@tatchi-xyz/sdk 0.20.0 → 0.21.0

package/dist/cjs/react/components/PasskeyAuthMenu/ui/EmailRecoverySlide.js

@@ -1,6 +1,6 @@
 const require_rolldown_runtime = require('../../../_virtual/rolldown_runtime.js');
-const require_accountIds = require('../../../sdk/src/core/types/accountIds.js');
-const require_index = require('../../../sdk/src/core/IndexedDBManager/index.js');
+const require_sdkSentEvents = require('../../../sdk/src/core/types/sdkSentEvents.js');
+const require_index = require('../../../sdk/src/core/EmailRecovery/index.js');
 const require_emailRecovery = require('../../../sdk/src/core/types/emailRecovery.js');
 let react = require("react");
 react = require_rolldown_runtime.__toESM(react);
@@ -8,9 +8,20 @@ let react_jsx_runtime = require("react/jsx-runtime");
 react_jsx_runtime = require_rolldown_runtime.__toESM(react_jsx_runtime);
 
 //#region src/react/components/PasskeyAuthMenu/ui/EmailRecoverySlide.tsx
-require_index.init_IndexedDBManager();
-require_accountIds.init_accountIds();
+require_sdkSentEvents.init_sdkSentEvents();
 require_emailRecovery.init_emailRecovery();
+require_index.init_EmailRecovery();
+async function hashRecoveryEmailForAccountHex(args) {
+	const salt = String(args.accountId || "").trim().toLowerCase();
+	if (!salt) return null;
+	const canonical = require_index.canonicalizeEmail(String(args.recoveryEmail || ""));
+	if (!canonical || !canonical.includes("@")) return null;
+	if (typeof crypto === "undefined" || !crypto.subtle) return null;
+	const input = `${canonical}|${salt}`;
+	const bytes = new TextEncoder().encode(input);
+	const digest = await crypto.subtle.digest("SHA-256", bytes);
+	return require_index.bytesToHex(new Uint8Array(digest));
+}
 function getEmailRecoveryErrorCode(err) {
 	const code = err?.code;
 	if (typeof code !== "string") return null;
@@ -18,6 +29,11 @@ function getEmailRecoveryErrorCode(err) {
 }
 function getEmailRecoveryUiError(err) {
 	const fallback = err instanceof Error ? err.message : String(err || "");
+	const normalizedFallback = fallback.trim().toLowerCase();
+	if (normalizedFallback.includes("recovery email is required")) return {
+		message: fallback || "Recovery email is required for email-based account recovery. Make sure you send the email from your configured recovery email address.",
+		canRestart: true
+	};
 	const code = getEmailRecoveryErrorCode(err);
 	switch (code) {
 		case require_emailRecovery.EmailRecoveryErrorCode.VRF_CHALLENGE_EXPIRED: return {
@@ -34,6 +50,19 @@ function getEmailRecoveryUiError(err) {
 		};
 	}
 }
+function getEmailRecoveryErrorTxHash(err) {
+	const carrier = err;
+	const ctx = carrier?.context && typeof carrier.context === "object" ? carrier.context : null;
+	const details = carrier?.details && typeof carrier.details === "object" ? carrier.details : null;
+	const source = ctx ?? details;
+	if (!source) return null;
+	const txHash = source.transactionHash;
+	return typeof txHash === "string" && txHash.trim().length > 0 ? txHash.trim() : null;
+}
+function asRecord(value) {
+	if (!value || typeof value !== "object") return null;
+	return value;
+}
 const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, emailRecoveryOptions }) => {
 	const mountedRef = react.default.useRef(true);
 	const mailtoAttemptTimerRef = react.default.useRef(null);
@@ -50,7 +79,6 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 	}, []);
 	const [isBusy, setIsBusy] = react.default.useState(false);
 	const [accountIdInput, setAccountIdInput] = react.default.useState("");
-	const [recoveryEmailInput, setRecoveryEmailInput] = react.default.useState("");
 	const [pendingMailtoUrl, setPendingMailtoUrl] = react.default.useState(null);
 	const [pendingNearPublicKey, setPendingNearPublicKey] = react.default.useState(null);
 	const [mailtoUiState, setMailtoUiState] = react.default.useState("ready");
@@ -62,9 +90,11 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 	const [accountInfoLoading, setAccountInfoLoading] = react.default.useState(false);
 	const [accountInfoError, setAccountInfoError] = react.default.useState(null);
 	const [localRecoveryEmails, setLocalRecoveryEmails] = react.default.useState([]);
+	const [recoveryEmailRecords, setRecoveryEmailRecords] = react.default.useState([]);
+	const [recoveryEmailInput, setRecoveryEmailInput] = react.default.useState("");
+	const [recoveryEmailMatchStatus, setRecoveryEmailMatchStatus] = react.default.useState("empty");
 	const [explorerToast, setExplorerToast] = react.default.useState(null);
 	const lastPrefilledAccountIdRef = react.default.useRef("");
-	const lastPrefilledRecoveryEmailRef = react.default.useRef("");
 	react.default.useEffect(() => {
 		const next = (accountId || "").trim();
 		if (!next) return;
@@ -85,6 +115,9 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 		setAccountInfo(null);
 		setAccountInfoError(null);
 		setLocalRecoveryEmails([]);
+		setRecoveryEmailRecords([]);
+		setRecoveryEmailInput("");
+		setRecoveryEmailMatchStatus("empty");
 		setExplorerToast(null);
 		if (mailtoAttemptTimerRef.current != null) {
 			window.clearTimeout(mailtoAttemptTimerRef.current);
@@ -108,14 +141,16 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 	const safeSetAccountInfoLoading = react.default.useMemo(() => safeSet(setAccountInfoLoading), []);
 	const safeSetAccountInfoError = react.default.useMemo(() => safeSet(setAccountInfoError), []);
 	const safeSetLocalRecoveryEmails = react.default.useMemo(() => safeSet(setLocalRecoveryEmails), []);
+	const safeSetRecoveryEmailRecords = react.default.useMemo(() => safeSet(setRecoveryEmailRecords), []);
+	const safeSetRecoveryEmailMatchStatus = react.default.useMemo(() => safeSet(setRecoveryEmailMatchStatus), []);
 	const safeSetExplorerToast = react.default.useMemo(() => safeSet(setExplorerToast), []);
 	const safeSetMailtoUiState = react.default.useMemo(() => safeSet(setMailtoUiState), []);
 	const onEvent = react.default.useCallback((ev) => {
 		if (cancelRequestedRef.current) return;
 		safeSetStatusText(ev?.message || null);
 		emailRecoveryOptions?.onEvent?.(ev);
-		const data = ev?.data || {};
-		const rawTxHash = data?.transactionHash ?? data?.transaction_hash;
+		const data = "data" in ev ? asRecord(ev.data) : null;
+		const rawTxHash = data?.["transactionHash"] ?? data?.["transaction_hash"];
 		const txHash = typeof rawTxHash === "string" ? rawTxHash.trim() : "";
 		if (txHash) {
 			const base = String(tatchiPasskey.configs?.nearExplorerUrl || "https://testnet.nearblocks.io").replace(/\/$/, "");
@@ -125,13 +160,13 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 				transactionHash: txHash
 			});
 		}
-		const elapsedRaw = data?.elapsedMs ?? data?.elapsed_ms;
+		const elapsedRaw = data?.["elapsedMs"] ?? data?.["elapsed_ms"];
 		if (elapsedRaw == null) safeSetPollingElapsedMs(null);
 		const elapsed = elapsedRaw == null ? NaN : Number(elapsedRaw);
 		if (!Number.isNaN(elapsed)) safeSetPollingElapsedMs(elapsed);
-		if (ev?.phase === "email-recovery-error" || ev?.status === "error") {
-			const raw = ev?.error || ev?.message || "Email recovery failed";
-			safeSetErrorText(String(raw));
+		if (ev.phase === require_sdkSentEvents.EmailRecoveryPhase.ERROR || ev.status === require_sdkSentEvents.EmailRecoveryStatus.ERROR) {
+			const raw = "error" in ev ? ev.error : ev.message;
+			safeSetErrorText(raw || "Email recovery failed");
 			safeSetCanRestart(false);
 		}
 	}, [
@@ -153,6 +188,16 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 			accountId: normalized
 		});
 	}, [safeSetExplorerToast, tatchiPasskey]);
+	const showExplorerTxToast = react.default.useCallback((txHash) => {
+		const normalized = (txHash || "").trim();
+		if (!normalized) return;
+		const base = String(tatchiPasskey.configs?.nearExplorerUrl || "https://testnet.nearblocks.io").replace(/\/$/, "");
+		const url = base.includes("nearblocks.io") ? `${base}/txns/${normalized}` : `${base}/transactions/${normalized}`;
+		safeSetExplorerToast({
+			url,
+			transactionHash: normalized
+		});
+	}, [safeSetExplorerToast, tatchiPasskey]);
 	const launchMailto = react.default.useCallback((rawMailtoUrl) => {
 		const url = String(rawMailtoUrl || "").trim();
 		if (!url) return;
@@ -198,40 +243,9 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 			document.removeEventListener("visibilitychange", onVisibilityChange);
 		};
 	}, [mailtoUiState, safeSetMailtoUiState]);
-	const fetchLocalRecoveryEmailsFromIndexedDB = react.default.useCallback(async (rawAccountId) => {
-		const normalized = (rawAccountId || "").trim();
-		if (!normalized) {
-			console.log("[EmailRecoverySlide] fetchLocalRecoveryEmails: empty accountId");
-			return [];
-		}
-		try {
-			console.log("[EmailRecoverySlide] fetchLocalRecoveryEmails: loading from IndexedDB", { accountId: normalized });
-			const records = await require_index.IndexedDBManager.getRecoveryEmails(require_accountIds.toAccountId(normalized));
-			console.log("[EmailRecoverySlide] fetchLocalRecoveryEmails: raw IndexedDB records", {
-				accountId: normalized,
-				count: Array.isArray(records) ? records.length : 0,
-				records
-			});
-			if (!Array.isArray(records) || records.length === 0) return [];
-			const sorted = [...records].sort((a, b) => (b?.addedAt || 0) - (a?.addedAt || 0));
-			const emails = sorted.map((r) => String(r?.email || "").trim().toLowerCase()).filter((e) => !!e && e.includes("@"));
-			const uniq = Array.from(new Set(emails));
-			console.log("[EmailRecoverySlide] fetchLocalRecoveryEmails: parsed emails", {
-				accountId: normalized,
-				emails: uniq
-			});
-			return uniq;
-		} catch (err) {
-			console.log("[EmailRecoverySlide] fetchLocalRecoveryEmails: failed to read IndexedDB", {
-				accountId: normalized,
-				error: err instanceof Error ? err.message : String(err)
-			});
-			return [];
-		}
-	}, []);
 	const deriveEmailsFromRecoveryRecords = react.default.useCallback((records) => {
-		if (!Array.isArray(records) || records.length === 0) return [];
-		const emails = records.map((r) => String(r?.email || "").trim().toLowerCase()).filter((e) => !!e && e.includes("@"));
+		if (records.length === 0) return [];
+		const emails = records.map((r) => r.email.trim().toLowerCase()).filter((e) => e.length > 0 && e.includes("@"));
 		return Array.from(new Set(emails));
 	}, []);
 	react.default.useEffect(() => {
@@ -249,27 +263,11 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 		const handle = window.setTimeout(() => {
 			(async () => {
 				try {
-					const isWalletIframeMode = !!tatchiPasskey.configs?.iframeWallet?.walletOrigin;
-					let localEmails = [];
-					if (!isWalletIframeMode) {
-						localEmails = await fetchLocalRecoveryEmailsFromIndexedDB(normalized);
-						if (!cancelled) console.log("[EmailRecoverySlide] local saved emails (IndexedDB)", {
-							accountId: normalized,
-							localEmails
-						});
-					}
 					const records = await tatchiPasskey.getRecoveryEmails(normalized);
-					const resolvedEmails = isWalletIframeMode ? deriveEmailsFromRecoveryRecords(records) : localEmails;
+					const resolvedEmails = deriveEmailsFromRecoveryRecords(records);
 					if (!cancelled) {
 						safeSetLocalRecoveryEmails(resolvedEmails);
-						console.log("[EmailRecoverySlide] recovery email suggestions (state)", {
-							accountId: normalized,
-							emails: resolvedEmails
-						});
-						if (resolvedEmails.length === 1 && (recoveryEmailInput.trim() === "" || recoveryEmailInput === lastPrefilledRecoveryEmailRef.current)) {
-							lastPrefilledRecoveryEmailRef.current = resolvedEmails[0];
-							setRecoveryEmailInput(resolvedEmails[0]);
-						}
+						safeSetRecoveryEmailRecords(records);
 					}
 					const info = records ? { emailsCount: Array.isArray(records) ? records.length : 0 } : null;
 					if (cancelled) return;
@@ -277,7 +275,10 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 				} catch (err) {
 					if (cancelled) return;
 					safeSetAccountInfo(null);
-					safeSetAccountInfoError(err?.message || "Failed to load email recovery settings for this account");
+					const msg = err instanceof Error ? err.message : "";
+					safeSetAccountInfoError(msg || "Failed to load email recovery settings for this account");
+					safeSetLocalRecoveryEmails([]);
+					safeSetRecoveryEmailRecords([]);
 				} finally {
 					if (!cancelled) safeSetAccountInfoLoading(false);
 				}
@@ -290,25 +291,100 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 	}, [
 		accountIdInput,
 		deriveEmailsFromRecoveryRecords,
-		fetchLocalRecoveryEmailsFromIndexedDB,
-		recoveryEmailInput,
 		safeSetAccountInfo,
 		safeSetAccountInfoError,
 		safeSetAccountInfoLoading,
 		safeSetLocalRecoveryEmails,
+		safeSetRecoveryEmailRecords,
 		tatchiPasskey
 	]);
+	const recoveryEmailConfirmationRequired = !accountInfoLoading && !accountInfoError && !!accountInfo && accountInfo.emailsCount > 0 && localRecoveryEmails.length === 0;
+	react.default.useEffect(() => {
+		const normalizedAccountId = (accountIdInput || "").trim();
+		const rawEmail = (recoveryEmailInput || "").trim();
+		if (!rawEmail || !normalizedAccountId) {
+			safeSetRecoveryEmailMatchStatus("empty");
+			return;
+		}
+		if (!Array.isArray(recoveryEmailRecords) || recoveryEmailRecords.length === 0) {
+			safeSetRecoveryEmailMatchStatus("checking");
+			return;
+		}
+		let cancelled = false;
+		safeSetRecoveryEmailMatchStatus("checking");
+		const handle = window.setTimeout(() => {
+			(async () => {
+				try {
+					const hashHex = await hashRecoveryEmailForAccountHex({
+						recoveryEmail: rawEmail,
+						accountId: normalizedAccountId
+					});
+					if (cancelled) return;
+					if (!hashHex) {
+						safeSetRecoveryEmailMatchStatus("invalid");
+						return;
+					}
+					const normalizedHashHex = hashHex.toLowerCase();
+					const matches = recoveryEmailRecords.some((rec) => String(rec.hashHex || "").toLowerCase() === normalizedHashHex);
+					safeSetRecoveryEmailMatchStatus(matches ? "match" : "mismatch");
+				} catch {
+					if (!cancelled) safeSetRecoveryEmailMatchStatus("invalid");
+				}
+			})();
+		}, 250);
+		return () => {
+			cancelled = true;
+			window.clearTimeout(handle);
+		};
+	}, [
+		accountIdInput,
+		recoveryEmailInput,
+		recoveryEmailRecords,
+		safeSetRecoveryEmailMatchStatus
+	]);
 	const handleStart = react.default.useCallback(async () => {
 		const normalizedAccountId = (accountIdInput || "").trim();
 		if (!normalizedAccountId) {
 			safeSetErrorText("Enter an account ID.");
 			return;
 		}
-		const emailCandidate = (recoveryEmailInput || "").trim().toLowerCase();
-		if (!emailCandidate) {
-			safeSetErrorText("Enter the recovery email to send from.");
+		if (accountInfoLoading) {
+			safeSetErrorText("Checking recovery email settings…");
 			return;
 		}
+		if (accountInfoError) {
+			safeSetErrorText(accountInfoError);
+			return;
+		}
+		if (!accountInfo) {
+			safeSetErrorText("Failed to load email recovery settings for this account.");
+			return;
+		}
+		if (accountInfo.emailsCount === 0) {
+			safeSetErrorText("No recovery emails are configured for this account.");
+			return;
+		}
+		const recoveryEmail = recoveryEmailInput.trim();
+		if (recoveryEmailConfirmationRequired) {
+			if (!recoveryEmail) {
+				safeSetErrorText("Enter the recovery email address you will send from.");
+				return;
+			}
+			const hashHex = await hashRecoveryEmailForAccountHex({
+				recoveryEmail,
+				accountId: normalizedAccountId
+			}).catch(() => null);
+			if (!hashHex) {
+				safeSetErrorText("Enter a valid recovery email address.");
+				return;
+			}
+			const normalizedHashHex = hashHex.toLowerCase();
+			const matches = recoveryEmailRecords.some((rec) => String(rec.hashHex || "").toLowerCase() === normalizedHashHex);
+			if (!matches) {
+				safeSetErrorText("That email is not configured for recovery on this account. Please use your configured recovery email address.");
+				return;
+			}
+		}
 		safeSetIsBusy(true);
 		cancelRequestedRef.current = false;
 		safeSetErrorText(null);
@@ -322,7 +398,7 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 		try {
 			const result = await tatchiPasskey.startEmailRecovery({
 				accountId: normalizedAccountId,
-				recoveryEmail: emailCandidate,
+				...recoveryEmail ? { recoveryEmail } : {},
 				options: {
 					onEvent,
 					onError: (err) => {
@@ -330,8 +406,7 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 						safeSetErrorText(err?.message || "Failed to start email recovery");
 						didForwardError = true;
 						emailRecoveryOptions?.onError?.(err);
-					},
-					afterCall: async () => {}
+					}
 				}
 			});
 			safeSetPendingMailtoUrl(result.mailtoUrl);
@@ -348,10 +423,11 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 						const uiError = getEmailRecoveryUiError(err);
 						safeSetErrorText(uiError.message || "Failed to finalize email recovery");
 						safeSetCanRestart(uiError.canRestart);
+						const txHash = getEmailRecoveryErrorTxHash(err);
+						if (txHash) showExplorerTxToast(txHash);
 						didForwardError = true;
 						emailRecoveryOptions?.onError?.(err);
-					},
-					afterCall: async () => {}
+					}
 				}
 			});
 			showExplorerToast(normalizedAccountId);
@@ -382,6 +458,8 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 			const uiError = getEmailRecoveryUiError(err);
 			safeSetErrorText(uiError.message || "Failed to start email recovery");
 			safeSetCanRestart(uiError.canRestart);
+			const txHash = getEmailRecoveryErrorTxHash(err);
+			if (txHash) showExplorerTxToast(txHash);
 			if (!didForwardError && err instanceof Error) emailRecoveryOptions?.onError?.(err);
 		} finally {
 			safeSetIsBusy(false);
@@ -389,9 +467,14 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 	}, [
 		accountIdInput,
 		emailRecoveryOptions,
-		recoveryEmailInput,
 		onEvent,
 		refreshLoginState,
+		accountInfo,
+		accountInfoError,
+		accountInfoLoading,
+		recoveryEmailConfirmationRequired,
+		recoveryEmailInput,
+		recoveryEmailRecords,
 		showExplorerToast,
 		safeSetErrorText,
 		safeSetIsBusy,
@@ -400,6 +483,7 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 		safeSetStatusText,
 		safeSetMailtoUiState,
 		attemptOpenMailtoAuto,
+		showExplorerTxToast,
 		tatchiPasskey
 	]);
 	const handleRestart = react.default.useCallback(async () => {
@@ -436,8 +520,27 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 		safeSetStatusText,
 		tatchiPasskey
 	]);
-	const summaryLine = accountInfoLoading ? "Checking if account has recovery emails configured..." : accountInfo && !accountInfoError ? `Recovery emails configured: ${accountInfo.emailsCount}` : "\xA0";
+	const summaryLine = accountInfoLoading ? /* @__PURE__ */ (0, react_jsx_runtime.jsxs)(react_jsx_runtime.Fragment, { children: ["Checking if account has recovery emails configured", /* @__PURE__ */ (0, react_jsx_runtime.jsxs)("span", {
+		className: "w3a-ellipsis",
+		"aria-hidden": "true",
+		children: [
+			/* @__PURE__ */ (0, react_jsx_runtime.jsx)("span", {
+				className: "w3a-ellipsis-dot",
+				children: "."
+			}),
+			/* @__PURE__ */ (0, react_jsx_runtime.jsx)("span", {
+				className: "w3a-ellipsis-dot",
+				children: "."
+			}),
+			/* @__PURE__ */ (0, react_jsx_runtime.jsx)("span", {
+				className: "w3a-ellipsis-dot",
+				children: "."
+			})
+		]
+	})] }) : accountInfo && !accountInfoError ? `Recovery emails configured: ${accountInfo.emailsCount}` : "\xA0";
 	const noRecoveryEmailsConfigured = !accountInfoLoading && !accountInfoError && !!accountInfo && accountInfo.emailsCount === 0;
+	const disableStartForRecoveryEmailMismatch = recoveryEmailConfirmationRequired && (recoveryEmailMatchStatus === "empty" || recoveryEmailMatchStatus === "checking" || recoveryEmailMatchStatus === "invalid" || recoveryEmailMatchStatus === "mismatch");
+	const startDisabled = isBusy || accountInfoLoading || !!accountInfoError || !accountInfo || noRecoveryEmailsConfigured || disableStartForRecoveryEmailMismatch;
 	return /* @__PURE__ */ (0, react_jsx_runtime.jsxs)("div", {
 		className: "w3a-email-recovery-slide",
 		children: [
@@ -447,73 +550,84 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 			}),
 			/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
 				className: "w3a-email-recovery-help",
-				children: "Send a recovery email from your registered email address. Your account will be recovered with a new key once the email is verified."
+				children: "Send a special email to recover your account. This email must be sent from the designated email recovery address."
 			}),
-			/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
-				className: "w3a-email-recovery-field",
+			/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", { children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+				className: "w3a-input-pill w3a-email-recovery-input-pill",
 				children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
-					className: "w3a-input-pill w3a-email-recovery-input-pill",
-					children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
-						className: "w3a-input-wrap",
-						children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("input", {
-							type: "text",
-							value: accountIdInput,
-							onChange: (e) => setAccountIdInput(e.target.value),
-							placeholder: "NEAR account ID (e.g. alice.testnet)",
-							className: "w3a-input",
-							autoCapitalize: "none",
-							autoCorrect: "off",
-							spellCheck: false,
-							inputMode: "text",
-							disabled: isBusy
-						})
+					className: "w3a-input-wrap",
+					children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("input", {
+						type: "text",
+						value: accountIdInput,
+						onChange: (e) => setAccountIdInput(e.target.value),
+						placeholder: "NEAR account ID (e.g. alice.testnet)",
+						className: "w3a-input",
+						autoCapitalize: "none",
+						autoCorrect: "off",
+						spellCheck: false,
+						inputMode: "text",
+						disabled: isBusy
 					})
 				})
-			}),
-			/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+			}) }),
+			/* @__PURE__ */ (0, react_jsx_runtime.jsxs)("div", {
 				className: "w3a-email-recovery-summary",
 				"aria-live": "polite",
-				children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", { children: summaryLine })
-			}),
-			/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
-				className: "w3a-email-recovery-field",
-				children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
-					className: "w3a-input-pill w3a-email-recovery-input-pill",
-					children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
-						className: "w3a-input-wrap",
-						children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("input", {
-							type: "email",
-							value: recoveryEmailInput,
-							onChange: (e) => setRecoveryEmailInput(e.target.value),
-							placeholder: "Recovery email to send from",
-							className: "w3a-input",
-							list: localRecoveryEmails.length > 0 ? "w3a-email-recovery-saved-emails" : void 0,
-							autoCapitalize: "none",
-							autoCorrect: "off",
-							spellCheck: false,
-							inputMode: "email",
-							disabled: isBusy || noRecoveryEmailsConfigured
-						})
+				children: [
+					/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", { children: summaryLine }),
+					!!accountInfoError && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+						className: "w3a-email-recovery-warning",
+						children: accountInfoError
+					}),
+					localRecoveryEmails.length > 0 && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+						className: "w3a-email-recovery-saved-emails",
+						role: "list",
+						"aria-label": "Recovery emails",
+						children: localRecoveryEmails.map((email) => /* @__PURE__ */ (0, react_jsx_runtime.jsx)("span", {
+							className: "w3a-email-recovery-email-chip w3a-email-recovery-email-chip-static",
+							role: "listitem",
+							children: email
+						}, email))
+					}),
+					recoveryEmailConfirmationRequired && /* @__PURE__ */ (0, react_jsx_runtime.jsxs)(react_jsx_runtime.Fragment, { children: [
+						/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+							className: "w3a-email-recovery-warning",
+							children: "This device can’t display your configured recovery email address. Enter the email you will send from to confirm it matches what’s configured for this account."
+						}),
+						/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+							className: "w3a-input-pill w3a-email-recovery-input-pill",
+							children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+								className: "w3a-input-wrap",
+								children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("input", {
+									type: "email",
+									value: recoveryEmailInput,
+									onChange: (e) => setRecoveryEmailInput(e.target.value),
+									placeholder: "Recovery email address (sender)",
+									className: "w3a-input",
+									autoCapitalize: "none",
+									autoCorrect: "off",
+									spellCheck: false,
+									inputMode: "email",
+									disabled: isBusy
+								})
+							})
+						}),
+						recoveryEmailMatchStatus === "checking" && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", { children: "Checking recovery email…" }),
+						recoveryEmailMatchStatus === "invalid" && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+							className: "w3a-email-recovery-warning",
+							children: "Enter a valid email address."
+						}),
+						recoveryEmailMatchStatus === "mismatch" && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+							className: "w3a-email-recovery-warning",
+							children: "That email is not configured for recovery on this account."
+						}),
+						recoveryEmailMatchStatus === "match" && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", { children: "Recovery email verified for this account." })
+					] }),
+					!!accountIdInput.trim() && !noRecoveryEmailsConfigured && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
+						className: "w3a-email-recovery-from-warning",
+						children: recoveryEmailInput.trim() ? `Check that you are sending the recovery email from ${recoveryEmailInput.trim()}.` : "Check that you are sending the recovery email from your designated recovery email."
 					})
-				})
-			}),
-			localRecoveryEmails.length > 0 && /* @__PURE__ */ (0, react_jsx_runtime.jsxs)("div", {
-				className: "w3a-email-recovery-summary",
-				"aria-live": "polite",
-				children: [/* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", { children: "Saved on this device:" }), /* @__PURE__ */ (0, react_jsx_runtime.jsx)("div", {
-					className: "w3a-email-recovery-saved-emails",
-					children: localRecoveryEmails.map((email) => /* @__PURE__ */ (0, react_jsx_runtime.jsx)("button", {
-						type: "button",
-						className: "w3a-email-recovery-email-chip",
-						onClick: () => setRecoveryEmailInput(email),
-						disabled: isBusy,
-						children: email
-					}, email))
-				})]
-			}),
-			localRecoveryEmails.length > 0 && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("datalist", {
-				id: "w3a-email-recovery-saved-emails",
-				children: localRecoveryEmails.map((email) => /* @__PURE__ */ (0, react_jsx_runtime.jsx)("option", { value: email }, email))
+				]
 			}),
 			/* @__PURE__ */ (0, react_jsx_runtime.jsxs)("div", {
 				className: "w3a-email-recovery-actions",
@@ -521,8 +635,8 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 					(!pendingMailtoUrl || !isBusy) && /* @__PURE__ */ (0, react_jsx_runtime.jsx)("button", {
 						onClick: handleStart,
 						className: "w3a-link-device-btn w3a-link-device-btn-primary",
-						disabled: isBusy || noRecoveryEmailsConfigured,
-						children: noRecoveryEmailsConfigured ? "No recovery emails configured" : isBusy ? "Working…" : "Start Email Recovery"
+						disabled: startDisabled,
+						children: accountInfoLoading ? "Checking recovery emails…" : noRecoveryEmailsConfigured ? "No recovery emails configured" : disableStartForRecoveryEmailMismatch ? "Confirm recovery email" : isBusy ? "Working…" : "Start Email Recovery"
 					}),
 					pendingMailtoUrl && /* @__PURE__ */ (0, react_jsx_runtime.jsxs)("button", {
 						type: "button",
@@ -556,13 +670,13 @@ const EmailRecoverySlide = ({ tatchiPasskey, accountId, refreshLoginState, email
 							"s)."
 						]
 					}),
-					explorerToast && /* @__PURE__ */ (0, react_jsx_runtime.jsx)(react_jsx_runtime.Fragment, { children: /* @__PURE__ */ (0, react_jsx_runtime.jsx)("a", {
+					explorerToast && /* @__PURE__ */ (0, react_jsx_runtime.jsxs)(react_jsx_runtime.Fragment, { children: [/* @__PURE__ */ (0, react_jsx_runtime.jsx)("br", {}), /* @__PURE__ */ (0, react_jsx_runtime.jsx)("a", {
 						className: "w3a-email-recovery-link",
 						href: explorerToast.url,
 						target: "_blank",
 						rel: "noopener noreferrer",
 						children: "View on explorer"
-					}) })
+					})] })
 				]
 			})
 		]