npm - @tatchi-xyz/sdk - Versions diffs - 0.18.0 → 0.20.0 - Mend

@tatchi-xyz/sdk 0.18.0 → 0.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (112) hide show

package/dist/cjs/core/EmailRecovery/index.js CHANGED Viewed

@@ -1,9 +1,32 @@
 const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 const require_accountIds = require('../types/accountIds.js');
 const require_index = require('../IndexedDBManager/index.js');
+const require_base64 = require('../../utils/base64.js');
 const require_emailRecoveryPendingStore = require('./emailRecoveryPendingStore.js');
 //#region src/core/EmailRecovery/index.ts
+function getTxSuccessValueBase64(outcome) {
+	const status = outcome.status;
+	if (!status || typeof status !== "object") return null;
+	if (!("SuccessValue" in status)) return null;
+	const value = status.SuccessValue;
+	return typeof value === "string" && value.length > 0 ? value : null;
+}
+function parseLinkDeviceRegisterUserResponse(outcome) {
+	try {
+		const successValueB64 = getTxSuccessValueBase64(outcome);
+		if (!successValueB64) return null;
+		const bytes = require_base64.base64Decode(successValueB64);
+		const text = new TextDecoder().decode(bytes);
+		if (!text.trim()) return null;
+		const parsed = JSON.parse(text);
+		if (!parsed || typeof parsed !== "object") return null;
+		const candidate = parsed;
+		return typeof candidate.verified === "boolean" ? candidate : null;
+	} catch {
+		return null;
+	}
+}
 async function hashRecoveryEmails(emails, accountId) {
 	const encoder = new TextEncoder();
 	const salt = (accountId || "").trim().toLowerCase();
@@ -54,6 +77,7 @@ var canonicalizeEmail, bytesToHex;
 var init_EmailRecovery = require_rolldown_runtime.__esm({ "src/core/EmailRecovery/index.ts": (() => {
 	require_accountIds.init_accountIds();
 	require_index.init_IndexedDBManager();
+	require_base64.init_base64();
 	require_emailRecoveryPendingStore.init_emailRecoveryPendingStore();
 	canonicalizeEmail = (email) => {
 		const raw = String(email || "").trim();
@@ -85,5 +109,6 @@ Object.defineProperty(exports, 'init_EmailRecovery', {
     return init_EmailRecovery;
   }
 });
+exports.parseLinkDeviceRegisterUserResponse = parseLinkDeviceRegisterUserResponse;
 exports.prepareRecoveryEmails = prepareRecoveryEmails;
 //# sourceMappingURL=index.js.map

package/dist/cjs/core/EmailRecovery/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["hashed: number[][]","toAccountId","pairs: RecoveryEmailEntry[]","IndexedDBManager"],"sources":["../../../../src/core/EmailRecovery/index.ts"],"sourcesContent":["import type { AccountId } from '../types/accountIds';\nimport { toAccountId } from '../types/accountIds';\nimport { IndexedDBManager, type RecoveryEmailRecord } from '../IndexedDBManager';\nexport { EmailRecoveryPendingStore, type PendingStore } from './emailRecoveryPendingStore';\n\nexport type RecoveryEmailEntry = {\n hashHex: string;\n email: string;\n};\n\nexport { type RecoveryEmailRecord };\n\nexport const canonicalizeEmail = (email: string): string => {\n const raw = String(email \|\| '').trim();\n if (!raw) return '';\n\n // Handle cases where a full header line is passed in (e.g. \"From: ...\").\n const withoutHeaderName = raw.replace(/^[a-z0-9-]+\\s:\\s/i, '').trim();\n\n const emailRegex =\n /([a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))/;\n\n // Prefer the common \"Name <email@domain>\" format when present, but still\n // validate/extract the actual address via regex.\n const angleMatch = withoutHeaderName.match(/<([^>]+)>/);\n const candidates = [\n angleMatch?.[1],\n withoutHeaderName,\n ].filter((v): v is string => typeof v === 'string' && v.length > 0);\n\n for (const candidate of candidates) {\n const cleaned = candidate.replace(/^mailto:\\s/i, '');\n const match = cleaned.match(emailRegex);\n if (match?.[1]) {\n return match[1].trim().toLowerCase();\n }\n }\n\n return withoutHeaderName.toLowerCase();\n};\n\nexport const bytesToHex = (bytes: number[] \| Uint8Array): string => {\n const arr = bytes instanceof Uint8Array ? bytes : Uint8Array.from(bytes);\n return `0x${Array.from(arr)\n .map(b => b.toString(16).padStart(2, '0'))\n .join('')}`;\n};\n\nasync function hashRecoveryEmails(emails: string[], accountId: AccountId): Promise<number[][]> {\n const encoder = new TextEncoder();\n const salt = (accountId \|\| '').trim().toLowerCase();\n const normalized = (emails \|\| [])\n .map(e => e.trim())\n .filter(e => e.length > 0);\n\n const hashed: number[][] = [];\n\n for (const email of normalized) {\n try {\n const canonicalEmail = canonicalizeEmail(email);\n const input = `${canonicalEmail}\|${salt}`;\n const data = encoder.encode(input);\n const digest = await crypto.subtle.digest('SHA-256', data);\n const bytes = new Uint8Array(digest);\n hashed.push(Array.from(bytes));\n } catch {\n const bytes = encoder.encode(email.toLowerCase());\n hashed.push(Array.from(bytes));\n }\n }\n\n return hashed;\n}\n\n/\n Canonicalize and hash recovery emails for an account, and persist the mapping\n * (hashHex → canonical email) in IndexedDB on a best-effort basis.\n */\nexport async function prepareRecoveryEmails(nearAccountId: AccountId, recoveryEmails: string[]): Promise<{\n hashes: number[][];\n pairs: RecoveryEmailEntry[];\n}> {\n const accountId = toAccountId(nearAccountId);\n\n const trimmedEmails = (recoveryEmails \|\| []).map(e => e.trim()).filter(e => e.length > 0);\n const canonicalEmails = trimmedEmails.map(canonicalizeEmail);\n const recoveryEmailHashes = await hashRecoveryEmails(recoveryEmails, accountId);\n\n const pairs: RecoveryEmailEntry[] = recoveryEmailHashes.map((hashBytes, idx) => ({\n hashHex: bytesToHex(hashBytes),\n email: canonicalEmails[idx],\n }));\n\n void (async () => {\n try {\n await IndexedDBManager.upsertRecoveryEmails(accountId, pairs);\n } catch (error) {\n console.warn('[EmailRecovery] Failed to persist local recovery emails', error);\n }\n })();\n\n return { hashes: recoveryEmailHashes, pairs };\n}\n\nexport async function getLocalRecoveryEmails(nearAccountId: AccountId): Promise<RecoveryEmailRecord[]> {\n return IndexedDBManager.getRecoveryEmails(nearAccountId);\n}\n"],"mappings":"~~;;;;;;AAgDA~~,eAAe,mBAAmB,QAAkB,WAA2C;CAC7F,MAAM,UAAU,IAAI;CACpB,MAAM,QAAQ,aAAa,IAAI,OAAO;CACtC,MAAM,cAAc,UAAU,IAC3B,KAAI,MAAK,EAAE,QACX,QAAO,MAAK,EAAE,SAAS;CAE1B,~~MAAMA~~,SAAqB;AAE3B,MAAK,MAAM,SAAS,WAClB,KAAI;EACF,MAAM,iBAAiB,kBAAkB;EACzC,MAAM,QAAQ,GAAG,eAAe,GAAG;EACnC,MAAM,OAAO,QAAQ,OAAO;EAC5B,MAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW;EACrD,MAAM,QAAQ,IAAI,WAAW;AAC7B,SAAO,KAAK,MAAM,KAAK;SACjB;EACN,MAAM,QAAQ,QAAQ,OAAO,MAAM;AACnC,SAAO,KAAK,MAAM,KAAK;;AAI3B,QAAO;;;;;;AAOT,eAAsB,sBAAsB,eAA0B,gBAGnE;CACD,MAAM,YAAYC,+BAAY;CAE9B,MAAM,iBAAiB,kBAAkB,IAAI,KAAI,MAAK,EAAE,QAAQ,QAAO,MAAK,EAAE,SAAS;CACvF,MAAM,kBAAkB,cAAc,IAAI;CAC1C,MAAM,sBAAsB,MAAM,mBAAmB,gBAAgB;CAErE,MAAMC,QAA8B,oBAAoB,KAAK,WAAW,SAAS;EAC/E,SAAS,WAAW;EACpB,OAAO,gBAAgB;;AAGzB,EAAM,YAAY;AAChB,MAAI;AACF,SAAMC,+BAAiB,qBAAqB,WAAW;WAChD,OAAO;AACd,WAAQ,KAAK,2DAA2D;;;AAI5E,QAAO;EAAE,QAAQ;EAAqB;;;AAGxC,eAAsB,uBAAuB,eAA0D;AACrG,QAAOA,+BAAiB,kBAAkB~~;;;;;;;~~CA7F/B,qBAAqB,UAA0B;EAC1D,MAAM,MAAM,OAAO,SAAS,IAAI;AAChC,MAAI,CAAC,IAAK,QAAO;EAGjB,MAAM,oBAAoB,IAAI,QAAQ,uBAAuB,IAAI;EAEjE,MAAM,aACJ;EAIF,MAAM,aAAa,kBAAkB,MAAM;EAC3C,MAAM,aAAa,CACjB,aAAa,IACb,mBACA,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS;AAEjE,OAAK,MAAM,aAAa,YAAY;GAClC,MAAM,UAAU,UAAU,QAAQ,gBAAgB;GAClD,MAAM,QAAQ,QAAQ,MAAM;AAC5B,OAAI,QAAQ,GACV,QAAO,MAAM,GAAG,OAAO;;AAI3B,SAAO,kBAAkB;;CAGd,cAAc,UAAyC;EAClE,MAAM,MAAM,iBAAiB,aAAa,QAAQ,WAAW,KAAK;AAClE,SAAO,KAAK,MAAM,KAAK,KACpB,KAAI,MAAK,EAAE,SAAS,IAAI,SAAS,GAAG,MACpC,KAAK"}
1	+ {"version":3,"file":"index.js","names":["base64Decode","hashed: number[][]","toAccountId","pairs: RecoveryEmailEntry[]","IndexedDBManager"],"sources":["../../../../src/core/EmailRecovery/index.ts"],"sourcesContent":["import type { AccountId } from '../types/accountIds';\nimport { toAccountId } from '../types/accountIds';\nimport { IndexedDBManager, type RecoveryEmailRecord } from '../IndexedDBManager';\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport { base64Decode } from '../../utils/base64';\nexport { EmailRecoveryPendingStore, type PendingStore } from './emailRecoveryPendingStore';\n\nexport type RecoveryEmailEntry = {\n hashHex: string;\n email: string;\n};\n\nexport { type RecoveryEmailRecord };\n\nexport type LinkDeviceRegisterUserResponse = {\n verified?: boolean;\n registration_info?: unknown;\n registrationInfo?: unknown;\n error?: unknown;\n};\n\nfunction getTxSuccessValueBase64(outcome: FinalExecutionOutcome): string \| null {\n const status = outcome.status;\n if (!status \|\| typeof status !== 'object') return null;\n if (!('SuccessValue' in status)) return null;\n const value = status.SuccessValue;\n return typeof value === 'string' && value.length > 0 ? value : null;\n}\n\nexport function parseLinkDeviceRegisterUserResponse(\n outcome: FinalExecutionOutcome\n): LinkDeviceRegisterUserResponse \| null {\n try {\n const successValueB64 = getTxSuccessValueBase64(outcome);\n if (!successValueB64) return null;\n\n const bytes = base64Decode(successValueB64);\n const text = new TextDecoder().decode(bytes);\n if (!text.trim()) return null;\n\n const parsed = JSON.parse(text) as unknown;\n if (!parsed \|\| typeof parsed !== 'object') return null;\n const candidate = parsed as LinkDeviceRegisterUserResponse;\n return typeof candidate.verified === 'boolean' ? candidate : null;\n } catch {\n return null;\n }\n}\n\nexport const canonicalizeEmail = (email: string): string => {\n const raw = String(email \|\| '').trim();\n if (!raw) return '';\n\n // Handle cases where a full header line is passed in (e.g. \"From: ...\").\n const withoutHeaderName = raw.replace(/^[a-z0-9-]+\\s:\\s/i, '').trim();\n\n const emailRegex =\n /([a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))/;\n\n // Prefer the common \"Name <email@domain>\" format when present, but still\n // validate/extract the actual address via regex.\n const angleMatch = withoutHeaderName.match(/<([^>]+)>/);\n const candidates = [\n angleMatch?.[1],\n withoutHeaderName,\n ].filter((v): v is string => typeof v === 'string' && v.length > 0);\n\n for (const candidate of candidates) {\n const cleaned = candidate.replace(/^mailto:\\s/i, '');\n const match = cleaned.match(emailRegex);\n if (match?.[1]) {\n return match[1].trim().toLowerCase();\n }\n }\n\n return withoutHeaderName.toLowerCase();\n};\n\nexport const bytesToHex = (bytes: number[] \| Uint8Array): string => {\n const arr = bytes instanceof Uint8Array ? bytes : Uint8Array.from(bytes);\n return `0x${Array.from(arr)\n .map(b => b.toString(16).padStart(2, '0'))\n .join('')}`;\n};\n\nasync function hashRecoveryEmails(emails: string[], accountId: AccountId): Promise<number[][]> {\n const encoder = new TextEncoder();\n const salt = (accountId \|\| '').trim().toLowerCase();\n const normalized = (emails \|\| [])\n .map(e => e.trim())\n .filter(e => e.length > 0);\n\n const hashed: number[][] = [];\n\n for (const email of normalized) {\n try {\n const canonicalEmail = canonicalizeEmail(email);\n const input = `${canonicalEmail}\|${salt}`;\n const data = encoder.encode(input);\n const digest = await crypto.subtle.digest('SHA-256', data);\n const bytes = new Uint8Array(digest);\n hashed.push(Array.from(bytes));\n } catch {\n const bytes = encoder.encode(email.toLowerCase());\n hashed.push(Array.from(bytes));\n }\n }\n\n return hashed;\n}\n\n/\n Canonicalize and hash recovery emails for an account, and persist the mapping\n * (hashHex → canonical email) in IndexedDB on a best-effort basis.\n */\nexport async function prepareRecoveryEmails(nearAccountId: AccountId, recoveryEmails: string[]): Promise<{\n hashes: number[][];\n pairs: RecoveryEmailEntry[];\n}> {\n const accountId = toAccountId(nearAccountId);\n\n const trimmedEmails = (recoveryEmails \|\| []).map(e => e.trim()).filter(e => e.length > 0);\n const canonicalEmails = trimmedEmails.map(canonicalizeEmail);\n const recoveryEmailHashes = await hashRecoveryEmails(recoveryEmails, accountId);\n\n const pairs: RecoveryEmailEntry[] = recoveryEmailHashes.map((hashBytes, idx) => ({\n hashHex: bytesToHex(hashBytes),\n email: canonicalEmails[idx],\n }));\n\n void (async () => {\n try {\n await IndexedDBManager.upsertRecoveryEmails(accountId, pairs);\n } catch (error) {\n console.warn('[EmailRecovery] Failed to persist local recovery emails', error);\n }\n })();\n\n return { hashes: recoveryEmailHashes, pairs };\n}\n\nexport async function getLocalRecoveryEmails(nearAccountId: AccountId): Promise<RecoveryEmailRecord[]> {\n return IndexedDBManager.getRecoveryEmails(nearAccountId);\n}\n"],"mappings":";;;;;;;AAqBA,SAAS,wBAAwB,SAA+C;CAC9E,MAAM,SAAS,QAAQ;AACvB,KAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;AAClD,KAAI,EAAE,kBAAkB,QAAS,QAAO;CACxC,MAAM,QAAQ,OAAO;AACrB,QAAO,OAAO,UAAU,YAAY,MAAM,SAAS,IAAI,QAAQ;;AAGjE,SAAgB,oCACd,SACuC;AACvC,KAAI;EACF,MAAM,kBAAkB,wBAAwB;AAChD,MAAI,CAAC,gBAAiB,QAAO;EAE7B,MAAM,QAAQA,4BAAa;EAC3B,MAAM,OAAO,IAAI,cAAc,OAAO;AACtC,MAAI,CAAC,KAAK,OAAQ,QAAO;EAEzB,MAAM,SAAS,KAAK,MAAM;AAC1B,MAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;EAClD,MAAM,YAAY;AAClB,SAAO,OAAO,UAAU,aAAa,YAAY,YAAY;SACvD;AACN,SAAO;;;AAwCX,eAAe,mBAAmB,QAAkB,WAA2C;CAC7F,MAAM,UAAU,IAAI;CACpB,MAAM,QAAQ,aAAa,IAAI,OAAO;CACtC,MAAM,cAAc,UAAU,IAC3B,KAAI,MAAK,EAAE,QACX,QAAO,MAAK,EAAE,SAAS;CAE1B,MAAMC,SAAqB;AAE3B,MAAK,MAAM,SAAS,WAClB,KAAI;EACF,MAAM,iBAAiB,kBAAkB;EACzC,MAAM,QAAQ,GAAG,eAAe,GAAG;EACnC,MAAM,OAAO,QAAQ,OAAO;EAC5B,MAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW;EACrD,MAAM,QAAQ,IAAI,WAAW;AAC7B,SAAO,KAAK,MAAM,KAAK;SACjB;EACN,MAAM,QAAQ,QAAQ,OAAO,MAAM;AACnC,SAAO,KAAK,MAAM,KAAK;;AAI3B,QAAO;;;;;;AAOT,eAAsB,sBAAsB,eAA0B,gBAGnE;CACD,MAAM,YAAYC,+BAAY;CAE9B,MAAM,iBAAiB,kBAAkB,IAAI,KAAI,MAAK,EAAE,QAAQ,QAAO,MAAK,EAAE,SAAS;CACvF,MAAM,kBAAkB,cAAc,IAAI;CAC1C,MAAM,sBAAsB,MAAM,mBAAmB,gBAAgB;CAErE,MAAMC,QAA8B,oBAAoB,KAAK,WAAW,SAAS;EAC/E,SAAS,WAAW;EACpB,OAAO,gBAAgB;;AAGzB,EAAM,YAAY;AAChB,MAAI;AACF,SAAMC,+BAAiB,qBAAqB,WAAW;WAChD,OAAO;AACd,WAAQ,KAAK,2DAA2D;;;AAI5E,QAAO;EAAE,QAAQ;EAAqB;;;AAGxC,eAAsB,uBAAuB,eAA0D;AACrG,QAAOA,+BAAiB,kBAAkB;;;;;;;;CA7F/B,qBAAqB,UAA0B;EAC1D,MAAM,MAAM,OAAO,SAAS,IAAI;AAChC,MAAI,CAAC,IAAK,QAAO;EAGjB,MAAM,oBAAoB,IAAI,QAAQ,uBAAuB,IAAI;EAEjE,MAAM,aACJ;EAIF,MAAM,aAAa,kBAAkB,MAAM;EAC3C,MAAM,aAAa,CACjB,aAAa,IACb,mBACA,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS;AAEjE,OAAK,MAAM,aAAa,YAAY;GAClC,MAAM,UAAU,UAAU,QAAQ,gBAAgB;GAClD,MAAM,QAAQ,QAAQ,MAAM;AAC5B,OAAI,QAAQ,GACV,QAAO,MAAM,GAAG,OAAO;;AAI3B,SAAO,kBAAkB;;CAGd,cAAc,UAAyC;EAClE,MAAM,MAAM,iBAAiB,aAAa,QAAQ,WAAW,KAAK;AAClE,SAAO,KAAK,MAAM,KAAK,KACpB,KAAI,MAAK,EAAE,SAAS,IAAI,SAAS,GAAG,MACpC,KAAK"}

package/dist/cjs/core/TatchiPasskey/emailRecovery.js CHANGED Viewed

@@ -3,12 +3,14 @@ const require_validation = require('../../utils/validation.js');
 const require_accountIds = require('../types/accountIds.js');
 const require_index = require('../IndexedDBManager/index.js');
 const require_vrf_worker = require('../types/vrf-worker.js');
+const require_errors = require('../../utils/errors.js');
 const require_sdkSentEvents = require('../types/sdkSentEvents.js');
 const require_rpc = require('../types/rpc.js');
 const require_getDeviceNumber = require('../WebAuthnManager/SignerWorkerManager/getDeviceNumber.js');
 const require_login = require('./login.js');
 const require_emailRecoveryPendingStore = require('../EmailRecovery/emailRecoveryPendingStore.js');
 const require_index$1 = require('../EmailRecovery/index.js');
+const require_emailRecovery = require('../types/emailRecovery.js');
 //#region src/core/TatchiPasskey/emailRecovery.ts
 var emailRecovery_exports = {};
@@ -48,6 +50,7 @@ var EmailRecoveryFlow;
 var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasskey/emailRecovery.ts": (() => {
 	require_index.init_IndexedDBManager();
 	require_validation.init_validation();
+	require_errors.init_errors();
 	require_accountIds.init_accountIds();
 	require_sdkSentEvents.init_sdkSentEvents();
 	require_vrf_worker.init_vrf_worker();
@@ -55,6 +58,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 	require_getDeviceNumber.init_getDeviceNumber();
 	require_login.init_login();
 	require_index$1.init_EmailRecovery();
+	require_emailRecovery.init_emailRecovery();
 	EmailRecoveryFlow = class {
 		context;
 		options;
@@ -82,8 +86,9 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 		emit(event) {
 			this.options?.onEvent?.(event);
 		}
-		emitError(step, message) {
-			const err = new Error(message);
+		emitError(step, messageOrError) {
+			const err = typeof messageOrError === "string" ? new Error(messageOrError) : messageOrError;
+			const message = err.message || (typeof messageOrError === "string" ? messageOrError : "Unknown error");
 			this.phase = require_sdkSentEvents.EmailRecoveryPhase.ERROR;
 			this.error = err;
 			this.emit({
@@ -142,8 +147,8 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 				const accountView = await this.context.nearClient.viewAccount(nearAccountId);
 				const available = this.computeAvailableBalance(accountView);
 				if (available < BigInt(minBalanceYocto)) await this.fail(1, `This account does not have enough NEAR to finalize recovery. Available: ${available.toString()} yocto; required: ${String(minBalanceYocto)}. Please top up and try again.`);
-			} catch (e) {
-				await this.fail(1, e?.message || "Failed to fetch account balance for recovery");
+			} catch (err) {
+				await this.fail(1, require_errors.errorMessage(err) || "Failed to fetch account balance for recovery");
 			}
 		}
 		async getCanonicalRecoveryEmailOrFail(recoveryEmail) {
@@ -155,7 +160,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			try {
 				const { syncAuthenticatorsContractCall } = await Promise.resolve().then(() => require("../rpcCalls.js"));
 				const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, nearAccountId);
-				const numbers = authenticators.map((a) => a?.authenticator?.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
+				const numbers = authenticators.map(({ authenticator }) => authenticator.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
 				const max = numbers.length > 0 ? Math.max(...numbers) : 0;
 				return max + 1;
 			} catch {
@@ -234,11 +239,11 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 					success: false
 				};
 				if (!result.verified) {
-					const errorMessage = result.error_message || result.error_code || "Email verification failed on relayer/contract";
+					const errorMessage$1 = result.error_message || result.error_code || "Email verification failed on relayer/contract";
 					return {
 						completed: true,
 						success: false,
-						errorMessage,
+						errorMessage: errorMessage$1,
 						transactionHash: result.transaction_hash
 					};
 				}
@@ -403,7 +408,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 					nearPublicKey: rec.nearPublicKey
 				};
 			} catch (e) {
-				const err = this.emitError(2, e?.message || "Email recovery TouchID/derivation failed");
+				const err = this.emitError(2, require_errors.errorMessage(e) || "Email recovery TouchID/derivation failed");
 				await this.options?.afterCall?.(false);
 				throw err;
 			}
@@ -573,7 +578,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 				accountId
 			};
 		}
-		async signRegistrationTx(rec, accountId) {
+		async signNewDevice2RegistrationTx(rec, accountId) {
 			const vrfChallenge = rec.vrfChallenge;
 			if (!vrfChallenge) return this.fail(5, "Missing VRF challenge for email recovery registration");
 			const registrationResult = await this.context.webAuthnManager.signDevice2RegistrationWithStoredKey({
@@ -587,47 +592,56 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			return registrationResult.signedTransaction;
 		}
 		async broadcastRegistrationTxAndWaitFinal(rec, signedTx) {
+			let txResult;
 			try {
-				const txResult = await this.context.nearClient.sendTransaction(signedTx, require_rpc.DEFAULT_WAIT_STATUS.linkDeviceRegistration);
-				try {
-					const txHash = txResult?.transaction?.hash || txResult?.transaction_hash;
-					if (txHash) this.emit({
-						step: 5,
-						phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-						status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
-						message: "Registration transaction confirmed",
-						data: {
-							accountId: rec.accountId,
-							nearPublicKey: rec.nearPublicKey,
-							transactionHash: txHash
-						}
-					});
-					return txHash;
-				} catch {}
-			} catch (e) {
-				const msg = String(e?.message || "");
-				await this.fail(5, msg || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)");
+				txResult = await this.context.nearClient.sendTransaction(signedTx, require_rpc.DEFAULT_WAIT_STATUS.linkDeviceRegistration);
+			} catch (err) {
+				const msg = require_errors.errorMessage(err) || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)";
+				throw new Error(msg);
 			}
-			return void 0;
-		}
-		async persistRecoveredUserRecordBestEffort(rec, accountId) {
-			try {
-				await require_index.IndexedDBManager.clientDB.storeWebAuthnUserData({
-					nearAccountId: accountId,
-					deviceNumber: rec.deviceNumber,
-					clientNearPublicKey: rec.nearPublicKey,
-					passkeyCredential: {
-						id: rec.credential.id,
-						rawId: rec.credential.rawId
-					},
-					encryptedVrfKeypair: rec.encryptedVrfKeypair,
-					serverEncryptedVrfKeypair: rec.serverEncryptedVrfKeypair || void 0
+			const txHash = this.getTxHash(txResult);
+			const linkDeviceResult = require_index$1.parseLinkDeviceRegisterUserResponse(txResult);
+			if (linkDeviceResult?.verified === false) {
+				const logs = this.extractNearExecutionLogs(txResult);
+				const isStaleChallenge = logs.some((log) => /StaleChallenge|freshness validation failed/i.test(log));
+				const txHint = txHash ? ` (tx: ${txHash})` : "";
+				const code = isStaleChallenge ? require_emailRecovery.EmailRecoveryErrorCode.VRF_CHALLENGE_EXPIRED : require_emailRecovery.EmailRecoveryErrorCode.REGISTRATION_NOT_VERIFIED;
+				const message = isStaleChallenge ? `Timed out finalizing registration (VRF challenge expired). Please restart email recovery and try again${txHint}.` : `Registration did not verify on-chain. Please try again${txHint}.`;
+				throw new require_emailRecovery.EmailRecoveryError(message, code, {
+					accountId: rec.accountId,
+					nearPublicKey: rec.nearPublicKey,
+					transactionHash: txHash,
+					logs,
+					result: linkDeviceResult
 				});
-				return true;
-			} catch (err) {
-				console.warn("[EmailRecoveryFlow] Failed to store recovery user record:", err);
-				return false;
 			}
+			if (txHash) this.emit({
+				step: 5,
+				phase: require_sdkSentEvents.EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+				status: require_sdkSentEvents.EmailRecoveryStatus.PROGRESS,
+				message: "Registration transaction confirmed",
+				data: {
+					accountId: rec.accountId,
+					nearPublicKey: rec.nearPublicKey,
+					transactionHash: txHash
+				}
+			});
+			return txHash;
+		}
+		getTxHash(outcome) {
+			const txUnknown = outcome.transaction;
+			if (txUnknown && typeof txUnknown === "object") {
+				const hash = txUnknown.hash;
+				if (typeof hash === "string" && hash.length > 0) return hash;
+			}
+			const fallback = outcome.transaction_hash;
+			return typeof fallback === "string" && fallback.length > 0 ? fallback : void 0;
+		}
+		extractNearExecutionLogs(outcome) {
+			const logs = [];
+			for (const entry of outcome.transaction_outcome.outcome.logs) logs.push(String(entry));
+			for (const receipt of outcome.receipts_outcome) for (const entry of receipt.outcome.logs) logs.push(String(entry));
+			return logs;
 		}
 		mapAuthenticatorsFromContract(authenticators) {
 			return authenticators.map(({ authenticator }) => ({
@@ -663,7 +677,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 		}
 		async updateNonceBestEffort(nonceManager, signedTx) {
 			try {
-				const txNonce = signedTx.transaction?.nonce;
+				const txNonce = signedTx.transaction.nonce;
 				if (txNonce != null) await nonceManager.updateNonceFromBlockchain(this.context.nearClient, String(txNonce));
 			} catch {}
 		}
@@ -686,6 +700,10 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			};
 			await webAuthnManager.storeUserData(payload);
 		}
+		/**
+		* Explicitly persist the authenticator from the recovery record into the local cache.
+		* This ensures the key is available immediately, bridging the gap before RPC sync sees it.
+		*/
 		async persistAuthenticatorBestEffort(rec, accountId) {
 			try {
 				const { webAuthnManager } = this.context;
@@ -702,7 +720,10 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 					syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
 					vrfPublicKey: rec.vrfPublicKey
 				});
-			} catch {}
+				console.log("[EmailRecoveryFlow] Locally persisted recovered authenticator for immediate use.");
+			} catch (e) {
+				console.error("[EmailRecoveryFlow] Failed to locally persist authenticator (critical for immediate export):", e);
+			}
 		}
 		async markCompleteAndClearPending(rec) {
 			rec.status = "complete";
@@ -772,7 +793,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			} catch (err) {
 				return {
 					success: false,
-					reason: err?.message || String(err)
+					reason: require_errors.errorMessage(err) || String(err)
 				};
 			}
 		}
@@ -800,18 +821,14 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 			});
 			try {
 				const { nonceManager, accountId } = this.initializeNonceManager(rec);
-				const signedTx = await this.signRegistrationTx(rec, accountId);
+				const signedTx = await this.signNewDevice2RegistrationTx(rec, accountId);
 				const txHash = await this.broadcastRegistrationTxAndWaitFinal(rec, signedTx);
-				if (txHash) {
-					const storedUser = await this.persistRecoveredUserRecordBestEffort(rec, accountId);
-					if (storedUser) {
-						const syncedAuthenticators = await this.syncAuthenticatorsBestEffort(accountId);
-						if (syncedAuthenticators) await this.setLastUserBestEffort(accountId, rec.deviceNumber);
-					}
-				}
-				await this.updateNonceBestEffort(nonceManager, signedTx);
+				if (!txHash) console.warn("[EmailRecoveryFlow] Registration transaction confirmed without hash; continuing local persistence");
 				await this.persistRecoveredUserData(rec, accountId);
+				await this.syncAuthenticatorsBestEffort(accountId);
 				await this.persistAuthenticatorBestEffort(rec, accountId);
+				await this.setLastUserBestEffort(accountId, rec.deviceNumber);
+				await this.updateNonceBestEffort(nonceManager, signedTx);
 				this.emitAutoLoginEvent(require_sdkSentEvents.EmailRecoveryStatus.PROGRESS, "Attempting auto-login with recovered device...", { autoLogin: "progress" });
 				const autoLoginResult = await this.attemptAutoLogin(rec);
 				if (autoLoginResult.success) this.emitAutoLoginEvent(require_sdkSentEvents.EmailRecoveryStatus.SUCCESS, `Welcome ${accountId}`, { autoLogin: "success" });
@@ -832,7 +849,10 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 					}
 				});
 			} catch (e) {
-				const err = this.emitError(5, e?.message || "Email recovery finalization failed");
+				rec.status = "error";
+				await this.savePending(rec).catch(() => {});
+				const original = e instanceof Error ? e : new Error(require_errors.errorMessage(e) || "Email recovery finalization failed");
+				const err = this.emitError(5, original);
 				await this.options?.afterCall?.(false);
 				throw err;
 			}
@@ -854,7 +874,7 @@ var init_emailRecovery = require_rolldown_runtime.__esm({ "src/core/TatchiPasske
 				};
 				return this.handleAutoLoginFailure(touchIdResult.reason || "Auto-login failed");
 			} catch (err) {
-				return this.handleAutoLoginFailure(err?.message || String(err), err);
+				return this.handleAutoLoginFailure(require_errors.errorMessage(err) || String(err), err);
 			}
 		}
 	};