@auditable/privacy-pool-zk-sdk 0.1.0 → 0.6.1-rc.5

package/dist/cli.js

@@ -2,6 +2,7 @@
 'use strict';
 
 var fs = require('fs');
+var stellarSdk = require('@stellar/stellar-sdk');
 var snarkjs = require('snarkjs');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
@@ -397,7 +398,68 @@ function decodeDepositorSharedSecretPreimage(encoded) {
     };
 }
 
-/** Matches `Transaction(20, 2, 2)` in `circuits/main.circom`. */
+const DEFAULT_APPLICATION_ID = '101';
+/** BabyJub audit public key (decimal Fr) used in BDD / local demo when env is unset. */
+const DEMO_AUDIT_PUBLIC_KEY = [
+    '21605515851820432880964235241069234202284600780825340516808373216881770219365',
+    '18856460861531942120859708048677603751294231190189224157283439874962410808705',
+];
+function isActiveWithdraw(slot) {
+    return slot.value !== '0';
+}
+function isActiveDeposit(slot) {
+    return slot.value !== '0';
+}
+function resolveWithdrawSlot(slot) {
+    if (slot === 'dummy') {
+        return null;
+    }
+    return slot;
+}
+function resolveDepositSlot(slot) {
+    if (slot === 'dummy') {
+        return null;
+    }
+    return slot;
+}
+function buildUniformAuditParams(applicationId = DEFAULT_APPLICATION_ID, auditPublicKey) {
+    return {
+        applicationId,
+        noteAuditPublicKeys: [
+            auditPublicKey,
+            auditPublicKey,
+            auditPublicKey,
+            auditPublicKey,
+        ],
+        auditEphemeralScalars: [
+            randomFrDecimal253(),
+            randomFrDecimal253(),
+            randomFrDecimal253(),
+            randomFrDecimal253(),
+        ],
+    };
+}
+function resolveSlotApplicationIds(audit, withdrawSlots, depositSlots) {
+    const w0 = resolveWithdrawSlot(withdrawSlots[0]);
+    const w1 = resolveWithdrawSlot(withdrawSlots[1]);
+    const d0 = resolveDepositSlot(depositSlots[0]);
+    const d1 = resolveDepositSlot(depositSlots[1]);
+    return {
+        inputApplicationIds: [
+            w0 && isActiveWithdraw(w0) ? audit.applicationId : '0',
+            w1 && isActiveWithdraw(w1) ? audit.applicationId : '0',
+        ],
+        outputApplicationIds: [
+            d0 && isActiveDeposit(d0) ? audit.applicationId : '0',
+            d1 && isActiveDeposit(d1) ? audit.applicationId : '0',
+        ],
+    };
+}
+function resolveTransactionAuditParams(applicationId, auditPublicKey) {
+    return buildUniformAuditParams(applicationId, auditPublicKey ?? DEMO_AUDIT_PUBLIC_KEY);
+}
+
+/** Matches `Transaction(20, 2, 2, publicNInputs, publicNOutputs, 4, 9)` in `circuits/main.circom`. */
 const TRANSACTION_TREE_DEPTH = 20;
 /** BN254 scalar field modulus (ark `Fr`, circom signals). */
 const BN254_SCALAR_MOD = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
@@ -447,6 +509,15 @@ function ed25519PubkeyPayloadHexToWithdrawFrDecimals(hex) {
     const lo = BigInt(`0x${h.slice(32, 64)}`);
     return { hi: hi.toString(10), lo: lo.toString(10) };
 }
+/**
+ * Stellar contract id (`C…`) → two circom field decimals for `asset[0]`, `asset[1]` (same 32-byte split as accounts).
+ */
+function stellarContractAddressToAssetFrDecimals(address) {
+    const raw = stellarSdk.StrKey.decodeContract(address);
+    const hex = Buffer.from(raw).toString('hex');
+    const { hi, lo } = ed25519PubkeyPayloadHexToWithdrawFrDecimals(hex);
+    return [hi, lo];
+}
 /** Uniform random `Fr` as decimal (32 random bytes, mod r). For Poseidon-only inputs (e.g. nullifiers). */
 function randomFrDecimal() {
     const hex = generateRandomScalarHex32();
@@ -470,6 +541,8 @@ function dummyWithdraw(wasm) {
         value: '0',
         nullifier,
         secret,
+        asset: ['0', '0'],
+        applicationId: '0',
         ephemeralKeys: [coordHexToDecimal(pt.x), coordHexToDecimal(pt.y)],
         stateSiblings: zerosTreeSiblings(),
         stateIndex: '0',
@@ -484,6 +557,8 @@ function dummyDeposit(wasm) {
         value: '0',
         nullifier,
         ephemeralKeyScalar,
+        asset: ['0', '0'],
+        applicationId: '0',
         recipientPublicKeys: [coordHexToDecimal(pt.x), coordHexToDecimal(pt.y)],
     };
 }
@@ -493,11 +568,12 @@ function resolveWithdraw(slot, wasm) {
 function resolveDeposit(slot, wasm) {
     return slot === 'dummy' ? dummyDeposit(wasm) : slot;
 }
-function buildTransactionWitnessInput(publicParams, withdrawSlots, depositSlots, wasm) {
+function buildTransactionWitnessInput(publicParams, publicLegs, withdrawSlots, depositSlots, audit, wasm) {
     const w0 = resolveWithdraw(withdrawSlots[0], wasm);
     const w1 = resolveWithdraw(withdrawSlots[1], wasm);
     const d0 = resolveDeposit(depositSlots[0], wasm);
     const d1 = resolveDeposit(depositSlots[1], wasm);
+    const appIds = resolveSlotApplicationIds(audit, withdrawSlots, depositSlots);
     return {
         stateRoot: publicParams.stateRoot,
         withdrawAddressHi: publicParams.withdrawAddressHi,
@@ -506,13 +582,23 @@ function buildTransactionWitnessInput(publicParams, withdrawSlots, depositSlots,
         withdrawnValues: [w0.value, w1.value],
         withdrawnNullifiers: [w0.nullifier, w1.nullifier],
         withdrawnSecrets: [w0.secret, w1.secret],
+        withdrawnAssets: [w0.asset, w1.asset],
         ephemeralKeys: [w0.ephemeralKeys, w1.ephemeralKeys],
         stateSiblings: [w0.stateSiblings, w1.stateSiblings],
         stateIndex: [w0.stateIndex, w1.stateIndex],
         depositedValues: [d0.value, d1.value],
         depositedNullifiers: [d0.nullifier, d1.nullifier],
+        depositedAssets: [d0.asset, d1.asset],
         depositedEphemeralKeyScalars: [d0.ephemeralKeyScalar, d1.ephemeralKeyScalar],
         depositedRecipientPublicKeys: [d0.recipientPublicKeys, d1.recipientPublicKeys],
+        inputApplicationIds: appIds.inputApplicationIds,
+        outputApplicationIds: appIds.outputApplicationIds,
+        auditEphemeralScalars: audit.auditEphemeralScalars,
+        noteAuditPublicKeys: audit.noteAuditPublicKeys,
+        publicWithdrawnAssets: publicLegs.publicWithdrawnAssets,
+        publicDepositedAssets: publicLegs.publicDepositedAssets,
+        publicDeposits: publicLegs.publicDeposits,
+        publicWithdrawals: publicLegs.publicWithdrawals,
     };
 }
 /** `stpl1…` stealth address → `[x, y]` as decimal field strings for `depositedRecipientPublicKeys`. */
@@ -521,11 +607,13 @@ function recipientPublicKeysDecimalFromStealthAddress(stealthAddress) {
     return [coordHexToDecimal(x), coordHexToDecimal(y)];
 }
 /** First withdraw leg: Merkle witness + depositor ECDH point coordinates (hex). */
-function withdrawObjectFromMerkleWitness(witness, depositorEphemeralHex) {
+function withdrawObjectFromMerkleWitness(witness, depositorEphemeralHex, applicationId) {
     return {
         value: witness.value,
         nullifier: witness.nullifier,
         secret: witness.secret,
+        asset: witness.withdrawnAsset,
+        applicationId,
         ephemeralKeys: [
             coordHexToDecimal(depositorEphemeralHex.x),
             coordHexToDecimal(depositorEphemeralHex.y),
@@ -766,13 +854,34 @@ function ecdhSharedKey(priv_hex, pub_x_hex, pub_y_hex) {
 /**
  * Generate a new coin with random nullifier, secret, and shared-secret field elements.
  * `amount` is stroops (u64); JS passes `bigint`.
- * Returns JSON: { coin: { value, nullifier, secret, commitment }, commitment_hex }
+ * `asset_hi_decimal` / `asset_lo_decimal` are decimal Fr strings for the Stellar asset contract id (two limbs).
+ * Returns JSON: { coin: { value, nullifier, secret, commitment, asset_hi, asset_lo }, commitment_hex, precommitement_hex }
  * @param {bigint} amount
+ * @param {string} asset_hi_decimal
+ * @param {string} asset_lo_decimal
+ * @param {string} application_id_decimal
  * @returns {any}
  */
-function generateCoin(amount) {
-    const ret = wasm.generateCoin(amount);
-    return takeObject(ret);
+function generateCoin(amount, asset_hi_decimal, asset_lo_decimal, application_id_decimal) {
+    try {
+        const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+        const ptr0 = passStringToWasm0(asset_hi_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(asset_lo_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len1 = WASM_VECTOR_LEN;
+        const ptr2 = passStringToWasm0(application_id_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len2 = WASM_VECTOR_LEN;
+        wasm.generateCoin(retptr, amount, ptr0, len0, ptr1, len1, ptr2, len2);
+        var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+        var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+        var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+        if (r2) {
+            throw takeObject(r1);
+        }
+        return takeObject(r0);
+    } finally {
+        wasm.__wbindgen_add_to_stack_pointer(16);
+    }
 }
 
 /**
@@ -781,9 +890,12 @@ function generateCoin(amount) {
  * @param {string} shared_x_hex
  * @param {string} shared_y_hex
  * @param {bigint} amount
+ * @param {string} asset_hi_decimal
+ * @param {string} asset_lo_decimal
+ * @param {string} application_id_decimal
  * @returns {any}
  */
-function generateCoinForDepositWithSharedHex(scalar_hex, shared_x_hex, shared_y_hex, amount) {
+function generateCoinForDepositWithSharedHex(scalar_hex, shared_x_hex, shared_y_hex, amount, asset_hi_decimal, asset_lo_decimal, application_id_decimal) {
     try {
         const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
         const ptr0 = passStringToWasm0(scalar_hex, wasm.__wbindgen_export, wasm.__wbindgen_export2);
@@ -792,7 +904,13 @@ function generateCoinForDepositWithSharedHex(scalar_hex, shared_x_hex, shared_y_
         const len1 = WASM_VECTOR_LEN;
         const ptr2 = passStringToWasm0(shared_y_hex, wasm.__wbindgen_export, wasm.__wbindgen_export2);
         const len2 = WASM_VECTOR_LEN;
-        wasm.generateCoinForDepositWithSharedHex(retptr, ptr0, len0, ptr1, len1, ptr2, len2, amount);
+        const ptr3 = passStringToWasm0(asset_hi_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len3 = WASM_VECTOR_LEN;
+        const ptr4 = passStringToWasm0(asset_lo_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len4 = WASM_VECTOR_LEN;
+        const ptr5 = passStringToWasm0(application_id_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len5 = WASM_VECTOR_LEN;
+        wasm.generateCoinForDepositWithSharedHex(retptr, ptr0, len0, ptr1, len1, ptr2, len2, amount, ptr3, len3, ptr4, len4, ptr5, len5);
         var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
         var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
         var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
@@ -809,14 +927,23 @@ function generateCoinForDepositWithSharedHex(scalar_hex, shared_x_hex, shared_y_
  * `secret` in coin = `Poseidon255(1)(scalar)` per `deposit.circom`; scalar is 32-byte hex (64 chars, optional `0x`).
  * @param {string} scalar_hex
  * @param {bigint} amount
+ * @param {string} asset_hi_decimal
+ * @param {string} asset_lo_decimal
+ * @param {string} application_id_decimal
  * @returns {any}
  */
-function generateCoinFromDepositEphemeralScalarHex(scalar_hex, amount) {
+function generateCoinFromDepositEphemeralScalarHex(scalar_hex, amount, asset_hi_decimal, asset_lo_decimal, application_id_decimal) {
     try {
         const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
         const ptr0 = passStringToWasm0(scalar_hex, wasm.__wbindgen_export, wasm.__wbindgen_export2);
         const len0 = WASM_VECTOR_LEN;
-        wasm.generateCoinFromDepositEphemeralScalarHex(retptr, ptr0, len0, amount);
+        const ptr1 = passStringToWasm0(asset_hi_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len1 = WASM_VECTOR_LEN;
+        const ptr2 = passStringToWasm0(asset_lo_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len2 = WASM_VECTOR_LEN;
+        const ptr3 = passStringToWasm0(application_id_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len3 = WASM_VECTOR_LEN;
+        wasm.generateCoinFromDepositEphemeralScalarHex(retptr, ptr0, len0, amount, ptr1, len1, ptr2, len2, ptr3, len3);
         var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
         var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
         var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
@@ -834,16 +961,25 @@ function generateCoinFromDepositEphemeralScalarHex(scalar_hex, amount) {
  * @param {string} shared_x_hex
  * @param {string} shared_y_hex
  * @param {bigint} amount
+ * @param {string} asset_hi_decimal
+ * @param {string} asset_lo_decimal
+ * @param {string} application_id_decimal
  * @returns {any}
  */
-function generateCoinWithSharedSecretHex(shared_x_hex, shared_y_hex, amount) {
+function generateCoinWithSharedSecretHex(shared_x_hex, shared_y_hex, amount, asset_hi_decimal, asset_lo_decimal, application_id_decimal) {
     try {
         const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
         const ptr0 = passStringToWasm0(shared_x_hex, wasm.__wbindgen_export, wasm.__wbindgen_export2);
         const len0 = WASM_VECTOR_LEN;
         const ptr1 = passStringToWasm0(shared_y_hex, wasm.__wbindgen_export, wasm.__wbindgen_export2);
         const len1 = WASM_VECTOR_LEN;
-        wasm.generateCoinWithSharedSecretHex(retptr, ptr0, len0, ptr1, len1, amount);
+        const ptr2 = passStringToWasm0(asset_hi_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len2 = WASM_VECTOR_LEN;
+        const ptr3 = passStringToWasm0(asset_lo_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len3 = WASM_VECTOR_LEN;
+        const ptr4 = passStringToWasm0(application_id_decimal, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+        const len4 = WASM_VECTOR_LEN;
+        wasm.generateCoinWithSharedSecretHex(retptr, ptr0, len0, ptr1, len1, amount, ptr2, len2, ptr3, len3, ptr4, len4);
         var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
         var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
         var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
@@ -914,13 +1050,6 @@ function __wbg_get_imports() {
             getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
             getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
         },
-        __wbg___wbindgen_debug_string_5398f5bb970e0daa: function(arg0, arg1) {
-            const ret = debugString(getObject(arg1));
-            const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_export, wasm.__wbindgen_export2);
-            const len1 = WASM_VECTOR_LEN;
-            getDataViewMemory0().setInt32(arg0 + 4 * 1, len1, true);
-            getDataViewMemory0().setInt32(arg0 + 4 * 0, ptr1, true);
-        },
         __wbg___wbindgen_is_function_3c846841762788c1: function(arg0) {
             const ret = typeof(getObject(arg0)) === 'function';
             return ret;
@@ -1046,71 +1175,6 @@ function addHeapObject(obj) {
     return idx;
 }
 
-function debugString(val) {
-    // primitive types
-    const type = typeof val;
-    if (type == 'number' || type == 'boolean' || val == null) {
-        return  `${val}`;
-    }
-    if (type == 'string') {
-        return `"${val}"`;
-    }
-    if (type == 'symbol') {
-        const description = val.description;
-        if (description == null) {
-            return 'Symbol';
-        } else {
-            return `Symbol(${description})`;
-        }
-    }
-    if (type == 'function') {
-        const name = val.name;
-        if (typeof name == 'string' && name.length > 0) {
-            return `Function(${name})`;
-        } else {
-            return 'Function';
-        }
-    }
-    // objects
-    if (Array.isArray(val)) {
-        const length = val.length;
-        let debug = '[';
-        if (length > 0) {
-            debug += debugString(val[0]);
-        }
-        for(let i = 1; i < length; i++) {
-            debug += ', ' + debugString(val[i]);
-        }
-        debug += ']';
-        return debug;
-    }
-    // Test for built-in
-    const builtInMatches = /\[object ([^\]]+)\]/.exec(toString.call(val));
-    let className;
-    if (builtInMatches && builtInMatches.length > 1) {
-        className = builtInMatches[1];
-    } else {
-        // Failed to match the standard '[object ClassName]'
-        return toString.call(val);
-    }
-    if (className == 'Object') {
-        // we're a user defined class or Object
-        // JSON.stringify avoids problems with cycles, and is generally much
-        // easier than looping through ownProperties of `val`.
-        try {
-            return 'Object(' + JSON.stringify(val) + ')';
-        } catch (_) {
-            return 'Object';
-        }
-    }
-    // errors
-    if (val instanceof Error) {
-        return `${val.name}: ${val.message}\n${val.stack}`;
-    }
-    // TODO we could test for more things here, like `Set`s and `Map`s.
-    return className;
-}
-
 function dropObject(idx) {
     if (idx < 1028) return;
     heap[idx] = heap_next;
@@ -1893,30 +1957,31 @@ class PrivacyPoolSDK {
     /**
      * Generate a new coin with random nullifier, secret, and random shared-secret field elements (dev / self-contained tests).
      * @param amount Stroops encoded as `bigint` or integer `number` (WASM `u64`).
+     * @param assetHiDecimal / assetLoDecimal Decimal Fr strings for Stellar asset contract id (two limbs).
      */
-    generateCoin(amount) {
-        return this.wasm.generateCoin(wasmU64Stroops(amount));
+    generateCoin(amount, assetHiDecimal, assetLoDecimal, applicationIdDecimal = '0') {
+        return this.wasm.generateCoin(wasmU64Stroops(amount), assetHiDecimal, assetLoDecimal, applicationIdDecimal);
     }
     /**
      * Generate a coin with the same commitment shape as on-chain deposit: pass `ecdhSharedKey` output (hex x, y).
      * @param amount Stroops (`bigint` | `number`).
      */
-    generateCoinWithSharedSecret(shared, amount) {
-        return this.wasm.generateCoinWithSharedSecretHex(shared.x, shared.y, wasmU64Stroops(amount));
+    generateCoinWithSharedSecret(shared, amount, assetHiDecimal, assetLoDecimal, applicationIdDecimal = '0') {
+        return this.wasm.generateCoinWithSharedSecretHex(shared.x, shared.y, wasmU64Stroops(amount), assetHiDecimal, assetLoDecimal, applicationIdDecimal);
     }
     /**
      * Coin for a depositor `ephemeralKeyScalar` (32-byte hex): `coin.secret = Poseidon255(1)(scalar)` as in `deposit.circom`.
      * @param amount Stroops (`bigint` | `number`).
      */
-    generateCoinFromDepositEphemeralScalarHex(scalarHex, amount) {
-        return this.wasm.generateCoinFromDepositEphemeralScalarHex(scalarHex, wasmU64Stroops(amount));
+    generateCoinFromDepositEphemeralScalarHex(scalarHex, amount, assetHiDecimal, assetLoDecimal, applicationIdDecimal = '0') {
+        return this.wasm.generateCoinFromDepositEphemeralScalarHex(scalarHex, wasmU64Stroops(amount), assetHiDecimal, assetLoDecimal, applicationIdDecimal);
     }
     /**
      * Aligned deposit coin: `secret = Poseidon₁(scalar)` and ECDH shared key from hex coords (e.g. `ecdhSharedKey(scalar, recipient_x, recipient_y)`).
      * @param amount Stroops (`bigint` | `number`).
      */
-    generateCoinForDepositWithSharedHex(scalarHex, sharedXHex, sharedYHex, amount) {
-        return this.wasm.generateCoinForDepositWithSharedHex(scalarHex, sharedXHex, sharedYHex, wasmU64Stroops(amount));
+    generateCoinForDepositWithSharedHex(scalarHex, sharedXHex, sharedYHex, amount, assetHiDecimal, assetLoDecimal, applicationIdDecimal = '0') {
+        return this.wasm.generateCoinForDepositWithSharedHex(scalarHex, sharedXHex, sharedYHex, wasmU64Stroops(amount), assetHiDecimal, assetLoDecimal, applicationIdDecimal);
     }
     /**
      * Merkle root, path, and coin fields for the first withdraw leg (Rust LeanIMT + Poseidon).
@@ -1929,19 +1994,57 @@ class PrivacyPoolSDK {
     }
     /**
      * Full `Transaction(20,2,2)` withdrawal proof: one real withdraw + dummies, using coin/state and depositor ECDH point (hex).
+     *
+     * Optional **partial public withdraw**: spend the full coin commitment `coin.value` (V), send `publicWithdrawStroops` (W) to the
+     * Stellar receiver, and re-deposit the remainder (V−W) as a new private note to `changeRecipientStealthAddress` (same circuit balance).
      */
     async proveWithdrawal(coin, state, params) {
         const witness = this.buildWithdrawMerkleWitness(coin, state);
         const w0 = withdrawObjectFromMerkleWitness(witness, {
             x: params.ephemeralXHex,
             y: params.ephemeralYHex,
-        });
+        }, params.applicationId ?? coin.application_id ?? '0');
+        const fullV = BigInt(coin.value);
+        let publicWithdrawals;
+        let deposits;
+        if (params.publicWithdrawStroops !== undefined) {
+            const W = params.publicWithdrawStroops;
+            if (params.changeRecipientStealthAddress === undefined) {
+                throw new Error('proveWithdrawal: changeRecipientStealthAddress is required when publicWithdrawStroops is set');
+            }
+            if (W <= 0n || W >= fullV) {
+                throw new Error('proveWithdrawal: publicWithdrawStroops must be strictly between 0 and coin.value');
+            }
+            const change = fullV - W;
+            publicWithdrawals = [W.toString()];
+            const changeDeposit = {
+                value: change.toString(),
+                nullifier: randomFrDecimal(),
+                ephemeralKeyScalar: randomFrDecimal253(),
+                asset: [coin.asset_hi, coin.asset_lo],
+                applicationId: params.applicationId ?? '0',
+                recipientPublicKeys: recipientPublicKeysDecimalFromStealthAddress(params.changeRecipientStealthAddress),
+            };
+            deposits = [changeDeposit, 'dummy'];
+        }
+        else {
+            publicWithdrawals = [coin.value];
+            deposits = ['dummy', 'dummy'];
+        }
+        // On-chain `transact` sends `publicWithdrawals` / `publicWithdrawnAssets` to the withdraw account.
+        const publicLegs = {
+            publicWithdrawnAssets: [[coin.asset_hi, coin.asset_lo]],
+            publicDepositedAssets: [['0', '0']],
+            publicDeposits: ['0'],
+            publicWithdrawals,
+        };
         return this.proveTransaction({
             stateRoot: witness.stateRoot,
             withdrawAddressHi: params.withdrawAddressHi,
             withdrawAddressLo: params.withdrawAddressLo,
             privKeyScalar: params.privKeyScalar,
-        }, [w0, 'dummy'], ['dummy', 'dummy']);
+        }, publicLegs, [w0, 'dummy'], deposits, params.audit
+            ?? resolveTransactionAuditParams(params.applicationId ?? coin.application_id ?? DEFAULT_APPLICATION_ID, DEMO_AUDIT_PUBLIC_KEY));
     }
     /**
      * Convert a snarkjs proof JSON to hex bytes for Soroban.
@@ -1969,14 +2072,15 @@ class PrivacyPoolSDK {
      * `Transaction(20,2,2)` proof from high-level legs: maps to witness input (incl. `"dummy"` ECDH via WASM), then Groth16 → Soroban hex.
      *
      * @param publicParams Public inputs: `stateRoot`, `withdrawAddressHi` / `withdrawAddressLo`, `privKeyScalar` (decimal field strings).
+     * @param publicLegs Public token legs (`publicWithdrawnAssets`, `publicDepositedAssets`, `publicDeposits`, `publicWithdrawals`).
      * @param withdraws Exactly two withdraw slots (`WithdrawObject` or `"dummy"`).
      * @param deposits Exactly two deposit slots (`DepositObject` or `"dummy"`).
      */
-    async proveTransaction(publicParams, withdraws, deposits) {
+    async proveTransaction(publicParams, publicLegs, withdraws, deposits, audit) {
         const wasmEcdh = {
             ecdhEphemeralPublicKeyFromScalarHex: (h) => this.wasm.ecdhEphemeralPublicKeyFromScalarHex(h),
         };
-        const witnessInput = buildTransactionWitnessInput(publicParams, withdraws, deposits, wasmEcdh);
+        const witnessInput = buildTransactionWitnessInput(publicParams, publicLegs, withdraws, deposits, audit, wasmEcdh);
         const wtns = await generateWitness(witnessInput, this.options.circuitWasm);
         const { proof, publicSignals } = await generateProof(wtns, this.options.zkey);
         return {
@@ -2019,10 +2123,191 @@ class PrivacyPoolSDK {
     }
 }
 
+function onboardingContractValue(onboarding) {
+    return {
+        owner: onboarding.owner,
+        temp_public_key_x: onboarding.temp_public_key_x,
+        temp_public_key_y: onboarding.temp_public_key_y,
+        encrypted_private_key: onboarding.encrypted_private_key,
+        notes: {
+            notes: onboarding.notes.map((note) => ({
+                value: note.value,
+                asset_hi: note.asset_hi,
+                asset_lo: note.asset_lo,
+                nullifier: note.nullifier,
+                secret: note.secret,
+                deposited_ephemeral_scalar: note.deposited_ephemeral_scalar,
+            })),
+        },
+        private_address_registration: onboarding.private_address_registration,
+    };
+}
+function onboardingToScVal(onboarding) {
+    return stellarSdk.nativeToScVal(onboardingContractValue(onboarding));
+}
+function onboardingOptionToScVal(onboarding) {
+    if (onboarding === null || onboarding === undefined) {
+        return stellarSdk.xdr.ScVal.scvVoid();
+    }
+    return onboardingToScVal(onboarding);
+}
+function addressToScVal(address) {
+    return stellarSdk.nativeToScVal(address, { type: 'address' });
+}
+
+function signatureBase64ToBytes(signature) {
+    const value = signature.trim();
+    if (/^(0x)?[0-9a-fA-F]{128}$/.test(value)) {
+        return Buffer.from(value.replace(/^0x/i, ''), 'hex');
+    }
+    return Buffer.from(value, 'base64');
+}
+
+function passageIdHexToScVal(passageIdHex) {
+    const bytes = Buffer.from(passageIdHex.replace(/^0x/, ''), 'hex');
+    return stellarSdk.xdr.ScVal.scvBytes(bytes);
+}
+function signatureToScVal(signature) {
+    return stellarSdk.xdr.ScVal.scvBytes(signature);
+}
+function helperSubmitWithPassageOperation(helperContractId, params, passageId, expiresAtLedger, signature) {
+    return stellarSdk.Operation.invokeContractFunction({
+        contract: helperContractId,
+        function: 'submit_with_passage',
+        args: [
+            addressToScVal(params.owner),
+            stellarSdk.xdr.ScVal.scvBytes(params.proofBytes),
+            stellarSdk.xdr.ScVal.scvBytes(params.publicSignalsBytes),
+            onboardingOptionToScVal(params.onboarding),
+            passageIdHexToScVal(passageId),
+            stellarSdk.xdr.ScVal.scvU32(expiresAtLedger),
+            signatureToScVal(signatureBase64ToBytes(signature)),
+        ],
+    });
+}
+async function submitTransaction(params) {
+    const server = new stellarSdk.rpc.Server(params.rpcUrl);
+    const sourceAccount = await server.getAccount(params.source.publicKey());
+    let builder = new stellarSdk.TransactionBuilder(sourceAccount, {
+        fee: params.fee,
+        networkPassphrase: params.networkPassphrase,
+    });
+    for (const operation of params.operations) {
+        builder = builder.addOperation(operation);
+    }
+    const tx = builder.setTimeout(300).build();
+    const prepared = await prepareTransactionAllowingNonRootAuth(server, params.rpcUrl, tx, params.source, params.networkPassphrase)
+        ;
+    prepared.sign(params.source);
+    const result = await server.sendTransaction(prepared);
+    const status = String(result.status);
+    if (status !== 'PENDING' && status !== 'SUCCESS') {
+        throw new Error(`transaction submit failed: ${status}`);
+    }
+    await waitForTransaction(server, result.hash);
+    return result.hash;
+}
+async function prepareTransactionAllowingNonRootAuth(server, rpcUrl, tx, source, networkPassphrase) {
+    const recording = await simulateTransactionRecordingNonRoot(rpcUrl, tx.toXDR());
+    const validUntilLedgerSeq = recording.latestLedger + 1000;
+    const signedAuth = await Promise.all(recording.auth.map((entry) => {
+        if (entry.credentials().switch()
+            === stellarSdk.xdr.SorobanCredentialsType.sorobanCredentialsSourceAccount()) {
+            return entry;
+        }
+        return stellarSdk.authorizeEntry(entry, source, validUntilLedgerSeq, networkPassphrase);
+    }));
+    const invokeOp = tx.operations[0];
+    if (tx.operations.length !== 1 || invokeOp.type !== 'invokeHostFunction') {
+        throw new Error('Soroban transactions must contain exactly one invokeHostFunction operation');
+    }
+    const sourceAccount = await server.getAccount(source.publicKey());
+    const signedTx = new stellarSdk.TransactionBuilder(sourceAccount, {
+        fee: tx.fee,
+        networkPassphrase,
+    })
+        .addOperation(stellarSdk.Operation.invokeHostFunction({
+        func: invokeOp.func,
+        auth: signedAuth,
+        source: invokeOp.source,
+    }))
+        .setTimeout(300)
+        .build();
+    const enforcedSimulation = await server.simulateTransaction(signedTx);
+    if (stellarSdk.rpc.Api.isSimulationError(enforcedSimulation)) {
+        throw new Error(`signed authorization simulation failed: ${enforcedSimulation.error}`);
+    }
+    return stellarSdk.rpc.assembleTransaction(signedTx, enforcedSimulation).build();
+}
+async function simulateTransactionRecordingNonRoot(rpcUrl, transactionXdr) {
+    const response = await fetch(rpcUrl, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({
+            jsonrpc: '2.0',
+            id: 1,
+            method: 'simulateTransaction',
+            params: {
+                transaction: transactionXdr,
+                authMode: 'record_allow_nonroot',
+            },
+        }),
+    });
+    const body = await response.json();
+    if (!response.ok || body.error) {
+        throw new Error(`transaction simulation failed: ${body.error?.message ?? response.statusText}`);
+    }
+    if (!body.result) {
+        throw new Error('transaction simulation failed: missing RPC result');
+    }
+    if (body.result.error) {
+        throw new Error(`transaction simulation failed: ${body.result.error}`);
+    }
+    const latestLedger = Number(body.result.latestLedger);
+    if (!Number.isFinite(latestLedger)) {
+        throw new Error('transaction simulation failed: missing latest ledger');
+    }
+    return {
+        latestLedger,
+        auth: (body.result.results?.[0]?.auth ?? []).map((entry) => stellarSdk.xdr.SorobanAuthorizationEntry.fromXDR(entry, 'base64')),
+    };
+}
+async function waitForTransaction(server, hash) {
+    for (let attempt = 0; attempt < 60; attempt++) {
+        const result = await server.getTransaction(hash);
+        const status = String(result.status);
+        if (status === 'SUCCESS') {
+            return;
+        }
+        if (status === 'FAILED') {
+            throw new Error(`transaction failed: ${hash}`);
+        }
+        await new Promise((resolve) => setTimeout(resolve, 1000));
+    }
+    throw new Error(`transaction did not confirm in time: ${hash}`);
+}
+async function submitApprovedKytPassage(params) {
+    if (params.source.publicKey() !== params.owner) {
+        throw new Error('KYT submit source keypair must match pool transact owner');
+    }
+    return submitTransaction({
+        source: params.source,
+        networkPassphrase: params.networkPassphrase,
+        rpcUrl: params.rpcUrl,
+        fee: '12000000',
+        operations: [
+            helperSubmitWithPassageOperation(params.kytSubmitHelperId, params, params.passageId, params.expiresAtLedger, params.signature),
+        ],
+    });
+}
+
 /** Pool Merkle tree depth (matches `coin::TREE_DEPTH` / `Transaction` circuit). */
 /** Default coin value in stroops (1 XLM); matches Rust `coin::COIN_VALUE`. */
 const COIN_VALUE_STROOPS = 1000000000;
 
+function resolveApplicationIdFromCli(parsed) {
+    return parsed['application-id'] ?? process.env.APPLICATION_ID ?? DEFAULT_APPLICATION_ID;
+}
 async function main() {
     const args = process.argv.slice(2);
     if (args.length === 0 || args[0] === '--help' || args[0] === '-h') {
@@ -2051,6 +2336,9 @@ async function main() {
     else if (command === 'priv-scalar-from-signature') {
         await handlePrivScalarFromSignature(args.slice(1));
     }
+    else if (command === 'kyt-submit-approved') {
+        await handleKytSubmitApproved(args.slice(1));
+    }
     else {
         console.error(`Unknown command: ${command}`);
         printUsage();
@@ -2066,6 +2354,8 @@ Commands:
   generate                         Generate a new coin
     --output, -o <file>            Output coin to file (default: stdout)
     --amount <stroops>             Coin value in stroops (u64); default: 1000000000 (1 XLM)
+    --token <C...>                 Stellar asset contract id (or set TOKEN_ADDRESS)
+    --application-id <dec>         Application id (decimal Fr); default: APPLICATION_ID env or 101
     --scalar <hex>                 32-byte depositor ephemeral scalar (64 hex, optional 0x); coin.secret = Poseidon₁(scalar) (deposit.circom)
     --stealth <stpl1...>           With --scalar: ECDH(scalar, recipient) shared secret + aligned commitment (requires WASM ecdhSharedKey)
 
@@ -2081,6 +2371,19 @@ Commands:
 
   priv-scalar-from-signature       Print privKeyScalar (decimal Fr) from Stellar Ed25519 signature (SHA-256(sig) mod r)
 
+  kyt-submit-approved              Submit helper.register_passage + pool.transact with signed non-root auth
+    --source-secret <S...>         Secret seed for the depositing/withdrawing Stellar account (or SOURCE_SECRET env)
+    --owner <G...>                 Same account address passed to pool.transact as from
+    --pool <C...>                  Privacy pool contract id
+    --helper <C...>                KYT submit helper contract id
+    --proof <hex>                  Groth16 proof bytes
+    --public-signals <hex>         Public signals bytes
+    --passage-id <hex>             KYT passage id
+    --expires-at-ledger <u32>      Passage expiration ledger
+    --signature <hex|base64>       KYT registry signature
+    --rpc-url <url>                Soroban RPC URL
+    --network <testnet|public|local> or --network-passphrase <string>
+
   withdraw                         Generate a withdrawal proof
     --coin <file>                  Path to coin JSON file
     --state <file>                 Path to state JSON file
@@ -2090,15 +2393,20 @@ Commands:
     --priv-key-scalar <dec>        privKeyScalar (decimal Fr)
     --ephemeral-x <hex>            Depositor ECDH point x (64 hex chars, optional 0x)
     --ephemeral-y <hex>            Depositor ECDH point y (64 hex chars, optional 0x)
+    --public-withdraw-stroops <u64> Optional: amount to withdraw publicly (must be < coin.value). Rest stays in pool as change.
+    --change-stealth <stpl1...>    Required with --public-withdraw-stroops: stealth for the change note (same as deposit)
+    --application-id <dec>         Application id (decimal Fr); default: APPLICATION_ID env or 101
     --output-proof <file>          Write proof hex to file
     --output-public <file>         Write public signals hex to file
 
   deposit-proof                  Groth16 proof for deposit-only transact (2 dummy withdraws, 1 deposit + dummy)
     --state-root <dec>           Current Merkle root (decimal Fr), must match pool on submit
     --stealth <stpl1...>         Recipient stealth address (decodes to recipient public key)
+    --token <C...>               Asset contract id (or set TOKEN_ADDRESS)
     --coin <file>                With --ephemeral-scalar-hex: use coin nullifier/value (aligned with generate --scalar --stealth)
     --ephemeral-scalar-hex <hex>  Same 32-byte hex as deposit / generate --scalar
     --value <dec>                Deposit amount (stroops as decimal Fr); optional if --coin (must match coin)
+    --application-id <dec>       Application id (decimal Fr); default: APPLICATION_ID env or 101
     --output-proof <file>        Write proof hex to file
     --output-public <file>       Write public signals hex to file
 
@@ -2106,6 +2414,39 @@ Output (withdraw, deposit-proof):
   Prints proof_hex on first line and public_hex on second line to stdout.
 `);
 }
+function requireParsedArg(parsed, name) {
+    const value = parsed[name]?.trim();
+    if (!value) {
+        console.error(`Error: --${name} is required`);
+        process.exit(1);
+    }
+    return value;
+}
+function networkPassphraseFromArgs(parsed) {
+    if (parsed['network-passphrase']) {
+        return parsed['network-passphrase'];
+    }
+    const network = parsed['network'] ?? 'testnet';
+    if (network === 'testnet') {
+        return stellarSdk.Networks.TESTNET;
+    }
+    if (network === 'public') {
+        return stellarSdk.Networks.PUBLIC;
+    }
+    if (network === 'local') {
+        return 'Standalone Network ; February 2017';
+    }
+    console.error('Error: --network must be testnet, public, or local');
+    process.exit(1);
+}
+function hexToBuffer(label, value) {
+    const hex = value.trim().replace(/^0x/i, '');
+    if (!/^[0-9a-fA-F]*$/.test(hex) || hex.length % 2 !== 0) {
+        console.error(`Error: --${label} must be even-length hex`);
+        process.exit(1);
+    }
+    return Buffer.from(hex, 'hex');
+}
 function parseArgs(args) {
     const parsed = {};
     for (let i = 0; i < args.length; i++) {
@@ -2176,6 +2517,28 @@ async function handlePrivScalarFromSignature(args) {
 function handleRandomScalar() {
     console.log(PrivacyPoolSDK.generateRandomScalarHex32());
 }
+async function handleKytSubmitApproved(args) {
+    const parsed = parseArgs(args);
+    const sourceSecret = parsed['source-secret']?.trim() ?? process.env.SOURCE_SECRET?.trim();
+    if (!sourceSecret) {
+        console.error('Error: --source-secret <S...> or SOURCE_SECRET env is required');
+        process.exit(1);
+    }
+    const txHash = await submitApprovedKytPassage({
+        source: stellarSdk.Keypair.fromSecret(sourceSecret),
+        networkPassphrase: networkPassphraseFromArgs(parsed),
+        rpcUrl: parsed['rpc-url'] ?? 'https://soroban-testnet.stellar.org',
+        poolContract: requireParsedArg(parsed, 'pool'),
+        owner: requireParsedArg(parsed, 'owner'),
+        proofBytes: hexToBuffer('proof', requireParsedArg(parsed, 'proof')),
+        publicSignalsBytes: hexToBuffer('public-signals', requireParsedArg(parsed, 'public-signals')),
+        kytSubmitHelperId: requireParsedArg(parsed, 'helper'),
+        passageId: requireParsedArg(parsed, 'passage-id'),
+        expiresAtLedger: Number(requireParsedArg(parsed, 'expires-at-ledger')),
+        signature: requireParsedArg(parsed, 'signature'),
+    });
+    console.log(txHash);
+}
 function parseStroopsU64(label, raw, defaultStroops) {
     if (raw === undefined) {
         return defaultStroops;
@@ -2203,6 +2566,13 @@ async function handleGenerate(args) {
     const scalar = parsed['scalar'];
     const stealth = parsed['stealth'];
     const amount = parseStroopsU64('--amount', parsed['amount'], BigInt(COIN_VALUE_STROOPS));
+    const applicationId = resolveApplicationIdFromCli(parsed);
+    const token = parsed['token'] ?? process.env.TOKEN_ADDRESS;
+    if (!token) {
+        console.error('Error: --token <C...> or TOKEN_ADDRESS is required');
+        process.exit(1);
+    }
+    const [assetHi, assetLo] = stellarContractAddressToAssetFrDecimals(token);
     if (stealth && !scalar) {
         console.error('Error: --stealth requires --scalar');
         process.exit(1);
@@ -2211,13 +2581,13 @@ async function handleGenerate(args) {
     if (scalar && stealth) {
         const { x, y } = decodeStealthAddress(stealth);
         const shared = sdk.ecdhSharedKey(scalar, x, y);
-        coin = sdk.generateCoinForDepositWithSharedHex(scalar, shared.x, shared.y, amount);
+        coin = sdk.generateCoinForDepositWithSharedHex(scalar, shared.x, shared.y, amount, assetHi, assetLo, applicationId);
     }
     else if (scalar) {
-        coin = sdk.generateCoinFromDepositEphemeralScalarHex(scalar, amount);
+        coin = sdk.generateCoinFromDepositEphemeralScalarHex(scalar, amount, assetHi, assetLo, applicationId);
     }
     else {
-        coin = sdk.generateCoin(amount);
+        coin = sdk.generateCoin(amount, assetHi, assetLo, applicationId);
     }
     const json = JSON.stringify(coin, null, 2);
     if (parsed['output']) {
@@ -2262,13 +2632,33 @@ async function handleWithdraw(args) {
     const coinFile = JSON.parse(fs__namespace.readFileSync(parsed['coin'], 'utf-8'));
     const coin = coinFile.coin || coinFile;
     const state = JSON.parse(fs__namespace.readFileSync(parsed['state'], 'utf-8'));
+    const pubW = parsed['public-withdraw-stroops'];
+    const changeStealth = parsed['change-stealth'];
+    if (pubW !== undefined && changeStealth === undefined) {
+        console.error('Error: --change-stealth <stpl1...> is required when using --public-withdraw-stroops');
+        process.exit(1);
+    }
+    if (pubW === undefined && changeStealth !== undefined) {
+        console.error('Error: --change-stealth is only valid with --public-withdraw-stroops');
+        process.exit(1);
+    }
     const sdk = await PrivacyPoolSDK.init();
+    const applicationId = resolveApplicationIdFromCli(parsed);
+    const audit = resolveTransactionAuditParams(applicationId);
     const result = await sdk.proveWithdrawal(coin, state, {
         withdrawAddressHi: withdrawHi,
         withdrawAddressLo: withdrawLo,
         privKeyScalar: parsed['priv-key-scalar'],
         ephemeralXHex: parsed['ephemeral-x'],
         ephemeralYHex: parsed['ephemeral-y'],
+        applicationId,
+        audit,
+        ...(pubW !== undefined
+            ? {
+                publicWithdrawStroops: parseStroopsU64('--public-withdraw-stroops', pubW, 0n),
+                changeRecipientStealthAddress: changeStealth,
+            }
+            : {}),
     });
     // Output proof and public hex to stdout (newline-separated)
     console.log(result.proof_hex);
@@ -2293,7 +2683,15 @@ async function handleDepositProof(args) {
         console.error('Error: --stealth <stpl1...> is required');
         process.exit(1);
     }
+    const token = parsed['token'] ?? process.env.TOKEN_ADDRESS;
+    if (!token) {
+        console.error('Error: --token <C...> or TOKEN_ADDRESS is required');
+        process.exit(1);
+    }
+    const [assetHi, assetLo] = stellarContractAddressToAssetFrDecimals(token);
     const sdk = await PrivacyPoolSDK.init();
+    const applicationId = resolveApplicationIdFromCli(parsed);
+    const audit = resolveTransactionAuditParams(applicationId);
     const recipientPublicKeys = recipientPublicKeysDecimalFromStealthAddress(parsed['stealth']);
     const coinPath = parsed['coin'];
     const ephemeralScalarHex = parsed['ephemeral-scalar-hex'];
@@ -2310,11 +2708,15 @@ async function handleDepositProof(args) {
             console.error('Error: --value must match coin.value when using --coin');
             process.exit(1);
         }
+        const ah = c.asset_hi ?? assetHi;
+        const al = c.asset_lo ?? assetLo;
         deposit = {
             value,
             nullifier: c.nullifier,
             ephemeralKeyScalar: scalarHexToFrDecimal(ephemeralScalarHex),
             recipientPublicKeys,
+            asset: [ah, al],
+            applicationId,
         };
     }
     else {
@@ -2327,14 +2729,22 @@ async function handleDepositProof(args) {
             nullifier: randomFrDecimal(),
             ephemeralKeyScalar: randomFrDecimal253(),
             recipientPublicKeys,
+            asset: [assetHi, assetLo],
+            applicationId,
         };
     }
+    const publicLegs = {
+        publicWithdrawnAssets: [['0', '0']],
+        publicDepositedAssets: [[deposit.asset[0], deposit.asset[1]]],
+        publicDeposits: [deposit.value],
+        publicWithdrawals: ['0'],
+    };
     const result = await sdk.proveTransaction({
         stateRoot: parsed['state-root'],
         withdrawAddressHi: '0',
         withdrawAddressLo: '0',
         privKeyScalar: randomFrDecimal253(),
-    }, ['dummy', 'dummy'], [deposit, 'dummy']);
+    }, publicLegs, ['dummy', 'dummy'], [deposit, 'dummy'], audit);
     console.log(result.proof_hex);
     console.log(result.public_hex);
     if (parsed['output-proof']) {