@provablehq/sdk 0.10.5 → 0.11.0

package/dist/mainnet/browser.cjs

@@ -5,6 +5,431 @@ var mainnet_js = require('@provablehq/wasm/mainnet.js');
 var nobleSodium = require('@serenity-kit/noble-sodium');
 var base = require('@scure/base');
 
+const LEVEL_PRIORITY = {
+    silent: 0,
+    error: 1,
+    warn: 2,
+    info: 3,
+    debug: 4,
+};
+let currentLevel = "info";
+/**
+ * Set the SDK log level. Levels are hierarchical:
+ * - "silent" — suppress all SDK logging
+ * - "error"  — only errors
+ * - "warn"   — errors + warnings
+ * - "info"   — errors + warnings + info (default)
+ * - "debug"  — everything including debug traces
+ *
+ * This controls both TS-side and WASM-side logging. WASM log calls
+ * (e.g., "Loading program", "Executing program") are silenced when
+ * the level is below "info".
+ */
+function setLogLevel(level) {
+    currentLevel = level;
+    Promise.resolve().then(function () { return require('./wasm.cjs'); })
+        .then(({ setWasmLogLevel }) => setWasmLogLevel(LEVEL_PRIORITY[level]))
+        .catch(() => { }); // WASM not loaded yet — will use default level (info)
+}
+/** Returns the current SDK log level. */
+function getLogLevel() {
+    return currentLevel;
+}
+function shouldLog(level) {
+    return LEVEL_PRIORITY[level] <= LEVEL_PRIORITY[currentLevel];
+}
+/**
+ * SDK logger object following console.log/warn/error/debug syntax.
+ * Respects the current log level set via setLogLevel().
+ */
+const logger = {
+    log(...args) {
+        if (shouldLog("info"))
+            console.log(...args);
+    },
+    warn(...args) {
+        if (shouldLog("warn"))
+            console.warn(...args);
+    },
+    error(...args) {
+        if (shouldLog("error"))
+            console.error(...args);
+    },
+    debug(...args) {
+        if (shouldLog("debug"))
+            console.debug(...args);
+    },
+};
+
+/**
+ * Error thrown when a key locator is invalid for filesystem use.
+ * Used to prevent path traversal and other filesystem injection when deriving paths from locators.
+ *
+ * @extends Error
+ */
+class InvalidLocatorError extends Error {
+    locator;
+    reason;
+    /**
+     * @param message - Human-readable description of the validation failure.
+     * @param locator - The invalid locator string that failed validation.
+     * @param reason - Machine-readable reason code for the failure.
+     */
+    constructor(message, locator, reason) {
+        super(message);
+        this.locator = locator;
+        this.reason = reason;
+        this.name = "InvalidLocatorError";
+        Object.setPrototypeOf(this, InvalidLocatorError.prototype);
+    }
+}
+
+/**
+ * Error thrown when there is a mismatch between expected and actual key metadata.
+ * This can occur during verification of either the checksum or size of a key.
+ *
+ * @extends Error
+ */
+class KeyVerificationError extends Error {
+    locator;
+    field;
+    expected;
+    actual;
+    /**
+     * Creates a new KeyVerificationError instance (error.name is "ChecksumMismatchError").
+     *
+     * @param {string} locator - The key locator where the mismatch occurred.
+     * @param {"checksum" | "size"} field - The field that failed verification (either "checksum" or "size").
+     * @param {string} expected - The expected value of the field.
+     * @param {string} actual - The actual value encountered.
+     */
+    constructor(locator, field, expected, actual) {
+        super(`Key verification ${locator} ${field} mismatch: expected ${expected}, got ${actual}`);
+        this.locator = locator;
+        this.field = field;
+        this.expected = expected;
+        this.actual = actual;
+        this.name = "ChecksumMismatchError";
+        Object.setPrototypeOf(this, KeyVerificationError.prototype);
+    }
+}
+/**
+ * Computes the SHA-256 checksum of a given set of bytes.
+ *
+ * @param {Uint8Array} bytes - The bytes to compute the checksum of.
+ */
+async function sha256Hex(bytes) {
+    const hash = await crypto.subtle.digest("SHA-256", bytes);
+    return Array.from(new Uint8Array(hash))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+
+/**
+ * In-memory implementation of KeyVerifier that stores and verifies key fingerprints.
+ * Provides functionality to compute and verify cryptographic checksums of keys, storing them
+ * in memory for subsequent verification. This implementation is primarily used for testing
+ * and development purposes where persistence is not required.
+ *
+ * Key features:
+ * - Computes SHA-256 checksums and sizes for key bytes.
+ * - Stores key fingerprints in memory using string locators.
+ * - Verifies key bytes against stored or provided fingerprints.
+ *
+ * @implements {KeyVerifier}
+ */
+class MemKeyVerifier {
+    keyStore = {};
+    /**
+     * Computes and optionally stores key metadata. If a keyFingerprint is provided, this function will verify the computed checksum against it before storing it.
+     *
+     * @param {KeyMetadata} keyMetadata - Object containing key bytes and optional verification data.
+     * @throws {KeyVerificationError} When provided keyFingerprint doesn't match computed values.
+     * @returns {Promise<KeyFingerprint>} Computed key metadata.
+     */
+    async computeKeyMetadata(keyMetadata) {
+        // Compute the metadata from the key bytes
+        const computedFingerprint = {
+            checksum: await sha256Hex(keyMetadata.keyBytes),
+            size: keyMetadata.keyBytes.length
+        };
+        // If a KeyFingerprint is provided, verify it matches computed values.
+        if (keyMetadata.fingerprint) {
+            if (keyMetadata.fingerprint.size !== computedFingerprint.size) {
+                throw new KeyVerificationError(keyMetadata.locator ? keyMetadata.locator : "", "size", String(keyMetadata.fingerprint.size), String(computedFingerprint.size));
+            }
+            if (keyMetadata.fingerprint.checksum !== computedFingerprint.checksum) {
+                throw new KeyVerificationError(keyMetadata.locator ? keyMetadata.locator : "", "checksum", keyMetadata.fingerprint.checksum, computedFingerprint.checksum);
+            }
+        }
+        // If locator is provided, store only the fingerprint
+        if (keyMetadata.locator) {
+            this.keyStore[keyMetadata.locator] = computedFingerprint;
+        }
+        return computedFingerprint;
+    }
+    /**
+     * Verifies key bytes against stored or provided metadata. Follows a priority verification scheme:
+     * 1. If KeyFingerprint is provided in the metadata, this method verifies against that first.
+     * 2. If a locator is provided, attempts to verify against stored fingerprint.
+     * 3. If neither is available, throws an error.
+     *
+     * @param {KeyMetadata} keyMetadata - Object containing the key bytes and optional verification metadata.
+     * @throws {Error} When neither fingerprint nor valid locator is provided for verification.
+     * @throws {KeyVerificationError} When size or checksum verification fails.
+     * @returns {Promise<void>} Promise that resolves when verification succeeds.
+     */
+    async verifyKeyBytes(keyMetadata) {
+        if (!keyMetadata.keyBytes) {
+            throw new Error("Key bytes must be provided for verification.");
+        }
+        // Compute the fingerprint for the provided bytes.
+        const computedFingerprint = await this.computeKeyMetadata({
+            keyBytes: keyMetadata.keyBytes
+        });
+        // Determine which fingerprint to verify against.
+        let fingerprintToVerify;
+        if (keyMetadata.fingerprint) {
+            // If a key fingerprint is provided, use it.
+            fingerprintToVerify = keyMetadata.fingerprint;
+        }
+        else if (keyMetadata.locator) {
+            // Otherwise try to get stored fingerprint by locator.
+            fingerprintToVerify = this.keyStore[keyMetadata.locator];
+        }
+        if (!fingerprintToVerify) {
+            throw new Error("Either fingerprint or a valid locator must be provided for verification.");
+        }
+        // Verify the key size.
+        if (fingerprintToVerify.size !== computedFingerprint.size) {
+            throw new KeyVerificationError(keyMetadata.locator || "", "size", String(fingerprintToVerify.size), String(computedFingerprint.size));
+        }
+        // Verify the key checksum.
+        if (fingerprintToVerify.checksum !== computedFingerprint.checksum) {
+            throw new KeyVerificationError(keyMetadata.locator || "", "checksum", fingerprintToVerify.checksum, computedFingerprint.checksum);
+        }
+    }
+}
+
+/**
+ * Browser-compatible {@link KeyStore} backed by IndexedDB.
+ *
+ * This is the browser counterpart to {@link LocalFileKeyStore} (which requires Node.js `fs`).
+ * It persists proving and verifying keys across page reloads and browser sessions using the
+ * IndexedDB API available in all modern browsers and Web Workers.
+ *
+ * **Environment**: Browser / Web Worker only. Instantiating this class is safe in any
+ * environment, but the first IndexedDB operation will reject with a clear error when
+ * `globalThis.indexedDB` is not available (e.g., Node.js, SSR contexts). Guard your
+ * imports accordingly if you bundle for server-side rendering.
+ *
+ * **Security**: Keys are stored as plaintext `Uint8Array` in IndexedDB. Any script
+ * running on the same origin — including scripts injected via XSS — can read the stored
+ * proving and verifying keys. Do **not** use this keystore for data that must remain
+ * confidential under an XSS-capable adversary; encrypt sensitive material at the
+ * application layer before persisting, or use an in-memory store.
+ *
+ * @example
+ * ```ts
+ * import { IndexedDBKeyStore, ProgramManager } from "@provablehq/sdk";
+ *
+ * const keyStore = new IndexedDBKeyStore();
+ * const pm = new ProgramManager();
+ * pm.setKeyStore(keyStore);
+ * // Keys synthesized during execution are now cached in IndexedDB
+ * // and reloaded automatically on subsequent runs.
+ * ```
+ */
+class IndexedDBKeyStore {
+    dbName;
+    storeName = "keys";
+    keyVerifier = new MemKeyVerifier();
+    dbPromise = null;
+    /**
+     * @param dbName IndexedDB database name. Defaults to `"aleo-keystore"`.
+     */
+    constructor(dbName = "aleo-keystore") {
+        this.dbName = dbName;
+    }
+    // -------------------------------------------------------
+    // IndexedDB helpers
+    // -------------------------------------------------------
+    /** Opens (or creates) the database, returning a cached promise. */
+    openDB() {
+        if (this.dbPromise)
+            return this.dbPromise;
+        // Env check sits outside the Promise constructor so a failure doesn't
+        // poison the cache; a later call (e.g. after a polyfill loads) can retry.
+        if (typeof indexedDB === "undefined") {
+            return Promise.reject(new Error("IndexedDBKeyStore requires a browser or Web Worker environment: " +
+                "`indexedDB` is not defined. If you are in Node.js or an SSR " +
+                "context, use LocalFileKeyStore or an in-memory key provider instead."));
+        }
+        this.dbPromise = new Promise((resolve, reject) => {
+            const request = indexedDB.open(this.dbName, 1);
+            request.onupgradeneeded = () => {
+                const db = request.result;
+                if (!db.objectStoreNames.contains(this.storeName)) {
+                    db.createObjectStore(this.storeName, { keyPath: "locator" });
+                }
+            };
+            request.onsuccess = () => resolve(request.result);
+            request.onerror = () => {
+                this.dbPromise = null;
+                reject(request.error);
+            };
+            request.onblocked = () => {
+                this.dbPromise = null;
+                reject(new DOMException("Database open blocked", "AbortError"));
+            };
+        });
+        return this.dbPromise;
+    }
+    /** Runs a single read-write transaction and returns the request result. */
+    async tx(mode, fn) {
+        const db = await this.openDB();
+        return new Promise((resolve, reject) => {
+            const txn = db.transaction(this.storeName, mode);
+            const store = txn.objectStore(this.storeName);
+            const req = fn(store);
+            let result;
+            req.onsuccess = () => { result = req.result; };
+            txn.oncomplete = () => resolve(result);
+            txn.onerror = () => reject(txn.error);
+            txn.onabort = () => reject(txn.error ?? new DOMException("Transaction aborted", "AbortError"));
+        });
+    }
+    // -------------------------------------------------------
+    // Locator serialization (mirrors LocalFileKeyStore)
+    // -------------------------------------------------------
+    validateComponent(value, label) {
+        if (value === "" || value === ".") {
+            throw new InvalidLocatorError(`KeyLocator ${label} must not be empty or "." (got "${value}")`, value, "reserved_name");
+        }
+        if (value.includes("..")) {
+            throw new InvalidLocatorError(`KeyLocator ${label} must not contain ".." (got "${value}")`, value, "path_traversal");
+        }
+        if (value.includes("/") || value.includes("\\") || value.includes("\0")) {
+            throw new InvalidLocatorError(`KeyLocator ${label} must not contain path separators or null bytes (got "${value}")`, value, "path_separator");
+        }
+    }
+    validateNonNegative(value, label) {
+        if (!Number.isInteger(value) || value < 0) {
+            throw new InvalidLocatorError(`KeyLocator ${label} must be a non-negative integer (got ${value})`, String(value), "negative_value");
+        }
+    }
+    serializeLocator(locator) {
+        this.validateComponent(locator.program, "program");
+        this.validateComponent(locator.functionName, "functionName");
+        this.validateComponent(locator.network, "network");
+        this.validateNonNegative(locator.edition, "edition");
+        this.validateNonNegative(locator.amendment, "amendment");
+        const base = `${locator.program}.${locator.functionName}.e${locator.edition}.a${locator.amendment}.${locator.network}.${locator.keyType}`;
+        if (locator.keyType === "translation") {
+            this.validateComponent(locator.recordName, "recordName");
+            this.validateNonNegative(locator.recordInputPosition, "recordInputPosition");
+            return `${base}.${locator.recordName}.${locator.recordInputPosition}`;
+        }
+        return base;
+    }
+    checksumToFingerprint(checksum, keyBytes) {
+        if (!checksum)
+            return undefined;
+        return { checksum, size: keyBytes.length };
+    }
+    // -------------------------------------------------------
+    // KeyStore interface
+    // -------------------------------------------------------
+    async getKeyBytes(locator) {
+        const key = this.serializeLocator(locator);
+        const record = await this.tx("readonly", (store) => store.get(key));
+        if (!record)
+            return null;
+        const fingerprint = this.checksumToFingerprint(locator.checksum, record.bytes) ?? record.metadata;
+        if (fingerprint) {
+            await this.keyVerifier.verifyKeyBytes({
+                keyBytes: record.bytes,
+                locator: key,
+                fingerprint,
+            });
+        }
+        return record.bytes;
+    }
+    async getProvingKey(locator) {
+        const bytes = await this.getKeyBytes(locator);
+        if (!bytes)
+            return null;
+        return mainnet_js.ProvingKey.fromBytes(bytes);
+    }
+    async getVerifyingKey(locator) {
+        const bytes = await this.getKeyBytes(locator);
+        if (!bytes)
+            return null;
+        return mainnet_js.VerifyingKey.fromBytes(bytes);
+    }
+    async setKeys(proverLocator, verifierLocator, keys) {
+        const proverKey = this.serializeLocator(proverLocator);
+        const verifierKey = this.serializeLocator(verifierLocator);
+        const [provingKey, verifyingKey] = keys;
+        const [provingKeyBytes, verifyingKeyBytes] = [
+            provingKey.toBytes(),
+            verifyingKey.toBytes(),
+        ];
+        const [proverFingerprint, verifierFingerprint] = await Promise.all([
+            this.keyVerifier.computeKeyMetadata({
+                keyBytes: provingKeyBytes,
+                locator: proverKey,
+                fingerprint: this.checksumToFingerprint(proverLocator.checksum, provingKeyBytes),
+            }),
+            this.keyVerifier.computeKeyMetadata({
+                keyBytes: verifyingKeyBytes,
+                locator: verifierKey,
+                fingerprint: this.checksumToFingerprint(verifierLocator.checksum, verifyingKeyBytes),
+            }),
+        ]);
+        const proverRecord = { locator: proverKey, bytes: provingKeyBytes, metadata: proverFingerprint };
+        const verifierRecord = { locator: verifierKey, bytes: verifyingKeyBytes, metadata: verifierFingerprint };
+        // Write both in a single transaction for atomicity.
+        const db = await this.openDB();
+        await new Promise((resolve, reject) => {
+            const txn = db.transaction(this.storeName, "readwrite");
+            const store = txn.objectStore(this.storeName);
+            store.put(proverRecord);
+            store.put(verifierRecord);
+            txn.oncomplete = () => resolve();
+            txn.onerror = () => reject(txn.error);
+            txn.onabort = () => reject(txn.error ?? new DOMException("Transaction aborted", "AbortError"));
+        });
+    }
+    async setKeyBytes(keyBytes, locator) {
+        const key = this.serializeLocator(locator);
+        const computedMetadata = await this.keyVerifier.computeKeyMetadata({
+            keyBytes,
+            locator: key,
+            fingerprint: this.checksumToFingerprint(locator.checksum, keyBytes),
+        });
+        const record = { locator: key, bytes: keyBytes, metadata: computedMetadata };
+        await this.tx("readwrite", (store) => store.put(record));
+    }
+    async getKeyMetadata(locator) {
+        const key = this.serializeLocator(locator);
+        const record = await this.tx("readonly", (store) => store.get(key));
+        return record?.metadata ?? null;
+    }
+    async has(locator) {
+        const key = this.serializeLocator(locator);
+        const count = await this.tx("readonly", (store) => store.count(IDBKeyRange.only(key)));
+        return count > 0;
+    }
+    async delete(locator) {
+        const key = this.serializeLocator(locator);
+        await this.tx("readwrite", (store) => store.delete(key));
+    }
+    async clear() {
+        await this.tx("readwrite", (store) => store.clear());
+    }
+}
+
 /**
  * Encrypt an authorization with a cryptobox X25519 public key (libsodium-compatible wire format).
  *
@@ -164,7 +589,7 @@ class Account {
             this._privateKey = this.privateKeyFromParams(params);
         }
         catch (e) {
-            console.error("Wrong parameter", e);
+            logger.error("Wrong parameter", e);
             throw new Error("Wrong Parameter");
         }
         this._viewKey = mainnet_js.ViewKey.from_private_key(this._privateKey);
@@ -635,7 +1060,7 @@ function environment() {
     }
 }
 function logAndThrow(message) {
-    console.error(message);
+    logger.error(message);
     throw new Error(message);
 }
 /** Default transport — wraps global fetch to avoid illegal-invocation errors in browsers. */
@@ -696,7 +1121,7 @@ async function retryWithBackoff(fn, { maxAttempts = 5, baseDelay = 100, jitter,
             const jitterAmount = jitter ?? baseDelay;
             const actualJitter = Math.floor(Math.random() * jitterAmount);
             const delay = baseDelay * 2 ** (attempt - 1) + actualJitter;
-            console.warn(`Retry ${attempt}/${maxAttempts} failed. Retrying in ${delay}ms...`);
+            logger.warn(`Retry ${attempt}/${maxAttempts} failed. Retrying in ${delay}ms...`);
             await new Promise((res) => setTimeout(res, delay));
         }
     }
@@ -865,7 +1290,7 @@ class AleoNetworkClient {
             else {
                 this.headers = {
                     // This is replaced by the actual version by a Rollup plugin
-                    "X-Aleo-SDK-Version": "0.10.5",
+                    "X-Aleo-SDK-Version": "0.11.0",
                     "X-Aleo-environment": environment(),
                 };
             }
@@ -881,7 +1306,7 @@ class AleoNetworkClient {
         else {
             this.headers = {
                 // This is replaced by the actual version by a Rollup plugin
-                "X-Aleo-SDK-Version": "0.10.5",
+                "X-Aleo-SDK-Version": "0.11.0",
                 "X-Aleo-environment": environment(),
             };
         }
@@ -1197,7 +1622,7 @@ class AleoNetworkClient {
                                                                     continue;
                                                                 }
                                                                 catch (error) {
-                                                                    console.log("Found unspent record!");
+                                                                    logger.log("Found unspent record!");
                                                                 }
                                                             }
                                                             // Add the record to the list of records if the user did not specify amounts.
@@ -1257,14 +1682,14 @@ class AleoNetworkClient {
             }
             catch (error) {
                 // If there is an error fetching blocks, log it and keep searching
-                console.warn("Error fetching blocks in range: " +
+                logger.warn("Error fetching blocks in range: " +
                     start.toString() +
                     "-" +
                     end.toString());
-                console.warn("Error: ", error);
+                logger.warn("Error: ", error);
                 failures += 1;
                 if (failures > 10) {
-                    console.warn("10 failures fetching records reached. Returning records fetched so far");
+                    logger.warn("10 failures fetching records reached. Returning records fetched so far");
                     return records;
                 }
             }
@@ -1714,6 +2139,30 @@ class AleoNetworkClient {
             this.ctx = {};
         }
     }
+    /**
+     * Returns the current edition and amendment count for a program.
+     *
+     * @param {string} programId - The program ID (e.g. "hello_hello.aleo")
+     * @returns {{ program_id: string, edition: number, amendment_count: number }}
+     *
+     * @example
+     * const networkClient = new AleoNetworkClient("https://api.provable.com/v2");
+     * const info = await networkClient.getProgramAmendmentCount("hello_hello.aleo");
+     * console.log(info.edition, info.amendment_count);
+     */
+    async getProgramAmendmentCount(programId) {
+        try {
+            this.ctx = { "X-ALEO-METHOD": "getProgramAmendmentCount" };
+            const raw = await this.fetchRaw("/programs/" + programId + "/amendment_count");
+            return JSON.parse(raw);
+        }
+        catch (error) {
+            throw new Error(`Error fetching amendment count for ${programId}: ${error}`);
+        }
+        finally {
+            this.ctx = {};
+        }
+    }
     /**
      * Returns a program object from a program ID or program source code.
      *
@@ -2304,7 +2753,7 @@ class AleoNetworkClient {
         };
     }
     /**
-     * Parses a /prove or /prove/encrypted response. Returns a result object (never throws for 200/400/500/503).
+     * Parses a /prove/authorization or /prove/request response. Returns a result object (never throws for 200/400/500/503).
      */
     async handleProvingResponse(response) {
         // Get the proving response text.
@@ -2365,14 +2814,12 @@ class AleoNetworkClient {
     async submitProvingRequestSafe(options) {
         // Attempt to get the Prover URI first from the options, then from any configured globally, or third try the main configured host.
         const proverUri = (options.url ?? this.proverUri) ?? this.host;
-        const provingRequestString = options.provingRequest instanceof mainnet_js.ProvingRequest
-            ? options.provingRequest.toString()
-            : options.provingRequest;
         // Try to get JWT data to access the Provable API.
         const apiKey = options.apiKey ?? this.apiKey;
         const consumerId = options.consumerId ?? this.consumerId;
         let jwtData = options.jwtData ?? this.jwtData;
-        // Check to see if the JWT needs refreshing.
+        // Check to see if the JWT needs refreshing. Runs before parsing the
+        // proving request so JWT refresh errors propagate as they always have.
         const isExpired = jwtData && Date.now() >= jwtData.expiration - FIVE_MINUTES;
         if (!jwtData || isExpired) {
             if (apiKey && consumerId) {
@@ -2381,7 +2828,7 @@ class AleoNetworkClient {
                 options.jwtData = jwtData;
             }
             else {
-                console.warn('JWT or both apiKey and consumerId are required when using the Provable API');
+                logger.warn('JWT or both apiKey and consumerId are required when using the Provable API');
             }
         }
         // Create the necessary headers to hit the provable api.
@@ -2393,59 +2840,58 @@ class AleoNetworkClient {
         if (jwtData?.jwt) {
             headers["Authorization"] = jwtData.jwt;
         }
-        // Encapsulate the requests in a locally scoped function that can be run with a retry closure.
-        const runRequest = async () => {
-            // If DPS privacy is set, call invoke the encrypted flow.
-            if (options.dpsPrivacy) {
-                // Get an ephemeral public key from a DPS service.
-                const pubKeyResponse = await get(proverUri + "/pubkey", {
-                    headers,
-                    credentials: "include",
-                }, this.transport);
-                // Encrypt the provingRequest.
-                const pubkey = parseJSON(await pubKeyResponse.text());
-                const ciphertext = encryptProvingRequest(pubkey.public_key, mainnet_js.ProvingRequest.fromString(provingRequestString));
-                // Form the expected query a DPS service expects (including the key_id).
-                const payload = {
-                    key_id: pubkey.key_id,
-                    ciphertext: ciphertext,
-                };
-                // We're in node, attempt to set the cookie manually.
-                const cookie = isNode() ? pubKeyResponse.headers.get("set-cookie") : undefined;
-                // Send the encrypted proving request to the DPS service.
-                const res = await this.transport(`${proverUri}/prove/encrypted`, {
-                    method: "POST",
-                    body: JSON.stringify(payload),
-                    headers: {
-                        ...headers,
-                        ...(cookie ? { Cookie: cookie } : {})
-                    },
-                    credentials: "include",
-                });
-                // Properly handle the proving response.
-                return this.handleProvingResponse(res);
-            }
-            // If encrypted usage is not specified use the unencrypted endpoint.
-            const proveEndpoint = proverUri.endsWith("/prove")
-                ? proverUri
-                : proverUri + "/prove";
-            const res = await this.transport(proveEndpoint, {
-                method: "POST",
-                body: provingRequestString,
+        // Send the proving request encrypted (libsodium-compatible sealed box).
+        // Used by both `/prove/authorization` (Authorization variant) and
+        // `/prove/request` (Request variant). The legacy plaintext `/prove`
+        // route is no longer used.
+        const sendEncrypted = async (endpoint, provingRequestObj) => {
+            // Get an ephemeral public key from the DPS.
+            const pubKeyResponse = await get(proverUri + "/pubkey", {
                 headers,
+                credentials: "include",
+            }, this.transport);
+            // Encrypt the provingRequest using the ephemeral pubkey.
+            const pubkey = parseJSON(await pubKeyResponse.text());
+            const ciphertext = encryptProvingRequest(pubkey.public_key, provingRequestObj);
+            const payload = {
+                key_id: pubkey.key_id,
+                ciphertext: ciphertext,
+            };
+            // We're in node, attempt to set the cookie manually.
+            const cookie = isNode() ? pubKeyResponse.headers.get("set-cookie") : undefined;
+            const res = await this.transport(`${proverUri}${endpoint}`, {
+                method: "POST",
+                body: JSON.stringify(payload),
+                headers: {
+                    ...headers,
+                    ...(cookie ? { Cookie: cookie } : {})
+                },
+                credentials: "include",
             });
-            // Properly handle the proving response.
             return this.handleProvingResponse(res);
         };
+        // Parse the proving request once, up front, so the variant the SDK
+        // routes on matches the bytes it will eventually send (a Request-
+        // variant string must hit /prove/request, not /prove/authorization).
+        // A malformed input string throws synchronously — the safe-API
+        // contract only promises to return `{ ok: false, ... }` for HTTP
+        // failures (400/500/503); a parse error is a caller-side bug and
+        // surfacing it as a fake 500 would mislead callers debugging it.
+        // `options.dpsPrivacy` is ignored; the legacy plaintext `/prove`
+        // route is deprecated.
+        const provingRequestObj = options.provingRequest instanceof mainnet_js.ProvingRequest
+            ? options.provingRequest
+            : mainnet_js.ProvingRequest.fromString(options.provingRequest);
+        const endpoint = provingRequestObj.kind() === "request"
+            ? "/prove/request"
+            : "/prove/authorization";
         try {
-            // Run the request with retries.
             return await retryWithBackoff(async () => {
-                // Run the encrypted or non-encrypted flow as specified by the flags.
-                const result = await runRequest();
+                const result = await sendEncrypted(endpoint, provingRequestObj);
                 if (result.ok) {
                     return result;
                 }
-                // If 500s are hit responses are returned, attempt retries.
+                // Retry on 500/503; surface 400 verbatim.
                 if (result.status === 500 || result.status === 503) {
                     const err = new Error(result.error.message);
                     err.status = result.status;
@@ -2455,7 +2901,7 @@ class AleoNetworkClient {
             });
         }
         catch (err) {
-            // If an error is returned, provide usable information to the caller.
+            // HTTP failure inside the retry loop — convert to a result object.
             const e = err;
             return {
                 ok: false,
@@ -2511,10 +2957,10 @@ class AleoNetworkClient {
                         let text = "";
                         try {
                             text = await res.text();
-                            console.warn("Response text from server:", text);
+                            logger.warn("Response text from server:", text);
                         }
                         catch (err) {
-                            console.warn("Failed to read response text:", err);
+                            logger.warn("Failed to read response text:", err);
                         }
                         // If the transaction ID is malformed (e.g. invalid checksum, wrong length),
                         // the API returns a 4XX with "Invalid URL" — we treat this as a fatal error and stop polling.
@@ -2525,7 +2971,7 @@ class AleoNetworkClient {
                             return reject(new Error(`Malformed transaction ID: ${text}`));
                         }
                         // Log and continue polling for 404s or 5XX errors in case a tx doesn't exist yet
-                        console.warn("Non-OK response (retrying):", res.status, text);
+                        logger.warn("Non-OK response (retrying):", res.status, text);
                         return;
                     }
                     const data = parseJSON(await res.text());
@@ -2539,7 +2985,7 @@ class AleoNetworkClient {
                     }
                 }
                 catch (err) {
-                    console.error("Polling error:", err);
+                    logger.error("Polling error:", err);
                 }
             }, checkInterval);
         });
@@ -2547,7 +2993,7 @@ class AleoNetworkClient {
 }
 
 /**
- * Error thrown when a record scanner request fails (e.g. /register, /register/encrypted).
+ * Error thrown when a record scanner request fails (e.g. /register/encrypted).
  * Includes HTTP status so callers can handle 422 vs 500 etc.
  */
 class RecordScannerRequestError extends Error {
@@ -2707,7 +3153,7 @@ class AleoKeyProvider {
      * @returns {FunctionKeyPair} Proving and verifying keys for the specified program
      */
     getKeys(keyId) {
-        console.debug(`Checking if key exists in cache. KeyId: ${keyId}`);
+        logger.debug(`Checking if key exists in cache. KeyId: ${keyId}`);
         if (this.cache.has(keyId)) {
             const [provingKeyBytes, verifyingKeyBytes] = (this.cache.get(keyId));
             return [
@@ -2808,9 +3254,9 @@ class AleoKeyProvider {
                     ];
                 }
                 else {
-                    console.debug("Fetching proving keys from url " + proverUrl);
+                    logger.debug("Fetching proving keys from url " + proverUrl);
                     const provingKey = (mainnet_js.ProvingKey.fromBytes(await this.fetchBytes(proverUrl)));
-                    console.debug("Fetching verifying keys " + verifierUrl);
+                    logger.debug("Fetching verifying keys " + verifierUrl);
                     const verifyingKey = (await this.getVerifyingKey(verifierUrl));
                     this.cache.set(cacheKey, [
                         provingKey.toBytes(),
@@ -2850,7 +3296,7 @@ class AleoKeyProvider {
                     return mainnet_js.ProvingKey.fromBytes(value[0]);
                 }
                 else {
-                    console.debug("Fetching proving keys from url " + proverUrl);
+                    logger.debug("Fetching proving keys from url " + proverUrl);
                     const provingKey = (mainnet_js.ProvingKey.fromBytes(await this.fetchBytes(proverUrl)));
                     return provingKey;
                 }
@@ -3023,172 +3469,22 @@ class AleoKeyProvider {
                 try {
                     /// Try to fetch the verifying key from the network as a string
                     const response = await get(verifierUri, undefined, this.transport);
-                    const text = await response.text();
-                    return mainnet_js.VerifyingKey.fromString(text);
-                }
-                catch (e) {
-                    /// If that fails, try to fetch the verifying key from the network as bytes
-                    try {
-                        return (mainnet_js.VerifyingKey.fromBytes(await this.fetchBytes(verifierUri)));
-                    }
-                    catch (inner) {
-                        throw new Error("Invalid verifying key. Error: " + inner.message);
-                    }
-                }
-        }
-    }
-    unBondPublicKeys() {
-        return this.fetchCreditsKeys(CREDITS_PROGRAM_KEYS.unbond_public);
-    }
-}
-
-/**
- * Error thrown when there is a mismatch between expected and actual key metadata.
- * This can occur during verification of either the checksum or size of a key.
- *
- * @extends Error
- */
-class KeyVerificationError extends Error {
-    locator;
-    field;
-    expected;
-    actual;
-    /**
-     * Creates a new KeyVerificationError instance (error.name is "ChecksumMismatchError").
-     *
-     * @param {string} locator - The key locator where the mismatch occurred.
-     * @param {"checksum" | "size"} field - The field that failed verification (either "checksum" or "size").
-     * @param {string} expected - The expected value of the field.
-     * @param {string} actual - The actual value encountered.
-     */
-    constructor(locator, field, expected, actual) {
-        super(`Key verification ${locator} ${field} mismatch: expected ${expected}, got ${actual}`);
-        this.locator = locator;
-        this.field = field;
-        this.expected = expected;
-        this.actual = actual;
-        this.name = "ChecksumMismatchError";
-        Object.setPrototypeOf(this, KeyVerificationError.prototype);
-    }
-}
-/**
- * Computes the SHA-256 checksum of a given set of bytes.
- *
- * @param {Uint8Array} bytes - The bytes to compute the checksum of.
- */
-async function sha256Hex(bytes) {
-    const hash = await crypto.subtle.digest("SHA-256", bytes);
-    return Array.from(new Uint8Array(hash))
-        .map((b) => b.toString(16).padStart(2, "0"))
-        .join("");
-}
-
-/**
- * In-memory implementation of KeyVerifier that stores and verifies key fingerprints.
- * Provides functionality to compute and verify cryptographic checksums of keys, storing them
- * in memory for subsequent verification. This implementation is primarily used for testing
- * and development purposes where persistence is not required.
- *
- * Key features:
- * - Computes SHA-256 checksums and sizes for key bytes.
- * - Stores key fingerprints in memory using string locators.
- * - Verifies key bytes against stored or provided fingerprints.
- *
- * @implements {KeyVerifier}
- */
-class MemKeyVerifier {
-    keyStore = {};
-    /**
-     * Computes and optionally stores key metadata. If a keyFingerprint is provided, this function will verify the computed checksum against it before storing it.
-     *
-     * @param {KeyMetadata} keyMetadata - Object containing key bytes and optional verification data.
-     * @throws {KeyVerificationError} When provided keyFingerprint doesn't match computed values.
-     * @returns {Promise<KeyFingerprint>} Computed key metadata.
-     */
-    async computeKeyMetadata(keyMetadata) {
-        // Compute the metadata from the key bytes
-        const computedFingerprint = {
-            checksum: await sha256Hex(keyMetadata.keyBytes),
-            size: keyMetadata.keyBytes.length
-        };
-        // If a KeyFingerprint is provided, verify it matches computed values.
-        if (keyMetadata.fingerprint) {
-            if (keyMetadata.fingerprint.size !== computedFingerprint.size) {
-                throw new KeyVerificationError(keyMetadata.locator ? keyMetadata.locator : "", "size", String(keyMetadata.fingerprint.size), String(computedFingerprint.size));
-            }
-            if (keyMetadata.fingerprint.checksum !== computedFingerprint.checksum) {
-                throw new KeyVerificationError(keyMetadata.locator ? keyMetadata.locator : "", "checksum", keyMetadata.fingerprint.checksum, computedFingerprint.checksum);
-            }
-        }
-        // If locator is provided, store only the fingerprint
-        if (keyMetadata.locator) {
-            this.keyStore[keyMetadata.locator] = computedFingerprint;
-        }
-        return computedFingerprint;
-    }
-    /**
-     * Verifies key bytes against stored or provided metadata. Follows a priority verification scheme:
-     * 1. If KeyFingerprint is provided in the metadata, this method verifies against that first.
-     * 2. If a locator is provided, attempts to verify against stored fingerprint.
-     * 3. If neither is available, throws an error.
-     *
-     * @param {KeyMetadata} keyMetadata - Object containing the key bytes and optional verification metadata.
-     * @throws {Error} When neither fingerprint nor valid locator is provided for verification.
-     * @throws {KeyVerificationError} When size or checksum verification fails.
-     * @returns {Promise<void>} Promise that resolves when verification succeeds.
-     */
-    async verifyKeyBytes(keyMetadata) {
-        if (!keyMetadata.keyBytes) {
-            throw new Error("Key bytes must be provided for verification.");
-        }
-        // Compute the fingerprint for the provided bytes.
-        const computedFingerprint = await this.computeKeyMetadata({
-            keyBytes: keyMetadata.keyBytes
-        });
-        // Determine which fingerprint to verify against.
-        let fingerprintToVerify;
-        if (keyMetadata.fingerprint) {
-            // If a key fingerprint is provided, use it.
-            fingerprintToVerify = keyMetadata.fingerprint;
-        }
-        else if (keyMetadata.locator) {
-            // Otherwise try to get stored fingerprint by locator.
-            fingerprintToVerify = this.keyStore[keyMetadata.locator];
-        }
-        if (!fingerprintToVerify) {
-            throw new Error("Either fingerprint or a valid locator must be provided for verification.");
-        }
-        // Verify the key size.
-        if (fingerprintToVerify.size !== computedFingerprint.size) {
-            throw new KeyVerificationError(keyMetadata.locator || "", "size", String(fingerprintToVerify.size), String(computedFingerprint.size));
-        }
-        // Verify the key checksum.
-        if (fingerprintToVerify.checksum !== computedFingerprint.checksum) {
-            throw new KeyVerificationError(keyMetadata.locator || "", "checksum", fingerprintToVerify.checksum, computedFingerprint.checksum);
-        }
-    }
-}
-
-/**
- * Error thrown when a key locator is invalid for filesystem use.
- * Used to prevent path traversal and other filesystem injection when deriving paths from locators.
- *
- * @extends Error
- */
-class InvalidLocatorError extends Error {
-    locator;
-    reason;
-    /**
-     * @param message - Human-readable description of the validation failure.
-     * @param locator - The invalid locator string that failed validation.
-     * @param reason - Machine-readable reason code for the failure.
-     */
-    constructor(message, locator, reason) {
-        super(message);
-        this.locator = locator;
-        this.reason = reason;
-        this.name = "InvalidLocatorError";
-        Object.setPrototypeOf(this, InvalidLocatorError.prototype);
+                    const text = await response.text();
+                    return mainnet_js.VerifyingKey.fromString(text);
+                }
+                catch (e) {
+                    /// If that fails, try to fetch the verifying key from the network as bytes
+                    try {
+                        return (mainnet_js.VerifyingKey.fromBytes(await this.fetchBytes(verifierUri)));
+                    }
+                    catch (inner) {
+                        throw new Error("Invalid verifying key. Error: " + inner.message);
+                    }
+                }
+        }
+    }
+    unBondPublicKeys() {
+        return this.fetchCreditsKeys(CREDITS_PROGRAM_KEYS.unbond_public);
     }
 }
 
@@ -3945,12 +4241,12 @@ class NetworkRecordProvider {
             records = await this.findCreditsRecords([microcredits], searchParameters);
         }
         catch (e) {
-            console.log("No records found with error:", e);
+            logger.log("No records found with error:", e);
         }
         if (records && records.length > 0) {
             return records[0];
         }
-        console.error("Record not found with error:", records);
+        logger.error("Record not found with error:", records);
         throw new Error("Record not found");
     }
     /**
@@ -3962,12 +4258,12 @@ class NetworkRecordProvider {
             records = await this.findRecords(searchParameters);
         }
         catch (e) {
-            console.log("No records found with error:", e);
+            logger.log("No records found with error:", e);
         }
         if (records && records.length > 0) {
             return records[0];
         }
-        console.error("Record not found with error:", records);
+        logger.error("Record not found with error:", records);
         throw new Error("Record not found");
     }
     /**
@@ -4062,7 +4358,7 @@ class BlockHeightSearch {
  * const recordScanner = new RecordScanner({ url: "https://record-scanner.aleo.org" });
  * recordScanner.setAccount(account);
  * recordScanner.setApiKey("example-api-key");
- * const result = await recordScanner.register(viewKey, 0);
+ * const result = await recordScanner.registerEncrypted(viewKey, 0);
  * if (result.ok) { const uuid = result.data.uuid; }
  *
  * const filter = {
@@ -4317,40 +4613,6 @@ class RecordScanner {
         }
         throw err;
     }
-    /**
-     * Register the account with the record scanning service (unencrypted POST /register). Does not throw if a valid error response from the record scanner is received; returns a result object instead.
-     *
-     * @param {ViewKey} viewKey The view key to register.
-     * @param {number} startBlock The block height to start scanning from.
-     * @returns {Promise<RegisterResult>} `{ ok: true, data }` on success, or `{ ok: false, status, error }` on failure.
-     */
-    async register(viewKey, startBlock) {
-        try {
-            const request = {
-                view_key: viewKey.to_string(),
-                start: startBlock,
-            };
-            const response = await this.request(new Request(`${this.url}/register`, {
-                method: "POST",
-                headers: { "Content-Type": "application/json" },
-                body: JSON.stringify(request),
-            }));
-            const data = await response.json();
-            // If the uuid is not set, set it on the scanner.
-            if (!this.uuid) {
-                this.uuid = data.uuid;
-            }
-            // Add the view key to the local scanner's view keys if configured to do so.
-            if (this.cacheViewKeysOnRegister) {
-                this.addViewKey(viewKey);
-            }
-            return { ok: true, data };
-        }
-        catch (err) {
-            console.error(`Failed to register view key: ${err}`);
-            return this.handleRequestError(err);
-        }
-    }
     /**
      * Fetches an ephemeral public key from the record scanning service for use with registerEncrypted.
      * Follows the same pattern as the delegated proving service /pubkey endpoint.
@@ -4361,6 +4623,19 @@ class RecordScanner {
         const response = await this.request(new Request(`${this.url}/pubkey`, { method: "GET" }));
         return parseJSON(await response.text());
     }
+    /**
+     * Registers the account with the record scanning service using the encrypted flow.
+     * Alias of {@link registerEncrypted} — preserved so existing callers using the
+     * previous unencrypted `register(viewKey, startBlock)` API continue to work
+     * unchanged while transparently using the encrypted endpoint.
+     *
+     * @param {ViewKey} viewKey The view key to register.
+     * @param {number} startBlock The block height to start scanning from.
+     * @returns {Promise<RegisterResult>} `{ ok: true, data }` on success, or `{ ok: false, status, error }` on failure.
+     */
+    async register(viewKey, startBlock) {
+        return this.registerEncrypted(viewKey, startBlock);
+    }
     /**
      * Registers the account with the record scanning service using the encrypted flow: 1. fetches an ephemeral public key from /pubkey - 2. encrypts the registration request (view key + start block) - 3. POSTs to /register/encrypted. Does not HTTP error on a proper error response from the record scanner; returns a result object instead.
      *
@@ -4592,7 +4867,7 @@ class RecordScanner {
             throw new Error("Record not found");
         }
         catch (error) {
-            console.error(`Failed to find record: ${error}`);
+            logger.error(`Failed to find record: ${error}`);
             throw error;
         }
     }
@@ -4753,7 +5028,7 @@ class RecordScanner {
             return record;
         }
         catch (error) {
-            console.error(`Failed to find credits record: ${error}`);
+            logger.error(`Failed to find credits record: ${error}`);
             throw error;
         }
     }
@@ -4802,7 +5077,7 @@ class RecordScanner {
             });
         }
         catch (error) {
-            console.error(`Failed to find credits records: ${error}`);
+            logger.error(`Failed to find credits records: ${error}`);
             throw error;
         }
     }
@@ -4840,7 +5115,7 @@ class RecordScanner {
             return response;
         }
         catch (error) {
-            console.error(`Failed to make request to ${req.url}: ${error}`);
+            logger.error(`Failed to make request to ${req.url}: ${error}`);
             throw error;
         }
     }
@@ -5197,17 +5472,19 @@ class ProgramManager {
     networkClient;
     recordProvider;
     inclusionKeysLoaded = false;
+    _keyStore;
     /** Create a new instance of the ProgramManager
      *
      * @param { string | undefined } host A host uri running the official Aleo API
      * @param { FunctionKeyProvider | undefined } keyProvider A key provider that implements {@link FunctionKeyProvider} interface
      * @param { RecordProvider | undefined } recordProvider A record provider that implements {@link RecordProvider} interface
      */
-    constructor(host, keyProvider, recordProvider, networkClientOptions) {
+    constructor(host, keyProvider, recordProvider, networkClientOptions, keyStore) {
         this.host = host ? host : "https://api.provable.com/v2";
         this.networkClient = new AleoNetworkClient(this.host, networkClientOptions);
         this.keyProvider = keyProvider ? keyProvider : new AleoKeyProvider({ transport: networkClientOptions?.transport });
         this.recordProvider = recordProvider;
+        this._keyStore = keyStore;
     }
     /**
      * Pre-load the inclusion prover for offline execution. Required when the
@@ -5285,6 +5562,330 @@ class ProgramManager {
     setRecordProvider(recordProvider) {
         this.recordProvider = recordProvider;
     }
+    /**
+     * Set the key store for automatic key caching across executions.
+     *
+     * @param {KeyStore} keyStore
+     */
+    setKeyStore(keyStore) {
+        this._keyStore = keyStore;
+    }
+    /**
+     * Build a ProgramImportsBuilder from a program and its imports.
+     * Fetches imports from the network if not provided, resolves transitive
+     * dependencies, and optionally pre-loads cached keys from the KeyStore.
+     *
+     * @param loadKeys When true (default), loads cached proving/verifying keys
+     *   from the KeyStore into the builder. Set to false for authorization and
+     *   proving request paths where keys are not synthesized.
+     */
+    async buildProgramImports(program, imports, loadKeys, entryFunction) {
+        const builder = new mainnet_js.ProgramImports();
+        const programSource = typeof program === "string" ? program : program.toString();
+        const programObj = mainnet_js.Program.fromString(programSource);
+        const importNames = programObj.getImports();
+        if (importNames.length === 0 && (!imports || Object.keys(imports).length === 0)) {
+            return { builder, importEditions: new Map() };
+        }
+        let resolvedImports = {};
+        if (imports) {
+            resolvedImports = { ...imports };
+        }
+        if (importNames.length > 0 && !imports) {
+            try {
+                resolvedImports = await this.networkClient.getProgramImports(programSource);
+            }
+            catch (e) {
+                logger.warn(`Failed to resolve program imports from network: ${e}.`);
+            }
+        }
+        // Build a map of which functions each import actually calls,
+        // so we only load keys for functions in the call chain.
+        const calledFunctions = ProgramManager.callGraphToMap(programObj.getCallGraph(entryFunction));
+        // Phase 1: Collect all programs via BFS, discovering transitive imports.
+        // The initial getProgramImports call above already resolves the full
+        // transitive closure via recursive DFS.  The BFS loop here only needs
+        // to handle user-provided imports whose transitive deps may not yet be
+        // known.  For each unknown import we issue a single getProgram() call
+        // (not a full recursive getProgramImports) and fetch siblings in
+        // parallel to minimize round-trips.
+        const collected = new Map();
+        const collectQueue = Object.entries(resolvedImports).map(([name, src]) => [name, typeof src === "string" ? src : src.toString()]);
+        while (collectQueue.length > 0) {
+            const [name, source] = collectQueue.shift();
+            if (collected.has(name))
+                continue;
+            collected.set(name, source);
+            // Discover transitive imports for collection (call-graph tracing
+            // happens in a separate pass after topological sorting).
+            try {
+                const subImports = ProgramManager.getImportNames(source);
+                if (subImports.length > 0) {
+                    // Fetch only unknown transitive imports — the source for
+                    // programs already in collected/resolvedImports is known, so
+                    // we skip them.  Fetches within a BFS level run in parallel.
+                    const unknownImports = subImports.filter((id) => !collected.has(id) && !(id in resolvedImports));
+                    if (unknownImports.length > 0) {
+                        const fetched = await Promise.all(unknownImports.map(async (id) => {
+                            try {
+                                const src = await this.networkClient.getProgram(id);
+                                return [id, src];
+                            }
+                            catch {
+                                return null;
+                            }
+                        }));
+                        for (const entry of fetched) {
+                            if (entry && !collected.has(entry[0])) {
+                                collectQueue.push(entry);
+                            }
+                        }
+                    }
+                }
+            }
+            catch (e) {
+                logger.warn(`Failed to resolve transitive imports for ${name}: ${e}`);
+            }
+        }
+        // Phase 2: Add programs in topological order (leaves first).
+        // A simple DFS post-order ensures dependencies are added before
+        // dependents, regardless of the order collected entries arrived.
+        const sorted = [];
+        const visited = new Set();
+        const visit = (name) => {
+            if (visited.has(name))
+                return;
+            visited.add(name);
+            const source = collected.get(name);
+            if (!source)
+                return;
+            for (const dep of ProgramManager.getImportNames(source)) {
+                if (collected.has(dep))
+                    visit(dep);
+            }
+            sorted.push([name, source]);
+        };
+        for (const [name] of collected)
+            visit(name);
+        // When scoped, trace call graphs in reverse topological order
+        // (dependents before leaves) so parent calls propagate before
+        // children are traced. sorted is leaves-first, so reverse it.
+        if (entryFunction) {
+            for (let i = sorted.length - 1; i >= 0; i--) {
+                const [name, source] = sorted[i];
+                const functionsNeeded = calledFunctions.get(name);
+                if (!functionsNeeded)
+                    continue;
+                try {
+                    const importProgram = mainnet_js.Program.fromString(source);
+                    for (const fn of functionsNeeded) {
+                        const reachable = ProgramManager.callGraphToMap(importProgram.getCallGraph(fn));
+                        for (const [p, fns] of reachable) {
+                            if (!calledFunctions.has(p)) {
+                                calledFunctions.set(p, new Set(fns));
+                            }
+                            else {
+                                for (const f of fns)
+                                    calledFunctions.get(p).add(f);
+                            }
+                        }
+                    }
+                }
+                catch (e) {
+                    logger.warn(`Failed to trace call graph for ${name}: ${e}`);
+                }
+            }
+        }
+        // Resolve editions for all imports in parallel (each import may have
+        // a different edition than the top-level program).
+        const importEditions = new Map();
+        await Promise.all(sorted.map(async ([name]) => {
+            importEditions.set(name, await this.resolveEditionAndAmendment(name));
+        }));
+        for (const [name, source] of sorted) {
+            if (builder.contains(name))
+                continue;
+            const { edition: importEdition, amendment: importAmendment } = importEditions.get(name);
+            try {
+                builder.addProgram(name, source, importEdition);
+            }
+            catch (e) {
+                logger.warn(`Failed to add import ${name} to builder: ${e}`);
+                continue;
+            }
+            if (loadKeys) {
+                const calledFns = calledFunctions.get(name);
+                await this.loadKeysFromStore(builder, name, calledFns ? [...calledFns] : [], importEdition, importAmendment);
+            }
+        }
+        return { builder, importEditions };
+    }
+    /**
+     * Extract `import program_name.aleo;` names from program source via regex.
+     * Avoids a WASM round-trip compared to Program.fromString + getImports.
+     */
+    static getImportNames(programSource) {
+        const result = [];
+        const importPattern = /^\s*import\s+([a-zA-Z_][a-zA-Z0-9_]*\.aleo)\s*;/gm;
+        let match;
+        while ((match = importPattern.exec(programSource)) !== null) {
+            result.push(match[1]);
+        }
+        return result;
+    }
+    /**
+     * Convert the JS object returned by Program.getCallGraph() into a
+     * Map<string, Set<string>> for use in buildProgramImports.
+     */
+    static callGraphToMap(callGraph) {
+        const result = new Map();
+        for (const [programName, functions] of Object.entries(callGraph)) {
+            result.set(programName, new Set(functions));
+        }
+        return result;
+    }
+    /**
+     * Resolve the active KeyStore, preferring the directly-set _keyStore
+     * over the KeyProvider's keyStore().
+     */
+    async resolveKeyStore() {
+        if (this._keyStore)
+            return this._keyStore;
+        try {
+            return await this.keyProvider?.keyStore?.();
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Resolve the edition and amendment count for a program from the network.
+     * Returns `{ edition, amendment }` or falls back to `{ edition: 1, amendment: 0 }`.
+     */
+    async resolveEditionAndAmendment(programName, fallbackEdition) {
+        try {
+            const info = await this.networkClient.getProgramAmendmentCount(programName);
+            return { edition: info.edition, amendment: info.amendment_count };
+        }
+        catch (e) {
+            logger.warn(`Error finding edition/amendment for ${programName}. Network response: '${e.message}'. Defaulting to edition ${fallbackEdition ?? 1}, amendment 0.`);
+            return { edition: fallbackEdition ?? 1, amendment: 0 };
+        }
+    }
+    /**
+     * Load cached proving/verifying keys from the KeyStore into a ProgramImportsBuilder.
+     * Only loads keys for the specified functions — returns immediately if
+     * functionNames is empty or undefined.
+     * Resolves edition and amendment from the network for accurate key locator
+     * construction when not explicitly provided.
+     */
+    async loadKeysFromStore(builder, programName, functionNames, edition, amendment) {
+        if (!functionNames || functionNames.length === 0)
+            return;
+        const keyStore = await this.resolveKeyStore();
+        if (!keyStore)
+            return;
+        // Resolve edition and amendment from the network if not fully provided.
+        if (edition === undefined || amendment === undefined) {
+            const resolved = await this.resolveEditionAndAmendment(programName, edition);
+            edition = edition ?? resolved.edition;
+            amendment = amendment ?? resolved.amendment;
+        }
+        for (const fnName of functionNames) {
+            const pkLocator = provingKeyLocator(programName, fnName, edition, amendment);
+            const vkLocator = verifyingKeyLocator(programName, fnName, edition, amendment);
+            try {
+                const pk = await keyStore.getProvingKey(pkLocator);
+                if (pk)
+                    builder.addProvingKey(programName, fnName, pk);
+                const vk = await keyStore.getVerifyingKey(vkLocator);
+                if (vk)
+                    builder.addVerifyingKey(programName, fnName, vk);
+            }
+            catch (e) {
+                logger.debug(`Failed to load keys for ${programName}/${fnName}: ${e}`);
+            }
+        }
+    }
+    /**
+     * Persist newly synthesized keys from the returned ProgramImportsBuilder
+     * into the KeyStore. Only writes keys that are not already in the store,
+     * avoiding unnecessary writes of large proving keys.
+     * Fetches each program's current edition and amendment count from the network
+     * for accurate key locator construction.
+     */
+    async persistExtractedKeys(builder, importEditions) {
+        const keyStore = await this.resolveKeyStore();
+        if (!keyStore)
+            return;
+        const programNames = Array.from(builder.programNames());
+        // Reuse editions resolved during buildProgramImports when available,
+        // falling back to parallel network resolution for any missing programs.
+        const editionMap = importEditions ?? new Map();
+        const missing = programNames.filter((name) => !editionMap.has(name));
+        if (missing.length > 0) {
+            await Promise.all(missing.map(async (name) => {
+                editionMap.set(name, await this.resolveEditionAndAmendment(name));
+            }));
+        }
+        for (const programName of programNames) {
+            const { edition, amendment } = editionMap.get(programName);
+            let fns;
+            try {
+                fns = Array.from(builder.functionKeysAvailable(programName));
+            }
+            catch (e) {
+                logger.debug(`Failed to query keys for ${programName}: ${e}`);
+                continue;
+            }
+            for (const fnName of fns) {
+                try {
+                    const pkLocator = provingKeyLocator(programName, fnName, edition, amendment);
+                    const vkLocator = verifyingKeyLocator(programName, fnName, edition, amendment);
+                    // Skip keys already in the store.
+                    if (await keyStore.has(pkLocator) && await keyStore.has(vkLocator)) {
+                        continue;
+                    }
+                    const pk = builder.getProvingKey(programName, fnName);
+                    const vk = builder.getVerifyingKey(programName, fnName);
+                    if (pk && vk) {
+                        await keyStore.setKeys(pkLocator, vkLocator, [pk, vk]);
+                    }
+                }
+                catch (e) {
+                    logger.debug(`Failed to persist key for ${programName}/${fnName}: ${e}`);
+                }
+            }
+        }
+    }
+    /**
+     * Resolve top-level function keys, checking the KeyStore first and
+     * falling back to the KeyProvider.
+     */
+    async resolveTopLevelKeys(programName, functionName, keySearchParams, edition, amendment) {
+        const keyStore = await this.resolveKeyStore();
+        if (keyStore) {
+            try {
+                const pkLocator = provingKeyLocator(programName, functionName, edition, amendment);
+                const vkLocator = verifyingKeyLocator(programName, functionName, edition, amendment);
+                if (await keyStore.has(pkLocator) && await keyStore.has(vkLocator)) {
+                    const pk = await keyStore.getProvingKey(pkLocator);
+                    const vk = await keyStore.getVerifyingKey(vkLocator);
+                    if (pk && vk)
+                        return [pk, vk];
+                }
+            }
+            catch {
+                // Fall through to KeyProvider
+            }
+        }
+        try {
+            return (await this.keyProvider.functionKeys(keySearchParams));
+        }
+        catch {
+            return undefined;
+        }
+    }
     /**
      * Set a header in the `AleoNetworkClient`s header map
      *
@@ -5338,7 +5939,7 @@ class ProgramManager {
             return;
         }
         catch {
-            console.log("Setting the inclusion prover requires either a key provider to be configured for the ProgramManager OR to pass the inclusion prover directly");
+            logger.log("Setting the inclusion prover requires either a key provider to be configured for the ProgramManager OR to pass the inclusion prover directly");
         }
     }
     /**
@@ -5413,7 +6014,7 @@ class ProgramManager {
             }
             catch (e) {
                 // Program does not exist on the network, deployment can proceed
-                console.log(`Program ${programObject.id()} does not exist on the network, deploying...`);
+                logger.log(`Program ${programObject.id()} does not exist on the network, deploying...`);
             }
             if (typeof programSource === "string") {
                 throw Error(`Program ${programObject.id()} already exists on the network, please rename your program`);
@@ -5437,7 +6038,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(mainnet_js.ProgramManager.estimateDeploymentFee(programString, imports));
@@ -5528,7 +6129,7 @@ class ProgramManager {
             }
             catch (e) {
                 // Program does not exist on the network, deployment can proceed
-                console.log(`Program ${programObject.id()} does not exist on the network...`);
+                logger.log(`Program ${programObject.id()} does not exist on the network...`);
             }
         }
         catch (e) {
@@ -5549,7 +6150,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(mainnet_js.ProgramManager.estimateDeploymentFee(programString, imports));
@@ -5719,15 +6320,9 @@ class ProgramManager {
         if (programName === undefined) {
             programName = programObject.id();
         }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
+        const { amendment } = resolved;
         // Get the private key from the account if it is not provided in the parameters
         let executionPrivateKey = privateKey;
         if (typeof privateKey === "undefined" &&
@@ -5748,23 +6343,19 @@ class ProgramManager {
             logAndThrow(`Error finding fee keys. Key finder response: '${e.message}'. Please ensure your key provider is configured correctly.`);
         }
         const [feeProvingKey, feeVerifyingKey] = feeKeys;
-        // If the function proving and verifying keys are not provided, attempt to find them using the key provider
+        // Build the ProgramImportsBuilder for import resolution and key caching.
+        const { builder: programImportsBuilder, importEditions } = await this.buildProgramImports(program, imports, true, functionName);
+        // Include the top-level program's already-resolved edition so
+        // persistExtractedKeys doesn't make a redundant network call for it.
+        importEditions.set(programName, { edition: edition, amendment });
+        // If the function proving and verifying keys are not provided, attempt to find them
         if (!provingKey || !verifyingKey) {
-            try {
-                [provingKey, verifyingKey] = (await this.keyProvider.functionKeys(keySearchParams));
-            }
-            catch (e) {
-                console.log(`Function keys not found. Key finder response: '${e}'. The function keys will be synthesized`);
-            }
-        }
-        // Resolve the program imports if they exist
-        const numberOfImports = programObject.getImports().length;
-        if (numberOfImports > 0 && !imports) {
-            try {
-                imports = (await this.networkClient.getProgramImports(programName));
+            const keys = await this.resolveTopLevelKeys(programName, functionName, keySearchParams, edition, amendment);
+            if (keys) {
+                [provingKey, verifyingKey] = keys;
             }
-            catch (e) {
-                logAndThrow(`Error finding program imports. Network response: '${e.message}'. Please ensure you're connected to a valid Aleo network and the program is deployed to the network.`);
+            else {
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         // Get the fee record from the account if it is not provided in the parameters
@@ -5789,17 +6380,23 @@ class ProgramManager {
         }
         // Auto-convert bare string inputs to field elements where the function expects field type.
         const preparedInputs = this.prepareInputs(program, functionName, inputs);
-        // Build the query: user-provided OfflineQuery for truly offline execution,
-        // CallbackQuery when a custom transport is configured, or undefined to
-        // let WASM use its internal SnapshotQuery with the default fetch.
         const query = offlineQuery
             ? mainnet_js.QueryOption.offlineQuery(offlineQuery)
             : this.networkClient.hasCustomTransport
                 ? mainnet_js.QueryOption.callbackQuery(this.buildCallbackQuery())
                 : undefined;
         await this.ensureInclusionKeys(!!offlineQuery);
-        // Build an execution transaction
-        return await mainnet_js.ProgramManager.buildExecutionTransaction(executionPrivateKey, program, functionName, preparedInputs, priorityFee, feeRecord, this.host, imports, provingKey, verifyingKey, feeProvingKey, feeVerifyingKey, query, edition);
+        const result = await mainnet_js.ProgramManager.buildExecutionTransaction(executionPrivateKey, program, functionName, preparedInputs, priorityFee, feeRecord, this.host, undefined, // imports (legacy Object path — builder handles resolution)
+        provingKey, verifyingKey, feeProvingKey, feeVerifyingKey, query, edition, programImportsBuilder?.clone());
+        // The clone passed to WASM shares state with the original via
+        // Rc<RefCell<>> — synthesized keys are already visible.
+        try {
+            await this.persistExtractedKeys(programImportsBuilder, importEditions);
+        }
+        catch (e) {
+            logger.debug(`Failed to persist extracted keys: ${e}`);
+        }
+        return result;
     }
     /**
      * Builds an execution transaction for submission to the Aleo network from an Authorization and Fee Authorization.
@@ -5877,6 +6474,10 @@ class ProgramManager {
         const feeAuthorization = options.feeAuthorization;
         const keySearchParams = options.keySearchParams;
         const offlineQuery = options.offlineQuery;
+        let edition = options.edition;
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
+        const { amendment } = resolved;
         let provingKey = options.provingKey;
         let verifyingKey = options.verifyingKey;
         let program = options.program;
@@ -5905,24 +6506,17 @@ class ProgramManager {
             logAndThrow(`Error finding fee keys. Key finder response: '${e.message}'. Please ensure your key provider is configured correctly.`);
         }
         const [feeProvingKey, feeVerifyingKey] = feeKeys;
-        // If the function proving and verifying keys are not provided, attempt to find them using the key provider.
+        // Build the ProgramImportsBuilder for import resolution and key caching.
+        const { builder: programImportsBuilder, importEditions } = await this.buildProgramImports(program, imports, true, authorization.functionName());
+        importEditions.set(programName, { edition: edition, amendment });
+        // If the function proving and verifying keys are not provided, attempt to find them.
         if (!provingKey || !verifyingKey) {
-            try {
-                [provingKey, verifyingKey] = (await this.keyProvider.functionKeys(keySearchParams));
-            }
-            catch (e) {
-                console.log(`Function keys not found. Key finder response: '${e}'. The function keys will be synthesized`);
-            }
-        }
-        // Resolve the program imports if they exist.
-        console.log("Resolving program imports");
-        const numberOfImports = mainnet_js.Program.fromString(program).getImports().length;
-        if (numberOfImports > 0 && !imports) {
-            try {
-                imports = (await this.networkClient.getProgramImports(programName));
+            const keys = await this.resolveTopLevelKeys(programName, authorization.functionName(), keySearchParams, edition, amendment);
+            if (keys) {
+                [provingKey, verifyingKey] = keys;
             }
-            catch (e) {
-                logAndThrow(`Error finding program imports. Network response: '${e.message}'. Please ensure you're connected to a valid Aleo network and the program is deployed to the network.`);
+            else {
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         const query = offlineQuery
@@ -5931,9 +6525,18 @@ class ProgramManager {
                 ? mainnet_js.QueryOption.callbackQuery(this.buildCallbackQuery())
                 : undefined;
         await this.ensureInclusionKeys(!!offlineQuery);
-        // Build an execution transaction from the authorization.
-        console.log("Executing authorizations");
-        return await mainnet_js.ProgramManager.executeAuthorization(authorization, feeAuthorization, program, provingKey, verifyingKey, feeProvingKey, feeVerifyingKey, imports, this.host, query);
+        // Build an execution transaction from the authorization. The
+        // ProgramImportsBuilder is consumed by value (ownership transfers to WASM)
+        // and returned enriched with any keys synthesized during execution.
+        const result = await mainnet_js.ProgramManager.executeAuthorization(authorization, feeAuthorization, program, provingKey, verifyingKey, feeProvingKey, feeVerifyingKey, undefined, // imports (legacy Object path — builder handles resolution)
+        this.host, query, programImportsBuilder?.clone(), edition);
+        try {
+            await this.persistExtractedKeys(programImportsBuilder, importEditions);
+        }
+        catch (e) {
+            logger.debug(`Failed to persist extracted keys: ${e}`);
+        }
+        return result;
     }
     /**
      * Builds a SnarkVM `Authorization` for a specific function.
@@ -5996,29 +6599,17 @@ class ProgramManager {
         if (typeof executionPrivateKey === "undefined") {
             throw "No private key provided and no private key set in the ProgramManager";
         }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
-        // Resolve the program imports if they exist.
-        const numberOfImports = mainnet_js.Program.fromString(program).getImports().length;
-        if (numberOfImports > 0 && !imports) {
-            try {
-                imports = (await this.networkClient.getProgramImports(programName));
-            }
-            catch (e) {
-                logAndThrow(`Error finding program imports. Network response: '${e.message}'. Please ensure you're connected to a valid Aleo network and the program is deployed to the network.`);
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
         // Auto-convert bare string inputs to field elements where the function expects field type.
         const preparedInputs = this.prepareInputs(program, functionName, inputs);
+        // Build ProgramImportsBuilder for import resolution (no key loading —
+        // authorizations don't synthesize keys).
+        const { builder } = await this.buildProgramImports(program, imports, false, functionName);
+        const hasImports = !builder.isEmpty();
         // Build and return an `Authorization` for the desired function.
-        return await mainnet_js.ProgramManager.authorize(executionPrivateKey, program, functionName, preparedInputs, imports, edition);
+        const authorization = await mainnet_js.ProgramManager.authorize(executionPrivateKey, program, functionName, preparedInputs, hasImports ? undefined : imports, edition, hasImports ? builder?.clone() : undefined);
+        return authorization;
     }
     /**
      * Builds a SnarkVM `Authorization` for a specific function without building a circuit first. This should be used when fast authorization generation is needed and the invoker is confident inputs are coorect.
@@ -6081,29 +6672,17 @@ class ProgramManager {
         if (typeof executionPrivateKey === "undefined") {
             throw "No private key provided and no private key set in the ProgramManager";
         }
-        // Resolve the program imports if they exist.
-        const numberOfImports = mainnet_js.Program.fromString(program).getImports().length;
-        if (numberOfImports > 0 && !imports) {
-            try {
-                imports = (await this.networkClient.getProgramImports(programName));
-            }
-            catch (e) {
-                logAndThrow(`Error finding program imports. Network response: '${e.message}'. Please ensure you're connected to a valid Aleo network and the program is deployed to the network.`);
-            }
-        }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
         // Auto-convert bare string inputs to field elements where the function expects field type.
         const preparedInputs = this.prepareInputs(program, functionName, inputs);
+        // Build ProgramImportsBuilder for import resolution (no key loading —
+        // authorizations don't synthesize keys).
+        const { builder } = await this.buildProgramImports(program, imports, false, functionName);
+        const hasImports = !builder.isEmpty();
         // Build and return an `Authorization` for the desired function.
-        return await mainnet_js.ProgramManager.buildAuthorizationUnchecked(executionPrivateKey, program, functionName, preparedInputs, imports, edition);
+        const authorization = await mainnet_js.ProgramManager.buildAuthorizationUnchecked(executionPrivateKey, program, functionName, preparedInputs, hasImports ? undefined : imports, edition, hasImports ? builder?.clone() : undefined);
+        return authorization;
     }
     /**
      * Builds a `ProvingRequest` for submission to a prover for execution. If building a proving request with an ExecutionRequest, a private key must be explicitly provided.
@@ -6166,15 +6745,8 @@ class ProgramManager {
         if (programName === undefined) {
             programName = mainnet_js.Program.fromString(program).id();
         }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
         // Get the private key from the account if it is not provided in the parameters.
         let executionPrivateKey = privateKey;
         if (typeof privateKey === "undefined" &&
@@ -6212,8 +6784,30 @@ class ProgramManager {
         catch (e) {
             logAndThrow(`Error finding fee record. Record finder response: '${e.message}'. Please ensure you're connected to a valid Aleo network and a record with enough balance exists.`);
         }
+        // Build ProgramImportsBuilder for import resolution (no key loading —
+        // proving requests don't synthesize keys).
+        // Note: imports is kept for the Rust-side fee estimation fallback
+        // (estimate_fee_for_authorization uses the legacy imports Object to avoid
+        // a RefCell double-borrow — see proving_request.rs).
+        const { builder } = await this.buildProgramImports(program, imports, false, functionName);
+        const hasImports = !builder.isEmpty();
+        // Normalize imports to the full merged set from the builder so the
+        // Rust fee estimator sees all transitive imports, not just the
+        // caller's partial set. Use programNames + getProgram to avoid
+        // serializing key bytes (toObject would serialize all proving/
+        // verifying keys, which can be tens of MB).
+        if (hasImports) {
+            const merged = {};
+            for (const name of Array.from(builder.programNames())) {
+                const src = builder.getProgram(name);
+                if (src)
+                    merged[name] = src;
+            }
+            imports = merged;
+        }
         if (options.executionRequest instanceof mainnet_js.ExecutionRequest) {
-            return await mainnet_js.ProgramManager.buildProvingRequestFromExecutionRequest(options.executionRequest, program, unchecked, broadcast, edition, imports, executionPrivateKey);
+            return await mainnet_js.ProgramManager.buildProvingRequestFromExecutionRequest(options.executionRequest, program, unchecked, broadcast, edition, imports, // kept for fee estimation in Rust
+            executionPrivateKey, hasImports ? builder?.clone() : undefined);
         }
         else {
             // Ensure the private key exists.
@@ -6227,7 +6821,8 @@ class ProgramManager {
             // Auto-convert bare string inputs to field elements where the function expects field type.
             const preparedInputs = this.prepareInputs(program, functionName, inputs);
             // Build and return the `ProvingRequest`.
-            return await mainnet_js.ProgramManager.buildProvingRequest(executionPrivateKey, program, functionName, preparedInputs, baseFee, priorityFee, feeRecord, imports, broadcast, unchecked, edition, useFeeMaster);
+            return await mainnet_js.ProgramManager.buildProvingRequest(executionPrivateKey, program, functionName, preparedInputs, baseFee, priorityFee, feeRecord, imports, // kept for fee estimation in Rust
+            broadcast, unchecked, edition, useFeeMaster, hasImports ? builder?.clone() : undefined);
         }
     }
     /**
@@ -6400,6 +6995,10 @@ class ProgramManager {
      * assert(result === ["10u32"]);
      */
     async run(program, function_name, inputs, proveExecution, imports, keySearchParams, provingKey, verifyingKey, privateKey, offlineQuery, edition) {
+        const programName = mainnet_js.Program.fromString(program).id();
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
+        const { amendment } = resolved;
         // Get the private key from the account if it is not provided in the parameters
         let executionPrivateKey = privateKey;
         if (typeof privateKey === "undefined" &&
@@ -6409,13 +7008,16 @@ class ProgramManager {
         if (typeof executionPrivateKey === "undefined") {
             throw "No private key provided and no private key set in the ProgramManager";
         }
-        // If the function proving and verifying keys are not provided, attempt to find them using the key provider
+        // Build the ProgramImportsBuilder for import resolution and key caching.
+        const { builder, importEditions } = await this.buildProgramImports(program, imports, true, function_name);
+        importEditions.set(programName, { edition: edition, amendment });
         if (!provingKey || !verifyingKey) {
-            try {
-                [provingKey, verifyingKey] = (await this.keyProvider.functionKeys(keySearchParams));
+            const keys = await this.resolveTopLevelKeys(programName, function_name, keySearchParams, edition, amendment);
+            if (keys) {
+                [provingKey, verifyingKey] = keys;
             }
-            catch (e) {
-                console.log(`Function keys not found. Key finder response: '${e}'. The function keys will be synthesized`);
+            else {
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         // Auto-convert bare string inputs to field elements where the function expects field type.
@@ -6426,11 +7028,17 @@ class ProgramManager {
                 ? mainnet_js.QueryOption.callbackQuery(this.buildCallbackQuery())
                 : undefined;
         await this.ensureInclusionKeys(!!offlineQuery);
-        // Run the program offline and return the result
-        console.log("Running program offline");
-        console.log("Proving key: ", provingKey);
-        console.log("Verifying key: ", verifyingKey);
-        return mainnet_js.ProgramManager.executeFunctionOffline(executionPrivateKey, program, function_name, preparedInputs, proveExecution, false, imports, provingKey, verifyingKey, this.host, query, edition);
+        const result = await mainnet_js.ProgramManager.executeFunctionOffline(executionPrivateKey, program, function_name, preparedInputs, proveExecution, false, undefined, // imports (legacy Object path — builder handles resolution)
+        provingKey, verifyingKey, this.host, query, edition, builder?.clone());
+        // The clone passed to WASM shares state with the original via
+        // Rc<RefCell<>> — synthesized keys are already visible.
+        try {
+            await this.persistExtractedKeys(builder, importEditions);
+        }
+        catch (e) {
+            logger.debug(`Failed to persist extracted keys: ${e}`);
+        }
+        return result;
     }
     /**
      * Join two credits records into a single credits record
@@ -7419,7 +8027,7 @@ class ProgramManager {
             return mainnet_js.verifyFunctionExecution(execution, verifyingKey, program, function_id, imports, importedVerifyingKeys, blockHeight);
         }
         catch (e) {
-            console.warn(`The execution was not found in the response, cannot verify the execution: ${e}`);
+            logger.warn(`The execution was not found in the response, cannot verify the execution: ${e}`);
             return false;
         }
     }
@@ -7512,12 +8120,8 @@ class ProgramManager {
             throw new Error("Authorization must be provided if estimating fee for Authorization.");
         }
         const programSource = program ? program.toString() : await this.networkClient.getProgram(programName, edition);
-        const programImports = imports ? imports : await this.networkClient.getProgramImports(programSource);
-        console.log(JSON.stringify(programImports));
-        if (Object.keys(programImports)) {
-            return mainnet_js.ProgramManager.estimateFeeForAuthorization(authorization, programSource, programImports, edition);
-        }
-        return mainnet_js.ProgramManager.estimateFeeForAuthorization(authorization, programSource, imports, edition);
+        const programImports = imports ?? await this.networkClient.getProgramImports(programSource);
+        return mainnet_js.ProgramManager.estimateFeeForAuthorization(authorization, programSource, programImports, edition);
     }
     /**
      * Estimate the execution fee for an Aleo function.
@@ -7552,10 +8156,7 @@ class ProgramManager {
         }
         const programSource = program ? program.toString() : await this.networkClient.getProgram(programName, edition);
         const programImports = imports ? imports : await this.networkClient.getProgramImports(programSource);
-        if (Object.keys(programImports)) {
-            return mainnet_js.ProgramManager.estimateExecutionFee(programSource, functionName, programImports, edition);
-        }
-        return mainnet_js.ProgramManager.estimateExecutionFee(programSource, functionName, imports, edition);
+        return mainnet_js.ProgramManager.estimateExecutionFee(programSource, functionName, programImports, edition);
     }
     // Internal utility function for getting a credits.aleo record
     async getCreditsRecord(amount, nonces, record, params) {
@@ -7663,15 +8264,8 @@ class ProgramManager {
         if (programName === undefined) {
             programName = programObject.id();
         }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
         // Get the private key from the account if it is not provided in the parameters.
         let executionPrivateKey = privateKey;
         if (typeof privateKey === "undefined" &&
@@ -7687,7 +8281,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(mainnet_js.ProgramManager.estimateDeploymentFee(programString, imports));
@@ -7776,7 +8370,7 @@ class ProgramManager {
             }
             catch (e) {
                 // Program does not exist on the network, deployment can proceed
-                console.log(`Program ${programObject.id()} does not exist on the network, deploying...`);
+                logger.log(`Program ${programObject.id()} does not exist on the network, deploying...`);
             }
             if (typeof programSource === "string") {
                 throw Error(`Program ${programObject.id()} already exists on the network, please rename your program`);
@@ -7800,7 +8394,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(mainnet_js.ProgramManager.estimateDeploymentFee(programString, imports));
@@ -7901,7 +8495,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(mainnet_js.ProgramManager.estimateDeploymentFee(programString, imports));
@@ -8275,7 +8869,7 @@ function serializeRequestSignInputToBytes(input) {
 
 // @TODO: This function is no longer needed, remove it.
 async function initializeWasm() {
-    console.warn("initializeWasm is deprecated, you no longer need to use it");
+    logger.warn("initializeWasm is deprecated, you no longer need to use it");
 }
 
 Object.defineProperty(exports, "Address", {
@@ -8406,6 +9000,10 @@ Object.defineProperty(exports, "Program", {
     enumerable: true,
     get: function () { return mainnet_js.Program; }
 });
+Object.defineProperty(exports, "ProgramImportsBuilder", {
+    enumerable: true,
+    get: function () { return mainnet_js.ProgramImports; }
+});
 Object.defineProperty(exports, "ProgramManagerBase", {
     enumerable: true,
     get: function () { return mainnet_js.ProgramManager; }
@@ -8422,6 +9020,10 @@ Object.defineProperty(exports, "ProvingRequest", {
     enumerable: true,
     get: function () { return mainnet_js.ProvingRequest; }
 });
+Object.defineProperty(exports, "QueryOption", {
+    enumerable: true,
+    get: function () { return mainnet_js.QueryOption; }
+});
 Object.defineProperty(exports, "RecordCiphertext", {
     enumerable: true,
     get: function () { return mainnet_js.RecordCiphertext; }
@@ -8486,6 +9088,10 @@ Object.defineProperty(exports, "initThreadPool", {
     enumerable: true,
     get: function () { return mainnet_js.initThreadPool; }
 });
+Object.defineProperty(exports, "setWasmLogLevel", {
+    enumerable: true,
+    get: function () { return mainnet_js.setWasmLogLevel; }
+});
 Object.defineProperty(exports, "snarkVerify", {
     enumerable: true,
     get: function () { return mainnet_js.snarkVerify; }
@@ -8510,6 +9116,7 @@ exports.BlockHeightSearch = BlockHeightSearch;
 exports.CREDITS_PROGRAM_KEYS = CREDITS_PROGRAM_KEYS;
 exports.ChecksumMismatchError = KeyVerificationError;
 exports.DecryptionNotEnabledError = DecryptionNotEnabledError;
+exports.IndexedDBKeyStore = IndexedDBKeyStore;
 exports.InvalidLocatorError = InvalidLocatorError;
 exports.KEY_STORE = KEY_STORE;
 exports.KeyVerificationError = KeyVerificationError;
@@ -8538,6 +9145,7 @@ exports.encryptAuthorization = encryptAuthorization;
 exports.encryptProvingRequest = encryptProvingRequest;
 exports.encryptRegistrationRequest = encryptRegistrationRequest;
 exports.encryptViewKey = encryptViewKey;
+exports.getLogLevel = getLogLevel;
 exports.initializeWasm = initializeWasm;
 exports.inputsToFields = inputsToFields;
 exports.isInputIdStrategy = isInputIdStrategy;
@@ -8548,6 +9156,7 @@ exports.isViewKeyStrategy = isViewKeyStrategy;
 exports.logAndThrow = logAndThrow;
 exports.programChecksum = programChecksum;
 exports.provingKeyLocator = provingKeyLocator;
+exports.setLogLevel = setLogLevel;
 exports.sha256Hex = sha256Hex;
 exports.toAddress = toAddress;
 exports.toField = toField;