@provablehq/sdk 0.10.5 → 0.11.0

package/dist/mainnet/browser.js

@@ -1,9 +1,434 @@
 import 'core-js/proposals/json-parse-with-source.js';
-import { ViewKey, ComputeKey, Address, PrivateKeyCiphertext, PrivateKey, RecordCiphertext, EncryptionToolkit, Group, Metadata, VerifyingKey, Program, Plaintext, Transaction, ProvingRequest, ProvingKey, RecordPlaintext, Field, Poseidon4, ProgramManager as ProgramManager$1, CallbackQuery, QueryOption, ExecutionRequest, stringToField, verifyFunctionExecution, Value, Proof, Signature } from '@provablehq/wasm/mainnet.js';
-export { Address, Authorization, BHP1024, BHP256, BHP512, BHP768, Boolean, Ciphertext, ComputeKey, DynamicRecord, EncryptionToolkit, ExecutionRequest, ExecutionResponse, Field, Execution as FunctionExecution, GraphKey, Group, I128, I16, I32, I64, I8, OfflineQuery, Pedersen128, Pedersen64, Plaintext, Poseidon2, Poseidon4, Poseidon8, PrivateKey, PrivateKeyCiphertext, Program, ProgramManager as ProgramManagerBase, Proof, ProvingKey, ProvingRequest, RecordCiphertext, RecordPlaintext, Scalar, Signature, Transaction, Transition, U128, U16, U32, U64, U8, Value, VerifyingKey, ViewKey, getOrInitConsensusVersionTestHeights, initThreadPool, snarkVerify, snarkVerifyBatch, stringToField, verifyFunctionExecution } from '@provablehq/wasm/mainnet.js';
+import { ProvingKey, VerifyingKey, ViewKey, ComputeKey, Address, PrivateKeyCiphertext, PrivateKey, RecordCiphertext, EncryptionToolkit, Group, Metadata, Program, Plaintext, Transaction, ProvingRequest, RecordPlaintext, Field, Poseidon4, ProgramManager as ProgramManager$1, CallbackQuery, ProgramImports, QueryOption, ExecutionRequest, stringToField, verifyFunctionExecution, Value, Proof, Signature } from '@provablehq/wasm/mainnet.js';
+export { Address, Authorization, BHP1024, BHP256, BHP512, BHP768, Boolean, Ciphertext, ComputeKey, DynamicRecord, EncryptionToolkit, ExecutionRequest, ExecutionResponse, Field, Execution as FunctionExecution, GraphKey, Group, I128, I16, I32, I64, I8, OfflineQuery, Pedersen128, Pedersen64, Plaintext, Poseidon2, Poseidon4, Poseidon8, PrivateKey, PrivateKeyCiphertext, Program, ProgramImports as ProgramImportsBuilder, ProgramManager as ProgramManagerBase, Proof, ProvingKey, ProvingRequest, QueryOption, RecordCiphertext, RecordPlaintext, Scalar, Signature, Transaction, Transition, U128, U16, U32, U64, U8, Value, VerifyingKey, ViewKey, getOrInitConsensusVersionTestHeights, initThreadPool, setWasmLogLevel, snarkVerify, snarkVerifyBatch, stringToField, verifyFunctionExecution } from '@provablehq/wasm/mainnet.js';
 import { cryptoBoxSeal } from '@serenity-kit/noble-sodium';
 import { base64, bech32m } from '@scure/base';
 
+const LEVEL_PRIORITY = {
+    silent: 0,
+    error: 1,
+    warn: 2,
+    info: 3,
+    debug: 4,
+};
+let currentLevel = "info";
+/**
+ * Set the SDK log level. Levels are hierarchical:
+ * - "silent" — suppress all SDK logging
+ * - "error"  — only errors
+ * - "warn"   — errors + warnings
+ * - "info"   — errors + warnings + info (default)
+ * - "debug"  — everything including debug traces
+ *
+ * This controls both TS-side and WASM-side logging. WASM log calls
+ * (e.g., "Loading program", "Executing program") are silenced when
+ * the level is below "info".
+ */
+function setLogLevel(level) {
+    currentLevel = level;
+    import('./wasm-Bnb_v1_O.js')
+        .then(({ setWasmLogLevel }) => setWasmLogLevel(LEVEL_PRIORITY[level]))
+        .catch(() => { }); // WASM not loaded yet — will use default level (info)
+}
+/** Returns the current SDK log level. */
+function getLogLevel() {
+    return currentLevel;
+}
+function shouldLog(level) {
+    return LEVEL_PRIORITY[level] <= LEVEL_PRIORITY[currentLevel];
+}
+/**
+ * SDK logger object following console.log/warn/error/debug syntax.
+ * Respects the current log level set via setLogLevel().
+ */
+const logger = {
+    log(...args) {
+        if (shouldLog("info"))
+            console.log(...args);
+    },
+    warn(...args) {
+        if (shouldLog("warn"))
+            console.warn(...args);
+    },
+    error(...args) {
+        if (shouldLog("error"))
+            console.error(...args);
+    },
+    debug(...args) {
+        if (shouldLog("debug"))
+            console.debug(...args);
+    },
+};
+
+/**
+ * Error thrown when a key locator is invalid for filesystem use.
+ * Used to prevent path traversal and other filesystem injection when deriving paths from locators.
+ *
+ * @extends Error
+ */
+class InvalidLocatorError extends Error {
+    locator;
+    reason;
+    /**
+     * @param message - Human-readable description of the validation failure.
+     * @param locator - The invalid locator string that failed validation.
+     * @param reason - Machine-readable reason code for the failure.
+     */
+    constructor(message, locator, reason) {
+        super(message);
+        this.locator = locator;
+        this.reason = reason;
+        this.name = "InvalidLocatorError";
+        Object.setPrototypeOf(this, InvalidLocatorError.prototype);
+    }
+}
+
+/**
+ * Error thrown when there is a mismatch between expected and actual key metadata.
+ * This can occur during verification of either the checksum or size of a key.
+ *
+ * @extends Error
+ */
+class KeyVerificationError extends Error {
+    locator;
+    field;
+    expected;
+    actual;
+    /**
+     * Creates a new KeyVerificationError instance (error.name is "ChecksumMismatchError").
+     *
+     * @param {string} locator - The key locator where the mismatch occurred.
+     * @param {"checksum" | "size"} field - The field that failed verification (either "checksum" or "size").
+     * @param {string} expected - The expected value of the field.
+     * @param {string} actual - The actual value encountered.
+     */
+    constructor(locator, field, expected, actual) {
+        super(`Key verification ${locator} ${field} mismatch: expected ${expected}, got ${actual}`);
+        this.locator = locator;
+        this.field = field;
+        this.expected = expected;
+        this.actual = actual;
+        this.name = "ChecksumMismatchError";
+        Object.setPrototypeOf(this, KeyVerificationError.prototype);
+    }
+}
+/**
+ * Computes the SHA-256 checksum of a given set of bytes.
+ *
+ * @param {Uint8Array} bytes - The bytes to compute the checksum of.
+ */
+async function sha256Hex(bytes) {
+    const hash = await crypto.subtle.digest("SHA-256", bytes);
+    return Array.from(new Uint8Array(hash))
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+
+/**
+ * In-memory implementation of KeyVerifier that stores and verifies key fingerprints.
+ * Provides functionality to compute and verify cryptographic checksums of keys, storing them
+ * in memory for subsequent verification. This implementation is primarily used for testing
+ * and development purposes where persistence is not required.
+ *
+ * Key features:
+ * - Computes SHA-256 checksums and sizes for key bytes.
+ * - Stores key fingerprints in memory using string locators.
+ * - Verifies key bytes against stored or provided fingerprints.
+ *
+ * @implements {KeyVerifier}
+ */
+class MemKeyVerifier {
+    keyStore = {};
+    /**
+     * Computes and optionally stores key metadata. If a keyFingerprint is provided, this function will verify the computed checksum against it before storing it.
+     *
+     * @param {KeyMetadata} keyMetadata - Object containing key bytes and optional verification data.
+     * @throws {KeyVerificationError} When provided keyFingerprint doesn't match computed values.
+     * @returns {Promise<KeyFingerprint>} Computed key metadata.
+     */
+    async computeKeyMetadata(keyMetadata) {
+        // Compute the metadata from the key bytes
+        const computedFingerprint = {
+            checksum: await sha256Hex(keyMetadata.keyBytes),
+            size: keyMetadata.keyBytes.length
+        };
+        // If a KeyFingerprint is provided, verify it matches computed values.
+        if (keyMetadata.fingerprint) {
+            if (keyMetadata.fingerprint.size !== computedFingerprint.size) {
+                throw new KeyVerificationError(keyMetadata.locator ? keyMetadata.locator : "", "size", String(keyMetadata.fingerprint.size), String(computedFingerprint.size));
+            }
+            if (keyMetadata.fingerprint.checksum !== computedFingerprint.checksum) {
+                throw new KeyVerificationError(keyMetadata.locator ? keyMetadata.locator : "", "checksum", keyMetadata.fingerprint.checksum, computedFingerprint.checksum);
+            }
+        }
+        // If locator is provided, store only the fingerprint
+        if (keyMetadata.locator) {
+            this.keyStore[keyMetadata.locator] = computedFingerprint;
+        }
+        return computedFingerprint;
+    }
+    /**
+     * Verifies key bytes against stored or provided metadata. Follows a priority verification scheme:
+     * 1. If KeyFingerprint is provided in the metadata, this method verifies against that first.
+     * 2. If a locator is provided, attempts to verify against stored fingerprint.
+     * 3. If neither is available, throws an error.
+     *
+     * @param {KeyMetadata} keyMetadata - Object containing the key bytes and optional verification metadata.
+     * @throws {Error} When neither fingerprint nor valid locator is provided for verification.
+     * @throws {KeyVerificationError} When size or checksum verification fails.
+     * @returns {Promise<void>} Promise that resolves when verification succeeds.
+     */
+    async verifyKeyBytes(keyMetadata) {
+        if (!keyMetadata.keyBytes) {
+            throw new Error("Key bytes must be provided for verification.");
+        }
+        // Compute the fingerprint for the provided bytes.
+        const computedFingerprint = await this.computeKeyMetadata({
+            keyBytes: keyMetadata.keyBytes
+        });
+        // Determine which fingerprint to verify against.
+        let fingerprintToVerify;
+        if (keyMetadata.fingerprint) {
+            // If a key fingerprint is provided, use it.
+            fingerprintToVerify = keyMetadata.fingerprint;
+        }
+        else if (keyMetadata.locator) {
+            // Otherwise try to get stored fingerprint by locator.
+            fingerprintToVerify = this.keyStore[keyMetadata.locator];
+        }
+        if (!fingerprintToVerify) {
+            throw new Error("Either fingerprint or a valid locator must be provided for verification.");
+        }
+        // Verify the key size.
+        if (fingerprintToVerify.size !== computedFingerprint.size) {
+            throw new KeyVerificationError(keyMetadata.locator || "", "size", String(fingerprintToVerify.size), String(computedFingerprint.size));
+        }
+        // Verify the key checksum.
+        if (fingerprintToVerify.checksum !== computedFingerprint.checksum) {
+            throw new KeyVerificationError(keyMetadata.locator || "", "checksum", fingerprintToVerify.checksum, computedFingerprint.checksum);
+        }
+    }
+}
+
+/**
+ * Browser-compatible {@link KeyStore} backed by IndexedDB.
+ *
+ * This is the browser counterpart to {@link LocalFileKeyStore} (which requires Node.js `fs`).
+ * It persists proving and verifying keys across page reloads and browser sessions using the
+ * IndexedDB API available in all modern browsers and Web Workers.
+ *
+ * **Environment**: Browser / Web Worker only. Instantiating this class is safe in any
+ * environment, but the first IndexedDB operation will reject with a clear error when
+ * `globalThis.indexedDB` is not available (e.g., Node.js, SSR contexts). Guard your
+ * imports accordingly if you bundle for server-side rendering.
+ *
+ * **Security**: Keys are stored as plaintext `Uint8Array` in IndexedDB. Any script
+ * running on the same origin — including scripts injected via XSS — can read the stored
+ * proving and verifying keys. Do **not** use this keystore for data that must remain
+ * confidential under an XSS-capable adversary; encrypt sensitive material at the
+ * application layer before persisting, or use an in-memory store.
+ *
+ * @example
+ * ```ts
+ * import { IndexedDBKeyStore, ProgramManager } from "@provablehq/sdk";
+ *
+ * const keyStore = new IndexedDBKeyStore();
+ * const pm = new ProgramManager();
+ * pm.setKeyStore(keyStore);
+ * // Keys synthesized during execution are now cached in IndexedDB
+ * // and reloaded automatically on subsequent runs.
+ * ```
+ */
+class IndexedDBKeyStore {
+    dbName;
+    storeName = "keys";
+    keyVerifier = new MemKeyVerifier();
+    dbPromise = null;
+    /**
+     * @param dbName IndexedDB database name. Defaults to `"aleo-keystore"`.
+     */
+    constructor(dbName = "aleo-keystore") {
+        this.dbName = dbName;
+    }
+    // -------------------------------------------------------
+    // IndexedDB helpers
+    // -------------------------------------------------------
+    /** Opens (or creates) the database, returning a cached promise. */
+    openDB() {
+        if (this.dbPromise)
+            return this.dbPromise;
+        // Env check sits outside the Promise constructor so a failure doesn't
+        // poison the cache; a later call (e.g. after a polyfill loads) can retry.
+        if (typeof indexedDB === "undefined") {
+            return Promise.reject(new Error("IndexedDBKeyStore requires a browser or Web Worker environment: " +
+                "`indexedDB` is not defined. If you are in Node.js or an SSR " +
+                "context, use LocalFileKeyStore or an in-memory key provider instead."));
+        }
+        this.dbPromise = new Promise((resolve, reject) => {
+            const request = indexedDB.open(this.dbName, 1);
+            request.onupgradeneeded = () => {
+                const db = request.result;
+                if (!db.objectStoreNames.contains(this.storeName)) {
+                    db.createObjectStore(this.storeName, { keyPath: "locator" });
+                }
+            };
+            request.onsuccess = () => resolve(request.result);
+            request.onerror = () => {
+                this.dbPromise = null;
+                reject(request.error);
+            };
+            request.onblocked = () => {
+                this.dbPromise = null;
+                reject(new DOMException("Database open blocked", "AbortError"));
+            };
+        });
+        return this.dbPromise;
+    }
+    /** Runs a single read-write transaction and returns the request result. */
+    async tx(mode, fn) {
+        const db = await this.openDB();
+        return new Promise((resolve, reject) => {
+            const txn = db.transaction(this.storeName, mode);
+            const store = txn.objectStore(this.storeName);
+            const req = fn(store);
+            let result;
+            req.onsuccess = () => { result = req.result; };
+            txn.oncomplete = () => resolve(result);
+            txn.onerror = () => reject(txn.error);
+            txn.onabort = () => reject(txn.error ?? new DOMException("Transaction aborted", "AbortError"));
+        });
+    }
+    // -------------------------------------------------------
+    // Locator serialization (mirrors LocalFileKeyStore)
+    // -------------------------------------------------------
+    validateComponent(value, label) {
+        if (value === "" || value === ".") {
+            throw new InvalidLocatorError(`KeyLocator ${label} must not be empty or "." (got "${value}")`, value, "reserved_name");
+        }
+        if (value.includes("..")) {
+            throw new InvalidLocatorError(`KeyLocator ${label} must not contain ".." (got "${value}")`, value, "path_traversal");
+        }
+        if (value.includes("/") || value.includes("\\") || value.includes("\0")) {
+            throw new InvalidLocatorError(`KeyLocator ${label} must not contain path separators or null bytes (got "${value}")`, value, "path_separator");
+        }
+    }
+    validateNonNegative(value, label) {
+        if (!Number.isInteger(value) || value < 0) {
+            throw new InvalidLocatorError(`KeyLocator ${label} must be a non-negative integer (got ${value})`, String(value), "negative_value");
+        }
+    }
+    serializeLocator(locator) {
+        this.validateComponent(locator.program, "program");
+        this.validateComponent(locator.functionName, "functionName");
+        this.validateComponent(locator.network, "network");
+        this.validateNonNegative(locator.edition, "edition");
+        this.validateNonNegative(locator.amendment, "amendment");
+        const base = `${locator.program}.${locator.functionName}.e${locator.edition}.a${locator.amendment}.${locator.network}.${locator.keyType}`;
+        if (locator.keyType === "translation") {
+            this.validateComponent(locator.recordName, "recordName");
+            this.validateNonNegative(locator.recordInputPosition, "recordInputPosition");
+            return `${base}.${locator.recordName}.${locator.recordInputPosition}`;
+        }
+        return base;
+    }
+    checksumToFingerprint(checksum, keyBytes) {
+        if (!checksum)
+            return undefined;
+        return { checksum, size: keyBytes.length };
+    }
+    // -------------------------------------------------------
+    // KeyStore interface
+    // -------------------------------------------------------
+    async getKeyBytes(locator) {
+        const key = this.serializeLocator(locator);
+        const record = await this.tx("readonly", (store) => store.get(key));
+        if (!record)
+            return null;
+        const fingerprint = this.checksumToFingerprint(locator.checksum, record.bytes) ?? record.metadata;
+        if (fingerprint) {
+            await this.keyVerifier.verifyKeyBytes({
+                keyBytes: record.bytes,
+                locator: key,
+                fingerprint,
+            });
+        }
+        return record.bytes;
+    }
+    async getProvingKey(locator) {
+        const bytes = await this.getKeyBytes(locator);
+        if (!bytes)
+            return null;
+        return ProvingKey.fromBytes(bytes);
+    }
+    async getVerifyingKey(locator) {
+        const bytes = await this.getKeyBytes(locator);
+        if (!bytes)
+            return null;
+        return VerifyingKey.fromBytes(bytes);
+    }
+    async setKeys(proverLocator, verifierLocator, keys) {
+        const proverKey = this.serializeLocator(proverLocator);
+        const verifierKey = this.serializeLocator(verifierLocator);
+        const [provingKey, verifyingKey] = keys;
+        const [provingKeyBytes, verifyingKeyBytes] = [
+            provingKey.toBytes(),
+            verifyingKey.toBytes(),
+        ];
+        const [proverFingerprint, verifierFingerprint] = await Promise.all([
+            this.keyVerifier.computeKeyMetadata({
+                keyBytes: provingKeyBytes,
+                locator: proverKey,
+                fingerprint: this.checksumToFingerprint(proverLocator.checksum, provingKeyBytes),
+            }),
+            this.keyVerifier.computeKeyMetadata({
+                keyBytes: verifyingKeyBytes,
+                locator: verifierKey,
+                fingerprint: this.checksumToFingerprint(verifierLocator.checksum, verifyingKeyBytes),
+            }),
+        ]);
+        const proverRecord = { locator: proverKey, bytes: provingKeyBytes, metadata: proverFingerprint };
+        const verifierRecord = { locator: verifierKey, bytes: verifyingKeyBytes, metadata: verifierFingerprint };
+        // Write both in a single transaction for atomicity.
+        const db = await this.openDB();
+        await new Promise((resolve, reject) => {
+            const txn = db.transaction(this.storeName, "readwrite");
+            const store = txn.objectStore(this.storeName);
+            store.put(proverRecord);
+            store.put(verifierRecord);
+            txn.oncomplete = () => resolve();
+            txn.onerror = () => reject(txn.error);
+            txn.onabort = () => reject(txn.error ?? new DOMException("Transaction aborted", "AbortError"));
+        });
+    }
+    async setKeyBytes(keyBytes, locator) {
+        const key = this.serializeLocator(locator);
+        const computedMetadata = await this.keyVerifier.computeKeyMetadata({
+            keyBytes,
+            locator: key,
+            fingerprint: this.checksumToFingerprint(locator.checksum, keyBytes),
+        });
+        const record = { locator: key, bytes: keyBytes, metadata: computedMetadata };
+        await this.tx("readwrite", (store) => store.put(record));
+    }
+    async getKeyMetadata(locator) {
+        const key = this.serializeLocator(locator);
+        const record = await this.tx("readonly", (store) => store.get(key));
+        return record?.metadata ?? null;
+    }
+    async has(locator) {
+        const key = this.serializeLocator(locator);
+        const count = await this.tx("readonly", (store) => store.count(IDBKeyRange.only(key)));
+        return count > 0;
+    }
+    async delete(locator) {
+        const key = this.serializeLocator(locator);
+        await this.tx("readwrite", (store) => store.delete(key));
+    }
+    async clear() {
+        await this.tx("readwrite", (store) => store.clear());
+    }
+}
+
 /**
  * Encrypt an authorization with a cryptobox X25519 public key (libsodium-compatible wire format).
  *
@@ -163,7 +588,7 @@ class Account {
             this._privateKey = this.privateKeyFromParams(params);
         }
         catch (e) {
-            console.error("Wrong parameter", e);
+            logger.error("Wrong parameter", e);
             throw new Error("Wrong Parameter");
         }
         this._viewKey = ViewKey.from_private_key(this._privateKey);
@@ -634,7 +1059,7 @@ function environment() {
     }
 }
 function logAndThrow(message) {
-    console.error(message);
+    logger.error(message);
     throw new Error(message);
 }
 /** Default transport — wraps global fetch to avoid illegal-invocation errors in browsers. */
@@ -695,7 +1120,7 @@ async function retryWithBackoff(fn, { maxAttempts = 5, baseDelay = 100, jitter,
             const jitterAmount = jitter ?? baseDelay;
             const actualJitter = Math.floor(Math.random() * jitterAmount);
             const delay = baseDelay * 2 ** (attempt - 1) + actualJitter;
-            console.warn(`Retry ${attempt}/${maxAttempts} failed. Retrying in ${delay}ms...`);
+            logger.warn(`Retry ${attempt}/${maxAttempts} failed. Retrying in ${delay}ms...`);
             await new Promise((res) => setTimeout(res, delay));
         }
     }
@@ -864,7 +1289,7 @@ class AleoNetworkClient {
             else {
                 this.headers = {
                     // This is replaced by the actual version by a Rollup plugin
-                    "X-Aleo-SDK-Version": "0.10.5",
+                    "X-Aleo-SDK-Version": "0.11.0",
                     "X-Aleo-environment": environment(),
                 };
             }
@@ -880,7 +1305,7 @@ class AleoNetworkClient {
         else {
             this.headers = {
                 // This is replaced by the actual version by a Rollup plugin
-                "X-Aleo-SDK-Version": "0.10.5",
+                "X-Aleo-SDK-Version": "0.11.0",
                 "X-Aleo-environment": environment(),
             };
         }
@@ -1196,7 +1621,7 @@ class AleoNetworkClient {
                                                                     continue;
                                                                 }
                                                                 catch (error) {
-                                                                    console.log("Found unspent record!");
+                                                                    logger.log("Found unspent record!");
                                                                 }
                                                             }
                                                             // Add the record to the list of records if the user did not specify amounts.
@@ -1256,14 +1681,14 @@ class AleoNetworkClient {
             }
             catch (error) {
                 // If there is an error fetching blocks, log it and keep searching
-                console.warn("Error fetching blocks in range: " +
+                logger.warn("Error fetching blocks in range: " +
                     start.toString() +
                     "-" +
                     end.toString());
-                console.warn("Error: ", error);
+                logger.warn("Error: ", error);
                 failures += 1;
                 if (failures > 10) {
-                    console.warn("10 failures fetching records reached. Returning records fetched so far");
+                    logger.warn("10 failures fetching records reached. Returning records fetched so far");
                     return records;
                 }
             }
@@ -1713,6 +2138,30 @@ class AleoNetworkClient {
             this.ctx = {};
         }
     }
+    /**
+     * Returns the current edition and amendment count for a program.
+     *
+     * @param {string} programId - The program ID (e.g. "hello_hello.aleo")
+     * @returns {{ program_id: string, edition: number, amendment_count: number }}
+     *
+     * @example
+     * const networkClient = new AleoNetworkClient("https://api.provable.com/v2");
+     * const info = await networkClient.getProgramAmendmentCount("hello_hello.aleo");
+     * console.log(info.edition, info.amendment_count);
+     */
+    async getProgramAmendmentCount(programId) {
+        try {
+            this.ctx = { "X-ALEO-METHOD": "getProgramAmendmentCount" };
+            const raw = await this.fetchRaw("/programs/" + programId + "/amendment_count");
+            return JSON.parse(raw);
+        }
+        catch (error) {
+            throw new Error(`Error fetching amendment count for ${programId}: ${error}`);
+        }
+        finally {
+            this.ctx = {};
+        }
+    }
     /**
      * Returns a program object from a program ID or program source code.
      *
@@ -2303,7 +2752,7 @@ class AleoNetworkClient {
         };
     }
     /**
-     * Parses a /prove or /prove/encrypted response. Returns a result object (never throws for 200/400/500/503).
+     * Parses a /prove/authorization or /prove/request response. Returns a result object (never throws for 200/400/500/503).
      */
     async handleProvingResponse(response) {
         // Get the proving response text.
@@ -2364,14 +2813,12 @@ class AleoNetworkClient {
     async submitProvingRequestSafe(options) {
         // Attempt to get the Prover URI first from the options, then from any configured globally, or third try the main configured host.
         const proverUri = (options.url ?? this.proverUri) ?? this.host;
-        const provingRequestString = options.provingRequest instanceof ProvingRequest
-            ? options.provingRequest.toString()
-            : options.provingRequest;
         // Try to get JWT data to access the Provable API.
         const apiKey = options.apiKey ?? this.apiKey;
         const consumerId = options.consumerId ?? this.consumerId;
         let jwtData = options.jwtData ?? this.jwtData;
-        // Check to see if the JWT needs refreshing.
+        // Check to see if the JWT needs refreshing. Runs before parsing the
+        // proving request so JWT refresh errors propagate as they always have.
         const isExpired = jwtData && Date.now() >= jwtData.expiration - FIVE_MINUTES;
         if (!jwtData || isExpired) {
             if (apiKey && consumerId) {
@@ -2380,7 +2827,7 @@ class AleoNetworkClient {
                 options.jwtData = jwtData;
             }
             else {
-                console.warn('JWT or both apiKey and consumerId are required when using the Provable API');
+                logger.warn('JWT or both apiKey and consumerId are required when using the Provable API');
             }
         }
         // Create the necessary headers to hit the provable api.
@@ -2392,59 +2839,58 @@ class AleoNetworkClient {
         if (jwtData?.jwt) {
             headers["Authorization"] = jwtData.jwt;
         }
-        // Encapsulate the requests in a locally scoped function that can be run with a retry closure.
-        const runRequest = async () => {
-            // If DPS privacy is set, call invoke the encrypted flow.
-            if (options.dpsPrivacy) {
-                // Get an ephemeral public key from a DPS service.
-                const pubKeyResponse = await get(proverUri + "/pubkey", {
-                    headers,
-                    credentials: "include",
-                }, this.transport);
-                // Encrypt the provingRequest.
-                const pubkey = parseJSON(await pubKeyResponse.text());
-                const ciphertext = encryptProvingRequest(pubkey.public_key, ProvingRequest.fromString(provingRequestString));
-                // Form the expected query a DPS service expects (including the key_id).
-                const payload = {
-                    key_id: pubkey.key_id,
-                    ciphertext: ciphertext,
-                };
-                // We're in node, attempt to set the cookie manually.
-                const cookie = isNode() ? pubKeyResponse.headers.get("set-cookie") : undefined;
-                // Send the encrypted proving request to the DPS service.
-                const res = await this.transport(`${proverUri}/prove/encrypted`, {
-                    method: "POST",
-                    body: JSON.stringify(payload),
-                    headers: {
-                        ...headers,
-                        ...(cookie ? { Cookie: cookie } : {})
-                    },
-                    credentials: "include",
-                });
-                // Properly handle the proving response.
-                return this.handleProvingResponse(res);
-            }
-            // If encrypted usage is not specified use the unencrypted endpoint.
-            const proveEndpoint = proverUri.endsWith("/prove")
-                ? proverUri
-                : proverUri + "/prove";
-            const res = await this.transport(proveEndpoint, {
-                method: "POST",
-                body: provingRequestString,
+        // Send the proving request encrypted (libsodium-compatible sealed box).
+        // Used by both `/prove/authorization` (Authorization variant) and
+        // `/prove/request` (Request variant). The legacy plaintext `/prove`
+        // route is no longer used.
+        const sendEncrypted = async (endpoint, provingRequestObj) => {
+            // Get an ephemeral public key from the DPS.
+            const pubKeyResponse = await get(proverUri + "/pubkey", {
                 headers,
+                credentials: "include",
+            }, this.transport);
+            // Encrypt the provingRequest using the ephemeral pubkey.
+            const pubkey = parseJSON(await pubKeyResponse.text());
+            const ciphertext = encryptProvingRequest(pubkey.public_key, provingRequestObj);
+            const payload = {
+                key_id: pubkey.key_id,
+                ciphertext: ciphertext,
+            };
+            // We're in node, attempt to set the cookie manually.
+            const cookie = isNode() ? pubKeyResponse.headers.get("set-cookie") : undefined;
+            const res = await this.transport(`${proverUri}${endpoint}`, {
+                method: "POST",
+                body: JSON.stringify(payload),
+                headers: {
+                    ...headers,
+                    ...(cookie ? { Cookie: cookie } : {})
+                },
+                credentials: "include",
             });
-            // Properly handle the proving response.
             return this.handleProvingResponse(res);
         };
+        // Parse the proving request once, up front, so the variant the SDK
+        // routes on matches the bytes it will eventually send (a Request-
+        // variant string must hit /prove/request, not /prove/authorization).
+        // A malformed input string throws synchronously — the safe-API
+        // contract only promises to return `{ ok: false, ... }` for HTTP
+        // failures (400/500/503); a parse error is a caller-side bug and
+        // surfacing it as a fake 500 would mislead callers debugging it.
+        // `options.dpsPrivacy` is ignored; the legacy plaintext `/prove`
+        // route is deprecated.
+        const provingRequestObj = options.provingRequest instanceof ProvingRequest
+            ? options.provingRequest
+            : ProvingRequest.fromString(options.provingRequest);
+        const endpoint = provingRequestObj.kind() === "request"
+            ? "/prove/request"
+            : "/prove/authorization";
         try {
-            // Run the request with retries.
             return await retryWithBackoff(async () => {
-                // Run the encrypted or non-encrypted flow as specified by the flags.
-                const result = await runRequest();
+                const result = await sendEncrypted(endpoint, provingRequestObj);
                 if (result.ok) {
                     return result;
                 }
-                // If 500s are hit responses are returned, attempt retries.
+                // Retry on 500/503; surface 400 verbatim.
                 if (result.status === 500 || result.status === 503) {
                     const err = new Error(result.error.message);
                     err.status = result.status;
@@ -2454,7 +2900,7 @@ class AleoNetworkClient {
             });
         }
         catch (err) {
-            // If an error is returned, provide usable information to the caller.
+            // HTTP failure inside the retry loop — convert to a result object.
             const e = err;
             return {
                 ok: false,
@@ -2510,10 +2956,10 @@ class AleoNetworkClient {
                         let text = "";
                         try {
                             text = await res.text();
-                            console.warn("Response text from server:", text);
+                            logger.warn("Response text from server:", text);
                         }
                         catch (err) {
-                            console.warn("Failed to read response text:", err);
+                            logger.warn("Failed to read response text:", err);
                         }
                         // If the transaction ID is malformed (e.g. invalid checksum, wrong length),
                         // the API returns a 4XX with "Invalid URL" — we treat this as a fatal error and stop polling.
@@ -2524,7 +2970,7 @@ class AleoNetworkClient {
                             return reject(new Error(`Malformed transaction ID: ${text}`));
                         }
                         // Log and continue polling for 404s or 5XX errors in case a tx doesn't exist yet
-                        console.warn("Non-OK response (retrying):", res.status, text);
+                        logger.warn("Non-OK response (retrying):", res.status, text);
                         return;
                     }
                     const data = parseJSON(await res.text());
@@ -2538,7 +2984,7 @@ class AleoNetworkClient {
                     }
                 }
                 catch (err) {
-                    console.error("Polling error:", err);
+                    logger.error("Polling error:", err);
                 }
             }, checkInterval);
         });
@@ -2546,7 +2992,7 @@ class AleoNetworkClient {
 }
 
 /**
- * Error thrown when a record scanner request fails (e.g. /register, /register/encrypted).
+ * Error thrown when a record scanner request fails (e.g. /register/encrypted).
  * Includes HTTP status so callers can handle 422 vs 500 etc.
  */
 class RecordScannerRequestError extends Error {
@@ -2706,7 +3152,7 @@ class AleoKeyProvider {
      * @returns {FunctionKeyPair} Proving and verifying keys for the specified program
      */
     getKeys(keyId) {
-        console.debug(`Checking if key exists in cache. KeyId: ${keyId}`);
+        logger.debug(`Checking if key exists in cache. KeyId: ${keyId}`);
         if (this.cache.has(keyId)) {
             const [provingKeyBytes, verifyingKeyBytes] = (this.cache.get(keyId));
             return [
@@ -2807,9 +3253,9 @@ class AleoKeyProvider {
                     ];
                 }
                 else {
-                    console.debug("Fetching proving keys from url " + proverUrl);
+                    logger.debug("Fetching proving keys from url " + proverUrl);
                     const provingKey = (ProvingKey.fromBytes(await this.fetchBytes(proverUrl)));
-                    console.debug("Fetching verifying keys " + verifierUrl);
+                    logger.debug("Fetching verifying keys " + verifierUrl);
                     const verifyingKey = (await this.getVerifyingKey(verifierUrl));
                     this.cache.set(cacheKey, [
                         provingKey.toBytes(),
@@ -2849,7 +3295,7 @@ class AleoKeyProvider {
                     return ProvingKey.fromBytes(value[0]);
                 }
                 else {
-                    console.debug("Fetching proving keys from url " + proverUrl);
+                    logger.debug("Fetching proving keys from url " + proverUrl);
                     const provingKey = (ProvingKey.fromBytes(await this.fetchBytes(proverUrl)));
                     return provingKey;
                 }
@@ -3016,178 +3462,28 @@ class AleoKeyProvider {
                 return CREDITS_PROGRAM_KEYS.transfer_public_as_signer.verifyingKey();
             case CREDITS_PROGRAM_KEYS.transfer_public_to_private.verifier:
                 return CREDITS_PROGRAM_KEYS.transfer_public_to_private.verifyingKey();
-            case CREDITS_PROGRAM_KEYS.unbond_public.verifier:
-                return CREDITS_PROGRAM_KEYS.unbond_public.verifyingKey();
-            default:
-                try {
-                    /// Try to fetch the verifying key from the network as a string
-                    const response = await get(verifierUri, undefined, this.transport);
-                    const text = await response.text();
-                    return VerifyingKey.fromString(text);
-                }
-                catch (e) {
-                    /// If that fails, try to fetch the verifying key from the network as bytes
-                    try {
-                        return (VerifyingKey.fromBytes(await this.fetchBytes(verifierUri)));
-                    }
-                    catch (inner) {
-                        throw new Error("Invalid verifying key. Error: " + inner.message);
-                    }
-                }
-        }
-    }
-    unBondPublicKeys() {
-        return this.fetchCreditsKeys(CREDITS_PROGRAM_KEYS.unbond_public);
-    }
-}
-
-/**
- * Error thrown when there is a mismatch between expected and actual key metadata.
- * This can occur during verification of either the checksum or size of a key.
- *
- * @extends Error
- */
-class KeyVerificationError extends Error {
-    locator;
-    field;
-    expected;
-    actual;
-    /**
-     * Creates a new KeyVerificationError instance (error.name is "ChecksumMismatchError").
-     *
-     * @param {string} locator - The key locator where the mismatch occurred.
-     * @param {"checksum" | "size"} field - The field that failed verification (either "checksum" or "size").
-     * @param {string} expected - The expected value of the field.
-     * @param {string} actual - The actual value encountered.
-     */
-    constructor(locator, field, expected, actual) {
-        super(`Key verification ${locator} ${field} mismatch: expected ${expected}, got ${actual}`);
-        this.locator = locator;
-        this.field = field;
-        this.expected = expected;
-        this.actual = actual;
-        this.name = "ChecksumMismatchError";
-        Object.setPrototypeOf(this, KeyVerificationError.prototype);
-    }
-}
-/**
- * Computes the SHA-256 checksum of a given set of bytes.
- *
- * @param {Uint8Array} bytes - The bytes to compute the checksum of.
- */
-async function sha256Hex(bytes) {
-    const hash = await crypto.subtle.digest("SHA-256", bytes);
-    return Array.from(new Uint8Array(hash))
-        .map((b) => b.toString(16).padStart(2, "0"))
-        .join("");
-}
-
-/**
- * In-memory implementation of KeyVerifier that stores and verifies key fingerprints.
- * Provides functionality to compute and verify cryptographic checksums of keys, storing them
- * in memory for subsequent verification. This implementation is primarily used for testing
- * and development purposes where persistence is not required.
- *
- * Key features:
- * - Computes SHA-256 checksums and sizes for key bytes.
- * - Stores key fingerprints in memory using string locators.
- * - Verifies key bytes against stored or provided fingerprints.
- *
- * @implements {KeyVerifier}
- */
-class MemKeyVerifier {
-    keyStore = {};
-    /**
-     * Computes and optionally stores key metadata. If a keyFingerprint is provided, this function will verify the computed checksum against it before storing it.
-     *
-     * @param {KeyMetadata} keyMetadata - Object containing key bytes and optional verification data.
-     * @throws {KeyVerificationError} When provided keyFingerprint doesn't match computed values.
-     * @returns {Promise<KeyFingerprint>} Computed key metadata.
-     */
-    async computeKeyMetadata(keyMetadata) {
-        // Compute the metadata from the key bytes
-        const computedFingerprint = {
-            checksum: await sha256Hex(keyMetadata.keyBytes),
-            size: keyMetadata.keyBytes.length
-        };
-        // If a KeyFingerprint is provided, verify it matches computed values.
-        if (keyMetadata.fingerprint) {
-            if (keyMetadata.fingerprint.size !== computedFingerprint.size) {
-                throw new KeyVerificationError(keyMetadata.locator ? keyMetadata.locator : "", "size", String(keyMetadata.fingerprint.size), String(computedFingerprint.size));
-            }
-            if (keyMetadata.fingerprint.checksum !== computedFingerprint.checksum) {
-                throw new KeyVerificationError(keyMetadata.locator ? keyMetadata.locator : "", "checksum", keyMetadata.fingerprint.checksum, computedFingerprint.checksum);
-            }
-        }
-        // If locator is provided, store only the fingerprint
-        if (keyMetadata.locator) {
-            this.keyStore[keyMetadata.locator] = computedFingerprint;
-        }
-        return computedFingerprint;
-    }
-    /**
-     * Verifies key bytes against stored or provided metadata. Follows a priority verification scheme:
-     * 1. If KeyFingerprint is provided in the metadata, this method verifies against that first.
-     * 2. If a locator is provided, attempts to verify against stored fingerprint.
-     * 3. If neither is available, throws an error.
-     *
-     * @param {KeyMetadata} keyMetadata - Object containing the key bytes and optional verification metadata.
-     * @throws {Error} When neither fingerprint nor valid locator is provided for verification.
-     * @throws {KeyVerificationError} When size or checksum verification fails.
-     * @returns {Promise<void>} Promise that resolves when verification succeeds.
-     */
-    async verifyKeyBytes(keyMetadata) {
-        if (!keyMetadata.keyBytes) {
-            throw new Error("Key bytes must be provided for verification.");
-        }
-        // Compute the fingerprint for the provided bytes.
-        const computedFingerprint = await this.computeKeyMetadata({
-            keyBytes: keyMetadata.keyBytes
-        });
-        // Determine which fingerprint to verify against.
-        let fingerprintToVerify;
-        if (keyMetadata.fingerprint) {
-            // If a key fingerprint is provided, use it.
-            fingerprintToVerify = keyMetadata.fingerprint;
-        }
-        else if (keyMetadata.locator) {
-            // Otherwise try to get stored fingerprint by locator.
-            fingerprintToVerify = this.keyStore[keyMetadata.locator];
-        }
-        if (!fingerprintToVerify) {
-            throw new Error("Either fingerprint or a valid locator must be provided for verification.");
-        }
-        // Verify the key size.
-        if (fingerprintToVerify.size !== computedFingerprint.size) {
-            throw new KeyVerificationError(keyMetadata.locator || "", "size", String(fingerprintToVerify.size), String(computedFingerprint.size));
-        }
-        // Verify the key checksum.
-        if (fingerprintToVerify.checksum !== computedFingerprint.checksum) {
-            throw new KeyVerificationError(keyMetadata.locator || "", "checksum", fingerprintToVerify.checksum, computedFingerprint.checksum);
-        }
-    }
-}
-
-/**
- * Error thrown when a key locator is invalid for filesystem use.
- * Used to prevent path traversal and other filesystem injection when deriving paths from locators.
- *
- * @extends Error
- */
-class InvalidLocatorError extends Error {
-    locator;
-    reason;
-    /**
-     * @param message - Human-readable description of the validation failure.
-     * @param locator - The invalid locator string that failed validation.
-     * @param reason - Machine-readable reason code for the failure.
-     */
-    constructor(message, locator, reason) {
-        super(message);
-        this.locator = locator;
-        this.reason = reason;
-        this.name = "InvalidLocatorError";
-        Object.setPrototypeOf(this, InvalidLocatorError.prototype);
+            case CREDITS_PROGRAM_KEYS.unbond_public.verifier:
+                return CREDITS_PROGRAM_KEYS.unbond_public.verifyingKey();
+            default:
+                try {
+                    /// Try to fetch the verifying key from the network as a string
+                    const response = await get(verifierUri, undefined, this.transport);
+                    const text = await response.text();
+                    return VerifyingKey.fromString(text);
+                }
+                catch (e) {
+                    /// If that fails, try to fetch the verifying key from the network as bytes
+                    try {
+                        return (VerifyingKey.fromBytes(await this.fetchBytes(verifierUri)));
+                    }
+                    catch (inner) {
+                        throw new Error("Invalid verifying key. Error: " + inner.message);
+                    }
+                }
+        }
+    }
+    unBondPublicKeys() {
+        return this.fetchCreditsKeys(CREDITS_PROGRAM_KEYS.unbond_public);
     }
 }
 
@@ -3944,12 +4240,12 @@ class NetworkRecordProvider {
             records = await this.findCreditsRecords([microcredits], searchParameters);
         }
         catch (e) {
-            console.log("No records found with error:", e);
+            logger.log("No records found with error:", e);
         }
         if (records && records.length > 0) {
             return records[0];
         }
-        console.error("Record not found with error:", records);
+        logger.error("Record not found with error:", records);
         throw new Error("Record not found");
     }
     /**
@@ -3961,12 +4257,12 @@ class NetworkRecordProvider {
             records = await this.findRecords(searchParameters);
         }
         catch (e) {
-            console.log("No records found with error:", e);
+            logger.log("No records found with error:", e);
         }
         if (records && records.length > 0) {
             return records[0];
         }
-        console.error("Record not found with error:", records);
+        logger.error("Record not found with error:", records);
         throw new Error("Record not found");
     }
     /**
@@ -4061,7 +4357,7 @@ class BlockHeightSearch {
  * const recordScanner = new RecordScanner({ url: "https://record-scanner.aleo.org" });
  * recordScanner.setAccount(account);
  * recordScanner.setApiKey("example-api-key");
- * const result = await recordScanner.register(viewKey, 0);
+ * const result = await recordScanner.registerEncrypted(viewKey, 0);
  * if (result.ok) { const uuid = result.data.uuid; }
  *
  * const filter = {
@@ -4316,40 +4612,6 @@ class RecordScanner {
         }
         throw err;
     }
-    /**
-     * Register the account with the record scanning service (unencrypted POST /register). Does not throw if a valid error response from the record scanner is received; returns a result object instead.
-     *
-     * @param {ViewKey} viewKey The view key to register.
-     * @param {number} startBlock The block height to start scanning from.
-     * @returns {Promise<RegisterResult>} `{ ok: true, data }` on success, or `{ ok: false, status, error }` on failure.
-     */
-    async register(viewKey, startBlock) {
-        try {
-            const request = {
-                view_key: viewKey.to_string(),
-                start: startBlock,
-            };
-            const response = await this.request(new Request(`${this.url}/register`, {
-                method: "POST",
-                headers: { "Content-Type": "application/json" },
-                body: JSON.stringify(request),
-            }));
-            const data = await response.json();
-            // If the uuid is not set, set it on the scanner.
-            if (!this.uuid) {
-                this.uuid = data.uuid;
-            }
-            // Add the view key to the local scanner's view keys if configured to do so.
-            if (this.cacheViewKeysOnRegister) {
-                this.addViewKey(viewKey);
-            }
-            return { ok: true, data };
-        }
-        catch (err) {
-            console.error(`Failed to register view key: ${err}`);
-            return this.handleRequestError(err);
-        }
-    }
     /**
      * Fetches an ephemeral public key from the record scanning service for use with registerEncrypted.
      * Follows the same pattern as the delegated proving service /pubkey endpoint.
@@ -4360,6 +4622,19 @@ class RecordScanner {
         const response = await this.request(new Request(`${this.url}/pubkey`, { method: "GET" }));
         return parseJSON(await response.text());
     }
+    /**
+     * Registers the account with the record scanning service using the encrypted flow.
+     * Alias of {@link registerEncrypted} — preserved so existing callers using the
+     * previous unencrypted `register(viewKey, startBlock)` API continue to work
+     * unchanged while transparently using the encrypted endpoint.
+     *
+     * @param {ViewKey} viewKey The view key to register.
+     * @param {number} startBlock The block height to start scanning from.
+     * @returns {Promise<RegisterResult>} `{ ok: true, data }` on success, or `{ ok: false, status, error }` on failure.
+     */
+    async register(viewKey, startBlock) {
+        return this.registerEncrypted(viewKey, startBlock);
+    }
     /**
      * Registers the account with the record scanning service using the encrypted flow: 1. fetches an ephemeral public key from /pubkey - 2. encrypts the registration request (view key + start block) - 3. POSTs to /register/encrypted. Does not HTTP error on a proper error response from the record scanner; returns a result object instead.
      *
@@ -4591,7 +4866,7 @@ class RecordScanner {
             throw new Error("Record not found");
         }
         catch (error) {
-            console.error(`Failed to find record: ${error}`);
+            logger.error(`Failed to find record: ${error}`);
             throw error;
         }
     }
@@ -4752,7 +5027,7 @@ class RecordScanner {
             return record;
         }
         catch (error) {
-            console.error(`Failed to find credits record: ${error}`);
+            logger.error(`Failed to find credits record: ${error}`);
             throw error;
         }
     }
@@ -4801,7 +5076,7 @@ class RecordScanner {
             });
         }
         catch (error) {
-            console.error(`Failed to find credits records: ${error}`);
+            logger.error(`Failed to find credits records: ${error}`);
             throw error;
         }
     }
@@ -4839,7 +5114,7 @@ class RecordScanner {
             return response;
         }
         catch (error) {
-            console.error(`Failed to make request to ${req.url}: ${error}`);
+            logger.error(`Failed to make request to ${req.url}: ${error}`);
             throw error;
         }
     }
@@ -5196,17 +5471,19 @@ class ProgramManager {
     networkClient;
     recordProvider;
     inclusionKeysLoaded = false;
+    _keyStore;
     /** Create a new instance of the ProgramManager
      *
      * @param { string | undefined } host A host uri running the official Aleo API
      * @param { FunctionKeyProvider | undefined } keyProvider A key provider that implements {@link FunctionKeyProvider} interface
      * @param { RecordProvider | undefined } recordProvider A record provider that implements {@link RecordProvider} interface
      */
-    constructor(host, keyProvider, recordProvider, networkClientOptions) {
+    constructor(host, keyProvider, recordProvider, networkClientOptions, keyStore) {
         this.host = host ? host : "https://api.provable.com/v2";
         this.networkClient = new AleoNetworkClient(this.host, networkClientOptions);
         this.keyProvider = keyProvider ? keyProvider : new AleoKeyProvider({ transport: networkClientOptions?.transport });
         this.recordProvider = recordProvider;
+        this._keyStore = keyStore;
     }
     /**
      * Pre-load the inclusion prover for offline execution. Required when the
@@ -5284,6 +5561,330 @@ class ProgramManager {
     setRecordProvider(recordProvider) {
         this.recordProvider = recordProvider;
     }
+    /**
+     * Set the key store for automatic key caching across executions.
+     *
+     * @param {KeyStore} keyStore
+     */
+    setKeyStore(keyStore) {
+        this._keyStore = keyStore;
+    }
+    /**
+     * Build a ProgramImportsBuilder from a program and its imports.
+     * Fetches imports from the network if not provided, resolves transitive
+     * dependencies, and optionally pre-loads cached keys from the KeyStore.
+     *
+     * @param loadKeys When true (default), loads cached proving/verifying keys
+     *   from the KeyStore into the builder. Set to false for authorization and
+     *   proving request paths where keys are not synthesized.
+     */
+    async buildProgramImports(program, imports, loadKeys, entryFunction) {
+        const builder = new ProgramImports();
+        const programSource = typeof program === "string" ? program : program.toString();
+        const programObj = Program.fromString(programSource);
+        const importNames = programObj.getImports();
+        if (importNames.length === 0 && (!imports || Object.keys(imports).length === 0)) {
+            return { builder, importEditions: new Map() };
+        }
+        let resolvedImports = {};
+        if (imports) {
+            resolvedImports = { ...imports };
+        }
+        if (importNames.length > 0 && !imports) {
+            try {
+                resolvedImports = await this.networkClient.getProgramImports(programSource);
+            }
+            catch (e) {
+                logger.warn(`Failed to resolve program imports from network: ${e}.`);
+            }
+        }
+        // Build a map of which functions each import actually calls,
+        // so we only load keys for functions in the call chain.
+        const calledFunctions = ProgramManager.callGraphToMap(programObj.getCallGraph(entryFunction));
+        // Phase 1: Collect all programs via BFS, discovering transitive imports.
+        // The initial getProgramImports call above already resolves the full
+        // transitive closure via recursive DFS.  The BFS loop here only needs
+        // to handle user-provided imports whose transitive deps may not yet be
+        // known.  For each unknown import we issue a single getProgram() call
+        // (not a full recursive getProgramImports) and fetch siblings in
+        // parallel to minimize round-trips.
+        const collected = new Map();
+        const collectQueue = Object.entries(resolvedImports).map(([name, src]) => [name, typeof src === "string" ? src : src.toString()]);
+        while (collectQueue.length > 0) {
+            const [name, source] = collectQueue.shift();
+            if (collected.has(name))
+                continue;
+            collected.set(name, source);
+            // Discover transitive imports for collection (call-graph tracing
+            // happens in a separate pass after topological sorting).
+            try {
+                const subImports = ProgramManager.getImportNames(source);
+                if (subImports.length > 0) {
+                    // Fetch only unknown transitive imports — the source for
+                    // programs already in collected/resolvedImports is known, so
+                    // we skip them.  Fetches within a BFS level run in parallel.
+                    const unknownImports = subImports.filter((id) => !collected.has(id) && !(id in resolvedImports));
+                    if (unknownImports.length > 0) {
+                        const fetched = await Promise.all(unknownImports.map(async (id) => {
+                            try {
+                                const src = await this.networkClient.getProgram(id);
+                                return [id, src];
+                            }
+                            catch {
+                                return null;
+                            }
+                        }));
+                        for (const entry of fetched) {
+                            if (entry && !collected.has(entry[0])) {
+                                collectQueue.push(entry);
+                            }
+                        }
+                    }
+                }
+            }
+            catch (e) {
+                logger.warn(`Failed to resolve transitive imports for ${name}: ${e}`);
+            }
+        }
+        // Phase 2: Add programs in topological order (leaves first).
+        // A simple DFS post-order ensures dependencies are added before
+        // dependents, regardless of the order collected entries arrived.
+        const sorted = [];
+        const visited = new Set();
+        const visit = (name) => {
+            if (visited.has(name))
+                return;
+            visited.add(name);
+            const source = collected.get(name);
+            if (!source)
+                return;
+            for (const dep of ProgramManager.getImportNames(source)) {
+                if (collected.has(dep))
+                    visit(dep);
+            }
+            sorted.push([name, source]);
+        };
+        for (const [name] of collected)
+            visit(name);
+        // When scoped, trace call graphs in reverse topological order
+        // (dependents before leaves) so parent calls propagate before
+        // children are traced. sorted is leaves-first, so reverse it.
+        if (entryFunction) {
+            for (let i = sorted.length - 1; i >= 0; i--) {
+                const [name, source] = sorted[i];
+                const functionsNeeded = calledFunctions.get(name);
+                if (!functionsNeeded)
+                    continue;
+                try {
+                    const importProgram = Program.fromString(source);
+                    for (const fn of functionsNeeded) {
+                        const reachable = ProgramManager.callGraphToMap(importProgram.getCallGraph(fn));
+                        for (const [p, fns] of reachable) {
+                            if (!calledFunctions.has(p)) {
+                                calledFunctions.set(p, new Set(fns));
+                            }
+                            else {
+                                for (const f of fns)
+                                    calledFunctions.get(p).add(f);
+                            }
+                        }
+                    }
+                }
+                catch (e) {
+                    logger.warn(`Failed to trace call graph for ${name}: ${e}`);
+                }
+            }
+        }
+        // Resolve editions for all imports in parallel (each import may have
+        // a different edition than the top-level program).
+        const importEditions = new Map();
+        await Promise.all(sorted.map(async ([name]) => {
+            importEditions.set(name, await this.resolveEditionAndAmendment(name));
+        }));
+        for (const [name, source] of sorted) {
+            if (builder.contains(name))
+                continue;
+            const { edition: importEdition, amendment: importAmendment } = importEditions.get(name);
+            try {
+                builder.addProgram(name, source, importEdition);
+            }
+            catch (e) {
+                logger.warn(`Failed to add import ${name} to builder: ${e}`);
+                continue;
+            }
+            if (loadKeys) {
+                const calledFns = calledFunctions.get(name);
+                await this.loadKeysFromStore(builder, name, calledFns ? [...calledFns] : [], importEdition, importAmendment);
+            }
+        }
+        return { builder, importEditions };
+    }
+    /**
+     * Extract `import program_name.aleo;` names from program source via regex.
+     * Avoids a WASM round-trip compared to Program.fromString + getImports.
+     */
+    static getImportNames(programSource) {
+        const result = [];
+        const importPattern = /^\s*import\s+([a-zA-Z_][a-zA-Z0-9_]*\.aleo)\s*;/gm;
+        let match;
+        while ((match = importPattern.exec(programSource)) !== null) {
+            result.push(match[1]);
+        }
+        return result;
+    }
+    /**
+     * Convert the JS object returned by Program.getCallGraph() into a
+     * Map<string, Set<string>> for use in buildProgramImports.
+     */
+    static callGraphToMap(callGraph) {
+        const result = new Map();
+        for (const [programName, functions] of Object.entries(callGraph)) {
+            result.set(programName, new Set(functions));
+        }
+        return result;
+    }
+    /**
+     * Resolve the active KeyStore, preferring the directly-set _keyStore
+     * over the KeyProvider's keyStore().
+     */
+    async resolveKeyStore() {
+        if (this._keyStore)
+            return this._keyStore;
+        try {
+            return await this.keyProvider?.keyStore?.();
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Resolve the edition and amendment count for a program from the network.
+     * Returns `{ edition, amendment }` or falls back to `{ edition: 1, amendment: 0 }`.
+     */
+    async resolveEditionAndAmendment(programName, fallbackEdition) {
+        try {
+            const info = await this.networkClient.getProgramAmendmentCount(programName);
+            return { edition: info.edition, amendment: info.amendment_count };
+        }
+        catch (e) {
+            logger.warn(`Error finding edition/amendment for ${programName}. Network response: '${e.message}'. Defaulting to edition ${fallbackEdition ?? 1}, amendment 0.`);
+            return { edition: fallbackEdition ?? 1, amendment: 0 };
+        }
+    }
+    /**
+     * Load cached proving/verifying keys from the KeyStore into a ProgramImportsBuilder.
+     * Only loads keys for the specified functions — returns immediately if
+     * functionNames is empty or undefined.
+     * Resolves edition and amendment from the network for accurate key locator
+     * construction when not explicitly provided.
+     */
+    async loadKeysFromStore(builder, programName, functionNames, edition, amendment) {
+        if (!functionNames || functionNames.length === 0)
+            return;
+        const keyStore = await this.resolveKeyStore();
+        if (!keyStore)
+            return;
+        // Resolve edition and amendment from the network if not fully provided.
+        if (edition === undefined || amendment === undefined) {
+            const resolved = await this.resolveEditionAndAmendment(programName, edition);
+            edition = edition ?? resolved.edition;
+            amendment = amendment ?? resolved.amendment;
+        }
+        for (const fnName of functionNames) {
+            const pkLocator = provingKeyLocator(programName, fnName, edition, amendment);
+            const vkLocator = verifyingKeyLocator(programName, fnName, edition, amendment);
+            try {
+                const pk = await keyStore.getProvingKey(pkLocator);
+                if (pk)
+                    builder.addProvingKey(programName, fnName, pk);
+                const vk = await keyStore.getVerifyingKey(vkLocator);
+                if (vk)
+                    builder.addVerifyingKey(programName, fnName, vk);
+            }
+            catch (e) {
+                logger.debug(`Failed to load keys for ${programName}/${fnName}: ${e}`);
+            }
+        }
+    }
+    /**
+     * Persist newly synthesized keys from the returned ProgramImportsBuilder
+     * into the KeyStore. Only writes keys that are not already in the store,
+     * avoiding unnecessary writes of large proving keys.
+     * Fetches each program's current edition and amendment count from the network
+     * for accurate key locator construction.
+     */
+    async persistExtractedKeys(builder, importEditions) {
+        const keyStore = await this.resolveKeyStore();
+        if (!keyStore)
+            return;
+        const programNames = Array.from(builder.programNames());
+        // Reuse editions resolved during buildProgramImports when available,
+        // falling back to parallel network resolution for any missing programs.
+        const editionMap = importEditions ?? new Map();
+        const missing = programNames.filter((name) => !editionMap.has(name));
+        if (missing.length > 0) {
+            await Promise.all(missing.map(async (name) => {
+                editionMap.set(name, await this.resolveEditionAndAmendment(name));
+            }));
+        }
+        for (const programName of programNames) {
+            const { edition, amendment } = editionMap.get(programName);
+            let fns;
+            try {
+                fns = Array.from(builder.functionKeysAvailable(programName));
+            }
+            catch (e) {
+                logger.debug(`Failed to query keys for ${programName}: ${e}`);
+                continue;
+            }
+            for (const fnName of fns) {
+                try {
+                    const pkLocator = provingKeyLocator(programName, fnName, edition, amendment);
+                    const vkLocator = verifyingKeyLocator(programName, fnName, edition, amendment);
+                    // Skip keys already in the store.
+                    if (await keyStore.has(pkLocator) && await keyStore.has(vkLocator)) {
+                        continue;
+                    }
+                    const pk = builder.getProvingKey(programName, fnName);
+                    const vk = builder.getVerifyingKey(programName, fnName);
+                    if (pk && vk) {
+                        await keyStore.setKeys(pkLocator, vkLocator, [pk, vk]);
+                    }
+                }
+                catch (e) {
+                    logger.debug(`Failed to persist key for ${programName}/${fnName}: ${e}`);
+                }
+            }
+        }
+    }
+    /**
+     * Resolve top-level function keys, checking the KeyStore first and
+     * falling back to the KeyProvider.
+     */
+    async resolveTopLevelKeys(programName, functionName, keySearchParams, edition, amendment) {
+        const keyStore = await this.resolveKeyStore();
+        if (keyStore) {
+            try {
+                const pkLocator = provingKeyLocator(programName, functionName, edition, amendment);
+                const vkLocator = verifyingKeyLocator(programName, functionName, edition, amendment);
+                if (await keyStore.has(pkLocator) && await keyStore.has(vkLocator)) {
+                    const pk = await keyStore.getProvingKey(pkLocator);
+                    const vk = await keyStore.getVerifyingKey(vkLocator);
+                    if (pk && vk)
+                        return [pk, vk];
+                }
+            }
+            catch {
+                // Fall through to KeyProvider
+            }
+        }
+        try {
+            return (await this.keyProvider.functionKeys(keySearchParams));
+        }
+        catch {
+            return undefined;
+        }
+    }
     /**
      * Set a header in the `AleoNetworkClient`s header map
      *
@@ -5337,7 +5938,7 @@ class ProgramManager {
             return;
         }
         catch {
-            console.log("Setting the inclusion prover requires either a key provider to be configured for the ProgramManager OR to pass the inclusion prover directly");
+            logger.log("Setting the inclusion prover requires either a key provider to be configured for the ProgramManager OR to pass the inclusion prover directly");
         }
     }
     /**
@@ -5412,7 +6013,7 @@ class ProgramManager {
             }
             catch (e) {
                 // Program does not exist on the network, deployment can proceed
-                console.log(`Program ${programObject.id()} does not exist on the network, deploying...`);
+                logger.log(`Program ${programObject.id()} does not exist on the network, deploying...`);
             }
             if (typeof programSource === "string") {
                 throw Error(`Program ${programObject.id()} already exists on the network, please rename your program`);
@@ -5436,7 +6037,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(ProgramManager$1.estimateDeploymentFee(programString, imports));
@@ -5527,7 +6128,7 @@ class ProgramManager {
             }
             catch (e) {
                 // Program does not exist on the network, deployment can proceed
-                console.log(`Program ${programObject.id()} does not exist on the network...`);
+                logger.log(`Program ${programObject.id()} does not exist on the network...`);
             }
         }
         catch (e) {
@@ -5548,7 +6149,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(ProgramManager$1.estimateDeploymentFee(programString, imports));
@@ -5718,15 +6319,9 @@ class ProgramManager {
         if (programName === undefined) {
             programName = programObject.id();
         }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
+        const { amendment } = resolved;
         // Get the private key from the account if it is not provided in the parameters
         let executionPrivateKey = privateKey;
         if (typeof privateKey === "undefined" &&
@@ -5747,23 +6342,19 @@ class ProgramManager {
             logAndThrow(`Error finding fee keys. Key finder response: '${e.message}'. Please ensure your key provider is configured correctly.`);
         }
         const [feeProvingKey, feeVerifyingKey] = feeKeys;
-        // If the function proving and verifying keys are not provided, attempt to find them using the key provider
+        // Build the ProgramImportsBuilder for import resolution and key caching.
+        const { builder: programImportsBuilder, importEditions } = await this.buildProgramImports(program, imports, true, functionName);
+        // Include the top-level program's already-resolved edition so
+        // persistExtractedKeys doesn't make a redundant network call for it.
+        importEditions.set(programName, { edition: edition, amendment });
+        // If the function proving and verifying keys are not provided, attempt to find them
         if (!provingKey || !verifyingKey) {
-            try {
-                [provingKey, verifyingKey] = (await this.keyProvider.functionKeys(keySearchParams));
-            }
-            catch (e) {
-                console.log(`Function keys not found. Key finder response: '${e}'. The function keys will be synthesized`);
-            }
-        }
-        // Resolve the program imports if they exist
-        const numberOfImports = programObject.getImports().length;
-        if (numberOfImports > 0 && !imports) {
-            try {
-                imports = (await this.networkClient.getProgramImports(programName));
+            const keys = await this.resolveTopLevelKeys(programName, functionName, keySearchParams, edition, amendment);
+            if (keys) {
+                [provingKey, verifyingKey] = keys;
             }
-            catch (e) {
-                logAndThrow(`Error finding program imports. Network response: '${e.message}'. Please ensure you're connected to a valid Aleo network and the program is deployed to the network.`);
+            else {
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         // Get the fee record from the account if it is not provided in the parameters
@@ -5788,17 +6379,23 @@ class ProgramManager {
         }
         // Auto-convert bare string inputs to field elements where the function expects field type.
         const preparedInputs = this.prepareInputs(program, functionName, inputs);
-        // Build the query: user-provided OfflineQuery for truly offline execution,
-        // CallbackQuery when a custom transport is configured, or undefined to
-        // let WASM use its internal SnapshotQuery with the default fetch.
         const query = offlineQuery
             ? QueryOption.offlineQuery(offlineQuery)
             : this.networkClient.hasCustomTransport
                 ? QueryOption.callbackQuery(this.buildCallbackQuery())
                 : undefined;
         await this.ensureInclusionKeys(!!offlineQuery);
-        // Build an execution transaction
-        return await ProgramManager$1.buildExecutionTransaction(executionPrivateKey, program, functionName, preparedInputs, priorityFee, feeRecord, this.host, imports, provingKey, verifyingKey, feeProvingKey, feeVerifyingKey, query, edition);
+        const result = await ProgramManager$1.buildExecutionTransaction(executionPrivateKey, program, functionName, preparedInputs, priorityFee, feeRecord, this.host, undefined, // imports (legacy Object path — builder handles resolution)
+        provingKey, verifyingKey, feeProvingKey, feeVerifyingKey, query, edition, programImportsBuilder?.clone());
+        // The clone passed to WASM shares state with the original via
+        // Rc<RefCell<>> — synthesized keys are already visible.
+        try {
+            await this.persistExtractedKeys(programImportsBuilder, importEditions);
+        }
+        catch (e) {
+            logger.debug(`Failed to persist extracted keys: ${e}`);
+        }
+        return result;
     }
     /**
      * Builds an execution transaction for submission to the Aleo network from an Authorization and Fee Authorization.
@@ -5876,6 +6473,10 @@ class ProgramManager {
         const feeAuthorization = options.feeAuthorization;
         const keySearchParams = options.keySearchParams;
         const offlineQuery = options.offlineQuery;
+        let edition = options.edition;
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
+        const { amendment } = resolved;
         let provingKey = options.provingKey;
         let verifyingKey = options.verifyingKey;
         let program = options.program;
@@ -5904,24 +6505,17 @@ class ProgramManager {
             logAndThrow(`Error finding fee keys. Key finder response: '${e.message}'. Please ensure your key provider is configured correctly.`);
         }
         const [feeProvingKey, feeVerifyingKey] = feeKeys;
-        // If the function proving and verifying keys are not provided, attempt to find them using the key provider.
+        // Build the ProgramImportsBuilder for import resolution and key caching.
+        const { builder: programImportsBuilder, importEditions } = await this.buildProgramImports(program, imports, true, authorization.functionName());
+        importEditions.set(programName, { edition: edition, amendment });
+        // If the function proving and verifying keys are not provided, attempt to find them.
         if (!provingKey || !verifyingKey) {
-            try {
-                [provingKey, verifyingKey] = (await this.keyProvider.functionKeys(keySearchParams));
-            }
-            catch (e) {
-                console.log(`Function keys not found. Key finder response: '${e}'. The function keys will be synthesized`);
-            }
-        }
-        // Resolve the program imports if they exist.
-        console.log("Resolving program imports");
-        const numberOfImports = Program.fromString(program).getImports().length;
-        if (numberOfImports > 0 && !imports) {
-            try {
-                imports = (await this.networkClient.getProgramImports(programName));
+            const keys = await this.resolveTopLevelKeys(programName, authorization.functionName(), keySearchParams, edition, amendment);
+            if (keys) {
+                [provingKey, verifyingKey] = keys;
             }
-            catch (e) {
-                logAndThrow(`Error finding program imports. Network response: '${e.message}'. Please ensure you're connected to a valid Aleo network and the program is deployed to the network.`);
+            else {
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         const query = offlineQuery
@@ -5930,9 +6524,18 @@ class ProgramManager {
                 ? QueryOption.callbackQuery(this.buildCallbackQuery())
                 : undefined;
         await this.ensureInclusionKeys(!!offlineQuery);
-        // Build an execution transaction from the authorization.
-        console.log("Executing authorizations");
-        return await ProgramManager$1.executeAuthorization(authorization, feeAuthorization, program, provingKey, verifyingKey, feeProvingKey, feeVerifyingKey, imports, this.host, query);
+        // Build an execution transaction from the authorization. The
+        // ProgramImportsBuilder is consumed by value (ownership transfers to WASM)
+        // and returned enriched with any keys synthesized during execution.
+        const result = await ProgramManager$1.executeAuthorization(authorization, feeAuthorization, program, provingKey, verifyingKey, feeProvingKey, feeVerifyingKey, undefined, // imports (legacy Object path — builder handles resolution)
+        this.host, query, programImportsBuilder?.clone(), edition);
+        try {
+            await this.persistExtractedKeys(programImportsBuilder, importEditions);
+        }
+        catch (e) {
+            logger.debug(`Failed to persist extracted keys: ${e}`);
+        }
+        return result;
     }
     /**
      * Builds a SnarkVM `Authorization` for a specific function.
@@ -5995,29 +6598,17 @@ class ProgramManager {
         if (typeof executionPrivateKey === "undefined") {
             throw "No private key provided and no private key set in the ProgramManager";
         }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
-        // Resolve the program imports if they exist.
-        const numberOfImports = Program.fromString(program).getImports().length;
-        if (numberOfImports > 0 && !imports) {
-            try {
-                imports = (await this.networkClient.getProgramImports(programName));
-            }
-            catch (e) {
-                logAndThrow(`Error finding program imports. Network response: '${e.message}'. Please ensure you're connected to a valid Aleo network and the program is deployed to the network.`);
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
         // Auto-convert bare string inputs to field elements where the function expects field type.
         const preparedInputs = this.prepareInputs(program, functionName, inputs);
+        // Build ProgramImportsBuilder for import resolution (no key loading —
+        // authorizations don't synthesize keys).
+        const { builder } = await this.buildProgramImports(program, imports, false, functionName);
+        const hasImports = !builder.isEmpty();
         // Build and return an `Authorization` for the desired function.
-        return await ProgramManager$1.authorize(executionPrivateKey, program, functionName, preparedInputs, imports, edition);
+        const authorization = await ProgramManager$1.authorize(executionPrivateKey, program, functionName, preparedInputs, hasImports ? undefined : imports, edition, hasImports ? builder?.clone() : undefined);
+        return authorization;
     }
     /**
      * Builds a SnarkVM `Authorization` for a specific function without building a circuit first. This should be used when fast authorization generation is needed and the invoker is confident inputs are coorect.
@@ -6080,29 +6671,17 @@ class ProgramManager {
         if (typeof executionPrivateKey === "undefined") {
             throw "No private key provided and no private key set in the ProgramManager";
         }
-        // Resolve the program imports if they exist.
-        const numberOfImports = Program.fromString(program).getImports().length;
-        if (numberOfImports > 0 && !imports) {
-            try {
-                imports = (await this.networkClient.getProgramImports(programName));
-            }
-            catch (e) {
-                logAndThrow(`Error finding program imports. Network response: '${e.message}'. Please ensure you're connected to a valid Aleo network and the program is deployed to the network.`);
-            }
-        }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
         // Auto-convert bare string inputs to field elements where the function expects field type.
         const preparedInputs = this.prepareInputs(program, functionName, inputs);
+        // Build ProgramImportsBuilder for import resolution (no key loading —
+        // authorizations don't synthesize keys).
+        const { builder } = await this.buildProgramImports(program, imports, false, functionName);
+        const hasImports = !builder.isEmpty();
         // Build and return an `Authorization` for the desired function.
-        return await ProgramManager$1.buildAuthorizationUnchecked(executionPrivateKey, program, functionName, preparedInputs, imports, edition);
+        const authorization = await ProgramManager$1.buildAuthorizationUnchecked(executionPrivateKey, program, functionName, preparedInputs, hasImports ? undefined : imports, edition, hasImports ? builder?.clone() : undefined);
+        return authorization;
     }
     /**
      * Builds a `ProvingRequest` for submission to a prover for execution. If building a proving request with an ExecutionRequest, a private key must be explicitly provided.
@@ -6165,15 +6744,8 @@ class ProgramManager {
         if (programName === undefined) {
             programName = Program.fromString(program).id();
         }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
         // Get the private key from the account if it is not provided in the parameters.
         let executionPrivateKey = privateKey;
         if (typeof privateKey === "undefined" &&
@@ -6211,8 +6783,30 @@ class ProgramManager {
         catch (e) {
             logAndThrow(`Error finding fee record. Record finder response: '${e.message}'. Please ensure you're connected to a valid Aleo network and a record with enough balance exists.`);
         }
+        // Build ProgramImportsBuilder for import resolution (no key loading —
+        // proving requests don't synthesize keys).
+        // Note: imports is kept for the Rust-side fee estimation fallback
+        // (estimate_fee_for_authorization uses the legacy imports Object to avoid
+        // a RefCell double-borrow — see proving_request.rs).
+        const { builder } = await this.buildProgramImports(program, imports, false, functionName);
+        const hasImports = !builder.isEmpty();
+        // Normalize imports to the full merged set from the builder so the
+        // Rust fee estimator sees all transitive imports, not just the
+        // caller's partial set. Use programNames + getProgram to avoid
+        // serializing key bytes (toObject would serialize all proving/
+        // verifying keys, which can be tens of MB).
+        if (hasImports) {
+            const merged = {};
+            for (const name of Array.from(builder.programNames())) {
+                const src = builder.getProgram(name);
+                if (src)
+                    merged[name] = src;
+            }
+            imports = merged;
+        }
         if (options.executionRequest instanceof ExecutionRequest) {
-            return await ProgramManager$1.buildProvingRequestFromExecutionRequest(options.executionRequest, program, unchecked, broadcast, edition, imports, executionPrivateKey);
+            return await ProgramManager$1.buildProvingRequestFromExecutionRequest(options.executionRequest, program, unchecked, broadcast, edition, imports, // kept for fee estimation in Rust
+            executionPrivateKey, hasImports ? builder?.clone() : undefined);
         }
         else {
             // Ensure the private key exists.
@@ -6226,7 +6820,8 @@ class ProgramManager {
             // Auto-convert bare string inputs to field elements where the function expects field type.
             const preparedInputs = this.prepareInputs(program, functionName, inputs);
             // Build and return the `ProvingRequest`.
-            return await ProgramManager$1.buildProvingRequest(executionPrivateKey, program, functionName, preparedInputs, baseFee, priorityFee, feeRecord, imports, broadcast, unchecked, edition, useFeeMaster);
+            return await ProgramManager$1.buildProvingRequest(executionPrivateKey, program, functionName, preparedInputs, baseFee, priorityFee, feeRecord, imports, // kept for fee estimation in Rust
+            broadcast, unchecked, edition, useFeeMaster, hasImports ? builder?.clone() : undefined);
         }
     }
     /**
@@ -6399,6 +6994,10 @@ class ProgramManager {
      * assert(result === ["10u32"]);
      */
     async run(program, function_name, inputs, proveExecution, imports, keySearchParams, provingKey, verifyingKey, privateKey, offlineQuery, edition) {
+        const programName = Program.fromString(program).id();
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
+        const { amendment } = resolved;
         // Get the private key from the account if it is not provided in the parameters
         let executionPrivateKey = privateKey;
         if (typeof privateKey === "undefined" &&
@@ -6408,13 +7007,16 @@ class ProgramManager {
         if (typeof executionPrivateKey === "undefined") {
             throw "No private key provided and no private key set in the ProgramManager";
         }
-        // If the function proving and verifying keys are not provided, attempt to find them using the key provider
+        // Build the ProgramImportsBuilder for import resolution and key caching.
+        const { builder, importEditions } = await this.buildProgramImports(program, imports, true, function_name);
+        importEditions.set(programName, { edition: edition, amendment });
         if (!provingKey || !verifyingKey) {
-            try {
-                [provingKey, verifyingKey] = (await this.keyProvider.functionKeys(keySearchParams));
+            const keys = await this.resolveTopLevelKeys(programName, function_name, keySearchParams, edition, amendment);
+            if (keys) {
+                [provingKey, verifyingKey] = keys;
             }
-            catch (e) {
-                console.log(`Function keys not found. Key finder response: '${e}'. The function keys will be synthesized`);
+            else {
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         // Auto-convert bare string inputs to field elements where the function expects field type.
@@ -6425,11 +7027,17 @@ class ProgramManager {
                 ? QueryOption.callbackQuery(this.buildCallbackQuery())
                 : undefined;
         await this.ensureInclusionKeys(!!offlineQuery);
-        // Run the program offline and return the result
-        console.log("Running program offline");
-        console.log("Proving key: ", provingKey);
-        console.log("Verifying key: ", verifyingKey);
-        return ProgramManager$1.executeFunctionOffline(executionPrivateKey, program, function_name, preparedInputs, proveExecution, false, imports, provingKey, verifyingKey, this.host, query, edition);
+        const result = await ProgramManager$1.executeFunctionOffline(executionPrivateKey, program, function_name, preparedInputs, proveExecution, false, undefined, // imports (legacy Object path — builder handles resolution)
+        provingKey, verifyingKey, this.host, query, edition, builder?.clone());
+        // The clone passed to WASM shares state with the original via
+        // Rc<RefCell<>> — synthesized keys are already visible.
+        try {
+            await this.persistExtractedKeys(builder, importEditions);
+        }
+        catch (e) {
+            logger.debug(`Failed to persist extracted keys: ${e}`);
+        }
+        return result;
     }
     /**
      * Join two credits records into a single credits record
@@ -7418,7 +8026,7 @@ class ProgramManager {
             return verifyFunctionExecution(execution, verifyingKey, program, function_id, imports, importedVerifyingKeys, blockHeight);
         }
         catch (e) {
-            console.warn(`The execution was not found in the response, cannot verify the execution: ${e}`);
+            logger.warn(`The execution was not found in the response, cannot verify the execution: ${e}`);
             return false;
         }
     }
@@ -7511,12 +8119,8 @@ class ProgramManager {
             throw new Error("Authorization must be provided if estimating fee for Authorization.");
         }
         const programSource = program ? program.toString() : await this.networkClient.getProgram(programName, edition);
-        const programImports = imports ? imports : await this.networkClient.getProgramImports(programSource);
-        console.log(JSON.stringify(programImports));
-        if (Object.keys(programImports)) {
-            return ProgramManager$1.estimateFeeForAuthorization(authorization, programSource, programImports, edition);
-        }
-        return ProgramManager$1.estimateFeeForAuthorization(authorization, programSource, imports, edition);
+        const programImports = imports ?? await this.networkClient.getProgramImports(programSource);
+        return ProgramManager$1.estimateFeeForAuthorization(authorization, programSource, programImports, edition);
     }
     /**
      * Estimate the execution fee for an Aleo function.
@@ -7551,10 +8155,7 @@ class ProgramManager {
         }
         const programSource = program ? program.toString() : await this.networkClient.getProgram(programName, edition);
         const programImports = imports ? imports : await this.networkClient.getProgramImports(programSource);
-        if (Object.keys(programImports)) {
-            return ProgramManager$1.estimateExecutionFee(programSource, functionName, programImports, edition);
-        }
-        return ProgramManager$1.estimateExecutionFee(programSource, functionName, imports, edition);
+        return ProgramManager$1.estimateExecutionFee(programSource, functionName, programImports, edition);
     }
     // Internal utility function for getting a credits.aleo record
     async getCreditsRecord(amount, nonces, record, params) {
@@ -7662,15 +8263,8 @@ class ProgramManager {
         if (programName === undefined) {
             programName = programObject.id();
         }
-        if (edition == undefined) {
-            try {
-                edition = await this.networkClient.getLatestProgramEdition(programName);
-            }
-            catch (e) {
-                console.warn(`Error finding edition for ${programName}. Network response: '${e.message}'. Assuming edition 0.`);
-                edition = 0;
-            }
-        }
+        const resolved = await this.resolveEditionAndAmendment(programName, edition);
+        edition = edition ?? resolved.edition;
         // Get the private key from the account if it is not provided in the parameters.
         let executionPrivateKey = privateKey;
         if (typeof privateKey === "undefined" &&
@@ -7686,7 +8280,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(ProgramManager$1.estimateDeploymentFee(programString, imports));
@@ -7775,7 +8369,7 @@ class ProgramManager {
             }
             catch (e) {
                 // Program does not exist on the network, deployment can proceed
-                console.log(`Program ${programObject.id()} does not exist on the network, deploying...`);
+                logger.log(`Program ${programObject.id()} does not exist on the network, deploying...`);
             }
             if (typeof programSource === "string") {
                 throw Error(`Program ${programObject.id()} already exists on the network, please rename your program`);
@@ -7799,7 +8393,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(ProgramManager$1.estimateDeploymentFee(programString, imports));
@@ -7900,7 +8494,7 @@ class ProgramManager {
                 let fee = priorityFee;
                 // If a private fee is specified, but no fee record is provided, estimate the fee and find a matching record.
                 if (!feeRecord) {
-                    console.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
+                    logger.log("Private fee specified, but no private fee record provided, estimating fee and finding a matching fee record.");
                     const programString = programObject.toString();
                     const imports = await this.networkClient.getProgramImports(programString);
                     const baseFee = Number(ProgramManager$1.estimateDeploymentFee(programString, imports));
@@ -8274,8 +8868,8 @@ function serializeRequestSignInputToBytes(input) {
 
 // @TODO: This function is no longer needed, remove it.
 async function initializeWasm() {
-    console.warn("initializeWasm is deprecated, you no longer need to use it");
+    logger.warn("initializeWasm is deprecated, you no longer need to use it");
 }
 
-export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoNetworkClient, BlockHeightSearch, CREDITS_PROGRAM_KEYS, KeyVerificationError as ChecksumMismatchError, DecryptionNotEnabledError, InvalidLocatorError, KEY_STORE, KeyVerificationError, MemKeyVerifier, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TO_PRIVATE_TRANSFER, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, ProgramManager, RECORD_DOMAIN, RecordNotFoundError, RecordScanner, RecordScannerRequestError, SealanceMerkleTree, UUIDError, VALID_TRANSFER_TYPES, ViewKeyNotStoredError, buildExecutionRequestFromExternallySignedData, computeExternalSigningInputs, encryptAuthorization, encryptProvingRequest, encryptRegistrationRequest, encryptViewKey, initializeWasm, inputsToFields, isInputIdStrategy, isProveApiErrorBody, isProvingResponse, isRecordViewKeyStrategy, isViewKeyStrategy, logAndThrow, programChecksum, provingKeyLocator, sha256Hex, toAddress, toField, toGroup, toSignature, toViewKey, translationKeyLocator, verifyBatchProof, verifyProof, verifyingKeyLocator, zeroizeBytes };
+export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoNetworkClient, BlockHeightSearch, CREDITS_PROGRAM_KEYS, KeyVerificationError as ChecksumMismatchError, DecryptionNotEnabledError, IndexedDBKeyStore, InvalidLocatorError, KEY_STORE, KeyVerificationError, MemKeyVerifier, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TO_PRIVATE_TRANSFER, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, ProgramManager, RECORD_DOMAIN, RecordNotFoundError, RecordScanner, RecordScannerRequestError, SealanceMerkleTree, UUIDError, VALID_TRANSFER_TYPES, ViewKeyNotStoredError, buildExecutionRequestFromExternallySignedData, computeExternalSigningInputs, encryptAuthorization, encryptProvingRequest, encryptRegistrationRequest, encryptViewKey, getLogLevel, initializeWasm, inputsToFields, isInputIdStrategy, isProveApiErrorBody, isProvingResponse, isRecordViewKeyStrategy, isViewKeyStrategy, logAndThrow, programChecksum, provingKeyLocator, setLogLevel, sha256Hex, toAddress, toField, toGroup, toSignature, toViewKey, translationKeyLocator, verifyBatchProof, verifyProof, verifyingKeyLocator, zeroizeBytes };
 //# sourceMappingURL=browser.js.map