docs: document explicit AuthResult enums and request multiplexing

feat(useragent): showing auth error when something went wrong
refactor(useragent): using request/response for correct multiplexing behaviour
2026-03-19 00:31:42 +01:00 · 2026-03-19 00:20:53 +01:00 · 2026-03-19 00:18:22 +01:00 · 2026-03-19 00:05:35 +01:00 · 2026-03-18 23:43:24 +01:00 · 2026-03-18 23:35:20 +01:00
34 changed files with 217 additions and 1172 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,3 @@ target/
 scripts/__pycache__/
 .DS_Store
 .cargo/config.toml
 .vscode/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,2 @@
 {
 }
--- a/.woodpecker/server-lint.yaml
+++ b/.woodpecker/server-lint.yaml
@@ -22,4 +22,4 @@ steps:
      - apt-get update && apt-get install -y pkg-config
      - mise install rust 
      - mise install protoc
-      - mise exec rust -- cargo clippy --all -- -D warnings
+      - mise exec rust -- cargo clippy --all-targets --all-features -- -D warnings
--- a/.woodpecker/useragent-analyze.yaml
+++ b/.woodpecker/useragent-analyze.yaml
@@ -1,18 +0,0 @@
 when:
  - event: pull_request
    path:
      include: ['.woodpecker/useragent-*.yaml', 'useragent/**']
  - event: push
    branch: main
    path:
      include: ['.woodpecker/useragent-*.yaml', 'useragent/**']
 steps:
  - name: analyze
    image: jdxcode/mise:latest
    commands:
      - mise install flutter 
      - mise install protoc
      # Reruns codegen to catch protocol drift
      - mise codegen 
      - cd useragent/ && flutter analyze
--- a/mise.lock
+++ b/mise.lock
@@ -1,37 +1,16 @@
 # @generated - this file is auto-generated by `mise lock` https://mise.jdx.dev/dev-tools/mise-lock.html
 [[tools.ast-grep]]
 version = "0.42.0"
 backend = "aqua:ast-grep/ast-grep"
-
+"platforms.linux-arm64" = { checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836", url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"}
-[tools.ast-grep."platforms.linux-arm64"]
+"platforms.linux-x64" = { checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651", url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"}
-checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836"
+"platforms.macos-arm64" = { checksum = "sha256:fc300d5293b1c770a5aece03a8a193b92e71e87cec726c28096990691a582620", url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-apple-darwin.zip"}
-url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"
+"platforms.macos-x64" = { checksum = "sha256:979ffe611327056f4730a1ae71b0209b3b830f58b22c6ed194cda34f55400db2", url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-apple-darwin.zip"}
-
+"platforms.windows-x64" = { checksum = "sha256:55836fa1b2c65dc7d61615a4d9368622a0d2371a76d28b9a165e5a3ab6ae32a4", url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-pc-windows-msvc.zip"}
 [tools.ast-grep."platforms.linux-x64"]
 checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"
 [tools.ast-grep."platforms.macos-arm64"]
 checksum = "sha256:fc300d5293b1c770a5aece03a8a193b92e71e87cec726c28096990691a582620"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-apple-darwin.zip"
 [tools.ast-grep."platforms.macos-x64"]
 checksum = "sha256:979ffe611327056f4730a1ae71b0209b3b830f58b22c6ed194cda34f55400db2"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-apple-darwin.zip"
 [tools.ast-grep."platforms.windows-x64"]
 checksum = "sha256:55836fa1b2c65dc7d61615a4d9368622a0d2371a76d28b9a165e5a3ab6ae32a4"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-pc-windows-msvc.zip"
 [[tools."cargo:cargo-audit"]]
 version = "0.22.1"
 backend = "cargo:cargo-audit"
 [[tools."cargo:cargo-edit"]]
 version = "0.13.9"
 backend = "cargo:cargo-edit"
 [[tools."cargo:cargo-features"]]
 version = "1.0.0"
 backend = "cargo:cargo-features"
@@ -83,50 +62,20 @@ backend = "asdf:flutter"
 [[tools.protoc]]
 version = "29.6"
 backend = "aqua:protocolbuffers/protobuf/protoc"
-
+"platforms.linux-arm64" = { checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"}
-[tools.protoc."platforms.linux-arm64"]
+"platforms.linux-x64" = { checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"}
-checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79"
+"platforms.macos-arm64" = { checksum = "sha256:b9576b5fa1a1ef3fe13a8c91d9d8204b46545759bea5ae155cd6ba2ea4cdaeed", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-aarch_64.zip"}
-url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"
+"platforms.macos-x64" = { checksum = "sha256:312f04713946921cc0187ef34df80241ddca1bab6f564c636885fd2cc90d3f88", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-x86_64.zip"}
-
+"platforms.windows-x64" = { checksum = "sha256:1ebd7c87baffb9f1c47169b640872bf5fb1e4408079c691af527be9561d8f6f7", url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-win64.zip"}
 [tools.protoc."platforms.linux-x64"]
 checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"
 [tools.protoc."platforms.macos-arm64"]
 checksum = "sha256:b9576b5fa1a1ef3fe13a8c91d9d8204b46545759bea5ae155cd6ba2ea4cdaeed"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-aarch_64.zip"
 [tools.protoc."platforms.macos-x64"]
 checksum = "sha256:312f04713946921cc0187ef34df80241ddca1bab6f564c636885fd2cc90d3f88"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-x86_64.zip"
 [tools.protoc."platforms.windows-x64"]
 checksum = "sha256:1ebd7c87baffb9f1c47169b640872bf5fb1e4408079c691af527be9561d8f6f7"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-win64.zip"
 [[tools.python]]
 version = "3.14.3"
 backend = "core:python"
-
+"platforms.linux-arm64" = { checksum = "sha256:be0f4dc2932f762292b27d46ea7d3e8e66ddf3969a5eb0254a229015ed402625", url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"}
-[tools.python."platforms.linux-arm64"]
+"platforms.linux-x64" = { checksum = "sha256:0a73413f89efd417871876c9accaab28a9d1e3cd6358fbfff171a38ec99302f0", url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"}
-checksum = "sha256:be0f4dc2932f762292b27d46ea7d3e8e66ddf3969a5eb0254a229015ed402625"
+"platforms.macos-arm64" = { checksum = "sha256:4703cdf18b26798fde7b49b6b66149674c25f97127be6a10dbcf29309bdcdcdb", url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-apple-darwin-install_only_stripped.tar.gz"}
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+"platforms.macos-x64" = { checksum = "sha256:76f1cc26e3d262eae8ca546a93e8bded10cf0323613f7e246fea2e10a8115eb7", url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-apple-darwin-install_only_stripped.tar.gz"}
-
+"platforms.windows-x64" = { checksum = "sha256:950c5f21a015c1bdd1337f233456df2470fab71e4d794407d27a84cb8b9909a0", url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"}
 [tools.python."platforms.linux-x64"]
 checksum = "sha256:0a73413f89efd417871876c9accaab28a9d1e3cd6358fbfff171a38ec99302f0"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
 [tools.python."platforms.macos-arm64"]
 checksum = "sha256:4703cdf18b26798fde7b49b6b66149674c25f97127be6a10dbcf29309bdcdcdb"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-apple-darwin-install_only_stripped.tar.gz"
 [tools.python."platforms.macos-x64"]
 checksum = "sha256:76f1cc26e3d262eae8ca546a93e8bded10cf0323613f7e246fea2e10a8115eb7"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-apple-darwin-install_only_stripped.tar.gz"
 [tools.python."platforms.windows-x64"]
 checksum = "sha256:950c5f21a015c1bdd1337f233456df2470fab71e4d794407d27a84cb8b9909a0"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
 [[tools.rust]]
 version = "1.93.0"
--- a/mise.toml
+++ b/mise.toml
@@ -11,7 +11,6 @@ protoc = "29.6"
 "cargo:cargo-insta" = "1.46.3"
 python = "3.14.3"
 ast-grep = "0.42.0"
 "cargo:cargo-edit" = "0.13.9"
 [tasks.codegen]
 sources = ['protobufs/*.proto']
--- a/protobufs/user_agent.proto
+++ b/protobufs/user_agent.proto
@@ -12,55 +12,6 @@ enum KeyType {
  KEY_TYPE_RSA = 3;
 }
 // --- SDK client management ---
 enum SdkClientError {
  SDK_CLIENT_ERROR_UNSPECIFIED = 0;
  SDK_CLIENT_ERROR_ALREADY_EXISTS = 1;
  SDK_CLIENT_ERROR_NOT_FOUND = 2;
  SDK_CLIENT_ERROR_HAS_RELATED_DATA = 3; // hard-delete blocked by FK (client has grants or transaction logs)
  SDK_CLIENT_ERROR_INTERNAL = 4;
 }
 message SdkClientApproveRequest {
  bytes pubkey = 1; // 32-byte ed25519 public key
 }
 message SdkClientRevokeRequest {
  int32 client_id = 1;
 }
 message SdkClientEntry {
  int32 id = 1;
  bytes pubkey = 2;
  int32 created_at = 3;
 }
 message SdkClientList {
  repeated SdkClientEntry clients = 1;
 }
 message SdkClientApproveResponse {
  oneof result {
    SdkClientEntry client = 1;
    SdkClientError error = 2;
  }
 }
 message SdkClientRevokeResponse {
  oneof result {
    google.protobuf.Empty ok = 1;
    SdkClientError error = 2;
  }
 }
 message SdkClientListResponse {
  oneof result {
    SdkClientList clients = 1;
    SdkClientError error = 2;
  }
 }
 message AuthChallengeRequest {
  bytes pubkey = 1;
  optional string bootstrap_token = 2;
@@ -127,18 +78,18 @@ enum VaultState {
  VAULT_STATE_ERROR = 4;
 }
-message SdkClientConnectionRequest {
+message ClientConnectionRequest {
  bytes pubkey = 1;
 }
-message SdkClientConnectionResponse {
+message ClientConnectionResponse {
  bool approved = 1;
 }
-message SdkClientConnectionCancel {}
+message ClientConnectionCancel {}
 message UserAgentRequest {
-  int32 id = 16;
+  int32 id = 14;
  oneof payload {
    AuthChallengeRequest auth_challenge_request = 1;
    AuthChallengeSolution auth_challenge_solution = 2;
@@ -150,15 +101,12 @@ message UserAgentRequest {
    arbiter.evm.EvmGrantCreateRequest evm_grant_create = 8;
    arbiter.evm.EvmGrantDeleteRequest evm_grant_delete = 9;
    arbiter.evm.EvmGrantListRequest evm_grant_list = 10;
-    SdkClientConnectionResponse sdk_client_connection_response = 11;
+    ClientConnectionResponse client_connection_response = 11;
-    SdkClientApproveRequest sdk_client_approve = 12;
+    BootstrapEncryptedKey bootstrap_encrypted_key = 12;
    SdkClientRevokeRequest sdk_client_revoke = 13;
    google.protobuf.Empty sdk_client_list = 14;
    BootstrapEncryptedKey bootstrap_encrypted_key = 15;
  }
 }
 message UserAgentResponse {
-  optional int32 id = 16;
+  optional int32 id = 14;
  oneof payload {
    AuthChallenge auth_challenge = 1;
    AuthResult auth_result = 2;
@@ -170,10 +118,8 @@ message UserAgentResponse {
    arbiter.evm.EvmGrantCreateResponse evm_grant_create = 8;
    arbiter.evm.EvmGrantDeleteResponse evm_grant_delete = 9;
    arbiter.evm.EvmGrantListResponse evm_grant_list = 10;
-    SdkClientConnectionResponse sdk_client_connection_response = 11;
+    ClientConnectionRequest client_connection_request = 11;
-    SdkClientApproveResponse sdk_client_approve_response = 12;
+    ClientConnectionCancel client_connection_cancel = 12;
-    SdkClientRevokeResponse sdk_client_revoke_response = 13;
+    BootstrapResult bootstrap_result = 13;
    SdkClientListResponse sdk_client_list_response = 14;
    BootstrapResult bootstrap_result = 15;
  }
 }
--- a/server/Cargo.lock
+++ b/server/Cargo.lock
@@ -67,13 +67,13 @@ dependencies = [
 [[package]]
 name = "alloy-chains"
-version = "0.2.32"
+version = "0.2.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9247f0a399ef71aeb68f497b2b8fb348014f742b50d3b83b1e00dfe1b7d64b3d"
+checksum = "6d9d22005bf31b018f31ef9ecadb5d2c39cf4f6acc8db0456f72c815f3d7f757"
 dependencies = [
 "alloy-primitives",
 "num_enum",
- "strum 0.27.2",
+ "strum",
 ]
 [[package]]
@@ -100,7 +100,7 @@ dependencies = [
 "serde",
 "serde_json",
 "serde_with",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -136,7 +136,7 @@ dependencies = [
 "futures",
 "futures-util",
 "serde_json",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -165,7 +165,7 @@ dependencies = [
 "itoa",
 "serde",
 "serde_json",
- "winnow 0.7.15",
+ "winnow",
 ]
 [[package]]
@@ -178,7 +178,7 @@ dependencies = [
 "alloy-rlp",
 "crc",
 "serde",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -203,7 +203,7 @@ dependencies = [
 "alloy-rlp",
 "borsh",
 "serde",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -239,7 +239,7 @@ dependencies = [
 "serde",
 "serde_with",
 "sha2 0.10.9",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -280,7 +280,7 @@ dependencies = [
 "http",
 "serde",
 "serde_json",
- "thiserror 2.0.18",
+ "thiserror",
 "tracing",
 ]
@@ -307,7 +307,7 @@ dependencies = [
 "futures-utils-wasm",
 "serde",
 "serde_json",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -382,7 +382,7 @@ dependencies = [
 "reqwest",
 "serde",
 "serde_json",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tracing",
 "url",
@@ -471,11 +471,11 @@ dependencies = [
 "alloy-rlp",
 "alloy-serde",
 "alloy-sol-types",
- "itertools 0.13.0",
+ "itertools 0.14.0",
 "serde",
 "serde_json",
 "serde_with",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -501,7 +501,7 @@ dependencies = [
 "either",
 "elliptic-curve",
 "k256",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -517,7 +517,7 @@ dependencies = [
 "async-trait",
 "k256",
 "rand 0.8.5",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -578,7 +578,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a6df77fea9d6a2a75c0ef8d2acbdfd92286cc599983d3175ccdc170d3433d249"
 dependencies = [
 "serde",
- "winnow 0.7.15",
+ "winnow",
 ]
 [[package]]
@@ -608,7 +608,7 @@ dependencies = [
 "parking_lot",
 "serde",
 "serde_json",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tower",
 "tracing",
@@ -624,7 +624,7 @@ checksum = "aa501ad58dd20acddbfebc65b52e60f05ebf97c52fa40d1b35e91f5e2da0ad0e"
 dependencies = [
 "alloy-json-rpc",
 "alloy-transport",
- "itertools 0.13.0",
+ "itertools 0.14.0",
 "reqwest",
 "serde_json",
 "tower",
@@ -644,7 +644,7 @@ dependencies = [
 "nybbles",
 "serde",
 "smallvec",
- "thiserror 2.0.18",
+ "thiserror",
 "tracing",
 ]
@@ -678,20 +678,6 @@ checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 [[package]]
 name = "arbiter-client"
 version = "0.1.0"
 dependencies = [
 "alloy",
 "arbiter-proto",
 "async-trait",
 "ed25519-dalek",
 "http",
 "rand 0.10.0",
 "rustls-webpki",
 "terrors",
 "thiserror 2.0.18",
 "tokio",
 "tokio-stream",
 "tonic",
 ]
 [[package]]
 name = "arbiter-proto"
@@ -705,12 +691,11 @@ dependencies = [
 "miette",
 "prost",
 "prost-types",
 "protoc-bin-vendored",
 "rand 0.10.0",
 "rcgen",
 "rstest",
 "rustls-pki-types",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tokio-stream",
 "tonic",
@@ -736,7 +721,6 @@ dependencies = [
 "diesel-async",
 "diesel_migrations",
 "ed25519-dalek",
 "fatality",
 "futures",
 "insta",
 "k256",
@@ -754,9 +738,9 @@ dependencies = [
 "sha2 0.10.9",
 "smlang",
 "spki",
- "strum 0.28.0",
+ "strum",
 "test-log",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tokio-stream",
 "tonic",
@@ -993,7 +977,7 @@ dependencies = [
 "nom",
 "num-traits",
 "rusticata-macros",
- "thiserror 2.0.18",
+ "thiserror",
 "time",
 ]
@@ -1078,9 +1062,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 [[package]]
 name = "aws-lc-rs"
-version = "1.16.2"
+version = "1.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
+checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf"
 dependencies = [
 "aws-lc-sys",
 "untrusted 0.7.1",
@@ -1089,9 +1073,9 @@ dependencies = [
 [[package]]
 name = "aws-lc-sys"
-version = "0.39.0"
+version = "0.38.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
+checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e"
 dependencies = [
 "cc",
 "cmake",
@@ -1286,20 +1270,19 @@ dependencies = [
 [[package]]
 name = "borsh"
-version = "1.6.1"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cfd1e3f8955a5d7de9fab72fc8373fade9fb8a703968cb200ae3dc6cf08e185a"
+checksum = "d1da5ab77c1437701eeff7c88d968729e7766172279eab0676857b3d63af7a6f"
 dependencies = [
 "borsh-derive",
 "bytes",
 "cfg_aliases",
 ]
 [[package]]
 name = "borsh-derive"
-version = "1.6.1"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfcfdc083699101d5a7965e49925975f2f55060f94f9a05e7187be95d530ca59"
+checksum = "0686c856aa6aac0c4498f936d7d6a02df690f614c03e4d906d1018062b5c5e2c"
 dependencies = [
 "once_cell",
 "proc-macro-crate",
@@ -1813,16 +1796,15 @@ dependencies = [
 [[package]]
 name = "diesel-async"
-version = "0.8.0"
+version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b95864e58597509106f1fddfe0600de7e589e1fddddd87f54eee0a49fd111bbc"
+checksum = "13096fb8dae53f2d411c4b523bec85f45552ed3044a2ab4d85fb2092d9cb4f34"
 dependencies = [
 "bb8",
 "diesel",
 "diesel_migrations",
 "futures-core",
 "futures-util",
 "pin-project-lite",
 "scoped-futures",
 "tokio",
 ]
@@ -2052,22 +2034,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
 name = "expander"
 version = "2.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e2c470c71d91ecbd179935b24170459e926382eaaa86b590b78814e180d8a8e2"
 dependencies = [
 "blake2",
 "file-guard",
 "fs-err",
 "prettyplease",
 "proc-macro2",
 "quote",
 "syn 2.0.117",
 ]
 [[package]]
@@ -2098,30 +2065,6 @@ dependencies = [
 "bytes",
 ]
 [[package]]
 name = "fatality"
 version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ec6f82451ff7f0568c6181287189126d492b5654e30a788add08027b6363d019"
 dependencies = [
 "fatality-proc-macro",
 "thiserror 1.0.69",
 ]
 [[package]]
 name = "fatality-proc-macro"
 version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eb42427514b063d97ce21d5199f36c0c307d981434a6be32582bc79fe5bd2303"
 dependencies = [
 "expander",
 "indexmap 2.13.0",
 "proc-macro-crate",
 "proc-macro2",
 "quote",
 "syn 2.0.117",
 ]
 [[package]]
 name = "ff"
 version = "0.13.1"
@@ -2144,16 +2087,6 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "64cd1e32ddd350061ae6edb1b082d7c54915b5c672c389143b9a63403a109f24"
 [[package]]
 name = "file-guard"
 version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "21ef72acf95ec3d7dbf61275be556299490a245f017cf084bd23b4f68cf9407c"
 dependencies = [
 "libc",
 "winapi",
 ]
 [[package]]
 name = "find-msvc-tools"
 version = "0.1.9"
@@ -2215,15 +2148,6 @@ dependencies = [
 "percent-encoding",
 ]
 [[package]]
 name = "fs-err"
 version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "88a41f105fe1d5b6b34b2055e3dc59bb79b46b48b2040b9e6c7b4b5de097aa41"
 dependencies = [
 "autocfg",
 ]
 [[package]]
 name = "fs_extra"
 version = "1.3.0"
@@ -2873,10 +2797,19 @@ dependencies = [
 ]
 [[package]]
-name = "itoa"
+name = "itertools"
-version = "1.0.18"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
+checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285"
 dependencies = [
 "either",
 ]
 [[package]]
 name = "itoa"
 version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
 [[package]]
 name = "jobserver"
@@ -3187,7 +3120,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -3264,9 +3197,9 @@ dependencies = [
 [[package]]
 name = "num_enum"
-version = "0.7.6"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d0bca838442ec211fa11de3a8b0e0e8f3a4522575b5c4c06ed722e005036f26"
+checksum = "b1207a7e20ad57b847bbddc6776b968420d38292bbfe2089accff5e19e82454c"
 dependencies = [
 "num_enum_derive",
 "rustversion",
@@ -3274,9 +3207,9 @@ dependencies = [
 [[package]]
 name = "num_enum_derive"
-version = "0.7.6"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "680998035259dcfcafe653688bf2aa6d3e2dc05e98be6ab46afb089dc84f1df8"
+checksum = "ff32365de1b6743cb203b710788263c44a03de03802daf96092f2da4fe6ba4d7"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -3668,7 +3601,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "343d3bd7056eda839b03204e68deff7d1b13aba7af2b2fd16890697274262ee7"
 dependencies = [
 "heck",
- "itertools 0.13.0",
+ "itertools 0.14.0",
 "log",
 "multimap",
 "petgraph",
@@ -3689,7 +3622,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "27c6023962132f4b30eb4c172c91ce92d933da334c59c23cddee82358ddafb0b"
 dependencies = [
 "anyhow",
- "itertools 0.13.0",
+ "itertools 0.14.0",
 "proc-macro2",
 "quote",
 "syn 2.0.117",
@@ -3705,75 +3638,11 @@ dependencies = [
 "prost",
 ]
 [[package]]
 name = "protoc-bin-vendored"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d1c381df33c98266b5f08186583660090a4ffa0889e76c7e9a5e175f645a67fa"
 dependencies = [
 "protoc-bin-vendored-linux-aarch_64",
 "protoc-bin-vendored-linux-ppcle_64",
 "protoc-bin-vendored-linux-s390_64",
 "protoc-bin-vendored-linux-x86_32",
 "protoc-bin-vendored-linux-x86_64",
 "protoc-bin-vendored-macos-aarch_64",
 "protoc-bin-vendored-macos-x86_64",
 "protoc-bin-vendored-win32",
 ]
 [[package]]
 name = "protoc-bin-vendored-linux-aarch_64"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c350df4d49b5b9e3ca79f7e646fde2377b199e13cfa87320308397e1f37e1a4c"
 [[package]]
 name = "protoc-bin-vendored-linux-ppcle_64"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a55a63e6c7244f19b5c6393f025017eb5d793fd5467823a099740a7a4222440c"
 [[package]]
 name = "protoc-bin-vendored-linux-s390_64"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1dba5565db4288e935d5330a07c264a4ee8e4a5b4a4e6f4e83fad824cc32f3b0"
 [[package]]
 name = "protoc-bin-vendored-linux-x86_32"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8854774b24ee28b7868cd71dccaae8e02a2365e67a4a87a6cd11ee6cdbdf9cf5"
 [[package]]
 name = "protoc-bin-vendored-linux-x86_64"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b38b07546580df720fa464ce124c4b03630a6fb83e05c336fea2a241df7e5d78"
 [[package]]
 name = "protoc-bin-vendored-macos-aarch_64"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "89278a9926ce312e51f1d999fee8825d324d603213344a9a706daa009f1d8092"
 [[package]]
 name = "protoc-bin-vendored-macos-x86_64"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "81745feda7ccfb9471d7a4de888f0652e806d5795b61480605d4943176299756"
 [[package]]
 name = "protoc-bin-vendored-win32"
 version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "95067976aca6421a523e491fce939a3e65249bac4b977adee0ee9771568e8aa3"
 [[package]]
 name = "pulldown-cmark"
-version = "0.13.2"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14104c5a24d9bcf7eb2c24753e0f49fe14555d8bd565ea3d38e4b4303267259d"
+checksum = "83c41efbf8f90ac44de7f3a868f0867851d261b56291732d0cbf7cceaaeb55a6"
 dependencies = [
 "bitflags",
 "memchr",
@@ -3809,7 +3678,7 @@ dependencies = [
 "rustc-hash",
 "rustls",
 "socket2",
- "thiserror 2.0.18",
+ "thiserror",
 "tokio",
 "tracing",
 "web-time",
@@ -3830,7 +3699,7 @@ dependencies = [
 "rustls",
 "rustls-pki-types",
 "slab",
- "thiserror 2.0.18",
+ "thiserror",
 "tinyvec",
 "tracing",
 "web-time",
@@ -4165,7 +4034,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a8a1f2315036ef6b1fbacd1972e8ee7688030b0a2121edfc2a6550febd41574d"
 dependencies = [
 "hashbrown 0.16.1",
- "thiserror 2.0.18",
+ "thiserror",
 ]
 [[package]]
@@ -4286,7 +4155,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -4317,9 +4186,9 @@ dependencies = [
 [[package]]
 name = "rustls-webpki"
-version = "0.103.10"
+version = "0.103.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
+checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
 dependencies = [
 "aws-lc-rs",
 "ring",
@@ -4702,7 +4571,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
 dependencies = [
 "libc",
- "windows-sys 0.60.2",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -4763,16 +4632,7 @@ version = "0.27.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "af23d6f6c1a224baef9d3f61e287d2761385a5b88fdab4eb4c6f11aeb54c4bcf"
 dependencies = [
- "strum_macros 0.27.2",
+ "strum_macros",
 ]
 [[package]]
 name = "strum"
 version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9628de9b8791db39ceda2b119bbe13134770b56c138ec1d3af810d045c04f9bd"
 dependencies = [
 "strum_macros 0.28.0",
 ]
 [[package]]
@@ -4787,18 +4647,6 @@ dependencies = [
 "syn 2.0.117",
 ]
 [[package]]
 name = "strum_macros"
 version = "0.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ab85eea0270ee17587ed4156089e10b9e6880ee688791d45a905f5b1ca36f664"
 dependencies = [
 "heck",
 "proc-macro2",
 "quote",
 "syn 2.0.117",
 ]
 [[package]]
 name = "subtle"
 version = "2.6.1"
@@ -4896,7 +4744,7 @@ dependencies = [
 "getrandom 0.4.2",
 "once_cell",
 "rustix",
- "windows-sys 0.52.0",
+ "windows-sys 0.61.2",
 ]
 [[package]]
@@ -4909,11 +4757,6 @@ dependencies = [
 "windows-sys 0.60.2",
 ]
 [[package]]
 name = "terrors"
 version = "0.5.1"
 source = "git+https://github.com/CleverWild/terrors#a0867fd9ca3fbb44c32e92113a917f1577b5716a"
 [[package]]
 name = "test-log"
 version = "0.2.19"
@@ -4945,33 +4788,13 @@ dependencies = [
 "unicode-width 0.2.2",
 ]
 [[package]]
 name = "thiserror"
 version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
 dependencies = [
 "thiserror-impl 1.0.69",
 ]
 [[package]]
 name = "thiserror"
 version = "2.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
 dependencies = [
- "thiserror-impl 2.0.18",
+ "thiserror-impl",
 ]
 [[package]]
 name = "thiserror-impl"
 version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn 2.0.117",
 ]
 [[package]]
@@ -5133,7 +4956,7 @@ dependencies = [
 "serde_spanned",
 "toml_datetime 0.7.5+spec-1.1.0",
 "toml_parser",
- "winnow 0.7.15",
+ "winnow",
 ]
 [[package]]
@@ -5147,32 +4970,32 @@ dependencies = [
 [[package]]
 name = "toml_datetime"
-version = "1.0.1+spec-1.1.0"
+version = "1.0.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b320e741db58cac564e26c607d3cc1fdc4a88fd36c879568c07856ed83ff3e9"
+checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e"
 dependencies = [
 "serde_core",
 ]
 [[package]]
 name = "toml_edit"
-version = "0.25.5+spec-1.1.0"
+version = "0.25.4+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8ca1a40644a28bce036923f6a431df0b34236949d111cc07cb6dca830c9ef2e1"
+checksum = "7193cbd0ce53dc966037f54351dbbcf0d5a642c7f0038c382ef9e677ce8c13f2"
 dependencies = [
 "indexmap 2.13.0",
- "toml_datetime 1.0.1+spec-1.1.0",
+ "toml_datetime 1.0.0+spec-1.1.0",
 "toml_parser",
- "winnow 1.0.0",
+ "winnow",
 ]
 [[package]]
 name = "toml_parser"
-version = "1.0.10+spec-1.1.0"
+version = "1.0.9+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7df25b4befd31c4816df190124375d5a20c6b6921e2cad937316de3fccd63420"
+checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
 dependencies = [
- "winnow 1.0.0",
+ "winnow",
 ]
 [[package]]
@@ -5936,15 +5759,6 @@ dependencies = [
 "memchr",
 ]
 [[package]]
 name = "winnow"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8"
 dependencies = [
 "memchr",
 ]
 [[package]]
 name = "wit-bindgen"
 version = "0.51.0"
@@ -6074,7 +5888,7 @@ dependencies = [
 "nom",
 "oid-registry",
 "rusticata-macros",
- "thiserror 2.0.18",
+ "thiserror",
 "time",
 ]
@@ -6112,18 +5926,18 @@ dependencies = [
 [[package]]
 name = "zerocopy"
-version = "0.8.47"
+version = "0.8.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
+checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
 dependencies = [
 "zerocopy-derive",
 ]
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.47"
+version = "0.8.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
+checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
 dependencies = [
 "proc-macro2",
 "quote",
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -1,5 +1,7 @@
 [workspace]
-members = ["crates/*"]
+members = [
    "crates/*",
 ]
 resolver = "3"
 [workspace.lints.clippy]
@@ -7,23 +9,23 @@ disallowed-methods = "deny"
 [workspace.dependencies]
-tonic = { version = "0.14.5", features = [
+tonic = { version = "0.14.3", features = [
    "deflate",
    "gzip",
    "tls-connect-info",
    "zstd",
 ] }
 tracing = "0.1.44"
-tokio = { version = "1.50.0", features = ["full"] }
+tokio = { version = "1.49.0", features = ["full"] }
 ed25519-dalek = { version = "3.0.0-pre.6", features = ["rand_core"] }
-chrono = { version = "0.4.44", features = ["serde"] }
+chrono = { version = "0.4.43", features = ["serde"] }
 rand = "0.10.0"
-rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
+rustls = { version = "0.23.36", features = ["aws-lc-rs"] }
 smlang = "0.8.0"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
 thiserror = "2.0.18"
 async-trait = "0.1.89"
-futures = "0.3.32"
+futures = "0.3.31"
 tokio-stream = { version = "0.1.18", features = ["full"] }
 kameo = "0.19.2"
 prost-types = { version = "0.14.3", features = ["chrono"] }
@@ -41,4 +43,3 @@ k256 = { version = "0.13.4", features = ["ecdsa", "pkcs8"] }
 rsa = { version = "0.9", features = ["sha2"] }
 sha2 = "0.10"
 spki = "0.7"
 terrors = { version = "0.5", git = "https://github.com/CleverWild/terrors" }
--- a/server/crates/arbiter-client/Cargo.toml
+++ b/server/crates/arbiter-client/Cargo.toml
@@ -5,23 +5,4 @@ edition = "2024"
 repository = "https://git.markettakers.org/MarketTakers/arbiter"
 license = "Apache-2.0"
 [lints]
 workspace = true
 [features]
 evm = ["dep:alloy"]
 [dependencies]
 arbiter-proto.path = "../arbiter-proto"
 alloy = { workspace = true, optional = true }
 tonic.workspace = true
 tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 tokio-stream.workspace = true
 ed25519-dalek.workspace = true
 thiserror.workspace = true
 http = "1.4.0"
 rustls-webpki = { version = "0.103.10", features = ["aws-lc-rs"] }
 async-trait.workspace = true
 rand.workspace = true
 terrors.workspace = true
--- a/server/crates/arbiter-client/src/auth.rs
+++ b/server/crates/arbiter-client/src/auth.rs
@@ -1,103 +0,0 @@
 use arbiter_proto::{
    format_challenge,
    proto::client::{
        AuthChallengeRequest, AuthChallengeSolution, AuthResult, ClientRequest,
        client_request::Payload as ClientRequestPayload,
        client_response::Payload as ClientResponsePayload,
    },
 };
 use ed25519_dalek::Signer as _;
 use terrors::OneOf;
 use crate::{
    errors::{
        ConnectError, MissingAuthChallengeError, UnexpectedAuthResponseError, map_auth_code_error,
    },
    transport::{ClientTransport, next_request_id},
 };
 async fn send_auth_challenge_request(
    transport: &mut ClientTransport,
    key: &ed25519_dalek::SigningKey,
 ) -> std::result::Result<(), ConnectError> {
    transport
        .send(ClientRequest {
            request_id: next_request_id(),
            payload: Some(ClientRequestPayload::AuthChallengeRequest(
                AuthChallengeRequest {
                    pubkey: key.verifying_key().to_bytes().to_vec(),
                },
            )),
        })
        .await
        .map_err(|_| OneOf::new(UnexpectedAuthResponseError))
 }
 async fn receive_auth_challenge(
    transport: &mut ClientTransport,
 ) -> std::result::Result<arbiter_proto::proto::client::AuthChallenge, ConnectError> {
    let response = transport
        .recv()
        .await
        .map_err(|_| OneOf::new(MissingAuthChallengeError))?;
    let payload = response
        .payload
        .ok_or_else(|| OneOf::new(MissingAuthChallengeError))?;
    match payload {
        ClientResponsePayload::AuthChallenge(challenge) => Ok(challenge),
        ClientResponsePayload::AuthResult(result) => Err(map_auth_code_error(result)),
        _ => Err(OneOf::new(UnexpectedAuthResponseError)),
    }
 }
 async fn send_auth_challenge_solution(
    transport: &mut ClientTransport,
    key: &ed25519_dalek::SigningKey,
    challenge: arbiter_proto::proto::client::AuthChallenge,
 ) -> std::result::Result<(), ConnectError> {
    let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
    let signature = key.sign(&challenge_payload).to_bytes().to_vec();
    transport
        .send(ClientRequest {
            request_id: next_request_id(),
            payload: Some(ClientRequestPayload::AuthChallengeSolution(
                AuthChallengeSolution { signature },
            )),
        })
        .await
        .map_err(|_| OneOf::new(UnexpectedAuthResponseError))
 }
 async fn receive_auth_confirmation(
    transport: &mut ClientTransport,
 ) -> std::result::Result<(), ConnectError> {
    let response = transport
        .recv()
        .await
        .map_err(|_| OneOf::new(UnexpectedAuthResponseError))?;
    let payload = response
        .payload
        .ok_or_else(|| OneOf::new(UnexpectedAuthResponseError))?;
    match payload {
        ClientResponsePayload::AuthResult(result)
            if AuthResult::try_from(result).ok() == Some(AuthResult::Success) =>
        {
            Ok(())
        }
        ClientResponsePayload::AuthResult(result) => Err(map_auth_code_error(result)),
        _ => Err(OneOf::new(UnexpectedAuthResponseError)),
    }
 }
 pub(crate) async fn authenticate(
    transport: &mut ClientTransport,
    key: &ed25519_dalek::SigningKey,
 ) -> std::result::Result<(), ConnectError> {
    send_auth_challenge_request(transport, key).await?;
    let challenge = receive_auth_challenge(transport).await?;
    send_auth_challenge_solution(transport, key, challenge).await?;
    receive_auth_confirmation(transport).await
 }
--- a/server/crates/arbiter-client/src/client.rs
+++ b/server/crates/arbiter-client/src/client.rs
@@ -1,82 +0,0 @@
 use arbiter_proto::{proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl};
 use std::sync::Arc;
 use terrors::{Broaden as _, OneOf};
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::transport::ClientTlsConfig;
 use crate::{
    auth::authenticate,
    errors::ConnectError,
    storage::{FileSigningKeyStorage, SigningKeyStorage},
    transport::{BUFFER_LENGTH, ClientTransport},
 };
 #[cfg(feature = "evm")]
 use crate::errors::{ClientConnectionClosedError, ClientError};
 #[cfg(feature = "evm")]
 use crate::wallets::evm::ArbiterEvmWallet;
 pub struct ArbiterClient {
    #[allow(dead_code)]
    transport: Arc<Mutex<ClientTransport>>,
 }
 impl ArbiterClient {
    pub async fn connect(url: ArbiterUrl) -> Result<Self, ConnectError> {
        let storage = FileSigningKeyStorage::from_default_location().broaden()?;
        Self::connect_with_storage(url, &storage).await
    }
    pub async fn connect_with_storage<S: SigningKeyStorage>(
        url: ArbiterUrl,
        storage: &S,
    ) -> Result<Self, ConnectError> {
        let key = storage.load_or_create().broaden()?;
        Self::connect_with_key(url, key).await
    }
    pub async fn connect_with_key(
        url: ArbiterUrl,
        key: ed25519_dalek::SigningKey,
    ) -> Result<Self, ConnectError> {
        let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)
            .map_err(OneOf::new)?
            .to_owned();
        let tls = ClientTlsConfig::new().trust_anchor(anchor);
        let channel = tonic::transport::Channel::from_shared(format!("{}:{}", url.host, url.port))
            .map_err(OneOf::new)?
            .tls_config(tls)
            .map_err(OneOf::new)?
            .connect()
            .await
            .map_err(OneOf::new)?;
        let mut client = ArbiterServiceClient::new(channel);
        let (tx, rx) = mpsc::channel(BUFFER_LENGTH);
        let response_stream = client
            .client(ReceiverStream::new(rx))
            .await
            .map_err(OneOf::new)?
            .into_inner();
        let mut transport = ClientTransport {
            sender: tx,
            receiver: response_stream,
        };
        authenticate(&mut transport, &key).await?;
        Ok(Self {
            transport: Arc::new(Mutex::new(transport)),
        })
    }
    #[cfg(feature = "evm")]
    pub async fn evm_wallets(&self) -> Result<Vec<ArbiterEvmWallet>, ClientError> {
        let _ = &self.transport;
        Err(OneOf::new(ClientConnectionClosedError))
    }
 }
--- a/server/crates/arbiter-client/src/errors.rs
+++ b/server/crates/arbiter-client/src/errors.rs
@@ -1,127 +0,0 @@
 use terrors::OneOf;
 use thiserror::Error;
 #[cfg(feature = "evm")]
 use alloy::{primitives::ChainId, signers::Error as AlloySignerError};
 pub type StorageError = OneOf<(std::io::Error, InvalidKeyLengthError)>;
 pub type ConnectError = OneOf<(
    tonic::transport::Error,
    http::uri::InvalidUri,
    webpki::Error,
    tonic::Status,
    MissingAuthChallengeError,
    ApprovalDeniedError,
    NoUserAgentsOnlineError,
    UnexpectedAuthResponseError,
    std::io::Error,
    InvalidKeyLengthError,
 )>;
 pub type ClientError = OneOf<(tonic::Status, ClientConnectionClosedError)>;
 pub(crate) type ClientTransportError =
    OneOf<(TransportChannelClosedError, TransportConnectionClosedError)>;
 #[cfg(feature = "evm")]
 pub(crate) type EvmWalletError = OneOf<(
    EvmChainIdMismatchError,
    EvmHashSigningUnsupportedError,
    EvmTransactionSigningUnsupportedError,
 )>;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("Invalid signing key length in storage: expected {expected} bytes, got {actual} bytes")]
 pub struct InvalidKeyLengthError {
    pub expected: usize,
    pub actual: usize,
 }
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("Auth challenge was not returned by server")]
 pub struct MissingAuthChallengeError;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("Client approval denied by User Agent")]
 pub struct ApprovalDeniedError;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("No User Agents online to approve client")]
 pub struct NoUserAgentsOnlineError;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("Unexpected auth response payload")]
 pub struct UnexpectedAuthResponseError;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("Connection closed by server")]
 pub struct ClientConnectionClosedError;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("Transport channel closed")]
 pub struct TransportChannelClosedError;
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("Connection closed by server")]
 pub struct TransportConnectionClosedError;
 #[cfg(feature = "evm")]
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("Transaction chain id mismatch: signer {signer}, tx {tx}")]
 pub struct EvmChainIdMismatchError {
    pub signer: ChainId,
    pub tx: ChainId,
 }
 #[cfg(feature = "evm")]
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("hash-only signing is not supported for ArbiterEvmWallet; use transaction signing")]
 pub struct EvmHashSigningUnsupportedError;
 #[cfg(feature = "evm")]
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Error)]
 #[error("transaction signing is not supported by current arbiter.client protocol")]
 pub struct EvmTransactionSigningUnsupportedError;
 pub(crate) fn map_auth_code_error(code: i32) -> ConnectError {
    use arbiter_proto::proto::client::AuthResult;
    match AuthResult::try_from(code).unwrap_or(AuthResult::Unspecified) {
        AuthResult::ApprovalDenied => OneOf::new(ApprovalDeniedError),
        AuthResult::NoUserAgentsOnline => OneOf::new(NoUserAgentsOnlineError),
        AuthResult::Unspecified
        | AuthResult::Success
        | AuthResult::InvalidKey
        | AuthResult::InvalidSignature
        | AuthResult::Internal => OneOf::new(UnexpectedAuthResponseError),
    }
 }
 #[cfg(feature = "evm")]
 impl From<EvmChainIdMismatchError> for AlloySignerError {
    fn from(value: EvmChainIdMismatchError) -> Self {
        AlloySignerError::TransactionChainIdMismatch {
            signer: value.signer,
            tx: value.tx,
        }
    }
 }
 #[cfg(feature = "evm")]
 impl From<EvmHashSigningUnsupportedError> for AlloySignerError {
    fn from(_value: EvmHashSigningUnsupportedError) -> Self {
        AlloySignerError::other(
            "hash-only signing is not supported for ArbiterEvmWallet; use transaction signing",
        )
    }
 }
 #[cfg(feature = "evm")]
 impl From<EvmTransactionSigningUnsupportedError> for AlloySignerError {
    fn from(_value: EvmTransactionSigningUnsupportedError) -> Self {
        AlloySignerError::other(
            "transaction signing is not supported by current arbiter.client protocol",
        )
    }
 }
--- a/server/crates/arbiter-client/src/lib.rs
+++ b/server/crates/arbiter-client/src/lib.rs
@@ -1,13 +1,14 @@
-mod auth;
+pub fn add(left: u64, right: u64) -> u64 {
-mod client;
+    left + right
-mod errors;
+}
 mod storage;
 mod transport;
 pub mod wallets;
-pub use client::ArbiterClient;
+#[cfg(test)]
-pub use errors::{ClientError, ConnectError, StorageError};
+mod tests {
-pub use storage::{FileSigningKeyStorage, SigningKeyStorage};
+    use super::*;
-#[cfg(feature = "evm")]
+    #[test]
-pub use wallets::evm::ArbiterEvmWallet;
+    fn it_works() {
        let result = add(2, 2);
        assert_eq!(result, 4);
    }
 }
--- a/server/crates/arbiter-client/src/storage.rs
+++ b/server/crates/arbiter-client/src/storage.rs
@@ -1,130 +0,0 @@
 use arbiter_proto::home_path;
 use std::path::{Path, PathBuf};
 use terrors::OneOf;
 use crate::errors::{InvalidKeyLengthError, StorageError};
 pub trait SigningKeyStorage {
    fn load_or_create(&self) -> std::result::Result<ed25519_dalek::SigningKey, StorageError>;
 }
 #[derive(Debug, Clone)]
 pub struct FileSigningKeyStorage {
    path: PathBuf,
 }
 impl FileSigningKeyStorage {
    pub const DEFAULT_FILE_NAME: &str = "sdk_client_ed25519.key";
    pub fn new(path: impl Into<PathBuf>) -> Self {
        Self { path: path.into() }
    }
    pub fn from_default_location() -> std::result::Result<Self, StorageError> {
        Ok(Self::new(
            home_path()
                .map_err(OneOf::new)?
                .join(Self::DEFAULT_FILE_NAME),
        ))
    }
    fn read_key(path: &Path) -> std::result::Result<ed25519_dalek::SigningKey, StorageError> {
        let bytes = std::fs::read(path).map_err(OneOf::new)?;
        let raw: [u8; 32] = bytes.try_into().map_err(|v: Vec<u8>| {
            OneOf::new(InvalidKeyLengthError {
                expected: 32,
                actual: v.len(),
            })
        })?;
        Ok(ed25519_dalek::SigningKey::from_bytes(&raw))
    }
 }
 impl SigningKeyStorage for FileSigningKeyStorage {
    fn load_or_create(&self) -> std::result::Result<ed25519_dalek::SigningKey, StorageError> {
        if let Some(parent) = self.path.parent() {
            std::fs::create_dir_all(parent).map_err(OneOf::new)?;
        }
        if self.path.exists() {
            return Self::read_key(&self.path);
        }
        let key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
        let raw_key = key.to_bytes();
        // Use create_new to prevent accidental overwrite if another process creates the key first.
        match std::fs::OpenOptions::new()
            .create_new(true)
            .write(true)
            .open(&self.path)
        {
            Ok(mut file) => {
                use std::io::Write as _;
                file.write_all(&raw_key).map_err(OneOf::new)?;
                Ok(key)
            }
            Err(err) if err.kind() == std::io::ErrorKind::AlreadyExists => {
                Self::read_key(&self.path)
            }
            Err(err) => Err(OneOf::new(err)),
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use super::{FileSigningKeyStorage, SigningKeyStorage};
    use crate::errors::InvalidKeyLengthError;
    fn unique_temp_key_path() -> std::path::PathBuf {
        let nanos = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .expect("clock should be after unix epoch")
            .as_nanos();
        std::env::temp_dir().join(format!(
            "arbiter-client-key-{}-{}.bin",
            std::process::id(),
            nanos
        ))
    }
    #[test]
    fn file_storage_creates_and_reuses_key() {
        let path = unique_temp_key_path();
        let storage = FileSigningKeyStorage::new(path.clone());
        let key_a = storage
            .load_or_create()
            .expect("first load_or_create should create key");
        let key_b = storage
            .load_or_create()
            .expect("second load_or_create should read same key");
        assert_eq!(key_a.to_bytes(), key_b.to_bytes());
        assert!(path.exists());
        std::fs::remove_file(path).expect("temp key file should be removable");
    }
    #[test]
    fn file_storage_rejects_invalid_key_length() {
        let path = unique_temp_key_path();
        std::fs::write(&path, [42u8; 31]).expect("should write invalid key file");
        let storage = FileSigningKeyStorage::new(path.clone());
        let err = storage
            .load_or_create()
            .expect_err("storage should reject non-32-byte key file");
        match err.narrow::<InvalidKeyLengthError, _>() {
            Ok(invalid_len) => {
                assert_eq!(invalid_len.expected, 32);
                assert_eq!(invalid_len.actual, 31);
            }
            Err(other) => panic!("unexpected io error: {other:?}"),
        }
        std::fs::remove_file(path).expect("temp key file should be removable");
    }
 }
--- a/server/crates/arbiter-client/src/transport.rs
+++ b/server/crates/arbiter-client/src/transport.rs
@@ -1,42 +0,0 @@
 use arbiter_proto::proto::client::{ClientRequest, ClientResponse};
 use std::sync::atomic::{AtomicI32, Ordering};
 use terrors::OneOf;
 use tokio::sync::mpsc;
 use crate::errors::{
    ClientTransportError, TransportChannelClosedError, TransportConnectionClosedError,
 };
 pub(crate) const BUFFER_LENGTH: usize = 16;
 static NEXT_REQUEST_ID: AtomicI32 = AtomicI32::new(1);
 pub(crate) fn next_request_id() -> i32 {
    NEXT_REQUEST_ID.fetch_add(1, Ordering::Relaxed)
 }
 pub(crate) struct ClientTransport {
    pub(crate) sender: mpsc::Sender<ClientRequest>,
    pub(crate) receiver: tonic::Streaming<ClientResponse>,
 }
 impl ClientTransport {
    pub(crate) async fn send(
        &mut self,
        request: ClientRequest,
    ) -> std::result::Result<(), ClientTransportError> {
        self.sender
            .send(request)
            .await
            .map_err(|_| OneOf::new(TransportChannelClosedError))
    }
    pub(crate) async fn recv(
        &mut self,
    ) -> std::result::Result<ClientResponse, ClientTransportError> {
        match self.receiver.message().await {
            Ok(Some(resp)) => Ok(resp),
            Ok(None) => Err(OneOf::new(TransportConnectionClosedError)),
            Err(_) => Err(OneOf::new(TransportConnectionClosedError)),
        }
    }
 }
--- a/server/crates/arbiter-client/src/wallets/evm.rs
+++ b/server/crates/arbiter-client/src/wallets/evm.rs
@@ -1,97 +0,0 @@
 use alloy::{
    consensus::SignableTransaction,
    network::TxSigner,
    primitives::{Address, B256, ChainId, Signature},
    signers::{Result, Signer},
 };
 use async_trait::async_trait;
 use std::sync::Arc;
 use terrors::OneOf;
 use tokio::sync::Mutex;
 use crate::{
    errors::{
        EvmChainIdMismatchError, EvmHashSigningUnsupportedError,
        EvmTransactionSigningUnsupportedError, EvmWalletError,
    },
    transport::ClientTransport,
 };
 pub struct ArbiterEvmWallet {
    transport: Arc<Mutex<ClientTransport>>,
    address: Address,
    chain_id: Option<ChainId>,
 }
 impl ArbiterEvmWallet {
    #[allow(dead_code)]
    pub(crate) fn new(transport: Arc<Mutex<ClientTransport>>, address: Address) -> Self {
        Self {
            transport,
            address,
            chain_id: None,
        }
    }
    pub fn address(&self) -> Address {
        self.address
    }
    pub fn with_chain_id(mut self, chain_id: ChainId) -> Self {
        self.chain_id = Some(chain_id);
        self
    }
    fn validate_chain_id(
        &self,
        tx: &mut dyn SignableTransaction<Signature>,
    ) -> std::result::Result<(), EvmWalletError> {
        if let Some(chain_id) = self.chain_id
            && !tx.set_chain_id_checked(chain_id)
        {
            return Err(OneOf::new(EvmChainIdMismatchError {
                signer: chain_id,
                tx: tx.chain_id().unwrap(),
            }));
        }
        Ok(())
    }
 }
 #[async_trait]
 impl Signer for ArbiterEvmWallet {
    async fn sign_hash(&self, _hash: &B256) -> Result<Signature> {
        Err(EvmWalletError::new(EvmHashSigningUnsupportedError).into())
    }
    fn address(&self) -> Address {
        self.address
    }
    fn chain_id(&self) -> Option<ChainId> {
        self.chain_id
    }
    fn set_chain_id(&mut self, chain_id: Option<ChainId>) {
        self.chain_id = chain_id;
    }
 }
 #[async_trait]
 impl TxSigner<Signature> for ArbiterEvmWallet {
    fn address(&self) -> Address {
        self.address
    }
    async fn sign_transaction(
        &self,
        tx: &mut dyn SignableTransaction<Signature>,
    ) -> Result<Signature> {
        let _transport = self.transport.lock().await;
        self.validate_chain_id(tx)
            .map_err(OneOf::into::<alloy::signers::Error>)?;
        Err(EvmWalletError::new(EvmTransactionSigningUnsupportedError).into())
    }
 }
--- a/server/crates/arbiter-client/src/wallets/mod.rs
+++ b/server/crates/arbiter-client/src/wallets/mod.rs
@@ -1,2 +0,0 @@
 #[cfg(feature = "evm")]
 pub mod evm;
--- a/server/crates/arbiter-proto/Cargo.toml
+++ b/server/crates/arbiter-proto/Cargo.toml
@@ -10,7 +10,7 @@ tonic.workspace = true
 tokio.workspace = true
 futures.workspace = true
 hex = "0.4.3"
-tonic-prost = "0.14.5"
+tonic-prost = "0.14.3"
 prost = "0.14.3"
 kameo.workspace = true
 url = "2.5.8"
@@ -24,8 +24,7 @@ async-trait.workspace = true
 tokio-stream.workspace = true
 [build-dependencies]
-tonic-prost-build = "0.14.5"
+tonic-prost-build = "0.14.3"
 protoc-bin-vendored = "3"
 [dev-dependencies]
 rstest.workspace = true
@@ -34,3 +33,5 @@ rcgen.workspace = true
 [package.metadata.cargo-shear]
 ignored = ["tonic-prost", "prost", "kameo"]
--- a/server/crates/arbiter-proto/build.rs
+++ b/server/crates/arbiter-proto/build.rs
@@ -1,32 +1,21 @@
 use std::path::PathBuf;
 use tonic_prost_build::configure;
 static PROTOBUF_DIR: &str = "../../../protobufs";
 fn main() -> Result<(), Box<dyn std::error::Error>> {
-    let manifest_dir = PathBuf::from(std::env::var("CARGO_MANIFEST_DIR")?);
+    println!("cargo::rerun-if-changed={PROTOBUF_DIR}");
    let protobuf_dir = manifest_dir.join(PROTOBUF_DIR);
    let protoc_include = protoc_bin_vendored::include_path()?;
    let protoc_path = protoc_bin_vendored::protoc_bin_path()?;
    unsafe {
        std::env::set_var("PROTOC", &protoc_path);
        std::env::set_var("PROTOC_INCLUDE", &protoc_include);
    }
    println!("cargo::rerun-if-changed={}", protobuf_dir.display());
    configure()
        .message_attribute(".", "#[derive(::kameo::Reply)]")
        .compile_well_known_types(true)
        .compile_protos(
            &[
-                protobuf_dir.join("arbiter.proto"),
+                format!("{}/arbiter.proto", PROTOBUF_DIR),
-                protobuf_dir.join("user_agent.proto"),
+                format!("{}/user_agent.proto", PROTOBUF_DIR),
-                protobuf_dir.join("client.proto"),
+                format!("{}/client.proto", PROTOBUF_DIR),
-                protobuf_dir.join("evm.proto"),
+                format!("{}/evm.proto", PROTOBUF_DIR),
            ],
-            &[protobuf_dir],
+            &[PROTOBUF_DIR.to_string()],
-        )?;
+        )
        .unwrap();
    Ok(())
 }
--- a/server/crates/arbiter-proto/src/lib.rs
+++ b/server/crates/arbiter-proto/src/lib.rs
@@ -3,12 +3,6 @@ pub mod url;
 use base64::{Engine, prelude::BASE64_STANDARD};
 pub mod google {
    pub mod protobuf {
        tonic::include_proto!("google.protobuf");
    }
 }
 pub mod proto {
    tonic::include_proto!("arbiter");
--- a/server/crates/arbiter-server/Cargo.toml
+++ b/server/crates/arbiter-server/Cargo.toml
@@ -9,8 +9,8 @@ license = "Apache-2.0"
 workspace = true
 [dependencies]
-diesel = { version = "2.3.7", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
+diesel = { version = "2.3.6", features = ["chrono", "returning_clauses_for_sqlite_3_35", "serde_json", "time", "uuid"] }
-diesel-async = { version = "0.8.0", features = [
+diesel-async = { version = "0.7.4", features = [
    "bb8",
    "migrations",
    "sqlite",
@@ -27,7 +27,6 @@ rustls.workspace = true
 smlang.workspace = true
 miette.workspace = true
 thiserror.workspace = true
 fatality = "0.1.1"
 diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
 async-trait.workspace = true
 secrecy = "0.10.3"
@@ -44,7 +43,7 @@ x25519-dalek.workspace = true
 chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 argon2 = { version = "0.5.3", features = ["zeroize"] }
 restructed = "0.2.2"
-strum = { version = "0.28.0", features = ["derive"] }
+strum = { version = "0.27.2", features = ["derive"] }
 pem = "3.0.6"
 k256.workspace = true
 rsa.workspace = true
--- a/server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
+++ b/server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql
@@ -157,5 +157,3 @@ create table if not exists evm_ether_transfer_grant_target (
 create unique index if not exists uniq_ether_transfer_target on evm_ether_transfer_grant_target(grant_id, address);
 CREATE UNIQUE INDEX program_client_public_key_unique
    ON program_client (public_key);
--- a/server/crates/arbiter-server/src/actors/client/auth.rs
+++ b/server/crates/arbiter-server/src/actors/client/auth.rs
@@ -67,10 +67,10 @@ async fn get_nonce(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<Optio
    conn.exclusive_transaction(|conn| {
        let pubkey_bytes = pubkey_bytes.clone();
        Box::pin(async move {
-            let Some((client_id, current_nonce)) = program_client::table
+            let Some(current_nonce) = program_client::table
                .filter(program_client::public_key.eq(&pubkey_bytes))
-                .select((program_client::id, program_client::nonce))
+                .select(program_client::nonce)
-                .first::<(i32, i32)>(conn)
+                .first::<i32>(conn)
                .await
                .optional()?
            else {
@@ -83,7 +83,6 @@ async fn get_nonce(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<Optio
                .execute(conn)
                .await?;
            let _ = client_id;
            Ok(Some(current_nonce))
        })
    })
@@ -119,15 +118,7 @@ async fn approve_new_client(
    }
 }
-enum InsertClientResult {
+async fn insert_client(db: &db::DatabasePool, pubkey: &VerifyingKey) -> Result<(), Error> {
    Inserted,
    AlreadyExists,
 }
 async fn insert_client(
    db: &db::DatabasePool,
    pubkey: &VerifyingKey,
 ) -> Result<InsertClientResult, Error> {
    let now = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
@@ -138,7 +129,7 @@ async fn insert_client(
        Error::DatabasePoolUnavailable
    })?;
-    match insert_into(program_client::table)
+    insert_into(program_client::table)
        .values((
            program_client::public_key.eq(pubkey.as_bytes().to_vec()),
            program_client::nonce.eq(1), // pre-incremented; challenge uses 0
@@ -147,31 +138,12 @@ async fn insert_client(
        ))
        .execute(&mut conn)
        .await
    {
        Ok(_) => {}
        Err(diesel::result::Error::DatabaseError(
            diesel::result::DatabaseErrorKind::UniqueViolation,
            _,
        )) => return Ok(InsertClientResult::AlreadyExists),
        Err(e) => {
            error!(error = ?e, "Failed to insert new client");
            return Err(Error::DatabaseOperationFailed);
        }
    }
    let client_id = program_client::table
        .filter(program_client::public_key.eq(pubkey.as_bytes().to_vec()))
        .order(program_client::id.desc())
        .select(program_client::id)
        .first::<i32>(&mut conn)
        .await
        .map_err(|e| {
-            error!(error = ?e, "Failed to load inserted client id");
+            error!(error = ?e, "Failed to insert new client");
            Error::DatabaseOperationFailed
        })?;
-    let _ = client_id;
+    Ok(())
    Ok(InsertClientResult::Inserted)
 }
 async fn challenge_client<T>(
@@ -217,8 +189,7 @@ pub async fn authenticate<T>(
 where
    T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
-    let Some(Inbound::AuthChallengeRequest { pubkey }) = transport.recv().await
+    let Some(Inbound::AuthChallengeRequest { pubkey }) = transport.recv().await else {
    else {
        return Err(Error::Transport);
    };
@@ -226,13 +197,8 @@ where
        Some(nonce) => nonce,
        None => {
            approve_new_client(&props.actors, pubkey).await?;
-            match insert_client(&props.db, &pubkey).await? {
+            insert_client(&props.db, &pubkey).await?;
-                InsertClientResult::Inserted => 0,
+            0
                InsertClientResult::AlreadyExists => match get_nonce(&props.db, &pubkey).await? {
                    Some(nonce) => nonce,
                    None => return Err(Error::DatabaseOperationFailed),
                },
            }
        }
    };
--- a/server/crates/arbiter-server/src/actors/router/mod.rs
+++ b/server/crates/arbiter-server/src/actors/router/mod.rs
@@ -163,6 +163,7 @@ impl MessageRouter {
            .map(|agent| agent.downgrade())
            .collect::<Vec<_>>();
        // handle in subtask to not to lock the actor
        tokio::task::spawn(async move {
            let result = request_client_approval(&weak_refs, client_pubkey).await;
            reply_sender.send(result);
--- a/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
@@ -1,3 +1,4 @@
 use alloy::transports::Transport;
 use arbiter_proto::transport::Bi;
 use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl, update};
 use diesel_async::RunQueryDsl;
@@ -7,7 +8,7 @@ use super::Error;
 use crate::{
    actors::{
        bootstrap::ConsumeToken,
-        user_agent::{AuthPublicKey, UserAgentConnection, auth::Outbound},
+        user_agent::{AuthPublicKey, OutOfBand, UserAgentConnection, auth::Outbound},
    },
    db::schema,
 };
--- a/server/crates/arbiter-server/src/actors/user_agent/mod.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/mod.rs
@@ -1,6 +1,13 @@
 use alloy::primitives::Address;
 use arbiter_proto::transport::{Bi, Sender};
 use kameo::actor::Spawn as _;
 use tracing::{error, info};
 use crate::{
-    actors::GlobalActors,
+    actors::{GlobalActors, evm},
    db::{self, models::KeyType},
    evm::policies::SharedGrantSettings,
    evm::policies::{Grant, SpecificGrant},
 };
 /// Abstraction over Ed25519 / ECDSA-secp256k1 / RSA public keys used during the auth handshake.
@@ -49,20 +56,20 @@ impl TryFrom<(KeyType, Vec<u8>)> for AuthPublicKey {
            KeyType::Ed25519 => {
                let bytes: [u8; 32] = bytes.try_into().map_err(|_| "invalid Ed25519 key length")?;
                let key = ed25519_dalek::VerifyingKey::from_bytes(&bytes)
-                    .map_err(|_e| "invalid Ed25519 key")?;
+                    .map_err(|e| "invalid Ed25519 key")?;
                Ok(AuthPublicKey::Ed25519(key))
            }
            KeyType::EcdsaSecp256k1 => {
                let point =
-                    k256::EncodedPoint::from_bytes(&bytes).map_err(|_e| "invalid ECDSA key")?;
+                    k256::EncodedPoint::from_bytes(&bytes).map_err(|e| "invalid ECDSA key")?;
                let key = k256::ecdsa::VerifyingKey::from_encoded_point(&point)
-                    .map_err(|_e| "invalid ECDSA key")?;
+                    .map_err(|e| "invalid ECDSA key")?;
                Ok(AuthPublicKey::EcdsaSecp256k1(key))
            }
            KeyType::Rsa => {
                use rsa::pkcs8::DecodePublicKey as _;
                let key = rsa::RsaPublicKey::from_public_key_der(&bytes)
-                    .map_err(|_e| "invalid RSA key")?;
+                    .map_err(|e| "invalid RSA key")?;
                Ok(AuthPublicKey::Rsa(key))
            }
        }
--- a/server/crates/arbiter-server/src/actors/user_agent/session.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session.rs
@@ -1,12 +1,12 @@
-use std::borrow::Cow;
+use std::{borrow::Cow, convert::Infallible};
 use arbiter_proto::transport::Sender;
 use async_trait::async_trait;
 use ed25519_dalek::VerifyingKey;
-use kameo::{Actor, messages};
+use kameo::{Actor, messages, prelude::Context};
 use thiserror::Error;
-use tokio::sync::watch;
+use tokio::{select, sync::watch};
-use tracing::error;
+use tracing::{error, info};
 use crate::actors::{
    router::RegisterUserAgent,
@@ -36,7 +36,6 @@ impl Error {
 pub struct UserAgentSession {
    props: UserAgentConnection,
    state: UserAgentStateMachine<DummyContext>,
    #[allow(dead_code, reason = "The session keeps ownership of the outbound transport even before the state-machine flow starts using it directly")]
    sender: Box<dyn Sender<OutOfBand>>,
 }
@@ -83,27 +82,14 @@ impl UserAgentSession {
 #[messages]
 impl UserAgentSession {
-    #[message]
+    #[message(ctx)]
    pub async fn request_new_client_approval(
        &mut self,
        client_pubkey: VerifyingKey,
        mut cancel_flag: watch::Receiver<()>,
        ctx: &mut Context<Self, Result<bool, ()>>,
    ) -> Result<bool, ()> {
-        if self
+        todo!("Think about refactoring it to state-machine based flow, as we already have one")
            .sender
            .send(OutOfBand::ClientConnectionRequest {
                pubkey: client_pubkey,
            })
            .await
            .is_err()
        {
            return Err(());
        }
        let _ = cancel_flag.changed().await;
        let _ = self.sender.send(OutOfBand::ClientConnectionCancel).await;
        Ok(false)
    }
 }
--- a/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
@@ -17,11 +17,14 @@ use crate::{
            Generate, ListWallets, UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
        },
        keyholder::{self, Bootstrap, TryUnseal},
-        user_agent::session::{
+        user_agent::{
            OutOfBand,
            session::{
                UserAgentSession,
                state::{UnsealContext, UserAgentEvents, UserAgentStates},
            },
        },
    },
    safe_cell::SafeCellHandle as _,
 };
@@ -136,7 +139,7 @@ impl UserAgentSession {
                self.transition(UserAgentEvents::ReceivedInvalidKey)?;
                return Err(UnsealError::InvalidKey);
            }
-            Err(_err) => {
+            Err(err) => {
                return Err(Error::internal("Failed to take unseal secret").into());
            }
        };
@@ -260,7 +263,7 @@ impl UserAgentSession {
            Ok(state) => state,
            Err(err) => {
                error!(?err, actor = "useragent", "keyholder.query.failed");
-                return Err(Error::internal("Vault is in broken state"));
+                return Err(Error::internal("Vault is in broken state").into());
            }
        };
@@ -273,13 +276,13 @@ impl UserAgentSession {
    #[message]
    pub(crate) async fn handle_evm_wallet_create(&mut self) -> Result<Address, Error> {
        match self.props.actors.evm.ask(Generate {}).await {
-            Ok(address) => Ok(address),
+            Ok(address) => return Ok(address),
            Err(SendError::HandlerError(err)) => Err(Error::internal(format!(
                "EVM wallet generation failed: {err}"
            ))),
            Err(err) => {
                error!(?err, "EVM actor unreachable during wallet create");
-                Err(Error::internal("EVM actor unreachable"))
+                return Err(Error::internal("EVM actor unreachable"));
            }
        }
    }
--- a/server/crates/arbiter-server/src/grpc/client.rs
+++ b/server/crates/arbiter-server/src/grpc/client.rs
@@ -132,6 +132,7 @@ pub async fn start(conn: ClientConnection, mut bi: GrpcBi<ClientRequest, ClientR
            );
            let _ = transport.send(Err(e.clone())).await;
            warn!(error = ?e, "Authentication failed");
            return;
        }
    }
 }
--- a/server/crates/arbiter-server/src/grpc/mod.rs
+++ b/server/crates/arbiter-server/src/grpc/mod.rs
@@ -5,13 +5,15 @@ use arbiter_proto::{
    },
    transport::grpc::GrpcBi,
 };
 use tokio::sync::mpsc;
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::{Request, Response, Status, async_trait};
 use tracing::info;
 use crate::{
    DEFAULT_CHANNEL_SIZE,
    actors::{client::ClientConnection, user_agent::UserAgentConnection},
-    grpc::user_agent::start,
+    grpc::{self, user_agent::start},
 };
 pub mod client;
--- a/server/crates/arbiter-server/src/grpc/user_agent.rs
+++ b/server/crates/arbiter-server/src/grpc/user_agent.rs
@@ -1,7 +1,6 @@
 use tokio::sync::mpsc;
 use arbiter_proto::{
    google::protobuf::{Empty as ProtoEmpty, Timestamp as ProtoTimestamp},
    proto::{
        evm::{
            EtherTransferSettings as ProtoEtherTransferSettings, EvmError as ProtoEvmError,
@@ -20,11 +19,10 @@ use arbiter_proto::{
        },
        user_agent::{
            BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
-            BootstrapResult as ProtoBootstrapResult,
+            BootstrapResult as ProtoBootstrapResult, ClientConnectionCancel,
-            SdkClientConnectionResponse as ProtoSdkClientConnectionResponse,
+            ClientConnectionRequest, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
-            UnsealEncryptedKey as ProtoUnsealEncryptedKey, UnsealResult as ProtoUnsealResult,
+            UnsealResult as ProtoUnsealResult, UnsealStart, UserAgentRequest, UserAgentResponse,
-            UnsealStart, UserAgentRequest, UserAgentResponse, VaultState as ProtoVaultState,
+            VaultState as ProtoVaultState, user_agent_request::Payload as UserAgentRequestPayload,
            user_agent_request::Payload as UserAgentRequestPayload,
            user_agent_response::Payload as UserAgentResponsePayload,
        },
    },
@@ -295,17 +293,14 @@ async fn send_out_of_band(
    oob: OutOfBand,
 ) -> Result<(), ()> {
    let payload = match oob {
-        // The current protobuf response payload carries only an approval boolean.
+        OutOfBand::ClientConnectionRequest { pubkey } => {
-        // Keep emitting this shape until a dedicated out-of-band request/cancel payload
+            UserAgentResponsePayload::ClientConnectionRequest(ClientConnectionRequest {
-        // is reintroduced in the protocol definition.
+                pubkey: pubkey.to_bytes().to_vec(),
-        OutOfBand::ClientConnectionRequest { pubkey: _ } => {
+            })
-            UserAgentResponsePayload::SdkClientConnectionResponse(
+        }
-                ProtoSdkClientConnectionResponse { approved: false },
+        OutOfBand::ClientConnectionCancel => {
-            )
+            UserAgentResponsePayload::ClientConnectionCancel(ClientConnectionCancel {})
        }
        OutOfBand::ClientConnectionCancel => UserAgentResponsePayload::SdkClientConnectionResponse(
            ProtoSdkClientConnectionResponse { approved: false },
        ),
    };
    bi.send(Ok(UserAgentResponse {
@@ -407,7 +402,9 @@ fn u256_from_proto_bytes(bytes: &[u8]) -> Result<U256, Status> {
    Ok(U256::from_be_slice(bytes))
 }
-fn proto_timestamp_to_utc(timestamp: ProtoTimestamp) -> Result<chrono::DateTime<Utc>, Status> {
+fn proto_timestamp_to_utc(
    timestamp: prost_types::Timestamp,
 ) -> Result<chrono::DateTime<Utc>, Status> {
    Utc.timestamp_opt(timestamp.seconds, timestamp.nanos as u32)
        .single()
        .ok_or_else(|| Status::invalid_argument("Invalid timestamp"))
@@ -417,11 +414,11 @@ fn shared_settings_to_proto(shared: SharedGrantSettings) -> ProtoSharedSettings
    ProtoSharedSettings {
        wallet_id: shared.wallet_id,
        chain_id: shared.chain,
-        valid_from: shared.valid_from.map(|time| ProtoTimestamp {
+        valid_from: shared.valid_from.map(|time| prost_types::Timestamp {
            seconds: time.timestamp(),
            nanos: time.timestamp_subsec_nanos() as i32,
        }),
-        valid_until: shared.valid_until.map(|time| ProtoTimestamp {
+        valid_until: shared.valid_until.map(|time| prost_types::Timestamp {
            seconds: time.timestamp(),
            nanos: time.timestamp_subsec_nanos() as i32,
        }),
@@ -534,7 +531,7 @@ impl EvmGrantOrWallet {
    fn grant_delete_response<M>(result: Result<(), SendError<M, Error>>) -> EvmGrantDeleteResponse {
        let result = match result {
-            Ok(()) => EvmGrantDeleteResult::Ok(ProtoEmpty {}),
+            Ok(()) => EvmGrantDeleteResult::Ok(()),
            Err(err) => {
                warn!(error = ?err, "Failed to delete EVM grant");
                EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
@@ -580,7 +577,13 @@ pub async fn start(
    let mut request_tracker = RequestTracker::default();
    let mut response_id = None;
-    let pubkey = match auth::start(&mut conn, &mut bi, &mut request_tracker, &mut response_id).await
+    let pubkey = match auth::start(
        &mut conn,
        &mut bi,
        &mut request_tracker,
        &mut response_id,
    )
    .await
    {
        Ok(pubkey) => pubkey,
        Err(e) => {
--- a/server/crates/arbiter-server/src/lib.rs
+++ b/server/crates/arbiter-server/src/lib.rs
@@ -1,4 +1,6 @@
 #![forbid(unsafe_code)]
 #![deny(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
 use crate::context::ServerContext;
 pub mod actors;
@@ -9,6 +11,8 @@ pub mod grpc;
 pub mod safe_cell;
 pub mod utils;
 const DEFAULT_CHANNEL_SIZE: usize = 1000;
 pub struct Server {
    context: ServerContext,
 }
--- a/server/crates/arbiter-server/tests/client/auth.rs
+++ b/server/crates/arbiter-server/tests/client/auth.rs
@@ -105,4 +105,3 @@ pub async fn test_challenge_auth() {
    // Auth completes, session spawned
    task.await.unwrap();
 }
Author	SHA1	Message	Date
hdbg	931facb5c4	docs: document explicit AuthResult enums and request multiplexing Some checks failed ci/woodpecker/pr/server-vet Pipeline failed Details ci/woodpecker/pr/server-test Pipeline failed Details ci/woodpecker/pr/server-audit Pipeline failed Details ci/woodpecker/pr/server-lint Pipeline failed Details	2026-03-19 00:31:42 +01:00
hdbg	8c5248c8e4	feat(useragent): showing auth error when something went wrong	2026-03-19 00:20:53 +01:00
hdbg	3594edfb88	refactor(useragent): using request/response for correct multiplexing behaviour	2026-03-19 00:18:22 +01:00
hdbg	ee04c6b422	feat(proto): request / response pair tracking by assigning id	2026-03-19 00:05:35 +01:00
hdbg	b3267c60fa	test(user-agent): add test helpers and update actor integration tests	2026-03-18 23:43:24 +01:00
hdbg	7efeede53f	refactor(server::client): migrated to new connection design	2026-03-18 23:35:20 +01:00
hdbg	a224d0621c	refactor(server::useragent): migrated to new connection design	2026-03-18 22:20:52 +01:00