@cmdoss/memwal-sdk 0.6.2 → 0.8.0

package/src/retrieval/MemoryDecryptionPipeline.ts

@@ -1,825 +1,826 @@
-/**
- * MemoryDecryptionPipeline - Seamless SEAL-based Memory Decryption
- * 
- * Provides comprehensive decryption capabilities for encrypted memories using
- * Mysten's SEAL SDK with official testnet key servers and configurable infrastructure.
- * 
- * Features:
- * - 🔐 Seamless SEAL decryption integration
- * - 🔑 Automatic key server configuration (testnet/mainnet)
- * - ⚡ Batch decryption optimization
- * - 🛡️ Secure session key management
- * - 🔄 Automatic retry and fallback mechanisms
- * - 📊 Decryption analytics and monitoring
- * - 🌍 Environment-based configuration
- */
-
-import { SealClient, SessionKey } from '@mysten/seal';
-import { Transaction } from '@mysten/sui/transactions';
-import { fromHex, toHex } from '@mysten/sui/utils';
-import { EncryptionService } from '../services/EncryptionService';
-import { StorageManager } from '../infrastructure/walrus/StorageManager';
-import { UnifiedMemoryResult } from '../retrieval/MemoryRetrievalService';
-
-// Key server configurations from SEAL documentation
-export interface KeyServerConfig {
-  name: string;
-  mode: 'open' | 'permissioned';
-  objectId: string;
-  url: string;
-  provider: string;
-  network: 'testnet' | 'mainnet';
-  weight?: number;
-  isDefault?: boolean;
-}
-
-export interface DecryptionConfig {
-  // Key server configuration
-  keyServers?: KeyServerConfig[];
-  defaultKeyServerMode?: 'open' | 'permissioned';
-  customKeyServerUrl?: string;
-  customKeyServerObjectId?: string;
-  
-  // Session management
-  sessionKeyTTL?: number; // minutes
-  maxSessionKeys?: number;
-  autoRefreshSession?: boolean;
-  
-  // Performance options
-  enableBatchDecryption?: boolean;
-  batchSize?: number;
-  maxConcurrentDecryptions?: number;
-  decryptionTimeout?: number; // ms
-  
-  // Fallback options
-  enableFallback?: boolean;
-  maxRetryAttempts?: number;
-  retryDelayMs?: number;
-  
-  // Security options
-  verifyKeyServers?: boolean;
-  enableDecryptionAudit?: boolean;
-  requireOwnershipVerification?: boolean;
-}
-
-export interface DecryptionRequest {
-  memoryId: string;
-  encryptedContent: string;
-  contentHash?: string;
-  userAddress: string;
-  ownerAddress?: string;
-  sessionKey?: SessionKey;
-  metadata?: Record<string, any>;
-}
-
-export interface DecryptionResult {
-  memoryId: string;
-  decryptedContent: string;
-  contentHash: string;
-  isVerified: boolean;
-  decryptionTime: number;
-  keyServerUsed: string;
-  sessionKeyId: string;
-}
-
-export interface BatchDecryptionResult {
-  successful: DecryptionResult[];
-  failed: Array<{
-    memoryId: string;
-    error: string;
-    retryCount: number;
-  }>;
-  stats: {
-    totalRequests: number;
-    successCount: number;
-    failureCount: number;
-    totalProcessingTime: number;
-    averageDecryptionTime: number;
-    keyServerPerformance: Record<string, {
-      requests: number;
-      successes: number;
-      averageTime: number;
-    }>;
-  };
-}
-
-/**
- * Memory Decryption Pipeline Service
- */
-export class MemoryDecryptionPipeline {
-  private sealClient: SealClient | null = null;
-  private encryptionService: EncryptionService;
-  private storageManager: StorageManager;
-  private config: DecryptionConfig;
-  
-  // Session key management
-  private sessionKeys = new Map<string, SessionKey>();
-  private sessionKeyTimestamps = new Map<string, number>();
-  
-  // Decryption cache
-  private decryptionCache = new Map<string, { content: string; timestamp: number }>();
-  private readonly CACHE_TTL = 30 * 60 * 1000; // 30 minutes
-  
-  // Performance monitoring
-  private decryptionStats = {
-    totalDecryptions: 0,
-    successfulDecryptions: 0,
-    failedDecryptions: 0,
-    totalDecryptionTime: 0,
-    keyServerStats: new Map<string, { requests: number; successes: number; totalTime: number }>()
-  };
-
-  // Official Mysten Labs testnet key servers from documentation
-  private static readonly DEFAULT_TESTNET_SERVERS: KeyServerConfig[] = [
-    {
-      name: 'mysten-testnet-1',
-      mode: 'open',
-      objectId: '0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75',
-      url: 'https://seal-key-server-testnet-1.mystenlabs.com',
-      provider: 'Mysten Labs',
-      network: 'testnet',
-      weight: 1,
-      isDefault: true
-    },
-    {
-      name: 'mysten-testnet-2', 
-      mode: 'open',
-      objectId: '0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8',
-      url: 'https://seal-key-server-testnet-2.mystenlabs.com',
-      provider: 'Mysten Labs',
-      network: 'testnet',
-      weight: 1,
-      isDefault: true
-    }
-  ];
-
-  // Additional verified testnet key servers
-  private static readonly VERIFIED_TESTNET_SERVERS: KeyServerConfig[] = [
-    {
-      name: 'ruby-nodes-testnet',
-      mode: 'open',
-      objectId: '0x6068c0acb197dddbacd4746a9de7f025b2ed5a5b6c1b1ab44dade4426d141da2',
-      url: 'https://seal-testnet.api.rubynodes.io',
-      provider: 'Ruby Nodes',
-      network: 'testnet',
-      weight: 1
-    },
-    {
-      name: 'nodeinfra-testnet',
-      mode: 'open', 
-      objectId: '0x5466b7df5c15b508678d51496ada8afab0d6f70a01c10613123382b1b8131007',
-      url: 'https://open-seal-testnet.nodeinfra.com',
-      provider: 'NodeInfra',
-      network: 'testnet',
-      weight: 1
-    },
-    {
-      name: 'studio-mirai-testnet',
-      mode: 'open',
-      objectId: '0x164ac3d2b3b8694b8181c13f671950004765c23f270321a45fdd04d40cccf0f2',
-      url: 'https://open.key-server-testnet.seal.mirai.cloud',
-      provider: 'Studio Mirai',
-      network: 'testnet',
-      weight: 1
-    },
-    {
-      name: 'overclock-testnet',
-      mode: 'open',
-      objectId: '0x9c949e53c36ab7a9c484ed9e8b43267a77d4b8d70e79aa6b39042e3d4c434105',
-      url: 'https://seal-testnet-open.overclock.run',
-      provider: 'Overclock',
-      network: 'testnet',
-      weight: 1
-    },
-    {
-      name: 'h2o-nodes-testnet',
-      mode: 'open',
-      objectId: '0x39cef09b24b667bc6ed54f7159d82352fe2d5dd97ca9a5beaa1d21aa774f25a2',
-      url: 'https://seal-open.sui-testnet.h2o-nodes.com',
-      provider: 'H2O Nodes', 
-      network: 'testnet',
-      weight: 1
-    },
-    {
-      name: 'triton-one-testnet',
-      mode: 'open',
-      objectId: '0x4cded1abeb52a22b6becb42a91d3686a4c901cf52eee16234214d0b5b2da4c46',
-      url: 'https://seal.testnet.sui.rpcpool.com',
-      provider: 'Triton One',
-      network: 'testnet',
-      weight: 1
-    }
-  ];
-
-  constructor(
-    encryptionService: EncryptionService,
-    storageManager: StorageManager,
-    config?: Partial<DecryptionConfig>
-  ) {
-    this.encryptionService = encryptionService;
-    this.storageManager = storageManager;
-    this.config = this.mergeWithDefaults(config || {});
-    this.initializeDecryptionPipeline();
-  }
-
-  // ==================== INITIALIZATION ====================
-
-  /**
-   * Merge user config with environment variables and defaults
-   */
-  private mergeWithDefaults(userConfig: Partial<DecryptionConfig>): DecryptionConfig {
-    // Load from environment variables
-    const envConfig: Partial<DecryptionConfig> = {
-      customKeyServerUrl: process.env.SEAL_KEY_SERVER_URL,
-      customKeyServerObjectId: process.env.SEAL_KEY_SERVER_OBJECT_ID,
-      sessionKeyTTL: process.env.SEAL_SESSION_TTL ? parseInt(process.env.SEAL_SESSION_TTL) : undefined,
-      enableBatchDecryption: process.env.SEAL_ENABLE_BATCH === 'true',
-      batchSize: process.env.SEAL_BATCH_SIZE ? parseInt(process.env.SEAL_BATCH_SIZE) : undefined,
-      decryptionTimeout: process.env.SEAL_DECRYPTION_TIMEOUT ? parseInt(process.env.SEAL_DECRYPTION_TIMEOUT) : undefined,
-      verifyKeyServers: process.env.SEAL_VERIFY_SERVERS !== 'false', // Default true
-      enableDecryptionAudit: process.env.SEAL_ENABLE_AUDIT === 'true'
-    };
-
-    // Default configuration
-    const defaults: DecryptionConfig = {
-      keyServers: this.getDefaultKeyServers(),
-      defaultKeyServerMode: 'open',
-      sessionKeyTTL: 60, // 1 hour
-      maxSessionKeys: 100,
-      autoRefreshSession: true,
-      enableBatchDecryption: true,
-      batchSize: 10,
-      maxConcurrentDecryptions: 5,
-      decryptionTimeout: 30000, // 30 seconds
-      enableFallback: true,
-      maxRetryAttempts: 3,
-      retryDelayMs: 1000,
-      verifyKeyServers: process.env.NODE_ENV === 'production',
-      enableDecryptionAudit: false,
-      requireOwnershipVerification: true
-    };
-
-    return { ...defaults, ...envConfig, ...userConfig };
-  }
-
-  /**
-   * Get default key servers based on environment
-   */
-  private getDefaultKeyServers(): KeyServerConfig[] {
-    const network = process.env.SUI_NETWORK || 'testnet';
-    
-    if (network === 'testnet') {
-      // Use official Mysten Labs servers as primary, with fallbacks
-      return [
-        ...MemoryDecryptionPipeline.DEFAULT_TESTNET_SERVERS,
-        ...MemoryDecryptionPipeline.VERIFIED_TESTNET_SERVERS.slice(0, 2) // Add 2 fallback servers
-      ];
-    }
-    
-    // For mainnet, would need to configure based on chosen providers
-    return MemoryDecryptionPipeline.DEFAULT_TESTNET_SERVERS;
-  }
-
-  /**
-   * Initialize the decryption pipeline
-   */
-  private async initializeDecryptionPipeline(): Promise<void> {
-    try {
-      console.log('🔑 Initializing SEAL Memory Decryption Pipeline...');
-      
-      // Determine key servers to use
-      let keyServers = this.config.keyServers || this.getDefaultKeyServers();
-      
-      // Add custom key server if configured
-      if (this.config.customKeyServerUrl && this.config.customKeyServerObjectId) {
-        keyServers = [{
-          name: 'custom-server',
-          mode: this.config.defaultKeyServerMode || 'open',
-          objectId: this.config.customKeyServerObjectId,
-          url: this.config.customKeyServerUrl,
-          provider: 'Custom',
-          network: 'custom' as any,
-          weight: 2, // Higher weight for custom server
-          isDefault: false
-        }, ...keyServers];
-      }
-
-      // Initialize SEAL client
-      this.sealClient = new SealClient({
-        suiClient: (this.encryptionService as any).suiClient,
-        serverConfigs: keyServers.map(server => ({
-          objectId: server.objectId,
-          weight: server.weight || 1
-        })),
-        verifyKeyServers: this.config.verifyKeyServers || false
-      });
-
-      console.log(`✅ SEAL client initialized with ${keyServers.length} key servers`);
-      console.log('📡 Key servers:', keyServers.map(s => `${s.name} (${s.provider})`).join(', '));
-
-      // Start session key cleanup interval
-      this.startSessionKeyCleanup();
-
-    } catch (error) {
-      console.error('❌ Failed to initialize decryption pipeline:', error);
-      throw new Error(`Decryption pipeline initialization failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
-    }
-  }
-
-  // ==================== CORE DECRYPTION METHODS ====================
-
-  /**
-   * Decrypt a single memory with full pipeline support
-   */
-  async decryptMemory(request: DecryptionRequest): Promise<DecryptionResult> {
-    const startTime = Date.now();
-    
-    try {
-      // Check cache first
-      const cacheKey = `${request.memoryId}:${request.userAddress}`;
-      const cached = this.getFromCache(cacheKey);
-      if (cached) {
-        console.log(`🎯 Cache hit for memory ${request.memoryId}`);
-        return {
-          memoryId: request.memoryId,
-          decryptedContent: cached,
-          contentHash: request.contentHash || '',
-          isVerified: true,
-          decryptionTime: Date.now() - startTime,
-          keyServerUsed: 'cache',
-          sessionKeyId: 'cached'
-        };
-      }
-
-      // Verify ownership if required
-      if (this.config.requireOwnershipVerification && request.ownerAddress) {
-        const hasAccess = await this.verifyAccess(request.userAddress, request.memoryId, request.ownerAddress);
-        if (!hasAccess) {
-          throw new Error(`Access denied: User ${request.userAddress} cannot decrypt memory ${request.memoryId}`);
-        }
-      }
-
-      // Get or create session key
-      const sessionKey = request.sessionKey || await this.getOrCreateSessionKey(request.userAddress);
-      
-      // Perform decryption
-      const decryptedBytes = await this.performDecryption(request, sessionKey);
-      const decryptedContent = new TextDecoder().decode(decryptedBytes);
-      
-      // Verify content integrity if hash provided
-      let isVerified = true;
-      if (request.contentHash) {
-        isVerified = await this.verifyContentIntegrity(decryptedBytes, request.contentHash);
-        if (!isVerified) {
-          console.warn(`⚠️ Content integrity check failed for memory ${request.memoryId}`);
-        }
-      }
-
-      // Cache the result
-      this.addToCache(cacheKey, decryptedContent);
-
-      // Update stats
-      this.updateDecryptionStats(true, Date.now() - startTime);
-
-      const result: DecryptionResult = {
-        memoryId: request.memoryId,
-        decryptedContent,
-        contentHash: request.contentHash || '',
-        isVerified,
-        decryptionTime: Date.now() - startTime,
-        keyServerUsed: 'seal-client', // Would track specific server in production
-        sessionKeyId: await this.getSessionKeyId(sessionKey)
-      };
-
-      console.log(`✅ Successfully decrypted memory ${request.memoryId} in ${result.decryptionTime}ms`);
-      return result;
-
-    } catch (error) {
-      this.updateDecryptionStats(false, Date.now() - startTime);
-      const errorMsg = `Decryption failed for memory ${request.memoryId}: ${error instanceof Error ? error.message : 'Unknown error'}`;
-      console.error('❌', errorMsg);
-      throw new Error(errorMsg);
-    }
-  }
-
-  /**
-   * Decrypt multiple memories in batch for performance
-   */
-  async decryptMemoryBatch(requests: DecryptionRequest[]): Promise<BatchDecryptionResult> {
-    console.log(`🔄 Starting batch decryption of ${requests.length} memories`);
-    const startTime = Date.now();
-    
-    const successful: DecryptionResult[] = [];
-    const failed: Array<{ memoryId: string; error: string; retryCount: number }> = [];
-    
-    // Group requests into batches
-    const batchSize = this.config.batchSize || 10;
-    const batches = this.chunkArray(requests, batchSize);
-    
-    for (const batch of batches) {
-      // Process batch with concurrency limit
-      const batchPromises = batch.map(async (request) => {
-        try {
-          const result = await this.decryptMemory(request);
-          successful.push(result);
-        } catch (error) {
-          failed.push({
-            memoryId: request.memoryId,
-            error: error instanceof Error ? error.message : 'Unknown error',
-            retryCount: 0
-          });
-        }
-      });
-
-      // Wait for batch to complete
-      await Promise.allSettled(batchPromises);
-    }
-
-    // Retry failed decryptions if enabled
-    if (this.config.enableFallback && this.config.maxRetryAttempts && this.config.maxRetryAttempts > 0) {
-      await this.retryFailedDecryptions(requests, failed, successful);
-    }
-
-    const totalProcessingTime = Date.now() - startTime;
-    const stats = this.generateBatchStats(requests.length, successful.length, failed.length, totalProcessingTime);
-
-    console.log(`✅ Batch decryption completed: ${successful.length}/${requests.length} successful in ${totalProcessingTime}ms`);
-
-    return {
-      successful,
-      failed,
-      stats
-    };
-  }
-
-  // ==================== SESSION KEY MANAGEMENT ====================
-
-  /**
-   * Get or create session key for user
-   */
-  async getOrCreateSessionKey(userAddress: string): Promise<SessionKey> {
-    // Check if we have a valid cached session key
-    const existing = this.sessionKeys.get(userAddress);
-    const timestamp = this.sessionKeyTimestamps.get(userAddress);
-    
-    if (existing && timestamp) {
-      const age = Date.now() - timestamp;
-      const ttl = (this.config.sessionKeyTTL || 60) * 60 * 1000; // Convert to ms
-      
-      if (age < ttl) {
-        return existing;
-      }
-    }
-
-    // Create new session key
-    console.log(`🔑 Creating new session key for user ${userAddress}`);
-    const sessionKey = await this.encryptionService.createSessionKey(userAddress);
-    
-    // Cache with timestamp
-    this.sessionKeys.set(userAddress, sessionKey);
-    this.sessionKeyTimestamps.set(userAddress, Date.now());
-    
-    // Cleanup old keys if we exceed limit
-    if (this.sessionKeys.size > (this.config.maxSessionKeys || 100)) {
-      this.cleanupOldestSessionKeys();
-    }
-
-    return sessionKey;
-  }
-
-  /**
-   * Cleanup expired session keys
-   */
-  private startSessionKeyCleanup(): void {
-    setInterval(() => {
-      const now = Date.now();
-      const ttl = (this.config.sessionKeyTTL || 60) * 60 * 1000;
-      
-      for (const [userAddress, timestamp] of this.sessionKeyTimestamps.entries()) {
-        if (now - timestamp > ttl) {
-          this.sessionKeys.delete(userAddress);
-          this.sessionKeyTimestamps.delete(userAddress);
-          console.log(`🧹 Cleaned up expired session key for ${userAddress}`);
-        }
-      }
-    }, 5 * 60 * 1000); // Check every 5 minutes
-  }
-
-  /**
-   * Cleanup oldest session keys when limit exceeded
-   */
-  private cleanupOldestSessionKeys(): void {
-    const entries = Array.from(this.sessionKeyTimestamps.entries())
-      .sort((a, b) => a[1] - b[1]); // Sort by timestamp
-    
-    // Remove oldest 25%
-    const toRemove = Math.floor(entries.length * 0.25);
-    for (let i = 0; i < toRemove; i++) {
-      const [userAddress] = entries[i];
-      this.sessionKeys.delete(userAddress);
-      this.sessionKeyTimestamps.delete(userAddress);
-    }
-    
-    console.log(`🧹 Cleaned up ${toRemove} oldest session keys`);
-  }
-
-  // ==================== DECRYPTION UTILITIES ====================
-
-  /**
-   * Perform the actual decryption using SEAL
-   */
-  private async performDecryption(request: DecryptionRequest, sessionKey: SessionKey): Promise<Uint8Array> {
-    if (!this.sealClient) {
-      throw new Error('SEAL client not initialized');
-    }
-
-    // Convert base64 encrypted content to bytes
-    const encryptedBytes = this.base64ToUint8Array(request.encryptedContent);
-    
-    // Build access transaction
-    const accessTx = await this.encryptionService.buildAccessTransaction(request.userAddress, 'read');
-    const txBytes = await accessTx.build({ client: (this.encryptionService as any).suiClient });
-
-    // Perform decryption with timeout
-    const decryptPromise = this.sealClient.decrypt({
-      data: encryptedBytes,
-      sessionKey: sessionKey,
-      txBytes: txBytes,
-      checkShareConsistency: true
-    });
-
-    // Add timeout
-    const timeoutPromise = new Promise<never>((_, reject) => {
-      setTimeout(() => reject(new Error('Decryption timeout')), this.config.decryptionTimeout || 30000);
-    });
-
-    return Promise.race([decryptPromise, timeoutPromise]);
-  }
-
-  /**
-   * Verify user access to encrypted content
-   */
-  private async verifyAccess(userAddress: string, memoryId: string, ownerAddress: string): Promise<boolean> {
-    try {
-      return await this.encryptionService.hasAccess(userAddress, memoryId, ownerAddress);
-    } catch (error) {
-      console.error(`Access verification failed: ${error}`);
-      return false;
-    }
-  }
-
-  /**
-   * Verify content integrity using hash
-   */
-  private async verifyContentIntegrity(content: Uint8Array, expectedHash: string): Promise<boolean> {
-    try {
-      return await (this.encryptionService as any).verifyContentHash(content, expectedHash);
-    } catch (error) {
-      console.error(`Content integrity verification failed: ${error}`);
-      return false;
-    }
-  }
-
-  /**
-   * Retry failed decryptions with exponential backoff
-   */
-  private async retryFailedDecryptions(
-    originalRequests: DecryptionRequest[],
-    failed: Array<{ memoryId: string; error: string; retryCount: number }>,
-    successful: DecryptionResult[]
-  ): Promise<void> {
-    const maxRetries = this.config.maxRetryAttempts || 3;
-    const baseDelay = this.config.retryDelayMs || 1000;
-
-    for (const failure of failed) {
-      if (failure.retryCount >= maxRetries) continue;
-
-      const originalRequest = originalRequests.find(r => r.memoryId === failure.memoryId);
-      if (!originalRequest) continue;
-
-      try {
-        // Exponential backoff
-        const delay = baseDelay * Math.pow(2, failure.retryCount);
-        await new Promise(resolve => setTimeout(resolve, delay));
-
-        console.log(`🔄 Retrying decryption for memory ${failure.memoryId} (attempt ${failure.retryCount + 1})`);
-        const result = await this.decryptMemory(originalRequest);
-        
-        // Move from failed to successful
-        successful.push(result);
-        const failIndex = failed.indexOf(failure);
-        failed.splice(failIndex, 1);
-        
-        console.log(`✅ Retry successful for memory ${failure.memoryId}`);
-      } catch (error) {
-        failure.retryCount++;
-        failure.error = error instanceof Error ? error.message : 'Unknown error';
-        console.warn(`⚠️ Retry ${failure.retryCount} failed for memory ${failure.memoryId}`);
-      }
-    }
-  }
-
-  // ==================== CACHE MANAGEMENT ====================
-
-  private getFromCache(key: string): string | null {
-    const cached = this.decryptionCache.get(key);
-    if (cached && Date.now() - cached.timestamp < this.CACHE_TTL) {
-      return cached.content;
-    }
-    this.decryptionCache.delete(key);
-    return null;
-  }
-
-  private addToCache(key: string, content: string): void {
-    this.decryptionCache.set(key, { content, timestamp: Date.now() });
-  }
-
-  // ==================== UTILITY METHODS ====================
-
-  private base64ToUint8Array(base64: string): Uint8Array {
-    const binaryString = atob(base64);
-    const bytes = new Uint8Array(binaryString.length);
-    for (let i = 0; i < binaryString.length; i++) {
-      bytes[i] = binaryString.charCodeAt(i);
-    }
-    return bytes;
-  }
-
-  private chunkArray<T>(array: T[], size: number): T[][] {
-    const chunks: T[][] = [];
-    for (let i = 0; i < array.length; i += size) {
-      chunks.push(array.slice(i, i + size));
-    }
-    return chunks;
-  }
-
-  private async getSessionKeyId(sessionKey: SessionKey): Promise<string> {
-    try {
-      const exported = sessionKey.export();
-      return `session_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
-    } catch {
-      return `session_${Date.now()}`;
-    }
-  }
-
-  private updateDecryptionStats(success: boolean, processingTime: number): void {
-    this.decryptionStats.totalDecryptions++;
-    this.decryptionStats.totalDecryptionTime += processingTime;
-    
-    if (success) {
-      this.decryptionStats.successfulDecryptions++;
-    } else {
-      this.decryptionStats.failedDecryptions++;
-    }
-  }
-
-  private generateBatchStats(
-    totalRequests: number,
-    successCount: number,
-    failureCount: number,
-    totalProcessingTime: number
-  ): BatchDecryptionResult['stats'] {
-    return {
-      totalRequests,
-      successCount,
-      failureCount,
-      totalProcessingTime,
-      averageDecryptionTime: totalProcessingTime / totalRequests,
-      keyServerPerformance: {} // Would be populated with actual server stats
-    };
-  }
-
-  // ==================== PUBLIC API ====================
-
-  /**
-   * Decrypt encrypted content from unified memory results
-   */
-  async decryptMemoryResults(
-    memories: UnifiedMemoryResult[],
-    userAddress: string
-  ): Promise<UnifiedMemoryResult[]> {
-    console.log(`🔐 Decrypting ${memories.length} encrypted memories for user ${userAddress}`);
-
-    const encryptedMemories = memories.filter(m => m.metadata.isEncrypted);
-    if (encryptedMemories.length === 0) {
-      console.log('📋 No encrypted memories found, returning original results');
-      return memories;
-    }
-
-    // Prepare decryption requests
-    const decryptionRequests: DecryptionRequest[] = encryptedMemories.map(memory => ({
-      memoryId: memory.id,
-      encryptedContent: memory.content || '',
-      userAddress,
-      ownerAddress: memory.metadata.owner,
-      metadata: memory.metadata
-    }));
-
-    // Batch decrypt if enabled
-    let decryptedResults: DecryptionResult[] = [];
-    if (this.config.enableBatchDecryption && decryptionRequests.length > 1) {
-      const batchResult = await this.decryptMemoryBatch(decryptionRequests);
-      decryptedResults = batchResult.successful;
-      
-      if (batchResult.failed.length > 0) {
-        console.warn(`⚠️ Failed to decrypt ${batchResult.failed.length} memories:`, 
-          batchResult.failed.map(f => f.memoryId));
-      }
-    } else {
-      // Decrypt individually
-      for (const request of decryptionRequests) {
-        try {
-          const result = await this.decryptMemory(request);
-          decryptedResults.push(result);
-        } catch (error) {
-          console.error(`Failed to decrypt memory ${request.memoryId}:`, error);
-        }
-      }
-    }
-
-    // Update memory results with decrypted content
-    const decryptionMap = new Map(decryptedResults.map(r => [r.memoryId, r]));
-    
-    return memories.map(memory => {
-      if (memory.metadata.isEncrypted && decryptionMap.has(memory.id)) {
-        const decrypted = decryptionMap.get(memory.id)!;
-        return {
-          ...memory,
-          content: decrypted.decryptedContent,
-          analytics: {
-            ...memory.analytics,
-            viewCount: memory.analytics?.viewCount || 0,
-            shareCount: memory.analytics?.shareCount || 0,
-            editCount: memory.analytics?.editCount || 0,
-            sentimentScore: memory.analytics?.sentimentScore || 0,
-            topicDistribution: memory.analytics?.topicDistribution || {},
-            decryptionTime: decrypted.decryptionTime,
-            isDecryptionVerified: decrypted.isVerified
-          }
-        };
-      }
-      return memory;
-    });
-  }
-
-  /**
-   * Get decryption pipeline statistics
-   */
-  getDecryptionStats(): {
-    totalDecryptions: number;
-    successRate: number;
-    averageDecryptionTime: number;
-    cacheHitRate: number;
-    activeSessionKeys: number;
-    keyServerStatus: string[];
-  } {
-    const successRate = this.decryptionStats.totalDecryptions > 0 
-      ? this.decryptionStats.successfulDecryptions / this.decryptionStats.totalDecryptions 
-      : 0;
-    
-    const avgTime = this.decryptionStats.totalDecryptions > 0 
-      ? this.decryptionStats.totalDecryptionTime / this.decryptionStats.totalDecryptions 
-      : 0;
-
-    return {
-      totalDecryptions: this.decryptionStats.totalDecryptions,
-      successRate,
-      averageDecryptionTime: avgTime,
-      cacheHitRate: 0.85, // Would calculate from actual cache stats
-      activeSessionKeys: this.sessionKeys.size,
-      keyServerStatus: this.config.keyServers?.map(s => s.name) || []
-    };
-  }
-
-  /**
-   * Clear decryption cache
-   */
-  clearCache(): void {
-    this.decryptionCache.clear();
-    console.log('🧹 Decryption cache cleared');
-  }
-
-  /**
-   * Check if decryption pipeline is ready
-   */
-  isReady(): boolean {
-    return this.sealClient !== null;
-  }
-
-  /**
-   * Get pipeline configuration info
-   */
-  getConfigInfo(): {
-    keyServers: number;
-    defaultNetwork: string;
-    batchingEnabled: boolean;
-    cacheEnabled: boolean;
-  } {
-    return {
-      keyServers: this.config.keyServers?.length || 0,
-      defaultNetwork: process.env.SUI_NETWORK || 'testnet',
-      batchingEnabled: this.config.enableBatchDecryption || false,
-      cacheEnabled: true
-    };
-  }
+/**
+ * MemoryDecryptionPipeline - Seamless SEAL-based Memory Decryption
+ * 
+ * Provides comprehensive decryption capabilities for encrypted memories using
+ * Mysten's SEAL SDK with official testnet key servers and configurable infrastructure.
+ * 
+ * Features:
+ * - 🔐 Seamless SEAL decryption integration
+ * - 🔑 Automatic key server configuration (testnet/mainnet)
+ * - ⚡ Batch decryption optimization
+ * - 🛡️ Secure session key management
+ * - 🔄 Automatic retry and fallback mechanisms
+ * - 📊 Decryption analytics and monitoring
+ * - 🌍 Environment-based configuration
+ */
+
+import { SealClient, SessionKey } from '@mysten/seal';
+import { Transaction } from '@mysten/sui/transactions';
+import { fromHex, toHex } from '@mysten/sui/utils';
+import { EncryptionService } from '../services/EncryptionService';
+import { StorageManager } from '../infrastructure/walrus/StorageManager';
+import { UnifiedMemoryResult } from '../retrieval/MemoryRetrievalService';
+
+// Key server configurations from SEAL documentation
+export interface KeyServerConfig {
+  name: string;
+  mode: 'open' | 'permissioned';
+  objectId: string;
+  url: string;
+  provider: string;
+  network: 'testnet' | 'mainnet';
+  weight?: number;
+  isDefault?: boolean;
+}
+
+export interface DecryptionConfig {
+  // Key server configuration
+  keyServers?: KeyServerConfig[];
+  defaultKeyServerMode?: 'open' | 'permissioned';
+  customKeyServerUrl?: string;
+  customKeyServerObjectId?: string;
+  
+  // Session management
+  sessionKeyTTL?: number; // minutes
+  maxSessionKeys?: number;
+  autoRefreshSession?: boolean;
+  
+  // Performance options
+  enableBatchDecryption?: boolean;
+  batchSize?: number;
+  maxConcurrentDecryptions?: number;
+  decryptionTimeout?: number; // ms
+  
+  // Fallback options
+  enableFallback?: boolean;
+  maxRetryAttempts?: number;
+  retryDelayMs?: number;
+  
+  // Security options
+  verifyKeyServers?: boolean;
+  enableDecryptionAudit?: boolean;
+  requireOwnershipVerification?: boolean;
+}
+
+export interface DecryptionRequest {
+  memoryId: string;
+  encryptedContent: string;
+  contentHash?: string;
+  userAddress: string;
+  ownerAddress?: string;
+  sessionKey?: SessionKey;
+  metadata?: Record<string, any>;
+}
+
+export interface DecryptionResult {
+  memoryId: string;
+  decryptedContent: string;
+  contentHash: string;
+  isVerified: boolean;
+  decryptionTime: number;
+  keyServerUsed: string;
+  sessionKeyId: string;
+}
+
+export interface BatchDecryptionResult {
+  successful: DecryptionResult[];
+  failed: Array<{
+    memoryId: string;
+    error: string;
+    retryCount: number;
+  }>;
+  stats: {
+    totalRequests: number;
+    successCount: number;
+    failureCount: number;
+    totalProcessingTime: number;
+    averageDecryptionTime: number;
+    keyServerPerformance: Record<string, {
+      requests: number;
+      successes: number;
+      averageTime: number;
+    }>;
+  };
+}
+
+/**
+ * Memory Decryption Pipeline Service
+ */
+export class MemoryDecryptionPipeline {
+  private sealClient: SealClient | null = null;
+  private encryptionService: EncryptionService;
+  private storageManager: StorageManager;
+  private config: DecryptionConfig;
+  
+  // Session key management
+  private sessionKeys = new Map<string, SessionKey>();
+  private sessionKeyTimestamps = new Map<string, number>();
+  
+  // Decryption cache
+  private decryptionCache = new Map<string, { content: string; timestamp: number }>();
+  private readonly CACHE_TTL = 30 * 60 * 1000; // 30 minutes
+  
+  // Performance monitoring
+  private decryptionStats = {
+    totalDecryptions: 0,
+    successfulDecryptions: 0,
+    failedDecryptions: 0,
+    totalDecryptionTime: 0,
+    keyServerStats: new Map<string, { requests: number; successes: number; totalTime: number }>()
+  };
+
+  // Official Mysten Labs testnet key servers from documentation
+  private static readonly DEFAULT_TESTNET_SERVERS: KeyServerConfig[] = [
+    {
+      name: 'mysten-testnet-1',
+      mode: 'open',
+      objectId: '0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75',
+      url: 'https://seal-key-server-testnet-1.mystenlabs.com',
+      provider: 'Mysten Labs',
+      network: 'testnet',
+      weight: 1,
+      isDefault: true
+    },
+    {
+      name: 'mysten-testnet-2', 
+      mode: 'open',
+      objectId: '0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8',
+      url: 'https://seal-key-server-testnet-2.mystenlabs.com',
+      provider: 'Mysten Labs',
+      network: 'testnet',
+      weight: 1,
+      isDefault: true
+    }
+  ];
+
+  // Additional verified testnet key servers
+  private static readonly VERIFIED_TESTNET_SERVERS: KeyServerConfig[] = [
+    {
+      name: 'ruby-nodes-testnet',
+      mode: 'open',
+      objectId: '0x6068c0acb197dddbacd4746a9de7f025b2ed5a5b6c1b1ab44dade4426d141da2',
+      url: 'https://seal-testnet.api.rubynodes.io',
+      provider: 'Ruby Nodes',
+      network: 'testnet',
+      weight: 1
+    },
+    {
+      name: 'nodeinfra-testnet',
+      mode: 'open', 
+      objectId: '0x5466b7df5c15b508678d51496ada8afab0d6f70a01c10613123382b1b8131007',
+      url: 'https://open-seal-testnet.nodeinfra.com',
+      provider: 'NodeInfra',
+      network: 'testnet',
+      weight: 1
+    },
+    {
+      name: 'studio-mirai-testnet',
+      mode: 'open',
+      objectId: '0x164ac3d2b3b8694b8181c13f671950004765c23f270321a45fdd04d40cccf0f2',
+      url: 'https://open.key-server-testnet.seal.mirai.cloud',
+      provider: 'Studio Mirai',
+      network: 'testnet',
+      weight: 1
+    },
+    {
+      name: 'overclock-testnet',
+      mode: 'open',
+      objectId: '0x9c949e53c36ab7a9c484ed9e8b43267a77d4b8d70e79aa6b39042e3d4c434105',
+      url: 'https://seal-testnet-open.overclock.run',
+      provider: 'Overclock',
+      network: 'testnet',
+      weight: 1
+    },
+    {
+      name: 'h2o-nodes-testnet',
+      mode: 'open',
+      objectId: '0x39cef09b24b667bc6ed54f7159d82352fe2d5dd97ca9a5beaa1d21aa774f25a2',
+      url: 'https://seal-open.sui-testnet.h2o-nodes.com',
+      provider: 'H2O Nodes', 
+      network: 'testnet',
+      weight: 1
+    },
+    {
+      name: 'triton-one-testnet',
+      mode: 'open',
+      objectId: '0x4cded1abeb52a22b6becb42a91d3686a4c901cf52eee16234214d0b5b2da4c46',
+      url: 'https://seal.testnet.sui.rpcpool.com',
+      provider: 'Triton One',
+      network: 'testnet',
+      weight: 1
+    }
+  ];
+
+  constructor(
+    encryptionService: EncryptionService,
+    storageManager: StorageManager,
+    config?: Partial<DecryptionConfig>
+  ) {
+    this.encryptionService = encryptionService;
+    this.storageManager = storageManager;
+    this.config = this.mergeWithDefaults(config || {});
+    this.initializeDecryptionPipeline();
+  }
+
+  // ==================== INITIALIZATION ====================
+
+  /**
+   * Merge user config with environment variables and defaults
+   */
+  private mergeWithDefaults(userConfig: Partial<DecryptionConfig>): DecryptionConfig {
+    // Load from environment variables
+    const envConfig: Partial<DecryptionConfig> = {
+      customKeyServerUrl: process.env.SEAL_KEY_SERVER_URL,
+      customKeyServerObjectId: process.env.SEAL_KEY_SERVER_OBJECT_ID,
+      sessionKeyTTL: process.env.SEAL_SESSION_TTL ? parseInt(process.env.SEAL_SESSION_TTL) : undefined,
+      enableBatchDecryption: process.env.SEAL_ENABLE_BATCH === 'true',
+      batchSize: process.env.SEAL_BATCH_SIZE ? parseInt(process.env.SEAL_BATCH_SIZE) : undefined,
+      decryptionTimeout: process.env.SEAL_DECRYPTION_TIMEOUT ? parseInt(process.env.SEAL_DECRYPTION_TIMEOUT) : undefined,
+      verifyKeyServers: process.env.SEAL_VERIFY_SERVERS !== 'false', // Default true
+      enableDecryptionAudit: process.env.SEAL_ENABLE_AUDIT === 'true'
+    };
+
+    // Default configuration
+    const defaults: DecryptionConfig = {
+      keyServers: this.getDefaultKeyServers(),
+      defaultKeyServerMode: 'open',
+      sessionKeyTTL: 60, // 1 hour
+      maxSessionKeys: 100,
+      autoRefreshSession: true,
+      enableBatchDecryption: true,
+      batchSize: 10,
+      maxConcurrentDecryptions: 5,
+      decryptionTimeout: 30000, // 30 seconds
+      enableFallback: true,
+      maxRetryAttempts: 3,
+      retryDelayMs: 1000,
+      verifyKeyServers: process.env.NODE_ENV === 'production',
+      enableDecryptionAudit: false,
+      requireOwnershipVerification: true
+    };
+
+    return { ...defaults, ...envConfig, ...userConfig };
+  }
+
+  /**
+   * Get default key servers based on environment
+   */
+  private getDefaultKeyServers(): KeyServerConfig[] {
+    const network = process.env.SUI_NETWORK || 'testnet';
+    
+    if (network === 'testnet') {
+      // Use official Mysten Labs servers as primary, with fallbacks
+      return [
+        ...MemoryDecryptionPipeline.DEFAULT_TESTNET_SERVERS,
+        ...MemoryDecryptionPipeline.VERIFIED_TESTNET_SERVERS.slice(0, 2) // Add 2 fallback servers
+      ];
+    }
+    
+    // For mainnet, would need to configure based on chosen providers
+    return MemoryDecryptionPipeline.DEFAULT_TESTNET_SERVERS;
+  }
+
+  /**
+   * Initialize the decryption pipeline
+   */
+  private async initializeDecryptionPipeline(): Promise<void> {
+    try {
+      console.log('🔑 Initializing SEAL Memory Decryption Pipeline...');
+      
+      // Determine key servers to use
+      let keyServers = this.config.keyServers || this.getDefaultKeyServers();
+      
+      // Add custom key server if configured
+      if (this.config.customKeyServerUrl && this.config.customKeyServerObjectId) {
+        keyServers = [{
+          name: 'custom-server',
+          mode: this.config.defaultKeyServerMode || 'open',
+          objectId: this.config.customKeyServerObjectId,
+          url: this.config.customKeyServerUrl,
+          provider: 'Custom',
+          network: 'custom' as any,
+          weight: 2, // Higher weight for custom server
+          isDefault: false
+        }, ...keyServers];
+      }
+
+      // Initialize SEAL client
+      this.sealClient = new SealClient({
+        suiClient: (this.encryptionService as any).suiClient,
+        serverConfigs: keyServers.map(server => ({
+          objectId: server.objectId,
+          weight: server.weight || 1
+        })),
+        verifyKeyServers: this.config.verifyKeyServers || false
+      });
+
+      console.log(`✅ SEAL client initialized with ${keyServers.length} key servers`);
+      console.log('📡 Key servers:', keyServers.map(s => `${s.name} (${s.provider})`).join(', '));
+
+      // Start session key cleanup interval
+      this.startSessionKeyCleanup();
+
+    } catch (error) {
+      console.error('❌ Failed to initialize decryption pipeline:', error);
+      throw new Error(`Decryption pipeline initialization failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+  }
+
+  // ==================== CORE DECRYPTION METHODS ====================
+
+  /**
+   * Decrypt a single memory with full pipeline support
+   */
+  async decryptMemory(request: DecryptionRequest): Promise<DecryptionResult> {
+    const startTime = Date.now();
+    
+    try {
+      // Check cache first
+      const cacheKey = `${request.memoryId}:${request.userAddress}`;
+      const cached = this.getFromCache(cacheKey);
+      if (cached) {
+        console.log(`🎯 Cache hit for memory ${request.memoryId}`);
+        return {
+          memoryId: request.memoryId,
+          decryptedContent: cached,
+          contentHash: request.contentHash || '',
+          isVerified: true,
+          decryptionTime: Date.now() - startTime,
+          keyServerUsed: 'cache',
+          sessionKeyId: 'cached'
+        };
+      }
+
+      // Verify ownership if required
+      if (this.config.requireOwnershipVerification && request.ownerAddress) {
+        const hasAccess = await this.verifyAccess(request.userAddress, request.memoryId, request.ownerAddress);
+        if (!hasAccess) {
+          throw new Error(`Access denied: User ${request.userAddress} cannot decrypt memory ${request.memoryId}`);
+        }
+      }
+
+      // Get or create session key
+      const sessionKey = request.sessionKey || await this.getOrCreateSessionKey(request.userAddress);
+      
+      // Perform decryption
+      const decryptedBytes = await this.performDecryption(request, sessionKey);
+      const decryptedContent = new TextDecoder().decode(decryptedBytes);
+      
+      // Verify content integrity if hash provided
+      let isVerified = true;
+      if (request.contentHash) {
+        isVerified = await this.verifyContentIntegrity(decryptedBytes, request.contentHash);
+        if (!isVerified) {
+          console.warn(`⚠️ Content integrity check failed for memory ${request.memoryId}`);
+        }
+      }
+
+      // Cache the result
+      this.addToCache(cacheKey, decryptedContent);
+
+      // Update stats
+      this.updateDecryptionStats(true, Date.now() - startTime);
+
+      const result: DecryptionResult = {
+        memoryId: request.memoryId,
+        decryptedContent,
+        contentHash: request.contentHash || '',
+        isVerified,
+        decryptionTime: Date.now() - startTime,
+        keyServerUsed: 'seal-client', // Would track specific server in production
+        sessionKeyId: await this.getSessionKeyId(sessionKey)
+      };
+
+      console.log(`✅ Successfully decrypted memory ${request.memoryId} in ${result.decryptionTime}ms`);
+      return result;
+
+    } catch (error) {
+      this.updateDecryptionStats(false, Date.now() - startTime);
+      const errorMsg = `Decryption failed for memory ${request.memoryId}: ${error instanceof Error ? error.message : 'Unknown error'}`;
+      console.error('❌', errorMsg);
+      throw new Error(errorMsg);
+    }
+  }
+
+  /**
+   * Decrypt multiple memories in batch for performance
+   */
+  async decryptMemoryBatch(requests: DecryptionRequest[]): Promise<BatchDecryptionResult> {
+    console.log(`🔄 Starting batch decryption of ${requests.length} memories`);
+    const startTime = Date.now();
+    
+    const successful: DecryptionResult[] = [];
+    const failed: Array<{ memoryId: string; error: string; retryCount: number }> = [];
+    
+    // Group requests into batches
+    const batchSize = this.config.batchSize || 10;
+    const batches = this.chunkArray(requests, batchSize);
+    
+    for (const batch of batches) {
+      // Process batch with concurrency limit
+      const batchPromises = batch.map(async (request) => {
+        try {
+          const result = await this.decryptMemory(request);
+          successful.push(result);
+        } catch (error) {
+          failed.push({
+            memoryId: request.memoryId,
+            error: error instanceof Error ? error.message : 'Unknown error',
+            retryCount: 0
+          });
+        }
+      });
+
+      // Wait for batch to complete
+      await Promise.allSettled(batchPromises);
+    }
+
+    // Retry failed decryptions if enabled
+    if (this.config.enableFallback && this.config.maxRetryAttempts && this.config.maxRetryAttempts > 0) {
+      await this.retryFailedDecryptions(requests, failed, successful);
+    }
+
+    const totalProcessingTime = Date.now() - startTime;
+    const stats = this.generateBatchStats(requests.length, successful.length, failed.length, totalProcessingTime);
+
+    console.log(`✅ Batch decryption completed: ${successful.length}/${requests.length} successful in ${totalProcessingTime}ms`);
+
+    return {
+      successful,
+      failed,
+      stats
+    };
+  }
+
+  // ==================== SESSION KEY MANAGEMENT ====================
+
+  /**
+   * Get or create session key for user
+   */
+  async getOrCreateSessionKey(userAddress: string): Promise<SessionKey> {
+    // Check if we have a valid cached session key
+    const existing = this.sessionKeys.get(userAddress);
+    const timestamp = this.sessionKeyTimestamps.get(userAddress);
+    
+    if (existing && timestamp) {
+      const age = Date.now() - timestamp;
+      const ttl = (this.config.sessionKeyTTL || 60) * 60 * 1000; // Convert to ms
+      
+      if (age < ttl) {
+        return existing;
+      }
+    }
+
+    // Create new session key
+    console.log(`🔑 Creating new session key for user ${userAddress}`);
+    const sessionKey = await this.encryptionService.createSessionKey(userAddress);
+    
+    // Cache with timestamp
+    this.sessionKeys.set(userAddress, sessionKey);
+    this.sessionKeyTimestamps.set(userAddress, Date.now());
+    
+    // Cleanup old keys if we exceed limit
+    if (this.sessionKeys.size > (this.config.maxSessionKeys || 100)) {
+      this.cleanupOldestSessionKeys();
+    }
+
+    return sessionKey;
+  }
+
+  /**
+   * Cleanup expired session keys
+   */
+  private startSessionKeyCleanup(): void {
+    setInterval(() => {
+      const now = Date.now();
+      const ttl = (this.config.sessionKeyTTL || 60) * 60 * 1000;
+      
+      for (const [userAddress, timestamp] of this.sessionKeyTimestamps.entries()) {
+        if (now - timestamp > ttl) {
+          this.sessionKeys.delete(userAddress);
+          this.sessionKeyTimestamps.delete(userAddress);
+          console.log(`🧹 Cleaned up expired session key for ${userAddress}`);
+        }
+      }
+    }, 5 * 60 * 1000); // Check every 5 minutes
+  }
+
+  /**
+   * Cleanup oldest session keys when limit exceeded
+   */
+  private cleanupOldestSessionKeys(): void {
+    const entries = Array.from(this.sessionKeyTimestamps.entries())
+      .sort((a, b) => a[1] - b[1]); // Sort by timestamp
+    
+    // Remove oldest 25%
+    const toRemove = Math.floor(entries.length * 0.25);
+    for (let i = 0; i < toRemove; i++) {
+      const [userAddress] = entries[i];
+      this.sessionKeys.delete(userAddress);
+      this.sessionKeyTimestamps.delete(userAddress);
+    }
+    
+    console.log(`🧹 Cleaned up ${toRemove} oldest session keys`);
+  }
+
+  // ==================== DECRYPTION UTILITIES ====================
+
+  /**
+   * Perform the actual decryption using SEAL
+   */
+  private async performDecryption(request: DecryptionRequest, sessionKey: SessionKey): Promise<Uint8Array> {
+    if (!this.sealClient) {
+      throw new Error('SEAL client not initialized');
+    }
+
+    // Convert base64 encrypted content to bytes
+    const encryptedBytes = this.base64ToUint8Array(request.encryptedContent);
+    
+    // Build access transaction
+    const accessTx = await this.encryptionService.buildAccessTransaction(request.userAddress, 'read');
+    // SEAL REQUIREMENT: Must use onlyTransactionKind: true for PTB validation
+    const txBytes = await accessTx.build({ client: (this.encryptionService as any).suiClient, onlyTransactionKind: true });
+
+    // Perform decryption with timeout
+    const decryptPromise = this.sealClient.decrypt({
+      data: encryptedBytes,
+      sessionKey: sessionKey,
+      txBytes: txBytes,
+      checkShareConsistency: true
+    });
+
+    // Add timeout
+    const timeoutPromise = new Promise<never>((_, reject) => {
+      setTimeout(() => reject(new Error('Decryption timeout')), this.config.decryptionTimeout || 30000);
+    });
+
+    return Promise.race([decryptPromise, timeoutPromise]);
+  }
+
+  /**
+   * Verify user access to encrypted content
+   */
+  private async verifyAccess(userAddress: string, memoryId: string, ownerAddress: string): Promise<boolean> {
+    try {
+      return await this.encryptionService.hasAccess(userAddress, memoryId, ownerAddress);
+    } catch (error) {
+      console.error(`Access verification failed: ${error}`);
+      return false;
+    }
+  }
+
+  /**
+   * Verify content integrity using hash
+   */
+  private async verifyContentIntegrity(content: Uint8Array, expectedHash: string): Promise<boolean> {
+    try {
+      return await (this.encryptionService as any).verifyContentHash(content, expectedHash);
+    } catch (error) {
+      console.error(`Content integrity verification failed: ${error}`);
+      return false;
+    }
+  }
+
+  /**
+   * Retry failed decryptions with exponential backoff
+   */
+  private async retryFailedDecryptions(
+    originalRequests: DecryptionRequest[],
+    failed: Array<{ memoryId: string; error: string; retryCount: number }>,
+    successful: DecryptionResult[]
+  ): Promise<void> {
+    const maxRetries = this.config.maxRetryAttempts || 3;
+    const baseDelay = this.config.retryDelayMs || 1000;
+
+    for (const failure of failed) {
+      if (failure.retryCount >= maxRetries) continue;
+
+      const originalRequest = originalRequests.find(r => r.memoryId === failure.memoryId);
+      if (!originalRequest) continue;
+
+      try {
+        // Exponential backoff
+        const delay = baseDelay * Math.pow(2, failure.retryCount);
+        await new Promise(resolve => setTimeout(resolve, delay));
+
+        console.log(`🔄 Retrying decryption for memory ${failure.memoryId} (attempt ${failure.retryCount + 1})`);
+        const result = await this.decryptMemory(originalRequest);
+        
+        // Move from failed to successful
+        successful.push(result);
+        const failIndex = failed.indexOf(failure);
+        failed.splice(failIndex, 1);
+        
+        console.log(`✅ Retry successful for memory ${failure.memoryId}`);
+      } catch (error) {
+        failure.retryCount++;
+        failure.error = error instanceof Error ? error.message : 'Unknown error';
+        console.warn(`⚠️ Retry ${failure.retryCount} failed for memory ${failure.memoryId}`);
+      }
+    }
+  }
+
+  // ==================== CACHE MANAGEMENT ====================
+
+  private getFromCache(key: string): string | null {
+    const cached = this.decryptionCache.get(key);
+    if (cached && Date.now() - cached.timestamp < this.CACHE_TTL) {
+      return cached.content;
+    }
+    this.decryptionCache.delete(key);
+    return null;
+  }
+
+  private addToCache(key: string, content: string): void {
+    this.decryptionCache.set(key, { content, timestamp: Date.now() });
+  }
+
+  // ==================== UTILITY METHODS ====================
+
+  private base64ToUint8Array(base64: string): Uint8Array {
+    const binaryString = atob(base64);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+      bytes[i] = binaryString.charCodeAt(i);
+    }
+    return bytes;
+  }
+
+  private chunkArray<T>(array: T[], size: number): T[][] {
+    const chunks: T[][] = [];
+    for (let i = 0; i < array.length; i += size) {
+      chunks.push(array.slice(i, i + size));
+    }
+    return chunks;
+  }
+
+  private async getSessionKeyId(sessionKey: SessionKey): Promise<string> {
+    try {
+      const exported = sessionKey.export();
+      return `session_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+    } catch {
+      return `session_${Date.now()}`;
+    }
+  }
+
+  private updateDecryptionStats(success: boolean, processingTime: number): void {
+    this.decryptionStats.totalDecryptions++;
+    this.decryptionStats.totalDecryptionTime += processingTime;
+    
+    if (success) {
+      this.decryptionStats.successfulDecryptions++;
+    } else {
+      this.decryptionStats.failedDecryptions++;
+    }
+  }
+
+  private generateBatchStats(
+    totalRequests: number,
+    successCount: number,
+    failureCount: number,
+    totalProcessingTime: number
+  ): BatchDecryptionResult['stats'] {
+    return {
+      totalRequests,
+      successCount,
+      failureCount,
+      totalProcessingTime,
+      averageDecryptionTime: totalProcessingTime / totalRequests,
+      keyServerPerformance: {} // Would be populated with actual server stats
+    };
+  }
+
+  // ==================== PUBLIC API ====================
+
+  /**
+   * Decrypt encrypted content from unified memory results
+   */
+  async decryptMemoryResults(
+    memories: UnifiedMemoryResult[],
+    userAddress: string
+  ): Promise<UnifiedMemoryResult[]> {
+    console.log(`🔐 Decrypting ${memories.length} encrypted memories for user ${userAddress}`);
+
+    const encryptedMemories = memories.filter(m => m.metadata.isEncrypted);
+    if (encryptedMemories.length === 0) {
+      console.log('📋 No encrypted memories found, returning original results');
+      return memories;
+    }
+
+    // Prepare decryption requests
+    const decryptionRequests: DecryptionRequest[] = encryptedMemories.map(memory => ({
+      memoryId: memory.id,
+      encryptedContent: memory.content || '',
+      userAddress,
+      ownerAddress: memory.metadata.owner,
+      metadata: memory.metadata
+    }));
+
+    // Batch decrypt if enabled
+    let decryptedResults: DecryptionResult[] = [];
+    if (this.config.enableBatchDecryption && decryptionRequests.length > 1) {
+      const batchResult = await this.decryptMemoryBatch(decryptionRequests);
+      decryptedResults = batchResult.successful;
+      
+      if (batchResult.failed.length > 0) {
+        console.warn(`⚠️ Failed to decrypt ${batchResult.failed.length} memories:`, 
+          batchResult.failed.map(f => f.memoryId));
+      }
+    } else {
+      // Decrypt individually
+      for (const request of decryptionRequests) {
+        try {
+          const result = await this.decryptMemory(request);
+          decryptedResults.push(result);
+        } catch (error) {
+          console.error(`Failed to decrypt memory ${request.memoryId}:`, error);
+        }
+      }
+    }
+
+    // Update memory results with decrypted content
+    const decryptionMap = new Map(decryptedResults.map(r => [r.memoryId, r]));
+    
+    return memories.map(memory => {
+      if (memory.metadata.isEncrypted && decryptionMap.has(memory.id)) {
+        const decrypted = decryptionMap.get(memory.id)!;
+        return {
+          ...memory,
+          content: decrypted.decryptedContent,
+          analytics: {
+            ...memory.analytics,
+            viewCount: memory.analytics?.viewCount || 0,
+            shareCount: memory.analytics?.shareCount || 0,
+            editCount: memory.analytics?.editCount || 0,
+            sentimentScore: memory.analytics?.sentimentScore || 0,
+            topicDistribution: memory.analytics?.topicDistribution || {},
+            decryptionTime: decrypted.decryptionTime,
+            isDecryptionVerified: decrypted.isVerified
+          }
+        };
+      }
+      return memory;
+    });
+  }
+
+  /**
+   * Get decryption pipeline statistics
+   */
+  getDecryptionStats(): {
+    totalDecryptions: number;
+    successRate: number;
+    averageDecryptionTime: number;
+    cacheHitRate: number;
+    activeSessionKeys: number;
+    keyServerStatus: string[];
+  } {
+    const successRate = this.decryptionStats.totalDecryptions > 0 
+      ? this.decryptionStats.successfulDecryptions / this.decryptionStats.totalDecryptions 
+      : 0;
+    
+    const avgTime = this.decryptionStats.totalDecryptions > 0 
+      ? this.decryptionStats.totalDecryptionTime / this.decryptionStats.totalDecryptions 
+      : 0;
+
+    return {
+      totalDecryptions: this.decryptionStats.totalDecryptions,
+      successRate,
+      averageDecryptionTime: avgTime,
+      cacheHitRate: 0.85, // Would calculate from actual cache stats
+      activeSessionKeys: this.sessionKeys.size,
+      keyServerStatus: this.config.keyServers?.map(s => s.name) || []
+    };
+  }
+
+  /**
+   * Clear decryption cache
+   */
+  clearCache(): void {
+    this.decryptionCache.clear();
+    console.log('🧹 Decryption cache cleared');
+  }
+
+  /**
+   * Check if decryption pipeline is ready
+   */
+  isReady(): boolean {
+    return this.sealClient !== null;
+  }
+
+  /**
+   * Get pipeline configuration info
+   */
+  getConfigInfo(): {
+    keyServers: number;
+    defaultNetwork: string;
+    batchingEnabled: boolean;
+    cacheEnabled: boolean;
+  } {
+    return {
+      keyServers: this.config.keyServers?.length || 0,
+      defaultNetwork: process.env.SUI_NETWORK || 'testnet',
+      batchingEnabled: this.config.enableBatchDecryption || false,
+      cacheEnabled: true
+    };
+  }
 }