npm - @tatchi-xyz/sdk - Versions diffs - 0.19.0 → 0.21.0 - Mend

@tatchi-xyz/sdk 0.19.0 → 0.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (243) hide show

package/dist/esm/react/context/useTatchiWithSdkFlow.js ADDED Viewed

@@ -0,0 +1,94 @@
+import { AccountRecoveryPhase, AccountRecoveryStatus, LoginPhase, LoginStatus, RegistrationPhase, RegistrationStatus, init_sdkSentEvents } from "../sdk/src/core/types/sdkSentEvents.js";
+import { useMemo } from "react";
+//#region src/react/context/useTatchiWithSdkFlow.ts
+init_sdkSentEvents();
+function useTatchiWithSdkFlow(args) {
+	const { tatchi, beginSdkFlow, appendSdkEventMessage, endSdkFlow } = args;
+	return useMemo(() => {
+		const loginAndCreateSessionWithSdkFlow = async (nearAccountId, options) => {
+			const seq = beginSdkFlow("login", nearAccountId);
+			const wrappedOptions = {
+				...options,
+				onEvent: (event) => {
+					appendSdkEventMessage(seq, event.message);
+					if (event.phase === LoginPhase.STEP_4_LOGIN_COMPLETE && event.status === LoginStatus.SUCCESS) endSdkFlow("login", seq, "success");
+					else if (event.phase === LoginPhase.LOGIN_ERROR || event.status === LoginStatus.ERROR) {
+						const error = "error" in event ? event.error : event.message;
+						endSdkFlow("login", seq, "error", error || event.message);
+					}
+					options?.onEvent?.(event);
+				},
+				onError: (error) => {
+					appendSdkEventMessage(seq, error.message);
+					endSdkFlow("login", seq, "error", error.message);
+					options?.onError?.(error);
+				}
+			};
+			return await tatchi.loginAndCreateSession(nearAccountId, wrappedOptions);
+		};
+		const registerPasskeyWithSdkFlow = async (nearAccountId, options) => {
+			const seq = beginSdkFlow("register", nearAccountId);
+			const wrappedOptions = {
+				...options,
+				onEvent: (event) => {
+					appendSdkEventMessage(seq, event.message);
+					if (event.phase === RegistrationPhase.STEP_8_REGISTRATION_COMPLETE && event.status === RegistrationStatus.SUCCESS) endSdkFlow("register", seq, "success");
+					else if (event.phase === RegistrationPhase.REGISTRATION_ERROR || event.status === RegistrationStatus.ERROR) {
+						const error = "error" in event ? event.error : event.message;
+						endSdkFlow("register", seq, "error", error || event.message);
+					}
+					options?.onEvent?.(event);
+				},
+				onError: (error) => {
+					appendSdkEventMessage(seq, error.message);
+					endSdkFlow("register", seq, "error", error.message);
+					options?.onError?.(error);
+				}
+			};
+			return await tatchi.registerPasskey(nearAccountId, wrappedOptions);
+		};
+		const recoverAccountFlowWithSdkFlow = async (args$1) => {
+			const seq = beginSdkFlow("recover", args$1?.accountId);
+			const options = args$1?.options;
+			const wrappedOptions = {
+				...options,
+				onEvent: (event) => {
+					appendSdkEventMessage(seq, event.message);
+					if (event.phase === AccountRecoveryPhase.STEP_5_ACCOUNT_RECOVERY_COMPLETE && event.status === AccountRecoveryStatus.SUCCESS) endSdkFlow("recover", seq, "success");
+					else if (event.phase === AccountRecoveryPhase.ERROR || event.status === AccountRecoveryStatus.ERROR) {
+						const error = "error" in event ? event.error : event.message;
+						endSdkFlow("recover", seq, "error", error || event.message);
+					}
+					options?.onEvent?.(event);
+				},
+				onError: (error) => {
+					appendSdkEventMessage(seq, error.message);
+					endSdkFlow("recover", seq, "error", error.message);
+					options?.onError?.(error);
+				}
+			};
+			return await tatchi.recoverAccountFlow({
+				...args$1,
+				options: wrappedOptions
+			});
+		};
+		return new Proxy(tatchi, { get(target, prop, receiver) {
+			if (prop === "loginAndCreateSession") return loginAndCreateSessionWithSdkFlow;
+			if (prop === "registerPasskey") return registerPasskeyWithSdkFlow;
+			if (prop === "recoverAccountFlow") return recoverAccountFlowWithSdkFlow;
+			const value = Reflect.get(target, prop, receiver);
+			if (typeof value === "function") return value.bind(target);
+			return value;
+		} });
+	}, [
+		appendSdkEventMessage,
+		beginSdkFlow,
+		endSdkFlow,
+		tatchi
+	]);
+}
+//#endregion
+export { useTatchiWithSdkFlow };
+//# sourceMappingURL=useTatchiWithSdkFlow.js.map

package/dist/esm/react/context/useTatchiWithSdkFlow.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"useTatchiWithSdkFlow.js","names":["loginAndCreateSessionWithSdkFlow: LoginAndCreateSessionFn","wrappedOptions: LoginHooksOptions","registerPasskeyWithSdkFlow: RegisterPasskeyFn","wrappedOptions: RegistrationHooksOptions","recoverAccountFlowWithSdkFlow: RecoverAccountFlowFn","args","options: AccountRecoveryHooksOptions | undefined","wrappedOptions: AccountRecoveryHooksOptions","value: unknown"],"sources":["../../../../src/react/context/useTatchiWithSdkFlow.ts"],"sourcesContent":["import { useMemo } from 'react';\nimport type { TatchiPasskey } from '@/core/TatchiPasskey';\nimport {\n AccountRecoveryPhase,\n AccountRecoveryStatus,\n type AccountRecoveryHooksOptions,\n type AccountRecoverySSEEvent,\n LoginPhase,\n LoginStatus,\n type LoginHooksOptions,\n type LoginSSEvent,\n RegistrationPhase,\n RegistrationStatus,\n type RegistrationHooksOptions,\n type RegistrationSSEEvent,\n} from '@/core/types/sdkSentEvents';\n\nexport function useTatchiWithSdkFlow(args: {\n tatchi: TatchiPasskey;\n beginSdkFlow: (kind: 'login' | 'register' | 'recover', accountId?: string) => number;\n appendSdkEventMessage: (seq: number, message: string) => void;\n endSdkFlow: (kind: 'login' | 'register' | 'recover', seq: number, status: 'success' | 'error', error?: string) => void;\n}): TatchiPasskey {\n const { tatchi, beginSdkFlow, appendSdkEventMessage, endSdkFlow } = args;\n\n return useMemo(() => {\n /**\n * We use a `Proxy` to instrument a few core flow entrypoints (login/register/recover)\n * while preserving the full `TatchiPasskey` API surface.\n *\n * This lets *all* callers (not just PasskeyAuthMenu) use `ctx.tatchi.*` directly and\n * still have `sdkFlow` update as events stream in.\n */\n type LoginAndCreateSessionFn = TatchiPasskey['loginAndCreateSession'];\n type RegisterPasskeyFn = TatchiPasskey['registerPasskey'];\n type RecoverAccountFlowFn = TatchiPasskey['recoverAccountFlow'];\n\n const loginAndCreateSessionWithSdkFlow: LoginAndCreateSessionFn = async (\n nearAccountId,\n options,\n ) => {\n const seq = beginSdkFlow('login', nearAccountId);\n const wrappedOptions: LoginHooksOptions = {\n ...options,\n onEvent: (event: LoginSSEvent) => {\n appendSdkEventMessage(seq, event.message);\n if (event.phase === LoginPhase.STEP_4_LOGIN_COMPLETE && event.status === LoginStatus.SUCCESS) {\n endSdkFlow('login', seq, 'success');\n } else if (event.phase === LoginPhase.LOGIN_ERROR || event.status === LoginStatus.ERROR) {\n const error = 'error' in event ? event.error : event.message;\n endSdkFlow('login', seq, 'error', error || event.message);\n }\n options?.onEvent?.(event);\n },\n onError: (error: Error) => {\n appendSdkEventMessage(seq, error.message);\n endSdkFlow('login', seq, 'error', error.message);\n options?.onError?.(error);\n },\n };\n\n return await tatchi.loginAndCreateSession(nearAccountId, wrappedOptions);\n };\n\n const registerPasskeyWithSdkFlow: RegisterPasskeyFn = async (\n nearAccountId,\n options,\n ) => {\n const seq = beginSdkFlow('register', nearAccountId);\n const wrappedOptions: RegistrationHooksOptions = {\n ...options,\n onEvent: (event: RegistrationSSEEvent) => {\n appendSdkEventMessage(seq, event.message);\n if (\n event.phase === RegistrationPhase.STEP_8_REGISTRATION_COMPLETE &&\n event.status === RegistrationStatus.SUCCESS\n ) {\n endSdkFlow('register', seq, 'success');\n } else if (event.phase === RegistrationPhase.REGISTRATION_ERROR || event.status === RegistrationStatus.ERROR) {\n const error = 'error' in event ? event.error : event.message;\n endSdkFlow('register', seq, 'error', error || event.message);\n }\n options?.onEvent?.(event);\n },\n onError: (error: Error) => {\n appendSdkEventMessage(seq, error.message);\n endSdkFlow('register', seq, 'error', error.message);\n options?.onError?.(error);\n },\n };\n\n return await tatchi.registerPasskey(nearAccountId, wrappedOptions);\n };\n\n const recoverAccountFlowWithSdkFlow: RecoverAccountFlowFn = async (args) => {\n const seq = beginSdkFlow('recover', args?.accountId);\n const options: AccountRecoveryHooksOptions | undefined = args?.options;\n\n const wrappedOptions: AccountRecoveryHooksOptions = {\n ...options,\n onEvent: (event: AccountRecoverySSEEvent) => {\n appendSdkEventMessage(seq, event.message);\n if (\n event.phase === AccountRecoveryPhase.STEP_5_ACCOUNT_RECOVERY_COMPLETE &&\n event.status === AccountRecoveryStatus.SUCCESS\n ) {\n endSdkFlow('recover', seq, 'success');\n } else if (event.phase === AccountRecoveryPhase.ERROR || event.status === AccountRecoveryStatus.ERROR) {\n const error = 'error' in event ? event.error : event.message;\n endSdkFlow('recover', seq, 'error', error || event.message);\n }\n options?.onEvent?.(event);\n },\n onError: (error: Error) => {\n appendSdkEventMessage(seq, error.message);\n endSdkFlow('recover', seq, 'error', error.message);\n options?.onError?.(error);\n },\n };\n\n return await tatchi.recoverAccountFlow({\n ...args,\n options: wrappedOptions,\n });\n };\n\n return new Proxy(tatchi, {\n get(target, prop, receiver) {\n if (prop === 'loginAndCreateSession') {\n return loginAndCreateSessionWithSdkFlow;\n }\n\n if (prop === 'registerPasskey') {\n return registerPasskeyWithSdkFlow;\n }\n\n if (prop === 'recoverAccountFlow') {\n return recoverAccountFlowWithSdkFlow;\n }\n\n const value: unknown = Reflect.get(target as object, prop, receiver);\n // For non-wrapped methods, bind to preserve `this` on the class instance.\n if (typeof value === 'function') return (value as (...args: unknown[]) => unknown).bind(target);\n return value;\n },\n });\n }, [appendSdkEventMessage, beginSdkFlow, endSdkFlow, tatchi]);\n}\n\nexport default useTatchiWithSdkFlow;\n"],"mappings":";;;;;AAiBA,SAAgB,qBAAqB,MAKnB;CAChB,MAAM,EAAE,QAAQ,cAAc,uBAAuB,eAAe;AAEpE,QAAO,cAAc;EAYnB,MAAMA,mCAA4D,OAChE,eACA,YACG;GACH,MAAM,MAAM,aAAa,SAAS;GAClC,MAAMC,iBAAoC;IACxC,GAAG;IACH,UAAU,UAAwB;AAChC,2BAAsB,KAAK,MAAM;AACjC,SAAI,MAAM,UAAU,WAAW,yBAAyB,MAAM,WAAW,YAAY,QACnF,YAAW,SAAS,KAAK;cAChB,MAAM,UAAU,WAAW,eAAe,MAAM,WAAW,YAAY,OAAO;MACvF,MAAM,QAAQ,WAAW,QAAQ,MAAM,QAAQ,MAAM;AACrD,iBAAW,SAAS,KAAK,SAAS,SAAS,MAAM;;AAEnD,cAAS,UAAU;;IAErB,UAAU,UAAiB;AACzB,2BAAsB,KAAK,MAAM;AACjC,gBAAW,SAAS,KAAK,SAAS,MAAM;AACxC,cAAS,UAAU;;;AAIvB,UAAO,MAAM,OAAO,sBAAsB,eAAe;;EAG3D,MAAMC,6BAAgD,OACpD,eACA,YACG;GACH,MAAM,MAAM,aAAa,YAAY;GACrC,MAAMC,iBAA2C;IAC/C,GAAG;IACH,UAAU,UAAgC;AACxC,2BAAsB,KAAK,MAAM;AACjC,SACE,MAAM,UAAU,kBAAkB,gCAClC,MAAM,WAAW,mBAAmB,QAEpC,YAAW,YAAY,KAAK;cACnB,MAAM,UAAU,kBAAkB,sBAAsB,MAAM,WAAW,mBAAmB,OAAO;MAC5G,MAAM,QAAQ,WAAW,QAAQ,MAAM,QAAQ,MAAM;AACrD,iBAAW,YAAY,KAAK,SAAS,SAAS,MAAM;;AAEtD,cAAS,UAAU;;IAErB,UAAU,UAAiB;AACzB,2BAAsB,KAAK,MAAM;AACjC,gBAAW,YAAY,KAAK,SAAS,MAAM;AAC3C,cAAS,UAAU;;;AAIvB,UAAO,MAAM,OAAO,gBAAgB,eAAe;;EAGrD,MAAMC,gCAAsD,OAAO,WAAS;GAC1E,MAAM,MAAM,aAAa,WAAWC,QAAM;GAC1C,MAAMC,UAAmDD,QAAM;GAE/D,MAAME,iBAA8C;IAClD,GAAG;IACH,UAAU,UAAmC;AAC3C,2BAAsB,KAAK,MAAM;AACjC,SACE,MAAM,UAAU,qBAAqB,oCACrC,MAAM,WAAW,sBAAsB,QAEvC,YAAW,WAAW,KAAK;cAClB,MAAM,UAAU,qBAAqB,SAAS,MAAM,WAAW,sBAAsB,OAAO;MACrG,MAAM,QAAQ,WAAW,QAAQ,MAAM,QAAQ,MAAM;AACrD,iBAAW,WAAW,KAAK,SAAS,SAAS,MAAM;;AAErD,cAAS,UAAU;;IAErB,UAAU,UAAiB;AACzB,2BAAsB,KAAK,MAAM;AACjC,gBAAW,WAAW,KAAK,SAAS,MAAM;AAC1C,cAAS,UAAU;;;AAIvB,UAAO,MAAM,OAAO,mBAAmB;IACrC,GAAGF;IACH,SAAS;;;AAIb,SAAO,IAAI,MAAM,QAAQ,EACvB,IAAI,QAAQ,MAAM,UAAU;AAC1B,OAAI,SAAS,wBACX,QAAO;AAGT,OAAI,SAAS,kBACX,QAAO;AAGT,OAAI,SAAS,qBACX,QAAO;GAGT,MAAMG,QAAiB,QAAQ,IAAI,QAAkB,MAAM;AAE3D,OAAI,OAAO,UAAU,WAAY,QAAQ,MAA0C,KAAK;AACxF,UAAO;;IAGV;EAAC;EAAuB;EAAc;EAAY"}

package/dist/esm/react/sdk/src/core/EmailRecovery/index.js CHANGED Viewed

@@ -1,9 +1,32 @@
 import { __esm } from "../../../../_virtual/rolldown_runtime.js";
 import { init_accountIds, toAccountId } from "../types/accountIds.js";
 import { IndexedDBManager, init_IndexedDBManager } from "../IndexedDBManager/index.js";
+import { base64Decode, init_base64 } from "../../utils/base64.js";
 import { EmailRecoveryPendingStore, init_emailRecoveryPendingStore } from "./emailRecoveryPendingStore.js";
 //#region src/core/EmailRecovery/index.ts
+function getTxSuccessValueBase64(outcome) {
+	const status = outcome.status;
+	if (!status || typeof status !== "object") return null;
+	if (!("SuccessValue" in status)) return null;
+	const value = status.SuccessValue;
+	return typeof value === "string" && value.length > 0 ? value : null;
+}
+function parseLinkDeviceRegisterUserResponse(outcome) {
+	try {
+		const successValueB64 = getTxSuccessValueBase64(outcome);
+		if (!successValueB64) return null;
+		const bytes = base64Decode(successValueB64);
+		const text = new TextDecoder().decode(bytes);
+		if (!text.trim()) return null;
+		const parsed = JSON.parse(text);
+		if (!parsed || typeof parsed !== "object") return null;
+		const candidate = parsed;
+		return typeof candidate.verified === "boolean" ? candidate : null;
+	} catch {
+		return null;
+	}
+}
 async function hashRecoveryEmails(emails, accountId) {
 	const encoder = new TextEncoder();
 	const salt = (accountId || "").trim().toLowerCase();
@@ -54,6 +77,7 @@ var canonicalizeEmail, bytesToHex;
 var init_EmailRecovery = __esm({ "src/core/EmailRecovery/index.ts": (() => {
 	init_accountIds();
 	init_IndexedDBManager();
+	init_base64();
 	init_emailRecoveryPendingStore();
 	canonicalizeEmail = (email) => {
 		const raw = String(email || "").trim();
@@ -77,5 +101,5 @@ var init_EmailRecovery = __esm({ "src/core/EmailRecovery/index.ts": (() => {
 //#endregion
 init_EmailRecovery();
-export { bytesToHex, getLocalRecoveryEmails, init_EmailRecovery, prepareRecoveryEmails };
+export { bytesToHex, canonicalizeEmail, getLocalRecoveryEmails, init_EmailRecovery, parseLinkDeviceRegisterUserResponse, prepareRecoveryEmails };
 //# sourceMappingURL=index.js.map

package/dist/esm/react/sdk/src/core/EmailRecovery/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["hashed: number[][]","pairs: RecoveryEmailEntry[]"],"sources":["../../../../../../../src/core/EmailRecovery/index.ts"],"sourcesContent":["import type { AccountId } from '../types/accountIds';\nimport { toAccountId } from '../types/accountIds';\nimport { IndexedDBManager, type RecoveryEmailRecord } from '../IndexedDBManager';\nexport { EmailRecoveryPendingStore, type PendingStore } from './emailRecoveryPendingStore';\n\nexport type RecoveryEmailEntry = {\n hashHex: string;\n email: string;\n};\n\nexport { type RecoveryEmailRecord };\n\nexport const canonicalizeEmail = (email: string): string => {\n const raw = String(email \|\| '').trim();\n if (!raw) return '';\n\n // Handle cases where a full header line is passed in (e.g. \"From: ...\").\n const withoutHeaderName = raw.replace(/^[a-z0-9-]+\\s:\\s/i, '').trim();\n\n const emailRegex =\n /([a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))/;\n\n // Prefer the common \"Name <email@domain>\" format when present, but still\n // validate/extract the actual address via regex.\n const angleMatch = withoutHeaderName.match(/<([^>]+)>/);\n const candidates = [\n angleMatch?.[1],\n withoutHeaderName,\n ].filter((v): v is string => typeof v === 'string' && v.length > 0);\n\n for (const candidate of candidates) {\n const cleaned = candidate.replace(/^mailto:\\s/i, '');\n const match = cleaned.match(emailRegex);\n if (match?.[1]) {\n return match[1].trim().toLowerCase();\n }\n }\n\n return withoutHeaderName.toLowerCase();\n};\n\nexport const bytesToHex = (bytes: number[] \| Uint8Array): string => {\n const arr = bytes instanceof Uint8Array ? bytes : Uint8Array.from(bytes);\n return `0x${Array.from(arr)\n .map(b => b.toString(16).padStart(2, '0'))\n .join('')}`;\n};\n\nasync function hashRecoveryEmails(emails: string[], accountId: AccountId): Promise<number[][]> {\n const encoder = new TextEncoder();\n const salt = (accountId \|\| '').trim().toLowerCase();\n const normalized = (emails \|\| [])\n .map(e => e.trim())\n .filter(e => e.length > 0);\n\n const hashed: number[][] = [];\n\n for (const email of normalized) {\n try {\n const canonicalEmail = canonicalizeEmail(email);\n const input = `${canonicalEmail}\|${salt}`;\n const data = encoder.encode(input);\n const digest = await crypto.subtle.digest('SHA-256', data);\n const bytes = new Uint8Array(digest);\n hashed.push(Array.from(bytes));\n } catch {\n const bytes = encoder.encode(email.toLowerCase());\n hashed.push(Array.from(bytes));\n }\n }\n\n return hashed;\n}\n\n/\n Canonicalize and hash recovery emails for an account, and persist the mapping\n * (hashHex → canonical email) in IndexedDB on a best-effort basis.\n */\nexport async function prepareRecoveryEmails(nearAccountId: AccountId, recoveryEmails: string[]): Promise<{\n hashes: number[][];\n pairs: RecoveryEmailEntry[];\n}> {\n const accountId = toAccountId(nearAccountId);\n\n const trimmedEmails = (recoveryEmails \|\| []).map(e => e.trim()).filter(e => e.length > 0);\n const canonicalEmails = trimmedEmails.map(canonicalizeEmail);\n const recoveryEmailHashes = await hashRecoveryEmails(recoveryEmails, accountId);\n\n const pairs: RecoveryEmailEntry[] = recoveryEmailHashes.map((hashBytes, idx) => ({\n hashHex: bytesToHex(hashBytes),\n email: canonicalEmails[idx],\n }));\n\n void (async () => {\n try {\n await IndexedDBManager.upsertRecoveryEmails(accountId, pairs);\n } catch (error) {\n console.warn('[EmailRecovery] Failed to persist local recovery emails', error);\n }\n })();\n\n return { hashes: recoveryEmailHashes, pairs };\n}\n\nexport async function getLocalRecoveryEmails(nearAccountId: AccountId): Promise<RecoveryEmailRecord[]> {\n return IndexedDBManager.getRecoveryEmails(nearAccountId);\n}\n"],"mappings":"~~;;;;;;AAgDA~~,eAAe,mBAAmB,QAAkB,WAA2C;CAC7F,MAAM,UAAU,IAAI;CACpB,MAAM,QAAQ,aAAa,IAAI,OAAO;CACtC,MAAM,cAAc,UAAU,IAC3B,KAAI,MAAK,EAAE,QACX,QAAO,MAAK,EAAE,SAAS;CAE1B,MAAMA,SAAqB;AAE3B,MAAK,MAAM,SAAS,WAClB,KAAI;EACF,MAAM,iBAAiB,kBAAkB;EACzC,MAAM,QAAQ,GAAG,eAAe,GAAG;EACnC,MAAM,OAAO,QAAQ,OAAO;EAC5B,MAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW;EACrD,MAAM,QAAQ,IAAI,WAAW;AAC7B,SAAO,KAAK,MAAM,KAAK;SACjB;EACN,MAAM,QAAQ,QAAQ,OAAO,MAAM;AACnC,SAAO,KAAK,MAAM,KAAK;;AAI3B,QAAO;;;;;;AAOT,eAAsB,sBAAsB,eAA0B,gBAGnE;CACD,MAAM,YAAY,YAAY;CAE9B,MAAM,iBAAiB,kBAAkB,IAAI,KAAI,MAAK,EAAE,QAAQ,QAAO,MAAK,EAAE,SAAS;CACvF,MAAM,kBAAkB,cAAc,IAAI;CAC1C,MAAM,sBAAsB,MAAM,mBAAmB,gBAAgB;CAErE,MAAMC,QAA8B,oBAAoB,KAAK,WAAW,SAAS;EAC/E,SAAS,WAAW;EACpB,OAAO,gBAAgB;;AAGzB,EAAM,YAAY;AAChB,MAAI;AACF,SAAM,iBAAiB,qBAAqB,WAAW;WAChD,OAAO;AACd,WAAQ,KAAK,2DAA2D;;;AAI5E,QAAO;EAAE,QAAQ;EAAqB;;;AAGxC,eAAsB,uBAAuB,eAA0D;AACrG,QAAO,iBAAiB,kBAAkB~~;;;;;;;~~CA7F/B,qBAAqB,UAA0B;EAC1D,MAAM,MAAM,OAAO,SAAS,IAAI;AAChC,MAAI,CAAC,IAAK,QAAO;EAGjB,MAAM,oBAAoB,IAAI,QAAQ,uBAAuB,IAAI;EAEjE,MAAM,aACJ;EAIF,MAAM,aAAa,kBAAkB,MAAM;EAC3C,MAAM,aAAa,CACjB,aAAa,IACb,mBACA,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS;AAEjE,OAAK,MAAM,aAAa,YAAY;GAClC,MAAM,UAAU,UAAU,QAAQ,gBAAgB;GAClD,MAAM,QAAQ,QAAQ,MAAM;AAC5B,OAAI,QAAQ,GACV,QAAO,MAAM,GAAG,OAAO;;AAI3B,SAAO,kBAAkB;;CAGd,cAAc,UAAyC;EAClE,MAAM,MAAM,iBAAiB,aAAa,QAAQ,WAAW,KAAK;AAClE,SAAO,KAAK,MAAM,KAAK,KACpB,KAAI,MAAK,EAAE,SAAS,IAAI,SAAS,GAAG,MACpC,KAAK"}
1	+ {"version":3,"file":"index.js","names":["hashed: number[][]","pairs: RecoveryEmailEntry[]"],"sources":["../../../../../../../src/core/EmailRecovery/index.ts"],"sourcesContent":["import type { AccountId } from '../types/accountIds';\nimport { toAccountId } from '../types/accountIds';\nimport { IndexedDBManager, type RecoveryEmailRecord } from '../IndexedDBManager';\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport { base64Decode } from '../../utils/base64';\nexport { EmailRecoveryPendingStore, type PendingStore } from './emailRecoveryPendingStore';\n\nexport type RecoveryEmailEntry = {\n hashHex: string;\n email: string;\n};\n\nexport { type RecoveryEmailRecord };\n\nexport type LinkDeviceRegisterUserResponse = {\n verified?: boolean;\n registration_info?: unknown;\n registrationInfo?: unknown;\n error?: unknown;\n};\n\nfunction getTxSuccessValueBase64(outcome: FinalExecutionOutcome): string \| null {\n const status = outcome.status;\n if (!status \|\| typeof status !== 'object') return null;\n if (!('SuccessValue' in status)) return null;\n const value = status.SuccessValue;\n return typeof value === 'string' && value.length > 0 ? value : null;\n}\n\nexport function parseLinkDeviceRegisterUserResponse(\n outcome: FinalExecutionOutcome\n): LinkDeviceRegisterUserResponse \| null {\n try {\n const successValueB64 = getTxSuccessValueBase64(outcome);\n if (!successValueB64) return null;\n\n const bytes = base64Decode(successValueB64);\n const text = new TextDecoder().decode(bytes);\n if (!text.trim()) return null;\n\n const parsed = JSON.parse(text) as unknown;\n if (!parsed \|\| typeof parsed !== 'object') return null;\n const candidate = parsed as LinkDeviceRegisterUserResponse;\n return typeof candidate.verified === 'boolean' ? candidate : null;\n } catch {\n return null;\n }\n}\n\nexport const canonicalizeEmail = (email: string): string => {\n const raw = String(email \|\| '').trim();\n if (!raw) return '';\n\n // Handle cases where a full header line is passed in (e.g. \"From: ...\").\n const withoutHeaderName = raw.replace(/^[a-z0-9-]+\\s:\\s/i, '').trim();\n\n const emailRegex =\n /([a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))/;\n\n // Prefer the common \"Name <email@domain>\" format when present, but still\n // validate/extract the actual address via regex.\n const angleMatch = withoutHeaderName.match(/<([^>]+)>/);\n const candidates = [\n angleMatch?.[1],\n withoutHeaderName,\n ].filter((v): v is string => typeof v === 'string' && v.length > 0);\n\n for (const candidate of candidates) {\n const cleaned = candidate.replace(/^mailto:\\s/i, '');\n const match = cleaned.match(emailRegex);\n if (match?.[1]) {\n return match[1].trim().toLowerCase();\n }\n }\n\n return withoutHeaderName.toLowerCase();\n};\n\nexport const bytesToHex = (bytes: number[] \| Uint8Array): string => {\n const arr = bytes instanceof Uint8Array ? bytes : Uint8Array.from(bytes);\n return `0x${Array.from(arr)\n .map(b => b.toString(16).padStart(2, '0'))\n .join('')}`;\n};\n\nasync function hashRecoveryEmails(emails: string[], accountId: AccountId): Promise<number[][]> {\n const encoder = new TextEncoder();\n const salt = (accountId \|\| '').trim().toLowerCase();\n const normalized = (emails \|\| [])\n .map(e => e.trim())\n .filter(e => e.length > 0);\n\n const hashed: number[][] = [];\n\n for (const email of normalized) {\n try {\n const canonicalEmail = canonicalizeEmail(email);\n const input = `${canonicalEmail}\|${salt}`;\n const data = encoder.encode(input);\n const digest = await crypto.subtle.digest('SHA-256', data);\n const bytes = new Uint8Array(digest);\n hashed.push(Array.from(bytes));\n } catch {\n const bytes = encoder.encode(email.toLowerCase());\n hashed.push(Array.from(bytes));\n }\n }\n\n return hashed;\n}\n\n/\n Canonicalize and hash recovery emails for an account, and persist the mapping\n * (hashHex → canonical email) in IndexedDB on a best-effort basis.\n */\nexport async function prepareRecoveryEmails(nearAccountId: AccountId, recoveryEmails: string[]): Promise<{\n hashes: number[][];\n pairs: RecoveryEmailEntry[];\n}> {\n const accountId = toAccountId(nearAccountId);\n\n const trimmedEmails = (recoveryEmails \|\| []).map(e => e.trim()).filter(e => e.length > 0);\n const canonicalEmails = trimmedEmails.map(canonicalizeEmail);\n const recoveryEmailHashes = await hashRecoveryEmails(recoveryEmails, accountId);\n\n const pairs: RecoveryEmailEntry[] = recoveryEmailHashes.map((hashBytes, idx) => ({\n hashHex: bytesToHex(hashBytes),\n email: canonicalEmails[idx],\n }));\n\n void (async () => {\n try {\n await IndexedDBManager.upsertRecoveryEmails(accountId, pairs);\n } catch (error) {\n console.warn('[EmailRecovery] Failed to persist local recovery emails', error);\n }\n })();\n\n return { hashes: recoveryEmailHashes, pairs };\n}\n\nexport async function getLocalRecoveryEmails(nearAccountId: AccountId): Promise<RecoveryEmailRecord[]> {\n return IndexedDBManager.getRecoveryEmails(nearAccountId);\n}\n"],"mappings":";;;;;;;AAqBA,SAAS,wBAAwB,SAA+C;CAC9E,MAAM,SAAS,QAAQ;AACvB,KAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;AAClD,KAAI,EAAE,kBAAkB,QAAS,QAAO;CACxC,MAAM,QAAQ,OAAO;AACrB,QAAO,OAAO,UAAU,YAAY,MAAM,SAAS,IAAI,QAAQ;;AAGjE,SAAgB,oCACd,SACuC;AACvC,KAAI;EACF,MAAM,kBAAkB,wBAAwB;AAChD,MAAI,CAAC,gBAAiB,QAAO;EAE7B,MAAM,QAAQ,aAAa;EAC3B,MAAM,OAAO,IAAI,cAAc,OAAO;AACtC,MAAI,CAAC,KAAK,OAAQ,QAAO;EAEzB,MAAM,SAAS,KAAK,MAAM;AAC1B,MAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;EAClD,MAAM,YAAY;AAClB,SAAO,OAAO,UAAU,aAAa,YAAY,YAAY;SACvD;AACN,SAAO;;;AAwCX,eAAe,mBAAmB,QAAkB,WAA2C;CAC7F,MAAM,UAAU,IAAI;CACpB,MAAM,QAAQ,aAAa,IAAI,OAAO;CACtC,MAAM,cAAc,UAAU,IAC3B,KAAI,MAAK,EAAE,QACX,QAAO,MAAK,EAAE,SAAS;CAE1B,MAAMA,SAAqB;AAE3B,MAAK,MAAM,SAAS,WAClB,KAAI;EACF,MAAM,iBAAiB,kBAAkB;EACzC,MAAM,QAAQ,GAAG,eAAe,GAAG;EACnC,MAAM,OAAO,QAAQ,OAAO;EAC5B,MAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW;EACrD,MAAM,QAAQ,IAAI,WAAW;AAC7B,SAAO,KAAK,MAAM,KAAK;SACjB;EACN,MAAM,QAAQ,QAAQ,OAAO,MAAM;AACnC,SAAO,KAAK,MAAM,KAAK;;AAI3B,QAAO;;;;;;AAOT,eAAsB,sBAAsB,eAA0B,gBAGnE;CACD,MAAM,YAAY,YAAY;CAE9B,MAAM,iBAAiB,kBAAkB,IAAI,KAAI,MAAK,EAAE,QAAQ,QAAO,MAAK,EAAE,SAAS;CACvF,MAAM,kBAAkB,cAAc,IAAI;CAC1C,MAAM,sBAAsB,MAAM,mBAAmB,gBAAgB;CAErE,MAAMC,QAA8B,oBAAoB,KAAK,WAAW,SAAS;EAC/E,SAAS,WAAW;EACpB,OAAO,gBAAgB;;AAGzB,EAAM,YAAY;AAChB,MAAI;AACF,SAAM,iBAAiB,qBAAqB,WAAW;WAChD,OAAO;AACd,WAAQ,KAAK,2DAA2D;;;AAI5E,QAAO;EAAE,QAAQ;EAAqB;;;AAGxC,eAAsB,uBAAuB,eAA0D;AACrG,QAAO,iBAAiB,kBAAkB;;;;;;;;CA7F/B,qBAAqB,UAA0B;EAC1D,MAAM,MAAM,OAAO,SAAS,IAAI;AAChC,MAAI,CAAC,IAAK,QAAO;EAGjB,MAAM,oBAAoB,IAAI,QAAQ,uBAAuB,IAAI;EAEjE,MAAM,aACJ;EAIF,MAAM,aAAa,kBAAkB,MAAM;EAC3C,MAAM,aAAa,CACjB,aAAa,IACb,mBACA,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS;AAEjE,OAAK,MAAM,aAAa,YAAY;GAClC,MAAM,UAAU,UAAU,QAAQ,gBAAgB;GAClD,MAAM,QAAQ,QAAQ,MAAM;AAC5B,OAAI,QAAQ,GACV,QAAO,MAAM,GAAG,OAAO;;AAI3B,SAAO,kBAAkB;;CAGd,cAAc,UAAyC;EAClE,MAAM,MAAM,iBAAiB,aAAa,QAAQ,WAAW,KAAK;AAClE,SAAO,KAAK,MAAM,KAAK,KACpB,KAAI,MAAK,EAAE,SAAS,IAAI,SAAS,GAAG,MACpC,KAAK"}

package/dist/esm/react/sdk/src/core/TatchiPasskey/emailRecovery.js CHANGED Viewed

@@ -3,12 +3,16 @@ import { init_validation, validateNearAccountId } from "../../utils/validation.j
 import { init_accountIds, toAccountId } from "../types/accountIds.js";
 import { IndexedDBManager, init_IndexedDBManager } from "../IndexedDBManager/index.js";
 import { createRandomVRFChallenge, init_vrf_worker } from "../types/vrf-worker.js";
+import { errorMessage, init_errors } from "../../utils/errors.js";
 import { EmailRecoveryPhase, EmailRecoveryStatus, init_sdkSentEvents } from "../types/sdkSentEvents.js";
 import { DEFAULT_WAIT_STATUS, init_rpc } from "../types/rpc.js";
+import { getEmailRecoveryAttempt, init_rpcCalls } from "../rpcCalls.js";
 import { init_getDeviceNumber, parseDeviceNumber } from "../WebAuthnManager/SignerWorkerManager/getDeviceNumber.js";
+import { ensureEd25519Prefix, init_nearCrypto } from "../nearCrypto.js";
 import { getLoginSession, init_login } from "./login.js";
 import { EmailRecoveryPendingStore } from "../EmailRecovery/emailRecoveryPendingStore.js";
-import { init_EmailRecovery } from "../EmailRecovery/index.js";
+import { init_EmailRecovery, parseLinkDeviceRegisterUserResponse } from "../EmailRecovery/index.js";
+import { EmailRecoveryError, EmailRecoveryErrorCode, init_emailRecovery as init_emailRecovery$1 } from "../types/emailRecovery.js";
 //#region src/core/TatchiPasskey/emailRecovery.ts
 var emailRecovery_exports = {};
@@ -23,16 +27,12 @@ function getEmailRecoveryConfig(configs) {
 	const maxPollingDurationMs = Number(relayerEmailCfg.maxPollingDurationMs);
 	const pendingTtlMs = Number(relayerEmailCfg.pendingTtlMs);
 	const mailtoAddress = String(relayerEmailCfg.mailtoAddress);
-	const dkimVerifierAccountId = String(relayerEmailCfg.dkimVerifierAccountId);
-	const verificationViewMethod = String(relayerEmailCfg.verificationViewMethod);
 	return {
 		minBalanceYocto,
 		pollingIntervalMs,
 		maxPollingDurationMs,
 		pendingTtlMs,
-		mailtoAddress,
-		dkimVerifierAccountId,
-		verificationViewMethod
+		mailtoAddress
 	};
 }
 function generateEmailRecoveryRequestId() {
@@ -48,6 +48,7 @@ var EmailRecoveryFlow;
 var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (() => {
 	init_IndexedDBManager();
 	init_validation();
+	init_errors();
 	init_accountIds();
 	init_sdkSentEvents();
 	init_vrf_worker();
@@ -55,6 +56,9 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 	init_getDeviceNumber();
 	init_login();
 	init_EmailRecovery();
+	init_emailRecovery$1();
+	init_rpcCalls();
+	init_nearCrypto();
 	EmailRecoveryFlow = class {
 		context;
 		options;
@@ -82,8 +86,9 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 		emit(event) {
 			this.options?.onEvent?.(event);
 		}
-		emitError(step, message) {
-			const err = new Error(message);
+		emitError(step, messageOrError) {
+			const err = typeof messageOrError === "string" ? new Error(messageOrError) : messageOrError;
+			const message = err.message || (typeof messageOrError === "string" ? messageOrError : "Unknown error");
 			this.phase = EmailRecoveryPhase.ERROR;
 			this.error = err;
 			this.emit({
@@ -142,20 +147,19 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				const accountView = await this.context.nearClient.viewAccount(nearAccountId);
 				const available = this.computeAvailableBalance(accountView);
 				if (available < BigInt(minBalanceYocto)) await this.fail(1, `This account does not have enough NEAR to finalize recovery. Available: ${available.toString()} yocto; required: ${String(minBalanceYocto)}. Please top up and try again.`);
-			} catch (e) {
-				await this.fail(1, e?.message || "Failed to fetch account balance for recovery");
+			} catch (err) {
+				await this.fail(1, errorMessage(err) || "Failed to fetch account balance for recovery");
 			}
 		}
-		async getCanonicalRecoveryEmailOrFail(recoveryEmail) {
+		getCanonicalRecoveryEmail(recoveryEmail) {
 			const canonicalEmail = String(recoveryEmail || "").trim().toLowerCase();
-			if (!canonicalEmail) await this.fail(1, "Recovery email is required for email-based account recovery");
-			return canonicalEmail;
+			return canonicalEmail || void 0;
 		}
 		async getNextDeviceNumberFromContract(nearAccountId) {
 			try {
 				const { syncAuthenticatorsContractCall } = await import("../rpcCalls.js");
 				const authenticators = await syncAuthenticatorsContractCall(this.context.nearClient, this.context.configs.contractId, nearAccountId);
-				const numbers = authenticators.map((a) => a?.authenticator?.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
+				const numbers = authenticators.map(({ authenticator }) => authenticator.deviceNumber).filter((n) => typeof n === "number" && Number.isFinite(n));
 				const max = numbers.length > 0 ? Math.max(...numbers) : 0;
 				return max + 1;
 			} catch {
@@ -207,7 +211,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				message: "New device key created; please send the recovery email from your registered address.",
 				data: {
 					accountId: rec.accountId,
-					recoveryEmail: rec.recoveryEmail,
+					...rec.recoveryEmail ? { recoveryEmail: rec.recoveryEmail } : {},
 					nearPublicKey: rec.nearPublicKey,
 					requestId: rec.requestId,
 					mailtoUrl
@@ -223,44 +227,57 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				data
 			});
 		}
-		async checkViaDkimViewMethod(rec) {
-			const { dkimVerifierAccountId, verificationViewMethod } = this.getConfig();
-			if (!dkimVerifierAccountId) return null;
+		async checkViaEmailRecovererAttempt(rec) {
 			try {
-				const { getEmailRecoveryVerificationResult } = await import("../rpcCalls.js");
-				const result = await getEmailRecoveryVerificationResult(this.context.nearClient, dkimVerifierAccountId, verificationViewMethod, rec.requestId);
-				if (!result) return {
+				const attempt = await getEmailRecoveryAttempt(this.context.nearClient, rec.accountId, rec.requestId);
+				if (!attempt) return {
 					completed: false,
-					success: false
+					success: false,
+					missing: true
 				};
-				if (!result.verified) {
-					const errorMessage = result.error_message || result.error_code || "Email verification failed on relayer/contract";
-					return {
+				if (attempt.request_id && attempt.request_id !== rec.requestId) return {
+					completed: true,
+					success: false,
+					errorMessage: "Email recovery attempt request_id does not match requested requestId."
+				};
+				if (attempt.new_public_key && attempt.new_public_key !== rec.nearPublicKey) {
+					const expected = ensureEd25519Prefix(rec.nearPublicKey);
+					const actual = ensureEd25519Prefix(attempt.new_public_key);
+					if (actual === expected) {} else return {
 						completed: true,
 						success: false,
-						errorMessage,
-						transactionHash: result.transaction_hash
+						errorMessage: `Email recovery new_public_key mismatch for request ${rec.requestId}. Expected ${expected}; got ${actual}. This usually means the recovery email you sent was generated for a different device/attempt.`
 					};
 				}
-				if (result.account_id && result.account_id !== rec.accountId) return {
+				const normalized = attempt.status.toLowerCase();
+				if (normalized === "complete" || normalized === "completed") return {
 					completed: true,
-					success: false,
-					errorMessage: "Email verification account_id does not match requested account.",
-					transactionHash: result.transaction_hash
+					success: true
 				};
-				if (result.new_public_key && result.new_public_key !== rec.nearPublicKey) return {
+				if (normalized.includes("failed")) return {
 					completed: true,
 					success: false,
-					errorMessage: "Email verification new_public_key does not match expected recovery key.",
-					transactionHash: result.transaction_hash
+					errorMessage: attempt.error || `Email recovery failed (${attempt.status || "unknown status"})`
 				};
 				return {
-					completed: true,
-					success: true,
-					transactionHash: result.transaction_hash
+					completed: false,
+					success: false
 				};
 			} catch (err) {
-				console.warn("[EmailRecoveryFlow] get_verification_result view failed; will retry", err);
+				console.warn("[EmailRecoveryFlow] get_recovery_attempt view failed; will retry", err);
+				return null;
+			}
+		}
+		async isRecoveryAccessKeyPresent(rec) {
+			try {
+				await this.context.nearClient.viewAccessKey(rec.accountId, rec.nearPublicKey);
+				return true;
+			} catch (err) {
+				const kind = typeof err?.kind === "string" ? String(err.kind) : "";
+				const short = typeof err?.short === "string" ? String(err.short) : "";
+				const msg = typeof err?.message === "string" ? String(err.message) : "";
+				if (/AccessKeyDoesNotExist/i.test(kind) || /AccessKeyDoesNotExist/i.test(short) || /access key does not exist/i.test(msg) || /access key .*does not exist/i.test(msg)) return false;
+				console.warn("[EmailRecoveryFlow] view_access_key failed while checking recovery key; will retry", err);
 				return null;
 			}
 		}
@@ -369,7 +386,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			});
 			const nearAccountId = await this.assertValidAccountIdOrFail(1, accountId);
 			await this.assertSufficientBalance(nearAccountId);
-			const canonicalEmail = await this.getCanonicalRecoveryEmailOrFail(recoveryEmail);
+			const canonicalEmail = this.getCanonicalRecoveryEmail(recoveryEmail);
 			const deviceNumber = await this.getNextDeviceNumberFromContract(nearAccountId);
 			this.phase = EmailRecoveryPhase.STEP_2_TOUCH_ID_REGISTRATION;
 			this.emit({
@@ -403,7 +420,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 					nearPublicKey: rec.nearPublicKey
 				};
 			} catch (e) {
-				const err = this.emitError(2, e?.message || "Email recovery TouchID/derivation failed");
+				const err = this.emitError(2, errorMessage(e) || "Email recovery TouchID/derivation failed");
 				await this.options?.afterCall?.(false);
 				throw err;
 			}
@@ -500,29 +517,39 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			await this.options?.afterCall?.(true, void 0);
 		}
 		async pollUntilAddKey(rec) {
-			const { pollingIntervalMs, maxPollingDurationMs, dkimVerifierAccountId } = this.getConfig();
-			if (!dkimVerifierAccountId) {
-				const err$1 = this.emitError(4, "Email recovery verification contract (dkimVerifierAccountId) is not configured");
-				await this.options?.afterCall?.(false);
-				throw err$1;
-			}
+			const { pollingIntervalMs, maxPollingDurationMs } = this.getConfig();
 			this.phase = EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT;
 			this.pollingStartedAt = Date.now();
+			let sawAttempt = false;
 			const pollResult = await this.pollUntil({
 				intervalMs: pollingIntervalMs,
 				timeoutMs: maxPollingDurationMs,
 				isCancelled: () => this.cancelled,
 				tick: async ({ elapsedMs, pollCount }) => {
-					const verification = await this.checkViaDkimViewMethod(rec);
-					const completed = verification?.completed === true;
-					const success = verification?.success === true;
+					const verification = await this.checkViaEmailRecovererAttempt(rec);
+					if (verification && !verification.missing) sawAttempt = true;
+					let completed = verification?.completed === true;
+					let success = verification?.success === true;
+					let errorMessage$1 = verification?.errorMessage;
+					let transactionHash;
+					if (verification?.missing) {
+						const hasKey = await this.isRecoveryAccessKeyPresent(rec);
+						if (hasKey === true) {
+							completed = true;
+							success = true;
+						} else if (hasKey === false && sawAttempt) {
+							completed = true;
+							success = false;
+							errorMessage$1 = "Email recovery attempt was cleared on-chain before completion. Please resend the recovery email or restart the flow.";
+						} else if (hasKey === null) return { done: false };
+					}
 					this.emit({
 						step: 4,
 						phase: EmailRecoveryPhase.STEP_4_POLLING_VERIFICATION_RESULT,
 						status: EmailRecoveryStatus.PROGRESS,
-						message: completed && success ? `Email verified for request ${rec.requestId}; finalizing registration` : `Waiting for email verification for request ${rec.requestId}`,
+						message: completed && success ? `Email recovery completed for request ${rec.requestId}; finalizing registration` : `Waiting for email recovery for request ${rec.requestId}`,
 						data: this.buildPollingEventData(rec, {
-							transactionHash: verification?.transactionHash,
+							transactionHash,
 							elapsedMs,
 							pollCount
 						})
@@ -532,7 +559,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 						done: true,
 						value: {
 							outcome: "failed",
-							errorMessage: verification?.errorMessage || "Email verification failed"
+							errorMessage: errorMessage$1 || "Email recovery failed"
 						}
 					};
 					return {
@@ -573,7 +600,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				accountId
 			};
 		}
-		async signRegistrationTx(rec, accountId) {
+		async signNewDevice2RegistrationTx(rec, accountId) {
 			const vrfChallenge = rec.vrfChallenge;
 			if (!vrfChallenge) return this.fail(5, "Missing VRF challenge for email recovery registration");
 			const registrationResult = await this.context.webAuthnManager.signDevice2RegistrationWithStoredKey({
@@ -587,28 +614,56 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			return registrationResult.signedTransaction;
 		}
 		async broadcastRegistrationTxAndWaitFinal(rec, signedTx) {
+			let txResult;
 			try {
-				const txResult = await this.context.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.linkDeviceRegistration);
-				try {
-					const txHash = txResult?.transaction?.hash || txResult?.transaction_hash;
-					if (txHash) this.emit({
-						step: 5,
-						phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
-						status: EmailRecoveryStatus.PROGRESS,
-						message: "Registration transaction confirmed",
-						data: {
-							accountId: rec.accountId,
-							nearPublicKey: rec.nearPublicKey,
-							transactionHash: txHash
-						}
-					});
-					return txHash;
-				} catch {}
-			} catch (e) {
-				const msg = String(e?.message || "");
-				await this.fail(5, msg || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)");
+				txResult = await this.context.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.linkDeviceRegistration);
+			} catch (err) {
+				const msg = errorMessage(err) || "Failed to broadcast email recovery registration transaction (insufficient funds or RPC error)";
+				throw new Error(msg);
+			}
+			const txHash = this.getTxHash(txResult);
+			const linkDeviceResult = parseLinkDeviceRegisterUserResponse(txResult);
+			if (linkDeviceResult?.verified === false) {
+				const logs = this.extractNearExecutionLogs(txResult);
+				const isStaleChallenge = logs.some((log) => /StaleChallenge|freshness validation failed/i.test(log));
+				const txHint = txHash ? ` (tx: ${txHash})` : "";
+				const code = isStaleChallenge ? EmailRecoveryErrorCode.VRF_CHALLENGE_EXPIRED : EmailRecoveryErrorCode.REGISTRATION_NOT_VERIFIED;
+				const message = isStaleChallenge ? `Timed out finalizing registration (VRF challenge expired). Please restart email recovery and try again${txHint}.` : `Registration did not verify on-chain. Please try again${txHint}.`;
+				throw new EmailRecoveryError(message, code, {
+					accountId: rec.accountId,
+					nearPublicKey: rec.nearPublicKey,
+					transactionHash: txHash,
+					logs,
+					result: linkDeviceResult
+				});
+			}
+			if (txHash) this.emit({
+				step: 5,
+				phase: EmailRecoveryPhase.STEP_5_FINALIZING_REGISTRATION,
+				status: EmailRecoveryStatus.PROGRESS,
+				message: "Registration transaction confirmed",
+				data: {
+					accountId: rec.accountId,
+					nearPublicKey: rec.nearPublicKey,
+					transactionHash: txHash
+				}
+			});
+			return txHash;
+		}
+		getTxHash(outcome) {
+			const txUnknown = outcome.transaction;
+			if (txUnknown && typeof txUnknown === "object") {
+				const hash = txUnknown.hash;
+				if (typeof hash === "string" && hash.length > 0) return hash;
 			}
-			return void 0;
+			const fallback = outcome.transaction_hash;
+			return typeof fallback === "string" && fallback.length > 0 ? fallback : void 0;
+		}
+		extractNearExecutionLogs(outcome) {
+			const logs = [];
+			for (const entry of outcome.transaction_outcome.outcome.logs) logs.push(String(entry));
+			for (const receipt of outcome.receipts_outcome) for (const entry of receipt.outcome.logs) logs.push(String(entry));
+			return logs;
 		}
 		mapAuthenticatorsFromContract(authenticators) {
 			return authenticators.map(({ authenticator }) => ({
@@ -644,7 +699,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 		}
 		async updateNonceBestEffort(nonceManager, signedTx) {
 			try {
-				const txNonce = signedTx.transaction?.nonce;
+				const txNonce = signedTx.transaction.nonce;
 				if (txNonce != null) await nonceManager.updateNonceFromBlockchain(this.context.nearClient, String(txNonce));
 			} catch {}
 		}
@@ -760,7 +815,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			} catch (err) {
 				return {
 					success: false,
-					reason: err?.message || String(err)
+					reason: errorMessage(err) || String(err)
 				};
 			}
 		}
@@ -788,7 +843,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 			});
 			try {
 				const { nonceManager, accountId } = this.initializeNonceManager(rec);
-				const signedTx = await this.signRegistrationTx(rec, accountId);
+				const signedTx = await this.signNewDevice2RegistrationTx(rec, accountId);
 				const txHash = await this.broadcastRegistrationTxAndWaitFinal(rec, signedTx);
 				if (!txHash) console.warn("[EmailRecoveryFlow] Registration transaction confirmed without hash; continuing local persistence");
 				await this.persistRecoveredUserData(rec, accountId);
@@ -816,7 +871,10 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 					}
 				});
 			} catch (e) {
-				const err = this.emitError(5, e?.message || "Email recovery finalization failed");
+				rec.status = "error";
+				await this.savePending(rec).catch(() => {});
+				const original = e instanceof Error ? e : new Error(errorMessage(e) || "Email recovery finalization failed");
+				const err = this.emitError(5, original);
 				await this.options?.afterCall?.(false);
 				throw err;
 			}
@@ -838,7 +896,7 @@ var init_emailRecovery = __esm({ "src/core/TatchiPasskey/emailRecovery.ts": (()
 				};
 				return this.handleAutoLoginFailure(touchIdResult.reason || "Auto-login failed");
 			} catch (err) {
-				return this.handleAutoLoginFailure(err?.message || String(err), err);
+				return this.handleAutoLoginFailure(errorMessage(err) || String(err), err);
 			}
 		}
 	};