ultimate-jekyll-manager 1.3.3 → 1.3.5

package/CHANGELOG.md

@@ -14,6 +14,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+---
+## [1.3.5] - 2026-05-24
+
+### Added
+
+- **Diagnostic logging in `extractBlockingFunctionMessage()` (`src/assets/js/libs/auth.js`).** When BEM's `beforeCreate` rate limit (2 signups/day/IP) fires via Google OAuth redirect, the user just saw "Firebase: Error (auth/error-code:-47)" instead of the helpful "Unable to create account at this time. Please try again later." message. The 1.3.4 extraction handles the standard 400-with-`BLOCKING_FUNCTION_ERROR_RESPONSE` path, but the 503 path (Google's Identity Toolkit returns 503 directly with code -47, no `customData.serverResponse`) flows through to the generic `auth.code` branch. Added a `console.warn` that dumps the full error shape (code, message, customData, serverResponse) so the next failed signup attempt reveals exactly what Firebase delivers — then we can write a matching handler. Diagnostic ships first; fix follows in a subsequent version.
+
+---
+## [1.3.4] - 2026-05-22
+
+### Added
+
+- **Surface BEM blocking-function error messages to users.** Firebase Auth blocking functions (`before-create`, `before-signin`) that throw `HttpsError('resource-exhausted', 'Too many signups...')` get wrapped by Firebase as the opaque `auth/internal-error` (sometimes `auth/error-code:-47`). The actual BEM-side message is buried in `error.customData.serverResponse` inside a `BLOCKING_FUNCTION_ERROR_RESPONSE : ((error : (message : "...")))` wrapper. New `extractBlockingFunctionMessage(error)` helper in `src/assets/js/libs/auth.js` unwraps it. Wired into all 4 auth error sites (OAuth popup, OAuth redirect, email signup, email signin) so users now see "Too many signups from your IP, please try again later" instead of "Firebase: Error (auth/error-code:-47)."
+
 ---
 ## [1.3.3] - 2026-05-21
 

package/TODO-AUTH-TESTING.md

@@ -0,0 +1,165 @@
+# TODO: Automated Tests for the Auth System
+
+## Why
+
+The consent-guard / `sendUserSignupMetadata` ordering bug that shipped in v1.3.1 (and was fixed in v1.3.2) is exactly the kind of regression that should never reach production. The bug was:
+
+- Page-load consent guard ran BEFORE `sendUserSignupMetadata`
+- Brand-new signups had `consent.legal.status: 'revoked'` (BEM schema default)
+- Guard saw `'revoked'` → signed user out → metadata POST never fired → user permanently orphaned
+
+Discovered only via live testing on Somiibo. Should have been caught by a unit test.
+
+This file proposes a layered test strategy so the next refactor + every future change is safe.
+
+## Strategy: three tiers, mostly mocked
+
+### Tier 1 — Unit (JSDOM + mocked Firebase, fast)
+
+Run from UJM. Add to the existing `test/tests/**/*.test.js` harness. No real Firebase, no network. Covers ~80% of bugs including the v1.3.1 regression.
+
+Files to write:
+
+```
+test/tests/auth-consent-capture.test.js
+  • captureSignupConsent() reads consent-legal + consent-marketing checkboxes
+  • writes the right shape to webManager.storage() under key 'consent'
+  • label text is captured verbatim (so BEM gets the exact string the user saw)
+
+test/tests/auth-consent-validate.test.js
+  • validateConsent() blocks submit when consent-legal is unchecked
+  • surfaces the inline error + wrapper outline
+  • does NOT block submit when both boxes are checked or only marketing is unchecked
+
+test/tests/auth-guard-ordering.test.js   ← THIS WOULD HAVE CAUGHT v1.3.1
+  • on a fresh user (account < SIGNUP_MAX_AGE) with consent.legal.status: 'revoked'
+    → sendUserSignupMetadata is called
+    → guard does NOT sign out
+  • on an old user (account > SIGNUP_MAX_AGE) with consent.legal.status: 'revoked'
+    → guard signs out
+    → notification is shown
+  • on any user with consent.legal.status: 'granted'
+    → guard does NOT fire regardless of age
+
+test/tests/auth-reverse-signup.test.js
+  • reverseAccidentalSignup() calls user.delete() THEN signOut() THEN clears authReturnUrl
+  • formManager.showError fires with the right message
+  • if user.delete() throws, signOut still runs (best-effort)
+
+test/tests/auth-policy-redirect.test.js
+  • policy='authenticated' + no user → redirect to unauthenticated URL
+  • policy='unauthenticated' + user → redirect to authenticated URL (honoring authReturnUrl)
+  • policy='disabled' → no-op
+
+test/tests/auth-metadata-payload.test.js
+  • sendUserSignupMetadata builds the right payload shape
+  • includes consent, attribution, context
+  • skips when account is old or signupProcessed flag is set
+  • sets signupProcessed flag after successful POST
+```
+
+Mocking contract:
+
+```js
+// Mock webManager
+const fakeWebManager = {
+  auth: () => ({ listen, signOut, getIdToken }),
+  storage: () => ({ get, set }),
+  utilities: () => ({ showNotification }),
+  config: { auth: { config: { policy, redirects, roles } } },
+};
+
+// Mock Firebase auth functions
+// - createUserWithEmailAndPassword
+// - signInWithEmailAndPassword
+// - signInWithPopup / signInWithRedirect
+// - getRedirectResult
+// - sendPasswordResetEmail
+// - user.delete()
+// - getAuth().signOut()
+
+// Mock FormManager (or use the real one — it's mockable already)
+const fakeFormManager = { showError, showSuccess, ready, ... };
+```
+
+Approach: load `src/assets/js/core/auth.js` and `src/assets/js/libs/auth.js` into JSDOM
+with all imports stubbed (Jest/Mocha module mocks or rewire). For HTML-aware tests
+(captureSignupConsent), load `src/defaults/dist/_layouts/themes/classy/frontend/pages/auth/signup.html`
+into JSDOM and exercise the real DOM.
+
+### Tier 2 — Integration against Firebase Emulator (slower, optional)
+
+Run from UJM. Boot `firebase emulators:start --only auth,firestore` before the suite.
+Extend the existing `test/fixtures/consumer-site/` with:
+
+- `firebase.json` configured for emulator ports
+- Canned Firebase web config pointing at `localhost:9099` / `localhost:8080`
+- Test user seeding via Admin SDK helpers
+
+Covers: full email-signup round-trip, the storage-survives-redirect path, real
+auth-state-listener firing, real Firestore reads in the guard.
+
+**Skip OAuth at this tier.** Firebase emulator's auth emulator doesn't speak to
+real Google. OAuth tests stay manual (Tier 3).
+
+This is OPTIONAL — only worth building if a bug slips through Tier 1.
+
+### Tier 3 — Manual smoke (don't automate)
+
+Google OAuth + cross-provider webhooks stay manual. Reasons:
+- Google actively blocks scripted browsers (even Puppeteer with stealth plugins)
+- Real 2FA flows
+- Provider UI rolls and tests break
+- Cost/value is terrible
+
+Keep the live-test checklist (see [TODO-CONSENT-LIVETEST.md](TODO-CONSENT-LIVETEST.md))
+as the authoritative manual smoke procedure.
+
+## Where the tests live
+
+Run from UJM. NOT from a host project. Reasons:
+- `core/auth.js` + `libs/auth.js` are owned by UJM
+- Host project tests would re-test framework internals, wrong layering
+- UJM's existing 60-test Mocha harness is already fast (~6s)
+
+Default config (Firebase emulator + a fake brand) baked into
+`test/fixtures/` so contributors don't need their own Firebase project.
+
+## Sequencing
+
+1. **First**: do the libs/auth.js refactor (split into `auth.js` + `auth-providers.js` + `auth-consent.js`).
+   - See the auth-audit findings in this session's notes.
+   - Refactor first means we write tests against the FINAL shape, not throw-away.
+   - Each new file gets a focused test file.
+
+2. **Then**: Tier 1 unit tests for the new shape.
+   - Target: every test file from the list above, green.
+   - Should take ~half a day.
+
+3. **Optional later**: Tier 2 emulator-backed tests, only if Tier 1 misses a class
+   of bugs in practice. Probably won't be needed.
+
+4. **Never**: Tier 3 automation. Stays manual via [TODO-CONSENT-LIVETEST.md](TODO-CONSENT-LIVETEST.md).
+
+## What about Ultimate Jekyll for the test site?
+
+Tempting but NO. Reasons:
+- UJ build is heavy (Jekyll + webpack), test boot would be 10+ seconds
+- Circular dependency risk (UJM testing UJM via UJ which uses UJM)
+- UJM's existing Mocha harness is the right tool
+
+The test harness should stay vanilla Mocha + JSDOM + fixture HTML files.
+
+## What this DOESN'T cover
+
+- Google OAuth UI flows (manual only)
+- Cross-provider unsubscribe webhooks (manual + BEM tests already exist)
+- Beehiiv webhook setup (blocked on plan upgrade; manual when ready)
+- Firebase Auth SDK bugs (not our code, not our problem)
+
+## Done criteria
+
+- All 6 test files above written and green
+- `npm test` in UJM runs them as part of the standard suite
+- The v1.3.1 bug (consent guard ordering) is caught by `auth-guard-ordering.test.js` — verify by reverting the v1.3.2 fix in a branch and watching the test fail
+- Documented in `docs/testing.md` so contributors know to add auth tests when touching auth code

package/TODO-CONSENT-LIVETEST.md

@@ -0,0 +1,201 @@
+# TODO: Consent System End-to-End Live Test Checklist
+
+## Context
+
+End-to-end manual smoke for the marketing-consent + cross-provider-unsub
+pipeline. Run after each new BEM/WM/UJM deploy that touches auth, consent,
+email-preferences, or webhook code paths.
+
+Each step depends on state set up by earlier steps. Run top-to-bottom.
+
+Live test target: **Somiibo** (`somiibo.com` + `api.somiibo.com`).
+Parent BEM: **ITW** (`itwcreativeworks.com` + `api.itwcreativeworks.com`).
+
+## Pre-flight
+
+- [ ] **Use a fresh email** (`consent-test+1@yourdomain.com` or a Gmail alias) so the signup is genuinely new
+- [ ] **Have a separate Google account ready** that has never signed up here (for the reverse-signup test)
+- [ ] **Open multiple browser windows side by side**:
+  - Somiibo signup page
+  - SendGrid Marketing → Contacts
+  - Beehiiv dashboard → Somiibo publication subscribers
+- [ ] **Tail BEM logs in terminal**:
+  ```bash
+  cd /Users/ian/Developer/Repositories/Somiibo/somiibo-backend/functions
+  npx mgr logs:tail
+  ```
+- [ ] **Confirm current package versions live**:
+  - BEM: `^5.2.2`
+  - web-manager: `^4.2.0`
+  - UJM: `^1.3.2`
+- [ ] **Confirm last Somiibo backend + website deploys** were AFTER the BEM/UJM version bumps
+- [ ] **Delete any stale test accounts** from previous attempts:
+  ```bash
+  npx mgr auth:get "<test-email>"     # find the uid
+  npx mgr auth:delete "<uid>" --force
+  npx mgr firestore:delete "users/<uid>" --force
+  ```
+
+## Tests
+
+### ☐ Test 1 — Signup with marketing consent granted (golden path)
+
+**Action:** Sign up at `somiibo.com/signup` with both checkboxes checked.
+
+**Verify:**
+- [ ] Account created, redirected to logged-in dashboard
+- [ ] `npx mgr firestore:get users/<uid>` shows:
+  - `consent.legal.status: 'granted'`
+  - `consent.legal.grantedAt.source: 'signup'`
+  - `consent.legal.grantedAt.ip` populated (not null)
+  - `consent.legal.grantedAt.text` is the actual label string
+  - `consent.marketing.status: 'granted'`
+  - `consent.marketing.grantedAt.source: 'signup'`
+  - `consent.marketing.revokedAt.timestamp: null`
+- [ ] SendGrid Contacts: new contact exists with this email
+- [ ] Beehiiv Subscribers: new subscriber exists
+- [ ] BEM logs: search for `buildConsentRecord: legal=granted, marketing=granted`
+
+**Capture the uid** for use in later tests.
+
+### ☐ Test 2 — Signup with marketing UNCHECKED
+
+**Action:** Sign out. Sign up with a different fresh email. Legal checked, marketing UNCHECKED.
+
+**Verify:**
+- [ ] `consent.marketing.status: 'revoked'`, `revokedAt.source: 'signup'`, `grantedAt.timestamp: null`
+- [ ] SendGrid: contact NOT created
+- [ ] Beehiiv: subscriber NOT created
+- [ ] BEM logs: `buildConsentRecord: legal=granted, marketing=revoked` — `mailer.sync()` should NOT have been called
+
+### ☐ Test 3 — Signup with legal UNCHECKED (validation blocks)
+
+**Action:** Try to submit signup with legal box UNCHECKED.
+
+**Verify:**
+- [ ] Submit button is disabled OR clicking submit shows the inline error + red outline around the consent group
+- [ ] No Firebase auth user created
+- [ ] No request fired to `/user/signup` (browser DevTools network tab)
+
+### ☐ Test 4 — Google sign-in with a NEW (nonexistent) Google account on /signin
+
+**Action:** On `somiibo.com/signin` (NOT `/signup`), click "Continue with Google" and authenticate with a Google account that has never been used here.
+
+**Verify:**
+- [ ] Inline error appears: "This account doesn't exist. Try signing up first or use a different account."
+- [ ] User stays on `/signin` (no redirect away)
+- [ ] Firebase Auth dashboard: the user does NOT persist (created then deleted)
+- [ ] Firestore: no orphan user doc remains (`users` collection)
+- [ ] BEM logs: look for `Reversing accidental signup from /signin` warning
+- [ ] `sendUserSignupMetadata` should NOT have run (no `/user/signup` POST in logs)
+
+### ☐ Test 5 — Account-page opt-out
+
+**Action:** Sign in as the Test 1 user. Go to `/account` → notifications section. Toggle marketing OFF.
+
+**Verify:**
+- [ ] Toast/UI confirms the change
+- [ ] `consent.marketing.status: 'revoked'`, `revokedAt.source: 'account'`, `revokedAt.timestamp` is recent, `revokedAt.ip` populated
+- [ ] `consent.marketing.grantedAt` is UNTOUCHED (original signup grant info preserved)
+- [ ] SendGrid: contact removed from list
+- [ ] Beehiiv: subscriber removed
+
+### ☐ Test 6 — Account-page opt-in (re-grant)
+
+**Action:** Same user. Toggle marketing back ON.
+
+**Verify:**
+- [ ] `status: 'granted'`, `grantedAt.source: 'account'`, `grantedAt.timestamp` newer than original
+- [ ] `revokedAt` UNTOUCHED (informational, still shows the Test 5 revoke)
+- [ ] SendGrid: contact re-added
+- [ ] Beehiiv: subscriber re-added
+
+### ☐ Test 7 — SendGrid webhook → cross-provider sync via parent forwarder
+
+**Action:** In SendGrid dashboard → Marketing → Contacts, find Test 1 user's contact and manually unsubscribe (or add their email to the Global Unsubscribe list via Suppressions).
+
+**Verify (allow up to ~30s for delivery):**
+- [ ] ITW BEM logs: `POST /backend-manager/marketing/webhook/forward?provider=sendgrid` with 200
+- [ ] Somiibo BEM logs: `POST /backend-manager/marketing/webhook?provider=sendgrid` from parent forwarder
+- [ ] Somiibo Firestore: `consent.marketing.status: 'revoked'`, `revokedAt.source: 'sendgrid'`
+- [ ] Beehiiv: subscriber removed (cross-provider sync)
+- [ ] ITW Firestore `marketing-webhooks/{eventId}` doc exists (idempotency record)
+- [ ] Repost the same event manually with curl → second receipt short-circuits on `eventId`
+
+### ☐ Test 8 — Beehiiv webhook (DEFERRED until Beehiiv plan upgraded)
+
+**⏸️ Blocked**: Beehiiv webhook API requires a paid Beehiiv tier (currently 403 `ACCESS_FORBIDDEN`).
+
+When unblocked:
+- Run `npm start -- --service beehiiv` in OMEGA to auto-configure all publications
+- OR manually add the webhook in each publication's settings:
+  - URL: `https://api.itwcreativeworks.com/backend-manager/marketing/webhook/forward?provider=beehiiv&key=<BACKEND_MANAGER_WEBHOOK_KEY>`
+  - Events: `subscription.unsubscribed`, `subscription.deleted`, `subscription.paused`
+  - Publications: Somiibo (`pub_60fa806e...`), StudyMonkey (`pub_0716e341...`), shared devbeans (`pub_69c961a7...`)
+
+Then test: unsub via Beehiiv's "Manage subscription" link → verify symmetric flip on Firestore + SendGrid.
+
+### ☐ Test 9 — Page-load consent guard (ENFORCE_CONSENT_GUARD = true)
+
+**Action:** Manually edit Test 1 user's Firestore doc via `npx mgr firestore:set users/<uid>` to flip `consent.legal.status` to `'revoked'`. Refresh the Somiibo page.
+
+**Verify:**
+- [ ] User is signed out (with notification toast: "This account hasn't completed setup. Please sign up first.")
+- [ ] Lands on public site
+- [ ] Browser console warning: `[Auth] Signing out user with no legal consent on record`
+- [ ] **Restore** `consent.legal.status` to `'granted'` so the user can use Somiibo again
+
+**Important caveat from v1.3.2 fix:** the guard only fires for accounts older than `SIGNUP_MAX_AGE` (5min). For this test to work, the Test 1 user must have signed up more than 5 minutes ago. If you just signed up and immediately ran this, the guard won't fire — wait 5 minutes or use an older test account.
+
+### ☐ Test 10 — HMAC anonymous unsubscribe link (from a marketing email)
+
+**Action:** Trigger a marketing email send (or grab an existing unsub link from a previous email). Click it.
+
+**Verify:**
+- [ ] Unsub confirmation page loads
+- [ ] User's `consent.marketing.status: 'revoked'`, `revokedAt.source: 'sendgrid'` (or `'beehiiv'` depending on link origin)
+- [ ] SendGrid: removed
+- [ ] Beehiiv: removed
+
+## Commands cheat-sheet
+
+```bash
+# All from Somiibo backend dir
+cd /Users/ian/Developer/Repositories/Somiibo/somiibo-backend/functions
+
+# Logs (live tail)
+npx mgr logs:tail
+
+# Logs (one-shot)
+npx mgr logs:read --limit 100
+npx mgr logs:read --filter "consent" --limit 50
+npx mgr logs:read --filter "marketing/webhook" --limit 50
+npx mgr logs:read --filter "<uid>" --limit 100
+
+# Firestore
+npx mgr firestore:get "users/<uid>"
+npx mgr firestore:query "marketing-webhooks" --limit 10    # idempotency records (run from ITW backend, the parent)
+npx mgr firestore:set "users/<uid>" '{...partial...}' --merge
+npx mgr firestore:delete "users/<uid>" --force
+
+# Auth
+npx mgr auth:get "<email-or-uid>"
+npx mgr auth:delete "<uid>" --force
+```
+
+## Progress log
+
+Track which tests have been run + when. Mark with date once you've verified end-to-end.
+
+- [ ] Test 1 — Signup, marketing GRANTED
+- [ ] Test 2 — Signup, marketing UNCHECKED
+- [ ] Test 3 — Signup, legal UNCHECKED (validation blocks)
+- [ ] Test 4 — Google new account on /signin (reverse-signup)
+- [ ] Test 5 — Account opt-out
+- [ ] Test 6 — Account opt-in (re-grant)
+- [ ] Test 7 — SendGrid webhook → cross-provider
+- [ ] Test 8 — Beehiiv webhook (deferred)
+- [ ] Test 9 — Page-load guard
+- [ ] Test 10 — HMAC unsub link
+
+Last attempted: 2026-05-22, got blocked on Test 1 by the v1.3.1 consent-guard ordering bug. Fixed in v1.3.2. Ready to restart from Test 1 after Somiibo redeploys against `ultimate-jekyll-manager@^1.3.2`.

package/dist/assets/js/libs/auth.js

@@ -314,8 +314,13 @@ export default function () {
         webManager.sentry().captureException(new Error('Error handling redirect result', { cause: error }));
       }
 
-      // Handle specific OAuth errors
-      if (error.code === 'auth/account-exists-with-different-credential') {
+      // Handle specific OAuth errors. Check blocking-function rejections FIRST —
+      // those carry a custom message from BEM (rate limit, disposable email, etc.)
+      // that the user actually needs to see, hidden behind a generic Firebase code.
+      const blockingMessage = extractBlockingFunctionMessage(error);
+      if (blockingMessage) {
+        formManager.showError(blockingMessage);
+      } else if (error.code === 'auth/account-exists-with-different-credential') {
         formManager.showError('An account already exists with the same email address but different sign-in credentials. Try signing in with a different provider.');
       } else if (error.code === 'auth/popup-blocked') {
         formManager.showError('Popup was blocked. Please allow popups for this site and try again.');
@@ -508,6 +513,13 @@ export default function () {
         }
       }
 
+      // Blocking-function rejections from BEM (rate limit, disposable email, etc.)
+      // — surface the BEM-side message instead of the opaque auth/internal-error.
+      const blockingMessage = extractBlockingFunctionMessage(error);
+      if (blockingMessage) {
+        throw new Error(blockingMessage);
+      }
+
       // Re-throw the error to be handled by the form handler
       throw error;
     }
@@ -523,14 +535,24 @@ export default function () {
     // Log
     console.log('[Auth] Attempting email sign-in for:', email);
 
-    // Sign in with email and password
-    const userCredential = await attemptEmailSignIn(email, password);
+    try {
+      // Sign in with email and password
+      const userCredential = await attemptEmailSignIn(email, password);
 
-    // Track login
-    trackLogin('email', userCredential.user);
+      // Track login
+      trackLogin('email', userCredential.user);
 
-    // Show success message
-    formManager.showSuccess('Successfully signed in!');
+      // Show success message
+      formManager.showSuccess('Successfully signed in!');
+    } catch (error) {
+      // Blocking-function rejections from BEM's before-signin (rate limit, etc.)
+      // — surface the BEM-side message instead of the opaque auth/internal-error.
+      const blockingMessage = extractBlockingFunctionMessage(error);
+      if (blockingMessage) {
+        throw new Error(blockingMessage);
+      }
+      throw error;
+    }
   }
 
   async function handlePasswordReset(formData) {
@@ -688,8 +710,13 @@ export default function () {
         webManager.sentry().captureException(new Error('OAuth provider sign-in error', { cause: error }));
       }
 
-      // Handle specific errors
-      if (error.code === 'auth/account-exists-with-different-credential') {
+      // Handle specific errors. Blocking-function rejections from BEM carry a
+      // custom message (rate limit, disposable email, etc.) that the user needs
+      // to see — check those FIRST before generic Firebase codes.
+      const blockingMessage = extractBlockingFunctionMessage(error);
+      if (blockingMessage) {
+        throw new Error(blockingMessage);
+      } else if (error.code === 'auth/account-exists-with-different-credential') {
         throw new Error('An account already exists with the same email address but different sign-in credentials. Try signing in with a different provider.');
       } else if (error.code === 'auth/invalid-credential') {
         throw new Error('Invalid credentials. Please try again.');
@@ -757,6 +784,69 @@ export default function () {
     return userErrors.includes(errorCode);
   }
 
+  // Extract the readable message from a Firebase Auth blocking-function error.
+  //
+  // When a BEM blocking function (before-create / before-signin) throws
+  // HttpsError('resource-exhausted', 'Too many signups...'), Firebase surfaces
+  // it as `auth/internal-error` (sometimes also `auth/error-code:-47`) and
+  // stashes the actual server response on `error.customData.serverResponse`.
+  // The blob looks like:
+  //
+  //   {
+  //     "error": {
+  //       "code": 400,
+  //       "message": "BLOCKING_FUNCTION_ERROR_RESPONSE : ((error : (message : \"Too many signups...\")))",
+  //       ...
+  //     }
+  //   }
+  //
+  // Returns just the inner message string, or null if nothing useful was found.
+  function extractBlockingFunctionMessage(error) {
+    // Diagnostic: dump the full shape of every error that lands here so we can
+    // see exactly what Firebase delivers when BEM's beforeCreate throws. The
+    // 503 path (Identity Toolkit returns 503 with code -47, no BLOCKING_FUNCTION
+    // wrapper) needs different handling than the 400 path.
+    console.warn('[Auth] extractBlockingFunctionMessage: error shape', {
+      code: error?.code,
+      message: error?.message,
+      name: error?.name,
+      hasCustomData: !!error?.customData,
+      hasServerResponse: !!error?.customData?.serverResponse,
+      serverResponse: error?.customData?.serverResponse,
+      fullError: error,
+    });
+
+    const raw = error?.customData?.serverResponse;
+    if (!raw) {
+      return null;
+    }
+
+    let parsed;
+    try {
+      parsed = typeof raw === 'string' ? JSON.parse(raw) : raw;
+    } catch (e) {
+      return null;
+    }
+
+    const message = parsed?.error?.message || '';
+    if (!message) {
+      return null;
+    }
+
+    // Unwrap "BLOCKING_FUNCTION_ERROR_RESPONSE : ((error : (message : \"...\")))"
+    const match = message.match(/message\s*:\s*"([^"]+)"/);
+    if (match) {
+      return match[1];
+    }
+
+    // Fall back to the raw message if it's not the BLOCKING_FUNCTION wrapper format
+    if (!message.startsWith('BLOCKING_FUNCTION')) {
+      return message;
+    }
+
+    return null;
+  }
+
   function trackLogin(method, user) {
     const userId = user.uid;
     const methodName = method.charAt(0).toUpperCase() + method.slice(1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ultimate-jekyll-manager",
-  "version": "1.3.3",
+  "version": "1.3.5",
   "description": "Ultimate Jekyll dependency manager",
   "main": "dist/index.js",
   "exports": {