@aztec/wallets 0.0.1-commit.b2a5d0dd1 → 0.0.1-commit.b3d3157a

package/dest/embedded/store_encryption.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Wallet-layer helpers for opening the embedded wallet's two encrypted stores (PXE + walletDB) as a cohesive unit.
+ *
+ * Sits on top of `@aztec/kv-store/sqlite-opfs`'s typed `SqliteEncryptionError` and adds:
+ *
+ *   - `storeName: 'pxe' | 'wallet'`, telling callers WHICH store failed.
+ *   - Cleanup: when the wallet store fails to open, ensures the already-opened PXE store is closed before the error
+ *     surfaces, so callers don't leak the SAH Pool's OPFS lock.
+ */
+import type { Logger } from '@aztec/foundation/log';
+import { AztecSQLiteOPFSStore, SqliteEncryptionError } from '@aztec/kv-store/sqlite-opfs';
+/** Which of the embedded wallet's two stores failed to open. */
+export type EmbeddedStoreName = 'pxe' | 'wallet';
+/**
+ * Thrown by {@link openEncryptedEmbeddedStores} when one of the two stores cannot be decrypted with the supplied
+ * key. The original {@link SqliteEncryptionError} is preserved as `cause`.
+ */
+export declare class EmbeddedWalletEncryptionError extends Error {
+    readonly storeName: EmbeddedStoreName;
+    constructor(storeName: EmbeddedStoreName, opts: {
+        cause: SqliteEncryptionError;
+    });
+}
+/** Configuration for {@link openEncryptedEmbeddedStores}. */
+export interface OpenEncryptedEmbeddedStoresOptions {
+    pxe: {
+        name: string;
+        poolDirectory?: string;
+    };
+    wallet: {
+        name: string;
+        poolDirectory?: string;
+    };
+}
+/**
+ * Internal seam for tests to inject a fake store opener. Defaults to `AztecSQLiteOPFSStore.open`. Not part of the
+ * public API.
+ *
+ * @internal
+ */
+export type OpenSqliteEncryptedStoreFn = (log: Logger, name: string, poolDirectory: string | undefined, encryptionKey: Uint8Array) => Promise<AztecSQLiteOPFSStore>;
+/**
+ * Opens the PXE and wallet stores in sequence, both encrypted with keys obtained from `getEncryptionKey`.
+ *
+ * The callback is invoked once per store (twice total per call) because `AztecSQLiteOPFSStore.open` *transfers*
+ * the key buffer to its worker. A single buffer would detach between the two opens.
+ *
+ * Failure modes:
+ *
+ *   - PXE store fails to decrypt → throws `EmbeddedWalletEncryptionError({ storeName: 'pxe', cause })`. No cleanup
+ *     needed (nothing was opened).
+ *   - Wallet store fails to decrypt → closes the already-opened PXE store then throws
+ *     `EmbeddedWalletEncryptionError({ storeName: 'wallet', cause })`.
+ *   - Any non-decrypt error during the wallet open → still closes PXE, then re-throws the original error unwrapped
+ *     (preserves callers' existing untyped error handling for non-encryption faults).
+ *
+ * @param config           - Per-store name/poolDirectory.
+ * @param getEncryptionKey - Returns a fresh 32-byte key per call (the buffer
+ *                           detaches on transfer, so each call must allocate).
+ * @param log              - Logger for both stores.
+ * @param openStore        - Internal test seam. Do not pass in production code.
+ */
+export declare function openEncryptedEmbeddedStores(config: OpenEncryptedEmbeddedStoresOptions, getEncryptionKey: () => Promise<Uint8Array>, log: Logger, openStore?: OpenSqliteEncryptedStoreFn): Promise<{
+    pxeStore: AztecSQLiteOPFSStore;
+    walletStore: AztecSQLiteOPFSStore;
+}>;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3RvcmVfZW5jcnlwdGlvbi5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2VtYmVkZGVkL3N0b3JlX2VuY3J5cHRpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUE7Ozs7Ozs7O0dBUUc7QUFDSCxPQUFPLEtBQUssRUFBRSxNQUFNLEVBQUUsTUFBTSx1QkFBdUIsQ0FBQztBQUNwRCxPQUFPLEVBQUUsb0JBQW9CLEVBQUUscUJBQXFCLEVBQUUsTUFBTSw2QkFBNkIsQ0FBQztBQUUxRixnRUFBZ0U7QUFDaEUsTUFBTSxNQUFNLGlCQUFpQixHQUFHLEtBQUssR0FBRyxRQUFRLENBQUM7QUFFakQ7OztHQUdHO0FBQ0gscUJBQWEsNkJBQThCLFNBQVEsS0FBSztJQUN0RCxRQUFRLENBQUMsU0FBUyxFQUFFLGlCQUFpQixDQUFDO0lBRXRDLFlBQVksU0FBUyxFQUFFLGlCQUFpQixFQUFFLElBQUksRUFBRTtRQUFFLEtBQUssRUFBRSxxQkFBcUIsQ0FBQTtLQUFFLEVBSS9FO0NBQ0Y7QUFFRCw2REFBNkQ7QUFDN0QsTUFBTSxXQUFXLGtDQUFrQztJQUNqRCxHQUFHLEVBQUU7UUFBRSxJQUFJLEVBQUUsTUFBTSxDQUFDO1FBQUMsYUFBYSxDQUFDLEVBQUUsTUFBTSxDQUFBO0tBQUUsQ0FBQztJQUM5QyxNQUFNLEVBQUU7UUFBRSxJQUFJLEVBQUUsTUFBTSxDQUFDO1FBQUMsYUFBYSxDQUFDLEVBQUUsTUFBTSxDQUFBO0tBQUUsQ0FBQztDQUNsRDtBQUVEOzs7OztHQUtHO0FBQ0gsTUFBTSxNQUFNLDBCQUEwQixHQUFHLENBQ3ZDLEdBQUcsRUFBRSxNQUFNLEVBQ1gsSUFBSSxFQUFFLE1BQU0sRUFDWixhQUFhLEVBQUUsTUFBTSxHQUFHLFNBQVMsRUFDakMsYUFBYSxFQUFFLFVBQVUsS0FDdEIsT0FBTyxDQUFDLG9CQUFvQixDQUFDLENBQUM7QUFLbkM7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBb0JHO0FBQ0gsd0JBQXNCLDJCQUEyQixDQUMvQyxNQUFNLEVBQUUsa0NBQWtDLEVBQzFDLGdCQUFnQixFQUFFLE1BQU0sT0FBTyxDQUFDLFVBQVUsQ0FBQyxFQUMzQyxHQUFHLEVBQUUsTUFBTSxFQUNYLFNBQVMsR0FBRSwwQkFBNkMsR0FDdkQsT0FBTyxDQUFDO0lBQUUsUUFBUSxFQUFFLG9CQUFvQixDQUFDO0lBQUMsV0FBVyxFQUFFLG9CQUFvQixDQUFBO0NBQUUsQ0FBQyxDQVdoRiJ9

package/dest/embedded/store_encryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store_encryption.d.ts","sourceRoot":"","sources":["../../src/embedded/store_encryption.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAE1F,gEAAgE;AAChE,MAAM,MAAM,iBAAiB,GAAG,KAAK,GAAG,QAAQ,CAAC;AAEjD;;;GAGG;AACH,qBAAa,6BAA8B,SAAQ,KAAK;IACtD,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IAEtC,YAAY,SAAS,EAAE,iBAAiB,EAAE,IAAI,EAAE;QAAE,KAAK,EAAE,qBAAqB,CAAA;KAAE,EAI/E;CACF;AAED,6DAA6D;AAC7D,MAAM,WAAW,kCAAkC;IACjD,GAAG,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9C,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAClD;AAED;;;;;GAKG;AACH,MAAM,MAAM,0BAA0B,GAAG,CACvC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,GAAG,SAAS,EACjC,aAAa,EAAE,UAAU,KACtB,OAAO,CAAC,oBAAoB,CAAC,CAAC;AAKnC;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kCAAkC,EAC1C,gBAAgB,EAAE,MAAM,OAAO,CAAC,UAAU,CAAC,EAC3C,GAAG,EAAE,MAAM,EACX,SAAS,GAAE,0BAA6C,GACvD,OAAO,CAAC;IAAE,QAAQ,EAAE,oBAAoB,CAAC;IAAC,WAAW,EAAE,oBAAoB,CAAA;CAAE,CAAC,CAWhF"}

package/dest/embedded/store_encryption.js

@@ -0,0 +1,71 @@
+/**
+ * Wallet-layer helpers for opening the embedded wallet's two encrypted stores (PXE + walletDB) as a cohesive unit.
+ *
+ * Sits on top of `@aztec/kv-store/sqlite-opfs`'s typed `SqliteEncryptionError` and adds:
+ *
+ *   - `storeName: 'pxe' | 'wallet'`, telling callers WHICH store failed.
+ *   - Cleanup: when the wallet store fails to open, ensures the already-opened PXE store is closed before the error
+ *     surfaces, so callers don't leak the SAH Pool's OPFS lock.
+ */ import { AztecSQLiteOPFSStore, SqliteEncryptionError } from '@aztec/kv-store/sqlite-opfs';
+/**
+ * Thrown by {@link openEncryptedEmbeddedStores} when one of the two stores cannot be decrypted with the supplied
+ * key. The original {@link SqliteEncryptionError} is preserved as `cause`.
+ */ export class EmbeddedWalletEncryptionError extends Error {
+    storeName;
+    constructor(storeName, opts){
+        super(`Embedded wallet '${storeName}' store could not be decrypted with the provided key`, {
+            cause: opts.cause
+        });
+        this.name = 'EmbeddedWalletEncryptionError';
+        this.storeName = storeName;
+    }
+}
+const defaultOpenStore = (log, name, poolDirectory, encryptionKey)=>AztecSQLiteOPFSStore.open(log, name, false, poolDirectory, encryptionKey);
+/**
+ * Opens the PXE and wallet stores in sequence, both encrypted with keys obtained from `getEncryptionKey`.
+ *
+ * The callback is invoked once per store (twice total per call) because `AztecSQLiteOPFSStore.open` *transfers*
+ * the key buffer to its worker. A single buffer would detach between the two opens.
+ *
+ * Failure modes:
+ *
+ *   - PXE store fails to decrypt → throws `EmbeddedWalletEncryptionError({ storeName: 'pxe', cause })`. No cleanup
+ *     needed (nothing was opened).
+ *   - Wallet store fails to decrypt → closes the already-opened PXE store then throws
+ *     `EmbeddedWalletEncryptionError({ storeName: 'wallet', cause })`.
+ *   - Any non-decrypt error during the wallet open → still closes PXE, then re-throws the original error unwrapped
+ *     (preserves callers' existing untyped error handling for non-encryption faults).
+ *
+ * @param config           - Per-store name/poolDirectory.
+ * @param getEncryptionKey - Returns a fresh 32-byte key per call (the buffer
+ *                           detaches on transfer, so each call must allocate).
+ * @param log              - Logger for both stores.
+ * @param openStore        - Internal test seam. Do not pass in production code.
+ */ export async function openEncryptedEmbeddedStores(config, getEncryptionKey, log, openStore = defaultOpenStore) {
+    const pxeStore = await openOneStore('pxe', config.pxe, getEncryptionKey, log, openStore);
+    try {
+        const walletStore = await openOneStore('wallet', config.wallet, getEncryptionKey, log, openStore);
+        return {
+            pxeStore,
+            walletStore
+        };
+    } catch (err) {
+        // Cleanup is best-effort — if close() itself throws (e.g. worker already dead), swallow it so the original error
+        // surfaces unobstructed.
+        await pxeStore.close().catch(()=>{});
+        throw err;
+    }
+}
+async function openOneStore(storeName, { name, poolDirectory }, getEncryptionKey, log, openStore) {
+    const key = await getEncryptionKey();
+    try {
+        return await openStore(log, name, poolDirectory, key);
+    } catch (err) {
+        if (err instanceof SqliteEncryptionError && err.code === 'decrypt_failed') {
+            throw new EmbeddedWalletEncryptionError(storeName, {
+                cause: err
+            });
+        }
+        throw err;
+    }
+}

package/dest/embedded/wallet_db.d.ts

@@ -7,11 +7,11 @@ export declare const AccountTypes: readonly ["schnorr", "ecdsasecp256r1", "ecdsa
 export type AccountType = (typeof AccountTypes)[number];
 export declare class WalletDB {
     #private;
+    private store;
+    private userLog;
     private accounts;
     private aliases;
-    private userLog;
-    private constructor();
-    static init(store: AztecAsyncKVStore, userLog: LogFn): WalletDB;
+    constructor(store: AztecAsyncKVStore, userLog: LogFn);
     storeAccount(address: AztecAddress, { type, secretKey, salt, alias, signingKey }: {
         type: AccountType;
         secretKey: Fr;
@@ -30,5 +30,6 @@ export declare class WalletDB {
     listAccounts(): Promise<Aliased<AztecAddress>[]>;
     listSenders(): Promise<Aliased<AztecAddress>[]>;
     deleteAccount(address: AztecAddress): Promise<void>;
+    close(): Promise<void>;
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoid2FsbGV0X2RiLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvZW1iZWRkZWQvd2FsbGV0X2RiLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxFQUFFLE9BQU8sRUFBRSxNQUFNLHdCQUF3QixDQUFDO0FBQ3RELE9BQU8sRUFBRSxFQUFFLEVBQUUsRUFBRSxFQUFFLE1BQU0sZ0NBQWdDLENBQUM7QUFDeEQsT0FBTyxLQUFLLEVBQUUsS0FBSyxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLEVBQUUsaUJBQWlCLEVBQWlCLE1BQU0saUJBQWlCLENBQUM7QUFDeEUsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLDZCQUE2QixDQUFDO0FBRTNELGVBQU8sTUFBTSxZQUFZLDBEQUEyRCxDQUFDO0FBQ3JGLE1BQU0sTUFBTSxXQUFXLEdBQUcsQ0FBQyxPQUFPLFlBQVksQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0FBTXhELHFCQUFhLFFBQVE7O0lBRWpCLE9BQU8sQ0FBQyxRQUFRO0lBQ2hCLE9BQU8sQ0FBQyxPQUFPO0lBQ2YsT0FBTyxDQUFDLE9BQU87SUFIakIsT0FBTyxlQUlIO0lBRUosTUFBTSxDQUFDLElBQUksQ0FBQyxLQUFLLEVBQUUsaUJBQWlCLEVBQUUsT0FBTyxFQUFFLEtBQUssWUFJbkQ7SUFFSyxZQUFZLENBQ2hCLE9BQU8sRUFBRSxZQUFZLEVBQ3JCLEVBQ0UsSUFBSSxFQUNKLFNBQVMsRUFDVCxJQUFJLEVBQ0osS0FBSyxFQUNMLFVBQVUsRUFDWCxFQUFFO1FBQ0QsSUFBSSxFQUFFLFdBQVcsQ0FBQztRQUNsQixTQUFTLEVBQUUsRUFBRSxDQUFDO1FBQ2QsSUFBSSxFQUFFLEVBQUUsQ0FBQztRQUNULFVBQVUsRUFBRSxFQUFFLEdBQUcsTUFBTSxDQUFDO1FBQ3hCLEtBQUssRUFBRSxNQUFNLEdBQUcsU0FBUyxDQUFDO0tBQzNCLEVBQ0QsR0FBRyxHQUFFLEtBQW9CLGlCQWExQjtJQUVLLFdBQVcsQ0FBQyxPQUFPLEVBQUUsWUFBWSxFQUFFLEtBQUssRUFBRSxNQUFNLEVBQUUsR0FBRyxHQUFFLEtBQW9CLGlCQUdoRjtJQUVLLGVBQWUsQ0FBQyxPQUFPLEVBQUUsWUFBWSxHQUFHLE1BQU07Ozs7OztPQWNuRDtJQUVLLFlBQVksSUFBSSxPQUFPLENBQUMsT0FBTyxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUMsQ0FXckQ7SUFFSyxXQUFXLElBQUksT0FBTyxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDLENBU3BEO0lBb0JLLGFBQWEsQ0FBQyxPQUFPLEVBQUUsWUFBWSxpQkFheEM7Q0FDRiJ9
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoid2FsbGV0X2RiLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvZW1iZWRkZWQvd2FsbGV0X2RiLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxFQUFFLE9BQU8sRUFBRSxNQUFNLHdCQUF3QixDQUFDO0FBQ3RELE9BQU8sRUFBRSxFQUFFLEVBQUUsRUFBRSxFQUFFLE1BQU0sZ0NBQWdDLENBQUM7QUFDeEQsT0FBTyxLQUFLLEVBQUUsS0FBSyxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDbkQsT0FBTyxLQUFLLEVBQUUsaUJBQWlCLEVBQWlCLE1BQU0saUJBQWlCLENBQUM7QUFDeEUsT0FBTyxFQUFFLFlBQVksRUFBRSxNQUFNLDZCQUE2QixDQUFDO0FBRTNELGVBQU8sTUFBTSxZQUFZLDBEQUEyRCxDQUFDO0FBQ3JGLE1BQU0sTUFBTSxXQUFXLEdBQUcsQ0FBQyxPQUFPLFlBQVksQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDO0FBTXhELHFCQUFhLFFBQVE7O0lBS2pCLE9BQU8sQ0FBQyxLQUFLO0lBQ2IsT0FBTyxDQUFDLE9BQU87SUFMakIsT0FBTyxDQUFDLFFBQVEsQ0FBZ0M7SUFDaEQsT0FBTyxDQUFDLE9BQU8sQ0FBZ0M7SUFFL0MsWUFDVSxLQUFLLEVBQUUsaUJBQWlCLEVBQ3hCLE9BQU8sRUFBRSxLQUFLLEVBSXZCO0lBRUssWUFBWSxDQUNoQixPQUFPLEVBQUUsWUFBWSxFQUNyQixFQUNFLElBQUksRUFDSixTQUFTLEVBQ1QsSUFBSSxFQUNKLEtBQUssRUFDTCxVQUFVLEVBQ1gsRUFBRTtRQUNELElBQUksRUFBRSxXQUFXLENBQUM7UUFDbEIsU0FBUyxFQUFFLEVBQUUsQ0FBQztRQUNkLElBQUksRUFBRSxFQUFFLENBQUM7UUFDVCxVQUFVLEVBQUUsRUFBRSxHQUFHLE1BQU0sQ0FBQztRQUN4QixLQUFLLEVBQUUsTUFBTSxHQUFHLFNBQVMsQ0FBQztLQUMzQixFQUNELEdBQUcsR0FBRSxLQUFvQixpQkFhMUI7SUFFSyxXQUFXLENBQUMsT0FBTyxFQUFFLFlBQVksRUFBRSxLQUFLLEVBQUUsTUFBTSxFQUFFLEdBQUcsR0FBRSxLQUFvQixpQkFHaEY7SUFFSyxlQUFlLENBQUMsT0FBTyxFQUFFLFlBQVksR0FBRyxNQUFNOzs7Ozs7T0FjbkQ7SUFFSyxZQUFZLElBQUksT0FBTyxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDLENBV3JEO0lBRUssV0FBVyxJQUFJLE9BQU8sQ0FBQyxPQUFPLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FBQyxDQVNwRDtJQW9CSyxhQUFhLENBQUMsT0FBTyxFQUFFLFlBQVksaUJBYXhDO0lBRUssS0FBSyxrQkFFVjtDQUNGIn0=

package/dest/embedded/wallet_db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"wallet_db.d.ts","sourceRoot":"","sources":["../../src/embedded/wallet_db.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,gCAAgC,CAAC;AACxD,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,iBAAiB,EAAiB,MAAM,iBAAiB,CAAC;AACxE,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAE3D,eAAO,MAAM,YAAY,0DAA2D,CAAC;AACrF,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC;AAMxD,qBAAa,QAAQ;;IAEjB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,OAAO;IAHjB,OAAO,eAIH;IAEJ,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,KAAK,YAInD;IAEK,YAAY,CAChB,OAAO,EAAE,YAAY,EACrB,EACE,IAAI,EACJ,SAAS,EACT,IAAI,EACJ,KAAK,EACL,UAAU,EACX,EAAE;QACD,IAAI,EAAE,WAAW,CAAC;QAClB,SAAS,EAAE,EAAE,CAAC;QACd,IAAI,EAAE,EAAE,CAAC;QACT,UAAU,EAAE,EAAE,GAAG,MAAM,CAAC;QACxB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;KAC3B,EACD,GAAG,GAAE,KAAoB,iBAa1B;IAEK,WAAW,CAAC,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,GAAE,KAAoB,iBAGhF;IAEK,eAAe,CAAC,OAAO,EAAE,YAAY,GAAG,MAAM;;;;;;OAcnD;IAEK,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAWrD;IAEK,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CASpD;IAoBK,aAAa,CAAC,OAAO,EAAE,YAAY,iBAaxC;CACF"}
+{"version":3,"file":"wallet_db.d.ts","sourceRoot":"","sources":["../../src/embedded/wallet_db.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,gCAAgC,CAAC;AACxD,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,KAAK,EAAE,iBAAiB,EAAiB,MAAM,iBAAiB,CAAC;AACxE,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAE3D,eAAO,MAAM,YAAY,0DAA2D,CAAC;AACrF,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC;AAMxD,qBAAa,QAAQ;;IAKjB,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,OAAO;IALjB,OAAO,CAAC,QAAQ,CAAgC;IAChD,OAAO,CAAC,OAAO,CAAgC;IAE/C,YACU,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,KAAK,EAIvB;IAEK,YAAY,CAChB,OAAO,EAAE,YAAY,EACrB,EACE,IAAI,EACJ,SAAS,EACT,IAAI,EACJ,KAAK,EACL,UAAU,EACX,EAAE;QACD,IAAI,EAAE,WAAW,CAAC;QAClB,SAAS,EAAE,EAAE,CAAC;QACd,IAAI,EAAE,EAAE,CAAC;QACT,UAAU,EAAE,EAAE,GAAG,MAAM,CAAC;QACxB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;KAC3B,EACD,GAAG,GAAE,KAAoB,iBAa1B;IAEK,WAAW,CAAC,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,GAAE,KAAoB,iBAGhF;IAEK,eAAe,CAAC,OAAO,EAAE,YAAY,GAAG,MAAM;;;;;;OAcnD;IAEK,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAWrD;IAEK,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CASpD;IAoBK,aAAa,CAAC,OAAO,EAAE,YAAY,iBAaxC;IAEK,KAAK,kBAEV;CACF"}

package/dest/embedded/wallet_db.js

@@ -9,18 +9,15 @@ function accountKey(field, address) {
     return `${field}:${address.toString()}`;
 }
 export class WalletDB {
+    store;
+    userLog;
     accounts;
     aliases;
-    userLog;
-    constructor(accounts, aliases, userLog){
-        this.accounts = accounts;
-        this.aliases = aliases;
+    constructor(store, userLog){
+        this.store = store;
         this.userLog = userLog;
-    }
-    static init(store, userLog) {
-        const accounts = store.openMap('accounts');
-        const aliases = store.openMap('aliases');
-        return new WalletDB(accounts, aliases, userLog);
+        this.accounts = store.openMap('accounts');
+        this.aliases = store.openMap('aliases');
     }
     async storeAccount(address, { type, secretKey, salt, alias, signingKey }, log = this.userLog) {
         if (alias) {
@@ -117,4 +114,7 @@ export class WalletDB {
             await this.aliases.delete(`accounts:${alias}`);
         }
     }
+    async close() {
+        await this.store.close();
+    }
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aztec/wallets",
   "homepage": "https://github.com/AztecProtocol/aztec-packages/tree/master/yarn-project/wallets",
-  "version": "0.0.1-commit.b2a5d0dd1",
+  "version": "0.0.1-commit.b3d3157a",
   "type": "module",
   "exports": {
     "./embedded": {
@@ -14,6 +14,7 @@
         "default": "./dest/embedded/entrypoints/node.js"
       }
     },
+    "./embedded/store-encryption": "./dest/embedded/store_encryption.js",
     "./testing": "./dest/testing.js"
   },
   "scripts": {
@@ -27,15 +28,16 @@
     "../package.common.json"
   ],
   "dependencies": {
-    "@aztec/accounts": "0.0.1-commit.b2a5d0dd1",
-    "@aztec/aztec.js": "0.0.1-commit.b2a5d0dd1",
-    "@aztec/entrypoints": "0.0.1-commit.b2a5d0dd1",
-    "@aztec/foundation": "0.0.1-commit.b2a5d0dd1",
-    "@aztec/kv-store": "0.0.1-commit.b2a5d0dd1",
-    "@aztec/protocol-contracts": "0.0.1-commit.b2a5d0dd1",
-    "@aztec/pxe": "0.0.1-commit.b2a5d0dd1",
-    "@aztec/stdlib": "0.0.1-commit.b2a5d0dd1",
-    "@aztec/wallet-sdk": "0.0.1-commit.b2a5d0dd1"
+    "@aztec/accounts": "0.0.1-commit.b3d3157a",
+    "@aztec/aztec.js": "0.0.1-commit.b3d3157a",
+    "@aztec/entrypoints": "0.0.1-commit.b3d3157a",
+    "@aztec/foundation": "0.0.1-commit.b3d3157a",
+    "@aztec/kv-store": "0.0.1-commit.b3d3157a",
+    "@aztec/protocol-contracts": "0.0.1-commit.b3d3157a",
+    "@aztec/pxe": "0.0.1-commit.b3d3157a",
+    "@aztec/standard-contracts": "0.0.1-commit.b3d3157a",
+    "@aztec/stdlib": "0.0.1-commit.b3d3157a",
+    "@aztec/wallet-sdk": "0.0.1-commit.b3d3157a"
   },
   "devDependencies": {
     "@jest/globals": "^30.0.0",

package/src/embedded/account-contract-providers/bundle.ts

@@ -4,9 +4,8 @@ import { StubEcdsaAccountContractArtifact, createStubEcdsaAccount } from '@aztec
 import { StubSchnorrAccountContractArtifact, createStubSchnorrAccount } from '@aztec/accounts/stub/schnorr';
 import type { Account, AccountContract } from '@aztec/aztec.js/account';
 import type { Fq } from '@aztec/foundation/curves/bn254';
-import { getCanonicalMultiCallEntrypoint } from '@aztec/protocol-contracts/multi-call-entrypoint';
 import type { ContractArtifact } from '@aztec/stdlib/abi';
-import type { CompleteAddress, ContractInstanceWithAddress } from '@aztec/stdlib/contract';
+import type { CompleteAddress } from '@aztec/stdlib/contract';
 
 import type { AccountType } from '../wallet_db.js';
 import type { AccountContractsProvider } from './types.js';
@@ -35,8 +34,4 @@ export class BundleAccountContractsProvider implements AccountContractsProvider
   createStubAccount(address: CompleteAddress, type: AccountType): Promise<Account> {
     return Promise.resolve(type === 'schnorr' ? createStubSchnorrAccount(address) : createStubEcdsaAccount(address));
   }
-
-  getMulticallContract(): Promise<{ instance: ContractInstanceWithAddress; artifact: ContractArtifact }> {
-    return getCanonicalMultiCallEntrypoint();
-  }
 }

package/src/embedded/account-contract-providers/lazy.ts

@@ -1,8 +1,7 @@
 import type { Account, AccountContract } from '@aztec/aztec.js/account';
 import type { Fq } from '@aztec/foundation/curves/bn254';
-import { getCanonicalMultiCallEntrypoint } from '@aztec/protocol-contracts/multi-call-entrypoint/lazy';
 import type { ContractArtifact } from '@aztec/stdlib/abi';
-import type { CompleteAddress, ContractInstanceWithAddress } from '@aztec/stdlib/contract';
+import type { CompleteAddress } from '@aztec/stdlib/contract';
 
 import type { AccountType } from '../wallet_db.js';
 import type { AccountContractsProvider } from './types.js';
@@ -46,8 +45,4 @@ export class LazyAccountContractsProvider implements AccountContractsProvider {
       return createStubEcdsaAccount(address);
     }
   }
-
-  getMulticallContract(): Promise<{ instance: ContractInstanceWithAddress; artifact: ContractArtifact }> {
-    return getCanonicalMultiCallEntrypoint();
-  }
 }

package/src/embedded/account-contract-providers/types.ts

@@ -1,7 +1,7 @@
 import type { Account, AccountContract } from '@aztec/aztec.js/account';
 import type { Fq } from '@aztec/foundation/curves/bn254';
 import type { ContractArtifact } from '@aztec/stdlib/abi';
-import type { CompleteAddress, ContractInstanceWithAddress } from '@aztec/stdlib/contract';
+import type { CompleteAddress } from '@aztec/stdlib/contract';
 
 import type { AccountType } from '../wallet_db.js';
 
@@ -16,6 +16,5 @@ export interface AccountContractsProvider {
   getEcdsaRAccountContract(signingKey: Buffer): Promise<AccountContract>;
   getEcdsaKAccountContract(signingKey: Buffer): Promise<AccountContract>;
   getStubAccountContractArtifact(type: AccountType): Promise<ContractArtifact>;
-  getMulticallContract(): Promise<{ instance: ContractInstanceWithAddress; artifact: ContractArtifact }>;
   createStubAccount(address: CompleteAddress, type: AccountType): Promise<Account>;
 }

package/src/embedded/embedded_wallet.ts

@@ -1,7 +1,21 @@
 import { type Account, NO_FROM } from '@aztec/aztec.js/account';
 import { CallAuthorizationRequest } from '@aztec/aztec.js/authorization';
-import { type InteractionWaitOptions, type SendReturn, type WaitOpts, getGasLimits } from '@aztec/aztec.js/contracts';
-import type { Aliased, SendOptions } from '@aztec/aztec.js/wallet';
+import {
+  type InteractionWaitOptions,
+  NO_WAIT,
+  type SendReturn,
+  type WaitOpts,
+  getGasLimits,
+} from '@aztec/aztec.js/contracts';
+import type {
+  Aliased,
+  ExecuteUtilityOptions,
+  PrivateEvent,
+  PrivateEventFilter,
+  ProfileOptions,
+  SendOptions,
+  SimulateOptions,
+} from '@aztec/aztec.js/wallet';
 import { AccountManager, TxSimulationResultWithAppOffset } from '@aztec/aztec.js/wallet';
 import type { DefaultAccountEntrypointOptions } from '@aztec/entrypoints/account';
 import { DefaultEntrypoint } from '@aztec/entrypoints/default';
@@ -10,8 +24,9 @@ import type { Logger } from '@aztec/foundation/log';
 import type { AztecAsyncKVStore } from '@aztec/kv-store';
 import type { PXEConfig, PXECreationOptions } from '@aztec/pxe/client/lazy';
 import type { PXE } from '@aztec/pxe/server';
+import type { ContractArtifact, EventMetadataDefinition, FunctionCall } from '@aztec/stdlib/abi';
 import { AztecAddress } from '@aztec/stdlib/aztec-address';
-import { getContractInstanceFromInstantiationParams } from '@aztec/stdlib/contract';
+import { type ContractInstanceWithAddress, getContractClassFromArtifact } from '@aztec/stdlib/contract';
 import { GasSettings } from '@aztec/stdlib/gas';
 import type { AztecNode } from '@aztec/stdlib/interfaces/client';
 import { deriveSigningKey } from '@aztec/stdlib/keys';
@@ -20,7 +35,9 @@ import {
   ExecutionPayload,
   SimulationOverrides,
   type TxExecutionRequest,
+  type TxProfileResult,
   TxStatus,
+  type UtilityExecutionResult,
   collectOffchainEffects,
   mergeExecutionPayloads,
 } from '@aztec/stdlib/tx';
@@ -40,8 +57,12 @@ export function splitPxeOptions(pxe?: EmbeddedWalletPXEOptions): {
   if (!pxe) {
     return { config: {}, creation: {} };
   }
-  const { loggers, loggerActorLabel, proverOrOptions, store, simulator, ...config } = pxe;
-  return { config, creation: { loggers, loggerActorLabel, proverOrOptions, store, simulator } };
+  const { loggers, loggerActorLabel, proverOrOptions, store, simulator, hooks, preloadedContractsProvider, ...config } =
+    pxe;
+  return {
+    config,
+    creation: { loggers, loggerActorLabel, proverOrOptions, store, simulator, hooks, preloadedContractsProvider },
+  };
 }
 
 /** Options for the EmbeddedWallet's own DB (accounts, senders — distinct from PXE state). */
@@ -76,6 +97,10 @@ const DEFAULT_ESTIMATED_GAS_PADDING = 0.1;
 export class EmbeddedWallet extends BaseWallet {
   protected estimatedGasPadding = DEFAULT_ESTIMATED_GAS_PADDING;
 
+  // Stub class ids, populated on wallet startup
+  // to avoid redundant work per simulation
+  protected stubClassIds = new Map<AccountType, Fr>();
+
   constructor(
     pxe: PXE,
     aztecNode: AztecNode,
@@ -127,6 +152,9 @@ export class EmbeddedWallet extends BaseWallet {
     executionPayload: ExecutionPayload,
     opts: SendOptions<W>,
   ): Promise<SendReturn<W>> {
+    // PXE has autoSync disabled by the embedded wallet entrypoints, so we sync once here to cover
+    // both the inner simulateTx (via simulateViaEntrypoint) and the proveTx that super.sendTx
+    await this.pxe.sync();
     const feeOptions = await this.completeFeeOptions({
       from: opts.from,
       feePayer: executionPayload.feePayer,
@@ -141,6 +169,7 @@ export class EmbeddedWallet extends BaseWallet {
       feeOptions,
       additionalScopes: opts.additionalScopes,
       skipTxValidation: true,
+      sendMessagesAs: opts.sendMessagesAs,
     });
 
     const offchainEffects = collectOffchainEffects(simulationResult.privateExecutionResult);
@@ -173,24 +202,92 @@ export class EmbeddedWallet extends BaseWallet {
       gasLimits: opts.fee?.gasSettings?.gasLimits ?? estimated.gasLimits,
       teardownGasLimits: opts.fee?.gasSettings?.teardownGasLimits ?? estimated.teardownGasLimits,
     });
-    const waitOpts: WaitOpts = typeof opts.wait === 'object' ? opts.wait : {};
-
-    if (!waitOpts?.waitForStatus) {
-      // Default to PROPOSED so the wait returns as soon as the tx lands in a proposed L2 block,
-      // rather than waiting until the end of the slot for the checkpoint to be published to L1.
-      // This is what makes MBPS (Multiple Blocks Per Slot) actually improve UX: with CHECKPOINTED
-      // we'd block until L1 inclusion regardless of how early in the slot the tx was sequenced.
-      // The tradeoff is a weaker guarantee — a proposed block only becomes canonical once it (or
-      // a later block in the same slot) is checkpointed, so a tx could be re-orged out if the
-      // proposer fails to publish to L1 (which should be rare, since they'd get slashed for it).
-      waitOpts!.waitForStatus = TxStatus.PROPOSED;
+    let wait: InteractionWaitOptions = opts.wait;
+    if (wait !== NO_WAIT) {
+      const callerWaitOpts: WaitOpts = typeof wait === 'object' ? wait : {};
+      wait = {
+        ...callerWaitOpts,
+        // Default to PROPOSED so the wait returns as soon as the tx lands in a proposed L2 block,
+        // rather than waiting until the end of the slot for the checkpoint to be published to L1.
+        // This is what makes MBPS (Multiple Blocks Per Slot) actually improve UX: with CHECKPOINTED
+        // we'd block until L1 inclusion regardless of how early in the slot the tx was sequenced.
+        // The tradeoff is a weaker guarantee — a proposed block only becomes canonical once it (or
+        // a later block in the same slot) is checkpointed, so a tx could be re-orged out if the
+        // proposer fails to publish to L1 (which should be rare, since they'd get slashed for it).
+        waitForStatus: callerWaitOpts.waitForStatus ?? TxStatus.PROPOSED,
+      };
     }
     return super.sendTx(executionPayload, {
       ...opts,
+      wait: wait as W,
       fee: { ...opts.fee, gasSettings },
     });
   }
 
+  /**
+   * Overrides the base simulateTx to drive PXE syncing explicitly. The PXE created by the embedded
+   * wallet has autoSync disabled (so we can share one sync across simulate+send in sendTx); for
+   * standalone simulations we still need a fresh anchor block, which we provide here.
+   */
+  public override async simulateTx(
+    executionPayload: ExecutionPayload,
+    opts: SimulateOptions,
+  ): Promise<TxSimulationResultWithAppOffset> {
+    await this.pxe.sync();
+    return super.simulateTx(executionPayload, opts);
+  }
+
+  public override async profileTx(executionPayload: ExecutionPayload, opts: ProfileOptions): Promise<TxProfileResult> {
+    await this.pxe.sync();
+    return super.profileTx(executionPayload, opts);
+  }
+
+  public override async executeUtility(
+    call: FunctionCall,
+    opts: ExecuteUtilityOptions,
+  ): Promise<UtilityExecutionResult> {
+    await this.pxe.sync();
+    return super.executeUtility(call, opts);
+  }
+
+  public override async getPrivateEvents<T>(
+    eventDef: EventMetadataDefinition,
+    eventFilter: PrivateEventFilter,
+  ): Promise<PrivateEvent<T>[]> {
+    await this.pxe.sync();
+    return super.getPrivateEvents<T>(eventDef, eventFilter);
+  }
+
+  public override async registerContract(
+    instance: ContractInstanceWithAddress,
+    artifact?: ContractArtifact,
+    secretKey?: Fr,
+  ): Promise<ContractInstanceWithAddress> {
+    // registerContract may call pxe.updateContract under the hood, which depends on a fresh anchor
+    // block to verify the current class id from the node.
+    await this.pxe.sync();
+    return super.registerContract(instance, artifact, secretKey);
+  }
+
+  /**
+   * Hashes and registers the stub class for every supported account type with PXE, populating
+   * stubClassIds. Called on wallet initialization.
+   */
+  async initStubClasses(): Promise<void> {
+    const schnorrArtifact = await this.accountContracts.getStubAccountContractArtifact('schnorr');
+    const { id: schnorrClassId } = await getContractClassFromArtifact(schnorrArtifact);
+    await this.pxe.registerContractClass(schnorrArtifact);
+
+    // ecdsa stubs share the same class id
+    const ecdsaArtifact = await this.accountContracts.getStubAccountContractArtifact('ecdsasecp256r1');
+    const { id: ecdsaClassId } = await getContractClassFromArtifact(ecdsaArtifact);
+    await this.pxe.registerContractClass(ecdsaArtifact);
+
+    this.stubClassIds.set('schnorr', schnorrClassId);
+    this.stubClassIds.set('ecdsasecp256k1', ecdsaClassId);
+    this.stubClassIds.set('ecdsasecp256r1', ecdsaClassId);
+  }
+
   /**
    * Builds contract overrides for all provided addresses by replacing their account contracts with stub implementations.
    * Uses a type-specific stub artifact so that the stub's constructor selector matches the real account's constructor.
@@ -204,7 +301,12 @@ export class EmbeddedWallet extends BaseWallet {
     for (const account of filtered) {
       const address = account.item;
       const { type } = await this.walletDB.retrieveAccount(address);
-      const stubArtifact = await this.accountContracts.getStubAccountContractArtifact(type);
+      const stubClassId = this.stubClassIds.get(type);
+      if (!stubClassId) {
+        throw new Error(
+          `Stub class for account type '${type}' was not registered at wallet init. This is a bug — initStubClasses should cover every supported AccountType.`,
+        );
+      }
 
       const originalAccount = await this.getAccountFromAddress(address);
       const completeAddress = originalAccount.getCompleteAddress();
@@ -215,15 +317,8 @@ export class EmbeddedWallet extends BaseWallet {
         );
       }
 
-      const stubConstructorArgs = type === 'schnorr' ? [Fr.ZERO, Fr.ZERO] : [Buffer.alloc(32), Buffer.alloc(32)];
-      const stubInstance = await getContractInstanceFromInstantiationParams(stubArtifact, {
-        salt: Fr.random(),
-        constructorArgs: stubConstructorArgs,
-      });
-
       contracts[address.toString()] = {
-        instance: stubInstance,
-        artifact: stubArtifact,
+        instance: { ...contractInstance, currentContractClassId: stubClassId },
       };
     }
 
@@ -239,7 +334,7 @@ export class EmbeddedWallet extends BaseWallet {
     executionPayload: ExecutionPayload,
     opts: SimulateViaEntrypointOptions,
   ): Promise<TxSimulationResultWithAppOffset> {
-    const { from, feeOptions, additionalScopes, skipTxValidation, skipFeeEnforcement } = opts;
+    const { from, feeOptions, additionalScopes, skipTxValidation, skipFeeEnforcement, sendMessagesAs } = opts;
     const scopes = this.scopesFrom(from, additionalScopes);
 
     const feeExecutionPayload = await feeOptions.walletFeePaymentMethod?.getExecutionPayload();
@@ -249,7 +344,7 @@ export class EmbeddedWallet extends BaseWallet {
     const chainInfo = await this.getChainInfo();
 
     const accountOverrides = await this.buildAccountOverrides(scopes);
-    const overrides = new SimulationOverrides(accountOverrides);
+    const overrides = new SimulationOverrides({ contracts: accountOverrides });
 
     let txRequest: TxExecutionRequest;
     if (from === NO_FROM) {
@@ -280,6 +375,7 @@ export class EmbeddedWallet extends BaseWallet {
       skipTxValidation,
       overrides,
       scopes,
+      senderForTags: this.senderForTagsFrom(from, sendMessagesAs),
     });
     const appCallOffset = await this.computeAppCallOffset(from, feeOptions);
     return TxSimulationResultWithAppOffset.fromResultAndOffset(result, appCallOffset);
@@ -310,7 +406,7 @@ export class EmbeddedWallet extends BaseWallet {
       }
     }
 
-    const accountManager = await AccountManager.create(this, secret, contract, salt);
+    const accountManager = await AccountManager.create(this, secret, contract, { salt });
 
     const instance = accountManager.getInstance();
     const existingInstance = await this.pxe.getContractInstance(instance.address);
@@ -358,7 +454,8 @@ export class EmbeddedWallet extends BaseWallet {
     this.estimatedGasPadding = value ?? DEFAULT_ESTIMATED_GAS_PADDING;
   }
 
-  stop() {
-    return this.pxe.stop();
+  async stop(): Promise<void> {
+    await this.pxe.stop();
+    await this.walletDB.close();
   }
 }

package/src/embedded/entrypoints/browser.ts

@@ -3,6 +3,8 @@ import { type Logger, createLogger } from '@aztec/foundation/log';
 import { createStore, openTmpStore } from '@aztec/kv-store/indexeddb';
 import { type PXE, type PXECreationOptions, createPXE } from '@aztec/pxe/client/lazy';
 import { type PXEConfig, getPXEConfig } from '@aztec/pxe/config';
+import { getStandardAuthRegistry } from '@aztec/standard-contracts/auth-registry/lazy';
+import { getStandardMultiCallEntrypoint } from '@aztec/standard-contracts/multi-call-entrypoint/lazy';
 
 import { LazyAccountContractsProvider } from '../account-contract-providers/lazy.js';
 import type { AccountContractsProvider } from '../account-contract-providers/types.js';
@@ -34,6 +36,7 @@ export class BrowserEmbeddedWallet extends EmbeddedWallet {
     const pxeConfig: PXEConfig = Object.assign(getPXEConfig(), {
       proverEnabled: mergedConfigOverrides.proverEnabled ?? false,
       dataDirectory: `pxe_data_${l1Contracts.rollupAddress}`,
+      autoSync: false,
       ...mergedConfigOverrides,
     });
 
@@ -43,6 +46,9 @@ export class BrowserEmbeddedWallet extends EmbeddedWallet {
 
     const pxeOptions: PXECreationOptions = {
       ...mergedCreationOverrides,
+      preloadedContractsProvider: mergedCreationOverrides.preloadedContractsProvider ?? {
+        getPreloadedContracts: async () => [await getStandardMultiCallEntrypoint(), await getStandardAuthRegistry()],
+      },
       loggers: {
         store: rootLogger.createChild('pxe:data'),
         pxe: rootLogger.createChild('pxe:service'),
@@ -62,14 +68,16 @@ export class BrowserEmbeddedWallet extends EmbeddedWallet {
             {
               dataDirectory: `wallet_data_${l1Contracts.rollupAddress}`,
               dataStoreMapSizeKb: pxeConfig.dataStoreMapSizeKb,
-              l1Contracts,
+              rollupAddress: l1Contracts.rollupAddress,
             },
             1,
             rootLogger.createChild('wallet:data'),
           ));
-    const walletDB = WalletDB.init(walletDBStore, rootLogger.createChild('wallet:db').info);
+    const walletDB = new WalletDB(walletDBStore, rootLogger.createChild('wallet:db').info);
 
-    return new this(pxe, aztecNode, walletDB, new LazyAccountContractsProvider(), rootLogger) as T;
+    const wallet = new this(pxe, aztecNode, walletDB, new LazyAccountContractsProvider(), rootLogger) as T;
+    await wallet.initStubClasses();
+    return wallet;
   }
 }
 
@@ -77,3 +85,10 @@ export { BrowserEmbeddedWallet as EmbeddedWallet };
 export type { EmbeddedWalletOptions, EmbeddedWalletPXEOptions } from '../embedded_wallet.js';
 export { WalletDB } from '../wallet_db.js';
 export type { AccountType } from '../wallet_db.js';
+
+// At-rest encryption helpers are intentionally NOT re-exported here. They live
+// on the `@aztec/wallets/embedded/store-encryption` sub-path so consumers
+// (and bundlers) of this entrypoint don't transitively pull in
+// `@aztec/kv-store/sqlite-opfs` and its `new Worker(new URL('./worker.js'))`
+// chain into `@aztec/sqlite3mc-wasm`. Apps that don't use encryption-at-rest
+// (e.g. the playground) should never see sqlite-opfs in their bundle.