@provablehq/sdk 0.10.6-rc.1 → 0.11.0

package/dist/mainnet/browser.cjs

@@ -20,9 +20,16 @@ let currentLevel = "info";
  * - "warn"   — errors + warnings
  * - "info"   — errors + warnings + info (default)
  * - "debug"  — everything including debug traces
+ *
+ * This controls both TS-side and WASM-side logging. WASM log calls
+ * (e.g., "Loading program", "Executing program") are silenced when
+ * the level is below "info".
  */
 function setLogLevel(level) {
     currentLevel = level;
+    Promise.resolve().then(function () { return require('./wasm.cjs'); })
+        .then(({ setWasmLogLevel }) => setWasmLogLevel(LEVEL_PRIORITY[level]))
+        .catch(() => { }); // WASM not loaded yet — will use default level (info)
 }
 /** Returns the current SDK log level. */
 function getLogLevel() {
@@ -211,6 +218,17 @@ class MemKeyVerifier {
  * It persists proving and verifying keys across page reloads and browser sessions using the
  * IndexedDB API available in all modern browsers and Web Workers.
  *
+ * **Environment**: Browser / Web Worker only. Instantiating this class is safe in any
+ * environment, but the first IndexedDB operation will reject with a clear error when
+ * `globalThis.indexedDB` is not available (e.g., Node.js, SSR contexts). Guard your
+ * imports accordingly if you bundle for server-side rendering.
+ *
+ * **Security**: Keys are stored as plaintext `Uint8Array` in IndexedDB. Any script
+ * running on the same origin — including scripts injected via XSS — can read the stored
+ * proving and verifying keys. Do **not** use this keystore for data that must remain
+ * confidential under an XSS-capable adversary; encrypt sensitive material at the
+ * application layer before persisting, or use an in-memory store.
+ *
  * @example
  * ```ts
  * import { IndexedDBKeyStore, ProgramManager } from "@provablehq/sdk";
@@ -240,6 +258,13 @@ class IndexedDBKeyStore {
     openDB() {
         if (this.dbPromise)
             return this.dbPromise;
+        // Env check sits outside the Promise constructor so a failure doesn't
+        // poison the cache; a later call (e.g. after a polyfill loads) can retry.
+        if (typeof indexedDB === "undefined") {
+            return Promise.reject(new Error("IndexedDBKeyStore requires a browser or Web Worker environment: " +
+                "`indexedDB` is not defined. If you are in Node.js or an SSR " +
+                "context, use LocalFileKeyStore or an in-memory key provider instead."));
+        }
         this.dbPromise = new Promise((resolve, reject) => {
             const request = indexedDB.open(this.dbName, 1);
             request.onupgradeneeded = () => {
@@ -1265,7 +1290,7 @@ class AleoNetworkClient {
             else {
                 this.headers = {
                     // This is replaced by the actual version by a Rollup plugin
-                    "X-Aleo-SDK-Version": "0.10.6-rc.1",
+                    "X-Aleo-SDK-Version": "0.11.0",
                     "X-Aleo-environment": environment(),
                 };
             }
@@ -1281,7 +1306,7 @@ class AleoNetworkClient {
         else {
             this.headers = {
                 // This is replaced by the actual version by a Rollup plugin
-                "X-Aleo-SDK-Version": "0.10.6-rc.1",
+                "X-Aleo-SDK-Version": "0.11.0",
                 "X-Aleo-environment": environment(),
             };
         }
@@ -2728,7 +2753,7 @@ class AleoNetworkClient {
         };
     }
     /**
-     * Parses a /prove or /prove/encrypted response. Returns a result object (never throws for 200/400/500/503).
+     * Parses a /prove/authorization or /prove/request response. Returns a result object (never throws for 200/400/500/503).
      */
     async handleProvingResponse(response) {
         // Get the proving response text.
@@ -2789,14 +2814,12 @@ class AleoNetworkClient {
     async submitProvingRequestSafe(options) {
         // Attempt to get the Prover URI first from the options, then from any configured globally, or third try the main configured host.
         const proverUri = (options.url ?? this.proverUri) ?? this.host;
-        const provingRequestString = options.provingRequest instanceof mainnet_js.ProvingRequest
-            ? options.provingRequest.toString()
-            : options.provingRequest;
         // Try to get JWT data to access the Provable API.
         const apiKey = options.apiKey ?? this.apiKey;
         const consumerId = options.consumerId ?? this.consumerId;
         let jwtData = options.jwtData ?? this.jwtData;
-        // Check to see if the JWT needs refreshing.
+        // Check to see if the JWT needs refreshing. Runs before parsing the
+        // proving request so JWT refresh errors propagate as they always have.
         const isExpired = jwtData && Date.now() >= jwtData.expiration - FIVE_MINUTES;
         if (!jwtData || isExpired) {
             if (apiKey && consumerId) {
@@ -2817,59 +2840,58 @@ class AleoNetworkClient {
         if (jwtData?.jwt) {
             headers["Authorization"] = jwtData.jwt;
         }
-        // Encapsulate the requests in a locally scoped function that can be run with a retry closure.
-        const runRequest = async () => {
-            // If DPS privacy is set, call invoke the encrypted flow.
-            if (options.dpsPrivacy) {
-                // Get an ephemeral public key from a DPS service.
-                const pubKeyResponse = await get(proverUri + "/pubkey", {
-                    headers,
-                    credentials: "include",
-                }, this.transport);
-                // Encrypt the provingRequest.
-                const pubkey = parseJSON(await pubKeyResponse.text());
-                const ciphertext = encryptProvingRequest(pubkey.public_key, mainnet_js.ProvingRequest.fromString(provingRequestString));
-                // Form the expected query a DPS service expects (including the key_id).
-                const payload = {
-                    key_id: pubkey.key_id,
-                    ciphertext: ciphertext,
-                };
-                // We're in node, attempt to set the cookie manually.
-                const cookie = isNode() ? pubKeyResponse.headers.get("set-cookie") : undefined;
-                // Send the encrypted proving request to the DPS service.
-                const res = await this.transport(`${proverUri}/prove/encrypted`, {
-                    method: "POST",
-                    body: JSON.stringify(payload),
-                    headers: {
-                        ...headers,
-                        ...(cookie ? { Cookie: cookie } : {})
-                    },
-                    credentials: "include",
-                });
-                // Properly handle the proving response.
-                return this.handleProvingResponse(res);
-            }
-            // If encrypted usage is not specified use the unencrypted endpoint.
-            const proveEndpoint = proverUri.endsWith("/prove")
-                ? proverUri
-                : proverUri + "/prove";
-            const res = await this.transport(proveEndpoint, {
-                method: "POST",
-                body: provingRequestString,
+        // Send the proving request encrypted (libsodium-compatible sealed box).
+        // Used by both `/prove/authorization` (Authorization variant) and
+        // `/prove/request` (Request variant). The legacy plaintext `/prove`
+        // route is no longer used.
+        const sendEncrypted = async (endpoint, provingRequestObj) => {
+            // Get an ephemeral public key from the DPS.
+            const pubKeyResponse = await get(proverUri + "/pubkey", {
                 headers,
+                credentials: "include",
+            }, this.transport);
+            // Encrypt the provingRequest using the ephemeral pubkey.
+            const pubkey = parseJSON(await pubKeyResponse.text());
+            const ciphertext = encryptProvingRequest(pubkey.public_key, provingRequestObj);
+            const payload = {
+                key_id: pubkey.key_id,
+                ciphertext: ciphertext,
+            };
+            // We're in node, attempt to set the cookie manually.
+            const cookie = isNode() ? pubKeyResponse.headers.get("set-cookie") : undefined;
+            const res = await this.transport(`${proverUri}${endpoint}`, {
+                method: "POST",
+                body: JSON.stringify(payload),
+                headers: {
+                    ...headers,
+                    ...(cookie ? { Cookie: cookie } : {})
+                },
+                credentials: "include",
             });
-            // Properly handle the proving response.
             return this.handleProvingResponse(res);
         };
+        // Parse the proving request once, up front, so the variant the SDK
+        // routes on matches the bytes it will eventually send (a Request-
+        // variant string must hit /prove/request, not /prove/authorization).
+        // A malformed input string throws synchronously — the safe-API
+        // contract only promises to return `{ ok: false, ... }` for HTTP
+        // failures (400/500/503); a parse error is a caller-side bug and
+        // surfacing it as a fake 500 would mislead callers debugging it.
+        // `options.dpsPrivacy` is ignored; the legacy plaintext `/prove`
+        // route is deprecated.
+        const provingRequestObj = options.provingRequest instanceof mainnet_js.ProvingRequest
+            ? options.provingRequest
+            : mainnet_js.ProvingRequest.fromString(options.provingRequest);
+        const endpoint = provingRequestObj.kind() === "request"
+            ? "/prove/request"
+            : "/prove/authorization";
         try {
-            // Run the request with retries.
             return await retryWithBackoff(async () => {
-                // Run the encrypted or non-encrypted flow as specified by the flags.
-                const result = await runRequest();
+                const result = await sendEncrypted(endpoint, provingRequestObj);
                 if (result.ok) {
                     return result;
                 }
-                // If 500s are hit responses are returned, attempt retries.
+                // Retry on 500/503; surface 400 verbatim.
                 if (result.status === 500 || result.status === 503) {
                     const err = new Error(result.error.message);
                     err.status = result.status;
@@ -2879,7 +2901,7 @@ class AleoNetworkClient {
             });
         }
         catch (err) {
-            // If an error is returned, provide usable information to the caller.
+            // HTTP failure inside the retry loop — convert to a result object.
             const e = err;
             return {
                 ok: false,
@@ -4601,6 +4623,19 @@ class RecordScanner {
         const response = await this.request(new Request(`${this.url}/pubkey`, { method: "GET" }));
         return parseJSON(await response.text());
     }
+    /**
+     * Registers the account with the record scanning service using the encrypted flow.
+     * Alias of {@link registerEncrypted} — preserved so existing callers using the
+     * previous unencrypted `register(viewKey, startBlock)` API continue to work
+     * unchanged while transparently using the encrypted endpoint.
+     *
+     * @param {ViewKey} viewKey The view key to register.
+     * @param {number} startBlock The block height to start scanning from.
+     * @returns {Promise<RegisterResult>} `{ ok: true, data }` on success, or `{ ok: false, status, error }` on failure.
+     */
+    async register(viewKey, startBlock) {
+        return this.registerEncrypted(viewKey, startBlock);
+    }
     /**
      * Registers the account with the record scanning service using the encrypted flow: 1. fetches an ephemeral public key from /pubkey - 2. encrypts the registration request (view key + start block) - 3. POSTs to /register/encrypted. Does not HTTP error on a proper error response from the record scanner; returns a result object instead.
      *
@@ -5561,7 +5596,7 @@ class ProgramManager {
                 resolvedImports = await this.networkClient.getProgramImports(programSource);
             }
             catch (e) {
-                console.warn(`Failed to resolve program imports from network: ${e}.`);
+                logger.warn(`Failed to resolve program imports from network: ${e}.`);
             }
         }
         // Build a map of which functions each import actually calls,
@@ -5609,7 +5644,7 @@ class ProgramManager {
                 }
             }
             catch (e) {
-                console.warn(`Failed to resolve transitive imports for ${name}: ${e}`);
+                logger.warn(`Failed to resolve transitive imports for ${name}: ${e}`);
             }
         }
         // Phase 2: Add programs in topological order (leaves first).
@@ -5657,7 +5692,7 @@ class ProgramManager {
                     }
                 }
                 catch (e) {
-                    console.warn(`Failed to trace call graph for ${name}: ${e}`);
+                    logger.warn(`Failed to trace call graph for ${name}: ${e}`);
                 }
             }
         }
@@ -5675,7 +5710,7 @@ class ProgramManager {
                 builder.addProgram(name, source, importEdition);
             }
             catch (e) {
-                console.warn(`Failed to add import ${name} to builder: ${e}`);
+                logger.warn(`Failed to add import ${name} to builder: ${e}`);
                 continue;
             }
             if (loadKeys) {
@@ -5733,7 +5768,7 @@ class ProgramManager {
             return { edition: info.edition, amendment: info.amendment_count };
         }
         catch (e) {
-            console.warn(`Error finding edition/amendment for ${programName}. Network response: '${e.message}'. Defaulting to edition ${fallbackEdition ?? 1}, amendment 0.`);
+            logger.warn(`Error finding edition/amendment for ${programName}. Network response: '${e.message}'. Defaulting to edition ${fallbackEdition ?? 1}, amendment 0.`);
             return { edition: fallbackEdition ?? 1, amendment: 0 };
         }
     }
@@ -5768,7 +5803,7 @@ class ProgramManager {
                     builder.addVerifyingKey(programName, fnName, vk);
             }
             catch (e) {
-                console.debug(`Failed to load keys for ${programName}/${fnName}: ${e}`);
+                logger.debug(`Failed to load keys for ${programName}/${fnName}: ${e}`);
             }
         }
     }
@@ -5800,7 +5835,7 @@ class ProgramManager {
                 fns = Array.from(builder.functionKeysAvailable(programName));
             }
             catch (e) {
-                console.debug(`Failed to query keys for ${programName}: ${e}`);
+                logger.debug(`Failed to query keys for ${programName}: ${e}`);
                 continue;
             }
             for (const fnName of fns) {
@@ -5818,7 +5853,7 @@ class ProgramManager {
                     }
                 }
                 catch (e) {
-                    console.debug(`Failed to persist key for ${programName}/${fnName}: ${e}`);
+                    logger.debug(`Failed to persist key for ${programName}/${fnName}: ${e}`);
                 }
             }
         }
@@ -6320,7 +6355,7 @@ class ProgramManager {
                 [provingKey, verifyingKey] = keys;
             }
             else {
-                console.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         // Get the fee record from the account if it is not provided in the parameters
@@ -6359,7 +6394,7 @@ class ProgramManager {
             await this.persistExtractedKeys(programImportsBuilder, importEditions);
         }
         catch (e) {
-            console.debug(`Failed to persist extracted keys: ${e}`);
+            logger.debug(`Failed to persist extracted keys: ${e}`);
         }
         return result;
     }
@@ -6481,7 +6516,7 @@ class ProgramManager {
                 [provingKey, verifyingKey] = keys;
             }
             else {
-                console.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         const query = offlineQuery
@@ -6499,7 +6534,7 @@ class ProgramManager {
             await this.persistExtractedKeys(programImportsBuilder, importEditions);
         }
         catch (e) {
-            console.debug(`Failed to persist extracted keys: ${e}`);
+            logger.debug(`Failed to persist extracted keys: ${e}`);
         }
         return result;
     }
@@ -6982,7 +7017,7 @@ class ProgramManager {
                 [provingKey, verifyingKey] = keys;
             }
             else {
-                console.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
+                logger.log("Function keys not found in KeyStore or KeyProvider. The function keys will be synthesized");
             }
         }
         // Auto-convert bare string inputs to field elements where the function expects field type.
@@ -7001,7 +7036,7 @@ class ProgramManager {
             await this.persistExtractedKeys(builder, importEditions);
         }
         catch (e) {
-            console.debug(`Failed to persist extracted keys: ${e}`);
+            logger.debug(`Failed to persist extracted keys: ${e}`);
         }
         return result;
     }
@@ -9053,6 +9088,10 @@ Object.defineProperty(exports, "initThreadPool", {
     enumerable: true,
     get: function () { return mainnet_js.initThreadPool; }
 });
+Object.defineProperty(exports, "setWasmLogLevel", {
+    enumerable: true,
+    get: function () { return mainnet_js.setWasmLogLevel; }
+});
 Object.defineProperty(exports, "snarkVerify", {
     enumerable: true,
     get: function () { return mainnet_js.snarkVerify; }