holosphere 2.0.0-alpha13 → 2.0.0-alpha15

package/dist/{index-BN_uoxQK.js → index-C3Cag0SV.js}

@@ -1347,7 +1347,7 @@ function createHasher$1(hashCons) {
   hashC.create = () => hashCons();
   return hashC;
 }
-function randomBytes$2(bytesLength = 32) {
+function randomBytes$3(bytesLength = 32) {
   if (crypto$2 && typeof crypto$2.getRandomValues === "function") {
     return crypto$2.getRandomValues(new Uint8Array(bytesLength));
   }
@@ -2930,15 +2930,15 @@ function weierstrassN(params, extraOpts = {}) {
       if (!Fn.isValidNot0(scalar))
         throw new Error("invalid scalar: out of range");
       let point, fake;
-      const mul = (n2) => wnaf.cached(this, n2, (p) => normalizeZ(Point, p));
+      const mul3 = (n2) => wnaf.cached(this, n2, (p) => normalizeZ(Point, p));
       if (endo2) {
         const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(scalar);
-        const { p: k1p, f: k1f } = mul(k1);
-        const { p: k2p, f: k2f } = mul(k2);
+        const { p: k1p, f: k1f } = mul3(k1);
+        const { p: k2p, f: k2f } = mul3(k2);
         fake = k1f.add(k2f);
         point = finishEndo(endo2.beta, k1p, k2p, k1neg, k2neg);
       } else {
-        const { p, f } = mul(scalar);
+        const { p, f } = mul3(scalar);
         point = p;
         fake = f;
       }
@@ -3062,7 +3062,7 @@ function getWLengths(Fp, Fn) {
 }
 function ecdh(Point, ecdhOpts = {}) {
   const { Fn } = Point;
-  const randomBytes_ = ecdhOpts.randomBytes || randomBytes$2;
+  const randomBytes_ = ecdhOpts.randomBytes || randomBytes$3;
   const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
   function isValidSecretKey(secretKey) {
     try {
@@ -3137,7 +3137,7 @@ function ecdsa(Point, hash2, ecdsaOpts = {}) {
     bits2int: "function",
     bits2int_modN: "function"
   });
-  const randomBytes2 = ecdsaOpts.randomBytes || randomBytes$2;
+  const randomBytes2 = ecdsaOpts.randomBytes || randomBytes$3;
   const hmac2 = ecdsaOpts.hmac || ((key, ...msgs) => hmac$1(hash2, key, concatBytes$3(...msgs)));
   const { Fp, Fn } = Point;
   const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
@@ -3541,7 +3541,7 @@ function challenge(...args) {
 function schnorrGetPublicKey(secretKey) {
   return schnorrGetExtPubKey(secretKey).bytes;
 }
-function schnorrSign(message, secretKey, auxRand = randomBytes$2(32)) {
+function schnorrSign(message, secretKey, auxRand = randomBytes$3(32)) {
   const { Fn } = Pointk1;
   const m = ensureBytes("message", message);
   const { bytes: px, scalar: d2 } = schnorrGetExtPubKey(secretKey);
@@ -3583,7 +3583,7 @@ function schnorrVerify(signature, message, publicKey) {
 const schnorr = /* @__PURE__ */ (() => {
   const size = 32;
   const seedLength = 48;
-  const randomSecretKey = (seed = randomBytes$2(seedLength)) => {
+  const randomSecretKey = (seed = randomBytes$3(seedLength)) => {
     return mapHashToField(seed, secp256k1_CURVE.n);
   };
   secp256k1$1.utils.randomSecretKey;
@@ -4808,7 +4808,7 @@ function wrapConstructor$2(hashCons) {
   hashC.create = () => hashCons();
   return hashC;
 }
-function randomBytes$1(bytesLength = 32) {
+function randomBytes$2(bytesLength = 32) {
   if (crypto$1 && typeof crypto$1.getRandomValues === "function") {
     return crypto$1.getRandomValues(new Uint8Array(bytesLength));
   }
@@ -5365,6 +5365,7 @@ function output$2(out, instance) {
   }
 }
 /*! noble-ciphers - MIT License (c) 2023 Paul Miller (paulmillr.com) */
+const u8 = (arr) => new Uint8Array(arr.buffer, arr.byteOffset, arr.byteLength);
 const u32$1 = (arr) => new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
 const createView$2 = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
 const isLE$2 = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
@@ -5409,8 +5410,8 @@ function setBigUint64$1(view, byteOffset, value, isLE2) {
   const _u32_max = BigInt(4294967295);
   const wh = Number(value >> _32n2 & _u32_max);
   const wl = Number(value & _u32_max);
-  const h = 4;
-  const l = 0;
+  const h = isLE2 ? 4 : 0;
+  const l = isLE2 ? 0 : 4;
   view.setUint32(byteOffset + h, wh, isLE2);
   view.setUint32(byteOffset + l, wl, isLE2);
 }
@@ -5659,7 +5660,7 @@ class Poly1305 {
     return res;
   }
 }
-function wrapConstructorWithKey(hashCons) {
+function wrapConstructorWithKey$1(hashCons) {
   const hashC = (msg, key) => hashCons(key).update(toBytes$2(msg)).digest();
   const tmp = hashCons(new Uint8Array(32));
   hashC.outputLen = tmp.outputLen;
@@ -5667,7 +5668,7 @@ function wrapConstructorWithKey(hashCons) {
   hashC.create = (key) => hashCons(key);
   return hashC;
 }
-const poly1305 = wrapConstructorWithKey((key) => new Poly1305(key));
+const poly1305 = wrapConstructorWithKey$1((key) => new Poly1305(key));
 const _utf8ToBytes = (str2) => Uint8Array.from(str2.split("").map((c) => c.charCodeAt(0)));
 const sigma16 = _utf8ToBytes("expand 16-byte k");
 const sigma32 = _utf8ToBytes("expand 32-byte k");
@@ -5948,16 +5949,16 @@ const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, {
   extendNonceFn: hchacha,
   allowShortKeys: false
 });
-const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+const ZEROS16$1 = /* @__PURE__ */ new Uint8Array(16);
 const updatePadded = (h, msg) => {
   h.update(msg);
   const left = msg.length % 16;
   if (left)
-    h.update(ZEROS16.subarray(left));
+    h.update(ZEROS16$1.subarray(left));
 };
-const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
-function computeTag(fn, key, nonce, data, AAD) {
-  const authKey = fn(key, nonce, ZEROS32);
+const ZEROS32$1 = /* @__PURE__ */ new Uint8Array(32);
+function computeTag$1(fn, key, nonce, data, AAD) {
+  const authKey = fn(key, nonce, ZEROS32$1);
   const h = poly1305.create(authKey);
   if (AAD)
     updatePadded(h, AAD);
@@ -5985,7 +5986,7 @@ const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
         output2 = new Uint8Array(clength);
       }
       xorStream(key, nonce, plaintext, output2, 1);
-      const tag = computeTag(xorStream, key, nonce, output2.subarray(0, -tagLength), AAD);
+      const tag = computeTag$1(xorStream, key, nonce, output2.subarray(0, -tagLength), AAD);
       output2.set(tag, plength);
       return output2;
     },
@@ -6001,7 +6002,7 @@ const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
       }
       const data = ciphertext.subarray(0, -tagLength);
       const passedTag = ciphertext.subarray(-tagLength);
-      const tag = computeTag(xorStream, key, nonce, data, AAD);
+      const tag = computeTag$1(xorStream, key, nonce, data, AAD);
       if (!equalBytes(passedTag, tag))
         throw new Error("invalid tag");
       xorStream(key, nonce, data, output2, 1);
@@ -6424,11 +6425,11 @@ function encodeBech32$1(prefix, data) {
 function encodeBytes$1(prefix, bytes2) {
   return encodeBech32$1(prefix, bytes2);
 }
-function encrypt$1(sec, password, logn = 16, ksb = 2) {
-  let salt = randomBytes$1(16);
+function encrypt$2(sec, password, logn = 16, ksb = 2) {
+  let salt = randomBytes$2(16);
   let n2 = 2 ** logn;
   let key = scrypt(password.normalize("NFKC"), salt, { N: n2, r: 8, p: 1, dkLen: 32 });
-  let nonce = randomBytes$1(24);
+  let nonce = randomBytes$2(24);
   let aad = Uint8Array.from([ksb]);
   let xc2p1 = xchacha20poly1305(key, nonce, aad);
   let ciphertext = xc2p1.encrypt(sec);
@@ -6460,7 +6461,7 @@ function decrypt$1(ncryptsec, password) {
 const nip49_star = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
   __proto__: null,
   decrypt: decrypt$1,
-  encrypt: encrypt$1
+  encrypt: encrypt$2
 }, Symbol.toStringTag, { value: "Module" }));
 var utf8Decoder = new TextDecoder("utf-8");
 var utf8Encoder = new TextEncoder();
@@ -7408,9 +7409,9 @@ var NDKRelayConnectivity = class {
         }
         case "COUNT": {
           const payload = data[2];
-          const cr = this.openCountRequests.get(id2);
-          if (cr) {
-            cr.resolve(payload.count);
+          const cr2 = this.openCountRequests.get(id2);
+          if (cr2) {
+            cr2.resolve(payload.count);
             this.openCountRequests.delete(id2);
           }
           return;
@@ -9050,7 +9051,7 @@ async function generateContentTags(content, tags = [], opts, ctx) {
 async function maybeGetEventRelayUrl(_nip19Id) {
   return "";
 }
-async function encrypt(recipient, signer, scheme = "nip44") {
+async function encrypt$1(recipient, signer, scheme = "nip44") {
   let encrypted;
   if (!this.ndk) throw new Error("No NDK instance found!");
   let currentSigner = signer;
@@ -9718,7 +9719,7 @@ var NDKEvent = class _NDKEvent extends lib$1.EventEmitter {
    * @returns {string} - Encoded naddr, note or nevent.
    */
   encode = encode$1.bind(this);
-  encrypt = encrypt.bind(this);
+  encrypt = encrypt$1.bind(this);
   decrypt = decrypt.bind(this);
   /**
    * Get all tags with the given name
@@ -15528,7 +15529,7 @@ var NDKPrivateKeySigner = class _NDKPrivateKeySigner {
    */
   encryptToNcryptsec(password, logn = 16, ksb = 2) {
     if (!this._privateKey) throw new Error("Private key not available");
-    return encrypt$1(this._privateKey, password, logn, ksb);
+    return encrypt$2(this._privateKey, password, logn, ksb);
   }
   /**
    * Generate a new private key.
@@ -18010,12 +18011,12 @@ async function createPersistentStorage(namespace, options = {}) {
   const isBrowser = typeof window !== "undefined" && typeof window.indexedDB !== "undefined";
   typeof process !== "undefined" && process.versions && void 0;
   if (isBrowser) {
-    const { IndexedDBStorage } = await import("./indexeddb-storage-bpA01pAU.js");
+    const { IndexedDBStorage } = await import("./indexeddb-storage-dx01N0ET.js");
     const storage = new IndexedDBStorage();
     await storage.init(namespace);
     return storage;
   } else {
-    const { MemoryStorage } = await import("./memory-storage-BqhmytP_.js");
+    const { MemoryStorage } = await import("./memory-storage-BPIfkpcf.js");
     const storage = new MemoryStorage();
     await storage.init(namespace);
     return storage;
@@ -18028,7 +18029,7 @@ async function loadNDKCacheAdapter() {
   ndkCacheAdapterLoaded = true;
   if (typeof window !== "undefined" && typeof indexedDB !== "undefined") {
     try {
-      const module2 = await import("./index-Z5TstN1e.js");
+      const module2 = await import("./index-nMC3dWZ5.js");
       NDKCacheAdapterDexie = module2.default || module2.NDKCacheAdapterDexie;
     } catch (e) {
       console.debug("[nostr] NDK cache adapter not available, using LRU cache");
@@ -18220,7 +18221,13 @@ class NostrClient {
         cacheAdapter
       });
       this.relays.forEach((r) => globalNDKRelays.add(r));
-      await this.ndk.connect();
+      console.log("[NostrClient] Connecting to relays:", this.relays);
+      try {
+        await this.ndk.connect();
+        console.log("[NostrClient] NDK connect() completed. Pool stats:", this.ndk.pool?.stats?.());
+      } catch (err) {
+        console.error("[NostrClient] NDK connect() FAILED:", err.message);
+      }
     } else {
       this.ndk = null;
     }
@@ -18403,7 +18410,15 @@ class NostrClient {
    * @returns {Promise<Object|null>} The event or null if not found
    */
   async persistentGet(path) {
-    await this._initReady;
+    try {
+      await Promise.race([
+        this._initReady,
+        new Promise((_, reject) => setTimeout(() => reject(new Error("Init timeout")), 1e4))
+      ]);
+    } catch (err) {
+      console.warn("[NostrClient] persistentGet: Init timeout, returning null");
+      return null;
+    }
     if (!this.persistentStorage) return null;
     try {
       const event = await this.persistentStorage.get(path);
@@ -18490,7 +18505,14 @@ class NostrClient {
    * });
    */
   async publish(event, options = {}) {
-    await this._initReady;
+    try {
+      await Promise.race([
+        this._initReady,
+        new Promise((_, reject) => setTimeout(() => reject(new Error("Init timeout")), 15e3))
+      ]);
+    } catch (err) {
+      console.warn("[NostrClient] publish: Init timeout, continuing with available state");
+    }
     const waitForRelays = options.waitForRelays || false;
     const isReplaceable2 = event.kind >= 3e4 && event.kind < 4e4;
     const shouldDebounce = isReplaceable2 && options.debounce !== false && !waitForRelays;
@@ -18642,9 +18664,14 @@ class NostrClient {
     const failed = [];
     const formattedResults = [];
     try {
-      const publishedRelays = await ndkEvent.publish();
+      const publishPromise = ndkEvent.publish();
+      const timeoutPromise = new Promise(
+        (_, reject) => setTimeout(() => reject(new Error("Publish timeout")), 3e4)
+      );
+      const publishedRelays = await Promise.race([publishPromise, timeoutPromise]);
       for (const relay of relays) {
-        const wasPublished = publishedRelays.has(this.ndk.pool.getRelay(relay));
+        const ndkRelay = this.ndk.pool.getRelay(relay);
+        const wasPublished = publishedRelays.has(ndkRelay);
         if (wasPublished) {
           successful.push(relay);
           formattedResults.push({
@@ -18701,8 +18728,16 @@ class NostrClient {
    * });
    */
   async query(filter, options = {}) {
-    await this._initReady;
-    const timeout = options.timeout !== void 0 ? options.timeout : 3e4;
+    const queryTimeout = options.timeout !== void 0 ? options.timeout : 3e4;
+    try {
+      await Promise.race([
+        this._initReady,
+        new Promise((_, reject) => setTimeout(() => reject(new Error("Init timeout")), Math.min(queryTimeout, 1e4)))
+      ]);
+    } catch (err) {
+      console.warn("[NostrClient] query: Init timeout, continuing with available state");
+    }
+    const timeout = queryTimeout;
     const localFirst = options.localFirst !== false;
     const forceRelay = options.forceRelay === true;
     if (this.relays.length === 0 || !this.ndk) {
@@ -18715,7 +18750,7 @@ class NostrClient {
       const matchingEvents = this._getMatchingCachedEvents(filter);
       return matchingEvents;
     }
-    if (isOwnDataQuery && subInfo && !subInfo.initialized) {
+    if (!forceRelay && isOwnDataQuery && subInfo && !subInfo.initialized) {
       await Promise.race([
         subInfo.initPromise,
         new Promise((resolve) => setTimeout(resolve, Math.min(timeout, AUTHOR_SUB_INIT_TIMEOUT)))
@@ -18757,10 +18792,23 @@ class NostrClient {
       try {
         let events = [];
         if (this.ndk) {
-          const fetchedEvents = await this.ndk.fetchEvents(filter, {
+          const fetchPromise = this.ndk.fetchEvents(filter, {
             closeOnEose: true
           });
-          events = Array.from(fetchedEvents).map((e) => e.rawEvent());
+          const timeoutPromise = new Promise(
+            (_, reject) => setTimeout(() => reject(new Error("Relay query timeout")), timeout || 3e4)
+          );
+          try {
+            const fetchedEvents = await Promise.race([fetchPromise, timeoutPromise]);
+            events = Array.from(fetchedEvents).map((e) => e.rawEvent());
+          } catch (err) {
+            if (err.message === "Relay query timeout") {
+              console.warn("[NostrClient] Relay query timed out, returning empty results");
+              events = [];
+            } else {
+              throw err;
+            }
+          }
         }
         if (filter.authors && filter.authors.length > 0) {
           events = events.filter((event) => filter.authors.includes(event.pubkey));
@@ -18935,16 +18983,20 @@ class NostrClient {
    */
   async queryHybrid(filter, options = {}) {
     await this._initReady;
-    options.timeout !== void 0 ? options.timeout : 3e4;
+    const timeout = options.timeout !== void 0 ? options.timeout : 3e4;
     const localEvents = this._getMatchingCachedEvents(filter);
     if (this.relays.length === 0 || !this.ndk) {
       return localEvents;
     }
     let relayEvents = [];
     try {
-      const fetchedEvents = await this.ndk.fetchEvents(filter, {
+      const fetchPromise = this.ndk.fetchEvents(filter, {
         closeOnEose: true
       });
+      const timeoutPromise = new Promise(
+        (_, reject) => setTimeout(() => reject(new Error("Relay query timeout")), timeout)
+      );
+      const fetchedEvents = await Promise.race([fetchPromise, timeoutPromise]);
       relayEvents = Array.from(fetchedEvents).map((e) => e.rawEvent());
       if (filter.authors && filter.authors.length > 0) {
         relayEvents = relayEvents.filter((event) => filter.authors.includes(event.pubkey));
@@ -20963,7 +21015,7 @@ class GunSchemaValidator {
       return true;
     }
     try {
-      const AjvModule = await import("./2019-CLMqIAfQ.js").then((n2) => n2._);
+      const AjvModule = await import("./2019-BfjzDRje.js").then((n2) => n2._);
       this.Ajv = AjvModule.default || AjvModule;
       this.validator = new this.Ajv({
         allErrors: true,
@@ -21184,7 +21236,7 @@ class GunDBBackend extends StorageBackend {
     let Gun;
     try {
       console.log("[gundb-backend] Importing Gun...");
-      const gunModule = await import("./browser-nUQt1cnB.js").then((n2) => n2.b);
+      const gunModule = await import("./browser-CKTczilW.js").then((n2) => n2.b);
       Gun = gunModule.default || gunModule;
       console.log("[gundb-backend] Gun imported:", typeof Gun);
     } catch (error) {
@@ -21815,7 +21867,7 @@ class GunDBBackend extends StorageBackend {
   }
 }
 const name = "holosphere";
-const version$1 = "2.0.0-alpha12";
+const version$1 = "2.0.0-alpha14";
 const description = "Holonic geospatial communication infrastructure combining H3 hexagonal indexing with distributed P2P storage";
 const type = "module";
 const bin = {
@@ -21840,6 +21892,8 @@ const scripts = {
   test: "vitest run",
   "test:watch": "vitest",
   "test:coverage": "vitest run --coverage",
+  "test:real-relays": "USE_REAL_RELAYS=true vitest run",
+  "test:integration:real": "USE_REAL_RELAYS=true vitest run tests/unit/integration",
   lint: "eslint src tests",
   format: 'prettier --write "src/**/*.js" "tests/**/*.js"'
 };
@@ -22580,44 +22634,784 @@ const h3Operations = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.define
   isValidH3,
   toHolon
 }, Symbol.toStringTag, { value: "Module" }));
+const BLOCK_SIZE$1 = 16;
+const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+const ZEROS32 = u32$1(ZEROS16);
+const POLY$1 = 225;
+const mul2$1 = (s0, s1, s2, s3) => {
+  const hiBit = s3 & 1;
+  return {
+    s3: s2 << 31 | s3 >>> 1,
+    s2: s1 << 31 | s2 >>> 1,
+    s1: s0 << 31 | s1 >>> 1,
+    s0: s0 >>> 1 ^ POLY$1 << 24 & -(hiBit & 1)
+    // reduce % poly
+  };
+};
+const swapLE = (n2) => (n2 >>> 0 & 255) << 24 | (n2 >>> 8 & 255) << 16 | (n2 >>> 16 & 255) << 8 | n2 >>> 24 & 255 | 0;
+function _toGHASHKey(k) {
+  k.reverse();
+  const hiBit = k[15] & 1;
+  let carry = 0;
+  for (let i = 0; i < k.length; i++) {
+    const t = k[i];
+    k[i] = t >>> 1 | carry;
+    carry = (t & 1) << 7;
+  }
+  k[0] ^= -hiBit & 225;
+  return k;
+}
+const estimateWindow = (bytes2) => {
+  if (bytes2 > 64 * 1024)
+    return 8;
+  if (bytes2 > 1024)
+    return 4;
+  return 2;
+};
+class GHASH {
+  // We select bits per window adaptively based on expectedLength
+  constructor(key, expectedLength) {
+    this.blockLen = BLOCK_SIZE$1;
+    this.outputLen = BLOCK_SIZE$1;
+    this.s0 = 0;
+    this.s1 = 0;
+    this.s2 = 0;
+    this.s3 = 0;
+    this.finished = false;
+    key = toBytes$2(key);
+    bytes$2(key, 16);
+    const kView = createView$2(key);
+    let k0 = kView.getUint32(0, false);
+    let k1 = kView.getUint32(4, false);
+    let k2 = kView.getUint32(8, false);
+    let k3 = kView.getUint32(12, false);
+    const doubles = [];
+    for (let i = 0; i < 128; i++) {
+      doubles.push({ s0: swapLE(k0), s1: swapLE(k1), s2: swapLE(k2), s3: swapLE(k3) });
+      ({ s0: k0, s1: k1, s2: k2, s3: k3 } = mul2$1(k0, k1, k2, k3));
+    }
+    const W = estimateWindow(expectedLength || 1024);
+    if (![1, 2, 4, 8].includes(W))
+      throw new Error(`ghash: wrong window size=${W}, should be 2, 4 or 8`);
+    this.W = W;
+    const bits = 128;
+    const windows = bits / W;
+    const windowSize = this.windowSize = 2 ** W;
+    const items = [];
+    for (let w = 0; w < windows; w++) {
+      for (let byte = 0; byte < windowSize; byte++) {
+        let s0 = 0, s1 = 0, s2 = 0, s3 = 0;
+        for (let j = 0; j < W; j++) {
+          const bit = byte >>> W - j - 1 & 1;
+          if (!bit)
+            continue;
+          const { s0: d0, s1: d1, s2: d2, s3: d3 } = doubles[W * w + j];
+          s0 ^= d0, s1 ^= d1, s2 ^= d2, s3 ^= d3;
+        }
+        items.push({ s0, s1, s2, s3 });
+      }
+    }
+    this.t = items;
+  }
+  _updateBlock(s0, s1, s2, s3) {
+    s0 ^= this.s0, s1 ^= this.s1, s2 ^= this.s2, s3 ^= this.s3;
+    const { W, t, windowSize } = this;
+    let o0 = 0, o1 = 0, o2 = 0, o3 = 0;
+    const mask2 = (1 << W) - 1;
+    let w = 0;
+    for (const num2 of [s0, s1, s2, s3]) {
+      for (let bytePos = 0; bytePos < 4; bytePos++) {
+        const byte = num2 >>> 8 * bytePos & 255;
+        for (let bitPos = 8 / W - 1; bitPos >= 0; bitPos--) {
+          const bit = byte >>> W * bitPos & mask2;
+          const { s0: e0, s1: e1, s2: e2, s3: e3 } = t[w * windowSize + bit];
+          o0 ^= e0, o1 ^= e1, o2 ^= e2, o3 ^= e3;
+          w += 1;
+        }
+      }
+    }
+    this.s0 = o0;
+    this.s1 = o1;
+    this.s2 = o2;
+    this.s3 = o3;
+  }
+  update(data) {
+    data = toBytes$2(data);
+    exists$2(this);
+    const b32 = u32$1(data);
+    const blocks = Math.floor(data.length / BLOCK_SIZE$1);
+    const left = data.length % BLOCK_SIZE$1;
+    for (let i = 0; i < blocks; i++) {
+      this._updateBlock(b32[i * 4 + 0], b32[i * 4 + 1], b32[i * 4 + 2], b32[i * 4 + 3]);
+    }
+    if (left) {
+      ZEROS16.set(data.subarray(blocks * BLOCK_SIZE$1));
+      this._updateBlock(ZEROS32[0], ZEROS32[1], ZEROS32[2], ZEROS32[3]);
+      ZEROS32.fill(0);
+    }
+    return this;
+  }
+  destroy() {
+    const { t } = this;
+    for (const elm of t) {
+      elm.s0 = 0, elm.s1 = 0, elm.s2 = 0, elm.s3 = 0;
+    }
+  }
+  digestInto(out) {
+    exists$2(this);
+    output$2(out, this);
+    this.finished = true;
+    const { s0, s1, s2, s3 } = this;
+    const o32 = u32$1(out);
+    o32[0] = s0;
+    o32[1] = s1;
+    o32[2] = s2;
+    o32[3] = s3;
+    return out;
+  }
+  digest() {
+    const res = new Uint8Array(BLOCK_SIZE$1);
+    this.digestInto(res);
+    this.destroy();
+    return res;
+  }
+}
+class Polyval extends GHASH {
+  constructor(key, expectedLength) {
+    key = toBytes$2(key);
+    const ghKey = _toGHASHKey(key.slice());
+    super(ghKey, expectedLength);
+    ghKey.fill(0);
+  }
+  update(data) {
+    data = toBytes$2(data);
+    exists$2(this);
+    const b32 = u32$1(data);
+    const left = data.length % BLOCK_SIZE$1;
+    const blocks = Math.floor(data.length / BLOCK_SIZE$1);
+    for (let i = 0; i < blocks; i++) {
+      this._updateBlock(swapLE(b32[i * 4 + 3]), swapLE(b32[i * 4 + 2]), swapLE(b32[i * 4 + 1]), swapLE(b32[i * 4 + 0]));
+    }
+    if (left) {
+      ZEROS16.set(data.subarray(blocks * BLOCK_SIZE$1));
+      this._updateBlock(swapLE(ZEROS32[3]), swapLE(ZEROS32[2]), swapLE(ZEROS32[1]), swapLE(ZEROS32[0]));
+      ZEROS32.fill(0);
+    }
+    return this;
+  }
+  digestInto(out) {
+    exists$2(this);
+    output$2(out, this);
+    this.finished = true;
+    const { s0, s1, s2, s3 } = this;
+    const o32 = u32$1(out);
+    o32[0] = s0;
+    o32[1] = s1;
+    o32[2] = s2;
+    o32[3] = s3;
+    return out.reverse();
+  }
+}
+function wrapConstructorWithKey(hashCons) {
+  const hashC = (msg, key) => hashCons(key, msg.length).update(toBytes$2(msg)).digest();
+  const tmp = hashCons(new Uint8Array(16), 0);
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = (key, expectedLength) => hashCons(key, expectedLength);
+  return hashC;
+}
+const ghash = wrapConstructorWithKey((key, expectedLength) => new GHASH(key, expectedLength));
+wrapConstructorWithKey((key, expectedLength) => new Polyval(key, expectedLength));
+const BLOCK_SIZE = 16;
+const BLOCK_SIZE32 = 4;
+const EMPTY_BLOCK = new Uint8Array(BLOCK_SIZE);
+const POLY = 283;
+function mul2(n2) {
+  return n2 << 1 ^ POLY & -(n2 >> 7);
+}
+function mul(a, b2) {
+  let res = 0;
+  for (; b2 > 0; b2 >>= 1) {
+    res ^= a & -(b2 & 1);
+    a = mul2(a);
+  }
+  return res;
+}
+const sbox = /* @__PURE__ */ (() => {
+  let t = new Uint8Array(256);
+  for (let i = 0, x = 1; i < 256; i++, x ^= mul2(x))
+    t[i] = x;
+  const box = new Uint8Array(256);
+  box[0] = 99;
+  for (let i = 0; i < 255; i++) {
+    let x = t[255 - i];
+    x |= x << 8;
+    box[t[i]] = (x ^ x >> 4 ^ x >> 5 ^ x >> 6 ^ x >> 7 ^ 99) & 255;
+  }
+  return box;
+})();
+const rotr32_8 = (n2) => n2 << 24 | n2 >>> 8;
+const rotl32_8 = (n2) => n2 << 8 | n2 >>> 24;
+function genTtable(sbox2, fn) {
+  if (sbox2.length !== 256)
+    throw new Error("Wrong sbox length");
+  const T0 = new Uint32Array(256).map((_, j) => fn(sbox2[j]));
+  const T1 = T0.map(rotl32_8);
+  const T2 = T1.map(rotl32_8);
+  const T3 = T2.map(rotl32_8);
+  const T01 = new Uint32Array(256 * 256);
+  const T23 = new Uint32Array(256 * 256);
+  const sbox22 = new Uint16Array(256 * 256);
+  for (let i = 0; i < 256; i++) {
+    for (let j = 0; j < 256; j++) {
+      const idx = i * 256 + j;
+      T01[idx] = T0[i] ^ T1[j];
+      T23[idx] = T2[i] ^ T3[j];
+      sbox22[idx] = sbox2[i] << 8 | sbox2[j];
+    }
+  }
+  return { sbox: sbox2, sbox2: sbox22, T0, T1, T2, T3, T01, T23 };
+}
+const tableEncoding = /* @__PURE__ */ genTtable(sbox, (s) => mul(s, 3) << 24 | s << 16 | s << 8 | mul(s, 2));
+const xPowers = /* @__PURE__ */ (() => {
+  const p = new Uint8Array(16);
+  for (let i = 0, x = 1; i < 16; i++, x = mul2(x))
+    p[i] = x;
+  return p;
+})();
+function expandKeyLE(key) {
+  bytes$2(key);
+  const len = key.length;
+  if (![16, 24, 32].includes(len))
+    throw new Error(`aes: wrong key size: should be 16, 24 or 32, got: ${len}`);
+  const { sbox2 } = tableEncoding;
+  const k32 = u32$1(key);
+  const Nk = k32.length;
+  const subByte = (n2) => applySbox(sbox2, n2, n2, n2, n2);
+  const xk = new Uint32Array(len + 28);
+  xk.set(k32);
+  for (let i = Nk; i < xk.length; i++) {
+    let t = xk[i - 1];
+    if (i % Nk === 0)
+      t = subByte(rotr32_8(t)) ^ xPowers[i / Nk - 1];
+    else if (Nk > 6 && i % Nk === 4)
+      t = subByte(t);
+    xk[i] = xk[i - Nk] ^ t;
+  }
+  return xk;
+}
+function apply0123(T01, T23, s0, s1, s2, s3) {
+  return T01[s0 << 8 & 65280 | s1 >>> 8 & 255] ^ T23[s2 >>> 8 & 65280 | s3 >>> 24 & 255];
+}
+function applySbox(sbox2, s0, s1, s2, s3) {
+  return sbox2[s0 & 255 | s1 & 65280] | sbox2[s2 >>> 16 & 255 | s3 >>> 16 & 65280] << 16;
+}
+function encrypt(xk, s0, s1, s2, s3) {
+  const { sbox2, T01, T23 } = tableEncoding;
+  let k = 0;
+  s0 ^= xk[k++], s1 ^= xk[k++], s2 ^= xk[k++], s3 ^= xk[k++];
+  const rounds = xk.length / 4 - 2;
+  for (let i = 0; i < rounds; i++) {
+    const t02 = xk[k++] ^ apply0123(T01, T23, s0, s1, s2, s3);
+    const t12 = xk[k++] ^ apply0123(T01, T23, s1, s2, s3, s0);
+    const t22 = xk[k++] ^ apply0123(T01, T23, s2, s3, s0, s1);
+    const t32 = xk[k++] ^ apply0123(T01, T23, s3, s0, s1, s2);
+    s0 = t02, s1 = t12, s2 = t22, s3 = t32;
+  }
+  const t0 = xk[k++] ^ applySbox(sbox2, s0, s1, s2, s3);
+  const t1 = xk[k++] ^ applySbox(sbox2, s1, s2, s3, s0);
+  const t2 = xk[k++] ^ applySbox(sbox2, s2, s3, s0, s1);
+  const t3 = xk[k++] ^ applySbox(sbox2, s3, s0, s1, s2);
+  return { s0: t0, s1: t1, s2: t2, s3: t3 };
+}
+function getDst(len, dst) {
+  if (!dst)
+    return new Uint8Array(len);
+  bytes$2(dst);
+  if (dst.length < len)
+    throw new Error(`aes: wrong destination length, expected at least ${len}, got: ${dst.length}`);
+  return dst;
+}
+function ctr32(xk, isLE2, nonce, src, dst) {
+  bytes$2(nonce, BLOCK_SIZE);
+  bytes$2(src);
+  dst = getDst(src.length, dst);
+  const ctr = nonce;
+  const c32 = u32$1(ctr);
+  const view = createView$2(ctr);
+  const src32 = u32$1(src);
+  const dst32 = u32$1(dst);
+  const ctrPos = isLE2 ? 0 : 12;
+  const srcLen = src.length;
+  let ctrNum = view.getUint32(ctrPos, isLE2);
+  let { s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]);
+  for (let i = 0; i + 4 <= src32.length; i += 4) {
+    dst32[i + 0] = src32[i + 0] ^ s0;
+    dst32[i + 1] = src32[i + 1] ^ s1;
+    dst32[i + 2] = src32[i + 2] ^ s2;
+    dst32[i + 3] = src32[i + 3] ^ s3;
+    ctrNum = ctrNum + 1 >>> 0;
+    view.setUint32(ctrPos, ctrNum, isLE2);
+    ({ s0, s1, s2, s3 } = encrypt(xk, c32[0], c32[1], c32[2], c32[3]));
+  }
+  const start = BLOCK_SIZE * Math.floor(src32.length / BLOCK_SIZE32);
+  if (start < srcLen) {
+    const b32 = new Uint32Array([s0, s1, s2, s3]);
+    const buf = u8(b32);
+    for (let i = start, pos = 0; i < srcLen; i++, pos++)
+      dst[i] = src[i] ^ buf[pos];
+  }
+  return dst;
+}
+function computeTag(fn, isLE2, key, data, AAD) {
+  const h = fn.create(key, data.length + (AAD?.length || 0));
+  if (AAD)
+    h.update(AAD);
+  h.update(data);
+  const num2 = new Uint8Array(16);
+  const view = createView$2(num2);
+  if (AAD)
+    setBigUint64$1(view, 0, BigInt(AAD.length * 8), isLE2);
+  setBigUint64$1(view, 8, BigInt(data.length * 8), isLE2);
+  h.update(num2);
+  return h.digest();
+}
+const gcm = /* @__PURE__ */ wrapCipher({ blockSize: 16, nonceLength: 12, tagLength: 16 }, function gcm2(key, nonce, AAD) {
+  bytes$2(nonce);
+  if (nonce.length === 0)
+    throw new Error("aes/gcm: empty nonce");
+  const tagLength = 16;
+  function _computeTag(authKey, tagMask, data) {
+    const tag = computeTag(ghash, false, authKey, data, AAD);
+    for (let i = 0; i < tagMask.length; i++)
+      tag[i] ^= tagMask[i];
+    return tag;
+  }
+  function deriveKeys() {
+    const xk = expandKeyLE(key);
+    const authKey = EMPTY_BLOCK.slice();
+    const counter = EMPTY_BLOCK.slice();
+    ctr32(xk, false, counter, counter, authKey);
+    if (nonce.length === 12) {
+      counter.set(nonce);
+    } else {
+      const nonceLen = EMPTY_BLOCK.slice();
+      const view = createView$2(nonceLen);
+      setBigUint64$1(view, 8, BigInt(nonce.length * 8), false);
+      ghash.create(authKey).update(nonce).update(nonceLen).digestInto(counter);
+    }
+    const tagMask = ctr32(xk, false, counter, EMPTY_BLOCK);
+    return { xk, authKey, counter, tagMask };
+  }
+  return {
+    encrypt: (plaintext) => {
+      bytes$2(plaintext);
+      const { xk, authKey, counter, tagMask } = deriveKeys();
+      const out = new Uint8Array(plaintext.length + tagLength);
+      ctr32(xk, false, counter, plaintext, out);
+      const tag = _computeTag(authKey, tagMask, out.subarray(0, out.length - tagLength));
+      out.set(tag, plaintext.length);
+      xk.fill(0);
+      return out;
+    },
+    decrypt: (ciphertext) => {
+      bytes$2(ciphertext);
+      if (ciphertext.length < tagLength)
+        throw new Error(`aes/gcm: ciphertext less than tagLen (${tagLength})`);
+      const { xk, authKey, counter, tagMask } = deriveKeys();
+      const data = ciphertext.subarray(0, -tagLength);
+      const passedTag = ciphertext.subarray(-tagLength);
+      const tag = _computeTag(authKey, tagMask, data);
+      if (!equalBytes(tag, passedTag))
+        throw new Error("aes/gcm: invalid ghash tag");
+      const out = ctr32(xk, false, counter, data);
+      authKey.fill(0);
+      tagMask.fill(0);
+      xk.fill(0);
+      return out;
+    }
+  };
+});
+const cr = typeof globalThis === "object" && "crypto" in globalThis ? globalThis.crypto : void 0;
+function randomBytes$1(bytesLength = 32) {
+  if (cr && typeof cr.getRandomValues === "function")
+    return cr.getRandomValues(new Uint8Array(bytesLength));
+  throw new Error("crypto.getRandomValues must be defined");
+}
+/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const u8a$1 = (a) => a instanceof Uint8Array;
+const createView$1 = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
+const rotr$1 = (word, shift) => word << 32 - shift | word >>> shift;
+const isLE$1 = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
+if (!isLE$1)
+  throw new Error("Non little-endian hardware is not supported");
+const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, "0"));
+function bytesToHex$1(bytes2) {
+  if (!u8a$1(bytes2))
+    throw new Error("Uint8Array expected");
+  let hex2 = "";
+  for (let i = 0; i < bytes2.length; i++) {
+    hex2 += hexes[bytes2[i]];
+  }
+  return hex2;
+}
+function hexToBytes$1(hex2) {
+  if (typeof hex2 !== "string")
+    throw new Error("hex string expected, got " + typeof hex2);
+  const len = hex2.length;
+  if (len % 2)
+    throw new Error("padded hex string expected, got unpadded hex of length " + len);
+  const array = new Uint8Array(len / 2);
+  for (let i = 0; i < array.length; i++) {
+    const j = i * 2;
+    const hexByte = hex2.slice(j, j + 2);
+    const byte = Number.parseInt(hexByte, 16);
+    if (Number.isNaN(byte) || byte < 0)
+      throw new Error("Invalid byte sequence");
+    array[i] = byte;
+  }
+  return array;
+}
+function utf8ToBytes$1(str2) {
+  if (typeof str2 !== "string")
+    throw new Error(`utf8ToBytes expected string, got ${typeof str2}`);
+  return new Uint8Array(new TextEncoder().encode(str2));
+}
+function toBytes$1(data) {
+  if (typeof data === "string")
+    data = utf8ToBytes$1(data);
+  if (!u8a$1(data))
+    throw new Error(`expected Uint8Array, got ${typeof data}`);
+  return data;
+}
+function concatBytes$1(...arrays) {
+  const r = new Uint8Array(arrays.reduce((sum, a) => sum + a.length, 0));
+  let pad = 0;
+  arrays.forEach((a) => {
+    if (!u8a$1(a))
+      throw new Error("Uint8Array expected");
+    r.set(a, pad);
+    pad += a.length;
+  });
+  return r;
+}
+let Hash$1 = class Hash5 {
+  // Safe version that clones internal state
+  clone() {
+    return this._cloneInto();
+  }
+};
+function wrapConstructor$1(hashCons) {
+  const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
+  const tmp = hashCons();
+  hashC.outputLen = tmp.outputLen;
+  hashC.blockLen = tmp.blockLen;
+  hashC.create = () => hashCons();
+  return hashC;
+}
+function hexToBytes(hex2) {
+  const bytes2 = new Uint8Array(hex2.length / 2);
+  for (let i = 0; i < hex2.length; i += 2) {
+    bytes2[i / 2] = parseInt(hex2.substr(i, 2), 16);
+  }
+  return bytes2;
+}
+function bytesToHex(bytes2) {
+  return Array.from(bytes2).map((b2) => b2.toString(16).padStart(2, "0")).join("");
+}
+function parseNpubOrHex(input) {
+  const trimmed = input?.trim();
+  if (!trimmed) {
+    return { valid: false, error: "Public key is required" };
+  }
+  if (/^[0-9a-fA-F]{64}$/.test(trimmed)) {
+    return { valid: true, hexPubKey: trimmed.toLowerCase() };
+  }
+  let npubString = trimmed;
+  if (npubString.startsWith("nostr:")) {
+    npubString = npubString.slice(6);
+  }
+  if (npubString.startsWith("npub1")) {
+    try {
+      const decoded = nip19.decode(npubString);
+      if (decoded.type === "npub") {
+        return { valid: true, hexPubKey: decoded.data };
+      }
+      return { valid: false, error: "Invalid npub format" };
+    } catch (e) {
+      return { valid: false, error: "Invalid npub: unable to decode" };
+    }
+  }
+  return { valid: false, error: "Enter a valid npub (npub1...) or 64-character hex public key" };
+}
+function hexToNpub(hexPubKey) {
+  try {
+    return nip19.npubEncode(hexPubKey);
+  } catch (e) {
+    console.error("Failed to encode hex to npub:", e);
+    return hexPubKey;
+  }
+}
+function npubToHex(npub2) {
+  try {
+    const decoded = nip19.decode(npub2);
+    if (decoded.type === "npub") {
+      return decoded.data;
+    }
+    return null;
+  } catch (e) {
+    return null;
+  }
+}
+function shortenPubKey(pubKey) {
+  if (!pubKey || pubKey.length <= 20) return pubKey || "";
+  return `${pubKey.slice(0, 8)}...${pubKey.slice(-8)}`;
+}
+function shortenNpub(npub2) {
+  if (!npub2 || npub2.length <= 20) return npub2 || "";
+  return `${npub2.slice(0, 12)}...${npub2.slice(-8)}`;
+}
+function getPublicKey$1(privateKey) {
+  return getPublicKey$2(hexToBytes(privateKey));
+}
+async function encryptNIP04(privateKey, recipientPubKey, content) {
+  return await nip04.encrypt(privateKey, recipientPubKey, content);
+}
+async function decryptNIP04(privateKey, senderPubKey, encryptedContent) {
+  return await nip04.decrypt(privateKey, senderPubKey, encryptedContent);
+}
+function encryptNIP44(privateKey, recipientPubKey, content) {
+  const privKeyBytes = hexToBytes(privateKey);
+  const conversationKey = nip44.v2.utils.getConversationKey(privKeyBytes, recipientPubKey);
+  return nip44.v2.encrypt(content, conversationKey);
+}
+function decryptNIP44(privateKey, senderPubKey, encryptedContent) {
+  const privKeyBytes = hexToBytes(privateKey);
+  const conversationKey = nip44.v2.utils.getConversationKey(privKeyBytes, senderPubKey);
+  return nip44.v2.decrypt(encryptedContent, conversationKey);
+}
+function createSignedEvent(kind2, content, tags, privateKey) {
+  const event = {
+    kind: kind2,
+    content,
+    tags,
+    created_at: Math.floor(Date.now() / 1e3)
+  };
+  return finalizeEvent(event, hexToBytes(privateKey));
+}
+function createDMEvent(recipientPubKey, encryptedContent, privateKey) {
+  return createSignedEvent(
+    4,
+    // NIP-04 encrypted DM
+    encryptedContent,
+    [["p", recipientPubKey]],
+    privateKey
+  );
+}
+function isValidHexPubKey(str2) {
+  return typeof str2 === "string" && /^[0-9a-fA-F]{64}$/.test(str2);
+}
+function isValidNpub(str2) {
+  if (typeof str2 !== "string" || !str2.startsWith("npub1")) {
+    return false;
+  }
+  try {
+    const decoded = nip19.decode(str2);
+    return decoded.type === "npub";
+  } catch {
+    return false;
+  }
+}
+function generateNonce$1() {
+  return Date.now().toString(36) + Math.random().toString(36).substring(2, 15);
+}
+function signEvent(event, privateKey) {
+  const eventToSign = {
+    kind: event.kind,
+    content: event.content,
+    tags: event.tags || [],
+    created_at: event.created_at || Math.floor(Date.now() / 1e3)
+  };
+  return finalizeEvent(eventToSign, hexToBytes(privateKey));
+}
+function verifyEvent(event) {
+  return verifyEvent$1(event);
+}
+const nostrUtils = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  NDK,
+  NDKEvent,
+  NDKPrivateKeySigner,
+  NDKSubscriptionCacheUsage,
+  NDKUser,
+  bytesToHex,
+  createDMEvent,
+  createSignedEvent,
+  decryptNIP04,
+  decryptNIP44,
+  encryptNIP04,
+  encryptNIP44,
+  generateNonce: generateNonce$1,
+  getPublicKey: getPublicKey$1,
+  hexToBytes,
+  hexToNpub,
+  isValidHexPubKey,
+  isValidNpub,
+  npubToHex,
+  parseNpubOrHex,
+  shortenNpub,
+  shortenPubKey,
+  signEvent,
+  verifyEvent
+}, Symbol.toStringTag, { value: "Module" }));
+function generateLensKey() {
+  return randomBytes$1(32);
+}
+function uint8ToBase64(bytes2) {
+  if (typeof btoa === "function") {
+    return btoa(String.fromCharCode(...bytes2));
+  }
+  return Buffer.from(bytes2).toString("base64");
+}
+function base64ToUint8(base64) {
+  if (typeof atob === "function") {
+    const binary = atob(base64);
+    const bytes2 = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes2[i] = binary.charCodeAt(i);
+    }
+    return bytes2;
+  }
+  return new Uint8Array(Buffer.from(base64, "base64"));
+}
+function encryptWithKey(key, plaintext) {
+  const iv = randomBytes$1(12);
+  const aes = gcm(key, iv);
+  const plaintextBytes = new TextEncoder().encode(plaintext);
+  const ciphertext = aes.encrypt(plaintextBytes);
+  const combined = new Uint8Array(iv.length + ciphertext.length);
+  combined.set(iv, 0);
+  combined.set(ciphertext, iv.length);
+  return uint8ToBase64(combined);
+}
+function decryptWithKey(key, ciphertext) {
+  const data = base64ToUint8(ciphertext);
+  const iv = data.slice(0, 12);
+  const encrypted = data.slice(12);
+  const aes = gcm(key, iv);
+  const decrypted = aes.decrypt(encrypted);
+  return new TextDecoder().decode(decrypted);
+}
+function wrapKeyForRecipient(lensKey, senderPrivKey, recipientPubKey) {
+  const keyBase64 = uint8ToBase64(lensKey);
+  return encryptNIP44(senderPrivKey, recipientPubKey, keyBase64);
+}
+function unwrapKey(wrappedKey, recipientPrivKey, senderPubKey) {
+  const keyBase64 = decryptNIP44(recipientPrivKey, senderPubKey, wrappedKey);
+  return base64ToUint8(keyBase64);
+}
+function serializeLensKey(lensKey, ownerPrivKey, ownerPubKey) {
+  return {
+    wrappedKey: wrapKeyForRecipient(lensKey, ownerPrivKey, ownerPubKey),
+    algorithm: "aes-256-gcm",
+    keyWrap: "nip44",
+    version: "1.0"
+  };
+}
+function deserializeLensKey(keyData, ownerPrivKey, ownerPubKey) {
+  if (keyData.version !== "1.0") {
+    throw new Error(`Unsupported lens key version: ${keyData.version}`);
+  }
+  return unwrapKey(keyData.wrappedKey, ownerPrivKey, ownerPubKey);
+}
+function isEncrypted(content) {
+  if (!content || typeof content !== "string") return false;
+  const trimmed = content.trim();
+  if (trimmed.startsWith("{") || trimmed.startsWith("[")) {
+    return false;
+  }
+  if (content.length < 38) return false;
+  try {
+    const decoded = base64ToUint8(content);
+    return decoded.length >= 29;
+  } catch {
+    return false;
+  }
+}
+const lensKeys = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  decryptWithKey,
+  deserializeLensKey,
+  encryptWithKey,
+  generateLensKey,
+  isEncrypted,
+  serializeLensKey,
+  unwrapKey,
+  wrapKeyForRecipient
+}, Symbol.toStringTag, { value: "Module" }));
 const globalSubscriptions = /* @__PURE__ */ new Map();
 const singlePathSubscriptions = /* @__PURE__ */ new Map();
 const pendingQueries = /* @__PURE__ */ new Map();
 const QUERY_DEDUP_WINDOW = 2e3;
+function _parseEventContent(event, lensKey = null) {
+  if (!event || !event.content) return null;
+  try {
+    const encryptedTag = event.tags?.find((t) => t[0] === "encrypted");
+    const isSymmetricEncrypted = encryptedTag && encryptedTag[1] === "symmetric";
+    if (isSymmetricEncrypted) {
+      if (!lensKey) {
+        return null;
+      }
+      const decrypted = decryptWithKey(lensKey, event.content);
+      return JSON.parse(decrypted);
+    } else {
+      return JSON.parse(event.content);
+    }
+  } catch (error) {
+    return null;
+  }
+}
 async function nostrPut(client, path, data, kindOrOptions = 3e4) {
   const options = typeof kindOrOptions === "number" ? { kind: kindOrOptions } : kindOrOptions;
   const kind2 = options.kind || 3e4;
+  const { lensKey } = options;
+  let content;
+  const tags = [["d", path]];
+  if (lensKey) {
+    content = encryptWithKey(lensKey, JSON.stringify(data));
+    tags.push(["encrypted", "symmetric"]);
+  } else {
+    content = JSON.stringify(data);
+  }
   const dataEvent = {
     kind: kind2,
     created_at: Math.floor(Date.now() / 1e3),
-    tags: [
-      ["d", path]
-      // d-tag for parameterized replaceable events
-    ],
-    content: JSON.stringify(data)
+    tags,
+    content
+  };
+  const publishOptions = {
+    ...options.signingKey && { signingKey: options.signingKey },
+    ...options.waitForRelays && { waitForRelays: options.waitForRelays }
   };
-  const publishOptions = options.signingKey ? { signingKey: options.signingKey } : {};
   const result = await client.publish(dataEvent, publishOptions);
   return result;
 }
 async function nostrGet(client, path, kind2 = 3e4, options = {}) {
   const timeout = options.timeout !== void 0 ? options.timeout : 3e4;
   const authors = options.authors || [client.publicKey];
+  const { lensKey } = options;
   if (!options.skipCache && client.getCachedByPath) {
     const cachedEvent = client.getCachedByPath(path, kind2);
     if (cachedEvent && cachedEvent.content) {
       if (authors.includes(cachedEvent.pubkey)) {
-        try {
-          const data = JSON.parse(cachedEvent.content);
-          if (!data || data._deleted) {
-            return null;
-          }
-          if (options.includeAuthor) {
-            data._author = cachedEvent.pubkey;
-          }
-          return data;
-        } catch (error) {
+        const data = _parseEventContent(cachedEvent, lensKey);
+        if (!data || data._deleted) {
+          return null;
+        }
+        if (options.includeAuthor) {
+          data._author = cachedEvent.pubkey;
         }
+        return data;
       }
     }
   }
@@ -22626,21 +23420,20 @@ async function nostrGet(client, path, kind2 = 3e4, options = {}) {
     if (persistedEvent && persistedEvent.content) {
       if (!authors.includes(persistedEvent.pubkey)) ;
       else {
-        try {
-          const data = JSON.parse(persistedEvent.content);
-          if (!data || data._deleted) {
+        const data = _parseEventContent(persistedEvent, lensKey);
+        if (!data || data._deleted) {
+          if (persistedEvent.tags?.find((t) => t[0] === "encrypted") && !lensKey) {
             return null;
           }
-          if (options.includeAuthor) {
-            data._author = persistedEvent.pubkey;
-          }
-          if (client.refreshPathInBackground) {
-            client.refreshPathInBackground(path, kind2, { authors, timeout });
-          }
-          return data;
-        } catch (error) {
-          console.warn("[nostrGet] Failed to parse persisted event:", error);
+          return null;
+        }
+        if (options.includeAuthor) {
+          data._author = persistedEvent.pubkey;
         }
+        if (client.refreshPathInBackground) {
+          client.refreshPathInBackground(path, kind2, { authors, timeout });
+        }
+        return data;
       }
     }
   }
@@ -22665,6 +23458,7 @@ async function nostrGet(client, path, kind2 = 3e4, options = {}) {
   return queryPromise;
 }
 async function _executeNostrGet(client, path, kind2, authors, timeout, options) {
+  const { lensKey } = options;
   const filter = {
     kinds: [kind2],
     authors,
@@ -22673,29 +23467,26 @@ async function _executeNostrGet(client, path, kind2, authors, timeout, options)
     limit: authors.length
     // Increase limit to get events from all authors
   };
-  const events = await client.query(filter, { timeout });
+  const events = await client.query(filter, { timeout, forceRelay: options.forceRelay });
   const authoredEvents = events.filter((event2) => authors.includes(event2.pubkey));
   if (authoredEvents.length === 0) {
     return null;
   }
   const event = authoredEvents.sort((a, b2) => b2.created_at - a.created_at)[0];
-  try {
-    const data = JSON.parse(event.content);
-    if (!data || data._deleted) {
-      return null;
-    }
-    if (options.includeAuthor) {
-      data._author = event.pubkey;
-    }
-    return data;
-  } catch (error) {
+  const data = _parseEventContent(event, lensKey);
+  if (!data || data._deleted) {
     return null;
   }
+  if (options.includeAuthor) {
+    data._author = event.pubkey;
+  }
+  return data;
 }
 async function nostrGetAll(client, pathPrefix, kind2 = 3e4, options = {}) {
   const timeout = options.timeout !== void 0 ? options.timeout : 3e4;
   const limit2 = options.limit || 1e3;
   const authors = options.authors || [client.publicKey];
+  const { lensKey } = options;
   if (!options.skipPersistent && client.persistentGetAll) {
     const persistedEvents = await client.persistentGetAll(pathPrefix);
     if (persistedEvents.length > 0) {
@@ -22708,18 +23499,15 @@ async function nostrGetAll(client, pathPrefix, kind2 = 3e4, options = {}) {
         const path = dTag[1];
         const existing = byPath.get(path);
         if (!existing || event.created_at > existing.created_at) {
-          try {
-            const data = JSON.parse(event.content);
-            if (!data || data._deleted) {
-              byPath.delete(path);
-              continue;
-            }
-            if (options.includeAuthor) {
-              data._author = event.pubkey;
-            }
-            byPath.set(path, { data, created_at: event.created_at });
-          } catch (error) {
+          const data = _parseEventContent(event, lensKey);
+          if (!data || data._deleted) {
+            byPath.delete(path);
+            continue;
           }
+          if (options.includeAuthor) {
+            data._author = event.pubkey;
+          }
+          byPath.set(path, { data, created_at: event.created_at });
         }
       }
       if (client.refreshPrefixInBackground) {
@@ -22749,6 +23537,7 @@ async function nostrGetAll(client, pathPrefix, kind2 = 3e4, options = {}) {
   return queryPromise;
 }
 async function _executeNostrGetAll(client, pathPrefix, kind2, authors, timeout, limit2, options) {
+  const { lensKey } = options;
   const filter = {
     kinds: [kind2],
     authors,
@@ -22766,18 +23555,15 @@ async function _executeNostrGetAll(client, pathPrefix, kind2, authors, timeout,
     const dTag = event.tags.find((t) => t[0] === "d")[1];
     const existing = byPath.get(dTag);
     if (!existing || event.created_at > existing.created_at) {
-      try {
-        const data = JSON.parse(event.content);
-        if (!data || data._deleted) {
-          byPath.delete(dTag);
-          continue;
-        }
-        if (options.includeAuthor) {
-          data._author = event.pubkey;
-        }
-        byPath.set(dTag, { data, created_at: event.created_at });
-      } catch (error) {
+      const data = _parseEventContent(event, lensKey);
+      if (!data || data._deleted) {
+        byPath.delete(dTag);
+        continue;
       }
+      if (options.includeAuthor) {
+        data._author = event.pubkey;
+      }
+      byPath.set(dTag, { data, created_at: event.created_at });
     }
   }
   return Array.from(byPath.values()).map((item) => item.data);
@@ -23014,7 +23800,9 @@ async function nostrSubscribe(client, path, callback, options = {}) {
 }
 async function nostrSubscribeMany(client, pathPrefix, callback, options = {}) {
   const kind2 = options.kind || 3e4;
-  const subscriptionKey = `${client.publicKey}:${kind2}:${pathPrefix}`;
+  const pathParts = pathPrefix.split("/");
+  const targetAuthor = pathParts[1] || client.publicKey;
+  const subscriptionKey = `${targetAuthor}:${kind2}:${pathPrefix}`;
   const existingSub = globalSubscriptions.get(subscriptionKey);
   if (existingSub) {
     existingSub.callbacks.push(callback);
@@ -23042,14 +23830,14 @@ async function nostrSubscribeMany(client, pathPrefix, callback, options = {}) {
       return;
     }
     seenEventIds.add(event.id);
-    if (event.pubkey !== client.publicKey) {
+    if (event.pubkey !== targetAuthor) {
       rejectedCount++;
       const now = Date.now();
       if (now - lastLogTime > LOG_INTERVAL) {
         console.warn("[nostrSubscribeMany] ⚠️ Relay not respecting authors filter!", {
           rejectedCount,
           acceptedCount,
-          expected: client.publicKey,
+          expected: targetAuthor,
           message: "Consider using a different relay or implementing private relay"
         });
         lastLogTime = now;
@@ -23076,10 +23864,12 @@ async function nostrSubscribeMany(client, pathPrefix, callback, options = {}) {
   const subscriptionStartTime = Math.floor(Date.now() / 1e3);
   const dataFilter = {
     kinds: [kind2],
-    authors: [client.publicKey],
+    authors: [targetAuthor],
+    // Use target author (holon ID), not client pubkey
     since: subscriptionStartTime
     // Only get new events after subscription
   };
+  console.log("[nostrSubscribeMany] Subscribing to:", { pathPrefix, targetAuthor: targetAuthor.slice(0, 12), clientPubKey: client.publicKey.slice(0, 12) });
   const dataSubscription = await client.subscribe(dataFilter, handleDataEvent);
   let isDocumentHidden = typeof document !== "undefined" && document.hidden;
   let lastVisibilityCheck = subscriptionStartTime;
@@ -23140,7 +23930,10 @@ function encodePathComponent(component) {
 }
 async function write$1(client, path, data, options = {}) {
   try {
-    const putOptions = options.signingKey ? { signingKey: options.signingKey } : {};
+    const putOptions = {
+      ...options.signingKey && { signingKey: options.signingKey },
+      ...options.waitForRelays && { waitForRelays: options.waitForRelays }
+    };
     const result = await nostrPut(client, path, data, putOptions);
     const success = result.results.length === 0 ? true : result.results.some((r) => r.status === "fulfilled");
     return success;
@@ -23222,14 +24015,14 @@ async function subscribe$1(client, path, callback, options = {}) {
 function buildPath(appName, holonId, lensName, key = null) {
   return buildPath$1(appName, holonId, lensName, key);
 }
-async function write(client, path, data) {
+async function write(client, path, data, options = {}) {
   if (client.write && client.gun) {
-    return client.write(path, data);
+    return client.write(path, data, options);
   }
   if (client.gun) {
     return write$2(client.gun, path, data);
   }
-  return write$1(client, path, data);
+  return write$1(client, path, data, options);
 }
 async function read(client, path, options = {}) {
   if (client.read && client.gun) {
@@ -23432,77 +24225,6 @@ const assert$1 = {
   exists: exists$1,
   output: output$1
 };
-/*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const u8a$1 = (a) => a instanceof Uint8Array;
-const createView$1 = (arr) => new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
-const rotr$1 = (word, shift) => word << 32 - shift | word >>> shift;
-const isLE$1 = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
-if (!isLE$1)
-  throw new Error("Non little-endian hardware is not supported");
-const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, "0"));
-function bytesToHex$1(bytes2) {
-  if (!u8a$1(bytes2))
-    throw new Error("Uint8Array expected");
-  let hex2 = "";
-  for (let i = 0; i < bytes2.length; i++) {
-    hex2 += hexes[bytes2[i]];
-  }
-  return hex2;
-}
-function hexToBytes$1(hex2) {
-  if (typeof hex2 !== "string")
-    throw new Error("hex string expected, got " + typeof hex2);
-  const len = hex2.length;
-  if (len % 2)
-    throw new Error("padded hex string expected, got unpadded hex of length " + len);
-  const array = new Uint8Array(len / 2);
-  for (let i = 0; i < array.length; i++) {
-    const j = i * 2;
-    const hexByte = hex2.slice(j, j + 2);
-    const byte = Number.parseInt(hexByte, 16);
-    if (Number.isNaN(byte) || byte < 0)
-      throw new Error("Invalid byte sequence");
-    array[i] = byte;
-  }
-  return array;
-}
-function utf8ToBytes$1(str2) {
-  if (typeof str2 !== "string")
-    throw new Error(`utf8ToBytes expected string, got ${typeof str2}`);
-  return new Uint8Array(new TextEncoder().encode(str2));
-}
-function toBytes$1(data) {
-  if (typeof data === "string")
-    data = utf8ToBytes$1(data);
-  if (!u8a$1(data))
-    throw new Error(`expected Uint8Array, got ${typeof data}`);
-  return data;
-}
-function concatBytes$1(...arrays) {
-  const r = new Uint8Array(arrays.reduce((sum, a) => sum + a.length, 0));
-  let pad = 0;
-  arrays.forEach((a) => {
-    if (!u8a$1(a))
-      throw new Error("Uint8Array expected");
-    r.set(a, pad);
-    pad += a.length;
-  });
-  return r;
-}
-let Hash$1 = class Hash5 {
-  // Safe version that clones internal state
-  clone() {
-    return this._cloneInto();
-  }
-};
-function wrapConstructor$1(hashCons) {
-  const hashC = (msg) => hashCons().update(toBytes$1(msg)).digest();
-  const tmp = hashCons();
-  hashC.outputLen = tmp.outputLen;
-  hashC.blockLen = tmp.blockLen;
-  hashC.create = () => hashCons();
-  return hashC;
-}
 function setBigUint64(view, byteOffset, value, isLE2) {
   if (typeof view.setBigUint64 === "function")
     return view.setBigUint64(byteOffset, value, isLE2);
@@ -23766,15 +24488,15 @@ class SHA224 extends SHA256 {
 }
 const sha256 = wrapConstructor$1(() => new SHA256());
 wrapConstructor$1(() => new SHA224());
-function getPublicKey$1(privateKey) {
-  const pubKey = secp256k1$1.getPublicKey(privateKey);
+function getPublicKey(privateKey) {
+  const pubKey = schnorr.getPublicKey(privateKey);
   return bytesToHex$1(pubKey);
 }
 async function sign(content, privateKey) {
   try {
     const msgHash = hashContent(content);
-    const signature = secp256k1$1.sign(msgHash, privateKey);
-    return signature.toCompactHex();
+    const signature = schnorr.sign(msgHash, privateKey);
+    return bytesToHex$1(signature);
   } catch (error) {
     throw new Error(`Signature generation failed: ${error.message}`);
   }
@@ -23785,7 +24507,7 @@ async function verify(content, signature, publicKey) {
       throw new Error("Invalid public key format");
     }
     const msgHash = hashContent(content);
-    const isValid = secp256k1$1.verify(signature, msgHash, publicKey);
+    const isValid = schnorr.verify(signature, msgHash, publicKey);
     return isValid;
   } catch (error) {
     if (error.message === "Invalid public key format") {
@@ -23840,12 +24562,12 @@ async function issueCapability$1(permissions, scope, recipient, options = {}) {
     issuer,
     isSelfCapability: selfCap,
     // Mark self-capabilities for clarity
-    nonce: generateNonce$1(),
+    nonce: generateNonce(),
     issued: Date.now(),
     expires: Date.now() + expiresIn
   };
   const payload = JSON.stringify(token);
-  const encoded = Buffer.from ? Buffer.from(payload).toString("base64") : btoa(payload);
+  const encoded = typeof btoa === "function" ? btoa(payload) : Buffer.from(payload).toString("base64");
   if (issuerKey) {
     const signature = await sign(payload, issuerKey);
     return `${encoded}.${signature}`;
@@ -23867,11 +24589,28 @@ async function verifyCapability$1(token, requiredPermission, scope) {
     if (token && typeof token === "object" && token.token) {
       token = token.token;
     }
+    if (token && typeof token === "object" && token.type === "Buffer" && Array.isArray(token.data)) {
+      try {
+        token = String.fromCharCode.apply(null, token.data);
+      } catch (e) {
+        console.log("[verifyCapability] ❌ Failed to decode Buffer object:", e.message);
+        return false;
+      }
+    }
+    if (typeof token === "string" && /^\d+(,\d+)+$/.test(token.substring(0, 50))) {
+      try {
+        const bytes2 = token.split(",").map(Number);
+        token = String.fromCharCode.apply(null, bytes2);
+      } catch (e) {
+        console.log("[verifyCapability] ❌ Failed to decode byte string:", e.message);
+        return false;
+      }
+    }
     if (typeof token === "string") {
       if (token.startsWith("ey") || !token.includes(".") && !token.startsWith("{")) {
         try {
           const payload = token.includes(".") ? token.split(".")[0] : token;
-          const decoded = Buffer.from ? Buffer.from(payload, "base64").toString("utf8") : atob(payload);
+          const decoded = typeof atob === "function" ? atob(payload) : Buffer.from(payload, "base64").toString("utf8");
           tokenObj = JSON.parse(decoded);
         } catch (e) {
           console.log("[verifyCapability] ❌ Token is not valid base64 JSON:", {
@@ -23933,7 +24672,86 @@ async function verifyCapability$1(token, requiredPermission, scope) {
     return false;
   }
 }
-function generateNonce$1() {
+async function verifyCapabilityIssuer(token, expectedIssuer) {
+  try {
+    if (token && typeof token === "object" && token.token) {
+      token = token.token;
+    }
+    if (token && typeof token === "object" && token.type === "Buffer" && Array.isArray(token.data)) {
+      token = String.fromCharCode.apply(null, token.data);
+    }
+    if (typeof token !== "string") {
+      console.log("[verifyCapabilityIssuer] ❌ Token is not a string");
+      return false;
+    }
+    let payload;
+    let signature;
+    let tokenObj;
+    if (token.includes(".")) {
+      const parts = token.split(".");
+      const encodedPayload = parts[0];
+      signature = parts[1];
+      const decoded = typeof atob === "function" ? atob(encodedPayload) : Buffer.from(encodedPayload, "base64").toString("utf8");
+      payload = decoded;
+      tokenObj = JSON.parse(decoded);
+    } else if (token.startsWith("ey")) {
+      const decoded = typeof atob === "function" ? atob(token) : Buffer.from(token, "base64").toString("utf8");
+      payload = decoded;
+      tokenObj = JSON.parse(decoded);
+    } else if (token.startsWith("{")) {
+      payload = token;
+      tokenObj = JSON.parse(token);
+    } else {
+      console.log("[verifyCapabilityIssuer] ❌ Unknown token format");
+      return false;
+    }
+    if (tokenObj.issuer !== expectedIssuer) {
+      console.log("[verifyCapabilityIssuer] ❌ Issuer mismatch:", {
+        tokenIssuer: tokenObj.issuer?.slice(0, 12) + "...",
+        expectedIssuer: expectedIssuer?.slice(0, 12) + "..."
+      });
+      return false;
+    }
+    if (signature) {
+      const signatureValid = await verify(payload, signature, expectedIssuer);
+      if (!signatureValid) {
+        console.log("[verifyCapabilityIssuer] ❌ Signature verification failed - capability not signed by claimed issuer");
+        return false;
+      }
+    } else {
+      console.log("[verifyCapabilityIssuer] ⚠️ Token has no signature - cannot verify cryptographically");
+    }
+    console.log("[verifyCapabilityIssuer] ✅ Issuer verified");
+    return true;
+  } catch (error) {
+    console.log("[verifyCapabilityIssuer] ❌ Error:", error.message);
+    return false;
+  }
+}
+function decodeCapability(token) {
+  try {
+    if (token && typeof token === "object" && token.token) {
+      token = token.token;
+    }
+    if (token && typeof token === "object" && token.type === "Buffer" && Array.isArray(token.data)) {
+      token = String.fromCharCode.apply(null, token.data);
+    }
+    if (typeof token !== "string") {
+      return null;
+    }
+    if (token.startsWith("ey") || !token.includes(".") && !token.startsWith("{")) {
+      const payload = token.includes(".") ? token.split(".")[0] : token;
+      const decoded = typeof atob === "function" ? atob(payload) : Buffer.from(payload, "base64").toString("utf8");
+      return JSON.parse(decoded);
+    } else if (token.startsWith("{")) {
+      return JSON.parse(token);
+    }
+    return null;
+  } catch (error) {
+    return null;
+  }
+}
+function generateNonce() {
   return Date.now().toString(36) + Math.random().toString(36).substring(2, 15);
 }
 function hashContent(content) {
@@ -23945,18 +24763,45 @@ function hashContent(content) {
 }
 const secp256k1 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
   __proto__: null,
-  getPublicKey: getPublicKey$1,
+  decodeCapability,
+  getPublicKey,
   issueCapability: issueCapability$1,
   issueSelfCapability,
   matchScope,
   sign,
   verify,
-  verifyCapability: verifyCapability$1
+  verifyCapability: verifyCapability$1,
+  verifyCapabilityIssuer
 }, Symbol.toStringTag, { value: "Module" }));
 const FEDERATION_TABLE = "federations";
-async function getFederationRegistry(client, appname) {
-  const registry2 = await readGlobal(client, appname, FEDERATION_TABLE, client.publicKey);
-  return registry2 || {
+const registryCache = /* @__PURE__ */ new Map();
+const CACHE_TTL_MS = 1e4;
+function buildPartnerIndex(federatedWith) {
+  const index = /* @__PURE__ */ new Map();
+  for (const partner of federatedWith) {
+    if (partner.pubKey) {
+      index.set(partner.pubKey, partner);
+    }
+  }
+  return index;
+}
+function getCacheKey(client, appname) {
+  return `${client.publicKey}:${appname}`;
+}
+function invalidateRegistryCache(client, appname) {
+  const key = getCacheKey(client, appname);
+  registryCache.delete(key);
+}
+async function getFederationRegistry(client, appname, options = {}) {
+  const cacheKey = getCacheKey(client, appname);
+  const now = Date.now();
+  if (!options.skipCache) {
+    const cached = registryCache.get(cacheKey);
+    if (cached && now - cached.timestamp < CACHE_TTL_MS) {
+      return cached.registry;
+    }
+  }
+  const registry2 = await readGlobal(client, appname, FEDERATION_TABLE, client.publicKey) || {
     id: client.publicKey,
     federatedWith: [],
     discoveryEnabled: false,
@@ -23964,8 +24809,25 @@ async function getFederationRegistry(client, appname) {
     defaultScope: { holonId: "*", lensName: "*" },
     defaultPermissions: ["read"]
   };
+  const partnerIndex = buildPartnerIndex(registry2.federatedWith || []);
+  registryCache.set(cacheKey, {
+    registry: registry2,
+    partnerIndex,
+    timestamp: now
+  });
+  return registry2;
+}
+async function getPartnerFromIndex(client, appname, partnerPubKey) {
+  const cacheKey = getCacheKey(client, appname);
+  await getFederationRegistry(client, appname);
+  const cached = registryCache.get(cacheKey);
+  if (cached && cached.partnerIndex) {
+    return cached.partnerIndex.get(partnerPubKey) || null;
+  }
+  return null;
 }
 async function saveFederationRegistry(client, appname, registry2) {
+  invalidateRegistryCache(client, appname);
   return writeGlobal(client, appname, FEDERATION_TABLE, registry2);
 }
 async function addFederatedPartner(client, appname, partnerPubKey, options = {}) {
@@ -23977,10 +24839,16 @@ async function addFederatedPartner(client, appname, partnerPubKey, options = {})
       existing.alias = options.alias;
     }
     if (options.inboundCapabilities) {
-      existing.inboundCapabilities = [
+      const allCaps = [
         ...existing.inboundCapabilities || [],
         ...options.inboundCapabilities
       ];
+      const seen = /* @__PURE__ */ new Map();
+      for (const cap of allCaps) {
+        const scopeKey = `${cap.scope?.holonId}:${cap.scope?.lensName}:${cap.scope?.dataId}`;
+        seen.set(scopeKey, cap);
+      }
+      existing.inboundCapabilities = Array.from(seen.values());
     }
     existing.updatedAt = Date.now();
     registry2.federatedWith[existingIndex] = existing;
@@ -24010,65 +24878,31 @@ async function getFederatedAuthors(client, appname) {
   return registry2.federatedWith.map((p) => p.pubKey);
 }
 async function getFederatedPartner(client, appname, partnerPubKey) {
-  const registry2 = await getFederationRegistry(client, appname);
-  return registry2.federatedWith.find((p) => p.pubKey === partnerPubKey) || null;
+  return getPartnerFromIndex(client, appname, partnerPubKey);
 }
 async function getCapabilityForAuthor(client, appname, authorPubKey, scope) {
-  const registry2 = await getFederationRegistry(client, appname);
-  console.log("[Registry] 🔍 getCapabilityForAuthor called:", {
-    authorPubKey: authorPubKey?.slice(0, 12) + "...",
-    scope,
-    federatedWithCount: registry2.federatedWith?.length || 0,
-    federatedPartners: registry2.federatedWith?.map((p) => p.pubKey?.slice(0, 12) + "...") || []
-  });
-  const partner = registry2.federatedWith.find((p) => p.pubKey === authorPubKey);
+  const partner = await getPartnerFromIndex(client, appname, authorPubKey);
   if (!partner) {
-    console.log("[Registry] ❌ Partner not found in federatedWith");
     return null;
   }
   if (!partner.inboundCapabilities || partner.inboundCapabilities.length === 0) {
-    console.log("[Registry] ❌ Partner has no inboundCapabilities:", {
-      partnerPubKey: authorPubKey?.slice(0, 12) + "...",
-      hasInboundCaps: !!partner.inboundCapabilities,
-      inboundCapsLength: partner.inboundCapabilities?.length || 0
-    });
     return null;
   }
-  console.log("[Registry] Partner found with inboundCapabilities:", {
-    partnerPubKey: authorPubKey?.slice(0, 12) + "...",
-    capsCount: partner.inboundCapabilities.length,
-    capScopes: partner.inboundCapabilities.map((c) => c.scope)
-  });
-  const result = partner.inboundCapabilities.find((cap) => {
-    if (cap.expires && cap.expires < Date.now()) {
-      console.log("[Registry] Capability expired:", { expires: cap.expires, now: Date.now() });
-      return false;
+  const now = Date.now();
+  for (const cap of partner.inboundCapabilities) {
+    if (cap.expires && cap.expires < now) {
+      continue;
+    }
+    if (matchScope(cap.scope, scope)) {
+      return cap;
     }
-    const matches = matchScope(cap.scope, scope);
-    console.log("[Registry] Scope match check:", {
-      capScope: cap.scope,
-      requestedScope: scope,
-      matches
-    });
-    return matches;
-  }) || null;
-  if (result) {
-    console.log("[Registry] ✅ Matching capability found");
-  } else {
-    console.log("[Registry] ❌ No matching capability found");
   }
-  return result;
+  return null;
 }
 async function storeInboundCapability(client, appname, partnerPubKey, capabilityInfo) {
-  console.log("[Registry] 📥 storeInboundCapability called:", {
-    partnerPubKey: partnerPubKey?.slice(0, 12) + "...",
-    scope: capabilityInfo?.scope,
-    hasToken: !!capabilityInfo?.token
-  });
   const registry2 = await getFederationRegistry(client, appname);
   const partner = registry2.federatedWith.find((p) => p.pubKey === partnerPubKey);
   if (!partner) {
-    console.log("[Registry] Partner not in registry, auto-adding with capability");
     return addFederatedPartner(client, appname, partnerPubKey, {
       addedVia: "capability_received",
       inboundCapabilities: [capabilityInfo]
@@ -24081,21 +24915,17 @@ async function storeInboundCapability(client, appname, partnerPubKey, capability
     (cap) => JSON.stringify(cap.scope) === JSON.stringify(capabilityInfo.scope)
   );
   if (existingIndex >= 0) {
-    console.log("[Registry] Updating existing capability at index:", existingIndex);
     partner.inboundCapabilities[existingIndex] = {
       ...capabilityInfo,
       updatedAt: Date.now()
     };
   } else {
-    console.log("[Registry] Adding new capability, total will be:", partner.inboundCapabilities.length + 1);
     partner.inboundCapabilities.push({
       ...capabilityInfo,
       receivedAt: Date.now()
     });
   }
-  const result = await saveFederationRegistry(client, appname, registry2);
-  console.log("[Registry] ✅ Capability stored, registry saved:", result);
-  return result;
+  return saveFederationRegistry(client, appname, registry2);
 }
 async function storeOutboundCapability(client, appname, partnerPubKey, capabilityInfo) {
   const registry2 = await getFederationRegistry(client, appname);
@@ -24253,19 +25083,412 @@ async function getSelfCapability(client, appname, scope) {
 function isSelfCapability(capabilityInfo) {
   return capabilityInfo && capabilityInfo.isSelfCapability === true;
 }
+async function grantWriteAccessToHolon(client, appname, holonId, lensName, options = {}) {
+  console.warn("[Deprecated] grantWriteAccessToHolon() is deprecated. Use grantAccess() instead.");
+  const registry2 = await getFederationRegistry(client, appname);
+  let partner = registry2.federatedWith.find((p) => p.pubKey === holonId);
+  if (!partner) {
+    partner = {
+      pubKey: holonId,
+      alias: null,
+      addedAt: Date.now(),
+      addedVia: "write_grant",
+      inboundCapabilities: [],
+      outboundCapabilities: [],
+      writeGrants: []
+    };
+    registry2.federatedWith.push(partner);
+  }
+  if (!partner.writeGrants) {
+    partner.writeGrants = [];
+  }
+  const existingIndex = partner.writeGrants.findIndex((g) => g.lensName === lensName);
+  const grant = {
+    lensName,
+    grantedAt: Date.now(),
+    expiresAt: options.expiresAt || null
+  };
+  if (existingIndex >= 0) {
+    partner.writeGrants[existingIndex] = grant;
+  } else {
+    partner.writeGrants.push(grant);
+  }
+  return saveFederationRegistry(client, appname, registry2);
+}
+async function revokeWriteAccess(client, appname, holonId, lensName) {
+  console.warn("[Deprecated] revokeWriteAccess() is deprecated. Use revokeAccess() instead.");
+  const registry2 = await getFederationRegistry(client, appname);
+  const partner = registry2.federatedWith.find((p) => p.pubKey === holonId);
+  if (!partner || !partner.writeGrants) {
+    return false;
+  }
+  const initialLength = partner.writeGrants.length;
+  partner.writeGrants = partner.writeGrants.filter((g) => g.lensName !== lensName);
+  if (partner.writeGrants.length === initialLength) {
+    return false;
+  }
+  return saveFederationRegistry(client, appname, registry2);
+}
+async function getWriteGrantsForHolon(client, appname, holonId) {
+  console.warn("[Deprecated] getWriteGrantsForHolon() is deprecated. Use getAccessGrants() instead.");
+  const registry2 = await getFederationRegistry(client, appname);
+  const partner = registry2.federatedWith.find((p) => p.pubKey === holonId);
+  if (!partner || !partner.writeGrants) {
+    return [];
+  }
+  const now = Date.now();
+  return partner.writeGrants.filter((g) => !g.expiresAt || g.expiresAt > now);
+}
+async function hasWriteAccess(client, appname, holonId, lensName) {
+  console.warn("[Deprecated] hasWriteAccess() is deprecated. Use findAccessGrant() instead.");
+  const grants = await getWriteGrantsForHolon(client, appname, holonId);
+  return grants.some((g) => g.lensName === lensName || g.lensName === "*");
+}
+async function getAllWriteGrants(client, appname) {
+  console.warn("[Deprecated] getAllWriteGrants() is deprecated. Use getAccessGrants() instead.");
+  const registry2 = await getFederationRegistry(client, appname);
+  const now = Date.now();
+  const results = [];
+  for (const partner of registry2.federatedWith) {
+    if (partner.writeGrants && partner.writeGrants.length > 0) {
+      const validGrants = partner.writeGrants.filter((g) => !g.expiresAt || g.expiresAt > now);
+      if (validGrants.length > 0) {
+        results.push({
+          holonId: partner.pubKey,
+          alias: partner.alias,
+          writeGrants: validGrants
+        });
+      }
+    }
+  }
+  return results;
+}
+async function grantAccess(client, appname, partnerPubKey, scope, permissions, options = {}) {
+  const registry2 = await getFederationRegistry(client, appname);
+  const { expiresAt = null, capabilityToken = null, direction = "inbound" } = options;
+  let partner = registry2.federatedWith.find((p) => p.pubKey === partnerPubKey);
+  if (!partner) {
+    partner = {
+      pubKey: partnerPubKey,
+      alias: null,
+      addedAt: Date.now(),
+      addedVia: "access_grant",
+      inboundCapabilities: [],
+      outboundCapabilities: [],
+      writeGrants: [],
+      accessGrants: []
+      // New unified array
+    };
+    registry2.federatedWith.push(partner);
+  }
+  if (!partner.accessGrants) {
+    partner.accessGrants = [];
+  }
+  const normalizedScope = {
+    holonId: scope.holonId || "*",
+    lensName: scope.lensName || "*"
+  };
+  const existingIndex = partner.accessGrants.findIndex(
+    (g) => g.scope.holonId === normalizedScope.holonId && g.scope.lensName === normalizedScope.lensName && g.direction === direction
+  );
+  const grant = {
+    scope: normalizedScope,
+    permissions: [...permissions],
+    grantedAt: Date.now(),
+    expiresAt,
+    capabilityToken,
+    direction
+  };
+  if (existingIndex >= 0) {
+    partner.accessGrants[existingIndex] = grant;
+  } else {
+    partner.accessGrants.push(grant);
+  }
+  return saveFederationRegistry(client, appname, registry2);
+}
+async function revokeAccess(client, appname, partnerPubKey, scope, permissions = null, options = {}) {
+  const registry2 = await getFederationRegistry(client, appname);
+  const { direction = "inbound" } = options;
+  const partner = registry2.federatedWith.find((p) => p.pubKey === partnerPubKey);
+  if (!partner || !partner.accessGrants) {
+    return false;
+  }
+  const normalizedScope = {
+    holonId: scope.holonId || "*",
+    lensName: scope.lensName || "*"
+  };
+  const grantIndex = partner.accessGrants.findIndex(
+    (g) => g.scope.holonId === normalizedScope.holonId && g.scope.lensName === normalizedScope.lensName && g.direction === direction
+  );
+  if (grantIndex < 0) {
+    return false;
+  }
+  if (permissions === null) {
+    partner.accessGrants.splice(grantIndex, 1);
+  } else {
+    const grant = partner.accessGrants[grantIndex];
+    grant.permissions = grant.permissions.filter((p) => !permissions.includes(p));
+    if (grant.permissions.length === 0) {
+      partner.accessGrants.splice(grantIndex, 1);
+    }
+  }
+  return saveFederationRegistry(client, appname, registry2);
+}
+async function findAccessGrant(client, appname, partnerPubKey, scope, permission, options = {}) {
+  const registry2 = await getFederationRegistry(client, appname);
+  const { direction = "inbound" } = options;
+  const now = Date.now();
+  const partner = registry2.federatedWith.find((p) => p.pubKey === partnerPubKey);
+  if (!partner) {
+    return null;
+  }
+  if (partner.accessGrants && partner.accessGrants.length > 0) {
+    for (const grant of partner.accessGrants) {
+      if (grant.expiresAt && grant.expiresAt < now) {
+        continue;
+      }
+      if (grant.direction !== direction) {
+        continue;
+      }
+      if (!grant.permissions.includes(permission)) {
+        continue;
+      }
+      if (matchScope(grant.scope, scope)) {
+        return grant;
+      }
+    }
+  }
+  if (permission === "read" && direction === "inbound") {
+    if (partner.inboundCapabilities) {
+      for (const cap of partner.inboundCapabilities) {
+        if (cap.expires && cap.expires < now) continue;
+        if (cap.permissions && !cap.permissions.includes("read")) continue;
+        if (matchScope(cap.scope, scope)) {
+          return {
+            scope: cap.scope,
+            permissions: cap.permissions || ["read"],
+            grantedAt: cap.receivedAt || Date.now(),
+            expiresAt: cap.expires || null,
+            capabilityToken: cap.token,
+            direction: "inbound",
+            _legacy: true
+          };
+        }
+      }
+    }
+  }
+  if (permission === "write" && direction === "inbound") {
+    if (partner.writeGrants) {
+      for (const wg of partner.writeGrants) {
+        if (wg.expiresAt && wg.expiresAt < now) continue;
+        if (wg.lensName === scope.lensName || wg.lensName === "*") {
+          return {
+            scope: { holonId: "*", lensName: wg.lensName },
+            permissions: ["write"],
+            grantedAt: wg.grantedAt || Date.now(),
+            expiresAt: wg.expiresAt || null,
+            direction: "inbound",
+            _legacy: true
+          };
+        }
+      }
+    }
+  }
+  return null;
+}
+async function getAccessGrants(client, appname, partnerPubKey, options = {}) {
+  const registry2 = await getFederationRegistry(client, appname);
+  const { direction = "all", includeLegacy = true } = options;
+  const now = Date.now();
+  const partner = registry2.federatedWith.find((p) => p.pubKey === partnerPubKey);
+  if (!partner) {
+    return [];
+  }
+  const results = [];
+  if (partner.accessGrants) {
+    for (const grant of partner.accessGrants) {
+      if (grant.expiresAt && grant.expiresAt < now) continue;
+      if (direction !== "all" && grant.direction !== direction) continue;
+      results.push(grant);
+    }
+  }
+  if (includeLegacy) {
+    if (partner.inboundCapabilities && (direction === "all" || direction === "inbound")) {
+      for (const cap of partner.inboundCapabilities) {
+        if (cap.expires && cap.expires < now) continue;
+        results.push({
+          scope: cap.scope,
+          permissions: cap.permissions || ["read"],
+          grantedAt: cap.receivedAt || Date.now(),
+          expiresAt: cap.expires || null,
+          capabilityToken: cap.token,
+          direction: "inbound",
+          _legacy: true
+        });
+      }
+    }
+    if (partner.writeGrants && (direction === "all" || direction === "inbound")) {
+      for (const wg of partner.writeGrants) {
+        if (wg.expiresAt && wg.expiresAt < now) continue;
+        results.push({
+          scope: { holonId: "*", lensName: wg.lensName },
+          permissions: ["write"],
+          grantedAt: wg.grantedAt || Date.now(),
+          expiresAt: wg.expiresAt || null,
+          direction: "inbound",
+          _legacy: true
+        });
+      }
+    }
+  }
+  return results;
+}
+async function migrateToUnifiedGrants(client, appname) {
+  const registry2 = await getFederationRegistry(client, appname);
+  let migratedPartners = 0;
+  let migratedGrants = 0;
+  for (const partner of registry2.federatedWith) {
+    let partnerModified = false;
+    if (!partner.accessGrants) {
+      partner.accessGrants = [];
+    }
+    if (partner.inboundCapabilities && partner.inboundCapabilities.length > 0) {
+      for (const cap of partner.inboundCapabilities) {
+        const alreadyMigrated = partner.accessGrants.some(
+          (g) => g.scope.holonId === cap.scope?.holonId && g.scope.lensName === cap.scope?.lensName && g.direction === "inbound" && g._migratedFrom === "inboundCapability"
+        );
+        if (!alreadyMigrated && cap.scope) {
+          partner.accessGrants.push({
+            scope: { holonId: cap.scope.holonId || "*", lensName: cap.scope.lensName || "*" },
+            permissions: cap.permissions || ["read"],
+            grantedAt: cap.receivedAt || Date.now(),
+            expiresAt: cap.expires || null,
+            capabilityToken: cap.token,
+            direction: "inbound",
+            _migratedFrom: "inboundCapability"
+          });
+          migratedGrants++;
+          partnerModified = true;
+        }
+      }
+    }
+    if (partner.writeGrants && partner.writeGrants.length > 0) {
+      for (const wg of partner.writeGrants) {
+        const alreadyMigrated = partner.accessGrants.some(
+          (g) => g.scope.lensName === wg.lensName && g.permissions.includes("write") && g.direction === "inbound" && g._migratedFrom === "writeGrant"
+        );
+        if (!alreadyMigrated) {
+          partner.accessGrants.push({
+            scope: { holonId: "*", lensName: wg.lensName },
+            permissions: ["write"],
+            grantedAt: wg.grantedAt || Date.now(),
+            expiresAt: wg.expiresAt || null,
+            direction: "inbound",
+            _migratedFrom: "writeGrant"
+          });
+          migratedGrants++;
+          partnerModified = true;
+        }
+      }
+    }
+    if (partnerModified) {
+      migratedPartners++;
+    }
+  }
+  if (migratedGrants > 0) {
+    await saveFederationRegistry(client, appname, registry2);
+  }
+  return { migratedPartners, migratedGrants };
+}
+function convertLegacyLensConfig(legacyConfig) {
+  if (!legacyConfig) return { version: "2.0", permissions: {} };
+  const permissions = {};
+  for (const lens of legacyConfig.inbound || []) {
+    if (!permissions[lens]) {
+      permissions[lens] = { receive: [], share: [] };
+    }
+    if (!permissions[lens].receive.includes("read")) {
+      permissions[lens].receive.push("read");
+    }
+  }
+  for (const lens of legacyConfig.outbound || []) {
+    if (!permissions[lens]) {
+      permissions[lens] = { receive: [], share: [] };
+    }
+    if (!permissions[lens].share.includes("read")) {
+      permissions[lens].share.push("read");
+    }
+  }
+  for (const lens of legacyConfig.writeInbound || []) {
+    if (!permissions[lens]) {
+      permissions[lens] = { receive: [], share: [] };
+    }
+    if (!permissions[lens].receive.includes("write")) {
+      permissions[lens].receive.push("write");
+    }
+  }
+  for (const lens of legacyConfig.writeOutbound || []) {
+    if (!permissions[lens]) {
+      permissions[lens] = { receive: [], share: [] };
+    }
+    if (!permissions[lens].share.includes("write")) {
+      permissions[lens].share.push("write");
+    }
+  }
+  return { version: "2.0", permissions };
+}
+function convertToLegacyLensConfig(unifiedConfig) {
+  if (!unifiedConfig || !unifiedConfig.permissions) {
+    return { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] };
+  }
+  const legacy = {
+    inbound: [],
+    outbound: [],
+    writeInbound: [],
+    writeOutbound: []
+  };
+  for (const [lensName, perms] of Object.entries(unifiedConfig.permissions)) {
+    if (perms.receive?.includes("read")) {
+      legacy.inbound.push(lensName);
+    }
+    if (perms.share?.includes("read")) {
+      legacy.outbound.push(lensName);
+    }
+    if (perms.receive?.includes("write")) {
+      legacy.writeInbound.push(lensName);
+    }
+    if (perms.share?.includes("write")) {
+      legacy.writeOutbound.push(lensName);
+    }
+  }
+  return legacy;
+}
 const registry = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
   __proto__: null,
   addFederatedPartner,
   cleanupExpiredCapabilities,
+  convertLegacyLensConfig,
+  convertToLegacyLensConfig,
+  findAccessGrant,
+  getAccessGrants,
+  getAllWriteGrants,
   getCapabilityForAuthor,
   getFederatedAuthors,
   getFederatedAuthorsForScope,
   getFederatedPartner,
   getFederationRegistry,
   getSelfCapability,
+  getWriteGrantsForHolon,
+  grantAccess,
+  grantWriteAccessToHolon,
+  hasWriteAccess,
+  invalidateRegistryCache,
   isSelfCapability,
+  migrateToUnifiedGrants,
   removeFederatedPartner,
+  revokeAccess,
   revokeOutboundCapability,
+  revokeWriteAccess,
   saveFederationRegistry,
   storeInboundCapability,
   storeOutboundCapability,
@@ -24334,6 +25557,7 @@ function createHologram(sourceHolon, targetHolon, lensName, dataId, appname, opt
     // Always the token string (normalized above)
     _meta: {
       created: Date.now(),
+      lastUpdated: Date.now(),
       sourceHolon,
       source: sourceHolon,
       // Alias for compatibility
@@ -24346,6 +25570,8 @@ function createHologram(sourceHolon, targetHolon, lensName, dataId, appname, opt
 async function createHologramWithCapability(client, sourceHolon, targetHolon, lensName, dataId, appname, options = {}) {
   const {
     sourceAuthorPubKey = client.publicKey,
+    sourceAuthorPrivKey = client.privateKey,
+    // Allow passing author's private key for signing
     targetAuthorPubKey = client.publicKey,
     capability: providedCapability = null,
     permissions = ["read"],
@@ -24362,7 +25588,8 @@ async function createHologramWithCapability(client, sourceHolon, targetHolon, le
         expiresIn: expiresIn !== null ? expiresIn : isSelfCapability2 ? 365 * 24 * 60 * 60 * 1e3 : 36e5,
         // 1 year for self, 1 hour for cross
         issuer: sourceAuthorPubKey,
-        issuerKey: client.privateKey
+        issuerKey: sourceAuthorPrivKey
+        // Use passed private key (holon's key when federated via holonsbot)
       }
     );
     if (!isSelfCapability2 && client.privateKey) {
@@ -24442,6 +25669,18 @@ async function resolveHologram(client, hologram2, visited = /* @__PURE__ */ new
       console.warn(`❌ Hologram missing capability: ${soul}`);
       return null;
     }
+    if (authorPubKey) {
+      const issuerMatch = await verifyCapabilityIssuer(capability, authorPubKey);
+      if (!issuerMatch) {
+        console.warn(`❌ Capability issuer does not match authorPubKey for hologram: ${soul}`);
+        console.warn(`   Expected author: ${authorPubKey?.slice(0, 12)}...`);
+        const decoded = decodeCapability(capability);
+        if (decoded) {
+          console.warn(`   Actual issuer: ${decoded.issuer?.slice(0, 12)}...`);
+        }
+        return null;
+      }
+    }
     const isValid = await verifyCapability$1(
       capability,
       "read",
@@ -24636,13 +25875,6 @@ async function propagateData(client, appname, data, sourceHolon, targetHolon, le
     const sourceAuthorPubKey = options.sourceAuthorPubKey || client.publicKey;
     const isPubkey2 = typeof targetHolon === "string" && /^[0-9a-f]{64}$/i.test(targetHolon);
     const targetAuthorPubKey = options.targetAuthorPubKey || (isPubkey2 ? targetHolon : client.publicKey);
-    console.log("[propagateData] Creating hologram with capability:", {
-      sourceHolon: sourceHolon?.slice(0, 12) + "...",
-      targetHolon: targetHolon?.slice(0, 12) + "...",
-      sourceAuthorPubKey: sourceAuthorPubKey?.slice(0, 12) + "...",
-      targetAuthorPubKey: targetAuthorPubKey?.slice(0, 12) + "...",
-      hasProvidedCapability: !!options.capability
-    });
     const hologram2 = await createHologramWithCapability(
       client,
       sourceHolon,
@@ -24652,6 +25884,8 @@ async function propagateData(client, appname, data, sourceHolon, targetHolon, le
       appname,
       {
         sourceAuthorPubKey,
+        sourceAuthorPrivKey: options.sourceAuthorPrivKey,
+        // Pass through for holon-signed capabilities
         targetAuthorPubKey,
         capability: options.capability,
         permissions: ["read"]
@@ -24716,7 +25950,6 @@ async function addActiveHologram(client, appname, sourceHolon, lensName, dataId,
   let sourcePath = buildPath(currentAppname, currentHolon, currentLens, currentDataId);
   let sourceData = await read(client, sourcePath);
   if (!sourceData) {
-    console.warn(`Source data not found at ${sourcePath}`);
     return false;
   }
   let depth = 0;
@@ -24730,13 +25963,9 @@ async function addActiveHologram(client, appname, sourceHolon, lensName, dataId,
     sourcePath = buildPath(currentAppname, currentHolon, currentLens, currentDataId);
     sourceData = await read(client, sourcePath);
     if (!sourceData) {
-      console.warn(`Real source data not found at ${sourcePath}`);
       return false;
     }
   }
-  if (depth > 0) {
-    console.info(`📍 Followed hologram chain (depth: ${depth}) to real source: ${currentHolon}/${currentLens}/${currentDataId}`);
-  }
   if (!sourceData._meta) {
     sourceData._meta = {};
   }
@@ -24804,7 +26033,6 @@ async function updateActiveHologramPlatform(client, appname, sourceHolon, lensNa
   let sourcePath = buildPath(currentAppname, currentHolon, currentLens, currentDataId);
   let sourceData = await read(client, sourcePath);
   if (!sourceData) {
-    console.warn(`Source data not found at ${sourcePath}`);
     return false;
   }
   let depth = 0;
@@ -24818,7 +26046,6 @@ async function updateActiveHologramPlatform(client, appname, sourceHolon, lensNa
     sourcePath = buildPath(currentAppname, currentHolon, currentLens, currentDataId);
     sourceData = await read(client, sourcePath);
     if (!sourceData) {
-      console.warn(`Real source data not found at ${sourcePath}`);
       return false;
     }
   }
@@ -25086,161 +26313,6 @@ const hologram = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProp
   updateHologramOverrides,
   wouldCreateCircularHologram
 }, Symbol.toStringTag, { value: "Module" }));
-function hexToBytes(hex2) {
-  const bytes2 = new Uint8Array(hex2.length / 2);
-  for (let i = 0; i < hex2.length; i += 2) {
-    bytes2[i / 2] = parseInt(hex2.substr(i, 2), 16);
-  }
-  return bytes2;
-}
-function bytesToHex(bytes2) {
-  return Array.from(bytes2).map((b2) => b2.toString(16).padStart(2, "0")).join("");
-}
-function parseNpubOrHex(input) {
-  const trimmed = input?.trim();
-  if (!trimmed) {
-    return { valid: false, error: "Public key is required" };
-  }
-  if (/^[0-9a-fA-F]{64}$/.test(trimmed)) {
-    return { valid: true, hexPubKey: trimmed.toLowerCase() };
-  }
-  let npubString = trimmed;
-  if (npubString.startsWith("nostr:")) {
-    npubString = npubString.slice(6);
-  }
-  if (npubString.startsWith("npub1")) {
-    try {
-      const decoded = nip19.decode(npubString);
-      if (decoded.type === "npub") {
-        return { valid: true, hexPubKey: decoded.data };
-      }
-      return { valid: false, error: "Invalid npub format" };
-    } catch (e) {
-      return { valid: false, error: "Invalid npub: unable to decode" };
-    }
-  }
-  return { valid: false, error: "Enter a valid npub (npub1...) or 64-character hex public key" };
-}
-function hexToNpub(hexPubKey) {
-  try {
-    return nip19.npubEncode(hexPubKey);
-  } catch (e) {
-    console.error("Failed to encode hex to npub:", e);
-    return hexPubKey;
-  }
-}
-function npubToHex(npub2) {
-  try {
-    const decoded = nip19.decode(npub2);
-    if (decoded.type === "npub") {
-      return decoded.data;
-    }
-    return null;
-  } catch (e) {
-    return null;
-  }
-}
-function shortenPubKey(pubKey) {
-  if (!pubKey || pubKey.length <= 20) return pubKey || "";
-  return `${pubKey.slice(0, 8)}...${pubKey.slice(-8)}`;
-}
-function shortenNpub(npub2) {
-  if (!npub2 || npub2.length <= 20) return npub2 || "";
-  return `${npub2.slice(0, 12)}...${npub2.slice(-8)}`;
-}
-function getPublicKey(privateKey) {
-  return getPublicKey$2(hexToBytes(privateKey));
-}
-async function encryptNIP04(privateKey, recipientPubKey, content) {
-  return await nip04.encrypt(privateKey, recipientPubKey, content);
-}
-async function decryptNIP04(privateKey, senderPubKey, encryptedContent) {
-  return await nip04.decrypt(privateKey, senderPubKey, encryptedContent);
-}
-function encryptNIP44(privateKey, recipientPubKey, content) {
-  const privKeyBytes = hexToBytes(privateKey);
-  const conversationKey = nip44.v2.utils.getConversationKey(privKeyBytes, recipientPubKey);
-  return nip44.v2.encrypt(content, conversationKey);
-}
-function decryptNIP44(privateKey, senderPubKey, encryptedContent) {
-  const privKeyBytes = hexToBytes(privateKey);
-  const conversationKey = nip44.v2.utils.getConversationKey(privKeyBytes, senderPubKey);
-  return nip44.v2.decrypt(encryptedContent, conversationKey);
-}
-function createSignedEvent(kind2, content, tags, privateKey) {
-  const event = {
-    kind: kind2,
-    content,
-    tags,
-    created_at: Math.floor(Date.now() / 1e3)
-  };
-  return finalizeEvent(event, hexToBytes(privateKey));
-}
-function createDMEvent(recipientPubKey, encryptedContent, privateKey) {
-  return createSignedEvent(
-    4,
-    // NIP-04 encrypted DM
-    encryptedContent,
-    [["p", recipientPubKey]],
-    privateKey
-  );
-}
-function isValidHexPubKey(str2) {
-  return typeof str2 === "string" && /^[0-9a-fA-F]{64}$/.test(str2);
-}
-function isValidNpub(str2) {
-  if (typeof str2 !== "string" || !str2.startsWith("npub1")) {
-    return false;
-  }
-  try {
-    const decoded = nip19.decode(str2);
-    return decoded.type === "npub";
-  } catch {
-    return false;
-  }
-}
-function generateNonce() {
-  return Date.now().toString(36) + Math.random().toString(36).substring(2, 15);
-}
-function signEvent(event, privateKey) {
-  const eventToSign = {
-    kind: event.kind,
-    content: event.content,
-    tags: event.tags || [],
-    created_at: event.created_at || Math.floor(Date.now() / 1e3)
-  };
-  return finalizeEvent(eventToSign, hexToBytes(privateKey));
-}
-function verifyEvent(event) {
-  return verifyEvent$1(event);
-}
-const nostrUtils = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
-  __proto__: null,
-  NDK,
-  NDKEvent,
-  NDKPrivateKeySigner,
-  NDKSubscriptionCacheUsage,
-  NDKUser,
-  bytesToHex,
-  createDMEvent,
-  createSignedEvent,
-  decryptNIP04,
-  decryptNIP44,
-  encryptNIP04,
-  encryptNIP44,
-  generateNonce,
-  getPublicKey,
-  hexToBytes,
-  hexToNpub,
-  isValidHexPubKey,
-  isValidNpub,
-  npubToHex,
-  parseNpubOrHex,
-  shortenNpub,
-  shortenPubKey,
-  signEvent,
-  verifyEvent
-}, Symbol.toStringTag, { value: "Module" }));
 const HOLON_REGISTRY_TABLE = "_holon-registry";
 function isPubkey(str2) {
   return typeof str2 === "string" && /^[0-9a-f]{64}$/i.test(str2);
@@ -25848,23 +26920,309 @@ const cardStorage$1 = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defin
   setLastDMFetchTime,
   updateCardStatus
 }, Symbol.toStringTag, { value: "Module" }));
+class LensKeyStore {
+  /**
+   * Creates a new LensKeyStore instance.
+   */
+  constructor() {
+    this.ownKeys = /* @__PURE__ */ new Map();
+    this.receivedKeys = /* @__PURE__ */ new Map();
+    this.partnerWrappedKeys = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Store a lens key we own (we generated it).
+   *
+   * @param {string} lensPath - Path identifying the lens (appName/holonId/lensName)
+   * @param {Uint8Array} key - 32-byte symmetric key
+   * @param {string} wrappedForSelf - NIP-44 wrapped key for self-recovery
+   */
+  storeOwnKey(lensPath, key, wrappedForSelf) {
+    this.ownKeys.set(lensPath, {
+      key,
+      wrappedForSelf,
+      createdAt: Date.now()
+    });
+  }
+  /**
+   * Store a lens key we received from a federation partner.
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @param {Uint8Array} key - 32-byte symmetric key
+   * @param {string} fromPubKey - Public key of the partner who shared the key
+   */
+  storeReceivedKey(lensPath, key, fromPubKey) {
+    this.receivedKeys.set(lensPath, {
+      key,
+      fromPubKey,
+      receivedAt: Date.now()
+    });
+  }
+  /**
+   * Get the key for a lens (own or received).
+   * Own keys take precedence over received keys.
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @returns {Uint8Array|null} 32-byte symmetric key or null if not found
+   */
+  getKey(lensPath) {
+    const own = this.ownKeys.get(lensPath);
+    if (own) return own.key;
+    const received = this.receivedKeys.get(lensPath);
+    if (received) return received.key;
+    return null;
+  }
+  /**
+   * Check if we have a key for a lens.
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @returns {boolean} True if key exists
+   */
+  hasKey(lensPath) {
+    return this.ownKeys.has(lensPath) || this.receivedKeys.has(lensPath);
+  }
+  /**
+   * Check if we own the key for a lens (vs received it).
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @returns {boolean} True if we own the key
+   */
+  isOwnKey(lensPath) {
+    return this.ownKeys.has(lensPath);
+  }
+  /**
+   * Get or create a key for a lens.
+   * If key doesn't exist, generates a new one.
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @param {string} ownerPrivKey - Owner's private key for wrapping
+   * @param {string} ownerPubKey - Owner's public key
+   * @returns {Object} { key: Uint8Array, isNew: boolean, wrappedForSelf: string }
+   */
+  getOrCreateKey(lensPath, ownerPrivKey, ownerPubKey) {
+    const existing = this.ownKeys.get(lensPath);
+    if (existing) {
+      return {
+        key: existing.key,
+        isNew: false,
+        wrappedForSelf: existing.wrappedForSelf
+      };
+    }
+    if (this.receivedKeys.has(lensPath)) {
+      const received = this.receivedKeys.get(lensPath);
+      return {
+        key: received.key,
+        isNew: false,
+        wrappedForSelf: null
+        // We don't have wrapped version for received keys
+      };
+    }
+    const key = generateLensKey();
+    const wrappedForSelf = wrapKeyForRecipient(key, ownerPrivKey, ownerPubKey);
+    this.storeOwnKey(lensPath, key, wrappedForSelf);
+    return { key, isNew: true, wrappedForSelf };
+  }
+  /**
+   * Wrap a lens key for a partner (for federation sharing).
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @param {string} ownerPrivKey - Owner's private key
+   * @param {string} partnerPubKey - Partner's public key
+   * @returns {string|null} Wrapped key for partner or null if no key exists
+   */
+  wrapKeyForPartner(lensPath, ownerPrivKey, partnerPubKey) {
+    const key = this.getKey(lensPath);
+    if (!key) return null;
+    const wrappedKey = wrapKeyForRecipient(key, ownerPrivKey, partnerPubKey);
+    if (!this.partnerWrappedKeys.has(lensPath)) {
+      this.partnerWrappedKeys.set(lensPath, /* @__PURE__ */ new Map());
+    }
+    this.partnerWrappedKeys.get(lensPath).set(partnerPubKey, wrappedKey);
+    return wrappedKey;
+  }
+  /**
+   * Get all partners who have been given wrapped keys for a lens.
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @returns {string[]} Array of partner public keys
+   */
+  getPartnersWithAccess(lensPath) {
+    const partners = this.partnerWrappedKeys.get(lensPath);
+    return partners ? Array.from(partners.keys()) : [];
+  }
+  /**
+   * Revoke a partner's access by removing their wrapped key.
+   * Note: This doesn't prevent them from using their cached key.
+   * For true revocation, you need to re-key the lens.
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @param {string} partnerPubKey - Partner's public key
+   * @returns {boolean} True if partner was found and removed
+   */
+  revokePartnerAccess(lensPath, partnerPubKey) {
+    const partners = this.partnerWrappedKeys.get(lensPath);
+    if (partners) {
+      return partners.delete(partnerPubKey);
+    }
+    return false;
+  }
+  /**
+   * Re-key a lens (generate new key and re-wrap for remaining partners).
+   * Used for key rotation or access revocation.
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @param {string} ownerPrivKey - Owner's private key
+   * @param {string} ownerPubKey - Owner's public key
+   * @param {string[]} [excludePartners=[]] - Partners to exclude from re-wrapping
+   * @returns {Object} { newKey, wrappedForSelf, partnerKeys: Map<pubKey, wrappedKey> }
+   */
+  rekeyLens(lensPath, ownerPrivKey, ownerPubKey, excludePartners = []) {
+    const currentPartners = this.getPartnersWithAccess(lensPath);
+    const remainingPartners = currentPartners.filter((p) => !excludePartners.includes(p));
+    const newKey = generateLensKey();
+    const wrappedForSelf = wrapKeyForRecipient(newKey, ownerPrivKey, ownerPubKey);
+    this.storeOwnKey(lensPath, newKey, wrappedForSelf);
+    const partnerKeys = /* @__PURE__ */ new Map();
+    this.partnerWrappedKeys.set(lensPath, /* @__PURE__ */ new Map());
+    for (const partnerPubKey of remainingPartners) {
+      const wrappedKey = wrapKeyForRecipient(newKey, ownerPrivKey, partnerPubKey);
+      this.partnerWrappedKeys.get(lensPath).set(partnerPubKey, wrappedKey);
+      partnerKeys.set(partnerPubKey, wrappedKey);
+    }
+    return { newKey, wrappedForSelf, partnerKeys };
+  }
+  /**
+   * Receive and unwrap a key from a partner.
+   *
+   * @param {string} lensPath - Path identifying the lens
+   * @param {string} wrappedKey - NIP-44 wrapped key from partner
+   * @param {string} recipientPrivKey - Our private key
+   * @param {string} senderPubKey - Partner's public key
+   * @returns {Uint8Array} Unwrapped 32-byte symmetric key
+   */
+  receiveKey(lensPath, wrappedKey, recipientPrivKey, senderPubKey) {
+    const key = unwrapKey(wrappedKey, recipientPrivKey, senderPubKey);
+    this.storeReceivedKey(lensPath, key, senderPubKey);
+    return key;
+  }
+  /**
+   * Export own keys for persistent storage.
+   * Returns serializable format that can be stored in Nostr.
+   *
+   * @returns {Object[]} Array of { lensPath, wrappedForSelf, createdAt }
+   */
+  exportOwnKeys() {
+    const exported = [];
+    for (const [lensPath, data] of this.ownKeys.entries()) {
+      exported.push({
+        lensPath,
+        wrappedForSelf: data.wrappedForSelf,
+        createdAt: data.createdAt
+      });
+    }
+    return exported;
+  }
+  /**
+   * Import own keys from persistent storage.
+   *
+   * @param {Object[]} keyData - Array of exported key data
+   * @param {string} ownerPrivKey - Owner's private key for unwrapping
+   * @param {string} ownerPubKey - Owner's public key
+   */
+  importOwnKeys(keyData, ownerPrivKey, ownerPubKey) {
+    for (const data of keyData) {
+      const key = unwrapKey(data.wrappedForSelf, ownerPrivKey, ownerPubKey);
+      this.ownKeys.set(data.lensPath, {
+        key,
+        wrappedForSelf: data.wrappedForSelf,
+        createdAt: data.createdAt
+      });
+    }
+  }
+  /**
+   * Clear all keys from the store.
+   * Use with caution - this will remove all access to encrypted data.
+   */
+  clear() {
+    this.ownKeys.clear();
+    this.receivedKeys.clear();
+    this.partnerWrappedKeys.clear();
+  }
+  /**
+   * Get statistics about the key store.
+   *
+   * @returns {Object} { ownKeyCount, receivedKeyCount, totalPartnerGrants }
+   */
+  getStats() {
+    let totalPartnerGrants = 0;
+    for (const partners of this.partnerWrappedKeys.values()) {
+      totalPartnerGrants += partners.size;
+    }
+    return {
+      ownKeyCount: this.ownKeys.size,
+      receivedKeyCount: this.receivedKeys.size,
+      totalPartnerGrants
+    };
+  }
+}
+function buildLensPath(appName, holonId, lensName) {
+  return `${appName}/${holonId}/${lensName}`;
+}
+function parseLensPath(lensPath) {
+  const parts = lensPath.split("/");
+  if (parts.length < 3) {
+    throw new Error(`Invalid lens path: ${lensPath}`);
+  }
+  return {
+    appName: parts[0],
+    holonId: parts[1],
+    lensName: parts[2]
+  };
+}
+function isV2LensConfig(lensConfig) {
+  return lensConfig && lensConfig.version === "2.0" && lensConfig.permissions;
+}
+function normalizeLensConfig(lensConfig) {
+  if (!lensConfig) {
+    return { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] };
+  }
+  if (isV2LensConfig(lensConfig)) {
+    return convertToLegacyLensConfig(lensConfig);
+  }
+  return {
+    inbound: lensConfig.inbound || [],
+    outbound: lensConfig.outbound || [],
+    writeInbound: lensConfig.writeInbound || [],
+    writeOutbound: lensConfig.writeOutbound || []
+  };
+}
+function toUnifiedPermissions(lensConfig) {
+  if (!lensConfig) {
+    return { version: "2.0", permissions: {} };
+  }
+  if (isV2LensConfig(lensConfig)) {
+    return lensConfig;
+  }
+  return convertLegacyLensConfig(lensConfig);
+}
 function createFederationRequest({
   senderHolonId,
   senderHolonName,
   senderPubKey,
-  lensConfig = { inbound: [], outbound: [] },
+  lensConfig = { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] },
   capabilities: capabilities2 = [],
-  message
+  message,
+  useV2 = false
 }) {
+  const normalizedLensConfig = useV2 ? toUnifiedPermissions(lensConfig) : normalizeLensConfig(lensConfig);
   return {
     type: "federation_request",
-    version: "1.0",
-    requestId: generateNonce(),
+    version: useV2 ? "2.0" : "1.0",
+    requestId: generateNonce$1(),
     timestamp: Date.now(),
     senderHolonId,
     senderHolonName,
     senderNpub: hexToNpub(senderPubKey),
-    lensConfig,
+    lensConfig: normalizedLensConfig,
     capabilities: capabilities2,
     message
   };
@@ -25877,18 +27235,23 @@ function createFederationResponse({
   responderPubKey,
   lensConfig,
   capabilities: capabilities2,
-  message
+  message,
+  useV2 = false
 }) {
+  let normalizedLensConfig;
+  if (lensConfig) {
+    normalizedLensConfig = useV2 ? toUnifiedPermissions(lensConfig) : normalizeLensConfig(lensConfig);
+  }
   return {
     type: "federation_response",
-    version: "1.0",
+    version: useV2 ? "2.0" : "1.0",
     requestId,
     timestamp: Date.now(),
     status,
     responderHolonId,
     responderHolonName,
     responderNpub: responderPubKey ? hexToNpub(responderPubKey) : void 0,
-    lensConfig,
+    lensConfig: normalizedLensConfig,
     capabilities: capabilities2,
     message
   };
@@ -25929,8 +27292,33 @@ async function sendFederationResponse(client, privateKey, recipientPubKey, respo
     return false;
   }
 }
+async function sendLensKeyShare(client, privateKey, recipientPubKey, keyShare) {
+  try {
+    const payload = {
+      type: "lens_key_share",
+      version: "1.0",
+      lensPath: keyShare.lensPath,
+      wrappedKey: keyShare.wrappedKey,
+      timestamp: Date.now()
+    };
+    const content = JSON.stringify(payload);
+    const encrypted = encryptNIP44(privateKey, recipientPubKey, content);
+    const event = createDMEvent(recipientPubKey, encrypted, privateKey);
+    if (client?.publish) {
+      await client.publish(event);
+      console.log("[Handshake] Lens key share sent to:", recipientPubKey.substring(0, 8) + "...", "for lens:", keyShare.lensPath);
+      return true;
+    } else {
+      console.error("[Handshake] No publish method on client");
+      return false;
+    }
+  } catch (error) {
+    console.error("[Handshake] Failed to send lens key share:", error);
+    return false;
+  }
+}
 function subscribeToFederationDMs(client, privateKey, publicKey, handlers, options = {}) {
-  const { onRequest, onResponse, onUpdate, onUpdateResponse } = handlers;
+  const { onRequest, onResponse, onUpdate, onUpdateResponse, onKeyShare } = handlers;
   const { appname } = options;
   let isActive = true;
   const processedEventIds = /* @__PURE__ */ new Set();
@@ -26027,6 +27415,19 @@ function subscribeToFederationDMs(client, privateKey, publicKey, handlers, optio
         }
         console.log("[Handshake] Received federation update response from:", event.pubkey.substring(0, 8) + "...");
         onUpdateResponse?.(payload, event.pubkey);
+      } else if (payload.type === "lens_key_share" && payload.version === "1.0") {
+        const keyShareKey = `key_${payload.lensPath}_${event.pubkey}`;
+        if (processedResponseIds.has(keyShareKey)) {
+          console.log("[Handshake] Skipping already processed key share:", keyShareKey);
+          return;
+        }
+        if (appname && client?.client) {
+          await markDMProcessed(client.client, appname, event.id, "key_share");
+          processedResponseIds.add(keyShareKey);
+          processedDMIds.add(event.id);
+        }
+        console.log("[Handshake] Received lens key share from:", event.pubkey.substring(0, 8) + "...", "for lens:", payload.lensPath);
+        onKeyShare?.(payload, event.pubkey);
       }
     } catch (error) {
     }
@@ -26072,13 +27473,19 @@ async function initiateFederationHandshake(holosphere, privateKey, params) {
     partnerPubKey,
     holonId,
     holonName,
-    lensConfig = { inbound: [], outbound: [] },
+    lensConfig = { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] },
     message
   } = params;
   try {
-    const senderPubKey = getPublicKey(privateKey);
+    const senderPubKey = getPublicKey$1(privateKey);
+    const normalizedLensConfig = {
+      inbound: lensConfig.inbound || [],
+      outbound: lensConfig.outbound || [],
+      writeInbound: lensConfig.writeInbound || [],
+      writeOutbound: lensConfig.writeOutbound || []
+    };
     const capabilities2 = [];
-    for (const lensName of lensConfig.outbound || []) {
+    for (const lensName of normalizedLensConfig.outbound) {
       try {
         const token = await issueCapability$1(
           ["read"],
@@ -26100,11 +27507,42 @@ async function initiateFederationHandshake(holosphere, privateKey, params) {
         console.warn(`[Handshake] Failed to issue capability for ${lensName}:`, err.message);
       }
     }
+    if (holosphere.client) {
+      for (const lensName of normalizedLensConfig.writeOutbound) {
+        try {
+          await grantAccess(
+            holosphere.client,
+            holosphere.config.appName,
+            partnerPubKey,
+            { holonId: "*", lensName },
+            ["write"],
+            { direction: "inbound" }
+          );
+          console.log(`[Handshake] Pre-granted write access to partner for lens "${lensName}"`);
+        } catch (err) {
+          console.warn(`[Handshake] Failed to grant write access for ${lensName}:`, err.message);
+        }
+      }
+      for (const lensName of normalizedLensConfig.outbound) {
+        try {
+          await grantAccess(
+            holosphere.client,
+            holosphere.config.appName,
+            partnerPubKey,
+            { holonId: "*", lensName },
+            ["read"],
+            { direction: "outbound" }
+          );
+        } catch (err) {
+          console.warn(`[Handshake] Failed to grant read access for ${lensName}:`, err.message);
+        }
+      }
+    }
     const request = createFederationRequest({
       senderHolonId: holonId,
       senderHolonName: holonName,
       senderPubKey,
-      lensConfig,
+      lensConfig: normalizedLensConfig,
       capabilities: capabilities2,
       message
     });
@@ -26130,11 +27568,17 @@ async function acceptFederationRequest$1(holosphere, privateKey, params) {
     senderPubKey,
     holonId,
     holonName,
-    lensConfig = { inbound: [], outbound: [] },
+    lensConfig = { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] },
     message
   } = params;
   try {
-    const responderPubKey = getPublicKey(privateKey);
+    const responderPubKey = getPublicKey$1(privateKey);
+    const normalizedLensConfig = {
+      inbound: lensConfig.inbound || [],
+      outbound: lensConfig.outbound || [],
+      writeInbound: lensConfig.writeInbound || [],
+      writeOutbound: lensConfig.writeOutbound || []
+    };
     if (holosphere.client) {
       await addFederatedPartner(holosphere.client, holosphere.config.appName, senderPubKey, {
         alias: request.senderHolonName,
@@ -26145,6 +27589,39 @@ async function acceptFederationRequest$1(holosphere, privateKey, params) {
           await storeInboundCapability(holosphere.client, holosphere.config.appName, senderPubKey, cap);
         }
       }
+      const senderWriteOutbound = request.lensConfig?.writeOutbound || [];
+      if (senderWriteOutbound.length > 0) {
+        console.log("[Handshake] Sender is granting write access for lenses:", senderWriteOutbound);
+      }
+      for (const lensName of normalizedLensConfig.writeOutbound) {
+        try {
+          await grantAccess(
+            holosphere.client,
+            holosphere.config.appName,
+            senderPubKey,
+            { holonId: "*", lensName },
+            ["write"],
+            { direction: "inbound" }
+          );
+          console.log(`[Handshake] Granted write access to sender for lens "${lensName}"`);
+        } catch (err) {
+          console.warn(`[Handshake] Failed to grant write access for ${lensName}:`, err.message);
+        }
+      }
+      for (const lensName of normalizedLensConfig.outbound) {
+        try {
+          await grantAccess(
+            holosphere.client,
+            holosphere.config.appName,
+            senderPubKey,
+            { holonId: "*", lensName },
+            ["read"],
+            { direction: "outbound" }
+          );
+        } catch (err) {
+          console.warn(`[Handshake] Failed to grant read access for ${lensName}:`, err.message);
+        }
+      }
       if (request.senderHolonId) {
         await registerHolon(holosphere.client, holosphere.config.appName, request.senderHolonId, senderPubKey, {
           alias: request.senderHolonName
@@ -26156,11 +27633,11 @@ async function acceptFederationRequest$1(holosphere, privateKey, params) {
       }
     }
     await holosphere.federateHolon(holonId, senderPubKey, {
-      lensConfig,
+      lensConfig: normalizedLensConfig,
       partnerName: request.senderHolonName
     });
     const capabilities2 = [];
-    for (const lensName of lensConfig.outbound || []) {
+    for (const lensName of normalizedLensConfig.outbound) {
       try {
         const token = await issueCapability$1(
           ["read"],
@@ -26182,13 +27659,37 @@ async function acceptFederationRequest$1(holosphere, privateKey, params) {
         console.warn(`[Handshake] Failed to issue capability for ${lensName}:`, err.message);
       }
     }
+    if (holosphere.keyStore && holosphere.client?.privateKey) {
+      for (const lensName of normalizedLensConfig.outbound) {
+        const lensPath = buildLensPath(holosphere.config.appName, responderPubKey, lensName);
+        const lensKey = holosphere.keyStore.getKey(lensPath);
+        if (lensKey) {
+          try {
+            const wrappedKey = holosphere.keyStore.wrapKeyForPartner(
+              lensPath,
+              holosphere.client.privateKey,
+              senderPubKey
+            );
+            if (wrappedKey) {
+              await sendLensKeyShare(holosphere.client, privateKey, senderPubKey, {
+                lensPath,
+                wrappedKey
+              });
+              console.log(`[Handshake] Shared lens key for "${lensName}" with partner`);
+            }
+          } catch (err) {
+            console.warn(`[Handshake] Failed to share lens key for ${lensName}:`, err.message);
+          }
+        }
+      }
+    }
     const response = createFederationResponse({
       requestId: request.requestId,
       status: "accepted",
       responderHolonId: holonId,
       responderHolonName: holonName,
       responderPubKey,
-      lensConfig,
+      lensConfig: normalizedLensConfig,
       capabilities: capabilities2,
       message
     });
@@ -26199,7 +27700,7 @@ async function acceptFederationRequest$1(holosphere, privateKey, params) {
         console.log("[Handshake] Request dismissed after acceptance:", request.requestId);
       }
       const receivedHolograms = {};
-      const inboundLenses = lensConfig.inbound || [];
+      const inboundLenses = normalizedLensConfig.inbound;
       if (inboundLenses.length > 0 && holosphere.receiveFederatedLens) {
         console.log("[Handshake] Receiving federated lens data as holograms...");
         for (const lensName of inboundLenses) {
@@ -26312,7 +27813,7 @@ function createFederationUpdate({
   return {
     type: "federation_update",
     version: "1.0",
-    updateId: generateNonce(),
+    updateId: generateNonce$1(),
     timestamp: Date.now(),
     senderHolonId,
     senderHolonName,
@@ -26370,7 +27871,7 @@ async function sendFederationUpdateResponse(client, privateKey, recipientPubKey,
 async function requestFederationUpdate(holosphere, privateKey, params) {
   const { partnerPubKey, holonId, holonName, newLensConfig, message } = params;
   try {
-    const senderPubKey = getPublicKey(privateKey);
+    const senderPubKey = getPublicKey$1(privateKey);
     const update2 = createFederationUpdate({
       senderHolonId: holonId,
       senderHolonName: holonName,
@@ -26439,6 +27940,8 @@ const handshake = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.definePro
   isFederationResponse,
   isFederationUpdate,
   isFederationUpdateResponse,
+  isV2LensConfig,
+  normalizeLensConfig,
   processFederationResponse,
   rejectFederationRequest,
   rejectFederationUpdate,
@@ -26447,7 +27950,9 @@ const handshake = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.definePro
   sendFederationResponse,
   sendFederationUpdate,
   sendFederationUpdateResponse,
-  subscribeToFederationDMs
+  sendLensKeyShare,
+  subscribeToFederationDMs,
+  toUnifiedPermissions
 }, Symbol.toStringTag, { value: "Module" }));
 function validateNostrEvent(event, partial = true, throwOnError = false) {
   if (!event || typeof event !== "object") {
@@ -26578,7 +28083,7 @@ async function createSubscription(client, path, callback, options = {}) {
     if (!isActive) {
       return;
     }
-    const uniqueKey = `${key}-${data?.id || ""}-${data?._meta?.timestamp || Date.now()}`;
+    const uniqueKey = `${key}-${data?.id || ""}-${data?._meta?.lastUpdated || data?._meta?.timestamp || Date.now()}`;
     if (seenKeys.has(uniqueKey)) {
       return;
     }
@@ -36839,7 +38344,7 @@ class ChainManager {
    */
   async _loadEthers() {
     if (!this.ethers) {
-      const ethersModule = await import("./index-CoAjtqsD.js");
+      const ethersModule = await import("./index-BdnrGafX.js");
       this.ethers = ethersModule;
     }
     return this.ethers;
@@ -45630,7 +47135,7 @@ class ContractDeployer {
    */
   async _loadEthers() {
     if (!this.ethers) {
-      this.ethers = await import("./index-CoAjtqsD.js");
+      this.ethers = await import("./index-BdnrGafX.js");
     }
     return this.ethers;
   }
@@ -46016,7 +47521,7 @@ class ContractOperations {
    */
   async _loadEthers() {
     if (!this.ethers) {
-      this.ethers = await import("./index-CoAjtqsD.js");
+      this.ethers = await import("./index-BdnrGafX.js");
     }
     return this.ethers;
   }
@@ -57066,8 +58571,9 @@ function withFederationMethods(Base) {
         permissions = ["read"],
         filter = null
       } = options;
-      const normalizedSource = typeof source === "string" ? { holonId: source, authorPubKey: this.client.publicKey } : { holonId: source.holonId, authorPubKey: source.authorPubKey || this.client.publicKey };
-      const normalizedTarget = typeof target === "string" ? { holonId: target, authorPubKey: this.client.publicKey } : { holonId: target.holonId, authorPubKey: target.authorPubKey || this.client.publicKey };
+      const isPubkey2 = (str2) => typeof str2 === "string" && /^[0-9a-f]{64}$/i.test(str2);
+      const normalizedSource = typeof source === "string" ? { holonId: source, authorPubKey: isPubkey2(source) ? source : this.client.publicKey } : { holonId: source.holonId, authorPubKey: source.authorPubKey || (isPubkey2(source.holonId) ? source.holonId : this.client.publicKey) };
+      const normalizedTarget = typeof target === "string" ? { holonId: target, authorPubKey: isPubkey2(target) ? target : this.client.publicKey } : { holonId: target.holonId, authorPubKey: target.authorPubKey || (isPubkey2(target.holonId) ? target.holonId : this.client.publicKey) };
       if (normalizedSource.holonId === normalizedTarget.holonId && normalizedSource.authorPubKey === normalizedTarget.authorPubKey) {
         throw new ValidationError("Cannot federate a holon with itself");
       }
@@ -57715,6 +59221,259 @@ function withFederationMethods(Base) {
       }
       return results;
     }
+    // === UNIFIED ACCESS CONTROL ===
+    /**
+     * Unified access verification method.
+     * Single entry point for checking all access permissions (read, write, etc.).
+     * Replaces and unifies the previous separate access checking methods.
+     *
+     * @param {string} targetHolonId - The holon being accessed
+     * @param {string} lensName - The lens being accessed
+     * @param {string} actorPubKey - The actor's public key
+     * @param {string} permission - Permission to check ('read' or 'write')
+     * @param {Object} [options={}] - Options
+     * @param {string} [options.actingAsHolon] - The holon the actor is acting on behalf of
+     * @param {string} [options.capabilityToken] - Explicit capability token to verify
+     * @returns {Promise<Object>} { allowed: boolean, via: string, reason?: string, grant?: Object }
+     *
+     * @example
+     * // Check if current user can read from a holon
+     * const result = await hs.canAccess(targetHolonId, 'quests', myPubKey, 'read');
+     * if (result.allowed) {
+     *   console.log('Access granted via:', result.via);
+     * }
+     *
+     * @example
+     * // Check write access with explicit capability
+     * const result = await hs.canAccess(targetHolonId, 'quests', myPubKey, 'write', {
+     *   capabilityToken: myCapToken
+     * });
+     */
+    async canAccess(targetHolonId, lensName, actorPubKey, permission, options = {}) {
+      const { actingAsHolon = null, capabilityToken = null } = options;
+      if (actorPubKey === targetHolonId) {
+        return { allowed: true, via: "owner" };
+      }
+      if (capabilityToken) {
+        try {
+          const valid = await this.verifyCapability(capabilityToken, permission, {
+            holonId: targetHolonId,
+            lensName
+          });
+          if (valid) {
+            return { allowed: true, via: "capability" };
+          }
+        } catch (err) {
+          console.log("[canAccess] Capability verification failed:", err.message);
+        }
+      }
+      try {
+        const members = await this.get(targetHolonId, "users");
+        if (members && Array.isArray(members)) {
+          const isMember = members.some(
+            (m) => m.pubKey === actorPubKey || m.id === actorPubKey || m.nostrPubKey === actorPubKey
+          );
+          if (isMember) {
+            return { allowed: true, via: "membership" };
+          }
+        }
+      } catch (err) {
+        console.log("[canAccess] Could not read users lens:", err.message);
+      }
+      const scope = { holonId: targetHolonId, lensName };
+      if (actingAsHolon) {
+        const actorHolons = await this.getHolonsForPubKey(actorPubKey);
+        const isMemberOfActingHolon = actorHolons.some((h) => h.id === actingAsHolon);
+        if (!isMemberOfActingHolon) {
+          return { allowed: false, via: "none", reason: "Not a member of the acting holon" };
+        }
+        const grant = await findAccessGrant(
+          this.client,
+          this.config.appName,
+          actingAsHolon,
+          scope,
+          permission,
+          { direction: "inbound" }
+        );
+        if (grant) {
+          return {
+            allowed: true,
+            via: "federation",
+            grant,
+            reason: `Acting as ${actingAsHolon} with ${permission} grant`
+          };
+        }
+      } else {
+        const actorHolons = await this.getHolonsForPubKey(actorPubKey);
+        for (const holon of actorHolons) {
+          const grant = await findAccessGrant(
+            this.client,
+            this.config.appName,
+            holon.id,
+            scope,
+            permission,
+            { direction: "inbound" }
+          );
+          if (grant) {
+            return {
+              allowed: true,
+              via: "federation",
+              grant,
+              reason: `Member of ${holon.name || holon.id} which has ${permission} grant`,
+              viaHolon: holon.id
+            };
+          }
+        }
+      }
+      return { allowed: false, via: "none", reason: "No access" };
+    }
+    // === CROSS-HOLON WRITE ACCESS ===
+    /**
+     * Check if a writer can write to a target holon's lens.
+     * This is a backward-compatible wrapper that delegates to canAccess().
+     *
+     * @param {string} targetHolonId - The holon being written to
+     * @param {string} lensName - The lens being written to
+     * @param {string} writerPubKey - The writer's public key
+     * @param {Object} [options={}] - Options
+     * @param {string} [options.actingAsHolon] - The holon the writer is acting on behalf of
+     * @param {string} [options.capabilityToken] - Explicit capability token to verify
+     * @returns {Promise<Object>} { canWrite: boolean, reason: string, accessType: string }
+     *
+     * @example
+     * // Check if current user can write to another holon
+     * const result = await hs.canWrite(targetHolonId, 'quests', myPubKey);
+     * if (result.canWrite) {
+     *   console.log('Access granted:', result.accessType);
+     * }
+     */
+    async canWrite(targetHolonId, lensName, writerPubKey, options = {}) {
+      const result = await this.canAccess(targetHolonId, lensName, writerPubKey, "write", options);
+      return {
+        canWrite: result.allowed,
+        reason: result.reason || result.via,
+        accessType: result.via,
+        viaHolon: result.viaHolon,
+        grant: result.grant
+      };
+    }
+    /**
+     * Check if an actor can read from a target holon's lens.
+     * Convenience wrapper around canAccess() for read operations.
+     *
+     * @param {string} targetHolonId - The holon being read from
+     * @param {string} lensName - The lens being read from
+     * @param {string} readerPubKey - The reader's public key
+     * @param {Object} [options={}] - Options
+     * @param {string} [options.actingAsHolon] - The holon the reader is acting on behalf of
+     * @param {string} [options.capabilityToken] - Explicit capability token to verify
+     * @returns {Promise<Object>} { canRead: boolean, reason: string, accessType: string }
+     */
+    async canRead(targetHolonId, lensName, readerPubKey, options = {}) {
+      const result = await this.canAccess(targetHolonId, lensName, readerPubKey, "read", options);
+      return {
+        canRead: result.allowed,
+        reason: result.reason || result.via,
+        accessType: result.via,
+        viaHolon: result.viaHolon,
+        grant: result.grant
+      };
+    }
+    /**
+     * Get all holons that a public key is a member of.
+     * Searches federation registry and users lenses.
+     *
+     * @param {string} pubKey - The public key to look up
+     * @returns {Promise<Array>} Array of { id, name } for each holon
+     */
+    async getHolonsForPubKey(pubKey) {
+      const results = [];
+      results.push({ id: pubKey, name: "Personal Holon" });
+      try {
+        const reg = await getFederationRegistry(this.client, this.config.appName);
+        if (reg && reg.federatedWith) {
+          for (const partner of reg.federatedWith) {
+            try {
+              const members = await this.get(partner.pubKey, "users");
+              if (members && Array.isArray(members)) {
+                const isMember = members.some(
+                  (m) => m.pubKey === pubKey || m.id === pubKey || m.nostrPubKey === pubKey
+                );
+                if (isMember) {
+                  results.push({ id: partner.pubKey, name: partner.alias || partner.pubKey });
+                }
+              }
+            } catch (err) {
+            }
+          }
+        }
+      } catch (err) {
+        console.warn("[getHolonsForPubKey] Error reading federation registry:", err.message);
+      }
+      return results;
+    }
+    /**
+     * Grant write access to a federated holon for a specific lens.
+     * Members of the granted holon will be able to write to this lens.
+     *
+     * @param {string} holonId - The holon to grant write access to
+     * @param {string} lensName - The lens to grant write access for (or '*' for all)
+     * @param {Object} [options={}] - Grant options
+     * @param {number} [options.expiresAt] - Optional expiration timestamp
+     * @returns {Promise<boolean>} Success indicator
+     *
+     * @example
+     * // Grant holon B write access to quests lens
+     * await hs.grantWriteAccess('holon-b-pubkey', 'quests');
+     */
+    async grantWriteAccess(holonId, lensName, options = {}) {
+      return grantWriteAccessToHolon(
+        this.client,
+        this.config.appName,
+        holonId,
+        lensName,
+        options
+      );
+    }
+    /**
+     * Revoke write access from a federated holon for a specific lens.
+     *
+     * @param {string} holonId - The holon to revoke write access from
+     * @param {string} lensName - The lens to revoke write access for
+     * @returns {Promise<boolean>} Success indicator
+     */
+    async revokeWriteAccess(holonId, lensName) {
+      return revokeWriteAccess(
+        this.client,
+        this.config.appName,
+        holonId,
+        lensName
+      );
+    }
+    /**
+     * Get write grants for a specific holon.
+     *
+     * @param {string} holonId - The holon to get write grants for
+     * @returns {Promise<Array>} Array of write grants { lensName, grantedAt, expiresAt }
+     */
+    async getWriteGrantsForHolon(holonId) {
+      return getWriteGrantsForHolon(
+        this.client,
+        this.config.appName,
+        holonId
+      );
+    }
+    /**
+     * Get all write grants issued to federated holons.
+     *
+     * @returns {Promise<Array>} Array of { holonId, alias, writeGrants }
+     */
+    async getAllWriteGrants() {
+      return getAllWriteGrants(
+        this.client,
+        this.config.appName
+      );
+    }
   };
 }
 function createAIServices(apiKey, holosphere = null, options = {}, openaiClient = null) {
@@ -57795,6 +59554,11 @@ class HoloSphereBase extends HoloSphere$1 {
       this._initializeAI(openaiKey, aiOptions);
     }
     this._contracts = null;
+    this.keyStore = new LensKeyStore();
+    this._encryptionConfig = {
+      encryptByDefault: config.encryptByDefault ?? false,
+      publicLenses: config.publicLenses || ["profile", "settings", "public"]
+    };
   }
   /**
    * Gets an environment variable value (Node.js only).
@@ -57969,6 +59733,7 @@ class HoloSphereBase extends HoloSphere$1 {
    * @param {Object} [options.propagationOptions] - Options for propagation
    * @param {boolean} [options.blocking=false] - If true, wait for relay confirmation before returning
    * @param {string} [options.signingKey] - Private key to sign with (hex format). If not provided, uses holosphere's default key.
+   * @param {boolean} [options.encrypt] - Whether to encrypt this data. Defaults to encryptByDefault config.
    * @returns {Promise<boolean>} True if write succeeded (or queued for optimistic writes)
    * @throws {ValidationError} If holonId, lensName, or data is invalid
    * @throws {AuthorizationError} If capability token is invalid
@@ -57985,8 +59750,61 @@ class HoloSphereBase extends HoloSphere$1 {
     if (!data || typeof data !== "object") {
       throw new ValidationError$1("ValidationError: data must be an object");
     }
+    const isPubkeyHolon = typeof holonId === "string" && /^[0-9a-f]{64}$/i.test(holonId);
+    let effectiveWriterPubKey = this.client?.publicKey;
+    if (options.signingKey) {
+      try {
+        effectiveWriterPubKey = getPublicKey(options.signingKey);
+      } catch (err) {
+        this._log("WARN", "⚠️ Invalid signingKey provided, using client key", { error: err.message });
+      }
+    }
+    const isOwnHolon = effectiveWriterPubKey && (holonId === effectiveWriterPubKey || !isPubkeyHolon);
     const capToken = options.capabilityToken || options.capability;
-    if (capToken) {
+    const actingAsHolon = options.actingAs || options.actingAsHolon;
+    if (!isOwnHolon) {
+      if (capToken) {
+        const authorized = await this.verifyCapability(capToken, "write", { holonId, lensName });
+        if (!authorized) {
+          this._log("WARN", "🚫 Write denied: Invalid capability token", { holonId, lensName });
+          throw new AuthorizationError(
+            "Invalid capability token for write operation",
+            "write"
+          );
+        }
+        this._log("DEBUG", "✅ Write authorized via capability token", { holonId, lensName });
+      } else {
+        const writerPubKey = effectiveWriterPubKey;
+        if (!writerPubKey) {
+          this._log("WARN", "🚫 Write denied: No authenticated user", { holonId, lensName });
+          throw new AuthorizationError(
+            "Authentication required for writing to federated holons",
+            "write"
+          );
+        }
+        const accessCheck = await this.canAccess(holonId, lensName, writerPubKey, "write", { actingAsHolon });
+        if (!accessCheck.allowed) {
+          this._log("WARN", "🚫 Write denied: No write access", {
+            holonId,
+            lensName,
+            reason: accessCheck.reason,
+            via: accessCheck.via,
+            writerPubKey: writerPubKey?.slice(0, 12) + "..."
+          });
+          throw new AuthorizationError(
+            `Write access denied: ${accessCheck.reason}`,
+            "write"
+          );
+        }
+        this._log("DEBUG", "✅ Write authorized via unified access control", {
+          holonId,
+          lensName,
+          via: accessCheck.via,
+          reason: accessCheck.reason,
+          grant: accessCheck.grant ? "yes" : "no"
+        });
+      }
+    } else if (capToken) {
       const authorized = await this.verifyCapability(capToken, "write", { holonId, lensName });
       if (!authorized) {
         throw new AuthorizationError("AuthorizationError: Invalid capability token for write operation", "write");
@@ -58050,7 +59868,29 @@ class HoloSphereBase extends HoloSphere$1 {
         this._log("DEBUG", "🔗 Syncing hologram write", { path, target: existingData.target });
         return this._syncHologramWrite(existingData, data, path, lensName, options);
       }
-      const writeOptions = options.signingKey ? { signingKey: options.signingKey } : {};
+      const shouldEncrypt = this._shouldEncryptLens(lensName, options);
+      let lensKey = null;
+      if (shouldEncrypt && this.client?.privateKey && this.client?.publicKey) {
+        const lensPath = buildLensPath(this.config.appName, holonId, lensName);
+        const keyResult = this.keyStore.getOrCreateKey(
+          lensPath,
+          this.client.privateKey,
+          this.client.publicKey
+        );
+        lensKey = keyResult.key;
+        if (keyResult.isNew) {
+          this._log("DEBUG", "🔑 Generated new lens key", { lensPath });
+          this._storeWrappedKey(lensPath, keyResult.wrappedForSelf).catch((err) => {
+            this._log("WARN", "⚠️ Failed to persist wrapped key", { lensPath, error: err.message });
+          });
+        }
+      }
+      const writeOptions = {
+        ...options.signingKey ? { signingKey: options.signingKey } : {},
+        ...lensKey ? { lensKey } : {},
+        waitForRelays: true
+        // Always wait for relay confirmation when sync is called
+      };
       await write(this.client, path, data, writeOptions);
       const endTime = Date.now();
       const duration = endTime - startTime;
@@ -58118,6 +59958,22 @@ class HoloSphereBase extends HoloSphere$1 {
     const startTime = Date.now();
     await write(this.client, path, localData);
     if (Object.keys(sourceUpdates).length > 0) {
+      const capability = existingData.capability;
+      if (!capability) {
+        throw new Error("Hologram missing capability token for source update");
+      }
+      const hasWrite = await verifyCapability$1(
+        capability,
+        "write",
+        {
+          holonId: existingData.target.holonId,
+          lensName: existingData.target.lensName,
+          dataId: existingData.target.dataId
+        }
+      );
+      if (!hasWrite) {
+        throw new Error("Write capability required to update source data through hologram");
+      }
       const sourcePath = buildPath(
         existingData.target.appname || this.config.appName,
         existingData.target.holonId,
@@ -58162,6 +60018,156 @@ class HoloSphereBase extends HoloSphere$1 {
   async _getCapabilityForAuthor(authorPubKey, scope) {
     return getCapabilityForAuthor(this.client, this.config.appName, authorPubKey, scope);
   }
+  /**
+   * Determine if a lens should be encrypted.
+   *
+   * @private
+   * @param {string} lensName - Name of the lens
+   * @param {Object} options - Write options
+   * @returns {boolean} True if lens should be encrypted
+   */
+  _shouldEncryptLens(lensName, options = {}) {
+    if (options.encrypt !== void 0) {
+      return options.encrypt;
+    }
+    if (this._encryptionConfig.publicLenses.includes(lensName)) {
+      return false;
+    }
+    return this._encryptionConfig.encryptByDefault;
+  }
+  /**
+   * Store a wrapped lens key in Nostr for persistence.
+   * This allows recovering keys after restart.
+   *
+   * @private
+   * @param {string} lensPath - Path identifying the lens
+   * @param {string} wrappedKey - NIP-44 wrapped key for self
+   * @returns {Promise<void>}
+   */
+  async _storeWrappedKey(lensPath, wrappedKey) {
+    const keyStorePath = buildPath(this.config.appName, "_keys", "lens-keys", lensPath.replace(/\//g, "_"));
+    await write(this.client, keyStorePath, {
+      id: lensPath.replace(/\//g, "_"),
+      lensPath,
+      wrappedKey,
+      algorithm: "aes-256-gcm",
+      keyWrap: "nip44",
+      version: "1.0",
+      createdAt: Date.now()
+    });
+  }
+  /**
+   * Load stored wrapped keys from Nostr and restore them to the keyStore.
+   * Called during initialization to recover keys after restart.
+   *
+   * @private
+   * @returns {Promise<number>} Number of keys restored
+   */
+  async _loadStoredKeys() {
+    if (!this.client?.privateKey || !this.client?.publicKey) {
+      return 0;
+    }
+    const keyStorePath = buildPath(this.config.appName, "_keys", "lens-keys") + "/";
+    const storedKeys = await readAll(this.client, keyStorePath);
+    let restored = 0;
+    for (const keyData of storedKeys) {
+      if (keyData && keyData.lensPath && keyData.wrappedKey) {
+        try {
+          const key = unwrapKey(
+            keyData.wrappedKey,
+            this.client.privateKey,
+            this.client.publicKey
+          );
+          this.keyStore.storeOwnKey(keyData.lensPath, key, keyData.wrappedKey);
+          restored++;
+        } catch (err) {
+          this._log("WARN", "⚠️ Failed to restore lens key", { lensPath: keyData.lensPath, error: err.message });
+        }
+      }
+    }
+    if (restored > 0) {
+      this._log("DEBUG", "🔑 Restored lens keys", { count: restored });
+    }
+    return restored;
+  }
+  /**
+   * Get the lens key for reading encrypted data.
+   * Returns the key from keyStore if available, otherwise null.
+   *
+   * @private
+   * @param {string} holonId - Holon identifier
+   * @param {string} lensName - Lens name
+   * @returns {Buffer|null} Lens key or null if not available
+   */
+  _getLensKey(holonId, lensName) {
+    const lensPath = buildLensPath(this.config.appName, holonId, lensName);
+    return this.keyStore.getKey(lensPath);
+  }
+  /**
+   * Handle a received lens key share from a federation partner.
+   * Call this from your onKeyShare handler in subscribeToFederationDMs.
+   *
+   * @param {Object} keyShare - Key share payload
+   * @param {string} keyShare.lensPath - Path identifying the lens
+   * @param {string} keyShare.wrappedKey - NIP-44 wrapped symmetric key
+   * @param {string} senderPubKey - Sender's public key
+   * @returns {boolean} True if key was successfully stored
+   */
+  handleReceivedKeyShare(keyShare, senderPubKey) {
+    if (!this.client?.privateKey) {
+      this._log("WARN", "⚠️ Cannot receive key share: no private key");
+      return false;
+    }
+    try {
+      const key = this.keyStore.receiveKey(
+        keyShare.lensPath,
+        keyShare.wrappedKey,
+        this.client.privateKey,
+        senderPubKey
+      );
+      this._log("DEBUG", "🔑 Received and stored lens key", {
+        lensPath: keyShare.lensPath,
+        from: senderPubKey.slice(0, 12) + "..."
+      });
+      return true;
+    } catch (error) {
+      this._log("ERROR", "❌ Failed to receive key share", {
+        lensPath: keyShare.lensPath,
+        error: error.message
+      });
+      return false;
+    }
+  }
+  /**
+   * Get encryption statistics for the key store.
+   *
+   * @returns {Object} { ownKeyCount, receivedKeyCount, totalPartnerGrants }
+   */
+  getEncryptionStats() {
+    return this.keyStore.getStats();
+  }
+  /**
+   * Check if a lens has an encryption key available.
+   *
+   * @param {string} holonId - Holon identifier
+   * @param {string} lensName - Lens name
+   * @returns {boolean} True if key is available for this lens
+   */
+  hasLensKey(holonId, lensName) {
+    const lensPath = buildLensPath(this.config.appName, holonId, lensName);
+    return this.keyStore.hasKey(lensPath);
+  }
+  /**
+   * Check if we own the key for a lens (vs received it from a partner).
+   *
+   * @param {string} holonId - Holon identifier
+   * @param {string} lensName - Lens name
+   * @returns {boolean} True if we own the key
+   */
+  isOwnLensKey(holonId, lensName) {
+    const lensPath = buildLensPath(this.config.appName, holonId, lensName);
+    return this.keyStore.isOwnKey(lensPath);
+  }
   /**
    * Recursively resolves holograms (references) to their source data.
    * Handles circular reference detection and local overrides.
@@ -58292,9 +60298,17 @@ class HoloSphereBase extends HoloSphere$1 {
         return cached.data;
       }
     }
-    const targetPubkey = await this._resolveHolonToPubkey(holonId);
+    const targetPubkey = options.skipResolve ? null : await this._resolveHolonToPubkey(holonId);
     const isOtherAuthor = targetPubkey && targetPubkey !== this.client.publicKey;
+    this._log("DEBUG", "🔍 READ: author check", {
+      targetPubkey: targetPubkey?.slice(0, 12),
+      clientPubkey: this.client?.publicKey?.slice(0, 12),
+      isOtherAuthor,
+      holonId: holonId?.slice(0, 12)
+    });
     let readOptions = {};
+    if (options.forceRelay) readOptions.forceRelay = true;
+    if (options.timeout) readOptions.timeout = options.timeout;
     const capToken = options.capabilityToken || options.capability;
     if (capToken) {
       const authorized = await this.verifyCapability(capToken, "read", { holonId, lensName, dataId });
@@ -58328,18 +60342,23 @@ class HoloSphereBase extends HoloSphere$1 {
       });
       readOptions.authors = [targetPubkey];
     }
+    this._log("DEBUG", "🔍 Checking for federated authors", { isOtherAuthor, holonId: holonId?.slice(0, 12) });
     if (!isOtherAuthor) {
       try {
-        const federatedAuthors = await getFederatedAuthorsForScope(
+        this._log("DEBUG", "🔍 Getting federated authors...");
+        const fedAuthorsPromise = getFederatedAuthors(
           this.client,
-          this.config.appName,
-          { holonId, lensName, dataId },
-          "read"
+          this.config.appName
         );
+        const fedAuthorsTimeout = new Promise(
+          (resolve) => setTimeout(() => resolve([]), 5e3)
+          // 5 second timeout, resolve with empty array
+        );
+        const federatedAuthors = await Promise.race([fedAuthorsPromise, fedAuthorsTimeout]);
+        this._log("DEBUG", "✅ Got federated authors", { count: federatedAuthors?.length || 0 });
         if (federatedAuthors.length > 0) {
-          const partnerPubkeys = federatedAuthors.map((f) => f.pubKey);
-          readOptions.authors = [this.client.publicKey, ...partnerPubkeys];
-          this._log("DEBUG", "Including federated authors", { count: partnerPubkeys.length });
+          readOptions.authors = [this.client.publicKey, ...federatedAuthors];
+          this._log("DEBUG", "Including federated authors", { count: federatedAuthors.length });
         }
       } catch (err) {
         this._log("WARN", "Failed to get federated authors", { error: err.message });
@@ -58347,6 +60366,10 @@ class HoloSphereBase extends HoloSphere$1 {
     }
     const startTime = Date.now();
     let result;
+    const lensKey = this._getLensKey(holonId, lensName);
+    if (lensKey) {
+      readOptions.lensKey = lensKey;
+    }
     if (dataId) {
       const path = buildPath(this.config.appName, holonId, lensName, dataId);
       if (this._deleteCache.has(path)) {
@@ -58368,7 +60391,7 @@ class HoloSphereBase extends HoloSphere$1 {
           });
           result = cached.data;
         } else {
-          this._log("DEBUG", "📖 CACHE MISS: Reading from storage", { path, authors: readOptions.authors });
+          this._log("DEBUG", "📖 CACHE MISS: Reading from storage", { path, authors: readOptions.authors, hasKey: !!lensKey });
           result = await read(this.client, path, readOptions);
           this._log("DEBUG", "💾 STORAGE READ", {
             path,
@@ -58380,7 +60403,7 @@ class HoloSphereBase extends HoloSphere$1 {
       }
     } else {
       const path = buildPath(this.config.appName, holonId, lensName);
-      this._log("DEBUG", "readAll", { holonId, lensName, path, authors: readOptions.authors });
+      this._log("DEBUG", "readAll", { holonId, lensName, path, authors: readOptions.authors, hasKey: !!lensKey });
       const storageResult = await readAll(this.client, path, readOptions);
       result = isOtherAuthor ? storageResult : this._mergeWithWriteCache(storageResult, path);
       this._log("DEBUG", "readAll result", { count: Array.isArray(result) ? result.length : 0 });
@@ -58456,8 +60479,26 @@ class HoloSphereBase extends HoloSphere$1 {
     if (!updates || typeof updates !== "object") {
       throw new ValidationError$1("ValidationError: updates must be an object");
     }
+    const isPubkeyHolon = typeof holonId === "string" && /^[0-9a-f]{64}$/i.test(holonId);
+    const isOwnHolon = this.client && (holonId === this.client.publicKey || !isPubkeyHolon);
     const capToken = options.capabilityToken || options.capability;
-    if (capToken) {
+    if (!isOwnHolon) {
+      if (!capToken) {
+        this._log("WARN", "🚫 Update denied: No capability token for federated holon", { holonId, lensName, dataId });
+        throw new AuthorizationError(
+          "Capability token required for writing to federated holons",
+          "write"
+        );
+      }
+      const authorized = await this.verifyCapability(capToken, "write", { holonId, lensName, dataId });
+      if (!authorized) {
+        this._log("WARN", "🚫 Update denied: Invalid capability token", { holonId, lensName, dataId });
+        throw new AuthorizationError(
+          "Invalid capability token for update operation",
+          "write"
+        );
+      }
+    } else if (capToken) {
       const authorized = await this.verifyCapability(capToken, "write", { holonId, lensName, dataId });
       if (!authorized) {
         throw new AuthorizationError("AuthorizationError: Invalid capability token for update operation", "write");
@@ -58528,7 +60569,7 @@ class HoloSphereBase extends HoloSphere$1 {
       });
       if (existingData._meta && existingData._meta.activeHolograms) {
         this._log("DEBUG", "🔗 Refreshing active holograms", { path });
-        refreshActiveHolograms(this.client, this.config.appName, holonId, lensName, dataId).catch((err) => this._log("WARN", "⚠️ Hologram refresh failed", { path, error: err.message }));
+        await refreshActiveHolograms(this.client, this.config.appName, holonId, lensName, dataId).catch((err) => this._log("WARN", "⚠️ Hologram refresh failed", { path, error: err.message }));
       }
       return true;
     } catch (error) {
@@ -58571,6 +60612,16 @@ class HoloSphereBase extends HoloSphere$1 {
     if (!dataId) {
       throw new ValidationError$1("ValidationError: dataId must be a non-empty string");
     }
+    const isPubkeyHolon = typeof holonId === "string" && /^[0-9a-f]{64}$/i.test(holonId);
+    const isOwnHolon = this.client && (holonId === this.client.publicKey || !isPubkeyHolon);
+    const capToken = options.capabilityToken || options.capability;
+    if (!isOwnHolon && !capToken) {
+      this._log("WARN", "🚫 Delete denied: No capability token for federated holon", { holonId, lensName, dataId });
+      throw new AuthorizationError(
+        "Capability token required for writing to federated holons",
+        "delete"
+      );
+    }
     const path = buildPath(this.config.appName, holonId, lensName, dataId);
     const cached = this._writeCache.get(path);
     let existingData = cached ? cached.data : null;
@@ -58585,9 +60636,8 @@ class HoloSphereBase extends HoloSphere$1 {
     }
     this._log("DEBUG", "🗑️ DELETE: Found data", { path, source: dataSource });
     const dataOwner = existingData.owner || existingData._creator;
-    const isOwner = !dataOwner || dataOwner === this.client.publicKey;
-    const capToken = options.capabilityToken || options.capability;
-    if (!isOwner) {
+    const isDataOwner = !dataOwner || dataOwner === this.client.publicKey;
+    if (!isDataOwner) {
       if (!capToken) {
         throw new AuthorizationError("AuthorizationError: Capability token required for delete operation", "delete");
       }
@@ -58870,15 +60920,22 @@ class HoloSphereBase extends HoloSphere$1 {
    * @param {string} lensName - Name of the lens
    * @param {Object} data - Data object containing the id to reference
    * @param {string} [targetHolon=null] - Target holon for the hologram, defaults to sourceHolon
-   * @returns {Object} Hologram object structure
+   * @returns {Promise<Object>} Hologram object structure
    */
-  createHologram(sourceHolon, lensName, data, targetHolon = null) {
-    return createHologram(
+  async createHologram(sourceHolon, lensName, data, targetHolon = null) {
+    const target = targetHolon || sourceHolon;
+    return createHologramWithCapability(
+      this.client,
       sourceHolon,
-      targetHolon || sourceHolon,
+      target,
       lensName,
       data.id,
-      this.config.appName
+      this.config.appName,
+      {
+        sourceAuthorPubKey: this.client.publicKey,
+        targetAuthorPubKey: this.client.publicKey,
+        permissions: ["read"]
+      }
     );
   }
   /**
@@ -59187,6 +61244,8 @@ class HoloSphereBase extends HoloSphere$1 {
     federationData.lensConfig[targetHolon] = {
       inbound: lensConfig.inbound || [],
       outbound: lensConfig.outbound || [],
+      writeInbound: lensConfig.writeInbound || [],
+      writeOutbound: lensConfig.writeOutbound || [],
       timestamp: Date.now()
     };
     const success = await this.writeGlobal("federation", federationData);
@@ -59323,7 +61382,7 @@ class HoloSphereBase extends HoloSphere$1 {
    * @returns {Promise<string>} Hex-encoded public key
    */
   async getPublicKey(privateKey) {
-    return getPublicKey$1(privateKey);
+    return getPublicKey(privateKey);
   }
   /**
    * Signs content with a private key.
@@ -59789,26 +61848,30 @@ export {
   networks as bA,
   matchScope as bB,
   createHologram as bC,
-  createFederationCard as bD,
-  getVisibleLenses as bE,
-  getLensConfigForHandshake as bF,
-  toggleLens as bG,
-  toggleCardExpansion as bH,
-  dismissCard$1 as bI,
-  saveCard as bJ,
-  getCard as bK,
-  getDisplayableCards as bL,
-  dismissRequest as bM,
-  markResponseProcessed as bN,
-  isResponseProcessed as bO,
-  createAIServices as bP,
-  NETWORKS as bQ,
-  getNetwork as bR,
-  getNetworksByType as bS,
-  listNetworks as bT,
-  isNetworkSupported as bU,
-  getTxUrl as bV,
-  getAddressUrl as bW,
+  LensKeyStore as bD,
+  buildLensPath as bE,
+  parseLensPath as bF,
+  lensKeys as bG,
+  createFederationCard as bH,
+  getVisibleLenses as bI,
+  getLensConfigForHandshake as bJ,
+  toggleLens as bK,
+  toggleCardExpansion as bL,
+  dismissCard$1 as bM,
+  saveCard as bN,
+  getCard as bO,
+  getDisplayableCards as bP,
+  dismissRequest as bQ,
+  markResponseProcessed as bR,
+  isResponseProcessed as bS,
+  createAIServices as bT,
+  NETWORKS as bU,
+  getNetwork as bV,
+  getNetworksByType as bW,
+  listNetworks as bX,
+  isNetworkSupported as bY,
+  getTxUrl as bZ,
+  getAddressUrl as b_,
   RelationshipDiscovery as ba,
   TaskBreakdown as bb,
   H3AI as bc,
@@ -59860,4 +61923,4 @@ export {
   concatBytes as y,
   dataLength as z
 };
-//# sourceMappingURL=index-BN_uoxQK.js.map
+//# sourceMappingURL=index-C3Cag0SV.js.map