@tatchi-xyz/sdk 0.17.0 → 0.18.0

package/dist/cjs/core/TatchiPasskey/emailRecovery.js

@@ -7,6 +7,8 @@ const require_sdkSentEvents = require('../types/sdkSentEvents.js');
 const require_rpc = require('../types/rpc.js');
 const require_getDeviceNumber = require('../WebAuthnManager/SignerWorkerManager/getDeviceNumber.js');
 const require_login = require('./login.js');
+const require_emailRecoveryPendingStore = require('../EmailRecovery/emailRecoveryPendingStore.js');
+const require_index$1 = require('../EmailRecovery/index.js');
 
 //#region src/core/TatchiPasskey/emailRecovery.ts
 var emailRecovery_exports = {};
@@ -52,9 +54,11 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 	require_rpc.init_rpc();
 	require_getDeviceNumber.init_getDeviceNumber();
 	require_login.init_login();
+	require_index$1.init_EmailRecovery();
 	EmailRecoveryFlow = class {
 		context;
 		options;
+		pendingStore;
 		pending = null;
 		phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_1_PREPARATION;
 		pollingTimer;
@@ -65,6 +69,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 		constructor(context, options) {
 			this.context = context;
 			this.options = options;
+			this.pendingStore = options?.pendingStore ?? new require_emailRecoveryPendingStore.EmailRecoveryPendingStore({ getPendingTtlMs: () => this.getConfig().pendingTtlMs });
 		}
 		setOptions(options) {
 			if (!options) return;
@@ -72,6 +77,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 				...this.options || {},
 				...options
 			};
+			if (options.pendingStore) this.pendingStore = options.pendingStore;
 		}
 		emit(event) {
 			this.options?.onEvent?.(event);
@@ -90,24 +96,139 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			this.options?.onError?.(err);
 			return err;
 		}
+		async fail(step, message) {
+			const err = this.emitError(step, message);
+			await this.options?.afterCall?.(false);
+			throw err;
+		}
+		async assertValidAccountIdOrFail(step, accountId) {
+			const validation = require_validation.validateNearAccountId(accountId);
+			if (!validation.valid) await this.fail(step, `Invalid NEAR account ID: ${validation.error}`);
+			return require_accountIds.toAccountId(accountId);
+		}
+		async resolvePendingOrFail(step, args, options) {
+			const { allowErrorStatus = true, missingMessage = "No pending email recovery record found for this account", errorStatusMessage = "Pending email recovery is in an error state; please restart the flow" } = options ?? {};
+			let rec = this.pending;
+			if (!rec || rec.accountId !== args.accountId || args.nearPublicKey && rec.nearPublicKey !== args.nearPublicKey) {
+				rec = await this.loadPending(args.accountId, args.nearPublicKey);
+				this.pending = rec;
+			}
+			if (!rec) await this.fail(step, missingMessage);
+			const resolved = rec;
+			if (!allowErrorStatus && resolved.status === "error") await this.fail(step, errorStatusMessage);
+			return resolved;
+		}
 		getConfig() {
 			return getEmailRecoveryConfig(this.context.configs);
 		}
-		getPendingIndexKey(accountId) {
-			return `pendingEmailRecovery:${accountId}`;
+		toBigInt(value) {
+			if (typeof value === "bigint") return value;
+			if (typeof value === "number") return BigInt(value);
+			if (typeof value === "string" && value.length > 0) return BigInt(value);
+			return BigInt(0);
 		}
-		getPendingRecordKey(accountId, nearPublicKey) {
-			return `${this.getPendingIndexKey(accountId)}:${nearPublicKey}`;
+		computeAvailableBalance(accountView) {
+			const STORAGE_PRICE_PER_BYTE = BigInt("10000000000000000000");
+			const amount = this.toBigInt(accountView.amount);
+			const locked = this.toBigInt(accountView.locked);
+			const storageUsage = this.toBigInt(accountView.storage_usage);
+			const storageCost = storageUsage * STORAGE_PRICE_PER_BYTE;
+			const rawAvailable = amount - locked - storageCost;
+			return rawAvailable > 0 ? rawAvailable : BigInt(0);
 		}
-		async checkVerificationStatus(rec) {
+		async assertSufficientBalance(nearAccountId) {
+			const { minBalanceYocto } = this.getConfig();
+			try {
+				const accountView = await this.context.nearClient.viewAccount(nearAccountId);
+				const available = this.computeAvailableBalance(accountView);
+				if (available < BigInt(minBalanceYocto)) await this.fail(1, `This account does not have enough NEAR to finalize recovery. Available: ${available.toString()} yocto; required: ${String(minBalanceYocto)}. Please top up and try again.`);
+			} catch (e) {
+				await this.fail(1, e?.message || "Failed to fetch account balance for recovery");
+			}
+		}
+		async getCanonicalRecoveryEmailOrFail(recoveryEmail) {
+			const canonicalEmail = String(recoveryEmail || "").trim().toLowerCase();
+			if (!canonicalEmail) await this.fail(1, "Recovery email is required for email-based account recovery");
+			return canonicalEmail;
+		}
+		async getNextDeviceNumberFromContract(nearAccountId) {
+			try {
+				const { syncAuthenticatorsContractCall } = await Promise.resolve().then(() => require("../rpcCalls.js"));
+				const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, nearAccountId);
+				const numbers = authenticators.map((a) => a?.authenticator?.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
+				const max = numbers.length > 0 ? Math.max(...numbers) : 0;
+				return max + 1;
+			} catch {
+				return 1;
+			}
+		}
+		async collectRecoveryCredentialOrFail(nearAccountId, deviceNumber) {
+			const confirmerText = {
+				title: this.options?.confirmerText?.title ?? "Register New Recovery Account",
+				body: this.options?.confirmerText?.body ?? "Create a recovery account and send an encrypted email to recover your account."
+			};
+			const confirm = await this.context.webAuthnManager.requestRegistrationCredentialConfirmation({
+				nearAccountId,
+				deviceNumber,
+				confirmerText,
+				confirmationConfigOverride: this.options?.confirmationConfig
+			});
+			if (!confirm.confirmed || !confirm.credential) await this.fail(2, "User cancelled email recovery TouchID confirmation");
+			return {
+				credential: confirm.credential,
+				vrfChallenge: confirm.vrfChallenge || void 0
+			};
+		}
+		async deriveRecoveryKeysOrFail(nearAccountId, deviceNumber, credential) {
+			const vrfDerivationResult = await this.context.webAuthnManager.deriveVrfKeypair({
+				credential,
+				nearAccountId
+			});
+			if (!vrfDerivationResult.success || !vrfDerivationResult.encryptedVrfKeypair) await this.fail(2, "Failed to derive VRF keypair from PRF for email recovery");
+			const nearKeyResult = await this.context.webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({
+				nearAccountId,
+				credential,
+				options: { deviceNumber }
+			});
+			if (!nearKeyResult.success || !nearKeyResult.publicKey) await this.fail(2, "Failed to derive NEAR keypair for email recovery");
+			return {
+				encryptedVrfKeypair: vrfDerivationResult.encryptedVrfKeypair,
+				serverEncryptedVrfKeypair: vrfDerivationResult.serverEncryptedVrfKeypair || null,
+				vrfPublicKey: vrfDerivationResult.vrfPublicKey,
+				nearPublicKey: nearKeyResult.publicKey
+			};
+		}
+		emitAwaitEmail(rec, mailtoUrl) {
+			this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
+			this.emit({
+				step: 3,
+				phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
+				status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
+				message: "New device key created; please send the recovery email from your registered address.",
+				data: {
+					accountId: rec.accountId,
+					recoveryEmail: rec.recoveryEmail,
+					nearPublicKey: rec.nearPublicKey,
+					requestId: rec.requestId,
+					mailtoUrl
+				}
+			});
+		}
+		emitAutoLoginEvent(status, message, data) {
+			this.emit({
+				step: 5,
+				phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+				status,
+				message,
+				data
+			});
+		}
+		async checkViaDkimViewMethod(rec) {
 			const { dkimVerifierAccountId, verificationViewMethod } = this.getConfig();
 			if (!dkimVerifierAccountId) return null;
 			try {
-				const result = await this.context.nearClient.view({
-					account: dkimVerifierAccountId,
-					method: verificationViewMethod,
-					args: { request_id: rec.requestId }
-				});
+				const { getEmailRecoveryVerificationResult } = await Promise.resolve().then(() => require("../rpcCalls.js"));
+				const result = await getEmailRecoveryVerificationResult(this.context.nearClient, dkimVerifierAccountId, verificationViewMethod, rec.requestId);
 				if (!result) return {
 					completed: false,
 					success: false
@@ -139,43 +260,78 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 					transactionHash: result.transaction_hash
 				};
 			} catch (err) {
-				console.warn("[EmailRecoveryFlow] get_verification_result view failed; falling back to access key polling", err);
+				console.warn("[EmailRecoveryFlow] get_verification_result view failed; will retry", err);
 				return null;
 			}
 		}
-		async loadPending(accountId, nearPublicKey) {
-			const { pendingTtlMs } = this.getConfig();
-			const indexKey = this.getPendingIndexKey(accountId);
-			const indexedNearPublicKey = await require_index.IndexedDBManager.clientDB.getAppState(indexKey);
-			const resolvedNearPublicKey = nearPublicKey ?? indexedNearPublicKey;
-			if (!resolvedNearPublicKey) return null;
-			const recordKey = this.getPendingRecordKey(accountId, resolvedNearPublicKey);
-			const record = await require_index.IndexedDBManager.clientDB.getAppState(recordKey);
-			const shouldClearIndex = indexedNearPublicKey === resolvedNearPublicKey;
-			if (!record) {
-				if (shouldClearIndex) await require_index.IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
-				return null;
-			}
-			if (Date.now() - record.createdAt > pendingTtlMs) {
-				await require_index.IndexedDBManager.clientDB.setAppState(recordKey, void 0).catch(() => {});
-				if (shouldClearIndex) await require_index.IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
-				return null;
+		buildPollingEventData(rec, details) {
+			return {
+				accountId: rec.accountId,
+				requestId: rec.requestId,
+				nearPublicKey: rec.nearPublicKey,
+				transactionHash: details.transactionHash,
+				elapsedMs: details.elapsedMs,
+				pollCount: details.pollCount
+			};
+		}
+		async sleepForPollInterval(ms) {
+			await new Promise((resolve) => {
+				this.pollIntervalResolver = resolve;
+				this.pollingTimer = setTimeout(() => {
+					this.pollIntervalResolver = void 0;
+					this.pollingTimer = void 0;
+					resolve();
+				}, ms);
+			}).finally(() => {
+				this.pollIntervalResolver = void 0;
+			});
+		}
+		async pollUntil(args) {
+			const now = args.now ?? Date.now;
+			const sleep = args.sleep ?? this.sleepForPollInterval.bind(this);
+			const startedAt = now();
+			let pollCount = 0;
+			while (!args.isCancelled()) {
+				pollCount += 1;
+				const elapsedMs$1 = now() - startedAt;
+				if (elapsedMs$1 > args.timeoutMs) return {
+					status: "timedOut",
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				const result = await args.tick({
+					elapsedMs: elapsedMs$1,
+					pollCount
+				});
+				if (result.done) return {
+					status: "completed",
+					value: result.value,
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				if (args.isCancelled()) return {
+					status: "cancelled",
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				await sleep(args.intervalMs);
 			}
-			await require_index.IndexedDBManager.clientDB.setAppState(indexKey, record.nearPublicKey).catch(() => {});
-			return record;
+			const elapsedMs = now() - startedAt;
+			return {
+				status: "cancelled",
+				elapsedMs,
+				pollCount
+			};
+		}
+		async loadPending(accountId, nearPublicKey) {
+			return this.pendingStore.get(accountId, nearPublicKey);
 		}
 		async savePending(rec) {
-			const key = this.getPendingRecordKey(rec.accountId, rec.nearPublicKey);
-			await require_index.IndexedDBManager.clientDB.setAppState(key, rec);
-			await require_index.IndexedDBManager.clientDB.setAppState(this.getPendingIndexKey(rec.accountId), rec.nearPublicKey).catch(() => {});
+			await this.pendingStore.set(rec);
 			this.pending = rec;
 		}
 		async clearPending(accountId, nearPublicKey) {
-			const indexKey = this.getPendingIndexKey(accountId);
-			const idx = await require_index.IndexedDBManager.clientDB.getAppState(indexKey).catch(() => void 0);
-			const resolvedNearPublicKey = nearPublicKey || idx || "";
-			if (resolvedNearPublicKey) await require_index.IndexedDBManager.clientDB.setAppState(this.getPendingRecordKey(accountId, resolvedNearPublicKey), void 0).catch(() => {});
-			if (!nearPublicKey || idx === nearPublicKey) await require_index.IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
+			await this.pendingStore.clear(accountId, nearPublicKey);
 			if (this.pending && this.pending.accountId === accountId && (!nearPublicKey || this.pending.nearPublicKey === nearPublicKey)) this.pending = null;
 		}
 		getState() {
@@ -189,48 +345,14 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = require_validation.validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err = this.emitError(3, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const nearAccountId = require_accountIds.toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err = this.emitError(3, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			if (rec.status === "error") {
-				const err = this.emitError(3, "Pending email recovery is in an error state; please restart the flow");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			if (rec.status === "finalizing" || rec.status === "complete") {
-				const err = this.emitError(3, "Recovery email has already been processed on-chain for this request");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(3, accountId);
+			const rec = await this.resolvePendingOrFail(3, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: false });
+			if (rec.status === "finalizing" || rec.status === "complete") await this.fail(3, "Recovery email has already been processed on-chain for this request");
 			const mailtoUrl = rec.status === "awaiting-email" ? await this.buildMailtoUrlAndUpdateStatus(rec) : this.buildMailtoUrlInternal(rec);
-			this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
-			this.emit({
-				step: 3,
-				phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
-				status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
-				message: "New device key created; please send the recovery email from your registered address.",
-				data: {
-					accountId: rec.accountId,
-					recoveryEmail: rec.recoveryEmail,
-					nearPublicKey: rec.nearPublicKey,
-					requestId: rec.requestId,
-					mailtoUrl
-				}
-			});
+			this.emitAwaitEmail(rec, mailtoUrl);
 			await this.options?.afterCall?.(true, void 0);
 			return mailtoUrl;
 		}
@@ -245,49 +367,10 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 				status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
 				message: "Preparing email recovery..."
 			});
-			const validation = require_validation.validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err = this.emitError(1, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const nearAccountId = require_accountIds.toAccountId(accountId);
-			const { minBalanceYocto } = this.getConfig();
-			const STORAGE_PRICE_PER_BYTE = BigInt("10000000000000000000");
-			try {
-				const accountView = await this.context.nearClient.viewAccount(nearAccountId);
-				const amount = BigInt(accountView.amount || "0");
-				const locked = BigInt(accountView.locked || "0");
-				const storageUsage = BigInt(accountView.storage_usage || 0);
-				const storageCost = storageUsage * STORAGE_PRICE_PER_BYTE;
-				const rawAvailable = amount - locked - storageCost;
-				const available = rawAvailable > 0 ? rawAvailable : BigInt(0);
-				if (available < BigInt(minBalanceYocto)) {
-					const err = this.emitError(1, `This account does not have enough NEAR to finalize recovery. Available: ${available.toString()} yocto; required: ${String(minBalanceYocto)}. Please top up and try again.`);
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-			} catch (e) {
-				const err = this.emitError(1, e?.message || "Failed to fetch account balance for recovery");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const canonicalEmail = String(recoveryEmail || "").trim().toLowerCase();
-			if (!canonicalEmail) {
-				const err = this.emitError(1, "Recovery email is required for email-based account recovery");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			let deviceNumber = 1;
-			try {
-				const { syncAuthenticatorsContractCall } = await Promise.resolve().then(() => require("../rpcCalls.js"));
-				const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, nearAccountId);
-				const numbers = authenticators.map((a) => a?.authenticator?.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
-				const max = numbers.length > 0 ? Math.max(...numbers) : 0;
-				deviceNumber = max + 1;
-			} catch {
-				deviceNumber = 1;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(1, accountId);
+			await this.assertSufficientBalance(nearAccountId);
+			const canonicalEmail = await this.getCanonicalRecoveryEmailOrFail(recoveryEmail);
+			const deviceNumber = await this.getNextDeviceNumberFromContract(nearAccountId);
 			this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_2_TOUCH_ID_REGISTRATION;
 			this.emit({
 				step: 2,
@@ -296,69 +379,24 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 				message: "Collecting passkey for email recovery..."
 			});
 			try {
-				const confirmerText = {
-					title: this.options?.confirmerText?.title ?? "Register New Recovery Account",
-					body: this.options?.confirmerText?.body ?? "Create a recovery account and send an encrypted email to recover your account."
-				};
-				const confirm = await this.context.webAuthnManager.requestRegistrationCredentialConfirmation({
-					nearAccountId,
-					deviceNumber,
-					confirmerText,
-					confirmationConfigOverride: this.options?.confirmationConfig
-				});
-				if (!confirm.confirmed || !confirm.credential) {
-					const err = this.emitError(2, "User cancelled email recovery TouchID confirmation");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				const vrfDerivationResult = await this.context.webAuthnManager.deriveVrfKeypair({
-					credential: confirm.credential,
-					nearAccountId
-				});
-				if (!vrfDerivationResult.success || !vrfDerivationResult.encryptedVrfKeypair) {
-					const err = this.emitError(2, "Failed to derive VRF keypair from PRF for email recovery");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				const nearKeyResult = await this.context.webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({
-					nearAccountId,
-					credential: confirm.credential,
-					options: { deviceNumber }
-				});
-				if (!nearKeyResult.success || !nearKeyResult.publicKey) {
-					const err = this.emitError(2, "Failed to derive NEAR keypair for email recovery");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
+				const confirm = await this.collectRecoveryCredentialOrFail(nearAccountId, deviceNumber);
+				const derivedKeys = await this.deriveRecoveryKeysOrFail(nearAccountId, deviceNumber, confirm.credential);
 				const rec = {
 					accountId: nearAccountId,
 					recoveryEmail: canonicalEmail,
 					deviceNumber,
-					nearPublicKey: nearKeyResult.publicKey,
+					nearPublicKey: derivedKeys.nearPublicKey,
 					requestId: generateEmailRecoveryRequestId(),
-					encryptedVrfKeypair: vrfDerivationResult.encryptedVrfKeypair,
-					serverEncryptedVrfKeypair: vrfDerivationResult.serverEncryptedVrfKeypair || null,
-					vrfPublicKey: vrfDerivationResult.vrfPublicKey,
+					encryptedVrfKeypair: derivedKeys.encryptedVrfKeypair,
+					serverEncryptedVrfKeypair: derivedKeys.serverEncryptedVrfKeypair,
+					vrfPublicKey: derivedKeys.vrfPublicKey,
 					credential: confirm.credential,
 					vrfChallenge: confirm.vrfChallenge || void 0,
 					createdAt: Date.now(),
 					status: "awaiting-email"
 				};
 				const mailtoUrl = await this.buildMailtoUrlAndUpdateStatus(rec);
-				this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
-				this.emit({
-					step: 3,
-					phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
-					status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
-					message: "New device key created; please send the recovery email from your registered address.",
-					data: {
-						accountId: rec.accountId,
-						recoveryEmail: rec.recoveryEmail,
-						nearPublicKey: rec.nearPublicKey,
-						requestId: rec.requestId,
-						mailtoUrl
-					}
-				});
+				this.emitAwaitEmail(rec, mailtoUrl);
 				await this.options?.afterCall?.(true, void 0);
 				return {
 					mailtoUrl,
@@ -386,28 +424,11 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = require_validation.validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err = this.emitError(4, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const nearAccountId = require_accountIds.toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err = this.emitError(4, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			if (rec.status === "error") {
-				const err = this.emitError(4, "Pending email recovery is in an error state; please restart the flow");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(4, accountId);
+			const rec = await this.resolvePendingOrFail(4, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: false });
 			if (rec.status === "complete" || rec.status === "finalizing") {
 				await this.options?.afterCall?.(true, void 0);
 				return;
@@ -447,23 +468,11 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = require_validation.validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err = this.emitError(4, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
-			const nearAccountId = require_accountIds.toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err = this.emitError(4, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(4, accountId);
+			const rec = await this.resolvePendingOrFail(4, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: true });
 			this.emit({
 				step: 0,
 				phase: require_sdkSentEvents.EmailRecoveryPhase.RESUMED_FROM_PENDING,
@@ -499,245 +508,242 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			}
 			this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT;
 			this.pollingStartedAt = Date.now();
-			let pollCount = 0;
-			while (!this.cancelled) {
-				pollCount += 1;
-				const elapsed = Date.now() - (this.pollingStartedAt || 0);
-				if (elapsed > maxPollingDurationMs) {
-					const err$1 = this.emitError(4, "Timed out waiting for recovery email to be processed on-chain");
+			const pollResult = await this.pollUntil({
+				intervalMs: pollingIntervalMs,
+				timeoutMs: maxPollingDurationMs,
+				isCancelled: () => this.cancelled,
+				tick: async ({ elapsedMs, pollCount }) => {
+					const verification = await this.checkViaDkimViewMethod(rec);
+					const completed = verification?.completed === true;
+					const success = verification?.success === true;
+					this.emit({
+						step: 4,
+						phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT,
+						status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
+						message: completed && success ? `Email verified for request ${rec.requestId}; finalizing registration` : `Waiting for email verification for request ${rec.requestId}`,
+						data: this.buildPollingEventData(rec, {
+							transactionHash: verification?.transactionHash,
+							elapsedMs,
+							pollCount
+						})
+					});
+					if (!completed) return { done: false };
+					if (!success) return {
+						done: true,
+						value: {
+							outcome: "failed",
+							errorMessage: verification?.errorMessage || "Email verification failed"
+						}
+					};
+					return {
+						done: true,
+						value: { outcome: "verified" }
+					};
+				}
+			});
+			if (pollResult.status === "completed") {
+				if (pollResult.value.outcome === "failed") {
+					const err$1 = this.emitError(4, pollResult.value.errorMessage);
 					rec.status = "error";
 					await this.savePending(rec);
 					await this.options?.afterCall?.(false);
 					throw err$1;
 				}
-				const verification = await this.checkVerificationStatus(rec);
-				const completed = verification?.completed === true;
-				const success = verification?.success === true;
-				this.emit({
-					step: 4,
-					phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT,
-					status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
-					message: completed && success ? `Email verified for request ${rec.requestId}; finalizing registration` : `Waiting for email verification for request ${rec.requestId}`,
-					data: {
-						accountId: rec.accountId,
-						requestId: rec.requestId,
-						nearPublicKey: rec.nearPublicKey,
-						transactionHash: verification?.transactionHash,
-						elapsedMs: elapsed,
-						pollCount
-					}
-				});
-				if (completed) {
-					if (!success) {
-						const err$1 = this.emitError(4, verification?.errorMessage || "Email verification failed");
-						rec.status = "error";
-						await this.savePending(rec);
-						await this.options?.afterCall?.(false);
-						throw err$1;
-					}
-					rec.status = "finalizing";
-					await this.savePending(rec);
-					return;
-				}
-				if (this.cancelled) break;
-				await new Promise((resolve) => {
-					this.pollIntervalResolver = resolve;
-					this.pollingTimer = setTimeout(() => {
-						this.pollIntervalResolver = void 0;
-						this.pollingTimer = void 0;
-						resolve();
-					}, pollingIntervalMs);
-				}).finally(() => {
-					this.pollIntervalResolver = void 0;
-				});
+				rec.status = "finalizing";
+				await this.savePending(rec);
+				return;
+			}
+			if (pollResult.status === "timedOut") {
+				const err$1 = this.emitError(4, "Timed out waiting for recovery email to be processed on-chain");
+				rec.status = "error";
+				await this.savePending(rec);
+				await this.options?.afterCall?.(false);
+				throw err$1;
 			}
 			const err = this.emitError(4, "Email recovery polling was cancelled");
 			await this.options?.afterCall?.(false);
 			throw err;
 		}
-		async finalizeRegistration(rec) {
-			this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION;
-			this.emit({
-				step: 5,
-				phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-				status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
-				message: "Finalizing email recovery registration...",
-				data: {
-					accountId: rec.accountId,
-					nearPublicKey: rec.nearPublicKey
-				}
-			});
+		initializeNonceManager(rec) {
 			const nonceManager = this.context.webAuthnManager.getNonceManager();
 			const accountId = require_accountIds.toAccountId(rec.accountId);
 			nonceManager.initializeUser(accountId, rec.nearPublicKey);
+			return {
+				nonceManager,
+				accountId
+			};
+		}
+		async signRegistrationTx(rec, accountId) {
+			const vrfChallenge = rec.vrfChallenge;
+			if (!vrfChallenge) return this.fail(5, "Missing VRF challenge for email recovery registration");
+			const registrationResult = await this.context.webAuthnManager.signDevice2RegistrationWithStoredKey({
+				nearAccountId: accountId,
+				credential: rec.credential,
+				vrfChallenge,
+				deterministicVrfPublicKey: rec.vrfPublicKey,
+				deviceNumber: rec.deviceNumber
+			});
+			if (!registrationResult.success || !registrationResult.signedTransaction) await this.fail(5, registrationResult.error || "Failed to sign email recovery registration transaction");
+			return registrationResult.signedTransaction;
+		}
+		async broadcastRegistrationTxAndWaitFinal(rec, signedTx) {
 			try {
-				if (!rec.vrfChallenge) {
-					const err = this.emitError(5, "Missing VRF challenge for email recovery registration");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				const registrationResult = await this.context.webAuthnManager.signDevice2RegistrationWithStoredKey({
-					nearAccountId: accountId,
-					credential: rec.credential,
-					vrfChallenge: rec.vrfChallenge,
-					deterministicVrfPublicKey: rec.vrfPublicKey,
-					deviceNumber: rec.deviceNumber
-				});
-				if (!registrationResult.success || !registrationResult.signedTransaction) {
-					const err = this.emitError(5, registrationResult.error || "Failed to sign email recovery registration transaction");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				const signedTx = registrationResult.signedTransaction;
+				const txResult = await this.context.nearClient.sendTransaction(signedTx, require_rpc.DEFAULT_WAIT_STATUS.linkDeviceRegistration);
 				try {
-					const txResult = await this.context.nearClient.sendTransaction(signedTx, require_rpc.DEFAULT_WAIT_STATUS.linkDeviceRegistration);
-					try {
-						const txHash = txResult?.transaction?.hash || txResult?.transaction_hash;
-						if (txHash) {
-							this.emit({
-								step: 5,
-								phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-								status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
-								message: "Registration transaction confirmed",
-								data: {
-									accountId: rec.accountId,
-									nearPublicKey: rec.nearPublicKey,
-									transactionHash: txHash
-								}
-							});
-							try {
-								await require_index.IndexedDBManager.clientDB.storeWebAuthnUserData({
-									nearAccountId: accountId,
-									deviceNumber: rec.deviceNumber,
-									clientNearPublicKey: rec.nearPublicKey,
-									passkeyCredential: {
-										id: rec.credential.id,
-										rawId: rec.credential.rawId
-									},
-									encryptedVrfKeypair: rec.encryptedVrfKeypair,
-									serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
-								});
-								const { syncAuthenticatorsContractCall } = await Promise.resolve().then(() => require("../rpcCalls.js"));
-								const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, accountId);
-								const mappedAuthenticators = authenticators.map(({ authenticator }) => ({
-									credentialId: authenticator.credentialId,
-									credentialPublicKey: authenticator.credentialPublicKey,
-									transports: authenticator.transports,
-									name: authenticator.name,
-									registered: authenticator.registered.toISOString(),
-									vrfPublicKey: authenticator.vrfPublicKeys?.[0] || "",
-									deviceNumber: authenticator.deviceNumber
-								}));
-								await require_index.IndexedDBManager.clientDB.syncAuthenticatorsFromContract(accountId, mappedAuthenticators);
-								await require_index.IndexedDBManager.clientDB.setLastUser(accountId, rec.deviceNumber);
-							} catch (syncErr) {
-								console.warn("[EmailRecoveryFlow] Failed to sync authenticators after recovery:", syncErr);
-							}
+					const txHash = txResult?.transaction?.hash || txResult?.transaction_hash;
+					if (txHash) this.emit({
+						step: 5,
+						phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+						status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
+						message: "Registration transaction confirmed",
+						data: {
+							accountId: rec.accountId,
+							nearPublicKey: rec.nearPublicKey,
+							transactionHash: txHash
 						}
-					} catch {}
-				} catch (e) {
-					const msg = String(e?.message || "");
-					const err = this.emitError(5, msg || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)");
-					await this.options?.afterCall?.(false);
-					throw err;
-				}
-				try {
-					const txNonce = signedTx.transaction?.nonce;
-					if (txNonce != null) await nonceManager.updateNonceFromBlockchain(this.context.nearClient, String(txNonce));
+					});
+					return txHash;
 				} catch {}
-				const { webAuthnManager } = this.context;
-				await webAuthnManager.storeUserData({
+			} catch (e) {
+				const msg = String(e?.message || "");
+				await this.fail(5, msg || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)");
+			}
+			return void 0;
+		}
+		async persistRecoveredUserRecordBestEffort(rec, accountId) {
+			try {
+				await require_index.IndexedDBManager.clientDB.storeWebAuthnUserData({
 					nearAccountId: accountId,
 					deviceNumber: rec.deviceNumber,
 					clientNearPublicKey: rec.nearPublicKey,
-					lastUpdated: Date.now(),
 					passkeyCredential: {
 						id: rec.credential.id,
 						rawId: rec.credential.rawId
 					},
-					encryptedVrfKeypair: {
-						encryptedVrfDataB64u: rec.encryptedVrfKeypair.encryptedVrfDataB64u,
-						chacha20NonceB64u: rec.encryptedVrfKeypair.chacha20NonceB64u
-					},
+					encryptedVrfKeypair: rec.encryptedVrfKeypair,
 					serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
 				});
-				try {
-					const attestationB64u = rec.credential.response.attestationObject;
-					const credentialPublicKey = await webAuthnManager.extractCosePublicKey(attestationB64u);
-					await webAuthnManager.storeAuthenticator({
-						nearAccountId: accountId,
-						deviceNumber: rec.deviceNumber,
-						credentialId: rec.credential.rawId,
-						credentialPublicKey,
-						transports: ["internal"],
-						name: `Device ${rec.deviceNumber} Passkey for ${rec.accountId.split(".")[0]}`,
-						registered: (/* @__PURE__ */ new Date()).toISOString(),
-						syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
-						vrfPublicKey: rec.vrfPublicKey
-					});
-				} catch {}
-				await this.attemptAutoLogin(rec);
-				rec.status = "complete";
-				await this.savePending(rec);
-				await this.clearPending(rec.accountId, rec.nearPublicKey);
-				this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_6_COMPLETE;
-				this.emit({
-					step: 6,
-					phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_6_COMPLETE,
-					status: require_sdkSentEvents.EmailRecoveryStatus.SUCCESS,
-					message: "Email recovery completed successfully",
-					data: {
-						accountId: rec.accountId,
-						nearPublicKey: rec.nearPublicKey
-					}
-				});
-			} catch (e) {
-				const err = this.emitError(5, e?.message || "Email recovery finalization failed");
-				await this.options?.afterCall?.(false);
-				throw err;
+				return true;
+			} catch (err) {
+				console.warn("[EmailRecoveryFlow] Failed to store recovery user record:", err);
+				return false;
 			}
 		}
-		async attemptAutoLogin(rec) {
+		mapAuthenticatorsFromContract(authenticators) {
+			return authenticators.map(({ authenticator }) => ({
+				credentialId: authenticator.credentialId,
+				credentialPublicKey: authenticator.credentialPublicKey,
+				transports: authenticator.transports,
+				name: authenticator.name,
+				registered: authenticator.registered.toISOString(),
+				vrfPublicKey: authenticator.vrfPublicKeys?.[0] || "",
+				deviceNumber: authenticator.deviceNumber
+			}));
+		}
+		async syncAuthenticatorsBestEffort(accountId) {
 			try {
-				this.emit({
-					step: 5,
-					phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
-					message: "Attempting auto-login with recovered device...",
-					data: { autoLogin: "progress" }
+				const { syncAuthenticatorsContractCall } = await Promise.resolve().then(() => require("../rpcCalls.js"));
+				const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, accountId);
+				const mappedAuthenticators = this.mapAuthenticatorsFromContract(authenticators);
+				await require_index.IndexedDBManager.clientDB.syncAuthenticatorsFromContract(accountId, mappedAuthenticators);
+				return true;
+			} catch (err) {
+				console.warn("[EmailRecoveryFlow] Failed to sync authenticators after recovery:", err);
+				return false;
+			}
+		}
+		async setLastUserBestEffort(accountId, deviceNumber) {
+			try {
+				await require_index.IndexedDBManager.clientDB.setLastUser(accountId, deviceNumber);
+				return true;
+			} catch (err) {
+				console.warn("[EmailRecoveryFlow] Failed to set last user after recovery:", err);
+				return false;
+			}
+		}
+		async updateNonceBestEffort(nonceManager, signedTx) {
+			try {
+				const txNonce = signedTx.transaction?.nonce;
+				if (txNonce != null) await nonceManager.updateNonceFromBlockchain(this.context.nearClient, String(txNonce));
+			} catch {}
+		}
+		async persistRecoveredUserData(rec, accountId) {
+			const { webAuthnManager } = this.context;
+			const payload = {
+				nearAccountId: accountId,
+				deviceNumber: rec.deviceNumber,
+				clientNearPublicKey: rec.nearPublicKey,
+				lastUpdated: Date.now(),
+				passkeyCredential: {
+					id: rec.credential.id,
+					rawId: rec.credential.rawId
+				},
+				encryptedVrfKeypair: {
+					encryptedVrfDataB64u: rec.encryptedVrfKeypair.encryptedVrfDataB64u,
+					chacha20NonceB64u: rec.encryptedVrfKeypair.chacha20NonceB64u
+				},
+				serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
+			};
+			await webAuthnManager.storeUserData(payload);
+		}
+		async persistAuthenticatorBestEffort(rec, accountId) {
+			try {
+				const { webAuthnManager } = this.context;
+				const attestationB64u = rec.credential.response.attestationObject;
+				const credentialPublicKey = await webAuthnManager.extractCosePublicKey(attestationB64u);
+				await webAuthnManager.storeAuthenticator({
+					nearAccountId: accountId,
+					deviceNumber: rec.deviceNumber,
+					credentialId: rec.credential.rawId,
+					credentialPublicKey,
+					transports: ["internal"],
+					name: `Device ${rec.deviceNumber} Passkey for ${rec.accountId.split(".")[0]}`,
+					registered: (/* @__PURE__ */ new Date()).toISOString(),
+					syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
+					vrfPublicKey: rec.vrfPublicKey
 				});
+			} catch {}
+		}
+		async markCompleteAndClearPending(rec) {
+			rec.status = "complete";
+			await this.savePending(rec);
+			await this.clearPending(rec.accountId, rec.nearPublicKey);
+		}
+		async assertVrfActiveForAccount(accountId, message) {
+			const vrfStatus = await this.context.webAuthnManager.checkVrfStatus();
+			const vrfActiveForAccount = vrfStatus.active && vrfStatus.nearAccountId && String(vrfStatus.nearAccountId) === String(accountId);
+			if (!vrfActiveForAccount) throw new Error(message);
+		}
+		async finalizeLocalLoginState(accountId, deviceNumber) {
+			const { webAuthnManager } = this.context;
+			await webAuthnManager.setLastUser(accountId, deviceNumber);
+			await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
+			try {
+				await require_login.getLoginSession(this.context, accountId);
+			} catch {}
+		}
+		async tryShamirUnlock(rec, accountId, deviceNumber) {
+			if (!rec.serverEncryptedVrfKeypair || !rec.serverEncryptedVrfKeypair.serverKeyId || !this.context.configs.vrfWorkerConfigs?.shamir3pass?.relayServerUrl) return false;
+			try {
+				const { webAuthnManager } = this.context;
+				const unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({
+					nearAccountId: accountId,
+					kek_s_b64u: rec.serverEncryptedVrfKeypair.kek_s_b64u,
+					ciphertextVrfB64u: rec.serverEncryptedVrfKeypair.ciphertextVrfB64u,
+					serverKeyId: rec.serverEncryptedVrfKeypair.serverKeyId
+				});
+				if (!unlockResult.success) return false;
+				await this.assertVrfActiveForAccount(accountId, "VRF session inactive after Shamir3Pass unlock");
+				await this.finalizeLocalLoginState(accountId, deviceNumber);
+				return true;
+			} catch (err) {
+				console.warn("[EmailRecoveryFlow] Shamir 3-pass unlock failed, falling back to TouchID", err);
+				return false;
+			}
+		}
+		async tryTouchIdUnlock(rec, accountId, deviceNumber) {
+			try {
 				const { webAuthnManager } = this.context;
-				const accountId = require_accountIds.toAccountId(rec.accountId);
-				const deviceNumber = require_getDeviceNumber.parseDeviceNumber(rec.deviceNumber, { min: 1 });
-				if (deviceNumber === null) throw new Error(`Invalid deviceNumber for auto-login: ${String(rec.deviceNumber)}`);
-				if (rec.serverEncryptedVrfKeypair && rec.serverEncryptedVrfKeypair.serverKeyId && this.context.configs.vrfWorkerConfigs?.shamir3pass?.relayServerUrl) try {
-					const unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({
-						nearAccountId: accountId,
-						kek_s_b64u: rec.serverEncryptedVrfKeypair.kek_s_b64u,
-						ciphertextVrfB64u: rec.serverEncryptedVrfKeypair.ciphertextVrfB64u,
-						serverKeyId: rec.serverEncryptedVrfKeypair.serverKeyId
-					});
-					if (unlockResult.success) {
-						const vrfStatus$1 = await webAuthnManager.checkVrfStatus();
-						const vrfActiveForAccount$1 = vrfStatus$1.active && vrfStatus$1.nearAccountId && String(vrfStatus$1.nearAccountId) === String(accountId);
-						if (!vrfActiveForAccount$1) throw new Error("VRF session inactive after Shamir3Pass unlock");
-						await webAuthnManager.setLastUser(accountId, deviceNumber);
-						await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
-						try {
-							await require_login.getLoginSession(this.context, accountId);
-						} catch {}
-						this.emit({
-							step: 5,
-							phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-							status: require_sdkSentEvents.EmailRecoveryStatus.SUCCESS,
-							message: `Welcome ${accountId}`,
-							data: { autoLogin: "success" }
-						});
-						return;
-					}
-				} catch (err) {
-					console.warn("[EmailRecoveryFlow] Shamir 3-pass unlock failed, falling back to TouchID", err);
-				}
 				const authChallenge = require_vrf_worker.createRandomVRFChallenge();
 				const storedCredentialId = String(rec.credential?.rawId || rec.credential?.id || "").trim();
 				const credentialIds = storedCredentialId ? [storedCredentialId] : [];
@@ -747,43 +753,108 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 					challenge: authChallenge,
 					credentialIds: credentialIds.length > 0 ? credentialIds : authenticators.map((a) => a.credentialId)
 				});
-				if (storedCredentialId && authCredential.rawId !== storedCredentialId) throw new Error("Wrong passkey selected during recovery auto-login; please use the newly recovered passkey.");
+				if (storedCredentialId && authCredential.rawId !== storedCredentialId) return {
+					success: false,
+					reason: "Wrong passkey selected during recovery auto-login; please use the newly recovered passkey."
+				};
 				const vrfUnlockResult = await webAuthnManager.unlockVRFKeypair({
 					nearAccountId: accountId,
 					encryptedVrfKeypair: rec.encryptedVrfKeypair,
 					credential: authCredential
 				});
-				if (!vrfUnlockResult.success) throw new Error(vrfUnlockResult.error || "VRF unlock failed during auto-login");
-				const vrfStatus = await webAuthnManager.checkVrfStatus();
-				const vrfActiveForAccount = vrfStatus.active && vrfStatus.nearAccountId && String(vrfStatus.nearAccountId) === String(accountId);
-				if (!vrfActiveForAccount) throw new Error("VRF session inactive after TouchID unlock");
-				await webAuthnManager.setLastUser(accountId, deviceNumber);
-				await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
-				try {
-					await require_login.getLoginSession(this.context, accountId);
-				} catch {}
-				this.emit({
-					step: 5,
-					phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: require_sdkSentEvents.EmailRecoveryStatus.SUCCESS,
-					message: `Welcome ${accountId}`,
-					data: { autoLogin: "success" }
-				});
+				if (!vrfUnlockResult.success) return {
+					success: false,
+					reason: vrfUnlockResult.error || "VRF unlock failed during auto-login"
+				};
+				await this.assertVrfActiveForAccount(accountId, "VRF session inactive after TouchID unlock");
+				await this.finalizeLocalLoginState(accountId, deviceNumber);
+				return { success: true };
 			} catch (err) {
-				console.warn("[EmailRecoveryFlow] Auto-login failed after recovery", err);
-				try {
-					await this.context.webAuthnManager.clearVrfSession();
-				} catch {}
+				return {
+					success: false,
+					reason: err?.message || String(err)
+				};
+			}
+		}
+		async handleAutoLoginFailure(reason, err) {
+			console.warn("[EmailRecoveryFlow] Auto-login failed after recovery", err ?? reason);
+			try {
+				await this.context.webAuthnManager.clearVrfSession();
+			} catch {}
+			return {
+				success: false,
+				reason
+			};
+		}
+		async finalizeRegistration(rec) {
+			this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION;
+			this.emit({
+				step: 5,
+				phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+				status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
+				message: "Finalizing email recovery registration...",
+				data: {
+					accountId: rec.accountId,
+					nearPublicKey: rec.nearPublicKey
+				}
+			});
+			try {
+				const { nonceManager, accountId } = this.initializeNonceManager(rec);
+				const signedTx = await this.signRegistrationTx(rec, accountId);
+				const txHash = await this.broadcastRegistrationTxAndWaitFinal(rec, signedTx);
+				if (txHash) {
+					const storedUser = await this.persistRecoveredUserRecordBestEffort(rec, accountId);
+					if (storedUser) {
+						const syncedAuthenticators = await this.syncAuthenticatorsBestEffort(accountId);
+						if (syncedAuthenticators) await this.setLastUserBestEffort(accountId, rec.deviceNumber);
+					}
+				}
+				await this.updateNonceBestEffort(nonceManager, signedTx);
+				await this.persistRecoveredUserData(rec, accountId);
+				await this.persistAuthenticatorBestEffort(rec, accountId);
+				this.emitAutoLoginEvent(require_sdkSentEvents.EmailRecoveryStatus.PROGRESS, "Attempting auto-login with recovered device...", { autoLogin: "progress" });
+				const autoLoginResult = await this.attemptAutoLogin(rec);
+				if (autoLoginResult.success) this.emitAutoLoginEvent(require_sdkSentEvents.EmailRecoveryStatus.SUCCESS, `Welcome ${accountId}`, { autoLogin: "success" });
+				else this.emitAutoLoginEvent(require_sdkSentEvents.EmailRecoveryStatus.ERROR, "Auto-login failed; please log in manually on this device.", {
+					error: autoLoginResult.reason,
+					autoLogin: "error"
+				});
+				await this.markCompleteAndClearPending(rec);
+				this.phase = require_sdkSentEvents.EmailRecoveryPhase.STEP_6_COMPLETE;
 				this.emit({
-					step: 5,
-					phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: require_sdkSentEvents.EmailRecoveryStatus.ERROR,
-					message: "Auto-login failed; please log in manually on this device.",
+					step: 6,
+					phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_6_COMPLETE,
+					status: require_sdkSentEvents.EmailRecoveryStatus.SUCCESS,
+					message: "Email recovery completed successfully",
 					data: {
-						error: err?.message || String(err),
-						autoLogin: "error"
+						accountId: rec.accountId,
+						nearPublicKey: rec.nearPublicKey
 					}
 				});
+			} catch (e) {
+				const err = this.emitError(5, e?.message || "Email recovery finalization failed");
+				await this.options?.afterCall?.(false);
+				throw err;
+			}
+		}
+		async attemptAutoLogin(rec) {
+			try {
+				const accountId = require_accountIds.toAccountId(rec.accountId);
+				const deviceNumber = require_getDeviceNumber.parseDeviceNumber(rec.deviceNumber, { min: 1 });
+				if (deviceNumber === null) return this.handleAutoLoginFailure(`Invalid deviceNumber for auto-login: ${String(rec.deviceNumber)}`);
+				const shamirUnlocked = await this.tryShamirUnlock(rec, accountId, deviceNumber);
+				if (shamirUnlocked) return {
+					success: true,
+					method: "shamir"
+				};
+				const touchIdResult = await this.tryTouchIdUnlock(rec, accountId, deviceNumber);
+				if (touchIdResult.success) return {
+					success: true,
+					method: "touchid"
+				};
+				return this.handleAutoLoginFailure(touchIdResult.reason || "Auto-login failed");
+			} catch (err) {
+				return this.handleAutoLoginFailure(err?.message || String(err), err);
 			}
 		}
 	};