merge: @main into client-integrity-verification

Reviewed-on: #45

.woodpecker/server-test.yaml

@@ -24,4 +24,4 @@ steps:
       - mise install rust 
       - mise install protoc
       - mise install cargo:cargo-nextest
-      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast
+      - mise exec cargo:cargo-nextest -- cargo nextest run --no-fail-fast --all-features

IMPLEMENTATION.md

@@ -67,7 +67,18 @@ The `program_client.nonce` column stores the **next usable nonce** — i.e. it i
 ## Cryptography
 
 ### Authentication
-- **Signature scheme:** ed25519
+- **Client protocol:** ed25519
+
+### User-Agent Authentication
+
+User-agent authentication supports multiple signature schemes because platform-provided "hardware-bound" keys do not expose a uniform algorithm across operating systems and hardware.
+
+- **Supported schemes:** RSA, Ed25519, ECDSA (secp256k1)
+- **Why:** the user agent authenticates with keys backed by platform facilities, and those facilities differ by platform
+- **Apple Silicon Secure Enclave / Secure Element:** ECDSA-only in practice
+- **Windows Hello / TPM 2.0:** currently RSA-backed in our integration
+
+This is why the user-agent auth protocol carries an explicit `KeyType`, while the SDK client protocol remains fixed to ed25519.
 
 ### Encryption at Rest
 - **Scheme:** Symmetric AEAD — currently **XChaCha20-Poly1305**
@@ -148,7 +159,7 @@ The central abstraction is the `Policy` trait. Each implementation handles one s
 Every grant has two layers:
 
 - **Shared (`evm_basic_grant`)** — wallet, chain, validity period, gas fee caps, transaction count rate limit. One row per grant regardless of type.
-- **Specific** — policy-owned tables (`evm_ether_transfer_grant`, `evm_token_transfer_grant`, etc.) holding type-specific configuration.
+- **Specific** — policy-owned tables (`evm_ether_transfer_grant`, `evm_token_transfer_grant`) holding type-specific configuration.
 
 `find_all_grants` uses a `#[diesel::auto_type]` base join between the specific and shared tables, then batch-loads related rows (targets, volume limits) in two additional queries to avoid N+1.
 
@@ -171,7 +182,6 @@ These are checked centrally in `check_shared_constraints` before policy evaluati
 - **Only EIP-1559 transactions are supported.** Legacy and EIP-2930 types are rejected outright.
 - **No opaque-calldata (unknown contract) grant type.** The architecture describes a category for unrecognised contracts, but no policy implements it yet. Any transaction that is not a plain ETH transfer or a known ERC-20 transfer is unconditionally rejected.
 - **Token registry is static.** Tokens are recognised only if they appear in the hard-coded `arbiter_tokens_registry` crate. There is no mechanism to register additional contracts at runtime.
-- **Nonce management is not implemented.** The architecture lists nonce deduplication as a core responsibility, but no nonce tracking or enforcement exists yet.
 
 ---
 
@@ -179,5 +189,5 @@ These are checked centrally in `check_shared_constraints` before policy evaluati
 
 The unsealed root key must be held in a hardened memory cell resistant to dumps, page swaps, and hibernation.
 
-- **Current:** Using the `memsafe` crate as an interim solution
+- **Current:** A dedicated memory-protection abstraction is in place, with `memsafe` used behind that abstraction today
-- **Planned:** Custom implementation based on `mlock` (Unix) and `VirtualProtect` (Windows)
+- **Planned:** Additional backends can be introduced behind the same abstraction, including a custom implementation based on `mlock` (Unix) and `VirtualProtect` (Windows)

mise.lock

@@ -8,10 +8,18 @@ backend = "aqua:ast-grep/ast-grep"
 checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"
 
+[tools.ast-grep."platforms.linux-arm64-musl"]
+checksum = "sha256:5c830eae8456569e2f7212434ed9c238f58dca412d76045418ed6d394a755836"
+url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-unknown-linux-gnu.zip"
+
 [tools.ast-grep."platforms.linux-x64"]
 checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"
 
+[tools.ast-grep."platforms.linux-x64-musl"]
+checksum = "sha256:e825a05603f0bcc4cd9076c4cc8c9abd6d008b7cd07d9aa3cc323ba4b8606651"
+url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-x86_64-unknown-linux-gnu.zip"
+
 [tools.ast-grep."platforms.macos-arm64"]
 checksum = "sha256:fc300d5293b1c770a5aece03a8a193b92e71e87cec726c28096990691a582620"
 url = "https://github.com/ast-grep/ast-grep/releases/download/0.42.0/app-aarch64-apple-darwin.zip"
@@ -32,10 +40,6 @@ backend = "cargo:cargo-audit"
 version = "0.13.9"
 backend = "cargo:cargo-edit"
 
-[[tools."cargo:cargo-features"]]
-version = "1.0.0"
-backend = "cargo:cargo-features"
-
 [[tools."cargo:cargo-features-manager"]]
 version = "0.11.1"
 backend = "cargo:cargo-features-manager"
@@ -49,21 +53,13 @@ version = "0.9.126"
 backend = "cargo:cargo-nextest"
 
 [[tools."cargo:cargo-shear"]]
-version = "1.9.1"
+version = "1.11.2"
 backend = "cargo:cargo-shear"
 
 [[tools."cargo:cargo-vet"]]
 version = "0.10.2"
 backend = "cargo:cargo-vet"
 
-[[tools."cargo:diesel-cli"]]
-version = "2.3.6"
-backend = "cargo:diesel-cli"
-
-[tools."cargo:diesel-cli".options]
-default-features = "false"
-features = "sqlite,sqlite-bundled"
-
 [[tools."cargo:diesel_cli"]]
 version = "2.3.6"
 backend = "cargo:diesel_cli"
@@ -72,10 +68,6 @@ backend = "cargo:diesel_cli"
 default-features = "false"
 features = "sqlite,sqlite-bundled"
 
-[[tools."cargo:rinf_cli"]]
-version = "8.9.1"
-backend = "cargo:rinf_cli"
-
 [[tools.flutter]]
 version = "3.38.9-stable"
 backend = "asdf:flutter"
@@ -88,10 +80,18 @@ backend = "aqua:protocolbuffers/protobuf/protoc"
 checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"
 
+[tools.protoc."platforms.linux-arm64-musl"]
+checksum = "sha256:2594ff4fcae8cb57310d394d0961b236190ad9c5efbfdf1f597ea471d424fe79"
+url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-aarch_64.zip"
+
 [tools.protoc."platforms.linux-x64"]
 checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"
 
+[tools.protoc."platforms.linux-x64-musl"]
+checksum = "sha256:48785a926e73ffa3f68e2f22b14e7b849620c7a1d36809ac9249a5495e280323"
+url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-linux-x86_64.zip"
+
 [tools.protoc."platforms.macos-arm64"]
 checksum = "sha256:b9576b5fa1a1ef3fe13a8c91d9d8204b46545759bea5ae155cd6ba2ea4cdaeed"
 url = "https://github.com/protocolbuffers/protobuf/releases/download/v29.6/protoc-29.6-osx-aarch_64.zip"
@@ -109,24 +109,32 @@ version = "3.14.3"
 backend = "core:python"
 
 [tools.python."platforms.linux-arm64"]
-checksum = "sha256:be0f4dc2932f762292b27d46ea7d3e8e66ddf3969a5eb0254a229015ed402625"
+checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+
+[tools.python."platforms.linux-arm64-musl"]
+checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
 
 [tools.python."platforms.linux-x64"]
-checksum = "sha256:0a73413f89efd417871876c9accaab28a9d1e3cd6358fbfff171a38ec99302f0"
+checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+
+[tools.python."platforms.linux-x64-musl"]
+checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
 
 [tools.python."platforms.macos-arm64"]
-checksum = "sha256:4703cdf18b26798fde7b49b6b66149674c25f97127be6a10dbcf29309bdcdcdb"
+checksum = "sha256:c43aecde4a663aebff99b9b83da0efec506479f1c3f98331442f33d2c43501f9"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-aarch64-apple-darwin-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-apple-darwin-install_only_stripped.tar.gz"
 
 [tools.python."platforms.macos-x64"]
-checksum = "sha256:76f1cc26e3d262eae8ca546a93e8bded10cf0323613f7e246fea2e10a8115eb7"
+checksum = "sha256:9ab41dbc2f100a2a45d1833b9c11165f51051c558b5213eda9a9731d5948a0c0"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-apple-darwin-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-apple-darwin-install_only_stripped.tar.gz"
 
 [tools.python."platforms.windows-x64"]
-checksum = "sha256:950c5f21a015c1bdd1337f233456df2470fab71e4d794407d27a84cb8b9909a0"
+checksum = "sha256:bbe19034b35b0267176a7442575ae7dc6343480fd4d35598cb7700173d431e09"
-url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260303/cpython-3.14.3+20260303-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
 
 [[tools.rust]]
 version = "1.93.0"

mise.toml

@@ -14,9 +14,9 @@ ast-grep = "0.42.0"
 "cargo:cargo-edit" = "0.13.9"
 
 [tasks.codegen]
-sources = ['protobufs/*.proto']
+sources = ['protobufs/*.proto', 'protobufs/**/*.proto']
-outputs = ['useragent/lib/proto/*']
+outputs = ['useragent/lib/proto/**']
 run = '''
 dart pub global activate protoc_plugin && \
-protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ protobufs/*.proto
+protoc --dart_out=grpc:useragent/lib/proto --proto_path=protobufs/ $(find protobufs -name '*.proto' | sort)
 '''

protobufs/client.proto

@@ -2,63 +2,24 @@ syntax = "proto3";
 
 package arbiter.client;
 
-import "evm.proto";
+import "client/auth.proto";
-import "google/protobuf/empty.proto";
+import "client/evm.proto";
-
+import "client/vault.proto";
-message ClientInfo {
-  string name = 1;
-  optional string description = 2;
-  optional string version = 3;
-}
-
-message AuthChallengeRequest {
-  bytes pubkey = 1;
-  ClientInfo client_info = 2;
-}
-
-message AuthChallenge {
-  bytes pubkey = 1;
-  int32 nonce = 2;
-}
-
-message AuthChallengeSolution {
-  bytes signature = 1;
-}
-
-enum AuthResult {
-  AUTH_RESULT_UNSPECIFIED = 0;
-  AUTH_RESULT_SUCCESS = 1;
-  AUTH_RESULT_INVALID_KEY = 2;
-  AUTH_RESULT_INVALID_SIGNATURE = 3;
-  AUTH_RESULT_APPROVAL_DENIED = 4;
-  AUTH_RESULT_NO_USER_AGENTS_ONLINE = 5;
-  AUTH_RESULT_INTERNAL = 6;
-}
-
-enum VaultState {
-  VAULT_STATE_UNSPECIFIED = 0;
-  VAULT_STATE_UNBOOTSTRAPPED = 1;
-  VAULT_STATE_SEALED = 2;
-  VAULT_STATE_UNSEALED = 3;
-  VAULT_STATE_ERROR = 4;
-}
 
 message ClientRequest {
   int32 request_id = 4;
   oneof payload {
-    AuthChallengeRequest auth_challenge_request = 1;
+    auth.Request auth = 1;
-    AuthChallengeSolution auth_challenge_solution = 2;
+    vault.Request vault = 2;
-    google.protobuf.Empty query_vault_state = 3;
+    evm.Request evm = 3;
   }
 }
 
 message ClientResponse {
   optional int32 request_id = 7;
   oneof payload {
-    AuthChallenge auth_challenge = 1;
+    auth.Response auth = 1;
-    AuthResult auth_result = 2;
+    vault.Response vault = 2;
-    arbiter.evm.EvmSignTransactionResponse evm_sign_transaction = 3;
+    evm.Response evm = 3;
-    arbiter.evm.EvmAnalyzeTransactionResponse evm_analyze_transaction = 4;
-    VaultState vault_state = 6;
   }
 }

protobufs/client/auth.proto

@@ -0,0 +1,43 @@
+syntax = "proto3";
+
+package arbiter.client.auth;
+
+import "shared/client.proto";
+
+message AuthChallengeRequest {
+  bytes pubkey = 1;
+  arbiter.shared.ClientInfo client_info = 2;
+}
+
+message AuthChallenge {
+  bytes pubkey = 1;
+  int32 nonce = 2;
+}
+
+message AuthChallengeSolution {
+  bytes signature = 1;
+}
+
+enum AuthResult {
+  AUTH_RESULT_UNSPECIFIED = 0;
+  AUTH_RESULT_SUCCESS = 1;
+  AUTH_RESULT_INVALID_KEY = 2;
+  AUTH_RESULT_INVALID_SIGNATURE = 3;
+  AUTH_RESULT_APPROVAL_DENIED = 4;
+  AUTH_RESULT_NO_USER_AGENTS_ONLINE = 5;
+  AUTH_RESULT_INTERNAL = 6;
+}
+
+message Request {
+  oneof payload {
+    AuthChallengeRequest challenge_request = 1;
+    AuthChallengeSolution challenge_solution = 2;
+  }
+}
+
+message Response {
+  oneof payload {
+    AuthChallenge challenge = 1;
+    AuthResult result = 2;
+  }
+}

protobufs/client/evm.proto

@@ -0,0 +1,19 @@
+syntax = "proto3";
+
+package arbiter.client.evm;
+
+import "evm.proto";
+
+message Request {
+  oneof payload {
+    arbiter.evm.EvmSignTransactionRequest sign_transaction = 1;
+    arbiter.evm.EvmAnalyzeTransactionRequest analyze_transaction = 2;
+  }
+}
+
+message Response {
+  oneof payload {
+    arbiter.evm.EvmSignTransactionResponse sign_transaction = 1;
+    arbiter.evm.EvmAnalyzeTransactionResponse analyze_transaction = 2;
+  }
+}

protobufs/client/vault.proto

@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package arbiter.client.vault;
+
+import "google/protobuf/empty.proto";
+import "shared/vault.proto";
+
+message Request {
+  oneof payload {
+    google.protobuf.Empty query_state = 1;
+  }
+}
+
+message Response {
+  oneof payload {
+    arbiter.shared.VaultState state = 1;
+  }
+}

protobufs/evm.proto

@@ -4,6 +4,7 @@ package arbiter.evm;
 
 import "google/protobuf/empty.proto";
 import "google/protobuf/timestamp.proto";
+import "shared/evm.proto";
 
 enum EvmError {
   EVM_ERROR_UNSPECIFIED = 0;
@@ -74,70 +75,6 @@ message SpecificGrant {
   }
 }
 
-message EtherTransferMeaning {
-  bytes to = 1; // 20-byte Ethereum address
-  bytes value = 2; // U256 as big-endian bytes
-}
-
-message TokenInfo {
-  string symbol = 1;
-  bytes address = 2; // 20-byte Ethereum address
-  uint64 chain_id = 3;
-}
-
-// Mirror of token_transfers::Meaning
-message TokenTransferMeaning {
-  TokenInfo token = 1;
-  bytes to = 2; // 20-byte Ethereum address
-  bytes value = 3; // U256 as big-endian bytes
-}
-
-// Mirror of policies::SpecificMeaning
-message SpecificMeaning {
-  oneof meaning {
-    EtherTransferMeaning ether_transfer = 1;
-    TokenTransferMeaning token_transfer = 2;
-  }
-}
-
-// --- Eval error types ---
-message GasLimitExceededViolation {
-  optional bytes max_gas_fee_per_gas = 1; // U256 as big-endian bytes
-  optional bytes max_priority_fee_per_gas = 2; // U256 as big-endian bytes
-}
-
-message EvalViolation {
-  oneof kind {
-    bytes invalid_target = 1; // 20-byte Ethereum address
-    GasLimitExceededViolation gas_limit_exceeded = 2;
-    google.protobuf.Empty rate_limit_exceeded = 3;
-    google.protobuf.Empty volumetric_limit_exceeded = 4;
-    google.protobuf.Empty invalid_time = 5;
-    google.protobuf.Empty invalid_transaction_type = 6;
-  }
-}
-
-// Transaction was classified but no grant covers it
-message NoMatchingGrantError {
-  SpecificMeaning meaning = 1;
-}
-
-// Transaction was classified and a grant was found, but constraints were violated
-message PolicyViolationsError {
-  SpecificMeaning meaning = 1;
-  repeated EvalViolation violations = 2;
-}
-
-// top-level error returned when transaction evaluation fails
-message TransactionEvalError {
-  oneof kind {
-    google.protobuf.Empty contract_creation_not_supported = 1;
-    google.protobuf.Empty unsupported_transaction_type = 2;
-    NoMatchingGrantError no_matching_grant = 3;
-    PolicyViolationsError policy_violations = 4;
-  }
-}
-
 // --- UserAgent grant management ---
 message EvmGrantCreateRequest {
   SharedSettings shared = 1;
@@ -197,7 +134,7 @@ message EvmSignTransactionRequest {
 message EvmSignTransactionResponse {
   oneof result {
     bytes signature = 1; // 65-byte signature: r[32] || s[32] || v[1]
-    TransactionEvalError eval_error = 2;
+    arbiter.shared.evm.TransactionEvalError eval_error = 2;
     EvmError error = 3;
   }
 }
@@ -209,8 +146,8 @@ message EvmAnalyzeTransactionRequest {
 
 message EvmAnalyzeTransactionResponse {
   oneof result {
-    SpecificMeaning meaning = 1;
+    arbiter.shared.evm.SpecificMeaning meaning = 1;
-    TransactionEvalError eval_error = 2;
+    arbiter.shared.evm.TransactionEvalError eval_error = 2;
     EvmError error = 3;
   }
 }

protobufs/shared/client.proto

@@ -0,0 +1,9 @@
+syntax = "proto3";
+
+package arbiter.shared;
+
+message ClientInfo {
+  string name = 1;
+  optional string description = 2;
+  optional string version = 3;
+}

protobufs/shared/evm.proto

@@ -0,0 +1,68 @@
+syntax = "proto3";
+
+package arbiter.shared.evm;
+
+import "google/protobuf/empty.proto";
+
+message EtherTransferMeaning {
+  bytes to = 1; // 20-byte Ethereum address
+  bytes value = 2; // U256 as big-endian bytes
+}
+
+message TokenInfo {
+  string symbol = 1;
+  bytes address = 2; // 20-byte Ethereum address
+  uint64 chain_id = 3;
+}
+
+// Mirror of token_transfers::Meaning
+message TokenTransferMeaning {
+  TokenInfo token = 1;
+  bytes to = 2; // 20-byte Ethereum address
+  bytes value = 3; // U256 as big-endian bytes
+}
+
+// Mirror of policies::SpecificMeaning
+message SpecificMeaning {
+  oneof meaning {
+    EtherTransferMeaning ether_transfer = 1;
+    TokenTransferMeaning token_transfer = 2;
+  }
+}
+
+message GasLimitExceededViolation {
+  optional bytes max_gas_fee_per_gas = 1; // U256 as big-endian bytes
+  optional bytes max_priority_fee_per_gas = 2; // U256 as big-endian bytes
+}
+
+message EvalViolation {
+  oneof kind {
+    bytes invalid_target = 1; // 20-byte Ethereum address
+    GasLimitExceededViolation gas_limit_exceeded = 2;
+    google.protobuf.Empty rate_limit_exceeded = 3;
+    google.protobuf.Empty volumetric_limit_exceeded = 4;
+    google.protobuf.Empty invalid_time = 5;
+    google.protobuf.Empty invalid_transaction_type = 6;
+  }
+}
+
+// Transaction was classified but no grant covers it
+message NoMatchingGrantError {
+  SpecificMeaning meaning = 1;
+}
+
+// Transaction was classified and a grant was found, but constraints were violated
+message PolicyViolationsError {
+  SpecificMeaning meaning = 1;
+  repeated EvalViolation violations = 2;
+}
+
+// top-level error returned when transaction evaluation fails
+message TransactionEvalError {
+  oneof kind {
+    google.protobuf.Empty contract_creation_not_supported = 1;
+    google.protobuf.Empty unsupported_transaction_type = 2;
+    NoMatchingGrantError no_matching_grant = 3;
+    PolicyViolationsError policy_violations = 4;
+  }
+}

protobufs/shared/vault.proto

@@ -0,0 +1,11 @@
+syntax = "proto3";
+
+package arbiter.shared;
+
+enum VaultState {
+  VAULT_STATE_UNSPECIFIED = 0;
+  VAULT_STATE_UNBOOTSTRAPPED = 1;
+  VAULT_STATE_SEALED = 2;
+  VAULT_STATE_UNSEALED = 3;
+  VAULT_STATE_ERROR = 4;
+}

protobufs/user_agent.proto

@@ -2,198 +2,27 @@ syntax = "proto3";
 
 package arbiter.user_agent;
 
-import "client.proto";
+import "user_agent/auth.proto";
-import "evm.proto";
+import "user_agent/evm.proto";
-import "google/protobuf/empty.proto";
+import "user_agent/sdk_client.proto";
-
+import "user_agent/vault/vault.proto";
-enum KeyType {
-  KEY_TYPE_UNSPECIFIED = 0;
-  KEY_TYPE_ED25519 = 1;
-  KEY_TYPE_ECDSA_SECP256K1 = 2;
-  KEY_TYPE_RSA = 3;
-}
-
-// --- SDK client management ---
-
-enum SdkClientError {
-  SDK_CLIENT_ERROR_UNSPECIFIED = 0;
-  SDK_CLIENT_ERROR_ALREADY_EXISTS = 1;
-  SDK_CLIENT_ERROR_NOT_FOUND = 2;
-  SDK_CLIENT_ERROR_HAS_RELATED_DATA = 3; // hard-delete blocked by FK (client has grants or transaction logs)
-  SDK_CLIENT_ERROR_INTERNAL = 4;
-}
-
-message SdkClientRevokeRequest {
-  int32 client_id = 1;
-}
-
-message SdkClientEntry {
-  int32 id = 1;
-  bytes pubkey = 2;
-  arbiter.client.ClientInfo info = 3;
-  int32 created_at = 4;
-}
-
-message SdkClientList {
-  repeated SdkClientEntry clients = 1;
-}
-
-message SdkClientRevokeResponse {
-  oneof result {
-    google.protobuf.Empty ok = 1;
-    SdkClientError error = 2;
-  }
-}
-
-message SdkClientListResponse {
-  oneof result {
-    SdkClientList clients = 1;
-    SdkClientError error = 2;
-  }
-}
-
-message AuthChallengeRequest {
-  bytes pubkey = 1;
-  optional string bootstrap_token = 2;
-  KeyType key_type = 3;
-}
-
-message AuthChallenge {
-  int32 nonce = 2;
-  reserved 1;
-}
-
-message AuthChallengeSolution {
-  bytes signature = 1;
-}
-
-enum AuthResult {
-  AUTH_RESULT_UNSPECIFIED = 0;
-  AUTH_RESULT_SUCCESS = 1;
-  AUTH_RESULT_INVALID_KEY = 2;
-  AUTH_RESULT_INVALID_SIGNATURE = 3;
-  AUTH_RESULT_BOOTSTRAP_REQUIRED = 4;
-  AUTH_RESULT_TOKEN_INVALID = 5;
-  AUTH_RESULT_INTERNAL = 6;
-}
-
-message UnsealStart {
-  bytes client_pubkey = 1;
-}
-
-message UnsealStartResponse {
-  bytes server_pubkey = 1;
-}
-message UnsealEncryptedKey {
-  bytes nonce = 1;
-  bytes ciphertext = 2;
-  bytes associated_data = 3;
-}
-
-message BootstrapEncryptedKey {
-  bytes nonce = 1;
-  bytes ciphertext = 2;
-  bytes associated_data = 3;
-}
-
-enum UnsealResult {
-  UNSEAL_RESULT_UNSPECIFIED = 0;
-  UNSEAL_RESULT_SUCCESS = 1;
-  UNSEAL_RESULT_INVALID_KEY = 2;
-  UNSEAL_RESULT_UNBOOTSTRAPPED = 3;
-}
-
-enum BootstrapResult {
-  BOOTSTRAP_RESULT_UNSPECIFIED = 0;
-  BOOTSTRAP_RESULT_SUCCESS = 1;
-  BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED = 2;
-  BOOTSTRAP_RESULT_INVALID_KEY = 3;
-}
-
-enum VaultState {
-  VAULT_STATE_UNSPECIFIED = 0;
-  VAULT_STATE_UNBOOTSTRAPPED = 1;
-  VAULT_STATE_SEALED = 2;
-  VAULT_STATE_UNSEALED = 3;
-  VAULT_STATE_ERROR = 4;
-}
-
-message SdkClientConnectionRequest {
-  bytes pubkey = 1;
-  arbiter.client.ClientInfo info = 2;
-}
-
-message SdkClientConnectionResponse {
-  bool approved = 1;
-  bytes pubkey = 2;
-}
-
-message SdkClientConnectionCancel {
-  bytes pubkey = 1;
-}
-
-message WalletAccess {
-  int32 wallet_id = 1;
-  int32 sdk_client_id = 2;
-}
-
-message SdkClientWalletAccess {
-  int32 id = 1;
-  WalletAccess access = 2;
-}
-
-message SdkClientGrantWalletAccess {
-  repeated WalletAccess accesses = 1;
-}
-
-message SdkClientRevokeWalletAccess {
-  repeated int32 accesses = 1;
-}
-
-message ListWalletAccessResponse {
-  repeated SdkClientWalletAccess accesses = 1;
-}
 
 message UserAgentRequest {
   int32 id = 16;
   oneof payload {
-    AuthChallengeRequest auth_challenge_request = 1;
+    auth.Request auth = 1;
-    AuthChallengeSolution auth_challenge_solution = 2;
+    vault.Request vault = 2;
-    UnsealStart unseal_start = 3;
+    evm.Request evm = 3;
-    UnsealEncryptedKey unseal_encrypted_key = 4;
+    sdk_client.Request sdk_client = 4;
-    google.protobuf.Empty query_vault_state = 5;
-    google.protobuf.Empty evm_wallet_create = 6;
-    google.protobuf.Empty evm_wallet_list = 7;
-    arbiter.evm.EvmGrantCreateRequest evm_grant_create = 8;
-    arbiter.evm.EvmGrantDeleteRequest evm_grant_delete = 9;
-    arbiter.evm.EvmGrantListRequest evm_grant_list = 10;
-    SdkClientConnectionResponse sdk_client_connection_response = 11;
-    SdkClientRevokeRequest sdk_client_revoke = 12;
-    google.protobuf.Empty sdk_client_list = 13;
-    BootstrapEncryptedKey bootstrap_encrypted_key = 14;
-    SdkClientGrantWalletAccess grant_wallet_access = 15;
-    SdkClientRevokeWalletAccess revoke_wallet_access = 17;
-    google.protobuf.Empty list_wallet_access = 18;
   }
 }
+
 message UserAgentResponse {
   optional int32 id = 16;
   oneof payload {
-    AuthChallenge auth_challenge = 1;
+    auth.Response auth = 1;
-    AuthResult auth_result = 2;
+    vault.Response vault = 2;
-    UnsealStartResponse unseal_start_response = 3;
+    evm.Response evm = 3;
-    UnsealResult unseal_result = 4;
+    sdk_client.Response sdk_client = 4;
-    VaultState vault_state = 5;
-    arbiter.evm.WalletCreateResponse evm_wallet_create = 6;
-    arbiter.evm.WalletListResponse evm_wallet_list = 7;
-    arbiter.evm.EvmGrantCreateResponse evm_grant_create = 8;
-    arbiter.evm.EvmGrantDeleteResponse evm_grant_delete = 9;
-    arbiter.evm.EvmGrantListResponse evm_grant_list = 10;
-    SdkClientConnectionRequest sdk_client_connection_request = 11;
-    SdkClientConnectionCancel sdk_client_connection_cancel = 12;
-    SdkClientRevokeResponse sdk_client_revoke_response = 13;
-    SdkClientListResponse sdk_client_list_response = 14;
-    BootstrapResult bootstrap_result = 15;
-    ListWalletAccessResponse list_wallet_access_response = 17;
   }
 }

protobufs/user_agent/auth.proto

@@ -0,0 +1,48 @@
+syntax = "proto3";
+
+package arbiter.user_agent.auth;
+
+enum KeyType {
+  KEY_TYPE_UNSPECIFIED = 0;
+  KEY_TYPE_ED25519 = 1;
+  KEY_TYPE_ECDSA_SECP256K1 = 2;
+  KEY_TYPE_RSA = 3;
+}
+
+message AuthChallengeRequest {
+  bytes pubkey = 1;
+  optional string bootstrap_token = 2;
+  KeyType key_type = 3;
+}
+
+message AuthChallenge {
+  int32 nonce = 1;
+}
+
+message AuthChallengeSolution {
+  bytes signature = 1;
+}
+
+enum AuthResult {
+  AUTH_RESULT_UNSPECIFIED = 0;
+  AUTH_RESULT_SUCCESS = 1;
+  AUTH_RESULT_INVALID_KEY = 2;
+  AUTH_RESULT_INVALID_SIGNATURE = 3;
+  AUTH_RESULT_BOOTSTRAP_REQUIRED = 4;
+  AUTH_RESULT_TOKEN_INVALID = 5;
+  AUTH_RESULT_INTERNAL = 6;
+}
+
+message Request {
+  oneof payload {
+    AuthChallengeRequest challenge_request = 1;
+    AuthChallengeSolution challenge_solution = 2;
+  }
+}
+
+message Response {
+  oneof payload {
+    AuthChallenge challenge = 1;
+    AuthResult result = 2;
+  }
+}

protobufs/user_agent/evm.proto

@@ -0,0 +1,33 @@
+syntax = "proto3";
+
+package arbiter.user_agent.evm;
+
+import "evm.proto";
+import "google/protobuf/empty.proto";
+
+message SignTransactionRequest {
+  int32 client_id = 1;
+  arbiter.evm.EvmSignTransactionRequest request = 2;
+}
+
+message Request {
+  oneof payload {
+    google.protobuf.Empty wallet_create = 1;
+    google.protobuf.Empty wallet_list = 2;
+    arbiter.evm.EvmGrantCreateRequest grant_create = 3;
+    arbiter.evm.EvmGrantDeleteRequest grant_delete = 4;
+    arbiter.evm.EvmGrantListRequest grant_list = 5;
+    SignTransactionRequest sign_transaction = 6;
+  }
+}
+
+message Response {
+  oneof payload {
+    arbiter.evm.WalletCreateResponse wallet_create = 1;
+    arbiter.evm.WalletListResponse wallet_list = 2;
+    arbiter.evm.EvmGrantCreateResponse grant_create = 3;
+    arbiter.evm.EvmGrantDeleteResponse grant_delete = 4;
+    arbiter.evm.EvmGrantListResponse grant_list = 5;
+    arbiter.evm.EvmSignTransactionResponse sign_transaction = 6;
+  }
+}

protobufs/user_agent/sdk_client.proto

@@ -0,0 +1,100 @@
+syntax = "proto3";
+
+package arbiter.user_agent.sdk_client;
+
+import "shared/client.proto";
+import "google/protobuf/empty.proto";
+
+enum Error {
+  ERROR_UNSPECIFIED = 0;
+  ERROR_ALREADY_EXISTS = 1;
+  ERROR_NOT_FOUND = 2;
+  ERROR_HAS_RELATED_DATA = 3; // hard-delete blocked by FK (client has grants or transaction logs)
+  ERROR_INTERNAL = 4;
+}
+
+message RevokeRequest {
+  int32 client_id = 1;
+}
+
+message Entry {
+  int32 id = 1;
+  bytes pubkey = 2;
+  arbiter.shared.ClientInfo info = 3;
+  int32 created_at = 4;
+}
+
+message List {
+  repeated Entry clients = 1;
+}
+
+message RevokeResponse {
+  oneof result {
+    google.protobuf.Empty ok = 1;
+    Error error = 2;
+  }
+}
+
+message ListResponse {
+  oneof result {
+    List clients = 1;
+    Error error = 2;
+  }
+}
+
+message ConnectionRequest {
+  bytes pubkey = 1;
+  arbiter.shared.ClientInfo info = 2;
+}
+
+message ConnectionResponse {
+  bool approved = 1;
+  bytes pubkey = 2;
+}
+
+message ConnectionCancel {
+  bytes pubkey = 1;
+}
+
+message WalletAccess {
+  int32 wallet_id = 1;
+  int32 sdk_client_id = 2;
+}
+
+message WalletAccessEntry {
+  int32 id = 1;
+  WalletAccess access = 2;
+}
+
+message GrantWalletAccess {
+  repeated WalletAccess accesses = 1;
+}
+
+message RevokeWalletAccess {
+  repeated int32 accesses = 1;
+}
+
+message ListWalletAccessResponse {
+  repeated WalletAccessEntry accesses = 1;
+}
+
+message Request {
+  oneof payload {
+    ConnectionResponse connection_response = 1;
+    RevokeRequest revoke = 2;
+    google.protobuf.Empty list = 3;
+    GrantWalletAccess grant_wallet_access = 4;
+    RevokeWalletAccess revoke_wallet_access = 5;
+    google.protobuf.Empty list_wallet_access = 6;
+  }
+}
+
+message Response {
+  oneof payload {
+    ConnectionRequest connection_request = 1;
+    ConnectionCancel connection_cancel = 2;
+    RevokeResponse revoke = 3;
+    ListResponse list = 4;
+    ListWalletAccessResponse list_wallet_access = 5;
+  }
+}

protobufs/user_agent/vault/bootstrap.proto

@@ -0,0 +1,24 @@
+syntax = "proto3";
+
+package arbiter.user_agent.vault.bootstrap;
+
+message BootstrapEncryptedKey {
+  bytes nonce = 1;
+  bytes ciphertext = 2;
+  bytes associated_data = 3;
+}
+
+enum BootstrapResult {
+  BOOTSTRAP_RESULT_UNSPECIFIED = 0;
+  BOOTSTRAP_RESULT_SUCCESS = 1;
+  BOOTSTRAP_RESULT_ALREADY_BOOTSTRAPPED = 2;
+  BOOTSTRAP_RESULT_INVALID_KEY = 3;
+}
+
+message Request {
+  BootstrapEncryptedKey encrypted_key = 2;
+}
+
+message Response {
+  BootstrapResult result = 1;
+}

protobufs/user_agent/vault/unseal.proto

@@ -0,0 +1,37 @@
+syntax = "proto3";
+
+package arbiter.user_agent.vault.unseal;
+
+message UnsealStart {
+  bytes client_pubkey = 1;
+}
+
+message UnsealStartResponse {
+  bytes server_pubkey = 1;
+}
+message UnsealEncryptedKey {
+  bytes nonce = 1;
+  bytes ciphertext = 2;
+  bytes associated_data = 3;
+}
+
+enum UnsealResult {
+  UNSEAL_RESULT_UNSPECIFIED = 0;
+  UNSEAL_RESULT_SUCCESS = 1;
+  UNSEAL_RESULT_INVALID_KEY = 2;
+  UNSEAL_RESULT_UNBOOTSTRAPPED = 3;
+}
+
+message Request {
+  oneof payload {
+    UnsealStart start = 1;
+    UnsealEncryptedKey encrypted_key = 2;
+  }
+}
+
+message Response {
+  oneof payload {
+    UnsealStartResponse start = 1;
+    UnsealResult result = 2;
+  }
+}

protobufs/user_agent/vault/vault.proto

@@ -0,0 +1,24 @@
+syntax = "proto3";
+
+package arbiter.user_agent.vault;
+
+import "google/protobuf/empty.proto";
+import "shared/vault.proto";
+import "user_agent/vault/bootstrap.proto";
+import "user_agent/vault/unseal.proto";
+
+message Request {
+  oneof payload {
+    google.protobuf.Empty query_state = 1;
+    unseal.Request unseal = 2;
+    bootstrap.Request bootstrap = 3;
+  }
+}
+
+message Response {
+  oneof payload {
+    arbiter.shared.VaultState state = 1;
+    unseal.Response unseal = 2;
+    bootstrap.Response bootstrap = 3;
+  }
+}

server/Cargo.lock

@@ -724,6 +724,7 @@ name = "arbiter-server"
 version = "0.1.0"
 dependencies = [
  "alloy",
+ "anyhow",
  "arbiter-proto",
  "arbiter-tokens-registry",
  "argon2",
@@ -737,11 +738,11 @@ dependencies = [
  "ed25519-dalek",
  "fatality",
  "futures",
+ "hmac",
  "insta",
  "k256",
  "kameo",
  "memsafe",
- "miette",
  "pem",
  "prost-types",
  "rand 0.10.0",

server/Cargo.toml

@@ -22,7 +22,6 @@ chrono = { version = "0.4.44", features = ["serde"] }
 rand = "0.10.0"
 rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
 smlang = "0.8.0"
-miette = { version = "7.6.0", features = ["fancy", "serde"] }
 thiserror = "2.0.18"
 async-trait = "0.1.89"
 futures = "0.3.32"
@@ -43,3 +42,4 @@ k256 = { version = "0.13.4", features = ["ecdsa", "pkcs8"] }
 rsa = { version = "0.9", features = ["sha2"] }
 sha2 = "0.10"
 spki = "0.7"
+miette = { version = "7.6.0", features = ["fancy", "serde"] }

server/crates/arbiter-client/src/auth.rs

@@ -1,9 +1,17 @@
 use arbiter_proto::{
     ClientMetadata, format_challenge,
-    proto::client::{
+    proto::{
-        AuthChallengeRequest, AuthChallengeSolution, AuthResult, ClientInfo as ProtoClientInfo,
+        client::{
-        ClientRequest, client_request::Payload as ClientRequestPayload,
+            ClientRequest,
-        client_response::Payload as ClientResponsePayload,
+            auth::{
+                self as proto_auth, AuthChallenge, AuthChallengeRequest, AuthChallengeSolution,
+                AuthResult, request::Payload as AuthRequestPayload,
+                response::Payload as AuthResponsePayload,
+            },
+            client_request::Payload as ClientRequestPayload,
+            client_response::Payload as ClientResponsePayload,
+        },
+        shared::ClientInfo as ProtoClientInfo,
     },
 };
 use ed25519_dalek::Signer as _;
@@ -51,16 +59,16 @@ async fn send_auth_challenge_request(
     transport
         .send(ClientRequest {
             request_id: next_request_id(),
-            payload: Some(ClientRequestPayload::AuthChallengeRequest(
+            payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
-                AuthChallengeRequest {
+                payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest {
                     pubkey: key.verifying_key().to_bytes().to_vec(),
                     client_info: Some(ProtoClientInfo {
                         name: metadata.name,
                         description: metadata.description,
                         version: metadata.version,
                     }),
-                },
+                })),
-            )),
+            })),
         })
         .await
         .map_err(|_| AuthError::UnexpectedAuthResponse)
@@ -68,7 +76,7 @@ async fn send_auth_challenge_request(
 
 async fn receive_auth_challenge(
     transport: &mut ClientTransport,
-) -> std::result::Result<arbiter_proto::proto::client::AuthChallenge, AuthError> {
+) -> std::result::Result<AuthChallenge, AuthError> {
     let response = transport
         .recv()
         .await
@@ -76,8 +84,11 @@ async fn receive_auth_challenge(
 
     let payload = response.payload.ok_or(AuthError::MissingAuthChallenge)?;
     match payload {
-        ClientResponsePayload::AuthChallenge(challenge) => Ok(challenge),
+        ClientResponsePayload::Auth(response) => match response.payload {
-        ClientResponsePayload::AuthResult(result) => Err(map_auth_result(result)),
+            Some(AuthResponsePayload::Challenge(challenge)) => Ok(challenge),
+            Some(AuthResponsePayload::Result(result)) => Err(map_auth_result(result)),
+            None => Err(AuthError::MissingAuthChallenge),
+        },
         _ => Err(AuthError::UnexpectedAuthResponse),
     }
 }
@@ -85,7 +96,7 @@ async fn receive_auth_challenge(
 async fn send_auth_challenge_solution(
     transport: &mut ClientTransport,
     key: &ed25519_dalek::SigningKey,
-    challenge: arbiter_proto::proto::client::AuthChallenge,
+    challenge: AuthChallenge,
 ) -> std::result::Result<(), AuthError> {
     let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
     let signature = key.sign(&challenge_payload).to_bytes().to_vec();
@@ -93,9 +104,11 @@ async fn send_auth_challenge_solution(
     transport
         .send(ClientRequest {
             request_id: next_request_id(),
-            payload: Some(ClientRequestPayload::AuthChallengeSolution(
+            payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
-                AuthChallengeSolution { signature },
+                payload: Some(AuthRequestPayload::ChallengeSolution(
-            )),
+                    AuthChallengeSolution { signature },
+                )),
+            })),
         })
         .await
         .map_err(|_| AuthError::UnexpectedAuthResponse)
@@ -109,16 +122,17 @@ async fn receive_auth_confirmation(
         .await
         .map_err(|_| AuthError::UnexpectedAuthResponse)?;
 
-    let payload = response
+    let payload = response.payload.ok_or(AuthError::UnexpectedAuthResponse)?;
-        .payload
-        .ok_or(AuthError::UnexpectedAuthResponse)?;
     match payload {
-        ClientResponsePayload::AuthResult(result)
+        ClientResponsePayload::Auth(response) => match response.payload {
-            if AuthResult::try_from(result).ok() == Some(AuthResult::Success) =>
+            Some(AuthResponsePayload::Result(result))
-        {
+                if AuthResult::try_from(result).ok() == Some(AuthResult::Success) =>
-            Ok(())
+            {
-        }
+                Ok(())
-        ClientResponsePayload::AuthResult(result) => Err(map_auth_result(result)),
+            }
+            Some(AuthResponsePayload::Result(result)) => Err(map_auth_result(result)),
+            _ => Err(AuthError::UnexpectedAuthResponse),
+        },
         _ => Err(AuthError::UnexpectedAuthResponse),
     }
 }

server/crates/arbiter-client/src/bin/test_connect.rs

@@ -1,9 +1,7 @@
-
 use std::io::{self, Write};
 
 use arbiter_client::ArbiterClient;
 use arbiter_proto::{ClientMetadata, url::ArbiterUrl};
-use tonic::ConnectError;
 
 #[tokio::main]
 async fn main() {
@@ -23,8 +21,6 @@ async fn main() {
         return;
     }
 
-   
-
     let url = match ArbiterUrl::try_from(input) {
         Ok(url) => url,
         Err(err) => {
@@ -33,7 +29,7 @@ async fn main() {
         }
     };
 
-     println!("{:#?}", url);
+    println!("{:#?}", url);
 
     let metadata = ClientMetadata {
         name: "arbiter-client test_connect".to_string(),
@@ -45,4 +41,4 @@ async fn main() {
         Ok(_) => println!("Connected and authenticated successfully."),
         Err(err) => eprintln!("Failed to connect: {:#?}", err),
     }
-}
+}

server/crates/arbiter-client/src/client.rs

@@ -1,11 +1,16 @@
-use arbiter_proto::{ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl};
+use arbiter_proto::{
+    ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
+};
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::transport::ClientTlsConfig;
 
 use crate::{
-    StorageError, auth::{AuthError, authenticate}, storage::{FileSigningKeyStorage, SigningKeyStorage}, transport::{BUFFER_LENGTH, ClientTransport}
+    StorageError,
+    auth::{AuthError, authenticate},
+    storage::{FileSigningKeyStorage, SigningKeyStorage},
+    transport::{BUFFER_LENGTH, ClientTransport},
 };
 
 #[cfg(feature = "evm")]
@@ -30,7 +35,6 @@ pub enum Error {
 
     #[error("Storage error")]
     Storage(#[from] StorageError),
-    
 }
 
 pub struct ArbiterClient {
@@ -61,10 +65,11 @@ impl ArbiterClient {
         let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
         let tls = ClientTlsConfig::new().trust_anchor(anchor);
 
-        let channel = tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
+        let channel =
-            .tls_config(tls)?
+            tonic::transport::Channel::from_shared(format!("https://{}:{}", url.host, url.port))?
-            .connect()
+                .tls_config(tls)?
-            .await?;
+                .connect()
+                .await?;
 
         let mut client = ArbiterServiceClient::new(channel);
         let (tx, rx) = mpsc::channel(BUFFER_LENGTH);

server/crates/arbiter-client/src/lib.rs

@@ -9,4 +9,4 @@ pub use client::{ArbiterClient, Error};
 pub use storage::{FileSigningKeyStorage, SigningKeyStorage, StorageError};
 
 #[cfg(feature = "evm")]
-pub use wallets::evm::ArbiterEvmWallet;
+pub use wallets::evm::{ArbiterEvmSignTransactionError, ArbiterEvmWallet};

server/crates/arbiter-client/src/transport.rs

@@ -1,6 +1,4 @@
-use arbiter_proto::proto::{
+use arbiter_proto::proto::client::{ClientRequest, ClientResponse};
-    client::{ClientRequest, ClientResponse},
-};
 use std::sync::atomic::{AtomicI32, Ordering};
 use tokio::sync::mpsc;
 
@@ -36,9 +34,7 @@ impl ClientTransport {
             .map_err(|_| ClientSignError::ChannelClosed)
     }
 
-    pub(crate) async fn recv(
+    pub(crate) async fn recv(&mut self) -> std::result::Result<ClientResponse, ClientSignError> {
-        &mut self,
-    ) -> std::result::Result<ClientResponse, ClientSignError> {
         match self.receiver.message().await {
             Ok(Some(resp)) => Ok(resp),
             Ok(None) => Err(ClientSignError::ConnectionClosed),

server/crates/arbiter-client/src/wallets/evm.rs

@@ -8,7 +8,49 @@ use async_trait::async_trait;
 use std::sync::Arc;
 use tokio::sync::Mutex;
 
-use crate::transport::ClientTransport;
+use arbiter_proto::proto::{
+    client::{
+        ClientRequest,
+        client_request::Payload as ClientRequestPayload,
+        client_response::Payload as ClientResponsePayload,
+        evm::{
+            self as proto_evm, request::Payload as EvmRequestPayload,
+            response::Payload as EvmResponsePayload,
+        },
+    },
+    evm::{
+        EvmSignTransactionRequest,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    },
+    shared::evm::TransactionEvalError,
+};
+
+use crate::transport::{ClientTransport, next_request_id};
+
+/// A typed error payload returned by [`ArbiterEvmWallet`] transaction signing.
+///
+/// This is wrapped into `alloy::signers::Error::Other`, so consumers can downcast by [`TryFrom`] and
+/// interpret the concrete policy evaluation failure instead of parsing strings.
+#[derive(Debug, thiserror::Error)]
+#[non_exhaustive]
+pub enum ArbiterEvmSignTransactionError {
+    #[error("transaction rejected by policy: {0:?}")]
+    PolicyEval(TransactionEvalError),
+}
+
+impl<'a> TryFrom<&'a Error> for &'a ArbiterEvmSignTransactionError {
+    type Error = ();
+
+    fn try_from(value: &'a Error) -> Result<Self, Self::Error> {
+        if let Error::Other(inner) = value
+            && let Some(eval_error) = inner.downcast_ref()
+        {
+            Ok(eval_error)
+        } else {
+            Err(())
+        }
+    }
+}
 
 pub struct ArbiterEvmWallet {
     transport: Arc<Mutex<ClientTransport>>,
@@ -79,11 +121,72 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
         &self,
         tx: &mut dyn SignableTransaction<Signature>,
     ) -> Result<Signature> {
-        let _transport = self.transport.lock().await;
         self.validate_chain_id(tx)?;
 
-        Err(Error::other(
+        let mut transport = self.transport.lock().await;
-            "transaction signing is not supported by current arbiter.client protocol",
+        let request_id = next_request_id();
-        ))
+        let rlp_transaction = tx.encoded_for_signing();
+
+        transport
+            .send(ClientRequest {
+                request_id,
+                payload: Some(ClientRequestPayload::Evm(proto_evm::Request {
+                    payload: Some(EvmRequestPayload::SignTransaction(
+                        EvmSignTransactionRequest {
+                            wallet_address: self.address.to_vec(),
+                            rlp_transaction,
+                        },
+                    )),
+                })),
+            })
+            .await
+            .map_err(|_| Error::other("failed to send evm sign transaction request"))?;
+
+        let response = transport
+            .recv()
+            .await
+            .map_err(|_| Error::other("failed to receive evm sign transaction response"))?;
+
+        if response.request_id != Some(request_id) {
+            return Err(Error::other(
+                "received mismatched response id for evm sign transaction",
+            ));
+        }
+
+        let payload = response
+            .payload
+            .ok_or_else(|| Error::other("missing evm sign transaction response payload"))?;
+
+        let ClientResponsePayload::Evm(proto_evm::Response {
+            payload: Some(payload),
+        }) = payload
+        else {
+            return Err(Error::other(
+                "unexpected response payload for evm sign transaction request",
+            ));
+        };
+
+        let EvmResponsePayload::SignTransaction(response) = payload else {
+            return Err(Error::other(
+                "unexpected evm response payload for sign transaction request",
+            ));
+        };
+
+        let result = response
+            .result
+            .ok_or_else(|| Error::other("missing evm sign transaction result"))?;
+
+        match result {
+            EvmSignTransactionResult::Signature(signature) => {
+                Signature::try_from(signature.as_slice())
+                    .map_err(|_| Error::other("invalid signature returned by server"))
+            }
+            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(
+                ArbiterEvmSignTransactionError::PolicyEval(eval_error),
+            )),
+            EvmSignTransactionResult::Error(code) => Err(Error::other(format!(
+                "server failed to sign transaction with error code {code}"
+            ))),
+        }
     }
 }

server/crates/arbiter-proto/src/lib.rs

@@ -6,12 +6,56 @@ use base64::{Engine, prelude::BASE64_STANDARD};
 pub mod proto {
     tonic::include_proto!("arbiter");
 
+    pub mod shared {
+        tonic::include_proto!("arbiter.shared");
+
+        pub mod evm {
+            tonic::include_proto!("arbiter.shared.evm");
+        }
+    }
+
     pub mod user_agent {
         tonic::include_proto!("arbiter.user_agent");
+
+        pub mod auth {
+            tonic::include_proto!("arbiter.user_agent.auth");
+        }
+
+        pub mod evm {
+            tonic::include_proto!("arbiter.user_agent.evm");
+        }
+
+        pub mod sdk_client {
+            tonic::include_proto!("arbiter.user_agent.sdk_client");
+        }
+
+        pub mod vault {
+            tonic::include_proto!("arbiter.user_agent.vault");
+
+            pub mod bootstrap {
+                tonic::include_proto!("arbiter.user_agent.vault.bootstrap");
+            }
+
+            pub mod unseal {
+                tonic::include_proto!("arbiter.user_agent.vault.unseal");
+            }
+        }
     }
 
     pub mod client {
         tonic::include_proto!("arbiter.client");
+
+        pub mod auth {
+            tonic::include_proto!("arbiter.client.auth");
+        }
+
+        pub mod evm {
+            tonic::include_proto!("arbiter.client.evm");
+        }
+
+        pub mod vault {
+            tonic::include_proto!("arbiter.client.vault");
+        }
     }
 
     pub mod evm {

server/crates/arbiter-proto/src/url.rs

@@ -7,7 +7,6 @@ const ARBITER_URL_SCHEME: &str = "arbiter";
 const CERT_QUERY_KEY: &str = "cert";
 const BOOTSTRAP_TOKEN_QUERY_KEY: &str = "bootstrap_token";
 
-
 #[derive(Debug, Clone)]
 pub struct ArbiterUrl {
     pub host: String,

server/crates/arbiter-server/Cargo.toml

@@ -25,7 +25,6 @@ tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 rustls.workspace = true
 smlang.workspace = true
-miette.workspace = true
 thiserror.workspace = true
 fatality = "0.1.1"
 diesel_migrations = { version = "2.3.1", features = ["sqlite"] }
@@ -49,10 +48,12 @@ pem = "3.0.6"
 k256.workspace = true
 rsa.workspace = true
 sha2.workspace = true
+hmac = "0.12"
 spki.workspace = true
 alloy.workspace = true
 prost-types.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
+anyhow = "1.0.102"
 
 [dev-dependencies]
 insta = "1.46.3"

server/crates/arbiter-server/migrations/2026-02-14-171124-0000_init/up.sql

@@ -47,6 +47,7 @@ create table if not exists useragent_client (
     id integer not null primary key,
     nonce integer not null default(1), -- used for auth challenge
     public_key blob not null,
+    pubkey_integrity_tag blob,
     key_type integer not null default(1), -- 1=Ed25519, 2=ECDSA(secp256k1)
     created_at integer not null default(unixepoch ('now')),
     updated_at integer not null default(unixepoch ('now'))

server/crates/arbiter-server/src/actors/bootstrap.rs

@@ -2,7 +2,7 @@ use arbiter_proto::{BOOTSTRAP_PATH, home_path};
 use diesel::QueryDsl;
 use diesel_async::RunQueryDsl;
 use kameo::{Actor, messages};
-use miette::Diagnostic;
+
 use rand::{RngExt, distr::Alphanumeric, make_rng, rngs::StdRng};
 use thiserror::Error;
 
@@ -25,18 +25,15 @@ pub async fn generate_token() -> Result<String, std::io::Error> {
     Ok(token)
 }
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum Error {
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::database))]
     Database(#[from] db::PoolError),
 
     #[error("Database query error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::database_query))]
     Query(#[from] diesel::result::Error),
 
     #[error("I/O error: {0}")]
-    #[diagnostic(code(arbiter_server::bootstrap::io))]
     Io(#[from] std::io::Error),
 }
 

server/crates/arbiter-server/src/actors/client/auth.rs

@@ -1,5 +1,6 @@
 use arbiter_proto::{
-    ClientMetadata, format_challenge, transport::{Bi, expect_message}
+    ClientMetadata, format_challenge,
+    transport::{Bi, expect_message},
 };
 use chrono::Utc;
 use diesel::{
@@ -83,7 +84,6 @@ async fn get_client_and_nonce(
     })?;
 
     conn.exclusive_transaction(|conn| {
-        let pubkey_bytes = pubkey_bytes.clone();
         Box::pin(async move {
             let Some((client_id, current_nonce)) = program_client::table
                 .filter(program_client::public_key.eq(&pubkey_bytes))
@@ -287,10 +287,7 @@ where
     Ok(())
 }
 
-pub async fn authenticate<T>(
+pub async fn authenticate<T>(props: &mut ClientConnection, transport: &mut T) -> Result<i32, Error>
-    props: &mut ClientConnection,
-    transport: &mut T,
-) -> Result<VerifyingKey, Error>
 where
     T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
@@ -318,9 +315,8 @@ where
     };
 
     sync_client_metadata(&props.db, info.id, &metadata).await?;
-
     challenge_client(transport, pubkey, info.current_nonce).await?;
-    
+
     transport
         .send(Ok(Outbound::AuthSuccess))
         .await
@@ -329,5 +325,5 @@ where
             Error::Transport
         })?;
 
-    Ok(pubkey)
+    Ok(info.id)
 }

server/crates/arbiter-server/src/actors/client/mod.rs

@@ -3,7 +3,7 @@ use kameo::actor::Spawn;
 use tracing::{error, info};
 
 use crate::{
-    actors::{GlobalActors, client::{ session::ClientSession}},
+    actors::{GlobalActors, client::session::ClientSession},
     db,
 };
 
@@ -32,8 +32,8 @@ where
     T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send + ?Sized,
 {
     match auth::authenticate(&mut props, transport).await {
-        Ok(_pubkey) => {
+        Ok(client_id) => {
-            ClientSession::spawn(ClientSession::new(props));
+            ClientSession::spawn(ClientSession::new(props, client_id));
             info!("Client authenticated, session started");
         }
         Err(err) => {

server/crates/arbiter-server/src/actors/client/session.rs

@@ -1,21 +1,28 @@
 use kameo::{Actor, messages};
 use tracing::error;
 
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
+
 use crate::{
     actors::{
-        GlobalActors, client::ClientConnection, flow_coordinator::RegisterClient,
+        GlobalActors,
+        client::ClientConnection,
+        evm::{ClientSignTransaction, SignTransactionError},
+        flow_coordinator::RegisterClient,
         keyholder::KeyHolderState,
     },
     db,
+    evm::VetError,
 };
 
 pub struct ClientSession {
     props: ClientConnection,
+    client_id: i32,
 }
 
 impl ClientSession {
-    pub(crate) fn new(props: ClientConnection) -> Self {
+    pub(crate) fn new(props: ClientConnection, client_id: i32) -> Self {
-        Self { props }
+        Self { props, client_id }
     }
 }
 
@@ -35,6 +42,34 @@ impl ClientSession {
 
         Ok(vault_state)
     }
+
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionRpcError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id: self.client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(kameo::error::SendError::HandlerError(SignTransactionError::Vet(vet_error))) => {
+                Err(SignTransactionRpcError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "Failed to sign EVM transaction in client session");
+                Err(SignTransactionRpcError::Internal)
+            }
+        }
+    }
 }
 
 impl Actor for ClientSession {
@@ -59,7 +94,10 @@ impl Actor for ClientSession {
 impl ClientSession {
     pub fn new_test(db: db::DatabasePool, actors: GlobalActors) -> Self {
         let props = ClientConnection::new(db, actors);
-        Self { props }
+        Self {
+            props,
+            client_id: 0,
+        }
     }
 }
 
@@ -70,3 +108,12 @@ pub enum Error {
     #[error("Internal error")]
     Internal,
 }
+
+#[derive(Debug, thiserror::Error)]
+pub enum SignTransactionRpcError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] VetError),
+
+    #[error("Internal error")]
+    Internal,
+}

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -9,7 +9,7 @@ use rand::{SeedableRng, rng, rngs::StdRng};
 use crate::{
     actors::keyholder::{CreateNew, Decrypt, KeyHolder},
     db::{
-        self, DatabaseError, DatabasePool,
+        DatabaseError, DatabasePool,
         models::{self, SqliteTimestamp},
         schema,
     },
@@ -25,45 +25,36 @@ use crate::{
 
 pub use crate::evm::safe_signer;
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum SignTransactionError {
     #[error("Wallet not found")]
-    #[diagnostic(code(arbiter::evm::sign::wallet_not_found))]
     WalletNotFound,
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::database))]
     Database(#[from] DatabaseError),
 
     #[error("Keyholder error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::keyholder))]
     Keyholder(#[from] crate::actors::keyholder::Error),
 
     #[error("Keyholder mailbox error")]
-    #[diagnostic(code(arbiter::evm::sign::keyholder_send))]
     KeyholderSend,
 
     #[error("Signing error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::signing))]
     Signing(#[from] alloy::signers::Error),
 
     #[error("Policy error: {0}")]
-    #[diagnostic(code(arbiter::evm::sign::vet))]
     Vet(#[from] evm::VetError),
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum Error {
     #[error("Keyholder error: {0}")]
-    #[diagnostic(code(arbiter::evm::keyholder))]
     Keyholder(#[from] crate::actors::keyholder::Error),
 
     #[error("Keyholder mailbox error")]
-    #[diagnostic(code(arbiter::evm::keyholder_send))]
     KeyholderSend,
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::evm::database))]
     Database(#[from] DatabaseError),
 }
 

server/crates/arbiter-server/src/actors/flow_coordinator/client_connect_approval.rs

@@ -15,7 +15,7 @@ use crate::actors::{
 pub struct Args {
     pub client: ClientProfile,
     pub user_agents: Vec<ActorRef<UserAgentSession>>,
-    pub reply: ReplySender<Result<bool, ApprovalError>>
+    pub reply: ReplySender<Result<bool, ApprovalError>>,
 }
 
 pub struct ClientApprovalController {
@@ -39,7 +39,11 @@ impl Actor for ClientApprovalController {
     type Error = ();
 
     async fn on_start(
-        Args { client, mut user_agents, reply }: Self::Args,
+        Args {
+            client,
+            mut user_agents,
+            reply,
+        }: Self::Args,
         actor_ref: ActorRef<Self>,
     ) -> Result<Self, Self::Error> {
         let this = Self {

server/crates/arbiter-server/src/actors/keyholder/mod.rs

@@ -8,7 +8,14 @@ use kameo::{Actor, Reply, messages};
 use strum::{EnumDiscriminants, IntoDiscriminant};
 use tracing::{error, info};
 
-use crate::safe_cell::SafeCell;
+use crate::{
+    crypto::{
+        KeyCell, derive_key,
+        encryption::v1::{self, Nonce},
+        integrity::v1::compute_integrity_tag,
+    },
+    safe_cell::SafeCell,
+};
 use crate::{
     db::{
         self,
@@ -17,9 +24,6 @@ use crate::{
     },
     safe_cell::SafeCellHandle as _,
 };
-use encryption::v1::{self, KeyCell, Nonce};
-
-pub mod encryption;
 
 #[derive(Default, EnumDiscriminants)]
 #[strum_discriminants(derive(Reply), vis(pub), name(KeyHolderState))]
@@ -35,36 +39,28 @@ enum State {
     },
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum Error {
     #[error("Keyholder is already bootstrapped")]
-    #[diagnostic(code(arbiter::keyholder::already_bootstrapped))]
     AlreadyBootstrapped,
     #[error("Keyholder is not bootstrapped")]
-    #[diagnostic(code(arbiter::keyholder::not_bootstrapped))]
     NotBootstrapped,
     #[error("Invalid key provided")]
-    #[diagnostic(code(arbiter::keyholder::invalid_key))]
     InvalidKey,
 
     #[error("Requested aead entry not found")]
-    #[diagnostic(code(arbiter::keyholder::aead_not_found))]
     NotFound,
 
     #[error("Encryption error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::encryption_error))]
     Encryption(#[from] chacha20poly1305::aead::Error),
 
     #[error("Database error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::database_error))]
     DatabaseConnection(#[from] db::PoolError),
 
     #[error("Database transaction error: {0}")]
-    #[diagnostic(code(arbiter::keyholder::database_transaction_error))]
     DatabaseTransaction(#[from] diesel::result::Error),
 
     #[error("Broken database")]
-    #[diagnostic(code(arbiter::keyholder::broken_database))]
     BrokenDatabase,
 }
 
@@ -114,14 +110,13 @@ impl KeyHolder {
                         .first(conn)
                         .await?;
 
-                    let mut nonce =
+                    let mut nonce = Nonce::try_from(current_nonce.as_slice()).map_err(|_| {
-                        v1::Nonce::try_from(current_nonce.as_slice()).map_err(|_| {
+                        error!(
-                            error!(
+                            "Broken database: invalid nonce for root key history id={}",
-                                "Broken database: invalid nonce for root key history id={}",
+                            root_key_id
-                                root_key_id
+                        );
-                            );
+                        Error::BrokenDatabase
-                            Error::BrokenDatabase
+                    })?;
-                        })?;
                     nonce.increment();
 
                     update(schema::root_key_history::table)
@@ -144,12 +139,12 @@ impl KeyHolder {
             return Err(Error::AlreadyBootstrapped);
         }
         let salt = v1::generate_salt();
-        let mut seal_key = v1::derive_seal_key(seal_key_raw, &salt);
+        let mut seal_key = derive_key(seal_key_raw, &salt);
         let mut root_key = KeyCell::new_secure_random();
 
         // Zero nonces are fine because they are one-time
-        let root_key_nonce = v1::Nonce::default();
+        let root_key_nonce = Nonce::default();
-        let data_encryption_nonce = v1::Nonce::default();
+        let data_encryption_nonce = Nonce::default();
 
         let root_key_ciphertext: Vec<u8> = root_key.0.read_inline(|reader| {
             let root_key_reader = reader.as_slice();
@@ -214,7 +209,6 @@ impl KeyHolder {
             let mut conn = self.db.get().await?;
             schema::root_key_history::table
                 .filter(schema::root_key_history::id.eq(*root_key_history_id))
-                .select(schema::root_key_history::data_encryption_nonce)
                 .select(RootKeyHistory::as_select())
                 .first(&mut conn)
                 .await?
@@ -225,7 +219,7 @@ impl KeyHolder {
             error!("Broken database: invalid salt for root key");
             Error::BrokenDatabase
         })?;
-        let mut seal_key = v1::derive_seal_key(seal_key_raw, &salt);
+        let mut seal_key = derive_key(seal_key_raw, &salt);
 
         let mut root_key = SafeCell::new(current_key.ciphertext.clone());
 
@@ -245,7 +239,7 @@ impl KeyHolder {
 
         self.state = State::Unsealed {
             root_key_history_id: current_key.id,
-            root_key: v1::KeyCell::try_from(root_key).map_err(|err| {
+            root_key: KeyCell::try_from(root_key).map_err(|err| {
                 error!(?err, "Broken database: invalid encryption key size");
                 Error::BrokenDatabase
             })?,
@@ -256,7 +250,22 @@ impl KeyHolder {
         Ok(())
     }
 
-    // Decrypts the `aead_encrypted` entry with the given ID and returns the plaintext
+    // Signs a generic integrity payload using the vault-derived integrity key
+    #[message]
+    pub fn sign_integrity_tag(
+        &mut self,
+        purpose_tag: Vec<u8>,
+        data_parts: Vec<Vec<u8>>,
+    ) -> Result<Vec<u8>, Error> {
+        let State::Unsealed { root_key, .. } = &mut self.state else {
+            return Err(Error::NotBootstrapped);
+        };
+
+        let tag =
+            compute_integrity_tag(root_key, &purpose_tag, data_parts.iter().map(Vec::as_slice));
+        Ok(tag.to_vec())
+    }
+
     #[message]
     pub async fn decrypt(&mut self, aead_id: i32) -> Result<SafeCell<Vec<u8>>, Error> {
         let State::Unsealed { root_key, .. } = &mut self.state else {
@@ -292,6 +301,7 @@ impl KeyHolder {
         let State::Unsealed {
             root_key,
             root_key_history_id,
+            ..
         } = &mut self.state
         else {
             return Err(Error::NotBootstrapped);

server/crates/arbiter-server/src/actors/mod.rs

@@ -1,5 +1,4 @@
 use kameo::actor::{ActorRef, Spawn};
-use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -17,14 +16,12 @@ pub mod flow_coordinator;
 pub mod keyholder;
 pub mod user_agent;
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum SpawnError {
     #[error("Failed to spawn Bootstrapper actor")]
-    #[diagnostic(code(SpawnError::Bootstrapper))]
     Bootstrapper(#[from] bootstrap::Error),
 
     #[error("Failed to spawn KeyHolder actor")]
-    #[diagnostic(code(SpawnError::KeyHolder))]
     KeyHolder(#[from] keyholder::Error),
 }
 

server/crates/arbiter-server/src/actors/user_agent/auth/state.rs

@@ -1,17 +1,27 @@
 use arbiter_proto::transport::Bi;
 use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl, update};
 use diesel_async::RunQueryDsl;
+use kameo::error::SendError;
 use tracing::error;
 
 use super::Error;
 use crate::{
     actors::{
         bootstrap::ConsumeToken,
+        keyholder::{self, SignIntegrityTag},
         user_agent::{AuthPublicKey, UserAgentConnection, auth::Outbound},
     },
+    crypto::integrity::v1::USERAGENT_INTEGRITY_TAG,
     db::schema,
 };
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum AttestationStatus {
+    Attested,
+    NotAttested,
+    Unavailable,
+}
+
 pub struct ChallengeRequest {
     pub pubkey: AuthPublicKey,
 }
@@ -40,7 +50,11 @@ smlang::statemachine!(
     }
 );
 
-async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Result<i32, Error> {
+async fn create_nonce(
+    db: &crate::db::DatabasePool,
+    pubkey_bytes: &[u8],
+    key_type: crate::db::models::KeyType,
+) -> Result<i32, Error> {
     let mut db_conn = db.get().await.map_err(|e| {
         error!(error = ?e, "Database pool error");
         Error::internal("Database unavailable")
@@ -50,12 +64,14 @@ async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Resu
             Box::pin(async move {
                 let current_nonce = schema::useragent_client::table
                     .filter(schema::useragent_client::public_key.eq(pubkey_bytes.to_vec()))
+                    .filter(schema::useragent_client::key_type.eq(key_type))
                     .select(schema::useragent_client::nonce)
                     .first::<i32>(conn)
                     .await?;
 
                 update(schema::useragent_client::table)
                     .filter(schema::useragent_client::public_key.eq(pubkey_bytes.to_vec()))
+                    .filter(schema::useragent_client::key_type.eq(key_type))
                     .set(schema::useragent_client::nonce.eq(current_nonce + 1))
                     .execute(conn)
                     .await?;
@@ -75,7 +91,11 @@ async fn create_nonce(db: &crate::db::DatabasePool, pubkey_bytes: &[u8]) -> Resu
         })
 }
 
-async fn register_key(db: &crate::db::DatabasePool, pubkey: &AuthPublicKey) -> Result<(), Error> {
+async fn register_key(
+    db: &crate::db::DatabasePool,
+    pubkey: &AuthPublicKey,
+    integrity_tag: Option<Vec<u8>>,
+) -> Result<(), Error> {
     let pubkey_bytes = pubkey.to_stored_bytes();
     let key_type = pubkey.key_type();
     let mut conn = db.get().await.map_err(|e| {
@@ -88,6 +108,7 @@ async fn register_key(db: &crate::db::DatabasePool, pubkey: &AuthPublicKey) -> R
             schema::useragent_client::public_key.eq(pubkey_bytes),
             schema::useragent_client::nonce.eq(1),
             schema::useragent_client::key_type.eq(key_type),
+            schema::useragent_client::pubkey_integrity_tag.eq(integrity_tag),
         ))
         .execute(&mut conn)
         .await
@@ -120,8 +141,15 @@ where
         &mut self,
         ChallengeRequest { pubkey }: ChallengeRequest,
     ) -> Result<ChallengeContext, Self::Error> {
+        match self.verify_pubkey_attestation_status(&pubkey).await? {
+            AttestationStatus::Attested | AttestationStatus::Unavailable => {}
+            AttestationStatus::NotAttested => {
+                return Err(Error::InvalidChallengeSolution);
+            }
+        }
+
         let stored_bytes = pubkey.to_stored_bytes();
-        let nonce = create_nonce(&self.conn.db, &stored_bytes).await?;
+        let nonce = create_nonce(&self.conn.db, &stored_bytes, pubkey.key_type()).await?;
 
         self.transport
             .send(Ok(Outbound::AuthChallenge { nonce }))
@@ -161,7 +189,15 @@ where
             return Err(Error::InvalidBootstrapToken);
         }
 
-        register_key(&self.conn.db, &pubkey).await?;
+        let integrity_tag = self
+            .try_sign_pubkey_integrity_tag(&pubkey)
+            .await
+            .map_err(|err| {
+                error!(?err, "Failed to sign user-agent pubkey integrity tag");
+                Error::internal("Failed to sign user-agent pubkey integrity tag")
+            })?;
+
+        register_key(&self.conn.db, &pubkey, integrity_tag).await?;
 
         self.transport
             .send(Ok(Outbound::AuthSuccess))
@@ -210,13 +246,111 @@ where
             }
         };
 
-        if valid {
+        match valid {
-            self.transport
+            true => {
-                .send(Ok(Outbound::AuthSuccess))
+                self.transport
-                .await
+                    .send(Ok(Outbound::AuthSuccess))
-                .map_err(|_| Error::Transport)?;
+                    .await
+                    .map_err(|_| Error::Transport)?;
+                Ok(key.clone())
+            }
+            false => {
+                self.transport
+                    .send(Err(Error::InvalidChallengeSolution))
+                    .await
+                    .map_err(|_| Error::Transport)?;
+                Err(Error::InvalidChallengeSolution)
+            }
+        }
+    }
+}
+
+impl<T> AuthContext<'_, T>
+where
+    T: Bi<super::Inbound, Result<super::Outbound, Error>> + Send,
+{
+    async fn try_sign_pubkey_integrity_tag(
+        &self,
+        pubkey: &AuthPublicKey,
+    ) -> Result<Option<Vec<u8>>, Error> {
+        let signed = self
+            .conn
+            .actors
+            .key_holder
+            .ask(SignIntegrityTag {
+                purpose_tag: USERAGENT_INTEGRITY_TAG.to_vec(),
+                data_parts: vec![
+                    (pubkey.key_type() as i32).to_be_bytes().to_vec(),
+                    pubkey.to_stored_bytes(),
+                ],
+            })
+            .await;
+
+        match signed {
+            Ok(tag) => Ok(Some(tag)),
+            Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => Ok(None),
+            Err(SendError::HandlerError(err)) => {
+                error!(
+                    ?err,
+                    "Keyholder failed to sign user-agent pubkey integrity tag"
+                );
+                Err(Error::internal(
+                    "Keyholder failed to sign user-agent pubkey integrity tag",
+                ))
+            }
+            Err(err) => {
+                error!(
+                    ?err,
+                    "Failed to contact keyholder for user-agent pubkey integrity tag"
+                );
+                Err(Error::internal(
+                    "Failed to contact keyholder for user-agent pubkey integrity tag",
+                ))
+            }
+        }
+    }
+
+    async fn verify_pubkey_attestation_status(
+        &self,
+        pubkey: &AuthPublicKey,
+    ) -> Result<AttestationStatus, Error> {
+        let stored_tag: Option<Option<Vec<u8>>> = {
+            let mut conn = self.conn.db.get().await.map_err(|e| {
+                error!(error = ?e, "Database pool error");
+                Error::internal("Database unavailable")
+            })?;
+
+            schema::useragent_client::table
+                .filter(schema::useragent_client::public_key.eq(pubkey.to_stored_bytes()))
+                .filter(schema::useragent_client::key_type.eq(pubkey.key_type()))
+                .select(schema::useragent_client::pubkey_integrity_tag)
+                .first::<Option<Vec<u8>>>(&mut conn)
+                .await
+                .optional()
+                .map_err(|e| {
+                    error!(error = ?e, "Database error");
+                    Error::internal("Database operation failed")
+                })?
+        };
+
+        let Some(stored_tag) = stored_tag else {
+            return Err(Error::UnregisteredPublicKey);
+        };
+
+        let Some(expected_tag) = self.try_sign_pubkey_integrity_tag(pubkey).await? else {
+            return Ok(AttestationStatus::Unavailable);
+        };
+
+        match stored_tag {
+            Some(stored_tag) if stored_tag == expected_tag => Ok(AttestationStatus::Attested),
+            Some(_) => {
+                error!("User-agent pubkey integrity tag mismatch");
+                Ok(AttestationStatus::NotAttested)
+            }
+            None => {
+                error!("Missing pubkey integrity tag for registered key while vault is unsealed");
+                Ok(AttestationStatus::NotAttested)
+            }
         }
-
-        Ok(key.clone())
     }
 }

server/crates/arbiter-server/src/actors/user_agent/session/connection.rs

@@ -1,13 +1,12 @@
 use std::sync::Mutex;
 
-use alloy::primitives::Address;
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
-use diesel::sql_types::ops::Add;
+use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper};
-use diesel::{BoolExpressionMethods as _, ExpressionMethods as _, QueryDsl as _, SelectableHelper};
 use diesel_async::{AsyncConnection, RunQueryDsl};
 use kameo::error::SendError;
+use kameo::messages;
 use kameo::prelude::Context;
-use kameo::{message, messages};
 use tracing::{error, info};
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -15,15 +14,15 @@ use crate::actors::flow_coordinator::client_connect_approval::ClientApprovalAnsw
 use crate::actors::keyholder::KeyHolderState;
 use crate::actors::user_agent::session::Error;
 use crate::db::models::{
-    CoreEvmWalletAccess, EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
+    EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
 };
-use crate::db::schema::evm_wallet_access;
 use crate::evm::policies::{Grant, SpecificGrant};
 use crate::safe_cell::SafeCell;
 use crate::{
     actors::{
         evm::{
-            Generate, ListWallets, UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
+            ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
+            UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
         },
         keyholder::{self, Bootstrap, TryUnseal},
         user_agent::session::{
@@ -112,6 +111,15 @@ pub enum BootstrapError {
     General(#[from] super::Error),
 }
 
+#[derive(Debug, Error)]
+pub enum SignTransactionError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] crate::evm::VetError),
+
+    #[error("Internal signing error")]
+    Internal,
+}
+
 #[messages]
 impl UserAgentSession {
     #[message]
@@ -356,6 +364,35 @@ impl UserAgentSession {
         }
     }
 
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        client_id: i32,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(SendError::HandlerError(EvmSignError::Vet(vet_error))) => {
+                Err(SignTransactionError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "EVM sign transaction failed in user-agent session");
+                Err(SignTransactionError::Internal)
+            }
+        }
+    }
+
     #[message]
     pub(crate) async fn handle_grant_evm_wallet_access(
         &mut self,

server/crates/arbiter-server/src/context/mod.rs

@@ -1,6 +1,5 @@
 use std::sync::Arc;
 
-use miette::Diagnostic;
 use thiserror::Error;
 
 use crate::{
@@ -11,30 +10,24 @@ use crate::{
 
 pub mod tls;
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum InitError {
     #[error("Database setup failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_setup))]
     DatabaseSetup(#[from] db::DatabaseSetupError),
 
     #[error("Connection acquire failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_pool))]
     DatabasePool(#[from] db::PoolError),
 
     #[error("Database query error: {0}")]
-    #[diagnostic(code(arbiter_server::init::database_query))]
     DatabaseQuery(#[from] diesel::result::Error),
 
     #[error("TLS initialization failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::tls_init))]
     Tls(#[from] tls::InitError),
 
     #[error("Actor spawn failed: {0}")]
-    #[diagnostic(code(arbiter_server::init::actor_spawn))]
     ActorSpawn(#[from] crate::actors::SpawnError),
 
     #[error("I/O Error: {0}")]
-    #[diagnostic(code(arbiter_server::init::io))]
     Io(#[from] std::io::Error),
 }
 

server/crates/arbiter-server/src/context/tls.rs

@@ -1,8 +1,8 @@
-use std::{net::IpAddr, string::FromUtf8Error};
+use std::{net::Ipv4Addr, string::FromUtf8Error};
 
 use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper as _};
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use miette::Diagnostic;
+
 use pem::Pem;
 use rcgen::{
     BasicConstraints, Certificate, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
@@ -29,30 +29,24 @@ const ENCODE_CONFIG: pem::EncodeConfig = {
     pem::EncodeConfig::new().set_line_ending(line_ending)
 };
 
-#[derive(Error, Debug, Diagnostic)]
+#[derive(Error, Debug)]
 pub enum InitError {
     #[error("Key generation error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_generation))]
     KeyGeneration(#[from] rcgen::Error),
 
     #[error("Key invalid format: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_invalid_format))]
     KeyInvalidFormat(#[from] FromUtf8Error),
 
     #[error("Key deserialization error: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::key_deserialization))]
     KeyDeserializationError(rcgen::Error),
 
     #[error("Database error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::database_error))]
     DatabaseError(#[from] diesel::result::Error),
 
     #[error("Pem deserialization error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::pem_deserialization))]
     PemDeserializationError(#[from] rustls::pki_types::pem::Error),
 
     #[error("Database pool acquire error during TLS initialization: {0}")]
-    #[diagnostic(code(arbiter_server::tls_init::database_pool_acquire))]
     DatabasePoolAcquire(#[from] db::PoolError),
 }
 
@@ -116,9 +110,7 @@ impl TlsCa {
         ];
         params
             .subject_alt_names
-            .push(SanType::IpAddress(IpAddr::from([
+            .push(SanType::IpAddress(Ipv4Addr::LOCALHOST.into()));
-                127, 0, 0, 1,
-            ])));
 
         let mut dn = DistinguishedName::new();
         dn.push(DnType::CommonName, "Arbiter Instance Leaf");

server/crates/arbiter-server/src/crypto/encryption/v1.rs

@@ -0,0 +1,109 @@
+use argon2::password_hash::Salt as ArgonSalt;
+
+use rand::{
+    Rng as _, SeedableRng,
+    rngs::{StdRng, SysRng},
+};
+
+pub const ROOT_KEY_TAG: &[u8] = "arbiter/seal/v1".as_bytes();
+pub const TAG: &[u8] = "arbiter/private-key/v1".as_bytes();
+
+pub const NONCE_LENGTH: usize = 24;
+
+#[derive(Default)]
+pub struct Nonce(pub [u8; NONCE_LENGTH]);
+impl Nonce {
+    pub fn increment(&mut self) {
+        for i in (0..self.0.len()).rev() {
+            if self.0[i] == 0xFF {
+                self.0[i] = 0;
+            } else {
+                self.0[i] += 1;
+                break;
+            }
+        }
+    }
+
+    pub fn to_vec(&self) -> Vec<u8> {
+        self.0.to_vec()
+    }
+}
+impl<'a> TryFrom<&'a [u8]> for Nonce {
+    type Error = ();
+
+    fn try_from(value: &'a [u8]) -> Result<Self, Self::Error> {
+        if value.len() != NONCE_LENGTH {
+            return Err(());
+        }
+        let mut nonce = [0u8; NONCE_LENGTH];
+        nonce.copy_from_slice(value);
+        Ok(Self(nonce))
+    }
+}
+
+pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];
+
+pub fn generate_salt() -> Salt {
+    let mut salt = Salt::default();
+    #[allow(
+        clippy::unwrap_used,
+        reason = "Rng failure is unrecoverable and should panic"
+    )]
+    let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
+    rng.fill_bytes(&mut salt);
+    salt
+}
+
+#[cfg(test)]
+mod tests {
+    use std::ops::Deref as _;
+
+    use super::*;
+    use crate::{
+        crypto::derive_key,
+        safe_cell::{SafeCell, SafeCellHandle as _},
+    };
+
+    #[test]
+    pub fn derive_seal_key_deterministic() {
+        static PASSWORD: &[u8] = b"password";
+        let password = SafeCell::new(PASSWORD.to_vec());
+        let password2 = SafeCell::new(PASSWORD.to_vec());
+        let salt = generate_salt();
+
+        let mut key1 = derive_key(password, &salt);
+        let mut key2 = derive_key(password2, &salt);
+
+        let key1_reader = key1.0.read();
+        let key2_reader = key2.0.read();
+
+        assert_eq!(key1_reader.deref(), key2_reader.deref());
+    }
+
+    #[test]
+    pub fn successful_derive() {
+        static PASSWORD: &[u8] = b"password";
+        let password = SafeCell::new(PASSWORD.to_vec());
+        let salt = generate_salt();
+
+        let mut key = derive_key(password, &salt);
+        let key_reader = key.0.read();
+        let key_ref = key_reader.deref();
+
+        assert_ne!(key_ref.as_slice(), &[0u8; 32][..]);
+    }
+
+    #[test]
+    // We should fuzz this
+    pub fn test_nonce_increment() {
+        let mut nonce = Nonce([0u8; NONCE_LENGTH]);
+        nonce.increment();
+
+        assert_eq!(
+            nonce.0,
+            [
+                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
+            ]
+        );
+    }
+}

server/crates/arbiter-server/src/crypto/integrity/mod.rs

@@ -0,0 +1 @@
+pub mod v1;

server/crates/arbiter-server/src/crypto/integrity/v1.rs

@@ -0,0 +1,78 @@
+use crate::{crypto::KeyCell, safe_cell::SafeCellHandle as _};
+use chacha20poly1305::Key;
+use hmac::Mac as _;
+
+pub const USERAGENT_INTEGRITY_DERIVE_TAG: &[u8] = "arbiter/useragent/integrity-key/v1".as_bytes();
+pub const USERAGENT_INTEGRITY_TAG: &[u8] = "arbiter/useragent/pubkey-entry/v1".as_bytes();
+
+/// Computes an integrity tag for a specific domain and payload shape.
+pub fn compute_integrity_tag<'a, I>(
+    integrity_key: &mut KeyCell,
+    purpose_tag: &[u8],
+    data_parts: I,
+) -> [u8; 32]
+where
+    I: IntoIterator<Item = &'a [u8]>,
+{
+    type HmacSha256 = hmac::Hmac<sha2::Sha256>;
+
+    let mut output_tag = [0u8; 32];
+    integrity_key.0.read_inline(|integrity_key_bytes: &Key| {
+        let mut mac = <HmacSha256 as hmac::Mac>::new_from_slice(integrity_key_bytes.as_ref())
+            .expect("HMAC key initialization must not fail for 32-byte key");
+        mac.update(purpose_tag);
+        for data_part in data_parts {
+            mac.update(data_part);
+        }
+        output_tag.copy_from_slice(&mac.finalize().into_bytes());
+    });
+
+    output_tag
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::{
+        crypto::{derive_key, encryption::v1::generate_salt},
+        safe_cell::{SafeCell, SafeCellHandle as _},
+    };
+
+    use super::{USERAGENT_INTEGRITY_TAG, compute_integrity_tag};
+
+    #[test]
+    pub fn integrity_tag_deterministic() {
+        let salt = generate_salt();
+        let mut integrity_key = derive_key(SafeCell::new(b"password".to_vec()), &salt);
+        let key_type = 1i32.to_be_bytes();
+        let t1 = compute_integrity_tag(
+            &mut integrity_key,
+            USERAGENT_INTEGRITY_TAG,
+            [key_type.as_slice(), b"pubkey".as_ref()],
+        );
+        let t2 = compute_integrity_tag(
+            &mut integrity_key,
+            USERAGENT_INTEGRITY_TAG,
+            [key_type.as_slice(), b"pubkey".as_ref()],
+        );
+        assert_eq!(t1, t2);
+    }
+
+    #[test]
+    pub fn integrity_tag_changes_with_payload() {
+        let salt = generate_salt();
+        let mut integrity_key = derive_key(SafeCell::new(b"password".to_vec()), &salt);
+        let key_type_1 = 1i32.to_be_bytes();
+        let key_type_2 = 2i32.to_be_bytes();
+        let t1 = compute_integrity_tag(
+            &mut integrity_key,
+            USERAGENT_INTEGRITY_TAG,
+            [key_type_1.as_slice(), b"pubkey".as_ref()],
+        );
+        let t2 = compute_integrity_tag(
+            &mut integrity_key,
+            USERAGENT_INTEGRITY_TAG,
+            [key_type_2.as_slice(), b"pubkey".as_ref()],
+        );
+        assert_ne!(t1, t2);
+    }
+}

server/crates/arbiter-server/src/crypto/mod.rs

@@ -1,52 +1,21 @@
 use std::ops::Deref as _;
 
-use argon2::{Algorithm, Argon2, password_hash::Salt as ArgonSalt};
+use argon2::{Algorithm, Argon2};
 use chacha20poly1305::{
     AeadInPlace, Key, KeyInit as _, XChaCha20Poly1305, XNonce,
     aead::{AeadMut, Error, Payload},
 };
 use rand::{
-    Rng as _, SeedableRng,
+    Rng as _, SeedableRng as _,
     rngs::{StdRng, SysRng},
 };
 
 use crate::safe_cell::{SafeCell, SafeCellHandle as _};
 
-pub const ROOT_KEY_TAG: &[u8] = "arbiter/seal/v1".as_bytes();
+pub mod encryption;
-pub const TAG: &[u8] = "arbiter/private-key/v1".as_bytes();
+pub mod integrity;
 
-pub const NONCE_LENGTH: usize = 24;
+use encryption::v1::{Nonce, Salt};
-
-#[derive(Default)]
-pub struct Nonce([u8; NONCE_LENGTH]);
-impl Nonce {
-    pub fn increment(&mut self) {
-        for i in (0..self.0.len()).rev() {
-            if self.0[i] == 0xFF {
-                self.0[i] = 0;
-            } else {
-                self.0[i] += 1;
-                break;
-            }
-        }
-    }
-
-    pub fn to_vec(&self) -> Vec<u8> {
-        self.0.to_vec()
-    }
-}
-impl<'a> TryFrom<&'a [u8]> for Nonce {
-    type Error = ();
-
-    fn try_from(value: &'a [u8]) -> Result<Self, Self::Error> {
-        if value.len() != NONCE_LENGTH {
-            return Err(());
-        }
-        let mut nonce = [0u8; NONCE_LENGTH];
-        nonce.copy_from_slice(value);
-        Ok(Self(nonce))
-    }
-}
 
 pub struct KeyCell(pub SafeCell<Key>);
 impl From<SafeCell<Key>> for KeyCell {
@@ -133,22 +102,9 @@ impl KeyCell {
     }
 }
 
-pub type Salt = [u8; ArgonSalt::RECOMMENDED_LENGTH];
-
-pub fn generate_salt() -> Salt {
-    let mut salt = Salt::default();
-    #[allow(
-        clippy::unwrap_used,
-        reason = "Rng failure is unrecoverable and should panic"
-    )]
-    let mut rng = StdRng::try_from_rng(&mut SysRng).unwrap();
-    rng.fill_bytes(&mut salt);
-    salt
-}
-
 /// User password might be of different length, have not enough entropy, etc...
 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
-pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
+pub fn derive_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
     #[allow(clippy::unwrap_used)]
     let params = argon2::Params::new(262_144, 3, 4, None).unwrap();
     let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params);
@@ -171,37 +127,11 @@ pub fn derive_seal_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell
 
 #[cfg(test)]
 mod tests {
-    use super::*;
+    use super::{
-    use crate::safe_cell::SafeCell;
+        derive_key,
-
+        encryption::v1::{Nonce, generate_salt},
-    #[test]
+    };
-    pub fn derive_seal_key_deterministic() {
+    use crate::safe_cell::{SafeCell, SafeCellHandle as _};
-        static PASSWORD: &[u8] = b"password";
-        let password = SafeCell::new(PASSWORD.to_vec());
-        let password2 = SafeCell::new(PASSWORD.to_vec());
-        let salt = generate_salt();
-
-        let mut key1 = derive_seal_key(password, &salt);
-        let mut key2 = derive_seal_key(password2, &salt);
-
-        let key1_reader = key1.0.read();
-        let key2_reader = key2.0.read();
-
-        assert_eq!(key1_reader.deref(), key2_reader.deref());
-    }
-
-    #[test]
-    pub fn successful_derive() {
-        static PASSWORD: &[u8] = b"password";
-        let password = SafeCell::new(PASSWORD.to_vec());
-        let salt = generate_salt();
-
-        let mut key = derive_seal_key(password, &salt);
-        let key_reader = key.0.read();
-        let key_ref = key_reader.deref();
-
-        assert_ne!(key_ref.as_slice(), &[0u8; 32][..]);
-    }
 
     #[test]
     pub fn encrypt_decrypt() {
@@ -209,7 +139,7 @@ mod tests {
         let password = SafeCell::new(PASSWORD.to_vec());
         let salt = generate_salt();
 
-        let mut key = derive_seal_key(password, &salt);
+        let mut key = derive_key(password, &salt);
         let nonce = Nonce(*b"unique nonce 123 1231233"); // 24 bytes for XChaCha20Poly1305
         let associated_data = b"associated data";
         let mut buffer = b"secret data".to_vec();
@@ -226,18 +156,4 @@ mod tests {
         let buffer = buffer.read();
         assert_eq!(*buffer, b"secret data");
     }
-
-    #[test]
-    // We should fuzz this
-    pub fn test_nonce_increment() {
-        let mut nonce = Nonce([0u8; NONCE_LENGTH]);
-        nonce.increment();
-
-        assert_eq!(
-            nonce.0,
-            [
-                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
-            ]
-        );
-    }
 }

server/crates/arbiter-server/src/db/mod.rs

@@ -5,7 +5,7 @@ use diesel_async::{
     sync_connection_wrapper::SyncConnectionWrapper,
 };
 use diesel_migrations::{EmbeddedMigrations, MigrationHarness, embed_migrations};
-use miette::Diagnostic;
+
 use thiserror::Error;
 use tracing::info;
 
@@ -21,26 +21,21 @@ static DB_FILE: &str = "arbiter.sqlite";
 
 const MIGRATIONS: EmbeddedMigrations = embed_migrations!("migrations");
 
-#[derive(Error, Diagnostic, Debug)]
+#[derive(Error, Debug)]
 pub enum DatabaseSetupError {
     #[error("Failed to determine home directory")]
-    #[diagnostic(code(arbiter::db::home_dir))]
     HomeDir(std::io::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::connection))]
     Connection(diesel::ConnectionError),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::concurrency))]
     ConcurrencySetup(diesel::result::Error),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::migration))]
     Migration(Box<dyn std::error::Error + Send + Sync>),
 
     #[error(transparent)]
-    #[diagnostic(code(arbiter::db::pool))]
     Pool(#[from] PoolInitError),
 }
 

server/crates/arbiter-server/src/db/models.rs

@@ -242,6 +242,7 @@ pub struct UseragentClient {
     pub id: i32,
     pub nonce: i32,
     pub public_key: Vec<u8>,
+    pub pubkey_integrity_tag: Option<Vec<u8>>,
     pub created_at: SqliteTimestamp,
     pub updated_at: SqliteTimestamp,
     pub key_type: KeyType,

server/crates/arbiter-server/src/db/schema.rs

@@ -178,6 +178,7 @@ diesel::table! {
         id -> Integer,
         nonce -> Integer,
         public_key -> Binary,
+        pubkey_integrity_tag -> Nullable<Binary>,
         key_type -> Integer,
         created_at -> Integer,
         updated_at -> Integer,

server/crates/arbiter-server/src/evm/mod.rs

@@ -8,7 +8,6 @@ use alloy::{
 use chrono::Utc;
 use diesel::{ExpressionMethods as _, QueryDsl as _, QueryResult, insert_into, sqlite::Sqlite};
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use tracing_subscriber::registry::Data;
 
 use crate::{
     db::{
@@ -29,39 +28,32 @@ pub mod policies;
 mod utils;
 
 /// Errors that can only occur once the transaction meaning is known (during policy evaluation)
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum PolicyError {
     #[error("Database error")]
-    Error(#[from] crate::db::DatabaseError),
+    Database(#[from] crate::db::DatabaseError),
     #[error("Transaction violates policy: {0:?}")]
-    #[diagnostic(code(arbiter_server::evm::policy_error::violation))]
     Violations(Vec<EvalViolation>),
     #[error("No matching grant found")]
-    #[diagnostic(code(arbiter_server::evm::policy_error::no_matching_grant))]
     NoMatchingGrant,
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum VetError {
     #[error("Contract creation transactions are not supported")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::contract_creation_unsupported))]
     ContractCreationNotSupported,
     #[error("Engine can't classify this transaction")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::unsupported))]
     UnsupportedTransactionType,
     #[error("Policy evaluation failed: {1}")]
-    #[diagnostic(code(arbiter_server::evm::vet_error::evaluated))]
     Evaluated(SpecificMeaning, #[source] PolicyError),
 }
 
-#[derive(Debug, thiserror::Error, miette::Diagnostic)]
+#[derive(Debug, thiserror::Error)]
 pub enum AnalyzeError {
     #[error("Engine doesn't support granting permissions for contract creation")]
-    #[diagnostic(code(arbiter_server::evm::analyze_error::contract_creation_not_supported))]
     ContractCreationNotSupported,
 
     #[error("Unsupported transaction type")]
-    #[diagnostic(code(arbiter_server::evm::analyze_error::unsupported_transaction_type))]
     UnsupportedTransactionType,
 }
 

server/crates/arbiter-server/src/evm/policies.rs

@@ -6,7 +6,7 @@ use diesel::{
     ExpressionMethods as _, QueryDsl, SelectableHelper, result::QueryResult, sqlite::Sqlite,
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
-use miette::Diagnostic;
+
 use thiserror::Error;
 
 use crate::{
@@ -33,33 +33,27 @@ pub struct EvalContext {
     pub max_priority_fee_per_gas: u128,
 }
 
-#[derive(Debug, Error, Diagnostic)]
+#[derive(Debug, Error)]
 pub enum EvalViolation {
     #[error("This grant doesn't allow transactions to the target address {target}")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_target))]
     InvalidTarget { target: Address },
 
     #[error("Gas limit exceeded for this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::gas_limit_exceeded))]
     GasLimitExceeded {
         max_gas_fee_per_gas: Option<U256>,
         max_priority_fee_per_gas: Option<U256>,
     },
 
     #[error("Rate limit exceeded for this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::rate_limit_exceeded))]
     RateLimitExceeded,
 
     #[error("Transaction exceeds volumetric limits of the grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::volumetric_limit_exceeded))]
     VolumetricLimitExceeded,
 
     #[error("Transaction is outside of the grant's validity period")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_time))]
     InvalidTime,
 
     #[error("Transaction type is not allowed by this grant")]
-    #[diagnostic(code(arbiter_server::evm::eval_violation::invalid_transaction_type))]
     InvalidTransactionType,
 }
 

server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs

@@ -36,8 +36,8 @@ use super::{DatabaseID, EvalContext, EvalViolation};
 // Plain ether transfer
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
-    to: Address,
+    pub(crate) to: Address,
-    value: U256,
+    pub(crate) value: U256,
 }
 impl Display for Meaning {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -91,6 +91,7 @@ async fn query_relevant_past_transaction(
 
 async fn check_rate_limits(
     grant: &Grant<Settings>,
+    current_transfer_value: U256,
     db: &mut impl AsyncConnection<Backend = Sqlite>,
 ) -> QueryResult<Vec<EvalViolation>> {
     let mut violations = Vec::new();
@@ -99,12 +100,12 @@ async fn check_rate_limits(
     let past_transaction = query_relevant_past_transaction(grant.id, window, db).await?;
 
     let window_start = chrono::Utc::now() - grant.settings.limit.window;
-    let cumulative_volume: U256 = past_transaction
+    let prospective_cumulative_volume: U256 = past_transaction
         .iter()
         .filter(|(_, timestamp)| timestamp >= &window_start)
-        .fold(U256::default(), |acc, (value, _)| acc + *value);
+        .fold(current_transfer_value, |acc, (value, _)| acc + *value);
 
-    if cumulative_volume > grant.settings.limit.max_volume {
+    if prospective_cumulative_volume > grant.settings.limit.max_volume {
         violations.push(EvalViolation::VolumetricLimitExceeded);
     }
 
@@ -141,7 +142,7 @@ impl Policy for EtherTransfer {
             violations.push(EvalViolation::InvalidTarget { target: meaning.to });
         }
 
-        let rate_violations = check_rate_limits(grant, db).await?;
+        let rate_violations = check_rate_limits(grant, meaning.value, db).await?;
         violations.extend(rate_violations);
 
         Ok(violations)

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -198,7 +198,7 @@ async fn evaluate_rejects_volume_over_limit() {
             grant_id,
             wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
-            eth_value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
         })
         .execute(&mut *conn)
@@ -211,7 +211,7 @@ async fn evaluate_rejects_volume_over_limit() {
         shared: shared(),
         settings,
     };
-    let context = ctx(ALLOWED, U256::from(100u64));
+    let context = ctx(ALLOWED, U256::from(1u64));
     let m = EtherTransfer::analyze(&context).unwrap();
     let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
         .await
@@ -233,13 +233,13 @@ async fn evaluate_passes_at_exactly_volume_limit() {
         .await
         .unwrap();
 
-    // Exactly at the limit — the check is `>`, so this should not violate
+    // Exactly at the limit including current transfer — check is `>`, so this should not violate
     insert_into(evm_transaction_log::table)
         .values(NewEvmTransactionLog {
             grant_id,
             wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
-            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
+            eth_value: utils::u256_to_bytes(U256::from(900u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
         })
         .execute(&mut *conn)

server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs

@@ -38,9 +38,9 @@ fn grant_join() -> _ {
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
-    token: &'static TokenInfo,
+    pub(crate) token: &'static TokenInfo,
-    to: Address,
+    pub(crate) to: Address,
-    value: U256,
+    pub(crate) value: U256,
 }
 impl std::fmt::Display for Meaning {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -101,6 +101,7 @@ async fn query_relevant_past_transfers(
 
 async fn check_volume_rate_limits(
     grant: &Grant<Settings>,
+    current_transfer_value: U256,
     db: &mut impl AsyncConnection<Backend = Sqlite>,
 ) -> QueryResult<Vec<EvalViolation>> {
     let mut violations = Vec::new();
@@ -113,12 +114,12 @@ async fn check_volume_rate_limits(
 
     for limit in &grant.settings.volume_limits {
         let window_start = chrono::Utc::now() - limit.window;
-        let cumulative_volume: U256 = past_transfers
+        let prospective_cumulative_volume: U256 = past_transfers
             .iter()
             .filter(|(_, timestamp)| timestamp >= &window_start)
-            .fold(U256::default(), |acc, (value, _)| acc + *value);
+            .fold(current_transfer_value, |acc, (value, _)| acc + *value);
 
-        if cumulative_volume > limit.max_volume {
+        if prospective_cumulative_volume > limit.max_volume {
             violations.push(EvalViolation::VolumetricLimitExceeded);
             break;
         }
@@ -163,7 +164,7 @@ impl Policy for TokenTransfer {
             violations.push(EvalViolation::InvalidTarget { target: meaning.to });
         }
 
-        let rate_violations = check_volume_rate_limits(grant, db).await?;
+        let rate_violations = check_volume_rate_limits(grant, meaning.value, db).await?;
         violations.extend(rate_violations);
 
         Ok(violations)

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -220,7 +220,7 @@ async fn evaluate_rejects_wrong_restricted_recipient() {
 }
 
 #[tokio::test]
-async fn evaluate_passes_volume_within_limit() {
+async fn evaluate_passes_volume_at_exact_limit() {
     let db = db::create_test_pool().await;
     let mut conn = db.get().await.unwrap();
 
@@ -230,7 +230,7 @@ async fn evaluate_passes_volume_within_limit() {
         .await
         .unwrap();
 
-    // Record a past transfer of 500 (within 1000 limit)
+    // Record a past transfer of 900, with current transfer 100 => exactly 1000 limit
     use crate::db::{models::NewEvmTokenTransferLog, schema::evm_token_transfer_log};
     insert_into(evm_token_transfer_log::table)
         .values(NewEvmTokenTransferLog {
@@ -239,7 +239,7 @@ async fn evaluate_passes_volume_within_limit() {
             chain_id: CHAIN_ID as i32,
             token_contract: DAI.to_vec(),
             recipient_address: RECIPIENT.to_vec(),
-            value: utils::u256_to_bytes(U256::from(500u64)).to_vec(),
+            value: utils::u256_to_bytes(U256::from(900u64)).to_vec(),
         })
         .execute(&mut *conn)
         .await
@@ -282,7 +282,7 @@ async fn evaluate_rejects_volume_over_limit() {
             chain_id: CHAIN_ID as i32,
             token_contract: DAI.to_vec(),
             recipient_address: RECIPIENT.to_vec(),
-            value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
         })
         .execute(&mut *conn)
         .await
@@ -294,7 +294,7 @@ async fn evaluate_rejects_volume_over_limit() {
         shared: shared(),
         settings,
     };
-    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let calldata = transfer_calldata(RECIPIENT, U256::from(1u64));
     let context = ctx(DAI, calldata);
     let m = TokenTransfer::analyze(&context).unwrap();
     let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn)

server/crates/arbiter-server/src/grpc/client.rs

@@ -1,32 +1,24 @@
 use arbiter_proto::{
     proto::client::{
-        ClientRequest, ClientResponse, VaultState as ProtoVaultState,
+        ClientRequest, ClientResponse, client_request::Payload as ClientRequestPayload,
-        client_request::Payload as ClientRequestPayload,
         client_response::Payload as ClientResponsePayload,
     },
     transport::{Receiver, Sender, grpc::GrpcBi},
 };
-use kameo::{
+use kameo::actor::{ActorRef, Spawn as _};
-    actor::{ActorRef, Spawn as _},
-    error::SendError,
-};
 use tonic::Status;
 use tracing::{info, warn};
 
 use crate::{
-    actors::{
+    actors::client::{ClientConnection, session::ClientSession},
-        client::{
-            self, ClientConnection,
-            session::{ClientSession, Error, HandleQueryVaultState},
-        },
-        keyholder::KeyHolderState,
-    },
     grpc::request_tracker::RequestTracker,
 };
 
 mod auth;
+mod evm;
 mod inbound;
 mod outbound;
+mod vault;
 
 async fn dispatch_loop(
     mut bi: GrpcBi<ClientRequest, ClientResponse>,
@@ -34,7 +26,9 @@ async fn dispatch_loop(
     mut request_tracker: RequestTracker,
 ) {
     loop {
-        let Some(message) = bi.recv().await else { return };
+        let Some(message) = bi.recv().await else {
+            return;
+        };
 
         let conn = match message {
             Ok(conn) => conn,
@@ -53,16 +47,24 @@ async fn dispatch_loop(
         };
 
         let Some(payload) = conn.payload else {
-            let _ = bi.send(Err(Status::invalid_argument("Missing client request payload"))).await;
+            let _ = bi
+                .send(Err(Status::invalid_argument(
+                    "Missing client request payload",
+                )))
+                .await;
             return;
         };
 
         match dispatch_inner(&actor, payload).await {
             Ok(response) => {
-                if bi.send(Ok(ClientResponse {
+                if bi
-                    request_id: Some(request_id),
+                    .send(Ok(ClientResponse {
-                    payload: Some(response),
+                        request_id: Some(request_id),
-                })).await.is_err() {
+                        payload: Some(response),
+                    }))
+                    .await
+                    .is_err()
+                {
                     return;
                 }
             }
@@ -79,21 +81,10 @@ async fn dispatch_inner(
     payload: ClientRequestPayload,
 ) -> Result<ClientResponsePayload, Status> {
     match payload {
-        ClientRequestPayload::QueryVaultState(_) => {
+        ClientRequestPayload::Vault(req) => vault::dispatch(actor, req).await,
-            let state = match actor.ask(HandleQueryVaultState {}).await {
+        ClientRequestPayload::Evm(req) => evm::dispatch(actor, req).await,
-                Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+        ClientRequestPayload::Auth(..) => {
-                Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
+            warn!("Unsupported post-auth client auth request");
-                Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
-                Err(SendError::HandlerError(Error::Internal)) => ProtoVaultState::Error,
-                Err(err) => {
-                    warn!(error = ?err, "Failed to query vault state");
-                    ProtoVaultState::Error
-                }
-            };
-            Ok(ClientResponsePayload::VaultState(state.into()))
-        }
-        payload => {
-            warn!(?payload, "Unsupported post-auth client request");
             Err(Status::invalid_argument("Unsupported client request"))
         }
     }
@@ -102,14 +93,21 @@ async fn dispatch_inner(
 pub async fn start(mut conn: ClientConnection, mut bi: GrpcBi<ClientRequest, ClientResponse>) {
     let mut request_tracker = RequestTracker::default();
 
-    if let Err(e) = auth::start(&mut conn, &mut bi, &mut request_tracker).await {
+    let client_id = match auth::start(&mut conn, &mut bi, &mut request_tracker).await {
-        let mut transport = auth::AuthTransportAdapter::new(&mut bi, &mut request_tracker);
+        Ok(id) => id,
-        let _ = transport.send(Err(e.clone())).await;
+        Err(err) => {
-        warn!(error = ?e, "Client authentication failed");
+            let _ = bi
-        return;
+                .send(Err(Status::unauthenticated(format!(
+                    "Authentication failed: {}",
+                    err
+                ))))
+                .await;
+            warn!(error = ?err, "Client authentication failed");
+            return;
+        }
     };
 
-    let actor = client::session::ClientSession::spawn(client::session::ClientSession::new(conn));
+    let actor = ClientSession::spawn(ClientSession::new(conn, client_id));
     let actor_for_cleanup = actor.clone();
 
     info!("Client authenticated successfully");

server/crates/arbiter-server/src/grpc/client/auth.rs

@@ -1,11 +1,20 @@
 use arbiter_proto::{
-    ClientMetadata, proto::client::{
+    ClientMetadata,
-        AuthChallenge as ProtoAuthChallenge, AuthChallengeRequest as ProtoAuthChallengeRequest,
+    proto::{
-        AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
+        client::{
-        ClientInfo as ProtoClientInfo, ClientRequest, ClientResponse,
+            ClientRequest, ClientResponse,
-        client_request::Payload as ClientRequestPayload,
+            auth::{
-        client_response::Payload as ClientResponsePayload,
+                self as proto_auth, AuthChallenge as ProtoAuthChallenge,
-    }, transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi}
+                AuthChallengeRequest as ProtoAuthChallengeRequest,
+                AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
+                request::Payload as AuthRequestPayload, response::Payload as AuthResponsePayload,
+            },
+            client_request::Payload as ClientRequestPayload,
+            client_response::Payload as ClientResponsePayload,
+        },
+        shared::ClientInfo as ProtoClientInfo,
+    },
+    transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
 use async_trait::async_trait;
 use tonic::Status;
@@ -32,22 +41,22 @@ impl<'a> AuthTransportAdapter<'a> {
         }
     }
 
-    fn response_to_proto(response: auth::Outbound) -> ClientResponsePayload {
+    fn response_to_proto(response: auth::Outbound) -> AuthResponsePayload {
         match response {
             auth::Outbound::AuthChallenge { pubkey, nonce } => {
-                ClientResponsePayload::AuthChallenge(ProtoAuthChallenge {
+                AuthResponsePayload::Challenge(ProtoAuthChallenge {
                     pubkey: pubkey.to_bytes().to_vec(),
                     nonce,
                 })
             }
             auth::Outbound::AuthSuccess => {
-                ClientResponsePayload::AuthResult(ProtoAuthResult::Success.into())
+                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
             }
         }
     }
 
-    fn error_to_proto(error: auth::Error) -> ClientResponsePayload {
+    fn error_to_proto(error: auth::Error) -> AuthResponsePayload {
-        ClientResponsePayload::AuthResult(
+        AuthResponsePayload::Result(
             match error {
                 auth::Error::InvalidChallengeSolution => ProtoAuthResult::InvalidSignature,
                 auth::Error::ApproveError(auth::ApproveError::Denied) => {
@@ -67,18 +76,20 @@ impl<'a> AuthTransportAdapter<'a> {
 
     async fn send_client_response(
         &mut self,
-        payload: ClientResponsePayload,
+        payload: AuthResponsePayload,
     ) -> Result<(), TransportError> {
         self.bi
             .send(Ok(ClientResponse {
                 request_id: Some(self.request_tracker.current_request_id()),
-                payload: Some(payload),
+                payload: Some(ClientResponsePayload::Auth(proto_auth::Response {
+                    payload: Some(payload),
+                })),
             }))
             .await
     }
 
     async fn send_auth_result(&mut self, result: ProtoAuthResult) -> Result<(), TransportError> {
-        self.send_client_response(ClientResponsePayload::AuthResult(result.into()))
+        self.send_client_response(AuthResponsePayload::Result(result.into()))
             .await
     }
 }
@@ -117,9 +128,27 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
             }
         };
         let payload = request.payload?;
+        let ClientRequestPayload::Auth(auth_request) = payload else {
+            let _ = self
+                .bi
+                .send(Err(Status::invalid_argument(
+                    "Unsupported client auth request",
+                )))
+                .await;
+            return None;
+        };
+        let Some(payload) = auth_request.payload else {
+            let _ = self
+                .bi
+                .send(Err(Status::invalid_argument(
+                    "Missing client auth request payload",
+                )))
+                .await;
+            return None;
+        };
 
         match payload {
-            ClientRequestPayload::AuthChallengeRequest(ProtoAuthChallengeRequest {
+            AuthRequestPayload::ChallengeRequest(ProtoAuthChallengeRequest {
                 pubkey,
                 client_info,
             }) => {
@@ -143,9 +172,7 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     metadata: client_metadata_from_proto(client_info),
                 })
             }
-            ClientRequestPayload::AuthChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
-                signature,
-            }) => {
                 let Ok(signature) = ed25519_dalek::Signature::try_from(signature.as_slice()) else {
                     let _ = self
                         .send_auth_result(ProtoAuthResult::InvalidSignature)
@@ -154,15 +181,6 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                 };
                 Some(auth::Inbound::AuthChallengeSolution { signature })
             }
-            _ => {
-                let _ = self
-                    .bi
-                    .send(Err(Status::invalid_argument(
-                        "Unsupported client auth request",
-                    )))
-                    .await;
-                None
-            }
         }
     }
 }
@@ -181,8 +199,7 @@ pub async fn start(
     conn: &mut ClientConnection,
     bi: &mut GrpcBi<ClientRequest, ClientResponse>,
     request_tracker: &mut RequestTracker,
-) -> Result<(), auth::Error> {
+) -> Result<i32, auth::Error> {
     let mut transport = AuthTransportAdapter::new(bi, request_tracker);
-    client::auth::authenticate(conn, &mut transport).await?;
+    client::auth::authenticate(conn, &mut transport).await
-    Ok(())
 }

server/crates/arbiter-server/src/grpc/client/evm.rs

@@ -0,0 +1,87 @@
+use arbiter_proto::proto::{
+    client::{
+        client_response::Payload as ClientResponsePayload,
+        evm::{
+            self as proto_evm, request::Payload as EvmRequestPayload,
+            response::Payload as EvmResponsePayload,
+        },
+    },
+    evm::{
+        EvmError as ProtoEvmError, EvmSignTransactionResponse,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    },
+};
+use kameo::actor::ActorRef;
+use tonic::Status;
+use tracing::warn;
+
+use crate::{
+    actors::client::session::{ClientSession, HandleSignTransaction, SignTransactionRpcError},
+    grpc::{
+        Convert, TryConvert,
+        common::inbound::{RawEvmAddress, RawEvmTransaction},
+    },
+};
+
+fn wrap_response(payload: EvmResponsePayload) -> ClientResponsePayload {
+    ClientResponsePayload::Evm(proto_evm::Response {
+        payload: Some(payload),
+    })
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<ClientSession>,
+    req: proto_evm::Request,
+) -> Result<ClientResponsePayload, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument(
+            "Missing client EVM request payload",
+        ));
+    };
+
+    match payload {
+        EvmRequestPayload::SignTransaction(request) => {
+            let address = RawEvmAddress(request.wallet_address).try_convert()?;
+            let transaction = RawEvmTransaction(request.rlp_transaction).try_convert()?;
+
+            let response = match actor
+                .ask(HandleSignTransaction {
+                    wallet_address: address,
+                    transaction,
+                })
+                .await
+            {
+                Ok(signature) => EvmSignTransactionResponse {
+                    result: Some(EvmSignTransactionResult::Signature(
+                        signature.as_bytes().to_vec(),
+                    )),
+                },
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Vet(
+                    vet_error,
+                ))) => EvmSignTransactionResponse {
+                    result: Some(vet_error.convert()),
+                },
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Internal)) => {
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+                Err(err) => {
+                    warn!(error = ?err, "Failed to sign EVM transaction");
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+            };
+
+            Ok(wrap_response(EvmResponsePayload::SignTransaction(response)))
+        }
+        EvmRequestPayload::AnalyzeTransaction(_) => Err(Status::unimplemented(
+            "EVM transaction analysis is not yet implemented",
+        )),
+    }
+}

server/crates/arbiter-server/src/grpc/client/inbound.rs

@@ -0,0 +1 @@
+

server/crates/arbiter-server/src/grpc/client/outbound.rs

@@ -0,0 +1 @@
+

server/crates/arbiter-server/src/grpc/client/vault.rs

@@ -0,0 +1,47 @@
+use arbiter_proto::proto::{
+    client::{
+        client_response::Payload as ClientResponsePayload,
+        vault::{
+            self as proto_vault, request::Payload as VaultRequestPayload,
+            response::Payload as VaultResponsePayload,
+        },
+    },
+    shared::VaultState as ProtoVaultState,
+};
+use kameo::{actor::ActorRef, error::SendError};
+use tonic::Status;
+use tracing::warn;
+
+use crate::actors::{
+    client::session::{ClientSession, Error, HandleQueryVaultState},
+    keyholder::KeyHolderState,
+};
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<ClientSession>,
+    req: proto_vault::Request,
+) -> Result<ClientResponsePayload, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument(
+            "Missing client vault request payload",
+        ));
+    };
+
+    match payload {
+        VaultRequestPayload::QueryState(_) => {
+            let state = match actor.ask(HandleQueryVaultState {}).await {
+                Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+                Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
+                Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
+                Err(SendError::HandlerError(Error::Internal)) => ProtoVaultState::Error,
+                Err(err) => {
+                    warn!(error = ?err, "Failed to query vault state");
+                    ProtoVaultState::Error
+                }
+            };
+            Ok(ClientResponsePayload::Vault(proto_vault::Response {
+                payload: Some(VaultResponsePayload::State(state.into())),
+            }))
+        }
+    }
+}

server/crates/arbiter-server/src/grpc/common.rs

@@ -0,0 +1,2 @@
+pub mod inbound;
+pub mod outbound;

server/crates/arbiter-server/src/grpc/common/inbound.rs

@@ -0,0 +1,35 @@
+use alloy::{consensus::TxEip1559, primitives::Address, rlp::Decodable as _};
+
+use crate::grpc::TryConvert;
+
+pub struct RawEvmAddress(pub Vec<u8>);
+impl TryConvert for RawEvmAddress {
+    type Output = Address;
+
+    type Error = tonic::Status;
+
+    fn try_convert(self) -> Result<Self::Output, Self::Error> {
+        let wallet_address = match <[u8; 20]>::try_from(self.0.as_slice()) {
+            Ok(address) => Address::from(address),
+            Err(_) => {
+                return Err(tonic::Status::invalid_argument(
+                    "Invalid EVM wallet address",
+                ));
+            }
+        };
+        Ok(wallet_address)
+    }
+}
+
+pub struct RawEvmTransaction(pub Vec<u8>);
+impl TryConvert for RawEvmTransaction {
+    type Output = TxEip1559;
+
+    type Error = tonic::Status;
+
+    fn try_convert(self) -> Result<Self::Output, Self::Error> {
+        let tx = TxEip1559::decode(&mut self.0.as_slice())
+            .map_err(|_| tonic::Status::invalid_argument("Invalid EVM transaction format"))?;
+        Ok(tx)
+    }
+}

server/crates/arbiter-server/src/grpc/common/outbound.rs

@@ -0,0 +1,119 @@
+use alloy::primitives::U256;
+use arbiter_proto::proto::{
+    evm::{
+        EvmError as ProtoEvmError,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    },
+    shared::evm::{
+        EvalViolation as ProtoEvalViolation, GasLimitExceededViolation, NoMatchingGrantError,
+        PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
+        TokenInfo as ProtoTokenInfo, TransactionEvalError as ProtoTransactionEvalError,
+        eval_violation::Kind as ProtoEvalViolationKind,
+        specific_meaning::Meaning as ProtoSpecificMeaningKind,
+        transaction_eval_error::Kind as ProtoTransactionEvalErrorKind,
+    },
+};
+
+use crate::{
+    evm::{
+        PolicyError, VetError,
+        policies::{EvalViolation, SpecificMeaning},
+    },
+    grpc::Convert,
+};
+
+fn u256_to_proto_bytes(value: U256) -> Vec<u8> {
+    value.to_be_bytes::<32>().to_vec()
+}
+
+impl Convert for SpecificMeaning {
+    type Output = ProtoSpecificMeaning;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            SpecificMeaning::EtherTransfer(meaning) => ProtoSpecificMeaningKind::EtherTransfer(
+                arbiter_proto::proto::shared::evm::EtherTransferMeaning {
+                    to: meaning.to.to_vec(),
+                    value: u256_to_proto_bytes(meaning.value),
+                },
+            ),
+            SpecificMeaning::TokenTransfer(meaning) => ProtoSpecificMeaningKind::TokenTransfer(
+                arbiter_proto::proto::shared::evm::TokenTransferMeaning {
+                    token: Some(ProtoTokenInfo {
+                        symbol: meaning.token.symbol.to_string(),
+                        address: meaning.token.contract.to_vec(),
+                        chain_id: meaning.token.chain,
+                    }),
+                    to: meaning.to.to_vec(),
+                    value: u256_to_proto_bytes(meaning.value),
+                },
+            ),
+        };
+
+        ProtoSpecificMeaning {
+            meaning: Some(kind),
+        }
+    }
+}
+
+impl Convert for EvalViolation {
+    type Output = ProtoEvalViolation;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            EvalViolation::InvalidTarget { target } => {
+                ProtoEvalViolationKind::InvalidTarget(target.to_vec())
+            }
+            EvalViolation::GasLimitExceeded {
+                max_gas_fee_per_gas,
+                max_priority_fee_per_gas,
+            } => ProtoEvalViolationKind::GasLimitExceeded(GasLimitExceededViolation {
+                max_gas_fee_per_gas: max_gas_fee_per_gas.map(u256_to_proto_bytes),
+                max_priority_fee_per_gas: max_priority_fee_per_gas.map(u256_to_proto_bytes),
+            }),
+            EvalViolation::RateLimitExceeded => ProtoEvalViolationKind::RateLimitExceeded(()),
+            EvalViolation::VolumetricLimitExceeded => {
+                ProtoEvalViolationKind::VolumetricLimitExceeded(())
+            }
+            EvalViolation::InvalidTime => ProtoEvalViolationKind::InvalidTime(()),
+            EvalViolation::InvalidTransactionType => {
+                ProtoEvalViolationKind::InvalidTransactionType(())
+            }
+        };
+
+        ProtoEvalViolation { kind: Some(kind) }
+    }
+}
+
+impl Convert for VetError {
+    type Output = EvmSignTransactionResult;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            VetError::ContractCreationNotSupported => {
+                ProtoTransactionEvalErrorKind::ContractCreationNotSupported(())
+            }
+            VetError::UnsupportedTransactionType => {
+                ProtoTransactionEvalErrorKind::UnsupportedTransactionType(())
+            }
+            VetError::Evaluated(meaning, policy_error) => match policy_error {
+                PolicyError::NoMatchingGrant => {
+                    ProtoTransactionEvalErrorKind::NoMatchingGrant(NoMatchingGrantError {
+                        meaning: Some(meaning.convert()),
+                    })
+                }
+                PolicyError::Violations(violations) => {
+                    ProtoTransactionEvalErrorKind::PolicyViolations(PolicyViolationsError {
+                        meaning: Some(meaning.convert()),
+                        violations: violations.into_iter().map(Convert::convert).collect(),
+                    })
+                }
+                PolicyError::Database(_) => {
+                    return EvmSignTransactionResult::Error(ProtoEvmError::Internal.into());
+                }
+            },
+        };
+
+        EvmSignTransactionResult::EvalError(ProtoTransactionEvalError { kind: Some(kind) }.into())
+    }
+}

server/crates/arbiter-server/src/grpc/mod.rs

@@ -14,10 +14,13 @@ use crate::{
     grpc::user_agent::start,
 };
 
-pub mod client;
 mod request_tracker;
+
+pub mod client;
 pub mod user_agent;
 
+mod common;
+
 pub trait Convert {
     type Output;
 

server/crates/arbiter-server/src/grpc/user_agent.rs

@@ -1,64 +1,29 @@
 use tokio::sync::mpsc;
 
 use arbiter_proto::{
-    proto::{
+    proto::user_agent::{
-        client::ClientInfo as ProtoClientMetadata,
+        UserAgentRequest, UserAgentResponse,
-        evm::{
+        user_agent_request::Payload as UserAgentRequestPayload,
-            EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
+        user_agent_response::Payload as UserAgentResponsePayload,
-            EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
-            GrantEntry, WalletCreateResponse, WalletEntry, WalletList, WalletListResponse,
-            evm_grant_create_response::Result as EvmGrantCreateResult,
-            evm_grant_delete_response::Result as EvmGrantDeleteResult,
-            evm_grant_list_response::Result as EvmGrantListResult,
-            wallet_create_response::Result as WalletCreateResult,
-            wallet_list_response::Result as WalletListResult,
-        },
-        user_agent::{
-            BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
-            BootstrapResult as ProtoBootstrapResult, ListWalletAccessResponse,
-            SdkClientConnectionCancel as ProtoSdkClientConnectionCancel,
-            SdkClientConnectionRequest as ProtoSdkClientConnectionRequest,
-            SdkClientEntry as ProtoSdkClientEntry, SdkClientError as ProtoSdkClientError,
-            SdkClientGrantWalletAccess, SdkClientList as ProtoSdkClientList,
-            SdkClientListResponse as ProtoSdkClientListResponse, SdkClientRevokeWalletAccess,
-            SdkClientWalletAccess, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
-            UnsealResult as ProtoUnsealResult, UnsealStart, UserAgentRequest, UserAgentResponse,
-            VaultState as ProtoVaultState,
-            sdk_client_list_response::Result as ProtoSdkClientListResult,
-            user_agent_request::Payload as UserAgentRequestPayload,
-            user_agent_response::Payload as UserAgentResponsePayload,
-        },
     },
     transport::{Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
 use async_trait::async_trait;
-use kameo::{
+use kameo::actor::{ActorRef, Spawn as _};
-    actor::{ActorRef, Spawn as _},
-    error::SendError,
-};
 use tonic::Status;
 use tracing::{error, info, warn};
 
 use crate::{
-    actors::{
+    actors::user_agent::{OutOfBand, UserAgentConnection, UserAgentSession},
-        keyholder::KeyHolderState,
+    grpc::request_tracker::RequestTracker,
-        user_agent::{
-            OutOfBand, UserAgentConnection, UserAgentSession,
-            session::connection::{
-                BootstrapError, HandleBootstrapEncryptedKey, HandleEvmWalletCreate,
-                HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
-                HandleGrantEvmWalletAccess, HandleGrantList, HandleListWalletAccess,
-                HandleNewClientApprove, HandleQueryVaultState, HandleRevokeEvmWalletAccess,
-                HandleSdkClientList, HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
-            },
-        },
-    },
-    db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
-    grpc::{Convert, TryConvert, request_tracker::RequestTracker},
 };
+
 mod auth;
+mod evm;
 mod inbound;
 mod outbound;
+mod sdk_client;
+mod vault;
 
 pub struct OutOfBandAdapter(mpsc::Sender<OutOfBand>);
 
@@ -86,23 +51,7 @@ async fn dispatch_loop(
                     return;
                 };
 
-                let payload = match oob {
+                let payload = sdk_client::out_of_band_payload(oob);
-                    OutOfBand::ClientConnectionRequest { profile } => {
-                        UserAgentResponsePayload::SdkClientConnectionRequest(ProtoSdkClientConnectionRequest {
-                            pubkey: profile.pubkey.to_bytes().to_vec(),
-                            info: Some(ProtoClientMetadata {
-                                name: profile.metadata.name,
-                                description: profile.metadata.description,
-                                version: profile.metadata.version,
-                            }),
-                        })
-                    }
-                    OutOfBand::ClientConnectionCancel { pubkey } => {
-                        UserAgentResponsePayload::SdkClientConnectionCancel(ProtoSdkClientConnectionCancel {
-                            pubkey: pubkey.to_bytes().to_vec(),
-                        })
-                    }
-                };
 
                 if bi.send(Ok(UserAgentResponse { id: None, payload: Some(payload) })).await.is_err() {
                     return;
@@ -144,7 +93,7 @@ async fn dispatch_loop(
                     }
                     Ok(None) => {}
                     Err(status) => {
-                         error!(?status, "Failed to process user agent request");
+                        error!(?status, "Failed to process user agent request");
                         let _ = bi.send(Err(status)).await;
                         return;
                     }
@@ -158,285 +107,15 @@ async fn dispatch_inner(
     actor: &ActorRef<UserAgentSession>,
     payload: UserAgentRequestPayload,
 ) -> Result<Option<UserAgentResponsePayload>, Status> {
-    let response = match payload {
+    match payload {
-        UserAgentRequestPayload::UnsealStart(UnsealStart { client_pubkey }) => {
+        UserAgentRequestPayload::Vault(req) => vault::dispatch(actor, req).await,
-            let client_pubkey = <[u8; 32]>::try_from(client_pubkey)
+        UserAgentRequestPayload::Evm(req) => evm::dispatch(actor, req).await,
-                .map(x25519_dalek::PublicKey::from)
+        UserAgentRequestPayload::SdkClient(req) => sdk_client::dispatch(actor, req).await,
-                .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
+        UserAgentRequestPayload::Auth(..) => {
-
+            warn!("Unsupported post-auth user agent auth request");
-            let response = actor
+            Err(Status::invalid_argument("Unsupported user-agent request"))
-                .ask(HandleUnsealRequest { client_pubkey })
-                .await
-                .map_err(|err| {
-                    warn!(error = ?err, "Failed to handle unseal start request");
-                    Status::internal("Failed to start unseal flow")
-                })?;
-
-            UserAgentResponsePayload::UnsealStartResponse(
-                arbiter_proto::proto::user_agent::UnsealStartResponse {
-                    server_pubkey: response.server_pubkey.as_bytes().to_vec(),
-                },
-            )
         }
-
+    }
-        UserAgentRequestPayload::UnsealEncryptedKey(ProtoUnsealEncryptedKey {
-            nonce,
-            ciphertext,
-            associated_data,
-        }) => {
-            let result = match actor
-                .ask(HandleUnsealEncryptedKey {
-                    nonce,
-                    ciphertext,
-                    associated_data,
-                })
-                .await
-            {
-                Ok(()) => ProtoUnsealResult::Success,
-                Err(SendError::HandlerError(UnsealError::InvalidKey)) => {
-                    ProtoUnsealResult::InvalidKey
-                }
-                Err(err) => {
-                    warn!(error = ?err, "Failed to handle unseal request");
-                    return Err(Status::internal("Failed to unseal vault"));
-                }
-            };
-            UserAgentResponsePayload::UnsealResult(result.into())
-        }
-
-        UserAgentRequestPayload::BootstrapEncryptedKey(ProtoBootstrapEncryptedKey {
-            nonce,
-            ciphertext,
-            associated_data,
-        }) => {
-            let result = match actor
-                .ask(HandleBootstrapEncryptedKey {
-                    nonce,
-                    ciphertext,
-                    associated_data,
-                })
-                .await
-            {
-                Ok(()) => ProtoBootstrapResult::Success,
-                Err(SendError::HandlerError(BootstrapError::InvalidKey)) => {
-                    ProtoBootstrapResult::InvalidKey
-                }
-                Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
-                    ProtoBootstrapResult::AlreadyBootstrapped
-                }
-                Err(err) => {
-                    warn!(error = ?err, "Failed to handle bootstrap request");
-                    return Err(Status::internal("Failed to bootstrap vault"));
-                }
-            };
-            UserAgentResponsePayload::BootstrapResult(result.into())
-        }
-
-        UserAgentRequestPayload::QueryVaultState(_) => {
-            let state = match actor.ask(HandleQueryVaultState {}).await {
-                Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
-                Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
-                Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
-                Err(err) => {
-                    warn!(error = ?err, "Failed to query vault state");
-                    ProtoVaultState::Error
-                }
-            };
-            UserAgentResponsePayload::VaultState(state.into())
-        }
-
-        UserAgentRequestPayload::EvmWalletCreate(_) => {
-            let result = match actor.ask(HandleEvmWalletCreate {}).await {
-                Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
-                    id: wallet_id,
-                    address: address.to_vec(),
-                }),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to create EVM wallet");
-                    WalletCreateResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmWalletCreate(WalletCreateResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::EvmWalletList(_) => {
-            let result = match actor.ask(HandleEvmWalletList {}).await {
-                Ok(wallets) => WalletListResult::Wallets(WalletList {
-                    wallets: wallets
-                        .into_iter()
-                        .map(|(id, address)| WalletEntry {
-                            address: address.to_vec(),
-                            id,
-                        })
-                        .collect(),
-                }),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to list EVM wallets");
-                    WalletListResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmWalletList(WalletListResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::EvmGrantList(_) => {
-            let result = match actor.ask(HandleGrantList {}).await {
-                Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
-                    grants: grants
-                        .into_iter()
-                        .map(|grant| GrantEntry {
-                            id: grant.id,
-                            wallet_access_id: grant.shared.wallet_access_id,
-                            shared: Some(grant.shared.convert()),
-                            specific: Some(grant.settings.convert()),
-                        })
-                        .collect(),
-                }),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to list EVM grants");
-                    EvmGrantListResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmGrantList(EvmGrantListResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::EvmGrantCreate(EvmGrantCreateRequest { shared, specific }) => {
-            let basic = shared
-                .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
-                .try_convert()?;
-            let grant = specific
-                .ok_or_else(|| Status::invalid_argument("Missing specific grant settings"))?
-                .try_convert()?;
-
-            let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
-                Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to create EVM grant");
-                    EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmGrantCreate(EvmGrantCreateResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::EvmGrantDelete(EvmGrantDeleteRequest { grant_id }) => {
-            let result = match actor.ask(HandleGrantDelete { grant_id }).await {
-                Ok(()) => EvmGrantDeleteResult::Ok(()),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to delete EVM grant");
-                    EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::EvmGrantDelete(EvmGrantDeleteResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::SdkClientConnectionResponse(resp) => {
-            let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
-                .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
-            let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes)
-                .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key"))?;
-
-            actor
-                .ask(HandleNewClientApprove {
-                    approved: resp.approved,
-                    pubkey,
-                })
-                .await
-                .map_err(|err| {
-                    warn!(?err, "Failed to process client connection response");
-                    Status::internal("Failed to process response")
-                })?;
-
-            return Ok(None);
-        }
-
-        UserAgentRequestPayload::SdkClientRevoke(_) => todo!(),
-
-        UserAgentRequestPayload::SdkClientList(_) => {
-            let result = match actor.ask(HandleSdkClientList {}).await {
-                Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
-                    clients: clients
-                        .into_iter()
-                        .map(|(client, metadata)| ProtoSdkClientEntry {
-                            id: client.id,
-                            pubkey: client.public_key,
-                            info: Some(ProtoClientMetadata {
-                                name: metadata.name,
-                                description: metadata.description,
-                                version: metadata.version,
-                            }),
-                            created_at: client.created_at.0.timestamp() as i32,
-                        })
-                        .collect(),
-                }),
-                Err(err) => {
-                    warn!(error = ?err, "Failed to list SDK clients");
-                    ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
-                }
-            };
-            UserAgentResponsePayload::SdkClientListResponse(ProtoSdkClientListResponse {
-                result: Some(result),
-            })
-        }
-
-        UserAgentRequestPayload::GrantWalletAccess(SdkClientGrantWalletAccess { accesses }) => {
-            let entries: Vec<NewEvmWalletAccess> =
-                accesses.into_iter().map(|a| a.convert()).collect();
-
-            match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
-                Ok(()) => {
-                    info!("Successfully granted wallet access");
-                    return Ok(None);
-                }
-                Err(err) => {
-                    warn!(error = ?err, "Failed to grant wallet access");
-                    return Err(Status::internal("Failed to grant wallet access"));
-                }
-            }
-        }
-
-        UserAgentRequestPayload::RevokeWalletAccess(SdkClientRevokeWalletAccess { accesses }) => {
-            match actor.ask(HandleRevokeEvmWalletAccess { entries: accesses }).await {
-                Ok(()) => {
-                    info!("Successfully revoked wallet access");
-                    return Ok(None);
-                }
-                Err(err) => {
-                    warn!(error = ?err, "Failed to revoke wallet access");
-                    return Err(Status::internal("Failed to revoke wallet access"));
-                }
-            }
-        }
-
-        UserAgentRequestPayload::ListWalletAccess(_) => {
-            let result = match actor.ask(HandleListWalletAccess {}).await {
-                Ok(accesses) => ListWalletAccessResponse {
-                    accesses: accesses.into_iter().map(|a| a.convert()).collect(),
-                },
-                Err(err) => {
-                    warn!(error = ?err, "Failed to list wallet access");
-                    return Err(Status::internal("Failed to list wallet access"));
-                }
-            };
-            UserAgentResponsePayload::ListWalletAccessResponse(result)
-        }
-
-        UserAgentRequestPayload::AuthChallengeRequest(..)
-        | UserAgentRequestPayload::AuthChallengeSolution(..) => {
-            warn!(?payload, "Unsupported post-auth user agent request");
-            return Err(Status::invalid_argument("Unsupported user-agent request"));
-        }
-    };
-
-    Ok(Some(response))
 }
 
 pub async fn start(

server/crates/arbiter-server/src/grpc/user_agent/auth.rs

@@ -1,8 +1,13 @@
 use arbiter_proto::{
     proto::user_agent::{
-        AuthChallenge as ProtoAuthChallenge, AuthChallengeRequest as ProtoAuthChallengeRequest,
+        UserAgentRequest, UserAgentResponse,
-        AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
+        auth::{
-        KeyType as ProtoKeyType, UserAgentRequest, UserAgentResponse,
+            self as proto_auth, AuthChallenge as ProtoAuthChallenge,
+            AuthChallengeRequest as ProtoAuthChallengeRequest,
+            AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
+            KeyType as ProtoKeyType, request::Payload as AuthRequestPayload,
+            response::Payload as AuthResponsePayload,
+        },
         user_agent_request::Payload as UserAgentRequestPayload,
         user_agent_response::Payload as UserAgentResponsePayload,
     },
@@ -36,12 +41,14 @@ impl<'a> AuthTransportAdapter<'a> {
 
     async fn send_user_agent_response(
         &mut self,
-        payload: UserAgentResponsePayload,
+        payload: AuthResponsePayload,
     ) -> Result<(), TransportError> {
         self.bi
             .send(Ok(UserAgentResponse {
                 id: Some(self.request_tracker.current_request_id()),
-                payload: Some(payload),
+                payload: Some(UserAgentResponsePayload::Auth(proto_auth::Response {
+                    payload: Some(payload),
+                })),
             }))
             .await
     }
@@ -56,19 +63,19 @@ impl Sender<Result<auth::Outbound, auth::Error>> for AuthTransportAdapter<'_> {
         use auth::{Error, Outbound};
         let payload = match item {
             Ok(Outbound::AuthChallenge { nonce }) => {
-                UserAgentResponsePayload::AuthChallenge(ProtoAuthChallenge { nonce })
+                AuthResponsePayload::Challenge(ProtoAuthChallenge { nonce })
             }
             Ok(Outbound::AuthSuccess) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::Success.into())
+                AuthResponsePayload::Result(ProtoAuthResult::Success.into())
             }
             Err(Error::UnregisteredPublicKey) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::InvalidKey.into())
+                AuthResponsePayload::Result(ProtoAuthResult::InvalidKey.into())
             }
             Err(Error::InvalidChallengeSolution) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::InvalidSignature.into())
+                AuthResponsePayload::Result(ProtoAuthResult::InvalidSignature.into())
             }
             Err(Error::InvalidBootstrapToken) => {
-                UserAgentResponsePayload::AuthResult(ProtoAuthResult::TokenInvalid.into())
+                AuthResponsePayload::Result(ProtoAuthResult::TokenInvalid.into())
             }
             Err(Error::Internal { details }) => {
                 return self.bi.send(Err(Status::internal(details))).await;
@@ -112,8 +119,26 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
             return None;
         };
 
+        let UserAgentRequestPayload::Auth(auth_request) = payload else {
+            let _ = self
+                .bi
+                .send(Err(Status::invalid_argument(
+                    "Unsupported user-agent auth request",
+                )))
+                .await;
+            return None;
+        };
+
+        let Some(payload) = auth_request.payload else {
+            warn!(
+                event = "received auth request with empty payload",
+                "grpc.useragent.auth_adapter"
+            );
+            return None;
+        };
+
         match payload {
-            UserAgentRequestPayload::AuthChallengeRequest(ProtoAuthChallengeRequest {
+            AuthRequestPayload::ChallengeRequest(ProtoAuthChallengeRequest {
                 pubkey,
                 bootstrap_token,
                 key_type,
@@ -150,17 +175,8 @@ impl Receiver<auth::Inbound> for AuthTransportAdapter<'_> {
                     bootstrap_token,
                 })
             }
-            UserAgentRequestPayload::AuthChallengeSolution(ProtoAuthChallengeSolution {
+            AuthRequestPayload::ChallengeSolution(ProtoAuthChallengeSolution { signature }) => {
-                signature,
+                Some(auth::Inbound::AuthChallengeSolution { signature })
-            }) => Some(auth::Inbound::AuthChallengeSolution { signature }),
-            _ => {
-                let _ = self
-                    .bi
-                    .send(Err(Status::invalid_argument(
-                        "Unsupported user-agent auth request",
-                    )))
-                    .await;
-                None
             }
         }
     }

server/crates/arbiter-server/src/grpc/user_agent/evm.rs

@@ -0,0 +1,234 @@
+use arbiter_proto::proto::{
+    evm::{
+        EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
+        EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
+        EvmSignTransactionResponse, GrantEntry, WalletCreateResponse, WalletEntry, WalletList,
+        WalletListResponse, evm_grant_create_response::Result as EvmGrantCreateResult,
+        evm_grant_delete_response::Result as EvmGrantDeleteResult,
+        evm_grant_list_response::Result as EvmGrantListResult,
+        evm_sign_transaction_response::Result as EvmSignTransactionResult,
+        wallet_create_response::Result as WalletCreateResult,
+        wallet_list_response::Result as WalletListResult,
+    },
+    user_agent::{
+        evm::{
+            self as proto_evm, SignTransactionRequest as ProtoSignTransactionRequest,
+            request::Payload as EvmRequestPayload, response::Payload as EvmResponsePayload,
+        },
+        user_agent_response::Payload as UserAgentResponsePayload,
+    },
+};
+use kameo::actor::ActorRef;
+use tonic::Status;
+use tracing::warn;
+
+use crate::{
+    actors::user_agent::{
+        UserAgentSession,
+        session::connection::{
+            HandleEvmWalletCreate, HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
+            HandleGrantList, HandleSignTransaction,
+            SignTransactionError as SessionSignTransactionError,
+        },
+    },
+    grpc::{
+        Convert, TryConvert,
+        common::inbound::{RawEvmAddress, RawEvmTransaction},
+    },
+};
+
+fn wrap_evm_response(payload: EvmResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::Evm(proto_evm::Response {
+        payload: Some(payload),
+    })
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_evm::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing EVM request payload"));
+    };
+
+    match payload {
+        EvmRequestPayload::WalletCreate(_) => handle_wallet_create(actor).await,
+        EvmRequestPayload::WalletList(_) => handle_wallet_list(actor).await,
+        EvmRequestPayload::GrantCreate(req) => handle_grant_create(actor, req).await,
+        EvmRequestPayload::GrantDelete(req) => handle_grant_delete(actor, req).await,
+        EvmRequestPayload::GrantList(_) => handle_grant_list(actor).await,
+        EvmRequestPayload::SignTransaction(req) => handle_sign_transaction(actor, req).await,
+    }
+}
+
+async fn handle_wallet_create(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleEvmWalletCreate {}).await {
+        Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
+            id: wallet_id,
+            address: address.to_vec(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to create EVM wallet");
+            WalletCreateResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::WalletCreate(
+        WalletCreateResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_wallet_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleEvmWalletList {}).await {
+        Ok(wallets) => WalletListResult::Wallets(WalletList {
+            wallets: wallets
+                .into_iter()
+                .map(|(id, address)| WalletEntry {
+                    address: address.to_vec(),
+                    id,
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list EVM wallets");
+            WalletListResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::WalletList(
+        WalletListResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleGrantList {}).await {
+        Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
+            grants: grants
+                .into_iter()
+                .map(|grant| GrantEntry {
+                    id: grant.id,
+                    wallet_access_id: grant.shared.wallet_access_id,
+                    shared: Some(grant.shared.convert()),
+                    specific: Some(grant.settings.convert()),
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list EVM grants");
+            EvmGrantListResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantList(
+        EvmGrantListResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_create(
+    actor: &ActorRef<UserAgentSession>,
+    req: EvmGrantCreateRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let basic = req
+        .shared
+        .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
+        .try_convert()?;
+    let grant = req
+        .specific
+        .ok_or_else(|| Status::invalid_argument("Missing specific grant settings"))?
+        .try_convert()?;
+
+    let result = match actor.ask(HandleGrantCreate { basic, grant }).await {
+        Ok(grant_id) => EvmGrantCreateResult::GrantId(grant_id),
+        Err(err) => {
+            warn!(error = ?err, "Failed to create EVM grant");
+            EvmGrantCreateResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantCreate(
+        EvmGrantCreateResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_grant_delete(
+    actor: &ActorRef<UserAgentSession>,
+    req: EvmGrantDeleteRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleGrantDelete {
+            grant_id: req.grant_id,
+        })
+        .await
+    {
+        Ok(()) => EvmGrantDeleteResult::Ok(()),
+        Err(err) => {
+            warn!(error = ?err, "Failed to delete EVM grant");
+            EvmGrantDeleteResult::Error(ProtoEvmError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_evm_response(EvmResponsePayload::GrantDelete(
+        EvmGrantDeleteResponse {
+            result: Some(result),
+        },
+    ))))
+}
+
+async fn handle_sign_transaction(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoSignTransactionRequest,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let request = req
+        .request
+        .ok_or_else(|| Status::invalid_argument("Missing sign transaction request"))?;
+    let wallet_address = RawEvmAddress(request.wallet_address).try_convert()?;
+    let transaction = RawEvmTransaction(request.rlp_transaction).try_convert()?;
+
+    let response = match actor
+        .ask(HandleSignTransaction {
+            client_id: req.client_id,
+            wallet_address,
+            transaction,
+        })
+        .await
+    {
+        Ok(signature) => EvmSignTransactionResponse {
+            result: Some(EvmSignTransactionResult::Signature(
+                signature.as_bytes().to_vec(),
+            )),
+        },
+        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Vet(vet_error))) => {
+            EvmSignTransactionResponse {
+                result: Some(vet_error.convert()),
+            }
+        }
+        Err(kameo::error::SendError::HandlerError(SessionSignTransactionError::Internal)) => {
+            EvmSignTransactionResponse {
+                result: Some(EvmSignTransactionResult::Error(
+                    ProtoEvmError::Internal.into(),
+                )),
+            }
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to sign EVM transaction");
+            EvmSignTransactionResponse {
+                result: Some(EvmSignTransactionResult::Error(
+                    ProtoEvmError::Internal.into(),
+                )),
+            }
+        }
+    };
+
+    Ok(Some(wrap_evm_response(
+        EvmResponsePayload::SignTransaction(response),
+    )))
+}

server/crates/arbiter-server/src/grpc/user_agent/inbound.rs

@@ -5,12 +5,14 @@ use arbiter_proto::proto::evm::{
     TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
     specific_grant::Grant as ProtoSpecificGrantType,
 };
-use arbiter_proto::proto::user_agent::{SdkClientWalletAccess, WalletAccess};
+use arbiter_proto::proto::user_agent::sdk_client::{
+    WalletAccess, WalletAccessEntry as SdkClientWalletAccess,
+};
 use chrono::{DateTime, TimeZone, Utc};
 use prost_types::Timestamp as ProtoTimestamp;
 use tonic::Status;
 
-use crate::db::models::{CoreEvmWalletAccess, NewEvmWallet, NewEvmWalletAccess};
+use crate::db::models::{CoreEvmWalletAccess, NewEvmWalletAccess};
 use crate::grpc::Convert;
 use crate::{
     evm::policies::{

server/crates/arbiter-server/src/grpc/user_agent/outbound.rs

@@ -5,7 +5,7 @@ use arbiter_proto::proto::{
         TransactionRateLimit as ProtoTransactionRateLimit, VolumeRateLimit as ProtoVolumeRateLimit,
         specific_grant::Grant as ProtoSpecificGrantType,
     },
-    user_agent::{SdkClientWalletAccess as ProtoSdkClientWalletAccess, WalletAccess},
+    user_agent::sdk_client::{WalletAccess, WalletAccessEntry as ProtoSdkClientWalletAccess},
 };
 use chrono::{DateTime, Utc};
 use prost_types::Timestamp as ProtoTimestamp;

server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs

@@ -0,0 +1,194 @@
+use arbiter_proto::proto::{
+    shared::ClientInfo as ProtoClientMetadata,
+    user_agent::{
+        sdk_client::{
+            self as proto_sdk_client, ConnectionCancel as ProtoSdkClientConnectionCancel,
+            ConnectionRequest as ProtoSdkClientConnectionRequest,
+            ConnectionResponse as ProtoSdkClientConnectionResponse, Entry as ProtoSdkClientEntry,
+            Error as ProtoSdkClientError, GrantWalletAccess as ProtoSdkClientGrantWalletAccess,
+            List as ProtoSdkClientList, ListResponse as ProtoSdkClientListResponse,
+            ListWalletAccessResponse, RevokeWalletAccess as ProtoSdkClientRevokeWalletAccess,
+            list_response::Result as ProtoSdkClientListResult,
+            request::Payload as SdkClientRequestPayload,
+            response::Payload as SdkClientResponsePayload,
+        },
+        user_agent_response::Payload as UserAgentResponsePayload,
+    },
+};
+use kameo::actor::ActorRef;
+use tonic::Status;
+use tracing::{info, warn};
+
+use crate::{
+    actors::user_agent::{
+        OutOfBand, UserAgentSession,
+        session::connection::{
+            HandleGrantEvmWalletAccess, HandleListWalletAccess, HandleNewClientApprove,
+            HandleRevokeEvmWalletAccess, HandleSdkClientList,
+        },
+    },
+    db::models::NewEvmWalletAccess,
+    grpc::Convert,
+};
+
+fn wrap_sdk_client_response(payload: SdkClientResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::SdkClient(proto_sdk_client::Response {
+        payload: Some(payload),
+    })
+}
+
+pub(super) fn out_of_band_payload(oob: OutOfBand) -> UserAgentResponsePayload {
+    match oob {
+        OutOfBand::ClientConnectionRequest { profile } => wrap_sdk_client_response(
+            SdkClientResponsePayload::ConnectionRequest(ProtoSdkClientConnectionRequest {
+                pubkey: profile.pubkey.to_bytes().to_vec(),
+                info: Some(ProtoClientMetadata {
+                    name: profile.metadata.name,
+                    description: profile.metadata.description,
+                    version: profile.metadata.version,
+                }),
+            }),
+        ),
+        OutOfBand::ClientConnectionCancel { pubkey } => wrap_sdk_client_response(
+            SdkClientResponsePayload::ConnectionCancel(ProtoSdkClientConnectionCancel {
+                pubkey: pubkey.to_bytes().to_vec(),
+            }),
+        ),
+    }
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_sdk_client::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument(
+            "Missing SDK client request payload",
+        ));
+    };
+
+    match payload {
+        SdkClientRequestPayload::ConnectionResponse(resp) => {
+            handle_connection_response(actor, resp).await
+        }
+        SdkClientRequestPayload::Revoke(_) => Err(Status::unimplemented(
+            "SdkClientRevoke is not yet implemented",
+        )),
+        SdkClientRequestPayload::List(_) => handle_list(actor).await,
+        SdkClientRequestPayload::GrantWalletAccess(req) => {
+            handle_grant_wallet_access(actor, req).await
+        }
+        SdkClientRequestPayload::RevokeWalletAccess(req) => {
+            handle_revoke_wallet_access(actor, req).await
+        }
+        SdkClientRequestPayload::ListWalletAccess(_) => handle_list_wallet_access(actor).await,
+    }
+}
+
+async fn handle_connection_response(
+    actor: &ActorRef<UserAgentSession>,
+    resp: ProtoSdkClientConnectionResponse,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
+        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
+    let pubkey = ed25519_dalek::VerifyingKey::from_bytes(&pubkey_bytes)
+        .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key"))?;
+
+    actor
+        .ask(HandleNewClientApprove {
+            approved: resp.approved,
+            pubkey,
+        })
+        .await
+        .map_err(|err| {
+            warn!(?err, "Failed to process client connection response");
+            Status::internal("Failed to process response")
+        })?;
+
+    Ok(None)
+}
+
+async fn handle_list(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor.ask(HandleSdkClientList {}).await {
+        Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
+            clients: clients
+                .into_iter()
+                .map(|(client, metadata)| ProtoSdkClientEntry {
+                    id: client.id,
+                    pubkey: client.public_key,
+                    info: Some(ProtoClientMetadata {
+                        name: metadata.name,
+                        description: metadata.description,
+                        version: metadata.version,
+                    }),
+                    created_at: client.created_at.0.timestamp() as i32,
+                })
+                .collect(),
+        }),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list SDK clients");
+            ProtoSdkClientListResult::Error(ProtoSdkClientError::Internal.into())
+        }
+    };
+    Ok(Some(wrap_sdk_client_response(
+        SdkClientResponsePayload::List(ProtoSdkClientListResponse {
+            result: Some(result),
+        }),
+    )))
+}
+
+async fn handle_grant_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoSdkClientGrantWalletAccess,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let entries: Vec<NewEvmWalletAccess> = req.accesses.into_iter().map(|a| a.convert()).collect();
+    match actor.ask(HandleGrantEvmWalletAccess { entries }).await {
+        Ok(()) => {
+            info!("Successfully granted wallet access");
+            Ok(None)
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to grant wallet access");
+            Err(Status::internal("Failed to grant wallet access"))
+        }
+    }
+}
+
+async fn handle_revoke_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoSdkClientRevokeWalletAccess,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    match actor
+        .ask(HandleRevokeEvmWalletAccess {
+            entries: req.accesses,
+        })
+        .await
+    {
+        Ok(()) => {
+            info!("Successfully revoked wallet access");
+            Ok(None)
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to revoke wallet access");
+            Err(Status::internal("Failed to revoke wallet access"))
+        }
+    }
+}
+
+async fn handle_list_wallet_access(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    match actor.ask(HandleListWalletAccess {}).await {
+        Ok(accesses) => Ok(Some(wrap_sdk_client_response(
+            SdkClientResponsePayload::ListWalletAccess(ListWalletAccessResponse {
+                accesses: accesses.into_iter().map(|a| a.convert()).collect(),
+            }),
+        ))),
+        Err(err) => {
+            warn!(error = ?err, "Failed to list wallet access");
+            Err(Status::internal("Failed to list wallet access"))
+        }
+    }
+}

server/crates/arbiter-server/src/grpc/user_agent/vault.rs

@@ -0,0 +1,180 @@
+use arbiter_proto::proto::shared::VaultState as ProtoVaultState;
+use arbiter_proto::proto::user_agent::{
+    user_agent_response::Payload as UserAgentResponsePayload,
+    vault::{
+        self as proto_vault,
+        bootstrap::{
+            self as proto_bootstrap, BootstrapEncryptedKey as ProtoBootstrapEncryptedKey,
+            BootstrapResult as ProtoBootstrapResult,
+        },
+        request::Payload as VaultRequestPayload,
+        response::Payload as VaultResponsePayload,
+        unseal::{
+            self as proto_unseal, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
+            UnsealResult as ProtoUnsealResult, UnsealStart,
+            request::Payload as UnsealRequestPayload, response::Payload as UnsealResponsePayload,
+        },
+    },
+};
+use kameo::{actor::ActorRef, error::SendError};
+use tonic::Status;
+use tracing::warn;
+
+use crate::actors::{
+    keyholder::KeyHolderState,
+    user_agent::{
+        UserAgentSession,
+        session::connection::{
+            BootstrapError, HandleBootstrapEncryptedKey, HandleQueryVaultState,
+            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+        },
+    },
+};
+
+fn wrap_vault_response(payload: VaultResponsePayload) -> UserAgentResponsePayload {
+    UserAgentResponsePayload::Vault(proto_vault::Response {
+        payload: Some(payload),
+    })
+}
+
+fn wrap_unseal_response(payload: UnsealResponsePayload) -> UserAgentResponsePayload {
+    wrap_vault_response(VaultResponsePayload::Unseal(proto_unseal::Response {
+        payload: Some(payload),
+    }))
+}
+
+fn wrap_bootstrap_response(result: ProtoBootstrapResult) -> UserAgentResponsePayload {
+    wrap_vault_response(VaultResponsePayload::Bootstrap(proto_bootstrap::Response {
+        result: result.into(),
+    }))
+}
+
+pub(super) async fn dispatch(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_vault::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing vault request payload"));
+    };
+
+    match payload {
+        VaultRequestPayload::QueryState(_) => handle_query_vault_state(actor).await,
+        VaultRequestPayload::Unseal(req) => dispatch_unseal_request(actor, req).await,
+        VaultRequestPayload::Bootstrap(req) => handle_bootstrap_request(actor, req).await,
+    }
+}
+
+async fn dispatch_unseal_request(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_unseal::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let Some(payload) = req.payload else {
+        return Err(Status::invalid_argument("Missing unseal request payload"));
+    };
+
+    match payload {
+        UnsealRequestPayload::Start(req) => handle_unseal_start(actor, req).await,
+        UnsealRequestPayload::EncryptedKey(req) => handle_unseal_encrypted_key(actor, req).await,
+    }
+}
+
+async fn handle_unseal_start(
+    actor: &ActorRef<UserAgentSession>,
+    req: UnsealStart,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let client_pubkey = <[u8; 32]>::try_from(req.client_pubkey)
+        .map(x25519_dalek::PublicKey::from)
+        .map_err(|_| Status::invalid_argument("Invalid X25519 public key"))?;
+
+    let response = actor
+        .ask(HandleUnsealRequest { client_pubkey })
+        .await
+        .map_err(|err| {
+            warn!(error = ?err, "Failed to handle unseal start request");
+            Status::internal("Failed to start unseal flow")
+        })?;
+
+    Ok(Some(wrap_unseal_response(UnsealResponsePayload::Start(
+        proto_unseal::UnsealStartResponse {
+            server_pubkey: response.server_pubkey.as_bytes().to_vec(),
+        },
+    ))))
+}
+
+async fn handle_unseal_encrypted_key(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoUnsealEncryptedKey,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleUnsealEncryptedKey {
+            nonce: req.nonce,
+            ciphertext: req.ciphertext,
+            associated_data: req.associated_data,
+        })
+        .await
+    {
+        Ok(()) => ProtoUnsealResult::Success,
+        Err(SendError::HandlerError(UnsealError::InvalidKey)) => ProtoUnsealResult::InvalidKey,
+        Err(err) => {
+            warn!(error = ?err, "Failed to handle unseal request");
+            return Err(Status::internal("Failed to unseal vault"));
+        }
+    };
+    Ok(Some(wrap_unseal_response(UnsealResponsePayload::Result(
+        result.into(),
+    ))))
+}
+
+async fn handle_bootstrap_request(
+    actor: &ActorRef<UserAgentSession>,
+    req: proto_bootstrap::Request,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let encrypted_key = req
+        .encrypted_key
+        .ok_or_else(|| Status::invalid_argument("Missing bootstrap encrypted key"))?;
+    handle_bootstrap_encrypted_key(actor, encrypted_key).await
+}
+
+async fn handle_bootstrap_encrypted_key(
+    actor: &ActorRef<UserAgentSession>,
+    req: ProtoBootstrapEncryptedKey,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let result = match actor
+        .ask(HandleBootstrapEncryptedKey {
+            nonce: req.nonce,
+            ciphertext: req.ciphertext,
+            associated_data: req.associated_data,
+        })
+        .await
+    {
+        Ok(()) => ProtoBootstrapResult::Success,
+        Err(SendError::HandlerError(BootstrapError::InvalidKey)) => {
+            ProtoBootstrapResult::InvalidKey
+        }
+        Err(SendError::HandlerError(BootstrapError::AlreadyBootstrapped)) => {
+            ProtoBootstrapResult::AlreadyBootstrapped
+        }
+        Err(err) => {
+            warn!(error = ?err, "Failed to handle bootstrap request");
+            return Err(Status::internal("Failed to bootstrap vault"));
+        }
+    };
+    Ok(Some(wrap_bootstrap_response(result)))
+}
+
+async fn handle_query_vault_state(
+    actor: &ActorRef<UserAgentSession>,
+) -> Result<Option<UserAgentResponsePayload>, Status> {
+    let state = match actor.ask(HandleQueryVaultState {}).await {
+        Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
+        Ok(KeyHolderState::Sealed) => ProtoVaultState::Sealed,
+        Ok(KeyHolderState::Unsealed) => ProtoVaultState::Unsealed,
+        Err(err) => {
+            warn!(error = ?err, "Failed to query vault state");
+            ProtoVaultState::Error
+        }
+    };
+    Ok(Some(wrap_vault_response(VaultResponsePayload::State(
+        state.into(),
+    ))))
+}

server/crates/arbiter-server/src/lib.rs

@@ -3,6 +3,7 @@ use crate::context::ServerContext;
 
 pub mod actors;
 pub mod context;
+pub mod crypto;
 pub mod db;
 pub mod evm;
 pub mod grpc;

server/crates/arbiter-server/src/main.rs

@@ -1,8 +1,8 @@
 use std::net::SocketAddr;
 
+use anyhow::anyhow;
 use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
 use arbiter_server::{Server, actors::bootstrap::GetToken, context::ServerContext, db};
-use miette::miette;
 use rustls::crypto::aws_lc_rs;
 use tonic::transport::{Identity, ServerTlsConfig};
 use tracing::info;
@@ -10,7 +10,7 @@ use tracing::info;
 const PORT: u16 = 50051;
 
 #[tokio::main]
-async fn main() -> miette::Result<()> {
+async fn main() -> anyhow::Result<()> {
     aws_lc_rs::default_provider().install_default().unwrap();
 
     tracing_subscriber::fmt()
@@ -46,11 +46,11 @@ async fn main() -> miette::Result<()> {
 
     tonic::transport::Server::builder()
         .tls_config(tls)
-        .map_err(|err| miette!("Faild to setup TLS: {err}"))?
+        .map_err(|err| anyhow!("Failed to setup TLS: {err}"))?
         .add_service(ArbiterServiceServer::new(Server::new(context)))
         .serve(addr)
         .await
-        .map_err(|e| miette::miette!("gRPC server error: {e}"))?;
+        .map_err(|e| anyhow!("gRPC server error: {e}"))?;
 
     unreachable!("gRPC server should run indefinitely");
 }

server/crates/arbiter-server/tests/keyholder/lifecycle.rs

@@ -1,5 +1,6 @@
 use arbiter_server::{
     actors::keyholder::{Error, KeyHolder},
+    crypto::encryption::v1::{Nonce, ROOT_KEY_TAG},
     db::{self, models, schema},
     safe_cell::{SafeCell, SafeCellHandle as _},
 };
@@ -25,16 +26,10 @@ async fn test_bootstrap() {
         .unwrap();
 
     assert_eq!(row.schema_version, 1);
-    assert_eq!(
+    assert_eq!(row.tag, ROOT_KEY_TAG);
-        row.tag,
-        arbiter_server::actors::keyholder::encryption::v1::ROOT_KEY_TAG
-    );
     assert!(!row.ciphertext.is_empty());
     assert!(!row.salt.is_empty());
-    assert_eq!(
+    assert_eq!(row.data_encryption_nonce, Nonce::default().to_vec());
-        row.data_encryption_nonce,
-        arbiter_server::actors::keyholder::encryption::v1::Nonce::default().to_vec()
-    );
 }
 
 #[tokio::test]

server/crates/arbiter-server/tests/keyholder/storage.rs

@@ -1,7 +1,8 @@
 use std::collections::HashSet;
 
 use arbiter_server::{
-    actors::keyholder::{Error, encryption::v1},
+    actors::keyholder::Error,
+    crypto::encryption::v1::Nonce,
     db::{self, models, schema},
     safe_cell::{SafeCell, SafeCellHandle as _},
 };
@@ -102,7 +103,7 @@ async fn test_nonce_never_reused() {
     assert_eq!(nonces.len(), unique.len(), "all nonces must be unique");
 
     for (i, row) in rows.iter().enumerate() {
-        let mut expected = v1::Nonce::default();
+        let mut expected = Nonce::default();
         for _ in 0..=i {
             expected.increment();
         }

server/crates/arbiter-server/tests/user_agent/auth.rs

@@ -3,9 +3,11 @@ use arbiter_server::{
     actors::{
         GlobalActors,
         bootstrap::GetToken,
+        keyholder::Bootstrap,
         user_agent::{AuthPublicKey, UserAgentConnection, auth},
     },
     db::{self, schema},
+    safe_cell::{SafeCell, SafeCellHandle as _},
 };
 use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
 use diesel_async::RunQueryDsl;
@@ -83,7 +85,6 @@ pub async fn test_bootstrap_invalid_token_auth() {
         Err(auth::Error::InvalidBootstrapToken)
     ));
 
-    // Verify no key was registered
     let mut conn = db.get().await.unwrap();
     let count: i64 = schema::useragent_client::table
         .count()
@@ -102,7 +103,6 @@ pub async fn test_challenge_auth() {
     let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
     let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
 
-    // Pre-register key with key_type
     {
         let mut conn = db.get().await.unwrap();
         insert_into(schema::useragent_client::table)
@@ -122,7 +122,6 @@ pub async fn test_challenge_auth() {
         auth::authenticate(&mut props, server_transport).await
     });
 
-    // Send challenge request
     test_transport
         .send(auth::Inbound::AuthChallengeRequest {
             pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
@@ -131,7 +130,6 @@ pub async fn test_challenge_auth() {
         .await
         .unwrap();
 
-    // Read the challenge response
     let response = test_transport
         .recv()
         .await
@@ -165,3 +163,120 @@ pub async fn test_challenge_auth() {
 
     task.await.unwrap().unwrap();
 }
+
+#[tokio::test]
+#[test_log::test]
+pub async fn test_challenge_auth_rejects_integrity_tag_mismatch_when_unsealed() {
+    let db = db::create_test_pool().await;
+    let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+
+    actors
+        .key_holder
+        .ask(Bootstrap {
+            seal_key_raw: SafeCell::new(b"test-seal-key".to_vec()),
+        })
+        .await
+        .unwrap();
+
+    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
+    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
+
+    {
+        let mut conn = db.get().await.unwrap();
+        insert_into(schema::useragent_client::table)
+            .values((
+                schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
+                schema::useragent_client::key_type.eq(1i32),
+                schema::useragent_client::pubkey_integrity_tag.eq(Some(vec![0u8; 32])),
+            ))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+    }
+
+    let (server_transport, mut test_transport) = ChannelTransport::new();
+    let db_for_task = db.clone();
+    let task = tokio::spawn(async move {
+        let mut props = UserAgentConnection::new(db_for_task, actors);
+        auth::authenticate(&mut props, server_transport).await
+    });
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeRequest {
+            pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
+            bootstrap_token: None,
+        })
+        .await
+        .unwrap();
+
+    assert!(matches!(
+        task.await.unwrap(),
+        Err(auth::Error::InvalidChallengeSolution)
+    ));
+}
+
+#[tokio::test]
+#[test_log::test]
+pub async fn test_challenge_auth_rejects_invalid_signature() {
+    let db = db::create_test_pool().await;
+    let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+
+    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
+    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
+
+    {
+        let mut conn = db.get().await.unwrap();
+        insert_into(schema::useragent_client::table)
+            .values((
+                schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
+                schema::useragent_client::key_type.eq(1i32),
+            ))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+    }
+
+    let (server_transport, mut test_transport) = ChannelTransport::new();
+    let db_for_task = db.clone();
+    let task = tokio::spawn(async move {
+        let mut props = UserAgentConnection::new(db_for_task, actors);
+        auth::authenticate(&mut props, server_transport).await
+    });
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeRequest {
+            pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
+            bootstrap_token: None,
+        })
+        .await
+        .unwrap();
+
+    let response = test_transport
+        .recv()
+        .await
+        .expect("should receive challenge");
+    let challenge = match response {
+        Ok(resp) => match resp {
+            auth::Outbound::AuthChallenge { nonce } => nonce,
+            other => panic!("Expected AuthChallenge, got {other:?}"),
+        },
+        Err(err) => panic!("Expected Ok response, got Err({err:?})"),
+    };
+
+    let wrong_challenge = arbiter_proto::format_challenge(challenge + 1, &pubkey_bytes);
+    let signature = new_key.sign(&wrong_challenge);
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeSolution {
+            signature: signature.to_bytes().to_vec(),
+        })
+        .await
+        .unwrap();
+
+    let expected_err = task.await.unwrap();
+    println!("Received expected error: {expected_err:#?}");
+    assert!(matches!(
+        expected_err,
+        Err(auth::Error::InvalidChallengeSolution)
+    ));
+}

server/crates/arbiter-server/tests/user_agent/unseal.rs

@@ -2,14 +2,17 @@ use arbiter_server::{
     actors::{
         GlobalActors,
         keyholder::{Bootstrap, Seal},
-        user_agent::{UserAgentSession, session::connection::{
+        user_agent::{
-            HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+            UserAgentSession,
-        }},
+            session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
+        },
     },
     db,
     safe_cell::{SafeCell, SafeCellHandle as _},
 };
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
+use diesel::{ExpressionMethods as _, QueryDsl as _, insert_into};
+use diesel_async::RunQueryDsl;
 use kameo::actor::Spawn as _;
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -149,3 +152,42 @@ pub async fn test_unseal_retry_after_invalid_key() {
         assert!(matches!(response, Ok(())));
     }
 }
+
+#[tokio::test]
+#[test_log::test]
+pub async fn test_unseal_backfills_missing_pubkey_integrity_tags() {
+    let seal_key = b"test-seal-key";
+    let (db, user_agent) = setup_sealed_user_agent(seal_key).await;
+
+    {
+        let mut conn = db.get().await.unwrap();
+        insert_into(arbiter_server::db::schema::useragent_client::table)
+            .values((
+                arbiter_server::db::schema::useragent_client::public_key
+                    .eq(vec![1u8, 2u8, 3u8, 4u8]),
+                arbiter_server::db::schema::useragent_client::key_type.eq(1i32),
+                arbiter_server::db::schema::useragent_client::pubkey_integrity_tag
+                    .eq(Option::<Vec<u8>>::None),
+            ))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+    }
+
+    let encrypted_key = client_dh_encrypt(&user_agent, seal_key).await;
+    let response = user_agent.ask(encrypted_key).await;
+    assert!(matches!(response, Ok(())));
+
+    {
+        let mut conn = db.get().await.unwrap();
+        let tags: Vec<Option<Vec<u8>>> = arbiter_server::db::schema::useragent_client::table
+            .select(arbiter_server::db::schema::useragent_client::pubkey_integrity_tag)
+            .load(&mut conn)
+            .await
+            .unwrap();
+        assert!(
+            tags.iter()
+                .all(|tag| matches!(tag, Some(v) if v.len() == 32))
+        );
+    }
+}

useragent/lib/features/callouts/callout_event.dart

@@ -1,6 +1,5 @@
-import 'package:arbiter/proto/client.pb.dart';
+import 'package:arbiter/proto/shared/client.pb.dart';
 import 'package:freezed_annotation/freezed_annotation.dart';
-import 'package:hooks_riverpod/experimental/mutation.dart';
 
 part 'callout_event.freezed.dart';
 

useragent/lib/features/callouts/callout_manager.dart

@@ -2,7 +2,7 @@ import 'package:arbiter/features/callouts/active_callout.dart';
 import 'package:arbiter/features/callouts/callout_event.dart';
 import 'package:arbiter/features/callouts/types/sdk_connect_approve.dart'
     as connect_approve;
-import 'package:arbiter/proto/client.pb.dart';
+import 'package:arbiter/proto/shared/client.pb.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'callout_manager.g.dart';

useragent/lib/features/callouts/types/sdk_connect_approve.dart

@@ -1,6 +1,7 @@
 import 'dart:convert';
 
 import 'package:arbiter/features/callouts/callout_event.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:arbiter/providers/connection/connection_manager.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
@@ -14,20 +15,27 @@ Stream<CalloutEvent> connectApproveEvents(Ref ref) async* {
 
   await for (final message in connection.outOfBandMessages) {
     switch (message.whichPayload()) {
-      case UserAgentResponse_Payload.sdkClientConnectionRequest:
+      case UserAgentResponse_Payload.sdkClient:
-        final body = message.sdkClientConnectionRequest;
+        final sdkClientMessage = message.sdkClient;
-        final id = base64Encode(body.pubkey);
+        switch (sdkClientMessage.whichPayload()) {
-        yield CalloutEvent.added(
+          case ua_sdk.Response_Payload.connectionRequest:
-          id: 'connect_approve:$id',
+            final body = sdkClientMessage.connectionRequest;
-          data: CalloutData.connectApproval(
+            final id = base64Encode(body.pubkey);
-            pubkey: id,
+            yield CalloutEvent.added(
-            clientInfo: body.info,
+              id: 'connect_approve:$id',
-          ),
+              data: CalloutData.connectApproval(
-        );
+                pubkey: id,
+                clientInfo: body.info,
+              ),
+            );
 
-      case UserAgentResponse_Payload.sdkClientConnectionCancel:
+          case ua_sdk.Response_Payload.connectionCancel:
-        final id = base64Encode(message.sdkClientConnectionCancel.pubkey);
+            final id = base64Encode(sdkClientMessage.connectionCancel.pubkey);
-        yield CalloutEvent.cancelled(id: 'connect_approve:$id');
+            yield CalloutEvent.cancelled(id: 'connect_approve:$id');
+
+          default:
+            break;
+        }
 
       default:
         break;
@@ -41,11 +49,14 @@ Future<void> sendDecision(Ref ref, String pubkey, bool approved) async {
 
   final bytes = base64Decode(pubkey);
 
-  final req = UserAgentRequest(sdkClientConnectionResponse: SdkClientConnectionResponse(
+  final req = UserAgentRequest(
-    approved: approved,
+    sdkClient: ua_sdk.Request(
-    pubkey: bytes
+      connectionResponse: ua_sdk.ConnectionResponse(
-  ));
+        approved: approved,
+        pubkey: bytes,
+      ),
+    ),
+  );
 
   await connection.tell(req);
-
+}
-}

useragent/lib/features/callouts/types/sdk_connect_approve.g.dart

@@ -47,4 +47,4 @@ final class ConnectApproveEventsProvider
 }
 
 String _$connectApproveEventsHash() =>
-    r'6a0998288afc0836a7c1701a983f64c33d318fd6';
+    r'abab87cc875a9a4834f836c2c0eba4aa7671d82e';

useragent/lib/features/connection/auth.dart

@@ -5,6 +5,7 @@ import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/features/connection/server_info_storage.dart';
 import 'package:arbiter/features/identity/pk_manager.dart';
 import 'package:arbiter/proto/arbiter.pbgrpc.dart';
+import 'package:arbiter/proto/user_agent/auth.pb.dart' as ua_auth;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:grpc/grpc.dart';
 import 'package:mtcore/markettakers.dart';
@@ -12,22 +13,22 @@ import 'package:mtcore/markettakers.dart';
 class AuthorizationException implements Exception {
   const AuthorizationException(this.result);
 
-  final AuthResult result;
+  final ua_auth.AuthResult result;
 
   String get message => switch (result) {
-    AuthResult.AUTH_RESULT_INVALID_KEY =>
+    ua_auth.AuthResult.AUTH_RESULT_INVALID_KEY =>
       'Authentication failed: this device key is not registered on the server.',
-    AuthResult.AUTH_RESULT_INVALID_SIGNATURE =>
+    ua_auth.AuthResult.AUTH_RESULT_INVALID_SIGNATURE =>
       'Authentication failed: the server rejected the signature for this device key.',
-    AuthResult.AUTH_RESULT_BOOTSTRAP_REQUIRED =>
+    ua_auth.AuthResult.AUTH_RESULT_BOOTSTRAP_REQUIRED =>
       'Authentication failed: the server requires bootstrap before this device can connect.',
-    AuthResult.AUTH_RESULT_TOKEN_INVALID =>
+    ua_auth.AuthResult.AUTH_RESULT_TOKEN_INVALID =>
       'Authentication failed: the bootstrap token is invalid.',
-    AuthResult.AUTH_RESULT_INTERNAL =>
+    ua_auth.AuthResult.AUTH_RESULT_INTERNAL =>
       'Authentication failed: the server hit an internal error.',
-    AuthResult.AUTH_RESULT_UNSPECIFIED =>
+    ua_auth.AuthResult.AUTH_RESULT_UNSPECIFIED =>
       'Authentication failed: the server returned an unspecified auth error.',
-    AuthResult.AUTH_RESULT_SUCCESS => 'Authentication succeeded.',
+    ua_auth.AuthResult.AUTH_RESULT_SUCCESS => 'Authentication succeeded.',
     _ => 'Authentication failed: ${result.name}.',
   };
 
@@ -57,56 +58,76 @@ Future<Connection> connectAndAuthorize(
     );
     final pubkey = await key.getPublicKey();
 
-    final req = AuthChallengeRequest(
+    final req = ua_auth.AuthChallengeRequest(
       pubkey: pubkey,
       bootstrapToken: bootstrapToken,
       keyType: switch (key.alg) {
-        KeyAlgorithm.rsa => KeyType.KEY_TYPE_RSA,
+        KeyAlgorithm.rsa => ua_auth.KeyType.KEY_TYPE_RSA,
-        KeyAlgorithm.ecdsa => KeyType.KEY_TYPE_ECDSA_SECP256K1,
+        KeyAlgorithm.ecdsa => ua_auth.KeyType.KEY_TYPE_ECDSA_SECP256K1,
-        KeyAlgorithm.ed25519 => KeyType.KEY_TYPE_ED25519,
+        KeyAlgorithm.ed25519 => ua_auth.KeyType.KEY_TYPE_ED25519,
       },
     );
     final response = await connection.ask(
-      UserAgentRequest(authChallengeRequest: req),
+      UserAgentRequest(auth: ua_auth.Request(challengeRequest: req)),
     );
     talker.info(
       "Sent auth challenge request with pubkey ${base64Encode(pubkey)}",
     );
     talker.info('Received response from server, checking auth flow...');
 
-    if (response.hasAuthResult()) {
+    if (!response.hasAuth()) {
-      if (response.authResult != AuthResult.AUTH_RESULT_SUCCESS) {
+      throw ConnectionException(
-        throw AuthorizationException(response.authResult);
+        'Expected auth response, got ${response.whichPayload()}',
+      );
+    }
+
+    final authResponse = response.auth;
+
+    if (authResponse.hasResult()) {
+      if (authResponse.result != ua_auth.AuthResult.AUTH_RESULT_SUCCESS) {
+        throw AuthorizationException(authResponse.result);
       }
       talker.info('Authentication successful, connection established');
       return connection;
     }
 
-    if (!response.hasAuthChallenge()) {
+    if (!authResponse.hasChallenge()) {
       throw ConnectionException(
-        'Expected AuthChallengeResponse, got ${response.whichPayload()}',
+        'Expected auth challenge response, got ${authResponse.whichPayload()}',
       );
     }
 
-    final challenge = _formatChallenge(response.authChallenge, pubkey);
+    final challenge = _formatChallenge(authResponse.challenge, pubkey);
     talker.info(
       'Received auth challenge, signing with key ${base64Encode(pubkey)}',
     );
 
     final signature = await key.sign(challenge);
     final solutionResponse = await connection.ask(
-      UserAgentRequest(authChallengeSolution: AuthChallengeSolution(signature: signature)),
+      UserAgentRequest(
+        auth: ua_auth.Request(
+          challengeSolution: ua_auth.AuthChallengeSolution(signature: signature),
+        ),
+      ),
     );
 
     talker.info('Sent auth challenge solution, waiting for server response...');
 
-    if (!solutionResponse.hasAuthResult()) {
+    if (!solutionResponse.hasAuth()) {
       throw ConnectionException(
-        'Expected AuthChallengeSolutionResponse, got ${solutionResponse.whichPayload()}',
+        'Expected auth solution response, got ${solutionResponse.whichPayload()}',
       );
     }
-    if (solutionResponse.authResult != AuthResult.AUTH_RESULT_SUCCESS) {
+
-      throw AuthorizationException(solutionResponse.authResult);
+    final authSolutionResponse = solutionResponse.auth;
+
+    if (!authSolutionResponse.hasResult()) {
+      throw ConnectionException(
+        'Expected auth solution result, got ${authSolutionResponse.whichPayload()}',
+      );
+    }
+    if (authSolutionResponse.result != ua_auth.AuthResult.AUTH_RESULT_SUCCESS) {
+      throw AuthorizationException(authSolutionResponse.result);
     }
 
     talker.info('Authentication successful, connection established');
@@ -147,7 +168,7 @@ Future<Connection> _connect(StoredServerInfo serverInfo) async {
   return Connection(channel: channel, tx: tx, rx: rx);
 }
 
-List<int> _formatChallenge(AuthChallenge challenge, List<int> pubkey) {
+List<int> _formatChallenge(ua_auth.AuthChallenge challenge, List<int> pubkey) {
   final encodedPubkey = base64Encode(pubkey);
   final payload = "${challenge.nonce}:$encodedPubkey";
   return utf8.encode(payload);

useragent/lib/features/connection/evm.dart

@@ -1,19 +1,27 @@
 import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent/evm.pb.dart' as ua_evm;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
 
 Future<List<WalletEntry>> listEvmWallets(Connection connection) async {
   final response = await connection.ask(
-    UserAgentRequest(evmWalletList: Empty()),
+    UserAgentRequest(evm: ua_evm.Request(walletList: Empty())),
   );
-  if (!response.hasEvmWalletList()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM wallet list response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmWalletList;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasWalletList()) {
+    throw Exception(
+      'Expected EVM wallet list response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.walletList;
   switch (result.whichResult()) {
     case WalletListResponse_Result.wallets:
       return result.wallets.wallets.toList(growable: false);
@@ -26,15 +34,22 @@ Future<List<WalletEntry>> listEvmWallets(Connection connection) async {
 
 Future<void> createEvmWallet(Connection connection) async {
   final response = await connection.ask(
-    UserAgentRequest(evmWalletCreate: Empty()),
+    UserAgentRequest(evm: ua_evm.Request(walletCreate: Empty())),
   );
-  if (!response.hasEvmWalletCreate()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM wallet create response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmWalletCreate;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasWalletCreate()) {
+    throw Exception(
+      'Expected EVM wallet create response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.walletCreate;
   switch (result.whichResult()) {
     case WalletCreateResponse_Result.wallet:
       return;

useragent/lib/features/connection/evm/grants.dart

@@ -1,22 +1,28 @@
 import 'package:arbiter/features/connection/connection.dart';
 import 'package:arbiter/proto/evm.pb.dart';
+import 'package:arbiter/proto/user_agent/evm.pb.dart' as ua_evm;
 import 'package:arbiter/proto/user_agent.pb.dart';
-import 'package:fixnum/fixnum.dart';
-import 'package:protobuf/well_known_types/google/protobuf/timestamp.pb.dart';
 
 Future<List<GrantEntry>> listEvmGrants(Connection connection) async {
   final request = EvmGrantListRequest();
 
   final response = await connection.ask(
-    UserAgentRequest(evmGrantList: request),
+    UserAgentRequest(evm: ua_evm.Request(grantList: request)),
   );
-  if (!response.hasEvmGrantList()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM grant list response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmGrantList;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasGrantList()) {
+    throw Exception(
+      'Expected EVM grant list response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantList;
   switch (result.whichResult()) {
     case EvmGrantListResponse_Result.grants:
       return result.grants.grants.toList(growable: false);
@@ -33,36 +39,56 @@ Future<int> createEvmGrant(
   required SpecificGrant specific,
 }) async {
   final request = UserAgentRequest(
-    evmGrantCreate: EvmGrantCreateRequest(
+    evm: ua_evm.Request(
-      shared: sharedSettings,
+      grantCreate: EvmGrantCreateRequest(
-      specific: specific,
+        shared: sharedSettings,
+        specific: specific,
+      ),
     ),
   );
 
   final resp = await connection.ask(request);
 
-  if (!resp.hasEvmGrantCreate()) {
+  if (!resp.hasEvm()) {
     throw Exception(
-      'Expected EVM grant create response, got ${resp.whichPayload()}',
+      'Expected EVM response, got ${resp.whichPayload()}',
     );
   }
 
-  final result = resp.evmGrantCreate;
+  final evmResponse = resp.evm;
+  if (!evmResponse.hasGrantCreate()) {
+    throw Exception(
+      'Expected EVM grant create response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantCreate;
 
   return result.grantId;
 }
 
 Future<void> deleteEvmGrant(Connection connection, int grantId) async {
   final response = await connection.ask(
-    UserAgentRequest(evmGrantDelete: EvmGrantDeleteRequest(grantId: grantId)),
+    UserAgentRequest(
+      evm: ua_evm.Request(
+        grantDelete: EvmGrantDeleteRequest(grantId: grantId),
+      ),
+    ),
   );
-  if (!response.hasEvmGrantDelete()) {
+  if (!response.hasEvm()) {
     throw Exception(
-      'Expected EVM grant delete response, got ${response.whichPayload()}',
+      'Expected EVM response, got ${response.whichPayload()}',
     );
   }
 
-  final result = response.evmGrantDelete;
+  final evmResponse = response.evm;
+  if (!evmResponse.hasGrantDelete()) {
+    throw Exception(
+      'Expected EVM grant delete response, got ${evmResponse.whichPayload()}',
+    );
+  }
+
+  final result = evmResponse.grantDelete;
   switch (result.whichResult()) {
     case EvmGrantDeleteResponse_Result.ok:
       return;
@@ -73,13 +99,6 @@ Future<void> deleteEvmGrant(Connection connection, int grantId) async {
   }
 }
 
-Timestamp _toTimestamp(DateTime value) {
-  final utc = value.toUtc();
-  return Timestamp()
-    ..seconds = Int64(utc.millisecondsSinceEpoch ~/ 1000)
-    ..nanos = (utc.microsecondsSinceEpoch % 1000000) * 1000;
-}
-
 String _describeGrantError(EvmError error) {
   return switch (error) {
     EvmError.EVM_ERROR_VAULT_SEALED =>

useragent/lib/features/connection/evm/wallet_access.dart

@@ -1,4 +1,5 @@
 import 'package:arbiter/features/connection/connection.dart';
+import 'package:arbiter/proto/user_agent/sdk_client.pb.dart' as ua_sdk;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart';
 
@@ -7,31 +8,47 @@ Future<Set<int>> readClientWalletAccess(
   required int clientId,
 }) async {
   final response = await connection.ask(
-    UserAgentRequest(listWalletAccess: Empty()),
+    UserAgentRequest(
+      sdkClient: ua_sdk.Request(listWalletAccess: Empty()),
+    ),
   );
-  if (!response.hasListWalletAccessResponse()) {
+  if (!response.hasSdkClient()) {
     throw Exception(
-      'Expected list wallet access response, got ${response.whichPayload()}',
+      'Expected SDK client response, got ${response.whichPayload()}',
+    );
+  }
+  final sdkClientResponse = response.sdkClient;
+  if (!sdkClientResponse.hasListWalletAccess()) {
+    throw Exception(
+      'Expected list wallet access response, got ${sdkClientResponse.whichPayload()}',
     );
   }
   return {
-    for (final entry in response.listWalletAccessResponse.accesses)
+    for (final entry in sdkClientResponse.listWalletAccess.accesses)
       if (entry.access.sdkClientId == clientId) entry.access.walletId,
   };
 }
 
-Future<List<SdkClientWalletAccess>> listAllWalletAccesses(
+Future<List<ua_sdk.WalletAccessEntry>> listAllWalletAccesses(
   Connection connection,
 ) async {
   final response = await connection.ask(
-    UserAgentRequest(listWalletAccess: Empty()),
+    UserAgentRequest(
+      sdkClient: ua_sdk.Request(listWalletAccess: Empty()),
+    ),
   );
-  if (!response.hasListWalletAccessResponse()) {
+  if (!response.hasSdkClient()) {
     throw Exception(
-      'Expected list wallet access response, got ${response.whichPayload()}',
+      'Expected SDK client response, got ${response.whichPayload()}',
     );
   }
-  return response.listWalletAccessResponse.accesses.toList(growable: false);
+  final sdkClientResponse = response.sdkClient;
+  if (!sdkClientResponse.hasListWalletAccess()) {
+    throw Exception(
+      'Expected list wallet access response, got ${sdkClientResponse.whichPayload()}',
+    );
+  }
+  return sdkClientResponse.listWalletAccess.accesses.toList(growable: false);
 }
 
 Future<void> writeClientWalletAccess(
@@ -47,11 +64,13 @@ Future<void> writeClientWalletAccess(
   if (toGrant.isNotEmpty) {
     await connection.tell(
       UserAgentRequest(
-        grantWalletAccess: SdkClientGrantWalletAccess(
+        sdkClient: ua_sdk.Request(
-          accesses: [
+          grantWalletAccess: ua_sdk.GrantWalletAccess(
-            for (final walletId in toGrant)
+            accesses: [
-              WalletAccess(sdkClientId: clientId, walletId: walletId),
+              for (final walletId in toGrant)
-          ],
+                ua_sdk.WalletAccess(sdkClientId: clientId, walletId: walletId),
+            ],
+          ),
         ),
       ),
     );
@@ -60,11 +79,12 @@ Future<void> writeClientWalletAccess(
   if (toRevoke.isNotEmpty) {
     await connection.tell(
       UserAgentRequest(
-        revokeWalletAccess: SdkClientRevokeWalletAccess(
+        sdkClient: ua_sdk.Request(
-          accesses: [
+          revokeWalletAccess: ua_sdk.RevokeWalletAccess(
-            for (final walletId in toRevoke)
+            accesses: [
-              walletId
+              for (final walletId in toRevoke) walletId,
-          ],
+            ],
+          ),
         ),
       ),
     );

useragent/lib/features/connection/vault.dart

@@ -1,10 +1,13 @@
 import 'package:arbiter/features/connection/connection.dart';
+import 'package:arbiter/proto/user_agent/vault/bootstrap.pb.dart' as ua_bootstrap;
+import 'package:arbiter/proto/user_agent/vault/unseal.pb.dart' as ua_unseal;
+import 'package:arbiter/proto/user_agent/vault/vault.pb.dart' as ua_vault;
 import 'package:arbiter/proto/user_agent.pb.dart';
 import 'package:cryptography/cryptography.dart';
 
 const _vaultKeyAssociatedData = 'arbiter.vault.password';
 
-Future<BootstrapResult> bootstrapVault(
+Future<ua_bootstrap.BootstrapResult> bootstrapVault(
   Connection connection,
   String password,
 ) async {
@@ -12,39 +15,76 @@ Future<BootstrapResult> bootstrapVault(
 
   final response = await connection.ask(
     UserAgentRequest(
-      bootstrapEncryptedKey: BootstrapEncryptedKey(
+      vault: ua_vault.Request(
-        nonce: encryptedKey.nonce,
+        bootstrap: ua_bootstrap.Request(
-        ciphertext: encryptedKey.ciphertext,
+          encryptedKey: ua_bootstrap.BootstrapEncryptedKey(
-        associatedData: encryptedKey.associatedData,
+            nonce: encryptedKey.nonce,
+            ciphertext: encryptedKey.ciphertext,
+            associatedData: encryptedKey.associatedData,
+          ),
+        ),
       ),
     ),
   );
-  if (!response.hasBootstrapResult()) {
+  if (!response.hasVault()) {
     throw Exception(
-      'Expected bootstrap result, got ${response.whichPayload()}',
+      'Expected vault response, got ${response.whichPayload()}',
     );
   }
 
-  return response.bootstrapResult;
+  final vaultResponse = response.vault;
+  if (!vaultResponse.hasBootstrap()) {
+    throw Exception(
+      'Expected bootstrap result, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final bootstrapResponse = vaultResponse.bootstrap;
+  if (!bootstrapResponse.hasResult()) {
+    throw Exception('Expected bootstrap result payload.');
+  }
+
+  return bootstrapResponse.result;
 }
 
-Future<UnsealResult> unsealVault(Connection connection, String password) async {
+Future<ua_unseal.UnsealResult> unsealVault(
+  Connection connection,
+  String password,
+) async {
   final encryptedKey = await _encryptVaultKeyMaterial(connection, password);
 
   final response = await connection.ask(
     UserAgentRequest(
-      unsealEncryptedKey: UnsealEncryptedKey(
+      vault: ua_vault.Request(
-        nonce: encryptedKey.nonce,
+        unseal: ua_unseal.Request(
-        ciphertext: encryptedKey.ciphertext,
+          encryptedKey: ua_unseal.UnsealEncryptedKey(
-        associatedData: encryptedKey.associatedData,
+            nonce: encryptedKey.nonce,
+            ciphertext: encryptedKey.ciphertext,
+            associatedData: encryptedKey.associatedData,
+          ),
+        ),
       ),
     ),
   );
-  if (!response.hasUnsealResult()) {
+  if (!response.hasVault()) {
-    throw Exception('Expected unseal result, got ${response.whichPayload()}');
+    throw Exception('Expected vault response, got ${response.whichPayload()}');
   }
 
-  return response.unsealResult;
+  final vaultResponse = response.vault;
+  if (!vaultResponse.hasUnseal()) {
+    throw Exception(
+      'Expected unseal result, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final unsealResponse = vaultResponse.unseal;
+  if (!unsealResponse.hasResult()) {
+    throw Exception(
+      'Expected unseal result payload, got ${unsealResponse.whichPayload()}',
+    );
+  }
+
+  return unsealResponse.result;
 }
 
 Future<_EncryptedVaultKey> _encryptVaultKeyMaterial(
@@ -57,16 +97,36 @@ Future<_EncryptedVaultKey> _encryptVaultKeyMaterial(
   final clientPublicKey = await clientKeyPair.extractPublicKey();
 
   final handshakeResponse = await connection.ask(
-    UserAgentRequest(unsealStart: UnsealStart(clientPubkey: clientPublicKey.bytes)),
+    UserAgentRequest(
+      vault: ua_vault.Request(
+        unseal: ua_unseal.Request(
+          start: ua_unseal.UnsealStart(clientPubkey: clientPublicKey.bytes),
+        ),
+      ),
+    ),
   );
-  if (!handshakeResponse.hasUnsealStartResponse()) {
+  if (!handshakeResponse.hasVault()) {
     throw Exception(
-      'Expected unseal handshake response, got ${handshakeResponse.whichPayload()}',
+      'Expected vault response, got ${handshakeResponse.whichPayload()}',
+    );
+  }
+
+  final vaultResponse = handshakeResponse.vault;
+  if (!vaultResponse.hasUnseal()) {
+    throw Exception(
+      'Expected unseal handshake response, got ${vaultResponse.whichPayload()}',
+    );
+  }
+
+  final unsealResponse = vaultResponse.unseal;
+  if (!unsealResponse.hasStart()) {
+    throw Exception(
+      'Expected unseal handshake payload, got ${unsealResponse.whichPayload()}',
     );
   }
 
   final serverPublicKey = SimplePublicKey(
-    handshakeResponse.unsealStartResponse.serverPubkey,
+    unsealResponse.start.serverPubkey,
     type: KeyPairType.x25519,
   );
   final sharedSecret = await keyExchange.sharedSecretKey(

useragent/lib/proto/client.pb.dart

@@ -13,305 +13,26 @@
 import 'dart:core' as $core;
 
 import 'package:protobuf/protobuf.dart' as $pb;
-import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
 
-import 'client.pbenum.dart';
+import 'client/auth.pb.dart' as $0;
-import 'evm.pb.dart' as $1;
+import 'client/evm.pb.dart' as $2;
+import 'client/vault.pb.dart' as $1;
 
 export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
 
-export 'client.pbenum.dart';
+enum ClientRequest_Payload { auth, vault, evm, notSet }
-
-class ClientInfo extends $pb.GeneratedMessage {
-  factory ClientInfo({
-    $core.String? name,
-    $core.String? description,
-    $core.String? version,
-  }) {
-    final result = create();
-    if (name != null) result.name = name;
-    if (description != null) result.description = description;
-    if (version != null) result.version = version;
-    return result;
-  }
-
-  ClientInfo._();
-
-  factory ClientInfo.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory ClientInfo.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'ClientInfo',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..aOS(1, _omitFieldNames ? '' : 'name')
-    ..aOS(2, _omitFieldNames ? '' : 'description')
-    ..aOS(3, _omitFieldNames ? '' : 'version')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  ClientInfo clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  ClientInfo copyWith(void Function(ClientInfo) updates) =>
-      super.copyWith((message) => updates(message as ClientInfo)) as ClientInfo;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static ClientInfo create() => ClientInfo._();
-  @$core.override
-  ClientInfo createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static ClientInfo getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<ClientInfo>(create);
-  static ClientInfo? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.String get name => $_getSZ(0);
-  @$pb.TagNumber(1)
-  set name($core.String value) => $_setString(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasName() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearName() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.String get description => $_getSZ(1);
-  @$pb.TagNumber(2)
-  set description($core.String value) => $_setString(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasDescription() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearDescription() => $_clearField(2);
-
-  @$pb.TagNumber(3)
-  $core.String get version => $_getSZ(2);
-  @$pb.TagNumber(3)
-  set version($core.String value) => $_setString(2, value);
-  @$pb.TagNumber(3)
-  $core.bool hasVersion() => $_has(2);
-  @$pb.TagNumber(3)
-  void clearVersion() => $_clearField(3);
-}
-
-class AuthChallengeRequest extends $pb.GeneratedMessage {
-  factory AuthChallengeRequest({
-    $core.List<$core.int>? pubkey,
-    ClientInfo? clientInfo,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    if (clientInfo != null) result.clientInfo = clientInfo;
-    return result;
-  }
-
-  AuthChallengeRequest._();
-
-  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallengeRequest.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallengeRequest',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aOM<ClientInfo>(2, _omitFieldNames ? '' : 'clientInfo',
-        subBuilder: ClientInfo.create)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeRequest clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
-      super.copyWith((message) => updates(message as AuthChallengeRequest))
-          as AuthChallengeRequest;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeRequest create() => AuthChallengeRequest._();
-  @$core.override
-  AuthChallengeRequest createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeRequest getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
-  static AuthChallengeRequest? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  ClientInfo get clientInfo => $_getN(1);
-  @$pb.TagNumber(2)
-  set clientInfo(ClientInfo value) => $_setField(2, value);
-  @$pb.TagNumber(2)
-  $core.bool hasClientInfo() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearClientInfo() => $_clearField(2);
-  @$pb.TagNumber(2)
-  ClientInfo ensureClientInfo() => $_ensure(1);
-}
-
-class AuthChallenge extends $pb.GeneratedMessage {
-  factory AuthChallenge({
-    $core.List<$core.int>? pubkey,
-    $core.int? nonce,
-  }) {
-    final result = create();
-    if (pubkey != null) result.pubkey = pubkey;
-    if (nonce != null) result.nonce = nonce;
-    return result;
-  }
-
-  AuthChallenge._();
-
-  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallenge.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallenge',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
-    ..aI(2, _omitFieldNames ? '' : 'nonce')
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallenge clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
-      super.copyWith((message) => updates(message as AuthChallenge))
-          as AuthChallenge;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallenge create() => AuthChallenge._();
-  @$core.override
-  AuthChallenge createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallenge getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
-  static AuthChallenge? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get pubkey => $_getN(0);
-  @$pb.TagNumber(1)
-  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasPubkey() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearPubkey() => $_clearField(1);
-
-  @$pb.TagNumber(2)
-  $core.int get nonce => $_getIZ(1);
-  @$pb.TagNumber(2)
-  set nonce($core.int value) => $_setSignedInt32(1, value);
-  @$pb.TagNumber(2)
-  $core.bool hasNonce() => $_has(1);
-  @$pb.TagNumber(2)
-  void clearNonce() => $_clearField(2);
-}
-
-class AuthChallengeSolution extends $pb.GeneratedMessage {
-  factory AuthChallengeSolution({
-    $core.List<$core.int>? signature,
-  }) {
-    final result = create();
-    if (signature != null) result.signature = signature;
-    return result;
-  }
-
-  AuthChallengeSolution._();
-
-  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromBuffer(data, registry);
-  factory AuthChallengeSolution.fromJson($core.String json,
-          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
-      create()..mergeFromJson(json, registry);
-
-  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
-      _omitMessageNames ? '' : 'AuthChallengeSolution',
-      package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
-      createEmptyInstance: create)
-    ..a<$core.List<$core.int>>(
-        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
-    ..hasRequiredFields = false;
-
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeSolution clone() => deepCopy();
-  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
-  AuthChallengeSolution copyWith(
-          void Function(AuthChallengeSolution) updates) =>
-      super.copyWith((message) => updates(message as AuthChallengeSolution))
-          as AuthChallengeSolution;
-
-  @$core.override
-  $pb.BuilderInfo get info_ => _i;
-
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeSolution create() => AuthChallengeSolution._();
-  @$core.override
-  AuthChallengeSolution createEmptyInstance() => create();
-  @$core.pragma('dart2js:noInline')
-  static AuthChallengeSolution getDefault() => _defaultInstance ??=
-      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
-  static AuthChallengeSolution? _defaultInstance;
-
-  @$pb.TagNumber(1)
-  $core.List<$core.int> get signature => $_getN(0);
-  @$pb.TagNumber(1)
-  set signature($core.List<$core.int> value) => $_setBytes(0, value);
-  @$pb.TagNumber(1)
-  $core.bool hasSignature() => $_has(0);
-  @$pb.TagNumber(1)
-  void clearSignature() => $_clearField(1);
-}
-
-enum ClientRequest_Payload {
-  authChallengeRequest,
-  authChallengeSolution,
-  queryVaultState,
-  notSet
-}
 
 class ClientRequest extends $pb.GeneratedMessage {
   factory ClientRequest({
-    AuthChallengeRequest? authChallengeRequest,
+    $0.Request? auth,
-    AuthChallengeSolution? authChallengeSolution,
+    $1.Request? vault,
-    $0.Empty? queryVaultState,
+    $2.Request? evm,
     $core.int? requestId,
   }) {
     final result = create();
-    if (authChallengeRequest != null)
+    if (auth != null) result.auth = auth;
-      result.authChallengeRequest = authChallengeRequest;
+    if (vault != null) result.vault = vault;
-    if (authChallengeSolution != null)
+    if (evm != null) result.evm = evm;
-      result.authChallengeSolution = authChallengeSolution;
-    if (queryVaultState != null) result.queryVaultState = queryVaultState;
     if (requestId != null) result.requestId = requestId;
     return result;
   }
@@ -327,9 +48,9 @@ class ClientRequest extends $pb.GeneratedMessage {
 
   static const $core.Map<$core.int, ClientRequest_Payload>
       _ClientRequest_PayloadByTag = {
-    1: ClientRequest_Payload.authChallengeRequest,
+    1: ClientRequest_Payload.auth,
-    2: ClientRequest_Payload.authChallengeSolution,
+    2: ClientRequest_Payload.vault,
-    3: ClientRequest_Payload.queryVaultState,
+    3: ClientRequest_Payload.evm,
     0: ClientRequest_Payload.notSet
   };
   static final $pb.BuilderInfo _i = $pb.BuilderInfo(
@@ -337,14 +58,12 @@ class ClientRequest extends $pb.GeneratedMessage {
       package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
       createEmptyInstance: create)
     ..oo(0, [1, 2, 3])
-    ..aOM<AuthChallengeRequest>(
+    ..aOM<$0.Request>(1, _omitFieldNames ? '' : 'auth',
-        1, _omitFieldNames ? '' : 'authChallengeRequest',
+        subBuilder: $0.Request.create)
-        subBuilder: AuthChallengeRequest.create)
+    ..aOM<$1.Request>(2, _omitFieldNames ? '' : 'vault',
-    ..aOM<AuthChallengeSolution>(
+        subBuilder: $1.Request.create)
-        2, _omitFieldNames ? '' : 'authChallengeSolution',
+    ..aOM<$2.Request>(3, _omitFieldNames ? '' : 'evm',
-        subBuilder: AuthChallengeSolution.create)
+        subBuilder: $2.Request.create)
-    ..aOM<$0.Empty>(3, _omitFieldNames ? '' : 'queryVaultState',
-        subBuilder: $0.Empty.create)
     ..aI(4, _omitFieldNames ? '' : 'requestId')
     ..hasRequiredFields = false;
 
@@ -378,38 +97,37 @@ class ClientRequest extends $pb.GeneratedMessage {
   void clearPayload() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  AuthChallengeRequest get authChallengeRequest => $_getN(0);
+  $0.Request get auth => $_getN(0);
   @$pb.TagNumber(1)
-  set authChallengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  set auth($0.Request value) => $_setField(1, value);
   @$pb.TagNumber(1)
-  $core.bool hasAuthChallengeRequest() => $_has(0);
+  $core.bool hasAuth() => $_has(0);
   @$pb.TagNumber(1)
-  void clearAuthChallengeRequest() => $_clearField(1);
+  void clearAuth() => $_clearField(1);
   @$pb.TagNumber(1)
-  AuthChallengeRequest ensureAuthChallengeRequest() => $_ensure(0);
+  $0.Request ensureAuth() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  AuthChallengeSolution get authChallengeSolution => $_getN(1);
+  $1.Request get vault => $_getN(1);
   @$pb.TagNumber(2)
-  set authChallengeSolution(AuthChallengeSolution value) =>
+  set vault($1.Request value) => $_setField(2, value);
-      $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasAuthChallengeSolution() => $_has(1);
+  $core.bool hasVault() => $_has(1);
   @$pb.TagNumber(2)
-  void clearAuthChallengeSolution() => $_clearField(2);
+  void clearVault() => $_clearField(2);
   @$pb.TagNumber(2)
-  AuthChallengeSolution ensureAuthChallengeSolution() => $_ensure(1);
+  $1.Request ensureVault() => $_ensure(1);
 
   @$pb.TagNumber(3)
-  $0.Empty get queryVaultState => $_getN(2);
+  $2.Request get evm => $_getN(2);
   @$pb.TagNumber(3)
-  set queryVaultState($0.Empty value) => $_setField(3, value);
+  set evm($2.Request value) => $_setField(3, value);
   @$pb.TagNumber(3)
-  $core.bool hasQueryVaultState() => $_has(2);
+  $core.bool hasEvm() => $_has(2);
   @$pb.TagNumber(3)
-  void clearQueryVaultState() => $_clearField(3);
+  void clearEvm() => $_clearField(3);
   @$pb.TagNumber(3)
-  $0.Empty ensureQueryVaultState() => $_ensure(2);
+  $2.Request ensureEvm() => $_ensure(2);
 
   @$pb.TagNumber(4)
   $core.int get requestId => $_getIZ(3);
@@ -421,32 +139,19 @@ class ClientRequest extends $pb.GeneratedMessage {
   void clearRequestId() => $_clearField(4);
 }
 
-enum ClientResponse_Payload {
+enum ClientResponse_Payload { auth, vault, evm, notSet }
-  authChallenge,
-  authResult,
-  evmSignTransaction,
-  evmAnalyzeTransaction,
-  vaultState,
-  notSet
-}
 
 class ClientResponse extends $pb.GeneratedMessage {
   factory ClientResponse({
-    AuthChallenge? authChallenge,
+    $0.Response? auth,
-    AuthResult? authResult,
+    $1.Response? vault,
-    $1.EvmSignTransactionResponse? evmSignTransaction,
+    $2.Response? evm,
-    $1.EvmAnalyzeTransactionResponse? evmAnalyzeTransaction,
-    VaultState? vaultState,
     $core.int? requestId,
   }) {
     final result = create();
-    if (authChallenge != null) result.authChallenge = authChallenge;
+    if (auth != null) result.auth = auth;
-    if (authResult != null) result.authResult = authResult;
+    if (vault != null) result.vault = vault;
-    if (evmSignTransaction != null)
+    if (evm != null) result.evm = evm;
-      result.evmSignTransaction = evmSignTransaction;
-    if (evmAnalyzeTransaction != null)
-      result.evmAnalyzeTransaction = evmAnalyzeTransaction;
-    if (vaultState != null) result.vaultState = vaultState;
     if (requestId != null) result.requestId = requestId;
     return result;
   }
@@ -462,30 +167,22 @@ class ClientResponse extends $pb.GeneratedMessage {
 
   static const $core.Map<$core.int, ClientResponse_Payload>
       _ClientResponse_PayloadByTag = {
-    1: ClientResponse_Payload.authChallenge,
+    1: ClientResponse_Payload.auth,
-    2: ClientResponse_Payload.authResult,
+    2: ClientResponse_Payload.vault,
-    3: ClientResponse_Payload.evmSignTransaction,
+    3: ClientResponse_Payload.evm,
-    4: ClientResponse_Payload.evmAnalyzeTransaction,
-    6: ClientResponse_Payload.vaultState,
     0: ClientResponse_Payload.notSet
   };
   static final $pb.BuilderInfo _i = $pb.BuilderInfo(
       _omitMessageNames ? '' : 'ClientResponse',
       package: const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client'),
       createEmptyInstance: create)
-    ..oo(0, [1, 2, 3, 4, 6])
+    ..oo(0, [1, 2, 3])
-    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'authChallenge',
+    ..aOM<$0.Response>(1, _omitFieldNames ? '' : 'auth',
-        subBuilder: AuthChallenge.create)
+        subBuilder: $0.Response.create)
-    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'authResult',
+    ..aOM<$1.Response>(2, _omitFieldNames ? '' : 'vault',
-        enumValues: AuthResult.values)
+        subBuilder: $1.Response.create)
-    ..aOM<$1.EvmSignTransactionResponse>(
+    ..aOM<$2.Response>(3, _omitFieldNames ? '' : 'evm',
-        3, _omitFieldNames ? '' : 'evmSignTransaction',
+        subBuilder: $2.Response.create)
-        subBuilder: $1.EvmSignTransactionResponse.create)
-    ..aOM<$1.EvmAnalyzeTransactionResponse>(
-        4, _omitFieldNames ? '' : 'evmAnalyzeTransaction',
-        subBuilder: $1.EvmAnalyzeTransactionResponse.create)
-    ..aE<VaultState>(6, _omitFieldNames ? '' : 'vaultState',
-        enumValues: VaultState.values)
     ..aI(7, _omitFieldNames ? '' : 'requestId')
     ..hasRequiredFields = false;
 
@@ -511,76 +208,52 @@ class ClientResponse extends $pb.GeneratedMessage {
   @$pb.TagNumber(1)
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(6)
   ClientResponse_Payload whichPayload() =>
       _ClientResponse_PayloadByTag[$_whichOneof(0)]!;
   @$pb.TagNumber(1)
   @$pb.TagNumber(2)
   @$pb.TagNumber(3)
-  @$pb.TagNumber(4)
-  @$pb.TagNumber(6)
   void clearPayload() => $_clearField($_whichOneof(0));
 
   @$pb.TagNumber(1)
-  AuthChallenge get authChallenge => $_getN(0);
+  $0.Response get auth => $_getN(0);
   @$pb.TagNumber(1)
-  set authChallenge(AuthChallenge value) => $_setField(1, value);
+  set auth($0.Response value) => $_setField(1, value);
   @$pb.TagNumber(1)
-  $core.bool hasAuthChallenge() => $_has(0);
+  $core.bool hasAuth() => $_has(0);
   @$pb.TagNumber(1)
-  void clearAuthChallenge() => $_clearField(1);
+  void clearAuth() => $_clearField(1);
   @$pb.TagNumber(1)
-  AuthChallenge ensureAuthChallenge() => $_ensure(0);
+  $0.Response ensureAuth() => $_ensure(0);
 
   @$pb.TagNumber(2)
-  AuthResult get authResult => $_getN(1);
+  $1.Response get vault => $_getN(1);
   @$pb.TagNumber(2)
-  set authResult(AuthResult value) => $_setField(2, value);
+  set vault($1.Response value) => $_setField(2, value);
   @$pb.TagNumber(2)
-  $core.bool hasAuthResult() => $_has(1);
+  $core.bool hasVault() => $_has(1);
   @$pb.TagNumber(2)
-  void clearAuthResult() => $_clearField(2);
+  void clearVault() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $1.Response ensureVault() => $_ensure(1);
 
   @$pb.TagNumber(3)
-  $1.EvmSignTransactionResponse get evmSignTransaction => $_getN(2);
+  $2.Response get evm => $_getN(2);
   @$pb.TagNumber(3)
-  set evmSignTransaction($1.EvmSignTransactionResponse value) =>
+  set evm($2.Response value) => $_setField(3, value);
-      $_setField(3, value);
   @$pb.TagNumber(3)
-  $core.bool hasEvmSignTransaction() => $_has(2);
+  $core.bool hasEvm() => $_has(2);
   @$pb.TagNumber(3)
-  void clearEvmSignTransaction() => $_clearField(3);
+  void clearEvm() => $_clearField(3);
   @$pb.TagNumber(3)
-  $1.EvmSignTransactionResponse ensureEvmSignTransaction() => $_ensure(2);
+  $2.Response ensureEvm() => $_ensure(2);
-
-  @$pb.TagNumber(4)
-  $1.EvmAnalyzeTransactionResponse get evmAnalyzeTransaction => $_getN(3);
-  @$pb.TagNumber(4)
-  set evmAnalyzeTransaction($1.EvmAnalyzeTransactionResponse value) =>
-      $_setField(4, value);
-  @$pb.TagNumber(4)
-  $core.bool hasEvmAnalyzeTransaction() => $_has(3);
-  @$pb.TagNumber(4)
-  void clearEvmAnalyzeTransaction() => $_clearField(4);
-  @$pb.TagNumber(4)
-  $1.EvmAnalyzeTransactionResponse ensureEvmAnalyzeTransaction() => $_ensure(3);
-
-  @$pb.TagNumber(6)
-  VaultState get vaultState => $_getN(4);
-  @$pb.TagNumber(6)
-  set vaultState(VaultState value) => $_setField(6, value);
-  @$pb.TagNumber(6)
-  $core.bool hasVaultState() => $_has(4);
-  @$pb.TagNumber(6)
-  void clearVaultState() => $_clearField(6);
 
   @$pb.TagNumber(7)
-  $core.int get requestId => $_getIZ(5);
+  $core.int get requestId => $_getIZ(3);
   @$pb.TagNumber(7)
-  set requestId($core.int value) => $_setSignedInt32(5, value);
+  set requestId($core.int value) => $_setSignedInt32(3, value);
   @$pb.TagNumber(7)
-  $core.bool hasRequestId() => $_has(5);
+  $core.bool hasRequestId() => $_has(3);
   @$pb.TagNumber(7)
   void clearRequestId() => $_clearField(7);
 }

useragent/lib/proto/client.pbenum.dart

@@ -9,72 +9,3 @@
 // ignore_for_file: curly_braces_in_flow_control_structures
 // ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
 // ignore_for_file: non_constant_identifier_names, prefer_relative_imports
-
-import 'dart:core' as $core;
-
-import 'package:protobuf/protobuf.dart' as $pb;
-
-class AuthResult extends $pb.ProtobufEnum {
-  static const AuthResult AUTH_RESULT_UNSPECIFIED =
-      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
-  static const AuthResult AUTH_RESULT_SUCCESS =
-      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
-  static const AuthResult AUTH_RESULT_INVALID_KEY =
-      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
-  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
-      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
-  static const AuthResult AUTH_RESULT_APPROVAL_DENIED =
-      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_APPROVAL_DENIED');
-  static const AuthResult AUTH_RESULT_NO_USER_AGENTS_ONLINE = AuthResult._(
-      5, _omitEnumNames ? '' : 'AUTH_RESULT_NO_USER_AGENTS_ONLINE');
-  static const AuthResult AUTH_RESULT_INTERNAL =
-      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
-
-  static const $core.List<AuthResult> values = <AuthResult>[
-    AUTH_RESULT_UNSPECIFIED,
-    AUTH_RESULT_SUCCESS,
-    AUTH_RESULT_INVALID_KEY,
-    AUTH_RESULT_INVALID_SIGNATURE,
-    AUTH_RESULT_APPROVAL_DENIED,
-    AUTH_RESULT_NO_USER_AGENTS_ONLINE,
-    AUTH_RESULT_INTERNAL,
-  ];
-
-  static final $core.List<AuthResult?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 6);
-  static AuthResult? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const AuthResult._(super.value, super.name);
-}
-
-class VaultState extends $pb.ProtobufEnum {
-  static const VaultState VAULT_STATE_UNSPECIFIED =
-      VaultState._(0, _omitEnumNames ? '' : 'VAULT_STATE_UNSPECIFIED');
-  static const VaultState VAULT_STATE_UNBOOTSTRAPPED =
-      VaultState._(1, _omitEnumNames ? '' : 'VAULT_STATE_UNBOOTSTRAPPED');
-  static const VaultState VAULT_STATE_SEALED =
-      VaultState._(2, _omitEnumNames ? '' : 'VAULT_STATE_SEALED');
-  static const VaultState VAULT_STATE_UNSEALED =
-      VaultState._(3, _omitEnumNames ? '' : 'VAULT_STATE_UNSEALED');
-  static const VaultState VAULT_STATE_ERROR =
-      VaultState._(4, _omitEnumNames ? '' : 'VAULT_STATE_ERROR');
-
-  static const $core.List<VaultState> values = <VaultState>[
-    VAULT_STATE_UNSPECIFIED,
-    VAULT_STATE_UNBOOTSTRAPPED,
-    VAULT_STATE_SEALED,
-    VAULT_STATE_UNSEALED,
-    VAULT_STATE_ERROR,
-  ];
-
-  static final $core.List<VaultState?> _byValue =
-      $pb.ProtobufEnum.$_initByValueList(values, 4);
-  static VaultState? valueOf($core.int value) =>
-      value < 0 || value >= _byValue.length ? null : _byValue[value];
-
-  const VaultState._(super.value, super.name);
-}
-
-const $core.bool _omitEnumNames =
-    $core.bool.fromEnvironment('protobuf.omit_enum_names');

useragent/lib/proto/client.pbjson.dart

@@ -15,160 +15,37 @@ import 'dart:convert' as $convert;
 import 'dart:core' as $core;
 import 'dart:typed_data' as $typed_data;
 
-@$core.Deprecated('Use authResultDescriptor instead')
-const AuthResult$json = {
-  '1': 'AuthResult',
-  '2': [
-    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
-    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
-    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
-    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
-    {'1': 'AUTH_RESULT_APPROVAL_DENIED', '2': 4},
-    {'1': 'AUTH_RESULT_NO_USER_AGENTS_ONLINE', '2': 5},
-    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
-  ],
-};
-
-/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
-    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
-    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
-    'SU5WQUxJRF9TSUdOQVRVUkUQAxIfChtBVVRIX1JFU1VMVF9BUFBST1ZBTF9ERU5JRUQQBBIlCi'
-    'FBVVRIX1JFU1VMVF9OT19VU0VSX0FHRU5UU19PTkxJTkUQBRIYChRBVVRIX1JFU1VMVF9JTlRF'
-    'Uk5BTBAG');
-
-@$core.Deprecated('Use vaultStateDescriptor instead')
-const VaultState$json = {
-  '1': 'VaultState',
-  '2': [
-    {'1': 'VAULT_STATE_UNSPECIFIED', '2': 0},
-    {'1': 'VAULT_STATE_UNBOOTSTRAPPED', '2': 1},
-    {'1': 'VAULT_STATE_SEALED', '2': 2},
-    {'1': 'VAULT_STATE_UNSEALED', '2': 3},
-    {'1': 'VAULT_STATE_ERROR', '2': 4},
-  ],
-};
-
-/// Descriptor for `VaultState`. Decode as a `google.protobuf.EnumDescriptorProto`.
-final $typed_data.Uint8List vaultStateDescriptor = $convert.base64Decode(
-    'CgpWYXVsdFN0YXRlEhsKF1ZBVUxUX1NUQVRFX1VOU1BFQ0lGSUVEEAASHgoaVkFVTFRfU1RBVE'
-    'VfVU5CT09UU1RSQVBQRUQQARIWChJWQVVMVF9TVEFURV9TRUFMRUQQAhIYChRWQVVMVF9TVEFU'
-    'RV9VTlNFQUxFRBADEhUKEVZBVUxUX1NUQVRFX0VSUk9SEAQ=');
-
-@$core.Deprecated('Use clientInfoDescriptor instead')
-const ClientInfo$json = {
-  '1': 'ClientInfo',
-  '2': [
-    {'1': 'name', '3': 1, '4': 1, '5': 9, '10': 'name'},
-    {
-      '1': 'description',
-      '3': 2,
-      '4': 1,
-      '5': 9,
-      '9': 0,
-      '10': 'description',
-      '17': true
-    },
-    {
-      '1': 'version',
-      '3': 3,
-      '4': 1,
-      '5': 9,
-      '9': 1,
-      '10': 'version',
-      '17': true
-    },
-  ],
-  '8': [
-    {'1': '_description'},
-    {'1': '_version'},
-  ],
-};
-
-/// Descriptor for `ClientInfo`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List clientInfoDescriptor = $convert.base64Decode(
-    'CgpDbGllbnRJbmZvEhIKBG5hbWUYASABKAlSBG5hbWUSJQoLZGVzY3JpcHRpb24YAiABKAlIAF'
-    'ILZGVzY3JpcHRpb26IAQESHQoHdmVyc2lvbhgDIAEoCUgBUgd2ZXJzaW9uiAEBQg4KDF9kZXNj'
-    'cmlwdGlvbkIKCghfdmVyc2lvbg==');
-
-@$core.Deprecated('Use authChallengeRequestDescriptor instead')
-const AuthChallengeRequest$json = {
-  '1': 'AuthChallengeRequest',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {
-      '1': 'client_info',
-      '3': 2,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.client.ClientInfo',
-      '10': 'clientInfo'
-    },
-  ],
-};
-
-/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
-    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRI7CgtjbGllbn'
-    'RfaW5mbxgCIAEoCzIaLmFyYml0ZXIuY2xpZW50LkNsaWVudEluZm9SCmNsaWVudEluZm8=');
-
-@$core.Deprecated('Use authChallengeDescriptor instead')
-const AuthChallenge$json = {
-  '1': 'AuthChallenge',
-  '2': [
-    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
-    {'1': 'nonce', '3': 2, '4': 1, '5': 5, '10': 'nonce'},
-  ],
-};
-
-/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeDescriptor = $convert.base64Decode(
-    'Cg1BdXRoQ2hhbGxlbmdlEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5EhQKBW5vbmNlGAIgASgFUg'
-    'Vub25jZQ==');
-
-@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
-const AuthChallengeSolution$json = {
-  '1': 'AuthChallengeSolution',
-  '2': [
-    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
-  ],
-};
-
-/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
-final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
-    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
-
 @$core.Deprecated('Use clientRequestDescriptor instead')
 const ClientRequest$json = {
   '1': 'ClientRequest',
   '2': [
     {'1': 'request_id', '3': 4, '4': 1, '5': 5, '10': 'requestId'},
     {
-      '1': 'auth_challenge_request',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallengeRequest',
+      '6': '.arbiter.client.auth.Request',
       '9': 0,
-      '10': 'authChallengeRequest'
+      '10': 'auth'
     },
     {
-      '1': 'auth_challenge_solution',
+      '1': 'vault',
       '3': 2,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallengeSolution',
+      '6': '.arbiter.client.vault.Request',
       '9': 0,
-      '10': 'authChallengeSolution'
+      '10': 'vault'
     },
     {
-      '1': 'query_vault_state',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.google.protobuf.Empty',
+      '6': '.arbiter.client.evm.Request',
       '9': 0,
-      '10': 'queryVaultState'
+      '10': 'evm'
     },
   ],
   '8': [
@@ -178,12 +55,10 @@ const ClientRequest$json = {
 
 /// Descriptor for `ClientRequest`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List clientRequestDescriptor = $convert.base64Decode(
-    'Cg1DbGllbnRSZXF1ZXN0Eh0KCnJlcXVlc3RfaWQYBCABKAVSCXJlcXVlc3RJZBJcChZhdXRoX2'
+    'Cg1DbGllbnRSZXF1ZXN0Eh0KCnJlcXVlc3RfaWQYBCABKAVSCXJlcXVlc3RJZBIyCgRhdXRoGA'
-    'NoYWxsZW5nZV9yZXF1ZXN0GAEgASgLMiQuYXJiaXRlci5jbGllbnQuQXV0aENoYWxsZW5nZVJl'
+    'EgASgLMhwuYXJiaXRlci5jbGllbnQuYXV0aC5SZXF1ZXN0SABSBGF1dGgSNQoFdmF1bHQYAiAB'
-    'cXVlc3RIAFIUYXV0aENoYWxsZW5nZVJlcXVlc3QSXwoXYXV0aF9jaGFsbGVuZ2Vfc29sdXRpb2'
+    'KAsyHS5hcmJpdGVyLmNsaWVudC52YXVsdC5SZXF1ZXN0SABSBXZhdWx0Ei8KA2V2bRgDIAEoCz'
-    '4YAiABKAsyJS5hcmJpdGVyLmNsaWVudC5BdXRoQ2hhbGxlbmdlU29sdXRpb25IAFIVYXV0aENo'
+    'IbLmFyYml0ZXIuY2xpZW50LmV2bS5SZXF1ZXN0SABSA2V2bUIJCgdwYXlsb2Fk');
-    'YWxsZW5nZVNvbHV0aW9uEkQKEXF1ZXJ5X3ZhdWx0X3N0YXRlGAMgASgLMhYuZ29vZ2xlLnByb3'
-    'RvYnVmLkVtcHR5SABSD3F1ZXJ5VmF1bHRTdGF0ZUIJCgdwYXlsb2Fk');
 
 @$core.Deprecated('Use clientResponseDescriptor instead')
 const ClientResponse$json = {
@@ -199,49 +74,31 @@ const ClientResponse$json = {
       '17': true
     },
     {
-      '1': 'auth_challenge',
+      '1': 'auth',
       '3': 1,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.client.AuthChallenge',
+      '6': '.arbiter.client.auth.Response',
       '9': 0,
-      '10': 'authChallenge'
+      '10': 'auth'
     },
     {
-      '1': 'auth_result',
+      '1': 'vault',
       '3': 2,
       '4': 1,
-      '5': 14,
+      '5': 11,
-      '6': '.arbiter.client.AuthResult',
+      '6': '.arbiter.client.vault.Response',
       '9': 0,
-      '10': 'authResult'
+      '10': 'vault'
     },
     {
-      '1': 'evm_sign_transaction',
+      '1': 'evm',
       '3': 3,
       '4': 1,
       '5': 11,
-      '6': '.arbiter.evm.EvmSignTransactionResponse',
+      '6': '.arbiter.client.evm.Response',
       '9': 0,
-      '10': 'evmSignTransaction'
+      '10': 'evm'
-    },
-    {
-      '1': 'evm_analyze_transaction',
-      '3': 4,
-      '4': 1,
-      '5': 11,
-      '6': '.arbiter.evm.EvmAnalyzeTransactionResponse',
-      '9': 0,
-      '10': 'evmAnalyzeTransaction'
-    },
-    {
-      '1': 'vault_state',
-      '3': 6,
-      '4': 1,
-      '5': 14,
-      '6': '.arbiter.client.VaultState',
-      '9': 0,
-      '10': 'vaultState'
     },
   ],
   '8': [
@@ -252,12 +109,8 @@ const ClientResponse$json = {
 
 /// Descriptor for `ClientResponse`. Decode as a `google.protobuf.DescriptorProto`.
 final $typed_data.Uint8List clientResponseDescriptor = $convert.base64Decode(
-    'Cg5DbGllbnRSZXNwb25zZRIiCgpyZXF1ZXN0X2lkGAcgASgFSAFSCXJlcXVlc3RJZIgBARJGCg'
+    'Cg5DbGllbnRSZXNwb25zZRIiCgpyZXF1ZXN0X2lkGAcgASgFSAFSCXJlcXVlc3RJZIgBARIzCg'
-    '5hdXRoX2NoYWxsZW5nZRgBIAEoCzIdLmFyYml0ZXIuY2xpZW50LkF1dGhDaGFsbGVuZ2VIAFIN'
+    'RhdXRoGAEgASgLMh0uYXJiaXRlci5jbGllbnQuYXV0aC5SZXNwb25zZUgAUgRhdXRoEjYKBXZh'
-    'YXV0aENoYWxsZW5nZRI9CgthdXRoX3Jlc3VsdBgCIAEoDjIaLmFyYml0ZXIuY2xpZW50LkF1dG'
+    'dWx0GAIgASgLMh4uYXJiaXRlci5jbGllbnQudmF1bHQuUmVzcG9uc2VIAFIFdmF1bHQSMAoDZX'
-    'hSZXN1bHRIAFIKYXV0aFJlc3VsdBJbChRldm1fc2lnbl90cmFuc2FjdGlvbhgDIAEoCzInLmFy'
+    'ZtGAMgASgLMhwuYXJiaXRlci5jbGllbnQuZXZtLlJlc3BvbnNlSABSA2V2bUIJCgdwYXlsb2Fk'
-    'Yml0ZXIuZXZtLkV2bVNpZ25UcmFuc2FjdGlvblJlc3BvbnNlSABSEmV2bVNpZ25UcmFuc2FjdG'
+    'Qg0KC19yZXF1ZXN0X2lk');
-    'lvbhJkChdldm1fYW5hbHl6ZV90cmFuc2FjdGlvbhgEIAEoCzIqLmFyYml0ZXIuZXZtLkV2bUFu'
-    'YWx5emVUcmFuc2FjdGlvblJlc3BvbnNlSABSFWV2bUFuYWx5emVUcmFuc2FjdGlvbhI9Cgt2YX'
-    'VsdF9zdGF0ZRgGIAEoDjIaLmFyYml0ZXIuY2xpZW50LlZhdWx0U3RhdGVIAFIKdmF1bHRTdGF0'
-    'ZUIJCgdwYXlsb2FkQg0KC19yZXF1ZXN0X2lk');

useragent/lib/proto/client/auth.pb.dart

@@ -0,0 +1,395 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import '../shared/client.pb.dart' as $0;
+import 'auth.pbenum.dart';
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+export 'auth.pbenum.dart';
+
+class AuthChallengeRequest extends $pb.GeneratedMessage {
+  factory AuthChallengeRequest({
+    $core.List<$core.int>? pubkey,
+    $0.ClientInfo? clientInfo,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (clientInfo != null) result.clientInfo = clientInfo;
+    return result;
+  }
+
+  AuthChallengeRequest._();
+
+  factory AuthChallengeRequest.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeRequest.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeRequest',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aOM<$0.ClientInfo>(2, _omitFieldNames ? '' : 'clientInfo',
+        subBuilder: $0.ClientInfo.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeRequest copyWith(void Function(AuthChallengeRequest) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeRequest))
+          as AuthChallengeRequest;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest create() => AuthChallengeRequest._();
+  @$core.override
+  AuthChallengeRequest createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeRequest getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeRequest>(create);
+  static AuthChallengeRequest? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $0.ClientInfo get clientInfo => $_getN(1);
+  @$pb.TagNumber(2)
+  set clientInfo($0.ClientInfo value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasClientInfo() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearClientInfo() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.ClientInfo ensureClientInfo() => $_ensure(1);
+}
+
+class AuthChallenge extends $pb.GeneratedMessage {
+  factory AuthChallenge({
+    $core.List<$core.int>? pubkey,
+    $core.int? nonce,
+  }) {
+    final result = create();
+    if (pubkey != null) result.pubkey = pubkey;
+    if (nonce != null) result.nonce = nonce;
+    return result;
+  }
+
+  AuthChallenge._();
+
+  factory AuthChallenge.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallenge.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallenge',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'pubkey', $pb.PbFieldType.OY)
+    ..aI(2, _omitFieldNames ? '' : 'nonce')
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallenge copyWith(void Function(AuthChallenge) updates) =>
+      super.copyWith((message) => updates(message as AuthChallenge))
+          as AuthChallenge;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge create() => AuthChallenge._();
+  @$core.override
+  AuthChallenge createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallenge getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallenge>(create);
+  static AuthChallenge? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get pubkey => $_getN(0);
+  @$pb.TagNumber(1)
+  set pubkey($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasPubkey() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearPubkey() => $_clearField(1);
+
+  @$pb.TagNumber(2)
+  $core.int get nonce => $_getIZ(1);
+  @$pb.TagNumber(2)
+  set nonce($core.int value) => $_setSignedInt32(1, value);
+  @$pb.TagNumber(2)
+  $core.bool hasNonce() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearNonce() => $_clearField(2);
+}
+
+class AuthChallengeSolution extends $pb.GeneratedMessage {
+  factory AuthChallengeSolution({
+    $core.List<$core.int>? signature,
+  }) {
+    final result = create();
+    if (signature != null) result.signature = signature;
+    return result;
+  }
+
+  AuthChallengeSolution._();
+
+  factory AuthChallengeSolution.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory AuthChallengeSolution.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'AuthChallengeSolution',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..a<$core.List<$core.int>>(
+        1, _omitFieldNames ? '' : 'signature', $pb.PbFieldType.OY)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  AuthChallengeSolution copyWith(
+          void Function(AuthChallengeSolution) updates) =>
+      super.copyWith((message) => updates(message as AuthChallengeSolution))
+          as AuthChallengeSolution;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution create() => AuthChallengeSolution._();
+  @$core.override
+  AuthChallengeSolution createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static AuthChallengeSolution getDefault() => _defaultInstance ??=
+      $pb.GeneratedMessage.$_defaultFor<AuthChallengeSolution>(create);
+  static AuthChallengeSolution? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  $core.List<$core.int> get signature => $_getN(0);
+  @$pb.TagNumber(1)
+  set signature($core.List<$core.int> value) => $_setBytes(0, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignature() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignature() => $_clearField(1);
+}
+
+enum Request_Payload { challengeRequest, challengeSolution, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    AuthChallengeRequest? challengeRequest,
+    AuthChallengeSolution? challengeSolution,
+  }) {
+    final result = create();
+    if (challengeRequest != null) result.challengeRequest = challengeRequest;
+    if (challengeSolution != null) result.challengeSolution = challengeSolution;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.challengeRequest,
+    2: Request_Payload.challengeSolution,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallengeRequest>(1, _omitFieldNames ? '' : 'challengeRequest',
+        subBuilder: AuthChallengeRequest.create)
+    ..aOM<AuthChallengeSolution>(2, _omitFieldNames ? '' : 'challengeSolution',
+        subBuilder: AuthChallengeSolution.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallengeRequest get challengeRequest => $_getN(0);
+  @$pb.TagNumber(1)
+  set challengeRequest(AuthChallengeRequest value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallengeRequest() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallengeRequest() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallengeRequest ensureChallengeRequest() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthChallengeSolution get challengeSolution => $_getN(1);
+  @$pb.TagNumber(2)
+  set challengeSolution(AuthChallengeSolution value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasChallengeSolution() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearChallengeSolution() => $_clearField(2);
+  @$pb.TagNumber(2)
+  AuthChallengeSolution ensureChallengeSolution() => $_ensure(1);
+}
+
+enum Response_Payload { challenge, result, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    AuthChallenge? challenge,
+    AuthResult? result,
+  }) {
+    final result$ = create();
+    if (challenge != null) result$.challenge = challenge;
+    if (result != null) result$.result = result;
+    return result$;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.challenge,
+    2: Response_Payload.result,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.auth'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<AuthChallenge>(1, _omitFieldNames ? '' : 'challenge',
+        subBuilder: AuthChallenge.create)
+    ..aE<AuthResult>(2, _omitFieldNames ? '' : 'result',
+        enumValues: AuthResult.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  AuthChallenge get challenge => $_getN(0);
+  @$pb.TagNumber(1)
+  set challenge(AuthChallenge value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasChallenge() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearChallenge() => $_clearField(1);
+  @$pb.TagNumber(1)
+  AuthChallenge ensureChallenge() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  AuthResult get result => $_getN(1);
+  @$pb.TagNumber(2)
+  set result(AuthResult value) => $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasResult() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearResult() => $_clearField(2);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');

useragent/lib/proto/client/auth.pbenum.dart

@@ -0,0 +1,52 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+class AuthResult extends $pb.ProtobufEnum {
+  static const AuthResult AUTH_RESULT_UNSPECIFIED =
+      AuthResult._(0, _omitEnumNames ? '' : 'AUTH_RESULT_UNSPECIFIED');
+  static const AuthResult AUTH_RESULT_SUCCESS =
+      AuthResult._(1, _omitEnumNames ? '' : 'AUTH_RESULT_SUCCESS');
+  static const AuthResult AUTH_RESULT_INVALID_KEY =
+      AuthResult._(2, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_KEY');
+  static const AuthResult AUTH_RESULT_INVALID_SIGNATURE =
+      AuthResult._(3, _omitEnumNames ? '' : 'AUTH_RESULT_INVALID_SIGNATURE');
+  static const AuthResult AUTH_RESULT_APPROVAL_DENIED =
+      AuthResult._(4, _omitEnumNames ? '' : 'AUTH_RESULT_APPROVAL_DENIED');
+  static const AuthResult AUTH_RESULT_NO_USER_AGENTS_ONLINE = AuthResult._(
+      5, _omitEnumNames ? '' : 'AUTH_RESULT_NO_USER_AGENTS_ONLINE');
+  static const AuthResult AUTH_RESULT_INTERNAL =
+      AuthResult._(6, _omitEnumNames ? '' : 'AUTH_RESULT_INTERNAL');
+
+  static const $core.List<AuthResult> values = <AuthResult>[
+    AUTH_RESULT_UNSPECIFIED,
+    AUTH_RESULT_SUCCESS,
+    AUTH_RESULT_INVALID_KEY,
+    AUTH_RESULT_INVALID_SIGNATURE,
+    AUTH_RESULT_APPROVAL_DENIED,
+    AUTH_RESULT_NO_USER_AGENTS_ONLINE,
+    AUTH_RESULT_INTERNAL,
+  ];
+
+  static final $core.List<AuthResult?> _byValue =
+      $pb.ProtobufEnum.$_initByValueList(values, 6);
+  static AuthResult? valueOf($core.int value) =>
+      value < 0 || value >= _byValue.length ? null : _byValue[value];
+
+  const AuthResult._(super.value, super.name);
+}
+
+const $core.bool _omitEnumNames =
+    $core.bool.fromEnvironment('protobuf.omit_enum_names');

useragent/lib/proto/client/auth.pbjson.dart

@@ -0,0 +1,154 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/auth.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use authResultDescriptor instead')
+const AuthResult$json = {
+  '1': 'AuthResult',
+  '2': [
+    {'1': 'AUTH_RESULT_UNSPECIFIED', '2': 0},
+    {'1': 'AUTH_RESULT_SUCCESS', '2': 1},
+    {'1': 'AUTH_RESULT_INVALID_KEY', '2': 2},
+    {'1': 'AUTH_RESULT_INVALID_SIGNATURE', '2': 3},
+    {'1': 'AUTH_RESULT_APPROVAL_DENIED', '2': 4},
+    {'1': 'AUTH_RESULT_NO_USER_AGENTS_ONLINE', '2': 5},
+    {'1': 'AUTH_RESULT_INTERNAL', '2': 6},
+  ],
+};
+
+/// Descriptor for `AuthResult`. Decode as a `google.protobuf.EnumDescriptorProto`.
+final $typed_data.Uint8List authResultDescriptor = $convert.base64Decode(
+    'CgpBdXRoUmVzdWx0EhsKF0FVVEhfUkVTVUxUX1VOU1BFQ0lGSUVEEAASFwoTQVVUSF9SRVNVTF'
+    'RfU1VDQ0VTUxABEhsKF0FVVEhfUkVTVUxUX0lOVkFMSURfS0VZEAISIQodQVVUSF9SRVNVTFRf'
+    'SU5WQUxJRF9TSUdOQVRVUkUQAxIfChtBVVRIX1JFU1VMVF9BUFBST1ZBTF9ERU5JRUQQBBIlCi'
+    'FBVVRIX1JFU1VMVF9OT19VU0VSX0FHRU5UU19PTkxJTkUQBRIYChRBVVRIX1JFU1VMVF9JTlRF'
+    'Uk5BTBAG');
+
+@$core.Deprecated('Use authChallengeRequestDescriptor instead')
+const AuthChallengeRequest$json = {
+  '1': 'AuthChallengeRequest',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+    {
+      '1': 'client_info',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.shared.ClientInfo',
+      '10': 'clientInfo'
+    },
+  ],
+};
+
+/// Descriptor for `AuthChallengeRequest`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeRequestDescriptor = $convert.base64Decode(
+    'ChRBdXRoQ2hhbGxlbmdlUmVxdWVzdBIWCgZwdWJrZXkYASABKAxSBnB1YmtleRI7CgtjbGllbn'
+    'RfaW5mbxgCIAEoCzIaLmFyYml0ZXIuc2hhcmVkLkNsaWVudEluZm9SCmNsaWVudEluZm8=');
+
+@$core.Deprecated('Use authChallengeDescriptor instead')
+const AuthChallenge$json = {
+  '1': 'AuthChallenge',
+  '2': [
+    {'1': 'pubkey', '3': 1, '4': 1, '5': 12, '10': 'pubkey'},
+    {'1': 'nonce', '3': 2, '4': 1, '5': 5, '10': 'nonce'},
+  ],
+};
+
+/// Descriptor for `AuthChallenge`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeDescriptor = $convert.base64Decode(
+    'Cg1BdXRoQ2hhbGxlbmdlEhYKBnB1YmtleRgBIAEoDFIGcHVia2V5EhQKBW5vbmNlGAIgASgFUg'
+    'Vub25jZQ==');
+
+@$core.Deprecated('Use authChallengeSolutionDescriptor instead')
+const AuthChallengeSolution$json = {
+  '1': 'AuthChallengeSolution',
+  '2': [
+    {'1': 'signature', '3': 1, '4': 1, '5': 12, '10': 'signature'},
+  ],
+};
+
+/// Descriptor for `AuthChallengeSolution`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List authChallengeSolutionDescriptor = $convert.base64Decode(
+    'ChVBdXRoQ2hhbGxlbmdlU29sdXRpb24SHAoJc2lnbmF0dXJlGAEgASgMUglzaWduYXR1cmU=');
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'challenge_request',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallengeRequest',
+      '9': 0,
+      '10': 'challengeRequest'
+    },
+    {
+      '1': 'challenge_solution',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallengeSolution',
+      '9': 0,
+      '10': 'challengeSolution'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0ElgKEWNoYWxsZW5nZV9yZXF1ZXN0GAEgASgLMikuYXJiaXRlci5jbGllbnQuYX'
+    'V0aC5BdXRoQ2hhbGxlbmdlUmVxdWVzdEgAUhBjaGFsbGVuZ2VSZXF1ZXN0ElsKEmNoYWxsZW5n'
+    'ZV9zb2x1dGlvbhgCIAEoCzIqLmFyYml0ZXIuY2xpZW50LmF1dGguQXV0aENoYWxsZW5nZVNvbH'
+    'V0aW9uSABSEWNoYWxsZW5nZVNvbHV0aW9uQgkKB3BheWxvYWQ=');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'challenge',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.client.auth.AuthChallenge',
+      '9': 0,
+      '10': 'challenge'
+    },
+    {
+      '1': 'result',
+      '3': 2,
+      '4': 1,
+      '5': 14,
+      '6': '.arbiter.client.auth.AuthResult',
+      '9': 0,
+      '10': 'result'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJCCgljaGFsbGVuZ2UYASABKAsyIi5hcmJpdGVyLmNsaWVudC5hdXRoLkF1dG'
+    'hDaGFsbGVuZ2VIAFIJY2hhbGxlbmdlEjkKBnJlc3VsdBgCIAEoDjIfLmFyYml0ZXIuY2xpZW50'
+    'LmF1dGguQXV0aFJlc3VsdEgAUgZyZXN1bHRCCQoHcGF5bG9hZA==');

useragent/lib/proto/client/evm.pb.dart

@@ -0,0 +1,208 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+
+import '../evm.pb.dart' as $0;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+enum Request_Payload { signTransaction, analyzeTransaction, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    $0.EvmSignTransactionRequest? signTransaction,
+    $0.EvmAnalyzeTransactionRequest? analyzeTransaction,
+  }) {
+    final result = create();
+    if (signTransaction != null) result.signTransaction = signTransaction;
+    if (analyzeTransaction != null)
+      result.analyzeTransaction = analyzeTransaction;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.signTransaction,
+    2: Request_Payload.analyzeTransaction,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<$0.EvmSignTransactionRequest>(
+        1, _omitFieldNames ? '' : 'signTransaction',
+        subBuilder: $0.EvmSignTransactionRequest.create)
+    ..aOM<$0.EvmAnalyzeTransactionRequest>(
+        2, _omitFieldNames ? '' : 'analyzeTransaction',
+        subBuilder: $0.EvmAnalyzeTransactionRequest.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionRequest get signTransaction => $_getN(0);
+  @$pb.TagNumber(1)
+  set signTransaction($0.EvmSignTransactionRequest value) =>
+      $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignTransaction() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignTransaction() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionRequest ensureSignTransaction() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionRequest get analyzeTransaction => $_getN(1);
+  @$pb.TagNumber(2)
+  set analyzeTransaction($0.EvmAnalyzeTransactionRequest value) =>
+      $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAnalyzeTransaction() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAnalyzeTransaction() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionRequest ensureAnalyzeTransaction() => $_ensure(1);
+}
+
+enum Response_Payload { signTransaction, analyzeTransaction, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    $0.EvmSignTransactionResponse? signTransaction,
+    $0.EvmAnalyzeTransactionResponse? analyzeTransaction,
+  }) {
+    final result = create();
+    if (signTransaction != null) result.signTransaction = signTransaction;
+    if (analyzeTransaction != null)
+      result.analyzeTransaction = analyzeTransaction;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.signTransaction,
+    2: Response_Payload.analyzeTransaction,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package:
+          const $pb.PackageName(_omitMessageNames ? '' : 'arbiter.client.evm'),
+      createEmptyInstance: create)
+    ..oo(0, [1, 2])
+    ..aOM<$0.EvmSignTransactionResponse>(
+        1, _omitFieldNames ? '' : 'signTransaction',
+        subBuilder: $0.EvmSignTransactionResponse.create)
+    ..aOM<$0.EvmAnalyzeTransactionResponse>(
+        2, _omitFieldNames ? '' : 'analyzeTransaction',
+        subBuilder: $0.EvmAnalyzeTransactionResponse.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  @$pb.TagNumber(2)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionResponse get signTransaction => $_getN(0);
+  @$pb.TagNumber(1)
+  set signTransaction($0.EvmSignTransactionResponse value) =>
+      $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasSignTransaction() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearSignTransaction() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.EvmSignTransactionResponse ensureSignTransaction() => $_ensure(0);
+
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionResponse get analyzeTransaction => $_getN(1);
+  @$pb.TagNumber(2)
+  set analyzeTransaction($0.EvmAnalyzeTransactionResponse value) =>
+      $_setField(2, value);
+  @$pb.TagNumber(2)
+  $core.bool hasAnalyzeTransaction() => $_has(1);
+  @$pb.TagNumber(2)
+  void clearAnalyzeTransaction() => $_clearField(2);
+  @$pb.TagNumber(2)
+  $0.EvmAnalyzeTransactionResponse ensureAnalyzeTransaction() => $_ensure(1);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');

useragent/lib/proto/client/evm.pbenum.dart

@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports

useragent/lib/proto/client/evm.pbjson.dart

@@ -0,0 +1,86 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/evm.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+// ignore_for_file: unused_import
+
+import 'dart:convert' as $convert;
+import 'dart:core' as $core;
+import 'dart:typed_data' as $typed_data;
+
+@$core.Deprecated('Use requestDescriptor instead')
+const Request$json = {
+  '1': 'Request',
+  '2': [
+    {
+      '1': 'sign_transaction',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmSignTransactionRequest',
+      '9': 0,
+      '10': 'signTransaction'
+    },
+    {
+      '1': 'analyze_transaction',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmAnalyzeTransactionRequest',
+      '9': 0,
+      '10': 'analyzeTransaction'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Request`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List requestDescriptor = $convert.base64Decode(
+    'CgdSZXF1ZXN0ElMKEHNpZ25fdHJhbnNhY3Rpb24YASABKAsyJi5hcmJpdGVyLmV2bS5Fdm1TaW'
+    'duVHJhbnNhY3Rpb25SZXF1ZXN0SABSD3NpZ25UcmFuc2FjdGlvbhJcChNhbmFseXplX3RyYW5z'
+    'YWN0aW9uGAIgASgLMikuYXJiaXRlci5ldm0uRXZtQW5hbHl6ZVRyYW5zYWN0aW9uUmVxdWVzdE'
+    'gAUhJhbmFseXplVHJhbnNhY3Rpb25CCQoHcGF5bG9hZA==');
+
+@$core.Deprecated('Use responseDescriptor instead')
+const Response$json = {
+  '1': 'Response',
+  '2': [
+    {
+      '1': 'sign_transaction',
+      '3': 1,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmSignTransactionResponse',
+      '9': 0,
+      '10': 'signTransaction'
+    },
+    {
+      '1': 'analyze_transaction',
+      '3': 2,
+      '4': 1,
+      '5': 11,
+      '6': '.arbiter.evm.EvmAnalyzeTransactionResponse',
+      '9': 0,
+      '10': 'analyzeTransaction'
+    },
+  ],
+  '8': [
+    {'1': 'payload'},
+  ],
+};
+
+/// Descriptor for `Response`. Decode as a `google.protobuf.DescriptorProto`.
+final $typed_data.Uint8List responseDescriptor = $convert.base64Decode(
+    'CghSZXNwb25zZRJUChBzaWduX3RyYW5zYWN0aW9uGAEgASgLMicuYXJiaXRlci5ldm0uRXZtU2'
+    'lnblRyYW5zYWN0aW9uUmVzcG9uc2VIAFIPc2lnblRyYW5zYWN0aW9uEl0KE2FuYWx5emVfdHJh'
+    'bnNhY3Rpb24YAiABKAsyKi5hcmJpdGVyLmV2bS5Fdm1BbmFseXplVHJhbnNhY3Rpb25SZXNwb2'
+    '5zZUgAUhJhbmFseXplVHJhbnNhY3Rpb25CCQoHcGF5bG9hZA==');

useragent/lib/proto/client/vault.pb.dart

@@ -0,0 +1,161 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports
+
+import 'dart:core' as $core;
+
+import 'package:protobuf/protobuf.dart' as $pb;
+import 'package:protobuf/well_known_types/google/protobuf/empty.pb.dart' as $0;
+
+import '../shared/vault.pbenum.dart' as $1;
+
+export 'package:protobuf/protobuf.dart' show GeneratedMessageGenericExtensions;
+
+enum Request_Payload { queryState, notSet }
+
+class Request extends $pb.GeneratedMessage {
+  factory Request({
+    $0.Empty? queryState,
+  }) {
+    final result = create();
+    if (queryState != null) result.queryState = queryState;
+    return result;
+  }
+
+  Request._();
+
+  factory Request.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Request.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Request_Payload> _Request_PayloadByTag = {
+    1: Request_Payload.queryState,
+    0: Request_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Request',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.client.vault'),
+      createEmptyInstance: create)
+    ..oo(0, [1])
+    ..aOM<$0.Empty>(1, _omitFieldNames ? '' : 'queryState',
+        subBuilder: $0.Empty.create)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Request copyWith(void Function(Request) updates) =>
+      super.copyWith((message) => updates(message as Request)) as Request;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Request create() => Request._();
+  @$core.override
+  Request createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Request getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Request>(create);
+  static Request? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  Request_Payload whichPayload() => _Request_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $0.Empty get queryState => $_getN(0);
+  @$pb.TagNumber(1)
+  set queryState($0.Empty value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasQueryState() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearQueryState() => $_clearField(1);
+  @$pb.TagNumber(1)
+  $0.Empty ensureQueryState() => $_ensure(0);
+}
+
+enum Response_Payload { state, notSet }
+
+class Response extends $pb.GeneratedMessage {
+  factory Response({
+    $1.VaultState? state,
+  }) {
+    final result = create();
+    if (state != null) result.state = state;
+    return result;
+  }
+
+  Response._();
+
+  factory Response.fromBuffer($core.List<$core.int> data,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromBuffer(data, registry);
+  factory Response.fromJson($core.String json,
+          [$pb.ExtensionRegistry registry = $pb.ExtensionRegistry.EMPTY]) =>
+      create()..mergeFromJson(json, registry);
+
+  static const $core.Map<$core.int, Response_Payload> _Response_PayloadByTag = {
+    1: Response_Payload.state,
+    0: Response_Payload.notSet
+  };
+  static final $pb.BuilderInfo _i = $pb.BuilderInfo(
+      _omitMessageNames ? '' : 'Response',
+      package: const $pb.PackageName(
+          _omitMessageNames ? '' : 'arbiter.client.vault'),
+      createEmptyInstance: create)
+    ..oo(0, [1])
+    ..aE<$1.VaultState>(1, _omitFieldNames ? '' : 'state',
+        enumValues: $1.VaultState.values)
+    ..hasRequiredFields = false;
+
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response clone() => deepCopy();
+  @$core.Deprecated('See https://github.com/google/protobuf.dart/issues/998.')
+  Response copyWith(void Function(Response) updates) =>
+      super.copyWith((message) => updates(message as Response)) as Response;
+
+  @$core.override
+  $pb.BuilderInfo get info_ => _i;
+
+  @$core.pragma('dart2js:noInline')
+  static Response create() => Response._();
+  @$core.override
+  Response createEmptyInstance() => create();
+  @$core.pragma('dart2js:noInline')
+  static Response getDefault() =>
+      _defaultInstance ??= $pb.GeneratedMessage.$_defaultFor<Response>(create);
+  static Response? _defaultInstance;
+
+  @$pb.TagNumber(1)
+  Response_Payload whichPayload() => _Response_PayloadByTag[$_whichOneof(0)]!;
+  @$pb.TagNumber(1)
+  void clearPayload() => $_clearField($_whichOneof(0));
+
+  @$pb.TagNumber(1)
+  $1.VaultState get state => $_getN(0);
+  @$pb.TagNumber(1)
+  set state($1.VaultState value) => $_setField(1, value);
+  @$pb.TagNumber(1)
+  $core.bool hasState() => $_has(0);
+  @$pb.TagNumber(1)
+  void clearState() => $_clearField(1);
+}
+
+const $core.bool _omitFieldNames =
+    $core.bool.fromEnvironment('protobuf.omit_field_names');
+const $core.bool _omitMessageNames =
+    $core.bool.fromEnvironment('protobuf.omit_message_names');

useragent/lib/proto/client/vault.pbenum.dart

@@ -0,0 +1,11 @@
+// This is a generated file - do not edit.
+//
+// Generated from client/vault.proto.
+
+// @dart = 3.3
+
+// ignore_for_file: annotate_overrides, camel_case_types, comment_references
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: curly_braces_in_flow_control_structures
+// ignore_for_file: deprecated_member_use_from_same_package, library_prefixes
+// ignore_for_file: non_constant_identifier_names, prefer_relative_imports