@provablehq/sdk 0.11.0 → 0.11.2

package/dist/testnet/browser.d.cts

@@ -59,15 +59,16 @@ import { OfflineKeyProvider, OfflineSearchParams } from "./keys/provider/offline
 import { BlockHeightSearch, NetworkRecordProvider, RecordProvider } from "./record-provider.js";
 import { RecordScanner, RecordScannerJWTData, RecordScannerOptions } from "./record-scanner.js";
 import { SealanceMerkleTree } from "./integrations/sealance/merkle-tree.js";
+import { generateHookData } from "./integrations/circle/hook-data.js";
 declare function initializeWasm(): Promise<void>;
 export { ProgramManager, ProvingRequestOptions, ExecuteOptions, FeeAuthorizationOptions, AuthorizationOptions, VerificationOptions, BatchVerificationOptions, inputsToFields, verifyProof, verifyBatchProof, programChecksum } from "./program-manager.js";
-export { logAndThrow, TransportFunction } from "./utils/utils.js";
+export { logAndThrow, TransportFunction, defaultTransport, cookieAffinityTransport } from "./utils/utils.js";
 export { setLogLevel, getLogLevel } from "./utils/logger.js";
 export type { LogLevel } from "./utils/logger.js";
 export { Address, Authorization, Boolean, BHP256, BHP512, BHP768, BHP1024, Ciphertext, ComputeKey, DynamicRecord, Execution as FunctionExecution, ExecutionRequest, ExecutionResponse, EncryptionToolkit, Field, GraphKey, Group, I8, I16, I32, I64, I128, OfflineQuery, QueryOption, Pedersen64, Pedersen128, Plaintext, Poseidon2, Poseidon4, Poseidon8, PrivateKey, PrivateKeyCiphertext, Program, ProgramImportsBuilder, ProgramManager as ProgramManagerBase, Proof, ProvingKey, ProvingRequest, RecordCiphertext, RecordPlaintext, Signature, Scalar, stringToField, Transaction, Transition, U8, U16, U32, U64, U128, Value, VerifyingKey, ViewKey, initThreadPool, getOrInitConsensusVersionTestHeights, setWasmLogLevel, snarkVerify, snarkVerifyBatch, verifyFunctionExecution, } from "./wasm.js";
 export { initializeWasm };
 export { Key, CREDITS_PROGRAM_KEYS, KEY_STORE, PRIVATE_TRANSFER, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, PUBLIC_TO_PRIVATE_TRANSFER, RECORD_DOMAIN, VALID_TRANSFER_TYPES, } from "./constants.js";
-export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoKeyProviderInitParams, AleoNetworkClient, BlockJSON, BlockHeightSearch, BroadcastResponse, BroadcastResult, CachedKeyPair, ConfirmedTransactionJSON, CryptoBoxPubKey, DecryptionNotEnabledError, DeploymentJSON, DeploymentObject, EncryptedProvingRequest, EncryptedRecord, EncryptedRegistrationRequest, EncryptedRecordsResult, EncryptedRecordsSuccess, ExecutionJSON, ExecutionObject, FeeExecutionJSON, FeeExecutionObject, FinalizeJSON, FunctionInput, FunctionObject, FunctionKeyPair, FunctionKeyProvider, Header, isProvingResponse, isProveApiErrorBody, ImportedPrograms, ImportedVerifyingKeys, IndexedDBKeyStore, InputJSON, InputObject, InvalidLocatorError, InvalidLocatorReason, BaseFunctionKeyLocator, KeyFingerprint, KeyLocator, KeyMetadata, KeySearchParams, KeyStore, KeyType, KeyVerificationError, ProvingKeyLocator, provingKeyLocator, TranslationKeyLocator, translationKeyLocator, VerifyingKeyLocator, verifyingKeyLocator, KeyVerifier, MemKeyVerifier, Metadata, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, OutputJSON, OutputObject, OwnedFilter, OwnedRecord, OwnedRecordsResult, OwnedRecordsResponseFilter, OwnedRecordsSuccess, OwnerJSON, PartialSolutionJSON, PlaintextArray, PlaintextLiteral, PlaintextObject, PlaintextStruct, ProgramImports, ProveApiErrorBody, ProvingFailure, ProvingRequestError, ProvingRequestJSON, ProvingResult, ProvingSuccess, ProvingResponse, RatificationJSON, RecordsFilter, RecordsResponseFilter, RecordProvider, RecordScanner, RecordScannerErrorBody, RecordScannerFailure, RecordScannerJWTData, RecordScannerOptions, RecordNotFoundError, RecordScannerRequestError, ViewKeyNotStoredError, RecordSearchParams, RegisterResult, RegisterSuccess, RegistrationResponse, RevokeResult, RevokeSuccess, RevokeResponse, SealanceMerkleTree, SerialNumbersResult, SerialNumbersSuccess, sha256Hex, SolutionJSON, SolutionsJSON, StatusResponse, StatusResult, StatusSuccess, TagsResult, TagsSuccess, TransactionJSON, TransactionObject, TransitionJSON, TransitionObject, UUIDError, VerifyingKeys, };
+export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoKeyProviderInitParams, AleoNetworkClient, BlockJSON, BlockHeightSearch, BroadcastResponse, BroadcastResult, CachedKeyPair, ConfirmedTransactionJSON, CryptoBoxPubKey, DecryptionNotEnabledError, DeploymentJSON, DeploymentObject, EncryptedProvingRequest, EncryptedRecord, EncryptedRegistrationRequest, EncryptedRecordsResult, EncryptedRecordsSuccess, ExecutionJSON, ExecutionObject, FeeExecutionJSON, FeeExecutionObject, FinalizeJSON, FunctionInput, FunctionObject, FunctionKeyPair, FunctionKeyProvider, generateHookData, Header, isProvingResponse, isProveApiErrorBody, ImportedPrograms, ImportedVerifyingKeys, IndexedDBKeyStore, InputJSON, InputObject, InvalidLocatorError, InvalidLocatorReason, BaseFunctionKeyLocator, KeyFingerprint, KeyLocator, KeyMetadata, KeySearchParams, KeyStore, KeyType, KeyVerificationError, ProvingKeyLocator, provingKeyLocator, TranslationKeyLocator, translationKeyLocator, VerifyingKeyLocator, verifyingKeyLocator, KeyVerifier, MemKeyVerifier, Metadata, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, OutputJSON, OutputObject, OwnedFilter, OwnedRecord, OwnedRecordsResult, OwnedRecordsResponseFilter, OwnedRecordsSuccess, OwnerJSON, PartialSolutionJSON, PlaintextArray, PlaintextLiteral, PlaintextObject, PlaintextStruct, ProgramImports, ProveApiErrorBody, ProvingFailure, ProvingRequestError, ProvingRequestJSON, ProvingResult, ProvingSuccess, ProvingResponse, RatificationJSON, RecordsFilter, RecordsResponseFilter, RecordProvider, RecordScanner, RecordScannerErrorBody, RecordScannerFailure, RecordScannerJWTData, RecordScannerOptions, RecordNotFoundError, RecordScannerRequestError, ViewKeyNotStoredError, RecordSearchParams, RegisterResult, RegisterSuccess, RegistrationResponse, RevokeResult, RevokeSuccess, RevokeResponse, SealanceMerkleTree, SerialNumbersResult, SerialNumbersSuccess, sha256Hex, SolutionJSON, SolutionsJSON, StatusResponse, StatusResult, StatusSuccess, TagsResult, TagsSuccess, TransactionJSON, TransactionObject, TransitionJSON, TransitionObject, UUIDError, VerifyingKeys, };
 export { KeyVerificationError as ChecksumMismatchError, KeyVerifier as FunctionKeyVerifier, } from "./keys/verifier/interface.js";
 export { encryptAuthorization, encryptProvingRequest, encryptViewKey, encryptRegistrationRequest, zeroizeBytes } from "./security.js";
 export { toField, toGroup, toViewKey, toSignature, toAddress, isViewKeyStrategy, isInputIdStrategy, isRecordViewKeyStrategy, buildExecutionRequestFromExternallySignedData, computeExternalSigningInputs, } from "./external-signing.js";

package/dist/testnet/browser.d.ts

@@ -59,15 +59,16 @@ import { OfflineKeyProvider, OfflineSearchParams } from "./keys/provider/offline
 import { BlockHeightSearch, NetworkRecordProvider, RecordProvider } from "./record-provider.js";
 import { RecordScanner, RecordScannerJWTData, RecordScannerOptions } from "./record-scanner.js";
 import { SealanceMerkleTree } from "./integrations/sealance/merkle-tree.js";
+import { generateHookData } from "./integrations/circle/hook-data.js";
 declare function initializeWasm(): Promise<void>;
 export { ProgramManager, ProvingRequestOptions, ExecuteOptions, FeeAuthorizationOptions, AuthorizationOptions, VerificationOptions, BatchVerificationOptions, inputsToFields, verifyProof, verifyBatchProof, programChecksum } from "./program-manager.js";
-export { logAndThrow, TransportFunction } from "./utils/utils.js";
+export { logAndThrow, TransportFunction, defaultTransport, cookieAffinityTransport } from "./utils/utils.js";
 export { setLogLevel, getLogLevel } from "./utils/logger.js";
 export type { LogLevel } from "./utils/logger.js";
 export { Address, Authorization, Boolean, BHP256, BHP512, BHP768, BHP1024, Ciphertext, ComputeKey, DynamicRecord, Execution as FunctionExecution, ExecutionRequest, ExecutionResponse, EncryptionToolkit, Field, GraphKey, Group, I8, I16, I32, I64, I128, OfflineQuery, QueryOption, Pedersen64, Pedersen128, Plaintext, Poseidon2, Poseidon4, Poseidon8, PrivateKey, PrivateKeyCiphertext, Program, ProgramImportsBuilder, ProgramManager as ProgramManagerBase, Proof, ProvingKey, ProvingRequest, RecordCiphertext, RecordPlaintext, Signature, Scalar, stringToField, Transaction, Transition, U8, U16, U32, U64, U128, Value, VerifyingKey, ViewKey, initThreadPool, getOrInitConsensusVersionTestHeights, setWasmLogLevel, snarkVerify, snarkVerifyBatch, verifyFunctionExecution, } from "./wasm.js";
 export { initializeWasm };
 export { Key, CREDITS_PROGRAM_KEYS, KEY_STORE, PRIVATE_TRANSFER, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, PUBLIC_TO_PRIVATE_TRANSFER, RECORD_DOMAIN, VALID_TRANSFER_TYPES, } from "./constants.js";
-export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoKeyProviderInitParams, AleoNetworkClient, BlockJSON, BlockHeightSearch, BroadcastResponse, BroadcastResult, CachedKeyPair, ConfirmedTransactionJSON, CryptoBoxPubKey, DecryptionNotEnabledError, DeploymentJSON, DeploymentObject, EncryptedProvingRequest, EncryptedRecord, EncryptedRegistrationRequest, EncryptedRecordsResult, EncryptedRecordsSuccess, ExecutionJSON, ExecutionObject, FeeExecutionJSON, FeeExecutionObject, FinalizeJSON, FunctionInput, FunctionObject, FunctionKeyPair, FunctionKeyProvider, Header, isProvingResponse, isProveApiErrorBody, ImportedPrograms, ImportedVerifyingKeys, IndexedDBKeyStore, InputJSON, InputObject, InvalidLocatorError, InvalidLocatorReason, BaseFunctionKeyLocator, KeyFingerprint, KeyLocator, KeyMetadata, KeySearchParams, KeyStore, KeyType, KeyVerificationError, ProvingKeyLocator, provingKeyLocator, TranslationKeyLocator, translationKeyLocator, VerifyingKeyLocator, verifyingKeyLocator, KeyVerifier, MemKeyVerifier, Metadata, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, OutputJSON, OutputObject, OwnedFilter, OwnedRecord, OwnedRecordsResult, OwnedRecordsResponseFilter, OwnedRecordsSuccess, OwnerJSON, PartialSolutionJSON, PlaintextArray, PlaintextLiteral, PlaintextObject, PlaintextStruct, ProgramImports, ProveApiErrorBody, ProvingFailure, ProvingRequestError, ProvingRequestJSON, ProvingResult, ProvingSuccess, ProvingResponse, RatificationJSON, RecordsFilter, RecordsResponseFilter, RecordProvider, RecordScanner, RecordScannerErrorBody, RecordScannerFailure, RecordScannerJWTData, RecordScannerOptions, RecordNotFoundError, RecordScannerRequestError, ViewKeyNotStoredError, RecordSearchParams, RegisterResult, RegisterSuccess, RegistrationResponse, RevokeResult, RevokeSuccess, RevokeResponse, SealanceMerkleTree, SerialNumbersResult, SerialNumbersSuccess, sha256Hex, SolutionJSON, SolutionsJSON, StatusResponse, StatusResult, StatusSuccess, TagsResult, TagsSuccess, TransactionJSON, TransactionObject, TransitionJSON, TransitionObject, UUIDError, VerifyingKeys, };
+export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoKeyProviderInitParams, AleoNetworkClient, BlockJSON, BlockHeightSearch, BroadcastResponse, BroadcastResult, CachedKeyPair, ConfirmedTransactionJSON, CryptoBoxPubKey, DecryptionNotEnabledError, DeploymentJSON, DeploymentObject, EncryptedProvingRequest, EncryptedRecord, EncryptedRegistrationRequest, EncryptedRecordsResult, EncryptedRecordsSuccess, ExecutionJSON, ExecutionObject, FeeExecutionJSON, FeeExecutionObject, FinalizeJSON, FunctionInput, FunctionObject, FunctionKeyPair, FunctionKeyProvider, generateHookData, Header, isProvingResponse, isProveApiErrorBody, ImportedPrograms, ImportedVerifyingKeys, IndexedDBKeyStore, InputJSON, InputObject, InvalidLocatorError, InvalidLocatorReason, BaseFunctionKeyLocator, KeyFingerprint, KeyLocator, KeyMetadata, KeySearchParams, KeyStore, KeyType, KeyVerificationError, ProvingKeyLocator, provingKeyLocator, TranslationKeyLocator, translationKeyLocator, VerifyingKeyLocator, verifyingKeyLocator, KeyVerifier, MemKeyVerifier, Metadata, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, OutputJSON, OutputObject, OwnedFilter, OwnedRecord, OwnedRecordsResult, OwnedRecordsResponseFilter, OwnedRecordsSuccess, OwnerJSON, PartialSolutionJSON, PlaintextArray, PlaintextLiteral, PlaintextObject, PlaintextStruct, ProgramImports, ProveApiErrorBody, ProvingFailure, ProvingRequestError, ProvingRequestJSON, ProvingResult, ProvingSuccess, ProvingResponse, RatificationJSON, RecordsFilter, RecordsResponseFilter, RecordProvider, RecordScanner, RecordScannerErrorBody, RecordScannerFailure, RecordScannerJWTData, RecordScannerOptions, RecordNotFoundError, RecordScannerRequestError, ViewKeyNotStoredError, RecordSearchParams, RegisterResult, RegisterSuccess, RegistrationResponse, RevokeResult, RevokeSuccess, RevokeResponse, SealanceMerkleTree, SerialNumbersResult, SerialNumbersSuccess, sha256Hex, SolutionJSON, SolutionsJSON, StatusResponse, StatusResult, StatusSuccess, TagsResult, TagsSuccess, TransactionJSON, TransactionObject, TransitionJSON, TransitionObject, UUIDError, VerifyingKeys, };
 export { KeyVerificationError as ChecksumMismatchError, KeyVerifier as FunctionKeyVerifier, } from "./keys/verifier/interface.js";
 export { encryptAuthorization, encryptProvingRequest, encryptViewKey, encryptRegistrationRequest, zeroizeBytes } from "./security.js";
 export { toField, toGroup, toViewKey, toSignature, toAddress, isViewKeyStrategy, isInputIdStrategy, isRecordViewKeyStrategy, buildExecutionRequestFromExternallySignedData, computeExternalSigningInputs, } from "./external-signing.js";

package/dist/testnet/browser.js

@@ -1,5 +1,5 @@
 import 'core-js/proposals/json-parse-with-source.js';
-import { ProvingKey, VerifyingKey, ViewKey, ComputeKey, Address, PrivateKeyCiphertext, PrivateKey, RecordCiphertext, EncryptionToolkit, Group, Metadata, Program, Plaintext, Transaction, ProvingRequest, RecordPlaintext, Field, Poseidon4, ProgramManager as ProgramManager$1, CallbackQuery, ProgramImports, QueryOption, ExecutionRequest, stringToField, verifyFunctionExecution, Value, Proof, Signature } from '@provablehq/wasm/testnet.js';
+import { ProvingKey, VerifyingKey, ViewKey, ComputeKey, Address, PrivateKeyCiphertext, PrivateKey, RecordCiphertext, EncryptionToolkit, Group, Metadata, Program, Plaintext, Transaction, ProvingRequest, RecordPlaintext, Field, Poseidon4, Scalar, BHP256, ProgramManager as ProgramManager$1, CallbackQuery, ProgramImports, QueryOption, ExecutionRequest, stringToField, verifyFunctionExecution, Value, Proof, Signature } from '@provablehq/wasm/testnet.js';
 export { Address, Authorization, BHP1024, BHP256, BHP512, BHP768, Boolean, Ciphertext, ComputeKey, DynamicRecord, EncryptionToolkit, ExecutionRequest, ExecutionResponse, Field, Execution as FunctionExecution, GraphKey, Group, I128, I16, I32, I64, I8, OfflineQuery, Pedersen128, Pedersen64, Plaintext, Poseidon2, Poseidon4, Poseidon8, PrivateKey, PrivateKeyCiphertext, Program, ProgramImports as ProgramImportsBuilder, ProgramManager as ProgramManagerBase, Proof, ProvingKey, ProvingRequest, QueryOption, RecordCiphertext, RecordPlaintext, Scalar, Signature, Transaction, Transition, U128, U16, U32, U64, U8, Value, VerifyingKey, ViewKey, getOrInitConsensusVersionTestHeights, initThreadPool, setWasmLogLevel, snarkVerify, snarkVerifyBatch, stringToField, verifyFunctionExecution } from '@provablehq/wasm/testnet.js';
 import { cryptoBoxSeal } from '@serenity-kit/noble-sodium';
 import { base64, bech32m } from '@scure/base';
@@ -1022,13 +1022,15 @@ class Account {
 
 function detectBrowser() {
     const userAgent = navigator.userAgent;
-    if (/chrome|crios|crmo/i.test(userAgent) && !/edge|edg|opr/i.test(userAgent)) {
+    if (/chrome|crios|crmo/i.test(userAgent) &&
+        !/edge|edg|opr/i.test(userAgent)) {
         return "chrome";
     }
     else if (/firefox|fxios/i.test(userAgent)) {
         return "firefox";
     }
-    else if (/safari/i.test(userAgent) && !/chrome|crios|crmo|android/i.test(userAgent)) {
+    else if (/safari/i.test(userAgent) &&
+        !/chrome|crios|crmo|android/i.test(userAgent)) {
         return "safari";
     }
     else if (/edg/i.test(userAgent)) {
@@ -1042,28 +1044,263 @@ function detectBrowser() {
     }
 }
 function isNode() {
-    return typeof process !== "undefined" &&
+    return (typeof process !== "undefined" &&
         process.versions != null &&
-        process.versions.node != null;
+        process.versions.node != null);
 }
 function environment() {
-    if ((typeof process !== 'undefined') &&
-        (process.release?.name === 'node')) {
-        return 'node';
+    if (typeof process !== "undefined" && process.release?.name === "node") {
+        return "node";
     }
-    else if (typeof window !== 'undefined') {
+    else if (typeof window !== "undefined") {
         return detectBrowser();
     }
     else {
-        return 'unknown';
+        return "unknown";
     }
 }
 function logAndThrow(message) {
     logger.error(message);
     throw new Error(message);
 }
+/*
+ * Per-origin cookie jar used by `cookieAffinityTransport`.
+ *
+ * Some Aleo backends sit behind a gateway (e.g. Kong) that uses cookie-based
+ * session affinity: the server sets a routing cookie on the first response and
+ * expects it back on subsequent requests so per-session state stays on the same
+ * upstream instance. Browsers and iOS NSURLSession persist cookies automatically,
+ * but Node `fetch` and bare React Native do not — without a jar, those runtimes
+ * land on a random upstream per request.
+ *
+ * Only cookies named in `AFFINITY_COOKIE_NAMES` are captured. The jar is
+ * module-scoped — the same process shares routing cookies per origin — but the
+ * whitelist keeps unrelated cookies (auth, session, CSRF) out of it, so other
+ * SDK clients hitting the same origin can't accidentally inherit caller state.
+ *
+ * In a browser this jar is effectively a no-op: `Cookie` is a forbidden request
+ * header, so the manual value set here is dropped by the browser and the
+ * browser's own cookie store takes over.
+ */
+const AFFINITY_COOKIE_NAMES = new Set(["route"]);
+const cookieJar = new Map();
+function isRequestLike(value) {
+    return (typeof Request !== "undefined" &&
+        value !== null &&
+        typeof value === "object" &&
+        value instanceof Request);
+}
+function isHeadersLike(value) {
+    return (typeof Headers !== "undefined" &&
+        value !== null &&
+        typeof value === "object" &&
+        value instanceof Headers);
+}
+function originOf(urlOrReq) {
+    try {
+        const raw = typeof urlOrReq === "string"
+            ? urlOrReq
+            : urlOrReq instanceof URL
+                ? urlOrReq.toString()
+                : isRequestLike(urlOrReq)
+                    ? urlOrReq.url
+                    : String(urlOrReq);
+        const parsed = new URL(raw);
+        return `${parsed.protocol}//${parsed.host}`;
+    }
+    catch {
+        return null;
+    }
+}
+/*
+ * Derives the origin a response's `Set-Cookie` belongs to. `fetch` may follow
+ * redirects across origins (or http→https), in which case the final response
+ * headers belong to `response.url`'s origin, not the request input's. Returns
+ * null when the response has no usable `url` (e.g. the minimal response-like
+ * objects existing SDK tests stub fetch with), so callers can fall back to the
+ * request-derived origin.
+ */
+function responseOriginOf(response) {
+    if (!response || typeof response !== "object")
+        return null;
+    const url = response.url;
+    if (typeof url !== "string" || url.length === 0)
+        return null;
+    return originOf(url);
+}
+function cookieHeaderFor(origin) {
+    if (!origin)
+        return null;
+    const jar = cookieJar.get(origin);
+    if (!jar || jar.size === 0)
+        return null;
+    const parts = [];
+    for (const [name, value] of jar)
+        parts.push(`${name}=${value}`);
+    return parts.join("; ");
+}
+/*
+ * Reads Set-Cookie values from a fetch-style response in a defensive way.
+ * Existing test mocks return minimal response-like objects without a
+ * `headers` field, and Node's fetch surfaces multiple Set-Cookie headers via
+ * `getSetCookie()` (not `get('set-cookie')`, which returns null or a
+ * comma-joined string depending on the implementation).
+ */
+function readSetCookies(response) {
+    if (!response || typeof response !== "object")
+        return [];
+    const headers = response.headers;
+    if (!headers || typeof headers !== "object")
+        return [];
+    const getSetCookie = headers
+        .getSetCookie;
+    if (typeof getSetCookie === "function") {
+        try {
+            const list = getSetCookie.call(headers);
+            if (Array.isArray(list) && list.length > 0)
+                return list;
+        }
+        catch {
+            // fall through to .get()
+        }
+    }
+    const get = headers.get;
+    if (typeof get !== "function")
+        return [];
+    let raw;
+    try {
+        raw = get.call(headers, "set-cookie");
+    }
+    catch {
+        return [];
+    }
+    if (!raw)
+        return [];
+    // Some older runtimes comma-join multiple Set-Cookie headers into a
+    // single string. Split only when the comma is followed by a likely
+    // new cookie name (`alpha[\w-]*=`), which excludes commas inside
+    // `Expires=Wed, 21 Oct 2015 …` date attributes.
+    return raw.split(/, (?=[A-Za-z][\w-]*=)/);
+}
+function storeSetCookies(origin, cookies) {
+    if (!origin || cookies.length === 0)
+        return;
+    let jar;
+    for (const cookie of cookies) {
+        if (typeof cookie !== "string" || !cookie)
+            continue;
+        const head = cookie.split(";")[0];
+        const eq = head.indexOf("=");
+        if (eq <= 0)
+            continue;
+        const name = head.slice(0, eq).trim();
+        if (!AFFINITY_COOKIE_NAMES.has(name))
+            continue;
+        if (!jar) {
+            jar = cookieJar.get(origin);
+            if (!jar) {
+                jar = new Map();
+                cookieJar.set(origin, jar);
+            }
+        }
+        jar.set(name, head.slice(eq + 1).trim());
+    }
+}
+/*
+ * Returns a fresh HeadersInit with `cookie` attached when the input doesn't
+ * already carry one. NEVER mutates the caller's input — a caller reusing the
+ * same Headers/init across calls to different origins must not see origin A's
+ * jar cookie persist into the call for origin B.
+ */
+function attachCookie(headersInit, cookie) {
+    if (isHeadersLike(headersInit)) {
+        if (headersInit.has("cookie"))
+            return headersInit;
+        const cloned = new Headers(headersInit);
+        cloned.set("cookie", cookie);
+        return cloned;
+    }
+    if (Array.isArray(headersInit)) {
+        const hasCookie = headersInit.some((pair) => Array.isArray(pair) &&
+            typeof pair[0] === "string" &&
+            pair[0].toLowerCase() === "cookie");
+        return hasCookie ? headersInit : [...headersInit, ["cookie", cookie]];
+    }
+    if (headersInit && typeof headersInit === "object") {
+        const hasCookie = Object.keys(headersInit).some((key) => key.toLowerCase() === "cookie");
+        return hasCookie ? headersInit : { ...headersInit, cookie };
+    }
+    return { cookie };
+}
 /** Default transport — wraps global fetch to avoid illegal-invocation errors in browsers. */
 const defaultTransport = (...args) => fetch(...args);
+/**
+ * Opt-in transport that layers a per-origin cookie jar on top of `fetch`.
+ *
+ * Not wired in by default — pass it explicitly as the `transport` option to
+ * `AleoNetworkClient`, `RecordScanner`, `AleoKeyProvider`, etc. (or to the
+ * `get`/`post` helpers) when talking to a backend that uses cookie-based
+ * session affinity. Browsers and iOS NSURLSession persist cookies on their own,
+ * so this is targeted at Node and bare React Native consumers.
+ *
+ * Wraps the global `fetch` (avoiding illegal-invocation errors in browsers when
+ * `fetch` is passed around as a bare reference) and layers a per-origin cookie
+ * jar on top. Responses' `Set-Cookie` headers are captured (filtered by
+ * `AFFINITY_COOKIE_NAMES`) and replayed as a `Cookie` header on subsequent
+ * same-origin requests, which is required for backends that use cookie-based
+ * session affinity (see `cookieJar` above).
+ *
+ * A caller-supplied `Cookie` header is never overwritten — `network-client.ts`
+ * forwards the pubkey-response cookie manually onto delegated-prove requests
+ * for Node compatibility, and that path takes precedence over the jar.
+ */
+const cookieAffinityTransport = async (input, init) => {
+    const origin = originOf(input);
+    const cookie = cookieHeaderFor(origin);
+    if (cookie) {
+        // Always operate on shallow clones so callers reusing the same
+        // `init` / `Headers` / `Request` across origins don't end up with
+        // origin A's jar cookie persisting into the object and blocking
+        // origin B's correct cookie.
+        if (init?.headers !== undefined && init.headers !== null) {
+            // init.headers, when explicitly set, REPLACES the Request's
+            // headers per the Fetch spec — attach there.
+            init = { ...init, headers: attachCookie(init.headers, cookie) };
+        }
+        else if (isRequestLike(input)) {
+            // Merge the Request's existing headers with the cookie and
+            // pass them via `init.headers` instead of mutating the
+            // Request itself. (Fetch spec: an explicit `init.headers`
+            // replaces Request.headers entirely, so we copy the
+            // originals into the merged set first.)
+            try {
+                const merged = new Headers(input.headers);
+                if (!merged.has("cookie")) {
+                    merged.set("cookie", cookie);
+                    init = { ...(init ?? {}), headers: merged };
+                }
+            }
+            catch {
+                // Some runtimes restrict Headers construction from a
+                // Request; skip rather than failing the request.
+            }
+        }
+        else if (init) {
+            init = { ...init, headers: attachCookie(undefined, cookie) };
+        }
+        else {
+            init = { headers: attachCookie(undefined, cookie) };
+        }
+    }
+    const response = await fetch(input, init);
+    // A response's `Set-Cookie` belongs to the final response URL's origin,
+    // which can differ from the request input's when fetch follows redirects
+    // (cross-origin or http→https). Prefer `response.url`; fall back to the
+    // request origin for minimal mocked responses that don't expose a `url`.
+    const responseOrigin = responseOriginOf(response) ?? origin;
+    storeSetCookies(responseOrigin, readSetCookies(response));
+    return response;
+};
 function parseJSON(json) {
     function revive(key, value, context) {
         if (Number.isInteger(value)) {
@@ -1242,6 +1479,11 @@ const RECORD_DOMAIN = "RecordScannerV0";
 const ZERO_ADDRESS = "aleo1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq3ljyzc";
 const FIVE_MINUTES = 5 * 60 * 1000; // 5 minutes in milliseconds
 
+const HEADERS = new Set([
+    "x-aleo-sdk-version",
+    "x-aleo-environment",
+    "x-aleo-method",
+]);
 /**
  * Client library that encapsulates REST calls to publicly exposed endpoints of Aleo nodes. The methods provided in this
  * allow users to query public information from the Aleo blockchain and submit transactions to the network.
@@ -1289,7 +1531,7 @@ class AleoNetworkClient {
             else {
                 this.headers = {
                     // This is replaced by the actual version by a Rollup plugin
-                    "X-Aleo-SDK-Version": "0.11.0",
+                    "X-Aleo-SDK-Version": "0.11.2",
                     "X-Aleo-environment": environment(),
                 };
             }
@@ -1305,7 +1547,7 @@ class AleoNetworkClient {
         else {
             this.headers = {
                 // This is replaced by the actual version by a Rollup plugin
-                "X-Aleo-SDK-Version": "0.11.0",
+                "X-Aleo-SDK-Version": "0.11.2",
                 "X-Aleo-environment": environment(),
             };
         }
@@ -1421,6 +1663,21 @@ class AleoNetworkClient {
     removeHeader(headerName) {
         delete this.headers[headerName];
     }
+    userHeaders() {
+        const result = {};
+        for (const [key, value] of Object.entries(this.headers)) {
+            if (!HEADERS.has(key.toLowerCase())) {
+                result[key] = value;
+            }
+        }
+        return result;
+    }
+    method(method) {
+        if (this.hasCustomTransport) {
+            return this.userHeaders();
+        }
+        return { ...this.headers, "X-ALEO-METHOD": method };
+    }
     /**
      * Fetches data from the Aleo network and returns it as a JSON object.
      *
@@ -1448,10 +1705,9 @@ class AleoNetworkClient {
             const ctx = { ...this.ctx };
             return await retryWithBackoff(async () => {
                 const response = await get(this.host + url, {
-                    headers: {
-                        ...this.headers,
-                        ...ctx,
-                    },
+                    headers: this.hasCustomTransport
+                        ? this.userHeaders()
+                        : { ...this.headers, ...ctx },
                 }, this.transport);
                 return await response.text();
             });
@@ -2683,7 +2939,7 @@ class AleoNetworkClient {
             const endpoint = this.verboseErrors ? "transaction/broadcast?check_transaction=true" : "transaction/broadcast";
             const response = await retryWithBackoff(() => this._sendPost(`${this.host}/${endpoint}`, {
                 body: transactionString,
-                headers: Object.assign({}, { ...this.headers, "X-ALEO-METHOD": "submitTransaction" }, {
+                headers: Object.assign({}, this.method("submitTransaction"), {
                     "Content-Type": "application/json",
                 }),
             }));
@@ -2709,7 +2965,7 @@ class AleoNetworkClient {
         try {
             const response = await retryWithBackoff(() => post(this.host + "/solution/broadcast", {
                 body: solution,
-                headers: Object.assign({}, { ...this.headers, "X-ALEO-METHOD": "submitSolution" }, {
+                headers: Object.assign({}, this.method("submitSolution"), {
                     "Content-Type": "application/json",
                 }),
             }, this.transport));
@@ -2738,7 +2994,8 @@ class AleoNetworkClient {
         }
         const response = await post(`${this.baseUrl}/jwts/${consumerId}`, {
             headers: {
-                'X-Provable-API-Key': apiKey
+                ...this.method("refreshJwt"),
+                'X-Provable-API-Key': apiKey,
             }
         }, this.transport);
         const authHeader = response.headers.get('authorization');
@@ -2832,8 +3089,7 @@ class AleoNetworkClient {
         }
         // Create the necessary headers to hit the provable api.
         const headers = {
-            ...this.headers,
-            "X-ALEO-METHOD": "submitProvingRequest",
+            ...this.method("submitProvingRequest"),
             "Content-Type": "application/json",
         };
         if (jwtData?.jwt) {
@@ -2947,10 +3203,7 @@ class AleoNetworkClient {
                 }
                 try {
                     const res = await this.transport(`${this.host}/transaction/confirmed/${transactionId}`, {
-                        headers: {
-                            ...this.headers,
-                            "X-ALEO-METHOD": "waitForTransactionConfirmation",
-                        },
+                        headers: this.method("waitForTransactionConfirmation"),
                     });
                     if (!res.ok) {
                         let text = "";
@@ -5461,6 +5714,19 @@ class SealanceMerkleTree {
     }
 }
 
+// This method generates the hook data for the Circle USDCx shielded mint flow.  
+function generateHookData(recipientAddress, secretNonce) {
+    // Leo's BHP256::commit_to_field uses the typed plaintext bits, not raw address bits.
+    const recipientBits = Plaintext.fromString(recipientAddress).toBitsLe();
+    const secret = Scalar.fromString(secretNonce);
+    const committedField = new BHP256().commit(recipientBits, secret);
+    const committedBytes = committedField.toBytesLe();
+    const hookData = new Uint8Array(65);
+    hookData[0] = 2;
+    hookData.set(committedBytes, 1);
+    return hookData;
+}
+
 /**
  * The ProgramManager class is used to execute and deploy programs on the Aleo network and create value transfers.
  */
@@ -8198,7 +8464,7 @@ class ProgramManager {
      * import { AleoKeyProvider, getOrInitConsensusVersionTestHeights, ProgramManager, NetworkRecordProvider } from "@provablehq/sdk/mainnet.js";
      *
      * // Initialize the development consensus heights in order to work with devnode.
-     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12,13");
+     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12,13,14");
      *
      * // Create a new NetworkClient and RecordProvider.
      * const recordProvider = new NetworkRecordProvider(account, networkClient);
@@ -8325,7 +8591,7 @@ class ProgramManager {
      * import { ProgramManager, NetworkRecordProvider, getOrInitConsensusVersionTestHeights } from "@provablehq/sdk/mainnet.js";
      *
      * // Initialize the development consensus heights in order to work with a local devnode.
-     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12,13");
+     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12,13,14");
      *
      * // Create a new NetworkClient, and RecordProvider
      * const recordProvider = new NetworkRecordProvider(account, networkClient);
@@ -8871,5 +9137,5 @@ async function initializeWasm() {
     logger.warn("initializeWasm is deprecated, you no longer need to use it");
 }
 
-export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoNetworkClient, BlockHeightSearch, CREDITS_PROGRAM_KEYS, KeyVerificationError as ChecksumMismatchError, DecryptionNotEnabledError, IndexedDBKeyStore, InvalidLocatorError, KEY_STORE, KeyVerificationError, MemKeyVerifier, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TO_PRIVATE_TRANSFER, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, ProgramManager, RECORD_DOMAIN, RecordNotFoundError, RecordScanner, RecordScannerRequestError, SealanceMerkleTree, UUIDError, VALID_TRANSFER_TYPES, ViewKeyNotStoredError, buildExecutionRequestFromExternallySignedData, computeExternalSigningInputs, encryptAuthorization, encryptProvingRequest, encryptRegistrationRequest, encryptViewKey, getLogLevel, initializeWasm, inputsToFields, isInputIdStrategy, isProveApiErrorBody, isProvingResponse, isRecordViewKeyStrategy, isViewKeyStrategy, logAndThrow, programChecksum, provingKeyLocator, setLogLevel, sha256Hex, toAddress, toField, toGroup, toSignature, toViewKey, translationKeyLocator, verifyBatchProof, verifyProof, verifyingKeyLocator, zeroizeBytes };
+export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoNetworkClient, BlockHeightSearch, CREDITS_PROGRAM_KEYS, KeyVerificationError as ChecksumMismatchError, DecryptionNotEnabledError, IndexedDBKeyStore, InvalidLocatorError, KEY_STORE, KeyVerificationError, MemKeyVerifier, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TO_PRIVATE_TRANSFER, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, ProgramManager, RECORD_DOMAIN, RecordNotFoundError, RecordScanner, RecordScannerRequestError, SealanceMerkleTree, UUIDError, VALID_TRANSFER_TYPES, ViewKeyNotStoredError, buildExecutionRequestFromExternallySignedData, computeExternalSigningInputs, cookieAffinityTransport, defaultTransport, encryptAuthorization, encryptProvingRequest, encryptRegistrationRequest, encryptViewKey, generateHookData, getLogLevel, initializeWasm, inputsToFields, isInputIdStrategy, isProveApiErrorBody, isProvingResponse, isRecordViewKeyStrategy, isViewKeyStrategy, logAndThrow, programChecksum, provingKeyLocator, setLogLevel, sha256Hex, toAddress, toField, toGroup, toSignature, toViewKey, translationKeyLocator, verifyBatchProof, verifyProof, verifyingKeyLocator, zeroizeBytes };
 //# sourceMappingURL=browser.js.map