npm - @provablehq/sdk - Versions diffs - 0.9.16 → 0.9.18 - Mend

@provablehq/sdk 0.9.16 → 0.9.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/dist/mainnet/account.d.ts +43 -3
package/dist/mainnet/browser.d.ts +11 -4
package/dist/mainnet/browser.js +460 -109
package/dist/mainnet/browser.js.map +1 -1
package/dist/mainnet/keys/keystore/error.d.ts +23 -0
package/dist/mainnet/keys/keystore/file.d.ts +217 -0
package/dist/mainnet/keys/keystore/interface.d.ts +85 -0
package/dist/mainnet/keys/provider/interface.d.ts +170 -0
package/dist/mainnet/{function-key-provider.d.ts → keys/provider/memory.d.ts} +9 -167
package/dist/mainnet/{offline-key-provider.d.ts → keys/provider/offline.d.ts} +6 -3
package/dist/mainnet/keys/verifier/interface.d.ts +70 -0
package/dist/mainnet/keys/verifier/memory.d.ts +37 -0
package/dist/mainnet/models/keyHolder.d.ts +2 -0
package/dist/mainnet/models/keyPair.d.ts +4 -0
package/dist/mainnet/models/record-scanner/error.d.ts +1 -1
package/dist/mainnet/models/record-scanner/revokeResult.d.ts +17 -0
package/dist/mainnet/node.d.ts +1 -0
package/dist/mainnet/node.js +399 -2
package/dist/mainnet/node.js.map +1 -1
package/dist/mainnet/program-manager.d.ts +4 -3
package/dist/mainnet/record-scanner.d.ts +16 -0
package/dist/mainnet/security.d.ts +24 -0
package/dist/testnet/account.d.ts +43 -3
package/dist/testnet/browser.d.ts +11 -4
package/dist/testnet/browser.js +460 -109
package/dist/testnet/browser.js.map +1 -1
package/dist/testnet/keys/keystore/error.d.ts +23 -0
package/dist/testnet/keys/keystore/file.d.ts +217 -0
package/dist/testnet/keys/keystore/interface.d.ts +85 -0
package/dist/testnet/keys/provider/interface.d.ts +170 -0
package/dist/testnet/{function-key-provider.d.ts → keys/provider/memory.d.ts} +9 -167
package/dist/testnet/{offline-key-provider.d.ts → keys/provider/offline.d.ts} +6 -3
package/dist/testnet/keys/verifier/interface.d.ts +70 -0
package/dist/testnet/keys/verifier/memory.d.ts +37 -0
package/dist/testnet/models/keyHolder.d.ts +2 -0
package/dist/testnet/models/keyPair.d.ts +4 -0
package/dist/testnet/models/record-scanner/error.d.ts +1 -1
package/dist/testnet/models/record-scanner/revokeResult.d.ts +17 -0
package/dist/testnet/node.d.ts +1 -0
package/dist/testnet/node.js +399 -2
package/dist/testnet/node.js.map +1 -1
package/dist/testnet/program-manager.d.ts +4 -3
package/dist/testnet/record-scanner.d.ts +16 -0
package/dist/testnet/security.d.ts +24 -0
package/package.json +3 -3

package/dist/mainnet/node.js CHANGED Viewed

@@ -1,13 +1,410 @@
 import './node-polyfill.js';
-export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoNetworkClient, BlockHeightSearch, CREDITS_PROGRAM_KEYS, DecryptionNotEnabledError, KEY_STORE, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TO_PRIVATE_TRANSFER, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, ProgramManager, RECORD_DOMAIN, RecordNotFoundError, RecordScanner, RecordScannerRequestError, SealanceMerkleTree, UUIDError, VALID_TRANSFER_TYPES, ViewKeyNotStoredError, encryptAuthorization, encryptProvingRequest, encryptRegistrationRequest, encryptViewKey, initializeWasm, isProveApiErrorBody, isProvingResponse, logAndThrow } from './browser.js';
+import * as fs from 'node:fs/promises';
+import * as $fs from 'node:fs';
+import * as path from 'path';
+import { MemKeyVerifier, InvalidLocatorError } from './browser.js';
+export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoNetworkClient, BlockHeightSearch, CREDITS_PROGRAM_KEYS, KeyVerificationError as ChecksumMismatchError, DecryptionNotEnabledError, KEY_STORE, KeyVerificationError, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TO_PRIVATE_TRANSFER, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, ProgramManager, RECORD_DOMAIN, RecordNotFoundError, RecordScanner, RecordScannerRequestError, SealanceMerkleTree, UUIDError, VALID_TRANSFER_TYPES, ViewKeyNotStoredError, encryptAuthorization, encryptProvingRequest, encryptRegistrationRequest, encryptViewKey, initializeWasm, isProveApiErrorBody, isProvingResponse, logAndThrow, sha256Hex, zeroizeBytes } from './browser.js';
+import { ProvingKey, VerifyingKey } from '@provablehq/wasm/mainnet.js';
 export { Address, Authorization, BHP1024, BHP256, BHP512, BHP768, Boolean, Ciphertext, ComputeKey, EncryptionToolkit, ExecutionRequest, ExecutionResponse, Field, Execution as FunctionExecution, GraphKey, Group, I128, I16, I32, I64, I8, OfflineQuery, Pedersen128, Pedersen64, Plaintext, Poseidon2, Poseidon4, Poseidon8, PrivateKey, PrivateKeyCiphertext, Program, ProgramManager as ProgramManagerBase, ProvingKey, ProvingRequest, RecordCiphertext, RecordPlaintext, Scalar, Signature, Transaction, Transition, U128, U16, U32, U64, U8, VerifyingKey, ViewKey, getOrInitConsensusVersionTestHeights, initThreadPool, verifyFunctionExecution } from '@provablehq/wasm/mainnet.js';
 import 'core-js/proposals/json-parse-with-source.js';
 import 'node:crypto';
-import 'node:fs';
 import 'mime/lite';
 import 'xmlhttprequest-ssl';
 import 'node:worker_threads';
 import 'node:os';
 import 'libsodium-wrappers';
 import '@scure/base';
+class LocalFileKeyStore {
+    directory;
+    keyVerifier = new MemKeyVerifier();
+    /**
+     * Creates a new directory at the given path or CURRENTDIR/.aleo if none is provided to store keys.
+     * If a custom directory is passed and its last path segment is not ".aleo", ".aleo" is appended
+     * so keys are stored under that subdirectory (e.g. /home/project → /home/project/.aleo).
+     *
+     * @param {string} [directory] - Optional custom directory path for key storage. Defaults to ".aleo" in current working directory.
+     * @throws {Error} If directory creation fails.
+     */
+    constructor(directory) {
+        this.directory = directory ?? path.join(process.cwd(), ".aleo");
+        if (directory !== undefined && path.basename(this.directory) !== ".aleo") {
+            this.directory = path.join(this.directory, ".aleo");
+        }
+        $fs.mkdirSync(this.directory, { recursive: true });
+    }
+    /**
+     * Validates that a locator is a safe filesystem identifier.
+     *
+     * @private
+     * @param {string} locator - Unique identifier used to derive a metadata file path.
+     * @throws {InvalidLocatorError} If the locator could cause path traversal.
+     */
+    validateLocator(locator) {
+        // Reject empty and reserved names that could resolve to the directory or parent
+        if (locator === "" || locator === "." || locator === "..") {
+            throw new InvalidLocatorError(`Invalid locator: reserved or empty name "${locator}"`, locator, "reserved_name");
+        }
+        // Explicitly block traversal attempts
+        if (locator.includes("..")) {
+            throw new InvalidLocatorError("Invalid locator: path traversal detected", locator, "path_traversal");
+        }
+        // Block path separators and null byte
+        if (locator.includes("/") || locator.includes("\\") || locator.includes("\0")) {
+            throw new InvalidLocatorError("Invalid locator: path separator or null byte not allowed", locator, "path_separator");
+        }
+    }
+    /**
+     * Generates the path for a key metadata file based on the locator.
+     *
+     * @private
+     * @param {string} locator - Unique identifier for the key.
+     * @returns {string} Full filesystem path to the metadata file.
+     */
+    metadataPath(locator) {
+        return path.join(this.directory, `${locator}.metadata`);
+    }
+    /**
+     * Reads and parses the key fingerprint metadata from storage.
+     *
+     * @private
+     * @param {string} locator - Unique identifier for the key.
+     * @returns {Promise<KeyFingerprint | null>} The key fingerprint if found, null if file doesn't exist.
+     * @throws {Error} If file read fails for any reason other than not found.
+     */
+    async readKeyMetadata(locator) {
+        try {
+            const data = await fs.readFile(this.metadataPath(locator), "utf-8");
+            return JSON.parse(data);
+        }
+        catch (err) {
+            if (err &&
+                typeof err === "object" &&
+                "code" in err &&
+                err.code === "ENOENT")
+                return null;
+            throw err;
+        }
+    }
+    /**
+     * Writes key fingerprint metadata to storage.
+     *
+     * @private
+     * @param {string} locator - Unique identifier for the key.
+     * @param {KeyFingerprint} metadata - Key fingerprint metadata to store.
+     * @returns {Promise<void>}
+     * @throws {Error} If directory creation or file write fails.
+     */
+    async writeKeyMetadata(locator, metadata) {
+        await fs.mkdir(path.dirname(this.metadataPath(locator)), {
+            recursive: true,
+        });
+        await fs.writeFile(this.metadataPath(locator), JSON.stringify(metadata, null, 0), "utf-8");
+    }
+    async readFileOptional(filepath) {
+        try {
+            const data = await fs.readFile(filepath);
+            return new Uint8Array(data);
+        }
+        catch (err) {
+            if (err.code === "ENOENT")
+                return null;
+            throw err;
+        }
+    }
+    /**
+     * Atomically writes data to a file, ensuring the parent directories exist.
+     *
+     * @private
+     * @param {string} filepath - Full path to the file to write
+     * @param {Uint8Array} data - Binary data to write to the file
+     * @returns {Promise<void>} Resolves when write is complete
+     * @throws {Error} If directory creation or file write fails
+     */
+    async writeFileAtomic(filepath, data) {
+        const dir = path.dirname(filepath);
+        await fs.mkdir(dir, { recursive: true });
+        const tempPath = path.join(dir, `.${path.basename(filepath)}.${process.pid}.${Date.now()}.${Math.random().toString(16).slice(2)}.tmp`);
+        await fs.writeFile(tempPath, data);
+        try {
+            await fs.rename(tempPath, filepath);
+        }
+        catch (err) {
+            const code = err && typeof err === "object" && "code" in err ? err.code : undefined;
+            // Windows often throws EEXIST when target exists; EPERM/EACCES happen with locks/AV.
+            if (code === "EEXIST" || code === "EPERM" || code === "EACCES") {
+                await fs.unlink(filepath).catch(() => { });
+                try {
+                    await fs.rename(tempPath, filepath);
+                }
+                catch (err2) {
+                    await fs.unlink(tempPath).catch(() => { });
+                    throw err2;
+                }
+            }
+            else {
+                await fs.unlink(tempPath).catch(() => { });
+                throw err;
+            }
+        }
+    }
+    /**
+     * Recursively removes all files and subdirectories under the given directory, then removes the directory itself.
+     * Uses fs.rm with recursive: true and force: true so that symbolic links are removed without following them,
+     * avoiding deletion of content outside the keystore.
+     *
+     * @private
+     * @param {string} dir - Directory path to clear
+     * @returns {Promise<void>} Resolves when clearing is complete
+     * @throws {Error} If directory removal fails for reasons other than non-existence
+     */
+    async clearDirectory(dir) {
+        try {
+            await fs.rm(dir, { recursive: true, force: true });
+        }
+        catch (err) {
+            const code = err && typeof err === "object" && "code" in err ? err.code : undefined;
+            if (code === "ENOENT") {
+                return;
+            }
+            throw err;
+        }
+    }
+    // -------------------------------------------------------
+    // KEYSTORE INTERFACE
+    // -------------------------------------------------------
+    /**
+     * Retrieves the key bytes from storage and optionally verifies them against a fingerprint.
+     *
+     * @param {KeyLocator} locator - Object containing a locator string for the key + optional fingerprint for verification.
+     * @returns {Promise<Uint8Array | null>} The key bytes if found and verified (if fingerprint provided), null if not found.
+     * @throws {KeyVerificationError} If fingerprint verification fails.
+     * @example
+     * const keyBytes = await getKeyBytes({
+     *   locator: 'transfer_private.prover.421e5a5',
+     *   fingerprint: { checksum: '421e5a52f01a1eeb068bbf56d15e19477ff7290e4b988d1013e15563f2b77801', size: 116746954 }
+     * });
+     * if (keyBytes) {
+     *   // Use the verified key bytes
+     * }
+     */
+    async getKeyBytes(locator) {
+        this.validateLocator(locator.locator);
+        // Attempt to read key bytes from storage (under this.directory).
+        const keyBytes = await this.readFileOptional(path.join(this.directory, locator.locator));
+        // If no key bytes were found, return null.
+        if (!keyBytes)
+            return null;
+        // Use caller-provided fingerprint or metadata stored on disk for verification.
+        const fingerprint = locator.fingerprint ?? (await this.getKeyMetadata(locator.locator));
+        if (fingerprint) {
+            await this.keyVerifier.verifyKeyBytes({
+                keyBytes,
+                locator: locator.locator,
+                fingerprint,
+            });
+        }
+        // Return the verified key bytes.
+        return keyBytes;
+    }
+    /**
+     * Retrieves and verifies a proving key from storage.
+     *
+     * @param {KeyLocator} locator - Object containing the proving key location and optional fingerprint.
+     * @returns {Promise<ProvingKey | null>} The proving key if found and verified, null if not found.
+     * @throws {KeyVerificationError} If fingerprint verification fails.
+     * @throws {Error} If key bytes cannot be parsed into a valid ProvingKey.
+     *
+     * @example
+     * try {
+     *   const key = await getProvingKey({
+     *     locator: 'transfer_private.prover.421e5a5'
+     *   });
+     *   if (key) {
+     *     // Use the verified proving key
+     *   }
+     * } catch (err) {
+     *   if (err instanceof KeyVerificationError) {
+     *     // Handle verification failure.
+     *   } else {
+     *     // Handle key parsing error.
+     *   }
+     * }
+     */
+    async getProvingKey(locator) {
+        // Get the key bytes from storage.
+        const proverBytes = await this.getKeyBytes(locator);
+        if (!proverBytes)
+            return null;
+        // Attempt to parse the key bytes as a WASM ProvingKey (throws if invalid).
+        return ProvingKey.fromBytes(proverBytes);
+    }
+    /**
+     * Retrieves and verifies a verifying key from storage.
+     *
+     * @param {KeyLocator} locator - Object containing the verifying key location and optional fingerprint.
+     * @returns {Promise<VerifyingKey | null>} The verifying key if found and verified, null if not found.
+     * @throws {KeyVerificationError} If fingerprint verification fails.
+     * @throws {Error} If key bytes cannot be parsed into a valid VerifyingKey.
+     *
+     * @example
+     * try {
+     *   const key = await getVerifyingKey({
+     *     locator: 'transfer_private.verifier.4ac2f71'
+     *   });
+     *   if (key) {
+     *     // Use the verified verifying key
+     *   }
+     * } catch (err) {
+     *   if (err instanceof KeyVerificationError) {
+     *     // Handle verification failure.
+     *   } else {
+     *     // Handle key parsing error.
+     *   }
+     * }
+     */
+    async getVerifyingKey(locator) {
+        // Get the key bytes from storage.
+        const verifierBytes = await this.getKeyBytes(locator);
+        if (!verifierBytes)
+            return null;
+        // Attempt to parse the key bytes as a WASM VerifyingKey (throws if invalid).
+        return VerifyingKey.fromBytes(verifierBytes);
+    }
+    /**
+     * Stores proving and verifying keys in key storage.
+     *
+     * @param {KeyLocator} proverLocator The unique locator for the desired proving key.
+     * @param {KeyLocator} verifierLocator The unique locator for the desired verifying key.
+     * @param {FunctionKeyPair} keys The proving and verifying keys.
+     *
+     * @example
+     * const keys = await generateKeys();
+     * await setKeys(
+     *   { locator: 'transfer_private.prover' },
+     *   { locator: 'transfer_private.verifier' },
+     *   keys
+     * );
+     */
+    async setKeys(proverLocator, verifierLocator, keys) {
+        this.validateLocator(proverLocator.locator);
+        this.validateLocator(verifierLocator.locator);
+        // Convert the WASM keys to raw bytes.
+        const [provingKey, verifyingKey] = keys;
+        const [provingKeyBytes, verifyingKeyBytes] = [
+            provingKey.toBytes(),
+            verifyingKey.toBytes(),
+        ];
+        // Compute the fingerprints for the proving and verifying keys, verify against expected fingerprints if provided.
+        const [proverFingerPrint, verifierFingerPrint] = await Promise.all([
+            this.keyVerifier.computeKeyMetadata({
+                keyBytes: provingKeyBytes,
+                locator: proverLocator.locator,
+                fingerprint: proverLocator.fingerprint,
+            }),
+            this.keyVerifier.computeKeyMetadata({
+                keyBytes: verifyingKeyBytes,
+                locator: verifierLocator.locator,
+                fingerprint: verifierLocator.fingerprint,
+            }),
+        ]);
+        // Write the proving and verifying key bytes and their metadata to storage (under this.directory).
+        await this.writeFileAtomic(path.join(this.directory, proverLocator.locator), provingKeyBytes);
+        await this.writeFileAtomic(path.join(this.directory, verifierLocator.locator), verifyingKeyBytes);
+        await this.writeKeyMetadata(proverLocator.locator, proverFingerPrint);
+        await this.writeKeyMetadata(verifierLocator.locator, verifierFingerPrint);
+    }
+    /**
+     * Store a raw proving or verifying key in storage along with its fingerprint metadata for future verification.
+     *
+     * @param {Uint8Array} keyBytes The raw proving and verifying key bytes.
+     * @param {KeyLocator} locator The unique locator for the desired key pair.
+     * @returns {Promise<void>}
+     * @throws {Error} If computing key metadata or writing to storage fails
+     *
+     * @example
+     * const keys = await generateKeys();
+     * await setKeyBytes(keys.provingKey.toBytes(), { locator: 'transfer_private.prover' });
+     */
+    async setKeyBytes(keyBytes, locator) {
+        this.validateLocator(locator.locator);
+        // Compute the key metadata including fingerprint
+        const computedMetadata = await this.keyVerifier.computeKeyMetadata({
+            keyBytes: keyBytes,
+            locator: locator.locator,
+            fingerprint: locator.fingerprint,
+        });
+        // Write the key bytes and metadata atomically (key file under this.directory).
+        await this.writeFileAtomic(path.join(this.directory, locator.locator), keyBytes);
+        await this.writeKeyMetadata(locator.locator, computedMetadata);
+    }
+    /**
+     * Returns stored metadata for a key, if any.
+     *
+     * @param {string} locator The unique locator for the key.
+     * @returns {Promise<KeyFingerprint | null>} The stored fingerprint metadata for that locator, or null if none exists.
+     *
+     * @example
+     * const metadata = await getKeyMetadata('transfer_private.prover.421e5a5');
+     * if (metadata) {
+     *   // Use the stored metadata.
+     * }
+     */
+    async getKeyMetadata(locator) {
+        this.validateLocator(locator);
+        return this.readKeyMetadata(locator);
+    }
+    /**
+     * Checks if a key exists at the specified locator path.
+     *
+     * @param {string} locator - Unique identifier for the key location.
+     * @returns {Promise<boolean>} True if key exists at location, false otherwise.
+     *
+     * @example
+     * const exists = await has('transfer_private.prover.421e5a5');
+     * if (exists) {
+     *   // Key exists at location.
+     * } else {
+     *   // Key does not exist at location.
+     * }
+     */
+    async has(locator) {
+        this.validateLocator(locator);
+        const keyPath = path.join(this.directory, locator);
+        return await fs
+            .access(keyPath)
+            .then(() => true)
+            .catch(() => false);
+    }
+    /**
+     * Deletes a key and its associated metadata from storage. Silently ignores errors if files don't exist.
+     *
+     * @param {string} locator - Unique identifier for the key to delete.
+     * @returns {Promise<void>}
+     *
+     * @example
+     * await delete('transfer_private.prover.421e5a5');
+     */
+    async delete(locator) {
+        this.validateLocator(locator);
+        const p = path.join(this.directory, locator);
+        const m = this.metadataPath(locator);
+        await fs.unlink(p).catch(() => { });
+        await fs.unlink(m).catch(() => { });
+    }
+    /**
+     * Clears the key storage directory by recursively removing all files and subdirectories under it, then removes the keystore directory itself.
+     *
+     * @returns {Promise<void>}
+     * @throws {Error} If directory listing fails for reasons other than non-existence.
+     *
+     * @example
+     * await clear(); // Removes all files under the keystore directory.
+     */
+    async clear() {
+        await this.clearDirectory(this.directory);
+    }
+}
+export { InvalidLocatorError, LocalFileKeyStore, MemKeyVerifier };
 //# sourceMappingURL=node.js.map

package/dist/mainnet/node.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"node.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;;;;;;;"}
1	+ {"version":3,"file":"node.js","sources":["../../src/keys/keystore/file.ts"],"sourcesContent":["import * as fs from \"node:fs/promises\";\nimport * as fsSync from \"node:fs\";\nimport * as path from \"path\";\n\nimport { FunctionKeyPair } from \"../../models/keyPair.js\";\nimport { KeyFingerprint } from \"../verifier/interface.js\";\nimport { InvalidLocatorError } from \"./error.js\";\nimport { KeyLocator, KeyStore } from \"./interface.js\";\nimport { MemKeyVerifier } from \"../verifier/memory.js\";\nimport { ProvingKey, VerifyingKey } from \"../../wasm.js\";\n\nexport class LocalFileKeyStore implements KeyStore {\n private directory: string;\n private readonly keyVerifier = new MemKeyVerifier();\n\n /*\n Creates a new directory at the given path or CURRENTDIR/.aleo if none is provided to store keys.\n * If a custom directory is passed and its last path segment is not \".aleo\", \".aleo\" is appended\n * so keys are stored under that subdirectory (e.g. /home/project → /home/project/.aleo).\n \n @param {string} [directory] - Optional custom directory path for key storage. Defaults to \".aleo\" in current working directory.\n * @throws {Error} If directory creation fails.\n /\n constructor(directory?: string) {\n this.directory = directory ?? path.join(process.cwd(), \".aleo\");\n if (directory !== undefined && path.basename(this.directory) !== \".aleo\") {\n this.directory = path.join(this.directory, \".aleo\");\n }\n fsSync.mkdirSync(this.directory, { recursive: true });\n }\n\n /\n Validates that a locator is a safe filesystem identifier.\n \n @private\n * @param {string} locator - Unique identifier used to derive a metadata file path.\n * @throws {InvalidLocatorError} If the locator could cause path traversal.\n /\n private validateLocator(locator: string): void {\n // Reject empty and reserved names that could resolve to the directory or parent\n if (locator === \"\" \|\| locator === \".\" \|\| locator === \"..\") {\n throw new InvalidLocatorError(\n `Invalid locator: reserved or empty name \"${locator}\"`,\n locator,\n \"reserved_name\"\n );\n }\n\n // Explicitly block traversal attempts\n if (locator.includes(\"..\")) {\n throw new InvalidLocatorError(\n \"Invalid locator: path traversal detected\",\n locator,\n \"path_traversal\"\n );\n }\n\n // Block path separators and null byte\n if (locator.includes(\"/\") \|\| locator.includes(\"\\\\\") \|\| locator.includes(\"\\0\")) {\n throw new InvalidLocatorError(\n \"Invalid locator: path separator or null byte not allowed\",\n locator,\n \"path_separator\"\n );\n }\n }\n\n /\n Generates the path for a key metadata file based on the locator.\n \n @private\n * @param {string} locator - Unique identifier for the key.\n * @returns {string} Full filesystem path to the metadata file.\n /\n private metadataPath(locator: string): string {\n return path.join(this.directory, `${locator}.metadata`);\n }\n\n /\n Reads and parses the key fingerprint metadata from storage.\n \n @private\n * @param {string} locator - Unique identifier for the key.\n * @returns {Promise<KeyFingerprint \| null>} The key fingerprint if found, null if file doesn't exist.\n * @throws {Error} If file read fails for any reason other than not found.\n /\n private async readKeyMetadata(\n locator: string,\n ): Promise<KeyFingerprint \| null> {\n try {\n const data = await fs.readFile(this.metadataPath(locator), \"utf-8\");\n return JSON.parse(data) as KeyFingerprint;\n } catch (err: unknown) {\n if (\n err &&\n typeof err === \"object\" &&\n \"code\" in err &&\n err.code === \"ENOENT\"\n )\n return null;\n throw err;\n }\n }\n\n /\n Writes key fingerprint metadata to storage.\n \n @private\n * @param {string} locator - Unique identifier for the key.\n * @param {KeyFingerprint} metadata - Key fingerprint metadata to store.\n * @returns {Promise<void>}\n * @throws {Error} If directory creation or file write fails.\n /\n private async writeKeyMetadata(\n locator: string,\n metadata: KeyFingerprint,\n ): Promise<void> {\n await fs.mkdir(path.dirname(this.metadataPath(locator)), {\n recursive: true,\n });\n await fs.writeFile(\n this.metadataPath(locator),\n JSON.stringify(metadata, null, 0),\n \"utf-8\",\n );\n }\n\n private async readFileOptional(\n filepath: string,\n ): Promise<Uint8Array \| null> {\n try {\n const data = await fs.readFile(filepath);\n return new Uint8Array(data);\n } catch (err: any) {\n if (err.code === \"ENOENT\") return null;\n throw err;\n }\n }\n \n /\n Atomically writes data to a file, ensuring the parent directories exist.\n \n @private\n * @param {string} filepath - Full path to the file to write\n * @param {Uint8Array} data - Binary data to write to the file\n * @returns {Promise<void>} Resolves when write is complete\n * @throws {Error} If directory creation or file write fails\n /\n private async writeFileAtomic(\n filepath: string,\n data: Uint8Array,\n ): Promise<void> {\n const dir = path.dirname(filepath);\n await fs.mkdir(dir, { recursive: true });\n const tempPath = path.join(\n dir,\n `.${path.basename(filepath)}.${process.pid}.${Date.now()}.${Math.random().toString(16).slice(2)}.tmp`\n );\n await fs.writeFile(tempPath, data);\n try {\n await fs.rename(tempPath, filepath);\n } catch (err: unknown) {\n const code = err && typeof err === \"object\" && \"code\" in err ? (err as NodeJS.ErrnoException).code : undefined;\n // Windows often throws EEXIST when target exists; EPERM/EACCES happen with locks/AV.\n if (code === \"EEXIST\" \|\| code === \"EPERM\" \|\| code === \"EACCES\") {\n await fs.unlink(filepath).catch(() => {});\n try {\n await fs.rename(tempPath, filepath);\n } catch (err2) {\n await fs.unlink(tempPath).catch(() => {});\n throw err2;\n }\n } else {\n await fs.unlink(tempPath).catch(() => {});\n throw err;\n }\n }\n }\n\n /\n Recursively removes all files and subdirectories under the given directory, then removes the directory itself.\n * Uses fs.rm with recursive: true and force: true so that symbolic links are removed without following them,\n * avoiding deletion of content outside the keystore.\n \n @private\n * @param {string} dir - Directory path to clear\n * @returns {Promise<void>} Resolves when clearing is complete\n * @throws {Error} If directory removal fails for reasons other than non-existence\n /\n private async clearDirectory(dir: string): Promise<void> {\n try {\n await fs.rm(dir, { recursive: true, force: true });\n } catch (err: unknown) {\n const code = err && typeof err === \"object\" && \"code\" in err ? (err as NodeJS.ErrnoException).code : undefined;\n if (code === \"ENOENT\") {\n return;\n }\n throw err;\n }\n }\n\n // -------------------------------------------------------\n // KEYSTORE INTERFACE\n // -------------------------------------------------------\n\n /\n Retrieves the key bytes from storage and optionally verifies them against a fingerprint.\n \n @param {KeyLocator} locator - Object containing a locator string for the key + optional fingerprint for verification.\n * @returns {Promise<Uint8Array \| null>} The key bytes if found and verified (if fingerprint provided), null if not found.\n * @throws {KeyVerificationError} If fingerprint verification fails.\n * @example\n * const keyBytes = await getKeyBytes({\n * locator: 'transfer_private.prover.421e5a5',\n * fingerprint: { checksum: '421e5a52f01a1eeb068bbf56d15e19477ff7290e4b988d1013e15563f2b77801', size: 116746954 }\n * });\n * if (keyBytes) {\n * // Use the verified key bytes\n * }\n /\n async getKeyBytes(locator: KeyLocator): Promise<Uint8Array \| null> {\n this.validateLocator(locator.locator);\n // Attempt to read key bytes from storage (under this.directory).\n const keyBytes = await this.readFileOptional(path.join(this.directory, locator.locator));\n\n // If no key bytes were found, return null.\n if (!keyBytes) return null;\n\n // Use caller-provided fingerprint or metadata stored on disk for verification.\n const fingerprint =\n locator.fingerprint ?? (await this.getKeyMetadata(locator.locator));\n if (fingerprint) {\n await this.keyVerifier.verifyKeyBytes({\n keyBytes,\n locator: locator.locator,\n fingerprint,\n });\n }\n\n // Return the verified key bytes.\n return keyBytes;\n }\n\n /\n Retrieves and verifies a proving key from storage.\n \n @param {KeyLocator} locator - Object containing the proving key location and optional fingerprint.\n * @returns {Promise<ProvingKey \| null>} The proving key if found and verified, null if not found.\n * @throws {KeyVerificationError} If fingerprint verification fails.\n * @throws {Error} If key bytes cannot be parsed into a valid ProvingKey.\n \n @example\n * try {\n * const key = await getProvingKey({\n * locator: 'transfer_private.prover.421e5a5'\n * });\n * if (key) {\n * // Use the verified proving key\n * }\n * } catch (err) {\n * if (err instanceof KeyVerificationError) {\n * // Handle verification failure.\n * } else {\n * // Handle key parsing error.\n * }\n * }\n /\n async getProvingKey(locator: KeyLocator): Promise<ProvingKey \| null> {\n // Get the key bytes from storage.\n const proverBytes = await this.getKeyBytes(locator);\n if (!proverBytes) return null;\n\n // Attempt to parse the key bytes as a WASM ProvingKey (throws if invalid).\n return ProvingKey.fromBytes(proverBytes);\n }\n\n /\n Retrieves and verifies a verifying key from storage.\n \n @param {KeyLocator} locator - Object containing the verifying key location and optional fingerprint.\n * @returns {Promise<VerifyingKey \| null>} The verifying key if found and verified, null if not found.\n * @throws {KeyVerificationError} If fingerprint verification fails.\n * @throws {Error} If key bytes cannot be parsed into a valid VerifyingKey.\n \n @example\n * try {\n * const key = await getVerifyingKey({\n * locator: 'transfer_private.verifier.4ac2f71'\n * });\n * if (key) {\n * // Use the verified verifying key\n * }\n * } catch (err) {\n * if (err instanceof KeyVerificationError) {\n * // Handle verification failure.\n * } else {\n * // Handle key parsing error.\n * }\n * }\n /\n async getVerifyingKey(locator: KeyLocator): Promise<VerifyingKey \| null> {\n // Get the key bytes from storage.\n const verifierBytes = await this.getKeyBytes(locator);\n if (!verifierBytes) return null;\n\n // Attempt to parse the key bytes as a WASM VerifyingKey (throws if invalid).\n return VerifyingKey.fromBytes(verifierBytes);\n }\n\n /\n Stores proving and verifying keys in key storage.\n \n @param {KeyLocator} proverLocator The unique locator for the desired proving key.\n * @param {KeyLocator} verifierLocator The unique locator for the desired verifying key.\n * @param {FunctionKeyPair} keys The proving and verifying keys.\n \n @example\n * const keys = await generateKeys();\n * await setKeys(\n * { locator: 'transfer_private.prover' },\n * { locator: 'transfer_private.verifier' },\n * keys\n * );\n /\n async setKeys(\n proverLocator: KeyLocator,\n verifierLocator: KeyLocator,\n keys: FunctionKeyPair,\n ): Promise<void> {\n this.validateLocator(proverLocator.locator);\n this.validateLocator(verifierLocator.locator);\n // Convert the WASM keys to raw bytes.\n const [provingKey, verifyingKey] = keys;\n const [provingKeyBytes, verifyingKeyBytes] = [\n provingKey.toBytes(),\n verifyingKey.toBytes(),\n ];\n\n // Compute the fingerprints for the proving and verifying keys, verify against expected fingerprints if provided.\n const [proverFingerPrint, verifierFingerPrint] = await Promise.all([\n this.keyVerifier.computeKeyMetadata({\n keyBytes: provingKeyBytes,\n locator: proverLocator.locator,\n fingerprint: proverLocator.fingerprint,\n }),\n this.keyVerifier.computeKeyMetadata({\n keyBytes: verifyingKeyBytes,\n locator: verifierLocator.locator,\n fingerprint: verifierLocator.fingerprint,\n }),\n ]);\n\n // Write the proving and verifying key bytes and their metadata to storage (under this.directory).\n await this.writeFileAtomic(path.join(this.directory, proverLocator.locator), provingKeyBytes);\n await this.writeFileAtomic(path.join(this.directory, verifierLocator.locator), verifyingKeyBytes);\n await this.writeKeyMetadata(proverLocator.locator, proverFingerPrint);\n await this.writeKeyMetadata(\n verifierLocator.locator,\n verifierFingerPrint,\n );\n }\n\n /\n Store a raw proving or verifying key in storage along with its fingerprint metadata for future verification.\n \n @param {Uint8Array} keyBytes The raw proving and verifying key bytes.\n * @param {KeyLocator} locator The unique locator for the desired key pair.\n * @returns {Promise<void>}\n * @throws {Error} If computing key metadata or writing to storage fails\n \n @example\n * const keys = await generateKeys();\n * await setKeyBytes(keys.provingKey.toBytes(), { locator: 'transfer_private.prover' });\n /\n async setKeyBytes(keyBytes: Uint8Array, locator: KeyLocator): Promise<void> {\n this.validateLocator(locator.locator);\n // Compute the key metadata including fingerprint\n const computedMetadata = await this.keyVerifier.computeKeyMetadata({\n keyBytes: keyBytes,\n locator: locator.locator,\n fingerprint: locator.fingerprint,\n });\n\n // Write the key bytes and metadata atomically (key file under this.directory).\n await this.writeFileAtomic(path.join(this.directory, locator.locator), keyBytes);\n await this.writeKeyMetadata(locator.locator, computedMetadata);\n }\n\n /\n Returns stored metadata for a key, if any.\n \n @param {string} locator The unique locator for the key.\n * @returns {Promise<KeyFingerprint \| null>} The stored fingerprint metadata for that locator, or null if none exists.\n \n @example\n * const metadata = await getKeyMetadata('transfer_private.prover.421e5a5');\n * if (metadata) {\n * // Use the stored metadata.\n * }\n /\n async getKeyMetadata(locator: string): Promise<KeyFingerprint \| null> {\n this.validateLocator(locator);\n return this.readKeyMetadata(locator);\n }\n\n /\n Checks if a key exists at the specified locator path.\n \n @param {string} locator - Unique identifier for the key location.\n * @returns {Promise<boolean>} True if key exists at location, false otherwise.\n \n @example\n * const exists = await has('transfer_private.prover.421e5a5');\n * if (exists) {\n * // Key exists at location.\n * } else {\n * // Key does not exist at location.\n * }\n /\n async has(locator: string): Promise<boolean> {\n this.validateLocator(locator);\n const keyPath = path.join(this.directory, locator);\n return await fs\n .access(keyPath)\n .then(() => true)\n .catch(() => false);\n }\n\n /\n Deletes a key and its associated metadata from storage. Silently ignores errors if files don't exist.\n \n @param {string} locator - Unique identifier for the key to delete.\n * @returns {Promise<void>}\n \n @example\n * await delete('transfer_private.prover.421e5a5');\n /\n async delete(locator: string): Promise<void> {\n this.validateLocator(locator);\n const p = path.join(this.directory, locator);\n const m = this.metadataPath(locator);\n\n await fs.unlink(p).catch(() => {});\n await fs.unlink(m).catch(() => {});\n }\n\n /\n Clears the key storage directory by recursively removing all files and subdirectories under it, then removes the keystore directory itself.\n \n @returns {Promise<void>}\n * @throws {Error} If directory listing fails for reasons other than non-existence.\n \n @example\n * await clear(); // Removes all files under the keystore directory.\n */\n async clear(): Promise<void> {\n await this.clearDirectory(this.directory);\n }\n}"],"names":["fsSync"],"mappings":";;;;;;;;;;;;;;;;;MAWa,iBAAiB,CAAA;AAClB,IAAA,SAAS;AACA,IAAA,WAAW,GAAG,IAAI,cAAc,EAAE;AAEnD;;;;;;;AAOG;AACH,IAAA,WAAA,CAAY,SAAkB,EAAA;AAC1B,QAAA,IAAI,CAAC,SAAS,GAAG,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,CAAC;AAC/D,QAAA,IAAI,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,OAAO,EAAE;AACtE,YAAA,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC;QACvD;AACA,QAAAA,GAAM,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACzD;AAEA;;;;;;AAMG;AACK,IAAA,eAAe,CAAC,OAAe,EAAA;;AAEnC,QAAA,IAAI,OAAO,KAAK,EAAE,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,mBAAmB,CACzB,CAAA,yCAAA,EAA4C,OAAO,CAAA,CAAA,CAAG,EACtD,OAAO,EACP,eAAe,CAClB;QACL;;AAGA,QAAA,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;YACxB,MAAM,IAAI,mBAAmB,CACzB,0CAA0C,EAC1C,OAAO,EACP,gBAAgB,CACnB;QACL;;QAGA,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;YAC3E,MAAM,IAAI,mBAAmB,CACzB,0DAA0D,EAC1D,OAAO,EACP,gBAAgB,CACnB;QACL;IACJ;AAEA;;;;;;AAMG;AACK,IAAA,YAAY,CAAC,OAAe,EAAA;AAChC,QAAA,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAA,EAAG,OAAO,CAAA,SAAA,CAAW,CAAC;IAC3D;AAEA;;;;;;;AAOG;IACK,MAAM,eAAe,CACzB,OAAe,EAAA;AAEf,QAAA,IAAI;AACA,YAAA,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;AACnE,YAAA,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB;QAC7C;QAAE,OAAO,GAAY,EAAE;AACnB,YAAA,IACI,GAAG;gBACH,OAAO,GAAG,KAAK,QAAQ;AACvB,gBAAA,MAAM,IAAI,GAAG;gBACb,GAAG,CAAC,IAAI,KAAK,QAAQ;AAErB,gBAAA,OAAO,IAAI;AACf,YAAA,MAAM,GAAG;QACb;IACJ;AAEA;;;;;;;;AAQG;AACK,IAAA,MAAM,gBAAgB,CAC1B,OAAe,EACf,QAAwB,EAAA;AAExB,QAAA,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,EAAE;AACrD,YAAA,SAAS,EAAE,IAAI;AAClB,SAAA,CAAC;QACF,MAAM,EAAE,CAAC,SAAS,CACd,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAC1B,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EACjC,OAAO,CACV;IACL;IAEQ,MAAM,gBAAgB,CAC1B,QAAgB,EAAA;AAEhB,QAAA,IAAI;YACA,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;AACxC,YAAA,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC;QAC/B;QAAE,OAAO,GAAQ,EAAE;AACf,YAAA,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ;AAAE,gBAAA,OAAO,IAAI;AACtC,YAAA,MAAM,GAAG;QACb;IACJ;AAEA;;;;;;;;AAQG;AACK,IAAA,MAAM,eAAe,CACzB,QAAgB,EAChB,IAAgB,EAAA;QAEhB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;AAClC,QAAA,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AACxC,QAAA,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACtB,GAAG,EACH,CAAA,CAAA,EAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA,CAAA,EAAI,OAAO,CAAC,GAAG,CAAA,CAAA,EAAI,IAAI,CAAC,GAAG,EAAE,CAAA,CAAA,EAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA,IAAA,CAAM,CACxG;QACD,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC;AAClC,QAAA,IAAI;YACA,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC;QACvC;QAAE,OAAO,GAAY,EAAE;YACnB,MAAM,IAAI,GAAG,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,GAAI,GAA6B,CAAC,IAAI,GAAG,SAAS;;AAE9G,YAAA,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,QAAQ,EAAE;AAC5D,gBAAA,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAK,EAAE,CAAC,CAAC;AACzC,gBAAA,IAAI;oBACA,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC;gBACvC;gBAAE,OAAO,IAAI,EAAE;AACX,oBAAA,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAK,EAAE,CAAC,CAAC;AACzC,oBAAA,MAAM,IAAI;gBACd;YACJ;iBAAO;AACH,gBAAA,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAK,EAAE,CAAC,CAAC;AACzC,gBAAA,MAAM,GAAG;YACb;QACJ;IACJ;AAEA;;;;;;;;;AASG;IACK,MAAM,cAAc,CAAC,GAAW,EAAA;AACpC,QAAA,IAAI;AACA,YAAA,MAAM,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACtD;QAAE,OAAO,GAAY,EAAE;YACnB,MAAM,IAAI,GAAG,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,MAAM,IAAI,GAAG,GAAI,GAA6B,CAAC,IAAI,GAAG,SAAS;AAC9G,YAAA,IAAI,IAAI,KAAK,QAAQ,EAAE;gBACnB;YACJ;AACA,YAAA,MAAM,GAAG;QACb;IACJ;;;;AAMA;;;;;;;;;;;;;;AAcG;IACH,MAAM,WAAW,CAAC,OAAmB,EAAA;AACjC,QAAA,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC;;QAErC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;;AAGxF,QAAA,IAAI,CAAC,QAAQ;AAAE,YAAA,OAAO,IAAI;;AAG1B,QAAA,MAAM,WAAW,GACb,OAAO,CAAC,WAAW,KAAK,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACvE,IAAI,WAAW,EAAE;AACb,YAAA,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC;gBAClC,QAAQ;gBACR,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,WAAW;AACd,aAAA,CAAC;QACN;;AAGA,QAAA,OAAO,QAAQ;IACnB;AAEA;;;;;;;;;;;;;;;;;;;;;;;AAuBG;IACH,MAAM,aAAa,CAAC,OAAmB,EAAA;;QAEnC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC;AACnD,QAAA,IAAI,CAAC,WAAW;AAAE,YAAA,OAAO,IAAI;;AAG7B,QAAA,OAAO,UAAU,CAAC,SAAS,CAAC,WAAW,CAAC;IAC5C;AAEA;;;;;;;;;;;;;;;;;;;;;;;AAuBG;IACH,MAAM,eAAe,CAAC,OAAmB,EAAA;;QAErC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC;AACrD,QAAA,IAAI,CAAC,aAAa;AAAE,YAAA,OAAO,IAAI;;AAG/B,QAAA,OAAO,YAAY,CAAC,SAAS,CAAC,aAAa,CAAC;IAChD;AAEA;;;;;;;;;;;;;;AAcG;AACH,IAAA,MAAM,OAAO,CACT,aAAyB,EACzB,eAA2B,EAC3B,IAAqB,EAAA;AAErB,QAAA,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,OAAO,CAAC;AAC3C,QAAA,IAAI,CAAC,eAAe,CAAC,eAAe,CAAC,OAAO,CAAC;;AAE7C,QAAA,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,GAAG,IAAI;AACvC,QAAA,MAAM,CAAC,eAAe,EAAE,iBAAiB,CAAC,GAAG;YACzC,UAAU,CAAC,OAAO,EAAE;YACpB,YAAY,CAAC,OAAO,EAAE;SACzB;;QAGD,MAAM,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;AAC/D,YAAA,IAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC;AAChC,gBAAA,QAAQ,EAAE,eAAe;gBACzB,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,WAAW,EAAE,aAAa,CAAC,WAAW;aACzC,CAAC;AACF,YAAA,IAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC;AAChC,gBAAA,QAAQ,EAAE,iBAAiB;gBAC3B,OAAO,EAAE,eAAe,CAAC,OAAO;gBAChC,WAAW,EAAE,eAAe,CAAC,WAAW;aAC3C,CAAC;AACL,SAAA,CAAC;;AAGF,QAAA,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,OAAO,CAAC,EAAE,eAAe,CAAC;AAC7F,QAAA,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,OAAO,CAAC,EAAE,iBAAiB,CAAC;QACjG,MAAM,IAAI,CAAC,gBAAgB,CAAC,aAAa,CAAC,OAAO,EAAE,iBAAiB,CAAC;QACrE,MAAM,IAAI,CAAC,gBAAgB,CACvB,eAAe,CAAC,OAAO,EACvB,mBAAmB,CACtB;IACL;AAEA;;;;;;;;;;;AAWG;AACH,IAAA,MAAM,WAAW,CAAC,QAAoB,EAAE,OAAmB,EAAA;AACvD,QAAA,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC;;QAErC,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC;AAC/D,YAAA,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,WAAW,EAAE,OAAO,CAAC,WAAW;AACnC,SAAA,CAAC;;AAGF,QAAA,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC;QAChF,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,OAAO,EAAE,gBAAgB,CAAC;IAClE;AAEA;;;;;;;;;;;AAWG;IACH,MAAM,cAAc,CAAC,OAAe,EAAA;AAChC,QAAA,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC;AAC7B,QAAA,OAAO,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC;IACxC;AAEA;;;;;;;;;;;;;AAaG;IACH,MAAM,GAAG,CAAC,OAAe,EAAA;AACrB,QAAA,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC;AAC7B,QAAA,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC;AAClD,QAAA,OAAO,MAAM;aACR,MAAM,CAAC,OAAO;AACd,aAAA,IAAI,CAAC,MAAM,IAAI;AACf,aAAA,KAAK,CAAC,MAAM,KAAK,CAAC;IAC3B;AAEA;;;;;;;;AAQG;IACH,MAAM,MAAM,CAAC,OAAe,EAAA;AACxB,QAAA,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC;AAC7B,QAAA,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC;QAC5C,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC;AAEpC,QAAA,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAK,EAAE,CAAC,CAAC;AAClC,QAAA,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAK,EAAE,CAAC,CAAC;IACtC;AAEA;;;;;;;;AAQG;AACH,IAAA,MAAM,KAAK,GAAA;QACP,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC;IAC7C;AACH;;;;"}

package/dist/mainnet/program-manager.d.ts CHANGED Viewed

@@ -3,7 +3,8 @@ import { AleoNetworkClient, AleoNetworkClientOptions, ProgramImports } from "./n
 import { ImportedPrograms, ImportedVerifyingKeys } from "./models/imports.js";
 import { RecordProvider } from "./record-provider.js";
 import { RecordSearchParams } from "./models/record-provider/recordSearchParams.js";
-import { FunctionKeyPair, FunctionKeyProvider, KeySearchParams } from "./function-key-provider.js";
+import { FunctionKeyProvider, KeySearchParams } from "./keys/provider/interface.js";
+import { FunctionKeyPair } from "./models/keyPair.js";
 import { Authorization, ExecutionResponse, OfflineQuery, RecordPlaintext, PrivateKey, Program, ProvingKey, ProvingRequest, VerifyingKey, Transaction } from "./wasm.js";
 /**
  * Represents the options for deploying and upgrading a transaction in the Aleo network.
@@ -1369,7 +1370,7 @@ declare class ProgramManager {
      * import { AleoKeyProvider, getOrInitConsensusVersionTestHeights, ProgramManager, NetworkRecordProvider } from "@provablehq/sdk/mainnet.js";
      *
      * // Initialize the development consensus heights in order to work with devnode.
-     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11");
+     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12");
      *
      * // Create a new NetworkClient and RecordProvider.
      * const recordProvider = new NetworkRecordProvider(account, networkClient);
@@ -1410,7 +1411,7 @@ declare class ProgramManager {
      * import { ProgramManager, NetworkRecordProvider, getOrInitConsensusVersionTestHeights } from "@provablehq/sdk/mainnet.js";
      *
      * // Initialize the development consensus heights in order to work with a local devnode.
-     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11");
+     * getOrInitConsensusVersionTestHeights("0,1,2,3,4,5,6,7,8,9,10,11,12");
      *
      * // Create a new NetworkClient, and RecordProvider
      * const recordProvider = new NetworkRecordProvider(account, networkClient);

package/dist/mainnet/record-scanner.d.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import { RecordProvider } from "./record-provider";
 import { Field, ViewKey } from "./wasm";
 import { RecordsFilter } from "./models/record-scanner/recordsFilter";
 import { RegisterResult } from "./models/record-scanner/registrationResult.js";
+import { RevokeResult } from "./models/record-scanner/revokeResult.js";
 import { TagsResult } from "./models/record-scanner/tagsResult.js";
 import { SerialNumbersResult } from "./models/record-scanner/serialNumbersResult.js";
 import { StatusResult } from "./models/record-scanner/statusResult.js";
@@ -218,6 +219,21 @@ declare class RecordScanner implements RecordProvider {
      * @returns {Promise<RegisterResult>} `{ ok: true, data }` on success, or `{ ok: false, status, error }` on failure.
      */
     registerEncrypted(viewKey: ViewKey, startBlock: number): Promise<RegisterResult>;
+    /**
+     * Remove all local scanner state associated with the given UUID (stored uuid, viewKeys entry, account if it matches).
+     * Called after a successful revoke so the scanner does not retain view keys or account for a revoked registration.
+     */
+    private clearLocalStateForUuid;
+    /**
+     * Revoke the account registration with the record scanning service (POST /revoke). On success, also removes
+     * all local state for that UUID: the stored UUID (if it matches), the view key for that UUID, and the
+     * account (if its view key corresponds to that UUID).
+     *
+     * @param {string | Field | undefined} uuid The UUID to revoke. If omitted, uses the UUID configured on the scanner.
+     * @returns {Promise<RevokeResult>} `{ ok: true, data: { status } }` on success, or `{ ok: false, status, error }` on failure.
+     * @throws {UUIDError} When no UUID is configured and none provided, or when the UUID string is invalid.
+     */
+    revoke(uuid?: string | Field): Promise<RevokeResult>;
     /**
      * Get encrypted records from the record scanning service. This is a safe variant of /records/encrypted that returns
      * a result instead of throwing on HTTP error.

package/dist/mainnet/security.d.ts CHANGED Viewed

@@ -36,3 +36,27 @@ export declare function encryptViewKey(publicKey: string, viewKey: ViewKey): str
  * @returns {string} the encrypted view key in RFC 4648 standard Base64.
  */
 export declare function encryptRegistrationRequest(publicKey: string, viewKey: ViewKey, start: number): string;
+/**
+ * Best-effort zeroization of a byte array by overwriting all bytes with zeros.
+ * Use this to clear sensitive data (e.g., key bytes) from memory when working
+ * with Uint8Array representations of keys or other secrets.
+ *
+ * This is best-effort in JavaScript — the JIT compiler could theoretically
+ * elide the fill if the array is never read again (though current engines
+ * do not). For deterministic zeroization of key material, use
+ * `Account.destroy()` or call `.free()` on key objects (PrivateKey, ViewKey,
+ * ComputeKey, GraphKey) whose Rust Drop implementations zeroize memory
+ * before deallocation.
+ *
+ * Note: This cannot zeroize JavaScript strings, which are immutable and managed
+ * by the garbage collector. Prefer using byte array representations of sensitive
+ * data over strings whenever possible.
+ *
+ * @param {Uint8Array} bytes The byte array to zeroize
+ *
+ * @example
+ * const keyBytes = privateKey.toBytesLe();
+ * // ... use keyBytes ...
+ * zeroizeBytes(keyBytes); // Overwrite with zeros when done
+ */
+export declare function zeroizeBytes(bytes: Uint8Array): void;

package/dist/testnet/account.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { Address, ComputeKey, Field, Group, PrivateKey, Signature, ViewKey, PrivateKeyCiphertext, RecordCiphertext, RecordPlaintext } from "./wasm.js";
 interface AccountParam {
-    privateKey?: string;
+    privateKey?: string | PrivateKey;
     seed?: Uint8Array;
 }
 /**
@@ -13,6 +13,9 @@ interface AccountParam {
  * credits and other records to. This class should only be used in environments where the safety of the underlying key
  * material can be assured.
  *
+ * When an Account is no longer needed, call {@link destroy} to securely zeroize and free all sensitive key material
+ * from WASM memory. Alternatively, use `[Symbol.dispose]()` with the `using` declaration in ES2024+ environments.
+ *
  * @example
  * import { Account } from "@provablehq/sdk/testnet.js";
  *
@@ -32,12 +35,16 @@ interface AccountParam {
  *
  * // Verify a signature
  * assert(myRandomAccount.verify(hello_world, signature));
+ *
+ * // Securely destroy the account when done
+ * myRandomAccount.destroy();
  */
 export declare class Account {
     _privateKey: PrivateKey;
     _viewKey: ViewKey;
     _computeKey: ComputeKey;
     _address: Address;
+    private _destroyed;
     constructor(params?: AccountParam);
     /**
      * Attempts to create an account from a private key ciphertext
@@ -69,10 +76,14 @@ export declare class Account {
     static isValidAddress(address: string | Uint8Array): boolean;
     /**
      * Creates a PrivateKey from the provided parameters.
-     * @param {AccountParam} params The parameters containing either a private key string or a seed
+     * @param {AccountParam} params The parameters containing either a private key string, PrivateKey object, or a seed
      * @returns {PrivateKey} A PrivateKey instance derived from the provided parameters
      */
     private privateKeyFromParams;
+    /**
+     * Throws an error if this account has been destroyed.
+     */
+    private assertNotDestroyed;
     /**
      * Returns the PrivateKey associated with the account.
      * @returns {PrivateKey} The private key of the account
@@ -118,7 +129,8 @@ export declare class Account {
      */
     address(): Address;
     /**
-     * Deep clones the Account.
+     * Deep clones the Account via byte serialization of the private key,
+     * avoiding creation of immutable JS string representations of the private key.
      * @returns {Account} A new Account instance with the same private key
      *
      * @example
@@ -303,5 +315,33 @@ export declare class Account {
      * assert(account.verify(message, signature));
      */
     verify(message: Uint8Array, signature: Signature): boolean;
+    /**
+     * Securely destroys the account by zeroizing and freeing all sensitive key material
+     * from WASM memory. After calling this method, the account object should not be used.
+     *
+     * This triggers the Rust-level zeroizing Drop implementation which overwrites private key,
+     * view key, and compute key bytes with zeros in WASM linear memory before deallocation.
+     *
+     * Note: If destroy() is never called, the FinalizationRegistry (set up by wasm-bindgen)
+     * will eventually trigger cleanup via GC, but the timing is non-deterministic. For security-
+     * sensitive applications, always call destroy() explicitly when the account is no longer needed.
+     *
+     * @example
+     * const account = new Account();
+     * // ... use account ...
+     * account.destroy(); // Securely cleans up key material
+     */
+    destroy(): void;
+    /**
+     * Implements the Disposable interface for use with `using` declarations (ES2024+).
+     * Calls {@link destroy} to securely clean up key material.
+     *
+     * @example
+     * {
+     *   using account = new Account();
+     *   // ... use account ...
+     * } // account is automatically destroyed here
+     */
+    [Symbol.dispose](): void;
 }
 export {};