lints(clippy)

feat(server): integrate X25519 unseal handler in UserAgentActor
feat(server): add X25519 ECDH for secure unseal protocol
2026-03-11 14:05:03 +01:00 · 2026-03-11 14:05:03 +01:00 · 2026-03-11 14:05:03 +01:00 · 2026-03-11 14:04:46 +01:00 · 2026-03-11 14:04:46 +01:00
313 changed files with 4132 additions and 49942 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1 @@
-target/
+target/
 scripts/__pycache__/
 .DS_Store
 .cargo/config.toml
 .vscode/
--- a/.woodpecker/server-audit.yaml
+++ b/.woodpecker/server-audit.yaml
@@ -8,7 +8,7 @@ when:
      include: ['.woodpecker/server-*.yaml', 'server/**']
 steps:
-  - name: audit
+  - name: test
    image: jdxcode/mise:latest
    directory: server
    environment:
--- a/.woodpecker/server-lint.yaml
+++ b/.woodpecker/server-lint.yaml
@@ -1,25 +0,0 @@
 when:
  - event: pull_request
    path:
      include: ['.woodpecker/server-*.yaml', 'server/**']
  - event: push
    branch: main
    path:
      include: ['.woodpecker/server-*.yaml', 'server/**']
 steps:
  - name: lint
    image: jdxcode/mise:latest
    directory: server
    environment:
      CARGO_TERM_COLOR: always
      CARGO_TARGET_DIR: /usr/local/cargo/target
      CARGO_HOME: /usr/local/cargo/registry
    volumes:
      - cargo-target:/usr/local/cargo/target
      - cargo-registry:/usr/local/cargo/registry
    commands:
      - apt-get update && apt-get install -y pkg-config
      - mise install rust 
      - mise install protoc
      - mise exec rust -- cargo clippy --all -- -D warnings
--- a/.woodpecker/server-vet.yaml
+++ b/.woodpecker/server-vet.yaml
@@ -8,7 +8,7 @@ when:
      include: ['.woodpecker/server-*.yaml', 'server/**']
 steps:
-  - name: vet
+  - name: test
    image: jdxcode/mise:latest
    directory: server
    environment:
--- a/.woodpecker/useragent-analyze.yaml
+++ b/.woodpecker/useragent-analyze.yaml
@@ -1,18 +0,0 @@
 when:
  - event: pull_request
    path:
      include: ['.woodpecker/useragent-*.yaml', 'useragent/**']
  - event: push
    branch: main
    path:
      include: ['.woodpecker/useragent-*.yaml', 'useragent/**']
 steps:
  - name: analyze
    image: jdxcode/mise:latest
    commands:
      - mise install flutter 
      - mise install protoc
      # Reruns codegen to catch protocol drift
      - mise codegen 
      - cd useragent/ && flutter analyze
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,128 +0,0 @@
 # AGENTS.md
 This file provides guidance to Codex (Codex.ai/code) when working with code in this repository.
 ## Project Overview
 Arbiter is a **permissioned signing service** for cryptocurrency wallets. It consists of:
 - **`server/`** — Rust gRPC daemon that holds encrypted keys and enforces policies
 - **`useragent/`** — Flutter desktop app (macOS/Windows) with a Rust backend via Rinf
 - **`protobufs/`** — Protocol Buffer definitions shared between server and client
 The vault never exposes key material; it only produces signatures when requests satisfy configured policies.
 ## Toolchain Setup
 Tools are managed via [mise](https://mise.jdx.dev/). Install all required tools:
 ```sh
 mise install
 ```
 Key versions: Rust 1.93.0 (with clippy), Flutter 3.38.9-stable, protoc 29.6, diesel_cli 2.3.6 (sqlite).
 ## Server (Rust workspace at `server/`)
 ### Crates
 | Crate | Purpose |
 |---|---|
 | `arbiter-proto` | Generated gRPC stubs + protobuf types; compiled from `protobufs/*.proto` via `tonic-prost-build` |
 | `arbiter-server` | Main daemon — actors, DB, EVM policy engine, gRPC service implementation |
 | `arbiter-useragent` | Rust client library for the user agent side of the gRPC protocol |
 | `arbiter-client` | Rust client library for SDK clients |
 ### Common Commands
 ```sh
 cd server
 # Build
 cargo build
 # Run the server daemon
 cargo run -p arbiter-server
 # Run all tests (preferred over cargo test)
 cargo nextest run
 # Run a single test
 cargo nextest run <test_name>
 # Lint
 cargo clippy
 # Security audit
 cargo audit
 # Check unused dependencies
 cargo shear
 # Run snapshot tests and update snapshots
 cargo insta review
 ```
 ### Architecture
 The server is actor-based using the **kameo** crate. All long-lived state lives in `GlobalActors`:
 - **`Bootstrapper`** — Manages the one-time bootstrap token written to `~/.arbiter/bootstrap_token` on first run.
 - **`KeyHolder`** — Holds the encrypted root key and manages the Sealed/Unsealed vault state machine. On unseal, decrypts the root key into a `memsafe` hardened memory cell.
 - **`FlowCoordinator`** — Coordinates cross-connection flow between user agents and SDK clients.
 - **`EvmActor`** — Handles EVM transaction policy enforcement and signing.
 Per-connection actors live under `actors/user_agent/` and `actors/client/`, each with `auth` (challenge-response authentication) and `session` (post-auth operations) sub-modules.
 **Database:** SQLite via `diesel-async` + `bb8` connection pool. Schema managed by embedded Diesel migrations in `crates/arbiter-server/migrations/`. DB file lives at `~/.arbiter/arbiter.sqlite`. Tests use a temp-file DB via `db::create_test_pool()`.
 **Cryptography:**
 - Authentication: ed25519 (challenge-response, nonce-tracked per peer)
 - Encryption at rest: XChaCha20-Poly1305 (versioned via `scheme` field for transparent migration on unseal)
 - Password KDF: Argon2
 - Unseal transport: X25519 ephemeral key exchange
 - TLS: self-signed certificate (aws-lc-rs backend), fingerprint distributed via `ArbiterUrl`
 **Protocol:** gRPC with Protocol Buffers. The `ArbiterUrl` type encodes host, port, CA cert, and bootstrap token into a single shareable string (printed to console on first run).
 ### Proto Regeneration
 When `.proto` files in `protobufs/` change, rebuild to regenerate:
 ```sh
 cd server && cargo build -p arbiter-proto
 ```
 ### Database Migrations
 ```sh
 # Create a new migration
 diesel migration generate <name> --migration-dir crates/arbiter-server/migrations
 # Run migrations manually (server also runs them on startup)
 diesel migration run --migration-dir crates/arbiter-server/migrations
 ```
 ## User Agent (Flutter + Rinf at `useragent/`)
 The Flutter app uses [Rinf](https://rinf.cunarist.org) to call Rust code. The Rust logic lives in `useragent/native/hub/` as a separate crate that uses `arbiter-useragent` for the gRPC client.
 Communication between Dart and Rust uses typed **signals** defined in `useragent/native/hub/src/signals/`. After modifying signal structs, regenerate Dart bindings:
 ```sh
 cd useragent && rinf gen
 ```
 ### Common Commands
 ```sh
 cd useragent
 # Run the app (macOS or Windows)
 flutter run
 # Regenerate Rust↔Dart signal bindings
 rinf gen
 # Analyze Dart code
 flutter analyze
 ```
 The Rinf Rust entry point is `useragent/native/hub/src/lib.rs`. It spawns actors defined in `useragent/native/hub/src/actors/` which handle Dart↔server communication via signals.
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -3,6 +3,7 @@
 Arbiter is a permissioned signing service for cryptocurrency wallets. It runs as a background service on the user's machine with an optional client application for vault management.
 **Core principle:** The vault NEVER exposes key material. It only produces signatures when a request satisfies the configured policies.
 ---
 ## 1. Peer Types
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,128 +0,0 @@
 # CLAUDE.md
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 ## Project Overview
 Arbiter is a **permissioned signing service** for cryptocurrency wallets. It consists of:
 - **`server/`** — Rust gRPC daemon that holds encrypted keys and enforces policies
 - **`useragent/`** — Flutter desktop app (macOS/Windows) with a Rust backend via Rinf
 - **`protobufs/`** — Protocol Buffer definitions shared between server and client
 The vault never exposes key material; it only produces signatures when requests satisfy configured policies.
 ## Toolchain Setup
 Tools are managed via [mise](https://mise.jdx.dev/). Install all required tools:
 ```sh
 mise install
 ```
 Key versions: Rust 1.93.0 (with clippy), Flutter 3.38.9-stable, protoc 29.6, diesel_cli 2.3.6 (sqlite).
 ## Server (Rust workspace at `server/`)
 ### Crates
 | Crate | Purpose |
 |---|---|
 | `arbiter-proto` | Generated gRPC stubs + protobuf types; compiled from `protobufs/*.proto` via `tonic-prost-build` |
 | `arbiter-server` | Main daemon — actors, DB, EVM policy engine, gRPC service implementation |
 | `arbiter-useragent` | Rust client library for the user agent side of the gRPC protocol |
 | `arbiter-client` | Rust client library for SDK clients |
 ### Common Commands
 ```sh
 cd server
 # Build
 cargo build
 # Run the server daemon
 cargo run -p arbiter-server
 # Run all tests (preferred over cargo test)
 cargo nextest run
 # Run a single test
 cargo nextest run <test_name>
 # Lint
 cargo clippy
 # Security audit
 cargo audit
 # Check unused dependencies
 cargo shear
 # Run snapshot tests and update snapshots
 cargo insta review
 ```
 ### Architecture
 The server is actor-based using the **kameo** crate. All long-lived state lives in `GlobalActors`:
 - **`Bootstrapper`** — Manages the one-time bootstrap token written to `~/.arbiter/bootstrap_token` on first run.
 - **`KeyHolder`** — Holds the encrypted root key and manages the Sealed/Unsealed vault state machine. On unseal, decrypts the root key into a `memsafe` hardened memory cell.
 - **`FlowCoordinator`** — Coordinates cross-connection flow between user agents and SDK clients.
 - **`EvmActor`** — Handles EVM transaction policy enforcement and signing.
 Per-connection actors live under `actors/user_agent/` and `actors/client/`, each with `auth` (challenge-response authentication) and `session` (post-auth operations) sub-modules.
 **Database:** SQLite via `diesel-async` + `bb8` connection pool. Schema managed by embedded Diesel migrations in `crates/arbiter-server/migrations/`. DB file lives at `~/.arbiter/arbiter.sqlite`. Tests use a temp-file DB via `db::create_test_pool()`.
 **Cryptography:**
 - Authentication: ed25519 (challenge-response, nonce-tracked per peer)
 - Encryption at rest: XChaCha20-Poly1305 (versioned via `scheme` field for transparent migration on unseal)
 - Password KDF: Argon2
 - Unseal transport: X25519 ephemeral key exchange
 - TLS: self-signed certificate (aws-lc-rs backend), fingerprint distributed via `ArbiterUrl`
 **Protocol:** gRPC with Protocol Buffers. The `ArbiterUrl` type encodes host, port, CA cert, and bootstrap token into a single shareable string (printed to console on first run).
 ### Proto Regeneration
 When `.proto` files in `protobufs/` change, rebuild to regenerate:
 ```sh
 cd server && cargo build -p arbiter-proto
 ```
 ### Database Migrations
 ```sh
 # Create a new migration
 diesel migration generate <name> --migration-dir crates/arbiter-server/migrations
 # Run migrations manually (server also runs them on startup)
 diesel migration run --migration-dir crates/arbiter-server/migrations
 ```
 ## User Agent (Flutter + Rinf at `useragent/`)
 The Flutter app uses [Rinf](https://rinf.cunarist.org) to call Rust code. The Rust logic lives in `useragent/native/hub/` as a separate crate that uses `arbiter-useragent` for the gRPC client.
 Communication between Dart and Rust uses typed **signals** defined in `useragent/native/hub/src/signals/`. After modifying signal structs, regenerate Dart bindings:
 ```sh
 cd useragent && rinf gen
 ```
 ### Common Commands
 ```sh
 cd useragent
 # Run the app (macOS or Windows)
 flutter run
 # Regenerate Rust↔Dart signal bindings
 rinf gen
 # Analyze Dart code
 flutter analyze
 ```
 The Rinf Rust entry point is `useragent/native/hub/src/lib.rs`. It spawns actors defined in `useragent/native/hub/src/actors/` which handle Dart↔server communication via signals.
--- a/IMPLEMENTATION.md
+++ b/IMPLEMENTATION.md
@@ -4,66 +4,6 @@ This document covers concrete technology choices and dependencies. For the archi
 ---
 ## Client Connection Flow
 ### Authentication Result Semantics
 Authentication no longer uses an implicit success-only response shape. Both `client` and `user-agent` return explicit auth status enums over the wire.
 - **Client:** `AuthResult` may return `SUCCESS`, `INVALID_KEY`, `INVALID_SIGNATURE`, `APPROVAL_DENIED`, `NO_USER_AGENTS_ONLINE`, or `INTERNAL`
 - **User-agent:** `AuthResult` may return `SUCCESS`, `INVALID_KEY`, `INVALID_SIGNATURE`, `BOOTSTRAP_REQUIRED`, `TOKEN_INVALID`, or `INTERNAL`
 This makes transport-level failures and actor/domain-level auth failures distinct:
 - **Transport/protocol failures** are surfaced as stream/status errors
 - **Authentication failures** are surfaced as successful protocol responses carrying an explicit auth status
 Clients are expected to handle these status codes directly and present the concrete failure reason to the user.
 ### New Client Approval
 When a client whose public key is not yet in the database connects, all connected user agents are asked to approve the connection. The first agent to respond determines the outcome; remaining requests are cancelled via a watch channel.
 ```mermaid
 flowchart TD
    A([Client connects]) --> B[Receive AuthChallengeRequest]
    B --> C{pubkey in DB?}
    C -- yes --> D[Read nonce\nIncrement nonce in DB]
    D --> G
    C -- no --> E[Ask all UserAgents:\nClientConnectionRequest]
    E --> F{First response}
    F -- denied --> Z([Reject connection])
    F -- approved --> F2[Cancel remaining\nUserAgent requests]
    F2 --> F3[INSERT client\nnonce = 1]
    F3 --> G[Send AuthChallenge\nwith nonce]
    G --> H[Receive AuthChallengeSolution]
    H --> I{Signature valid?}
    I -- no --> Z
    I -- yes --> J([Session started])
 ```
 ### Known Issue: Concurrent Registration Race (TOCTOU)
 Two connections presenting the same previously-unknown public key can race through the approval flow simultaneously:
 1. Both check the DB → neither is registered.
 2. Both request approval from user agents → both receive approval.
 3. Both `INSERT` the client record → the second insert silently overwrites the first, resetting the nonce.
 This means the first connection's nonce is invalidated by the second, causing its challenge verification to fail. A fix requires either serialising new-client registration (e.g. an in-memory lock keyed on pubkey) or replacing the separate check + insert with an `INSERT OR IGNORE` / upsert guarded by a unique constraint on `public_key`.
 ### Nonce Semantics
 The `program_client.nonce` column stores the **next usable nonce** — i.e. it is always one ahead of the nonce last issued in a challenge.
 - **New client:** inserted with `nonce = 1`; the first challenge is issued with `nonce = 0`.
 - **Existing client:** the current DB value is read and used as the challenge nonce, then immediately incremented within the same exclusive transaction, preventing replay.
 ---
 ## Cryptography
 ### Authentication
@@ -82,97 +22,9 @@ The `program_client.nonce` column stores the **next usable nonce** — i.e. it i
 ## Communication
 - **Protocol:** gRPC with Protocol Buffers
 - **Request/response matching:** multiplexed over a single bidirectional stream using per-connection request IDs
 - **Server identity distribution:** `ServerInfo` protobuf struct containing the TLS public key fingerprint
 - **Future consideration:** grpc-web lacks bidirectional stream support, so a browser-based wallet may require protojson over WebSocket
 ### Request Multiplexing
 Both `client` and `user-agent` connections support multiple in-flight requests over one gRPC bidi stream.
 - Every request carries a monotonically increasing request ID
 - Every normal response echoes the request ID it corresponds to
 - Out-of-band server messages omit the response ID entirely
 - The server rejects already-seen request IDs at the transport adapter boundary before business logic sees the message
 This keeps request correlation entirely in transport/client connection code while leaving actor and domain handlers unaware of request IDs.
 ---
 ## EVM Policy Engine
 ### Overview
 The EVM engine classifies incoming transactions, enforces grant constraints, and records executions. It is the sole path through which a wallet key is used for signing.
 The central abstraction is the `Policy` trait. Each implementation handles one semantic transaction category and owns its own database tables for grant storage and transaction logging.
 ### Transaction Evaluation Flow
 `Engine::evaluate_transaction` runs the following steps in order:
 1. **Classify** — Each registered policy's `analyze(context)` inspects the transaction fields (`chain`, `to`, `value`, `calldata`). The first one returning `Some(meaning)` wins. If none match, the transaction is rejected as `UnsupportedTransactionType`.
 2. **Find grant** — `Policy::try_find_grant` queries for a non-revoked grant covering this wallet, client, chain, and target address.
 3. **Check shared constraints** — `check_shared_constraints` runs in the engine before any policy-specific logic. It enforces the validity window, gas fee caps, and transaction count rate limit (see below).
 4. **Evaluate** — `Policy::evaluate` checks the decoded meaning against the grant's policy-specific constraints and returns any violations.
 5. **Record** — If `RunKind::Execution` and there are no violations, the engine writes to `evm_transaction_log` and calls `Policy::record_transaction` for any policy-specific logging (e.g., token transfer volume).
 ### Policy Trait
 | Method | Purpose |
 |---|---|
 | `analyze` | Pure — classifies a transaction into a typed `Meaning`, or `None` if this policy doesn't apply |
 | `evaluate` | Checks the `Meaning` against a `Grant`; returns a list of `EvalViolation`s |
 | `create_grant` | Inserts policy-specific rows; returns the specific grant ID |
 | `try_find_grant` | Finds a matching non-revoked grant for the given `EvalContext` |
 | `find_all_grants` | Returns all non-revoked grants (used for listing) |
 | `record_transaction` | Persists policy-specific data after execution |
 `analyze` and `evaluate` are intentionally separate: classification is pure and cheap, while evaluation may involve DB queries (e.g., fetching past transfer volume).
 ### Registered Policies
 **EtherTransfer** — plain ETH transfers (empty calldata)
 - Grant requires: allowlist of recipient addresses + one volumetric rate limit (max ETH over a time window)
 - Violations: recipient not in allowlist, cumulative ETH volume exceeded
 **TokenTransfer** — ERC-20 `transfer(address,uint256)` calls
 - Recognised by ABI-decoding the `transfer(address,uint256)` selector against a static registry of known token contracts (`arbiter_tokens_registry`)
 - Grant requires: token contract address, optional recipient restriction, zero or more volumetric rate limits
 - Violations: recipient mismatch, any volumetric limit exceeded
 ### Grant Model
 Every grant has two layers:
 - **Shared (`evm_basic_grant`)** — wallet, chain, validity period, gas fee caps, transaction count rate limit. One row per grant regardless of type.
 - **Specific** — policy-owned tables (`evm_ether_transfer_grant`, `evm_token_transfer_grant`, etc.) holding type-specific configuration.
 `find_all_grants` uses a `#[diesel::auto_type]` base join between the specific and shared tables, then batch-loads related rows (targets, volume limits) in two additional queries to avoid N+1.
 The engine exposes `list_all_grants` which collects across all policy types into `Vec<Grant<SpecificGrant>>` via a blanket `From<Grant<S>> for Grant<SpecificGrant>` conversion.
 ### Shared Constraints (enforced by the engine)
 These are checked centrally in `check_shared_constraints` before policy evaluation:
 | Constraint | Fields | Behaviour |
 |---|---|---|
 | Validity window | `valid_from`, `valid_until` | Emits `InvalidTime` if current time is outside the range |
 | Gas fee cap | `max_gas_fee_per_gas`, `max_priority_fee_per_gas` | Emits `GasLimitExceeded` if either cap is breached |
 | Tx count rate limit | `rate_limit` (`count` + `window`) | Counts rows in `evm_transaction_log` within the window; emits `RateLimitExceeded` if at or above the limit |
 ---
 ### Known Limitations
 - **Only EIP-1559 transactions are supported.** Legacy and EIP-2930 types are rejected outright.
 - **No opaque-calldata (unknown contract) grant type.** The architecture describes a category for unrecognised contracts, but no policy implements it yet. Any transaction that is not a plain ETH transfer or a known ERC-20 transfer is unconditionally rejected.
 - **Token registry is static.** Tokens are recognised only if they appear in the hard-coded `arbiter_tokens_registry` crate. There is no mechanism to register additional contracts at runtime.
 - **Nonce management is not implemented.** The architecture lists nonce deduplication as a core responsibility, but no nonce tracking or enforcement exists yet.
 ---
 ## Memory Protection
--- a/190
+++ b/190
@@ -1,190 +0,0 @@
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
   1. Definitions.
      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.
      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.
      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.
      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.
      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.
   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:
      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and
      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and
      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and
      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   Copyright 2026 MarketTakers
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/README.md
+++ b/README.md
@@ -1,13 +0,0 @@
 # Arbiter
 > Policy-first multi-client wallet daemon, allowing permissioned transactions across blockchains
 ## Security warning
 Arbiter can't meaningfully protect against host compromise. Potential attack flow:
 - Attacker steals TLS keys from database
 - Pretends to be server; just accepts user agent challenge solutions
 - Pretend to be in sealed state and performing DH with client
 - Steals user password and derives seal key
 While this attack is highly targetive, it's still possible. 
 > This software is experimental. Do not use with funds you cannot afford to lose.
--- a/app/.dart_tool/extension_discovery/vs_code.json
+++ b/app/.dart_tool/extension_discovery/vs_code.json
@@ -1 +0,0 @@
 {"version":2,"entries":[{"package":"app","rootUri":"../","packageUri":"lib/"}]}
--- a/useragent/.gitignore
+++ b/useragent/.gitignore
--- a/useragent/.metadata
+++ b/useragent/.metadata
--- a/useragent/README.md
+++ b/useragent/README.md
@@ -1,4 +1,4 @@
-# useragent
+# app
 A new Flutter project.
--- a/useragent/analysis_options.yaml
+++ b/useragent/analysis_options.yaml
--- a/app/lib/main.dart
+++ b/app/lib/main.dart
@@ -0,0 +1,122 @@
 import 'package:flutter/material.dart';
 void main() {
  runApp(const MyApp());
 }
 class MyApp extends StatelessWidget {
  const MyApp({super.key});
  // This widget is the root of your application.
  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Flutter Demo',
      theme: ThemeData(
        // This is the theme of your application.
        //
        // TRY THIS: Try running your application with "flutter run". You'll see
        // the application has a purple toolbar. Then, without quitting the app,
        // try changing the seedColor in the colorScheme below to Colors.green
        // and then invoke "hot reload" (save your changes or press the "hot
        // reload" button in a Flutter-supported IDE, or press "r" if you used
        // the command line to start the app).
        //
        // Notice that the counter didn't reset back to zero; the application
        // state is not lost during the reload. To reset the state, use hot
        // restart instead.
        //
        // This works for code too, not just values: Most code changes can be
        // tested with just a hot reload.
        colorScheme: .fromSeed(seedColor: Colors.deepPurple),
      ),
      home: const MyHomePage(title: 'Flutter Demo Home Page'),
    );
  }
 }
 class MyHomePage extends StatefulWidget {
  const MyHomePage({super.key, required this.title});
  // This widget is the home page of your application. It is stateful, meaning
  // that it has a State object (defined below) that contains fields that affect
  // how it looks.
  // This class is the configuration for the state. It holds the values (in this
  // case the title) provided by the parent (in this case the App widget) and
  // used by the build method of the State. Fields in a Widget subclass are
  // always marked "final".
  final String title;
  @override
  State<MyHomePage> createState() => _MyHomePageState();
 }
 class _MyHomePageState extends State<MyHomePage> {
  int _counter = 0;
  void _incrementCounter() {
    setState(() {
      // This call to setState tells the Flutter framework that something has
      // changed in this State, which causes it to rerun the build method below
      // so that the display can reflect the updated values. If we changed
      // _counter without calling setState(), then the build method would not be
      // called again, and so nothing would appear to happen.
      _counter++;
    });
  }
  @override
  Widget build(BuildContext context) {
    // This method is rerun every time setState is called, for instance as done
    // by the _incrementCounter method above.
    //
    // The Flutter framework has been optimized to make rerunning build methods
    // fast, so that you can just rebuild anything that needs updating rather
    // than having to individually change instances of widgets.
    return Scaffold(
      appBar: AppBar(
        // TRY THIS: Try changing the color here to a specific color (to
        // Colors.amber, perhaps?) and trigger a hot reload to see the AppBar
        // change color while the other colors stay the same.
        backgroundColor: Theme.of(context).colorScheme.inversePrimary,
        // Here we take the value from the MyHomePage object that was created by
        // the App.build method, and use it to set our appbar title.
        title: Text(widget.title),
      ),
      body: Center(
        // Center is a layout widget. It takes a single child and positions it
        // in the middle of the parent.
        child: Column(
          // Column is also a layout widget. It takes a list of children and
          // arranges them vertically. By default, it sizes itself to fit its
          // children horizontally, and tries to be as tall as its parent.
          //
          // Column has various properties to control how it sizes itself and
          // how it positions its children. Here we use mainAxisAlignment to
          // center the children vertically; the main axis here is the vertical
          // axis because Columns are vertical (the cross axis would be
          // horizontal).
          //
          // TRY THIS: Invoke "debug painting" (choose the "Toggle Debug Paint"
          // action in the IDE, or press "p" in the console), to see the
          // wireframe for each widget.
          mainAxisAlignment: .center,
          children: [
            const Text('You have pushed the button this many times:'),
            Text(
              '$_counter',
              style: Theme.of(context).textTheme.headlineMedium,
            ),
          ],
        ),
      ),
      floatingActionButton: FloatingActionButton(
        onPressed: _incrementCounter,
        tooltip: 'Increment',
        child: const Icon(Icons.add),
      ),
    );
  }
 }
--- a/useragent/macos/.gitignore
+++ b/useragent/macos/.gitignore
--- a/app/macos/Flutter/Flutter-Debug.xcconfig
+++ b/app/macos/Flutter/Flutter-Debug.xcconfig
@@ -0,0 +1 @@
 #include "ephemeral/Flutter-Generated.xcconfig"
--- a/app/macos/Flutter/Flutter-Release.xcconfig
+++ b/app/macos/Flutter/Flutter-Release.xcconfig
@@ -0,0 +1 @@
 #include "ephemeral/Flutter-Generated.xcconfig"
--- a/app/macos/Flutter/GeneratedPluginRegistrant.swift
+++ b/app/macos/Flutter/GeneratedPluginRegistrant.swift
@@ -0,0 +1,10 @@
 //
 //  Generated file. Do not edit.
 //
 import FlutterMacOS
 import Foundation
 func RegisterGeneratedPlugins(registry: FlutterPluginRegistry) {
 }
--- a/useragent/macos/Runner.xcodeproj/project.pbxproj
+++ b/useragent/macos/Runner.xcodeproj/project.pbxproj
@@ -27,8 +27,6 @@
 		33CC10F32044A3C60003C045 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 33CC10F22044A3C60003C045 /* Assets.xcassets */; };
 		33CC10F62044A3C60003C045 /* MainMenu.xib in Resources */ = {isa = PBXBuildFile; fileRef = 33CC10F42044A3C60003C045 /* MainMenu.xib */; };
 		33CC11132044BFA00003C045 /* MainFlutterWindow.swift in Sources */ = {isa = PBXBuildFile; fileRef = 33CC11122044BFA00003C045 /* MainFlutterWindow.swift */; };
 		89374438F7FC24C1E409AC55 /* Pods_RunnerTests.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 84BA779FA182F4B90ADDD656 /* Pods_RunnerTests.framework */; };
 		9812E904D4443BD8157BA2CD /* Pods_Runner.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = FFE2551831D6F491FC95F4C0 /* Pods_Runner.framework */; };
 /* End PBXBuildFile section */
 /* Begin PBXContainerItemProxy section */
@@ -66,7 +64,7 @@
 		331C80D7294CF71000263BE5 /* RunnerTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RunnerTests.swift; sourceTree = "<group>"; };
 		333000ED22D3DE5D00554162 /* Warnings.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = Warnings.xcconfig; sourceTree = "<group>"; };
 		335BBD1A22A9A15E00E9071D /* GeneratedPluginRegistrant.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = GeneratedPluginRegistrant.swift; sourceTree = "<group>"; };
-		33CC10ED2044A3C60003C045 /* useragent.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = useragent.app; sourceTree = BUILT_PRODUCTS_DIR; };
+		33CC10ED2044A3C60003C045 /* app.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = "app.app"; sourceTree = BUILT_PRODUCTS_DIR; };
 		33CC10F02044A3C60003C045 /* AppDelegate.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppDelegate.swift; sourceTree = "<group>"; };
 		33CC10F22044A3C60003C045 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; name = Assets.xcassets; path = Runner/Assets.xcassets; sourceTree = "<group>"; };
 		33CC10F52044A3C60003C045 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.xib; name = Base; path = Base.lproj/MainMenu.xib; sourceTree = "<group>"; };
@@ -78,16 +76,8 @@
 		33E51913231747F40026EE4D /* DebugProfile.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = DebugProfile.entitlements; sourceTree = "<group>"; };
 		33E51914231749380026EE4D /* Release.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = Release.entitlements; sourceTree = "<group>"; };
 		33E5194F232828860026EE4D /* AppInfo.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = AppInfo.xcconfig; sourceTree = "<group>"; };
 		5385F9987FF8E7FD3BA4E87E /* Pods-RunnerTests.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-RunnerTests.release.xcconfig"; path = "Target Support Files/Pods-RunnerTests/Pods-RunnerTests.release.xcconfig"; sourceTree = "<group>"; };
 		7AFA3C8E1D35360C0083082E /* Release.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = Release.xcconfig; sourceTree = "<group>"; };
 		84BA779FA182F4B90ADDD656 /* Pods_RunnerTests.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_RunnerTests.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		9740EEB21CF90195004384FC /* Debug.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = Debug.xcconfig; sourceTree = "<group>"; };
 		989E0AE288EA0AECFF244CAB /* Pods-Runner.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Runner.debug.xcconfig"; path = "Target Support Files/Pods-Runner/Pods-Runner.debug.xcconfig"; sourceTree = "<group>"; };
 		ADF8B0EB51CA38AE67931C44 /* Pods-RunnerTests.profile.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-RunnerTests.profile.xcconfig"; path = "Target Support Files/Pods-RunnerTests/Pods-RunnerTests.profile.xcconfig"; sourceTree = "<group>"; };
 		DC537F8D4AE9B12FB802E110 /* Pods-RunnerTests.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-RunnerTests.debug.xcconfig"; path = "Target Support Files/Pods-RunnerTests/Pods-RunnerTests.debug.xcconfig"; sourceTree = "<group>"; };
 		F06E58390BD453D6E42AD67C /* Pods-Runner.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Runner.release.xcconfig"; path = "Target Support Files/Pods-Runner/Pods-Runner.release.xcconfig"; sourceTree = "<group>"; };
 		F9C83BBEBB84A7F9ACC93B93 /* Pods-Runner.profile.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Runner.profile.xcconfig"; path = "Target Support Files/Pods-Runner/Pods-Runner.profile.xcconfig"; sourceTree = "<group>"; };
 		FFE2551831D6F491FC95F4C0 /* Pods_Runner.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_Runner.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 /* End PBXFileReference section */
 /* Begin PBXFrameworksBuildPhase section */
@@ -95,7 +85,6 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
 				89374438F7FC24C1E409AC55 /* Pods_RunnerTests.framework in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -103,7 +92,6 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
 				9812E904D4443BD8157BA2CD /* Pods_Runner.framework in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -137,14 +125,13 @@
 				331C80D6294CF71000263BE5 /* RunnerTests */,
 				33CC10EE2044A3C60003C045 /* Products */,
 				D73912EC22F37F3D000D13A0 /* Frameworks */,
 				C5764DB16A5CAE65539863D1 /* Pods */,
 			);
 			sourceTree = "<group>";
 		};
 		33CC10EE2044A3C60003C045 /* Products */ = {
 			isa = PBXGroup;
 			children = (
-				33CC10ED2044A3C60003C045 /* useragent.app */,
+				33CC10ED2044A3C60003C045 /* app.app */,
 				331C80D5294CF71000263BE5 /* RunnerTests.xctest */,
 			);
 			name = Products;
@@ -185,24 +172,9 @@
 			path = Runner;
 			sourceTree = "<group>";
 		};
 		C5764DB16A5CAE65539863D1 /* Pods */ = {
 			isa = PBXGroup;
 			children = (
 				989E0AE288EA0AECFF244CAB /* Pods-Runner.debug.xcconfig */,
 				F06E58390BD453D6E42AD67C /* Pods-Runner.release.xcconfig */,
 				F9C83BBEBB84A7F9ACC93B93 /* Pods-Runner.profile.xcconfig */,
 				DC537F8D4AE9B12FB802E110 /* Pods-RunnerTests.debug.xcconfig */,
 				5385F9987FF8E7FD3BA4E87E /* Pods-RunnerTests.release.xcconfig */,
 				ADF8B0EB51CA38AE67931C44 /* Pods-RunnerTests.profile.xcconfig */,
 			);
 			path = Pods;
 			sourceTree = "<group>";
 		};
 		D73912EC22F37F3D000D13A0 /* Frameworks */ = {
 			isa = PBXGroup;
 			children = (
 				FFE2551831D6F491FC95F4C0 /* Pods_Runner.framework */,
 				84BA779FA182F4B90ADDD656 /* Pods_RunnerTests.framework */,
 			);
 			name = Frameworks;
 			sourceTree = "<group>";
@@ -214,7 +186,6 @@
 			isa = PBXNativeTarget;
 			buildConfigurationList = 331C80DE294CF71000263BE5 /* Build configuration list for PBXNativeTarget "RunnerTests" */;
 			buildPhases = (
 				72217D999FDDB4A0040A839E /* [CP] Check Pods Manifest.lock */,
 				331C80D1294CF70F00263BE5 /* Sources */,
 				331C80D2294CF70F00263BE5 /* Frameworks */,
 				331C80D3294CF70F00263BE5 /* Resources */,
@@ -233,13 +204,11 @@
 			isa = PBXNativeTarget;
 			buildConfigurationList = 33CC10FB2044A3C60003C045 /* Build configuration list for PBXNativeTarget "Runner" */;
 			buildPhases = (
 				4909404BD2C11CE7688B3B73 /* [CP] Check Pods Manifest.lock */,
 				33CC10E92044A3C60003C045 /* Sources */,
 				33CC10EA2044A3C60003C045 /* Frameworks */,
 				33CC10EB2044A3C60003C045 /* Resources */,
 				33CC110E2044A8840003C045 /* Bundle Framework */,
 				3399D490228B24CF009A79C7 /* ShellScript */,
 				2AF2BC4AB258588AFC797EA4 /* [CP] Embed Pods Frameworks */,
 			);
 			buildRules = (
 			);
@@ -248,7 +217,7 @@
 			);
 			name = Runner;
 			productName = Runner;
-			productReference = 33CC10ED2044A3C60003C045 /* useragent.app */;
+			productReference = 33CC10ED2044A3C60003C045 /* app.app */;
 			productType = "com.apple.product-type.application";
 		};
 /* End PBXNativeTarget section */
@@ -322,23 +291,6 @@
 /* End PBXResourcesBuildPhase section */
 /* Begin PBXShellScriptBuildPhase section */
 		2AF2BC4AB258588AFC797EA4 /* [CP] Embed Pods Frameworks */ = {
 			isa = PBXShellScriptBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
 			);
 			inputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks-${CONFIGURATION}-input-files.xcfilelist",
 			);
 			name = "[CP] Embed Pods Frameworks";
 			outputFileListPaths = (
 				"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks-${CONFIGURATION}-output-files.xcfilelist",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
 			shellScript = "\"${PODS_ROOT}/Target Support Files/Pods-Runner/Pods-Runner-frameworks.sh\"\n";
 			showEnvVarsInLog = 0;
 		};
 		3399D490228B24CF009A79C7 /* ShellScript */ = {
 			isa = PBXShellScriptBuildPhase;
 			alwaysOutOfDate = 1;
@@ -377,50 +329,6 @@
 			shellPath = /bin/sh;
 			shellScript = "\"$FLUTTER_ROOT\"/packages/flutter_tools/bin/macos_assemble.sh && touch Flutter/ephemeral/tripwire";
 		};
 		4909404BD2C11CE7688B3B73 /* [CP] Check Pods Manifest.lock */ = {
 			isa = PBXShellScriptBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
 			);
 			inputFileListPaths = (
 			);
 			inputPaths = (
 				"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
 				"${PODS_ROOT}/Manifest.lock",
 			);
 			name = "[CP] Check Pods Manifest.lock";
 			outputFileListPaths = (
 			);
 			outputPaths = (
 				"$(DERIVED_FILE_DIR)/Pods-Runner-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
 			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		72217D999FDDB4A0040A839E /* [CP] Check Pods Manifest.lock */ = {
 			isa = PBXShellScriptBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
 			);
 			inputFileListPaths = (
 			);
 			inputPaths = (
 				"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
 				"${PODS_ROOT}/Manifest.lock",
 			);
 			name = "[CP] Check Pods Manifest.lock";
 			outputFileListPaths = (
 			);
 			outputPaths = (
 				"$(DERIVED_FILE_DIR)/Pods-RunnerTests-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
 			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 /* End PBXShellScriptBuildPhase section */
 /* Begin PBXSourcesBuildPhase section */
@@ -472,49 +380,43 @@
 /* Begin XCBuildConfiguration section */
 		331C80DB294CF71000263BE5 /* Debug */ = {
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = DC537F8D4AE9B12FB802E110 /* Pods-RunnerTests.debug.xcconfig */;
 			buildSettings = {
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
 				MACOSX_DEPLOYMENT_TARGET = 11.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.example.useragent.RunnerTests;
+				PRODUCT_BUNDLE_IDENTIFIER = com.example.app.RunnerTests;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_VERSION = 5.0;
-				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/useragent.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/useragent";
+				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/app.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/app";
 			};
 			name = Debug;
 		};
 		331C80DC294CF71000263BE5 /* Release */ = {
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 5385F9987FF8E7FD3BA4E87E /* Pods-RunnerTests.release.xcconfig */;
 			buildSettings = {
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
 				MACOSX_DEPLOYMENT_TARGET = 11.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.example.useragent.RunnerTests;
+				PRODUCT_BUNDLE_IDENTIFIER = com.example.app.RunnerTests;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_VERSION = 5.0;
-				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/useragent.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/useragent";
+				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/app.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/app";
 			};
 			name = Release;
 		};
 		331C80DD294CF71000263BE5 /* Profile */ = {
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = ADF8B0EB51CA38AE67931C44 /* Pods-RunnerTests.profile.xcconfig */;
 			buildSettings = {
 				BUNDLE_LOADER = "$(TEST_HOST)";
 				CURRENT_PROJECT_VERSION = 1;
 				GENERATE_INFOPLIST_FILE = YES;
 				MACOSX_DEPLOYMENT_TARGET = 11.0;
 				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = com.example.useragent.RunnerTests;
+				PRODUCT_BUNDLE_IDENTIFIER = com.example.app.RunnerTests;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_VERSION = 5.0;
-				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/useragent.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/useragent";
+				TEST_HOST = "$(BUILT_PRODUCTS_DIR)/app.app/$(BUNDLE_EXECUTABLE_FOLDER_PATH)/app";
 			};
 			name = Profile;
 		};
@@ -562,7 +464,6 @@
 				MACOSX_DEPLOYMENT_TARGET = 10.15;
 				MTL_ENABLE_DEBUG_INFO = NO;
 				SDKROOT = macosx;
 				STRING_CATALOG_GENERATE_SYMBOLS = YES;
 				SWIFT_COMPILATION_MODE = wholemodule;
 				SWIFT_OPTIMIZATION_LEVEL = "-O";
 			};
@@ -575,23 +476,14 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements;
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				DEVELOPMENT_TEAM = 8L884L537J;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = YES;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.productivity";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 26.0;
 				PRODUCT_BUNDLE_IDENTIFIER = org.markettakers.arbiter;
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				RUNTIME_EXCEPTION_ALLOW_JIT = YES;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Profile;
@@ -600,7 +492,6 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CODE_SIGN_STYLE = Manual;
 				MACOSX_DEPLOYMENT_TARGET = 11.0;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
 			name = Profile;
@@ -656,7 +547,6 @@
 				MTL_ENABLE_DEBUG_INFO = YES;
 				ONLY_ACTIVE_ARCH = YES;
 				SDKROOT = macosx;
 				STRING_CATALOG_GENERATE_SYMBOLS = YES;
 				SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 			};
@@ -706,7 +596,6 @@
 				MACOSX_DEPLOYMENT_TARGET = 10.15;
 				MTL_ENABLE_DEBUG_INFO = NO;
 				SDKROOT = macosx;
 				STRING_CATALOG_GENERATE_SYMBOLS = YES;
 				SWIFT_COMPILATION_MODE = wholemodule;
 				SWIFT_OPTIMIZATION_LEVEL = "-O";
 			};
@@ -719,23 +608,14 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = Runner/DebugProfile.entitlements;
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				DEVELOPMENT_TEAM = 8L884L537J;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = YES;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.productivity";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 26.0;
 				PRODUCT_BUNDLE_IDENTIFIER = org.markettakers.arbiter;
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				RUNTIME_EXCEPTION_ALLOW_JIT = YES;
 				SWIFT_OPTIMIZATION_LEVEL = "-Onone";
 				SWIFT_VERSION = 5.0;
 			};
@@ -748,23 +628,14 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_ENTITLEMENTS = Runner/Release.entitlements;
 				"CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
 				DEVELOPMENT_TEAM = 8L884L537J;
 				ENABLE_APP_SANDBOX = YES;
 				ENABLE_INCOMING_NETWORK_CONNECTIONS = YES;
 				ENABLE_OUTGOING_NETWORK_CONNECTIONS = YES;
 				INFOPLIST_FILE = Runner/Info.plist;
 				INFOPLIST_KEY_LSApplicationCategoryType = "public.app-category.productivity";
 				LD_RUNPATH_SEARCH_PATHS = (
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
 				MACOSX_DEPLOYMENT_TARGET = 26.0;
 				PRODUCT_BUNDLE_IDENTIFIER = org.markettakers.arbiter;
 				PROVISIONING_PROFILE_SPECIFIER = "";
 				RUNTIME_EXCEPTION_ALLOW_JIT = YES;
 				SWIFT_VERSION = 5.0;
 			};
 			name = Release;
@@ -773,7 +644,6 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CODE_SIGN_STYLE = Manual;
 				MACOSX_DEPLOYMENT_TARGET = 11.0;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
 			name = Debug;
@@ -782,7 +652,6 @@
 			isa = XCBuildConfiguration;
 			buildSettings = {
 				CODE_SIGN_STYLE = Automatic;
 				MACOSX_DEPLOYMENT_TARGET = 11.0;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 			};
 			name = Release;
--- a/useragent/macos/Runner.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
+++ b/useragent/macos/Runner.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
--- a/useragent/macos/Runner.xcodeproj/xcshareddata/xcschemes/Runner.xcscheme
+++ b/useragent/macos/Runner.xcodeproj/xcshareddata/xcschemes/Runner.xcscheme
@@ -15,7 +15,7 @@
            <BuildableReference
               BuildableIdentifier = "primary"
               BlueprintIdentifier = "33CC10EC2044A3C60003C045"
-               BuildableName = "useragent.app"
+               BuildableName = "app.app"
               BlueprintName = "Runner"
               ReferencedContainer = "container:Runner.xcodeproj">
            </BuildableReference>
@@ -31,7 +31,7 @@
         <BuildableReference
            BuildableIdentifier = "primary"
            BlueprintIdentifier = "33CC10EC2044A3C60003C045"
-            BuildableName = "useragent.app"
+            BuildableName = "app.app"
            BlueprintName = "Runner"
            ReferencedContainer = "container:Runner.xcodeproj">
         </BuildableReference>
@@ -66,7 +66,7 @@
         <BuildableReference
            BuildableIdentifier = "primary"
            BlueprintIdentifier = "33CC10EC2044A3C60003C045"
-            BuildableName = "useragent.app"
+            BuildableName = "app.app"
            BlueprintName = "Runner"
            ReferencedContainer = "container:Runner.xcodeproj">
         </BuildableReference>
@@ -83,7 +83,7 @@
         <BuildableReference
            BuildableIdentifier = "primary"
            BlueprintIdentifier = "33CC10EC2044A3C60003C045"
-            BuildableName = "useragent.app"
+            BuildableName = "app.app"
            BlueprintName = "Runner"
            ReferencedContainer = "container:Runner.xcodeproj">
         </BuildableReference>
--- a/useragent/macos/Runner.xcworkspace/contents.xcworkspacedata
+++ b/useragent/macos/Runner.xcworkspace/contents.xcworkspacedata
@@ -4,7 +4,4 @@
   <FileRef
      location = "group:Runner.xcodeproj">
   </FileRef>
   <FileRef
      location = "group:Pods/Pods.xcodeproj">
   </FileRef>
 </Workspace>
--- a/useragent/macos/Runner.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
+++ b/useragent/macos/Runner.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
--- a/useragent/macos/Runner/AppDelegate.swift
+++ b/useragent/macos/Runner/AppDelegate.swift
--- a/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/Contents.json
+++ b/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/Contents.json
--- a/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_1024.png
+++ b/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_1024.png
--- a/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_128.png
+++ b/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_128.png
--- a/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_16.png
+++ b/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_16.png
--- a/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_256.png
+++ b/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_256.png
--- a/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_32.png
+++ b/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_32.png
--- a/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_512.png
+++ b/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_512.png
--- a/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_64.png
+++ b/useragent/macos/Runner/Assets.xcassets/AppIcon.appiconset/app_icon_64.png
--- a/useragent/macos/Runner/Base.lproj/MainMenu.xib
+++ b/useragent/macos/Runner/Base.lproj/MainMenu.xib
--- a/useragent/macos/Runner/Configs/AppInfo.xcconfig
+++ b/useragent/macos/Runner/Configs/AppInfo.xcconfig
@@ -5,10 +5,10 @@
 // 'flutter create' template.
 // The application's name. By default this is also the title of the Flutter window.
-PRODUCT_NAME = useragent
+PRODUCT_NAME = app
 // The application's bundle identifier
-PRODUCT_BUNDLE_IDENTIFIER = com.example.useragent
+PRODUCT_BUNDLE_IDENTIFIER = com.example.app
 // The copyright displayed in application information
 PRODUCT_COPYRIGHT = Copyright © 2026 com.example. All rights reserved.
--- a/useragent/macos/Runner/Configs/Debug.xcconfig
+++ b/useragent/macos/Runner/Configs/Debug.xcconfig
--- a/useragent/macos/Runner/Configs/Release.xcconfig
+++ b/useragent/macos/Runner/Configs/Release.xcconfig
--- a/useragent/macos/Runner/Configs/Warnings.xcconfig
+++ b/useragent/macos/Runner/Configs/Warnings.xcconfig
--- a/useragent/macos/Runner/DebugProfile.entitlements
+++ b/useragent/macos/Runner/DebugProfile.entitlements
@@ -2,7 +2,11 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>keychain-access-groups</key>
+	<key>com.apple.security.app-sandbox</key>
-	<array/>
+	<true/>
 	<key>com.apple.security.cs.allow-jit</key>
 	<true/>
 	<key>com.apple.security.network.server</key>
 	<true/>
 </dict>
 </plist>
--- a/useragent/macos/Runner/Info.plist
+++ b/useragent/macos/Runner/Info.plist
--- a/useragent/macos/Runner/MainFlutterWindow.swift
+++ b/useragent/macos/Runner/MainFlutterWindow.swift
--- a/useragent/macos/Runner/Release.entitlements
+++ b/useragent/macos/Runner/Release.entitlements
@@ -2,7 +2,7 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>keychain-access-groups</key>
+	<key>com.apple.security.app-sandbox</key>
-	<array/>
+	<true/>
 </dict>
 </plist>
--- a/useragent/macos/RunnerTests/RunnerTests.swift
+++ b/useragent/macos/RunnerTests/RunnerTests.swift
--- a/app/pubspec.lock
+++ b/app/pubspec.lock
@@ -0,0 +1,213 @@
 # Generated by pub
 # See https://dart.dev/tools/pub/glossary#lockfile
 packages:
  async:
    dependency: transitive
    description:
      name: async
      sha256: "758e6d74e971c3e5aceb4110bfd6698efc7f501675bcfe0c775459a8140750eb"
      url: "https://pub.dev"
    source: hosted
    version: "2.13.0"
  boolean_selector:
    dependency: transitive
    description:
      name: boolean_selector
      sha256: "8aab1771e1243a5063b8b0ff68042d67334e3feab9e95b9490f9a6ebf73b42ea"
      url: "https://pub.dev"
    source: hosted
    version: "2.1.2"
  characters:
    dependency: transitive
    description:
      name: characters
      sha256: f71061c654a3380576a52b451dd5532377954cf9dbd272a78fc8479606670803
      url: "https://pub.dev"
    source: hosted
    version: "1.4.0"
  clock:
    dependency: transitive
    description:
      name: clock
      sha256: fddb70d9b5277016c77a80201021d40a2247104d9f4aa7bab7157b7e3f05b84b
      url: "https://pub.dev"
    source: hosted
    version: "1.1.2"
  collection:
    dependency: transitive
    description:
      name: collection
      sha256: "2f5709ae4d3d59dd8f7cd309b4e023046b57d8a6c82130785d2b0e5868084e76"
      url: "https://pub.dev"
    source: hosted
    version: "1.19.1"
  cupertino_icons:
    dependency: "direct main"
    description:
      name: cupertino_icons
      sha256: ba631d1c7f7bef6b729a622b7b752645a2d076dba9976925b8f25725a30e1ee6
      url: "https://pub.dev"
    source: hosted
    version: "1.0.8"
  fake_async:
    dependency: transitive
    description:
      name: fake_async
      sha256: "5368f224a74523e8d2e7399ea1638b37aecfca824a3cc4dfdf77bf1fa905ac44"
      url: "https://pub.dev"
    source: hosted
    version: "1.3.3"
  flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
  flutter_lints:
    dependency: "direct dev"
    description:
      name: flutter_lints
      sha256: "3105dc8492f6183fb076ccf1f351ac3d60564bff92e20bfc4af9cc1651f4e7e1"
      url: "https://pub.dev"
    source: hosted
    version: "6.0.0"
  flutter_test:
    dependency: "direct dev"
    description: flutter
    source: sdk
    version: "0.0.0"
  leak_tracker:
    dependency: transitive
    description:
      name: leak_tracker
      sha256: "33e2e26bdd85a0112ec15400c8cbffea70d0f9c3407491f672a2fad47915e2de"
      url: "https://pub.dev"
    source: hosted
    version: "11.0.2"
  leak_tracker_flutter_testing:
    dependency: transitive
    description:
      name: leak_tracker_flutter_testing
      sha256: "1dbc140bb5a23c75ea9c4811222756104fbcd1a27173f0c34ca01e16bea473c1"
      url: "https://pub.dev"
    source: hosted
    version: "3.0.10"
  leak_tracker_testing:
    dependency: transitive
    description:
      name: leak_tracker_testing
      sha256: "8d5a2d49f4a66b49744b23b018848400d23e54caf9463f4eb20df3eb8acb2eb1"
      url: "https://pub.dev"
    source: hosted
    version: "3.0.2"
  lints:
    dependency: transitive
    description:
      name: lints
      sha256: "12f842a479589fea194fe5c5a3095abc7be0c1f2ddfa9a0e76aed1dbd26a87df"
      url: "https://pub.dev"
    source: hosted
    version: "6.1.0"
  matcher:
    dependency: transitive
    description:
      name: matcher
      sha256: dc58c723c3c24bf8d3e2d3ad3f2f9d7bd9cf43ec6feaa64181775e60190153f2
      url: "https://pub.dev"
    source: hosted
    version: "0.12.17"
  material_color_utilities:
    dependency: transitive
    description:
      name: material_color_utilities
      sha256: f7142bb1154231d7ea5f96bc7bde4bda2a0945d2806bb11670e30b850d56bdec
      url: "https://pub.dev"
    source: hosted
    version: "0.11.1"
  meta:
    dependency: transitive
    description:
      name: meta
      sha256: "23f08335362185a5ea2ad3a4e597f1375e78bce8a040df5c600c8d3552ef2394"
      url: "https://pub.dev"
    source: hosted
    version: "1.17.0"
  path:
    dependency: transitive
    description:
      name: path
      sha256: "75cca69d1490965be98c73ceaea117e8a04dd21217b37b292c9ddbec0d955bc5"
      url: "https://pub.dev"
    source: hosted
    version: "1.9.1"
  sky_engine:
    dependency: transitive
    description: flutter
    source: sdk
    version: "0.0.0"
  source_span:
    dependency: transitive
    description:
      name: source_span
      sha256: "56a02f1f4cd1a2d96303c0144c93bd6d909eea6bee6bf5a0e0b685edbd4c47ab"
      url: "https://pub.dev"
    source: hosted
    version: "1.10.2"
  stack_trace:
    dependency: transitive
    description:
      name: stack_trace
      sha256: "8b27215b45d22309b5cddda1aa2b19bdfec9df0e765f2de506401c071d38d1b1"
      url: "https://pub.dev"
    source: hosted
    version: "1.12.1"
  stream_channel:
    dependency: transitive
    description:
      name: stream_channel
      sha256: "969e04c80b8bcdf826f8f16579c7b14d780458bd97f56d107d3950fdbeef059d"
      url: "https://pub.dev"
    source: hosted
    version: "2.1.4"
  string_scanner:
    dependency: transitive
    description:
      name: string_scanner
      sha256: "921cd31725b72fe181906c6a94d987c78e3b98c2e205b397ea399d4054872b43"
      url: "https://pub.dev"
    source: hosted
    version: "1.4.1"
  term_glyph:
    dependency: transitive
    description:
      name: term_glyph
      sha256: "7f554798625ea768a7518313e58f83891c7f5024f88e46e7182a4558850a4b8e"
      url: "https://pub.dev"
    source: hosted
    version: "1.2.2"
  test_api:
    dependency: transitive
    description:
      name: test_api
      sha256: ab2726c1a94d3176a45960b6234466ec367179b87dd74f1611adb1f3b5fb9d55
      url: "https://pub.dev"
    source: hosted
    version: "0.7.7"
  vector_math:
    dependency: transitive
    description:
      name: vector_math
      sha256: d530bd74fea330e6e364cda7a85019c434070188383e1cd8d9777ee586914c5b
      url: "https://pub.dev"
    source: hosted
    version: "2.2.0"
  vm_service:
    dependency: transitive
    description:
      name: vm_service
      sha256: "45caa6c5917fa127b5dbcfbd1fa60b14e583afdc08bfc96dda38886ca252eb60"
      url: "https://pub.dev"
    source: hosted
    version: "15.0.2"
 sdks:
  dart: ">=3.10.8 <4.0.0"
  flutter: ">=3.18.0-18.0.pre.54"
--- a/app/pubspec.yaml
+++ b/app/pubspec.yaml
@@ -0,0 +1,89 @@
 name: app
 description: "A new Flutter project."
 # The following line prevents the package from being accidentally published to
 # pub.dev using `flutter pub publish`. This is preferred for private packages.
 publish_to: 'none' # Remove this line if you wish to publish to pub.dev
 # The following defines the version and build number for your application.
 # A version number is three numbers separated by dots, like 1.2.43
 # followed by an optional build number separated by a +.
 # Both the version and the builder number may be overridden in flutter
 # build by specifying --build-name and --build-number, respectively.
 # In Android, build-name is used as versionName while build-number used as versionCode.
 # Read more about Android versioning at https://developer.android.com/studio/publish/versioning
 # In iOS, build-name is used as CFBundleShortVersionString while build-number is used as CFBundleVersion.
 # Read more about iOS versioning at
 # https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
 # In Windows, build-name is used as the major, minor, and patch parts
 # of the product and file versions while build-number is used as the build suffix.
 version: 1.0.0+1
 environment:
  sdk: ^3.10.8
 # Dependencies specify other packages that your package needs in order to work.
 # To automatically upgrade your package dependencies to the latest versions
 # consider running `flutter pub upgrade --major-versions`. Alternatively,
 # dependencies can be manually updated by changing the version numbers below to
 # the latest version available on pub.dev. To see which dependencies have newer
 # versions available, run `flutter pub outdated`.
 dependencies:
  flutter:
    sdk: flutter
  # The following adds the Cupertino Icons font to your application.
  # Use with the CupertinoIcons class for iOS style icons.
  cupertino_icons: ^1.0.8
 dev_dependencies:
  flutter_test:
    sdk: flutter
  # The "flutter_lints" package below contains a set of recommended lints to
  # encourage good coding practices. The lint set provided by the package is
  # activated in the `analysis_options.yaml` file located at the root of your
  # package. See that file for information about deactivating specific lint
  # rules and activating additional ones.
  flutter_lints: ^6.0.0
 # For information on the generic Dart part of this file, see the
 # following page: https://dart.dev/tools/pub/pubspec
 # The following section is specific to Flutter packages.
 flutter:
  # The following line ensures that the Material Icons font is
  # included with your application, so that you can use the icons in
  # the material Icons class.
  uses-material-design: true
  # To add assets to your application, add an assets section, like this:
  # assets:
  #   - images/a_dot_burr.jpeg
  #   - images/a_dot_ham.jpeg
  # An image asset can refer to one or more resolution-specific "variants", see
  # https://flutter.dev/to/resolution-aware-images
  # For details regarding adding assets from package dependencies, see
  # https://flutter.dev/to/asset-from-package
  # To add custom fonts to your application, add a fonts section here,
  # in this "flutter" section. Each entry in this list should have a
  # "family" key with the font family name, and a "fonts" key with a
  # list giving the asset and other descriptors for the font. For
  # example:
  # fonts:
  #   - family: Schyler
  #     fonts:
  #       - asset: fonts/Schyler-Regular.ttf
  #       - asset: fonts/Schyler-Italic.ttf
  #         style: italic
  #   - family: Trajan Pro
  #     fonts:
  #       - asset: fonts/TrajanPro.ttf
  #       - asset: fonts/TrajanPro_Bold.ttf
  #         weight: 700
  #
  # For details regarding fonts from package dependencies,
  # see https://flutter.dev/to/font-from-package
--- a/useragent/windows/.gitignore
+++ b/useragent/windows/.gitignore
--- a/useragent/windows/CMakeLists.txt
+++ b/useragent/windows/CMakeLists.txt
@@ -1,10 +1,10 @@
 # Project-level configuration.
 cmake_minimum_required(VERSION 3.14)
-project(useragent LANGUAGES CXX)
+project(app LANGUAGES CXX)
 # The name of the executable created for the application. Change this to change
 # the on-disk name of your application.
-set(BINARY_NAME "useragent")
+set(BINARY_NAME "app")
 # Explicitly opt in to modern CMake behaviors to avoid warnings with recent
 # versions of CMake.
--- a/useragent/windows/flutter/CMakeLists.txt
+++ b/useragent/windows/flutter/CMakeLists.txt
--- a/app/windows/flutter/generated_plugin_registrant.cc
+++ b/app/windows/flutter/generated_plugin_registrant.cc
@@ -0,0 +1,11 @@
 //
 //  Generated file. Do not edit.
 //
 // clang-format off
 #include "generated_plugin_registrant.h"
 void RegisterPlugins(flutter::PluginRegistry* registry) {
 }
--- a/useragent/windows/flutter/generated_plugin_registrant.h
+++ b/useragent/windows/flutter/generated_plugin_registrant.h
--- a/useragent/windows/flutter/generated_plugins.cmake
+++ b/useragent/windows/flutter/generated_plugins.cmake
@@ -3,11 +3,6 @@
 #
 list(APPEND FLUTTER_PLUGIN_LIST
  biometric_signature
  flutter_secure_storage_windows
  rive_native
  share_plus
  url_launcher_windows
 )
 list(APPEND FLUTTER_FFI_PLUGIN_LIST
--- a/useragent/windows/runner/CMakeLists.txt
+++ b/useragent/windows/runner/CMakeLists.txt
--- a/useragent/windows/runner/Runner.rc
+++ b/useragent/windows/runner/Runner.rc
@@ -90,12 +90,12 @@ BEGIN
        BLOCK "040904e4"
        BEGIN
            VALUE "CompanyName", "com.example" "\0"
-            VALUE "FileDescription", "useragent" "\0"
+            VALUE "FileDescription", "app" "\0"
            VALUE "FileVersion", VERSION_AS_STRING "\0"
-            VALUE "InternalName", "useragent" "\0"
+            VALUE "InternalName", "app" "\0"
            VALUE "LegalCopyright", "Copyright (C) 2026 com.example. All rights reserved." "\0"
-            VALUE "OriginalFilename", "useragent.exe" "\0"
+            VALUE "OriginalFilename", "app.exe" "\0"
-            VALUE "ProductName", "useragent" "\0"
+            VALUE "ProductName", "app" "\0"
            VALUE "ProductVersion", VERSION_AS_STRING "\0"
        END
    END
--- a/useragent/windows/runner/flutter_window.cpp
+++ b/useragent/windows/runner/flutter_window.cpp
--- a/useragent/windows/runner/flutter_window.h
+++ b/useragent/windows/runner/flutter_window.h
--- a/useragent/windows/runner/main.cpp
+++ b/useragent/windows/runner/main.cpp
@@ -27,7 +27,7 @@ int APIENTRY wWinMain(_In_ HINSTANCE instance, _In_opt_ HINSTANCE prev,
  FlutterWindow window(project);
  Win32Window::Point origin(10, 10);
  Win32Window::Size size(1280, 720);
-  if (!window.Create(L"useragent", origin, size)) {
+  if (!window.Create(L"app", origin, size)) {
    return EXIT_FAILURE;
  }
  window.SetQuitOnClose(true);
--- a/useragent/windows/runner/resource.h
+++ b/useragent/windows/runner/resource.h
--- a/useragent/windows/runner/resources/app_icon.ico
+++ b/useragent/windows/runner/resources/app_icon.ico
--- a/useragent/windows/runner/runner.exe.manifest
+++ b/useragent/windows/runner/runner.exe.manifest
--- a/useragent/windows/runner/utils.cpp
+++ b/useragent/windows/runner/utils.cpp
--- a/useragent/windows/runner/utils.h
+++ b/useragent/windows/runner/utils.h
--- a/useragent/windows/runner/win32_window.cpp
+++ b/useragent/windows/runner/win32_window.cpp
--- a/useragent/windows/runner/win32_window.h
+++ b/useragent/windows/runner/win32_window.h
--- a/mise.lock
+++ b/mise.lock
@@ -1,37 +1,7 @@
 # @generated - this file is auto-generated by `mise lock` https://mise.jdx.dev/dev-tools/mise-lock.html
 [[tools.ast-grep]]
 version = "0.42.0"
 backend = "aqua:ast-grep/ast-grep"
 [tools.ast-grep."platforms.linux-arm64"]
 checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"
 [tools.ast-grep."platforms.linux-x64"]
 checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"
 [tools.ast-grep."platforms.macos-arm64"]
 checksum = "sha256:fc300d5293b1c770a5aece03a8a193b92e71e87cec726c28096990691a582620"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-apple-darwin.zip"
 [tools.ast-grep."platforms.macos-x64"]
 checksum = "sha256:979ffe611327056f4730a1ae71b0209b3b830f58b22c6ed194cda34f55400db2"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-apple-darwin.zip"
 [tools.ast-grep."platforms.windows-x64"]
 checksum = "sha256:55836fa1b2c65dc7d61615a4d9368622a0d2371a76d28b9a165e5a3ab6ae32a4"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-pc-windows-msvc.zip"
 [[tools."cargo:cargo-audit"]]
 version = "0.22.1"
 backend = "cargo:cargo-audit"
 [[tools."cargo:cargo-edit"]]
 version = "0.13.9"
 backend = "cargo:cargo-edit"
 [[tools."cargo:cargo-features"]]
 version = "1.0.0"
 backend = "cargo:cargo-features"
@@ -40,10 +10,6 @@ backend = "cargo:cargo-features"
 version = "0.11.1"
 backend = "cargo:cargo-features-manager"
 [[tools."cargo:cargo-insta"]]
 version = "1.46.3"
 backend = "cargo:cargo-insta"
 [[tools."cargo:cargo-nextest"]]
 version = "0.9.126"
 backend = "cargo:cargo-nextest"
@@ -72,10 +38,6 @@ backend = "cargo:diesel_cli"
 default-features = "false"
 features = "sqlite,sqlite-bundled"
 [[tools."cargo:rinf_cli"]]
 version = "8.9.1"
 backend = "cargo:rinf_cli"
 [[tools.flutter]]
 version = "3.38.9-stable"
 backend = "asdf:flutter"
@@ -83,50 +45,11 @@ backend = "asdf:flutter"
 [[tools.protoc]]
 version = "29.6"
 backend = "aqua:protocolbuffers/protobuf/protoc"
-
+"platforms.linux-arm64" = { checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"}
-[tools.protoc."platforms.linux-arm64"]
+"platforms.linux-x64" = { checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"}
-checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79"
+"platforms.macos-arm64" = { checksum = "sha256:b9576b5fa1a1ef3fe13a8c91d9d8204b46545759bea5ae155cd6ba2ea4cdaeed", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-aarch_64.zip"}
-url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"
+"platforms.macos-x64" = { checksum = "sha256:312f04713946921cc0187ef34df80241ddca1bab6f564c636885fd2cc90d3f88", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-x86_64.zip"}
-
+"platforms.windows-x64" = { checksum = "sha256:1ebd7c87baffb9f1c47169b640872bf5fb1e4408079c691af527be9561d8f6f7", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-win64.zip"}
 [tools.protoc."platforms.linux-x64"]
 checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"
 [tools.protoc."platforms.macos-arm64"]
 checksum = "sha256:b9576b5fa1a1ef3fe13a8c91d9d8204b46545759bea5ae155cd6ba2ea4cdaeed"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-aarch_64.zip"
 [tools.protoc."platforms.macos-x64"]
 checksum = "sha256:312f04713946921cc0187ef34df80241ddca1bab6f564c636885fd2cc90d3f88"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-x86_64.zip"
 [tools.protoc."platforms.windows-x64"]
 checksum = "sha256:1ebd7c87baffb9f1c47169b640872bf5fb1e4408079c691af527be9561d8f6f7"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-win64.zip"
 [[tools.python]]
 version = "3.14.3"
 backend = "core:python"
 [tools.python."platforms.linux-arm64"]
 checksum = "sha256:be0f4dc2932f762292b27d46ea7d3e8e66ddf3969a5eb0254a229015ed402625"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
 [tools.python."platforms.linux-x64"]
 checksum = "sha256:0a73413f89efd417871876c9accaab28a9d1e3cd6358fbfff171a38ec99302f0"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
 [tools.python."platforms.macos-arm64"]
 checksum = "sha256:4703cdf18b26798fde7b49b6b66149674c25f97127be6a10dbcf29309bdcdcdb"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-apple-darwin-install_only_stripped.tar.gz"
 [tools.python."platforms.macos-x64"]
 checksum = "sha256:76f1cc26e3d262eae8ca546a93e8bded10cf0323613f7e246fea2e10a8115eb7"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-apple-darwin-install_only_stripped.tar.gz"
 [tools.python."platforms.windows-x64"]
 checksum = "sha256:950c5f21a015c1bdd1337f233456df2470fab71e4d794407d27a84cb8b9909a0"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
 [[tools.rust]]
 version = "1.93.0"
--- a/mise.toml
+++ b/mise.toml
@@ -2,21 +2,10 @@
 "cargo:diesel_cli" = { version = "2.3.6", features = "sqlite,sqlite-bundled", default-features = false }
 "cargo:cargo-audit" = "0.22.1"
 "cargo:cargo-vet" = "0.10.2"
 flutter = "3.38.9-stable"
 protoc = "29.6"
-"rust" = {version = "1.93.0", components = "clippy"}
+rust = "1.93.1"
 "cargo:cargo-features-manager" = "0.11.1"
 "cargo:cargo-nextest" = "0.9.126"
 "cargo:cargo-shear" = "latest"
 "cargo:cargo-insta" = "1.46.3"
 python = "3.14.3"
 ast-grep = "0.42.0"
 "cargo:cargo-edit" = "0.13.9"
 [tasks.codegen]
 sources = ['protobufs/*.proto']
 outputs = ['useragent/lib/proto/*']
 run = '''
 dart pub global activate protoc_plugin && \
 protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ protobufs/*.proto
 '''
--- a/protobufs/arbiter.proto
+++ b/protobufs/arbiter.proto
@@ -2,15 +2,113 @@ syntax = "proto3";
 package arbiter;
-import "client.proto";
+import "auth.proto";
-import "user_agent.proto";
+
 message ClientRequest {
  oneof payload {
    arbiter.auth.ClientMessage auth_message = 1;
    CertRotationAck cert_rotation_ack = 2;
  }
 }
 message ClientResponse {
  oneof payload {
    arbiter.auth.ServerMessage auth_message = 1;
    CertRotationNotification cert_rotation_notification = 2;
  }
 }
 message UserAgentRequest {
  oneof payload {
    arbiter.auth.ClientMessage auth_message = 1;
    CertRotationAck cert_rotation_ack = 2;
    UnsealRequest unseal_request = 3;
  }
 }
 message UserAgentResponse {
  oneof payload {
    arbiter.auth.ServerMessage auth_message = 1;
    CertRotationNotification cert_rotation_notification = 2;
    UnsealResponse unseal_response = 3;
  }
 }
 message ServerInfo {
  string version = 1;
  bytes cert_public_key = 2;
 }
-service ArbiterService {
+// TLS Certificate Rotation Protocol
-  rpc Client(stream arbiter.client.ClientRequest) returns (stream arbiter.client.ClientResponse);
+message CertRotationNotification {
-  rpc UserAgent(stream arbiter.user_agent.UserAgentRequest) returns (stream arbiter.user_agent.UserAgentResponse);
+  // New public certificate (DER-encoded)
  bytes new_cert = 1;
  // Unix timestamp when rotation will be executed (if all ACKs received)
  int64 rotation_scheduled_at = 2;
  // Unix timestamp deadline for ACK (7 days from now)
  int64 ack_deadline = 3;
  // Rotation ID for tracking
  int32 rotation_id = 4;
 }
 message CertRotationAck {
  // Rotation ID (from CertRotationNotification)
  int32 rotation_id = 1;
  // Client public key for identification
  bytes client_public_key = 2;
  // Confirmation that client saved the new certificate
  bool cert_saved = 3;
 }
 // Vault Unseal Protocol (X25519 ECDH + ChaCha20Poly1305)
 message UnsealRequest {
  oneof payload {
    EphemeralKeyRequest ephemeral_key_request = 1;
    SealedPassword sealed_password = 2;
  }
 }
 message UnsealResponse {
  oneof payload {
    EphemeralKeyResponse ephemeral_key_response = 1;
    UnsealResult unseal_result = 2;
  }
 }
 message EphemeralKeyRequest {}
 message EphemeralKeyResponse {
  // Server's X25519 ephemeral public key (32 bytes)
  bytes server_pubkey = 1;
  // Unix timestamp when this key expires (60 seconds from generation)
  int64 expires_at = 2;
 }
 message SealedPassword {
  // Client's X25519 ephemeral public key (32 bytes)
  bytes client_pubkey = 1;
  // ChaCha20Poly1305 encrypted password (ciphertext + tag)
  bytes encrypted_password = 2;
  // 12-byte nonce for ChaCha20Poly1305
  bytes nonce = 3;
 }
 message UnsealResult {
  // Whether unseal was successful
  bool success = 1;
  // Error message if unseal failed
  optional string error_message = 2;
 }
 service ArbiterService {
  rpc Client(stream ClientRequest) returns (stream ClientResponse);
  rpc UserAgent(stream UserAgentRequest) returns (stream UserAgentResponse);
 }
--- a/protobufs/auth.proto
+++ b/protobufs/auth.proto
@@ -0,0 +1,35 @@
 syntax = "proto3";
 package arbiter.auth;
 import "google/protobuf/timestamp.proto";
 message AuthChallengeRequest {
  bytes pubkey = 1;
  optional string bootstrap_token = 2;
 }
 message AuthChallenge {
  bytes pubkey = 1;
  int32 nonce = 2;
 }
 message AuthChallengeSolution {
  bytes signature = 1;
 }
 message AuthOk {}
 message ClientMessage {
  oneof payload {
    AuthChallengeRequest auth_challenge_request = 1;
    AuthChallengeSolution auth_challenge_solution = 2;
  }
 }
 message ServerMessage {
  oneof payload {
    AuthChallenge auth_challenge = 1;
    AuthOk auth_ok = 2;
  }
 }
--- a/protobufs/client.proto
+++ b/protobufs/client.proto
@@ -1,64 +0,0 @@
 syntax = "proto3";
 package arbiter.client;
 import "evm.proto";
 import "google/protobuf/empty.proto";
 message ClientInfo {
  string name = 1;
  optional string description = 2;
  optional string version = 3;
 }
 message AuthChallengeRequest {
  bytes pubkey = 1;
  ClientInfo client_info = 2;
 }
 message AuthChallenge {
  bytes pubkey = 1;
  int32 nonce = 2;
 }
 message AuthChallengeSolution {
  bytes signature = 1;
 }
 enum AuthResult {
  AUTH_RESULT_UNSPECIFIED = 0;
  AUTH_RESULT_SUCCESS = 1;
  AUTH_RESULT_INVALID_KEY = 2;
  AUTH_RESULT_INVALID_SIGNATURE = 3;
  AUTH_RESULT_APPROVAL_DENIED = 4;
  AUTH_RESULT_NO_USER_AGENTS_ONLINE = 5;
  AUTH_RESULT_INTERNAL = 6;
 }
 enum VaultState {
  VAULT_STATE_UNSPECIFIED = 0;
  VAULT_STATE_UNBOOTSTRAPPED = 1;
  VAULT_STATE_SEALED = 2;
  VAULT_STATE_UNSEALED = 3;
  VAULT_STATE_ERROR = 4;
 }
 message ClientRequest {
  int32 request_id = 4;
  oneof payload {
    AuthChallengeRequest auth_challenge_request = 1;
    AuthChallengeSolution auth_challenge_solution = 2;
    google.protobuf.Empty query_vault_state = 3;
  }
 }
 message ClientResponse {
  optional int32 request_id = 7;
  oneof payload {
    AuthChallenge auth_challenge = 1;
    AuthResult auth_result = 2;
    arbiter.evm.EvmSignTransactionResponse evm_sign_transaction = 3;
    arbiter.evm.EvmAnalyzeTransactionResponse evm_analyze_transaction = 4;
    VaultState vault_state = 6;
  }
 }
--- a/protobufs/evm.proto
+++ b/protobufs/evm.proto
@@ -1,216 +0,0 @@
 syntax = "proto3";
 package arbiter.evm;
 import "google/protobuf/empty.proto";
 import "google/protobuf/timestamp.proto";
 enum EvmError {
  EVM_ERROR_UNSPECIFIED = 0;
  EVM_ERROR_VAULT_SEALED = 1;
  EVM_ERROR_INTERNAL = 2;
 }
 message WalletEntry {
  int32 id = 1;
  bytes address = 2; // 20-byte Ethereum address
 }
 message WalletList {
  repeated WalletEntry wallets = 1;
 }
 message WalletCreateResponse {
  oneof result {
    WalletEntry wallet = 1;
    EvmError error = 2;
  }
 }
 message WalletListResponse {
  oneof result {
    WalletList wallets = 1;
    EvmError error = 2;
  }
 }
 // --- Grant types ---
 message TransactionRateLimit {
  uint32 count = 1;
  int64 window_secs = 2;
 }
 message VolumeRateLimit {
  bytes max_volume = 1; // U256 as big-endian bytes
  int64 window_secs = 2;
 }
 message SharedSettings {
  int32 wallet_access_id = 1;
  uint64 chain_id = 2;
  optional google.protobuf.Timestamp valid_from = 3;
  optional google.protobuf.Timestamp valid_until = 4;
  optional bytes max_gas_fee_per_gas = 5; // U256 as big-endian bytes
  optional bytes max_priority_fee_per_gas = 6; // U256 as big-endian bytes
  optional TransactionRateLimit rate_limit = 7;
 }
 message EtherTransferSettings {
  repeated bytes targets = 1; // list of 20-byte Ethereum addresses
  VolumeRateLimit limit = 2;
 }
 message TokenTransferSettings {
  bytes token_contract = 1; // 20-byte Ethereum address
  optional bytes target = 2; // 20-byte Ethereum address; absent means any recipient allowed
  repeated VolumeRateLimit volume_limits = 3;
 }
 message SpecificGrant {
  oneof grant {
    EtherTransferSettings ether_transfer = 1;
    TokenTransferSettings token_transfer = 2;
  }
 }
 message EtherTransferMeaning {
  bytes to = 1; // 20-byte Ethereum address
  bytes value = 2; // U256 as big-endian bytes
 }
 message TokenInfo {
  string symbol = 1;
  bytes address = 2; // 20-byte Ethereum address
  uint64 chain_id = 3;
 }
 // Mirror of token_transfers::Meaning
 message TokenTransferMeaning {
  TokenInfo token = 1;
  bytes to = 2; // 20-byte Ethereum address
  bytes value = 3; // U256 as big-endian bytes
 }
 // Mirror of policies::SpecificMeaning
 message SpecificMeaning {
  oneof meaning {
    EtherTransferMeaning ether_transfer = 1;
    TokenTransferMeaning token_transfer = 2;
  }
 }
 // --- Eval error types ---
 message GasLimitExceededViolation {
  optional bytes max_gas_fee_per_gas = 1; // U256 as big-endian bytes
  optional bytes max_priority_fee_per_gas = 2; // U256 as big-endian bytes
 }
 message EvalViolation {
  oneof kind {
    bytes invalid_target = 1; // 20-byte Ethereum address
    GasLimitExceededViolation gas_limit_exceeded = 2;
    google.protobuf.Empty rate_limit_exceeded = 3;
    google.protobuf.Empty volumetric_limit_exceeded = 4;
    google.protobuf.Empty invalid_time = 5;
    google.protobuf.Empty invalid_transaction_type = 6;
  }
 }
 // Transaction was classified but no grant covers it
 message NoMatchingGrantError {
  SpecificMeaning meaning = 1;
 }
 // Transaction was classified and a grant was found, but constraints were violated
 message PolicyViolationsError {
  SpecificMeaning meaning = 1;
  repeated EvalViolation violations = 2;
 }
 // top-level error returned when transaction evaluation fails
 message TransactionEvalError {
  oneof kind {
    google.protobuf.Empty contract_creation_not_supported = 1;
    google.protobuf.Empty unsupported_transaction_type = 2;
    NoMatchingGrantError no_matching_grant = 3;
    PolicyViolationsError policy_violations = 4;
  }
 }
 // --- UserAgent grant management ---
 message EvmGrantCreateRequest {
  SharedSettings shared = 1;
  SpecificGrant specific = 2;
 }
 message EvmGrantCreateResponse {
  oneof result {
    int32 grant_id = 1;
    EvmError error = 2;
  }
 }
 message EvmGrantDeleteRequest {
  int32 grant_id = 1;
 }
 message EvmGrantDeleteResponse {
  oneof result {
    google.protobuf.Empty ok = 1;
    EvmError error = 2;
  }
 }
 // Basic grant info returned in grant listings
 message GrantEntry {
  int32 id = 1;
  int32 wallet_access_id = 2;
  SharedSettings shared = 3;
  SpecificGrant specific = 4;
 }
 message EvmGrantListRequest {
  optional int32 wallet_access_id = 1;
 }
 message EvmGrantListResponse {
  oneof result {
    EvmGrantList grants = 1;
    EvmError error = 2;
  }
 }
 message EvmGrantList {
  repeated GrantEntry grants = 1;
 }
 // --- Client transaction operations ---
 message EvmSignTransactionRequest {
  bytes wallet_address = 1; // 20-byte Ethereum address
  bytes rlp_transaction = 2; // RLP-encoded EIP-1559 transaction (unsigned)
 }
 // oneof because signing and evaluation happen atomically — a signing failure
 // is always either an eval error or an internal error, never a partial success
 message EvmSignTransactionResponse {
  oneof result {
    bytes signature = 1; // 65-byte signature: r[32] || s[32] || v[1]
    TransactionEvalError eval_error = 2;
    EvmError error = 3;
  }
 }
 message EvmAnalyzeTransactionRequest {
  bytes wallet_address = 1; // 20-byte Ethereum address
  bytes rlp_transaction = 2; // RLP-encoded EIP-1559 transaction
 }
 message EvmAnalyzeTransactionResponse {
  oneof result {
    SpecificMeaning meaning = 1;
    TransactionEvalError eval_error = 2;
    EvmError error = 3;
  }
 }
--- a/protobufs/google/protobuf/timestamp.proto
+++ b/protobufs/google/protobuf/timestamp.proto
@@ -0,0 +1,46 @@
 // Protocol Buffers - Google's data interchange format
 // Copyright 2008 Google Inc.  All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 // copyright notice, this list of conditions and the following disclaimer
 // in the documentation and/or other materials provided with the
 // distribution.
 //     * Neither the name of Google Inc. nor the names of its
 // contributors may be used to endorse or promote products derived from
 // this software without specific prior written permission.
 syntax = "proto3";
 package google.protobuf;
 option csharp_namespace = "Google.Protobuf.WellKnownTypes";
 option cc_enable_arenas = true;
 option go_package = "google.golang.org/protobuf/types/known/timestamppb";
 option java_package = "com.google.protobuf";
 option java_outer_classname = "TimestampProto";
 option java_multiple_files = true;
 option objc_class_prefix = "GPB";
 // A Timestamp represents a point in time independent of any time zone or local
 // calendar, encoded as a count of seconds and fractions of seconds at
 // nanosecond resolution. The count is relative to an epoch at UTC midnight on
 // January 1, 1970, in the proleptic Gregorian calendar which extends the
 // Gregorian calendar backwards to year one.
 message Timestamp {
  // Represents seconds of UTC time since Unix epoch
  // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
  // 9999-12-31T23:59:59Z inclusive.
  int64 seconds = 1;
  // Non-negative fractions of a second at nanosecond resolution. Negative
  // second values with fractions must still have non-negative nanos values
  // that count forward in time. Must be from 0 to 999,999,999
  // inclusive.
  int32 nanos = 2;
 }
--- a/protobufs/unseal.proto
+++ b/protobufs/unseal.proto
@@ -0,0 +1,14 @@
 syntax = "proto3";
 package arbiter.unseal;
 message UserAgentKeyRequest {}
 message ServerKeyResponse {
  bytes pubkey = 1;
 }
 message UserAgentSealedKey {
  bytes sealed_key = 1;
  bytes pubkey = 2;
  bytes nonce = 3;
 }
--- a/protobufs/user_agent.proto
+++ b/protobufs/user_agent.proto
@@ -1,194 +0,0 @@
 syntax = "proto3";
 package arbiter.user_agent;
 import "client.proto";
 import "evm.proto";
 import "google/protobuf/empty.proto";
 enum KeyType {
  KEY_TYPE_UNSPECIFIED = 0;
  KEY_TYPE_ED25519 = 1;
  KEY_TYPE_ECDSA_SECP256K1 = 2;
  KEY_TYPE_RSA = 3;
 }
 // --- SDK client management ---
 enum SdkClientError {
  SDK_CLIENT_ERROR_UNSPECIFIED = 0;
  SDK_CLIENT_ERROR_ALREADY_EXISTS = 1;
  SDK_CLIENT_ERROR_NOT_FOUND = 2;
  SDK_CLIENT_ERROR_HAS_RELATED_DATA = 3; // hard-delete blocked by FK (client has grants or transaction logs)
  SDK_CLIENT_ERROR_INTERNAL = 4;
 }
 message SdkClientRevokeRequest {
  int32 client_id = 1;
 }
 message SdkClientEntry {
  int32 id = 1;
  bytes pubkey = 2;
  arbiter.client.ClientInfo info = 3;
  int32 created_at = 4;
 }
 message SdkClientList {
  repeated SdkClientEntry clients = 1;
 }
 message SdkClientRevokeResponse {
  oneof result {
    google.protobuf.Empty ok = 1;
    SdkClientError error = 2;
  }
 }
 message SdkClientListResponse {
  oneof result {
    SdkClientList clients = 1;
    SdkClientError error = 2;
  }
 }
 message AuthChallengeRequest {
  bytes pubkey = 1;
  optional string bootstrap_token = 2;
  KeyType key_type = 3;
 }
 message AuthChallenge {
  int32 nonce = 2;
  reserved 1;
 }
 message AuthChallengeSolution {
  bytes signature = 1;
 }
 enum AuthResult {
  AUTH_RESULT_UNSPECIFIED = 0;
  AUTH_RESULT_SUCCESS = 1;
  AUTH_RESULT_INVALID_KEY = 2;
  AUTH_RESULT_INVALID_SIGNATURE = 3;
  AUTH_RESULT_BOOTSTRAP_REQUIRED = 4;
  AUTH_RESULT_TOKEN_INVALID = 5;
  AUTH_RESULT_INTERNAL = 6;
 }
 message UnsealStart {
  bytes client_pubkey = 1;
 }
 message UnsealStartResponse {
  bytes server_pubkey = 1;
 }
 message UnsealEncryptedKey {
  bytes nonce = 1;
  bytes ciphertext = 2;
  bytes associated_data = 3;
 }
 message BootstrapEncryptedKey {
  bytes nonce = 1;
  bytes ciphertext = 2;
  bytes associated_data = 3;
 }
 enum UnsealResult {
  UNSEAL_RESULT_UNSPECIFIED = 0;
  UNSEAL_RESULT_SUCCESS = 1;
  UNSEAL_RESULT_INVALID_KEY = 2;
  UNSEAL_RESULT_UNBOOTSTRAPPED = 3;
 }
 enum BootstrapResult {
  BOOTSTRAP_RESULT_UNSPECIFIED = 0;
  BOOTSTRAP_RESULT_SUCCESS = 1;
  BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED = 2;
  BOOTSTRAP_RESULT_INVALID_KEY = 3;
 }
 enum VaultState {
  VAULT_STATE_UNSPECIFIED = 0;
  VAULT_STATE_UNBOOTSTRAPPED = 1;
  VAULT_STATE_SEALED = 2;
  VAULT_STATE_UNSEALED = 3;
  VAULT_STATE_ERROR = 4;
 }
 message SdkClientConnectionRequest {
  bytes pubkey = 1;
  arbiter.client.ClientInfo info = 2;
 }
 message SdkClientConnectionResponse {
  bool approved = 1;
  bytes pubkey = 2;
 }
 message SdkClientConnectionCancel {
  bytes pubkey = 1;
 }
 message SdkClientWalletAccess {
  int32 client_id = 1;
  int32 wallet_id = 2;
 }
 message SdkClientGrantWalletAccess {
  repeated SdkClientWalletAccess accesses = 1;
 }
 message SdkClientRevokeWalletAccess {
  repeated SdkClientWalletAccess accesses = 1;
 }
 message ListWalletAccessResponse {
  repeated SdkClientWalletAccess accesses = 1;
 }
 message UserAgentRequest {
  int32 id = 16;
  oneof payload {
    AuthChallengeRequest auth_challenge_request = 1;
    AuthChallengeSolution auth_challenge_solution = 2;
    UnsealStart unseal_start = 3;
    UnsealEncryptedKey unseal_encrypted_key = 4;
    google.protobuf.Empty query_vault_state = 5;
    google.protobuf.Empty evm_wallet_create = 6;
    google.protobuf.Empty evm_wallet_list = 7;
    arbiter.evm.EvmGrantCreateRequest evm_grant_create = 8;
    arbiter.evm.EvmGrantDeleteRequest evm_grant_delete = 9;
    arbiter.evm.EvmGrantListRequest evm_grant_list = 10;
    SdkClientConnectionResponse sdk_client_connection_response = 11;
    SdkClientRevokeRequest sdk_client_revoke = 12;
    google.protobuf.Empty sdk_client_list = 13;
    BootstrapEncryptedKey bootstrap_encrypted_key = 14;
    SdkClientGrantWalletAccess grant_wallet_access = 15;
    SdkClientRevokeWalletAccess revoke_wallet_access = 17;
    google.protobuf.Empty list_wallet_access = 18;
  }
 }
 message UserAgentResponse {
  optional int32 id = 16;
  oneof payload {
    AuthChallenge auth_challenge = 1;
    AuthResult auth_result = 2;
    UnsealStartResponse unseal_start_response = 3;
    UnsealResult unseal_result = 4;
    VaultState vault_state = 5;
    arbiter.evm.WalletCreateResponse evm_wallet_create = 6;
    arbiter.evm.WalletListResponse evm_wallet_list = 7;
    arbiter.evm.EvmGrantCreateResponse evm_grant_create = 8;
    arbiter.evm.EvmGrantDeleteResponse evm_grant_delete = 9;
    arbiter.evm.EvmGrantListResponse evm_grant_list = 10;
    SdkClientConnectionRequest sdk_client_connection_request = 11;
    SdkClientConnectionCancel sdk_client_connection_cancel = 12;
    SdkClientRevokeResponse sdk_client_revoke_response = 13;
    SdkClientListResponse sdk_client_list_response = 14;
    BootstrapResult bootstrap_result = 15;
    ListWalletAccessResponse list_wallet_access_response = 17;
  }
 }
--- a/scripts/gen_erc20_registry.py
+++ b/scripts/gen_erc20_registry.py
@@ -1,150 +0,0 @@
 #!/usr/bin/env python3
 """
 Fetch the Uniswap default token list and emit Rust `TokenInfo` statics.
 Usage:
    python3 gen_erc20_registry.py                       # fetch from IPFS
    python3 gen_erc20_registry.py tokens.json           # local file
    python3 gen_erc20_registry.py tokens.json out.rs    # custom output file
 """
 import json
 import re
 import sys
 import unicodedata
 import urllib.request
 UNISWAP_URL = "https://ipfs.io/ipns/tokens.uniswap.org"
 SOLANA_CHAIN_ID = 501000101
 IDENTIFIER_RE = re.compile(r"[^A-Za-z0-9]+")
 def load_tokens(source=None):
    if source:
        with open(source) as f:
            return json.load(f)
    req = urllib.request.Request(
        UNISWAP_URL,
        headers={"Accept": "application/json", "User-Agent": "gen_tokens/1.0"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())
 def escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')
 def to_screaming_case(name: str) -> str:
    normalized = unicodedata.normalize("NFKD", name or "")
    ascii_name = normalized.encode("ascii", "ignore").decode("ascii")
    snake = IDENTIFIER_RE.sub("_", ascii_name).strip("_").upper()
    if not snake:
        snake = "TOKEN"
    if snake[0].isdigit():
        snake = f"TOKEN_{snake}"
    return snake
 def static_name_for_token(token: dict, used_names: set[str]) -> str:
    base = to_screaming_case(token.get("name", ""))
    if base not in used_names:
        used_names.add(base)
        return base
    address = token["address"]
    suffix = f"{token['chainId']}_{address[2:].upper()[-8:]}"
    candidate = f"{base}_{suffix}"
    i = 2
    while candidate in used_names:
        candidate = f"{base}_{suffix}_{i}"
        i += 1
    used_names.add(candidate)
    return candidate
 def main():
    source = sys.argv[1] if len(sys.argv) > 1 else None
    output = sys.argv[2] if len(sys.argv) > 2 else "generated_tokens.rs"
    data = load_tokens(source)
    tokens = data["tokens"]
    # Deduplicate by (chainId, address)
    seen = set()
    unique = []
    for t in tokens:
        key = (t["chainId"], t["address"].lower())
        if key not in seen:
            seen.add(key)
            unique.append(t)
    unique.sort(key=lambda t: (t["chainId"], t.get("symbol", "").upper()))
    evm_tokens = [t for t in unique if t["chainId"] != SOLANA_CHAIN_ID]
    ver = data["version"]
    lines = []
    w = lines.append
    w(
        f"// Auto-generated from Uniswap token list v{ver['major']}.{ver['minor']}.{ver['patch']}"
    )
    w(f"// {len(evm_tokens)} tokens")
    w("// DO NOT EDIT - regenerate with gen_erc20_registry.py")
    w("")
    used_static_names = set()
    token_statics = []
    for t in evm_tokens:
        static_name = static_name_for_token(t, used_static_names)
        token_statics.append((static_name, t))
    for static_name, t in token_statics:
        addr = t["address"]
        name = escape(t.get("name", ""))
        symbol = escape(t.get("symbol", ""))
        decimals = t.get("decimals", 18)
        logo = t.get("logoURI")
        chain = t["chainId"]
        logo_val = f'Some("{escape(logo)}")' if logo else "None"
        w(f"pub static {static_name}: TokenInfo = TokenInfo {{")
        w(f'    name: "{name}",')
        w(f'    symbol: "{symbol}",')
        w(f"    decimals: {decimals},")
        w(f'    contract: address!("{addr}"),')
        w(f"    chain: {chain},")
        w(f"    logo_uri: {logo_val},")
        w("};")
        w("")
    w("pub static TOKENS: &[&TokenInfo] = &[")
    for static_name, _ in token_statics:
        w(f"    &{static_name},")
    w("];")
    w("")
    w("pub fn get_token(")
    w("    chain_id: alloy::primitives::ChainId,")
    w("    address: alloy::primitives::Address,")
    w(") -> Option<&'static TokenInfo> {")
    w("    match (chain_id, address) {")
    for static_name, t in token_statics:
        w(
            f'        ({t["chainId"]}, addr) if addr == address!("{t["address"]}") => Some(&{static_name}),'
        )
    w("        _ => None,")
    w("    }")
    w("}")
    w("")
    with open(output, "w") as f:
        f.write("\n".join(lines))
    print(f"Wrote {len(token_statics)} tokens to {output}")
 if __name__ == "__main__":
    main()
--- a/server/.cargo/audit.toml
+++ b/server/.cargo/audit.toml
@@ -1,13 +0,0 @@
 [advisories]
 # RUSTSEC-2023-0071: Marvin Attack timing side-channel in rsa crate.
 # No fixed version is available upstream.
 # RSA support is required for Windows Hello / KeyCredentialManager
 # (https://learn.microsoft.com/en-us/uwp/api/windows.security.credentials.keycredentialmanager.requestcreateasync),
 # which only issues RSA-2048 keys.
 # Mitigations in place:
 #   - Signing uses BlindedSigningKey (PSS+SHA-256), which applies blinding to
 #     protect the private key from timing recovery during signing.
 #   - RSA decryption is never performed; we only verify public-key signatures.
 #   - The attack requires local, high-resolution timing access against the
 #     signing process, which is not exposed in our threat model.
 ignore = ["RUSTSEC-2023-0071"]
--- a/server/Cargo.lock
+++ b/server/Cargo.lock
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -1,45 +1,26 @@
 [workspace]
 members = [
-    "crates/*",
+    "crates/arbiter-client",
    "crates/arbiter-proto",
    "crates/arbiter-server",
    "crates/arbiter-useragent",
 ]
 resolver = "3"
 [workspace.lints.clippy]
 disallowed-methods = "deny"
 [workspace.dependencies]
-tonic = { version = "0.14.5", features = [
+tonic = { version = "0.14.3", features = ["deflate", "gzip", "tls-connect-info", "zstd"] }
    "deflate",
    "gzip",
    "tls-connect-info",
    "zstd",
 ] }
 tracing = "0.1.44"
-tokio = { version = "1.50.0", features = ["full"] }
+tokio = { version = "1.49.0", features = ["full"] }
 ed25519-dalek = { version = "3.0.0-pre.6", features = ["rand_core"] }
-chrono = { version = "0.4.44", features = ["serde"] }
+chrono = { version = "0.4.43", features = ["serde"] }
 rand = "0.10.0"
-rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
+rustls = "0.23.36"
 smlang = "0.8.0"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
 thiserror = "2.0.18"
 async-trait = "0.1.89"
-futures = "0.3.32"
+futures = "0.3.31"
 tokio-stream = { version = "0.1.18", features = ["full"] }
 kameo = "0.19.2"
 prost-types = { version = "0.14.3", features = ["chrono"] }
 x25519-dalek = { version = "2.0.1", features = ["getrandom"] }
 rstest = "0.26.1"
 rustls-pki-types = "1.14.0"
 alloy = "1.7.3"
 rcgen = { version = "0.14.7", features = [
    "aws_lc_rs",
    "pem",
    "x509-parser",
    "zeroize",
 ], default-features = false }
 k256 = { version = "0.13.4", features = ["ecdsa", "pkcs8"] }
 rsa = { version = "0.9", features = ["sha2"] }
 sha2 = "0.10"
 spki = "0.7"
--- a/server/clippy.toml
+++ b/server/clippy.toml
@@ -1,9 +0,0 @@
 disallowed-methods = [
    # RSA decryption is forbidden: the rsa crate has RUSTSEC-2023-0071 (Marvin Attack).
    # We only use RSA for Windows Hello (KeyCredentialManager) public-key verification — decryption
    # is never required and must not be introduced.
    { path = "rsa::RsaPrivateKey::decrypt", reason = "RSA decryption is forbidden (RUSTSEC-2023-0071 Marvin Attack). Only PSS signing/verification is permitted." },
    { path = "rsa::RsaPrivateKey::decrypt_blinded", reason = "RSA decryption is forbidden (RUSTSEC-2023-0071 Marvin Attack). Only PSS signing/verification is permitted." },
    { path = "rsa::traits::Decryptor::decrypt", reason = "RSA decryption is forbidden (RUSTSEC-2023-0071 Marvin Attack). This blocks decrypt() on rsa::{pkcs1v15,oaep}::DecryptingKey." },
    { path = "rsa::traits::RandomizedDecryptor::decrypt_with_rng", reason = "RSA decryption is forbidden (RUSTSEC-2023-0071 Marvin Attack). This blocks decrypt_with_rng() on rsa::{pkcs1v15,oaep}::DecryptingKey." },
 ]
--- a/server/crates/arbiter-client/Cargo.toml
+++ b/server/crates/arbiter-client/Cargo.toml
@@ -3,24 +3,5 @@ name = "arbiter-client"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
 license = "Apache-2.0"
 [lints]
 workspace = true
 [features]
 evm = ["dep:alloy"]
 [dependencies]
 arbiter-proto.path = "../arbiter-proto"
 alloy = { workspace = true, optional = true }
 tonic.workspace = true
 tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 tokio-stream.workspace = true
 ed25519-dalek.workspace = true
 thiserror.workspace = true
 http = "1.4.0"
 rustls-webpki = { version = "0.103.10", features = ["aws-lc-rs"] }
 async-trait.workspace = true
 rand.workspace = true
--- a/server/crates/arbiter-client/src/auth.rs
+++ b/server/crates/arbiter-client/src/auth.rs
@@ -1,135 +0,0 @@
 use arbiter_proto::{
    ClientMetadata, format_challenge,
    proto::client::{
        AuthChallengeRequest, AuthChallengeSolution, AuthResult, ClientInfo as ProtoClientInfo,
        ClientRequest, client_request::Payload as ClientRequestPayload,
        client_response::Payload as ClientResponsePayload,
    },
 };
 use ed25519_dalek::Signer as _;
 use crate::{
    storage::StorageError,
    transport::{ClientTransport, next_request_id},
 };
 #[derive(Debug, thiserror::Error)]
 pub enum AuthError {
    #[error("Auth challenge was not returned by server")]
    MissingAuthChallenge,
    #[error("Client approval denied by User Agent")]
    ApprovalDenied,
    #[error("No User Agents online to approve client")]
    NoUserAgentsOnline,
    #[error("Unexpected auth response payload")]
    UnexpectedAuthResponse,
    #[error("Signing key storage error")]
    Storage(#[from] StorageError),
 }
 fn map_auth_result(code: i32) -> AuthError {
    match AuthResult::try_from(code).unwrap_or(AuthResult::Unspecified) {
        AuthResult::ApprovalDenied => AuthError::ApprovalDenied,
        AuthResult::NoUserAgentsOnline => AuthError::NoUserAgentsOnline,
        AuthResult::Unspecified
        | AuthResult::Success
        | AuthResult::InvalidKey
        | AuthResult::InvalidSignature
        | AuthResult::Internal => AuthError::UnexpectedAuthResponse,
    }
 }
 async fn send_auth_challenge_request(
    transport: &mut ClientTransport,
    metadata: ClientMetadata,
    key: &ed25519_dalek::SigningKey,
 ) -> std::result::Result<(), AuthError> {
    transport
        .send(ClientRequest {
            request_id: next_request_id(),
            payload: Some(ClientRequestPayload::AuthChallengeRequest(
                AuthChallengeRequest {
                    pubkey: key.verifying_key().to_bytes().to_vec(),
                    client_info: Some(ProtoClientInfo {
                        name: metadata.name,
                        description: metadata.description,
                        version: metadata.version,
                    }),
                },
            )),
        })
        .await
        .map_err(|_| AuthError::UnexpectedAuthResponse)
 }
 async fn receive_auth_challenge(
    transport: &mut ClientTransport,
 ) -> std::result::Result<arbiter_proto::proto::client::AuthChallenge, AuthError> {
    let response = transport
        .recv()
        .await
        .map_err(|_| AuthError::MissingAuthChallenge)?;
    let payload = response.payload.ok_or(AuthError::MissingAuthChallenge)?;
    match payload {
        ClientResponsePayload::AuthChallenge(challenge) => Ok(challenge),
        ClientResponsePayload::AuthResult(result) => Err(map_auth_result(result)),
        _ => Err(AuthError::UnexpectedAuthResponse),
    }
 }
 async fn send_auth_challenge_solution(
    transport: &mut ClientTransport,
    key: &ed25519_dalek::SigningKey,
    challenge: arbiter_proto::proto::client::AuthChallenge,
 ) -> std::result::Result<(), AuthError> {
    let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
    let signature = key.sign(&challenge_payload).to_bytes().to_vec();
    transport
        .send(ClientRequest {
            request_id: next_request_id(),
            payload: Some(ClientRequestPayload::AuthChallengeSolution(
                AuthChallengeSolution { signature },
            )),
        })
        .await
        .map_err(|_| AuthError::UnexpectedAuthResponse)
 }
 async fn receive_auth_confirmation(
    transport: &mut ClientTransport,
 ) -> std::result::Result<(), AuthError> {
    let response = transport
        .recv()
        .await
        .map_err(|_| AuthError::UnexpectedAuthResponse)?;
    let payload = response
        .payload
        .ok_or(AuthError::UnexpectedAuthResponse)?;
    match payload {
        ClientResponsePayload::AuthResult(result)
            if AuthResult::try_from(result).ok() == Some(AuthResult::Success) =>
        {
            Ok(())
        }
        ClientResponsePayload::AuthResult(result) => Err(map_auth_result(result)),
        _ => Err(AuthError::UnexpectedAuthResponse),
    }
 }
 pub(crate) async fn authenticate(
    transport: &mut ClientTransport,
    metadata: ClientMetadata,
    key: &ed25519_dalek::SigningKey,
 ) -> std::result::Result<(), AuthError> {
    send_auth_challenge_request(transport, metadata, key).await?;
    let challenge = receive_auth_challenge(transport).await?;
    send_auth_challenge_solution(transport, key, challenge).await?;
    receive_auth_confirmation(transport).await
 }
--- a/server/crates/arbiter-client/src/bin/test_connect.rs
+++ b/server/crates/arbiter-client/src/bin/test_connect.rs
@@ -1,48 +0,0 @@
 use std::io::{self, Write};
 use arbiter_client::ArbiterClient;
 use arbiter_proto::{ClientMetadata, url::ArbiterUrl};
 use tonic::ConnectError;
 #[tokio::main]
 async fn main() {
    println!("Testing connection to Arbiter server...");
    print!("Enter ArbiterUrl: ");
    let _ = io::stdout().flush();
    let mut input = String::new();
    if let Err(err) = io::stdin().read_line(&mut input) {
        eprintln!("Failed to read input: {err}");
        return;
    }
    let input = input.trim();
    if input.is_empty() {
        eprintln!("ArbiterUrl cannot be empty");
        return;
    }
    let url = match ArbiterUrl::try_from(input) {
        Ok(url) => url,
        Err(err) => {
            eprintln!("Invalid ArbiterUrl: {err}");
            return;
        }
    };
     println!("{:#?}", url);
    let metadata = ClientMetadata {
        name: "arbiter-client test_connect".to_string(),
        description: Some("Manual connection smoke test".to_string()),
        version: Some(env!("CARGO_PKG_VERSION").to_string()),
    };
    match ArbiterClient::connect(url, metadata).await {
        Ok(_) => println!("Connected and authenticated successfully."),
        Err(err) => eprintln!("Failed to connect: {:#?}", err),
    }
 }
--- a/server/crates/arbiter-client/src/client.rs
+++ b/server/crates/arbiter-client/src/client.rs
@@ -1,89 +0,0 @@
 use arbiter_proto::{ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl};
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::transport::ClientTlsConfig;
 use crate::{
    StorageError, auth::{AuthError, authenticate}, storage::{FileSigningKeyStorage, SigningKeyStorage}, transport::{BUFFER_LENGTH, ClientTransport}
 };
 #[cfg(feature = "evm")]
 use crate::wallets::evm::ArbiterEvmWallet;
 #[derive(Debug, thiserror::Error)]
 pub enum Error {
    #[error("gRPC error")]
    Grpc(#[from] tonic::Status),
    #[error("Could not establish connection")]
    Connection(#[from] tonic::transport::Error),
    #[error("Invalid server URI")]
    InvalidUri(#[from] http::uri::InvalidUri),
    #[error("Invalid CA certificate")]
    InvalidCaCert(#[from] webpki::Error),
    #[error("Authentication error")]
    Authentication(#[from] AuthError),
    #[error("Storage error")]
    Storage(#[from] StorageError),
 }
 pub struct ArbiterClient {
    #[allow(dead_code)]
    transport: Arc<Mutex<ClientTransport>>,
 }
 impl ArbiterClient {
    pub async fn connect(url: ArbiterUrl, metadata: ClientMetadata) -> Result<Self, Error> {
        let storage = FileSigningKeyStorage::from_default_location()?;
        Self::connect_with_storage(url, metadata, &storage).await
    }
    pub async fn connect_with_storage<S: SigningKeyStorage>(
        url: ArbiterUrl,
        metadata: ClientMetadata,
        storage: &S,
    ) -> Result<Self, Error> {
        let key = storage.load_or_create()?;
        Self::connect_with_key(url, metadata, key).await
    }
    pub async fn connect_with_key(
        url: ArbiterUrl,
        metadata: ClientMetadata,
        key: ed25519_dalek::SigningKey,
    ) -> Result<Self, Error> {
        let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
        let tls = ClientTlsConfig::new().trust_anchor(anchor);
        let channel = tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
            .tls_config(tls)?
            .connect()
            .await?;
        let mut client = ArbiterServiceClient::new(channel);
        let (tx, rx) = mpsc::channel(BUFFER_LENGTH);
        let response_stream = client.client(ReceiverStream::new(rx)).await?.into_inner();
        let mut transport = ClientTransport {
            sender: tx,
            receiver: response_stream,
        };
        authenticate(&mut transport, metadata, &key).await?;
        Ok(Self {
            transport: Arc::new(Mutex::new(transport)),
        })
    }
    #[cfg(feature = "evm")]
    pub async fn evm_wallets(&self) -> Result<Vec<ArbiterEvmWallet>, Error> {
        todo!("fetch EVM wallet list from server")
    }
 }
--- a/server/crates/arbiter-client/src/lib.rs
+++ b/server/crates/arbiter-client/src/lib.rs
@@ -1,12 +1,14 @@
-mod auth;
+pub fn add(left: u64, right: u64) -> u64 {
-mod client;
+    left + right
-mod storage;
+}
 mod transport;
 pub mod wallets;
-pub use auth::AuthError;
+#[cfg(test)]
-pub use client::{ArbiterClient, Error};
+mod tests {
-pub use storage::{FileSigningKeyStorage, SigningKeyStorage, StorageError};
+    use super::*;
-#[cfg(feature = "evm")]
+    #[test]
-pub use wallets::evm::ArbiterEvmWallet;
+    fn it_works() {
        let result = add(2, 2);
        assert_eq!(result, 4);
    }
 }
--- a/server/crates/arbiter-client/src/storage.rs
+++ b/server/crates/arbiter-client/src/storage.rs
@@ -1,132 +0,0 @@
 use arbiter_proto::home_path;
 use std::path::{Path, PathBuf};
 #[derive(Debug, thiserror::Error)]
 pub enum StorageError {
    #[error("I/O error")]
    Io(#[from] std::io::Error),
    #[error("Invalid signing key length in storage: expected {expected} bytes, got {actual} bytes")]
    InvalidKeyLength { expected: usize, actual: usize },
 }
 pub trait SigningKeyStorage {
    fn load_or_create(&self) -> std::result::Result<ed25519_dalek::SigningKey, StorageError>;
 }
 #[derive(Debug, Clone)]
 pub struct FileSigningKeyStorage {
    path: PathBuf,
 }
 impl FileSigningKeyStorage {
    pub const DEFAULT_FILE_NAME: &str = "sdk_client_ed25519.key";
    pub fn new(path: impl Into<PathBuf>) -> Self {
        Self { path: path.into() }
    }
    pub fn from_default_location() -> std::result::Result<Self, StorageError> {
        Ok(Self::new(home_path()?.join(Self::DEFAULT_FILE_NAME)))
    }
    fn read_key(path: &Path) -> std::result::Result<ed25519_dalek::SigningKey, StorageError> {
        let bytes = std::fs::read(path)?;
        let raw: [u8; 32] =
            bytes
                .try_into()
                .map_err(|v: Vec<u8>| StorageError::InvalidKeyLength {
                    expected: 32,
                    actual: v.len(),
                })?;
        Ok(ed25519_dalek::SigningKey::from_bytes(&raw))
    }
 }
 impl SigningKeyStorage for FileSigningKeyStorage {
    fn load_or_create(&self) -> std::result::Result<ed25519_dalek::SigningKey, StorageError> {
        if let Some(parent) = self.path.parent() {
            std::fs::create_dir_all(parent)?;
        }
        if self.path.exists() {
            return Self::read_key(&self.path);
        }
        let key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
        let raw_key = key.to_bytes();
        // Use create_new to prevent accidental overwrite if another process creates the key first.
        match std::fs::OpenOptions::new()
            .create_new(true)
            .write(true)
            .open(&self.path)
        {
            Ok(mut file) => {
                use std::io::Write as _;
                file.write_all(&raw_key)?;
                Ok(key)
            }
            Err(err) if err.kind() == std::io::ErrorKind::AlreadyExists => {
                Self::read_key(&self.path)
            }
            Err(err) => Err(StorageError::Io(err)),
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use super::{FileSigningKeyStorage, SigningKeyStorage, StorageError};
    fn unique_temp_key_path() -> std::path::PathBuf {
        let nanos = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .expect("clock should be after unix epoch")
            .as_nanos();
        std::env::temp_dir().join(format!(
            "arbiter-client-key-{}-{}.bin",
            std::process::id(),
            nanos
        ))
    }
    #[test]
    fn file_storage_creates_and_reuses_key() {
        let path = unique_temp_key_path();
        let storage = FileSigningKeyStorage::new(path.clone());
        let key_a = storage
            .load_or_create()
            .expect("first load_or_create should create key");
        let key_b = storage
            .load_or_create()
            .expect("second load_or_create should read same key");
        assert_eq!(key_a.to_bytes(), key_b.to_bytes());
        assert!(path.exists());
        std::fs::remove_file(path).expect("temp key file should be removable");
    }
    #[test]
    fn file_storage_rejects_invalid_key_length() {
        let path = unique_temp_key_path();
        std::fs::write(&path, [42u8; 31]).expect("should write invalid key file");
        let storage = FileSigningKeyStorage::new(path.clone());
        let err = storage
            .load_or_create()
            .expect_err("storage should reject non-32-byte key file");
        match err {
            StorageError::InvalidKeyLength { expected, actual } => {
                assert_eq!(expected, 32);
                assert_eq!(actual, 31);
            }
            other => panic!("unexpected error: {other:?}"),
        }
        std::fs::remove_file(path).expect("temp key file should be removable");
    }
 }
--- a/server/crates/arbiter-client/src/transport.rs
+++ b/server/crates/arbiter-client/src/transport.rs
@@ -1,48 +0,0 @@
 use arbiter_proto::proto::{
    client::{ClientRequest, ClientResponse},
 };
 use std::sync::atomic::{AtomicI32, Ordering};
 use tokio::sync::mpsc;
 pub(crate) const BUFFER_LENGTH: usize = 16;
 static NEXT_REQUEST_ID: AtomicI32 = AtomicI32::new(1);
 pub(crate) fn next_request_id() -> i32 {
    NEXT_REQUEST_ID.fetch_add(1, Ordering::Relaxed)
 }
 #[derive(Debug, thiserror::Error)]
 pub(crate) enum ClientSignError {
    #[error("Transport channel closed")]
    ChannelClosed,
    #[error("Connection closed by server")]
    ConnectionClosed,
 }
 pub(crate) struct ClientTransport {
    pub(crate) sender: mpsc::Sender<ClientRequest>,
    pub(crate) receiver: tonic::Streaming<ClientResponse>,
 }
 impl ClientTransport {
    pub(crate) async fn send(
        &mut self,
        request: ClientRequest,
    ) -> std::result::Result<(), ClientSignError> {
        self.sender
            .send(request)
            .await
            .map_err(|_| ClientSignError::ChannelClosed)
    }
    pub(crate) async fn recv(
        &mut self,
    ) -> std::result::Result<ClientResponse, ClientSignError> {
        match self.receiver.message().await {
            Ok(Some(resp)) => Ok(resp),
            Ok(None) => Err(ClientSignError::ConnectionClosed),
            Err(_) => Err(ClientSignError::ConnectionClosed),
        }
    }
 }
--- a/server/crates/arbiter-client/src/wallets/evm.rs
+++ b/server/crates/arbiter-client/src/wallets/evm.rs
@@ -1,89 +0,0 @@
 use alloy::{
    consensus::SignableTransaction,
    network::TxSigner,
    primitives::{Address, B256, ChainId, Signature},
    signers::{Error, Result, Signer},
 };
 use async_trait::async_trait;
 use std::sync::Arc;
 use tokio::sync::Mutex;
 use crate::transport::ClientTransport;
 pub struct ArbiterEvmWallet {
    transport: Arc<Mutex<ClientTransport>>,
    address: Address,
    chain_id: Option<ChainId>,
 }
 impl ArbiterEvmWallet {
    pub(crate) fn new(transport: Arc<Mutex<ClientTransport>>, address: Address) -> Self {
        Self {
            transport,
            address,
            chain_id: None,
        }
    }
    pub fn address(&self) -> Address {
        self.address
    }
    pub fn with_chain_id(mut self, chain_id: ChainId) -> Self {
        self.chain_id = Some(chain_id);
        self
    }
    fn validate_chain_id(&self, tx: &mut dyn SignableTransaction<Signature>) -> Result<()> {
        if let Some(chain_id) = self.chain_id
            && !tx.set_chain_id_checked(chain_id)
        {
            return Err(Error::TransactionChainIdMismatch {
                signer: chain_id,
                tx: tx.chain_id().unwrap(),
            });
        }
        Ok(())
    }
 }
 #[async_trait]
 impl Signer for ArbiterEvmWallet {
    async fn sign_hash(&self, _hash: &B256) -> Result<Signature> {
        Err(Error::other(
            "hash-only signing is not supported for ArbiterEvmWallet; use transaction signing",
        ))
    }
    fn address(&self) -> Address {
        self.address
    }
    fn chain_id(&self) -> Option<ChainId> {
        self.chain_id
    }
    fn set_chain_id(&mut self, chain_id: Option<ChainId>) {
        self.chain_id = chain_id;
    }
 }
 #[async_trait]
 impl TxSigner<Signature> for ArbiterEvmWallet {
    fn address(&self) -> Address {
        self.address
    }
    async fn sign_transaction(
        &self,
        tx: &mut dyn SignableTransaction<Signature>,
    ) -> Result<Signature> {
        let _transport = self.transport.lock().await;
        self.validate_chain_id(tx)?;
        Err(Error::other(
            "transaction signing is not supported by current arbiter.client protocol",
        ))
    }
 }
--- a/server/crates/arbiter-client/src/wallets/mod.rs
+++ b/server/crates/arbiter-client/src/wallets/mod.rs
@@ -1,2 +0,0 @@
 #[cfg(feature = "evm")]
 pub mod evm;
--- a/server/crates/arbiter-proto/Cargo.toml
+++ b/server/crates/arbiter-proto/Cargo.toml
@@ -3,34 +3,20 @@ name = "arbiter-proto"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
 license = "Apache-2.0"
 [dependencies]
 tonic.workspace = true
 tokio.workspace = true
 futures.workspace = true
 hex = "0.4.3"
-tonic-prost = "0.14.5"
+tonic-prost = "0.14.3"
 prost = "0.14.3"
 kameo.workspace = true
 url = "2.5.8"
 miette.workspace = true
 thiserror.workspace = true
 rustls-pki-types.workspace = true
 base64 = "0.22.1"
 prost-types.workspace = true
 tracing.workspace = true
 async-trait.workspace = true
 tokio-stream.workspace = true
 [build-dependencies]
-tonic-prost-build = "0.14.5"
+prost-build = "0.14.3"
-protoc-bin-vendored = "3"
+serde_json = "1"
 tonic-prost-build = "0.14.3"
 [dev-dependencies]
 rstest.workspace = true
 rand.workspace = true
 rcgen.workspace = true
 [package.metadata.cargo-shear]
 ignored = ["tonic-prost", "prost", "kameo"]
--- a/server/crates/arbiter-proto/build.rs
+++ b/server/crates/arbiter-proto/build.rs
@@ -1,28 +1,15 @@
 use std::path::PathBuf;
 use tonic_prost_build::{Config, configure};
 static PROTOBUF_DIR: &str = "../../../protobufs";
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-    println!("cargo::rerun-if-changed={PROTOBUF_DIR}");
+    let proto_files = vec![
-
+        format!("{}/arbiter.proto", PROTOBUF_DIR),
-    let protoc_path = protoc_bin_vendored::protoc_bin_path()?;
+        format!("{}/auth.proto", PROTOBUF_DIR),
    let protoc_include = protoc_bin_vendored::include_path()?;
    let mut config = Config::new();
    config.protoc_executable(protoc_path);
    let protos = [
        PathBuf::from(format!("{}/arbiter.proto", PROTOBUF_DIR)),
        PathBuf::from(format!("{}/user_agent.proto", PROTOBUF_DIR)),
        PathBuf::from(format!("{}/client.proto", PROTOBUF_DIR)),
        PathBuf::from(format!("{}/evm.proto", PROTOBUF_DIR)),
    ];
-    let includes = [PathBuf::from(PROTOBUF_DIR), protoc_include];
+    // Компилируем protobuf (tonic-prost-build автоматически использует prost_types для google.protobuf)
-
+    tonic_prost_build::configure()
    configure()
        .message_attribute(".", "#[derive(::kameo::Reply)]")
-        .compile_with_config(config, &protos, &includes)?;
+        .compile_protos(&proto_files, &[PROTOBUF_DIR.to_string()])?;
    Ok(())
 }
--- a/server/crates/arbiter-proto/src/lib.rs
+++ b/server/crates/arbiter-proto/src/lib.rs
@@ -1,32 +1,16 @@
-pub mod transport;
+use crate::proto::auth::AuthChallenge;
 pub mod url;
 use base64::{Engine, prelude::BASE64_STANDARD};
 pub mod proto {
    tonic::include_proto!("arbiter");
-    pub mod user_agent {
+    pub mod auth {
-        tonic::include_proto!("arbiter.user_agent");
+        tonic::include_proto!("arbiter.auth");
    }
    pub mod client {
        tonic::include_proto!("arbiter.client");
    }
    pub mod evm {
        tonic::include_proto!("arbiter.evm");
    }
 }
-#[derive(Debug, Clone, PartialEq, Eq)]
+pub mod transport;
 pub struct ClientMetadata {
    pub name: String,
    pub description: Option<String>,
    pub version: Option<String>,
 }
-pub static BOOTSTRAP_PATH: &str = "bootstrap_token";
+pub static BOOTSTRAP_TOKEN_PATH: &str = "bootstrap_token";
 pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
    static ARBITER_HOME: &str = ".arbiter";
@@ -41,7 +25,7 @@ pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
    Ok(arbiter_home)
 }
-pub fn format_challenge(nonce: i32, pubkey: &[u8]) -> Vec<u8> {
+pub fn format_challenge(challenge: &AuthChallenge) -> Vec<u8> {
-    let concat_form = format!("{}:{}", nonce, BASE64_STANDARD.encode(pubkey));
+    let concat_form = format!("{}:{}", challenge.nonce, hex::encode(&challenge.pubkey));
-    concat_form.into_bytes()
+    concat_form.into_bytes().to_vec()
 }
--- a/server/crates/arbiter-proto/src/transport.rs
+++ b/server/crates/arbiter-proto/src/transport.rs
@@ -1,163 +1,46 @@
-//! Transport-facing abstractions shared by protocol/session code.
+use futures::{Stream, StreamExt};
-//!
+use tokio::sync::mpsc::{self, error::SendError};
-//! This module defines a small set of transport traits that actors and other
+use tonic::{Status, Streaming};
 //! protocol code can depend on without knowing anything about the concrete
 //! transport underneath.
 //!
 //! The abstraction is split into:
 //! - [`Sender`] for outbound delivery
 //! - [`Receiver`] for inbound delivery
 //! - [`Bi`] as the combined duplex form (`Sender + Receiver`)
 //!
 //! This split lets code depend only on the half it actually needs. For
 //! example, some actor/session code only sends out-of-band messages, while
 //! auth/state-machine code may need full duplex access.
 //!
 //! [`Bi`] remains intentionally minimal and transport-agnostic:
 //! - [`Receiver::recv`] yields inbound messages
 //! - [`Sender::send`] accepts outbound messages
 //!
 //! Transport-specific adapters, including protobuf or gRPC bridges, live in the
 //! crates that own those boundaries rather than in `arbiter-proto`.
 //!
 //! [`Bi`] deliberately does not model request/response correlation. Some
 //! transports may carry multiplexed request/response traffic, some may emit
 //! out-of-band messages, and some may be one-message-at-a-time state machines.
 //! Correlation concerns such as request IDs, pending response maps, and
 //! out-of-band routing belong in the adapter or connection layer built on top
 //! of [`Bi`], not in this abstraction itself.
 //!
 //! # Generic Ordering Rule
 //!
 //! This module consistently uses `Inbound` first and `Outbound` second in
 //! generic parameter lists.
 //!
 //! For [`Receiver`], [`Sender`], and [`Bi`], this means:
 //! - `Receiver<Inbound>`
 //! - `Sender<Outbound>`
 //! - `Bi<Inbound, Outbound>`
 //!
 //! Concretely, for [`Bi`]:
 //! - `recv() -> Option<Inbound>`
 //! - `send(Outbound)`
 //!
 //! [`expect_message`] is a small helper for linear protocol steps: it reads one
 //! inbound message from a transport and extracts a typed value from it, failing
 //! if the channel closes or the message shape is not what the caller expected.
 //!
 //! [`DummyTransport`] is a no-op implementation useful for tests and local
 //! actor execution where no real stream exists.
 //!
 //! # Design Notes
 //!
 //! - [`Bi::send`] returns [`Error`] only for transport delivery failures, such
 //!   as a closed outbound channel.
 //! - [`Bi::recv`] returns `None` when the underlying transport closes.
 //! - Message translation is intentionally out of scope for this module.
 use std::marker::PhantomData;
-use async_trait::async_trait;
+// Abstraction for stream for sans-io capabilities
-
+pub trait Bi<T, U>: Stream<Item = Result<T, Status>> + Send + Sync + 'static {
-/// Errors returned by transport adapters implementing [`Bi`].
+    type Error;
-#[derive(thiserror::Error, Debug)]
+    fn send(
-pub enum Error {
+        &mut self,
-    #[error("Transport channel is closed")]
+        item: Result<U, Status>,
-    ChannelClosed,
+    ) -> impl std::future::Future<Output = Result<(), Self::Error>> + Send;
    #[error("Unexpected message received")]
    UnexpectedMessage,
 }
-/// Receives one message from `transport` and extracts a value from it using
+// Bi-directional stream abstraction for handling gRPC streaming requests and responses
-/// `extractor`. Returns [`Error::ChannelClosed`] if the transport closes and
+pub struct BiStream<T, U> {
-/// [`Error::UnexpectedMessage`] if `extractor` returns `None`.
+    pub request_stream: Streaming<T>,
-pub async fn expect_message<T, Inbound, Outbound, Target, F>(
+    pub response_sender: mpsc::Sender<Result<U, Status>>,
-    transport: &mut T,
+}
-    extractor: F,
+
-) -> Result<Target, Error>
+impl<T, U> Stream for BiStream<T, U>
 where
-    T: Bi<Inbound, Outbound> + ?Sized,
+    T: Send + 'static,
-    F: FnOnce(Inbound) -> Option<Target>,
+    U: Send + 'static,
 {
-    let msg = transport.recv().await.ok_or(Error::ChannelClosed)?;
+    type Item = Result<T, Status>;
    extractor(msg).ok_or(Error::UnexpectedMessage)
 }
-#[async_trait]
+    fn poll_next(
-pub trait Sender<Outbound>: Send + Sync {
+        mut self: std::pin::Pin<&mut Self>,
-    async fn send(&mut self, item: Outbound) -> Result<(), Error>;
+        cx: &mut std::task::Context<'_>,
-}
+    ) -> std::task::Poll<Option<Self::Item>> {
-
+        self.request_stream.poll_next_unpin(cx)
 #[async_trait]
 pub trait Receiver<Inbound>: Send + Sync {
    async fn recv(&mut self) -> Option<Inbound>;
 }
 /// Minimal bidirectional transport abstraction used by protocol code.
 ///
 /// `Bi<Inbound, Outbound>` is the combined duplex form of [`Sender`] and
 /// [`Receiver`].
 ///
 /// It models a channel with:
 /// - inbound items of type `Inbound` read via [`Bi::recv`]
 /// - outbound items of type `Outbound` written via [`Bi::send`]
 ///
 /// It does not imply request/response sequencing, one-at-a-time exchange, or
 /// any built-in correlation mechanism between inbound and outbound items.
 pub trait Bi<Inbound, Outbound>: Sender<Outbound> + Receiver<Inbound> + Send + Sync {}
 pub trait SplittableBi<Inbound, Outbound>: Bi<Inbound, Outbound> {
    type Sender: Sender<Outbound>;
    type Receiver: Receiver<Inbound>;
    fn split(self) -> (Self::Sender, Self::Receiver);
    fn from_parts(sender: Self::Sender, receiver: Self::Receiver) -> Self;
 }
 /// No-op [`Bi`] transport for tests and manual actor usage.
 ///
 /// `send` drops all items and succeeds. [`Bi::recv`] never resolves and therefore
 /// does not busy-wait or spuriously close the stream.
 pub struct DummyTransport<Inbound, Outbound> {
    _marker: PhantomData<(Inbound, Outbound)>,
 }
 impl<Inbound, Outbound> Default for DummyTransport<Inbound, Outbound> {
    fn default() -> Self {
        Self {
            _marker: PhantomData,
        }
    }
 }
-#[async_trait]
+impl<T, U> Bi<T, U> for BiStream<T, U>
 impl<Inbound, Outbound> Sender<Outbound> for DummyTransport<Inbound, Outbound>
 where
-    Inbound: Send + Sync + 'static,
+    T: Send + 'static,
-    Outbound: Send + Sync + 'static,
+    U: Send + 'static,
 {
-    async fn send(&mut self, _item: Outbound) -> Result<(), Error> {
+    type Error = SendError<Result<U, Status>>;
-        Ok(())
+
    async fn send(&mut self, item: Result<U, Status>) -> Result<(), Self::Error> {
        self.response_sender.send(item).await
    }
 }
 #[async_trait]
 impl<Inbound, Outbound> Receiver<Inbound> for DummyTransport<Inbound, Outbound>
 where
    Inbound: Send + Sync + 'static,
    Outbound: Send + Sync + 'static,
 {
    async fn recv(&mut self) -> Option<Inbound> {
        std::future::pending::<()>().await;
        None
    }
 }
 impl<Inbound, Outbound> Bi<Inbound, Outbound> for DummyTransport<Inbound, Outbound>
 where
    Inbound: Send + Sync + 'static,
    Outbound: Send + Sync + 'static,
 {
 }
 pub mod grpc;
--- a/server/crates/arbiter-proto/src/transport/grpc.rs
+++ b/server/crates/arbiter-proto/src/transport/grpc.rs
@@ -1,106 +0,0 @@
 use async_trait::async_trait;
 use futures::StreamExt;
 use tokio::sync::mpsc;
 use tokio_stream::wrappers::ReceiverStream;
 use super::{Bi, Receiver, Sender};
 pub struct GrpcSender<Outbound> {
    tx: mpsc::Sender<Result<Outbound, tonic::Status>>,
 }
 #[async_trait]
 impl<Outbound> Sender<Result<Outbound, tonic::Status>> for GrpcSender<Outbound>
 where
    Outbound: Send + Sync + 'static,
 {
    async fn send(&mut self, item: Result<Outbound, tonic::Status>) -> Result<(), super::Error> {
        self.tx
            .send(item)
            .await
            .map_err(|_| super::Error::ChannelClosed)
    }
 }
 pub struct GrpcReceiver<Inbound> {
    rx: tonic::Streaming<Inbound>,
 }
 #[async_trait]
 impl<Inbound> Receiver<Result<Inbound, tonic::Status>> for GrpcReceiver<Inbound>
 where
    Inbound: Send + Sync + 'static,
 {
    async fn recv(&mut self) -> Option<Result<Inbound, tonic::Status>> {
        self.rx.next().await
    }
 }
 pub struct GrpcBi<Inbound, Outbound> {
    sender: GrpcSender<Outbound>,
    receiver: GrpcReceiver<Inbound>,
 }
 impl<Inbound, Outbound> GrpcBi<Inbound, Outbound>
 where
    Inbound: Send + Sync + 'static,
    Outbound: Send + Sync + 'static,
 {
    pub fn from_bi_stream(
        receiver: tonic::Streaming<Inbound>,
    ) -> (Self, ReceiverStream<Result<Outbound, tonic::Status>>) {
        let (tx, rx) = mpsc::channel(10);
        let sender = GrpcSender { tx };
        let receiver = GrpcReceiver { rx: receiver };
        let bi = GrpcBi { sender, receiver };
        (bi, ReceiverStream::new(rx))
    }
 }
 #[async_trait]
 impl<Inbound, Outbound> Sender<Result<Outbound, tonic::Status>> for GrpcBi<Inbound, Outbound>
 where
    Inbound: Send + Sync + 'static,
    Outbound: Send + Sync + 'static,
 {
    async fn send(&mut self, item: Result<Outbound, tonic::Status>) -> Result<(), super::Error> {
        self.sender.send(item).await
    }
 }
 #[async_trait]
 impl<Inbound, Outbound> Receiver<Result<Inbound, tonic::Status>> for GrpcBi<Inbound, Outbound>
 where
    Inbound: Send + Sync + 'static,
    Outbound: Send + Sync + 'static,
 {
    async fn recv(&mut self) -> Option<Result<Inbound, tonic::Status>> {
        self.receiver.recv().await
    }
 }
 impl<Inbound, Outbound> Bi<Result<Inbound, tonic::Status>, Result<Outbound, tonic::Status>>
    for GrpcBi<Inbound, Outbound>
 where
    Inbound: Send + Sync + 'static,
    Outbound: Send + Sync + 'static,
 {
 }
 impl<Inbound, Outbound>
    super::SplittableBi<Result<Inbound, tonic::Status>, Result<Outbound, tonic::Status>>
    for GrpcBi<Inbound, Outbound>
 where
    Inbound: Send + Sync + 'static,
    Outbound: Send + Sync + 'static,
 {
    type Sender = GrpcSender<Outbound>;
    type Receiver = GrpcReceiver<Inbound>;
    fn split(self) -> (Self::Sender, Self::Receiver) {
        (self.sender, self.receiver)
    }
    fn from_parts(sender: Self::Sender, receiver: Self::Receiver) -> Self {
        GrpcBi { sender, receiver }
    }
 }
--- a/server/crates/arbiter-proto/src/url.rs
+++ b/server/crates/arbiter-proto/src/url.rs
@@ -1,130 +0,0 @@
 use std::fmt::Display;
 use base64::{Engine as _, prelude::BASE64_URL_SAFE};
 use rustls_pki_types::CertificateDer;
 const ARBITER_URL_SCHEME: &str = "arbiter";
 const CERT_QUERY_KEY: &str = "cert";
 const BOOTSTRAP_TOKEN_QUERY_KEY: &str = "bootstrap_token";
 #[derive(Debug, Clone)]
 pub struct ArbiterUrl {
    pub host: String,
    pub port: u16,
    pub ca_cert: CertificateDer<'static>,
    pub bootstrap_token: Option<String>,
 }
 impl Display for ArbiterUrl {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let mut base = format!(
            "{ARBITER_URL_SCHEME}://{}:{}?{CERT_QUERY_KEY}={}",
            self.host,
            self.port,
            BASE64_URL_SAFE.encode(&self.ca_cert)
        );
        if let Some(token) = &self.bootstrap_token {
            base.push_str(&format!("&{BOOTSTRAP_TOKEN_QUERY_KEY}={}", token));
        }
        f.write_str(&base)
    }
 }
 #[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum Error {
    #[error("Invalid URL scheme, expected '{ARBITER_URL_SCHEME}://'")]
    #[diagnostic(
        code(arbiter::url::invalid_scheme),
        help("The URL must start with '{ARBITER_URL_SCHEME}://'")
    )]
    InvalidScheme,
    #[error("Missing host in URL")]
    #[diagnostic(
        code(arbiter::url::missing_host),
        help("The URL must include a host, e.g., '{ARBITER_URL_SCHEME}://127.0.0.1:<port>'")
    )]
    MissingHost,
    #[error("Missing port in URL")]
    #[diagnostic(
        code(arbiter::url::missing_port),
        help("The URL must include a port, e.g., '{ARBITER_URL_SCHEME}://127.0.0.1:1234'")
    )]
    MissingPort,
    #[error("Missing 'cert' query parameter in URL")]
    #[diagnostic(
        code(arbiter::url::missing_cert),
        help("The URL must include a 'cert' query parameter")
    )]
    MissingCert,
    #[error("Invalid base64 in 'cert' query parameter: {0}")]
    #[diagnostic(code(arbiter::url::invalid_cert_base64))]
    InvalidCertBase64(#[from] base64::DecodeError),
 }
 impl<'a> TryFrom<&'a str> for ArbiterUrl {
    type Error = Error;
    fn try_from(value: &'a str) -> Result<Self, Self::Error> {
        let url = url::Url::parse(value).map_err(|_| Error::InvalidScheme)?;
        if url.scheme() != ARBITER_URL_SCHEME {
            return Err(Error::InvalidScheme);
        }
        let host = url.host_str().ok_or(Error::MissingHost)?.to_string();
        let port = url.port().ok_or(Error::MissingPort)?;
        let cert_str = url
            .query_pairs()
            .find(|(k, _)| k == CERT_QUERY_KEY)
            .ok_or(Error::MissingCert)?
            .1;
        let cert = BASE64_URL_SAFE.decode(cert_str.as_ref())?;
        let cert = CertificateDer::from_slice(&cert).into_owned();
        let bootstrap_token = url
            .query_pairs()
            .find(|(k, _)| k == BOOTSTRAP_TOKEN_QUERY_KEY)
            .map(|(_, v)| v.to_string());
        Ok(ArbiterUrl {
            host,
            port,
            ca_cert: cert,
            bootstrap_token,
        })
    }
 }
 #[cfg(test)]
 mod tests {
    use rcgen::generate_simple_self_signed;
    use rstest::rstest;
    use super::*;
    #[rstest]
    fn test_parsing_correctness(
        #[values("127.0.0.1", "localhost", "192.168.1.1", "some.domain.com")] host: &str,
        #[values(None, Some("token123".to_string()))] bootstrap_token: Option<String>,
    ) {
        let cert = generate_simple_self_signed(&["Arbiter CA".into()]).unwrap();
        let cert = cert.cert.der();
        let url = ArbiterUrl {
            host: host.to_string(),
            port: 1234,
            ca_cert: cert.clone().into_owned(),
            bootstrap_token,
        };
        let url_str = url.to_string();
        let parsed_url = ArbiterUrl::try_from(url_str.as_str()).unwrap();
        assert_eq!(url.host, parsed_url.host);
        assert_eq!(url.port, parsed_url.port);
        assert_eq!(url.ca_cert.to_vec(), parsed_url.ca_cert.to_vec());
        assert_eq!(url.bootstrap_token, parsed_url.bootstrap_token);
    }
 }
--- a/server/crates/arbiter-server/.DS_Store
+++ b/server/crates/arbiter-server/.DS_Store
--- a/server/crates/arbiter-server/Cargo.toml
+++ b/server/crates/arbiter-server/Cargo.toml
@@ -3,14 +3,16 @@ name = "arbiter-server"
 version = "0.1.0"
 edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
 license = "Apache-2.0"
 [lints]
 workspace = true
 [dependencies]
-diesel = { version = "2.3.7", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
+diesel = { version = "2.3.6", features = [
-diesel-async = { version = "0.8.0", features = [
+    "sqlite",
    "uuid",
    "time",
    "chrono",
    "serde_json",
 ] }
 diesel-async = { version = "0.7.4", features = [
    "bb8",
    "migrations",
    "sqlite",
@@ -19,15 +21,12 @@ diesel-async = { version = "0.8.0", features = [
 ed25519-dalek.workspace = true
 arbiter-proto.path = "../arbiter-proto"
 tracing.workspace = true
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 tonic.workspace = true
 tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
 miette.workspace = true
 thiserror.workspace = true
 fatality = "0.1.1"
 diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
 async-trait.workspace = true
 secrecy = "0.10.3"
@@ -35,25 +34,20 @@ futures.workspace = true
 tokio-stream.workspace = true
 dashmap = "6.1.0"
 rand.workspace = true
-rcgen.workspace = true
+rcgen = { version = "0.14.7", features = [
    "aws_lc_rs",
    "pem",
    "x509-parser",
    "zeroize",
 ], default-features = false }
 chrono.workspace = true
 memsafe = "0.4.0"
 zeroize = { version = "1.8.2", features = ["std", "simd"] }
 argon2 = { version = "0.5", features = ["std"] }
 kameo.workspace = true
-x25519-dalek.workspace = true
+hex = "0.4.3"
-chacha20poly1305 = { version = "0.10.1", features = ["std"] }
+chacha20poly1305 = "0.10.1"
-argon2 = { version = "0.5.3", features = ["zeroize"] }
+x25519-dalek = { version = "2.0", features = ["static_secrets"] }
 restructed = "0.2.2"
 strum = { version = "0.28.0", features = ["derive"] }
 pem = "3.0.6"
 k256.workspace = true
 rsa.workspace = true
 sha2.workspace = true
 spki.workspace = true
 alloy.workspace = true
 prost-types.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
 [dev-dependencies]
 insta = "1.46.3"
 test-log = { version = "0.2", default-features = false, features = ["trace"] }
--- a/server/crates/arbiter-server/migrations/2026-02-13-155546-0000_add_tls_rotation/down.sql
+++ b/server/crates/arbiter-server/migrations/2026-02-13-155546-0000_add_tls_rotation/down.sql
@@ -0,0 +1,11 @@
 -- Rollback TLS rotation tables
 -- Удалить добавленную колонку из arbiter_settings
 ALTER TABLE arbiter_settings DROP COLUMN current_cert_id;
 -- Удалить таблицы в обратном порядке
 DROP TABLE IF EXISTS tls_rotation_history;
 DROP TABLE IF EXISTS rotation_client_acks;
 DROP TABLE IF EXISTS tls_rotation_state;
 DROP INDEX IF EXISTS idx_tls_certificates_active;
 DROP TABLE IF EXISTS tls_certificates;
--- a/server/crates/arbiter-server/migrations/2026-02-13-155546-0000_add_tls_rotation/up.sql
+++ b/server/crates/arbiter-server/migrations/2026-02-13-155546-0000_add_tls_rotation/up.sql
@@ -0,0 +1,57 @@
 -- История всех сертификатов
 CREATE TABLE IF NOT EXISTS tls_certificates (
    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
    cert BLOB NOT NULL,              -- DER-encoded
    cert_key BLOB NOT NULL,          -- PEM-encoded
    not_before INTEGER NOT NULL,     -- Unix timestamp
    not_after INTEGER NOT NULL,      -- Unix timestamp
    created_at INTEGER NOT NULL DEFAULT(unixepoch('now')),
    is_active BOOLEAN NOT NULL DEFAULT 0  -- Только один active=1
 ) STRICT;
 CREATE INDEX idx_tls_certificates_active ON tls_certificates(is_active, not_after);
 -- Tracking процесса ротации
 CREATE TABLE IF NOT EXISTS tls_rotation_state (
    id INTEGER NOT NULL PRIMARY KEY CHECK(id = 1),  -- Singleton
    state TEXT NOT NULL DEFAULT('normal') CHECK(state IN ('normal', 'initiated', 'waiting_acks', 'ready')),
    new_cert_id INTEGER REFERENCES tls_certificates(id),
    initiated_at INTEGER,
    timeout_at INTEGER  -- Таймаут для ожидания ACKs (initiated_at + 7 дней)
 ) STRICT;
 -- Tracking ACKs от клиентов
 CREATE TABLE IF NOT EXISTS rotation_client_acks (
    rotation_id INTEGER NOT NULL,    -- Ссылка на new_cert_id
    client_key TEXT NOT NULL,        -- Публичный ключ клиента (hex)
    ack_received_at INTEGER NOT NULL DEFAULT(unixepoch('now')),
    PRIMARY KEY (rotation_id, client_key)
 ) STRICT;
 -- Audit trail событий ротации
 CREATE TABLE IF NOT EXISTS tls_rotation_history (
    id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
    cert_id INTEGER NOT NULL REFERENCES tls_certificates(id),
    event_type TEXT NOT NULL CHECK(event_type IN ('created', 'rotation_initiated', 'acks_complete', 'activated', 'timeout')),
    timestamp INTEGER NOT NULL DEFAULT(unixepoch('now')),
    details TEXT  -- JSON с доп. информацией
 ) STRICT;
 -- Миграция существующего сертификата
 INSERT INTO tls_certificates (id, cert, cert_key, not_before, not_after, is_active, created_at)
 SELECT
    1,
    cert,
    cert_key,
    unixepoch('now') as not_before,
    unixepoch('now') + (90 * 24 * 60 * 60) as not_after,  -- 90 дней
    1 as is_active,
    unixepoch('now')
 FROM arbiter_settings WHERE id = 1;
 -- Инициализация rotation_state
 INSERT INTO tls_rotation_state (id, state) VALUES (1, 'normal');
 -- Добавить ссылку на текущий сертификат
 ALTER TABLE arbiter_settings ADD COLUMN current_cert_id INTEGER REFERENCES tls_certificates(id);
 UPDATE arbiter_settings SET current_cert_id = 1 WHERE id = 1;
--- a/server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
+++ b/server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
@@ -1,193 +1,31 @@
 create table if not exists root_key_history (
    id INTEGER not null PRIMARY KEY,
    -- root key stored as aead encrypted artifact, with only difference that it's decrypted by unseal key (derived from user password)
    root_key_encryption_nonce blob not null default(1), -- if re-encrypted, this should be incremented. Used for encrypting root key
    data_encryption_nonce blob not null default(1), -- nonce used for encrypting with key itself
    ciphertext blob not null,
    tag blob not null,
    schema_version integer not null default(1), -- server would need to reencrypt, because this means that we have changed algorithm
    salt blob not null -- for key deriviation 
 ) STRICT;
 create table if not exists aead_encrypted (
    id INTEGER not null PRIMARY KEY,
-    current_nonce blob not null default(1), -- if re-encrypted, this should be incremented
+    current_nonce integer not null default(1), -- if re-encrypted, this should be incremented
    ciphertext blob not null,
    tag blob not null,
-    schema_version integer not null default(1), -- server would need to reencrypt, because this means that we have changed algorithm
+    schema_version integer not null default(1) -- server would need to reencrypt, because this means that we have changed algorithm
    associated_root_key_id integer not null references root_key_history (id) on delete RESTRICT,
    created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 create unique index if not exists uniq_nonce_per_root_key on aead_encrypted (
    current_nonce,
    associated_root_key_id
 );
 create table if not exists tls_history (
    id INTEGER not null PRIMARY KEY,
    cert text not null,
    cert_key text not null, -- PEM Encoded private key
    ca_cert text not null,
    ca_key text not null, -- PEM Encoded private key
    created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 -- This is a singleton
 create table if not exists arbiter_settings (
    id INTEGER not null PRIMARY KEY CHECK (id = 1), -- singleton row, id must be 1
-    root_key_id integer references root_key_history (id) on delete RESTRICT, -- if null, means wasn't bootstrapped yet
+    root_key_id integer references aead_encrypted (id) on delete RESTRICT, -- if null, means wasn't bootstrapped yet
-    tls_id integer references tls_history (id) on delete RESTRICT
+    cert_key blob not null,
    cert blob not null
 ) STRICT;
 insert into arbiter_settings (id) values (1) on conflict do nothing;
 -- ensure singleton row exists
 create table if not exists useragent_client (
    id integer not null primary key,
-    nonce integer not null default(1), -- used for auth challenge
+    nonce integer not null default (1), -- used for auth challenge
    public_key blob not null,
    key_type integer not null default(1), -- 1=Ed25519, 2=ECDSA(secp256k1)
    created_at integer not null default(unixepoch ('now')),
    updated_at integer not null default(unixepoch ('now'))
 ) STRICT;
 create unique index if not exists uniq_useragent_client_public_key on useragent_client (public_key, key_type);
 create table if not exists client_metadata (
    id integer not null primary key,
    name text not null, -- human-readable name for the client
    description text, -- optional description for the client
    version text, -- client version for tracking and debugging
    created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 -- created to track history of changes
 create table if not exists client_metadata_history (
    id integer not null primary key,
    metadata_id integer not null references client_metadata (id) on delete cascade,
    client_id integer not null references program_client (id) on delete cascade,
    created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 create unique index if not exists uniq_metadata_binding_client on client_metadata_history (client_id);
 create table if not exists program_client (
    id integer not null primary key,
-    nonce integer not null default(1), -- used for auth challenge
+    nonce integer not null default (1), -- used for auth challenge
    public_key blob not null,
    metadata_id integer not null references client_metadata (id) on delete cascade,
    created_at integer not null default(unixepoch ('now')),
    updated_at integer not null default(unixepoch ('now'))
-) STRICT;
+) STRICT;
 create unique index if not exists program_client_public_key_unique
    on program_client (public_key);
 create unique index if not exists uniq_program_client_public_key on program_client (public_key);
 create table if not exists evm_wallet (
    id integer not null primary key,
    address blob not null, -- 20-byte Ethereum address
    aead_encrypted_id integer not null references aead_encrypted (id) on delete RESTRICT,
    created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 create unique index if not exists uniq_evm_wallet_address on evm_wallet (address);
 create unique index if not exists uniq_evm_wallet_aead on evm_wallet (aead_encrypted_id);
 create table if not exists evm_wallet_access (
    id integer not null primary key,
    wallet_id integer not null references evm_wallet (id) on delete cascade,
    client_id integer not null references program_client (id) on delete cascade,
    created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 create unique index if not exists uniq_wallet_access on evm_wallet_access (wallet_id, client_id);
 create table if not exists evm_ether_transfer_limit (
    id integer not null primary key,
    window_secs integer not null, -- window duration in seconds
    max_volume blob not null -- big-endian 32-byte U256
 ) STRICT;
 -- Shared grant properties: client scope, timeframe, fee caps, and rate limit
 create table if not exists evm_basic_grant (
    id integer not null primary key,
    wallet_access_id integer not null references evm_wallet_access (id) on delete restrict,
    chain_id integer not null, -- EIP-155 chain ID
    valid_from integer, -- unix timestamp (seconds), null = no lower bound
    valid_until integer, -- unix timestamp (seconds), null = no upper bound
    max_gas_fee_per_gas blob, -- big-endian 32-byte U256, null = unlimited
    max_priority_fee_per_gas blob, -- big-endian 32-byte U256, null = unlimited
    rate_limit_count integer, -- max transactions in window, null = unlimited
    rate_limit_window_secs integer, -- window duration in seconds, null = unlimited
    revoked_at integer, -- unix timestamp when revoked, null = still active
    created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 -- Shared transaction log for all EVM grants, used for rate limit tracking and auditing
 create table if not exists evm_transaction_log (
    id integer not null primary key,
    wallet_access_id integer not null references evm_wallet_access (id) on delete restrict,
    grant_id integer not null references evm_basic_grant (id) on delete restrict,
    chain_id integer not null,
    eth_value blob not null, -- always present on any EVM tx
    signed_at integer not null default(unixepoch ('now'))
 ) STRICT;
 create index if not exists idx_evm_basic_grant_access_chain on evm_basic_grant (wallet_access_id, chain_id);
 -- ===============================
 -- ERC20 token transfer grant
 -- ===============================
 create table if not exists evm_token_transfer_grant (
    id integer not null primary key,
    basic_grant_id integer not null unique references evm_basic_grant (id) on delete cascade,
    token_contract blob not null, -- 20-byte ERC20 contract address
    receiver blob -- 20-byte recipient address or null if every recipient allowed
 ) STRICT;
 -- Per-window volume limits for token transfer grants
 create table if not exists evm_token_transfer_volume_limit (
    id integer not null primary key,
    grant_id integer not null references evm_token_transfer_grant (id) on delete cascade,
    window_secs integer not null, -- window duration in seconds
    max_volume blob not null -- big-endian 32-byte U256
 ) STRICT;
 -- Log table for token transfer grant usage
 create table if not exists evm_token_transfer_log (
    id integer not null primary key,
    grant_id integer not null references evm_token_transfer_grant (id) on delete restrict,
    log_id integer not null references evm_transaction_log (id) on delete restrict,
    chain_id integer not null, -- EIP-155 chain ID
    token_contract blob not null, -- 20-byte ERC20 contract address
    recipient_address blob not null, -- 20-byte recipient address
    value blob not null, -- big-endian 32-byte U256
    created_at integer not null default(unixepoch ('now'))
 ) STRICT;
 create index if not exists idx_token_transfer_log_grant on evm_token_transfer_log (grant_id);
 create index if not exists idx_token_transfer_log_log_id on evm_token_transfer_log (log_id);
 create index if not exists idx_token_transfer_log_chain on evm_token_transfer_log (chain_id);
 -- ===============================
 -- Ether transfer grant (uses base log)
 -- ===============================
 create table if not exists evm_ether_transfer_grant (
    id integer not null primary key,
    basic_grant_id integer not null unique references evm_basic_grant (id) on delete cascade,
    limit_id integer not null references evm_ether_transfer_limit (id) on delete restrict
 ) STRICT;
 -- Specific recipient addresses for an ether transfer grant
 create table if not exists evm_ether_transfer_grant_target (
    id integer not null primary key,
    grant_id integer not null references evm_ether_transfer_grant (id) on delete cascade,
    address blob not null -- 20-byte recipient address
 ) STRICT;
 create unique index if not exists uniq_ether_transfer_target on evm_ether_transfer_grant_target (grant_id, address);
--- a/server/crates/arbiter-server/migrations/2026-02-16-160000-0000_add_argon2_salt/down.sql
+++ b/server/crates/arbiter-server/migrations/2026-02-16-160000-0000_add_argon2_salt/down.sql
@@ -0,0 +1,2 @@
 -- Remove argon2_salt column
 ALTER TABLE aead_encrypted DROP COLUMN argon2_salt;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
CleverWild	d65e9319d9	lints(clippy)	2026-03-11 14:05:03 +01:00
CleverWild	dfc852e815	feat(server): integrate X25519 unseal handler in UserAgentActor	2026-03-11 14:05:03 +01:00
CleverWild	5b711acb15	feat(server): add X25519 ECDH for secure unseal protocol	2026-03-11 14:05:03 +01:00
CleverWild	19f19a56e5	feat(server): implement KeyStorage and state machine lifecycle	2026-03-11 14:04:46 +01:00
CleverWild	f108e64d13	feat(tls): implement TLS certificate management and rotation	2026-03-11 14:04:46 +01:00
		`@@ -1 +0,0 @@`
			`{"version":2,"entries":[{"package":"app","rootUri":"../","packageUri":"lib/"}]}`
`@@ -1,4 +1,4 @@`
	`# useragent`	`# app`

	`A new Flutter project.`	`A new Flutter project.`
		`@@ -0,0 +1 @@`
							`#include "ephemeral/Flutter-Generated.xcconfig"`
		`@@ -0,0 +1,2 @@`
							`-- Remove argon2_salt column`
							`ALTER TABLE aead_encrypted DROP COLUMN argon2_salt;`