@dynamic-labs/aleo 4.79.2 → 4.80.0

package/src/connectors/DynamicWaasAleoConnector/DynamicWaasAleoConnector.js

@@ -0,0 +1,794 @@
+'use client'
+import { __awaiter } from '../../../_virtual/_tslib.js';
+import { DynamicError } from '@dynamic-labs/utils';
+import { withDynamicWaas } from '@dynamic-labs/waas';
+import { isSameAddress } from '@dynamic-labs/wallet-connector-core';
+import { Logger } from '@dynamic-labs/logger';
+import { WaasAleoWalletConnector } from '../WaasAleoWalletConnector/WaasAleoWalletConnector.js';
+import { AleoWallet } from '../../wallet/AleoWallet/AleoWallet.js';
+import { AleoUiTransaction } from '../../utils/AleoUiTransaction/AleoUiTransaction.js';
+import { ALEO_TOKEN_REGISTRY_PROGRAM } from '../../utils/aleoSendableTokens/aleoSendableTokens.js';
+import { findAleoShieldableToken } from '../../utils/aleoShieldableTokens/aleoShieldableTokens.js';
+
+/**
+ * Per-program record shape for `<program>/join`. The `join` transition
+ * consumes 2 records of the program's "balance" record type and emits
+ * 1 merged record of the same type. The credits program calls this
+ * record `credits` (`credits.record`); Sealance stablecoins call it
+ * `Token` (`Token.record`).
+ *
+ * To support a new program (e.g. ARC-21 / token_registry.aleo) add an
+ * entry here matching the on-chain record name in the program's source.
+ */
+const JOIN_PROGRAM_SHAPES = {
+    // ARC-21 (token_registry.aleo) — multiple tokens share this program. The
+    // join transition's record type is the same across tokens (`Token.record`),
+    // so the shape is registered once here. The per-token `token_id` filter
+    // lives in `joinRecords` below, since records of different tokens cannot
+    // be merged with each other (the on-chain `join` enforces token_id match).
+    [ALEO_TOKEN_REGISTRY_PROGRAM]: {
+        expectedRecordName: 'Token',
+        recordTypeLiteral: 'Token.record',
+    },
+    'credits.aleo': {
+        expectedRecordName: 'credits',
+        recordTypeLiteral: 'credits.record',
+    },
+    'test_usad_stablecoin.aleo': {
+        expectedRecordName: 'Token',
+        recordTypeLiteral: 'Token.record',
+    },
+    'test_usdcx_stablecoin.aleo': {
+        expectedRecordName: 'Token',
+        recordTypeLiteral: 'Token.record',
+    },
+    'usad_stablecoin.aleo': {
+        expectedRecordName: 'Token',
+        recordTypeLiteral: 'Token.record',
+    },
+    'usdcx_stablecoin.aleo': {
+        expectedRecordName: 'Token',
+        recordTypeLiteral: 'Token.record',
+    },
+};
+const isJoinSupportedProgram = (programId) => programId in JOIN_PROGRAM_SHAPES;
+/**
+ * Builds the `(functionName, inputs, inputTypes)` triple for a Send
+ * transition based on the picker-selected token's `programKind`. Lives
+ * at module scope so the closure body in `createUiTransaction` stays
+ * focused on wiring; the per-kind signatures are documented inline.
+ *
+ *  - `credits`     u64 amounts. inputs are `[record, recipient, amount]`,
+ *                  matching `credits.aleo`'s historical signature.
+ *  - `stablecoin`  u128 amounts. inputs are `[recipient, amount, record]`.
+ *                  The iframe appends the Sealance proof literal +
+ *                  `[MerkleProof; 2u32].private` type — caller does NOT
+ *                  pass them. Verified against
+ *                  `dynamic-waas-sdk/packages/aleo/src/client/client.ts`'s
+ *                  `proveTransaction` Sealance auto-injection block.
+ *  - `arc21`       u128 amounts. inputs are `[recipient, amount, record]`.
+ *                  Token_id is encoded inside the record plaintext, so
+ *                  the transition signature does NOT include it.
+ *                  Verified against `token_registry.aleo` source via the
+ *                  Provable explorer `/program` endpoint.
+ */
+const buildTransferInputs = (args) => {
+    const { mode, to, value, recordPlaintext, token } = args;
+    const functionName = mode === 'individual' ? 'transfer_private' : 'transfer_private_to_public';
+    if (token.programKind === 'credits') {
+        const recipientType = mode === 'individual' ? 'address.private' : 'address.public';
+        const amountType = mode === 'individual' ? 'u64.private' : 'u64.public';
+        return {
+            functionName,
+            inputTypes: ['credits.record', recipientType, amountType],
+            inputs: [recordPlaintext, to, `${value.toString()}u64`],
+        };
+    }
+    // Stablecoin + ARC-21 share the same outer signature; the iframe's
+    // Sealance auto-injection only fires for the four registered
+    // stablecoin program ids, so ARC-21 records pass through unchanged.
+    const recipientType = mode === 'individual' ? 'address.private' : 'address.public';
+    const amountType = mode === 'individual' ? 'u128.private' : 'u128.public';
+    return {
+        functionName,
+        inputTypes: [recipientType, amountType, 'Token.record'],
+        inputs: [to, `${value.toString()}u128`, recordPlaintext],
+    };
+};
+/**
+ * Builds the `(functionName, inputs, inputTypes)` triple for a
+ * `<program>/transfer_public_to_private` shield call to self. Mirrors
+ * `buildTransferInputs` shape — three program kinds, three signatures:
+ *
+ *  - `credits`     u64 amounts. inputs `[recipient, amount]`.
+ *  - `stablecoin`  u128 amounts. inputs `[recipient, amount]`. Sealance
+ *                  proof is NOT appended for `transfer_public_to_private`
+ *                  (verified against the iframe's
+ *                  `SEALANCE_FUNCTIONS_REQUIRING_PROOF` set, which only
+ *                  covers `transfer_private` / `transfer_private_to_public`).
+ *  - `arc21`       u128 amounts. inputs `[token_id, recipient, amount,
+ *                  external_auth_required]`. Token_id from the registry;
+ *                  external_auth from the per-token registry entry
+ *                  (defaults to `false` when unset). Verified against
+ *                  `token_registry.aleo` source via the Provable explorer.
+ */
+const buildShieldInputs = (args) => {
+    const { to, value, token } = args;
+    const functionName = 'transfer_public_to_private';
+    if (token.programKind === 'credits') {
+        return {
+            functionName,
+            inputTypes: ['address.private', 'u64.public'],
+            inputs: [to, `${value.toString()}u64`],
+        };
+    }
+    if (token.programKind === 'stablecoin') {
+        return {
+            functionName,
+            inputTypes: ['address.private', 'u128.public'],
+            inputs: [to, `${value.toString()}u128`],
+        };
+    }
+    // arc21
+    if (!token.tokenId) {
+        throw new DynamicError(`shieldToken: ARC-21 token ${token.contractAddress} is missing tokenId in registry.`);
+    }
+    const externalAuth = token.externalAuthRequired ? 'true' : 'false';
+    return {
+        functionName,
+        inputTypes: [
+            'field.public',
+            'address.private',
+            'u128.public',
+            'boolean.public',
+        ],
+        inputs: [token.tokenId, to, `${value.toString()}u128`, externalAuth],
+    };
+};
+const joinShapeForProgram = (programId) => {
+    const shape = JOIN_PROGRAM_SHAPES[programId];
+    if (!shape) {
+        throw new DynamicError(`joinRecords: program ${programId} has no registered join-record shape.`);
+    }
+    return shape;
+};
+const hasUsableRecordShape = (r) => {
+    const rec = r;
+    return (typeof (rec === null || rec === void 0 ? void 0 : rec.record_plaintext) === 'string' &&
+        rec.record_plaintext.length > 0 &&
+        typeof (rec === null || rec === void 0 ? void 0 : rec.program_name) === 'string');
+};
+/**
+ * Dynamic WaaS connector for Aleo.
+ * Phase 1: supports wallet creation (MPC keygen → aleo1... address) and
+ * retrieval of the active WaaS wallet. signMessage and signTransaction
+ * throw NotSupported until Sodot adds `EdBls12377.sign(bytes)` and we wire up
+ * the Aleo `signRequest` ceremony.
+ */
+class DynamicWaasAleoConnector extends withDynamicWaas(WaasAleoWalletConnector) {
+    constructor(props) {
+        super('Dynamic Waas', props);
+        this.ChainWallet = AleoWallet;
+        this.name = 'Dynamic Waas';
+        this.overrideKey = 'dynamicwaas';
+        this.isEmbeddedWallet = true;
+        this.logger = new Logger('DynamicWaasAleoConnector');
+        this.walletUiUtils = props.walletUiUtils;
+    }
+    setVerifiedCredentials(verifiedCredentials) {
+        this.verifiedCredentials = verifiedCredentials.filter((vc) => vc.walletName === 'dynamicwaas' && vc.chain === 'aleo');
+    }
+    getWalletClientByAddress(_a) {
+        return __awaiter(this, arguments, void 0, function* ({ accountAddress, }) {
+            this.setActiveAccountAddress(accountAddress);
+            return this.getWaasWalletClient();
+        });
+    }
+    getActiveAccountAddress() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.activeAccountAddress;
+        });
+    }
+    setActiveAccountAddress(accountAddress) {
+        this.activeAccountAddress = accountAddress;
+    }
+    afterWalletSelectHook(walletAddress) {
+        this.setActiveAccountAddress(walletAddress);
+    }
+    requireSignedSessionId() {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a;
+            const signedSessionId = yield ((_a = this.getSignedSessionId) === null || _a === void 0 ? void 0 : _a.call(this));
+            if (!signedSessionId) {
+                throw new DynamicError('Signed session ID is required');
+            }
+            return signedSessionId;
+        });
+    }
+    validateActiveWallet(expectedAddress) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a;
+            const walletClient = yield this.getWaasWalletClient();
+            const signedSessionId = yield this.requireSignedSessionId();
+            const targetWallet = yield walletClient.getWallet({
+                accountAddress: expectedAddress,
+                authToken: (_a = this.getAuthToken) === null || _a === void 0 ? void 0 : _a.call(this),
+                signedSessionId,
+            });
+            if (!targetWallet) {
+                throw new DynamicError('Account not found');
+            }
+            const isWalletActive = isSameAddress(targetWallet.accountAddress, this.activeAccountAddress || '', this.connectedChain);
+            if (!isWalletActive) {
+                this.activeAccountAddress = targetWallet.accountAddress;
+            }
+        });
+    }
+    ensureActiveAccountFromVerifiedCredentials() {
+        var _a, _b;
+        if (this.activeAccountAddress)
+            return;
+        const address = (_b = (_a = this.verifiedCredentials) === null || _a === void 0 ? void 0 : _a[0]) === null || _b === void 0 ? void 0 : _b.address;
+        if (typeof address === 'string') {
+            this.setActiveAccountAddress(address);
+        }
+    }
+    getAddress() {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.ensureActiveAccountFromVerifiedCredentials();
+            return this.activeAccountAddress || '';
+        });
+    }
+    connect() {
+        return __awaiter(this, void 0, void 0, function* () {
+            yield this.getWaasWalletClient();
+        });
+    }
+    getConnectedAccounts() {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.ensureActiveAccountFromVerifiedCredentials();
+            return this.activeAccountAddress ? [this.activeAccountAddress] : [];
+        });
+    }
+    // Phase 1: signMessage not supported (Sodot EdBls12377 lacks sign(bytes))
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    signMessage(message) {
+        return __awaiter(this, void 0, void 0, function* () {
+            throw new DynamicError('Aleo signMessage is not supported yet — pending EdBls12377.sign(bytes) from Sodot');
+        });
+    }
+    /* eslint-disable @typescript-eslint/no-unused-vars */
+    signMessageWithContext({ message, context, }) {
+        /* eslint-enable @typescript-eslint/no-unused-vars */
+        throw new DynamicError('Method not implemented.');
+    }
+    // Phase 1: signTransaction not supported (signAleoRequest ceremony not wired up)
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    signTransaction(_transaction) {
+        return __awaiter(this, void 0, void 0, function* () {
+            throw new DynamicError('Aleo signTransaction is not supported yet — coming in Phase 2');
+        });
+    }
+    /**
+     * Aleo full transaction flow: view key → MPC sign → prove + broadcast via DPS.
+     * Delegates to the iframe's DynamicAleoWalletClient.proveTransaction.
+     */
+    proveTransaction(params) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b;
+            this.ensureActiveAccountFromVerifiedCredentials();
+            if (!this.activeAccountAddress) {
+                throw new DynamicError('Active account address is required');
+            }
+            const walletClient = yield this.getWaasWalletClient();
+            const signedSessionId = yield this.requireSignedSessionId();
+            // Pass the currently-selected Aleo network on every call. The iframe
+            // uses this to route the SDK build, the Feemaster policy, and proving
+            // endpoints. Critical for `credits.aleo` whose program name doesn't
+            // vary by network — without `chainId` the iframe defaulted to mainnet
+            // for credits flows, which means testnet credits transactions
+            // consulted the wrong Feemaster policy and would silently miss
+            // sponsorship coverage.
+            const chainId = (_a = this.getSelectedNetwork()) === null || _a === void 0 ? void 0 : _a.chainId;
+            return walletClient.proveTransaction({
+                accountAddress: this.activeAccountAddress,
+                authToken: (_b = this.getAuthToken) === null || _b === void 0 ? void 0 : _b.call(this),
+                broadcast: params.broadcast,
+                chainId,
+                functionName: params.functionName,
+                inputTypes: params.inputTypes,
+                inputs: params.inputs,
+                programId: params.programId,
+                signedSessionId,
+            });
+        });
+    }
+    /**
+     * List this wallet's Aleo records across all programs (credits + custom
+     * tokens). Delegates into the iframe's DynamicAleoWalletClient.
+     * findOwnedRecords, which uses Provable's hosted RecordScanner. View key
+     * never leaves the iframe.
+     *
+     * Each returned record carries `program_name` + `record_name` so callers
+     * can group/display by token. Credits records additionally get a parsed
+     * `microcredits` field. Other tokens are returned raw — caller parses the
+     * plaintext per program schema.
+     *
+     * First call per wallet registers the view key with Provable (one-time,
+     * cached UUID in iframe IndexedDB). Subsequent calls reuse the UUID.
+     */
+    listOwnedRecords() {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b;
+            this.ensureActiveAccountFromVerifiedCredentials();
+            if (!this.activeAccountAddress) {
+                throw new DynamicError('Active account address is required');
+            }
+            const walletClient = yield this.getWaasWalletClient();
+            const signedSessionId = yield this.requireSignedSessionId();
+            // Pass the currently-selected Aleo network (`'0'` mainnet, `'1'`
+            // testnet) on every call. The iframe routes the scanner instance +
+            // walletState cache by this id; toggling networks at runtime just
+            // lands on the matching scanner. Mirrors the SVM/Stellar pattern of
+            // chainId per call.
+            const chainId = (_a = this.getSelectedNetwork()) === null || _a === void 0 ? void 0 : _a.chainId;
+            return walletClient.findOwnedRecords({
+                accountAddress: this.activeAccountAddress,
+                authToken: (_b = this.getAuthToken) === null || _b === void 0 ? void 0 : _b.call(this),
+                chainId,
+                signedSessionId,
+            });
+        });
+    }
+    /**
+     * Merge the wallet's owned records down — one final record per Aleo
+     * program — by recursively running `<program>/join` two-at-a-time.
+     * Mirrors the basic pairwise strategy from Provable's `example-autojoin`:
+     * at each round we pair records, run joins concurrently, wait for the
+     * outputs to surface from Provable's RecordScanner, and recurse until one
+     * record remains for that program. Odd-one-out is carried forward.
+     *
+     * Cross-program records can't combine on-chain (a `credits.aleo/credits`
+     * record and a `test_usad_stablecoin.aleo/Token` record have different
+     * record types), so the result is always one record per program.
+     *
+     * Fees are sponsored by ANF's Feemaster when its policy covers the
+     * `(programId, 'join')` pair (today: `credits.aleo`). Programs not in
+     * the policy fall through to the user-paid path inside `proveTransaction`.
+     *
+     * Today: only `credits.aleo` is allowed end-to-end. Stablecoin / ARC-21
+     * joins are blocked on snarkVM's `Stack::authorize_request` credits-only
+     * check — Provable is tracking the relaxation. Until then non-credits
+     * programs are reported as `skipped: 'unsupported'` rather than thrown,
+     * so callers can iterate the result and surface what merged vs. what
+     * didn't without try/catch noise.
+     *
+     * @param opts.programIds  Programs to merge. Omit (default) to merge
+     *   every owned program with ≥2 records. Programs with <2 records are
+     *   reported as `skipped: 'insufficient_records'`.
+     * @param opts.filterRecord  Optional per-record predicate that narrows
+     *   the candidate set BEFORE pairing. Used by ARC-21 where one program
+     *   (`token_registry.aleo`) hosts many tokens — the on-chain `join`
+     *   refuses to combine records with different `token_id` fields, so we
+     *   filter by token_id first and never broadcast a doomed merge.
+     */
+    joinRecords(opts) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a;
+            this.ensureActiveAccountFromVerifiedCredentials();
+            if (!this.activeAccountAddress) {
+                throw new DynamicError('Active account address is required');
+            }
+            const byProgram = yield this.fetchAndGroupOwnedRecords(opts === null || opts === void 0 ? void 0 : opts.filterRecord);
+            // Caller-supplied list takes precedence; default merges every program
+            // we observed. We process programs sequentially so Feemaster quota and
+            // logs stay readable — concurrency lives inside each program's
+            // pairwise round (`Promise.all` over pairs).
+            const requested = (opts === null || opts === void 0 ? void 0 : opts.programIds) && opts.programIds.length > 0
+                ? opts.programIds
+                : [...byProgram.keys()];
+            const results = [];
+            for (const programId of requested) {
+                const records = (_a = byProgram.get(programId)) !== null && _a !== void 0 ? _a : [];
+                results.push(yield this.processProgramJoin(programId, records));
+            }
+            return { results };
+        });
+    }
+    /**
+     * Pre-fork: only `credits.aleo` made it past `Stack::authorize_request`.
+     * Post-fork (Roy's snarkVM @32ad6c4 + the file:-overrides in
+     * dynamic-waas-sdk's pnpm workspace), stablecoin joins authorize too.
+     * Programs that *aren't* credits and aren't a known stablecoin still
+     * 404 on shape — we'd hit `record name doesn't match` or similar
+     * mid-MPC, which is wasteful, so we keep an allowlist.
+     */
+    processProgramJoin(programId, records) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!isJoinSupportedProgram(programId)) {
+                return { programId, rounds: 0, skipped: 'unsupported' };
+            }
+            if (records.length < 2) {
+                return { programId, rounds: 0, skipped: 'insufficient_records' };
+            }
+            try {
+                const { rounds, finalRecordPlaintext } = yield this.joinProgramRecords(programId, records);
+                return { finalRecordPlaintext, programId, rounds };
+            }
+            catch (err) {
+                return {
+                    error: err instanceof Error ? err.message : String(err),
+                    programId,
+                    rounds: 0,
+                };
+            }
+        });
+    }
+    /**
+     * Reads the wallet's owned records, applies the optional caller predicate,
+     * and groups by program. The `filterRecord` predicate runs first so callers
+     * can scope the merge to a sub-set within a program (ARC-21 token_id filter).
+     */
+    fetchAndGroupOwnedRecords(filterRecord) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a;
+            const allRecords = (yield this.listOwnedRecords()).records
+                .filter(hasUsableRecordShape)
+                .filter((r) => (filterRecord ? filterRecord(r) : true));
+            const byProgram = new Map();
+            for (const r of allRecords) {
+                const list = (_a = byProgram.get(r.program_name)) !== null && _a !== void 0 ? _a : [];
+                list.push(r);
+                byProgram.set(r.program_name, list);
+            }
+            return byProgram;
+        });
+    }
+    /**
+     * Pairwise-merges `records` (all from `programId`) until one remains.
+     * Each round runs every pair's join concurrently, then polls the
+     * RecordScanner until the round's output records have surfaced.
+     * Caller validates the list shape and ≥2 length.
+     *
+     * We track every plaintext we've consumed across the entire call in
+     * `consumedAcrossCall` and exclude them from each poll result. Provable's
+     * RecordScanner indexes a transaction's new outputs and its spent inputs
+     * separately — outputs typically surface 5–15 s after broadcast, but the
+     * spend index for the consumed inputs can lag much longer (we've seen
+     * 30 s+). Without local consumed-tracking, polling either (a) waits for
+     * the laggy spend index, slowing every round to its slowest piece, or
+     * (b) lets a stale consumed record leak into the next round's polling
+     * and mis-count it as a fresh output.
+     *
+     * Per-program shape (record name + input types) comes from
+     * `joinShapeForProgram(programId)`. Today that supports `credits.aleo`
+     * and the four Sealance-compliant stablecoin program ids; extending
+     * to ARC-21 / token_registry would be another entry there.
+     */
+    joinProgramRecords(programId, records) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b, _c;
+            const { recordTypeLiteral, expectedRecordName } = joinShapeForProgram(programId);
+            const inputTypes = [recordTypeLiteral, recordTypeLiteral];
+            const consumedAcrossCall = new Set();
+            let current = records;
+            let rounds = 0;
+            while (current.length > 1) {
+                rounds += 1;
+                const pairs = [];
+                for (let i = 0; i + 1 < current.length; i += 2) {
+                    pairs.push([current[i], current[i + 1]]);
+                }
+                const carry = current.length % 2 === 1 ? [current[current.length - 1]] : [];
+                // Mark these plaintexts consumed BEFORE broadcasting so subsequent
+                // polls (this round and any future rounds) ignore them no matter
+                // how stale the scanner's spend-index is.
+                for (const [a, b] of pairs) {
+                    consumedAcrossCall.add(a.record_plaintext);
+                    consumedAcrossCall.add(b.record_plaintext);
+                }
+                const knownPlaintextsBeforeRound = new Set(current.map((r) => r.record_plaintext));
+                (_b = (_a = this.logger).debug) === null || _b === void 0 ? void 0 : _b.call(_a, `[joinRecords:${programId}] round ${rounds}: pairs=${pairs.length}, carry=${carry.length}`);
+                yield Promise.all(pairs.map((_d) => __awaiter(this, [_d], void 0, function* ([a, b]) {
+                    var _e, _f;
+                    const { txId } = yield this.proveTransaction({
+                        broadcast: true,
+                        functionName: 'join',
+                        inputTypes,
+                        inputs: [a.record_plaintext, b.record_plaintext],
+                        programId,
+                    });
+                    (_f = (_e = this.logger).debug) === null || _f === void 0 ? void 0 : _f.call(_e, `[joinRecords:${programId}] round ${rounds} pair joined: txId=${txId !== null && txId !== void 0 ? txId : '(none)'}`);
+                })));
+                const next = yield this.waitForJoinRoundOutputs({
+                    consumedAcrossCall,
+                    expectedNewCount: pairs.length,
+                    expectedProgramName: programId,
+                    expectedRecordName,
+                    knownPlaintextsBeforeRound,
+                });
+                current = [...next, ...carry];
+            }
+            return {
+                finalRecordPlaintext: (_c = current[0]) === null || _c === void 0 ? void 0 : _c.record_plaintext,
+                rounds,
+            };
+        });
+    }
+    /**
+     * Polls `listOwnedRecords` until `expectedNewCount` previously-unseen
+     * records of the right program/record-name have surfaced. We do NOT
+     * wait for the scanner to mark consumed inputs as spent — that index
+     * is independently delayed, and waiting on it stalls rounds whose
+     * outputs are already visible. `consumedAcrossCall` is the local-spent
+     * set tracked in `joinProgramRecords`; we filter against it explicitly.
+     */
+    waitForJoinRoundOutputs(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b;
+            const { consumedAcrossCall, expectedNewCount, expectedProgramName, expectedRecordName, knownPlaintextsBeforeRound, } = args;
+            const POLL_INTERVAL_MS = 2000;
+            const TIMEOUT_MS = 120000;
+            const start = Date.now();
+            const isMatch = (r) => {
+                const rec = r;
+                return ((rec === null || rec === void 0 ? void 0 : rec.program_name) === expectedProgramName &&
+                    (rec === null || rec === void 0 ? void 0 : rec.record_name) === expectedRecordName &&
+                    typeof (rec === null || rec === void 0 ? void 0 : rec.record_plaintext) === 'string' &&
+                    rec.record_plaintext.length > 0);
+            };
+            while (Date.now() - start < TIMEOUT_MS) {
+                const { records } = yield this.listOwnedRecords();
+                const fresh = records
+                    .filter(isMatch)
+                    .filter((r) => !consumedAcrossCall.has(r.record_plaintext))
+                    .filter((r) => !knownPlaintextsBeforeRound.has(r.record_plaintext));
+                if (fresh.length >= expectedNewCount) {
+                    return fresh;
+                }
+                (_b = (_a = this.logger).debug) === null || _b === void 0 ? void 0 : _b.call(_a, `[joinRecords:${expectedProgramName}] polling: fresh=${fresh.length}/${expectedNewCount}`);
+                yield new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+            }
+            throw new DynamicError(`joinRecords timed out waiting for ${expectedProgramName} joined outputs from RecordScanner. The transactions may have broadcast successfully — try calling joinRecords again after the network settles.`);
+        });
+    }
+    /**
+     * Returns the IUITransaction the widget's Send flow drives. Implementing
+     * this method is the *only* signal the widget needs to render the "Send"
+     * button next to "Deposit" — `isSendBalanceWalletConnector` is duck-typed
+     * on the presence of `createUiTransaction`.
+     *
+     * The widget's send view picks one token from the per-network registry
+     * (credits + USAD/USDCx always; mainnet additionally exposes 5 ARC-21
+     * hyp_warp tokens). At submit time the picked token's `programKind`
+     * drives the transition signature:
+     *
+     *  - `credits`     → `credits.aleo/transfer_private(_to_public)`,
+     *                    inputs `[record, recipient, amount]` (u64).
+     *  - `stablecoin`  → `<token>.aleo/transfer_private(_to_public)`,
+     *                    inputs `[recipient, amount, record]` (u128). The
+     *                    iframe appends a Sealance freeze-list exclusion
+     *                    proof + its `[MerkleProof; 2u32].private` type
+     *                    automatically.
+     *  - `arc21`       → `token_registry.aleo/transfer_private(_to_public)`,
+     *                    inputs `[recipient, amount, record]` (u128). The
+     *                    token_id is encoded inside the record plaintext;
+     *                    the transition signature does NOT take it as an
+     *                    explicit argument.
+     *
+     * Submission path: AleoUiTransaction.submit → onSubmit closure below →
+     * this.proveTransaction → iframe (Sodot MPC sign + optional Sealance
+     * proof injection) → Feemaster (when policy covers it) → Provable DPS
+     * (proves + broadcasts) → returns txId.
+     */
+    createUiTransaction(from) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a;
+            yield this.validateActiveWallet(from);
+            // Aleo network ids: 0 = mainnet, 1 = testnet. The registry is keyed
+            // by these numeric ids; the connector exposes them via
+            // `getSelectedNetwork().chainId` (string-or-number depending on env
+            // config). Default to testnet when unset — the widget is already
+            // gating on a connected wallet so this only matters during the
+            // brief window before the network selection has hydrated.
+            const networkChainId = (_a = this.getSelectedNetwork()) === null || _a === void 0 ? void 0 : _a.chainId;
+            const networkId = typeof networkChainId === 'number'
+                ? networkChainId
+                : Number(networkChainId !== null && networkChainId !== void 0 ? networkChainId : 1);
+            return new AleoUiTransaction({
+                from,
+                // Merge CTA: scope the join to the selected token. For credits +
+                // stablecoins the program id alone is enough. For ARC-21 the
+                // program (`token_registry.aleo`) hosts many tokens, so we
+                // additionally pass a token_id-aware predicate — without it the
+                // pairwise join would try to combine records of different tokens
+                // and the on-chain `join` would reject.
+                joinAllRecordsForToken: (token) => __awaiter(this, void 0, void 0, function* () {
+                    this.activeAccountAddress = from;
+                    const filterRecord = token.programKind === 'arc21' && token.tokenId
+                        ? (r) => typeof r.record_plaintext === 'string' &&
+                            r.record_plaintext.includes(`token_id: ${token.tokenId}`)
+                        : undefined;
+                    yield this.joinRecords({
+                        filterRecord,
+                        programIds: [token.programId],
+                    });
+                }),
+                // Surfaces every owned record (across all programs) to the
+                // transaction. AleoUiTransaction filters per selected token via
+                // `recordMatchesSendableToken`, including the ARC-21 token_id
+                // check on the record plaintext.
+                listOwnedRecords: () => __awaiter(this, void 0, void 0, function* () {
+                    this.activeAccountAddress = from;
+                    const { records } = yield this.listOwnedRecords();
+                    return records;
+                }),
+                networkId,
+                onSubmit: (_b) => __awaiter(this, [_b], void 0, function* ({ mode, to, value, recordPlaintext, token, }) {
+                    // The proveTransaction path keys off `this.activeAccountAddress`,
+                    // which validateActiveWallet has already aligned with `from`.
+                    // Setting it explicitly keeps the contract obvious to readers.
+                    this.activeAccountAddress = from;
+                    const { functionName, inputs, inputTypes } = buildTransferInputs({
+                        mode,
+                        recordPlaintext,
+                        to,
+                        token,
+                        value,
+                    });
+                    const result = yield this.proveTransaction({
+                        broadcast: true,
+                        functionName,
+                        inputTypes,
+                        inputs,
+                        programId: token.programId,
+                    });
+                    if (!result.txId) {
+                        throw new DynamicError('Aleo transfer broadcast did not return a transaction id.');
+                    }
+                    return result.txId;
+                }),
+            });
+        });
+    }
+    /**
+     * True when the given token is registered as shieldable on the
+     * currently-selected Aleo network. The widget's Unshielded tab uses this
+     * to gate the "Shield Manually" CTA — unregistered tokens (e.g. random
+     * third-party Aleo programs surfaced by the redcoast public-balance feed)
+     * don't get a CTA they couldn't successfully act on.
+     *
+     * Native ALEO doesn't have a contract address in redcoast's public-balance
+     * feed (it surfaces as `isNative: true` with a sentinel like `'0x0'`),
+     * so we recognise it via `isNative` and fall back to the registry's
+     * `credits.aleo` entry when the literal address misses.
+     */
+    canShieldToken(token) {
+        return Boolean(this.resolveShieldableToken(token));
+    }
+    /**
+     * True when the Feemaster currently sponsors a shield (
+     * `transfer_public_to_private`) of the given token. Wraps the generic
+     * `isFeemasterSponsored` and looks up the token's `programId` from the
+     * shieldable registry. Used by the widget to decide whether the
+     * "Shield Manually" CTA can dispatch silently or needs a user-paid fee
+     * confirmation modal first.
+     */
+    isShieldSponsored(token) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const resolved = this.resolveShieldableToken(token);
+            if (!resolved)
+                return false;
+            return this.isFeemasterSponsored({
+                functionName: 'transfer_public_to_private',
+                programId: resolved.programId,
+            });
+        });
+    }
+    /**
+     * True when ANF's Feemaster policy currently sponsors `(programId,
+     * functionName)` on the connector-selected network. Used by the widget
+     * to decide whether to show a user-paid confirmation modal before a
+     * shield/send/join. Generic — applies to any (program, function) pair,
+     * not shield-specific. Never throws — returns `false` on any failure so
+     * callers default to "show modal" rather than silently dispatching.
+     */
+    isFeemasterSponsored(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a;
+            const walletClient = yield this.getWaasWalletClient();
+            if (!walletClient)
+                return false;
+            const chainId = (_a = this.getSelectedNetwork()) === null || _a === void 0 ? void 0 : _a.chainId;
+            try {
+                return yield walletClient.isAleoFeemasterCovered({
+                    chainId,
+                    functionName: args.functionName,
+                    programId: args.programId,
+                });
+            }
+            catch (_b) {
+                return false;
+            }
+        });
+    }
+    resolveShieldableToken(token) {
+        var _a;
+        const networkChainId = (_a = this.getSelectedNetwork()) === null || _a === void 0 ? void 0 : _a.chainId;
+        const networkId = typeof networkChainId === 'number'
+            ? networkChainId
+            : Number(networkChainId !== null && networkChainId !== void 0 ? networkChainId : 1);
+        if (token.address) {
+            const direct = findAleoShieldableToken(networkId, token.address);
+            if (direct)
+                return direct;
+        }
+        if (token.isNative) {
+            return findAleoShieldableToken(networkId, 'credits.aleo');
+        }
+        return undefined;
+    }
+    /**
+     * Shield (`transfer_public_to_private`) `amount` of the given token from
+     * the wallet's public balance into a fresh private record owned by self.
+     * Drives the widget's "Shield Manually" CTA on the Unshielded tab.
+     *
+     * `amount` is in the token's atomic units (microcredits for credits;
+     * `10^decimals` for stablecoin / ARC-21). The connector resolves the
+     * shield-shape registry by `tokenAddress` (matching the unshielded
+     * `TokenBalance.address` redcoast surfaces). Recipient is always self.
+     *
+     * Throws `DynamicError` if the token has no shield shape registered for
+     * the current network — those tokens shouldn't have rendered the CTA in
+     * the first place, but the throw is a safety net against a stale UI
+     * state slipping a doomed transaction past us.
+     */
+    shieldToken(args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.ensureActiveAccountFromVerifiedCredentials();
+            if (!this.activeAccountAddress) {
+                throw new DynamicError('Active account address is required');
+            }
+            if (args.amount <= BigInt(0)) {
+                throw new DynamicError('Shield amount must be > 0.');
+            }
+            const token = this.resolveShieldableToken({
+                address: args.tokenAddress,
+                isNative: args.isNative,
+            });
+            if (!token) {
+                throw new DynamicError(`shieldToken: ${args.tokenAddress} is not a registered shieldable Aleo token on the current network.`);
+            }
+            const { functionName, inputs, inputTypes } = buildShieldInputs({
+                to: this.activeAccountAddress,
+                token,
+                value: args.amount,
+            });
+            const result = yield this.proveTransaction({
+                broadcast: true,
+                functionName,
+                inputTypes,
+                inputs,
+                programId: token.programId,
+            });
+            if (!result.txId) {
+                throw new DynamicError('Aleo shield broadcast did not return a transaction id.');
+            }
+            return result.txId;
+        });
+    }
+    endSession(reason) {
+        const _super = Object.create(null, {
+            endSession: { get: () => super.endSession }
+        });
+        return __awaiter(this, void 0, void 0, function* () {
+            yield _super.endSession.call(this, reason);
+            this.activeAccountAddress = undefined;
+        });
+    }
+    getProvider() {
+        return undefined;
+    }
+}
+
+export { DynamicWaasAleoConnector };