@reverbia/sdk 1.0.0-next.20251229084841 → 1.1.0-next.20251230221037

package/dist/react/index.cjs

@@ -5,6 +5,9 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -15,25 +18,729 @@ var __copyProps = (to, from, except, desc) => {
       if (!__hasOwnProp.call(to, key) && key !== except)
         __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
   }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var __decorateClass = (decorators, target, key, kind) => {
-  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
-  for (var i = decorators.length - 1, decorator; i >= 0; i--)
-    if (decorator = decorators[i])
-      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
-  if (kind && result) __defProp(target, key, result);
-  return result;
-};
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+
+// src/lib/validation.ts
+function isValidWalletAddress(address) {
+  if (!address || typeof address !== "string") return false;
+  const ethereumAddressRegex = /^0x[a-fA-F0-9]{40}$/;
+  return ethereumAddressRegex.test(address);
+}
+var init_validation = __esm({
+  "src/lib/validation.ts"() {
+    "use strict";
+  }
+});
+
+// src/lib/backup/oauth/storage.ts
+var storage_exports = {};
+__export(storage_exports, {
+  clearTokenData: () => clearTokenData,
+  getRefreshToken: () => getRefreshToken,
+  getRefreshTokenSync: () => getRefreshTokenSync,
+  getStoredTokenData: () => getStoredTokenData,
+  getStoredTokenDataSync: () => getStoredTokenDataSync,
+  getValidAccessToken: () => getValidAccessToken,
+  getValidAccessTokenSync: () => getValidAccessTokenSync,
+  hasStoredCredentialsSync: () => hasStoredCredentialsSync,
+  isTokenExpired: () => isTokenExpired,
+  reEncryptUnencryptedTokens: () => reEncryptUnencryptedTokens,
+  storeTokenData: () => storeTokenData,
+  tokenResponseToStoredData: () => tokenResponseToStoredData
+});
+function getStorageKey(provider) {
+  return `${STORAGE_KEY_PREFIX}${provider}`;
+}
+function isEncrypted(value) {
+  return value.startsWith(ENCRYPTION_PREFIX);
+}
+async function getOrCreateSessionKey() {
+  if (typeof window === "undefined") {
+    throw new Error("Session key generation requires browser environment");
+  }
+  let sessionKey = sessionStorage.getItem(SESSION_KEY_STORAGE_KEY);
+  if (sessionKey) {
+    return sessionKey;
+  }
+  const keyBytes = crypto.getRandomValues(new Uint8Array(32));
+  sessionKey = Array.from(keyBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  sessionStorage.setItem(SESSION_KEY_STORAGE_KEY, sessionKey);
+  return sessionKey;
+}
+async function encryptWithSessionKey(plaintext) {
+  const sessionKeyHex = await getOrCreateSessionKey();
+  const keyBytes = hexToBytes(sessionKeyHex);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyBytes.buffer,
+    { name: "AES-GCM" },
+    false,
+    ["encrypt", "decrypt"]
+  );
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const plaintextBytes = new TextEncoder().encode(plaintext);
+  const encryptedData = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    plaintextBytes.buffer
+  );
+  const encryptedBytes = new Uint8Array(encryptedData);
+  const combined = new Uint8Array(iv.length + encryptedBytes.length);
+  combined.set(iv, 0);
+  combined.set(encryptedBytes, iv.length);
+  return Array.from(combined).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function decryptWithSessionKey(encryptedHex) {
+  const sessionKeyHex = sessionStorage.getItem(SESSION_KEY_STORAGE_KEY);
+  if (!sessionKeyHex) {
+    throw new Error("Session key not found");
+  }
+  const keyBytes = hexToBytes(sessionKeyHex);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyBytes.buffer,
+    { name: "AES-GCM" },
+    false,
+    ["encrypt", "decrypt"]
+  );
+  const combined = hexToBytes(encryptedHex);
+  const iv = combined.slice(0, 12);
+  const encryptedData = combined.slice(12);
+  const decryptedData = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv },
+    key,
+    encryptedData
+  );
+  return new TextDecoder().decode(decryptedData);
+}
+function hexToBytes(hex) {
+  const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const bytes = new Uint8Array(cleanHex.length / 2);
+  for (let i = 0; i < cleanHex.length; i += 2) {
+    bytes[i / 2] = parseInt(cleanHex.slice(i, i + 2), 16);
+  }
+  return bytes;
+}
+async function reEncryptUnencryptedTokens(walletAddress) {
+  if (typeof window === "undefined") return;
+  if (!hasEncryptionKey(walletAddress)) return;
+  const providers = ["google-drive", "dropbox"];
+  for (const provider of providers) {
+    try {
+      const stored = localStorage.getItem(getStorageKey(provider));
+      if (!stored) continue;
+      if (!isEncrypted(stored)) {
+        try {
+          const data = JSON.parse(stored);
+          if (data.accessToken) {
+            await storeTokenData(provider, data, walletAddress);
+          }
+        } catch {
+          continue;
+        }
+      } else {
+        const encryptedPayload = stored.slice(ENCRYPTION_PREFIX.length);
+        try {
+          const decrypted = await decryptWithSessionKey(encryptedPayload);
+          const data = JSON.parse(decrypted);
+          if (data.accessToken) {
+            await storeTokenData(provider, data, walletAddress);
+          }
+        } catch {
+          continue;
+        }
+      }
+    } catch {
+      continue;
+    }
+  }
+}
+async function getStoredTokenData(provider, walletAddress) {
+  if (typeof window === "undefined") return null;
+  try {
+    const stored = localStorage.getItem(getStorageKey(provider));
+    if (!stored) return null;
+    if (isEncrypted(stored)) {
+      const encryptedPayload = stored.slice(ENCRYPTION_PREFIX.length);
+      if (walletAddress && hasEncryptionKey(walletAddress)) {
+        try {
+          const decrypted = await decryptData(encryptedPayload, walletAddress);
+          const data = JSON.parse(decrypted);
+          if (!data.accessToken) return null;
+          return data;
+        } catch {
+        }
+      }
+      try {
+        const decrypted = await decryptWithSessionKey(encryptedPayload);
+        const data = JSON.parse(decrypted);
+        if (!data.accessToken) return null;
+        if (walletAddress && hasEncryptionKey(walletAddress)) {
+          try {
+            await storeTokenData(provider, data, walletAddress);
+          } catch {
+            console.error(`Failed to re-encrypt OAuth token for ${provider}`);
+          }
+        }
+        return data;
+      } catch {
+        return null;
+      }
+    } else {
+      try {
+        const data = JSON.parse(stored);
+        if (!data.accessToken) return null;
+        if (walletAddress && hasEncryptionKey(walletAddress)) {
+          try {
+            await storeTokenData(provider, data, walletAddress);
+          } catch {
+            console.error(`Failed to re-encrypt OAuth token for ${provider}`);
+          }
+        } else {
+          try {
+            await storeTokenData(provider, data);
+          } catch {
+            console.error(`Failed to encrypt OAuth token for ${provider}`);
+          }
+        }
+        return data;
+      } catch {
+        return null;
+      }
+    }
+  } catch {
+    return null;
+  }
+}
+function getStoredTokenDataSync(provider) {
+  if (typeof window === "undefined") return null;
+  try {
+    const stored = localStorage.getItem(getStorageKey(provider));
+    if (!stored) return null;
+    if (isEncrypted(stored)) {
+      return null;
+    }
+    const data = JSON.parse(stored);
+    if (!data.accessToken) return null;
+    return data;
+  } catch {
+    return null;
+  }
+}
+async function storeTokenData(provider, data, walletAddress) {
+  if (typeof window === "undefined") return;
+  const jsonData = JSON.stringify(data);
+  if (walletAddress && hasEncryptionKey(walletAddress)) {
+    try {
+      const encrypted = await encryptData(jsonData, walletAddress);
+      localStorage.setItem(getStorageKey(provider), `${ENCRYPTION_PREFIX}${encrypted}`);
+      return;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown encryption error";
+      throw new Error(`OAuth token encryption failed: ${message}`);
+    }
+  }
+  try {
+    const encrypted = await encryptWithSessionKey(jsonData);
+    localStorage.setItem(getStorageKey(provider), `${ENCRYPTION_PREFIX}${encrypted}`);
+  } catch (error) {
+    const sessionStorageAvailable = typeof window !== "undefined" && typeof window.sessionStorage !== "undefined" && typeof window.sessionStorage.getItem === "function" && typeof window.sessionStorage.setItem === "function";
+    if (!sessionStorageAvailable) {
+      localStorage.setItem(getStorageKey(provider), jsonData);
+    } else {
+      const message = error instanceof Error ? error.message : "Unknown encryption error";
+      throw new Error(`OAuth token encryption failed: ${message}`);
+    }
+  }
+}
+function clearTokenData(provider) {
+  if (typeof window === "undefined") return;
+  localStorage.removeItem(getStorageKey(provider));
+}
+function isTokenExpired(data, bufferSeconds = 60) {
+  if (!data) return true;
+  if (!data.expiresAt) return false;
+  const now = Date.now();
+  const bufferMs = bufferSeconds * 1e3;
+  return data.expiresAt - bufferMs <= now;
+}
+async function getValidAccessToken(provider, walletAddress) {
+  const data = await getStoredTokenData(provider, walletAddress);
+  if (!data) return null;
+  if (data.expiresAt && isTokenExpired(data)) {
+    return null;
+  }
+  return data.accessToken;
+}
+function getValidAccessTokenSync(provider) {
+  const data = getStoredTokenDataSync(provider);
+  if (!data) return null;
+  if (data.expiresAt && isTokenExpired(data)) {
+    return null;
+  }
+  return data.accessToken;
+}
+async function getRefreshToken(provider, walletAddress) {
+  const data = await getStoredTokenData(provider, walletAddress);
+  return data?.refreshToken ?? null;
+}
+function getRefreshTokenSync(provider) {
+  const data = getStoredTokenDataSync(provider);
+  return data?.refreshToken ?? null;
+}
+function hasStoredCredentialsSync(provider) {
+  if (typeof window === "undefined") return false;
+  const stored = localStorage.getItem(getStorageKey(provider));
+  if (!stored) return false;
+  if (isEncrypted(stored)) {
+    return true;
+  }
+  try {
+    const data = JSON.parse(stored);
+    return !!(data?.accessToken || data?.refreshToken);
+  } catch {
+    return false;
+  }
+}
+function tokenResponseToStoredData(accessToken, expiresIn, refreshToken, scope) {
+  const data = {
+    accessToken,
+    refreshToken,
+    scope
+  };
+  if (expiresIn) {
+    data.expiresAt = Date.now() + expiresIn * 1e3;
+  }
+  return data;
+}
+var STORAGE_KEY_PREFIX, ENCRYPTION_PREFIX, SESSION_KEY_STORAGE_KEY;
+var init_storage = __esm({
+  "src/lib/backup/oauth/storage.ts"() {
+    "use strict";
+    init_useEncryption();
+    STORAGE_KEY_PREFIX = "oauth_token_";
+    ENCRYPTION_PREFIX = "enc:";
+    SESSION_KEY_STORAGE_KEY = "oauth_session_encryption_key";
+  }
+});
+
+// src/react/useEncryption.ts
+var useEncryption_exports = {};
+__export(useEncryption_exports, {
+  clearAllEncryptionKeys: () => clearAllEncryptionKeys,
+  clearAllKeyPairs: () => clearAllKeyPairs,
+  clearEncryptionKey: () => clearEncryptionKey,
+  clearKeyPair: () => clearKeyPair,
+  decryptData: () => decryptData,
+  decryptDataBytes: () => decryptDataBytes,
+  encryptData: () => encryptData,
+  exportPublicKey: () => exportPublicKey,
+  hasEncryptionKey: () => hasEncryptionKey,
+  hasKeyPair: () => hasKeyPair,
+  requestEncryptionKey: () => requestEncryptionKey,
+  requestKeyPair: () => requestKeyPair,
+  useEncryption: () => useEncryption
+});
+function getStoredKey(address) {
+  return encryptionKeyStore.get(address) ?? null;
+}
+function setStoredKey(address, keyHex) {
+  encryptionKeyStore.set(address, keyHex);
+}
+function clearEncryptionKey(address) {
+  encryptionKeyStore.delete(address);
+}
+function clearAllEncryptionKeys() {
+  encryptionKeyStore.clear();
+}
+function hexToBytes2(hex) {
+  const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const bytes = new Uint8Array(cleanHex.length / 2);
+  for (let i = 0; i < cleanHex.length; i += 2) {
+    bytes[i / 2] = parseInt(cleanHex.slice(i, i + 2), 16);
+  }
+  return bytes;
+}
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function deriveKeyFromSignature(signature) {
+  const sigBytes = hexToBytes2(signature);
+  const hashBuffer = await crypto.subtle.digest(
+    "SHA-256",
+    sigBytes.buffer
+  );
+  const hashBytes = new Uint8Array(hashBuffer);
+  return bytesToHex(hashBytes);
+}
+function getStoredKeyPair(address) {
+  return keyPairStore.get(address) ?? null;
+}
+function setStoredKeyPair(address, keyPair) {
+  keyPairStore.set(address, keyPair);
+}
+async function deriveKeyPairFromSignature(signature, walletAddress) {
+  const sigBytes = hexToBytes2(signature);
+  const seedBuffer = await crypto.subtle.digest(
+    "SHA-256",
+    sigBytes.buffer
+  );
+  const seed = new Uint8Array(seedBuffer);
+  const addressBytes = hexToBytes2(walletAddress);
+  const hkdfKey = await crypto.subtle.importKey(
+    "raw",
+    seed.buffer,
+    { name: "HKDF" },
+    false,
+    ["deriveBits"]
+  );
+  const saltBytes = new Uint8Array(addressBytes);
+  const derivedBits = await crypto.subtle.deriveBits(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: saltBytes,
+      // Use wallet address as salt for deterministic derivation
+      info: new TextEncoder().encode("ECDH-P256-KeyPair")
+      // Context info
+    },
+    hkdfKey,
+    256
+    // 32 bytes = 256 bits
+  );
+  const privateKeyBytes = new Uint8Array(derivedBits);
+  if (privateKeyBytes.every((b) => b === 0)) {
+    privateKeyBytes[31] = 1;
+  }
+  const privateKey = await crypto.subtle.importKey(
+    "pkcs8",
+    await createPKCS8PrivateKey(privateKeyBytes),
+    {
+      name: "ECDH",
+      namedCurve: "P-256"
+    },
+    true,
+    // extractable so we can export to JWK
+    ["deriveBits", "deriveKey"]
+  );
+  const privateKeyJwk = await crypto.subtle.exportKey("jwk", privateKey);
+  if (!privateKeyJwk.x || !privateKeyJwk.y) {
+    throw new Error("Failed to derive public key from private key");
+  }
+  const publicKey = await crypto.subtle.importKey(
+    "jwk",
+    {
+      kty: "EC",
+      crv: "P-256",
+      x: privateKeyJwk.x,
+      y: privateKeyJwk.y
+    },
+    {
+      name: "ECDH",
+      namedCurve: "P-256"
+    },
+    true,
+    // extractable
+    []
+    // no key usage needed for public key
+  );
+  return {
+    privateKey,
+    publicKey
+  };
+}
+async function createPKCS8PrivateKey(privateKeyBytes) {
+  const ecPublicKeyOID = new Uint8Array([
+    6,
+    7,
+    42,
+    134,
+    72,
+    206,
+    61,
+    2,
+    1
+  ]);
+  const prime256v1OID = new Uint8Array([
+    6,
+    8,
+    42,
+    134,
+    72,
+    206,
+    61,
+    3,
+    1,
+    7
+  ]);
+  const version2 = new Uint8Array([2, 1, 1]);
+  const privateKeyOctet = new Uint8Array([
+    4,
+    32,
+    // OCTET STRING, 32 bytes
+    ...privateKeyBytes
+  ]);
+  const ecPrivateKeyContent = new Uint8Array([
+    ...version2,
+    ...privateKeyOctet
+  ]);
+  const ecPrivateKeyLength = ecPrivateKeyContent.length;
+  const ecPrivateKeySeq = new Uint8Array([
+    48,
+    // SEQUENCE
+    ecPrivateKeyLength,
+    // Length
+    ...ecPrivateKeyContent
+  ]);
+  const wrappedPrivateKey = new Uint8Array([
+    4,
+    // OCTET STRING
+    ecPrivateKeySeq.length,
+    // Length
+    ...ecPrivateKeySeq
+  ]);
+  const algorithmIdContent = new Uint8Array([
+    ...ecPublicKeyOID,
+    ...prime256v1OID
+  ]);
+  const algorithmIdLength = algorithmIdContent.length;
+  const algorithmIdSeq = new Uint8Array([
+    48,
+    // SEQUENCE
+    algorithmIdLength,
+    // Length
+    ...algorithmIdContent
+  ]);
+  const pkcs8Version = new Uint8Array([2, 1, 0]);
+  const pkcs8Content = new Uint8Array([
+    ...pkcs8Version,
+    ...algorithmIdSeq,
+    ...wrappedPrivateKey
+  ]);
+  const pkcs8ContentLength = pkcs8Content.length;
+  const pkcs8Seq = new Uint8Array([
+    48,
+    // SEQUENCE
+    pkcs8ContentLength,
+    // Length
+    ...pkcs8Content
+  ]);
+  return pkcs8Seq.buffer;
+}
+async function getEncryptionKey(address) {
+  const keyHex = getStoredKey(address);
+  if (!keyHex) {
+    throw new Error(
+      "Encryption key not found. Please sign a message to generate your encryption key."
+    );
+  }
+  const keyBytes = hexToBytes2(keyHex);
+  return crypto.subtle.importKey(
+    "raw",
+    keyBytes.buffer,
+    { name: "AES-GCM" },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function encryptData(plaintext, address) {
+  if (!isValidWalletAddress(address)) {
+    throw new Error(`Invalid wallet address: ${address}. Wallet address must be a valid Ethereum address (0x followed by 40 hex characters).`);
+  }
+  const key = await getEncryptionKey(address);
+  const plaintextBytes = typeof plaintext === "string" ? new TextEncoder().encode(plaintext) : plaintext;
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const encryptedData = await crypto.subtle.encrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    key,
+    plaintextBytes.buffer
+  );
+  const encryptedBytes = new Uint8Array(encryptedData);
+  const combined = new Uint8Array(iv.length + encryptedBytes.length);
+  combined.set(iv, 0);
+  combined.set(encryptedBytes, iv.length);
+  return bytesToHex(combined);
+}
+async function decryptData(encryptedHex, address) {
+  if (!isValidWalletAddress(address)) {
+    throw new Error(`Invalid wallet address: ${address}. Wallet address must be a valid Ethereum address (0x followed by 40 hex characters).`);
+  }
+  const key = await getEncryptionKey(address);
+  const combined = hexToBytes2(encryptedHex);
+  const iv = combined.slice(0, 12);
+  const encryptedData = combined.slice(12);
+  const decryptedData = await crypto.subtle.decrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    key,
+    encryptedData
+  );
+  return new TextDecoder().decode(decryptedData);
+}
+async function decryptDataBytes(encryptedHex, address) {
+  const key = await getEncryptionKey(address);
+  const combined = hexToBytes2(encryptedHex);
+  const iv = combined.slice(0, 12);
+  const encryptedData = combined.slice(12);
+  const decryptedData = await crypto.subtle.decrypt(
+    {
+      name: "AES-GCM",
+      iv
+    },
+    key,
+    encryptedData
+  );
+  return new Uint8Array(decryptedData);
+}
+function hasEncryptionKey(address) {
+  return getStoredKey(address) !== null;
+}
+function isRateLimitError(error) {
+  if (!error) return false;
+  if (typeof error === "object") {
+    const err = error;
+    if (err.status === 429 || err.statusCode === 429) return true;
+    if (err.code === "429" || err.code === "RATE_LIMIT_EXCEEDED") return true;
+    if (err.message?.includes("429") || err.message?.toLowerCase().includes("rate limit")) return true;
+  }
+  if (typeof error === "string") {
+    return error.includes("429") || error.toLowerCase().includes("rate limit");
+  }
+  return false;
+}
+async function signMessageWithRetry(signMessage, message, maxRetries = 3, initialDelay = 1e3) {
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await signMessage(message);
+    } catch (error) {
+      lastError = error;
+      if (!isRateLimitError(error)) {
+        throw error;
+      }
+      if (attempt === maxRetries) {
+        throw new Error(
+          `Rate limit exceeded: Unable to sign message after ${maxRetries + 1} attempts. Please wait a moment and try again. Privy allows 5 signatures per 60 seconds.`
+        );
+      }
+      const delay = Math.min(
+        initialDelay * Math.pow(2, attempt),
+        6e4
+        // Max 60 seconds
+      );
+      if (process.env.NODE_ENV === "development") {
+        console.warn(
+          `[Encryption] Rate limit hit (attempt ${attempt + 1}/${maxRetries + 1}). Retrying in ${Math.ceil(delay / 1e3)}s...`
+        );
+      }
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
+  }
+  throw lastError;
+}
+async function requestEncryptionKey(walletAddress, signMessage) {
+  if (!isValidWalletAddress(walletAddress)) {
+    throw new Error(`Invalid wallet address: ${walletAddress}. Wallet address must be a valid Ethereum address (0x followed by 40 hex characters).`);
+  }
+  const existingKey = getStoredKey(walletAddress);
+  if (existingKey) {
+    try {
+      const { reEncryptUnencryptedTokens: reEncryptUnencryptedTokens2 } = await Promise.resolve().then(() => (init_storage(), storage_exports));
+      await reEncryptUnencryptedTokens2(walletAddress);
+    } catch {
+    }
+    return;
+  }
+  const signature = await signMessageWithRetry(signMessage, SIGN_MESSAGE);
+  const encryptionKey = await deriveKeyFromSignature(signature);
+  setStoredKey(walletAddress, encryptionKey);
+  try {
+    const { reEncryptUnencryptedTokens: reEncryptUnencryptedTokens2 } = await Promise.resolve().then(() => (init_storage(), storage_exports));
+    await reEncryptUnencryptedTokens2(walletAddress);
+  } catch {
+  }
+}
+async function getKeyPair(address, signMessage) {
+  const existingKeyPair = getStoredKeyPair(address);
+  if (existingKeyPair) {
+    return existingKeyPair;
+  }
+  await requestKeyPair(address, signMessage);
+  const keyPair = getStoredKeyPair(address);
+  if (!keyPair) {
+    throw new Error(
+      "Key pair not found. Please sign a message to generate your key pair."
+    );
+  }
+  return keyPair;
+}
+async function requestKeyPair(walletAddress, signMessage) {
+  const existingKeyPair = getStoredKeyPair(walletAddress);
+  if (existingKeyPair) {
+    return;
+  }
+  const signature = await signMessageWithRetry(signMessage, SIGN_MESSAGE);
+  const keyPair = await deriveKeyPairFromSignature(signature, walletAddress);
+  setStoredKeyPair(walletAddress, keyPair);
+}
+async function exportPublicKey(address, signMessage) {
+  const keyPair = await getKeyPair(address, signMessage);
+  const spkiBuffer = await crypto.subtle.exportKey("spki", keyPair.publicKey);
+  const spkiBytes = new Uint8Array(spkiBuffer);
+  return btoa(String.fromCharCode(...spkiBytes));
+}
+function hasKeyPair(address) {
+  return getStoredKeyPair(address) !== null;
+}
+function clearKeyPair(address) {
+  keyPairStore.delete(address);
+}
+function clearAllKeyPairs() {
+  keyPairStore.clear();
+}
+function useEncryption(signMessage) {
+  return {
+    requestEncryptionKey: (walletAddress) => requestEncryptionKey(walletAddress, signMessage),
+    requestKeyPair: (walletAddress) => requestKeyPair(walletAddress, signMessage),
+    exportPublicKey: (walletAddress) => exportPublicKey(walletAddress, signMessage),
+    hasKeyPair: (walletAddress) => hasKeyPair(walletAddress),
+    clearKeyPair: (walletAddress) => clearKeyPair(walletAddress)
+  };
+}
+var SIGN_MESSAGE, encryptionKeyStore, keyPairStore;
+var init_useEncryption = __esm({
+  "src/react/useEncryption.ts"() {
+    "use strict";
+    "use client";
+    init_validation();
+    SIGN_MESSAGE = "The app is asking you to sign this message to generate encryption keys, which will be used to encrypt data and for encryption with cloud services.";
+    encryptionKeyStore = /* @__PURE__ */ new Map();
+    keyPairStore = /* @__PURE__ */ new Map();
+  }
+});
 
 // src/react/index.ts
 var index_exports = {};
@@ -44,6 +751,7 @@ __export(index_exports, {
   BackupAuthProvider: () => BackupAuthProvider,
   ChatConversation: () => Conversation,
   ChatMessage: () => Message,
+  DECRYPTION_FAILED_PLACEHOLDER: () => DECRYPTION_FAILED_PLACEHOLDER,
   DEFAULT_BACKUP_FOLDER: () => DEFAULT_BACKUP_FOLDER,
   DEFAULT_DRIVE_CONVERSATIONS_FOLDER: () => DEFAULT_CONVERSATIONS_FOLDER,
   DEFAULT_DRIVE_ROOT_FOLDER: () => DEFAULT_ROOT_FOLDER,
@@ -57,26 +765,41 @@ __export(index_exports, {
   chatStorageMigrations: () => chatStorageMigrations,
   chatStorageSchema: () => chatStorageSchema,
   clearAllEncryptionKeys: () => clearAllEncryptionKeys,
+  clearAllKeyPairs: () => clearAllKeyPairs,
   clearDropboxToken: () => clearToken,
   clearEncryptionKey: () => clearEncryptionKey,
   clearGoogleDriveToken: () => clearGoogleDriveToken,
   clearICloudAuth: () => clearICloudAuth,
+  clearKeyPair: () => clearKeyPair,
   createMemoryContextSystemMessage: () => createMemoryContextSystemMessage,
   decryptData: () => decryptData,
   decryptDataBytes: () => decryptDataBytes,
+  decryptField: () => decryptField,
+  decryptMemoriesBatch: () => decryptMemoriesBatch,
+  decryptMemoryFields: () => decryptMemoryFields,
   encryptData: () => encryptData,
+  encryptField: () => encryptField,
+  encryptMemoriesBatch: () => encryptMemoriesBatch,
+  encryptMemoriesBatchInPlace: () => encryptMemoriesBatchInPlace,
+  encryptMemoryFields: () => encryptMemoryFields,
+  exportPublicKey: () => exportPublicKey,
   extractConversationContext: () => extractConversationContext,
   formatMemoriesForChat: () => formatMemoriesForChat,
   generateCompositeKey: () => generateCompositeKey,
   generateConversationId: () => generateConversationId,
   generateUniqueKey: () => generateUniqueKey,
+  getEncryptionVersion: () => getEncryptionVersion2,
   getGoogleDriveStoredToken: () => getGoogleDriveStoredToken,
   hasDropboxCredentials: () => hasDropboxCredentials,
+  hasEncryptedFields: () => hasEncryptedFields,
   hasEncryptionKey: () => hasEncryptionKey,
   hasGoogleDriveCredentials: () => hasGoogleDriveCredentials,
   hasICloudCredentials: () => hasICloudCredentials,
+  hasKeyPair: () => hasKeyPair,
   memoryStorageSchema: () => memoryStorageSchema,
+  needsEncryption: () => needsEncryption,
   requestEncryptionKey: () => requestEncryptionKey,
+  requestKeyPair: () => requestKeyPair,
   sdkMigrations: () => sdkMigrations,
   sdkModelClasses: () => sdkModelClasses,
   sdkSchema: () => sdkSchema,
@@ -1322,122 +2045,8 @@ function useChat(options) {
   };
 }
 
-// src/react/useEncryption.ts
-var SIGN_MESSAGE = "The app is asking you to sign this message to generate a key, which will be used to encrypt data.";
-var encryptionKeyStore = /* @__PURE__ */ new Map();
-function getStoredKey(address) {
-  return encryptionKeyStore.get(address) ?? null;
-}
-function setStoredKey(address, keyHex) {
-  encryptionKeyStore.set(address, keyHex);
-}
-function clearEncryptionKey(address) {
-  encryptionKeyStore.delete(address);
-}
-function clearAllEncryptionKeys() {
-  encryptionKeyStore.clear();
-}
-function hexToBytes(hex) {
-  const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
-  const bytes = new Uint8Array(cleanHex.length / 2);
-  for (let i = 0; i < cleanHex.length; i += 2) {
-    bytes[i / 2] = parseInt(cleanHex.slice(i, i + 2), 16);
-  }
-  return bytes;
-}
-function bytesToHex(bytes) {
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function deriveKeyFromSignature(signature) {
-  const sigBytes = hexToBytes(signature);
-  const hashBuffer = await crypto.subtle.digest(
-    "SHA-256",
-    sigBytes.buffer
-  );
-  const hashBytes = new Uint8Array(hashBuffer);
-  return bytesToHex(hashBytes);
-}
-async function getEncryptionKey(address) {
-  const keyHex = getStoredKey(address);
-  if (!keyHex) {
-    throw new Error(
-      "Encryption key not found. Please sign a message to generate your encryption key."
-    );
-  }
-  const keyBytes = hexToBytes(keyHex);
-  return crypto.subtle.importKey(
-    "raw",
-    keyBytes.buffer,
-    { name: "AES-GCM" },
-    false,
-    ["encrypt", "decrypt"]
-  );
-}
-async function encryptData(plaintext, address) {
-  const key = await getEncryptionKey(address);
-  const plaintextBytes = typeof plaintext === "string" ? new TextEncoder().encode(plaintext) : plaintext;
-  const iv = crypto.getRandomValues(new Uint8Array(12));
-  const encryptedData = await crypto.subtle.encrypt(
-    {
-      name: "AES-GCM",
-      iv
-    },
-    key,
-    plaintextBytes.buffer
-  );
-  const encryptedBytes = new Uint8Array(encryptedData);
-  const combined = new Uint8Array(iv.length + encryptedBytes.length);
-  combined.set(iv, 0);
-  combined.set(encryptedBytes, iv.length);
-  return bytesToHex(combined);
-}
-async function decryptData(encryptedHex, address) {
-  const key = await getEncryptionKey(address);
-  const combined = hexToBytes(encryptedHex);
-  const iv = combined.slice(0, 12);
-  const encryptedData = combined.slice(12);
-  const decryptedData = await crypto.subtle.decrypt(
-    {
-      name: "AES-GCM",
-      iv
-    },
-    key,
-    encryptedData
-  );
-  return new TextDecoder().decode(decryptedData);
-}
-async function decryptDataBytes(encryptedHex, address) {
-  const key = await getEncryptionKey(address);
-  const combined = hexToBytes(encryptedHex);
-  const iv = combined.slice(0, 12);
-  const encryptedData = combined.slice(12);
-  const decryptedData = await crypto.subtle.decrypt(
-    {
-      name: "AES-GCM",
-      iv
-    },
-    key,
-    encryptedData
-  );
-  return new Uint8Array(decryptedData);
-}
-function hasEncryptionKey(address) {
-  return getStoredKey(address) !== null;
-}
-async function requestEncryptionKey(walletAddress, signMessage) {
-  const existingKey = getStoredKey(walletAddress);
-  if (existingKey) {
-    return;
-  }
-  const signature = await signMessage(SIGN_MESSAGE);
-  const encryptionKey = await deriveKeyFromSignature(signature);
-  setStoredKey(walletAddress, encryptionKey);
-}
-function useEncryption(signMessage) {
-  return {
-    requestEncryptionKey: (walletAddress) => requestEncryptionKey(walletAddress, signMessage)
-  };
-}
+// src/react/index.ts
+init_useEncryption();
 
 // src/react/useChatStorage.ts
 var import_react2 = require("react");
@@ -2614,6 +3223,24 @@ async function getMemoriesByKeyOp(ctx, namespace, key) {
   return results.map(memoryToStored);
 }
 async function saveMemoryOp(ctx, opts) {
+  if (!opts.namespace || typeof opts.namespace !== "string") {
+    throw new Error("Namespace is required and must be a string");
+  }
+  if (!opts.key || typeof opts.key !== "string") {
+    throw new Error("Key is required and must be a string");
+  }
+  if (!opts.value || typeof opts.value !== "string") {
+    throw new Error("Value is required and must be a string");
+  }
+  if (!opts.type || typeof opts.type !== "string") {
+    throw new Error("Type is required and must be a string");
+  }
+  if (typeof opts.confidence !== "number" || opts.confidence < 0 || opts.confidence > 1) {
+    throw new Error("Confidence must be a number between 0 and 1");
+  }
+  if (typeof opts.pii !== "boolean") {
+    throw new Error("PII must be a boolean");
+  }
   const compositeKey = generateCompositeKey(opts.namespace, opts.key);
   const uniqueKey = generateUniqueKey(opts.namespace, opts.key, opts.value);
   const result = await ctx.database.write(async () => {
@@ -3027,28 +3654,302 @@ var generateEmbeddingForText = async (text4, options = {}) => {
       Authorization: `Bearer ${token}`
     }
   });
-  if (response.error) {
-    throw new Error(
-      typeof response.error === "object" && response.error && "error" in response.error ? response.error.error : "API embedding failed"
-    );
+  if (response.error) {
+    throw new Error(
+      typeof response.error === "object" && response.error && "error" in response.error ? response.error.error : "API embedding failed"
+    );
+  }
+  if (!response.data?.data?.[0]?.embedding) {
+    throw new Error("No embedding returned from API");
+  }
+  return response.data.data[0].embedding;
+};
+var generateEmbeddingForMemory = async (memory, options = {}) => {
+  const text4 = [
+    memory.rawEvidence,
+    memory.type,
+    memory.namespace,
+    memory.key,
+    memory.value
+  ].filter(Boolean).join(" ");
+  return generateEmbeddingForText(text4, options);
+};
+
+// src/lib/db/memory/encryption.ts
+init_useEncryption();
+
+// src/lib/db/migration.ts
+init_useEncryption();
+var ENCRYPTION_PREFIX_V1 = "enc:v1:";
+var ENCRYPTION_PREFIX_V2 = "enc:v2:";
+var ENCRYPTION_PREFIX_LEGACY = "enc:";
+function getEncryptionVersion(value) {
+  if (value.startsWith(ENCRYPTION_PREFIX_V2)) return "v2";
+  if (value.startsWith(ENCRYPTION_PREFIX_V1)) return "v1";
+  if (value.startsWith(ENCRYPTION_PREFIX_LEGACY)) return "v1";
+  return null;
+}
+function isOldEncryption(value) {
+  const version2 = getEncryptionVersion(value);
+  return version2 === "v1";
+}
+async function encryptNewValue(plaintext, walletAddress) {
+  if (!hasEncryptionKey(walletAddress)) {
+    throw new Error("Encryption key not available for new scheme");
+  }
+  const encrypted = await encryptData(plaintext, walletAddress);
+  return `enc:v2:${encrypted}`;
+}
+async function migrateEncryptedValue(encryptedValue, walletAddress, signMessage) {
+  if (getEncryptionVersion(encryptedValue) === "v2") {
+    return encryptedValue;
+  }
+  if (!getEncryptionVersion(encryptedValue)) {
+    return encryptedValue;
+  }
+  if (!hasEncryptionKey(walletAddress)) {
+    const { requestEncryptionKey: requestEncryptionKey2 } = await Promise.resolve().then(() => (init_useEncryption(), useEncryption_exports));
+    await requestEncryptionKey2(walletAddress, signMessage);
+    if (!hasEncryptionKey(walletAddress)) {
+      throw new Error("Encryption key not available after signing");
+    }
+  }
+  let encryptedPayload;
+  if (encryptedValue.startsWith(ENCRYPTION_PREFIX_V1)) {
+    encryptedPayload = encryptedValue.slice(ENCRYPTION_PREFIX_V1.length);
+  } else if (encryptedValue.startsWith(ENCRYPTION_PREFIX_LEGACY)) {
+    encryptedPayload = encryptedValue.slice(ENCRYPTION_PREFIX_LEGACY.length);
+  } else {
+    throw new Error("Invalid old encryption format");
+  }
+  const plaintext = await decryptData(encryptedPayload, walletAddress);
+  return await encryptNewValue(plaintext, walletAddress);
+}
+
+// src/lib/db/memory/encryption.ts
+var ENCRYPTED_FIELDS = ["value", "rawEvidence", "key", "namespace"];
+var ENCRYPTION_PREFIX_V12 = "enc:v1:";
+var ENCRYPTION_PREFIX_V22 = "enc:v2:";
+var ENCRYPTION_PREFIX_LEGACY2 = "enc:";
+var CURRENT_ENCRYPTION_VERSION = "v2";
+var ENCRYPTION_PREFIX2 = `enc:${CURRENT_ENCRYPTION_VERSION}:`;
+var MAX_FIELD_SIZE = 1024 * 1024;
+function isEncrypted2(value) {
+  return value.startsWith(ENCRYPTION_PREFIX2) || value.startsWith(ENCRYPTION_PREFIX_V12) || value.startsWith(ENCRYPTION_PREFIX_LEGACY2);
+}
+function getEncryptionVersion2(value) {
+  if (value.startsWith(ENCRYPTION_PREFIX_V22)) return "v2";
+  if (value.startsWith(ENCRYPTION_PREFIX_V12)) return "v1";
+  if (value.startsWith(ENCRYPTION_PREFIX_LEGACY2)) return "v1";
+  return null;
+}
+async function encryptField(value, address) {
+  if (!value || isEncrypted2(value)) {
+    return value;
+  }
+  if (value.length > MAX_FIELD_SIZE) {
+    throw new Error(
+      `Field value too large: ${value.length} bytes (max: ${MAX_FIELD_SIZE} bytes)`
+    );
+  }
+  try {
+    const encrypted = await encryptData(value, address);
+    return `${ENCRYPTION_PREFIX2}${encrypted}`;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown encryption error";
+    throw new Error(`Encryption failed: ${message}`);
+  }
+}
+var DECRYPTION_FAILED_PLACEHOLDER = "[Decryption Failed]";
+async function decryptField(value, address, signMessage, onMigrated) {
+  if (!value || !isEncrypted2(value)) {
+    return value;
+  }
+  try {
+    if (isOldEncryption(value) && signMessage && onMigrated) {
+      try {
+        const migratedValue = await migrateEncryptedValue(value, address, signMessage);
+        await onMigrated(migratedValue);
+        const encryptedPayload2 = migratedValue.slice(ENCRYPTION_PREFIX_V22.length);
+        return await decryptData(encryptedPayload2, address);
+      } catch (migrationError) {
+        const errorMessage = migrationError instanceof Error ? migrationError.message : "Unknown migration error";
+        console.warn("Migration failed, attempting decryption with current key:", {
+          error: errorMessage,
+          address
+        });
+      }
+    }
+    let encryptedPayload;
+    if (value.startsWith(ENCRYPTION_PREFIX_V22)) {
+      encryptedPayload = value.slice(ENCRYPTION_PREFIX_V22.length);
+    } else if (value.startsWith(ENCRYPTION_PREFIX_V12)) {
+      encryptedPayload = value.slice(ENCRYPTION_PREFIX_V12.length);
+    } else if (value.startsWith(ENCRYPTION_PREFIX_LEGACY2)) {
+      encryptedPayload = value.slice(ENCRYPTION_PREFIX_LEGACY2.length);
+    } else {
+      return value;
+    }
+    return await decryptData(encryptedPayload, address);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown decryption error";
+    console.error("Decryption failed for field:", {
+      address,
+      valueLength: value.length,
+      error: errorMessage
+    });
+    throw new Error(`Decryption failed: ${errorMessage}`);
+  }
+}
+async function encryptMemoryFields(memory, address) {
+  const encrypted = { ...memory };
+  const encryptionPromises = ENCRYPTED_FIELDS.map(async (field3) => {
+    const value = memory[field3];
+    if (typeof value === "string" && value.length > 0) {
+      try {
+        encrypted[field3] = await encryptField(value, address);
+      } catch (error) {
+        throw new Error(`Failed to encrypt field ${field3}: ${error instanceof Error ? error.message : "Unknown error"}`);
+      }
+    }
+  });
+  const results = await Promise.allSettled(encryptionPromises);
+  const failures = results.filter((r) => r.status === "rejected");
+  if (failures.length > 0) {
+    const errorMessages = failures.map(
+      (f) => f.status === "rejected" ? f.reason instanceof Error ? f.reason.message : String(f.reason) : ""
+    ).join("; ");
+    throw new Error(`Encryption failed for ${failures.length} field(s): ${errorMessages}`);
+  }
+  return encrypted;
+}
+async function decryptMemoryFields(memory, address, signMessage, updateMemory) {
+  const decrypted = { ...memory };
+  const decryptionPromises = ENCRYPTED_FIELDS.map(async (field3) => {
+    const value = memory[field3];
+    if (typeof value === "string" && value.length > 0) {
+      if (!isEncrypted2(value)) {
+        if (updateMemory && memory.uniqueId) {
+          try {
+            const encryptedValue = await encryptField(value, address);
+            await updateMemory(memory.uniqueId, {
+              [field3]: encryptedValue
+            });
+            decrypted[field3] = value;
+          } catch (error) {
+            if (process.env.NODE_ENV === "development") {
+              console.warn(`Failed to encrypt field ${field3}:`, error);
+            }
+            decrypted[field3] = value;
+          }
+        } else {
+          decrypted[field3] = value;
+        }
+      } else {
+        const onMigrated = updateMemory && memory.uniqueId ? async (migratedValue) => {
+          await updateMemory(memory.uniqueId, {
+            [field3]: migratedValue
+          });
+        } : void 0;
+        decrypted[field3] = await decryptField(value, address, signMessage, onMigrated);
+      }
+    }
+  });
+  await Promise.all(decryptionPromises);
+  return decrypted;
+}
+async function encryptMemoriesBatch(memories, address) {
+  return Promise.all(
+    memories.map((memory) => encryptMemoryFields(memory, address))
+  );
+}
+async function decryptMemoriesBatch(memories, address, signMessage, updateMemory) {
+  return Promise.all(
+    memories.map(
+      (memory) => decryptMemoryFields(memory, address, signMessage, updateMemory)
+    )
+  );
+}
+function hasEncryptedFields(memory) {
+  return ENCRYPTED_FIELDS.some((field3) => {
+    const value = memory[field3];
+    return typeof value === "string" && isEncrypted2(value);
+  });
+}
+function needsEncryption(memory) {
+  return ENCRYPTED_FIELDS.some((field3) => {
+    const value = memory[field3];
+    return typeof value === "string" && value.length > 0 && !isEncrypted2(value);
+  });
+}
+function extractMemoryFieldsForEncryption(memory) {
+  return {
+    type: memory.type,
+    namespace: memory.namespace,
+    key: memory.key,
+    value: memory.value,
+    rawEvidence: memory.rawEvidence,
+    confidence: memory.confidence,
+    pii: memory.pii
+  };
+}
+async function retryEncryption(operation, maxRetries = 3, initialDelay = 500) {
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await operation();
+    } catch (error) {
+      lastError = error;
+      if (attempt === maxRetries) {
+        throw lastError;
+      }
+      const delay = initialDelay * Math.pow(2, attempt);
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
   }
-  if (!response.data?.data?.[0]?.embedding) {
-    throw new Error("No embedding returned from API");
+  throw lastError;
+}
+async function encryptMemoriesBatchInPlace(memories, address, updateFn, batchSize = 5) {
+  const failed = [];
+  const errors = [];
+  let success = 0;
+  for (let i = 0; i < memories.length; i += batchSize) {
+    const batch = memories.slice(i, i + batchSize);
+    const results = await Promise.allSettled(
+      batch.map(async (memory) => {
+        await retryEncryption(async () => {
+          const fields = extractMemoryFieldsForEncryption(memory);
+          const encryptedData = await encryptMemoryFields(fields, address);
+          await updateFn(memory.uniqueId, encryptedData);
+        });
+      })
+    );
+    results.forEach((result, index) => {
+      if (result.status === "fulfilled") {
+        success++;
+      } else {
+        const memory = batch[index];
+        if (memory) {
+          failed.push(memory.uniqueId);
+          const errorMessage = result.reason instanceof Error ? result.reason.message : String(result.reason);
+          errors.push({
+            id: memory.uniqueId,
+            error: errorMessage
+          });
+          console.error(
+            "Failed to encrypt memory:",
+            memory.uniqueId,
+            errorMessage
+          );
+        }
+      }
+    });
   }
-  return response.data.data[0].embedding;
-};
-var generateEmbeddingForMemory = async (memory, options = {}) => {
-  const text4 = [
-    memory.rawEvidence,
-    memory.type,
-    memory.namespace,
-    memory.key,
-    memory.value
-  ].filter(Boolean).join(" ");
-  return generateEmbeddingForText(text4, options);
-};
+  return { success, failed, errors };
+}
 
 // src/react/useMemoryStorage.ts
+init_useEncryption();
 function useMemoryStorage(options) {
   const {
     database,
@@ -3057,7 +3958,10 @@ function useMemoryStorage(options) {
     generateEmbeddings = true,
     onFactsExtracted,
     getToken,
-    baseUrl = BASE_URL
+    baseUrl = BASE_URL,
+    walletAddress,
+    requestEncryptionKey: requestEncryptionKey2,
+    signMessage
   } = options;
   const embeddingModel = userEmbeddingModel === void 0 ? DEFAULT_API_EMBEDDING_MODEL : userEmbeddingModel;
   const [memories, setMemories] = (0, import_react3.useState)([]);
@@ -3085,10 +3989,127 @@ function useMemoryStorage(options) {
     }),
     [effectiveEmbeddingModel, getToken, baseUrl]
   );
+  const isEncryptionEnabled = (0, import_react3.useMemo)(
+    () => !!walletAddress && !!requestEncryptionKey2,
+    [walletAddress, requestEncryptionKey2]
+  );
+  const ensureEncryptionReady = (0, import_react3.useCallback)(async () => {
+    if (!isEncryptionEnabled || !walletAddress) {
+      return null;
+    }
+    if (hasEncryptionKey(walletAddress)) {
+      return walletAddress;
+    }
+    if (requestEncryptionKey2) {
+      try {
+        await requestEncryptionKey2(walletAddress);
+        return walletAddress;
+      } catch {
+        return null;
+      }
+    }
+    return null;
+  }, [isEncryptionEnabled, walletAddress, requestEncryptionKey2]);
+  const getSignMessageForMigration = (0, import_react3.useCallback)(() => {
+    return signMessage;
+  }, [signMessage]);
+  const encryptUnencryptedMemories = (0, import_react3.useCallback)(
+    async (address) => {
+      if (!isEncryptionEnabled) return;
+      try {
+        const allMemories = await getAllMemoriesOp(storageCtx);
+        if (!allMemories || allMemories.length === 0) return;
+        const memoriesToEncrypt = allMemories.filter(
+          (m) => needsEncryption(m)
+        );
+        if (memoriesToEncrypt.length === 0) return;
+        await encryptMemoriesBatchInPlace(
+          memoriesToEncrypt,
+          address,
+          async (id, data) => {
+            const result = await updateMemoryOp(storageCtx, id, data);
+            if (!result.ok) {
+              throw new Error(`Failed to update memory ${id}`);
+            }
+          }
+        );
+      } catch (error) {
+        if (process.env.NODE_ENV === "development") {
+          console.error("Failed to encrypt unencrypted memories:", error);
+        }
+      }
+    },
+    [isEncryptionEnabled, storageCtx]
+  );
+  const encryptionLockRef = (0, import_react3.useRef)(null);
+  const autoEncryptionRunRef = (0, import_react3.useRef)(false);
+  (0, import_react3.useEffect)(() => {
+    if (!isEncryptionEnabled || !walletAddress) {
+      autoEncryptionRunRef.current = false;
+      encryptionLockRef.current = null;
+      return;
+    }
+    if (encryptionLockRef.current) {
+      encryptionLockRef.current.then(() => {
+        if (isEncryptionEnabled && walletAddress && !autoEncryptionRunRef.current) {
+          ensureEncryptionReady().then((address) => {
+            if (address) {
+              autoEncryptionRunRef.current = true;
+              const encryptionPromise2 = encryptUnencryptedMemories(address).catch((err) => {
+                if (process.env.NODE_ENV === "development") {
+                  console.error("Failed to automatically encrypt memories:", err);
+                }
+              }).finally(() => {
+                encryptionLockRef.current = null;
+              });
+              encryptionLockRef.current = encryptionPromise2;
+            }
+          });
+        }
+      });
+      return;
+    }
+    if (autoEncryptionRunRef.current) {
+      return;
+    }
+    autoEncryptionRunRef.current = true;
+    const encryptionPromise = ensureEncryptionReady().then((address) => {
+      if (address) {
+        return encryptUnencryptedMemories(address);
+      }
+    }).catch((err) => {
+      if (process.env.NODE_ENV === "development") {
+        console.error("Failed to automatically encrypt memories:", err);
+      }
+    }).finally(() => {
+      encryptionLockRef.current = null;
+    });
+    encryptionLockRef.current = encryptionPromise;
+  }, [isEncryptionEnabled, walletAddress, ensureEncryptionReady, encryptUnencryptedMemories]);
   const refreshMemories = (0, import_react3.useCallback)(async () => {
     const storedMemories = await getAllMemoriesOp(storageCtx);
+    if (isEncryptionEnabled && walletAddress) {
+      const address = await ensureEncryptionReady();
+      if (address) {
+        const signMsg = getSignMessageForMigration();
+        const updateMemoryFn = async (id, data) => {
+          const result = await updateMemoryOp(storageCtx, id, data);
+          if (!result.ok) {
+            throw new Error(`Failed to update memory ${id} during migration`);
+          }
+        };
+        const decrypted = await decryptMemoriesBatch(
+          storedMemories,
+          address,
+          signMsg,
+          updateMemoryFn
+        );
+        setMemories(decrypted);
+        return;
+      }
+    }
     setMemories(storedMemories);
-  }, [storageCtx]);
+  }, [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]);
   const extractMemoriesFromMessage = (0, import_react3.useCallback)(
     async (opts) => {
       const { messages, model } = opts;
@@ -3222,21 +4243,38 @@ function useMemoryStorage(options) {
                 pii: item.pii
               })
             );
-            const savedMemories = await saveMemoriesOp(storageCtx, createOptions);
+            let optionsToSave = createOptions;
+            if (isEncryptionEnabled && walletAddress) {
+              const address = await ensureEncryptionReady();
+              if (address) {
+                optionsToSave = await Promise.all(
+                  createOptions.map(async (opt) => {
+                    const encrypted = await encryptMemoryFields(
+                      opt,
+                      address
+                    );
+                    return encrypted;
+                  })
+                );
+              }
+            }
+            const savedMemories = await saveMemoriesOp(storageCtx, optionsToSave);
             console.log(
               `Saved ${savedMemories.length} memories to WatermelonDB`
             );
             if (generateEmbeddings && embeddingModel) {
               try {
-                for (const saved of savedMemories) {
+                for (let i = 0; i < savedMemories.length; i++) {
+                  const memory = createOptions[i];
+                  const saved = savedMemories[i];
                   const memoryItem = {
-                    type: saved.type,
-                    namespace: saved.namespace,
-                    key: saved.key,
-                    value: saved.value,
-                    rawEvidence: saved.rawEvidence,
-                    confidence: saved.confidence,
-                    pii: saved.pii
+                    type: memory.type,
+                    namespace: memory.namespace,
+                    key: memory.key,
+                    value: memory.value,
+                    rawEvidence: memory.rawEvidence,
+                    confidence: memory.confidence,
+                    pii: memory.pii
                   };
                   const embedding = await generateEmbeddingForMemory(
                     memoryItem,
@@ -3257,6 +4295,19 @@ function useMemoryStorage(options) {
               }
             }
             await refreshMemories();
+            if (isEncryptionEnabled && walletAddress && !encryptionLockRef.current) {
+              const address = await ensureEncryptionReady();
+              if (address) {
+                const encryptionPromise = encryptUnencryptedMemories(address).catch((err) => {
+                  if (process.env.NODE_ENV === "development") {
+                    console.error("Failed to encrypt memories:", err);
+                  }
+                }).finally(() => {
+                  encryptionLockRef.current = null;
+                });
+                encryptionLockRef.current = encryptionPromise;
+              }
+            }
           } catch (error) {
             console.error("Failed to save memories to WatermelonDB:", error);
           }
@@ -3281,7 +4332,11 @@ function useMemoryStorage(options) {
       onFactsExtracted,
       baseUrl,
       storageCtx,
-      refreshMemories
+      refreshMemories,
+      isEncryptionEnabled,
+      walletAddress,
+      ensureEncryptionReady,
+      encryptUnencryptedMemories
     ]
   );
   const searchMemories = (0, import_react3.useCallback)(
@@ -3301,6 +4356,25 @@ function useMemoryStorage(options) {
           limit,
           minSimilarity
         );
+        if (isEncryptionEnabled && walletAddress && results.length > 0) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            const decrypted = await decryptMemoriesBatch(
+              results,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+            return decrypted;
+          }
+        }
         if (results.length === 0) {
           console.warn(
             `[Memory Search] No memories found above similarity threshold ${minSimilarity}.`
@@ -3315,31 +4389,71 @@ function useMemoryStorage(options) {
         return [];
       }
     },
-    [embeddingModel, embeddingOptions, storageCtx]
+    [embeddingModel, embeddingOptions, storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const fetchAllMemories = (0, import_react3.useCallback)(async () => {
     try {
-      return await getAllMemoriesOp(storageCtx);
+      const memories2 = await getAllMemoriesOp(storageCtx);
+      if (isEncryptionEnabled && walletAddress && memories2.length > 0) {
+        const address = await ensureEncryptionReady();
+        if (address) {
+          const signMsg = getSignMessageForMigration();
+          const updateMemoryFn = async (id, data) => {
+            const result = await updateMemoryOp(storageCtx, id, data);
+            if (!result.ok) {
+              throw new Error(`Failed to update memory ${id} during migration`);
+            }
+          };
+          const decrypted = await decryptMemoriesBatch(
+            memories2,
+            address,
+            signMsg,
+            updateMemoryFn
+          );
+          return decrypted;
+        }
+      }
+      return memories2;
     } catch (error) {
       throw new Error(
         "Failed to fetch all memories: " + (error instanceof Error ? error.message : String(error))
       );
     }
-  }, [storageCtx]);
+  }, [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]);
   const fetchMemoriesByNamespace = (0, import_react3.useCallback)(
     async (namespace) => {
       if (!namespace) {
         throw new Error("Missing required field: namespace");
       }
       try {
-        return await getMemoriesByNamespaceOp(storageCtx, namespace);
+        const memories2 = await getMemoriesByNamespaceOp(storageCtx, namespace);
+        if (isEncryptionEnabled && walletAddress && memories2.length > 0) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            const decrypted = await decryptMemoriesBatch(
+              memories2,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+            return decrypted;
+          }
+        }
+        return memories2;
       } catch (error) {
         throw new Error(
           `Failed to fetch memories for namespace "${namespace}": ` + (error instanceof Error ? error.message : String(error))
         );
       }
     },
-    [storageCtx]
+    [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const fetchMemoriesByKey = (0, import_react3.useCallback)(
     async (namespace, key) => {
@@ -3347,31 +4461,82 @@ function useMemoryStorage(options) {
         throw new Error("Missing required fields: namespace, key");
       }
       try {
-        return await getMemoriesByKeyOp(storageCtx, namespace, key);
+        const memories2 = await getMemoriesByKeyOp(storageCtx, namespace, key);
+        if (isEncryptionEnabled && walletAddress && memories2.length > 0) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            const decrypted = await decryptMemoriesBatch(
+              memories2,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+            return decrypted;
+          }
+        }
+        return memories2;
       } catch (error) {
         throw new Error(
           `Failed to fetch memories for "${namespace}:${key}": ` + (error instanceof Error ? error.message : String(error))
         );
       }
     },
-    [storageCtx]
+    [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const getMemoryById = (0, import_react3.useCallback)(
     async (id) => {
       try {
-        return await getMemoryByIdOp(storageCtx, id);
+        const memory = await getMemoryByIdOp(storageCtx, id);
+        if (!memory) return null;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id2, data) => {
+              const result = await updateMemoryOp(storageCtx, id2, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id2} during migration`);
+              }
+            };
+            const decrypted = await decryptMemoryFields(
+              memory,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+            return decrypted;
+          }
+        }
+        return memory;
       } catch (error) {
         throw new Error(
           `Failed to get memory ${id}: ` + (error instanceof Error ? error.message : String(error))
         );
       }
     },
-    [storageCtx]
+    [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const saveMemory = (0, import_react3.useCallback)(
     async (memory) => {
       try {
-        const saved = await saveMemoryOp(storageCtx, memory);
+        let memoryToSave = memory;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            memoryToSave = await encryptMemoryFields(
+              memory,
+              address
+            );
+          }
+        }
+        const saved = await saveMemoryOp(storageCtx, memoryToSave);
         if (generateEmbeddings && embeddingModel && !memory.embedding) {
           try {
             const memoryItem = {
@@ -3397,26 +4562,60 @@ function useMemoryStorage(options) {
             console.error("Failed to generate embedding:", error);
           }
         }
+        let savedForState = saved;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            savedForState = await decryptMemoryFields(
+              saved,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+          }
+        }
         setMemories((prev) => {
-          const existing = prev.find((m) => m.uniqueId === saved.uniqueId);
+          const existing = prev.find((m) => m.uniqueId === savedForState.uniqueId);
           if (existing) {
-            return prev.map((m) => m.uniqueId === saved.uniqueId ? saved : m);
+            return prev.map((m) => m.uniqueId === savedForState.uniqueId ? savedForState : m);
           }
-          return [saved, ...prev];
+          return [savedForState, ...prev];
         });
-        return saved;
+        return savedForState;
       } catch (error) {
         throw new Error(
           "Failed to save memory: " + (error instanceof Error ? error.message : String(error))
         );
       }
     },
-    [storageCtx, generateEmbeddings, embeddingModel, embeddingOptions]
+    [storageCtx, generateEmbeddings, embeddingModel, embeddingOptions, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const saveMemories = (0, import_react3.useCallback)(
     async (memoriesToSave) => {
       try {
-        const saved = await saveMemoriesOp(storageCtx, memoriesToSave);
+        let optionsToSave = memoriesToSave;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            optionsToSave = await Promise.all(
+              memoriesToSave.map(async (opt) => {
+                const encrypted = await encryptMemoryFields(
+                  opt,
+                  address
+                );
+                return encrypted;
+              })
+            );
+          }
+        }
+        const saved = await saveMemoriesOp(storageCtx, optionsToSave);
         if (generateEmbeddings && embeddingModel) {
           for (let i = 0; i < saved.length; i++) {
             const memory = memoriesToSave[i];
@@ -3447,8 +4646,27 @@ function useMemoryStorage(options) {
             }
           }
         }
+        let savedForReturn = saved;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            savedForReturn = await decryptMemoriesBatch(
+              saved,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+          }
+        }
         await refreshMemories();
-        return saved;
+        return savedForReturn;
       } catch (error) {
         throw new Error(
           "Failed to save memories: " + (error instanceof Error ? error.message : String(error))
@@ -3460,12 +4678,56 @@ function useMemoryStorage(options) {
       generateEmbeddings,
       embeddingModel,
       embeddingOptions,
-      refreshMemories
+      refreshMemories,
+      isEncryptionEnabled,
+      walletAddress,
+      ensureEncryptionReady,
+      getSignMessageForMigration
     ]
   );
   const updateMemory = (0, import_react3.useCallback)(
     async (id, updates) => {
-      const result = await updateMemoryOp(storageCtx, id, updates);
+      let updatesToSave = updates;
+      if (isEncryptionEnabled && walletAddress) {
+        const address = await ensureEncryptionReady();
+        if (address) {
+          try {
+            const fieldsToEncrypt = {};
+            if (updates.value !== void 0) {
+              fieldsToEncrypt.value = updates.value;
+            }
+            if (updates.rawEvidence !== void 0) {
+              fieldsToEncrypt.rawEvidence = updates.rawEvidence;
+            }
+            if (updates.key !== void 0) {
+              fieldsToEncrypt.key = updates.key;
+            }
+            if (updates.namespace !== void 0) {
+              fieldsToEncrypt.namespace = updates.namespace;
+            }
+            const encrypted = await encryptMemoryFields(fieldsToEncrypt, address);
+            const encryptedUpdates = { ...updates };
+            if (updates.value !== void 0) {
+              encryptedUpdates.value = encrypted.value;
+            }
+            if (updates.rawEvidence !== void 0) {
+              encryptedUpdates.rawEvidence = encrypted.rawEvidence;
+            }
+            if (updates.key !== void 0) {
+              encryptedUpdates.key = encrypted.key;
+            }
+            if (updates.namespace !== void 0) {
+              encryptedUpdates.namespace = encrypted.namespace;
+            }
+            updatesToSave = encryptedUpdates;
+          } catch (error) {
+            throw new Error(
+              `Failed to encrypt memory fields: ${error instanceof Error ? error.message : "Unknown error"}`
+            );
+          }
+        }
+      }
+      const result = await updateMemoryOp(storageCtx, id, updatesToSave);
       if (!result.ok) {
         if (result.reason === "not_found") {
           return null;
@@ -3479,7 +4741,25 @@ function useMemoryStorage(options) {
           `Failed to update memory ${id}: ${result.error.message}`
         );
       }
-      const updated = result.memory;
+      let updated = result.memory;
+      if (isEncryptionEnabled && walletAddress) {
+        const address = await ensureEncryptionReady();
+        if (address) {
+          const signMsg = getSignMessageForMigration();
+          const updateMemoryFn = async (id2, data) => {
+            const result2 = await updateMemoryOp(storageCtx, id2, data);
+            if (!result2.ok) {
+              throw new Error(`Failed to update memory ${id2} during migration`);
+            }
+          };
+          updated = await decryptMemoryFields(
+            updated,
+            address,
+            signMsg,
+            updateMemoryFn
+          );
+        }
+      }
       const contentChanged = updates.value !== void 0 || updates.rawEvidence !== void 0 || updates.type !== void 0 || updates.namespace !== void 0 || updates.key !== void 0;
       if (contentChanged && generateEmbeddings && embeddingModel && !updates.embedding) {
         try {
@@ -3511,7 +4791,7 @@ function useMemoryStorage(options) {
       );
       return updated;
     },
-    [storageCtx, generateEmbeddings, embeddingModel, embeddingOptions]
+    [storageCtx, generateEmbeddings, embeddingModel, embeddingOptions, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const removeMemory = (0, import_react3.useCallback)(
     async (namespace, key, value) => {
@@ -4517,63 +5797,8 @@ async function performDropboxImport(userAddress, token, deps, onProgress, backup
 // src/react/useDropboxAuth.ts
 var import_react10 = require("react");
 
-// src/lib/backup/oauth/storage.ts
-var STORAGE_KEY_PREFIX = "oauth_token_";
-function getStorageKey(provider) {
-  return `${STORAGE_KEY_PREFIX}${provider}`;
-}
-function getStoredTokenData(provider) {
-  if (typeof window === "undefined") return null;
-  try {
-    const stored = localStorage.getItem(getStorageKey(provider));
-    if (!stored) return null;
-    const data = JSON.parse(stored);
-    if (!data.accessToken) return null;
-    return data;
-  } catch {
-    return null;
-  }
-}
-function storeTokenData(provider, data) {
-  if (typeof window === "undefined") return;
-  localStorage.setItem(getStorageKey(provider), JSON.stringify(data));
-}
-function clearTokenData(provider) {
-  if (typeof window === "undefined") return;
-  localStorage.removeItem(getStorageKey(provider));
-}
-function isTokenExpired(data, bufferSeconds = 60) {
-  if (!data) return true;
-  if (!data.expiresAt) return false;
-  const now = Date.now();
-  const bufferMs = bufferSeconds * 1e3;
-  return data.expiresAt - bufferMs <= now;
-}
-function getValidAccessToken(provider) {
-  const data = getStoredTokenData(provider);
-  if (!data) return null;
-  if (data.expiresAt && isTokenExpired(data)) {
-    return null;
-  }
-  return data.accessToken;
-}
-function getRefreshToken(provider) {
-  const data = getStoredTokenData(provider);
-  return data?.refreshToken ?? null;
-}
-function tokenResponseToStoredData(accessToken, expiresIn, refreshToken, scope) {
-  const data = {
-    accessToken,
-    refreshToken,
-    scope
-  };
-  if (expiresIn) {
-    data.expiresAt = Date.now() + expiresIn * 1e3;
-  }
-  return data;
-}
-
 // src/lib/backup/dropbox/auth.ts
+init_storage();
 var PROVIDER = "dropbox";
 var STATE_STORAGE_KEY = "dropbox_oauth_state";
 var DROPBOX_AUTH_URL = "https://www.dropbox.com/oauth2/authorize";
@@ -4581,6 +5806,7 @@ function getRedirectUri(callbackPath) {
   if (typeof window === "undefined") return "";
   return `${window.location.origin}${callbackPath}`;
 }
+var MAX_STATE_AGE_MS = 10 * 60 * 1e3;
 function generateState() {
   const array = new Uint8Array(16);
   crypto.getRandomValues(array);
@@ -4590,21 +5816,48 @@ function generateState() {
 }
 function storeOAuthState(state) {
   if (typeof window === "undefined") return;
-  sessionStorage.setItem(STATE_STORAGE_KEY, state);
+  const stateData = {
+    state,
+    timestamp: Date.now()
+  };
+  sessionStorage.setItem(STATE_STORAGE_KEY, JSON.stringify(stateData));
 }
 function getAndClearOAuthState() {
   if (typeof window === "undefined") return null;
-  const state = sessionStorage.getItem(STATE_STORAGE_KEY);
-  sessionStorage.removeItem(STATE_STORAGE_KEY);
-  return state;
+  try {
+    const stored = sessionStorage.getItem(STATE_STORAGE_KEY);
+    if (!stored) return null;
+    const stateData = JSON.parse(stored);
+    const age = Date.now() - stateData.timestamp;
+    if (age > MAX_STATE_AGE_MS) {
+      sessionStorage.removeItem(STATE_STORAGE_KEY);
+      return null;
+    }
+    sessionStorage.removeItem(STATE_STORAGE_KEY);
+    return stateData.state;
+  } catch {
+    sessionStorage.removeItem(STATE_STORAGE_KEY);
+    return null;
+  }
 }
 function isDropboxCallback() {
   if (typeof window === "undefined") return false;
   const url = new URL(window.location.href);
   const code = url.searchParams.get("code");
   const state = url.searchParams.get("state");
-  const storedState = sessionStorage.getItem(STATE_STORAGE_KEY);
-  return !!code && !!state && state === storedState;
+  if (!code || !state) return false;
+  try {
+    const stored = sessionStorage.getItem(STATE_STORAGE_KEY);
+    if (!stored) return false;
+    const stateData = JSON.parse(stored);
+    const age = Date.now() - stateData.timestamp;
+    if (age > MAX_STATE_AGE_MS) {
+      return false;
+    }
+    return state === stateData.state;
+  } catch {
+    return false;
+  }
 }
 async function handleDropboxCallback(callbackPath, apiClient) {
   if (typeof window === "undefined") return null;
@@ -4633,15 +5886,35 @@ async function handleDropboxCallback(callbackPath, apiClient) {
       response.data.refresh_token,
       response.data.scope
     );
-    storeTokenData(PROVIDER, tokenData);
+    try {
+      await storeTokenData(PROVIDER, tokenData);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Unknown encryption error";
+      console.error("OAuth token encryption failed in Dropbox callback:", errorMessage);
+      console.warn("OAuth token encryption failed - tokens not stored securely");
+      return null;
+    }
     window.history.replaceState({}, "", window.location.pathname);
     return response.data.access_token;
-  } catch {
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    const errorName = error instanceof Error ? error.name : "Error";
+    console.error(`Dropbox OAuth callback error: ${errorName}: ${errorMessage}`);
+    console.error("Error details:", {
+      name: errorName,
+      message: errorMessage,
+      stack: error instanceof Error ? error.stack : void 0
+    });
+    console.warn(`Dropbox OAuth callback failed: ${errorMessage}`);
+    if (errorMessage.includes("encryption failed") || errorMessage.includes("OAuth token encryption")) {
+      console.warn("OAuth callback failed due to encryption error - this is a security issue");
+      throw error;
+    }
     return null;
   }
 }
-async function refreshDropboxToken(apiClient) {
-  const refreshToken = getRefreshToken(PROVIDER);
+async function refreshDropboxToken(apiClient, walletAddress) {
+  const refreshToken = walletAddress ? await getRefreshToken(PROVIDER, walletAddress) : getRefreshTokenSync(PROVIDER);
   if (!refreshToken) return null;
   try {
     const response = await postAuthOauthByProviderRefresh({
@@ -4652,22 +5925,22 @@ async function refreshDropboxToken(apiClient) {
     if (!response.data?.access_token) {
       throw new Error("No access token in refresh response");
     }
-    const currentData = getStoredTokenData(PROVIDER);
+    const currentData = walletAddress ? await getStoredTokenData(PROVIDER, walletAddress) : getStoredTokenDataSync(PROVIDER);
     const tokenData = tokenResponseToStoredData(
       response.data.access_token,
       response.data.expires_in,
       response.data.refresh_token ?? currentData?.refreshToken,
       response.data.scope ?? currentData?.scope
     );
-    storeTokenData(PROVIDER, tokenData);
+    await storeTokenData(PROVIDER, tokenData, walletAddress);
     return response.data.access_token;
   } catch {
     clearTokenData(PROVIDER);
     return null;
   }
 }
-async function revokeDropboxToken(apiClient) {
-  const tokenData = getStoredTokenData(PROVIDER);
+async function revokeDropboxToken(apiClient, walletAddress) {
+  const tokenData = walletAddress ? await getStoredTokenData(PROVIDER, walletAddress) : getStoredTokenDataSync(PROVIDER);
   if (!tokenData) return;
   try {
     const tokenToRevoke = tokenData.refreshToken ?? tokenData.accessToken;
@@ -4681,10 +5954,10 @@ async function revokeDropboxToken(apiClient) {
     clearTokenData(PROVIDER);
   }
 }
-async function getDropboxAccessToken(apiClient) {
-  const validToken = getValidAccessToken(PROVIDER);
+async function getDropboxAccessToken(apiClient, walletAddress) {
+  const validToken = walletAddress ? await getValidAccessToken(PROVIDER, walletAddress) : getValidAccessTokenSync(PROVIDER);
   if (validToken) return validToken;
-  return refreshDropboxToken(apiClient);
+  return refreshDropboxToken(apiClient, walletAddress);
 }
 async function startDropboxAuth(appKey, callbackPath) {
   const state = generateState();
@@ -4705,8 +5978,7 @@ function clearToken() {
   clearTokenData(PROVIDER);
 }
 function hasDropboxCredentials() {
-  const data = getStoredTokenData(PROVIDER);
-  return !!(data?.accessToken || data?.refreshToken);
+  return hasStoredCredentialsSync(PROVIDER);
 }
 
 // src/react/useDropboxAuth.ts
@@ -4885,6 +6157,7 @@ function useDropboxBackup(options) {
 var import_react12 = require("react");
 
 // src/lib/backup/google/auth.ts
+init_storage();
 var PROVIDER2 = "google-drive";
 var CODE_STORAGE_KEY = "google_oauth_state";
 var GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
@@ -4896,6 +6169,7 @@ function getRedirectUri2(callbackPath) {
   if (typeof window === "undefined") return "";
   return `${window.location.origin}${callbackPath}`;
 }
+var MAX_STATE_AGE_MS2 = 10 * 60 * 1e3;
 function generateState2() {
   const array = new Uint8Array(16);
   crypto.getRandomValues(array);
@@ -4905,21 +6179,48 @@ function generateState2() {
 }
 function storeOAuthState2(state) {
   if (typeof window === "undefined") return;
-  sessionStorage.setItem(CODE_STORAGE_KEY, state);
+  const stateData = {
+    state,
+    timestamp: Date.now()
+  };
+  sessionStorage.setItem(CODE_STORAGE_KEY, JSON.stringify(stateData));
 }
 function getAndClearOAuthState2() {
   if (typeof window === "undefined") return null;
-  const state = sessionStorage.getItem(CODE_STORAGE_KEY);
-  sessionStorage.removeItem(CODE_STORAGE_KEY);
-  return state;
+  try {
+    const stored = sessionStorage.getItem(CODE_STORAGE_KEY);
+    if (!stored) return null;
+    const stateData = JSON.parse(stored);
+    const age = Date.now() - stateData.timestamp;
+    if (age > MAX_STATE_AGE_MS2) {
+      sessionStorage.removeItem(CODE_STORAGE_KEY);
+      return null;
+    }
+    sessionStorage.removeItem(CODE_STORAGE_KEY);
+    return stateData.state;
+  } catch {
+    sessionStorage.removeItem(CODE_STORAGE_KEY);
+    return null;
+  }
 }
 function isGoogleDriveCallback() {
   if (typeof window === "undefined") return false;
   const url = new URL(window.location.href);
   const code = url.searchParams.get("code");
   const state = url.searchParams.get("state");
-  const storedState = sessionStorage.getItem(CODE_STORAGE_KEY);
-  return !!code && !!state && state === storedState;
+  if (!code || !state) return false;
+  try {
+    const stored = sessionStorage.getItem(CODE_STORAGE_KEY);
+    if (!stored) return false;
+    const stateData = JSON.parse(stored);
+    const age = Date.now() - stateData.timestamp;
+    if (age > MAX_STATE_AGE_MS2) {
+      return false;
+    }
+    return state === stateData.state;
+  } catch {
+    return false;
+  }
 }
 async function handleGoogleDriveCallback(callbackPath, apiClient) {
   if (typeof window === "undefined") return null;
@@ -4948,15 +6249,35 @@ async function handleGoogleDriveCallback(callbackPath, apiClient) {
       response.data.refresh_token,
       response.data.scope
     );
-    storeTokenData(PROVIDER2, tokenData);
+    try {
+      await storeTokenData(PROVIDER2, tokenData);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Unknown encryption error";
+      console.error("OAuth token encryption failed in Google Drive callback:", errorMessage);
+      console.warn("OAuth token encryption failed - tokens not stored securely");
+      return null;
+    }
     window.history.replaceState({}, "", window.location.pathname);
     return response.data.access_token;
-  } catch {
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    const errorName = error instanceof Error ? error.name : "Error";
+    console.error(`Google Drive OAuth callback error: ${errorName}: ${errorMessage}`);
+    console.error("Error details:", {
+      name: errorName,
+      message: errorMessage,
+      stack: error instanceof Error ? error.stack : void 0
+    });
+    console.warn(`Google Drive OAuth callback failed: ${errorMessage}`);
+    if (errorMessage.includes("encryption failed") || errorMessage.includes("OAuth token encryption")) {
+      console.warn("OAuth callback failed due to encryption error - this is a security issue");
+      throw error;
+    }
     return null;
   }
 }
-async function refreshGoogleDriveToken(apiClient) {
-  const refreshToken = getRefreshToken(PROVIDER2);
+async function refreshGoogleDriveToken(apiClient, walletAddress) {
+  const refreshToken = walletAddress ? await getRefreshToken(PROVIDER2, walletAddress) : getRefreshTokenSync(PROVIDER2);
   if (!refreshToken) return null;
   try {
     const response = await postAuthOauthByProviderRefresh({
@@ -4967,22 +6288,22 @@ async function refreshGoogleDriveToken(apiClient) {
     if (!response.data?.access_token) {
       throw new Error("No access token in refresh response");
     }
-    const currentData = getStoredTokenData(PROVIDER2);
+    const currentData = walletAddress ? await getStoredTokenData(PROVIDER2, walletAddress) : getStoredTokenDataSync(PROVIDER2);
     const tokenData = tokenResponseToStoredData(
       response.data.access_token,
       response.data.expires_in,
       response.data.refresh_token ?? currentData?.refreshToken,
       response.data.scope ?? currentData?.scope
     );
-    storeTokenData(PROVIDER2, tokenData);
+    await storeTokenData(PROVIDER2, tokenData, walletAddress);
     return response.data.access_token;
   } catch {
     clearTokenData(PROVIDER2);
     return null;
   }
 }
-async function revokeGoogleDriveToken(apiClient) {
-  const tokenData = getStoredTokenData(PROVIDER2);
+async function revokeGoogleDriveToken(apiClient, walletAddress) {
+  const tokenData = walletAddress ? await getStoredTokenData(PROVIDER2, walletAddress) : getStoredTokenDataSync(PROVIDER2);
   if (!tokenData) return;
   try {
     const tokenToRevoke = tokenData.refreshToken ?? tokenData.accessToken;
@@ -4996,8 +6317,8 @@ async function revokeGoogleDriveToken(apiClient) {
     clearTokenData(PROVIDER2);
   }
 }
-async function getGoogleDriveAccessToken(apiClient) {
-  const storedData = getStoredTokenData(PROVIDER2);
+async function getGoogleDriveAccessToken(apiClient, walletAddress) {
+  const storedData = walletAddress ? await getStoredTokenData(PROVIDER2, walletAddress) : getStoredTokenDataSync(PROVIDER2);
   if (!storedData) {
     return null;
   }
@@ -5005,7 +6326,7 @@ async function getGoogleDriveAccessToken(apiClient) {
     return storedData.accessToken;
   }
   if (storedData.refreshToken) {
-    const refreshedToken = await refreshGoogleDriveToken(apiClient);
+    const refreshedToken = await refreshGoogleDriveToken(apiClient, walletAddress);
     if (refreshedToken) {
       return refreshedToken;
     }
@@ -5034,14 +6355,13 @@ async function startGoogleDriveAuth(clientId, callbackPath) {
   });
 }
 function getGoogleDriveStoredToken() {
-  return getValidAccessToken(PROVIDER2);
+  return getValidAccessTokenSync(PROVIDER2);
 }
 function clearGoogleDriveToken() {
   clearTokenData(PROVIDER2);
 }
 function hasGoogleDriveCredentials() {
-  const data = getStoredTokenData(PROVIDER2);
-  return !!(data?.accessToken || data?.refreshToken);
+  return hasStoredCredentialsSync(PROVIDER2);
 }
 
 // src/react/useGoogleDriveAuth.ts
@@ -6588,6 +7908,7 @@ function useBackup(options) {
   BackupAuthProvider,
   ChatConversation,
   ChatMessage,
+  DECRYPTION_FAILED_PLACEHOLDER,
   DEFAULT_BACKUP_FOLDER,
   DEFAULT_DRIVE_CONVERSATIONS_FOLDER,
   DEFAULT_DRIVE_ROOT_FOLDER,
@@ -6601,26 +7922,41 @@ function useBackup(options) {
   chatStorageMigrations,
   chatStorageSchema,
   clearAllEncryptionKeys,
+  clearAllKeyPairs,
   clearDropboxToken,
   clearEncryptionKey,
   clearGoogleDriveToken,
   clearICloudAuth,
+  clearKeyPair,
   createMemoryContextSystemMessage,
   decryptData,
   decryptDataBytes,
+  decryptField,
+  decryptMemoriesBatch,
+  decryptMemoryFields,
   encryptData,
+  encryptField,
+  encryptMemoriesBatch,
+  encryptMemoriesBatchInPlace,
+  encryptMemoryFields,
+  exportPublicKey,
   extractConversationContext,
   formatMemoriesForChat,
   generateCompositeKey,
   generateConversationId,
   generateUniqueKey,
+  getEncryptionVersion,
   getGoogleDriveStoredToken,
   hasDropboxCredentials,
+  hasEncryptedFields,
   hasEncryptionKey,
   hasGoogleDriveCredentials,
   hasICloudCredentials,
+  hasKeyPair,
   memoryStorageSchema,
+  needsEncryption,
   requestEncryptionKey,
+  requestKeyPair,
   sdkMigrations,
   sdkModelClasses,
   sdkSchema,