narrarium-astro-reader 0.1.26 → 0.1.28

package/cli-dist/lib/content-crypto.d.ts

@@ -0,0 +1,19 @@
+/** Return the singleton salt for this build process, creating it on first call. */
+export declare function getBuildSalt(): Buffer;
+/** Base64-encoded build salt, ready to embed in an HTML attribute. */
+export declare function getBuildSaltBase64(): string;
+export interface EncryptedChunk {
+    /** Base64-encoded 12-byte random IV. */
+    iv: string;
+    /** Base64-encoded (ciphertext ∥ 16-byte GCM auth tag). */
+    ct: string;
+}
+/**
+ * Encrypt a UTF-8 string with AES-256-GCM using PBKDF2-derived key.
+ *
+ * The ciphertext field contains the encrypted bytes immediately followed by
+ * the 16-byte GCM authentication tag, so Web Crypto's AES-GCM decrypt can
+ * verify integrity without any additional framing.
+ */
+export declare function encryptString(plaintext: string, password: string): EncryptedChunk;
+//# sourceMappingURL=content-crypto.d.ts.map

package/cli-dist/lib/content-crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-crypto.d.ts","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAcA,mFAAmF;AACnF,wBAAgB,YAAY,IAAI,MAAM,CAKrC;AAED,sEAAsE;AACtE,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAMD,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,0DAA0D;IAC1D,EAAE,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,CAWjF"}

package/cli-dist/lib/content-crypto.js

@@ -0,0 +1,45 @@
+import { createCipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
+/**
+ * Build-time AES-256-GCM content encryption utilities.
+ *
+ * A single random 16-byte salt is generated once per Node process (i.e. once
+ * per Astro build). It is embedded publicly in the built HTML via
+ * `data-crypto-salt` on `<body>` so the client can run PBKDF2 key derivation
+ * with the same parameters. A public salt is fine — it only prevents rainbow
+ * tables; the security comes from the password entropy.
+ */
+let _buildSalt = null;
+/** Return the singleton salt for this build process, creating it on first call. */
+export function getBuildSalt() {
+    if (!_buildSalt) {
+        _buildSalt = randomBytes(16);
+    }
+    return _buildSalt;
+}
+/** Base64-encoded build salt, ready to embed in an HTML attribute. */
+export function getBuildSaltBase64() {
+    return getBuildSalt().toString("base64");
+}
+function deriveKey(password, salt) {
+    return pbkdf2Sync(password, salt, 100_000, 32, "sha256");
+}
+/**
+ * Encrypt a UTF-8 string with AES-256-GCM using PBKDF2-derived key.
+ *
+ * The ciphertext field contains the encrypted bytes immediately followed by
+ * the 16-byte GCM authentication tag, so Web Crypto's AES-GCM decrypt can
+ * verify integrity without any additional framing.
+ */
+export function encryptString(plaintext, password) {
+    const salt = getBuildSalt();
+    const key = deriveKey(password, salt);
+    const iv = randomBytes(12);
+    const cipher = createCipheriv("aes-256-gcm", key, iv);
+    const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag(); // always 16 bytes for AES-GCM
+    return {
+        iv: iv.toString("base64"),
+        ct: Buffer.concat([body, tag]).toString("base64"),
+    };
+}
+//# sourceMappingURL=content-crypto.js.map

package/cli-dist/lib/content-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-crypto.js","sourceRoot":"","sources":["../../src/lib/content-crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtE;;;;;;;;GAQG;AAEH,IAAI,UAAU,GAAkB,IAAI,CAAC;AAErC,mFAAmF;AACnF,MAAM,UAAU,YAAY;IAC1B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,kBAAkB;IAChC,OAAO,YAAY,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,IAAY;IAC/C,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AAC3D,CAAC;AASD;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,QAAgB;IAC/D,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,8BAA8B;IAC/D,OAAO;QACL,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAClD,CAAC;AACJ,CAAC"}

package/cli-dist/lib/reader-mode.d.ts

@@ -1,2 +1,15 @@
 export declare function isFullCanonMode(): boolean;
+/**
+ * Returns the raw NARRARIUM_READER_PASSWORD env var value, or null when the
+ * variable is not set. Used at build time to derive the AES-256-GCM key for
+ * content encryption. Never embedded in the built HTML.
+ */
+export declare function getReaderPassword(): string | null;
+/**
+ * Returns a SHA-256 hex hash of the NARRARIUM_READER_PASSWORD env var,
+ * or null when the variable is not set. The hash is embedded in the built
+ * HTML and compared against the user's input at runtime via SubtleCrypto
+ * as a fast pre-filter before the more expensive PBKDF2 key derivation.
+ */
+export declare function getReaderPasswordHash(): string | null;
 //# sourceMappingURL=reader-mode.d.ts.map

package/cli-dist/lib/reader-mode.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"reader-mode.d.ts","sourceRoot":"","sources":["../../src/lib/reader-mode.ts"],"names":[],"mappings":"AAEA,wBAAgB,eAAe,IAAI,OAAO,CAMzC"}
+{"version":3,"file":"reader-mode.d.ts","sourceRoot":"","sources":["../../src/lib/reader-mode.ts"],"names":[],"mappings":"AAGA,wBAAgB,eAAe,IAAI,OAAO,CAMzC;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,GAAG,IAAI,CAEjD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,GAAG,IAAI,CAIrD"}

package/cli-dist/lib/reader-mode.js

@@ -1,3 +1,4 @@
+import { createHash } from "node:crypto";
 import { readReaderEnv } from "./env.js";
 export function isFullCanonMode() {
     const raw = String(readReaderEnv(["NARRARIUM_READER_CANON_MODE", "NARRARIUM_READER_ALLOW_FULL_CANON"]) ?? "")
@@ -5,4 +6,24 @@ export function isFullCanonMode() {
         .toLowerCase();
     return raw === "1" || raw === "true" || raw === "full" || raw === "author" || raw === "spoilers";
 }
+/**
+ * Returns the raw NARRARIUM_READER_PASSWORD env var value, or null when the
+ * variable is not set. Used at build time to derive the AES-256-GCM key for
+ * content encryption. Never embedded in the built HTML.
+ */
+export function getReaderPassword() {
+    return readReaderEnv(["NARRARIUM_READER_PASSWORD"]) ?? null;
+}
+/**
+ * Returns a SHA-256 hex hash of the NARRARIUM_READER_PASSWORD env var,
+ * or null when the variable is not set. The hash is embedded in the built
+ * HTML and compared against the user's input at runtime via SubtleCrypto
+ * as a fast pre-filter before the more expensive PBKDF2 key derivation.
+ */
+export function getReaderPasswordHash() {
+    const raw = readReaderEnv(["NARRARIUM_READER_PASSWORD"]);
+    if (!raw)
+        return null;
+    return createHash("sha256").update(raw).digest("hex");
+}
 //# sourceMappingURL=reader-mode.js.map

package/cli-dist/lib/reader-mode.js.map

@@ -1 +1 @@
-{"version":3,"file":"reader-mode.js","sourceRoot":"","sources":["../../src/lib/reader-mode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,MAAM,UAAU,eAAe;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC,6BAA6B,EAAE,mCAAmC,CAAC,CAAC,IAAI,EAAE,CAAC;SAC1G,IAAI,EAAE;SACN,WAAW,EAAE,CAAC;IAEjB,OAAO,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,UAAU,CAAC;AACnG,CAAC"}
+{"version":3,"file":"reader-mode.js","sourceRoot":"","sources":["../../src/lib/reader-mode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,MAAM,UAAU,eAAe;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC,6BAA6B,EAAE,mCAAmC,CAAC,CAAC,IAAI,EAAE,CAAC;SAC1G,IAAI,EAAE;SACN,WAAW,EAAE,CAAC;IAEjB,OAAO,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,UAAU,CAAC;AACnG,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,aAAa,CAAC,CAAC,2BAA2B,CAAC,CAAC,IAAI,IAAI,CAAC;AAC9D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,GAAG,GAAG,aAAa,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "narrarium-astro-reader",
-  "version": "0.1.26",
+  "version": "0.1.28",
   "type": "module",
   "description": "Astro reader and scaffolding CLI for Narrarium book repositories.",
   "license": "MIT",
@@ -50,7 +50,7 @@
     "test": "npm run build:cli && node --test test/**/*.test.mjs"
   },
   "dependencies": {
-    "narrarium": "^0.1.26",
+    "narrarium": "^0.1.27",
     "astro": "^5.14.1",
     "chokidar": "^4.0.3",
     "marked": "^16.3.0"

package/src/components/EncryptedHtml.astro

@@ -0,0 +1,18 @@
+---
+import { getReaderPassword } from "../lib/reader-mode.js";
+import { encryptString } from "../lib/content-crypto.js";
+
+interface Props {
+  /** Raw HTML string to either render directly or encrypt at build time. */
+  html: string;
+}
+
+const { html } = Astro.props;
+const password = getReaderPassword();
+const encrypted = password ? encryptString(html, password) : null;
+---
+
+{encrypted
+  ? <span data-enc-html data-enc-iv={encrypted.iv} data-enc-ct={encrypted.ct} hidden></span>
+  : <Fragment set:html={html} />
+}

package/src/components/ReaderRuntime.astro

@@ -1,5 +1,7 @@
 ---
 import type { GlossaryEntry } from "../lib/glossary";
+import { getReaderPassword } from "../lib/reader-mode.js";
+import { encryptString } from "../lib/content-crypto.js";
 
 interface Props {
   glossary: GlossaryEntry[];
@@ -8,7 +10,9 @@ interface Props {
 }
 
 const { glossary, chapters } = Astro.props;
-const glossaryJson = JSON.stringify(glossary).replace(/</g, "\\u003c");
+const password = getReaderPassword();
+const rawGlossaryJson = JSON.stringify(glossary).replace(/</g, "\\u003c");
+const glossaryEncrypted = password ? encryptString(rawGlossaryJson, password) : null;
 const chaptersJson = JSON.stringify(chapters).replace(/</g, "\\u003c");
 ---
 
@@ -144,7 +148,10 @@ const chaptersJson = JSON.stringify(chapters).replace(/</g, "\\u003c");
   <div class="tts-status" data-tts-status>Speech will resume from the saved sentence when available.</div>
 </aside>
 
-<script type="application/json" id="canon-glossary-data" set:html={glossaryJson}></script>
+{glossaryEncrypted
+  ? <script type="application/json" id="canon-glossary-data" data-enc-iv={glossaryEncrypted.iv} data-enc-ct={glossaryEncrypted.ct}></script>
+  : <script type="application/json" id="canon-glossary-data" set:html={rawGlossaryJson}></script>
+}
 <script type="application/json" id="reader-chapter-data" set:html={chaptersJson}></script>
 
 <script>
@@ -160,21 +167,39 @@ const chaptersJson = JSON.stringify(chapters).replace(/</g, "\\u003c");
   const ttsRateStorageKey = "narrarium-reader-tts-rate";
   const ttsProgressStorageKey = "narrarium-reader-tts-progress";
   const ttsPlayerDismissedStorageKey = "narrarium-reader-tts-player-dismissed";
-  const glossaryDataElement = document.getElementById("canon-glossary-data");
   const chapterDataElement = document.getElementById("reader-chapter-data");
-  const glossaryEntries = glossaryDataElement ? JSON.parse(glossaryDataElement.textContent || "[]") : [];
   const chapterEntries = chapterDataElement ? JSON.parse(chapterDataElement.textContent || "[]") : [];
   const currentPageChapterRaw = document.body.dataset.readerChapterNumber;
   const currentPageChapterNumber = currentPageChapterRaw ? Number(currentPageChapterRaw) : Number.NaN;
 
+  // glossaryEntries is populated after content decryption (or immediately when
+  // there is no password protection). Declared as let so _loadGlossaryAndInit
+  // can reassign before dependent initializers run.
+  // eslint-disable-next-line prefer-const
+  let glossaryEntries: any[] = [];
+
+  function _loadGlossaryAndInit() {
+    const el = document.getElementById("canon-glossary-data");
+    // Guard: skip if the element still carries encrypted attrs (not yet decrypted).
+    if (!el || el.hasAttribute("data-enc-iv")) return;
+    try { glossaryEntries = JSON.parse(el.textContent || "[]"); } catch { glossaryEntries = []; }
+    initializeCanonMentions();
+    initializeReadAloud();
+  }
+
   initializeThemeToggle();
   initializeReaderPreferences();
   initializeReaderSettings();
   initializeSearchOverlay();
   initializeCanonModeToggle();
   initializeReadingProgress();
-  initializeCanonMentions();
-  initializeReadAloud();
+
+  // Wait for content to be available before initializing glossary-dependent features.
+  ((window as any)._narrariumContentReady || Promise.resolve("plain")).then((state: string) => {
+    if (state !== "locked") _loadGlossaryAndInit();
+  });
+  // Re-init after manual password unlock (state was "locked" when promise resolved).
+  document.addEventListener("narrarium:content-unlocked", _loadGlossaryAndInit);
 
   function initializeThemeToggle() {
     const saved = readStorage(themeStorageKey);

package/src/components/SiteSearch.astro

@@ -1,12 +1,16 @@
 ---
 import type { SearchEntry } from "../lib/search";
+import { getReaderPassword } from "../lib/reader-mode.js";
+import { encryptString } from "../lib/content-crypto.js";
 
 interface Props {
   entries: SearchEntry[];
 }
 
 const { entries } = Astro.props;
-const entriesJson = JSON.stringify(entries).replace(/</g, "\\u003c");
+const password = getReaderPassword();
+const rawEntriesJson = JSON.stringify(entries).replace(/</g, "\\u003c");
+const entriesEncrypted = password ? encryptString(rawEntriesJson, password) : null;
 const filters = [
   { key: "all", label: "All" },
   ...Array.from(new Map(entries.map((entry) => [entry.kindKey, entry.kind])).entries()).map(([key, label]) => ({ key, label })),
@@ -40,15 +44,26 @@ const filters = [
   </div>
 </div>
 
-<script type="application/json" id="reader-search-data" set:html={entriesJson}></script>
+{entriesEncrypted
+  ? <script type="application/json" id="reader-search-data" data-enc-iv={entriesEncrypted.iv} data-enc-ct={entriesEncrypted.ct}></script>
+  : <script type="application/json" id="reader-search-data" set:html={rawEntriesJson}></script>
+}
 
 <script is:inline>
   (() => {
     const spoilerLimitStorageKey = "narrarium-reader-spoiler-limit";
-    const searchDataElement = document.getElementById("reader-search-data");
-    const searchEntries = searchDataElement ? JSON.parse(searchDataElement.textContent || "[]") : [];
     const searchRoot = document.querySelector("[data-site-search]");
 
+    // searchEntries is populated once content is ready (after decryption when
+    // password-protected, or immediately for plain builds).
+    var searchEntries = [];
+
+    function loadSearchEntries() {
+      const el = document.getElementById("reader-search-data");
+      if (!el || el.hasAttribute("data-enc-iv")) return; // still encrypted
+      try { searchEntries = JSON.parse(el.textContent || "[]"); } catch { searchEntries = []; }
+    }
+
     if (searchRoot) {
       const input = searchRoot.querySelector("[data-search-input]");
       const results = searchRoot.querySelector("[data-search-results]");
@@ -102,6 +117,13 @@ const filters = [
       });
     }
 
+    // Load search entries once content is available.
+    (window._narrariumContentReady || Promise.resolve("plain")).then(function (state) {
+      if (state !== "locked") loadSearchEntries();
+    });
+    // Re-load after manual password unlock.
+    document.addEventListener("narrarium:content-unlocked", loadSearchEntries);
+
     function getSpoilerLimit() {
       const value = Number(localStorage.getItem(spoilerLimitStorageKey) || "");
       return Number.isFinite(value) ? value : null;

package/src/layouts/BaseLayout.astro

@@ -5,7 +5,8 @@ import SiteSearch from "../components/SiteSearch.astro";
 import { listChapters } from "narrarium";
 import { getBookRoot } from "../lib/book.js";
 import { loadCanonGlossary } from "../lib/glossary.js";
-import { isFullCanonMode } from "../lib/reader-mode.js";
+import { isFullCanonMode, getReaderPasswordHash, getReaderPassword } from "../lib/reader-mode.js";
+import { getBuildSaltBase64 } from "../lib/content-crypto.js";
 import { loadSearchIndex } from "../lib/search.js";
 
 interface Props {
@@ -29,6 +30,8 @@ const canonGlossary = await loadCanonGlossary(currentChapterNumber);
 const searchIndex = await loadSearchIndex(currentChapterNumber);
 const readerChapters = await listChapters(getBookRoot()).catch(() => []);
 const fullCanonMode = isFullCanonMode();
+const passwordHash = getReaderPasswordHash();
+const cryptoSalt = getReaderPassword() ? getBuildSaltBase64() : null;
 const isChapterPage = Number.isFinite(currentChapterNumber);
 ---
 
@@ -59,7 +62,7 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
       })();
     </script>
   </head>
-  <body class:list={[isChapterPage && "page-chapter"]} data-reader-chapter-number={currentChapterNumber} data-full-canon={fullCanonMode ? "true" : "false"}>
+    <body class:list={[isChapterPage && "page-chapter"]} data-reader-chapter-number={currentChapterNumber} data-full-canon={fullCanonMode ? "true" : "false"} data-reader-password-hash={passwordHash ?? ""} data-crypto-salt={cryptoSalt ?? undefined}>
     <script is:inline>
       (() => {
         try {
@@ -70,6 +73,138 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
         } catch {}
       })();
     </script>
+    <script is:inline>
+      (function () {
+        /* ── Content-ready promise ────────────────────────────────────────────
+           Resolved values:
+             "plain"     – no encryption, content available immediately
+             "locked"    – encrypted, no stored key, waiting for user password
+             "decrypted" – encrypted, auto-decrypted from stored AES key
+        ──────────────────────────────────────────────────────────────────── */
+        var salt = document.body.dataset.cryptoSalt;
+
+        if (!salt) {
+          // No encryption configured — content is always available.
+          window._narrariumContentReady = Promise.resolve("plain");
+          return;
+        }
+
+        // ── Helpers ──────────────────────────────────────────────────────────
+        function b64ToBytes(b64) {
+          var bin = atob(b64);
+          var bytes = new Uint8Array(bin.length);
+          for (var i = 0; i < bin.length; i++) { bytes[i] = bin.charCodeAt(i); }
+          return bytes;
+        }
+
+        function aesDecrypt(cryptoKey, ivB64, ctB64) {
+          return crypto.subtle.decrypt(
+            { name: "AES-GCM", iv: b64ToBytes(ivB64) },
+            cryptoKey,
+            b64ToBytes(ctB64)
+          ).then(function (buf) { return new TextDecoder().decode(buf); });
+        }
+
+        function decryptAllContent(cryptoKey) {
+          var tasks = [];
+
+          // Decrypt JSON script data tags
+          document.querySelectorAll('script[type="application/json"][data-enc-iv]').forEach(function (el) {
+            var iv = el.getAttribute("data-enc-iv");
+            var ct = el.getAttribute("data-enc-ct");
+            if (!iv || !ct) return;
+            tasks.push(
+              aesDecrypt(cryptoKey, iv, ct).then(function (plaintext) {
+                el.textContent = plaintext;
+                el.removeAttribute("data-enc-iv");
+                el.removeAttribute("data-enc-ct");
+              })
+            );
+          });
+
+          // Decrypt inline HTML placeholder spans
+          document.querySelectorAll("[data-enc-html]").forEach(function (el) {
+            var iv = el.getAttribute("data-enc-iv");
+            var ct = el.getAttribute("data-enc-ct");
+            if (!iv || !ct) return;
+            tasks.push(
+              aesDecrypt(cryptoKey, iv, ct).then(function (html) {
+                var tpl = document.createElement("template");
+                tpl.innerHTML = html;
+                el.parentNode.insertBefore(tpl.content, el);
+                el.parentNode.removeChild(el);
+              })
+            );
+          });
+
+          return Promise.all(tasks);
+        }
+
+        // ── Deferred promise setup ───────────────────────────────────────────
+        var _resolveReady;
+        window._narrariumContentReady = new Promise(function (res) { _resolveReady = res; });
+
+        /**
+         * Decrypt all page content with the given CryptoKey, remove the lock
+         * class, and resolve _narrariumContentReady.
+         * @param {boolean} isAutoDecrypt - true when called from stored-key path;
+         *   false (default) when called after the user submits the password form.
+         *   When false, dispatches narrarium:content-unlocked so late-init scripts
+         *   that already observed "locked" can re-initialize.
+         */
+        window._narrariumDecryptPage = function (cryptoKey, isAutoDecrypt) {
+          return decryptAllContent(cryptoKey).then(function () {
+            document.body.classList.remove("reader-auth-locked");
+            _resolveReady("decrypted");
+            if (!isAutoDecrypt) {
+              document.dispatchEvent(new CustomEvent("narrarium:content-unlocked"));
+            }
+          });
+        };
+
+        // ── Try auto-decrypt from stored AES key ─────────────────────────────
+        var storedKeyB64 = null;
+        try { storedKeyB64 = localStorage.getItem("narrarium-reader-aes-key"); } catch (_) {}
+
+        if (storedKeyB64) {
+          crypto.subtle.importKey(
+            "raw", b64ToBytes(storedKeyB64),
+            { name: "AES-GCM", length: 256 },
+            false, ["decrypt"]
+          )
+            .then(function (key) { return window._narrariumDecryptPage(key, true); })
+            .catch(function () {
+              // Stored key is stale or corrupt — clear it and show lock screen.
+              try { localStorage.removeItem("narrarium-reader-aes-key"); } catch (_) {}
+              document.body.classList.add("reader-auth-locked");
+              _resolveReady("locked");
+            });
+        } else {
+          document.body.classList.add("reader-auth-locked");
+          _resolveReady("locked");
+        }
+      })();
+    </script>
+    {passwordHash && (
+      <div id="reader-password-gate" role="dialog" aria-modal="true" aria-label="Access required">
+        <div class="reader-password-gate__inner">
+          <p class="eyebrow">Narrarium Reader</p>
+          <h1 class="reader-password-gate__title">Access Required</h1>
+          <p class="reader-password-gate__desc">Enter the password to access this book.</p>
+          <form id="reader-password-form" class="reader-password-gate__form" novalidate>
+            <input
+              type="password"
+              id="reader-password-input"
+              class="reader-password-gate__input"
+              placeholder="Password"
+              autocomplete="current-password"
+            />
+            <button type="submit" class="reader-password-gate__button">Unlock</button>
+          </form>
+          <p id="reader-password-error" class="reader-password-gate__error" hidden>Incorrect password. Please try again.</p>
+        </div>
+      </div>
+    )}
     <main class="shell">
       <header class="masthead">
         <a class="brand" href="./">Narrarium</a>
@@ -95,5 +230,80 @@ const isChapterPage = Number.isFinite(currentChapterNumber);
     </main>
     <SiteSearch entries={searchIndex} />
     <ReaderRuntime glossary={canonGlossary} chapters={readerChapters} currentChapterNumber={currentChapterNumber} />
+    {passwordHash && (
+      <script is:inline>
+        (function initPasswordGate() {
+          var gate = document.getElementById("reader-password-gate");
+          var form = document.getElementById("reader-password-form");
+          var input = document.getElementById("reader-password-input");
+          var errorEl = document.getElementById("reader-password-error");
+          var passwordHash = document.body.dataset.readerPasswordHash;
+          var cryptoSalt = document.body.dataset.cryptoSalt;
+          if (!gate || !form || !passwordHash) return;
+          if (input) { input.focus(); }
+
+          function buf2hex(buffer) {
+            return Array.from(new Uint8Array(buffer))
+              .map(function (b) { return b.toString(16).padStart(2, "0"); })
+              .join("");
+          }
+
+          function b64ToBytes(b64) {
+            var bin = atob(b64);
+            var bytes = new Uint8Array(bin.length);
+            for (var i = 0; i < bin.length; i++) { bytes[i] = bin.charCodeAt(i); }
+            return bytes;
+          }
+
+          form.addEventListener("submit", function (event) {
+            event.preventDefault();
+            var password = input ? input.value : "";
+            if (!password) return;
+
+            var encoded = new TextEncoder().encode(password);
+
+            // Quick SHA-256 check before the expensive PBKDF2 step.
+            crypto.subtle.digest("SHA-256", encoded).then(function (hashBuffer) {
+              if (buf2hex(hashBuffer) !== passwordHash) {
+                if (errorEl) { errorEl.hidden = false; }
+                if (input) { input.value = ""; input.focus(); }
+                return;
+              }
+
+              // Hash matched — derive the AES-256-GCM key via PBKDF2.
+              var saltBytes = b64ToBytes(cryptoSalt);
+              crypto.subtle.importKey("raw", encoded, "PBKDF2", false, ["deriveKey"])
+                .then(function (keyMaterial) {
+                  return crypto.subtle.deriveKey(
+                    { name: "PBKDF2", salt: saltBytes, iterations: 100000, hash: "SHA-256" },
+                    keyMaterial,
+                    { name: "AES-GCM", length: 256 },
+                    true,          // extractable so we can export and store it
+                    ["decrypt"]
+                  );
+                })
+                .then(function (aesKey) {
+                  // Persist the raw key bytes so auto-decrypt works on reload.
+                  crypto.subtle.exportKey("raw", aesKey).then(function (rawBuf) {
+                    var rawBytes = new Uint8Array(rawBuf);
+                    var b64 = btoa(String.fromCharCode.apply(null, Array.from(rawBytes)));
+                    try { localStorage.setItem("narrarium-reader-aes-key", b64); } catch (_) {}
+                  });
+
+                  // Decrypt the page — passes false = manual unlock, so the
+                  // content-unlocked event will fire for late-init scripts.
+                  return window._narrariumDecryptPage(aesKey, false);
+                })
+                .catch(function () {
+                  if (errorEl) { errorEl.hidden = false; }
+                  if (input) { input.value = ""; input.focus(); }
+                });
+            }).catch(function () {
+              if (errorEl) { errorEl.hidden = false; }
+            });
+          });
+        })();
+      </script>
+    )}
   </body>
 </html>

package/src/lib/content-crypto.ts

@@ -0,0 +1,57 @@
+import { createCipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
+
+/**
+ * Build-time AES-256-GCM content encryption utilities.
+ *
+ * A single random 16-byte salt is generated once per Node process (i.e. once
+ * per Astro build). It is embedded publicly in the built HTML via
+ * `data-crypto-salt` on `<body>` so the client can run PBKDF2 key derivation
+ * with the same parameters. A public salt is fine — it only prevents rainbow
+ * tables; the security comes from the password entropy.
+ */
+
+let _buildSalt: Buffer | null = null;
+
+/** Return the singleton salt for this build process, creating it on first call. */
+export function getBuildSalt(): Buffer {
+  if (!_buildSalt) {
+    _buildSalt = randomBytes(16);
+  }
+  return _buildSalt;
+}
+
+/** Base64-encoded build salt, ready to embed in an HTML attribute. */
+export function getBuildSaltBase64(): string {
+  return getBuildSalt().toString("base64");
+}
+
+function deriveKey(password: string, salt: Buffer): Buffer {
+  return pbkdf2Sync(password, salt, 100_000, 32, "sha256");
+}
+
+export interface EncryptedChunk {
+  /** Base64-encoded 12-byte random IV. */
+  iv: string;
+  /** Base64-encoded (ciphertext ∥ 16-byte GCM auth tag). */
+  ct: string;
+}
+
+/**
+ * Encrypt a UTF-8 string with AES-256-GCM using PBKDF2-derived key.
+ *
+ * The ciphertext field contains the encrypted bytes immediately followed by
+ * the 16-byte GCM authentication tag, so Web Crypto's AES-GCM decrypt can
+ * verify integrity without any additional framing.
+ */
+export function encryptString(plaintext: string, password: string): EncryptedChunk {
+  const salt = getBuildSalt();
+  const key = deriveKey(password, salt);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag(); // always 16 bytes for AES-GCM
+  return {
+    iv: iv.toString("base64"),
+    ct: Buffer.concat([body, tag]).toString("base64"),
+  };
+}

package/src/lib/reader-mode.ts

@@ -1,3 +1,4 @@
+import { createHash } from "node:crypto";
 import { readReaderEnv } from "./env.js";
 
 export function isFullCanonMode(): boolean {
@@ -7,3 +8,24 @@ export function isFullCanonMode(): boolean {
 
   return raw === "1" || raw === "true" || raw === "full" || raw === "author" || raw === "spoilers";
 }
+
+/**
+ * Returns the raw NARRARIUM_READER_PASSWORD env var value, or null when the
+ * variable is not set. Used at build time to derive the AES-256-GCM key for
+ * content encryption. Never embedded in the built HTML.
+ */
+export function getReaderPassword(): string | null {
+  return readReaderEnv(["NARRARIUM_READER_PASSWORD"]) ?? null;
+}
+
+/**
+ * Returns a SHA-256 hex hash of the NARRARIUM_READER_PASSWORD env var,
+ * or null when the variable is not set. The hash is embedded in the built
+ * HTML and compared against the user's input at runtime via SubtleCrypto
+ * as a fast pre-filter before the more expensive PBKDF2 key derivation.
+ */
+export function getReaderPasswordHash(): string | null {
+  const raw = readReaderEnv(["NARRARIUM_READER_PASSWORD"]);
+  if (!raw) return null;
+  return createHash("sha256").update(raw).digest("hex");
+}

package/src/pages/chapters/[chapter].astro

@@ -4,6 +4,7 @@ import path from "node:path";
 import { listChapters, pathExists } from "narrarium";
 import AssetFigure from "../../components/AssetFigure.astro";
 import ChapterPager from "../../components/ChapterPager.astro";
+import EncryptedHtml from "../../components/EncryptedHtml.astro";
 import LinkedValue from "../../components/LinkedValue.astro";
 import MetadataSection from "../../components/MetadataSection.astro";
 import RelatedLinks from "../../components/RelatedLinks.astro";
@@ -89,8 +90,9 @@ const renderedParagraphs = await Promise.all(
         data-reader-marker-scope="chapter-intro"
         data-tts-root="chapter-intro"
         data-tts-label="Chapter opening"
-        set:html={chapterHtml}
-      />
+      >
+        <EncryptedHtml html={chapterHtml} />
+      </article>
     )}
 
     {chapterFigure && <AssetFigure figure={chapterFigure} className="scene-media focus-hidden" />}
@@ -156,7 +158,9 @@ const renderedParagraphs = await Promise.all(
                 </p>
               )}
 
-              <div class="prose" data-tts-root={paragraph.anchorId} data-tts-label={paragraph.metadata.title} set:html={paragraph.html} />
+              <div class="prose" data-tts-root={paragraph.anchorId} data-tts-label={paragraph.metadata.title}>
+                <EncryptedHtml html={paragraph.html} />
+              </div>
               {paragraph.figure && <AssetFigure figure={paragraph.figure} className="scene-media focus-hidden" />}
             </article>
           ))
@@ -214,7 +218,7 @@ const renderedParagraphs = await Promise.all(
   </aside>
 
   <div class="focus-hint" data-reader-focus-hint aria-hidden="true">
-    Move the mouse, tap, or press a key to show controls.
+    Double-tap or double-click to show controls, or press a key.
   </div>
 
   <script is:inline>
@@ -240,6 +244,8 @@ const renderedParagraphs = await Promise.all(
       let railPointerInside = false;
       let focusHintShownForSession = false;
       let refreshScheduled = false;
+      let lastTapTime = 0;
+      const doubleTapThresholdMs = 300;
 
       applyFocusMode(readStorage(focusModeKey) === "true", false, { allowFullscreenRequest: false });
       updateMarkerUi(readMarker());
@@ -247,8 +253,16 @@ const renderedParagraphs = await Promise.all(
 
       window.addEventListener("scroll", scheduleSceneRefresh, { passive: true });
       window.addEventListener("resize", scheduleSceneRefresh);
-      document.addEventListener("pointermove", handleFocusRailWake, { passive: true });
-      document.addEventListener("touchstart", handleFocusRailWake, { passive: true });
+      document.addEventListener("dblclick", handleFocusRailWake);
+      document.addEventListener("touchend", (event) => {
+        const now = Date.now();
+        if (now - lastTapTime < doubleTapThresholdMs) {
+          handleFocusRailWake();
+          lastTapTime = 0;
+        } else {
+          lastTapTime = now;
+        }
+      }, { passive: true });
       document.addEventListener("fullscreenchange", handleFullscreenChange);
 
       focusRail?.addEventListener("pointerenter", () => {

package/src/pages/characters/[slug].astro

@@ -2,6 +2,7 @@
 import path from "node:path";
 import { listEntities, pathExists } from "narrarium";
 import AssetFigure from "../../components/AssetFigure.astro";
+import EncryptedHtml from "../../components/EncryptedHtml.astro";
 import MetadataSection from "../../components/MetadataSection.astro";
 import RelatedLinks from "../../components/RelatedLinks.astro";
 import BaseLayout from "../../layouts/BaseLayout.astro";
@@ -53,7 +54,7 @@ const view = await buildCanonPageView("character", entity);
 
   {view.html && (
     <section class="section">
-      <article class="scene prose" set:html={view.html} />
+      <article class="scene prose"><EncryptedHtml html={view.html} /></article>
     </section>
   )}
 </BaseLayout>

package/src/pages/factions/[slug].astro

@@ -2,6 +2,7 @@
 import path from "node:path";
 import { listEntities, pathExists } from "narrarium";
 import AssetFigure from "../../components/AssetFigure.astro";
+import EncryptedHtml from "../../components/EncryptedHtml.astro";
 import MetadataSection from "../../components/MetadataSection.astro";
 import RelatedLinks from "../../components/RelatedLinks.astro";
 import BaseLayout from "../../layouts/BaseLayout.astro";
@@ -53,7 +54,7 @@ const view = await buildCanonPageView("faction", entity);
 
   {view.html && (
     <section class="section">
-      <article class="scene prose" set:html={view.html} />
+      <article class="scene prose"><EncryptedHtml html={view.html} /></article>
     </section>
   )}
 </BaseLayout>

package/src/pages/items/[slug].astro

@@ -2,6 +2,7 @@
 import path from "node:path";
 import { listEntities, pathExists } from "narrarium";
 import AssetFigure from "../../components/AssetFigure.astro";
+import EncryptedHtml from "../../components/EncryptedHtml.astro";
 import MetadataSection from "../../components/MetadataSection.astro";
 import RelatedLinks from "../../components/RelatedLinks.astro";
 import BaseLayout from "../../layouts/BaseLayout.astro";
@@ -53,7 +54,7 @@ const view = await buildCanonPageView("item", entity);
 
   {view.html && (
     <section class="section">
-      <article class="scene prose" set:html={view.html} />
+      <article class="scene prose"><EncryptedHtml html={view.html} /></article>
     </section>
   )}
 </BaseLayout>

package/src/pages/locations/[slug].astro

@@ -2,6 +2,7 @@
 import path from "node:path";
 import { listEntities, pathExists } from "narrarium";
 import AssetFigure from "../../components/AssetFigure.astro";
+import EncryptedHtml from "../../components/EncryptedHtml.astro";
 import MetadataSection from "../../components/MetadataSection.astro";
 import RelatedLinks from "../../components/RelatedLinks.astro";
 import BaseLayout from "../../layouts/BaseLayout.astro";
@@ -53,7 +54,7 @@ const view = await buildCanonPageView("location", entity);
 
   {view.html && (
     <section class="section">
-      <article class="scene prose" set:html={view.html} />
+      <article class="scene prose"><EncryptedHtml html={view.html} /></article>
     </section>
   )}
 </BaseLayout>

package/src/pages/secrets/[slug].astro

@@ -2,6 +2,7 @@
 import path from "node:path";
 import { listEntities, pathExists } from "narrarium";
 import AssetFigure from "../../components/AssetFigure.astro";
+import EncryptedHtml from "../../components/EncryptedHtml.astro";
 import MetadataSection from "../../components/MetadataSection.astro";
 import RelatedLinks from "../../components/RelatedLinks.astro";
 import BaseLayout from "../../layouts/BaseLayout.astro";
@@ -53,7 +54,7 @@ const view = await buildCanonPageView("secret", entity);
 
   {view.html && (
     <section class="section">
-      <article class="scene prose" set:html={view.html} />
+      <article class="scene prose"><EncryptedHtml html={view.html} /></article>
     </section>
   )}
 </BaseLayout>

package/src/pages/timeline/[slug].astro

@@ -2,6 +2,7 @@
 import path from "node:path";
 import { listEntities, pathExists } from "narrarium";
 import AssetFigure from "../../components/AssetFigure.astro";
+import EncryptedHtml from "../../components/EncryptedHtml.astro";
 import MetadataSection from "../../components/MetadataSection.astro";
 import RelatedLinks from "../../components/RelatedLinks.astro";
 import BaseLayout from "../../layouts/BaseLayout.astro";
@@ -53,7 +54,7 @@ const view = await buildCanonPageView("timeline-event", entity);
 
   {view.html && (
     <section class="section">
-      <article class="scene prose" set:html={view.html} />
+      <article class="scene prose"><EncryptedHtml html={view.html} /></article>
     </section>
   )}
 </BaseLayout>

package/src/styles/global.css

@@ -119,6 +119,7 @@ html[data-theme="dark"] .focus-rail__button.is-primary {
 
 body.is-focus-mode {
   background: var(--app-bg);
+  touch-action: manipulation;
 }
 
 body.is-focus-mode .masthead,
@@ -1464,3 +1465,98 @@ mark {
     gap: 0 1rem;
   }
 }
+
+/* ─── Password gate ──────────────────────────────────────────── */
+#reader-password-gate {
+  display: none;
+  position: fixed;
+  inset: 0;
+  z-index: 200;
+  background: var(--app-bg);
+  align-items: center;
+  justify-content: center;
+  flex-direction: column;
+  padding: 1.5rem;
+}
+
+body.reader-auth-locked {
+  overflow: hidden;
+}
+
+body.reader-auth-locked #reader-password-gate {
+  display: flex;
+}
+
+.reader-password-gate__inner {
+  width: min(380px, 100%);
+  text-align: center;
+}
+
+.reader-password-gate__title {
+  font-size: clamp(1.5rem, 3vw, 2rem);
+  margin: 0.5rem 0 0;
+  letter-spacing: -0.02em;
+}
+
+.reader-password-gate__desc {
+  margin: 0.75rem 0 0;
+  color: var(--text-muted);
+  font-size: 0.95rem;
+}
+
+.reader-password-gate__form {
+  display: flex;
+  flex-direction: column;
+  gap: 0.75rem;
+  margin-top: 1.75rem;
+}
+
+.reader-password-gate__input {
+  width: 100%;
+  padding: 0.7rem 1rem;
+  border: 1px solid var(--line);
+  border-radius: 10px;
+  background: var(--surface);
+  color: var(--text);
+  font: inherit;
+  font-size: 1rem;
+  text-align: center;
+  transition: border-color 120ms ease, box-shadow 120ms ease;
+}
+
+.reader-password-gate__input:focus {
+  outline: none;
+  border-color: var(--accent);
+  box-shadow: 0 0 0 3px var(--accent-soft);
+}
+
+.reader-password-gate__button {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  padding: 0.65rem 1.5rem;
+  border: 1px solid var(--accent);
+  border-radius: 100px;
+  background: var(--accent);
+  color: #fff;
+  font: inherit;
+  font-size: 0.95rem;
+  font-weight: 600;
+  cursor: pointer;
+  transition: background 120ms ease, border-color 120ms ease;
+}
+
+.reader-password-gate__button:hover {
+  background: color-mix(in srgb, var(--accent) 85%, #000);
+  border-color: color-mix(in srgb, var(--accent) 85%, #000);
+}
+
+.reader-password-gate__error {
+  margin: 0.75rem 0 0;
+  color: #c0392b;
+  font-size: 0.875rem;
+}
+
+html[data-theme="dark"] .reader-password-gate__error {
+  color: #e74c3c;
+}