Merge pull request 'feat(evm): implement EVM sign transaction handling in client and user agent' (#38) from feat--self-signed-transactions into main

Reviewed-on: #38
Reviewed-by: Stas <business@jexter.tech>

protobufs/client.proto

@@ -49,6 +49,7 @@ message ClientRequest {
     AuthChallengeRequest auth_challenge_request = 1;
     AuthChallengeSolution auth_challenge_solution = 2;
     google.protobuf.Empty query_vault_state = 3;
+    arbiter.evm.EvmSignTransactionRequest evm_sign_transaction = 5;
   }
 }
 

protobufs/user_agent.proto

@@ -154,6 +154,11 @@ message ListWalletAccessResponse {
   repeated SdkClientWalletAccess accesses = 1;
 }
 
+message UserAgentEvmSignTransactionRequest {
+  int32 client_id = 1;
+  arbiter.evm.EvmSignTransactionRequest request = 2;
+}
+
 message UserAgentRequest {
   int32 id = 16;
   oneof payload {
@@ -174,6 +179,7 @@ message UserAgentRequest {
     SdkClientGrantWalletAccess grant_wallet_access = 15;
     SdkClientRevokeWalletAccess revoke_wallet_access = 17;
     google.protobuf.Empty list_wallet_access = 18;
+    UserAgentEvmSignTransactionRequest evm_sign_transaction = 19;
   }
 }
 message UserAgentResponse {
@@ -195,5 +201,6 @@ message UserAgentResponse {
     SdkClientListResponse sdk_client_list_response = 14;
     BootstrapResult bootstrap_result = 15;
     ListWalletAccessResponse list_wallet_access_response = 17;
+    arbiter.evm.EvmSignTransactionResponse evm_sign_transaction = 18;
   }
 }

server/Cargo.lock

@@ -669,56 +669,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "anstream"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
-dependencies = [
- "anstyle",
- "anstyle-parse",
- "anstyle-query",
- "anstyle-wincon",
- "colorchoice",
- "is_terminal_polyfill",
- "utf8parse",
-]
-
-[[package]]
-name = "anstyle"
-version = "1.0.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
-
-[[package]]
-name = "anstyle-parse"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e"
-dependencies = [
- "utf8parse",
-]
-
-[[package]]
-name = "anstyle-query"
-version = "1.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
-dependencies = [
- "windows-sys 0.61.2",
-]
-
-[[package]]
-name = "anstyle-wincon"
-version = "3.0.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
-dependencies = [
- "anstyle",
- "once_cell_polyfill",
- "windows-sys 0.61.2",
-]
-
 [[package]]
 name = "anyhow"
 version = "1.0.102"
@@ -780,7 +730,6 @@ dependencies = [
  "async-trait",
  "chacha20poly1305",
  "chrono",
- "clap",
  "dashmap",
  "diesel",
  "diesel-async",
@@ -812,7 +761,6 @@ dependencies = [
  "tonic",
  "tracing",
  "tracing-subscriber",
- "windows-service",
  "x25519-dalek",
  "zeroize",
 ]
@@ -1485,46 +1433,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "clap"
-version = "4.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b193af5b67834b676abd72466a96c1024e6a6ad978a1f484bd90b85c94041351"
-dependencies = [
- "clap_builder",
- "clap_derive",
-]
-
-[[package]]
-name = "clap_builder"
-version = "4.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
-dependencies = [
- "anstream",
- "anstyle",
- "clap_lex",
- "strsim",
-]
-
-[[package]]
-name = "clap_derive"
-version = "4.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1110bd8a634a1ab8cb04345d8d878267d57c3cf1b38d91b71af6686408bbca6a"
-dependencies = [
- "heck",
- "proc-macro2",
- "quote",
- "syn 2.0.117",
-]
-
-[[package]]
-name = "clap_lex"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
-
 [[package]]
 name = "cmake"
 version = "0.1.57"
@@ -1534,12 +1442,6 @@ dependencies = [
  "cc",
 ]
 
-[[package]]
-name = "colorchoice"
-version = "1.0.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
-
 [[package]]
 name = "console"
 version = "0.15.11"
@@ -2149,7 +2051,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -2951,12 +2853,6 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7655c9839580ee829dfacba1d1278c2b7883e50a277ff7541299489d6bdfdc45"
 
-[[package]]
-name = "is_terminal_polyfill"
-version = "1.70.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
-
 [[package]]
 name = "itertools"
 version = "0.10.5"
@@ -3290,7 +3186,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -3424,12 +3320,6 @@ version = "1.21.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
 
-[[package]]
-name = "once_cell_polyfill"
-version = "1.70.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
-
 [[package]]
 name = "opaque-debug"
 version = "0.3.1"
@@ -4395,7 +4285,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -4811,7 +4701,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
 dependencies = [
  "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -5005,7 +4895,7 @@ dependencies = [
  "getrandom 0.4.2",
  "once_cell",
  "rustix",
- "windows-sys 0.61.2",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -5579,12 +5469,6 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
-[[package]]
-name = "utf8parse"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
-
 [[package]]
 name = "uuid"
 version = "1.22.0"
@@ -5791,12 +5675,6 @@ dependencies = [
  "rustls-pki-types",
 ]
 
-[[package]]
-name = "widestring"
-version = "1.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72069c3113ab32ab29e5584db3c6ec55d416895e60715417b5b883a357c3e471"
-
 [[package]]
 name = "winapi"
 version = "0.3.9"
@@ -5869,17 +5747,6 @@ dependencies = [
  "windows-link",
 ]
 
-[[package]]
-name = "windows-service"
-version = "0.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "193cae8e647981c35bc947fdd57ba7928b1fa0d4a79305f6dd2dc55221ac35ac"
-dependencies = [
- "bitflags",
- "widestring",
- "windows-sys 0.59.0",
-]
-
 [[package]]
 name = "windows-strings"
 version = "0.5.1"

server/crates/arbiter-client/src/transport.rs

@@ -1,6 +1,4 @@
-use arbiter_proto::proto::{
+use arbiter_proto::proto::client::{ClientRequest, ClientResponse};
-    client::{ClientRequest, ClientResponse},
-};
 use std::sync::atomic::{AtomicI32, Ordering};
 use tokio::sync::mpsc;
 
@@ -36,9 +34,7 @@ impl ClientTransport {
             .map_err(|_| ClientSignError::ChannelClosed)
     }
 
-    pub(crate) async fn recv(
+    pub(crate) async fn recv(&mut self) -> std::result::Result<ClientResponse, ClientSignError> {
-        &mut self,
-    ) -> std::result::Result<ClientResponse, ClientSignError> {
         match self.receiver.message().await {
             Ok(Some(resp)) => Ok(resp),
             Ok(None) => Err(ClientSignError::ConnectionClosed),

server/crates/arbiter-client/src/wallets/evm.rs

@@ -8,7 +8,15 @@ use async_trait::async_trait;
 use std::sync::Arc;
 use tokio::sync::Mutex;
 
-use crate::transport::ClientTransport;
+use arbiter_proto::proto::{
+    client::{
+        ClientRequest, client_request::Payload as ClientRequestPayload,
+        client_response::Payload as ClientResponsePayload,
+    },
+    evm::evm_sign_transaction_response::Result as EvmSignTransactionResult,
+};
+
+use crate::transport::{ClientTransport, next_request_id};
 
 pub struct ArbiterEvmWallet {
     transport: Arc<Mutex<ClientTransport>>,
@@ -79,11 +87,61 @@ impl TxSigner<Signature> for ArbiterEvmWallet {
         &self,
         tx: &mut dyn SignableTransaction<Signature>,
     ) -> Result<Signature> {
-        let _transport = self.transport.lock().await;
         self.validate_chain_id(tx)?;
 
-        Err(Error::other(
+        let mut transport = self.transport.lock().await;
-            "transaction signing is not supported by current arbiter.client protocol",
+        let request_id = next_request_id();
-        ))
+        let rlp_transaction = tx.encoded_for_signing();
+
+        transport
+            .send(ClientRequest {
+                request_id,
+                payload: Some(ClientRequestPayload::EvmSignTransaction(
+                    arbiter_proto::proto::evm::EvmSignTransactionRequest {
+                        wallet_address: self.address.to_vec(),
+                        rlp_transaction,
+                    },
+                )),
+            })
+            .await
+            .map_err(|_| Error::other("failed to send evm sign transaction request"))?;
+
+        let response = transport
+            .recv()
+            .await
+            .map_err(|_| Error::other("failed to receive evm sign transaction response"))?;
+
+        if response.request_id != Some(request_id) {
+            return Err(Error::other(
+                "received mismatched response id for evm sign transaction",
+            ));
+        }
+
+        let payload = response
+            .payload
+            .ok_or_else(|| Error::other("missing evm sign transaction response payload"))?;
+
+        let ClientResponsePayload::EvmSignTransaction(response) = payload else {
+            return Err(Error::other(
+                "unexpected response payload for evm sign transaction request",
+            ));
+        };
+
+        let result = response
+            .result
+            .ok_or_else(|| Error::other("missing evm sign transaction result"))?;
+
+        match result {
+            EvmSignTransactionResult::Signature(signature) => {
+                Signature::try_from(signature.as_slice())
+                    .map_err(|_| Error::other("invalid signature returned by server"))
+            }
+            EvmSignTransactionResult::EvalError(eval_error) => Err(Error::other(format!(
+                "transaction rejected by policy: {eval_error:?}"
+            ))),
+            EvmSignTransactionResult::Error(code) => Err(Error::other(format!(
+                "server failed to sign transaction with error code {code}"
+            ))),
+        }
     }
 }

server/crates/arbiter-proto/src/lib.rs

@@ -2,10 +2,6 @@ pub mod transport;
 pub mod url;
 
 use base64::{Engine, prelude::BASE64_STANDARD};
-use std::{
-    path::PathBuf,
-    sync::{LazyLock, RwLock},
-};
 
 pub mod proto {
     tonic::include_proto!("arbiter");
@@ -31,27 +27,8 @@ pub struct ClientMetadata {
 }
 
 pub static BOOTSTRAP_PATH: &str = "bootstrap_token";
-pub const DEFAULT_SERVER_PORT: u16 = 50051;
-static HOME_OVERRIDE: LazyLock<RwLock<Option<PathBuf>>> = LazyLock::new(|| RwLock::new(None));
-
-pub fn set_home_path_override(path: Option<PathBuf>) -> Result<(), std::io::Error> {
-    let mut lock = HOME_OVERRIDE
-        .write()
-        .map_err(|_| std::io::Error::other("home path override lock poisoned"))?;
-    *lock = path;
-    Ok(())
-}
 
 pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
-    if let Some(path) = HOME_OVERRIDE
-        .read()
-        .map_err(|_| std::io::Error::other("home path override lock poisoned"))?
-        .clone()
-    {
-        std::fs::create_dir_all(&path)?;
-        return Ok(path);
-    }
-
     static ARBITER_HOME: &str = ".arbiter";
     let home_dir = std::env::home_dir().ok_or(std::io::Error::new(
         std::io::ErrorKind::PermissionDenied,

server/crates/arbiter-server/Cargo.toml

@@ -53,11 +53,7 @@ spki.workspace = true
 alloy.workspace = true
 prost-types.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
-clap = { version = "4.6", features = ["derive"] }
 
 [dev-dependencies]
 insta = "1.46.3"
 test-log = { version = "0.2", default-features = false, features = ["trace"] }
-
-[target.'cfg(windows)'.dependencies]
-windows-service = "0.8"

server/crates/arbiter-server/src/actors/client/auth.rs

@@ -1,5 +1,6 @@
 use arbiter_proto::{
-    ClientMetadata, format_challenge, transport::{Bi, expect_message}
+    ClientMetadata, format_challenge,
+    transport::{Bi, expect_message},
 };
 use chrono::Utc;
 use diesel::{
@@ -83,7 +84,6 @@ async fn get_client_and_nonce(
     })?;
 
     conn.exclusive_transaction(|conn| {
-        let pubkey_bytes = pubkey_bytes.clone();
         Box::pin(async move {
             let Some((client_id, current_nonce)) = program_client::table
                 .filter(program_client::public_key.eq(&pubkey_bytes))
@@ -290,7 +290,7 @@ where
 pub async fn authenticate<T>(
     props: &mut ClientConnection,
     transport: &mut T,
-) -> Result<VerifyingKey, Error>
+) -> Result<i32, Error>
 where
     T: Bi<Inbound, Result<Outbound, Error>> + Send + ?Sized,
 {
@@ -318,7 +318,6 @@ where
     };
 
     sync_client_metadata(&props.db, info.id, &metadata).await?;
-
     challenge_client(transport, pubkey, info.current_nonce).await?;
     
     transport
@@ -329,5 +328,5 @@ where
             Error::Transport
         })?;
 
-    Ok(pubkey)
+    Ok(info.id)
 }

server/crates/arbiter-server/src/actors/client/mod.rs

@@ -3,7 +3,7 @@ use kameo::actor::Spawn;
 use tracing::{error, info};
 
 use crate::{
-    actors::{GlobalActors, client::{ session::ClientSession}},
+    actors::{GlobalActors, client::session::ClientSession},
     db,
 };
 
@@ -20,7 +20,10 @@ pub struct ClientConnection {
 
 impl ClientConnection {
     pub fn new(db: db::DatabasePool, actors: GlobalActors) -> Self {
-        Self { db, actors }
+        Self {
+            db,
+            actors,
+        }
     }
 }
 
@@ -32,8 +35,8 @@ where
     T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send + ?Sized,
 {
     match auth::authenticate(&mut props, transport).await {
-        Ok(_pubkey) => {
+        Ok(client_id) => {
-            ClientSession::spawn(ClientSession::new(props));
+            ClientSession::spawn(ClientSession::new(props, client_id));
             info!("Client authenticated, session started");
         }
         Err(err) => {

server/crates/arbiter-server/src/actors/client/session.rs

@@ -1,21 +1,30 @@
+use ed25519_dalek::VerifyingKey;
 use kameo::{Actor, messages};
 use tracing::error;
 
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
+
 use crate::{
     actors::{
-        GlobalActors, client::ClientConnection, flow_coordinator::RegisterClient,
+        GlobalActors,
+        client::ClientConnection, flow_coordinator::RegisterClient,
+       
+        evm::{ClientSignTransaction, SignTransactionError},
         keyholder::KeyHolderState,
+       
     },
     db,
+    evm::VetError,
 };
 
 pub struct ClientSession {
     props: ClientConnection,
+    client_id: i32,
 }
 
 impl ClientSession {
-    pub(crate) fn new(props: ClientConnection) -> Self {
+    pub(crate) fn new(props: ClientConnection, client_id: i32) -> Self {
-        Self { props }
+        Self { props, client_id }
     }
 }
 
@@ -35,6 +44,34 @@ impl ClientSession {
 
         Ok(vault_state)
     }
+
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionRpcError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id: self.client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(kameo::error::SendError::HandlerError(SignTransactionError::Vet(vet_error))) => {
+                Err(SignTransactionRpcError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "Failed to sign EVM transaction in client session");
+                Err(SignTransactionRpcError::Internal)
+            }
+        }
+    }
 }
 
 impl Actor for ClientSession {
@@ -59,7 +96,7 @@ impl Actor for ClientSession {
 impl ClientSession {
     pub fn new_test(db: db::DatabasePool, actors: GlobalActors) -> Self {
         let props = ClientConnection::new(db, actors);
-        Self { props }
+        Self { props, client_id: 0 }
     }
 }
 
@@ -70,3 +107,12 @@ pub enum Error {
     #[error("Internal error")]
     Internal,
 }
+
+#[derive(Debug, thiserror::Error)]
+pub enum SignTransactionRpcError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] VetError),
+
+    #[error("Internal error")]
+    Internal,
+}

server/crates/arbiter-server/src/actors/keyholder/mod.rs

@@ -214,7 +214,6 @@ impl KeyHolder {
             let mut conn = self.db.get().await?;
             schema::root_key_history::table
                 .filter(schema::root_key_history::id.eq(*root_key_history_id))
-                .select(schema::root_key_history::data_encryption_nonce)
                 .select(RootKeyHistory::as_select())
                 .first(&mut conn)
                 .await?

server/crates/arbiter-server/src/actors/user_agent/auth/state.rs

@@ -210,12 +210,15 @@ where
             }
         };
 
-        if valid {
+        if !valid {
+            error!("Invalid challenge solution signature");
+            return Err(Error::InvalidChallengeSolution);
+        }
+
         self.transport
             .send(Ok(Outbound::AuthSuccess))
             .await
             .map_err(|_| Error::Transport)?;
-        }
 
         Ok(key.clone())
     }

server/crates/arbiter-server/src/actors/user_agent/session/connection.rs

@@ -1,6 +1,6 @@
 use std::sync::Mutex;
 
-use alloy::primitives::Address;
+use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
 use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
 use diesel::sql_types::ops::Add;
 use diesel::{BoolExpressionMethods as _, ExpressionMethods as _, QueryDsl as _, SelectableHelper};
@@ -23,7 +23,8 @@ use crate::safe_cell::SafeCell;
 use crate::{
     actors::{
         evm::{
-            Generate, ListWallets, UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
+            ClientSignTransaction, Generate, ListWallets, SignTransactionError as EvmSignError,
+            UseragentCreateGrant, UseragentDeleteGrant, UseragentListGrants,
         },
         keyholder::{self, Bootstrap, TryUnseal},
         user_agent::session::{
@@ -112,6 +113,15 @@ pub enum BootstrapError {
     General(#[from] super::Error),
 }
 
+#[derive(Debug, Error)]
+pub enum SignTransactionError {
+    #[error("Policy evaluation failed")]
+    Vet(#[from] crate::evm::VetError),
+
+    #[error("Internal signing error")]
+    Internal,
+}
+
 #[messages]
 impl UserAgentSession {
     #[message]
@@ -356,6 +366,35 @@ impl UserAgentSession {
         }
     }
 
+    #[message]
+    pub(crate) async fn handle_sign_transaction(
+        &mut self,
+        client_id: i32,
+        wallet_address: Address,
+        transaction: TxEip1559,
+    ) -> Result<Signature, SignTransactionError> {
+        match self
+            .props
+            .actors
+            .evm
+            .ask(ClientSignTransaction {
+                client_id,
+                wallet_address,
+                transaction,
+            })
+            .await
+        {
+            Ok(signature) => Ok(signature),
+            Err(SendError::HandlerError(EvmSignError::Vet(vet_error))) => {
+                Err(SignTransactionError::Vet(vet_error))
+            }
+            Err(err) => {
+                error!(?err, "EVM sign transaction failed in user-agent session");
+                Err(SignTransactionError::Internal)
+            }
+        }
+    }
+
     #[message]
     pub(crate) async fn handle_grant_evm_wallet_access(
         &mut self,

server/crates/arbiter-server/src/cli.rs

@@ -1,72 +0,0 @@
-use std::{
-    net::{Ipv4Addr, SocketAddr, SocketAddrV4},
-    path::PathBuf,
-};
-
-use clap::{Args, Parser, Subcommand};
-
-const DEFAULT_LISTEN_ADDR: SocketAddr = SocketAddr::V4(SocketAddrV4::new(
-    Ipv4Addr::LOCALHOST,
-    arbiter_proto::DEFAULT_SERVER_PORT,
-));
-
-#[derive(Debug, Parser)]
-#[command(name = "arbiter-server")]
-#[command(about = "Arbiter gRPC server")]
-pub struct Cli {
-    #[command(subcommand)]
-    pub command: Option<Command>,
-}
-
-#[derive(Debug, Subcommand)]
-pub enum Command {
-    /// Run server in foreground mode.
-    Run(RunArgs),
-    /// Manage service lifecycle.
-    Service {
-        #[command(subcommand)]
-        command: ServiceCommand,
-    },
-}
-
-#[derive(Debug, Clone, Args)]
-pub struct RunArgs {
-    #[arg(long, default_value_t = DEFAULT_LISTEN_ADDR)]
-    pub listen_addr: SocketAddr,
-    #[arg(long)]
-    pub data_dir: Option<PathBuf>,
-}
-
-impl Default for RunArgs {
-    fn default() -> Self {
-        Self {
-            listen_addr: DEFAULT_LISTEN_ADDR,
-            data_dir: None,
-        }
-    }
-}
-
-#[derive(Debug, Subcommand)]
-pub enum ServiceCommand {
-    /// Install Windows service in Service Control Manager.
-    Install(ServiceInstallArgs),
-    /// Internal service entrypoint. SCM only.
-    #[command(hide = true)]
-    Run(ServiceRunArgs),
-}
-
-#[derive(Debug, Clone, Args)]
-pub struct ServiceInstallArgs {
-    #[arg(long)]
-    pub start: bool,
-    #[arg(long)]
-    pub data_dir: Option<PathBuf>,
-}
-
-#[derive(Debug, Clone, Args)]
-pub struct ServiceRunArgs {
-    #[arg(long, default_value_t = DEFAULT_LISTEN_ADDR)]
-    pub listen_addr: SocketAddr,
-    #[arg(long)]
-    pub data_dir: Option<PathBuf>,
-}

server/crates/arbiter-server/src/evm/mod.rs

@@ -32,7 +32,7 @@ mod utils;
 #[derive(Debug, thiserror::Error, miette::Diagnostic)]
 pub enum PolicyError {
     #[error("Database error")]
-    Error(#[from] crate::db::DatabaseError),
+    Database(#[from] crate::db::DatabaseError),
     #[error("Transaction violates policy: {0:?}")]
     #[diagnostic(code(arbiter_server::evm::policy_error::violation))]
     Violations(Vec<EvalViolation>),

server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs

@@ -36,8 +36,8 @@ use super::{DatabaseID, EvalContext, EvalViolation};
 // Plain ether transfer
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
-    to: Address,
+    pub(crate) to: Address,
-    value: U256,
+    pub(crate) value: U256,
 }
 impl Display for Meaning {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -91,6 +91,7 @@ async fn query_relevant_past_transaction(
 
 async fn check_rate_limits(
     grant: &Grant<Settings>,
+    current_transfer_value: U256,
     db: &mut impl AsyncConnection<Backend = Sqlite>,
 ) -> QueryResult<Vec<EvalViolation>> {
     let mut violations = Vec::new();
@@ -99,12 +100,12 @@ async fn check_rate_limits(
     let past_transaction = query_relevant_past_transaction(grant.id, window, db).await?;
 
     let window_start = chrono::Utc::now() - grant.settings.limit.window;
-    let cumulative_volume: U256 = past_transaction
+    let prospective_cumulative_volume: U256 = past_transaction
         .iter()
         .filter(|(_, timestamp)| timestamp >= &window_start)
-        .fold(U256::default(), |acc, (value, _)| acc + *value);
+        .fold(current_transfer_value, |acc, (value, _)| acc + *value);
 
-    if cumulative_volume > grant.settings.limit.max_volume {
+    if prospective_cumulative_volume > grant.settings.limit.max_volume {
         violations.push(EvalViolation::VolumetricLimitExceeded);
     }
 
@@ -141,7 +142,7 @@ impl Policy for EtherTransfer {
             violations.push(EvalViolation::InvalidTarget { target: meaning.to });
         }
 
-        let rate_violations = check_rate_limits(grant, db).await?;
+        let rate_violations = check_rate_limits(grant, meaning.value, db).await?;
         violations.extend(rate_violations);
 
         Ok(violations)

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -198,7 +198,7 @@ async fn evaluate_rejects_volume_over_limit() {
             grant_id,
             wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
-            eth_value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
         })
         .execute(&mut *conn)
@@ -211,7 +211,7 @@ async fn evaluate_rejects_volume_over_limit() {
         shared: shared(),
         settings,
     };
-    let context = ctx(ALLOWED, U256::from(100u64));
+    let context = ctx(ALLOWED, U256::from(1u64));
     let m = EtherTransfer::analyze(&context).unwrap();
     let v = EtherTransfer::evaluate(&context, &m, &grant, &mut *conn)
         .await
@@ -233,13 +233,13 @@ async fn evaluate_passes_at_exactly_volume_limit() {
         .await
         .unwrap();
 
-    // Exactly at the limit — the check is `>`, so this should not violate
+    // Exactly at the limit including current transfer — check is `>`, so this should not violate
     insert_into(evm_transaction_log::table)
         .values(NewEvmTransactionLog {
             grant_id,
             wallet_access_id: WALLET_ACCESS_ID,
             chain_id: CHAIN_ID as i32,
-            eth_value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
+            eth_value: utils::u256_to_bytes(U256::from(900u64)).to_vec(),
             signed_at: SqliteTimestamp(Utc::now()),
         })
         .execute(&mut *conn)

server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs

@@ -38,9 +38,9 @@ fn grant_join() -> _ {
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct Meaning {
-    token: &'static TokenInfo,
+    pub(crate) token: &'static TokenInfo,
-    to: Address,
+    pub(crate) to: Address,
-    value: U256,
+    pub(crate) value: U256,
 }
 impl std::fmt::Display for Meaning {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
@@ -101,6 +101,7 @@ async fn query_relevant_past_transfers(
 
 async fn check_volume_rate_limits(
     grant: &Grant<Settings>,
+    current_transfer_value: U256,
     db: &mut impl AsyncConnection<Backend = Sqlite>,
 ) -> QueryResult<Vec<EvalViolation>> {
     let mut violations = Vec::new();
@@ -113,12 +114,12 @@ async fn check_volume_rate_limits(
 
     for limit in &grant.settings.volume_limits {
         let window_start = chrono::Utc::now() - limit.window;
-        let cumulative_volume: U256 = past_transfers
+        let prospective_cumulative_volume: U256 = past_transfers
             .iter()
             .filter(|(_, timestamp)| timestamp >= &window_start)
-            .fold(U256::default(), |acc, (value, _)| acc + *value);
+            .fold(current_transfer_value, |acc, (value, _)| acc + *value);
 
-        if cumulative_volume > limit.max_volume {
+        if prospective_cumulative_volume > limit.max_volume {
             violations.push(EvalViolation::VolumetricLimitExceeded);
             break;
         }
@@ -163,7 +164,7 @@ impl Policy for TokenTransfer {
             violations.push(EvalViolation::InvalidTarget { target: meaning.to });
         }
 
-        let rate_violations = check_volume_rate_limits(grant, db).await?;
+        let rate_violations = check_volume_rate_limits(grant, meaning.value, db).await?;
         violations.extend(rate_violations);
 
         Ok(violations)

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -220,7 +220,7 @@ async fn evaluate_rejects_wrong_restricted_recipient() {
 }
 
 #[tokio::test]
-async fn evaluate_passes_volume_within_limit() {
+async fn evaluate_passes_volume_at_exact_limit() {
     let db = db::create_test_pool().await;
     let mut conn = db.get().await.unwrap();
 
@@ -230,7 +230,7 @@ async fn evaluate_passes_volume_within_limit() {
         .await
         .unwrap();
 
-    // Record a past transfer of 500 (within 1000 limit)
+    // Record a past transfer of 900, with current transfer 100 => exactly 1000 limit
     use crate::db::{models::NewEvmTokenTransferLog, schema::evm_token_transfer_log};
     insert_into(evm_token_transfer_log::table)
         .values(NewEvmTokenTransferLog {
@@ -239,7 +239,7 @@ async fn evaluate_passes_volume_within_limit() {
             chain_id: CHAIN_ID as i32,
             token_contract: DAI.to_vec(),
             recipient_address: RECIPIENT.to_vec(),
-            value: utils::u256_to_bytes(U256::from(500u64)).to_vec(),
+            value: utils::u256_to_bytes(U256::from(900u64)).to_vec(),
         })
         .execute(&mut *conn)
         .await
@@ -282,7 +282,7 @@ async fn evaluate_rejects_volume_over_limit() {
             chain_id: CHAIN_ID as i32,
             token_contract: DAI.to_vec(),
             recipient_address: RECIPIENT.to_vec(),
-            value: utils::u256_to_bytes(U256::from(1_001u64)).to_vec(),
+            value: utils::u256_to_bytes(U256::from(1_000u64)).to_vec(),
         })
         .execute(&mut *conn)
         .await
@@ -294,7 +294,7 @@ async fn evaluate_rejects_volume_over_limit() {
         shared: shared(),
         settings,
     };
-    let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
+    let calldata = transfer_calldata(RECIPIENT, U256::from(1u64));
     let context = ctx(DAI, calldata);
     let m = TokenTransfer::analyze(&context).unwrap();
     let v = TokenTransfer::evaluate(&context, &m, &grant, &mut *conn)

server/crates/arbiter-server/src/grpc/client.rs

@@ -1,9 +1,16 @@
+use alloy::primitives::Address;
 use arbiter_proto::{
-    proto::client::{
+    proto::{
+        client::{
             ClientRequest, ClientResponse, VaultState as ProtoVaultState,
             client_request::Payload as ClientRequestPayload,
             client_response::Payload as ClientResponsePayload,
         },
+        evm::{
+            EvmError as ProtoEvmError, EvmSignTransactionResponse,
+            evm_sign_transaction_response::Result as EvmSignTransactionResult,
+        },
+    },
     transport::{Receiver, Sender, grpc::GrpcBi},
 };
 use kameo::{
@@ -17,11 +24,18 @@ use crate::{
     actors::{
         client::{
             self, ClientConnection,
-            session::{ClientSession, Error, HandleQueryVaultState},
+            session::{
+                ClientSession, Error, HandleQueryVaultState, HandleSignTransaction,
+                SignTransactionRpcError,
+            },
         },
         keyholder::KeyHolderState,
     },
-    grpc::request_tracker::RequestTracker,
+    grpc::{
+        Convert, TryConvert,
+        common::inbound::{RawEvmAddress, RawEvmTransaction},
+        request_tracker::RequestTracker,
+    },
 };
 
 mod auth;
@@ -34,7 +48,9 @@ async fn dispatch_loop(
     mut request_tracker: RequestTracker,
 ) {
     loop {
-        let Some(message) = bi.recv().await else { return };
+        let Some(message) = bi.recv().await else {
+            return;
+        };
 
         let conn = match message {
             Ok(conn) => conn,
@@ -53,16 +69,24 @@ async fn dispatch_loop(
         };
 
         let Some(payload) = conn.payload else {
-            let _ = bi.send(Err(Status::invalid_argument("Missing client request payload"))).await;
+            let _ = bi
+                .send(Err(Status::invalid_argument(
+                    "Missing client request payload",
+                )))
+                .await;
             return;
         };
 
         match dispatch_inner(&actor, payload).await {
             Ok(response) => {
-                if bi.send(Ok(ClientResponse {
+                if bi
+                    .send(Ok(ClientResponse {
                         request_id: Some(request_id),
                         payload: Some(response),
-                })).await.is_err() {
+                    }))
+                    .await
+                    .is_err()
+                {
                     return;
                 }
             }
@@ -92,6 +116,47 @@ async fn dispatch_inner(
             };
             Ok(ClientResponsePayload::VaultState(state.into()))
         }
+        ClientRequestPayload::EvmSignTransaction(request) => {
+            let address: Address = RawEvmAddress(request.wallet_address).try_convert()?;
+            let transaction = RawEvmTransaction(request.rlp_transaction).try_convert()?;
+
+            let response = match actor
+                .ask(HandleSignTransaction {
+                    wallet_address: address,
+                    transaction,
+                })
+                .await
+            {
+                Ok(signature) => EvmSignTransactionResponse {
+                    result: Some(EvmSignTransactionResult::Signature(
+                        signature.as_bytes().to_vec(),
+                    )),
+                },
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Vet(
+                    vet_error,
+                ))) => EvmSignTransactionResponse {
+                    result: Some(vet_error.convert()),
+                },
+
+                Err(kameo::error::SendError::HandlerError(SignTransactionRpcError::Internal)) => {
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+                Err(err) => {
+                    warn!(error = ?err, "Failed to sign EVM transaction");
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+            };
+
+            Ok(ClientResponsePayload::EvmSignTransaction(response))
+        }
         payload => {
             warn!(?payload, "Unsupported post-auth client request");
             Err(Status::invalid_argument("Unsupported client request"))
@@ -102,14 +167,21 @@ async fn dispatch_inner(
 pub async fn start(mut conn: ClientConnection, mut bi: GrpcBi<ClientRequest, ClientResponse>) {
     let mut request_tracker = RequestTracker::default();
 
-    if let Err(e) = auth::start(&mut conn, &mut bi, &mut request_tracker).await {
+    let client_id = match auth::start(&mut conn, &mut bi, &mut request_tracker).await {
-        let mut transport = auth::AuthTransportAdapter::new(&mut bi, &mut request_tracker);
+        Ok(id) => id,
-        let _ = transport.send(Err(e.clone())).await;
+        Err(err) => {
-        warn!(error = ?e, "Client authentication failed");
+            let _ = bi
+                .send(Err(Status::unauthenticated(format!(
+                    "Authentication failed: {}",
+                    err
+                ))))
+                .await;
+            warn!(error = ?err, "Client authentication failed");
             return;
+        }
     };
 
-    let actor = client::session::ClientSession::spawn(client::session::ClientSession::new(conn));
+    let actor = ClientSession::spawn(ClientSession::new(conn, client_id));
     let actor_for_cleanup = actor.clone();
 
     info!("Client authenticated successfully");

server/crates/arbiter-server/src/grpc/client/auth.rs

@@ -1,11 +1,13 @@
 use arbiter_proto::{
-    ClientMetadata, proto::client::{
+    ClientMetadata,
+    proto::client::{
         AuthChallenge as ProtoAuthChallenge, AuthChallengeRequest as ProtoAuthChallengeRequest,
         AuthChallengeSolution as ProtoAuthChallengeSolution, AuthResult as ProtoAuthResult,
         ClientInfo as ProtoClientInfo, ClientRequest, ClientResponse,
         client_request::Payload as ClientRequestPayload,
         client_response::Payload as ClientResponsePayload,
-    }, transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi}
+    },
+    transport::{Bi, Error as TransportError, Receiver, Sender, grpc::GrpcBi},
 };
 use async_trait::async_trait;
 use tonic::Status;
@@ -181,8 +183,7 @@ pub async fn start(
     conn: &mut ClientConnection,
     bi: &mut GrpcBi<ClientRequest, ClientResponse>,
     request_tracker: &mut RequestTracker,
-) -> Result<(), auth::Error> {
+) -> Result<i32, auth::Error> {
     let mut transport = AuthTransportAdapter::new(bi, request_tracker);
-    client::auth::authenticate(conn, &mut transport).await?;
+    client::auth::authenticate(conn, &mut transport).await
-    Ok(())
 }

server/crates/arbiter-server/src/grpc/common.rs

@@ -0,0 +1,2 @@
+pub mod inbound;
+pub mod outbound;

server/crates/arbiter-server/src/grpc/common/inbound.rs

@@ -0,0 +1,36 @@
+use alloy::{consensus::TxEip1559, primitives::Address, rlp::Decodable as _};
+
+use crate::grpc::TryConvert;
+
+pub struct RawEvmAddress(pub Vec<u8>);
+impl TryConvert for RawEvmAddress {
+    type Output = Address;
+
+    type Error = tonic::Status;
+
+    fn try_convert(self) -> Result<Self::Output, Self::Error> {
+        let wallet_address = match <[u8; 20]>::try_from(self.0.as_slice()) {
+            Ok(address) => Address::from(address),
+            Err(_) => {
+                return Err(tonic::Status::invalid_argument(
+                    "Invalid EVM wallet address",
+                ));
+            }
+        };
+        Ok(wallet_address)
+    }
+}
+
+pub struct RawEvmTransaction(pub Vec<u8>);
+impl TryConvert for RawEvmTransaction {
+    type Output = TxEip1559;
+
+    type Error = tonic::Status;
+
+    fn try_convert(mut self) -> Result<Self::Output, Self::Error> {
+        let tx = TxEip1559::decode(&mut self.0.as_slice()).map_err(|_| {
+            tonic::Status::invalid_argument("Invalid EVM transaction format")
+        })?;
+        Ok(tx)
+    }
+}

server/crates/arbiter-server/src/grpc/common/outbound.rs

@@ -0,0 +1,114 @@
+use alloy::primitives::U256;
+use arbiter_proto::proto::evm::{
+    EvalViolation as ProtoEvalViolation, EvmError as ProtoEvmError, GasLimitExceededViolation,
+    NoMatchingGrantError, PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
+    TokenInfo as ProtoTokenInfo, TransactionEvalError as ProtoTransactionEvalError,
+    eval_violation::Kind as ProtoEvalViolationKind,
+    evm_sign_transaction_response::Result as EvmSignTransactionResult,
+    specific_meaning::Meaning as ProtoSpecificMeaningKind,
+    transaction_eval_error::Kind as ProtoTransactionEvalErrorKind,
+};
+
+use crate::{
+    evm::{
+        PolicyError, VetError,
+        policies::{EvalViolation, SpecificMeaning},
+    },
+    grpc::Convert,
+};
+
+fn u256_to_proto_bytes(value: U256) -> Vec<u8> {
+    value.to_be_bytes::<32>().to_vec()
+}
+
+impl Convert for SpecificMeaning {
+    type Output = ProtoSpecificMeaning;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            SpecificMeaning::EtherTransfer(meaning) => ProtoSpecificMeaningKind::EtherTransfer(
+                arbiter_proto::proto::evm::EtherTransferMeaning {
+                    to: meaning.to.to_vec(),
+                    value: u256_to_proto_bytes(meaning.value),
+                },
+            ),
+            SpecificMeaning::TokenTransfer(meaning) => ProtoSpecificMeaningKind::TokenTransfer(
+                arbiter_proto::proto::evm::TokenTransferMeaning {
+                    token: Some(ProtoTokenInfo {
+                        symbol: meaning.token.symbol.to_string(),
+                        address: meaning.token.contract.to_vec(),
+                        chain_id: meaning.token.chain,
+                    }),
+                    to: meaning.to.to_vec(),
+                    value: u256_to_proto_bytes(meaning.value),
+                },
+            ),
+        };
+
+        ProtoSpecificMeaning {
+            meaning: Some(kind),
+        }
+    }
+}
+
+impl Convert for EvalViolation {
+    type Output = ProtoEvalViolation;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            EvalViolation::InvalidTarget { target } => {
+                ProtoEvalViolationKind::InvalidTarget(target.to_vec())
+            }
+            EvalViolation::GasLimitExceeded {
+                max_gas_fee_per_gas,
+                max_priority_fee_per_gas,
+            } => ProtoEvalViolationKind::GasLimitExceeded(GasLimitExceededViolation {
+                max_gas_fee_per_gas: max_gas_fee_per_gas.map(u256_to_proto_bytes),
+                max_priority_fee_per_gas: max_priority_fee_per_gas.map(u256_to_proto_bytes),
+            }),
+            EvalViolation::RateLimitExceeded => ProtoEvalViolationKind::RateLimitExceeded(()),
+            EvalViolation::VolumetricLimitExceeded => {
+                ProtoEvalViolationKind::VolumetricLimitExceeded(())
+            }
+            EvalViolation::InvalidTime => ProtoEvalViolationKind::InvalidTime(()),
+            EvalViolation::InvalidTransactionType => {
+                ProtoEvalViolationKind::InvalidTransactionType(())
+            }
+        };
+
+        ProtoEvalViolation { kind: Some(kind) }
+    }
+}
+
+impl Convert for VetError {
+    type Output = EvmSignTransactionResult;
+
+    fn convert(self) -> Self::Output {
+        let kind = match self {
+            VetError::ContractCreationNotSupported => {
+                ProtoTransactionEvalErrorKind::ContractCreationNotSupported(())
+            }
+            VetError::UnsupportedTransactionType => {
+                ProtoTransactionEvalErrorKind::UnsupportedTransactionType(())
+            }
+            VetError::Evaluated(meaning, policy_error) => match policy_error {
+                PolicyError::NoMatchingGrant => {
+                    ProtoTransactionEvalErrorKind::NoMatchingGrant(NoMatchingGrantError {
+                        meaning: Some(meaning.convert()),
+                    })
+                }
+                PolicyError::Violations(violations) => {
+                    ProtoTransactionEvalErrorKind::PolicyViolations(PolicyViolationsError {
+                        meaning: Some(meaning.convert()),
+                        violations: violations.into_iter().map(Convert::convert).collect(),
+                    })
+                }
+                PolicyError::Database(_) => {
+                    return EvmSignTransactionResult::Error(ProtoEvmError::Internal.into());
+                }
+            },
+        };
+
+        EvmSignTransactionResult::EvalError(ProtoTransactionEvalError { kind: Some(kind) }.into())
+    }
+}

server/crates/arbiter-server/src/grpc/mod.rs

@@ -14,10 +14,13 @@ use crate::{
     grpc::user_agent::start,
 };
 
-pub mod client;
 mod request_tracker;
+
+pub mod client;
 pub mod user_agent;
 
+mod common;
+
 pub trait Convert {
     type Output;
 

server/crates/arbiter-server/src/grpc/user_agent.rs

@@ -6,10 +6,11 @@ use arbiter_proto::{
         evm::{
             EvmError as ProtoEvmError, EvmGrantCreateRequest, EvmGrantCreateResponse,
             EvmGrantDeleteRequest, EvmGrantDeleteResponse, EvmGrantList, EvmGrantListResponse,
-            GrantEntry, WalletCreateResponse, WalletEntry, WalletList, WalletListResponse,
+            EvmSignTransactionResponse, GrantEntry, WalletCreateResponse, WalletEntry, WalletList,
-            evm_grant_create_response::Result as EvmGrantCreateResult,
+            WalletListResponse, evm_grant_create_response::Result as EvmGrantCreateResult,
             evm_grant_delete_response::Result as EvmGrantDeleteResult,
             evm_grant_list_response::Result as EvmGrantListResult,
+            evm_sign_transaction_response::Result as EvmSignTransactionResult,
             wallet_create_response::Result as WalletCreateResult,
             wallet_list_response::Result as WalletListResult,
         },
@@ -22,8 +23,8 @@ use arbiter_proto::{
             SdkClientGrantWalletAccess, SdkClientList as ProtoSdkClientList,
             SdkClientListResponse as ProtoSdkClientListResponse, SdkClientRevokeWalletAccess,
             SdkClientWalletAccess, UnsealEncryptedKey as ProtoUnsealEncryptedKey,
-            UnsealResult as ProtoUnsealResult, UnsealStart, UserAgentRequest, UserAgentResponse,
+            UnsealResult as ProtoUnsealResult, UnsealStart, UserAgentEvmSignTransactionRequest,
-            VaultState as ProtoVaultState,
+            UserAgentRequest, UserAgentResponse, VaultState as ProtoVaultState,
             sdk_client_list_response::Result as ProtoSdkClientListResult,
             user_agent_request::Payload as UserAgentRequestPayload,
             user_agent_response::Payload as UserAgentResponsePayload,
@@ -49,12 +50,24 @@ use crate::{
                 HandleEvmWalletList, HandleGrantCreate, HandleGrantDelete,
                 HandleGrantEvmWalletAccess, HandleGrantList, HandleListWalletAccess,
                 HandleNewClientApprove, HandleQueryVaultState, HandleRevokeEvmWalletAccess,
-                HandleSdkClientList, HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError,
+                HandleSdkClientList, HandleSignTransaction, HandleUnsealEncryptedKey,
+                HandleUnsealRequest, SignTransactionError as SessionSignTransactionError,
+                UnsealError,
             },
         },
     },
     db::models::{CoreEvmWalletAccess, NewEvmWalletAccess},
-    grpc::{Convert, TryConvert, request_tracker::RequestTracker},
+    evm::{PolicyError, VetError, policies::EvalViolation},
+    grpc::{
+        Convert, TryConvert,
+        common::inbound::{RawEvmAddress, RawEvmTransaction},
+        request_tracker::RequestTracker,
+    },
+};
+use alloy::{
+    consensus::TxEip1559,
+    primitives::{Address, U256},
+    rlp::Decodable,
 };
 mod auth;
 mod inbound;
@@ -178,7 +191,6 @@ async fn dispatch_inner(
                 },
             )
         }
-
         UserAgentRequestPayload::UnsealEncryptedKey(ProtoUnsealEncryptedKey {
             nonce,
             ciphertext,
@@ -203,7 +215,6 @@ async fn dispatch_inner(
             };
             UserAgentResponsePayload::UnsealResult(result.into())
         }
-
         UserAgentRequestPayload::BootstrapEncryptedKey(ProtoBootstrapEncryptedKey {
             nonce,
             ciphertext,
@@ -231,7 +242,6 @@ async fn dispatch_inner(
             };
             UserAgentResponsePayload::BootstrapResult(result.into())
         }
-
         UserAgentRequestPayload::QueryVaultState(_) => {
             let state = match actor.ask(HandleQueryVaultState {}).await {
                 Ok(KeyHolderState::Unbootstrapped) => ProtoVaultState::Unbootstrapped,
@@ -244,7 +254,6 @@ async fn dispatch_inner(
             };
             UserAgentResponsePayload::VaultState(state.into())
         }
-
         UserAgentRequestPayload::EvmWalletCreate(_) => {
             let result = match actor.ask(HandleEvmWalletCreate {}).await {
                 Ok((wallet_id, address)) => WalletCreateResult::Wallet(WalletEntry {
@@ -260,7 +269,6 @@ async fn dispatch_inner(
                 result: Some(result),
             })
         }
-
         UserAgentRequestPayload::EvmWalletList(_) => {
             let result = match actor.ask(HandleEvmWalletList {}).await {
                 Ok(wallets) => WalletListResult::Wallets(WalletList {
@@ -281,7 +289,6 @@ async fn dispatch_inner(
                 result: Some(result),
             })
         }
-
         UserAgentRequestPayload::EvmGrantList(_) => {
             let result = match actor.ask(HandleGrantList {}).await {
                 Ok(grants) => EvmGrantListResult::Grants(EvmGrantList {
@@ -304,7 +311,6 @@ async fn dispatch_inner(
                 result: Some(result),
             })
         }
-
         UserAgentRequestPayload::EvmGrantCreate(EvmGrantCreateRequest { shared, specific }) => {
             let basic = shared
                 .ok_or_else(|| Status::invalid_argument("Missing shared grant settings"))?
@@ -324,7 +330,6 @@ async fn dispatch_inner(
                 result: Some(result),
             })
         }
-
         UserAgentRequestPayload::EvmGrantDelete(EvmGrantDeleteRequest { grant_id }) => {
             let result = match actor.ask(HandleGrantDelete { grant_id }).await {
                 Ok(()) => EvmGrantDeleteResult::Ok(()),
@@ -337,7 +342,6 @@ async fn dispatch_inner(
                 result: Some(result),
             })
         }
-
         UserAgentRequestPayload::SdkClientConnectionResponse(resp) => {
             let pubkey_bytes = <[u8; 32]>::try_from(resp.pubkey)
                 .map_err(|_| Status::invalid_argument("Invalid Ed25519 public key length"))?;
@@ -357,9 +361,7 @@ async fn dispatch_inner(
 
             return Ok(None);
         }
-
         UserAgentRequestPayload::SdkClientRevoke(_) => todo!(),
-
         UserAgentRequestPayload::SdkClientList(_) => {
             let result = match actor.ask(HandleSdkClientList {}).await {
                 Ok(clients) => ProtoSdkClientListResult::Clients(ProtoSdkClientList {
@@ -386,7 +388,6 @@ async fn dispatch_inner(
                 result: Some(result),
             })
         }
-
         UserAgentRequestPayload::GrantWalletAccess(SdkClientGrantWalletAccess { accesses }) => {
             let entries: Vec<NewEvmWalletAccess> =
                 accesses.into_iter().map(|a| a.convert()).collect();
@@ -402,9 +403,11 @@ async fn dispatch_inner(
                 }
             }
         }
-
         UserAgentRequestPayload::RevokeWalletAccess(SdkClientRevokeWalletAccess { accesses }) => {
-            match actor.ask(HandleRevokeEvmWalletAccess { entries: accesses }).await {
+            match actor
+                .ask(HandleRevokeEvmWalletAccess { entries: accesses })
+                .await
+            {
                 Ok(()) => {
                     info!("Successfully revoked wallet access");
                     return Ok(None);
@@ -415,7 +418,6 @@ async fn dispatch_inner(
                 }
             }
         }
-
         UserAgentRequestPayload::ListWalletAccess(_) => {
             let result = match actor.ask(HandleListWalletAccess {}).await {
                 Ok(accesses) => ListWalletAccessResponse {
@@ -428,12 +430,59 @@ async fn dispatch_inner(
             };
             UserAgentResponsePayload::ListWalletAccessResponse(result)
         }
-
         UserAgentRequestPayload::AuthChallengeRequest(..)
         | UserAgentRequestPayload::AuthChallengeSolution(..) => {
             warn!(?payload, "Unsupported post-auth user agent request");
             return Err(Status::invalid_argument("Unsupported user-agent request"));
         }
+        UserAgentRequestPayload::EvmSignTransaction(UserAgentEvmSignTransactionRequest {
+            client_id,
+            request,
+        }) => {
+            let Some(request) = request else {
+                warn!("Missing transaction signing request");
+                return Err(Status::invalid_argument(
+                    "Missing transaction signing request",
+                ));
+            };
+
+            let address: Address = RawEvmAddress(request.wallet_address).try_convert()?;
+            let transaction = RawEvmTransaction(request.rlp_transaction).try_convert()?;
+
+            let response = match actor
+                .ask(HandleSignTransaction {
+                    client_id,
+                    wallet_address: address,
+                    transaction,
+                })
+                .await
+            {
+                Ok(signature) => EvmSignTransactionResponse {
+                    result: Some(EvmSignTransactionResult::Signature(
+                        signature.as_bytes().to_vec(),
+                    )),
+                },
+                Err(SendError::HandlerError(SessionSignTransactionError::Vet(vet_error))) => {
+                    EvmSignTransactionResponse { result: Some(vet_error.convert()) }
+                }
+                Err(SendError::HandlerError(SessionSignTransactionError::Internal)) => {
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+                Err(err) => {
+                    warn!(error = ?err, "Failed to sign EVM transaction via user-agent");
+                    EvmSignTransactionResponse {
+                        result: Some(EvmSignTransactionResult::Error(
+                            ProtoEvmError::Internal.into(),
+                        )),
+                    }
+                }
+            };
+            UserAgentResponsePayload::EvmSignTransaction(response)
+        }
     };
 
     Ok(Some(response))

server/crates/arbiter-server/src/lib.rs

@@ -1,13 +1,5 @@
 #![forbid(unsafe_code)]
-
+use crate::context::ServerContext;
-use std::{net::SocketAddr, path::PathBuf};
-
-use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
-use miette::miette;
-use tonic::transport::{Identity, ServerTlsConfig};
-use tracing::info;
-
-use crate::{actors::bootstrap::GetToken, context::ServerContext};
 
 pub mod actors;
 pub mod context;
@@ -26,64 +18,3 @@ impl Server {
         Self { context }
     }
 }
-
-#[derive(Debug, Clone)]
-pub struct RunConfig {
-    pub addr: SocketAddr,
-    pub data_dir: Option<PathBuf>,
-    pub log_arbiter_url: bool,
-}
-
-impl RunConfig {
-    pub fn new(addr: SocketAddr, data_dir: Option<PathBuf>) -> Self {
-        Self {
-            addr,
-            data_dir,
-            log_arbiter_url: true,
-        }
-    }
-}
-
-pub async fn run_server_until_shutdown<F>(config: RunConfig, shutdown: F) -> miette::Result<()>
-where
-    F: Future<Output = ()> + Send + 'static,
-{
-    arbiter_proto::set_home_path_override(config.data_dir.clone())
-        .map_err(|err| miette!("failed to set home path override: {err}"))?;
-
-    let db = db::create_pool(None).await?;
-    info!(addr = %config.addr, "Database ready");
-
-    let context = ServerContext::new(db).await?;
-    info!(addr = %config.addr, "Server context ready");
-
-    if config.log_arbiter_url {
-        let url = ArbiterUrl {
-            host: config.addr.ip().to_string(),
-            port: config.addr.port(),
-            ca_cert: context.tls.ca_cert().clone().into_owned(),
-            bootstrap_token: context
-                .actors
-                .bootstrapper
-                .ask(GetToken)
-                .await
-                .map_err(|err| miette!("failed to get bootstrap token from actor: {err}"))?,
-        };
-        info!(%url, "Server URL");
-    }
-
-    let tls = ServerTlsConfig::new().identity(Identity::from_pem(
-        context.tls.cert_pem(),
-        context.tls.key_pem(),
-    ));
-
-    tonic::transport::Server::builder()
-        .tls_config(tls)
-        .map_err(|err| miette!("Failed to setup TLS: {err}"))?
-        .add_service(ArbiterServiceServer::new(Server::new(context)))
-        .serve_with_shutdown(config.addr, shutdown)
-        .await
-        .map_err(|e| miette!("gRPC server error: {e}"))?;
-
-    Ok(())
-}

server/crates/arbiter-server/src/main.rs

@@ -1,42 +1,56 @@
-mod cli;
+use std::net::SocketAddr;
-mod service;
 
-use clap::Parser;
+use arbiter_proto::{proto::arbiter_service_server::ArbiterServiceServer, url::ArbiterUrl};
-use cli::{Cli, Command, RunArgs, ServiceCommand};
+use arbiter_server::{Server, actors::bootstrap::GetToken, context::ServerContext, db};
+use miette::miette;
 use rustls::crypto::aws_lc_rs;
+use tonic::transport::{Identity, ServerTlsConfig};
 use tracing::info;
 
+const PORT: u16 = 50051;
+
 #[tokio::main]
 async fn main() -> miette::Result<()> {
     aws_lc_rs::default_provider().install_default().unwrap();
-    init_logging();
 
-    let cli = Cli::parse();
+    tracing_subscriber::fmt()
-
-    match cli.command {
-        None => run_foreground(RunArgs::default()).await,
-        Some(Command::Run(args)) => run_foreground(args).await,
-        Some(Command::Service { command }) => match command {
-            ServiceCommand::Install(args) => service::install_service(args),
-            ServiceCommand::Run(args) => service::run_service_dispatcher(args),
-        },
-    }
-}
-
-async fn run_foreground(args: RunArgs) -> miette::Result<()> {
-    info!(addr = %args.listen_addr, "Starting arbiter server");
-    arbiter_server::run_server_until_shutdown(
-        arbiter_server::RunConfig::new(args.listen_addr, args.data_dir),
-        std::future::pending::<()>(),
-    )
-    .await
-}
-
-fn init_logging() {
-    let _ = tracing_subscriber::fmt()
         .with_env_filter(
             tracing_subscriber::EnvFilter::try_from_default_env()
                 .unwrap_or_else(|_| tracing_subscriber::EnvFilter::new("info")),
         )
-        .try_init();
+        .init();
+
+    info!("Starting arbiter server");
+
+    let db = db::create_pool(None).await?;
+    info!("Database ready");
+
+    let context = ServerContext::new(db).await?;
+
+    let addr: SocketAddr = format!("127.0.0.1:{PORT}").parse().expect("valid address");
+    info!(%addr, "Starting gRPC server");
+
+    let url = ArbiterUrl {
+        host: addr.ip().to_string(),
+        port: addr.port(),
+        ca_cert: context.tls.ca_cert().clone().into_owned(),
+        bootstrap_token: context.actors.bootstrapper.ask(GetToken).await.unwrap(),
+    };
+
+    info!(%url, "Server URL");
+
+    let tls = ServerTlsConfig::new().identity(Identity::from_pem(
+        context.tls.cert_pem(),
+        context.tls.key_pem(),
+    ));
+
+    tonic::transport::Server::builder()
+        .tls_config(tls)
+        .map_err(|err| miette!("Faild to setup TLS: {err}"))?
+        .add_service(ArbiterServiceServer::new(Server::new(context)))
+        .serve(addr)
+        .await
+        .map_err(|e| miette::miette!("gRPC server error: {e}"))?;
+
+    unreachable!("gRPC server should run indefinitely");
 }

server/crates/arbiter-server/src/service/mod.rs

@@ -1,19 +0,0 @@
-#[cfg(windows)]
-mod windows;
-
-#[cfg(windows)]
-pub use windows::{install_service, run_service_dispatcher};
-
-#[cfg(not(windows))]
-pub fn install_service(_: crate::cli::ServiceInstallArgs) -> miette::Result<()> {
-    Err(miette::miette!(
-        "service install is currently supported only on Windows"
-    ))
-}
-
-#[cfg(not(windows))]
-pub fn run_service_dispatcher(_: crate::cli::ServiceRunArgs) -> miette::Result<()> {
-    Err(miette::miette!(
-        "service run entrypoint is currently supported only on Windows"
-    ))
-}

server/crates/arbiter-server/src/service/windows.rs

@@ -1,230 +0,0 @@
-use std::{
-    ffi::OsString,
-    path::{Path, PathBuf},
-    process::Command,
-    sync::mpsc,
-    time::Duration,
-};
-
-use miette::{Context as _, IntoDiagnostic as _, miette};
-use windows_service::{
-    define_windows_service,
-    service::{
-        ServiceAccess, ServiceControl, ServiceControlAccept, ServiceErrorControl, ServiceExitCode,
-        ServiceInfo, ServiceStartType, ServiceState, ServiceStatus, ServiceType,
-    },
-    service_control_handler::{self, ServiceControlHandlerResult},
-    service_dispatcher,
-    service_manager::{ServiceManager, ServiceManagerAccess},
-};
-
-use crate::cli::{ServiceInstallArgs, ServiceRunArgs};
-use arbiter_server::{RunConfig, run_server_until_shutdown};
-
-const SERVICE_NAME: &str = "ArbiterServer";
-const SERVICE_DISPLAY_NAME: &str = "Arbiter Server";
-
-pub fn default_service_data_dir() -> PathBuf {
-    let base = std::env::var_os("PROGRAMDATA")
-        .map(PathBuf::from)
-        .unwrap_or_else(|| PathBuf::from(r"C:\ProgramData"));
-    base.join("Arbiter")
-}
-
-pub fn install_service(args: ServiceInstallArgs) -> miette::Result<()> {
-    ensure_admin_rights()?;
-
-    let executable = std::env::current_exe().into_diagnostic()?;
-    let data_dir = args.data_dir.unwrap_or_else(default_service_data_dir);
-
-    std::fs::create_dir_all(&data_dir)
-        .into_diagnostic()
-        .with_context(|| format!("failed to create service data dir: {}", data_dir.display()))?;
-    ensure_token_acl_contract(&data_dir)?;
-
-    let manager_access = ServiceManagerAccess::CONNECT | ServiceManagerAccess::CREATE_SERVICE;
-    let manager = ServiceManager::local_computer(None::<&str>, manager_access)
-        .into_diagnostic()
-        .wrap_err("failed to open Service Control Manager")?;
-
-    let launch_arguments = vec![
-        OsString::from("service"),
-        OsString::from("run"),
-        OsString::from("--data-dir"),
-        data_dir.as_os_str().to_os_string(),
-    ];
-
-    let service_info = ServiceInfo {
-        name: OsString::from(SERVICE_NAME),
-        display_name: OsString::from(SERVICE_DISPLAY_NAME),
-        service_type: ServiceType::OWN_PROCESS,
-        start_type: ServiceStartType::AutoStart,
-        error_control: ServiceErrorControl::Normal,
-        executable_path: executable,
-        launch_arguments,
-        dependencies: vec![],
-        account_name: Some(OsString::from(r"NT AUTHORITY\LocalService")),
-        account_password: None,
-    };
-
-    let service = manager
-        .create_service(
-            &service_info,
-            ServiceAccess::QUERY_STATUS | ServiceAccess::START,
-        )
-        .into_diagnostic()
-        .wrap_err("failed to create Windows service in SCM")?;
-
-    if args.start {
-        service
-            .start::<&str>(&[])
-            .into_diagnostic()
-            .wrap_err("service created but failed to start")?;
-    }
-
-    Ok(())
-}
-
-pub fn run_service_dispatcher(args: ServiceRunArgs) -> miette::Result<()> {
-    SERVICE_RUN_ARGS
-        .set(args)
-        .map_err(|_| miette!("service runtime args are already initialized"))?;
-
-    service_dispatcher::start(SERVICE_NAME, ffi_service_main)
-        .into_diagnostic()
-        .wrap_err("failed to start service dispatcher")?;
-
-    Ok(())
-}
-
-define_windows_service!(ffi_service_main, service_main);
-
-static SERVICE_RUN_ARGS: std::sync::OnceLock<ServiceRunArgs> = std::sync::OnceLock::new();
-
-fn service_main(_arguments: Vec<OsString>) {
-    if let Err(error) = run_service_main() {
-        tracing::error!(error = ?error, "Windows service main failed");
-    }
-}
-
-fn run_service_main() -> miette::Result<()> {
-    let args = SERVICE_RUN_ARGS
-        .get()
-        .cloned()
-        .ok_or_else(|| miette!("service run args are missing"))?;
-
-    let (shutdown_tx, shutdown_rx) = mpsc::channel::<()>();
-
-    let status_handle =
-        service_control_handler::register(SERVICE_NAME, move |control| match control {
-            ServiceControl::Stop => {
-                let _ = shutdown_tx.send(());
-                ServiceControlHandlerResult::NoError
-            }
-            ServiceControl::Interrogate => ServiceControlHandlerResult::NoError,
-            _ => ServiceControlHandlerResult::NotImplemented,
-        })
-        .into_diagnostic()
-        .wrap_err("failed to register service control handler")?;
-
-    set_status(
-        &status_handle,
-        ServiceState::StartPending,
-        ServiceControlAccept::empty(),
-    )?;
-
-    let runtime = tokio::runtime::Builder::new_multi_thread()
-        .enable_all()
-        .build()
-        .into_diagnostic()
-        .wrap_err("failed to build tokio runtime for service")?;
-
-    set_status(
-        &status_handle,
-        ServiceState::Running,
-        ServiceControlAccept::STOP,
-    )?;
-
-    let data_dir = args.data_dir.unwrap_or_else(default_service_data_dir);
-    let config = RunConfig {
-        addr: args.listen_addr,
-        data_dir: Some(data_dir),
-        log_arbiter_url: true,
-    };
-
-    let result = runtime.block_on(run_server_until_shutdown(config, async move {
-        let _ = tokio::task::spawn_blocking(move || shutdown_rx.recv()).await;
-    }));
-
-    set_status(
-        &status_handle,
-        ServiceState::Stopped,
-        ServiceControlAccept::empty(),
-    )?;
-
-    result
-}
-
-fn set_status(
-    status_handle: &service_control_handler::ServiceStatusHandle,
-    current_state: ServiceState,
-    controls_accepted: ServiceControlAccept,
-) -> miette::Result<()> {
-    status_handle
-        .set_service_status(ServiceStatus {
-            service_type: ServiceType::OWN_PROCESS,
-            current_state,
-            controls_accepted,
-            exit_code: ServiceExitCode::Win32(0),
-            checkpoint: 0,
-            wait_hint: Duration::from_secs(10),
-            process_id: None,
-        })
-        .into_diagnostic()
-        .wrap_err("failed to update service state")?;
-
-    Ok(())
-}
-
-fn ensure_admin_rights() -> miette::Result<()> {
-    let status = Command::new("net")
-        .arg("session")
-        .status()
-        .into_diagnostic()
-        .wrap_err("failed to check administrator rights")?;
-
-    if status.success() {
-        Ok(())
-    } else {
-        Err(miette!(
-            "administrator privileges are required to install Windows service"
-        ))
-    }
-}
-
-fn ensure_token_acl_contract(data_dir: &Path) -> miette::Result<()> {
-    // IMPORTANT: Keep this ACL setup explicit.
-    // The service account needs write access, while the interactive user only needs read access
-    // to the bootstrap token and service data directory.
-    let target = data_dir.as_os_str();
-
-    let status = Command::new("icacls")
-        .arg(target)
-        .arg("/grant")
-        .arg("*S-1-5-19:(OI)(CI)M")
-        .arg("/grant")
-        .arg("*S-1-5-32-545:(OI)(CI)RX")
-        .arg("/T")
-        .arg("/C")
-        .status()
-        .into_diagnostic()
-        .wrap_err("failed to apply ACLs for service data directory")?;
-
-    if status.success() {
-        Ok(())
-    } else {
-        Err(miette!(
-            "failed to ensure ACL contract for service data directory"
-        ))
-    }
-}

server/crates/arbiter-server/tests/user_agent/auth.rs

@@ -165,3 +165,69 @@ pub async fn test_challenge_auth() {
 
     task.await.unwrap().unwrap();
 }
+
+#[tokio::test]
+#[test_log::test]
+pub async fn test_challenge_auth_rejects_invalid_signature() {
+    let db = db::create_test_pool().await;
+    let actors = GlobalActors::spawn(db.clone()).await.unwrap();
+
+    let new_key = ed25519_dalek::SigningKey::generate(&mut rand::rng());
+    let pubkey_bytes = new_key.verifying_key().to_bytes().to_vec();
+
+    // Pre-register key with key_type
+    {
+        let mut conn = db.get().await.unwrap();
+        insert_into(schema::useragent_client::table)
+            .values((
+                schema::useragent_client::public_key.eq(pubkey_bytes.clone()),
+                schema::useragent_client::key_type.eq(1i32),
+            ))
+            .execute(&mut conn)
+            .await
+            .unwrap();
+    }
+
+    let (server_transport, mut test_transport) = ChannelTransport::new();
+    let db_for_task = db.clone();
+    let task = tokio::spawn(async move {
+        let mut props = UserAgentConnection::new(db_for_task, actors);
+        auth::authenticate(&mut props, server_transport).await
+    });
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeRequest {
+            pubkey: AuthPublicKey::Ed25519(new_key.verifying_key()),
+            bootstrap_token: None,
+        })
+        .await
+        .unwrap();
+
+    let response = test_transport
+        .recv()
+        .await
+        .expect("should receive challenge");
+    let challenge = match response {
+        Ok(resp) => match resp {
+            auth::Outbound::AuthChallenge { nonce } => nonce,
+            other => panic!("Expected AuthChallenge, got {other:?}"),
+        },
+        Err(err) => panic!("Expected Ok response, got Err({err:?})"),
+    };
+
+    // Sign a different challenge value so signature format is valid but verification must fail.
+    let wrong_challenge = arbiter_proto::format_challenge(challenge + 1, &pubkey_bytes);
+    let signature = new_key.sign(&wrong_challenge);
+
+    test_transport
+        .send(auth::Inbound::AuthChallengeSolution {
+            signature: signature.to_bytes().to_vec(),
+        })
+        .await
+        .unwrap();
+
+    assert!(matches!(
+        task.await.unwrap(),
+        Err(auth::Error::InvalidChallengeSolution)
+    ));
+}