@provablehq/sdk 0.11.0 → 0.11.2

package/dist/mainnet/browser.cjs

@@ -1023,13 +1023,15 @@ class Account {
 
 function detectBrowser() {
     const userAgent = navigator.userAgent;
-    if (/chrome|crios|crmo/i.test(userAgent) && !/edge|edg|opr/i.test(userAgent)) {
+    if (/chrome|crios|crmo/i.test(userAgent) &&
+        !/edge|edg|opr/i.test(userAgent)) {
         return "chrome";
     }
     else if (/firefox|fxios/i.test(userAgent)) {
         return "firefox";
     }
-    else if (/safari/i.test(userAgent) && !/chrome|crios|crmo|android/i.test(userAgent)) {
+    else if (/safari/i.test(userAgent) &&
+        !/chrome|crios|crmo|android/i.test(userAgent)) {
         return "safari";
     }
     else if (/edg/i.test(userAgent)) {
@@ -1043,28 +1045,263 @@ function detectBrowser() {
     }
 }
 function isNode() {
-    return typeof process !== "undefined" &&
+    return (typeof process !== "undefined" &&
         process.versions != null &&
-        process.versions.node != null;
+        process.versions.node != null);
 }
 function environment() {
-    if ((typeof process !== 'undefined') &&
-        (process.release?.name === 'node')) {
-        return 'node';
+    if (typeof process !== "undefined" && process.release?.name === "node") {
+        return "node";
     }
-    else if (typeof window !== 'undefined') {
+    else if (typeof window !== "undefined") {
         return detectBrowser();
     }
     else {
-        return 'unknown';
+        return "unknown";
     }
 }
 function logAndThrow(message) {
     logger.error(message);
     throw new Error(message);
 }
+/*
+ * Per-origin cookie jar used by `cookieAffinityTransport`.
+ *
+ * Some Aleo backends sit behind a gateway (e.g. Kong) that uses cookie-based
+ * session affinity: the server sets a routing cookie on the first response and
+ * expects it back on subsequent requests so per-session state stays on the same
+ * upstream instance. Browsers and iOS NSURLSession persist cookies automatically,
+ * but Node `fetch` and bare React Native do not — without a jar, those runtimes
+ * land on a random upstream per request.
+ *
+ * Only cookies named in `AFFINITY_COOKIE_NAMES` are captured. The jar is
+ * module-scoped — the same process shares routing cookies per origin — but the
+ * whitelist keeps unrelated cookies (auth, session, CSRF) out of it, so other
+ * SDK clients hitting the same origin can't accidentally inherit caller state.
+ *
+ * In a browser this jar is effectively a no-op: `Cookie` is a forbidden request
+ * header, so the manual value set here is dropped by the browser and the
+ * browser's own cookie store takes over.
+ */
+const AFFINITY_COOKIE_NAMES = new Set(["route"]);
+const cookieJar = new Map();
+function isRequestLike(value) {
+    return (typeof Request !== "undefined" &&
+        value !== null &&
+        typeof value === "object" &&
+        value instanceof Request);
+}
+function isHeadersLike(value) {
+    return (typeof Headers !== "undefined" &&
+        value !== null &&
+        typeof value === "object" &&
+        value instanceof Headers);
+}
+function originOf(urlOrReq) {
+    try {
+        const raw = typeof urlOrReq === "string"
+            ? urlOrReq
+            : urlOrReq instanceof URL
+                ? urlOrReq.toString()
+                : isRequestLike(urlOrReq)
+                    ? urlOrReq.url
+                    : String(urlOrReq);
+        const parsed = new URL(raw);
+        return `${parsed.protocol}//${parsed.host}`;
+    }
+    catch {
+        return null;
+    }
+}
+/*
+ * Derives the origin a response's `Set-Cookie` belongs to. `fetch` may follow
+ * redirects across origins (or http→https), in which case the final response
+ * headers belong to `response.url`'s origin, not the request input's. Returns
+ * null when the response has no usable `url` (e.g. the minimal response-like
+ * objects existing SDK tests stub fetch with), so callers can fall back to the
+ * request-derived origin.
+ */
+function responseOriginOf(response) {
+    if (!response || typeof response !== "object")
+        return null;
+    const url = response.url;
+    if (typeof url !== "string" || url.length === 0)
+        return null;
+    return originOf(url);
+}
+function cookieHeaderFor(origin) {
+    if (!origin)
+        return null;
+    const jar = cookieJar.get(origin);
+    if (!jar || jar.size === 0)
+        return null;
+    const parts = [];
+    for (const [name, value] of jar)
+        parts.push(`${name}=${value}`);
+    return parts.join("; ");
+}
+/*
+ * Reads Set-Cookie values from a fetch-style response in a defensive way.
+ * Existing test mocks return minimal response-like objects without a
+ * `headers` field, and Node's fetch surfaces multiple Set-Cookie headers via
+ * `getSetCookie()` (not `get('set-cookie')`, which returns null or a
+ * comma-joined string depending on the implementation).
+ */
+function readSetCookies(response) {
+    if (!response || typeof response !== "object")
+        return [];
+    const headers = response.headers;
+    if (!headers || typeof headers !== "object")
+        return [];
+    const getSetCookie = headers
+        .getSetCookie;
+    if (typeof getSetCookie === "function") {
+        try {
+            const list = getSetCookie.call(headers);
+            if (Array.isArray(list) && list.length > 0)
+                return list;
+        }
+        catch {
+            // fall through to .get()
+        }
+    }
+    const get = headers.get;
+    if (typeof get !== "function")
+        return [];
+    let raw;
+    try {
+        raw = get.call(headers, "set-cookie");
+    }
+    catch {
+        return [];
+    }
+    if (!raw)
+        return [];
+    // Some older runtimes comma-join multiple Set-Cookie headers into a
+    // single string. Split only when the comma is followed by a likely
+    // new cookie name (`alpha[\w-]*=`), which excludes commas inside
+    // `Expires=Wed, 21 Oct 2015 …` date attributes.
+    return raw.split(/, (?=[A-Za-z][\w-]*=)/);
+}
+function storeSetCookies(origin, cookies) {
+    if (!origin || cookies.length === 0)
+        return;
+    let jar;
+    for (const cookie of cookies) {
+        if (typeof cookie !== "string" || !cookie)
+            continue;
+        const head = cookie.split(";")[0];
+        const eq = head.indexOf("=");
+        if (eq <= 0)
+            continue;
+        const name = head.slice(0, eq).trim();
+        if (!AFFINITY_COOKIE_NAMES.has(name))
+            continue;
+        if (!jar) {
+            jar = cookieJar.get(origin);
+            if (!jar) {
+                jar = new Map();
+                cookieJar.set(origin, jar);
+            }
+        }
+        jar.set(name, head.slice(eq + 1).trim());
+    }
+}
+/*
+ * Returns a fresh HeadersInit with `cookie` attached when the input doesn't
+ * already carry one. NEVER mutates the caller's input — a caller reusing the
+ * same Headers/init across calls to different origins must not see origin A's
+ * jar cookie persist into the call for origin B.
+ */
+function attachCookie(headersInit, cookie) {
+    if (isHeadersLike(headersInit)) {
+        if (headersInit.has("cookie"))
+            return headersInit;
+        const cloned = new Headers(headersInit);
+        cloned.set("cookie", cookie);
+        return cloned;
+    }
+    if (Array.isArray(headersInit)) {
+        const hasCookie = headersInit.some((pair) => Array.isArray(pair) &&
+            typeof pair[0] === "string" &&
+            pair[0].toLowerCase() === "cookie");
+        return hasCookie ? headersInit : [...headersInit, ["cookie", cookie]];
+    }
+    if (headersInit && typeof headersInit === "object") {
+        const hasCookie = Object.keys(headersInit).some((key) => key.toLowerCase() === "cookie");
+        return hasCookie ? headersInit : { ...headersInit, cookie };
+    }
+    return { cookie };
+}
 /** Default transport — wraps global fetch to avoid illegal-invocation errors in browsers. */
 const defaultTransport = (...args) => fetch(...args);
+/**
+ * Opt-in transport that layers a per-origin cookie jar on top of `fetch`.
+ *
+ * Not wired in by default — pass it explicitly as the `transport` option to
+ * `AleoNetworkClient`, `RecordScanner`, `AleoKeyProvider`, etc. (or to the
+ * `get`/`post` helpers) when talking to a backend that uses cookie-based
+ * session affinity. Browsers and iOS NSURLSession persist cookies on their own,
+ * so this is targeted at Node and bare React Native consumers.
+ *
+ * Wraps the global `fetch` (avoiding illegal-invocation errors in browsers when
+ * `fetch` is passed around as a bare reference) and layers a per-origin cookie
+ * jar on top. Responses' `Set-Cookie` headers are captured (filtered by
+ * `AFFINITY_COOKIE_NAMES`) and replayed as a `Cookie` header on subsequent
+ * same-origin requests, which is required for backends that use cookie-based
+ * session affinity (see `cookieJar` above).
+ *
+ * A caller-supplied `Cookie` header is never overwritten — `network-client.ts`
+ * forwards the pubkey-response cookie manually onto delegated-prove requests
+ * for Node compatibility, and that path takes precedence over the jar.
+ */
+const cookieAffinityTransport = async (input, init) => {
+    const origin = originOf(input);
+    const cookie = cookieHeaderFor(origin);
+    if (cookie) {
+        // Always operate on shallow clones so callers reusing the same
+        // `init` / `Headers` / `Request` across origins don't end up with
+        // origin A's jar cookie persisting into the object and blocking
+        // origin B's correct cookie.
+        if (init?.headers !== undefined && init.headers !== null) {
+            // init.headers, when explicitly set, REPLACES the Request's
+            // headers per the Fetch spec — attach there.
+            init = { ...init, headers: attachCookie(init.headers, cookie) };
+        }
+        else if (isRequestLike(input)) {
+            // Merge the Request's existing headers with the cookie and
+            // pass them via `init.headers` instead of mutating the
+            // Request itself. (Fetch spec: an explicit `init.headers`
+            // replaces Request.headers entirely, so we copy the
+            // originals into the merged set first.)
+            try {
+                const merged = new Headers(input.headers);
+                if (!merged.has("cookie")) {
+                    merged.set("cookie", cookie);
+                    init = { ...(init ?? {}), headers: merged };
+                }
+            }
+            catch {
+                // Some runtimes restrict Headers construction from a
+                // Request; skip rather than failing the request.
+            }
+        }
+        else if (init) {
+            init = { ...init, headers: attachCookie(undefined, cookie) };
+        }
+        else {
+            init = { headers: attachCookie(undefined, cookie) };
+        }
+    }
+    const response = await fetch(input, init);
+    // A response's `Set-Cookie` belongs to the final response URL's origin,
+    // which can differ from the request input's when fetch follows redirects
+    // (cross-origin or http→https). Prefer `response.url`; fall back to the
+    // request origin for minimal mocked responses that don't expose a `url`.
+    const responseOrigin = responseOriginOf(response) ?? origin;
+    storeSetCookies(responseOrigin, readSetCookies(response));
+    return response;
+};
 function parseJSON(json) {
     function revive(key, value, context) {
         if (Number.isInteger(value)) {
@@ -1243,6 +1480,11 @@ const RECORD_DOMAIN = "RecordScannerV0";
 const ZERO_ADDRESS = "aleo1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq3ljyzc";
 const FIVE_MINUTES = 5 * 60 * 1000; // 5 minutes in milliseconds
 
+const HEADERS = new Set([
+    "x-aleo-sdk-version",
+    "x-aleo-environment",
+    "x-aleo-method",
+]);
 /**
  * Client library that encapsulates REST calls to publicly exposed endpoints of Aleo nodes. The methods provided in this
  * allow users to query public information from the Aleo blockchain and submit transactions to the network.
@@ -1290,7 +1532,7 @@ class AleoNetworkClient {
             else {
                 this.headers = {
                     // This is replaced by the actual version by a Rollup plugin
-                    "X-Aleo-SDK-Version": "0.11.0",
+                    "X-Aleo-SDK-Version": "0.11.2",
                     "X-Aleo-environment": environment(),
                 };
             }
@@ -1306,7 +1548,7 @@ class AleoNetworkClient {
         else {
             this.headers = {
                 // This is replaced by the actual version by a Rollup plugin
-                "X-Aleo-SDK-Version": "0.11.0",
+                "X-Aleo-SDK-Version": "0.11.2",
                 "X-Aleo-environment": environment(),
             };
         }
@@ -1422,6 +1664,21 @@ class AleoNetworkClient {
     removeHeader(headerName) {
         delete this.headers[headerName];
     }
+    userHeaders() {
+        const result = {};
+        for (const [key, value] of Object.entries(this.headers)) {
+            if (!HEADERS.has(key.toLowerCase())) {
+                result[key] = value;
+            }
+        }
+        return result;
+    }
+    method(method) {
+        if (this.hasCustomTransport) {
+            return this.userHeaders();
+        }
+        return { ...this.headers, "X-ALEO-METHOD": method };
+    }
     /**
      * Fetches data from the Aleo network and returns it as a JSON object.
      *
@@ -1449,10 +1706,9 @@ class AleoNetworkClient {
             const ctx = { ...this.ctx };
             return await retryWithBackoff(async () => {
                 const response = await get(this.host + url, {
-                    headers: {
-                        ...this.headers,
-                        ...ctx,
-                    },
+                    headers: this.hasCustomTransport
+                        ? this.userHeaders()
+                        : { ...this.headers, ...ctx },
                 }, this.transport);
                 return await response.text();
             });
@@ -2684,7 +2940,7 @@ class AleoNetworkClient {
             const endpoint = this.verboseErrors ? "transaction/broadcast?check_transaction=true" : "transaction/broadcast";
             const response = await retryWithBackoff(() => this._sendPost(`${this.host}/${endpoint}`, {
                 body: transactionString,
-                headers: Object.assign({}, { ...this.headers, "X-ALEO-METHOD": "submitTransaction" }, {
+                headers: Object.assign({}, this.method("submitTransaction"), {
                     "Content-Type": "application/json",
                 }),
             }));
@@ -2710,7 +2966,7 @@ class AleoNetworkClient {
         try {
             const response = await retryWithBackoff(() => post(this.host + "/solution/broadcast", {
                 body: solution,
-                headers: Object.assign({}, { ...this.headers, "X-ALEO-METHOD": "submitSolution" }, {
+                headers: Object.assign({}, this.method("submitSolution"), {
                     "Content-Type": "application/json",
                 }),
             }, this.transport));
@@ -2739,7 +2995,8 @@ class AleoNetworkClient {
         }
         const response = await post(`${this.baseUrl}/jwts/${consumerId}`, {
             headers: {
-                'X-Provable-API-Key': apiKey
+                ...this.method("refreshJwt"),
+                'X-Provable-API-Key': apiKey,
             }
         }, this.transport);
         const authHeader = response.headers.get('authorization');
@@ -2833,8 +3090,7 @@ class AleoNetworkClient {
         }
         // Create the necessary headers to hit the provable api.
         const headers = {
-            ...this.headers,
-            "X-ALEO-METHOD": "submitProvingRequest",
+            ...this.method("submitProvingRequest"),
             "Content-Type": "application/json",
         };
         if (jwtData?.jwt) {
@@ -2948,10 +3204,7 @@ class AleoNetworkClient {
                 }
                 try {
                     const res = await this.transport(`${this.host}/transaction/confirmed/${transactionId}`, {
-                        headers: {
-                            ...this.headers,
-                            "X-ALEO-METHOD": "waitForTransactionConfirmation",
-                        },
+                        headers: this.method("waitForTransactionConfirmation"),
                     });
                     if (!res.ok) {
                         let text = "";
@@ -5462,6 +5715,19 @@ class SealanceMerkleTree {
     }
 }
 
+// This method generates the hook data for the Circle USDCx shielded mint flow.  
+function generateHookData(recipientAddress, secretNonce) {
+    // Leo's BHP256::commit_to_field uses the typed plaintext bits, not raw address bits.
+    const recipientBits = mainnet_js.Plaintext.fromString(recipientAddress).toBitsLe();
+    const secret = mainnet_js.Scalar.fromString(secretNonce);
+    const committedField = new mainnet_js.BHP256().commit(recipientBits, secret);
+    const committedBytes = committedField.toBytesLe();
+    const hookData = new Uint8Array(65);
+    hookData[0] = 2;
+    hookData.set(committedBytes, 1);
+    return hookData;
+}
+
 /**
  * The ProgramManager class is used to execute and deploy programs on the Aleo network and create value transfers.
  */
@@ -8199,7 +8465,7 @@ class ProgramManager {
      * import { AleoKeyProvider, getOrInitConsensusVersionTestHeights, ProgramManager, NetworkRecordProvider } from "@provablehq/sdk/mainnet.js";
      *
      * // Initialize the development consensus heights in order to work with devnode.
-     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12,13");
+     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12,13,14");
      *
      * // Create a new NetworkClient and RecordProvider.
      * const recordProvider = new NetworkRecordProvider(account, networkClient);
@@ -8326,7 +8592,7 @@ class ProgramManager {
      * import { ProgramManager, NetworkRecordProvider, getOrInitConsensusVersionTestHeights } from "@provablehq/sdk/mainnet.js";
      *
      * // Initialize the development consensus heights in order to work with a local devnode.
-     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12,13");
+     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12,13,14");
      *
      * // Create a new NetworkClient, and RecordProvider
      * const recordProvider = new NetworkRecordProvider(account, networkClient);
@@ -9141,10 +9407,13 @@ exports.VALID_TRANSFER_TYPES = VALID_TRANSFER_TYPES;
 exports.ViewKeyNotStoredError = ViewKeyNotStoredError;
 exports.buildExecutionRequestFromExternallySignedData = buildExecutionRequestFromExternallySignedData;
 exports.computeExternalSigningInputs = computeExternalSigningInputs;
+exports.cookieAffinityTransport = cookieAffinityTransport;
+exports.defaultTransport = defaultTransport;
 exports.encryptAuthorization = encryptAuthorization;
 exports.encryptProvingRequest = encryptProvingRequest;
 exports.encryptRegistrationRequest = encryptRegistrationRequest;
 exports.encryptViewKey = encryptViewKey;
+exports.generateHookData = generateHookData;
 exports.getLogLevel = getLogLevel;
 exports.initializeWasm = initializeWasm;
 exports.inputsToFields = inputsToFields;