@tatchi-xyz/sdk 0.17.0 → 0.19.0

package/dist/esm/sdk/wallet-iframe-host.js

@@ -15,7 +15,7 @@ import { MinimalNearClient, SignedTransaction, isOffline, openOfflineExport } fr
 import { AccountRecoveryPhase, AccountRecoveryStatus, ActionPhase, ActionStatus, DEFAULT_WAIT_STATUS, DeviceLinkingPhase, DeviceLinkingStatus, EmailRecoveryPhase, EmailRecoveryStatus, LoginPhase, LoginStatus, RegistrationPhase, RegistrationStatus, init_rpc, init_sdkSentEvents } from "./sdkSentEvents-_jrJLIhw.js";
 import { SecureConfirmMessageType, SecureConfirmationType, TouchIdPrompt, authenticatorsToAllowCredentials, createRandomVRFChallenge, getIntentDigest, init_accountIds, init_touchIdPrompt, init_vrf_worker, parseTransactionSummary, sanitizeForPostMessage, sendConfirmResponse, toAccountId, validateVRFChallenge } from "./requestHelpers-Dh1hEYL9.js";
 import { PASSKEY_MANAGER_DEFAULT_CONFIGS, buildConfigsFromEnv, init_defaultConfigs } from "./defaultConfigs-DpslkAQd.js";
-import { buildSetRecoveryEmailsActions, checkCanRegisterUserContractCall, executeDeviceLinkingContractCalls, getCredentialIdsContractCall, getDeviceLinkingAccountContractCall, getRecoveryEmailHashesContractCall, init_rpcCalls, syncAuthenticatorsContractCall, verifyAuthenticationResponse } from "./rpcCalls-OhgEeFig.js";
+import { buildSetRecoveryEmailsActions, checkCanRegisterUserContractCall, executeDeviceLinkingContractCalls, getCredentialIdsContractCall, getDeviceLinkingAccountContractCall, getRecoveryEmailHashesContractCall, init_rpcCalls, syncAuthenticatorsContractCall, verifyAuthenticationResponse } from "./rpcCalls-YVeUVMk2.js";
 import { getLastLoggedInDeviceNumber, init_getDeviceNumber, parseDeviceNumber } from "./getDeviceNumber-zsOHT_Um.js";
 
 //#region src/core/sdkPaths/workers.ts
@@ -3271,42 +3271,42 @@ async function importFlow(label, loader) {
 }
 const HANDLERS = {
 	[SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-pXMTqh1m.js"));
+		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-BHScJasw.js"));
 		await handleLocalOnlyFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-pXMTqh1m.js"));
+		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-BHScJasw.js"));
 		await handleLocalOnlyFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.REGISTER_ACCOUNT]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-DLPLsGCz.js"));
+		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-lDD60Ytt.js"));
 		await handleRegistrationFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.LINK_DEVICE]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-DLPLsGCz.js"));
+		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-lDD60Ytt.js"));
 		await handleRegistrationFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SIGN_TRANSACTION]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-Bk-VavcV.js"));
+		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-BalIhtJ9.js"));
 		await handleTransactionSigningFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SIGN_NEP413_MESSAGE]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-Bk-VavcV.js"));
+		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-BalIhtJ9.js"));
 		await handleTransactionSigningFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
@@ -6385,6 +6385,29 @@ var WebAuthnManager = class {
 	async extractCosePublicKey(attestationObjectBase64url) {
 		return await this.signerWorkerManager.extractCosePublicKey(attestationObjectBase64url);
 	}
+	/**
+	* Helper to ensure the local `lastUser` pointer is consistent with the latest DB updates.
+	* This fixes issues where a recovery or registration might have updated the user record
+	* but failed to update the `lastUser` pointer (e.g. due to previous bugs or interruptions),
+	* preventing the strict `ensureCurrentPasskey` check from passing.
+	*/
+	async autoHealLastUserPointer(nearAccountId) {
+		try {
+			const lastUser = await this.getLastUser();
+			if (lastUser && lastUser.nearAccountId === nearAccountId) {
+				const freshest = await IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);
+				if (freshest && freshest.deviceNumber !== lastUser.deviceNumber) {
+					console.log(`[WebAuthnManager] Auto-healing lastUser pointer from device ${lastUser.deviceNumber} to ${freshest.deviceNumber}`);
+					await this.setLastUser(nearAccountId, freshest.deviceNumber);
+				}
+			} else {
+				const freshest = await IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);
+				if (freshest) await this.setLastUser(nearAccountId, freshest.deviceNumber);
+			}
+		} catch (e) {
+			console.warn("[WebAuthnManager] Auto-heal pointer failed (non-fatal):", e);
+		}
+	}
 	/** Worker-driven export: two-phase V2 (collect PRF → decrypt → show UI) */
 	async exportNearKeypairWithUIWorkerDriven(nearAccountId, options) {
 		await this.withSigningSession({
@@ -9845,8 +9868,30 @@ async function signDelegateAction(args) {
 //#endregion
 //#region src/core/TatchiPasskey/relay.ts
 init_sdkSentEvents();
+const toNumberArray = (value) => Array.isArray(value) ? value : Array.from(value);
+const normalizeSignedDelegateForRelay = (signedDelegate) => {
+	const delegateAction = signedDelegate.delegateAction;
+	const signature = signedDelegate.signature;
+	return {
+		delegateAction: {
+			...delegateAction,
+			publicKey: {
+				...delegateAction.publicKey,
+				keyData: toNumberArray(delegateAction.publicKey.keyData)
+			}
+		},
+		signature: {
+			...signature,
+			signatureData: toNumberArray(signature.signatureData)
+		}
+	};
+};
 async function sendDelegateActionViaRelayer(args) {
 	const { url, payload, signal, options } = args;
+	const normalizedPayload = {
+		...payload,
+		signedDelegate: normalizeSignedDelegateForRelay(payload.signedDelegate)
+	};
 	const emit = (event) => options?.onEvent?.(event);
 	const emitError = (message) => {
 		emit({
@@ -9868,7 +9913,7 @@ async function sendDelegateActionViaRelayer(args) {
 		res = await fetch(url, {
 			method: "POST",
 			headers: { "content-type": "application/json" },
-			body: JSON.stringify(payload),
+			body: JSON.stringify(normalizedPayload),
 			signal
 		});
 	} catch (err$1) {
@@ -9933,28 +9978,65 @@ const OFFLINE_EXPORT_FALLBACK = "OFFLINE_EXPORT_FALLBACK";
 const WALLET_UI_CLOSED = "WALLET_UI_CLOSED";
 const EXPORT_NEAR_KEYPAIR_CANCELLED = "EXPORT_NEAR_KEYPAIR_CANCELLED";
 
+//#endregion
+//#region src/core/EmailRecovery/emailRecoveryPendingStore.ts
+var EmailRecoveryPendingStore;
+var init_emailRecoveryPendingStore = __esm({ "src/core/EmailRecovery/emailRecoveryPendingStore.ts": (() => {
+	init_IndexedDBManager();
+	EmailRecoveryPendingStore = class {
+		getPendingTtlMs;
+		now;
+		constructor(options) {
+			this.getPendingTtlMs = options.getPendingTtlMs;
+			this.now = options.now ?? Date.now;
+		}
+		getPendingIndexKey(accountId) {
+			return `pendingEmailRecovery:${accountId}`;
+		}
+		getPendingRecordKey(accountId, nearPublicKey) {
+			return `${this.getPendingIndexKey(accountId)}:${nearPublicKey}`;
+		}
+		async get(accountId, nearPublicKey) {
+			const pendingTtlMs = this.getPendingTtlMs();
+			const indexKey = this.getPendingIndexKey(accountId);
+			const indexedNearPublicKey = await IndexedDBManager.clientDB.getAppState(indexKey);
+			const resolvedNearPublicKey = nearPublicKey ?? indexedNearPublicKey;
+			if (!resolvedNearPublicKey) return null;
+			const recordKey = this.getPendingRecordKey(accountId, resolvedNearPublicKey);
+			const record = await IndexedDBManager.clientDB.getAppState(recordKey);
+			const shouldClearIndex = indexedNearPublicKey === resolvedNearPublicKey;
+			if (!record) {
+				if (shouldClearIndex) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
+				return null;
+			}
+			if (this.now() - record.createdAt > pendingTtlMs) {
+				await IndexedDBManager.clientDB.setAppState(recordKey, void 0).catch(() => {});
+				if (shouldClearIndex) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
+				return null;
+			}
+			await this.touchIndex(accountId, record.nearPublicKey);
+			return record;
+		}
+		async set(record) {
+			const key = this.getPendingRecordKey(record.accountId, record.nearPublicKey);
+			await IndexedDBManager.clientDB.setAppState(key, record);
+			await this.touchIndex(record.accountId, record.nearPublicKey);
+		}
+		async clear(accountId, nearPublicKey) {
+			const indexKey = this.getPendingIndexKey(accountId);
+			const idx = await IndexedDBManager.clientDB.getAppState(indexKey).catch(() => void 0);
+			const resolvedNearPublicKey = nearPublicKey || idx || "";
+			if (resolvedNearPublicKey) await IndexedDBManager.clientDB.setAppState(this.getPendingRecordKey(accountId, resolvedNearPublicKey), void 0).catch(() => {});
+			if (!nearPublicKey || idx === nearPublicKey) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
+		}
+		async touchIndex(accountId, nearPublicKey) {
+			await IndexedDBManager.clientDB.setAppState(this.getPendingIndexKey(accountId), nearPublicKey).catch(() => {});
+		}
+	};
+}) });
+
 //#endregion
 //#region src/core/EmailRecovery/index.ts
-init_accountIds();
-init_IndexedDBManager();
-const canonicalizeEmail = (email) => {
-	const raw = String(email || "").trim();
-	if (!raw) return "";
-	const withoutHeaderName = raw.replace(/^[a-z0-9-]+\s*:\s*/i, "").trim();
-	const emailRegex = /([a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)/;
-	const angleMatch = withoutHeaderName.match(/<([^>]+)>/);
-	const candidates = [angleMatch?.[1], withoutHeaderName].filter((v) => typeof v === "string" && v.length > 0);
-	for (const candidate of candidates) {
-		const cleaned = candidate.replace(/^mailto:\s*/i, "");
-		const match = cleaned.match(emailRegex);
-		if (match?.[1]) return match[1].trim().toLowerCase();
-	}
-	return withoutHeaderName.toLowerCase();
-};
-const bytesToHex = (bytes) => {
-	const arr = bytes instanceof Uint8Array ? bytes : Uint8Array.from(bytes);
-	return `0x${Array.from(arr).map((b) => b.toString(16).padStart(2, "0")).join("")}`;
-};
 async function hashRecoveryEmails(emails, accountId) {
 	const encoder = new TextEncoder();
 	const salt = (accountId || "").trim().toLowerCase();
@@ -10001,6 +10083,30 @@ async function prepareRecoveryEmails(nearAccountId, recoveryEmails) {
 async function getLocalRecoveryEmails(nearAccountId) {
 	return IndexedDBManager.getRecoveryEmails(nearAccountId);
 }
+var canonicalizeEmail, bytesToHex;
+var init_EmailRecovery = __esm({ "src/core/EmailRecovery/index.ts": (() => {
+	init_accountIds();
+	init_IndexedDBManager();
+	init_emailRecoveryPendingStore();
+	canonicalizeEmail = (email) => {
+		const raw = String(email || "").trim();
+		if (!raw) return "";
+		const withoutHeaderName = raw.replace(/^[a-z0-9-]+\s*:\s*/i, "").trim();
+		const emailRegex = /([a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)/;
+		const angleMatch = withoutHeaderName.match(/<([^>]+)>/);
+		const candidates = [angleMatch?.[1], withoutHeaderName].filter((v) => typeof v === "string" && v.length > 0);
+		for (const candidate of candidates) {
+			const cleaned = candidate.replace(/^mailto:\s*/i, "");
+			const match = cleaned.match(emailRegex);
+			if (match?.[1]) return match[1].trim().toLowerCase();
+		}
+		return withoutHeaderName.toLowerCase();
+	};
+	bytesToHex = (bytes) => {
+		const arr = bytes instanceof Uint8Array ? bytes : Uint8Array.from(bytes);
+		return `0x${Array.from(arr).map((b) => b.toString(16).padStart(2, "0")).join("")}`;
+	};
+}) });
 
 //#endregion
 //#region src/core/TatchiPasskey/emailRecovery.ts
@@ -10047,9 +10153,11 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 	init_rpc();
 	init_getDeviceNumber();
 	init_login();
+	init_EmailRecovery();
 	EmailRecoveryFlow = class {
 		context;
 		options;
+		pendingStore;
 		pending = null;
 		phase = EmailRecoveryPhase.STEP_1_PREPARATION;
 		pollingTimer;
@@ -10060,6 +10168,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 		constructor(context, options) {
 			this.context = context;
 			this.options = options;
+			this.pendingStore = options?.pendingStore ?? new EmailRecoveryPendingStore({ getPendingTtlMs: () => this.getConfig().pendingTtlMs });
 		}
 		setOptions(options) {
 			if (!options) return;
@@ -10067,6 +10176,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				...this.options || {},
 				...options
 			};
+			if (options.pendingStore) this.pendingStore = options.pendingStore;
 		}
 		emit(event) {
 			this.options?.onEvent?.(event);
@@ -10085,24 +10195,139 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			this.options?.onError?.(err$1);
 			return err$1;
 		}
+		async fail(step, message) {
+			const err$1 = this.emitError(step, message);
+			await this.options?.afterCall?.(false);
+			throw err$1;
+		}
+		async assertValidAccountIdOrFail(step, accountId) {
+			const validation = validateNearAccountId(accountId);
+			if (!validation.valid) await this.fail(step, `Invalid NEAR account ID: ${validation.error}`);
+			return toAccountId(accountId);
+		}
+		async resolvePendingOrFail(step, args, options) {
+			const { allowErrorStatus = true, missingMessage = "No pending email recovery record found for this account", errorStatusMessage = "Pending email recovery is in an error state; please restart the flow" } = options ?? {};
+			let rec = this.pending;
+			if (!rec || rec.accountId !== args.accountId || args.nearPublicKey && rec.nearPublicKey !== args.nearPublicKey) {
+				rec = await this.loadPending(args.accountId, args.nearPublicKey);
+				this.pending = rec;
+			}
+			if (!rec) await this.fail(step, missingMessage);
+			const resolved = rec;
+			if (!allowErrorStatus && resolved.status === "error") await this.fail(step, errorStatusMessage);
+			return resolved;
+		}
 		getConfig() {
 			return getEmailRecoveryConfig(this.context.configs);
 		}
-		getPendingIndexKey(accountId) {
-			return `pendingEmailRecovery:${accountId}`;
+		toBigInt(value) {
+			if (typeof value === "bigint") return value;
+			if (typeof value === "number") return BigInt(value);
+			if (typeof value === "string" && value.length > 0) return BigInt(value);
+			return BigInt(0);
 		}
-		getPendingRecordKey(accountId, nearPublicKey) {
-			return `${this.getPendingIndexKey(accountId)}:${nearPublicKey}`;
+		computeAvailableBalance(accountView) {
+			const STORAGE_PRICE_PER_BYTE = BigInt("10000000000000000000");
+			const amount = this.toBigInt(accountView.amount);
+			const locked = this.toBigInt(accountView.locked);
+			const storageUsage = this.toBigInt(accountView.storage_usage);
+			const storageCost = storageUsage * STORAGE_PRICE_PER_BYTE;
+			const rawAvailable = amount - locked - storageCost;
+			return rawAvailable > 0 ? rawAvailable : BigInt(0);
+		}
+		async assertSufficientBalance(nearAccountId) {
+			const { minBalanceYocto } = this.getConfig();
+			try {
+				const accountView = await this.context.nearClient.viewAccount(nearAccountId);
+				const available = this.computeAvailableBalance(accountView);
+				if (available < BigInt(minBalanceYocto)) await this.fail(1, `This account does not have enough NEAR to finalize recovery. Available: ${available.toString()} yocto; required: ${String(minBalanceYocto)}. Please top up and try again.`);
+			} catch (e) {
+				await this.fail(1, e?.message || "Failed to fetch account balance for recovery");
+			}
+		}
+		async getCanonicalRecoveryEmailOrFail(recoveryEmail) {
+			const canonicalEmail = String(recoveryEmail || "").trim().toLowerCase();
+			if (!canonicalEmail) await this.fail(1, "Recovery email is required for email-based account recovery");
+			return canonicalEmail;
+		}
+		async getNextDeviceNumberFromContract(nearAccountId) {
+			try {
+				const { syncAuthenticatorsContractCall: syncAuthenticatorsContractCall$1 } = await import("./rpcCalls-BQrJMTdg.js");
+				const authenticators = await syncAuthenticatorsContractCall$1(this.context.nearClient, this.context.configs.contractId, nearAccountId);
+				const numbers = authenticators.map((a) => a?.authenticator?.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
+				const max = numbers.length > 0 ? Math.max(...numbers) : 0;
+				return max + 1;
+			} catch {
+				return 1;
+			}
 		}
-		async checkVerificationStatus(rec) {
+		async collectRecoveryCredentialOrFail(nearAccountId, deviceNumber) {
+			const confirmerText = {
+				title: this.options?.confirmerText?.title ?? "Register New Recovery Account",
+				body: this.options?.confirmerText?.body ?? "Create a recovery account and send an encrypted email to recover your account."
+			};
+			const confirm = await this.context.webAuthnManager.requestRegistrationCredentialConfirmation({
+				nearAccountId,
+				deviceNumber,
+				confirmerText,
+				confirmationConfigOverride: this.options?.confirmationConfig
+			});
+			if (!confirm.confirmed || !confirm.credential) await this.fail(2, "User cancelled email recovery TouchID confirmation");
+			return {
+				credential: confirm.credential,
+				vrfChallenge: confirm.vrfChallenge || void 0
+			};
+		}
+		async deriveRecoveryKeysOrFail(nearAccountId, deviceNumber, credential) {
+			const vrfDerivationResult = await this.context.webAuthnManager.deriveVrfKeypair({
+				credential,
+				nearAccountId
+			});
+			if (!vrfDerivationResult.success || !vrfDerivationResult.encryptedVrfKeypair) await this.fail(2, "Failed to derive VRF keypair from PRF for email recovery");
+			const nearKeyResult = await this.context.webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({
+				nearAccountId,
+				credential,
+				options: { deviceNumber }
+			});
+			if (!nearKeyResult.success || !nearKeyResult.publicKey) await this.fail(2, "Failed to derive NEAR keypair for email recovery");
+			return {
+				encryptedVrfKeypair: vrfDerivationResult.encryptedVrfKeypair,
+				serverEncryptedVrfKeypair: vrfDerivationResult.serverEncryptedVrfKeypair || null,
+				vrfPublicKey: vrfDerivationResult.vrfPublicKey,
+				nearPublicKey: nearKeyResult.publicKey
+			};
+		}
+		emitAwaitEmail(rec, mailtoUrl) {
+			this.phase = EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
+			this.emit({
+				step: 3,
+				phase: EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
+				status: EmailRecoveryStatus.PROGRESS,
+				message: "New device key created; please send the recovery email from your registered address.",
+				data: {
+					accountId: rec.accountId,
+					recoveryEmail: rec.recoveryEmail,
+					nearPublicKey: rec.nearPublicKey,
+					requestId: rec.requestId,
+					mailtoUrl
+				}
+			});
+		}
+		emitAutoLoginEvent(status, message, data) {
+			this.emit({
+				step: 5,
+				phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+				status,
+				message,
+				data
+			});
+		}
+		async checkViaDkimViewMethod(rec) {
 			const { dkimVerifierAccountId, verificationViewMethod } = this.getConfig();
 			if (!dkimVerifierAccountId) return null;
 			try {
-				const result = await this.context.nearClient.view({
-					account: dkimVerifierAccountId,
-					method: verificationViewMethod,
-					args: { request_id: rec.requestId }
-				});
+				const { getEmailRecoveryVerificationResult } = await import("./rpcCalls-BQrJMTdg.js");
+				const result = await getEmailRecoveryVerificationResult(this.context.nearClient, dkimVerifierAccountId, verificationViewMethod, rec.requestId);
 				if (!result) return {
 					completed: false,
 					success: false
@@ -10134,43 +10359,78 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 					transactionHash: result.transaction_hash
 				};
 			} catch (err$1) {
-				console.warn("[EmailRecoveryFlow] get_verification_result view failed; falling back to access key polling", err$1);
+				console.warn("[EmailRecoveryFlow] get_verification_result view failed; will retry", err$1);
 				return null;
 			}
 		}
-		async loadPending(accountId, nearPublicKey) {
-			const { pendingTtlMs } = this.getConfig();
-			const indexKey = this.getPendingIndexKey(accountId);
-			const indexedNearPublicKey = await IndexedDBManager.clientDB.getAppState(indexKey);
-			const resolvedNearPublicKey = nearPublicKey ?? indexedNearPublicKey;
-			if (!resolvedNearPublicKey) return null;
-			const recordKey = this.getPendingRecordKey(accountId, resolvedNearPublicKey);
-			const record = await IndexedDBManager.clientDB.getAppState(recordKey);
-			const shouldClearIndex = indexedNearPublicKey === resolvedNearPublicKey;
-			if (!record) {
-				if (shouldClearIndex) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
-				return null;
-			}
-			if (Date.now() - record.createdAt > pendingTtlMs) {
-				await IndexedDBManager.clientDB.setAppState(recordKey, void 0).catch(() => {});
-				if (shouldClearIndex) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
-				return null;
+		buildPollingEventData(rec, details) {
+			return {
+				accountId: rec.accountId,
+				requestId: rec.requestId,
+				nearPublicKey: rec.nearPublicKey,
+				transactionHash: details.transactionHash,
+				elapsedMs: details.elapsedMs,
+				pollCount: details.pollCount
+			};
+		}
+		async sleepForPollInterval(ms) {
+			await new Promise((resolve) => {
+				this.pollIntervalResolver = resolve;
+				this.pollingTimer = setTimeout(() => {
+					this.pollIntervalResolver = void 0;
+					this.pollingTimer = void 0;
+					resolve();
+				}, ms);
+			}).finally(() => {
+				this.pollIntervalResolver = void 0;
+			});
+		}
+		async pollUntil(args) {
+			const now = args.now ?? Date.now;
+			const sleep = args.sleep ?? this.sleepForPollInterval.bind(this);
+			const startedAt = now();
+			let pollCount = 0;
+			while (!args.isCancelled()) {
+				pollCount += 1;
+				const elapsedMs$1 = now() - startedAt;
+				if (elapsedMs$1 > args.timeoutMs) return {
+					status: "timedOut",
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				const result = await args.tick({
+					elapsedMs: elapsedMs$1,
+					pollCount
+				});
+				if (result.done) return {
+					status: "completed",
+					value: result.value,
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				if (args.isCancelled()) return {
+					status: "cancelled",
+					elapsedMs: elapsedMs$1,
+					pollCount
+				};
+				await sleep(args.intervalMs);
 			}
-			await IndexedDBManager.clientDB.setAppState(indexKey, record.nearPublicKey).catch(() => {});
-			return record;
+			const elapsedMs = now() - startedAt;
+			return {
+				status: "cancelled",
+				elapsedMs,
+				pollCount
+			};
+		}
+		async loadPending(accountId, nearPublicKey) {
+			return this.pendingStore.get(accountId, nearPublicKey);
 		}
 		async savePending(rec) {
-			const key = this.getPendingRecordKey(rec.accountId, rec.nearPublicKey);
-			await IndexedDBManager.clientDB.setAppState(key, rec);
-			await IndexedDBManager.clientDB.setAppState(this.getPendingIndexKey(rec.accountId), rec.nearPublicKey).catch(() => {});
+			await this.pendingStore.set(rec);
 			this.pending = rec;
 		}
 		async clearPending(accountId, nearPublicKey) {
-			const indexKey = this.getPendingIndexKey(accountId);
-			const idx = await IndexedDBManager.clientDB.getAppState(indexKey).catch(() => void 0);
-			const resolvedNearPublicKey = nearPublicKey || idx || "";
-			if (resolvedNearPublicKey) await IndexedDBManager.clientDB.setAppState(this.getPendingRecordKey(accountId, resolvedNearPublicKey), void 0).catch(() => {});
-			if (!nearPublicKey || idx === nearPublicKey) await IndexedDBManager.clientDB.setAppState(indexKey, void 0).catch(() => {});
+			await this.pendingStore.clear(accountId, nearPublicKey);
 			if (this.pending && this.pending.accountId === accountId && (!nearPublicKey || this.pending.nearPublicKey === nearPublicKey)) this.pending = null;
 		}
 		getState() {
@@ -10184,48 +10444,14 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err$1 = this.emitError(3, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			const nearAccountId = toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err$1 = this.emitError(3, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			if (rec.status === "error") {
-				const err$1 = this.emitError(3, "Pending email recovery is in an error state; please restart the flow");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			if (rec.status === "finalizing" || rec.status === "complete") {
-				const err$1 = this.emitError(3, "Recovery email has already been processed on-chain for this request");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(3, accountId);
+			const rec = await this.resolvePendingOrFail(3, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: false });
+			if (rec.status === "finalizing" || rec.status === "complete") await this.fail(3, "Recovery email has already been processed on-chain for this request");
 			const mailtoUrl = rec.status === "awaiting-email" ? await this.buildMailtoUrlAndUpdateStatus(rec) : this.buildMailtoUrlInternal(rec);
-			this.phase = EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
-			this.emit({
-				step: 3,
-				phase: EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
-				status: EmailRecoveryStatus.PROGRESS,
-				message: "New device key created; please send the recovery email from your registered address.",
-				data: {
-					accountId: rec.accountId,
-					recoveryEmail: rec.recoveryEmail,
-					nearPublicKey: rec.nearPublicKey,
-					requestId: rec.requestId,
-					mailtoUrl
-				}
-			});
+			this.emitAwaitEmail(rec, mailtoUrl);
 			await this.options?.afterCall?.(true, void 0);
 			return mailtoUrl;
 		}
@@ -10240,49 +10466,10 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				status: EmailRecoveryStatus.PROGRESS,
 				message: "Preparing email recovery..."
 			});
-			const validation = validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err$1 = this.emitError(1, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			const nearAccountId = toAccountId(accountId);
-			const { minBalanceYocto } = this.getConfig();
-			const STORAGE_PRICE_PER_BYTE = BigInt("10000000000000000000");
-			try {
-				const accountView = await this.context.nearClient.viewAccount(nearAccountId);
-				const amount = BigInt(accountView.amount || "0");
-				const locked = BigInt(accountView.locked || "0");
-				const storageUsage = BigInt(accountView.storage_usage || 0);
-				const storageCost = storageUsage * STORAGE_PRICE_PER_BYTE;
-				const rawAvailable = amount - locked - storageCost;
-				const available = rawAvailable > 0 ? rawAvailable : BigInt(0);
-				if (available < BigInt(minBalanceYocto)) {
-					const err$1 = this.emitError(1, `This account does not have enough NEAR to finalize recovery. Available: ${available.toString()} yocto; required: ${String(minBalanceYocto)}. Please top up and try again.`);
-					await this.options?.afterCall?.(false);
-					throw err$1;
-				}
-			} catch (e) {
-				const err$1 = this.emitError(1, e?.message || "Failed to fetch account balance for recovery");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			const canonicalEmail = String(recoveryEmail || "").trim().toLowerCase();
-			if (!canonicalEmail) {
-				const err$1 = this.emitError(1, "Recovery email is required for email-based account recovery");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			let deviceNumber = 1;
-			try {
-				const { syncAuthenticatorsContractCall: syncAuthenticatorsContractCall$1 } = await import("./rpcCalls-DEv9x5-f.js");
-				const authenticators = await syncAuthenticatorsContractCall$1(this.context.nearClient, this.context.configs.contractId, nearAccountId);
-				const numbers = authenticators.map((a) => a?.authenticator?.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
-				const max = numbers.length > 0 ? Math.max(...numbers) : 0;
-				deviceNumber = max + 1;
-			} catch {
-				deviceNumber = 1;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(1, accountId);
+			await this.assertSufficientBalance(nearAccountId);
+			const canonicalEmail = await this.getCanonicalRecoveryEmailOrFail(recoveryEmail);
+			const deviceNumber = await this.getNextDeviceNumberFromContract(nearAccountId);
 			this.phase = EmailRecoveryPhase.STEP_2_TOUCH_ID_REGISTRATION;
 			this.emit({
 				step: 2,
@@ -10291,69 +10478,24 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				message: "Collecting passkey for email recovery..."
 			});
 			try {
-				const confirmerText = {
-					title: this.options?.confirmerText?.title ?? "Register New Recovery Account",
-					body: this.options?.confirmerText?.body ?? "Create a recovery account and send an encrypted email to recover your account."
-				};
-				const confirm = await this.context.webAuthnManager.requestRegistrationCredentialConfirmation({
-					nearAccountId,
-					deviceNumber,
-					confirmerText,
-					confirmationConfigOverride: this.options?.confirmationConfig
-				});
-				if (!confirm.confirmed || !confirm.credential) {
-					const err$1 = this.emitError(2, "User cancelled email recovery TouchID confirmation");
-					await this.options?.afterCall?.(false);
-					throw err$1;
-				}
-				const vrfDerivationResult = await this.context.webAuthnManager.deriveVrfKeypair({
-					credential: confirm.credential,
-					nearAccountId
-				});
-				if (!vrfDerivationResult.success || !vrfDerivationResult.encryptedVrfKeypair) {
-					const err$1 = this.emitError(2, "Failed to derive VRF keypair from PRF for email recovery");
-					await this.options?.afterCall?.(false);
-					throw err$1;
-				}
-				const nearKeyResult = await this.context.webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({
-					nearAccountId,
-					credential: confirm.credential,
-					options: { deviceNumber }
-				});
-				if (!nearKeyResult.success || !nearKeyResult.publicKey) {
-					const err$1 = this.emitError(2, "Failed to derive NEAR keypair for email recovery");
-					await this.options?.afterCall?.(false);
-					throw err$1;
-				}
+				const confirm = await this.collectRecoveryCredentialOrFail(nearAccountId, deviceNumber);
+				const derivedKeys = await this.deriveRecoveryKeysOrFail(nearAccountId, deviceNumber, confirm.credential);
 				const rec = {
 					accountId: nearAccountId,
 					recoveryEmail: canonicalEmail,
 					deviceNumber,
-					nearPublicKey: nearKeyResult.publicKey,
+					nearPublicKey: derivedKeys.nearPublicKey,
 					requestId: generateEmailRecoveryRequestId(),
-					encryptedVrfKeypair: vrfDerivationResult.encryptedVrfKeypair,
-					serverEncryptedVrfKeypair: vrfDerivationResult.serverEncryptedVrfKeypair || null,
-					vrfPublicKey: vrfDerivationResult.vrfPublicKey,
+					encryptedVrfKeypair: derivedKeys.encryptedVrfKeypair,
+					serverEncryptedVrfKeypair: derivedKeys.serverEncryptedVrfKeypair,
+					vrfPublicKey: derivedKeys.vrfPublicKey,
 					credential: confirm.credential,
 					vrfChallenge: confirm.vrfChallenge || void 0,
 					createdAt: Date.now(),
 					status: "awaiting-email"
 				};
 				const mailtoUrl = await this.buildMailtoUrlAndUpdateStatus(rec);
-				this.phase = EmailRecoveryPhase.STEP_3_AWAIT_EMAIL;
-				this.emit({
-					step: 3,
-					phase: EmailRecoveryPhase.STEP_3_AWAIT_EMAIL,
-					status: EmailRecoveryStatus.PROGRESS,
-					message: "New device key created; please send the recovery email from your registered address.",
-					data: {
-						accountId: rec.accountId,
-						recoveryEmail: rec.recoveryEmail,
-						nearPublicKey: rec.nearPublicKey,
-						requestId: rec.requestId,
-						mailtoUrl
-					}
-				});
+				this.emitAwaitEmail(rec, mailtoUrl);
 				await this.options?.afterCall?.(true, void 0);
 				return {
 					mailtoUrl,
@@ -10381,28 +10523,11 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err$1 = this.emitError(4, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			const nearAccountId = toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err$1 = this.emitError(4, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			if (rec.status === "error") {
-				const err$1 = this.emitError(4, "Pending email recovery is in an error state; please restart the flow");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(4, accountId);
+			const rec = await this.resolvePendingOrFail(4, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: false });
 			if (rec.status === "complete" || rec.status === "finalizing") {
 				await this.options?.afterCall?.(true, void 0);
 				return;
@@ -10442,23 +10567,11 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			const { accountId, nearPublicKey } = args;
 			this.cancelled = false;
 			this.error = void 0;
-			const validation = validateNearAccountId(accountId);
-			if (!validation.valid) {
-				const err$1 = this.emitError(4, `Invalid NEAR account ID: ${validation.error}`);
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
-			const nearAccountId = toAccountId(accountId);
-			let rec = this.pending;
-			if (!rec || rec.accountId !== nearAccountId || nearPublicKey && rec.nearPublicKey !== nearPublicKey) {
-				rec = await this.loadPending(nearAccountId, nearPublicKey);
-				this.pending = rec;
-			}
-			if (!rec) {
-				const err$1 = this.emitError(4, "No pending email recovery record found for this account");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
+			const nearAccountId = await this.assertValidAccountIdOrFail(4, accountId);
+			const rec = await this.resolvePendingOrFail(4, {
+				accountId: nearAccountId,
+				nearPublicKey
+			}, { allowErrorStatus: true });
 			this.emit({
 				step: 0,
 				phase: EmailRecoveryPhase.RESUMED_FROM_PENDING,
@@ -10494,245 +10607,230 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			}
 			this.phase = EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT;
 			this.pollingStartedAt = Date.now();
-			let pollCount = 0;
-			while (!this.cancelled) {
-				pollCount += 1;
-				const elapsed = Date.now() - (this.pollingStartedAt || 0);
-				if (elapsed > maxPollingDurationMs) {
-					const err$2 = this.emitError(4, "Timed out waiting for recovery email to be processed on-chain");
+			const pollResult = await this.pollUntil({
+				intervalMs: pollingIntervalMs,
+				timeoutMs: maxPollingDurationMs,
+				isCancelled: () => this.cancelled,
+				tick: async ({ elapsedMs, pollCount }) => {
+					const verification = await this.checkViaDkimViewMethod(rec);
+					const completed = verification?.completed === true;
+					const success = verification?.success === true;
+					this.emit({
+						step: 4,
+						phase: EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT,
+						status: EmailRecoveryStatus.PROGRESS,
+						message: completed && success ? `Email verified for request ${rec.requestId}; finalizing registration` : `Waiting for email verification for request ${rec.requestId}`,
+						data: this.buildPollingEventData(rec, {
+							transactionHash: verification?.transactionHash,
+							elapsedMs,
+							pollCount
+						})
+					});
+					if (!completed) return { done: false };
+					if (!success) return {
+						done: true,
+						value: {
+							outcome: "failed",
+							errorMessage: verification?.errorMessage || "Email verification failed"
+						}
+					};
+					return {
+						done: true,
+						value: { outcome: "verified" }
+					};
+				}
+			});
+			if (pollResult.status === "completed") {
+				if (pollResult.value.outcome === "failed") {
+					const err$2 = this.emitError(4, pollResult.value.errorMessage);
 					rec.status = "error";
 					await this.savePending(rec);
 					await this.options?.afterCall?.(false);
 					throw err$2;
 				}
-				const verification = await this.checkVerificationStatus(rec);
-				const completed = verification?.completed === true;
-				const success = verification?.success === true;
-				this.emit({
-					step: 4,
-					phase: EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT,
-					status: EmailRecoveryStatus.PROGRESS,
-					message: completed && success ? `Email verified for request ${rec.requestId}; finalizing registration` : `Waiting for email verification for request ${rec.requestId}`,
-					data: {
-						accountId: rec.accountId,
-						requestId: rec.requestId,
-						nearPublicKey: rec.nearPublicKey,
-						transactionHash: verification?.transactionHash,
-						elapsedMs: elapsed,
-						pollCount
-					}
-				});
-				if (completed) {
-					if (!success) {
-						const err$2 = this.emitError(4, verification?.errorMessage || "Email verification failed");
-						rec.status = "error";
-						await this.savePending(rec);
-						await this.options?.afterCall?.(false);
-						throw err$2;
-					}
-					rec.status = "finalizing";
-					await this.savePending(rec);
-					return;
-				}
-				if (this.cancelled) break;
-				await new Promise((resolve) => {
-					this.pollIntervalResolver = resolve;
-					this.pollingTimer = setTimeout(() => {
-						this.pollIntervalResolver = void 0;
-						this.pollingTimer = void 0;
-						resolve();
-					}, pollingIntervalMs);
-				}).finally(() => {
-					this.pollIntervalResolver = void 0;
-				});
+				rec.status = "finalizing";
+				await this.savePending(rec);
+				return;
+			}
+			if (pollResult.status === "timedOut") {
+				const err$2 = this.emitError(4, "Timed out waiting for recovery email to be processed on-chain");
+				rec.status = "error";
+				await this.savePending(rec);
+				await this.options?.afterCall?.(false);
+				throw err$2;
 			}
 			const err$1 = this.emitError(4, "Email recovery polling was cancelled");
 			await this.options?.afterCall?.(false);
 			throw err$1;
 		}
-		async finalizeRegistration(rec) {
-			this.phase = EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION;
-			this.emit({
-				step: 5,
-				phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-				status: EmailRecoveryStatus.PROGRESS,
-				message: "Finalizing email recovery registration...",
-				data: {
-					accountId: rec.accountId,
-					nearPublicKey: rec.nearPublicKey
-				}
-			});
+		initializeNonceManager(rec) {
 			const nonceManager = this.context.webAuthnManager.getNonceManager();
 			const accountId = toAccountId(rec.accountId);
 			nonceManager.initializeUser(accountId, rec.nearPublicKey);
+			return {
+				nonceManager,
+				accountId
+			};
+		}
+		async signRegistrationTx(rec, accountId) {
+			const vrfChallenge = rec.vrfChallenge;
+			if (!vrfChallenge) return this.fail(5, "Missing VRF challenge for email recovery registration");
+			const registrationResult = await this.context.webAuthnManager.signDevice2RegistrationWithStoredKey({
+				nearAccountId: accountId,
+				credential: rec.credential,
+				vrfChallenge,
+				deterministicVrfPublicKey: rec.vrfPublicKey,
+				deviceNumber: rec.deviceNumber
+			});
+			if (!registrationResult.success || !registrationResult.signedTransaction) await this.fail(5, registrationResult.error || "Failed to sign email recovery registration transaction");
+			return registrationResult.signedTransaction;
+		}
+		async broadcastRegistrationTxAndWaitFinal(rec, signedTx) {
 			try {
-				if (!rec.vrfChallenge) {
-					const err$1 = this.emitError(5, "Missing VRF challenge for email recovery registration");
-					await this.options?.afterCall?.(false);
-					throw err$1;
-				}
-				const registrationResult = await this.context.webAuthnManager.signDevice2RegistrationWithStoredKey({
-					nearAccountId: accountId,
-					credential: rec.credential,
-					vrfChallenge: rec.vrfChallenge,
-					deterministicVrfPublicKey: rec.vrfPublicKey,
-					deviceNumber: rec.deviceNumber
-				});
-				if (!registrationResult.success || !registrationResult.signedTransaction) {
-					const err$1 = this.emitError(5, registrationResult.error || "Failed to sign email recovery registration transaction");
-					await this.options?.afterCall?.(false);
-					throw err$1;
-				}
-				const signedTx = registrationResult.signedTransaction;
+				const txResult = await this.context.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.linkDeviceRegistration);
 				try {
-					const txResult = await this.context.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.linkDeviceRegistration);
-					try {
-						const txHash = txResult?.transaction?.hash || txResult?.transaction_hash;
-						if (txHash) {
-							this.emit({
-								step: 5,
-								phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-								status: EmailRecoveryStatus.PROGRESS,
-								message: "Registration transaction confirmed",
-								data: {
-									accountId: rec.accountId,
-									nearPublicKey: rec.nearPublicKey,
-									transactionHash: txHash
-								}
-							});
-							try {
-								await IndexedDBManager.clientDB.storeWebAuthnUserData({
-									nearAccountId: accountId,
-									deviceNumber: rec.deviceNumber,
-									clientNearPublicKey: rec.nearPublicKey,
-									passkeyCredential: {
-										id: rec.credential.id,
-										rawId: rec.credential.rawId
-									},
-									encryptedVrfKeypair: rec.encryptedVrfKeypair,
-									serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
-								});
-								const { syncAuthenticatorsContractCall: syncAuthenticatorsContractCall$1 } = await import("./rpcCalls-DEv9x5-f.js");
-								const authenticators = await syncAuthenticatorsContractCall$1(this.context.nearClient, this.context.configs.contractId, accountId);
-								const mappedAuthenticators = authenticators.map(({ authenticator }) => ({
-									credentialId: authenticator.credentialId,
-									credentialPublicKey: authenticator.credentialPublicKey,
-									transports: authenticator.transports,
-									name: authenticator.name,
-									registered: authenticator.registered.toISOString(),
-									vrfPublicKey: authenticator.vrfPublicKeys?.[0] || "",
-									deviceNumber: authenticator.deviceNumber
-								}));
-								await IndexedDBManager.clientDB.syncAuthenticatorsFromContract(accountId, mappedAuthenticators);
-								await IndexedDBManager.clientDB.setLastUser(accountId, rec.deviceNumber);
-							} catch (syncErr) {
-								console.warn("[EmailRecoveryFlow] Failed to sync authenticators after recovery:", syncErr);
-							}
+					const txHash = txResult?.transaction?.hash || txResult?.transaction_hash;
+					if (txHash) this.emit({
+						step: 5,
+						phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+						status: EmailRecoveryStatus.PROGRESS,
+						message: "Registration transaction confirmed",
+						data: {
+							accountId: rec.accountId,
+							nearPublicKey: rec.nearPublicKey,
+							transactionHash: txHash
 						}
-					} catch {}
-				} catch (e) {
-					const msg = String(e?.message || "");
-					const err$1 = this.emitError(5, msg || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)");
-					await this.options?.afterCall?.(false);
-					throw err$1;
-				}
-				try {
-					const txNonce = signedTx.transaction?.nonce;
-					if (txNonce != null) await nonceManager.updateNonceFromBlockchain(this.context.nearClient, String(txNonce));
+					});
+					return txHash;
 				} catch {}
+			} catch (e) {
+				const msg = String(e?.message || "");
+				await this.fail(5, msg || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)");
+			}
+			return void 0;
+		}
+		mapAuthenticatorsFromContract(authenticators) {
+			return authenticators.map(({ authenticator }) => ({
+				credentialId: authenticator.credentialId,
+				credentialPublicKey: authenticator.credentialPublicKey,
+				transports: authenticator.transports,
+				name: authenticator.name,
+				registered: authenticator.registered.toISOString(),
+				vrfPublicKey: authenticator.vrfPublicKeys?.[0] || "",
+				deviceNumber: authenticator.deviceNumber
+			}));
+		}
+		async syncAuthenticatorsBestEffort(accountId) {
+			try {
+				const { syncAuthenticatorsContractCall: syncAuthenticatorsContractCall$1 } = await import("./rpcCalls-BQrJMTdg.js");
+				const authenticators = await syncAuthenticatorsContractCall$1(this.context.nearClient, this.context.configs.contractId, accountId);
+				const mappedAuthenticators = this.mapAuthenticatorsFromContract(authenticators);
+				await IndexedDBManager.clientDB.syncAuthenticatorsFromContract(accountId, mappedAuthenticators);
+				return true;
+			} catch (err$1) {
+				console.warn("[EmailRecoveryFlow] Failed to sync authenticators after recovery:", err$1);
+				return false;
+			}
+		}
+		async setLastUserBestEffort(accountId, deviceNumber) {
+			try {
+				await IndexedDBManager.clientDB.setLastUser(accountId, deviceNumber);
+				return true;
+			} catch (err$1) {
+				console.warn("[EmailRecoveryFlow] Failed to set last user after recovery:", err$1);
+				return false;
+			}
+		}
+		async updateNonceBestEffort(nonceManager, signedTx) {
+			try {
+				const txNonce = signedTx.transaction?.nonce;
+				if (txNonce != null) await nonceManager.updateNonceFromBlockchain(this.context.nearClient, String(txNonce));
+			} catch {}
+		}
+		async persistRecoveredUserData(rec, accountId) {
+			const { webAuthnManager } = this.context;
+			const payload = {
+				nearAccountId: accountId,
+				deviceNumber: rec.deviceNumber,
+				clientNearPublicKey: rec.nearPublicKey,
+				lastUpdated: Date.now(),
+				passkeyCredential: {
+					id: rec.credential.id,
+					rawId: rec.credential.rawId
+				},
+				encryptedVrfKeypair: {
+					encryptedVrfDataB64u: rec.encryptedVrfKeypair.encryptedVrfDataB64u,
+					chacha20NonceB64u: rec.encryptedVrfKeypair.chacha20NonceB64u
+				},
+				serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
+			};
+			await webAuthnManager.storeUserData(payload);
+		}
+		/**
+		* Explicitly persist the authenticator from the recovery record into the local cache.
+		* This ensures the key is available immediately, bridging the gap before RPC sync sees it.
+		*/
+		async persistAuthenticatorBestEffort(rec, accountId) {
+			try {
 				const { webAuthnManager } = this.context;
-				await webAuthnManager.storeUserData({
+				const attestationB64u = rec.credential.response.attestationObject;
+				const credentialPublicKey = await webAuthnManager.extractCosePublicKey(attestationB64u);
+				await webAuthnManager.storeAuthenticator({
 					nearAccountId: accountId,
 					deviceNumber: rec.deviceNumber,
-					clientNearPublicKey: rec.nearPublicKey,
-					lastUpdated: Date.now(),
-					passkeyCredential: {
-						id: rec.credential.id,
-						rawId: rec.credential.rawId
-					},
-					encryptedVrfKeypair: {
-						encryptedVrfDataB64u: rec.encryptedVrfKeypair.encryptedVrfDataB64u,
-						chacha20NonceB64u: rec.encryptedVrfKeypair.chacha20NonceB64u
-					},
-					serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
-				});
-				try {
-					const attestationB64u = rec.credential.response.attestationObject;
-					const credentialPublicKey = await webAuthnManager.extractCosePublicKey(attestationB64u);
-					await webAuthnManager.storeAuthenticator({
-						nearAccountId: accountId,
-						deviceNumber: rec.deviceNumber,
-						credentialId: rec.credential.rawId,
-						credentialPublicKey,
-						transports: ["internal"],
-						name: `Device ${rec.deviceNumber} Passkey for ${rec.accountId.split(".")[0]}`,
-						registered: (/* @__PURE__ */ new Date()).toISOString(),
-						syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
-						vrfPublicKey: rec.vrfPublicKey
-					});
-				} catch {}
-				await this.attemptAutoLogin(rec);
-				rec.status = "complete";
-				await this.savePending(rec);
-				await this.clearPending(rec.accountId, rec.nearPublicKey);
-				this.phase = EmailRecoveryPhase.STEP_6_COMPLETE;
-				this.emit({
-					step: 6,
-					phase: EmailRecoveryPhase.STEP_6_COMPLETE,
-					status: EmailRecoveryStatus.SUCCESS,
-					message: "Email recovery completed successfully",
-					data: {
-						accountId: rec.accountId,
-						nearPublicKey: rec.nearPublicKey
-					}
+					credentialId: rec.credential.rawId,
+					credentialPublicKey,
+					transports: ["internal"],
+					name: `Device ${rec.deviceNumber} Passkey for ${rec.accountId.split(".")[0]}`,
+					registered: (/* @__PURE__ */ new Date()).toISOString(),
+					syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
+					vrfPublicKey: rec.vrfPublicKey
 				});
+				console.log("[EmailRecoveryFlow] Locally persisted recovered authenticator for immediate use.");
 			} catch (e) {
-				const err$1 = this.emitError(5, e?.message || "Email recovery finalization failed");
-				await this.options?.afterCall?.(false);
-				throw err$1;
+				console.error("[EmailRecoveryFlow] Failed to locally persist authenticator (critical for immediate export):", e);
 			}
 		}
-		async attemptAutoLogin(rec) {
+		async markCompleteAndClearPending(rec) {
+			rec.status = "complete";
+			await this.savePending(rec);
+			await this.clearPending(rec.accountId, rec.nearPublicKey);
+		}
+		async assertVrfActiveForAccount(accountId, message) {
+			const vrfStatus = await this.context.webAuthnManager.checkVrfStatus();
+			const vrfActiveForAccount = vrfStatus.active && vrfStatus.nearAccountId && String(vrfStatus.nearAccountId) === String(accountId);
+			if (!vrfActiveForAccount) throw new Error(message);
+		}
+		async finalizeLocalLoginState(accountId, deviceNumber) {
+			const { webAuthnManager } = this.context;
+			await webAuthnManager.setLastUser(accountId, deviceNumber);
+			await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
 			try {
-				this.emit({
-					step: 5,
-					phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: EmailRecoveryStatus.PROGRESS,
-					message: "Attempting auto-login with recovered device...",
-					data: { autoLogin: "progress" }
+				await getLoginSession(this.context, accountId);
+			} catch {}
+		}
+		async tryShamirUnlock(rec, accountId, deviceNumber) {
+			if (!rec.serverEncryptedVrfKeypair || !rec.serverEncryptedVrfKeypair.serverKeyId || !this.context.configs.vrfWorkerConfigs?.shamir3pass?.relayServerUrl) return false;
+			try {
+				const { webAuthnManager } = this.context;
+				const unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({
+					nearAccountId: accountId,
+					kek_s_b64u: rec.serverEncryptedVrfKeypair.kek_s_b64u,
+					ciphertextVrfB64u: rec.serverEncryptedVrfKeypair.ciphertextVrfB64u,
+					serverKeyId: rec.serverEncryptedVrfKeypair.serverKeyId
 				});
+				if (!unlockResult.success) return false;
+				await this.assertVrfActiveForAccount(accountId, "VRF session inactive after Shamir3Pass unlock");
+				await this.finalizeLocalLoginState(accountId, deviceNumber);
+				return true;
+			} catch (err$1) {
+				console.warn("[EmailRecoveryFlow] Shamir 3-pass unlock failed, falling back to TouchID", err$1);
+				return false;
+			}
+		}
+		async tryTouchIdUnlock(rec, accountId, deviceNumber) {
+			try {
 				const { webAuthnManager } = this.context;
-				const accountId = toAccountId(rec.accountId);
-				const deviceNumber = parseDeviceNumber(rec.deviceNumber, { min: 1 });
-				if (deviceNumber === null) throw new Error(`Invalid deviceNumber for auto-login: ${String(rec.deviceNumber)}`);
-				if (rec.serverEncryptedVrfKeypair && rec.serverEncryptedVrfKeypair.serverKeyId && this.context.configs.vrfWorkerConfigs?.shamir3pass?.relayServerUrl) try {
-					const unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({
-						nearAccountId: accountId,
-						kek_s_b64u: rec.serverEncryptedVrfKeypair.kek_s_b64u,
-						ciphertextVrfB64u: rec.serverEncryptedVrfKeypair.ciphertextVrfB64u,
-						serverKeyId: rec.serverEncryptedVrfKeypair.serverKeyId
-					});
-					if (unlockResult.success) {
-						const vrfStatus$1 = await webAuthnManager.checkVrfStatus();
-						const vrfActiveForAccount$1 = vrfStatus$1.active && vrfStatus$1.nearAccountId && String(vrfStatus$1.nearAccountId) === String(accountId);
-						if (!vrfActiveForAccount$1) throw new Error("VRF session inactive after Shamir3Pass unlock");
-						await webAuthnManager.setLastUser(accountId, deviceNumber);
-						await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
-						try {
-							await getLoginSession(this.context, accountId);
-						} catch {}
-						this.emit({
-							step: 5,
-							phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-							status: EmailRecoveryStatus.SUCCESS,
-							message: `Welcome ${accountId}`,
-							data: { autoLogin: "success" }
-						});
-						return;
-					}
-				} catch (err$1) {
-					console.warn("[EmailRecoveryFlow] Shamir 3-pass unlock failed, falling back to TouchID", err$1);
-				}
 				const authChallenge = createRandomVRFChallenge();
 				const storedCredentialId = String(rec.credential?.rawId || rec.credential?.id || "").trim();
 				const credentialIds = storedCredentialId ? [storedCredentialId] : [];
@@ -10742,43 +10840,104 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 					challenge: authChallenge,
 					credentialIds: credentialIds.length > 0 ? credentialIds : authenticators.map((a) => a.credentialId)
 				});
-				if (storedCredentialId && authCredential.rawId !== storedCredentialId) throw new Error("Wrong passkey selected during recovery auto-login; please use the newly recovered passkey.");
+				if (storedCredentialId && authCredential.rawId !== storedCredentialId) return {
+					success: false,
+					reason: "Wrong passkey selected during recovery auto-login; please use the newly recovered passkey."
+				};
 				const vrfUnlockResult = await webAuthnManager.unlockVRFKeypair({
 					nearAccountId: accountId,
 					encryptedVrfKeypair: rec.encryptedVrfKeypair,
 					credential: authCredential
 				});
-				if (!vrfUnlockResult.success) throw new Error(vrfUnlockResult.error || "VRF unlock failed during auto-login");
-				const vrfStatus = await webAuthnManager.checkVrfStatus();
-				const vrfActiveForAccount = vrfStatus.active && vrfStatus.nearAccountId && String(vrfStatus.nearAccountId) === String(accountId);
-				if (!vrfActiveForAccount) throw new Error("VRF session inactive after TouchID unlock");
-				await webAuthnManager.setLastUser(accountId, deviceNumber);
-				await webAuthnManager.initializeCurrentUser(accountId, this.context.nearClient);
-				try {
-					await getLoginSession(this.context, accountId);
-				} catch {}
-				this.emit({
-					step: 5,
-					phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: EmailRecoveryStatus.SUCCESS,
-					message: `Welcome ${accountId}`,
-					data: { autoLogin: "success" }
-				});
+				if (!vrfUnlockResult.success) return {
+					success: false,
+					reason: vrfUnlockResult.error || "VRF unlock failed during auto-login"
+				};
+				await this.assertVrfActiveForAccount(accountId, "VRF session inactive after TouchID unlock");
+				await this.finalizeLocalLoginState(accountId, deviceNumber);
+				return { success: true };
 			} catch (err$1) {
-				console.warn("[EmailRecoveryFlow] Auto-login failed after recovery", err$1);
-				try {
-					await this.context.webAuthnManager.clearVrfSession();
-				} catch {}
+				return {
+					success: false,
+					reason: err$1?.message || String(err$1)
+				};
+			}
+		}
+		async handleAutoLoginFailure(reason, err$1) {
+			console.warn("[EmailRecoveryFlow] Auto-login failed after recovery", err$1 ?? reason);
+			try {
+				await this.context.webAuthnManager.clearVrfSession();
+			} catch {}
+			return {
+				success: false,
+				reason
+			};
+		}
+		async finalizeRegistration(rec) {
+			this.phase = EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION;
+			this.emit({
+				step: 5,
+				phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+				status: EmailRecoveryStatus.PROGRESS,
+				message: "Finalizing email recovery registration...",
+				data: {
+					accountId: rec.accountId,
+					nearPublicKey: rec.nearPublicKey
+				}
+			});
+			try {
+				const { nonceManager, accountId } = this.initializeNonceManager(rec);
+				const signedTx = await this.signRegistrationTx(rec, accountId);
+				const txHash = await this.broadcastRegistrationTxAndWaitFinal(rec, signedTx);
+				if (!txHash) console.warn("[EmailRecoveryFlow] Registration transaction confirmed without hash; continuing local persistence");
+				await this.persistRecoveredUserData(rec, accountId);
+				await this.syncAuthenticatorsBestEffort(accountId);
+				await this.persistAuthenticatorBestEffort(rec, accountId);
+				await this.setLastUserBestEffort(accountId, rec.deviceNumber);
+				await this.updateNonceBestEffort(nonceManager, signedTx);
+				this.emitAutoLoginEvent(EmailRecoveryStatus.PROGRESS, "Attempting auto-login with recovered device...", { autoLogin: "progress" });
+				const autoLoginResult = await this.attemptAutoLogin(rec);
+				if (autoLoginResult.success) this.emitAutoLoginEvent(EmailRecoveryStatus.SUCCESS, `Welcome ${accountId}`, { autoLogin: "success" });
+				else this.emitAutoLoginEvent(EmailRecoveryStatus.ERROR, "Auto-login failed; please log in manually on this device.", {
+					error: autoLoginResult.reason,
+					autoLogin: "error"
+				});
+				await this.markCompleteAndClearPending(rec);
+				this.phase = EmailRecoveryPhase.STEP_6_COMPLETE;
 				this.emit({
-					step: 5,
-					phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-					status: EmailRecoveryStatus.ERROR,
-					message: "Auto-login failed; please log in manually on this device.",
+					step: 6,
+					phase: EmailRecoveryPhase.STEP_6_COMPLETE,
+					status: EmailRecoveryStatus.SUCCESS,
+					message: "Email recovery completed successfully",
 					data: {
-						error: err$1?.message || String(err$1),
-						autoLogin: "error"
+						accountId: rec.accountId,
+						nearPublicKey: rec.nearPublicKey
 					}
 				});
+			} catch (e) {
+				const err$1 = this.emitError(5, e?.message || "Email recovery finalization failed");
+				await this.options?.afterCall?.(false);
+				throw err$1;
+			}
+		}
+		async attemptAutoLogin(rec) {
+			try {
+				const accountId = toAccountId(rec.accountId);
+				const deviceNumber = parseDeviceNumber(rec.deviceNumber, { min: 1 });
+				if (deviceNumber === null) return this.handleAutoLoginFailure(`Invalid deviceNumber for auto-login: ${String(rec.deviceNumber)}`);
+				const shamirUnlocked = await this.tryShamirUnlock(rec, accountId, deviceNumber);
+				if (shamirUnlocked) return {
+					success: true,
+					method: "shamir"
+				};
+				const touchIdResult = await this.tryTouchIdUnlock(rec, accountId, deviceNumber);
+				if (touchIdResult.success) return {
+					success: true,
+					method: "touchid"
+				};
+				return this.handleAutoLoginFailure(touchIdResult.reason || "Auto-login failed");
+			} catch (err$1) {
+				return this.handleAutoLoginFailure(err$1?.message || String(err$1), err$1);
 			}
 		}
 	};
@@ -10793,6 +10952,7 @@ init_IndexedDBManager();
 init_actions();
 init_errors();
 init_rpcCalls();
+init_EmailRecovery();
 init_defaultConfigs();
 let warnedAboutSameOriginWallet = false;
 /**
@@ -10849,7 +11009,7 @@ var TatchiPasskey = class {
 		} catch {}
 		if (!this.iframeRouter) {
 			if (!this.walletIframeInitInFlight) this.walletIframeInitInFlight = (async () => {
-				const { WalletIframeRouter } = await import("./router-BLFegW7J.js");
+				const { WalletIframeRouter } = await import("./router-DuGYOd3G.js");
 				this.iframeRouter = new WalletIframeRouter({
 					walletOrigin,
 					servicePath: walletIframeConfig?.walletServicePath || "/wallet-service",