = CombinedSettings {
+                    shared: shared.clone(),
+                    specific: policies::ether_transfer::Settings {
+                        target: targets,
+                        limit: VolumeRateLimit {
+                            max_volume: utils::try_bytes_to_u256(&limit.max_volume).map_err(
+                                |err| {
+                                    diesel::result::Error::DeserializationError(Box::new(err))
+                                },
+                            )?,
+                            window: chrono::Duration::seconds(limit.window_secs.into()),
+                        },
+                    },
+                };
+
+                integrity::sign_entity(&mut *conn, &vault, &settings, basic_grant_id)
+                    .await
+                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;
+
+                return QueryResult::Ok(());
+            }
+
+            if let Some(token_grant) = evm_token_transfer_grant::table
+                .filter(evm_token_transfer_grant::basic_grant_id.eq(basic_grant_id))
+                .select(EvmTokenTransferGrant::as_select())
+                .first(&mut *conn)
+                .await
+                .optional()?
+            {
+                let volume_limit_rows: Vec<EvmTokenTransferVolumeLimit> =
+                    evm_token_transfer_volume_limit::table
+                        .filter(evm_token_transfer_volume_limit::grant_id.eq(token_grant.id))
+                        .select(EvmTokenTransferVolumeLimit::as_select())
+                        .load(&mut *conn)
+                        .await?;
+                let volume_limits: Vec<VolumeRateLimit> = volume_limit_rows
+                    .into_iter()
+                    .map(|row| {
+                        Ok(VolumeRateLimit {
+                            max_volume: utils::try_bytes_to_u256(&row.max_volume).map_err(
+                                |err| {
+                                    diesel::result::Error::DeserializationError(Box::new(err))
+                                },
+                            )?,
+                            window: chrono::Duration::seconds(row.window_secs.into()),
+                        })
+                    })
+                    .collect::<QueryResult<Vec<_>>>()?;
+
+                let target: Option<Address> = match token_grant.receiver {
+                    None => None,
+                    Some(bytes) => {
+                        let arr: [u8; 20] = bytes.try_into().map_err(|_| {
+                            diesel::result::Error::DeserializationError(
+                                "Invalid receiver address length".into(),
+                            )
+                        })?;
+                        Some(Address::from(arr))
+                    }
+                };
+
+                let token_contract: [u8; 20] =
+                    token_grant.token_contract.clone().try_into().map_err(|_| {
+                        diesel::result::Error::DeserializationError(
+                            "Invalid token contract address length".into(),
+                        )
+                    })?;
+
+                let settings = CombinedSettings {
+                    shared,
+                    specific: policies::token_transfers::Settings {
+                        token_contract: Address::from(token_contract),
+                        target,
+                        volume_limits,
+                    },
+                };
+
+                integrity::sign_entity(&mut *conn, &vault, &settings, basic_grant_id)
+                    .await
+                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;
+
+                return QueryResult::Ok(());
+            }
+
+            Err(diesel::result::Error::NotFound)
+        })
+        .await
+        .map_err(DatabaseError::from)
+    }
+
    async fn list_one_kind<Kind: Policy, Y>(
        &self,
        conn: &mut impl AsyncConnection<Backend = Sqlite>,
@@ -351,21 +502,26 @@ impl Engine {
 #[cfg(test)]
 mod tests {
    use alloy::primitives::{Address, Bytes, U256, address};
+    use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
    use chrono::{Duration, Utc};
    use diesel::{SelectableHelper, insert_into};
    use diesel_async::RunQueryDsl;
+    use kameo::{actor::ActorRef, prelude::Spawn};
    use rstest::rstest;

+    use crate::actors::{GlobalActors, vault::{Bootstrap, Vault}};
+    use crate::crypto::integrity;
    use crate::db::{
        self, DatabaseConnection,
        models::{
-            EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, NewEvmTransactionLog,
-            SqliteTimestamp,
+            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
        },
        schema::{evm_basic_grant, evm_transaction_log},
    };
+    use crate::evm::policies::ether_transfer::EtherTransfer;
    use crate::evm::policies::{
-        EvalContext, EvalViolation, SharedGrantSettings, TransactionRateLimit,
+        CombinedSettings, EvalContext, EvalViolation, Policy, SharedGrantSettings,
+        TransactionRateLimit, VolumeRateLimit,
    };

    use super::check_shared_constraints;
@@ -378,7 +534,7 @@ mod tests {
        EvalContext {
            target: EvmWalletAccess {
                id: WALLET_ACCESS_ID,
-                wallet_id: EvmWalletId::from_raw(5),
+                wallet_id: 10,
                client_id: 20,
                created_at: SqliteTimestamp(Utc::now()),
            },
@@ -397,6 +553,7 @@ mod tests {
            chain: CHAIN_ID,
            valid_from: None,
            valid_until: None,
+            revoked_at: None,
            max_gas_fee_per_gas: None,
            max_priority_fee_per_gas: None,
            rate_limit: None,
@@ -605,4 +762,115 @@ mod tests {
            assert!(violations.is_empty());
        }
    }
+
+    async fn bootstrapped_vault(db: &db::DatabasePool) -> ActorRef<Vault> {
+        let actor = Vault::spawn(
+            Vault::new(db.clone(), GlobalActors::spawn_message_bus())
+                .await
+                .unwrap(),
+        );
+        actor
+            .ask(Bootstrap {
+                seal_key_raw: SafeCell::new(b"integrity-test-seal-key".to_vec()),
+            })
+            .await
+            .unwrap();
+        actor
+    }
+
+    #[tokio::test]
+    async fn revoke_grant_preserves_revoked_integrity() {
+        use crate::db::schema::evm_basic_grant;
+        use diesel::ExpressionMethods as _;
+
+        let db = db::create_test_pool().await;
+        let vault = bootstrapped_vault(&db).await;
+        let engine = super::Engine::new(db.clone(), vault.clone());
+
+        let full_grant = CombinedSettings {
+            shared: SharedGrantSettings {
+                wallet_access_id: WALLET_ACCESS_ID,
+                chain: CHAIN_ID,
+                valid_from: None,
+                valid_until: None,
+                revoked_at: None,
+                max_gas_fee_per_gas: None,
+                max_priority_fee_per_gas: None,
+                rate_limit: None,
+            },
+            specific: super::policies::ether_transfer::Settings {
+                target: vec![RECIPIENT],
+                limit: VolumeRateLimit {
+                    max_volume: U256::from(100u64),
+                    window: Duration::hours(1),
+                },
+            },
+        };
+
+        let grant_id = engine
+            .create_grant::<EtherTransfer>(full_grant)
+            .await
+            .unwrap();
+
+        engine.revoke_grant(grant_id).await.unwrap();
+
+        let mut conn = db.get().await.unwrap();
+        diesel::update(evm_basic_grant::table)
+            .filter(evm_basic_grant::id.eq(grant_id))
+            .set(evm_basic_grant::revoked_at.eq::<Option<SqliteTimestamp>>(None))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+
+        let wallet_access = EvmWalletAccess {
+            id: WALLET_ACCESS_ID,
+            wallet_id: 10,
+            client_id: 20,
+            created_at: SqliteTimestamp(Utc::now()),
+        };
+        let context = EvalContext {
+            target: wallet_access,
+            chain: CHAIN_ID,
+            to: RECIPIENT,
+            value: U256::ONE,
+            calldata: Bytes::new(),
+            max_fee_per_gas: 1,
+            max_priority_fee_per_gas: 1,
+        };
+
+        let grant = EtherTransfer::try_find_grant(
+            &context, &mut conn,
+        )
+        .await
+        .unwrap()
+        .unwrap();
+
+        let result =
+            integrity::verify_entity(&mut conn, &vault, &grant.settings, grant.id).await;
+
+        assert!(matches!(
+            result,
+            Err(integrity::Error::MacMismatch { .. })
+        ));
+    }
+
+    #[test]
+    fn shared_settings_hash_changes_when_revoked_at_changes() {
+        use arbiter_crypto::hashing::Hashable;
+        use sha2::Digest;
+
+        let active = shared_settings();
+        let revoked = SharedGrantSettings {
+            revoked_at: Some(Utc::now()),
+            ..shared_settings()
+        };
+
+        let mut active_hash = sha2::Sha256::new();
+        active.hash(&mut active_hash);
+
+        let mut revoked_hash = sha2::Sha256::new();
+        revoked.hash(&mut revoked_hash);
+
+        assert_ne!(active_hash.finalize(), revoked_hash.finalize());
+    }
 }
--- a/server/crates/arbiter-server/src/evm/policies.rs
+++ b/server/crates/arbiter-server/src/evm/policies.rs
@@ -144,6 +144,7 @@ pub struct SharedGrantSettings {

    pub valid_from: Option<DateTime<Utc>>,
    pub valid_until: Option<DateTime<Utc>>,
+    pub revoked_at: Option<DateTime<Utc>>,

    pub max_gas_fee_per_gas: Option<U256>,
    pub max_priority_fee_per_gas: Option<U256>,
@@ -158,6 +159,7 @@ impl SharedGrantSettings {
            chain: model.chain_id.into(),
            valid_from: model.valid_from.map(Into::into),
            valid_until: model.valid_until.map(Into::into),
+            revoked_at: model.revoked_at.map(Into::into),
            max_gas_fee_per_gas: model
                .max_gas_fee_per_gas
                .map(|b| utils::try_bytes_to_u256(&b))
--- a/server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs
+++ b/server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs
@@ -3,8 +3,7 @@ use crate::{
    db::{
        self, DatabaseConnection,
        models::{
-            EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, NewEvmTransactionLog,
-            SqliteTimestamp,
+            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
        },
        schema::{evm_basic_grant, evm_transaction_log},
    },
@@ -32,7 +31,7 @@ fn ctx(to: Address, value: U256) -> EvalContext {
    EvalContext {
        target: EvmWalletAccess {
            id: WALLET_ACCESS_ID,
-            wallet_id: EvmWalletId::from_raw(10),
+            wallet_id: 10,
            client_id: 20,
            created_at: SqliteTimestamp(Utc::now()),
        },
@@ -80,6 +79,7 @@ fn shared() -> SharedGrantSettings {
        chain: CHAIN_ID,
        valid_from: None,
        valid_until: None,
+        revoked_at: None,
        max_gas_fee_per_gas: None,
        max_priority_fee_per_gas: None,
        rate_limit: None,
--- a/server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs
+++ b/server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs
@@ -2,7 +2,7 @@ use super::{Settings, TokenTransfer};
 use crate::{
    db::{
        self, DatabaseConnection,
-        models::{EvmBasicGrant, EvmWalletAccess, EvmWalletId, NewEvmBasicGrant, SqliteTimestamp},
+        models::{EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, SqliteTimestamp},
        schema::evm_basic_grant,
    },
    evm::{
@@ -45,7 +45,7 @@ fn ctx(to: Address, calldata: Bytes) -> EvalContext {
    EvalContext {
        target: EvmWalletAccess {
            id: WALLET_ACCESS_ID,
-            wallet_id: EvmWalletId::from_raw(10),
+            wallet_id: 10,
            client_id: 20,
            created_at: SqliteTimestamp(Utc::now()),
        },
@@ -98,6 +98,7 @@ fn shared() -> SharedGrantSettings {
        chain: CHAIN_ID,
        valid_from: None,
        valid_until: None,
+        revoked_at: None,
        max_gas_fee_per_gas: None,
        max_priority_fee_per_gas: None,
        rate_limit: None,
--- a/server/crates/arbiter-server/src/evm/safe_signer.rs
+++ b/server/crates/arbiter-server/src/evm/safe_signer.rs
@@ -44,7 +44,7 @@ impl std::fmt::Debug for SafeSigner {
 /// Returns the protected key bytes and the derived Ethereum address.
 pub fn generate(rng: &mut impl rand::Rng) -> (SafeCell<[u8; 32]>, Address) {
    loop {
-        let mut cell = SafeCell::new_inline_default(|w: &mut [u8; 32]| {
+        let mut cell = SafeCell::new_inline(|w: &mut [u8; 32]| {
            rng.fill_bytes(w);
        });

--- a/server/crates/arbiter-server/src/grpc/client/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/client/vault.rs
@@ -31,7 +31,6 @@ pub(super) async fn dispatch(
        VaultRequestPayload::QueryState(()) => {
            let state = match actor.ask(HandleQueryVaultState {}).await {
                Ok(VaultState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
-                Ok(VaultState::Bootstrapping) => ProtoVaultState::Boostrapping,
                Ok(VaultState::Sealed) => ProtoVaultState::Sealed,
                Ok(VaultState::Unsealed) => ProtoVaultState::Unsealed,
                Err(SendError::HandlerError(Error::Internal)) => ProtoVaultState::Error,
--- a/server/crates/arbiter-server/src/grpc/operator/evm.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/evm.rs
@@ -90,7 +90,7 @@ async fn handle_wallet_list(
                .into_iter()
                .map(|(id, address)| WalletEntry {
                    address: address.to_vec(),
-                    id: id.to_raw(),
+                    id,
                })
                .collect(),
        }),
--- a/server/crates/arbiter-server/src/grpc/operator/inbound.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/inbound.rs
@@ -1,10 +1,11 @@
 use crate::{
-    db::models::{CoreEvmWalletAccess, EvmWalletId, NewEvmWalletAccess},
+    db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
    evm::policies::{
        SharedGrantSettings, SpecificGrant, TransactionRateLimit, VolumeRateLimit, ether_transfer,
        token_transfers,
    },
-    grpc::{Convert, TryConvert},
+    grpc::Convert,
+    grpc::TryConvert,
 };
 use arbiter_proto::{
    proto::evm::{
@@ -86,6 +87,7 @@ impl TryConvert for ProtoSharedSettings {
                .valid_until
                .map(ProtoTimestamp::try_convert)
                .transpose()?,
+            revoked_at: None,
            max_gas_fee_per_gas: self
                .max_gas_fee_per_gas
                .as_deref()
@@ -149,7 +151,7 @@ impl Convert for WalletAccess {

    fn convert(self) -> Self::Output {
        NewEvmWalletAccess {
-            wallet_id: EvmWalletId::from_raw(self.wallet_id),
+            wallet_id: self.wallet_id,
            client_id: self.sdk_client_id,
        }
    }
@@ -164,7 +166,7 @@ impl TryConvert for SdkClientWalletAccess {
            return Err(Status::invalid_argument("Missing wallet access entry"));
        };
        Ok(CoreEvmWalletAccess {
-            wallet_id: EvmWalletId::from_raw(access.wallet_id),
+            wallet_id: access.wallet_id,
            client_id: access.sdk_client_id,
            id: self.id,
        })
--- a/server/crates/arbiter-server/src/grpc/operator/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/outbound.rs
@@ -103,7 +103,7 @@ impl Convert for EvmWalletAccess {
        Self::Output {
            id: self.id,
            access: Some(WalletAccess {
-                wallet_id: self.wallet_id.to_raw(),
+                wallet_id: self.wallet_id,
                sdk_client_id: self.client_id,
            }),
        }
--- a/server/crates/arbiter-server/src/grpc/operator/sdk_client.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/sdk_client.rs
@@ -2,7 +2,7 @@ use crate::{
    db::models::NewEvmWalletAccess,
    grpc::Convert,
    peers::operator::{
-        OperatorSession, OutOfBand,
+        OutOfBand, OperatorSession,
        session::handlers::{
            HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
            HandleRevokeEvmWalletAccess, HandleSdkClientList,
@@ -11,8 +11,8 @@ use crate::{
 };
 use arbiter_crypto::authn;
 use arbiter_proto::proto::{
+    shared::ClientInfo as ProtoClientMetadata,
    operator::{
-        operator_response::Payload as OperatorResponsePayload,
        sdk_client::{
            self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
            ConnectionRequest as ProtoSdkClientConnectionRequest,
@@ -24,8 +24,8 @@ use arbiter_proto::proto::{
            request::Payload as SdkClientRequestPayload,
            response::Payload as SdkClientResponsePayload,
        },
+        operator_response::Payload as OperatorResponsePayload,
    },
-    shared::ClientInfo as ProtoClientMetadata,
 };

 use kameo::actor::ActorRef;
@@ -115,7 +115,7 @@ async fn handle_list(
            clients: clients
                .into_iter()
                .map(|(client, metadata)| ProtoSdkClientEntry {
-                    id: client.id.to_raw(),
+                    id: client.id,
                    pubkey: client.public_key.clone(),
                    info: Some(ProtoClientMetadata {
                        name: metadata.name,
--- a/server/crates/arbiter-server/src/grpc/operator/vault.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/vault.rs
@@ -3,6 +3,7 @@ use crate::{
    peers::operator::{OperatorSession, session::handlers::HandleQueryVaultState},
 };
 use arbiter_proto::{
+    proto::shared::VaultState as ProtoVaultState,
    proto::operator::{
        operator_response::Payload as OperatorResponsePayload,
        vault::{
@@ -10,7 +11,6 @@ use arbiter_proto::{
            response::Payload as VaultResponsePayload,
        },
    },
-    proto::shared::VaultState as ProtoVaultState,
 };

 use kameo::actor::ActorRef;
@@ -47,7 +47,6 @@ async fn handle_query_vault_state(
    let state = match actor.ask(HandleQueryVaultState {}).await {
        Ok(VaultState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
        Ok(VaultState::Sealed) => ProtoVaultState::Sealed,
-        Ok(VaultState::Bootstrapping) => ProtoVaultState::Boostrapping,
        Ok(VaultState::Unsealed) => ProtoVaultState::Unsealed,
        Err(err) => {
            warn!(error = ?err, "Failed to query vault state");
--- a/server/crates/arbiter-server/src/grpc/operator/vault_gate/outbound.rs
+++ b/server/crates/arbiter-server/src/grpc/operator/vault_gate/outbound.rs
@@ -4,6 +4,7 @@ use crate::{
    peers::operator::vault_gate::{self as vault_gate},
 };
 use arbiter_proto::proto::{
+    shared::VaultState as ProtoVaultState,
    operator::{
        operator_response::Payload as OperatorResponsePayload,
        vault::{
@@ -16,7 +17,6 @@ use arbiter_proto::proto::{
            },
        },
    },
-    shared::VaultState as ProtoVaultState,
 };

 use tonic::Status;
@@ -46,7 +46,6 @@ impl Convert for VaultState {
    fn convert(self) -> OperatorResponsePayload {
        let proto_state = match self {
            Self::Unbootstrapped => ProtoVaultState::Unbootstrapped,
-            Self::Bootstrapping => ProtoVaultState::Boostrapping,
            Self::Sealed => ProtoVaultState::Sealed,
            Self::Unsealed => ProtoVaultState::Unsealed,
        };
--- a/server/crates/arbiter-server/src/peers/operator/auth/state.rs
+++ b/server/crates/arbiter-server/src/peers/operator/auth/state.rs
@@ -4,7 +4,7 @@ use super::{
 };
 use crate::{
    actors::bootstrap::ConsumeToken,
-    db::{DatabasePool, schema::operator_identity},
+    db::{DatabasePool, schema::operator_client},
    peers::operator::auth::Outbound,
 };
 use arbiter_crypto::authn::{self, AuthChallenge, OPERATOR_CONTEXT};
@@ -19,7 +19,7 @@ pub(super) struct ChallengeRequest {
    pub(super) bootstrap_token: Option<String>,
 }

-pub(super) struct ChallengeContext {
+pub struct ChallengeContext {
    pub(super) challenge: AuthChallenge,
    pub(super) pubkey: authn::PublicKey,
    pub(super) bootstrap_token: Option<String>,
@@ -44,9 +44,9 @@ async fn get_client_id(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<O
        Error::internal("Database unavailable")
    })?;

-    operator_identity::table
-        .filter(operator_identity::public_key.eq(pubkey.to_bytes()))
-        .select(operator_identity::id)
+    operator_client::table
+        .filter(operator_client::public_key.eq(pubkey.to_bytes()))
+        .select(operator_client::id)
        .first::<i32>(&mut conn)
        .await
        .optional()
@@ -63,9 +63,9 @@ async fn register_key(db: &DatabasePool, pubkey: &authn::PublicKey) -> Result<i3
        Error::internal("Database unavailable")
    })?;

-    let id: i32 = diesel::insert_into(operator_identity::table)
-        .values((operator_identity::public_key.eq(pubkey_bytes),))
-        .returning(operator_identity::id)
+    let id: i32 = diesel::insert_into(operator_client::table)
+        .values((operator_client::public_key.eq(pubkey_bytes),))
+        .returning(operator_client::id)
        .get_result(&mut conn)
        .await
        .map_err(|e| {
--- a/server/crates/arbiter-server/src/peers/operator/session/handlers.rs
+++ b/server/crates/arbiter-server/src/peers/operator/session/handlers.rs
@@ -1,16 +1,12 @@
 use super::{Error, OperatorSession};
 use crate::{
-    actors::{
-        evm::{
-            ClientSignTransaction, Generate, ListWallets, OperatorCreateGrant, OperatorListGrants,
-            SignTransactionError as EvmSignError,
-        },
-        flow_coordinator::client_connect_approval::ClientApprovalAnswer,
-        vault::VaultState,
-    },
-    db::models::{
-        EvmWalletAccess, EvmWalletId, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
+    actors::evm::{
+        ClientSignTransaction, Generate, ListWallets, OperatorCreateGrant, OperatorListGrants,
+        SignTransactionError as EvmSignError,
    },
+    actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer,
+    actors::vault::VaultState,
+    db::models::{EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata},
    evm::policies::{Grant, SpecificGrant},
 };
 use arbiter_crypto::authn;
@@ -74,9 +70,7 @@ impl OperatorSession {
    }

    #[message]
-    pub(crate) async fn handle_evm_wallet_list(
-        &mut self,
-    ) -> Result<Vec<(EvmWalletId, Address)>, Error> {
+    pub(crate) async fn handle_evm_wallet_list(&mut self) -> Result<Vec<(i32, Address)>, Error> {
        match self.props.actors.evm.ask(ListWallets {}).await {
            Ok(wallets) => Ok(wallets),
            Err(err) => {
--- a/server/crates/arbiter-server/tests/client/auth.rs
+++ b/server/crates/arbiter-server/tests/client/auth.rs
@@ -86,8 +86,8 @@ async fn insert_bootstrap_sentinel_operator(db: &db::DatabasePool) {
        .0
        .to_vec();

-    insert_into(schema::operator_identity::table)
-        .values((schema::operator_identity::public_key.eq(sentinel_key),))
+    insert_into(schema::operator_client::table)
+        .values((schema::operator_client::public_key.eq(sentinel_key),))
        .execute(&mut conn)
        .await
        .unwrap();
--- a/server/crates/arbiter-server/tests/operator/auth.rs
+++ b/server/crates/arbiter-server/tests/operator/auth.rs
@@ -206,8 +206,8 @@ pub async fn bootstrap_token_auth() {
    task.await.unwrap().unwrap();

    let mut conn = db.get().await.unwrap();
-    let stored_pubkey: Vec<u8> = schema::operator_identity::table
-        .select(schema::operator_identity::public_key)
+    let stored_pubkey: Vec<u8> = schema::operator_client::table
+        .select(schema::operator_client::public_key)
        .first::<Vec<u8>>(&mut conn)
        .await
        .unwrap();
@@ -259,7 +259,7 @@ pub async fn bootstrap_invalid_token_auth() {
    ));

    let mut conn = db.get().await.unwrap();
-    let count: i64 = schema::operator_identity::table
+    let count: i64 = schema::operator_client::table
        .count()
        .get_result::<i64>(&mut conn)
        .await
@@ -285,9 +285,9 @@ pub async fn challenge_auth() {

    {
        let mut conn = db.get().await.unwrap();
-        let id: i32 = insert_into(schema::operator_identity::table)
-            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
-            .returning(schema::operator_identity::id)
+        let id: i32 = insert_into(schema::operator_client::table)
+            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
+            .returning(schema::operator_client::id)
            .get_result(&mut conn)
            .await
            .unwrap();
@@ -371,8 +371,8 @@ pub async fn challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {

    {
        let mut conn = db.get().await.unwrap();
-        insert_into(schema::operator_identity::table)
-            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
+        insert_into(schema::operator_client::table)
+            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
            .execute(&mut conn)
            .await
            .unwrap();
@@ -444,9 +444,9 @@ pub async fn challenge_auth_rejects_invalid_signature() {

    {
        let mut conn = db.get().await.unwrap();
-        let id: i32 = insert_into(schema::operator_identity::table)
-            .values((schema::operator_identity::public_key.eq(pubkey_bytes.clone()),))
-            .returning(schema::operator_identity::id)
+        let id: i32 = insert_into(schema::operator_client::table)
+            .values((schema::operator_client::public_key.eq(pubkey_bytes.clone()),))
+            .returning(schema::operator_client::id)
            .get_result(&mut conn)
            .await
            .unwrap();
Author	SHA1	Message	Date
CleverWild	303120c9ac	Merge branch 'main' into security-hash-revoke_at Some checks failed ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline was successful Details	2026-06-09 20:58:20 +02:00
CleverWild	32f317384d	security(evm): remove client-controlled wallet_access_id from grant revocation Some checks failed ci/woodpecker/pr/server-audit Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline was successful Details	2026-06-09 19:36:44 +02:00
CleverWild	4bb2c062dc	feat(evm): add wallet_access_id to grant deletion requests and revocation logic Some checks failed ci/woodpecker/pr/server-audit Pipeline failed Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline was successful Details ci/woodpecker/pr/server-test Pipeline was successful Details	2026-06-09 19:16:21 +02:00
CleverWild	b0a3f37cea	refactor(evm): implement revoke_grant method for grant revocation	2026-06-09 19:11:39 +02:00
CleverWild	58a72da46c	Merge branch 'security-hash-revoke_at' of ssh://git.markettakers.org:22222/MarketTakers/arbiter into security-hash-revoke_at Some checks failed ci/woodpecker/pr/server-audit Pipeline failed Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline was successful Details ci/woodpecker/pr/server-test Pipeline was successful Details	2026-06-09 19:10:57 +02:00
CleverWild	e287459b10	revert(server): bind grant revocation state (revoked_at) to integrity hash	2026-06-09 18:45:30 +02:00
CleverWild	3c482da917	fix(smlang::statemachine): macro invocation requires inner types to be public Some checks failed ci/woodpecker/pr/server-lint Pipeline failed Details ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline was successful Details ci/woodpecker/push/server-audit Pipeline was successful Details ci/woodpecker/push/server-lint Pipeline failed Details ci/woodpecker/push/server-vet Pipeline failed Details ci/woodpecker/push/server-test Pipeline was successful Details	2026-06-08 18:00:52 +02:00
CleverWild	5a34463228	security(server): bind grant revocation state (revoked_at) to integrity hash Some checks failed ci/woodpecker/pr/server-audit Pipeline was successful Details ci/woodpecker/pr/server-lint Pipeline was successful Details ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline was successful Details	2026-04-08 12:09:54 +02:00