anda_web3_client 0.12.0

The Rust SDK for Web3 integration in non-TEE environments.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697

use anda_core::{BoxError, BoxPinFut, HttpFeatures, RPCRequestRef, cbor_rpc};
use anda_engine::context::Web3ClientFeatures;
use candid::{
    CandidType, Decode, Principal,
    utils::{ArgumentEncoder, encode_args},
};
use ciborium::from_reader;
use ic_agent::identity::{AnonymousIdentity, BasicIdentity, Secp256k1Identity};
use ic_auth_types::deterministic_cbor_into_vec;
use ic_auth_verifier::envelope::SignedEnvelope;
use ic_cose::client::CoseSDK;
use ic_cose_types::{
    CanisterCaller,
    cose::{
        ed25519::ed25519_verify,
        k256::{secp256k1_verify_bip340, secp256k1_verify_ecdsa},
        sha3_256,
    },
};
use ic_tee_gateway_sdk::crypto;
use serde::{Serialize, de::DeserializeOwned};
use std::{sync::Arc, time::Duration};

pub use ic_agent::{Agent, Identity};

use anda_engine::APP_USER_AGENT;

/// Client for interacting with outside services (includes ICP and other blockchains)
///
/// Provides cryptographic operations, canister communication, and HTTP features.
/// Manages both internal and external HTTP clients
/// with different configurations for secure communication.
#[derive(Clone)]
pub struct Client {
    outer_http: reqwest::Client,
    root_secret: [u8; 48],
    identity: Arc<dyn Identity>,
    agent: Agent,
    cose_canister: Principal,
    allow_http: bool,
}

/// Builder for creating a new Client with custom configuration
#[non_exhaustive]
pub struct ClientBuilder {
    ic_host: String,
    root_secret: [u8; 48],
    identity: Option<Arc<dyn Identity>>,
    agent: Option<Agent>,
    cose_canister: Principal,
    outer_http: Option<reqwest::Client>,
    allow_http: bool,
}

/// Returns a new Ed25519 identity from a 32-byte secret
pub fn identity_from_secret(id_secret: [u8; 32]) -> Box<dyn Identity> {
    Box::new(BasicIdentity::from_raw_key(&id_secret))
}

/// Loads an ICP identity from a PEM file (generated by dfx or other tools, supports both Ed25519 and Secp256k1)
pub fn identity_from_pem(path: &str) -> Result<Box<dyn Identity>, BoxError> {
    let content = std::fs::read_to_string(path)?;
    match Secp256k1Identity::from_pem(content.as_bytes()) {
        Ok(identity) => Ok(Box::new(identity)),
        Err(_) => match BasicIdentity::from_pem(content.as_bytes()) {
            Ok(identity) => Ok(Box::new(identity)),
            Err(err) => Err(err.into()),
        },
    }
}

/// Loads an identity from a 32-byte hex-encoded secret or PEM file
pub fn load_identity(id_secret_or_path: &str) -> Result<Box<dyn Identity>, BoxError> {
    if id_secret_or_path == "Anonymous" {
        return Ok(Box::new(AnonymousIdentity));
    }

    match identity_from_pem(id_secret_or_path) {
        Ok(identity) => Ok(identity),
        Err(_) => {
            let id_secret = hex::decode(id_secret_or_path)?;
            let id_secret: [u8; 32] = id_secret
                .try_into()
                .map_err(|_| format!("invalid id_secret: {id_secret_or_path:?}"))?;
            Ok(identity_from_secret(id_secret))
        }
    }
}

impl Default for ClientBuilder {
    fn default() -> Self {
        Self {
            ic_host: "https://icp-api.io".to_string(),
            root_secret: [0; 48],
            identity: None,
            agent: None,
            cose_canister: Principal::anonymous(),
            outer_http: None,
            allow_http: false,
        }
    }
}

impl ClientBuilder {
    /// Sets the base URL of the ICP network, default is `https://icp-api.io`
    pub fn with_ic_host(mut self, ic_host: &str) -> Self {
        self.ic_host = ic_host.to_string();
        self
    }

    /// Sets the 48-byte root secret for key derivation, default is all zeros
    pub fn with_root_secret(mut self, root_secret: [u8; 48]) -> Self {
        self.root_secret = root_secret;
        self
    }

    /// Sets the principal of the COSE canister, default is anonymous, which disables COSE operations
    pub fn with_cose_canister(mut self, cose_canister: Principal) -> Self {
        self.cose_canister = cose_canister;
        self
    }

    /// Sets the identity for cryptographic operations, default is anonymous
    pub fn with_identity(mut self, identity: Arc<dyn Identity>) -> Self {
        self.identity = Some(identity);
        self
    }

    /// Sets the agent for canister communication
    pub fn with_agent(mut self, agent: Agent) -> Self {
        self.agent = Some(agent);
        self
    }

    /// Sets the external HTTP client for making requests, default is a secure client
    pub fn with_http_client(mut self, http_client: reqwest::Client) -> Self {
        self.outer_http = Some(http_client);
        self
    }

    /// Allow HTTP connections (default is false)
    pub fn with_allow_http(mut self, allow_http: bool) -> Self {
        self.allow_http = allow_http;
        self
    }

    pub async fn build(self) -> Result<Client, BoxError> {
        let identity = match self.identity {
            Some(identity) => identity,
            None => Arc::new(identity_from_secret(sha3_256(&self.root_secret))),
        };

        let agent = match self.agent {
            Some(agent) => agent,
            None => {
                let agent = Agent::builder()
                    .with_url(self.ic_host.clone())
                    .with_arc_identity(identity.clone())
                    .with_verify_query_signatures(false)
                    .build()?;

                // let agent = if self.ic_host.starts_with("https://") {
                //     agent.with_background_dynamic_routing().build()?
                // } else {
                //     agent.build()?
                // };

                if self.ic_host.starts_with("http://") {
                    // ignore error
                    let _ = agent.fetch_root_key().await;
                }
                agent
            }
        };

        let outer_http = match self.outer_http {
            Some(http_client) => http_client,
            None => reqwest::Client::builder()
                .use_rustls_tls()
                .https_only(!self.allow_http)
                .http2_keep_alive_interval(Some(Duration::from_secs(25)))
                .http2_keep_alive_timeout(Duration::from_secs(15))
                .http2_keep_alive_while_idle(true)
                .connect_timeout(Duration::from_secs(10))
                .timeout(Duration::from_secs(120))
                .gzip(true)
                .user_agent(APP_USER_AGENT)
                .build()?,
        };

        Ok(Client {
            outer_http,
            root_secret: self.root_secret,
            identity,
            agent,
            cose_canister: self.cose_canister,
            allow_http: self.allow_http,
        })
    }
}

impl Client {
    pub fn builder() -> ClientBuilder {
        ClientBuilder::default()
    }

    pub fn get_principal(&self) -> Principal {
        self.identity
            .sender()
            .expect("Failed to get sender principal")
    }

    pub async fn sign_envelope(
        &self,
        message_digest: [u8; 32],
    ) -> Result<SignedEnvelope, BoxError> {
        let se = SignedEnvelope::sign_digest(&self.identity, message_digest.into())?;
        Ok(se)
    }
}

impl Web3ClientFeatures for Client {
    fn get_principal(&self) -> Principal {
        self.identity
            .sender()
            .expect("Failed to get sender principal")
    }

    fn sign_envelope(
        &self,
        message_digest: [u8; 32],
    ) -> BoxPinFut<Result<SignedEnvelope, BoxError>> {
        let identity = self.identity.clone();
        Box::pin(async move {
            let se = SignedEnvelope::sign_digest(&identity, message_digest.into())?;
            Ok(se)
        })
    }

    /// Derives a 256-bit AES-GCM key from the given derivation path
    ///
    /// # Arguments
    /// * `derivation_path` - Additional path components for key derivation
    ///
    /// # Returns
    /// Result containing the derived 256-bit key or an error
    fn a256gcm_key(&self, derivation_path: Vec<Vec<u8>>) -> BoxPinFut<Result<[u8; 32], BoxError>> {
        let res = crypto::a256gcm_key(&self.root_secret, derivation_path);
        Box::pin(futures::future::ready(Ok(res)))
    }

    /// Signs a message using Ed25519 signature scheme
    ///
    /// # Arguments
    /// * `derivation_path` - Additional path components for key derivation
    /// * `message` - Message to be signed
    ///
    /// # Returns
    /// Result containing the 64-byte signature or an error
    fn ed25519_sign_message(
        &self,
        derivation_path: Vec<Vec<u8>>,
        message: &[u8],
    ) -> BoxPinFut<Result<[u8; 64], BoxError>> {
        let res = crypto::ed25519_sign_message(&self.root_secret, derivation_path, message);
        Box::pin(futures::future::ready(Ok(res)))
    }

    /// Verifies an Ed25519 signature
    ///
    /// # Arguments
    /// * `derivation_path` - Additional path components for key derivation
    /// * `message` - Original message that was signed
    /// * `signature` - Signature to verify
    ///
    /// # Returns
    /// Result indicating success or failure of verification
    fn ed25519_verify(
        &self,
        derivation_path: Vec<Vec<u8>>,
        message: &[u8],
        signature: &[u8],
    ) -> BoxPinFut<Result<(), BoxError>> {
        let res = crypto::ed25519_public_key(&self.root_secret, derivation_path);
        Box::pin(futures::future::ready(
            ed25519_verify(&res.0, message, signature).map_err(|e| e.into()),
        ))
    }

    /// Gets the public key for Ed25519
    ///
    /// # Arguments
    /// * `derivation_path` - Additional path components for key derivation
    ///
    /// # Returns
    /// Result containing the 32-byte public key or an error
    fn ed25519_public_key(
        &self,
        derivation_path: Vec<Vec<u8>>,
    ) -> BoxPinFut<Result<[u8; 32], BoxError>> {
        let res = crypto::ed25519_public_key(&self.root_secret, derivation_path);
        Box::pin(futures::future::ready(Ok(res.0)))
    }

    /// Signs a message using Secp256k1 BIP340 Schnorr signature
    ///
    /// # Arguments
    /// * `derivation_path` - Additional path components for key derivation
    /// * `message` - Message to be signed
    ///
    /// # Returns
    /// Result containing the 64-byte signature or an error
    fn secp256k1_sign_message_bip340(
        &self,
        derivation_path: Vec<Vec<u8>>,
        message: &[u8],
    ) -> BoxPinFut<Result<[u8; 64], BoxError>> {
        let res =
            crypto::secp256k1_sign_message_bip340(&self.root_secret, derivation_path, message);
        Box::pin(futures::future::ready(Ok(res)))
    }

    /// Verifies a Secp256k1 BIP340 Schnorr signature
    ///
    /// # Arguments
    /// * `derivation_path` - Additional path components for key derivation
    /// * `message` - Original message that was signed
    /// * `signature` - Signature to verify
    ///
    /// # Returns
    /// Result indicating success or failure of verification
    fn secp256k1_verify_bip340(
        &self,
        derivation_path: Vec<Vec<u8>>,
        message: &[u8],
        signature: &[u8],
    ) -> BoxPinFut<Result<(), BoxError>> {
        let res = crypto::secp256k1_public_key(&self.root_secret, derivation_path);
        Box::pin(futures::future::ready(
            secp256k1_verify_bip340(res.0.as_slice(), message, signature).map_err(|e| e.into()),
        ))
    }

    /// Signs a message using Secp256k1 ECDSA signature
    ///
    /// # Arguments
    /// * `derivation_path` - Additional path components for key derivation
    /// * `message` - Message to be signed
    ///
    /// # Returns
    /// Result containing the 64-byte signature or an error
    fn secp256k1_sign_message_ecdsa(
        &self,
        derivation_path: Vec<Vec<u8>>,
        message: &[u8],
    ) -> BoxPinFut<Result<[u8; 64], BoxError>> {
        let res = crypto::secp256k1_sign_message_ecdsa(&self.root_secret, derivation_path, message);
        Box::pin(futures::future::ready(Ok(res)))
    }

    fn secp256k1_sign_digest_ecdsa(
        &self,
        derivation_path: Vec<Vec<u8>>,
        message_hash: &[u8],
    ) -> BoxPinFut<Result<[u8; 64], BoxError>> {
        let res =
            crypto::secp256k1_sign_digest_ecdsa(&self.root_secret, derivation_path, message_hash);
        Box::pin(futures::future::ready(Ok(res)))
    }

    /// Verifies a Secp256k1 ECDSA signature
    ///
    /// # Arguments
    /// * `derivation_path` - Additional path components for key derivation
    /// * `message` - Original message that was signed
    /// * `signature` - Signature to verify
    ///
    /// # Returns
    /// Result indicating success or failure of verification
    fn secp256k1_verify_ecdsa(
        &self,
        derivation_path: Vec<Vec<u8>>,
        message: &[u8],
        signature: &[u8],
    ) -> BoxPinFut<Result<(), BoxError>> {
        let res = crypto::secp256k1_public_key(&self.root_secret, derivation_path);
        Box::pin(futures::future::ready(
            secp256k1_verify_ecdsa(res.0.as_slice(), message, signature).map_err(|e| e.into()),
        ))
    }

    /// Gets the compressed SEC1-encoded public key for Secp256k1
    ///
    /// # Arguments
    /// * `path` - Base path for key derivation
    /// * `derivation_path` - Additional path components for key derivation
    ///
    /// # Returns
    /// Result containing the 33-byte public key or an error
    fn secp256k1_public_key(
        &self,
        derivation_path: Vec<Vec<u8>>,
    ) -> BoxPinFut<Result<[u8; 33], BoxError>> {
        let res = crypto::secp256k1_public_key(&self.root_secret, derivation_path);
        Box::pin(futures::future::ready(Ok(res.0)))
    }

    fn canister_query_raw(
        &self,
        canister: Principal,
        method: String,
        args: Vec<u8>,
    ) -> BoxPinFut<Result<Vec<u8>, BoxError>> {
        let agent = self.agent.clone();
        Box::pin(async move {
            let res = agent.query(&canister, method).with_arg(args).call().await?;
            Ok(res)
        })
    }

    fn canister_update_raw(
        &self,
        canister: Principal,
        method: String,
        args: Vec<u8>,
    ) -> BoxPinFut<Result<Vec<u8>, BoxError>> {
        let agent = self.agent.clone();
        Box::pin(async move {
            let res = agent
                .update(&canister, method)
                .with_arg(args)
                .call_and_wait()
                .await?;
            Ok(res)
        })
    }

    fn https_call(
        &self,
        url: String,
        method: http::Method,
        headers: Option<http::HeaderMap>,
        body: Option<Vec<u8>>, // default is empty
    ) -> BoxPinFut<Result<reqwest::Response, BoxError>> {
        if !self.allow_http && !url.starts_with("https://") {
            return Box::pin(futures::future::ready(Err(
                "Invalid url, must start with https://".into(),
            )));
        }

        let outer_http = self.outer_http.clone();
        Box::pin(async move {
            let mut req = outer_http.request(method, url);
            if let Some(headers) = headers {
                req = req.headers(headers);
            }
            if let Some(body) = body {
                req = req.body(body);
            }

            req.send().await.map_err(|e| e.into())
        })
    }

    fn https_signed_call(
        &self,
        url: String,
        method: http::Method,
        message_digest: [u8; 32],
        headers: Option<http::HeaderMap>,
        body: Option<Vec<u8>>, // default is empty
    ) -> BoxPinFut<Result<reqwest::Response, BoxError>> {
        if !self.allow_http && !url.starts_with("https://") {
            return Box::pin(futures::future::ready(Err(
                "Invalid url, must start with https://".into(),
            )));
        }

        let se = match SignedEnvelope::sign_digest(&self.identity, message_digest.into()) {
            Ok(se) => se,
            Err(err) => return Box::pin(futures::future::ready(Err(err.into()))),
        };
        let mut headers = headers.unwrap_or_default();
        if let Err(err) = se.to_authorization(&mut headers) {
            return Box::pin(futures::future::ready(Err(err.into())));
        }

        let outer_http = self.outer_http.clone();
        Box::pin(async move {
            let mut req = outer_http.request(method, url);
            req = req.headers(headers);
            if let Some(body) = body {
                req = req.body(body);
            }

            req.send().await.map_err(|e| e.into())
        })
    }

    fn https_signed_rpc_raw(
        &self,
        endpoint: String,
        method: String,
        args: Vec<u8>,
    ) -> BoxPinFut<Result<Vec<u8>, BoxError>> {
        if !self.allow_http && !endpoint.starts_with("https://") {
            return Box::pin(futures::future::ready(Err(
                "Invalid endpoint, must start with https://".into(),
            )));
        }

        let req = RPCRequestRef {
            method: &method,
            params: &args.into(),
        };
        let body = match deterministic_cbor_into_vec(&req) {
            Ok(body) => body,
            Err(err) => return Box::pin(futures::future::ready(Err(err.into()))),
        };
        let digest: [u8; 32] = sha3_256(&body);
        let se = match SignedEnvelope::sign_digest(&self.identity, digest.into()) {
            Ok(se) => se,
            Err(err) => return Box::pin(futures::future::ready(Err(err.into()))),
        };
        let mut headers = http::HeaderMap::new();
        if let Err(err) = se.to_authorization(&mut headers) {
            return Box::pin(futures::future::ready(Err(err.into())));
        }

        let outer_http = self.outer_http.clone();
        Box::pin(async move {
            let res = cbor_rpc(&outer_http, &endpoint, &method, Some(headers), body).await?;
            Ok(res.into_vec())
        })
    }
}

impl HttpFeatures for Client {
    /// Makes an HTTPs request
    ///
    /// # Arguments
    /// * `url` - Target URL, should start with `https://`
    /// * `method` - HTTP method (GET, POST, etc.)
    /// * `headers` - Optional HTTP headers
    /// * `body` - Optional request body (default empty)
    async fn https_call(
        &self,
        url: &str,
        method: http::Method,
        headers: Option<http::HeaderMap>,
        body: Option<Vec<u8>>, // default is empty
    ) -> Result<reqwest::Response, BoxError> {
        if !self.allow_http && !url.starts_with("https://") {
            return Err("Invalid url, must start with https://".into());
        }
        let mut req = self.outer_http.request(method, url);
        if let Some(headers) = headers {
            req = req.headers(headers);
        }
        if let Some(body) = body {
            req = req.body(body);
        }

        req.send().await.map_err(|e| e.into())
    }

    /// Makes a signed HTTPs request with message authentication
    ///
    /// # Arguments
    /// * `url` - Target URL
    /// * `method` - HTTP method (GET, POST, etc.)
    /// * `message_digest` - 32-byte message digest for signing
    /// * `headers` - Optional HTTP headers
    /// * `body` - Optional request body (default empty)
    async fn https_signed_call(
        &self,
        url: &str,
        method: http::Method,
        message_digest: [u8; 32],
        headers: Option<http::HeaderMap>,
        body: Option<Vec<u8>>, // default is empty
    ) -> Result<reqwest::Response, BoxError> {
        if !self.allow_http && !url.starts_with("https://") {
            return Err("Invalid url, must start with https://".into());
        }

        let se = SignedEnvelope::sign_digest(&self.identity, message_digest.into())?;
        let mut headers = headers.unwrap_or_default();
        se.to_authorization(&mut headers)?;

        let mut req = self.outer_http.request(method, url);
        req = req.headers(headers);
        if let Some(body) = body {
            req = req.body(body);
        }

        req.send().await.map_err(|e| e.into())
    }

    /// Makes a signed CBOR-encoded RPC call
    ///
    /// # Arguments
    /// * `endpoint` - URL endpoint to send the request to
    /// * `method` - RPC method name to call
    /// * `args` - Arguments to serialize as CBOR and send with the request
    async fn https_signed_rpc<T>(
        &self,
        endpoint: &str,
        method: &str,
        args: impl Serialize + Send,
    ) -> Result<T, BoxError>
    where
        T: DeserializeOwned,
    {
        if !self.allow_http && !endpoint.starts_with("https://") {
            return Err("Invalid endpoint, must start with https://".into());
        }
        let args = deterministic_cbor_into_vec(&args)?;
        let req = RPCRequestRef {
            method,
            params: &args.into(),
        };
        let body = deterministic_cbor_into_vec(&req)?;
        let digest: [u8; 32] = sha3_256(&body);
        let se = SignedEnvelope::sign_digest(&self.identity, digest.into())?;
        let mut headers = http::HeaderMap::new();
        se.to_authorization(&mut headers)?;
        let res = cbor_rpc(&self.outer_http, endpoint, &method, Some(headers), body).await?;
        let res = from_reader(&res[..])?;
        Ok(res)
    }
}

/// Implements the `CoseSDK` trait for Client to enable IC-COSE canister API calls
///
/// This implementation provides the necessary interface to interact with the
/// [IC-COSE](https://github.com/ldclabs/ic-cose) canister, allowing cryptographic
/// operations through the COSE (CBOR Object Signing and Encryption) protocol.
impl CoseSDK for Client {
    fn canister(&self) -> &Principal {
        &self.cose_canister
    }
}

impl CanisterCaller for Client {
    /// Performs a query call to a canister (read-only, no state changes)
    ///
    /// # Arguments
    /// * `canister` - Target canister principal
    /// * `method` - Method name to call
    /// * `args` - Input arguments encoded in Candid format
    async fn canister_query<
        In: ArgumentEncoder + Send,
        Out: CandidType + for<'a> candid::Deserialize<'a>,
    >(
        &self,
        canister: &Principal,
        method: &str,
        args: In,
    ) -> Result<Out, BoxError> {
        let input = encode_args(args)?;
        let res = self
            .agent
            .query(canister, method)
            .with_arg(input)
            .call()
            .await?;
        let output = Decode!(res.as_slice(), Out)?;
        Ok(output)
    }

    /// Performs an update call to a canister (may modify state)
    ///
    /// # Arguments
    /// * `canister` - Target canister principal
    /// * `method` - Method name to call
    /// * `args` - Input arguments encoded in Candid format
    async fn canister_update<
        In: ArgumentEncoder + Send,
        Out: CandidType + for<'a> candid::Deserialize<'a>,
    >(
        &self,
        canister: &Principal,
        method: &str,
        args: In,
    ) -> Result<Out, BoxError> {
        let input = encode_args(args)?;
        let res = self
            .agent
            .update(canister, method)
            .with_arg(input)
            .call_and_wait()
            .await?;
        let output = Decode!(res.as_slice(), Out)?;
        Ok(output)
    }
}