@reverbia/sdk 1.0.0-next.20251229084841 → 1.1.0-next.20251230221037

package/dist/react/index.mjs

@@ -1,13 +1,32 @@
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __decorateClass = (decorators, target, key, kind) => {
-  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
-  for (var i = decorators.length - 1, decorator; i >= 0; i--)
-    if (decorator = decorators[i])
-      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
-  if (kind && result) __defProp(target, key, result);
-  return result;
-};
+import {
+  clearTokenData,
+  getRefreshToken,
+  getRefreshTokenSync,
+  getStoredTokenData,
+  getStoredTokenDataSync,
+  getValidAccessToken,
+  getValidAccessTokenSync,
+  hasStoredCredentialsSync,
+  isTokenExpired,
+  storeTokenData,
+  tokenResponseToStoredData
+} from "./chunk-KUFGQF6E.mjs";
+import {
+  __decorateClass,
+  clearAllEncryptionKeys,
+  clearAllKeyPairs,
+  clearEncryptionKey,
+  clearKeyPair,
+  decryptData,
+  decryptDataBytes,
+  encryptData,
+  exportPublicKey,
+  hasEncryptionKey,
+  hasKeyPair,
+  requestEncryptionKey,
+  requestKeyPair,
+  useEncryption
+} from "./chunk-T56Y62G7.mjs";
 
 // src/react/useChat.ts
 import { useCallback, useEffect, useRef, useState } from "react";
@@ -1229,123 +1248,6 @@ function useChat(options) {
   };
 }
 
-// src/react/useEncryption.ts
-var SIGN_MESSAGE = "The app is asking you to sign this message to generate a key, which will be used to encrypt data.";
-var encryptionKeyStore = /* @__PURE__ */ new Map();
-function getStoredKey(address) {
-  return encryptionKeyStore.get(address) ?? null;
-}
-function setStoredKey(address, keyHex) {
-  encryptionKeyStore.set(address, keyHex);
-}
-function clearEncryptionKey(address) {
-  encryptionKeyStore.delete(address);
-}
-function clearAllEncryptionKeys() {
-  encryptionKeyStore.clear();
-}
-function hexToBytes(hex) {
-  const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
-  const bytes = new Uint8Array(cleanHex.length / 2);
-  for (let i = 0; i < cleanHex.length; i += 2) {
-    bytes[i / 2] = parseInt(cleanHex.slice(i, i + 2), 16);
-  }
-  return bytes;
-}
-function bytesToHex(bytes) {
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function deriveKeyFromSignature(signature) {
-  const sigBytes = hexToBytes(signature);
-  const hashBuffer = await crypto.subtle.digest(
-    "SHA-256",
-    sigBytes.buffer
-  );
-  const hashBytes = new Uint8Array(hashBuffer);
-  return bytesToHex(hashBytes);
-}
-async function getEncryptionKey(address) {
-  const keyHex = getStoredKey(address);
-  if (!keyHex) {
-    throw new Error(
-      "Encryption key not found. Please sign a message to generate your encryption key."
-    );
-  }
-  const keyBytes = hexToBytes(keyHex);
-  return crypto.subtle.importKey(
-    "raw",
-    keyBytes.buffer,
-    { name: "AES-GCM" },
-    false,
-    ["encrypt", "decrypt"]
-  );
-}
-async function encryptData(plaintext, address) {
-  const key = await getEncryptionKey(address);
-  const plaintextBytes = typeof plaintext === "string" ? new TextEncoder().encode(plaintext) : plaintext;
-  const iv = crypto.getRandomValues(new Uint8Array(12));
-  const encryptedData = await crypto.subtle.encrypt(
-    {
-      name: "AES-GCM",
-      iv
-    },
-    key,
-    plaintextBytes.buffer
-  );
-  const encryptedBytes = new Uint8Array(encryptedData);
-  const combined = new Uint8Array(iv.length + encryptedBytes.length);
-  combined.set(iv, 0);
-  combined.set(encryptedBytes, iv.length);
-  return bytesToHex(combined);
-}
-async function decryptData(encryptedHex, address) {
-  const key = await getEncryptionKey(address);
-  const combined = hexToBytes(encryptedHex);
-  const iv = combined.slice(0, 12);
-  const encryptedData = combined.slice(12);
-  const decryptedData = await crypto.subtle.decrypt(
-    {
-      name: "AES-GCM",
-      iv
-    },
-    key,
-    encryptedData
-  );
-  return new TextDecoder().decode(decryptedData);
-}
-async function decryptDataBytes(encryptedHex, address) {
-  const key = await getEncryptionKey(address);
-  const combined = hexToBytes(encryptedHex);
-  const iv = combined.slice(0, 12);
-  const encryptedData = combined.slice(12);
-  const decryptedData = await crypto.subtle.decrypt(
-    {
-      name: "AES-GCM",
-      iv
-    },
-    key,
-    encryptedData
-  );
-  return new Uint8Array(decryptedData);
-}
-function hasEncryptionKey(address) {
-  return getStoredKey(address) !== null;
-}
-async function requestEncryptionKey(walletAddress, signMessage) {
-  const existingKey = getStoredKey(walletAddress);
-  if (existingKey) {
-    return;
-  }
-  const signature = await signMessage(SIGN_MESSAGE);
-  const encryptionKey = await deriveKeyFromSignature(signature);
-  setStoredKey(walletAddress, encryptionKey);
-}
-function useEncryption(signMessage) {
-  return {
-    requestEncryptionKey: (walletAddress) => requestEncryptionKey(walletAddress, signMessage)
-  };
-}
-
 // src/react/useChatStorage.ts
 import { useCallback as useCallback2, useState as useState2, useMemo } from "react";
 
@@ -2420,7 +2322,7 @@ var sdkModelClasses = [
 ];
 
 // src/react/useMemoryStorage.ts
-import { useCallback as useCallback3, useState as useState3, useMemo as useMemo2, useRef as useRef2 } from "react";
+import { useCallback as useCallback3, useState as useState3, useMemo as useMemo2, useRef as useRef2, useEffect as useEffect2 } from "react";
 import { postApiV1ChatCompletions } from "@reverbia/sdk";
 
 // src/lib/db/memory/schema.ts
@@ -2528,6 +2430,24 @@ async function getMemoriesByKeyOp(ctx, namespace, key) {
   return results.map(memoryToStored);
 }
 async function saveMemoryOp(ctx, opts) {
+  if (!opts.namespace || typeof opts.namespace !== "string") {
+    throw new Error("Namespace is required and must be a string");
+  }
+  if (!opts.key || typeof opts.key !== "string") {
+    throw new Error("Key is required and must be a string");
+  }
+  if (!opts.value || typeof opts.value !== "string") {
+    throw new Error("Value is required and must be a string");
+  }
+  if (!opts.type || typeof opts.type !== "string") {
+    throw new Error("Type is required and must be a string");
+  }
+  if (typeof opts.confidence !== "number" || opts.confidence < 0 || opts.confidence > 1) {
+    throw new Error("Confidence must be a number between 0 and 1");
+  }
+  if (typeof opts.pii !== "boolean") {
+    throw new Error("PII must be a boolean");
+  }
   const compositeKey = generateCompositeKey(opts.namespace, opts.key);
   const uniqueKey = generateUniqueKey(opts.namespace, opts.key, opts.value);
   const result = await ctx.database.write(async () => {
@@ -2962,6 +2882,275 @@ var generateEmbeddingForMemory = async (memory, options = {}) => {
   return generateEmbeddingForText(text4, options);
 };
 
+// src/lib/db/migration.ts
+var ENCRYPTION_PREFIX_V1 = "enc:v1:";
+var ENCRYPTION_PREFIX_V2 = "enc:v2:";
+var ENCRYPTION_PREFIX_LEGACY = "enc:";
+function getEncryptionVersion(value) {
+  if (value.startsWith(ENCRYPTION_PREFIX_V2)) return "v2";
+  if (value.startsWith(ENCRYPTION_PREFIX_V1)) return "v1";
+  if (value.startsWith(ENCRYPTION_PREFIX_LEGACY)) return "v1";
+  return null;
+}
+function isOldEncryption(value) {
+  const version2 = getEncryptionVersion(value);
+  return version2 === "v1";
+}
+async function encryptNewValue(plaintext, walletAddress) {
+  if (!hasEncryptionKey(walletAddress)) {
+    throw new Error("Encryption key not available for new scheme");
+  }
+  const encrypted = await encryptData(plaintext, walletAddress);
+  return `enc:v2:${encrypted}`;
+}
+async function migrateEncryptedValue(encryptedValue, walletAddress, signMessage) {
+  if (getEncryptionVersion(encryptedValue) === "v2") {
+    return encryptedValue;
+  }
+  if (!getEncryptionVersion(encryptedValue)) {
+    return encryptedValue;
+  }
+  if (!hasEncryptionKey(walletAddress)) {
+    const { requestEncryptionKey: requestEncryptionKey2 } = await import("./useEncryption-5RTXKDNZ.mjs");
+    await requestEncryptionKey2(walletAddress, signMessage);
+    if (!hasEncryptionKey(walletAddress)) {
+      throw new Error("Encryption key not available after signing");
+    }
+  }
+  let encryptedPayload;
+  if (encryptedValue.startsWith(ENCRYPTION_PREFIX_V1)) {
+    encryptedPayload = encryptedValue.slice(ENCRYPTION_PREFIX_V1.length);
+  } else if (encryptedValue.startsWith(ENCRYPTION_PREFIX_LEGACY)) {
+    encryptedPayload = encryptedValue.slice(ENCRYPTION_PREFIX_LEGACY.length);
+  } else {
+    throw new Error("Invalid old encryption format");
+  }
+  const plaintext = await decryptData(encryptedPayload, walletAddress);
+  return await encryptNewValue(plaintext, walletAddress);
+}
+
+// src/lib/db/memory/encryption.ts
+var ENCRYPTED_FIELDS = ["value", "rawEvidence", "key", "namespace"];
+var ENCRYPTION_PREFIX_V12 = "enc:v1:";
+var ENCRYPTION_PREFIX_V22 = "enc:v2:";
+var ENCRYPTION_PREFIX_LEGACY2 = "enc:";
+var CURRENT_ENCRYPTION_VERSION = "v2";
+var ENCRYPTION_PREFIX = `enc:${CURRENT_ENCRYPTION_VERSION}:`;
+var MAX_FIELD_SIZE = 1024 * 1024;
+function isEncrypted(value) {
+  return value.startsWith(ENCRYPTION_PREFIX) || value.startsWith(ENCRYPTION_PREFIX_V12) || value.startsWith(ENCRYPTION_PREFIX_LEGACY2);
+}
+function getEncryptionVersion2(value) {
+  if (value.startsWith(ENCRYPTION_PREFIX_V22)) return "v2";
+  if (value.startsWith(ENCRYPTION_PREFIX_V12)) return "v1";
+  if (value.startsWith(ENCRYPTION_PREFIX_LEGACY2)) return "v1";
+  return null;
+}
+async function encryptField(value, address) {
+  if (!value || isEncrypted(value)) {
+    return value;
+  }
+  if (value.length > MAX_FIELD_SIZE) {
+    throw new Error(
+      `Field value too large: ${value.length} bytes (max: ${MAX_FIELD_SIZE} bytes)`
+    );
+  }
+  try {
+    const encrypted = await encryptData(value, address);
+    return `${ENCRYPTION_PREFIX}${encrypted}`;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown encryption error";
+    throw new Error(`Encryption failed: ${message}`);
+  }
+}
+var DECRYPTION_FAILED_PLACEHOLDER = "[Decryption Failed]";
+async function decryptField(value, address, signMessage, onMigrated) {
+  if (!value || !isEncrypted(value)) {
+    return value;
+  }
+  try {
+    if (isOldEncryption(value) && signMessage && onMigrated) {
+      try {
+        const migratedValue = await migrateEncryptedValue(value, address, signMessage);
+        await onMigrated(migratedValue);
+        const encryptedPayload2 = migratedValue.slice(ENCRYPTION_PREFIX_V22.length);
+        return await decryptData(encryptedPayload2, address);
+      } catch (migrationError) {
+        const errorMessage = migrationError instanceof Error ? migrationError.message : "Unknown migration error";
+        console.warn("Migration failed, attempting decryption with current key:", {
+          error: errorMessage,
+          address
+        });
+      }
+    }
+    let encryptedPayload;
+    if (value.startsWith(ENCRYPTION_PREFIX_V22)) {
+      encryptedPayload = value.slice(ENCRYPTION_PREFIX_V22.length);
+    } else if (value.startsWith(ENCRYPTION_PREFIX_V12)) {
+      encryptedPayload = value.slice(ENCRYPTION_PREFIX_V12.length);
+    } else if (value.startsWith(ENCRYPTION_PREFIX_LEGACY2)) {
+      encryptedPayload = value.slice(ENCRYPTION_PREFIX_LEGACY2.length);
+    } else {
+      return value;
+    }
+    return await decryptData(encryptedPayload, address);
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown decryption error";
+    console.error("Decryption failed for field:", {
+      address,
+      valueLength: value.length,
+      error: errorMessage
+    });
+    throw new Error(`Decryption failed: ${errorMessage}`);
+  }
+}
+async function encryptMemoryFields(memory, address) {
+  const encrypted = { ...memory };
+  const encryptionPromises = ENCRYPTED_FIELDS.map(async (field3) => {
+    const value = memory[field3];
+    if (typeof value === "string" && value.length > 0) {
+      try {
+        encrypted[field3] = await encryptField(value, address);
+      } catch (error) {
+        throw new Error(`Failed to encrypt field ${field3}: ${error instanceof Error ? error.message : "Unknown error"}`);
+      }
+    }
+  });
+  const results = await Promise.allSettled(encryptionPromises);
+  const failures = results.filter((r) => r.status === "rejected");
+  if (failures.length > 0) {
+    const errorMessages = failures.map(
+      (f) => f.status === "rejected" ? f.reason instanceof Error ? f.reason.message : String(f.reason) : ""
+    ).join("; ");
+    throw new Error(`Encryption failed for ${failures.length} field(s): ${errorMessages}`);
+  }
+  return encrypted;
+}
+async function decryptMemoryFields(memory, address, signMessage, updateMemory) {
+  const decrypted = { ...memory };
+  const decryptionPromises = ENCRYPTED_FIELDS.map(async (field3) => {
+    const value = memory[field3];
+    if (typeof value === "string" && value.length > 0) {
+      if (!isEncrypted(value)) {
+        if (updateMemory && memory.uniqueId) {
+          try {
+            const encryptedValue = await encryptField(value, address);
+            await updateMemory(memory.uniqueId, {
+              [field3]: encryptedValue
+            });
+            decrypted[field3] = value;
+          } catch (error) {
+            if (process.env.NODE_ENV === "development") {
+              console.warn(`Failed to encrypt field ${field3}:`, error);
+            }
+            decrypted[field3] = value;
+          }
+        } else {
+          decrypted[field3] = value;
+        }
+      } else {
+        const onMigrated = updateMemory && memory.uniqueId ? async (migratedValue) => {
+          await updateMemory(memory.uniqueId, {
+            [field3]: migratedValue
+          });
+        } : void 0;
+        decrypted[field3] = await decryptField(value, address, signMessage, onMigrated);
+      }
+    }
+  });
+  await Promise.all(decryptionPromises);
+  return decrypted;
+}
+async function encryptMemoriesBatch(memories, address) {
+  return Promise.all(
+    memories.map((memory) => encryptMemoryFields(memory, address))
+  );
+}
+async function decryptMemoriesBatch(memories, address, signMessage, updateMemory) {
+  return Promise.all(
+    memories.map(
+      (memory) => decryptMemoryFields(memory, address, signMessage, updateMemory)
+    )
+  );
+}
+function hasEncryptedFields(memory) {
+  return ENCRYPTED_FIELDS.some((field3) => {
+    const value = memory[field3];
+    return typeof value === "string" && isEncrypted(value);
+  });
+}
+function needsEncryption(memory) {
+  return ENCRYPTED_FIELDS.some((field3) => {
+    const value = memory[field3];
+    return typeof value === "string" && value.length > 0 && !isEncrypted(value);
+  });
+}
+function extractMemoryFieldsForEncryption(memory) {
+  return {
+    type: memory.type,
+    namespace: memory.namespace,
+    key: memory.key,
+    value: memory.value,
+    rawEvidence: memory.rawEvidence,
+    confidence: memory.confidence,
+    pii: memory.pii
+  };
+}
+async function retryEncryption(operation, maxRetries = 3, initialDelay = 500) {
+  let lastError;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await operation();
+    } catch (error) {
+      lastError = error;
+      if (attempt === maxRetries) {
+        throw lastError;
+      }
+      const delay = initialDelay * Math.pow(2, attempt);
+      await new Promise((resolve) => setTimeout(resolve, delay));
+    }
+  }
+  throw lastError;
+}
+async function encryptMemoriesBatchInPlace(memories, address, updateFn, batchSize = 5) {
+  const failed = [];
+  const errors = [];
+  let success = 0;
+  for (let i = 0; i < memories.length; i += batchSize) {
+    const batch = memories.slice(i, i + batchSize);
+    const results = await Promise.allSettled(
+      batch.map(async (memory) => {
+        await retryEncryption(async () => {
+          const fields = extractMemoryFieldsForEncryption(memory);
+          const encryptedData = await encryptMemoryFields(fields, address);
+          await updateFn(memory.uniqueId, encryptedData);
+        });
+      })
+    );
+    results.forEach((result, index) => {
+      if (result.status === "fulfilled") {
+        success++;
+      } else {
+        const memory = batch[index];
+        if (memory) {
+          failed.push(memory.uniqueId);
+          const errorMessage = result.reason instanceof Error ? result.reason.message : String(result.reason);
+          errors.push({
+            id: memory.uniqueId,
+            error: errorMessage
+          });
+          console.error(
+            "Failed to encrypt memory:",
+            memory.uniqueId,
+            errorMessage
+          );
+        }
+      }
+    });
+  }
+  return { success, failed, errors };
+}
+
 // src/react/useMemoryStorage.ts
 function useMemoryStorage(options) {
   const {
@@ -2971,7 +3160,10 @@ function useMemoryStorage(options) {
     generateEmbeddings = true,
     onFactsExtracted,
     getToken,
-    baseUrl = BASE_URL
+    baseUrl = BASE_URL,
+    walletAddress,
+    requestEncryptionKey: requestEncryptionKey2,
+    signMessage
   } = options;
   const embeddingModel = userEmbeddingModel === void 0 ? DEFAULT_API_EMBEDDING_MODEL : userEmbeddingModel;
   const [memories, setMemories] = useState3([]);
@@ -2999,10 +3191,127 @@ function useMemoryStorage(options) {
     }),
     [effectiveEmbeddingModel, getToken, baseUrl]
   );
+  const isEncryptionEnabled = useMemo2(
+    () => !!walletAddress && !!requestEncryptionKey2,
+    [walletAddress, requestEncryptionKey2]
+  );
+  const ensureEncryptionReady = useCallback3(async () => {
+    if (!isEncryptionEnabled || !walletAddress) {
+      return null;
+    }
+    if (hasEncryptionKey(walletAddress)) {
+      return walletAddress;
+    }
+    if (requestEncryptionKey2) {
+      try {
+        await requestEncryptionKey2(walletAddress);
+        return walletAddress;
+      } catch {
+        return null;
+      }
+    }
+    return null;
+  }, [isEncryptionEnabled, walletAddress, requestEncryptionKey2]);
+  const getSignMessageForMigration = useCallback3(() => {
+    return signMessage;
+  }, [signMessage]);
+  const encryptUnencryptedMemories = useCallback3(
+    async (address) => {
+      if (!isEncryptionEnabled) return;
+      try {
+        const allMemories = await getAllMemoriesOp(storageCtx);
+        if (!allMemories || allMemories.length === 0) return;
+        const memoriesToEncrypt = allMemories.filter(
+          (m) => needsEncryption(m)
+        );
+        if (memoriesToEncrypt.length === 0) return;
+        await encryptMemoriesBatchInPlace(
+          memoriesToEncrypt,
+          address,
+          async (id, data) => {
+            const result = await updateMemoryOp(storageCtx, id, data);
+            if (!result.ok) {
+              throw new Error(`Failed to update memory ${id}`);
+            }
+          }
+        );
+      } catch (error) {
+        if (process.env.NODE_ENV === "development") {
+          console.error("Failed to encrypt unencrypted memories:", error);
+        }
+      }
+    },
+    [isEncryptionEnabled, storageCtx]
+  );
+  const encryptionLockRef = useRef2(null);
+  const autoEncryptionRunRef = useRef2(false);
+  useEffect2(() => {
+    if (!isEncryptionEnabled || !walletAddress) {
+      autoEncryptionRunRef.current = false;
+      encryptionLockRef.current = null;
+      return;
+    }
+    if (encryptionLockRef.current) {
+      encryptionLockRef.current.then(() => {
+        if (isEncryptionEnabled && walletAddress && !autoEncryptionRunRef.current) {
+          ensureEncryptionReady().then((address) => {
+            if (address) {
+              autoEncryptionRunRef.current = true;
+              const encryptionPromise2 = encryptUnencryptedMemories(address).catch((err) => {
+                if (process.env.NODE_ENV === "development") {
+                  console.error("Failed to automatically encrypt memories:", err);
+                }
+              }).finally(() => {
+                encryptionLockRef.current = null;
+              });
+              encryptionLockRef.current = encryptionPromise2;
+            }
+          });
+        }
+      });
+      return;
+    }
+    if (autoEncryptionRunRef.current) {
+      return;
+    }
+    autoEncryptionRunRef.current = true;
+    const encryptionPromise = ensureEncryptionReady().then((address) => {
+      if (address) {
+        return encryptUnencryptedMemories(address);
+      }
+    }).catch((err) => {
+      if (process.env.NODE_ENV === "development") {
+        console.error("Failed to automatically encrypt memories:", err);
+      }
+    }).finally(() => {
+      encryptionLockRef.current = null;
+    });
+    encryptionLockRef.current = encryptionPromise;
+  }, [isEncryptionEnabled, walletAddress, ensureEncryptionReady, encryptUnencryptedMemories]);
   const refreshMemories = useCallback3(async () => {
     const storedMemories = await getAllMemoriesOp(storageCtx);
+    if (isEncryptionEnabled && walletAddress) {
+      const address = await ensureEncryptionReady();
+      if (address) {
+        const signMsg = getSignMessageForMigration();
+        const updateMemoryFn = async (id, data) => {
+          const result = await updateMemoryOp(storageCtx, id, data);
+          if (!result.ok) {
+            throw new Error(`Failed to update memory ${id} during migration`);
+          }
+        };
+        const decrypted = await decryptMemoriesBatch(
+          storedMemories,
+          address,
+          signMsg,
+          updateMemoryFn
+        );
+        setMemories(decrypted);
+        return;
+      }
+    }
     setMemories(storedMemories);
-  }, [storageCtx]);
+  }, [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]);
   const extractMemoriesFromMessage = useCallback3(
     async (opts) => {
       const { messages, model } = opts;
@@ -3136,21 +3445,38 @@ function useMemoryStorage(options) {
                 pii: item.pii
               })
             );
-            const savedMemories = await saveMemoriesOp(storageCtx, createOptions);
+            let optionsToSave = createOptions;
+            if (isEncryptionEnabled && walletAddress) {
+              const address = await ensureEncryptionReady();
+              if (address) {
+                optionsToSave = await Promise.all(
+                  createOptions.map(async (opt) => {
+                    const encrypted = await encryptMemoryFields(
+                      opt,
+                      address
+                    );
+                    return encrypted;
+                  })
+                );
+              }
+            }
+            const savedMemories = await saveMemoriesOp(storageCtx, optionsToSave);
             console.log(
               `Saved ${savedMemories.length} memories to WatermelonDB`
             );
             if (generateEmbeddings && embeddingModel) {
               try {
-                for (const saved of savedMemories) {
+                for (let i = 0; i < savedMemories.length; i++) {
+                  const memory = createOptions[i];
+                  const saved = savedMemories[i];
                   const memoryItem = {
-                    type: saved.type,
-                    namespace: saved.namespace,
-                    key: saved.key,
-                    value: saved.value,
-                    rawEvidence: saved.rawEvidence,
-                    confidence: saved.confidence,
-                    pii: saved.pii
+                    type: memory.type,
+                    namespace: memory.namespace,
+                    key: memory.key,
+                    value: memory.value,
+                    rawEvidence: memory.rawEvidence,
+                    confidence: memory.confidence,
+                    pii: memory.pii
                   };
                   const embedding = await generateEmbeddingForMemory(
                     memoryItem,
@@ -3171,6 +3497,19 @@ function useMemoryStorage(options) {
               }
             }
             await refreshMemories();
+            if (isEncryptionEnabled && walletAddress && !encryptionLockRef.current) {
+              const address = await ensureEncryptionReady();
+              if (address) {
+                const encryptionPromise = encryptUnencryptedMemories(address).catch((err) => {
+                  if (process.env.NODE_ENV === "development") {
+                    console.error("Failed to encrypt memories:", err);
+                  }
+                }).finally(() => {
+                  encryptionLockRef.current = null;
+                });
+                encryptionLockRef.current = encryptionPromise;
+              }
+            }
           } catch (error) {
             console.error("Failed to save memories to WatermelonDB:", error);
           }
@@ -3195,7 +3534,11 @@ function useMemoryStorage(options) {
       onFactsExtracted,
       baseUrl,
       storageCtx,
-      refreshMemories
+      refreshMemories,
+      isEncryptionEnabled,
+      walletAddress,
+      ensureEncryptionReady,
+      encryptUnencryptedMemories
     ]
   );
   const searchMemories = useCallback3(
@@ -3215,6 +3558,25 @@ function useMemoryStorage(options) {
           limit,
           minSimilarity
         );
+        if (isEncryptionEnabled && walletAddress && results.length > 0) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            const decrypted = await decryptMemoriesBatch(
+              results,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+            return decrypted;
+          }
+        }
         if (results.length === 0) {
           console.warn(
             `[Memory Search] No memories found above similarity threshold ${minSimilarity}.`
@@ -3229,31 +3591,71 @@ function useMemoryStorage(options) {
         return [];
       }
     },
-    [embeddingModel, embeddingOptions, storageCtx]
+    [embeddingModel, embeddingOptions, storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const fetchAllMemories = useCallback3(async () => {
     try {
-      return await getAllMemoriesOp(storageCtx);
+      const memories2 = await getAllMemoriesOp(storageCtx);
+      if (isEncryptionEnabled && walletAddress && memories2.length > 0) {
+        const address = await ensureEncryptionReady();
+        if (address) {
+          const signMsg = getSignMessageForMigration();
+          const updateMemoryFn = async (id, data) => {
+            const result = await updateMemoryOp(storageCtx, id, data);
+            if (!result.ok) {
+              throw new Error(`Failed to update memory ${id} during migration`);
+            }
+          };
+          const decrypted = await decryptMemoriesBatch(
+            memories2,
+            address,
+            signMsg,
+            updateMemoryFn
+          );
+          return decrypted;
+        }
+      }
+      return memories2;
     } catch (error) {
       throw new Error(
         "Failed to fetch all memories: " + (error instanceof Error ? error.message : String(error))
       );
     }
-  }, [storageCtx]);
+  }, [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]);
   const fetchMemoriesByNamespace = useCallback3(
     async (namespace) => {
       if (!namespace) {
         throw new Error("Missing required field: namespace");
       }
       try {
-        return await getMemoriesByNamespaceOp(storageCtx, namespace);
+        const memories2 = await getMemoriesByNamespaceOp(storageCtx, namespace);
+        if (isEncryptionEnabled && walletAddress && memories2.length > 0) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            const decrypted = await decryptMemoriesBatch(
+              memories2,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+            return decrypted;
+          }
+        }
+        return memories2;
       } catch (error) {
         throw new Error(
           `Failed to fetch memories for namespace "${namespace}": ` + (error instanceof Error ? error.message : String(error))
         );
       }
     },
-    [storageCtx]
+    [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const fetchMemoriesByKey = useCallback3(
     async (namespace, key) => {
@@ -3261,31 +3663,82 @@ function useMemoryStorage(options) {
         throw new Error("Missing required fields: namespace, key");
       }
       try {
-        return await getMemoriesByKeyOp(storageCtx, namespace, key);
+        const memories2 = await getMemoriesByKeyOp(storageCtx, namespace, key);
+        if (isEncryptionEnabled && walletAddress && memories2.length > 0) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            const decrypted = await decryptMemoriesBatch(
+              memories2,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+            return decrypted;
+          }
+        }
+        return memories2;
       } catch (error) {
         throw new Error(
           `Failed to fetch memories for "${namespace}:${key}": ` + (error instanceof Error ? error.message : String(error))
         );
       }
     },
-    [storageCtx]
+    [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const getMemoryById = useCallback3(
     async (id) => {
       try {
-        return await getMemoryByIdOp(storageCtx, id);
+        const memory = await getMemoryByIdOp(storageCtx, id);
+        if (!memory) return null;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id2, data) => {
+              const result = await updateMemoryOp(storageCtx, id2, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id2} during migration`);
+              }
+            };
+            const decrypted = await decryptMemoryFields(
+              memory,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+            return decrypted;
+          }
+        }
+        return memory;
       } catch (error) {
         throw new Error(
           `Failed to get memory ${id}: ` + (error instanceof Error ? error.message : String(error))
         );
       }
     },
-    [storageCtx]
+    [storageCtx, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const saveMemory = useCallback3(
     async (memory) => {
       try {
-        const saved = await saveMemoryOp(storageCtx, memory);
+        let memoryToSave = memory;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            memoryToSave = await encryptMemoryFields(
+              memory,
+              address
+            );
+          }
+        }
+        const saved = await saveMemoryOp(storageCtx, memoryToSave);
         if (generateEmbeddings && embeddingModel && !memory.embedding) {
           try {
             const memoryItem = {
@@ -3311,26 +3764,60 @@ function useMemoryStorage(options) {
             console.error("Failed to generate embedding:", error);
           }
         }
+        let savedForState = saved;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            savedForState = await decryptMemoryFields(
+              saved,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+          }
+        }
         setMemories((prev) => {
-          const existing = prev.find((m) => m.uniqueId === saved.uniqueId);
+          const existing = prev.find((m) => m.uniqueId === savedForState.uniqueId);
           if (existing) {
-            return prev.map((m) => m.uniqueId === saved.uniqueId ? saved : m);
+            return prev.map((m) => m.uniqueId === savedForState.uniqueId ? savedForState : m);
           }
-          return [saved, ...prev];
+          return [savedForState, ...prev];
         });
-        return saved;
+        return savedForState;
       } catch (error) {
         throw new Error(
           "Failed to save memory: " + (error instanceof Error ? error.message : String(error))
         );
       }
     },
-    [storageCtx, generateEmbeddings, embeddingModel, embeddingOptions]
+    [storageCtx, generateEmbeddings, embeddingModel, embeddingOptions, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const saveMemories = useCallback3(
     async (memoriesToSave) => {
       try {
-        const saved = await saveMemoriesOp(storageCtx, memoriesToSave);
+        let optionsToSave = memoriesToSave;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            optionsToSave = await Promise.all(
+              memoriesToSave.map(async (opt) => {
+                const encrypted = await encryptMemoryFields(
+                  opt,
+                  address
+                );
+                return encrypted;
+              })
+            );
+          }
+        }
+        const saved = await saveMemoriesOp(storageCtx, optionsToSave);
         if (generateEmbeddings && embeddingModel) {
           for (let i = 0; i < saved.length; i++) {
             const memory = memoriesToSave[i];
@@ -3361,8 +3848,27 @@ function useMemoryStorage(options) {
             }
           }
         }
+        let savedForReturn = saved;
+        if (isEncryptionEnabled && walletAddress) {
+          const address = await ensureEncryptionReady();
+          if (address) {
+            const signMsg = getSignMessageForMigration();
+            const updateMemoryFn = async (id, data) => {
+              const result = await updateMemoryOp(storageCtx, id, data);
+              if (!result.ok) {
+                throw new Error(`Failed to update memory ${id} during migration`);
+              }
+            };
+            savedForReturn = await decryptMemoriesBatch(
+              saved,
+              address,
+              signMsg,
+              updateMemoryFn
+            );
+          }
+        }
         await refreshMemories();
-        return saved;
+        return savedForReturn;
       } catch (error) {
         throw new Error(
           "Failed to save memories: " + (error instanceof Error ? error.message : String(error))
@@ -3374,12 +3880,56 @@ function useMemoryStorage(options) {
       generateEmbeddings,
       embeddingModel,
       embeddingOptions,
-      refreshMemories
+      refreshMemories,
+      isEncryptionEnabled,
+      walletAddress,
+      ensureEncryptionReady,
+      getSignMessageForMigration
     ]
   );
   const updateMemory = useCallback3(
     async (id, updates) => {
-      const result = await updateMemoryOp(storageCtx, id, updates);
+      let updatesToSave = updates;
+      if (isEncryptionEnabled && walletAddress) {
+        const address = await ensureEncryptionReady();
+        if (address) {
+          try {
+            const fieldsToEncrypt = {};
+            if (updates.value !== void 0) {
+              fieldsToEncrypt.value = updates.value;
+            }
+            if (updates.rawEvidence !== void 0) {
+              fieldsToEncrypt.rawEvidence = updates.rawEvidence;
+            }
+            if (updates.key !== void 0) {
+              fieldsToEncrypt.key = updates.key;
+            }
+            if (updates.namespace !== void 0) {
+              fieldsToEncrypt.namespace = updates.namespace;
+            }
+            const encrypted = await encryptMemoryFields(fieldsToEncrypt, address);
+            const encryptedUpdates = { ...updates };
+            if (updates.value !== void 0) {
+              encryptedUpdates.value = encrypted.value;
+            }
+            if (updates.rawEvidence !== void 0) {
+              encryptedUpdates.rawEvidence = encrypted.rawEvidence;
+            }
+            if (updates.key !== void 0) {
+              encryptedUpdates.key = encrypted.key;
+            }
+            if (updates.namespace !== void 0) {
+              encryptedUpdates.namespace = encrypted.namespace;
+            }
+            updatesToSave = encryptedUpdates;
+          } catch (error) {
+            throw new Error(
+              `Failed to encrypt memory fields: ${error instanceof Error ? error.message : "Unknown error"}`
+            );
+          }
+        }
+      }
+      const result = await updateMemoryOp(storageCtx, id, updatesToSave);
       if (!result.ok) {
         if (result.reason === "not_found") {
           return null;
@@ -3393,7 +3943,25 @@ function useMemoryStorage(options) {
           `Failed to update memory ${id}: ${result.error.message}`
         );
       }
-      const updated = result.memory;
+      let updated = result.memory;
+      if (isEncryptionEnabled && walletAddress) {
+        const address = await ensureEncryptionReady();
+        if (address) {
+          const signMsg = getSignMessageForMigration();
+          const updateMemoryFn = async (id2, data) => {
+            const result2 = await updateMemoryOp(storageCtx, id2, data);
+            if (!result2.ok) {
+              throw new Error(`Failed to update memory ${id2} during migration`);
+            }
+          };
+          updated = await decryptMemoryFields(
+            updated,
+            address,
+            signMsg,
+            updateMemoryFn
+          );
+        }
+      }
       const contentChanged = updates.value !== void 0 || updates.rawEvidence !== void 0 || updates.type !== void 0 || updates.namespace !== void 0 || updates.key !== void 0;
       if (contentChanged && generateEmbeddings && embeddingModel && !updates.embedding) {
         try {
@@ -3425,7 +3993,7 @@ function useMemoryStorage(options) {
       );
       return updated;
     },
-    [storageCtx, generateEmbeddings, embeddingModel, embeddingOptions]
+    [storageCtx, generateEmbeddings, embeddingModel, embeddingOptions, isEncryptionEnabled, walletAddress, ensureEncryptionReady, getSignMessageForMigration]
   );
   const removeMemory = useCallback3(
     async (namespace, key, value) => {
@@ -3510,7 +4078,7 @@ function useMemoryStorage(options) {
 }
 
 // src/react/useSettings.ts
-import { useCallback as useCallback4, useState as useState4, useMemo as useMemo3, useEffect as useEffect2 } from "react";
+import { useCallback as useCallback4, useState as useState4, useMemo as useMemo3, useEffect as useEffect3 } from "react";
 
 // src/lib/db/settings/schema.ts
 import { appSchema as appSchema4, tableSchema as tableSchema4 } from "@nozbe/watermelondb";
@@ -3632,7 +4200,7 @@ function useSettings(options) {
     },
     [storageCtx, walletAddress]
   );
-  useEffect2(() => {
+  useEffect3(() => {
     if (!walletAddress) {
       setModelPreferenceState(null);
       return;
@@ -3859,7 +4427,7 @@ ${text4}`;
 }
 
 // src/react/useModels.ts
-import { useCallback as useCallback7, useEffect as useEffect3, useRef as useRef3, useState as useState7 } from "react";
+import { useCallback as useCallback7, useEffect as useEffect4, useRef as useRef3, useState as useState7 } from "react";
 function useModels(options = {}) {
   const { getToken, baseUrl = BASE_URL, provider, autoFetch = true } = options;
   const [models, setModels] = useState7([]);
@@ -3869,12 +4437,12 @@ function useModels(options = {}) {
   const baseUrlRef = useRef3(baseUrl);
   const providerRef = useRef3(provider);
   const abortControllerRef = useRef3(null);
-  useEffect3(() => {
+  useEffect4(() => {
     getTokenRef.current = getToken;
     baseUrlRef.current = baseUrl;
     providerRef.current = provider;
   });
-  useEffect3(() => {
+  useEffect4(() => {
     return () => {
       if (abortControllerRef.current) {
         abortControllerRef.current.abort();
@@ -3945,7 +4513,7 @@ function useModels(options = {}) {
     await fetchModels();
   }, [fetchModels]);
   const hasFetchedRef = useRef3(false);
-  useEffect3(() => {
+  useEffect4(() => {
     if (autoFetch && !hasFetchedRef.current) {
       hasFetchedRef.current = true;
       fetchModels();
@@ -3963,7 +4531,7 @@ function useModels(options = {}) {
 }
 
 // src/react/useSearch.ts
-import { useCallback as useCallback8, useEffect as useEffect4, useRef as useRef4, useState as useState8 } from "react";
+import { useCallback as useCallback8, useEffect as useEffect5, useRef as useRef4, useState as useState8 } from "react";
 function useSearch(options = {}) {
   const { getToken, baseUrl = BASE_URL, onError } = options;
   const [isLoading, setIsLoading] = useState8(false);
@@ -3971,7 +4539,7 @@ function useSearch(options = {}) {
   const [response, setResponse] = useState8(null);
   const [error, setError] = useState8(null);
   const abortControllerRef = useRef4(null);
-  useEffect4(() => {
+  useEffect5(() => {
     return () => {
       if (abortControllerRef.current) {
         abortControllerRef.current.abort();
@@ -4047,12 +4615,12 @@ function useSearch(options = {}) {
 }
 
 // src/react/useImageGeneration.ts
-import { useCallback as useCallback9, useEffect as useEffect5, useRef as useRef5, useState as useState9 } from "react";
+import { useCallback as useCallback9, useEffect as useEffect6, useRef as useRef5, useState as useState9 } from "react";
 function useImageGeneration(options = {}) {
   const { getToken, baseUrl = BASE_URL, onFinish, onError } = options;
   const [isLoading, setIsLoading] = useState9(false);
   const abortControllerRef = useRef5(null);
-  useEffect5(() => {
+  useEffect6(() => {
     return () => {
       if (abortControllerRef.current) {
         abortControllerRef.current.abort();
@@ -4434,66 +5002,10 @@ import {
   createElement,
   useCallback as useCallback10,
   useContext,
-  useEffect as useEffect6,
+  useEffect as useEffect7,
   useState as useState10
 } from "react";
 
-// src/lib/backup/oauth/storage.ts
-var STORAGE_KEY_PREFIX = "oauth_token_";
-function getStorageKey(provider) {
-  return `${STORAGE_KEY_PREFIX}${provider}`;
-}
-function getStoredTokenData(provider) {
-  if (typeof window === "undefined") return null;
-  try {
-    const stored = localStorage.getItem(getStorageKey(provider));
-    if (!stored) return null;
-    const data = JSON.parse(stored);
-    if (!data.accessToken) return null;
-    return data;
-  } catch {
-    return null;
-  }
-}
-function storeTokenData(provider, data) {
-  if (typeof window === "undefined") return;
-  localStorage.setItem(getStorageKey(provider), JSON.stringify(data));
-}
-function clearTokenData(provider) {
-  if (typeof window === "undefined") return;
-  localStorage.removeItem(getStorageKey(provider));
-}
-function isTokenExpired(data, bufferSeconds = 60) {
-  if (!data) return true;
-  if (!data.expiresAt) return false;
-  const now = Date.now();
-  const bufferMs = bufferSeconds * 1e3;
-  return data.expiresAt - bufferMs <= now;
-}
-function getValidAccessToken(provider) {
-  const data = getStoredTokenData(provider);
-  if (!data) return null;
-  if (data.expiresAt && isTokenExpired(data)) {
-    return null;
-  }
-  return data.accessToken;
-}
-function getRefreshToken(provider) {
-  const data = getStoredTokenData(provider);
-  return data?.refreshToken ?? null;
-}
-function tokenResponseToStoredData(accessToken, expiresIn, refreshToken, scope) {
-  const data = {
-    accessToken,
-    refreshToken,
-    scope
-  };
-  if (expiresIn) {
-    data.expiresAt = Date.now() + expiresIn * 1e3;
-  }
-  return data;
-}
-
 // src/lib/backup/dropbox/auth.ts
 var PROVIDER = "dropbox";
 var STATE_STORAGE_KEY = "dropbox_oauth_state";
@@ -4502,6 +5014,7 @@ function getRedirectUri(callbackPath) {
   if (typeof window === "undefined") return "";
   return `${window.location.origin}${callbackPath}`;
 }
+var MAX_STATE_AGE_MS = 10 * 60 * 1e3;
 function generateState() {
   const array = new Uint8Array(16);
   crypto.getRandomValues(array);
@@ -4511,21 +5024,48 @@ function generateState() {
 }
 function storeOAuthState(state) {
   if (typeof window === "undefined") return;
-  sessionStorage.setItem(STATE_STORAGE_KEY, state);
+  const stateData = {
+    state,
+    timestamp: Date.now()
+  };
+  sessionStorage.setItem(STATE_STORAGE_KEY, JSON.stringify(stateData));
 }
 function getAndClearOAuthState() {
   if (typeof window === "undefined") return null;
-  const state = sessionStorage.getItem(STATE_STORAGE_KEY);
-  sessionStorage.removeItem(STATE_STORAGE_KEY);
-  return state;
+  try {
+    const stored = sessionStorage.getItem(STATE_STORAGE_KEY);
+    if (!stored) return null;
+    const stateData = JSON.parse(stored);
+    const age = Date.now() - stateData.timestamp;
+    if (age > MAX_STATE_AGE_MS) {
+      sessionStorage.removeItem(STATE_STORAGE_KEY);
+      return null;
+    }
+    sessionStorage.removeItem(STATE_STORAGE_KEY);
+    return stateData.state;
+  } catch {
+    sessionStorage.removeItem(STATE_STORAGE_KEY);
+    return null;
+  }
 }
 function isDropboxCallback() {
   if (typeof window === "undefined") return false;
   const url = new URL(window.location.href);
   const code = url.searchParams.get("code");
   const state = url.searchParams.get("state");
-  const storedState = sessionStorage.getItem(STATE_STORAGE_KEY);
-  return !!code && !!state && state === storedState;
+  if (!code || !state) return false;
+  try {
+    const stored = sessionStorage.getItem(STATE_STORAGE_KEY);
+    if (!stored) return false;
+    const stateData = JSON.parse(stored);
+    const age = Date.now() - stateData.timestamp;
+    if (age > MAX_STATE_AGE_MS) {
+      return false;
+    }
+    return state === stateData.state;
+  } catch {
+    return false;
+  }
 }
 async function handleDropboxCallback(callbackPath, apiClient) {
   if (typeof window === "undefined") return null;
@@ -4554,15 +5094,35 @@ async function handleDropboxCallback(callbackPath, apiClient) {
       response.data.refresh_token,
       response.data.scope
     );
-    storeTokenData(PROVIDER, tokenData);
+    try {
+      await storeTokenData(PROVIDER, tokenData);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Unknown encryption error";
+      console.error("OAuth token encryption failed in Dropbox callback:", errorMessage);
+      console.warn("OAuth token encryption failed - tokens not stored securely");
+      return null;
+    }
     window.history.replaceState({}, "", window.location.pathname);
     return response.data.access_token;
-  } catch {
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    const errorName = error instanceof Error ? error.name : "Error";
+    console.error(`Dropbox OAuth callback error: ${errorName}: ${errorMessage}`);
+    console.error("Error details:", {
+      name: errorName,
+      message: errorMessage,
+      stack: error instanceof Error ? error.stack : void 0
+    });
+    console.warn(`Dropbox OAuth callback failed: ${errorMessage}`);
+    if (errorMessage.includes("encryption failed") || errorMessage.includes("OAuth token encryption")) {
+      console.warn("OAuth callback failed due to encryption error - this is a security issue");
+      throw error;
+    }
     return null;
   }
 }
-async function refreshDropboxToken(apiClient) {
-  const refreshToken = getRefreshToken(PROVIDER);
+async function refreshDropboxToken(apiClient, walletAddress) {
+  const refreshToken = walletAddress ? await getRefreshToken(PROVIDER, walletAddress) : getRefreshTokenSync(PROVIDER);
   if (!refreshToken) return null;
   try {
     const response = await postAuthOauthByProviderRefresh({
@@ -4573,22 +5133,22 @@ async function refreshDropboxToken(apiClient) {
     if (!response.data?.access_token) {
       throw new Error("No access token in refresh response");
     }
-    const currentData = getStoredTokenData(PROVIDER);
+    const currentData = walletAddress ? await getStoredTokenData(PROVIDER, walletAddress) : getStoredTokenDataSync(PROVIDER);
     const tokenData = tokenResponseToStoredData(
       response.data.access_token,
       response.data.expires_in,
       response.data.refresh_token ?? currentData?.refreshToken,
       response.data.scope ?? currentData?.scope
     );
-    storeTokenData(PROVIDER, tokenData);
+    await storeTokenData(PROVIDER, tokenData, walletAddress);
     return response.data.access_token;
   } catch {
     clearTokenData(PROVIDER);
     return null;
   }
 }
-async function revokeDropboxToken(apiClient) {
-  const tokenData = getStoredTokenData(PROVIDER);
+async function revokeDropboxToken(apiClient, walletAddress) {
+  const tokenData = walletAddress ? await getStoredTokenData(PROVIDER, walletAddress) : getStoredTokenDataSync(PROVIDER);
   if (!tokenData) return;
   try {
     const tokenToRevoke = tokenData.refreshToken ?? tokenData.accessToken;
@@ -4602,10 +5162,10 @@ async function revokeDropboxToken(apiClient) {
     clearTokenData(PROVIDER);
   }
 }
-async function getDropboxAccessToken(apiClient) {
-  const validToken = getValidAccessToken(PROVIDER);
+async function getDropboxAccessToken(apiClient, walletAddress) {
+  const validToken = walletAddress ? await getValidAccessToken(PROVIDER, walletAddress) : getValidAccessTokenSync(PROVIDER);
   if (validToken) return validToken;
-  return refreshDropboxToken(apiClient);
+  return refreshDropboxToken(apiClient, walletAddress);
 }
 async function startDropboxAuth(appKey, callbackPath) {
   const state = generateState();
@@ -4626,8 +5186,7 @@ function clearToken() {
   clearTokenData(PROVIDER);
 }
 function hasDropboxCredentials() {
-  const data = getStoredTokenData(PROVIDER);
-  return !!(data?.accessToken || data?.refreshToken);
+  return hasStoredCredentialsSync(PROVIDER);
 }
 
 // src/react/useDropboxAuth.ts
@@ -4640,7 +5199,7 @@ function DropboxAuthProvider({
 }) {
   const [accessToken, setAccessToken] = useState10(null);
   const isConfigured = !!appKey;
-  useEffect6(() => {
+  useEffect7(() => {
     const checkStoredToken = async () => {
       if (hasDropboxCredentials()) {
         const token = await getDropboxAccessToken(apiClient);
@@ -4651,7 +5210,7 @@ function DropboxAuthProvider({
     };
     checkStoredToken();
   }, [apiClient]);
-  useEffect6(() => {
+  useEffect7(() => {
     if (!isConfigured) return;
     const handleCallback = async () => {
       if (isDropboxCallback()) {
@@ -4808,7 +5367,7 @@ import {
   createElement as createElement2,
   useCallback as useCallback12,
   useContext as useContext2,
-  useEffect as useEffect7,
+  useEffect as useEffect8,
   useState as useState11
 } from "react";
 
@@ -4824,6 +5383,7 @@ function getRedirectUri2(callbackPath) {
   if (typeof window === "undefined") return "";
   return `${window.location.origin}${callbackPath}`;
 }
+var MAX_STATE_AGE_MS2 = 10 * 60 * 1e3;
 function generateState2() {
   const array = new Uint8Array(16);
   crypto.getRandomValues(array);
@@ -4833,21 +5393,48 @@ function generateState2() {
 }
 function storeOAuthState2(state) {
   if (typeof window === "undefined") return;
-  sessionStorage.setItem(CODE_STORAGE_KEY, state);
+  const stateData = {
+    state,
+    timestamp: Date.now()
+  };
+  sessionStorage.setItem(CODE_STORAGE_KEY, JSON.stringify(stateData));
 }
 function getAndClearOAuthState2() {
   if (typeof window === "undefined") return null;
-  const state = sessionStorage.getItem(CODE_STORAGE_KEY);
-  sessionStorage.removeItem(CODE_STORAGE_KEY);
-  return state;
+  try {
+    const stored = sessionStorage.getItem(CODE_STORAGE_KEY);
+    if (!stored) return null;
+    const stateData = JSON.parse(stored);
+    const age = Date.now() - stateData.timestamp;
+    if (age > MAX_STATE_AGE_MS2) {
+      sessionStorage.removeItem(CODE_STORAGE_KEY);
+      return null;
+    }
+    sessionStorage.removeItem(CODE_STORAGE_KEY);
+    return stateData.state;
+  } catch {
+    sessionStorage.removeItem(CODE_STORAGE_KEY);
+    return null;
+  }
 }
 function isGoogleDriveCallback() {
   if (typeof window === "undefined") return false;
   const url = new URL(window.location.href);
   const code = url.searchParams.get("code");
   const state = url.searchParams.get("state");
-  const storedState = sessionStorage.getItem(CODE_STORAGE_KEY);
-  return !!code && !!state && state === storedState;
+  if (!code || !state) return false;
+  try {
+    const stored = sessionStorage.getItem(CODE_STORAGE_KEY);
+    if (!stored) return false;
+    const stateData = JSON.parse(stored);
+    const age = Date.now() - stateData.timestamp;
+    if (age > MAX_STATE_AGE_MS2) {
+      return false;
+    }
+    return state === stateData.state;
+  } catch {
+    return false;
+  }
 }
 async function handleGoogleDriveCallback(callbackPath, apiClient) {
   if (typeof window === "undefined") return null;
@@ -4876,15 +5463,35 @@ async function handleGoogleDriveCallback(callbackPath, apiClient) {
       response.data.refresh_token,
       response.data.scope
     );
-    storeTokenData(PROVIDER2, tokenData);
+    try {
+      await storeTokenData(PROVIDER2, tokenData);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "Unknown encryption error";
+      console.error("OAuth token encryption failed in Google Drive callback:", errorMessage);
+      console.warn("OAuth token encryption failed - tokens not stored securely");
+      return null;
+    }
     window.history.replaceState({}, "", window.location.pathname);
     return response.data.access_token;
-  } catch {
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : "Unknown error";
+    const errorName = error instanceof Error ? error.name : "Error";
+    console.error(`Google Drive OAuth callback error: ${errorName}: ${errorMessage}`);
+    console.error("Error details:", {
+      name: errorName,
+      message: errorMessage,
+      stack: error instanceof Error ? error.stack : void 0
+    });
+    console.warn(`Google Drive OAuth callback failed: ${errorMessage}`);
+    if (errorMessage.includes("encryption failed") || errorMessage.includes("OAuth token encryption")) {
+      console.warn("OAuth callback failed due to encryption error - this is a security issue");
+      throw error;
+    }
     return null;
   }
 }
-async function refreshGoogleDriveToken(apiClient) {
-  const refreshToken = getRefreshToken(PROVIDER2);
+async function refreshGoogleDriveToken(apiClient, walletAddress) {
+  const refreshToken = walletAddress ? await getRefreshToken(PROVIDER2, walletAddress) : getRefreshTokenSync(PROVIDER2);
   if (!refreshToken) return null;
   try {
     const response = await postAuthOauthByProviderRefresh({
@@ -4895,22 +5502,22 @@ async function refreshGoogleDriveToken(apiClient) {
     if (!response.data?.access_token) {
       throw new Error("No access token in refresh response");
     }
-    const currentData = getStoredTokenData(PROVIDER2);
+    const currentData = walletAddress ? await getStoredTokenData(PROVIDER2, walletAddress) : getStoredTokenDataSync(PROVIDER2);
     const tokenData = tokenResponseToStoredData(
       response.data.access_token,
       response.data.expires_in,
       response.data.refresh_token ?? currentData?.refreshToken,
       response.data.scope ?? currentData?.scope
     );
-    storeTokenData(PROVIDER2, tokenData);
+    await storeTokenData(PROVIDER2, tokenData, walletAddress);
     return response.data.access_token;
   } catch {
     clearTokenData(PROVIDER2);
     return null;
   }
 }
-async function revokeGoogleDriveToken(apiClient) {
-  const tokenData = getStoredTokenData(PROVIDER2);
+async function revokeGoogleDriveToken(apiClient, walletAddress) {
+  const tokenData = walletAddress ? await getStoredTokenData(PROVIDER2, walletAddress) : getStoredTokenDataSync(PROVIDER2);
   if (!tokenData) return;
   try {
     const tokenToRevoke = tokenData.refreshToken ?? tokenData.accessToken;
@@ -4924,8 +5531,8 @@ async function revokeGoogleDriveToken(apiClient) {
     clearTokenData(PROVIDER2);
   }
 }
-async function getGoogleDriveAccessToken(apiClient) {
-  const storedData = getStoredTokenData(PROVIDER2);
+async function getGoogleDriveAccessToken(apiClient, walletAddress) {
+  const storedData = walletAddress ? await getStoredTokenData(PROVIDER2, walletAddress) : getStoredTokenDataSync(PROVIDER2);
   if (!storedData) {
     return null;
   }
@@ -4933,7 +5540,7 @@ async function getGoogleDriveAccessToken(apiClient) {
     return storedData.accessToken;
   }
   if (storedData.refreshToken) {
-    const refreshedToken = await refreshGoogleDriveToken(apiClient);
+    const refreshedToken = await refreshGoogleDriveToken(apiClient, walletAddress);
     if (refreshedToken) {
       return refreshedToken;
     }
@@ -4962,14 +5569,13 @@ async function startGoogleDriveAuth(clientId, callbackPath) {
   });
 }
 function getGoogleDriveStoredToken() {
-  return getValidAccessToken(PROVIDER2);
+  return getValidAccessTokenSync(PROVIDER2);
 }
 function clearGoogleDriveToken() {
   clearTokenData(PROVIDER2);
 }
 function hasGoogleDriveCredentials() {
-  const data = getStoredTokenData(PROVIDER2);
-  return !!(data?.accessToken || data?.refreshToken);
+  return hasStoredCredentialsSync(PROVIDER2);
 }
 
 // src/react/useGoogleDriveAuth.ts
@@ -4982,7 +5588,7 @@ function GoogleDriveAuthProvider({
 }) {
   const [accessToken, setAccessToken] = useState11(null);
   const isConfigured = !!clientId;
-  useEffect7(() => {
+  useEffect8(() => {
     const checkStoredToken = async () => {
       if (hasGoogleDriveCredentials()) {
         const token = await getGoogleDriveAccessToken(apiClient);
@@ -4993,7 +5599,7 @@ function GoogleDriveAuthProvider({
     };
     checkStoredToken();
   }, [apiClient]);
-  useEffect7(() => {
+  useEffect8(() => {
     if (!isConfigured) return;
     const handleCallback = async () => {
       if (isGoogleDriveCallback()) {
@@ -5458,7 +6064,7 @@ import {
   createElement as createElement3,
   useCallback as useCallback14,
   useContext as useContext3,
-  useEffect as useEffect8,
+  useEffect as useEffect9,
   useState as useState12
 } from "react";
 
@@ -5708,7 +6314,7 @@ function ICloudAuthProvider({
   const [isAvailable, setIsAvailable] = useState12(false);
   const [isConfigured, setIsConfigured] = useState12(false);
   const [isLoading, setIsLoading] = useState12(false);
-  useEffect8(() => {
+  useEffect9(() => {
     if (!apiToken || typeof window === "undefined") {
       return;
     }
@@ -6024,7 +6630,7 @@ import {
   createElement as createElement4,
   useCallback as useCallback16,
   useContext as useContext4,
-  useEffect as useEffect9,
+  useEffect as useEffect10,
   useState as useState13
 } from "react";
 var BackupAuthContext = createContext4(null);
@@ -6047,7 +6653,7 @@ function BackupAuthProvider({
   const [icloudUserRecordName, setIcloudUserRecordName] = useState13(null);
   const [isIcloudAvailable, setIsIcloudAvailable] = useState13(false);
   const isIcloudConfigured = isIcloudAvailable && !!icloudApiToken;
-  useEffect9(() => {
+  useEffect10(() => {
     const checkStoredTokens = async () => {
       if (hasDropboxCredentials()) {
         const token = await getDropboxAccessToken(apiClient);
@@ -6064,7 +6670,7 @@ function BackupAuthProvider({
     };
     checkStoredTokens();
   }, [apiClient]);
-  useEffect9(() => {
+  useEffect10(() => {
     if (!icloudApiToken || typeof window === "undefined") {
       return;
     }
@@ -6092,7 +6698,7 @@ function BackupAuthProvider({
     };
     initCloudKit();
   }, [icloudApiToken, icloudContainerIdentifier, icloudEnvironment]);
-  useEffect9(() => {
+  useEffect10(() => {
     if (!isDropboxConfigured) return;
     const handleCallback = async () => {
       if (isDropboxCallback()) {
@@ -6107,7 +6713,7 @@ function BackupAuthProvider({
     };
     handleCallback();
   }, [dropboxCallbackPath, isDropboxConfigured, apiClient]);
-  useEffect9(() => {
+  useEffect10(() => {
     if (!isGoogleConfigured) return;
     const handleCallback = async () => {
       if (isGoogleDriveCallback()) {
@@ -6529,6 +7135,7 @@ export {
   BackupAuthProvider,
   Conversation as ChatConversation,
   Message as ChatMessage,
+  DECRYPTION_FAILED_PLACEHOLDER,
   DEFAULT_BACKUP_FOLDER,
   DEFAULT_CONVERSATIONS_FOLDER as DEFAULT_DRIVE_CONVERSATIONS_FOLDER,
   DEFAULT_ROOT_FOLDER as DEFAULT_DRIVE_ROOT_FOLDER,
@@ -6542,26 +7149,41 @@ export {
   chatStorageMigrations,
   chatStorageSchema,
   clearAllEncryptionKeys,
+  clearAllKeyPairs,
   clearToken as clearDropboxToken,
   clearEncryptionKey,
   clearGoogleDriveToken,
   clearICloudAuth,
+  clearKeyPair,
   createMemoryContextSystemMessage,
   decryptData,
   decryptDataBytes,
+  decryptField,
+  decryptMemoriesBatch,
+  decryptMemoryFields,
   encryptData,
+  encryptField,
+  encryptMemoriesBatch,
+  encryptMemoriesBatchInPlace,
+  encryptMemoryFields,
+  exportPublicKey,
   extractConversationContext,
   formatMemoriesForChat,
   generateCompositeKey,
   generateConversationId,
   generateUniqueKey,
+  getEncryptionVersion2 as getEncryptionVersion,
   getGoogleDriveStoredToken,
   hasDropboxCredentials,
+  hasEncryptedFields,
   hasEncryptionKey,
   hasGoogleDriveCredentials,
   hasICloudCredentials,
+  hasKeyPair,
   memoryStorageSchema,
+  needsEncryption,
   requestEncryptionKey,
+  requestKeyPair,
   sdkMigrations,
   sdkModelClasses,
   sdkSchema,