nastech-app 1.0.0

package/sources/sync/sync.ts

@@ -0,0 +1,2555 @@
+import Constants from 'expo-constants';
+import { apiSocket, getCurrentAppState, getNasTechClientId } from '@/sync/apiSocket';
+import { notifyUnreadMessage } from '@/sync/webTabTitle';
+import { AuthCredentials } from '@/auth/tokenStorage';
+import { Encryption } from '@/sync/encryption/encryption';
+import { decodeBase64, encodeBase64 } from '@/encryption/base64';
+import { storage } from './storage';
+import { ApiEphemeralUpdateSchema, ApiMessage, ApiUpdateContainerSchema } from './apiTypes';
+import type { ApiEphemeralActivityUpdate } from './apiTypes';
+import { Session, Machine } from './storageTypes';
+import { InvalidateSync } from '@/utils/sync';
+import { ActivityUpdateAccumulator } from './reducer/activityUpdateAccumulator';
+import { randomUUID } from 'expo-crypto';
+import * as Notifications from 'expo-notifications';
+import { syncCurrentPushToken } from './pushRegistration';
+import { Platform, AppState, type AppStateStatus } from 'react-native';
+import { isRunningOnMac } from '@/utils/platform';
+import { NormalizedMessage, normalizeRawMessage, RawRecord } from './typesRaw';
+import { applySettings, Settings, settingsDefaults, settingsParse, settingsToSyncPayload, SUPPORTED_SCHEMA_VERSION } from './settings';
+import { Profile, profileParse } from './profile';
+import { loadPendingSettings, savePendingSettings } from './persistence';
+import {
+    initializeTracking,
+    trackGitHubConnected,
+    trackMessageSent,
+    tracking,
+    trackPaywallCancelled,
+    trackPaywallError,
+    trackPaywallPresented,
+    trackPaywallPurchased,
+    trackPaywallRestored,
+} from '@/track';
+import type { MessageSentSource } from '@/track';
+import { parseToken } from '@/utils/parseToken';
+import { RevenueCat, LogLevel, PaywallResult } from './revenueCat';
+import { getServerUrl } from './serverConfig';
+import { config } from '@/config';
+import { log } from '@/log';
+import { gitStatusSync } from './gitStatusSync';
+import { AsyncLock } from '@/utils/lock';
+import { voiceHooks } from '@/realtime/hooks/voiceHooks';
+import { Message } from './typesMessage';
+import { EncryptionCache } from './encryption/encryptionCache';
+import { systemPrompt } from './prompt/systemPrompt';
+import { fetchArtifact, fetchArtifacts, createArtifact, updateArtifact } from './apiArtifacts';
+import { DecryptedArtifact, Artifact, ArtifactCreateRequest, ArtifactUpdateRequest } from './artifactTypes';
+import { ArtifactEncryption } from './encryption/artifactEncryption';
+import { getFriendsList, getUserProfile } from './apiFriends';
+import { fetchFeed } from './apiFeed';
+import { FeedItem } from './feedTypes';
+import { UserProfile } from './friendTypes';
+import { resolveMessageModeMeta } from './messageMeta';
+import type { AttachmentPreview, UploadedAttachment } from './attachmentTypes';
+import { requestAttachmentUpload, uploadEncryptedBlob } from './apiAttachments';
+import { encryptBlob } from '@/encryption/blob';
+import { readFileBytes } from '@/utils/readFileBytes';
+import { Modal } from '@/modal';
+import { t } from '@/text';
+
+type V3GetSessionMessagesResponse = {
+    messages: ApiMessage[];
+    hasMore: boolean;
+};
+
+// Sentinel used as `before_seq` for the very first backward fetch of a
+// session. It must exceed any real `seq` value the server can produce.
+// `seq` is stored as Postgres int4 on the server, so the maximum is
+// 2_147_483_647. We use that exact upper bound to keep the request safely
+// within int4 while still being effectively "infinite" for any session.
+const SEQ_BACKWARD_INITIAL_SENTINEL = 2_147_483_647;
+
+type V3PostSessionMessagesResponse = {
+    messages: Array<{
+        id: string;
+        seq: number;
+        localId: string | null;
+        createdAt: number;
+        updatedAt: number;
+    }>;
+};
+
+type OutboxMessage = {
+    localId: string;
+    content: string;
+};
+
+type SendMessageOptions = {
+    displayText?: string;
+    source?: MessageSentSource;
+    /** Optional image attachments to send before the text message. */
+    attachments?: AttachmentPreview[];
+};
+
+class Sync {
+    private static readonly BACKGROUND_SEND_TIMEOUT_MS = 30_000;
+    encryption!: Encryption;
+    serverID!: string;
+    anonID!: string;
+    private credentials!: AuthCredentials;
+    public encryptionCache = new EncryptionCache();
+    private sessionsSync: InvalidateSync;
+    private messagesSync = new Map<string, InvalidateSync>();
+    private sendSync = new Map<string, InvalidateSync>();
+    private sendAbortControllers = new Map<string, AbortController>();
+    private sessionLastSeq = new Map<string, number>();
+    // Lowest seq value we have already fetched and applied for a session.
+    // Used as the cursor for backward pagination when the user scrolls up to
+    // load older history. Set after the initial latest-page fetch and
+    // advanced downward by loadOlderMessages.
+    private sessionOldestSeq = new Map<string, number>();
+    private pendingOutbox = new Map<string, OutboxMessage[]>();
+    private sessionMessageQueue = new Map<string, NormalizedMessage[]>();
+    private sessionQueueProcessing = new Set<string>();
+    private sessionMessageLocks = new Map<string, AsyncLock>();
+    private sessionDataKeys = new Map<string, Uint8Array>(); // Store session data encryption keys internally
+    private machineDataKeys = new Map<string, Uint8Array>(); // Store machine data encryption keys internally
+    private artifactDataKeys = new Map<string, Uint8Array>(); // Store artifact data encryption keys internally
+    private settingsSync: InvalidateSync;
+    private profileSync: InvalidateSync;
+    private purchasesSync: InvalidateSync;
+    private machinesSync: InvalidateSync;
+    private pushTokenSync: InvalidateSync;
+    private nativeUpdateSync: InvalidateSync;
+    private artifactsSync: InvalidateSync;
+    private friendsSync: InvalidateSync;
+    private friendRequestsSync: InvalidateSync;
+    private feedSync: InvalidateSync;
+    private activityAccumulator: ActivityUpdateAccumulator;
+    private pendingSettings: Partial<Settings> = loadPendingSettings();
+    private appState: AppStateStatus = AppState.currentState;
+    private backgroundSendTimeout: ReturnType<typeof setTimeout> | null = null;
+    private backgroundSendNotificationId: string | null = null;
+    private backgroundSendStartedAt: number | null = null;
+    revenueCatInitialized = false;
+
+    // Generic locking mechanism
+    private recalculationLockCount = 0;
+    private lastRecalculationTime = 0;
+
+    constructor() {
+        this.sessionsSync = new InvalidateSync(this.fetchSessions);
+        this.settingsSync = new InvalidateSync(this.syncSettings);
+        this.profileSync = new InvalidateSync(this.fetchProfile);
+        this.purchasesSync = new InvalidateSync(this.syncPurchases);
+        this.machinesSync = new InvalidateSync(this.fetchMachines);
+        this.nativeUpdateSync = new InvalidateSync(this.fetchNativeUpdate);
+        this.artifactsSync = new InvalidateSync(this.fetchArtifactsList);
+        this.friendsSync = new InvalidateSync(this.fetchFriends);
+        this.friendRequestsSync = new InvalidateSync(this.fetchFriendRequests);
+        this.feedSync = new InvalidateSync(this.fetchFeed);
+
+        const registerPushToken = async () => {
+            await this.registerPushToken();
+        }
+        this.pushTokenSync = new InvalidateSync(registerPushToken);
+        this.activityAccumulator = new ActivityUpdateAccumulator(this.flushActivityUpdates.bind(this), 2000);
+
+        // Listen for app state changes to refresh purchases
+        AppState.addEventListener('change', (nextAppState) => {
+            this.appState = nextAppState;
+
+            // Notify server of focus state for push notification routing.
+            // Mobile: AppState.currentState reflects fg/bg directly.
+            // Web/desktop: visibilitychange/focus listeners below drive this same path
+            // by updating this.appState too — re-derive via getCurrentAppState() so
+            // the wire value matches what the server uses for suppression.
+            apiSocket.sendAppState(getCurrentAppState());
+
+            if (nextAppState === 'active') {
+                const shouldFailAfterResume = this.backgroundSendStartedAt !== null
+                    && this.hasPendingOutboxMessages()
+                    && (Date.now() - this.backgroundSendStartedAt) >= Sync.BACKGROUND_SEND_TIMEOUT_MS;
+                void this.cancelBackgroundSendTimeoutNotification();
+                this.clearBackgroundSendWatchdog();
+                if (shouldFailAfterResume) {
+                    void this.notifyMessageSendFailed();
+                    this.failPendingOutboxMessages('Message failed to send in background after 30s. Please retry.');
+                }
+                log.log('📱 App became active');
+                this.purchasesSync.invalidate();
+                this.profileSync.invalidate();
+                this.machinesSync.invalidate();
+                this.pushTokenSync.invalidate();
+                this.sessionsSync.invalidate();
+                this.nativeUpdateSync.invalidate();
+                log.log('📱 App became active: Invalidating artifacts sync');
+                this.artifactsSync.invalidate();
+                this.friendsSync.invalidate();
+                this.friendRequestsSync.invalidate();
+                this.feedSync.invalidate();
+            } else {
+                log.log(`📱 App state changed to: ${nextAppState}`);
+                this.maybeStartBackgroundSendWatchdog();
+            }
+        });
+
+        // Web/desktop: AppState alone doesn't capture tab focus/visibility.
+        // Notify server when the tab becomes hidden, regains visibility,
+        // or window focus changes — so push routing can suppress only when
+        // the user is actually looking at this client.
+        if (Platform.OS === 'web' && typeof document !== 'undefined') {
+            const broadcast = () => {
+                apiSocket.sendAppState(getCurrentAppState());
+            };
+            document.addEventListener('visibilitychange', broadcast);
+            window.addEventListener('focus', broadcast);
+            window.addEventListener('blur', broadcast);
+        }
+    }
+
+    async create(credentials: AuthCredentials, encryption: Encryption) {
+        this.credentials = credentials;
+        this.encryption = encryption;
+        this.anonID = encryption.anonID;
+        this.serverID = credentials.token ? parseToken(credentials.token) : 'local';
+        await this.#init();
+
+        // Await settings sync to have fresh settings
+        await this.settingsSync.awaitQueue();
+
+        // Await profile sync to have fresh profile
+        await this.profileSync.awaitQueue();
+
+        // Await purchases sync to have fresh purchases
+        await this.purchasesSync.awaitQueue();
+    }
+
+    async restore(credentials: AuthCredentials, encryption: Encryption) {
+        // NOTE: No awaiting anything here, we're restoring from a disk (ie app restarted)
+        // Purchases sync is invalidated in #init() and will complete asynchronously
+        this.credentials = credentials;
+        this.encryption = encryption;
+        this.anonID = encryption.anonID;
+        this.serverID = credentials.token ? parseToken(credentials.token) : 'local';
+        await this.#init();
+    }
+
+    async #init() {
+
+        // Subscribe to updates
+        this.subscribeToUpdates();
+
+        // Sync initial PostHog opt-out state with stored settings
+        if (tracking) {
+            const currentSettings = storage.getState().settings;
+            if (currentSettings.analyticsOptOut) {
+                tracking.optOut();
+            } else {
+                tracking.optIn();
+            }
+        }
+
+        // Invalidate sync
+        log.log('🔄 #init: Invalidating all syncs');
+        this.sessionsSync.invalidate();
+        this.settingsSync.invalidate();
+        this.profileSync.invalidate();
+        this.purchasesSync.invalidate();
+        this.machinesSync.invalidate();
+        this.pushTokenSync.invalidate();
+        this.nativeUpdateSync.invalidate();
+        this.friendsSync.invalidate();
+        this.friendRequestsSync.invalidate();
+        this.artifactsSync.invalidate();
+        this.feedSync.invalidate();
+        log.log('🔄 #init: All syncs invalidated, including artifacts');
+
+        // Mark UI ready as soon as sessions load. Machines sync may hang
+        // when encryption keys are unavailable (e.g. V1 auth fallback) —
+        // let it resolve in the background instead of blocking the UI.
+        this.sessionsSync.awaitQueue().then(() => {
+            storage.getState().applyReady();
+        }).catch((error) => {
+            console.error('Failed to load sessions:', error);
+            // Still mark ready so the UI doesn't stay on a blank screen forever
+            storage.getState().applyReady();
+        });
+    }
+
+
+    onSessionVisible = (sessionId: string) => {
+        this.getMessagesSync(sessionId).invalidate();
+
+        // Also invalidate git status sync for this session
+        gitStatusSync.getSync(sessionId).invalidate();
+
+        // Notify voice assistant about session visibility
+        const session = storage.getState().sessions[sessionId];
+        if (session) {
+            voiceHooks.onSessionFocus(sessionId, session.metadata || undefined);
+        }
+    }
+
+    private getMessagesSync(sessionId: string): InvalidateSync {
+        let sync = this.messagesSync.get(sessionId);
+        if (!sync) {
+            sync = new InvalidateSync(() => this.fetchMessages(sessionId));
+            this.messagesSync.set(sessionId, sync);
+        }
+        return sync;
+    }
+
+    private getSendSync(sessionId: string): InvalidateSync {
+        let sync = this.sendSync.get(sessionId);
+        if (!sync) {
+            sync = new InvalidateSync(() => this.flushOutbox(sessionId));
+            this.sendSync.set(sessionId, sync);
+        }
+        return sync;
+    }
+
+    private enqueueMessages(sessionId: string, messages: NormalizedMessage[]) {
+        if (messages.length === 0) {
+            return;
+        }
+
+        let queue = this.sessionMessageQueue.get(sessionId);
+        if (!queue) {
+            queue = [];
+            this.sessionMessageQueue.set(sessionId, queue);
+        }
+        queue.push(...messages);
+
+        this.scheduleQueuedMessagesProcessing(sessionId);
+    }
+
+    private getSessionMessageLock(sessionId: string): AsyncLock {
+        let lock = this.sessionMessageLocks.get(sessionId);
+        if (!lock) {
+            lock = new AsyncLock();
+            this.sessionMessageLocks.set(sessionId, lock);
+        }
+        return lock;
+    }
+
+    private scheduleQueuedMessagesProcessing(sessionId: string) {
+        if (this.sessionQueueProcessing.has(sessionId)) {
+            return;
+        }
+
+        this.sessionQueueProcessing.add(sessionId);
+        const lock = this.getSessionMessageLock(sessionId);
+        void lock.inLock(() => {
+            while (true) {
+                const pending = this.sessionMessageQueue.get(sessionId);
+                if (!pending || pending.length === 0) {
+                    break;
+                }
+                const batch = pending.splice(0, pending.length);
+                this.applyMessages(sessionId, batch);
+            }
+        }).finally(() => {
+            this.sessionQueueProcessing.delete(sessionId);
+            const pending = this.sessionMessageQueue.get(sessionId);
+            if (pending && pending.length > 0) {
+                this.scheduleQueuedMessagesProcessing(sessionId);
+            }
+        });
+    }
+
+    private hasPendingOutboxMessages() {
+        if (this.sendAbortControllers.size > 0) {
+            return true;
+        }
+        for (const messages of this.pendingOutbox.values()) {
+            if (messages.length > 0) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private maybeStartBackgroundSendWatchdog() {
+        if (Platform.OS === 'web' || this.appState === 'active') {
+            return;
+        }
+        if (!this.hasPendingOutboxMessages() || this.backgroundSendTimeout) {
+            return;
+        }
+
+        log.log('📨 Pending messages detected in background. Starting 30s send watchdog.');
+        this.backgroundSendStartedAt = Date.now();
+        this.backgroundSendTimeout = setTimeout(() => {
+            this.backgroundSendTimeout = null;
+            void this.handleBackgroundSendTimeout();
+        }, Sync.BACKGROUND_SEND_TIMEOUT_MS);
+        void this.scheduleBackgroundSendTimeoutNotification();
+    }
+
+    private clearBackgroundSendWatchdog() {
+        if (this.backgroundSendTimeout) {
+            clearTimeout(this.backgroundSendTimeout);
+            this.backgroundSendTimeout = null;
+        }
+        this.backgroundSendStartedAt = null;
+    }
+
+    private async scheduleBackgroundSendTimeoutNotification() {
+        if (Platform.OS === 'web' || this.backgroundSendNotificationId) {
+            return;
+        }
+        try {
+            this.backgroundSendNotificationId = await Notifications.scheduleNotificationAsync({
+                content: {
+                    title: 'Message not sent',
+                    body: 'A message is still sending in the background. It will fail in 30 seconds if not delivered.',
+                    sound: true
+                },
+                trigger: {
+                    type: Notifications.SchedulableTriggerInputTypes.TIME_INTERVAL,
+                    seconds: Math.ceil(Sync.BACKGROUND_SEND_TIMEOUT_MS / 1000)
+                }
+            });
+        } catch (error) {
+            log.log(`Failed to schedule background send timeout notification: ${error}`);
+        }
+    }
+
+    private async cancelBackgroundSendTimeoutNotification() {
+        if (!this.backgroundSendNotificationId) {
+            return;
+        }
+        try {
+            await Notifications.cancelScheduledNotificationAsync(this.backgroundSendNotificationId);
+        } catch (error) {
+            log.log(`Failed to cancel background send timeout notification: ${error}`);
+        } finally {
+            this.backgroundSendNotificationId = null;
+        }
+    }
+
+    private async notifyMessageSendFailed() {
+        if (Platform.OS === 'web') {
+            return;
+        }
+        try {
+            await Notifications.scheduleNotificationAsync({
+                content: {
+                    title: 'Message failed',
+                    body: 'A message failed to send while the app was in background. Open NasTech and retry.',
+                    sound: true
+                },
+                trigger: null
+            });
+        } catch (error) {
+            log.log(`Failed to schedule message failure notification: ${error}`);
+        }
+    }
+
+    private failPendingOutboxMessages(reasonText: string) {
+        for (const controller of this.sendAbortControllers.values()) {
+            controller.abort();
+        }
+        this.sendAbortControllers.clear();
+
+        const now = Date.now();
+        const sessionIds: string[] = [];
+        for (const [sessionId, pending] of this.pendingOutbox) {
+            if (pending.length === 0) {
+                continue;
+            }
+            pending.length = 0;
+            this.pendingOutbox.delete(sessionId);
+            sessionIds.push(sessionId);
+        }
+
+        for (const sessionId of sessionIds) {
+            this.enqueueMessages(sessionId, [{
+                id: randomUUID(),
+                localId: null,
+                createdAt: now,
+                role: 'event',
+                isSidechain: false,
+                content: {
+                    type: 'message',
+                    message: reasonText
+                }
+            }]);
+        }
+    }
+
+    private async handleBackgroundSendTimeout() {
+        if (!this.hasPendingOutboxMessages()) {
+            await this.cancelBackgroundSendTimeoutNotification();
+            this.backgroundSendStartedAt = null;
+            return;
+        }
+
+        await this.cancelBackgroundSendTimeoutNotification();
+        await this.notifyMessageSendFailed();
+        this.failPendingOutboxMessages('Message failed to send in background after 30s. Please retry.');
+        this.backgroundSendStartedAt = null;
+    }
+
+    /**
+     * Upload image attachments for a session: read bytes → encrypt → upload to server.
+     * Returns UploadedAttachment records to embed as file events before the text message.
+     * Failures are logged and skipped rather than aborting the whole message send.
+     */
+    private async uploadAttachmentsForSession(
+        sessionId: string,
+        attachments: AttachmentPreview[],
+    ): Promise<{ uploaded: UploadedAttachment[]; failed: number }> {
+        if (!this.credentials) return { uploaded: [], failed: attachments.length };
+
+        const blobKey = this.encryption.getSessionBlobKey(sessionId);
+        if (!blobKey) {
+            console.error(`[attachments] No blob key for session ${sessionId}`);
+            return { uploaded: [], failed: attachments.length };
+        }
+
+        const uploaded: UploadedAttachment[] = [];
+        let failed = 0;
+
+        for (const attachment of attachments) {
+            try {
+                const bytes = await readFileBytes(attachment.uri);
+                const encrypted = encryptBlob(bytes, blobKey);
+
+                const upload = await requestAttachmentUpload(
+                    this.credentials,
+                    sessionId,
+                    attachment.name,
+                    encrypted.length,
+                );
+
+                await uploadEncryptedBlob(upload, encrypted, this.credentials);
+                const { ref } = upload;
+
+                uploaded.push({
+                    ref,
+                    name: attachment.name,
+                    size: attachment.size,
+                    width: attachment.width,
+                    height: attachment.height,
+                    thumbhash: attachment.thumbhash,
+                });
+            } catch (err) {
+                console.error(`[attachments] Failed to upload ${attachment.name}:`, err);
+                failed++;
+                // Skip this attachment; do not abort the whole message send.
+            }
+        }
+
+        return { uploaded, failed };
+    }
+
+    async sendMessage(sessionId: string, text: string, options?: SendMessageOptions) {
+
+        // Get encryption — may not be ready yet if sessions are still syncing
+        let encryption = this.encryption.getSessionEncryption(sessionId);
+        if (!encryption) {
+            // Wait for sessions sync to complete (initializes encryption keys)
+            await this.sessionsSync.awaitQueue();
+            encryption = this.encryption.getSessionEncryption(sessionId);
+            if (!encryption) {
+                console.error(`Session ${sessionId} not found after sync`);
+                return;
+            }
+        }
+
+        // Get session data from storage
+        let session = storage.getState().sessions[sessionId];
+        if (!session) {
+            await this.sessionsSync.awaitQueue();
+            session = storage.getState().sessions[sessionId];
+            if (!session) {
+                console.error(`Session ${sessionId} not found in storage after sync`);
+                return;
+            }
+        }
+
+        const modeMeta = resolveMessageModeMeta(session, storage.getState().settings);
+        const { displayText, source = 'chat', attachments } = options ?? {};
+
+        // Image attachments are wired into the Claude pipeline only; Codex /
+        // Gemini / OpenClaw runners read message.content.text and ignore
+        // file events, so dropping attachments silently would leave the user
+        // wondering why the image was skipped. Warn and send text only.
+        const flavor = session.metadata?.flavor;
+        const supportsAttachments = !flavor || flavor === 'claude';
+        const effectiveAttachments = supportsAttachments ? attachments : undefined;
+
+        if (attachments && attachments.length > 0 && !supportsAttachments) {
+            Modal.alert(
+                t('imageUpload.notSupportedTitle'),
+                t('imageUpload.notSupportedMessage'),
+                [{ text: t('common.ok'), style: 'cancel' }],
+            );
+        }
+
+        // Upload attachments and queue file events before the text message.
+        if (effectiveAttachments && effectiveAttachments.length > 0) {
+            const { uploaded, failed } = await this.uploadAttachmentsForSession(sessionId, effectiveAttachments);
+
+            if (failed > 0) {
+                Modal.alert(
+                    t('imageUpload.uploadFailedTitle'),
+                    t('imageUpload.uploadFailedMessage', { count: failed }),
+                    [{ text: t('common.ok'), style: 'cancel' }],
+                );
+            }
+
+            if (uploaded.length > 0) {
+                let pending = this.pendingOutbox.get(sessionId);
+                if (!pending) {
+                    pending = [];
+                    this.pendingOutbox.set(sessionId, pending);
+                }
+
+                for (const att of uploaded) {
+                    const fileRecord: RawRecord = {
+                        role: 'session',
+                        content: {
+                            type: 'session',
+                            data: {
+                                id: randomUUID(),
+                                time: Date.now(),
+                                role: 'user',
+                                ev: {
+                                    t: 'file',
+                                    ref: att.ref,
+                                    name: att.name,
+                                    size: att.size,
+                                    // Include image metadata when we have dimensions; thumbhash is
+                                    // optional. The native iOS picker can't generate a thumbhash
+                                    // without Canvas, so requiring it here would reduce the chat
+                                    // bubble to a compact filename row instead of an inline picture.
+                                    // FileView only needs w/h to size the inline render — placeholder
+                                    // is absent, but the real image is decrypted on mount.
+                                    ...(att.width > 0 && att.height > 0
+                                        ? {
+                                            image: {
+                                                width: att.width,
+                                                height: att.height,
+                                                ...(att.thumbhash ? { thumbhash: att.thumbhash } : {}),
+                                            },
+                                        }
+                                        : {}),
+                                },
+                            },
+                        },
+                    };
+                    const encryptedFileRecord = await encryption.encryptRawRecord(fileRecord);
+                    const fileLocalId = randomUUID();
+                    const fileNormalized = normalizeRawMessage(fileLocalId, fileLocalId, Date.now(), fileRecord);
+                    if (fileNormalized) {
+                        this.enqueueMessages(sessionId, [fileNormalized]);
+                    }
+                    pending.push({ localId: fileLocalId, content: encryptedFileRecord });
+                }
+            }
+        }
+
+        // Generate local ID
+        const localId = randomUUID();
+
+        // Determine sentFrom based on platform
+        let sentFrom: string;
+        if (Platform.OS === 'web') {
+            sentFrom = 'web';
+        } else if (Platform.OS === 'android') {
+            sentFrom = 'android';
+        } else if (Platform.OS === 'ios') {
+            // Check if running on Mac (Catalyst or Designed for iPad on Mac)
+            if (isRunningOnMac()) {
+                sentFrom = 'mac';
+            } else {
+                sentFrom = 'ios';
+            }
+        } else {
+            sentFrom = 'web'; // fallback
+        }
+
+        // Create user message content with metadata
+        const content: RawRecord = {
+            role: 'user',
+            content: {
+                type: 'text',
+                text
+            },
+            meta: {
+                sentFrom,
+                appendSystemPrompt: systemPrompt,
+                ...(modeMeta.permissionMode !== undefined ? { permissionMode: modeMeta.permissionMode } : {}),
+                ...(modeMeta.model !== undefined ? { model: modeMeta.model } : {}),
+                ...(modeMeta.effort !== undefined ? { effort: modeMeta.effort } : {}),
+                ...(displayText && { displayText }) // Add displayText if provided
+            }
+        };
+        const encryptedRawRecord = await encryption.encryptRawRecord(content);
+
+        // Add to messages - normalize the raw record
+        const createdAt = Date.now();
+        const normalizedMessage = normalizeRawMessage(localId, localId, createdAt, content);
+        if (normalizedMessage) {
+            this.enqueueMessages(sessionId, [normalizedMessage]);
+        }
+
+        let pending = this.pendingOutbox.get(sessionId);
+        if (!pending) {
+            pending = [];
+            this.pendingOutbox.set(sessionId, pending);
+        }
+        pending.push({
+            localId,
+            content: encryptedRawRecord
+        });
+        trackMessageSent(source, session.metadata);
+
+        this.getSendSync(sessionId).invalidate();
+        this.maybeStartBackgroundSendWatchdog();
+    }
+
+    /** Server sent us settings — merge any pending local changes on top, then apply as one update. */
+    private applyServerSettings = (serverSettings: Settings, version: number) => {
+        const merged = Object.keys(this.pendingSettings).length > 0
+            ? applySettings(serverSettings, this.pendingSettings)
+            : serverSettings;
+        storage.getState().applySettings(merged, version);
+    }
+
+    applySettings = (delta: Partial<Settings>) => {
+        storage.getState().applySettingsLocal(delta);
+
+        // Save pending settings
+        this.pendingSettings = { ...this.pendingSettings, ...delta };
+        savePendingSettings(this.pendingSettings);
+
+        // Sync PostHog opt-out state if it was changed
+        if (tracking && 'analyticsOptOut' in delta) {
+            const currentSettings = storage.getState().settings;
+            if (currentSettings.analyticsOptOut) {
+                tracking.optOut();
+            } else {
+                tracking.optIn();
+            }
+        }
+
+        // Invalidate settings sync
+        this.settingsSync.invalidate();
+    }
+
+    refreshPurchases = () => {
+        this.purchasesSync.invalidate();
+    }
+
+    refreshProfile = async () => {
+        await this.profileSync.invalidateAndAwait();
+    }
+
+    purchaseProduct = async (productId: string): Promise<{ success: boolean; error?: string }> => {
+        try {
+            // Check if RevenueCat is initialized
+            if (!this.revenueCatInitialized) {
+                return { success: false, error: 'RevenueCat not initialized' };
+            }
+
+            // Fetch the product
+            const products = await RevenueCat.getProducts([productId]);
+            if (products.length === 0) {
+                return { success: false, error: `Product '${productId}' not found` };
+            }
+
+            // Purchase the product
+            const product = products[0];
+            const { customerInfo } = await RevenueCat.purchaseStoreProduct(product);
+
+            // Update local purchases data
+            storage.getState().applyPurchases(customerInfo);
+
+            return { success: true };
+        } catch (error: any) {
+            // Check if user cancelled
+            if (error.userCancelled) {
+                return { success: false, error: 'Purchase cancelled' };
+            }
+
+            // Return the error message
+            return { success: false, error: error.message || 'Purchase failed' };
+        }
+    }
+
+    getOfferings = async (): Promise<{ success: boolean; offerings?: any; error?: string }> => {
+        try {
+            // Check if RevenueCat is initialized
+            if (!this.revenueCatInitialized) {
+                return { success: false, error: 'RevenueCat not initialized' };
+            }
+
+            // Fetch offerings
+            const offerings = await RevenueCat.getOfferings();
+
+            // Return the offerings data
+            return {
+                success: true,
+                offerings: {
+                    current: offerings.current,
+                    all: offerings.all
+                }
+            };
+        } catch (error: any) {
+            return { success: false, error: error.message || 'Failed to fetch offerings' };
+        }
+    }
+
+    presentPaywall = async (flow?: string): Promise<{ success: boolean; purchased?: boolean; error?: string }> => {
+        try {
+            // Check if RevenueCat is initialized
+            if (!this.revenueCatInitialized) {
+                const error = 'RevenueCat not initialized';
+                trackPaywallError(error, flow);
+                return { success: false, error };
+            }
+
+            // Track paywall presentation
+            trackPaywallPresented(flow);
+
+            // Present the paywall (with flow custom variable if specified)
+            const result = await RevenueCat.presentPaywall(
+                flow ? { customVariables: { flow } } : undefined
+            );
+
+            // Handle the result
+            switch (result) {
+                case PaywallResult.PURCHASED:
+                    trackPaywallPurchased(flow);
+                    // Refresh customer info after purchase
+                    await this.syncPurchases();
+                    return { success: true, purchased: true };
+                case PaywallResult.RESTORED:
+                    trackPaywallRestored(flow);
+                    // Refresh customer info after restore
+                    await this.syncPurchases();
+                    return { success: true, purchased: true };
+                case PaywallResult.CANCELLED:
+                    trackPaywallCancelled(flow);
+                    return { success: true, purchased: false };
+                case PaywallResult.NOT_PRESENTED:
+                    trackPaywallError('Paywall not presented', flow);
+                    return { success: false, error: 'Paywall not available on this platform' };
+                case PaywallResult.ERROR:
+                default:
+                    const errorMsg = 'Failed to present paywall';
+                    trackPaywallError(errorMsg, flow);
+                    return { success: false, error: errorMsg };
+            }
+        } catch (error: any) {
+            const errorMessage = error.message || 'Failed to present paywall';
+            trackPaywallError(errorMessage, flow);
+            return { success: false, error: errorMessage };
+        }
+    }
+
+    async assumeUsers(userIds: string[]): Promise<void> {
+        if (!this.credentials || userIds.length === 0) return;
+        
+        const state = storage.getState();
+        // Filter out users we already have in cache (including null for 404s)
+        const missingIds = userIds.filter(id => !(id in state.users));
+        
+        if (missingIds.length === 0) return;
+        
+        log.log(`👤 Fetching ${missingIds.length} missing users...`);
+        
+        // Fetch missing users in parallel
+        const results = await Promise.all(
+            missingIds.map(async (id) => {
+                try {
+                    const profile = await getUserProfile(this.credentials!, id);
+                    return { id, profile };  // profile is null if 404
+                } catch (error) {
+                    console.error(`Failed to fetch user ${id}:`, error);
+                    return { id, profile: null };  // Treat errors as 404
+                }
+            })
+        );
+        
+        // Convert to Record<string, UserProfile | null>
+        const usersMap: Record<string, UserProfile | null> = {};
+        results.forEach(({ id, profile }) => {
+            usersMap[id] = profile;
+        });
+        
+        storage.getState().applyUsers(usersMap);
+        log.log(`👤 Applied ${results.length} users to cache (${results.filter(r => r.profile).length} found, ${results.filter(r => !r.profile).length} not found)`);
+    }
+
+    //
+    // Private
+    //
+
+    private fetchSessions = async () => {
+        const API_ENDPOINT = getServerUrl();
+        const response = await fetch(`${API_ENDPOINT}/api/sessions`, {
+            headers: { 'Content-Type': 'application/json' }
+        });
+
+        if (!response.ok) {
+            throw new Error(`Failed to fetch sessions: ${response.status}`);
+        }
+
+        const data = await response.json();
+        const nasSessions = data.sessions as Array<{
+            id: string;
+            title?: string;
+            started_at?: number;
+            last_active?: number;
+            ended_at?: number | null;
+            is_active?: boolean;
+            model?: string;
+            preview?: string;
+        }>;
+
+        // Initialize null encryption for all sessions (NasTech has no per-session keys)
+        const sessionKeys = new Map<string, Uint8Array | null>();
+        for (const s of nasSessions) {
+            sessionKeys.set(s.id, null);
+        }
+        await this.encryption.initializeSessions(sessionKeys);
+
+        const now = Date.now();
+        const decryptedSessions: (Omit<Session, 'presence'> & { presence?: "online" | number })[] = nasSessions.map(s => ({
+            id: s.id,
+            tag: '',
+            seq: 0,
+            thinking: false,
+            thinkingAt: 0,
+            active: s.is_active ?? false,
+            activeAt: s.last_active ? s.last_active * 1000 : now,
+            createdAt: s.started_at ? s.started_at * 1000 : now,
+            updatedAt: s.last_active ? s.last_active * 1000 : now,
+            metadata: {
+                path: '/',
+                host: 'localhost',
+                name: s.title ?? '',
+                version: '1.0',
+                summary: s.preview ? { text: s.preview, updatedAt: now } : undefined,
+            },
+            agentState: null,
+            lastMessage: null,
+            dataEncryptionKey: null,
+            metadataVersion: 0,
+            agentStateVersion: 0,
+        }));
+
+        this.applySessions(decryptedSessions);
+        log.log(`📥 fetchSessions completed - processed ${decryptedSessions.length} sessions`);
+    }
+
+    public refreshMachines = async () => {
+        return this.fetchMachines();
+    }
+
+    public refreshSessions = async () => {
+        return this.sessionsSync.invalidateAndAwait();
+    }
+
+    public getCredentials() {
+        return this.credentials;
+    }
+
+    // Artifact methods
+    public fetchArtifactsList = async (): Promise<void> => {
+        log.log('📦 fetchArtifactsList: Starting artifact sync');
+        if (!this.credentials) {
+            log.log('📦 fetchArtifactsList: No credentials, skipping');
+            return;
+        }
+
+        try {
+            log.log('📦 fetchArtifactsList: Fetching artifacts from server');
+            const artifacts = await fetchArtifacts(this.credentials);
+            log.log(`📦 fetchArtifactsList: Received ${artifacts.length} artifacts from server`);
+            const decryptedArtifacts: DecryptedArtifact[] = [];
+
+            for (const artifact of artifacts) {
+                try {
+                    // Decrypt the data encryption key
+                    const decryptedKey = await this.encryption.decryptEncryptionKey(artifact.dataEncryptionKey);
+                    if (!decryptedKey) {
+                        console.error(`Failed to decrypt key for artifact ${artifact.id}`);
+                        continue;
+                    }
+
+                    // Store the decrypted key in memory
+                    this.artifactDataKeys.set(artifact.id, decryptedKey);
+
+                    // Create artifact encryption instance
+                    const artifactEncryption = new ArtifactEncryption(decryptedKey);
+
+                    // Decrypt header
+                    const header = await artifactEncryption.decryptHeader(artifact.header);
+                    
+                    decryptedArtifacts.push({
+                        id: artifact.id,
+                        title: header?.title || null,
+                        sessions: header?.sessions,  // Include sessions from header
+                        draft: header?.draft,        // Include draft flag from header
+                        body: undefined, // Body not loaded in list
+                        headerVersion: artifact.headerVersion,
+                        bodyVersion: artifact.bodyVersion,
+                        seq: artifact.seq,
+                        createdAt: artifact.createdAt,
+                        updatedAt: artifact.updatedAt,
+                        isDecrypted: !!header,
+                    });
+                } catch (err) {
+                    console.error(`Failed to decrypt artifact ${artifact.id}:`, err);
+                    // Add with decryption failed flag
+                    decryptedArtifacts.push({
+                        id: artifact.id,
+                        title: null,
+                        body: undefined,
+                        headerVersion: artifact.headerVersion,
+                        seq: artifact.seq,
+                        createdAt: artifact.createdAt,
+                        updatedAt: artifact.updatedAt,
+                        isDecrypted: false,
+                    });
+                }
+            }
+
+            log.log(`📦 fetchArtifactsList: Successfully decrypted ${decryptedArtifacts.length} artifacts`);
+            storage.getState().applyArtifacts(decryptedArtifacts);
+            log.log('📦 fetchArtifactsList: Artifacts applied to storage');
+        } catch (error) {
+            log.log(`📦 fetchArtifactsList: Error fetching artifacts: ${error}`);
+            console.error('Failed to fetch artifacts:', error);
+            throw error;
+        }
+    }
+
+    public async fetchArtifactWithBody(artifactId: string): Promise<DecryptedArtifact | null> {
+        if (!this.credentials) return null;
+
+        try {
+            const artifact = await fetchArtifact(this.credentials, artifactId);
+
+            // Decrypt the data encryption key
+            const decryptedKey = await this.encryption.decryptEncryptionKey(artifact.dataEncryptionKey);
+            if (!decryptedKey) {
+                console.error(`Failed to decrypt key for artifact ${artifactId}`);
+                return null;
+            }
+
+            // Store the decrypted key in memory
+            this.artifactDataKeys.set(artifact.id, decryptedKey);
+
+            // Create artifact encryption instance
+            const artifactEncryption = new ArtifactEncryption(decryptedKey);
+
+            // Decrypt header and body
+            const header = await artifactEncryption.decryptHeader(artifact.header);
+            const body = artifact.body ? await artifactEncryption.decryptBody(artifact.body) : null;
+
+            return {
+                id: artifact.id,
+                title: header?.title || null,
+                sessions: header?.sessions,  // Include sessions from header
+                draft: header?.draft,        // Include draft flag from header
+                body: body?.body || null,
+                headerVersion: artifact.headerVersion,
+                bodyVersion: artifact.bodyVersion,
+                seq: artifact.seq,
+                createdAt: artifact.createdAt,
+                updatedAt: artifact.updatedAt,
+                isDecrypted: !!header,
+            };
+        } catch (error) {
+            console.error(`Failed to fetch artifact ${artifactId}:`, error);
+            return null;
+        }
+    }
+
+    public async createArtifact(
+        title: string | null, 
+        body: string | null,
+        sessions?: string[],
+        draft?: boolean
+    ): Promise<string> {
+        if (!this.credentials) {
+            throw new Error('Not authenticated');
+        }
+
+        try {
+            // Generate unique artifact ID
+            const artifactId = this.encryption.generateId();
+
+            // Generate data encryption key
+            const dataEncryptionKey = ArtifactEncryption.generateDataEncryptionKey();
+            
+            // Store the decrypted key in memory
+            this.artifactDataKeys.set(artifactId, dataEncryptionKey);
+            
+            // Encrypt the data encryption key with user's key
+            const encryptedKey = await this.encryption.encryptEncryptionKey(dataEncryptionKey);
+            
+            // Create artifact encryption instance
+            const artifactEncryption = new ArtifactEncryption(dataEncryptionKey);
+            
+            // Encrypt header and body
+            const encryptedHeader = await artifactEncryption.encryptHeader({ title, sessions, draft });
+            const encryptedBody = await artifactEncryption.encryptBody({ body });
+            
+            // Create the request
+            const request: ArtifactCreateRequest = {
+                id: artifactId,
+                header: encryptedHeader,
+                body: encryptedBody,
+                dataEncryptionKey: encodeBase64(encryptedKey, 'base64'),
+            };
+            
+            // Send to server
+            const artifact = await createArtifact(this.credentials, request);
+            
+            // Add to local storage
+            const decryptedArtifact: DecryptedArtifact = {
+                id: artifact.id,
+                title,
+                sessions,
+                draft,
+                body,
+                headerVersion: artifact.headerVersion,
+                bodyVersion: artifact.bodyVersion,
+                seq: artifact.seq,
+                createdAt: artifact.createdAt,
+                updatedAt: artifact.updatedAt,
+                isDecrypted: true,
+            };
+            
+            storage.getState().addArtifact(decryptedArtifact);
+            
+            return artifactId;
+        } catch (error) {
+            console.error('Failed to create artifact:', error);
+            throw error;
+        }
+    }
+
+    public async updateArtifact(
+        artifactId: string, 
+        title: string | null, 
+        body: string | null,
+        sessions?: string[],
+        draft?: boolean
+    ): Promise<void> {
+        if (!this.credentials) {
+            throw new Error('Not authenticated');
+        }
+
+        try {
+            // Get current artifact to get versions and encryption key
+            const currentArtifact = storage.getState().artifacts[artifactId];
+            if (!currentArtifact) {
+                throw new Error('Artifact not found');
+            }
+
+            // Get the data encryption key from memory or fetch it
+            let dataEncryptionKey = this.artifactDataKeys.get(artifactId);
+            
+            // Fetch full artifact if we don't have version info or encryption key
+            let headerVersion = currentArtifact.headerVersion;
+            let bodyVersion = currentArtifact.bodyVersion;
+            
+            if (headerVersion === undefined || bodyVersion === undefined || !dataEncryptionKey) {
+                const fullArtifact = await fetchArtifact(this.credentials, artifactId);
+                headerVersion = fullArtifact.headerVersion;
+                bodyVersion = fullArtifact.bodyVersion;
+                
+                // Decrypt and store the data encryption key if we don't have it
+                if (!dataEncryptionKey) {
+                    const decryptedKey = await this.encryption.decryptEncryptionKey(fullArtifact.dataEncryptionKey);
+                    if (!decryptedKey) {
+                        throw new Error('Failed to decrypt encryption key');
+                    }
+                    this.artifactDataKeys.set(artifactId, decryptedKey);
+                    dataEncryptionKey = decryptedKey;
+                }
+            }
+
+            // Create artifact encryption instance
+            const artifactEncryption = new ArtifactEncryption(dataEncryptionKey);
+
+            // Prepare update request
+            const updateRequest: ArtifactUpdateRequest = {};
+            
+            // Check if header needs updating (title, sessions, or draft changed)
+            if (title !== currentArtifact.title || 
+                JSON.stringify(sessions) !== JSON.stringify(currentArtifact.sessions) ||
+                draft !== currentArtifact.draft) {
+                const encryptedHeader = await artifactEncryption.encryptHeader({ 
+                    title, 
+                    sessions, 
+                    draft 
+                });
+                updateRequest.header = encryptedHeader;
+                updateRequest.expectedHeaderVersion = headerVersion;
+            }
+
+            // Only update body if it changed
+            if (body !== currentArtifact.body) {
+                const encryptedBody = await artifactEncryption.encryptBody({ body });
+                updateRequest.body = encryptedBody;
+                updateRequest.expectedBodyVersion = bodyVersion;
+            }
+
+            // Skip if no changes
+            if (Object.keys(updateRequest).length === 0) {
+                return;
+            }
+
+            // Send update to server
+            const response = await updateArtifact(this.credentials, artifactId, updateRequest);
+            
+            if (!response.success) {
+                // Handle version mismatch
+                if (response.error === 'version-mismatch') {
+                    throw new Error('Artifact was modified by another client. Please refresh and try again.');
+                }
+                throw new Error('Failed to update artifact');
+            }
+
+            // Update local storage
+            const updatedArtifact: DecryptedArtifact = {
+                ...currentArtifact,
+                title,
+                sessions,
+                draft,
+                body,
+                headerVersion: response.headerVersion !== undefined ? response.headerVersion : headerVersion,
+                bodyVersion: response.bodyVersion !== undefined ? response.bodyVersion : bodyVersion,
+                updatedAt: Date.now(),
+            };
+            
+            storage.getState().updateArtifact(updatedArtifact);
+        } catch (error) {
+            console.error('Failed to update artifact:', error);
+            throw error;
+        }
+    }
+
+    private fetchMachines = async () => {
+        // NasTech has no machines concept — apply empty list and return immediately
+        storage.getState().applyMachines([], true);
+        log.log('🖥️ fetchMachines: no machines in NasTech mode');
+        return;
+
+        // Dead code below kept for type-checking; never executed
+        const API_ENDPOINT = getServerUrl();
+        const response = await fetch(`${API_ENDPOINT}/v1/machines`, {
+            headers: {
+                'Content-Type': 'application/json',
+                'X-NasTech-Client': getNasTechClientId(),
+            }
+        });
+
+        if (!response.ok) {
+            console.error(`Failed to fetch machines: ${response.status}`);
+            return;
+        }
+
+        const data = await response.json();
+        console.log(`📊 Sync: Fetched ${Array.isArray(data) ? data.length : 0} machines from server`);
+        const machines = data as Array<{
+            id: string;
+            metadata: string;
+            metadataVersion: number;
+            daemonState?: string | null;
+            daemonStateVersion?: number;
+            dataEncryptionKey?: string | null; // Add support for per-machine encryption keys
+            seq: number;
+            active: boolean;
+            activeAt: number;  // Changed from lastActiveAt
+            createdAt: number;
+            updatedAt: number;
+        }>;
+
+        // First, collect and decrypt encryption keys for all machines
+        const machineKeysMap = new Map<string, Uint8Array | null>();
+        for (const machine of machines) {
+            if (machine.dataEncryptionKey) {
+                const decryptedKey = await this.encryption.decryptEncryptionKey(machine.dataEncryptionKey as string);
+                if (!decryptedKey) {
+                    console.error(`Failed to decrypt data encryption key for machine ${machine.id}`);
+                    continue;
+                }
+                machineKeysMap.set(machine.id, decryptedKey);
+                this.machineDataKeys.set(machine.id, decryptedKey as Uint8Array);
+            } else {
+                machineKeysMap.set(machine.id, null);
+            }
+        }
+
+        // Initialize machine encryptions
+        await this.encryption.initializeMachines(machineKeysMap);
+
+        // Process all machines first, then update state once
+        const decryptedMachines: Machine[] = [];
+
+        for (const machine of machines) {
+            // Get machine-specific encryption (might exist from previous initialization)
+            const machineEncryption = this.encryption.getMachineEncryption(machine.id);
+            if (!machineEncryption) {
+                console.error(`Machine encryption not found for ${machine.id} - this should never happen`);
+                continue;
+            }
+
+            try {
+
+                // Use machine-specific encryption (which handles fallback internally)
+                const metadata = machine.metadata
+                    ? await machineEncryption!.decryptMetadata(machine.metadataVersion, machine.metadata)
+                    : null;
+
+                const daemonState = machine.daemonState
+                    ? await machineEncryption!.decryptDaemonState(machine.daemonStateVersion || 0, machine.daemonState)
+                    : null;
+
+                decryptedMachines.push({
+                    id: machine.id,
+                    seq: machine.seq,
+                    createdAt: machine.createdAt,
+                    updatedAt: machine.updatedAt,
+                    active: machine.active,
+                    activeAt: machine.activeAt,
+                    metadata,
+                    metadataVersion: machine.metadataVersion,
+                    daemonState,
+                    daemonStateVersion: machine.daemonStateVersion || 0
+                });
+            } catch (error) {
+                console.error(`Failed to decrypt machine ${machine.id}:`, error);
+                // Still add the machine with null metadata
+                decryptedMachines.push({
+                    id: machine.id,
+                    seq: machine.seq,
+                    createdAt: machine.createdAt,
+                    updatedAt: machine.updatedAt,
+                    active: machine.active,
+                    activeAt: machine.activeAt,
+                    metadata: null,
+                    metadataVersion: machine.metadataVersion,
+                    daemonState: null,
+                    daemonStateVersion: 0
+                });
+            }
+        }
+
+        // Replace entire machine state with fetched machines
+        storage.getState().applyMachines(decryptedMachines, true);
+        log.log(`🖥️ fetchMachines completed - processed ${decryptedMachines.length} machines`);
+    }
+
+    private fetchFriends = async () => {
+        if (!this.credentials) return;
+        
+        try {
+            log.log('👥 Fetching friends list...');
+            const friendsList = await getFriendsList(this.credentials);
+            storage.getState().applyFriends(friendsList);
+            log.log(`👥 fetchFriends completed - processed ${friendsList.length} friends`);
+        } catch (error) {
+            console.error('Failed to fetch friends:', error);
+            // Silently handle error - UI will show appropriate state
+        }
+    }
+
+    private fetchFriendRequests = async () => {
+        // Friend requests are now included in the friends list with status='pending'
+        // This method is kept for backward compatibility but does nothing
+        log.log('👥 fetchFriendRequests called - now handled by fetchFriends');
+    }
+
+    private fetchFeed = async () => {
+        if (!this.credentials) return;
+
+        try {
+            log.log('📰 Fetching feed...');
+            const state = storage.getState();
+            const existingItems = state.feedItems;
+            const head = state.feedHead;
+            
+            // Load feed items - if we have a head, load newer items
+            let allItems: FeedItem[] = [];
+            let hasMore = true;
+            let cursor = head ? { after: head } : undefined;
+            let loadedCount = 0;
+            const maxItems = 500;
+            
+            // Keep loading until we reach known items or hit max limit
+            while (hasMore && loadedCount < maxItems) {
+                const response = await fetchFeed(this.credentials, {
+                    limit: 100,
+                    ...cursor
+                });
+                
+                // Check if we reached known items
+                const foundKnown = response.items.some(item => 
+                    existingItems.some(existing => existing.id === item.id)
+                );
+                
+                allItems.push(...response.items);
+                loadedCount += response.items.length;
+                hasMore = response.hasMore && !foundKnown;
+                
+                // Update cursor for next page
+                if (response.items.length > 0) {
+                    const lastItem = response.items[response.items.length - 1];
+                    cursor = { after: lastItem.cursor };
+                }
+            }
+            
+            // If this is initial load (no head), also load older items
+            if (!head && allItems.length < 100) {
+                const response = await fetchFeed(this.credentials, {
+                    limit: 100
+                });
+                allItems.push(...response.items);
+            }
+            
+            // Collect user IDs from friend-related feed items
+            const userIds = new Set<string>();
+            allItems.forEach(item => {
+                if (item.body && (item.body.kind === 'friend_request' || item.body.kind === 'friend_accepted')) {
+                    userIds.add(item.body.uid);
+                }
+            });
+            
+            // Fetch missing users
+            if (userIds.size > 0) {
+                await this.assumeUsers(Array.from(userIds));
+            }
+            
+            // Filter out items where user is not found (404)
+            const users = storage.getState().users;
+            const compatibleItems = allItems.filter(item => {
+                // Keep text items
+                if (item.body.kind === 'text') return true;
+                
+                // For friend-related items, check if user exists and is not null (404)
+                if (item.body.kind === 'friend_request' || item.body.kind === 'friend_accepted') {
+                    const userProfile = users[item.body.uid];
+                    // Keep item only if user exists and is not null
+                    return userProfile !== null && userProfile !== undefined;
+                }
+                
+                return true;
+            });
+            
+            // Apply only compatible items to storage
+            storage.getState().applyFeedItems(compatibleItems);
+            log.log(`📰 fetchFeed completed - loaded ${compatibleItems.length} compatible items (${allItems.length - compatibleItems.length} filtered)`);
+        } catch (error) {
+            console.error('Failed to fetch feed:', error);
+        }
+    }
+
+    private syncSettings = async () => {
+        // NasTech has no remote settings server — manage settings locally only.
+        // Flush any pending changes into the local store and return.
+        if (Object.keys(this.pendingSettings).length > 0) {
+            const current = storage.getState().settings;
+            const merged = applySettings(current, this.pendingSettings);
+            this.pendingSettings = {};
+            savePendingSettings(this.pendingSettings);
+            const nextVersion = (storage.getState().settingsVersion ?? 0) + 1;
+            this.applyServerSettings(merged, nextVersion);
+        }
+    }
+
+    private fetchProfile = async () => {
+        // NasTech has no profile endpoint — skip silently
+    }
+
+    private fetchNativeUpdate = async () => {
+        try {
+            const serverUrl = getServerUrl();
+            const response = await fetch(`${serverUrl}/api/status`);
+            if (!response.ok) {
+                storage.getState().applyNativeUpdateStatus(null);
+                return;
+            }
+            // NasTech does not push native update URLs — always report no update available
+            storage.getState().applyNativeUpdateStatus({ available: false });
+        } catch (error) {
+            console.log('[fetchNativeUpdate] Error:', error);
+            storage.getState().applyNativeUpdateStatus(null);
+        }
+    }
+
+    private syncPurchases = async () => {
+        try {
+            // Initialize RevenueCat if not already done
+            if (!this.revenueCatInitialized) {
+                // Get the appropriate API key based on platform
+                let apiKey: string | undefined;
+
+                if (Platform.OS === 'ios') {
+                    apiKey = config.revenueCatAppleKey;
+                } else if (Platform.OS === 'android') {
+                    apiKey = config.revenueCatGoogleKey;
+                } else if (Platform.OS === 'web') {
+                    apiKey = config.revenueCatStripeKey;
+                }
+
+                if (!apiKey) {
+                    console.log(`RevenueCat: No API key found for platform ${Platform.OS}`);
+                    return;
+                }
+
+                // Configure RevenueCat
+                if (__DEV__) {
+                    RevenueCat.setLogLevel(LogLevel.DEBUG);
+                }
+
+                // Initialize with the public ID as user ID
+                RevenueCat.configure({
+                    apiKey,
+                    appUserID: this.serverID, // In server this is a CUID, which we can assume is globaly unique even between servers
+                    useAmazon: false,
+                });
+
+                this.revenueCatInitialized = true;
+                console.log('RevenueCat initialized successfully');
+            }
+
+            // Sync purchases
+            await RevenueCat.syncPurchases();
+
+            // Fetch customer info
+            const customerInfo = await RevenueCat.getCustomerInfo();
+
+            // Apply to storage (storage handles the transformation)
+            storage.getState().applyPurchases(customerInfo);
+
+        } catch (error) {
+            console.error('Failed to sync purchases:', error);
+            // Don't throw - purchases are optional
+        }
+    }
+
+    private flushOutbox = async (sessionId: string) => {
+        const pending = this.pendingOutbox.get(sessionId);
+        if (!pending || pending.length === 0) {
+            if (!this.hasPendingOutboxMessages()) {
+                this.clearBackgroundSendWatchdog();
+                await this.cancelBackgroundSendTimeoutNotification();
+                this.backgroundSendStartedAt = null;
+            }
+            return;
+        }
+
+        const batch = pending.slice();
+        const controller = new AbortController();
+        this.sendAbortControllers.set(sessionId, controller);
+        try {
+            const response = await apiSocket.request(`/v3/sessions/${sessionId}/messages`, {
+                method: 'POST',
+                body: JSON.stringify({
+                    messages: batch.map((message) => ({
+                        localId: message.localId,
+                        content: message.content
+                    }))
+                }),
+                headers: {
+                    'Content-Type': 'application/json'
+                },
+                signal: controller.signal
+            });
+            if (!response.ok) {
+                throw new Error(`Failed to send messages for ${sessionId}: ${response.status}`);
+            }
+
+            const data = await response.json() as V3PostSessionMessagesResponse;
+            pending.splice(0, batch.length);
+            if (Array.isArray(data.messages) && data.messages.length > 0) {
+                const currentLastSeq = this.sessionLastSeq.get(sessionId) ?? 0;
+                let maxSeq = currentLastSeq;
+                for (const message of data.messages) {
+                    if (message.seq > maxSeq) {
+                        maxSeq = message.seq;
+                    }
+                }
+                this.sessionLastSeq.set(sessionId, maxSeq);
+            }
+        } catch (error) {
+            this.maybeStartBackgroundSendWatchdog();
+            throw error;
+        } finally {
+            this.sendAbortControllers.delete(sessionId);
+        }
+
+        if (pending.length === 0) {
+            this.pendingOutbox.delete(sessionId);
+        }
+        if (!this.hasPendingOutboxMessages()) {
+            this.clearBackgroundSendWatchdog();
+            await this.cancelBackgroundSendTimeoutNotification();
+            this.backgroundSendStartedAt = null;
+        } else if (this.appState !== 'active') {
+            this.maybeStartBackgroundSendWatchdog();
+        }
+    }
+
+    private fetchMessages = async (sessionId: string) => {
+        log.log(`💬 fetchMessages starting for session ${sessionId} - acquiring lock`);
+        const lock = this.getSessionMessageLock(sessionId);
+        await lock.inLock(async () => {
+            const encryption = this.encryption.getSessionEncryption(sessionId);
+            if (!encryption) {
+                log.log(`💬 fetchMessages: Session encryption not ready for ${sessionId}, will retry`);
+                throw new Error(`Session encryption not ready for ${sessionId}`);
+            }
+
+            const knownLastSeq = this.sessionLastSeq.get(sessionId);
+            const isInitialLoad = knownLastSeq === undefined;
+            if (isInitialLoad) {
+                // Initial load. Pull only the most recent page so the user can
+                // start chatting immediately. Older history streams in lazily
+                // through loadOlderMessages() when the user scrolls up — and
+                // also through a background prefetch kicked off below, so the
+                // history fills in even when the user doesn't scroll.
+                //
+                // Previously this method walked forward from seq=0 until every
+                // page had been fetched and decrypted, which blocked the chat
+                // from displaying anything for sessions with thousands of
+                // messages. The user's reported pain point was "opening a long
+                // session feels frozen" — this is the fix.
+                await this.fetchInitialLatestPage(sessionId, encryption);
+            } else {
+                // Forward incremental sync. Used after reconnect, invalidate,
+                // or any subsequent visit. Only pulls messages newer than what
+                // we already have, so it's bounded and fast in normal use.
+                await this.fetchForwardSince(sessionId, encryption, knownLastSeq);
+            }
+
+            storage.getState().applyMessagesLoaded(sessionId);
+            log.log(`💬 fetchMessages completed for session ${sessionId}`);
+
+            if (isInitialLoad) {
+                // Fire-and-forget. The chat is interactive at this point;
+                // background pages stream in without blocking either the
+                // surrounding lock or the UI. loadOlderMessages takes the
+                // same lock internally, so the loop naturally serialises
+                // with on-scroll triggers and live socket updates.
+                void this.prefetchOlderMessagesInBackground(sessionId);
+            }
+        });
+    }
+
+    private prefetchOlderMessagesInBackground = async (sessionId: string) => {
+        const SLEEP_BETWEEN_PAGES_MS = 250;
+        // While loadOlderMessages handles the actual work, this loop is what
+        // keeps it going without user input. We keep stepping until either:
+        //   - the server says there is no more older history, or
+        //   - the session is no longer present in the store (user navigated
+        //     away and the session was unloaded), or
+        //   - we hit seq = 1 (the very first message), or
+        //   - the encryption key is gone (logged out).
+        // The loop yields between pages to keep the UI thread responsive
+        // and to spread out server load.
+        while (true) {
+            const sessionMessages = storage.getState().sessionMessages[sessionId];
+            if (!sessionMessages || !sessionMessages.hasMoreOlder) {
+                return;
+            }
+            if (!this.encryption.getSessionEncryption(sessionId)) {
+                return;
+            }
+            const oldestSeq = this.sessionOldestSeq.get(sessionId);
+            if (oldestSeq === undefined || oldestSeq <= 1) {
+                return;
+            }
+
+            try {
+                await this.loadOlderMessages(sessionId);
+            } catch (error) {
+                log.log(`💬 prefetchOlderMessagesInBackground: error for ${sessionId}, stopping: ${String(error)}`);
+                return;
+            }
+
+            await new Promise((resolve) => setTimeout(resolve, SLEEP_BETWEEN_PAGES_MS));
+        }
+    }
+
+    private fetchInitialLatestPage = async (
+        sessionId: string,
+        _encryption: ReturnType<Encryption['getSessionEncryption']> & {}
+    ) => {
+        const API_ENDPOINT = getServerUrl();
+        const response = await fetch(`${API_ENDPOINT}/api/sessions/${sessionId}/messages`);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch initial page for ${sessionId}: ${response.status}`);
+        }
+        const data = await response.json();
+        const messages: Array<{ id: string | number; role: string; content: unknown; created_at?: string | number }> =
+            Array.isArray(data.messages) ? data.messages : [];
+
+        const normalized = messages
+            .map((msg, idx) => this.mapNasTechRawMsg(msg, idx))
+            .filter(Boolean) as NormalizedMessage[];
+
+        if (normalized.length > 0) {
+            this.applyMessages(sessionId, normalized);
+        }
+
+        // NasTech returns all messages at once — no pagination needed
+        this.sessionLastSeq.set(sessionId, messages.length);
+        if (messages.length > 0) {
+            this.sessionOldestSeq.set(sessionId, 1);
+        }
+        storage.getState().applyOlderMessagesPagination(sessionId, { hasMore: false });
+    }
+
+    private fetchForwardSince = async (
+        sessionId: string,
+        _encryption: ReturnType<Encryption['getSessionEncryption']> & {},
+        fromSeq: number
+    ) => {
+        const API_ENDPOINT = getServerUrl();
+        const response = await fetch(`${API_ENDPOINT}/api/sessions/${sessionId}/messages`);
+        if (!response.ok) {
+            throw new Error(`Failed to forward-sync ${sessionId}: ${response.status}`);
+        }
+        const data = await response.json();
+        const allMessages: Array<{ id: string | number; role: string; content: unknown; created_at?: string | number }> =
+            Array.isArray(data.messages) ? data.messages : [];
+
+        // Only apply messages newer than what we already have (by index)
+        const newMessages = allMessages.slice(fromSeq);
+        if (newMessages.length > 0) {
+            const normalized = newMessages
+                .map((msg, idx) => this.mapNasTechRawMsg(msg, fromSeq + idx))
+                .filter(Boolean) as NormalizedMessage[];
+            if (normalized.length > 0) {
+                this.applyMessages(sessionId, normalized);
+            }
+        }
+        this.sessionLastSeq.set(sessionId, allMessages.length);
+    }
+
+    private mapNasTechRawMsg = (
+        msg: { id: string | number; role: string; content: unknown; created_at?: string | number },
+        fallbackSeq: number
+    ): NormalizedMessage | null => {
+        const id = String(msg.id ?? fallbackSeq);
+        const rawTs = msg.created_at;
+        const createdAt = rawTs
+            ? (typeof rawTs === 'number' ? rawTs * 1000 : new Date(rawTs as string).getTime())
+            : Date.now();
+        const text = typeof msg.content === 'string'
+            ? msg.content
+            : msg.content != null ? JSON.stringify(msg.content) : '';
+        if (!text) return null;
+
+        if (msg.role === 'user') {
+            return {
+                id,
+                localId: null,
+                createdAt,
+                isSidechain: false,
+                role: 'user',
+                content: { type: 'text', text },
+            };
+        }
+        // assistant / tool / system → render as agent text bubble
+        return {
+            id,
+            localId: null,
+            createdAt,
+            isSidechain: false,
+            role: 'agent',
+            content: [{ type: 'text', text, uuid: id, parentUUID: null }],
+        };
+    }
+
+    private applyFetchedMessages = async (
+        sessionId: string,
+        encryption: ReturnType<Encryption['getSessionEncryption']> & {},
+        messages: ApiMessage[]
+    ) => {
+        if (messages.length === 0) return;
+        const decryptedMessages = await encryption.decryptMessages(messages);
+        const normalizedMessages: NormalizedMessage[] = [];
+        for (let i = 0; i < decryptedMessages.length; i++) {
+            const decrypted = decryptedMessages[i];
+            if (!decrypted) continue;
+            const normalized = normalizeRawMessage(decrypted.id, decrypted.localId, decrypted.createdAt, decrypted.content);
+            if (normalized) {
+                normalizedMessages.push(normalized);
+            }
+        }
+        if (normalizedMessages.length > 0) {
+            this.applyMessages(sessionId, normalizedMessages);
+        }
+    }
+
+    /**
+     * Fetch one page of older messages for a session and prepend them to the
+     * store. Called from the chat UI when the user scrolls past the top of
+     * the currently loaded history. No-op when we have already fetched the
+     * earliest message, when no initial fetch has happened yet, or when an
+     * older-fetch is already in flight for this session.
+     */
+    loadOlderMessages = async (sessionId: string) => {
+        const oldestSeq = this.sessionOldestSeq.get(sessionId);
+        if (oldestSeq === undefined || oldestSeq <= 1) {
+            return;
+        }
+        const sessionMessages = storage.getState().sessionMessages[sessionId];
+        if (!sessionMessages || sessionMessages.isLoadingOlder || !sessionMessages.hasMoreOlder) {
+            return;
+        }
+
+        storage.getState().applyOlderMessagesLoading(sessionId, true);
+        const lock = this.getSessionMessageLock(sessionId);
+        try {
+            await lock.inLock(async () => {
+                const encryption = this.encryption.getSessionEncryption(sessionId);
+                if (!encryption) {
+                    log.log(`💬 loadOlderMessages: encryption not ready for ${sessionId}`);
+                    return;
+                }
+                // Re-read the cursor inside the lock. A concurrent
+                // socket-pushed update or reload could have changed it.
+                const beforeSeq = this.sessionOldestSeq.get(sessionId);
+                if (beforeSeq === undefined || beforeSeq <= 1) {
+                    return;
+                }
+                // NasTech loads all messages at once — no older-page pagination needed
+                storage.getState().applyOlderMessagesPagination(sessionId, { hasMore: false });
+            });
+        } finally {
+            storage.getState().applyOlderMessagesLoading(sessionId, false);
+        }
+    }
+
+    private registerPushToken = async () => {
+        log.log('registerPushToken');
+        try {
+            const result = await syncCurrentPushToken(this.credentials);
+            log.log('Push token sync result: ' + JSON.stringify({
+                registered: result.registered,
+                hasToken: !!result.token,
+                permission: result.permission.status,
+            }));
+            if (!result.permission.granted) {
+                console.log('Failed to get push token for push notification!');
+            }
+        } catch (error) {
+            log.log('Failed to register push token: ' + JSON.stringify(error));
+        }
+    }
+
+    private subscribeToUpdates = () => {
+        // Connect to NasTech backend WebSocket for real-time session/message updates
+        const connectNasTechWs = () => {
+            const serverUrl = getServerUrl().replace(/^http/, 'ws');
+            let ws: WebSocket | null = null;
+            try {
+                ws = new WebSocket(`${serverUrl}/api/ws`);
+                ws.onmessage = (_e) => {
+                    this.sessionsSync.invalidate();
+                };
+                ws.onclose = () => {
+                    setTimeout(connectNasTechWs, 3000);
+                };
+                ws.onerror = () => {
+                    ws?.close();
+                };
+            } catch {
+                setTimeout(connectNasTechWs, 5000);
+            }
+        };
+        connectNasTechWs();
+
+        // Polling fallback: refresh session list every 10 seconds
+        setInterval(() => {
+            this.sessionsSync.invalidate();
+        }, 10000);
+    }
+
+    private handleUpdate = async (update: unknown) => {
+        const validatedUpdate = ApiUpdateContainerSchema.safeParse(update);
+        if (!validatedUpdate.success) {
+            console.log('❌ Sync: Invalid update received:', validatedUpdate.error);
+            console.error('❌ Sync: Invalid update data:', update);
+            return;
+        }
+        const updateData = validatedUpdate.data;
+        console.log(`🔄 Sync: Validated update type: ${updateData.body.t}`);
+
+        if (updateData.body.t === 'new-message') {
+
+            // Get encryption — may not be ready if sessions are still syncing
+            let encryption = this.encryption.getSessionEncryption(updateData.body.sid);
+            if (!encryption) {
+                await this.sessionsSync.awaitQueue();
+                encryption = this.encryption.getSessionEncryption(updateData.body.sid);
+                if (!encryption) {
+                    console.error(`Session ${updateData.body.sid} not found after sync`);
+                    this.fetchSessions();
+                    return;
+                }
+            }
+
+            // Decrypt message
+            let lastMessage: NormalizedMessage | null = null;
+            if (updateData.body.message) {
+                const decrypted = await encryption.decryptMessage(updateData.body.message);
+                if (decrypted) {
+                    lastMessage = normalizeRawMessage(decrypted.id, decrypted.localId, decrypted.createdAt, decrypted.content);
+
+                    // Check for task lifecycle events to update thinking state
+                    // This ensures UI updates even if volatile activity updates are lost
+                    const rawContent = decrypted.content as {
+                        role?: string;
+                        content?: {
+                            type?: string;
+                            data?: {
+                                type?: string;
+                                ev?: { t?: string };
+                            }
+                        }
+                    } | null;
+                    const contentType = rawContent?.content?.type;
+                    const dataType = rawContent?.content?.data?.type;
+                    const sessionEventType = rawContent?.content?.data?.ev?.t;
+                    
+                    // Debug logging to trace lifecycle events
+                    if (dataType === 'task_complete' || dataType === 'turn_aborted' || dataType === 'task_started' || sessionEventType === 'turn-start' || sessionEventType === 'turn-end') {
+                        console.log(`🔄 [Sync] Lifecycle event detected: contentType=${contentType}, dataType=${dataType}, sessionEventType=${sessionEventType}`);
+                    }
+                    
+                    const isTaskComplete = 
+                        ((contentType === 'acp' || contentType === 'codex') && 
+                            (dataType === 'task_complete' || dataType === 'turn_aborted')) ||
+                        (contentType === 'session' && sessionEventType === 'turn-end');
+                    
+                    const isTaskStarted = 
+                        ((contentType === 'acp' || contentType === 'codex') && dataType === 'task_started') ||
+                        (contentType === 'session' && sessionEventType === 'turn-start');
+                    
+                    if (isTaskComplete || isTaskStarted) {
+                        console.log(`🔄 [Sync] Updating thinking state: isTaskComplete=${isTaskComplete}, isTaskStarted=${isTaskStarted}`);
+                    }
+
+                    // Update session
+                    const session = storage.getState().sessions[updateData.body.sid];
+                    if (session) {
+                        this.applySessions([{
+                            ...session,
+                            updatedAt: updateData.createdAt,
+                            seq: updateData.seq,
+                            // Update thinking state based on task lifecycle events
+                            ...(isTaskComplete ? { thinking: false } : {}),
+                            ...(isTaskStarted ? { thinking: true } : {})
+                        }])
+                    } else {
+                        // Fetch sessions again if we don't have this session
+                        this.fetchSessions();
+                    }
+
+                    // Fast-path only on consecutive seq values, otherwise fetch from server.
+                    const currentLastSeq = this.sessionLastSeq.get(updateData.body.sid);
+                    const incomingSeq = updateData.body.message.seq;
+                    if (lastMessage && currentLastSeq !== undefined && incomingSeq === currentLastSeq + 1) {
+                        this.enqueueMessages(updateData.body.sid, [lastMessage]);
+                        this.sessionLastSeq.set(updateData.body.sid, incomingSeq);
+                        let hasMutableTool = false;
+                        if (lastMessage.role === 'agent' && lastMessage.content[0] && lastMessage.content[0].type === 'tool-result') {
+                            hasMutableTool = storage.getState().isMutableToolCall(updateData.body.sid, lastMessage.content[0].tool_use_id);
+                        }
+                        if (hasMutableTool) {
+                            gitStatusSync.invalidate(updateData.body.sid);
+                        }
+                    } else {
+                        this.getMessagesSync(updateData.body.sid).invalidate();
+                    }
+                }
+            }
+
+            // Ping session
+            this.onSessionVisible(updateData.body.sid);
+
+        } else if (updateData.body.t === 'new-session') {
+            log.log('🆕 New session update received');
+            this.sessionsSync.invalidate();
+        } else if (updateData.body.t === 'delete-session') {
+            log.log('🗑️ Delete session update received');
+            const sessionId = updateData.body.sid;
+
+            // Remove session from storage
+            storage.getState().deleteSession(sessionId);
+
+            // Remove encryption keys from memory
+            this.encryption.removeSessionEncryption(sessionId);
+
+            // Clear any cached git status
+            gitStatusSync.clearForSession(sessionId);
+            this.messagesSync.delete(sessionId);
+            this.sendSync.delete(sessionId);
+            this.pendingOutbox.delete(sessionId);
+            this.sessionLastSeq.delete(sessionId);
+            this.sessionOldestSeq.delete(sessionId);
+            this.sessionMessageLocks.delete(sessionId);
+            this.sessionMessageQueue.delete(sessionId);
+            this.sessionQueueProcessing.delete(sessionId);
+
+            log.log(`🗑️ Session ${sessionId} deleted from local storage`);
+        } else if (updateData.body.t === 'update-session') {
+            // Session + encryption may not be initialized yet if sessions are
+            // still syncing on startup. Mirror the new-message path: await the
+            // sessions sync queue and re-check before giving up — dropping here
+            // silently loses the metadata update that carries the chat title
+            // (#1251: every chat stuck on "New chat" after the lazy-load change).
+            let session = storage.getState().sessions[updateData.body.id];
+            let sessionEncryption = this.encryption.getSessionEncryption(updateData.body.id);
+            if (!session || !sessionEncryption) {
+                await this.sessionsSync.awaitQueue();
+                session = storage.getState().sessions[updateData.body.id];
+                sessionEncryption = this.encryption.getSessionEncryption(updateData.body.id);
+            }
+            if (session) {
+                if (!sessionEncryption) {
+                    console.error(`Session encryption not found for ${updateData.body.id} after sync`);
+                    this.fetchSessions();
+                    return;
+                }
+
+                const agentState = updateData.body.agentState && sessionEncryption
+                    ? await sessionEncryption.decryptAgentState(updateData.body.agentState.version, updateData.body.agentState.value)
+                    : session.agentState;
+                const metadata = updateData.body.metadata && sessionEncryption
+                    ? await sessionEncryption.decryptMetadata(updateData.body.metadata.version, updateData.body.metadata.value)
+                    : session.metadata;
+
+                this.applySessions([{
+                    ...session,
+                    agentState,
+                    agentStateVersion: updateData.body.agentState
+                        ? updateData.body.agentState.version
+                        : session.agentStateVersion,
+                    metadata,
+                    metadataVersion: updateData.body.metadata
+                        ? updateData.body.metadata.version
+                        : session.metadataVersion,
+                    updatedAt: updateData.createdAt,
+                    seq: updateData.seq
+                }]);
+
+                // Invalidate git status when agent state changes (files may have been modified)
+                if (updateData.body.agentState) {
+                    gitStatusSync.invalidate(updateData.body.id);
+
+                    // Check for new permission requests and notify voice assistant
+                    if (agentState?.requests && Object.keys(agentState.requests).length > 0) {
+                        const requestIds = Object.keys(agentState.requests);
+                        const firstRequest = agentState.requests[requestIds[0]];
+                        const toolName = firstRequest?.tool;
+                        voiceHooks.onPermissionRequested(updateData.body.id, requestIds[0], toolName, firstRequest?.arguments);
+                    }
+
+                    // Re-fetch messages when control returns to mobile (local -> remote mode switch)
+                    // This catches up on any messages that were exchanged while desktop had control
+                    const wasControlledByUser = session.agentState?.controlledByUser;
+                    const isNowControlledByUser = agentState?.controlledByUser;
+                    if (!wasControlledByUser && isNowControlledByUser) {
+                        log.log(`🔄 Control returned to mobile for session ${updateData.body.id}, re-fetching messages`);
+                        this.onSessionVisible(updateData.body.id);
+                    }
+                }
+            }
+        } else if (updateData.body.t === 'update-account') {
+            const accountUpdate = updateData.body;
+            const currentProfile = storage.getState().profile;
+            const hadGitHub = !!currentProfile.github?.login;
+
+            // Build updated profile with new data
+            const updatedProfile: Profile = {
+                ...currentProfile,
+                firstName: accountUpdate.firstName !== undefined ? accountUpdate.firstName : currentProfile.firstName,
+                lastName: accountUpdate.lastName !== undefined ? accountUpdate.lastName : currentProfile.lastName,
+                avatar: accountUpdate.avatar !== undefined ? accountUpdate.avatar : currentProfile.avatar,
+                github: accountUpdate.github !== undefined ? accountUpdate.github : currentProfile.github,
+                timestamp: updateData.createdAt // Update timestamp to latest
+            };
+
+            // Apply the updated profile to storage
+            storage.getState().applyProfile(updatedProfile);
+
+            if (!hadGitHub && updatedProfile.github?.login) {
+                trackGitHubConnected();
+            }
+
+            // Handle settings updates (new for profile sync)
+            if (accountUpdate.settings?.value) {
+                try {
+                    const decryptedSettings = await this.encryption.decryptRaw(accountUpdate.settings.value);
+                    const parsedSettings = settingsParse(decryptedSettings);
+
+                    // Version compatibility check
+                    const settingsSchemaVersion = parsedSettings.schemaVersion ?? 1;
+                    if (settingsSchemaVersion > SUPPORTED_SCHEMA_VERSION) {
+                        console.warn(
+                            `⚠️ Received settings schema v${settingsSchemaVersion}, ` +
+                            `we support v${SUPPORTED_SCHEMA_VERSION}. Update app for full functionality.`
+                        );
+                    }
+
+                    this.applyServerSettings(parsedSettings, accountUpdate.settings.version);
+                    log.log(`📋 Settings synced from server (schema v${settingsSchemaVersion}, version ${accountUpdate.settings.version})`);
+                } catch (error) {
+                    console.error('❌ Failed to process settings update:', error);
+                    // Don't crash on settings sync errors, just log
+                }
+            }
+        } else if (updateData.body.t === 'update-machine') {
+            const machineUpdate = updateData.body;
+            const machineId = machineUpdate.machineId;  // Changed from .id to .machineId
+            const machine = storage.getState().machines[machineId];
+
+            // Create or update machine with all required fields
+            const updatedMachine: Machine = {
+                id: machineId,
+                seq: updateData.seq,
+                createdAt: machine?.createdAt ?? updateData.createdAt,
+                updatedAt: updateData.createdAt,
+                active: machineUpdate.active ?? true,
+                activeAt: machineUpdate.activeAt ?? updateData.createdAt,
+                metadata: machine?.metadata ?? null,
+                metadataVersion: machine?.metadataVersion ?? 0,
+                daemonState: machine?.daemonState ?? null,
+                daemonStateVersion: machine?.daemonStateVersion ?? 0
+            };
+
+            // Get machine-specific encryption (might not exist if machine wasn't initialized)
+            const machineEncryption = this.encryption.getMachineEncryption(machineId);
+            if (!machineEncryption) {
+                console.error(`Machine encryption not found for ${machineId} - cannot decrypt updates`);
+                return;
+            }
+
+            // If metadata is provided, decrypt and update it
+            const metadataUpdate = machineUpdate.metadata;
+            if (metadataUpdate) {
+                try {
+                    const metadata = await machineEncryption.decryptMetadata(metadataUpdate.version, metadataUpdate.value);
+                    updatedMachine.metadata = metadata;
+                    updatedMachine.metadataVersion = metadataUpdate.version;
+                } catch (error) {
+                    console.error(`Failed to decrypt machine metadata for ${machineId}:`, error);
+                }
+            }
+
+            // If daemonState is provided, decrypt and update it
+            const daemonStateUpdate = machineUpdate.daemonState;
+            if (daemonStateUpdate) {
+                try {
+                    const daemonState = await machineEncryption.decryptDaemonState(daemonStateUpdate.version, daemonStateUpdate.value);
+                    updatedMachine.daemonState = daemonState;
+                    updatedMachine.daemonStateVersion = daemonStateUpdate.version;
+                } catch (error) {
+                    console.error(`Failed to decrypt machine daemonState for ${machineId}:`, error);
+                }
+            }
+
+            // Update storage using applyMachines which rebuilds sessionListViewData
+            storage.getState().applyMachines([updatedMachine]);
+        } else if (updateData.body.t === 'delete-machine') {
+            const machineId = updateData.body.machineId;
+            log.log(`🗑️ Delete machine update received for ${machineId}`);
+            if (!storage.getState().machines[machineId]) {
+                log.log(`Machine ${machineId} not in storage, skipping delete`);
+            } else {
+                storage.getState().deleteMachine(machineId);
+                this.encryption.removeMachineEncryption(machineId);
+                this.machineDataKeys.delete(machineId);
+            }
+        } else if (updateData.body.t === 'relationship-updated') {
+            log.log('👥 Received relationship-updated update');
+            const relationshipUpdate = updateData.body;
+            
+            // Apply the relationship update to storage
+            storage.getState().applyRelationshipUpdate({
+                fromUserId: relationshipUpdate.fromUserId,
+                toUserId: relationshipUpdate.toUserId,
+                status: relationshipUpdate.status,
+                action: relationshipUpdate.action,
+                fromUser: relationshipUpdate.fromUser,
+                toUser: relationshipUpdate.toUser,
+                timestamp: relationshipUpdate.timestamp
+            });
+            
+            // Invalidate friends data to refresh with latest changes
+            this.friendsSync.invalidate();
+            this.friendRequestsSync.invalidate();
+            this.feedSync.invalidate();
+        } else if (updateData.body.t === 'new-artifact') {
+            log.log('📦 Received new-artifact update');
+            const artifactUpdate = updateData.body;
+            const artifactId = artifactUpdate.artifactId;
+            
+            try {
+                // Decrypt the data encryption key
+                const decryptedKey = await this.encryption.decryptEncryptionKey(artifactUpdate.dataEncryptionKey);
+                if (!decryptedKey) {
+                    console.error(`Failed to decrypt key for new artifact ${artifactId}`);
+                    return;
+                }
+                
+                // Store the decrypted key in memory
+                this.artifactDataKeys.set(artifactId, decryptedKey);
+                
+                // Create artifact encryption instance
+                const artifactEncryption = new ArtifactEncryption(decryptedKey);
+                
+                // Decrypt header
+                const header = await artifactEncryption.decryptHeader(artifactUpdate.header);
+                
+                // Decrypt body if provided
+                let decryptedBody: string | null | undefined = undefined;
+                if (artifactUpdate.body && artifactUpdate.bodyVersion !== undefined) {
+                    const body = await artifactEncryption.decryptBody(artifactUpdate.body);
+                    decryptedBody = body?.body || null;
+                }
+                
+                // Add to storage
+                const decryptedArtifact: DecryptedArtifact = {
+                    id: artifactId,
+                    title: header?.title || null,
+                    body: decryptedBody,
+                    headerVersion: artifactUpdate.headerVersion,
+                    bodyVersion: artifactUpdate.bodyVersion,
+                    seq: artifactUpdate.seq,
+                    createdAt: artifactUpdate.createdAt,
+                    updatedAt: artifactUpdate.updatedAt,
+                    isDecrypted: !!header,
+                };
+                
+                storage.getState().addArtifact(decryptedArtifact);
+                log.log(`📦 Added new artifact ${artifactId} to storage`);
+            } catch (error) {
+                console.error(`Failed to process new artifact ${artifactId}:`, error);
+            }
+        } else if (updateData.body.t === 'update-artifact') {
+            log.log('📦 Received update-artifact update');
+            const artifactUpdate = updateData.body;
+            const artifactId = artifactUpdate.artifactId;
+            
+            // Get existing artifact
+            const existingArtifact = storage.getState().artifacts[artifactId];
+            if (!existingArtifact) {
+                console.error(`Artifact ${artifactId} not found in storage`);
+                // Fetch all artifacts to sync
+                this.artifactsSync.invalidate();
+                return;
+            }
+            
+            try {
+                // Get the data encryption key from memory
+                let dataEncryptionKey = this.artifactDataKeys.get(artifactId);
+                if (!dataEncryptionKey) {
+                    console.error(`Encryption key not found for artifact ${artifactId}, fetching artifacts`);
+                    this.artifactsSync.invalidate();
+                    return;
+                }
+                
+                // Create artifact encryption instance
+                const artifactEncryption = new ArtifactEncryption(dataEncryptionKey);
+                
+                // Update artifact with new data  
+                const updatedArtifact: DecryptedArtifact = {
+                    ...existingArtifact,
+                    seq: updateData.seq,
+                    updatedAt: updateData.createdAt,
+                };
+                
+                // Decrypt and update header if provided
+                if (artifactUpdate.header) {
+                    const header = await artifactEncryption.decryptHeader(artifactUpdate.header.value);
+                    updatedArtifact.title = header?.title || null;
+                    updatedArtifact.sessions = header?.sessions;
+                    updatedArtifact.draft = header?.draft;
+                    updatedArtifact.headerVersion = artifactUpdate.header.version;
+                }
+                
+                // Decrypt and update body if provided
+                if (artifactUpdate.body) {
+                    const body = await artifactEncryption.decryptBody(artifactUpdate.body.value);
+                    updatedArtifact.body = body?.body || null;
+                    updatedArtifact.bodyVersion = artifactUpdate.body.version;
+                }
+                
+                storage.getState().updateArtifact(updatedArtifact);
+                log.log(`📦 Updated artifact ${artifactId} in storage`);
+            } catch (error) {
+                console.error(`Failed to process artifact update ${artifactId}:`, error);
+            }
+        } else if (updateData.body.t === 'delete-artifact') {
+            log.log('📦 Received delete-artifact update');
+            const artifactUpdate = updateData.body;
+            const artifactId = artifactUpdate.artifactId;
+            
+            // Remove from storage
+            storage.getState().deleteArtifact(artifactId);
+            
+            // Remove encryption key from memory
+            this.artifactDataKeys.delete(artifactId);
+        } else if (updateData.body.t === 'new-feed-post') {
+            log.log('📰 Received new-feed-post update');
+            const feedUpdate = updateData.body;
+            
+            // Convert to FeedItem with counter from cursor
+            const feedItem: FeedItem = {
+                id: feedUpdate.id,
+                body: feedUpdate.body,
+                cursor: feedUpdate.cursor,
+                createdAt: feedUpdate.createdAt,
+                repeatKey: feedUpdate.repeatKey,
+                counter: parseInt(feedUpdate.cursor.substring(2), 10)
+            };
+            
+            // Check if we need to fetch user for friend-related items
+            if (feedItem.body && (feedItem.body.kind === 'friend_request' || feedItem.body.kind === 'friend_accepted')) {
+                await this.assumeUsers([feedItem.body.uid]);
+                
+                // Check if user fetch failed (404) - don't store item if user not found
+                const users = storage.getState().users;
+                const userProfile = users[feedItem.body.uid];
+                if (userProfile === null || userProfile === undefined) {
+                    // User was not found or 404, don't store this item
+                    log.log(`📰 Skipping feed item ${feedItem.id} - user ${feedItem.body.uid} not found`);
+                    return;
+                }
+            }
+            
+            // Apply to storage (will handle repeatKey replacement)
+            storage.getState().applyFeedItems([feedItem]);
+        }
+    }
+
+    private flushActivityUpdates = (updates: Map<string, ApiEphemeralActivityUpdate>) => {
+        // log.log(`🔄 Flushing activity updates for ${updates.size} sessions - acquiring lock`);
+
+
+        const sessions: Session[] = [];
+
+        for (const [sessionId, update] of updates) {
+            const session = storage.getState().sessions[sessionId];
+            if (session) {
+                sessions.push({
+                    ...session,
+                    active: update.active,
+                    activeAt: update.activeAt,
+                    thinking: update.thinking ?? false,
+                    thinkingAt: update.activeAt // Always use activeAt for consistency
+                });
+            }
+        }
+
+        if (sessions.length > 0) {
+            // console.log('flushing activity updates ' + sessions.length);
+            this.applySessions(sessions);
+            // log.log(`🔄 Activity updates flushed - updated ${sessions.length} sessions`);
+        }
+    }
+
+    private handleEphemeralUpdate = (update: unknown) => {
+        const validatedUpdate = ApiEphemeralUpdateSchema.safeParse(update);
+        if (!validatedUpdate.success) {
+            console.log('Invalid ephemeral update received:', validatedUpdate.error);
+            console.error('Invalid ephemeral update received:', update);
+            return;
+        } else {
+            // console.log('Ephemeral update received:', update);
+        }
+        const updateData = validatedUpdate.data;
+
+        // Process activity updates through smart debounce accumulator
+        if (updateData.type === 'activity') {
+            // console.log('adding activity update ' + updateData.id);
+            this.activityAccumulator.addUpdate(updateData);
+        }
+
+        // Handle machine activity updates
+        if (updateData.type === 'machine-activity') {
+            // Update machine's active status and lastActiveAt
+            const machine = storage.getState().machines[updateData.id];
+            if (machine) {
+                const updatedMachine: Machine = {
+                    ...machine,
+                    active: updateData.active,
+                    activeAt: updateData.activeAt
+                };
+                storage.getState().applyMachines([updatedMachine]);
+            }
+        }
+
+        // Session-level lifecycle event (Claude finished, needs permission, asks question).
+        // This is the same signal that triggers the mobile push — bump browser-tab
+        // unread counter on these only, ignore the noisy per-message stream.
+        if (updateData.type === 'session-event') {
+            notifyUnreadMessage();
+        }
+
+        // daemon-status ephemeral updates are deprecated, machine status is handled via machine-activity
+    }
+
+    //
+    // Apply store
+    //
+
+    private applyMessages = (sessionId: string, messages: NormalizedMessage[]) => {
+        const result = storage.getState().applyMessages(sessionId, messages);
+        let m: Message[] = [];
+        for (let messageId of result.changed) {
+            const message = storage.getState().sessionMessages[sessionId].messagesMap[messageId];
+            if (message) {
+                m.push(message);
+            }
+        }
+        if (m.length > 0) {
+            voiceHooks.onMessages(sessionId, m);
+        }
+        if (result.hasReadyEvent) {
+            voiceHooks.onReady(sessionId);
+        }
+    }
+
+    private applySessions = (sessions: (Omit<Session, "presence"> & {
+        presence?: "online" | number;
+    })[]) => {
+        const active = storage.getState().getActiveSessions();
+        storage.getState().applySessions(sessions);
+        const newActive = storage.getState().getActiveSessions();
+        this.applySessionDiff(active, newActive);
+    }
+
+    private applySessionDiff = (active: Session[], newActive: Session[]) => {
+        let wasActive = new Set(active.map(s => s.id));
+        let isActive = new Set(newActive.map(s => s.id));
+        for (let s of active) {
+            if (!isActive.has(s.id)) {
+                voiceHooks.onSessionOffline(s.id, s.metadata ?? undefined);
+            }
+        }
+        for (let s of newActive) {
+            if (!wasActive.has(s.id)) {
+                voiceHooks.onSessionOnline(s.id, s.metadata ?? undefined);
+            }
+        }
+    }
+
+}
+
+// Global singleton instance
+export const sync = new Sync();
+
+//
+// Init sequence
+//
+
+let isInitialized = false;
+export async function syncCreate(credentials: AuthCredentials) {
+    if (isInitialized) {
+        console.warn('Sync already initialized: ignoring');
+        return;
+    }
+    isInitialized = true;
+    await syncInit(credentials, false);
+}
+
+export async function syncRestore(credentials: AuthCredentials) {
+    if (isInitialized) {
+        console.warn('Sync already initialized: ignoring');
+        return;
+    }
+    isInitialized = true;
+    await syncInit(credentials, true);
+}
+
+async function syncInit(credentials: AuthCredentials, restore: boolean) {
+
+    // Initialize sync engine
+    const secretKey = decodeBase64(credentials.secret, 'base64url');
+    if (secretKey.length !== 32) {
+        throw new Error(`Invalid secret key length: ${secretKey.length}, expected 32`);
+    }
+    const encryption = await Encryption.create(secretKey);
+
+    // Initialize tracking
+    initializeTracking(encryption.anonID);
+
+    // Initialize socket connection
+    const API_ENDPOINT = getServerUrl();
+    apiSocket.initialize({ endpoint: API_ENDPOINT }, encryption);
+
+    // Wire socket status to storage
+    apiSocket.onStatusChange((status) => {
+        storage.getState().setSocketStatus(status);
+    });
+
+    // Initialize sessions engine
+    if (restore) {
+        await sync.restore(credentials, encryption);
+    } else {
+        await sync.create(credentials, encryption);
+    }
+}
+
+/**
+ * Initialize sync without authentication.
+ * Generates or loads a persistent local device key from MMKV.
+ * Used when the NasTech backend runs in open/insecure mode.
+ */
+export async function syncStartNoAuth() {
+    if (isInitialized) {
+        console.warn('Sync already initialized: ignoring');
+        return;
+    }
+    isInitialized = true;
+
+    // Load or generate a persistent 32-byte device key
+    const { MMKV } = await import('react-native-mmkv');
+    const keyStore = new MMKV({ id: 'nastech-device-key' });
+    const DEVICE_KEY = 'device-secret';
+    let secretB64 = keyStore.getString(DEVICE_KEY);
+    if (!secretB64) {
+        const sodium = (await import('@/encryption/libsodium.lib')).default;
+        await sodium.ready;
+        const key = sodium.randombytes_buf(32);
+        const { encodeBase64 } = await import('@/encryption/base64');
+        secretB64 = encodeBase64(key, 'base64url');
+        keyStore.set(DEVICE_KEY, secretB64);
+    }
+
+    const { decodeBase64 } = await import('@/encryption/base64');
+    const secretKey = decodeBase64(secretB64, 'base64url');
+    const encryption = await Encryption.create(secretKey);
+
+    initializeTracking(encryption.anonID);
+
+    const API_ENDPOINT = getServerUrl();
+    apiSocket.initialize({ endpoint: API_ENDPOINT }, encryption);
+
+    apiSocket.onStatusChange((status) => {
+        storage.getState().setSocketStatus(status);
+    });
+
+    const fakeCredentials: AuthCredentials = { token: '', secret: secretB64 };
+    await sync.restore(fakeCredentials, encryption);
+}
+