npm - @tatchi-xyz/sdk - Versions diffs - 0.17.0 → 0.18.0 - Mend

@tatchi-xyz/sdk 0.17.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (122) hide show

package/dist/esm/core/TatchiPasskey/emailRecovery.js CHANGED Viewed

@@ -7,6 +7,8 @@ import { EmailRecoveryPhase, EmailRecoveryStatus, init_sdkSentEvents } from "../
 import { DEFAULT_WAIT_STATUS, init_rpc } from "../types/rpc.js";
 import { init_getDeviceNumber, parseDeviceNumber } from "../WebAuthnManager/SignerWorkerManager/getDeviceNumber.js";
 import { getLoginSession, init_login } from "./login.js";
+import { EmailRecoveryPendingStore } from "../EmailRecovery/emailRecoveryPendingStore.js";
+import { init_EmailRecovery } from "../EmailRecovery/index.js";
 //#region src/core/TatchiPasskey/emailRecovery.ts
 var emailRecovery_exports = {};
@@ -52,9 +54,11 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 	init_rpc();
 	init_getDeviceNumber();
 	init_login();
+	init_EmailRecovery();
 	EmailRecoveryFlow = class {
 		context;
 		options;
+		pendingStore;
 		pending = null;
 		phase = EmailRecoveryPhase.STEP_1_PREPARATION;
 		pollingTimer;
@@ -65,6 +69,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 		constructor(context, options) {
 			this.context = context;
 			this.options = options;
+			this.pendingStore = options?.pendingStore ?? new EmailRecoveryPendingStore({ getPendingTtlMs: () => this.getConfig().pendingTtlMs });
 		}
 		setOptions(options) {
 			if (!options) return;
@@ -72,6 +77,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				...this.options || {},
 				...options
 			};
+			if (options.pendingStore) this.pendingStore = options.pendingStore;
 		}
 		emit(event) {
 			this.options?.onEvent?.(event);
@@ -90,24 +96,139 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			this.options?.onError?.(err);
 			return err;
 		}
+		async fail(step, message) {
+			const err = this.emitError(step, message);
+			await this.options?.afterCall?.(false);
+			throw err;
+		}
+		async assertValidAccountIdOrFail(step, accountId) {
+			const validation = validateNearAccountId(accountId);
+			if (!validation.valid) await this.fail(step, `Invalid NEAR account ID: ${validation.error}`);
+			return toAccountId(accountId);
+		}
+		async resolvePendingOrFail(step, args, options) {
+			const { allowErrorStatus = true, missingMessage = "No pending email recovery record found for this account", errorStatusMessage = "Pending email recovery is in an error state; please restart the flow" } = options ?? {};
+			let rec = this.pending;
+			if (!rec || rec.accountId !== args.accountId || args.nearPublicKey && rec.nearPublicKey !== args.nearPublicKey) {
+				rec = await this.loadPending(args.accountId, args.nearPublicKey);
+				this.pending = rec;
+			}
+			if (!rec) await this.fail(step, missingMessage);
+			const resolved = rec;
+			if (!allowErrorStatus && resolved.status === "error") await this.fail(step, errorStatusMessage);
+			return resolved;
+		}
 		getConfig() {
 			return getEmailRecoveryConfig(this.context.configs);
 		}
-		getPendingIndexKey(accountId) {
-			return `pendingEmailRecovery:${accountId}`;
+		toBigInt(value) {
+			if (typeof value === "bigint") return value;
+			if (typeof value === "number") return BigInt(value);
+			if (typeof value === "string" && value.length > 0) return BigInt(value);
+			return BigInt(0);
 		}
-		getPendingRecordKey(accountId, nearPublicKey) {
-			return `${this.getPendingIndexKey(accountId)}:${nearPublicKey}`;
+		computeAvailableBalance(accountView) {
+			const STORAGE_PRICE_PER_BYTE = BigInt("10000000000000000000");
+			const amount = this.toBigInt(accountView.amount);
+			const locked = this.toBigInt(accountView.locked);
+			const storageUsage = this.toBigInt(accountView.storage_usage);
+			const storageCost = storageUsage * STORAGE_PRICE_PER_BYTE;
+			const rawAvailable = amount - locked - storageCost;
+			return rawAvailable > 0 ? rawAvailable : BigInt(0);
 		}
-		async checkVerificationStatus(rec) {
+		async assertSufficientBalance(nearAccountId) {
+			const { minBalanceYocto } = this.getConfig();
+			try {
+				const accountView = await this.context.nearClient.viewAccount(nearAccountId);
+				const available = this.computeAvailableBalance(accountView);
+				if (available < BigInt(minBalanceYocto)) await this.fail(1, `This account does not have enough NEAR to finalize recovery. Available: ${available.toString()} yocto; required: ${String(minBalanceYocto)}. Please top up and try again.`);
+			} catch (e) {
+				await this.fail(1, e?.message || "Failed to fetch account balance for recovery");
+			}
+		}
+		async getCanonicalRecoveryEmailOrFail(recoveryEmail) {
+			const canonicalEmail = String(recoveryEmail || "").trim().toLowerCase();
+			if (!canonicalEmail) await this.fail(1, "Recovery email is required for email-based account recovery");
+			return canonicalEmail;
+		}
+		async getNextDeviceNumberFromContract(nearAccountId) {
+			try {
+				const { syncAuthenticatorsContractCall } = await import("../rpcCalls.js");
+				const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, nearAccountId);
+				const numbers = authenticators.map((a) => a?.authenticator?.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
+				const max = numbers.length > 0 ? Math.max(...numbers) : 0;
+				return max + 1;
+			} catch {
+				return 1;
+			}
+		}
+		async collectRecoveryCredentialOrFail(nearAccountId, deviceNumber) {
+			const confirmerText = {
+				title: this.options?.confirmerText?.title ?? "Register New Recovery Account",
+				body: this.options?.confirmerText?.body ?? "Create a recovery account and send an encrypted email to recover your account."
+			};
+			const confirm = await this.context.webAuthnManager.requestRegistrationCredentialConfirmation({
+				nearAccountId,
+				deviceNumber,
+				confirmerText,
+				confirmationConfigOverride: this.options?.confirmationConfig
+			});
+			if (!confirm.confirmed || !confirm.credential) await this.fail(2, "User cancelled email recovery TouchID confirmation");
+			return {
+				credential: confirm.credential,
+				vrfChallenge: confirm.vrfChallenge || void 0
+			};
+		}
+		async deriveRecoveryKeysOrFail(nearAccountId, deviceNumber, credential) {
+			const vrfDerivationResult = await this.context.webAuthnManager.deriveVrfKeypair({
+				credential,
+				nearAccountId
+			});
+			if (!vrfDerivationResult.success || !vrfDerivationResult.encryptedVrfKeypair) await this.fail(2, "Failed to derive VRF keypair from PRF for email recovery");
+			const nearKeyResult = await this.context.webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({
+				nearAccountId,
+				credential,
+				options: { deviceNumber }
+			});
+			if (!nearKeyResult.success || !nearKeyResult.publicKey) await this.fail(2, "Failed to derive NEAR keypair for email recovery");
+			return {
+				encryptedVrfKeypair: vrfDerivationResult.encryptedVrfKeypair,
+				serverEncryptedVrfKeypair: vrfDerivationResult.serverEncryptedVrfKeypair || null,
+				vrfPublicKey: vrfDerivationResult.vrfPublicKey,
+				nearPublicKey: nearKeyResult.publicKey
+			};
+		}
+		emitAwaitEmail(rec, mailtoUrl) {
+			this.phase = EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
+			this.emit({
+				step: 3,
+				phase: EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
+				status: EmailRecoveryStatus.PROGRESS,
+				message: "New device key created; please send the recovery email from your registered address.",
+				data: {
+					accountId: rec.accountId,
+					recoveryEmail: rec.recoveryEmail,
+					nearPublicKey: rec.nearPublicKey,
+					requestId: rec.requestId,
+					mailtoUrl
+				}
+			});
+		}
+		emitAutoLoginEvent(status, message, data) {
+			this.emit({
+				step: 5,
+				phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+				status,
+				message,
+				data
+			});
+		}
+		async checkViaDkimViewMethod(rec) {
 			const { dkimVerifierAccountId, verificationViewMethod } = this.getConfig();
 			if (!dkimVerifierAccountId) return null;
 			try {
-				const result = await this.context.nearClient.view({
-					account: dkimVerifierAccountId,
-					method: verificationViewMethod,
-					args: { request_id: rec.requestId }
-				});
+				const { getEmailRecoveryVerificationResult } = await import("../rpcCalls.js");
+				const result = await getEmailRecoveryVerificationResult(this.context.nearClient, dkimVerifierAccountId, verificationViewMethod, rec.requestId);
 				if (!result) return {
 					completed: false,
 					success: false
@@ -139,43 +260,78 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 					transactionHash: result.transaction_hash
 				};
 			} catch (err) {
-				console.warn("[EmailRecoveryFlow] get_verification_result view failed; falling back to access key polling", err);
+				console.warn("[EmailRecoveryFlow] get_verification_result view failed; will retry", err);
 				return null;
 			}
 		}
-		async loadPending(accountId, nearPublicKey) {
-			const { pendingTtlMs } = this.getConfig();
-			const indexKey = this.getPendingIndexKey(accountId);
-			const indexedNearPublicKey = await IndexedDBManager.clientDB.getAppState(indexKey);
-			const resolvedNearPublicKey = nearPublicKey ?? indexedNearPublicKey;
-			if (!resolvedNearPublicKey) return null;
-			const recordKey = this.getPendingRecordKey(accountId, resolvedNearPublicKey);
-			const record = await IndexedDBManager.clientDB.getAppState(recordKey);
-			const shouldClearIndex = indexedNearPublicKey === resolvedNearPublicKey;
-			if (!record) {
-				if (shouldClearIndex) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
-				return null;
-			}
-			if (Date.now() - record.createdAt > pendingTtlMs) {
-				await IndexedDBManager.clientDB.setAppState(recordKey, void 0).catch(() => {});
-				if (shouldClearIndex) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
-				return null;
+		buildPollingEventData(rec, details) {
+			return {
+				accountId: rec.accountId,
+				requestId: rec.requestId,
+				nearPublicKey: rec.nearPublicKey,
+				transactionHash: details.transactionHash,
+				elapsedMs: details.elapsedMs,
+				pollCount: details.pollCount
+			};
+		}
+		async sleepForPollInterval(ms) {
+			await new Promise((resolve) => {
+				this.pollIntervalResolver = resolve;
+				this.pollingTimer = setTimeout(() => {
+					this.pollIntervalResolver = void 0;
+					this.pollingTimer = void 0;
+					resolve();
+				}, ms);
+			}).finally(() => {
+				this.pollIntervalResolver = void 0;
+			});
+		}
+		async pollUntil(args) {
+			const now = args.now ?? Date.now;
+			const sleep = args.sleep ?? this.sleepForPollInterval.bind(this);
+			const startedAt = now();
+			let pollCount = 0;
+			while (!args.isCancelled()) {
+				pollCount += 1;
+				const elapsedMs$1 = now() - startedAt;
+				if (elapsedMs$1 > args.timeoutMs) return {
+					status: "timedOut",
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				const result = await args.tick({
+					elapsedMs: elapsedMs$1,
+					pollCount
+				});
+				if (result.done) return {
+					status: "completed",
+					value: result.value,
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				if (args.isCancelled()) return {
+					status: "cancelled",
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				await sleep(args.intervalMs);
 			}
-			await IndexedDBManager.clientDB.setAppState(indexKey, record.nearPublicKey).catch(() => {});
-			return record;
+			const elapsedMs = now() - startedAt;
+			return {
+				status: "cancelled",
+				elapsedMs,
+				pollCount
+			};
+		}
+		async loadPending(accountId, nearPublicKey) {
+			return this.pendingStore.get(accountId, nearPublicKey);
 		}
 		async savePending(rec) {
-			const key = this.getPendingRecordKey(rec.accountId, rec.nearPublicKey);
-			await IndexedDBManager.clientDB.setAppState(key, rec);
-			await IndexedDBManager.clientDB.setAppState(this.getPendingIndexKey(rec.accountId), rec.nearPublicKey).catch(() => {});
+			await this.pendingStore.set(rec);
 			this.pending = rec;
 		}
 		async clearPending(accountId, nearPublicKey) {
-			const indexKey = this.getPendingIndexKey(accountId);
-			const idx = await IndexedDBManager.clientDB.getAppState(indexKey).catch(() => void 0);
-			const resolvedNearPublicKey = nearPublicKey || idx || "";
-			if (resolvedNearPublicKey) await IndexedDBManager.clientDB.setAppState(this.getPendingRecordKey(accountId, resolvedNearPublicKey), void 0).catch(() => {});
-			if (!nearPublicKey || idx === nearPublicKey) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
+			await this.pendingStore.clear(accountId, nearPublicKey);
 			if (this.pending && this.pending.accountId === accountId && (!nearPublicKey || this.pending.nearPublicKey === nearPublicKey)) this.pending = null;
 		}
 		getState() {
@@ -189,48 +345,14 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err = this.emitError(3, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const nearAccountId = toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err = this.emitError(3, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			if (rec.status === "error") {
-				const err = this.emitError(3, "Pending email recovery is in an error state; please restart the flow");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			if (rec.status === "finalizing" || rec.status === "complete") {
-				const err = this.emitError(3, "Recovery email has already been processed on-chain for this request");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(3, accountId);
+			const rec = await this.resolvePendingOrFail(3, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: false });
+			if (rec.status === "finalizing" || rec.status === "complete") await this.fail(3, "Recovery email has already been processed on-chain for this request");
 			const mailtoUrl = rec.status === "awaiting-email" ? await this.buildMailtoUrlAndUpdateStatus(rec) : this.buildMailtoUrlInternal(rec);
-			this.phase = EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
-			this.emit({
-				step: 3,
-				phase: EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
-				status: EmailRecoveryStatus.PROGRESS,
-				message: "New device key created; please send the recovery email from your registered address.",
-				data: {
-					accountId: rec.accountId,
-					recoveryEmail: rec.recoveryEmail,
-					nearPublicKey: rec.nearPublicKey,
-					requestId: rec.requestId,
-					mailtoUrl
-				}
-			});
+			this.emitAwaitEmail(rec, mailtoUrl);
 			await this.options?.afterCall?.(true, void 0);
 			return mailtoUrl;
 		}
@@ -245,49 +367,10 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				status: EmailRecoveryStatus.PROGRESS,
 				message: "Preparing email recovery..."
 			});
-			const validation = validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err = this.emitError(1, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const nearAccountId = toAccountId(accountId);
-			const { minBalanceYocto } = this.getConfig();
-			const STORAGE_PRICE_PER_BYTE = BigInt("10000000000000000000");
-			try {
-				const accountView = await this.context.nearClient.viewAccount(nearAccountId);
-				const amount = BigInt(accountView.amount || "0");
-				const locked = BigInt(accountView.locked || "0");
-				const storageUsage = BigInt(accountView.storage_usage || 0);
-				const storageCost = storageUsage * STORAGE_PRICE_PER_BYTE;
-				const rawAvailable = amount - locked - storageCost;
-				const available = rawAvailable > 0 ? rawAvailable : BigInt(0);
-				if (available < BigInt(minBalanceYocto)) {
-					const err = this.emitError(1, `This account does not have enough NEAR to finalize recovery. Available: ${available.toString()} yocto; required: ${String(minBalanceYocto)}. Please top up and try again.`);
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-			} catch (e) {
-				const err = this.emitError(1, e?.message || "Failed to fetch account balance for recovery");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const canonicalEmail = String(recoveryEmail || "").trim().toLowerCase();
-			if (!canonicalEmail) {
-				const err = this.emitError(1, "Recovery email is required for email-based account recovery");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			let deviceNumber = 1;
-			try {
-				const { syncAuthenticatorsContractCall } = await import("../rpcCalls.js");
-				const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, nearAccountId);
-				const numbers = authenticators.map((a) => a?.authenticator?.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
-				const max = numbers.length > 0 ? Math.max(...numbers) : 0;
-				deviceNumber = max + 1;
-			} catch {
-				deviceNumber = 1;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(1, accountId);
+			await this.assertSufficientBalance(nearAccountId);
+			const canonicalEmail = await this.getCanonicalRecoveryEmailOrFail(recoveryEmail);
+			const deviceNumber = await this.getNextDeviceNumberFromContract(nearAccountId);
 			this.phase = EmailRecoveryPhase.STEP_2_TOUCH_ID_REGISTRATION;
 			this.emit({
 				step: 2,
@@ -296,69 +379,24 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				message: "Collecting passkey for email recovery..."
 			});
 			try {
-				const confirmerText = {
-					title: this.options?.confirmerText?.title ?? "Register New Recovery Account",
-					body: this.options?.confirmerText?.body ?? "Create a recovery account and send an encrypted email to recover your account."
-				};
-				const confirm = await this.context.webAuthnManager.requestRegistrationCredentialConfirmation({
-					nearAccountId,
-					deviceNumber,
-					confirmerText,
-					confirmationConfigOverride: this.options?.confirmationConfig
-				});
-				if (!confirm.confirmed || !confirm.credential) {
-					const err = this.emitError(2, "User cancelled email recovery TouchID confirmation");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				const vrfDerivationResult = await this.context.webAuthnManager.deriveVrfKeypair({
-					credential: confirm.credential,
-					nearAccountId
-				});
-				if (!vrfDerivationResult.success || !vrfDerivationResult.encryptedVrfKeypair) {
-					const err = this.emitError(2, "Failed to derive VRF keypair from PRF for email recovery");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				const nearKeyResult = await this.context.webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({
-					nearAccountId,
-					credential: confirm.credential,
-					options: { deviceNumber }
-				});
-				if (!nearKeyResult.success || !nearKeyResult.publicKey) {
-					const err = this.emitError(2, "Failed to derive NEAR keypair for email recovery");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
+				const confirm = await this.collectRecoveryCredentialOrFail(nearAccountId, deviceNumber);
+				const derivedKeys = await this.deriveRecoveryKeysOrFail(nearAccountId, deviceNumber, confirm.credential);
 				const rec = {
 					accountId: nearAccountId,
 					recoveryEmail: canonicalEmail,
 					deviceNumber,
-					nearPublicKey: nearKeyResult.publicKey,
+					nearPublicKey: derivedKeys.nearPublicKey,
 					requestId: generateEmailRecoveryRequestId(),
-					encryptedVrfKeypair: vrfDerivationResult.encryptedVrfKeypair,
-					serverEncryptedVrfKeypair: vrfDerivationResult.serverEncryptedVrfKeypair || null,
-					vrfPublicKey: vrfDerivationResult.vrfPublicKey,
+					encryptedVrfKeypair: derivedKeys.encryptedVrfKeypair,
+					serverEncryptedVrfKeypair: derivedKeys.serverEncryptedVrfKeypair,
+					vrfPublicKey: derivedKeys.vrfPublicKey,
 					credential: confirm.credential,
 					vrfChallenge: confirm.vrfChallenge || void 0,
 					createdAt: Date.now(),
 					status: "awaiting-email"
 				};
 				const mailtoUrl = await this.buildMailtoUrlAndUpdateStatus(rec);
-				this.phase = EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
-				this.emit({
-					step: 3,
-					phase: EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
-					status: EmailRecoveryStatus.PROGRESS,
-					message: "New device key created; please send the recovery email from your registered address.",
-					data: {
-						accountId: rec.accountId,
-						recoveryEmail: rec.recoveryEmail,
-						nearPublicKey: rec.nearPublicKey,
-						requestId: rec.requestId,
-						mailtoUrl
-					}
-				});
+				this.emitAwaitEmail(rec, mailtoUrl);
 				await this.options?.afterCall?.(true, void 0);
 				return {
 					mailtoUrl,
@@ -386,28 +424,11 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err = this.emitError(4, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const nearAccountId = toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err = this.emitError(4, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			if (rec.status === "error") {
-				const err = this.emitError(4, "Pending email recovery is in an error state; please restart the flow");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(4, accountId);
+			const rec = await this.resolvePendingOrFail(4, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: false });
 			if (rec.status === "complete" || rec.status === "finalizing") {
 				await this.options?.afterCall?.(true, void 0);
 				return;
@@ -447,23 +468,11 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err = this.emitError(4, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const nearAccountId = toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err = this.emitError(4, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(4, accountId);
+			const rec = await this.resolvePendingOrFail(4, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: true });
 			this.emit({
 				step: 0,
 				phase: EmailRecoveryPhase.RESUMED_FROM_PENDING,
@@ -499,245 +508,242 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			}
 			this.phase = EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT;
 			this.pollingStartedAt = Date.now();
-			let pollCount = 0;
-			while (!this.cancelled) {
-				pollCount += 1;
-				const elapsed = Date.now() - (this.pollingStartedAt || 0);
-				if (elapsed > maxPollingDurationMs) {
-					const err$1 = this.emitError(4, "Timed out waiting for recovery email to be processed on-chain");
+			const pollResult = await this.pollUntil({
+				intervalMs: pollingIntervalMs,
+				timeoutMs: maxPollingDurationMs,
+				isCancelled: () => this.cancelled,
+				tick: async ({ elapsedMs, pollCount }) => {
+					const verification = await this.checkViaDkimViewMethod(rec);
+					const completed = verification?.completed === true;
+					const success = verification?.success === true;
+					this.emit({
+						step: 4,
+						phase: EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT,
+						status: EmailRecoveryStatus.PROGRESS,
+						message: completed && success ? `Email verified for request ${rec.requestId}; finalizing registration` : `Waiting for email verification for request ${rec.requestId}`,
+						data: this.buildPollingEventData(rec, {
+							transactionHash: verification?.transactionHash,
+							elapsedMs,
+							pollCount
+						})
+					});
+					if (!completed) return { done: false };
+					if (!success) return {
+						done: true,
+						value: {
+							outcome: "failed",
+							errorMessage: verification?.errorMessage || "Email verification failed"
+						}
+					};
+					return {
+						done: true,
+						value: { outcome: "verified" }
+					};
+				}
+			});
+			if (pollResult.status === "completed") {
+				if (pollResult.value.outcome === "failed") {
+					const err$1 = this.emitError(4, pollResult.value.errorMessage);
 					rec.status = "error";
 					await this.savePending(rec);
 					await this.options?.afterCall?.(false);
 					throw err$1;
 				}
-				const verification = await this.checkVerificationStatus(rec);
-				const completed = verification?.completed === true;
-				const success = verification?.success === true;
-				this.emit({
-					step: 4,
-					phase: EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT,
-					status: EmailRecoveryStatus.PROGRESS,
-					message: completed && success ? `Email verified for request ${rec.requestId}; finalizing registration` : `Waiting for email verification for request ${rec.requestId}`,
-					data: {
-						accountId: rec.accountId,
-						requestId: rec.requestId,
-						nearPublicKey: rec.nearPublicKey,
-						transactionHash: verification?.transactionHash,
-						elapsedMs: elapsed,
-						pollCount
-					}
-				});
-				if (completed) {
-					if (!success) {
-						const err$1 = this.emitError(4, verification?.errorMessage || "Email verification failed");
-						rec.status = "error";
-						await this.savePending(rec);
-						await this.options?.afterCall?.(false);
-						throw err$1;
-					}
-					rec.status = "finalizing";
-					await this.savePending(rec);
-					return;
-				}
-				if (this.cancelled) break;
-				await new Promise((resolve) => {
-					this.pollIntervalResolver = resolve;
-					this.pollingTimer = setTimeout(() => {
-						this.pollIntervalResolver = void 0;
-						this.pollingTimer = void 0;
-						resolve();
-					}, pollingIntervalMs);
-				}).finally(() => {
-					this.pollIntervalResolver = void 0;
-				});
+				rec.status = "finalizing";
+				await this.savePending(rec);
+				return;
+			}
+			if (pollResult.status === "timedOut") {
+				const err$1 = this.emitError(4, "Timed out waiting for recovery email to be processed on-chain");
+				rec.status = "error";
+				await this.savePending(rec);
+				await this.options?.afterCall?.(false);
+				throw err$1;
 			}
 			const err = this.emitError(4, "Email recovery polling was cancelled");
 			await this.options?.afterCall?.(false);
 			throw err;
 		}
-		async finalizeRegistration(rec) {
-			this.phase = EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION;
-			this.emit({
-				step: 5,
-				phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-				status: EmailRecoveryStatus.PROGRESS,
-				message: "Finalizing email recovery registration...",
-				data: {
-					accountId: rec.accountId,
-					nearPublicKey: rec.nearPublicKey
-				}
-			});
+		initializeNonceManager(rec) {
 			const nonceManager = this.context.webAuthnManager.getNonceManager();
 			const accountId = toAccountId(rec.accountId);
 			nonceManager.initializeUser(accountId, rec.nearPublicKey);
+			return {
+				nonceManager,
+				accountId
+			};
+		}
+		async signRegistrationTx(rec, accountId) {
+			const vrfChallenge = rec.vrfChallenge;
+			if (!vrfChallenge) return this.fail(5, "Missing VRF challenge for email recovery registration");
+			const registrationResult = await this.context.webAuthnManager.signDevice2RegistrationWithStoredKey({
+				nearAccountId: accountId,
+				credential: rec.credential,
+				vrfChallenge,
+				deterministicVrfPublicKey: rec.vrfPublicKey,
+				deviceNumber: rec.deviceNumber
+			});
+			if (!registrationResult.success || !registrationResult.signedTransaction) await this.fail(5, registrationResult.error || "Failed to sign email recovery registration transaction");
+			return registrationResult.signedTransaction;
+		}
+		async broadcastRegistrationTxAndWaitFinal(rec, signedTx) {
 			try {
-				if (!rec.vrfChallenge) {
-					const err = this.emitError(5, "Missing VRF challenge for email recovery registration");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				const registrationResult = await this.context.webAuthnManager.signDevice2RegistrationWithStoredKey({
-					nearAccountId: accountId,
-					credential: rec.credential,
-					vrfChallenge: rec.vrfChallenge,
-					deterministicVrfPublicKey: rec.vrfPublicKey,
-					deviceNumber: rec.deviceNumber
-				});
-				if (!registrationResult.success || !registrationResult.signedTransaction) {
-					const err = this.emitError(5, registrationResult.error || "Failed to sign email recovery registration transaction");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				const signedTx = registrationResult.signedTransaction;
+				const txResult = await this.context.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.linkDeviceRegistration);
 				try {
-					const txResult = await this.context.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.linkDeviceRegistration);
-					try {
-						const txHash = txResult?.transaction?.hash || txResult?.transaction_hash;
-						if (txHash) {
-							this.emit({
-								step: 5,
-								phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-								status: EmailRecoveryStatus.PROGRESS,
-								message: "Registration transaction confirmed",
-								data: {
-									accountId: rec.accountId,
-									nearPublicKey: rec.nearPublicKey,
-									transactionHash: txHash
-								}
-							});
-							try {
-								await IndexedDBManager.clientDB.storeWebAuthnUserData({
-									nearAccountId: accountId,
-									deviceNumber: rec.deviceNumber,
-									clientNearPublicKey: rec.nearPublicKey,
-									passkeyCredential: {
-										id: rec.credential.id,
-										rawId: rec.credential.rawId
-									},
-									encryptedVrfKeypair: rec.encryptedVrfKeypair,
-									serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
-								});
-								const { syncAuthenticatorsContractCall } = await import("../rpcCalls.js");
-								const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, accountId);
-								const mappedAuthenticators = authenticators.map(({ authenticator }) => ({
-									credentialId: authenticator.credentialId,
-									credentialPublicKey: authenticator.credentialPublicKey,
-									transports: authenticator.transports,
-									name: authenticator.name,
-									registered: authenticator.registered.toISOString(),
-									vrfPublicKey: authenticator.vrfPublicKeys?.[0] || "",
-									deviceNumber: authenticator.deviceNumber
-								}));
-								await IndexedDBManager.clientDB.syncAuthenticatorsFromContract(accountId, mappedAuthenticators);
-								await IndexedDBManager.clientDB.setLastUser(accountId, rec.deviceNumber);
-							} catch (syncErr) {
-								console.warn("[EmailRecoveryFlow] Failed to sync authenticators after recovery:", syncErr);
-							}
+					const txHash = txResult?.transaction?.hash || txResult?.transaction_hash;
+					if (txHash) this.emit({
+						step: 5,
+						phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+						status: EmailRecoveryStatus.PROGRESS,
+						message: "Registration transaction confirmed",
+						data: {
+							accountId: rec.accountId,
+							nearPublicKey: rec.nearPublicKey,
+							transactionHash: txHash
 						}
-					} catch {}
-				} catch (e) {
-					const msg = String(e?.message || "");
-					const err = this.emitError(5, msg || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				try {
-					const txNonce = signedTx.transaction?.nonce;
-					if (txNonce != null) await nonceManager.updateNonceFromBlockchain(this.context.nearClient, String(txNonce));
+					});
+					return txHash;
 				} catch {}
-				const { webAuthnManager } = this.context;
-				await webAuthnManager.storeUserData({
+			} catch (e) {
+				const msg = String(e?.message || "");
+				await this.fail(5, msg || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)");
+			}
+			return void 0;
+		}
+		async persistRecoveredUserRecordBestEffort(rec, accountId) {
+			try {
+				await IndexedDBManager.clientDB.storeWebAuthnUserData({
 					nearAccountId: accountId,
 					deviceNumber: rec.deviceNumber,
 					clientNearPublicKey: rec.nearPublicKey,
-					lastUpdated: Date.now(),
 					passkeyCredential: {
 						id: rec.credential.id,
 						rawId: rec.credential.rawId
 					},
-					encryptedVrfKeypair: {
-						encryptedVrfDataB64u: rec.encryptedVrfKeypair.encryptedVrfDataB64u,
-						chacha20NonceB64u: rec.encryptedVrfKeypair.chacha20NonceB64u
-					},
+					encryptedVrfKeypair: rec.encryptedVrfKeypair,
 					serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
 				});
-				try {
-					const attestationB64u = rec.credential.response.attestationObject;
-					const credentialPublicKey = await webAuthnManager.extractCosePublicKey(attestationB64u);
-					await webAuthnManager.storeAuthenticator({
-						nearAccountId: accountId,
-						deviceNumber: rec.deviceNumber,
-						credentialId: rec.credential.rawId,
-						credentialPublicKey,
-						transports: ["internal"],
-						name: `Device ${rec.deviceNumber} Passkey for ${rec.accountId.split(".")[0]}`,
-						registered: (/* @__PURE__ */ new Date()).toISOString(),
-						syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
-						vrfPublicKey: rec.vrfPublicKey
-					});
-				} catch {}
-				await this.attemptAutoLogin(rec);
-				rec.status = "complete";
-				await this.savePending(rec);
-				await this.clearPending(rec.accountId, rec.nearPublicKey);
-				this.phase = EmailRecoveryPhase.STEP_6_COMPLETE;
-				this.emit({
-					step: 6,
-					phase: EmailRecoveryPhase.STEP_6_COMPLETE,
-					status: EmailRecoveryStatus.SUCCESS,
-					message: "Email recovery completed successfully",
-					data: {
-						accountId: rec.accountId,
-						nearPublicKey: rec.nearPublicKey
-					}
-				});
-			} catch (e) {
-				const err = this.emitError(5, e?.message || "Email recovery finalization failed");
-				await this.options?.afterCall?.(false);
-				throw err;
+				return true;
+			} catch (err) {
+				console.warn("[EmailRecoveryFlow] Failed to store recovery user record:", err);
+				return false;
 			}
 		}
-		async attemptAutoLogin(rec) {
+		mapAuthenticatorsFromContract(authenticators) {
+			return authenticators.map(({ authenticator }) => ({
+				credentialId: authenticator.credentialId,
+				credentialPublicKey: authenticator.credentialPublicKey,
+				transports: authenticator.transports,
+				name: authenticator.name,
+				registered: authenticator.registered.toISOString(),
+				vrfPublicKey: authenticator.vrfPublicKeys?.[0] || "",
+				deviceNumber: authenticator.deviceNumber
+			}));
+		}
+		async syncAuthenticatorsBestEffort(accountId) {
 			try {
-				this.emit({
-					step: 5,
-					phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: EmailRecoveryStatus.PROGRESS,
-					message: "Attempting auto-login with recovered device...",
-					data: { autoLogin: "progress" }
+				const { syncAuthenticatorsContractCall } = await import("../rpcCalls.js");
+				const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, accountId);
+				const mappedAuthenticators = this.mapAuthenticatorsFromContract(authenticators);
+				await IndexedDBManager.clientDB.syncAuthenticatorsFromContract(accountId, mappedAuthenticators);
+				return true;
+			} catch (err) {
+				console.warn("[EmailRecoveryFlow] Failed to sync authenticators after recovery:", err);
+				return false;
+			}
+		}
+		async setLastUserBestEffort(accountId, deviceNumber) {
+			try {
+				await IndexedDBManager.clientDB.setLastUser(accountId, deviceNumber);
+				return true;
+			} catch (err) {
+				console.warn("[EmailRecoveryFlow] Failed to set last user after recovery:", err);
+				return false;
+			}
+		}
+		async updateNonceBestEffort(nonceManager, signedTx) {
+			try {
+				const txNonce = signedTx.transaction?.nonce;
+				if (txNonce != null) await nonceManager.updateNonceFromBlockchain(this.context.nearClient, String(txNonce));
+			} catch {}
+		}
+		async persistRecoveredUserData(rec, accountId) {
+			const { webAuthnManager } = this.context;
+			const payload = {
+				nearAccountId: accountId,
+				deviceNumber: rec.deviceNumber,
+				clientNearPublicKey: rec.nearPublicKey,
+				lastUpdated: Date.now(),
+				passkeyCredential: {
+					id: rec.credential.id,
+					rawId: rec.credential.rawId
+				},
+				encryptedVrfKeypair: {
+					encryptedVrfDataB64u: rec.encryptedVrfKeypair.encryptedVrfDataB64u,
+					chacha20NonceB64u: rec.encryptedVrfKeypair.chacha20NonceB64u
+				},
+				serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
+			};
+			await webAuthnManager.storeUserData(payload);
+		}
+		async persistAuthenticatorBestEffort(rec, accountId) {
+			try {
+				const { webAuthnManager } = this.context;
+				const attestationB64u = rec.credential.response.attestationObject;
+				const credentialPublicKey = await webAuthnManager.extractCosePublicKey(attestationB64u);
+				await webAuthnManager.storeAuthenticator({
+					nearAccountId: accountId,
+					deviceNumber: rec.deviceNumber,
+					credentialId: rec.credential.rawId,
+					credentialPublicKey,
+					transports: ["internal"],
+					name: `Device ${rec.deviceNumber} Passkey for ${rec.accountId.split(".")[0]}`,
+					registered: (/* @__PURE__ */ new Date()).toISOString(),
+					syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
+					vrfPublicKey: rec.vrfPublicKey
 				});
+			} catch {}
+		}
+		async markCompleteAndClearPending(rec) {
+			rec.status = "complete";
+			await this.savePending(rec);
+			await this.clearPending(rec.accountId, rec.nearPublicKey);
+		}
+		async assertVrfActiveForAccount(accountId, message) {
+			const vrfStatus = await this.context.webAuthnManager.checkVrfStatus();
+			const vrfActiveForAccount = vrfStatus.active && vrfStatus.nearAccountId && String(vrfStatus.nearAccountId) === String(accountId);
+			if (!vrfActiveForAccount) throw new Error(message);
+		}
+		async finalizeLocalLoginState(accountId, deviceNumber) {
+			const { webAuthnManager } = this.context;
+			await webAuthnManager.setLastUser(accountId, deviceNumber);
+			await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
+			try {
+				await getLoginSession(this.context, accountId);
+			} catch {}
+		}
+		async tryShamirUnlock(rec, accountId, deviceNumber) {
+			if (!rec.serverEncryptedVrfKeypair || !rec.serverEncryptedVrfKeypair.serverKeyId || !this.context.configs.vrfWorkerConfigs?.shamir3pass?.relayServerUrl) return false;
+			try {
+				const { webAuthnManager } = this.context;
+				const unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({
+					nearAccountId: accountId,
+					kek_s_b64u: rec.serverEncryptedVrfKeypair.kek_s_b64u,
+					ciphertextVrfB64u: rec.serverEncryptedVrfKeypair.ciphertextVrfB64u,
+					serverKeyId: rec.serverEncryptedVrfKeypair.serverKeyId
+				});
+				if (!unlockResult.success) return false;
+				await this.assertVrfActiveForAccount(accountId, "VRF session inactive after Shamir3Pass unlock");
+				await this.finalizeLocalLoginState(accountId, deviceNumber);
+				return true;
+			} catch (err) {
+				console.warn("[EmailRecoveryFlow] Shamir 3-pass unlock failed, falling back to TouchID", err);
+				return false;
+			}
+		}
+		async tryTouchIdUnlock(rec, accountId, deviceNumber) {
+			try {
 				const { webAuthnManager } = this.context;
-				const accountId = toAccountId(rec.accountId);
-				const deviceNumber = parseDeviceNumber(rec.deviceNumber, { min: 1 });
-				if (deviceNumber === null) throw new Error(`Invalid deviceNumber for auto-login: ${String(rec.deviceNumber)}`);
-				if (rec.serverEncryptedVrfKeypair && rec.serverEncryptedVrfKeypair.serverKeyId && this.context.configs.vrfWorkerConfigs?.shamir3pass?.relayServerUrl) try {
-					const unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({
-						nearAccountId: accountId,
-						kek_s_b64u: rec.serverEncryptedVrfKeypair.kek_s_b64u,
-						ciphertextVrfB64u: rec.serverEncryptedVrfKeypair.ciphertextVrfB64u,
-						serverKeyId: rec.serverEncryptedVrfKeypair.serverKeyId
-					});
-					if (unlockResult.success) {
-						const vrfStatus$1 = await webAuthnManager.checkVrfStatus();
-						const vrfActiveForAccount$1 = vrfStatus$1.active && vrfStatus$1.nearAccountId && String(vrfStatus$1.nearAccountId) === String(accountId);
-						if (!vrfActiveForAccount$1) throw new Error("VRF session inactive after Shamir3Pass unlock");
-						await webAuthnManager.setLastUser(accountId, deviceNumber);
-						await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
-						try {
-							await getLoginSession(this.context, accountId);
-						} catch {}
-						this.emit({
-							step: 5,
-							phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-							status: EmailRecoveryStatus.SUCCESS,
-							message: `Welcome ${accountId}`,
-							data: { autoLogin: "success" }
-						});
-						return;
-					}
-				} catch (err) {
-					console.warn("[EmailRecoveryFlow] Shamir 3-pass unlock failed, falling back to TouchID", err);
-				}
 				const authChallenge = createRandomVRFChallenge();
 				const storedCredentialId = String(rec.credential?.rawId || rec.credential?.id || "").trim();
 				const credentialIds = storedCredentialId ? [storedCredentialId] : [];
@@ -747,43 +753,108 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 					challenge: authChallenge,
 					credentialIds: credentialIds.length > 0 ? credentialIds : authenticators.map((a) => a.credentialId)
 				});
-				if (storedCredentialId && authCredential.rawId !== storedCredentialId) throw new Error("Wrong passkey selected during recovery auto-login; please use the newly recovered passkey.");
+				if (storedCredentialId && authCredential.rawId !== storedCredentialId) return {
+					success: false,
+					reason: "Wrong passkey selected during recovery auto-login; please use the newly recovered passkey."
+				};
 				const vrfUnlockResult = await webAuthnManager.unlockVRFKeypair({
 					nearAccountId: accountId,
 					encryptedVrfKeypair: rec.encryptedVrfKeypair,
 					credential: authCredential
 				});
-				if (!vrfUnlockResult.success) throw new Error(vrfUnlockResult.error || "VRF unlock failed during auto-login");
-				const vrfStatus = await webAuthnManager.checkVrfStatus();
-				const vrfActiveForAccount = vrfStatus.active && vrfStatus.nearAccountId && String(vrfStatus.nearAccountId) === String(accountId);
-				if (!vrfActiveForAccount) throw new Error("VRF session inactive after TouchID unlock");
-				await webAuthnManager.setLastUser(accountId, deviceNumber);
-				await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
-				try {
-					await getLoginSession(this.context, accountId);
-				} catch {}
-				this.emit({
-					step: 5,
-					phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: EmailRecoveryStatus.SUCCESS,
-					message: `Welcome ${accountId}`,
-					data: { autoLogin: "success" }
-				});
+				if (!vrfUnlockResult.success) return {
+					success: false,
+					reason: vrfUnlockResult.error || "VRF unlock failed during auto-login"
+				};
+				await this.assertVrfActiveForAccount(accountId, "VRF session inactive after TouchID unlock");
+				await this.finalizeLocalLoginState(accountId, deviceNumber);
+				return { success: true };
 			} catch (err) {
-				console.warn("[EmailRecoveryFlow] Auto-login failed after recovery", err);
-				try {
-					await this.context.webAuthnManager.clearVrfSession();
-				} catch {}
+				return {
+					success: false,
+					reason: err?.message || String(err)
+				};
+			}
+		}
+		async handleAutoLoginFailure(reason, err) {
+			console.warn("[EmailRecoveryFlow] Auto-login failed after recovery", err ?? reason);
+			try {
+				await this.context.webAuthnManager.clearVrfSession();
+			} catch {}
+			return {
+				success: false,
+				reason
+			};
+		}
+		async finalizeRegistration(rec) {
+			this.phase = EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION;
+			this.emit({
+				step: 5,
+				phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+				status: EmailRecoveryStatus.PROGRESS,
+				message: "Finalizing email recovery registration...",
+				data: {
+					accountId: rec.accountId,
+					nearPublicKey: rec.nearPublicKey
+				}
+			});
+			try {
+				const { nonceManager, accountId } = this.initializeNonceManager(rec);
+				const signedTx = await this.signRegistrationTx(rec, accountId);
+				const txHash = await this.broadcastRegistrationTxAndWaitFinal(rec, signedTx);
+				if (txHash) {
+					const storedUser = await this.persistRecoveredUserRecordBestEffort(rec, accountId);
+					if (storedUser) {
+						const syncedAuthenticators = await this.syncAuthenticatorsBestEffort(accountId);
+						if (syncedAuthenticators) await this.setLastUserBestEffort(accountId, rec.deviceNumber);
+					}
+				}
+				await this.updateNonceBestEffort(nonceManager, signedTx);
+				await this.persistRecoveredUserData(rec, accountId);
+				await this.persistAuthenticatorBestEffort(rec, accountId);
+				this.emitAutoLoginEvent(EmailRecoveryStatus.PROGRESS, "Attempting auto-login with recovered device...", { autoLogin: "progress" });
+				const autoLoginResult = await this.attemptAutoLogin(rec);
+				if (autoLoginResult.success) this.emitAutoLoginEvent(EmailRecoveryStatus.SUCCESS, `Welcome ${accountId}`, { autoLogin: "success" });
+				else this.emitAutoLoginEvent(EmailRecoveryStatus.ERROR, "Auto-login failed; please log in manually on this device.", {
+					error: autoLoginResult.reason,
+					autoLogin: "error"
+				});
+				await this.markCompleteAndClearPending(rec);
+				this.phase = EmailRecoveryPhase.STEP_6_COMPLETE;
 				this.emit({
-					step: 5,
-					phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: EmailRecoveryStatus.ERROR,
-					message: "Auto-login failed; please log in manually on this device.",
+					step: 6,
+					phase: EmailRecoveryPhase.STEP_6_COMPLETE,
+					status: EmailRecoveryStatus.SUCCESS,
+					message: "Email recovery completed successfully",
 					data: {
-						error: err?.message || String(err),
-						autoLogin: "error"
+						accountId: rec.accountId,
+						nearPublicKey: rec.nearPublicKey
 					}
 				});
+			} catch (e) {
+				const err = this.emitError(5, e?.message || "Email recovery finalization failed");
+				await this.options?.afterCall?.(false);
+				throw err;
+			}
+		}
+		async attemptAutoLogin(rec) {
+			try {
+				const accountId = toAccountId(rec.accountId);
+				const deviceNumber = parseDeviceNumber(rec.deviceNumber, { min: 1 });
+				if (deviceNumber === null) return this.handleAutoLoginFailure(`Invalid deviceNumber for auto-login: ${String(rec.deviceNumber)}`);
+				const shamirUnlocked = await this.tryShamirUnlock(rec, accountId, deviceNumber);
+				if (shamirUnlocked) return {
+					success: true,
+					method: "shamir"
+				};
+				const touchIdResult = await this.tryTouchIdUnlock(rec, accountId, deviceNumber);
+				if (touchIdResult.success) return {
+					success: true,
+					method: "touchid"
+				};
+				return this.handleAutoLoginFailure(touchIdResult.reason || "Auto-login failed");
+			} catch (err) {
+				return this.handleAutoLoginFailure(err?.message || String(err), err);
 			}
 		}
 	};