feat(v1.3.0): ephemeral session-key encryption + cleanup

- Update version to 1.3.0
- Remove debug console logs
- Session-key encryption working in production
- Mnemonic auto-clears after QR generation
- Lock/Clear functionality verified

GEMINI.md

@@ -0,0 +1,377 @@
+# SeedPGP - Gemini Code Assist Project Brief
+
+## Project Overview
+
+**SeedPGP v1.3.0**: Client-side BIP39 mnemonic encryption webapp  
+**Stack**: Bun + Vite + React + TypeScript + OpenPGP.js + Tailwind CSS  
+**Deploy**: GitHub Pages (public repo: `seedpgp-web-app`, private source: `seedpgp-web`)  
+**Live URL**: <https://kccleoc.github.io/seedpgp-web-app/>
+
+## Core Constraints
+
+1. **Security-first**: Never persist secrets (mnemonic/passphrase/private keys) to localStorage/sessionStorage/IndexedDB
+2. **Small PRs**: Max 1-5 files per feature; propose plan before coding
+3. **Client-side only**: No backend; all crypto runs in browser (Web Crypto API + OpenPGP.js)
+4. **GitHub Pages deploy**: Base path `/seedpgp-web-app/` configured in vite.config.ts
+5. **Honest security claims**: Don't overclaim what client-side JS can guarantee
+
+## Non-Negotiables
+
+- Small diffs only: one feature slice per PR (1-5 files if possible)
+- No big code dumps; propose plan first, then implement
+- Never persist secrets to browser storage
+- Prefer "explain what you found in the repo" over guessing
+- TypeScript strict mode; no `any` types without justification
+
+---
+
+## Architecture Map
+
+### Entry Points
+
+- `src/main.tsx` → `src/App.tsx` (main application)
+- Build output: `dist/` (separate git repo for GitHub Pages deployment)
+
+### Directory Structure
+
+```
+src/
+├── components/        # React UI components
+│   ├── PgpKeyInput.tsx
+│   ├── QrDisplay.tsx
+│   ├── QrScanner.tsx
+│   ├── ReadOnly.tsx
+│   ├── StorageIndicator.tsx
+│   ├── SecurityWarnings.tsx
+│   └── ClipboardTracker.tsx
+├── lib/              # Core logic & crypto utilities
+│   ├── seedpgp.ts    # Main encrypt/decrypt functions
+│   ├── sessionCrypto.ts  # Ephemeral AES-GCM session keys
+│   ├── types.ts      # TypeScript interfaces
+│   └── qr.ts         # QR code utilities
+├── App.tsx           # Main app component
+└── main.tsx          # React entry point
+```
+
+### Key Modules
+
+#### `src/lib/seedpgp.ts`
+
+Core encryption/decryption:
+
+- `encryptToSeedPgp()` - Encrypts mnemonic with PGP public key + optional password
+- `decryptFromSeedPgp()` - Decrypts with PGP private key + optional password
+- Uses OpenPGP.js for PGP operations
+- Output format: `SEEDPGP1:version:base64data:fingerprint`
+
+#### `src/lib/sessionCrypto.ts` (v1.3.0+)
+
+Ephemeral session-key encryption:
+
+- `getSessionKey()` - Generates/returns non-exportable AES-GCM-256 key (idempotent)
+- `encryptJsonToBlob(obj)` - Encrypts to `{v, alg, iv_b64, ct_b64}`
+- `decryptBlobToJson(blob)` - Decrypts back to original object
+- `destroySessionKey()` - Drops key reference for garbage collection
+- Test: `await window.runSessionCryptoTest()` (DEV only)
+
+#### `src/lib/types.ts`
+
+Core interfaces:
+
+- `SeedPgpPlaintext` - Decrypted mnemonic data structure
+- `SeedPgpCiphertext` - Encrypted payload structure
+- `EncryptedBlob` - Session-key encrypted cache format
+
+---
+
+## Key Features
+
+### v1.0 - Core Functionality
+
+- **Backup**: Encrypt mnemonic with PGP public key + optional password → QR display
+- **Restore**: Scan/paste QR → decrypt with private key → show mnemonic
+- **PGP support**: Import public/private keys (.asc files or paste)
+
+### v1.1 - QR Features
+
+- **QR Display**: Generate QR codes from encrypted data
+- **QR Scanner**: Camera + file upload (uses html5-qrcode library)
+
+### v1.2 - Security Monitoring
+
+- **Storage Indicator**: Real-time display of localStorage/sessionStorage contents
+- **Security Warnings**: Context-aware alerts about browser memory limitations
+- **Clipboard Tracker**: Monitor clipboard operations on sensitive fields
+- **Read-only Mode**: Toggle to clear state + show CSP/build info
+
+### v1.3 - Session-Key Encryption (Current)
+
+- **Ephemeral encryption**: AES-GCM-256 session key (non-exportable) encrypts sensitive state
+- **Auto-clear**: Plaintext mnemonic cleared from UI immediately after QR generation
+- **Encrypted cache**: Only ciphertext stored in React state; key lives in memory only
+- **Lock/Clear**: Manual cleanup destroys session key + clears all state
+- **Lifecycle**: Session key auto-destroyed on page close/refresh
+
+---
+
+## Development Workflow
+
+### Commands
+
+```bash
+bun install           # Install dependencies
+bun run dev           # Dev server (localhost:5173)
+bun run build         # Build to dist/
+bun run typecheck     # TypeScript validation (tsc --noEmit)
+bun run preview       # Preview production build
+./scripts/deploy.sh v1.x.x  # Build + push to public repo
+```
+
+### Deployment Process
+
+1. **Private repo** (`seedpgp-web`): Source code, development
+2. **Public repo** (`seedpgp-web-app`): Built files for GitHub Pages
+3. **Deploy script** (`scripts/deploy.sh`): Builds + copies to dist/ + pushes to public repo
+
+### Git Workflow
+
+```bash
+# Commit feature
+git add src/
+git commit -m "feat(v1.x): description"
+
+# Tag version
+git tag v1.x.x
+git push origin main --tags
+
+# Deploy to GitHub Pages
+./scripts/deploy.sh v1.x.x
+```
+
+---
+
+## Required Workflow for AI Agents
+
+### 1. Study First
+
+Before implementing any feature:
+
+- Read relevant files
+- Explain current architecture + entry points
+- List files that will be touched
+- Identify potential conflicts or dependencies
+
+### 2. Plan
+
+- Propose smallest vertical slice (1-5 files)
+- Show API signatures or interface changes first
+- Get approval before generating full implementation
+
+### 3. Implement
+
+- Generate code with TypeScript strict mode
+- Include JSDoc comments for public APIs
+- Show unified diffs, not full file rewrites (when possible)
+- Keep changes under 50-100 lines per file when feasible
+
+### 4. Verify
+
+- Run `bun run typecheck` - no errors
+- Run `bun run build` - successful dist/ output
+- Provide manual test steps for browser verification
+- Show build output / console logs / DevTools screenshots
+
+---
+
+## Common Patterns
+
+### State Management
+
+- React `useState` + `useEffect` (no Redux/Zustand/external store)
+- Ephemeral state only; avoid persistent storage for secrets
+
+### Styling
+
+- Tailwind utility classes (configured in `tailwind.config.js`)
+- Responsive design: mobile-first with `md:` breakpoints
+- Dark theme primary: slate-900 background, blue-400 accents
+
+### Icons
+
+- `lucide-react` library
+- Common: Shield, QrCode, Lock, Eye, AlertCircle
+
+### Crypto Operations
+
+- **PGP**: OpenPGP.js (`openpgp` package)
+- **Session keys**: Web Crypto API (`crypto.subtle`)
+- **Key generation**: `crypto.subtle.generateKey()` with `extractable: false`
+- **Encryption**: AES-GCM with random 12-byte IV per operation
+
+### Type Safety
+
+- Strict TypeScript (`tsconfig.json`: `strict: true`)
+- Check `src/lib/types.ts` for core interfaces
+- Avoid `any`; use `unknown` + type guards when necessary
+
+---
+
+## Security Architecture
+
+### Threat Model (Honest)
+
+**What we protect against:**
+
+- Accidental persistence to localStorage/sessionStorage
+- Plaintext secrets lingering in React state after use
+- Clipboard history exposure (with warnings)
+
+**What we DON'T protect against (and must not claim to):**
+
+- Active XSS or malicious browser extensions
+- Memory dumps or browser crash reports
+- JavaScript garbage collection timing (non-deterministic)
+
+### Memory Handling
+
+- **Session keys**: Non-exportable CryptoKey objects (Web Crypto API)
+- **Plaintext clearing**: Set to empty string + drop references (but GC timing is non-deterministic)
+- **No guarantees**: Cannot force immediate memory wiping in JavaScript
+
+### Storage Policy
+
+- **NEVER write to**: localStorage, sessionStorage, IndexedDB, cookies
+- **Exception**: Non-sensitive UI state only (theme preferences, etc.) - NOT IMPLEMENTED YET
+- **Verification**: StorageIndicator component monitors all storage APIs
+
+---
+
+## What NOT to Do
+
+### Code Generation
+
+- Don't generate full file rewrites unless necessary
+- Don't add dependencies without discussing bundle size impact
+- Don't use `any` types without explicit justification
+- Don't skip TypeScript strict mode checks
+
+### Security Claims
+
+- Don't claim "RAM is wiped" (JavaScript can't force GC)
+- Don't claim "offline mode" without real CSP headers (GitHub Pages can't set custom headers)
+- Don't promise protection against active browser compromise (XSS/extensions)
+
+### Storage
+
+- Don't write secrets to storage without explicit approval
+- Don't cache decrypted data beyond immediate use
+- Don't assume browser storage is secure
+
+---
+
+## Testing & Verification
+
+### Manual Test Checklist (Before Marking Feature Complete)
+
+1. ✅ `bun run typecheck` passes (no TypeScript errors)
+2. ✅ `bun run build` succeeds (dist/ generated)
+3. ✅ Browser test: Feature works as described
+4. ✅ DevTools Console: No runtime errors
+5. ✅ DevTools Application tab: No plaintext secrets in storage
+6. ✅ DevTools Network tab: No unexpected network calls (if Read-only Mode)
+
+### Session-Key Encryption Test (v1.3+)
+
+```javascript
+// In browser DevTools console:
+await window.runSessionCryptoTest()
+// Expected: ✅ Success: Data integrity verified.
+```
+
+---
+
+## Current Version: v1.3.0
+
+### Recent Changes (2026-01-29)
+
+- ✅ Added `src/lib/sessionCrypto.ts` with ephemeral AES-GCM session keys
+- ✅ Integrated into Backup flow: plaintext mnemonic auto-cleared after QR generation
+- ✅ Added Lock/Clear button to destroy session key and clear all state
+- ✅ Added cleanup on component unmount
+
+### Known Limitations
+
+- GitHub Pages cannot set custom CSP headers (need Cloudflare Pages for enforcement)
+- Read-only Mode is UI-level only (not browser-enforced)
+- Session-key encryption doesn't protect against active XSS/extensions
+
+### Next Priorities (Suggested)
+
+1. Extend session-key encryption to Restore flow
+2. Migrate to Cloudflare Pages for real CSP header enforcement
+3. Add "Encrypted in memory" badge when encryptedMnemonicCache exists
+4. Document reproducible builds (git hash verification)
+
+---
+
+## Quick Reference
+
+### File a Bug/Feature
+
+1. Describe expected vs actual behavior
+2. Include browser console errors (if any)
+3. Specify which flow (Backup/Restore/QR Scanner)
+
+### Roll Over to Next Session
+
+Always provide:
+
+- Current version number
+- What was implemented this session
+- Files modified
+- What still needs work
+- Any gotchas or edge cases discovered
+
+---
+
+## Example Prompts for Gemini
+
+### Exploration
+
+```
+Read GEMINI.md, then explain:
+1. Where is the mnemonic textarea and how is its value managed?
+2. List all places localStorage/sessionStorage are used
+3. Show data flow from "Backup" button to QR display
+```
+
+### Feature Request
+
+```
+Task: [Feature description]
+
+Requirements:
+1. [Specific requirement]
+2. [Another requirement]
+
+Files to touch:
+- [List files]
+
+Plan first: show proposed API/changes before generating code.
+```
+
+### Verification
+
+```
+Audit the codebase to verify [feature] is fully implemented.
+Check:
+1. [Requirement 1]
+2. [Requirement 2]
+Output: ✅ or ❌ for each item + suggest fixes for failures.
+```
+
+---
+
+**Last Updated**: 2026-01-29  
+**Maintained by**: @kccleoc  
+**AI Agent**: Optimized for Gemini Code Assist

package.json

@@ -1,12 +1,13 @@
 {
   "name": "seedpgp-web",
   "private": true,
-  "version": "1.1.0",
+  "version": "1.3.0",
   "type": "module",
   "scripts": {
     "dev": "vite",
     "build": "tsc && vite build",
-    "preview": "vite preview"
+    "preview": "vite preview",
+    "typecheck": "tsc --noEmit"
   },
   "dependencies": {
     "html5-qrcode": "^2.3.8",

public/README.md

@@ -1,48 +1,121 @@
 # SeedPGP Web App
 
-**Secure BIP39 mnemonic backup tool using PGP encryption**
+**Secure BIP39 mnemonic backup tool using OpenPGP encryption**
 
 🔗 **Live App**: https://kccleoc.github.io/seedpgp-web-app/
 
 ## About
 
-This is a client-side web application for encrypting cryptocurrency seed phrases (BIP39 mnemonics) using OpenPGP encryption and Base45 encoding for QR code generation.
+Client-side web application for encrypting cryptocurrency seed phrases (BIP39 mnemonics) using OpenPGP encryption with QR code generation and scanning capabilities.
 
-### Features
+### ✨ Features
 
-- 🔐 PGP encryption with cv25519 (Curve25519)
+- 🔐 **OpenPGP Encryption** - Curve25519Legacy (cv25519) encryption
-- 📱 QR code-ready output (Base45 + CRC16)
+- 📱 **QR Code Generation** - High-quality 512x512px PNG with download
-- ✅ Supports 12/18/24-word BIP39 mnemonics
+- 📸 **QR Code Scanner** - Camera or image upload with live preview
-- 🔒 All encryption happens in your browser (client-side only)
+- 🔄 **Round-trip Flow** - Encrypt → QR → Scan → Decrypt seamlessly
+- ✅ **BIP39 Support** - 12/18/24-word mnemonics with optional passphrase
+- 🔒 **Symmetric Encryption** - Optional password-only encryption (SKESK)
+- 🎯 **CRC16 Validation** - Frame integrity checking
+- 📦 **Base45 Encoding** - Compact QR-friendly format (RFC 9285)
+- 🌐 **100% Client-Side** - No backend, no data transmission
 
-## Security Notice
+## 🔒 Security Notice
 
 ⚠️ **Your private keys and seed phrases never leave your browser**
 
-- This is a static web app with no backend server
+- Static web app with **no backend server**
-- All cryptographic operations run locally in your browser
+- All cryptographic operations run **locally in your browser**
-- No data is transmitted to any server
+- **No data transmitted** to any server
+- Camera access requires **HTTPS or localhost**
 - Always verify you're on the correct URL before use
 
 ### For Maximum Security
 
 For production use with real funds:
-- Download and run locally
+- 🏠 Download and run locally (\`bun run dev\`)
-- Or use a self-hosted version
+- 🔐 Use on airgapped device
-- Source code: https://github.com/kccleoc/seedpgp-web
+- 📥 Self-host on your own domain
+- 🔍 Source code: https://github.com/kccleoc/seedpgp-web (private)
 
-## How to Use
+## 📖 How to Use
 
-1. **Encrypt**: Enter your mnemonic + PGP public key → Get QR code
+### Backup Flow
-2. **Decrypt**: Scan QR code + provide private key → Recover mnemonic
+1. **Enter** your 12/24-word BIP39 mnemonic
+2. **Add** PGP public key and/or message password (optional)
+3. **Generate** encrypted QR code
+4. **Download** or scan QR code for backup
 
-## Version
+### Restore Flow
+1. **Scan QR Code** using camera or upload image
+2. **Provide** private key and/or message password
+3. **Decrypt** to recover your mnemonic
 
-Current deployment: **v1.1.0**
+### QR Scanner Features
+- 📷 **Camera Mode** - Live scanning with environment camera (iPhone Continuity Camera supported on macOS)
+- 📁 **Upload Mode** - Scan from saved images or screenshots
+- ✅ **Auto-validation** - Verifies SEEDPGP1 format before accepting
 
-Last updated: 2026-01-28
+## 🛠 Technical Stack
+
+- **TypeScript** - Type-safe development
+- **React 18** - Modern UI framework
+- **Vite 6** - Lightning-fast build tool
+- **OpenPGP.js v6** - RFC 4880 compliant encryption
+- **html5-qrcode** - QR scanning library
+- **TailwindCSS** - Utility-first styling
+- **Lucide React** - Beautiful icons
+
+## 📋 Protocol Format
+
+\`\`\`
+SEEDPGP1:0:ABCD:BASE45DATA
+
+SEEDPGP1 - Protocol identifier + version
+0        - Frame number (single frame)
+ABCD     - CRC16-CCITT-FALSE checksum
+BASE45   - Base45-encoded OpenPGP binary message
+\`\`\`
+
+## 🔐 Encryption Details
+
+- **Algorithm**: AES-256 (preferred symmetric cipher)
+- **Curve**: Curve25519Legacy for modern security
+- **Key Format**: OpenPGP RFC 4880 compliant
+- **Error Correction**: QR Level M (15% recovery)
+- **Integrity**: CRC16-CCITT-FALSE frame validation
+
+## 📱 Browser Compatibility
+
+- ✅ Chrome/Edge (latest)
+- ✅ Safari 16+ (macOS/iOS)
+- ✅ Firefox (latest)
+- 📷 Camera requires HTTPS or localhost
+
+## 📦 Version
+
+**Current deployment: v1.2.0**
+
+### Changelog
+
+#### v1.2.0 (2026-01-29)
+- ✨ Added QR scanner with camera/upload support
+- 📥 Added QR code download with auto-naming
+- 🔧 Split state for backup/restore tabs
+- 🎨 Improved QR generation quality
+- 🐛 Fixed Safari camera permissions
+- 📱 Added Continuity Camera support
+
+#### v1.1.0 (2026-01-28)
+- 🎉 Initial public release
+- 🔐 OpenPGP encryption/decryption
+- 📱 QR code generation
+- ✅ BIP39 validation
 
 ---
 
-Built with TypeScript, React, Vite, and OpenPGP.js v6
+**Last updated**: 2026-01-29
 
+**Built with** ❤️ using TypeScript, React, Vite, and OpenPGP.js
+
+**License**: Private source code - deployment only

scripts/deploy.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+
 set -e
 
 VERSION=$1
@@ -9,23 +10,26 @@ if [ -z "$VERSION" ]; then
 fi
 
 echo "🔨 Building $VERSION..."
+# Remove old build files but keep .git
+rm -rf dist/assets dist/index.html dist/*.js dist/*.css dist/vite.svg
+
 bun run build
 
 echo "📄 Adding README..."
-cp public/README.md dist/README.md
+if [ -f public/README.md ]; then
+  cp public/README.md dist/README.md
+fi
 
 echo "📦 Deploying to GitHub Pages..."
 cd dist
+
 git add .
 git commit -m "Deploy $VERSION" || echo "No changes to commit"
 git push
 
 cd ..
+
 echo "✅ Deployed to https://kccleoc.github.io/seedpgp-web-app/"
-echo "📖 Repo: https://github.com/kccleoc/seedpgp-web-app"
+echo ""
-echo "🏷️  Don't forget to tag: git tag $VERSION && git push --tags"
+echo "Tag private repo:"
-echo "./scripts/deploy.sh v1.2.0"
+echo "  git tag $VERSION && git push origin --tags"
-echo "git tag v1.2.0"
-echo "git push --tags"
-
-

src/App.tsx

@@ -1,16 +1,16 @@
-import { useState } from 'react';
+import { useState, useEffect } from 'react';
 import {
   Shield,
   QrCode,
   RefreshCw,
-  CheckCircle2,
+  CheckCircle2, Lock,
   AlertCircle,
-  Lock,
   Unlock,
   Eye,
   EyeOff,
   FileKey,
-  Info
+  Info,
+  WifiOff
 } from 'lucide-react';
 import { PgpKeyInput } from './components/PgpKeyInput';
 import { QrDisplay } from './components/QrDisplay';
@@ -19,10 +19,15 @@ import { validateBip39Mnemonic } from './lib/bip39';
 import { buildPlaintext, encryptToSeedPgp, decryptSeedPgp } from './lib/seedpgp';
 import type { SeedPgpPlaintext } from './lib/types';
 import * as openpgp from 'openpgp';
+import { StorageIndicator } from './components/StorageIndicator';
+import { SecurityWarnings } from './components/SecurityWarnings';
+import { ClipboardTracker } from './components/ClipboardTracker';
+import { ReadOnly } from './components/ReadOnly';
+import { getSessionKey, encryptJsonToBlob, destroySessionKey, EncryptedBlob } from './lib/sessionCrypto';
  
-console.log("OpenPGP.js version:", openpgp.config.versionString);
+ console.log("OpenPGP.js version:", openpgp.config.versionString);
  
-function App() {
+ function App() {
    const [activeTab, setActiveTab] = useState<'backup' | 'restore'>('backup');
    const [mnemonic, setMnemonic] = useState('');
    const [backupMessagePassword, setBackupMessagePassword] = useState('');
@@ -41,8 +46,38 @@ function App() {
    const [showMnemonic, setShowMnemonic] = useState(false);
    const [copied, setCopied] = useState(false);
    const [showQRScanner, setShowQRScanner] = useState(false);
+   const [isReadOnly, setIsReadOnly] = useState(false);
+   const [encryptedMnemonicCache, setEncryptedMnemonicCache] = useState<EncryptedBlob | null>(null);
+ 
+   useEffect(() => {
+     // When entering read-only mode, clear sensitive data for security.
+     if (isReadOnly) {
+       setMnemonic('');
+       setBackupMessagePassword('');
+       setRestoreMessagePassword('');
+       setPublicKeyInput('');
+       setPrivateKeyInput('');
+       setPrivateKeyPassphrase('');
+       setQrPayload('');
+       setRestoreInput('');
+       setRestoredData(null);
+       setError('');
+     }
+   }, [isReadOnly]);
+ 
+   // Cleanup session key on component unmount
+   useEffect(() => {
+     return () => {
+       destroySessionKey();
+     };
+   }, []);
+ 
  
    const copyToClipboard = async (text: string) => {
+     if (isReadOnly) {
+       setError("Copy to clipboard is disabled in Read-only mode.");
+       return;
+     }
      try {
        await navigator.clipboard.writeText(text);
        setCopied(true);
@@ -79,13 +114,20 @@ function App() {
        const result = await encryptToSeedPgp({
          plaintext,
          publicKeyArmored: publicKeyInput || undefined,
-        messagePassword: backupMessagePassword || undefined,  // Changed
+         messagePassword: backupMessagePassword || undefined,
        });
  
        setQrPayload(result.framed);
        if (result.recipientFingerprint) {
          setRecipientFpr(result.recipientFingerprint);
        }
+ 
+      // Initialize session key before encrypting
+      await getSessionKey();
+       // Encrypt mnemonic with session key and clear plaintext state
+       const blob = await encryptJsonToBlob({ mnemonic, timestamp: Date.now() });
+       setEncryptedMnemonicCache(blob);
+       setMnemonic(''); // Clear plaintext mnemonic
      } catch (e) {
        setError(e instanceof Error ? e.message : 'Encryption failed');
      } finally {
@@ -103,7 +145,7 @@ function App() {
          frameText: restoreInput,
          privateKeyArmored: privateKeyInput || undefined,
          privateKeyPassphrase: privateKeyPassphrase || undefined,
-        messagePassword: restoreMessagePassword || undefined,  // Changed
+         messagePassword: restoreMessagePassword || undefined,
        });
  
  
@@ -115,6 +157,25 @@ function App() {
      }
    };
  
+   const handleLockAndClear = () => {
+     destroySessionKey();
+     setEncryptedMnemonicCache(null);
+     setMnemonic('');
+     setBackupMessagePassword('');
+     setRestoreMessagePassword('');
+     setPublicKeyInput('');
+     setPrivateKeyInput('');
+     setPrivateKeyPassphrase('');
+     setQrPayload('');
+     setRecipientFpr('');
+     setRestoreInput('');
+     setRestoredData(null);
+     setError('');
+     setShowMnemonic(false);
+     setCopied(false);
+     setShowQRScanner(false);
+   };
+ 
  
    return (
      <>
@@ -129,11 +190,27 @@ function App() {
                </div>
                <div>
                  <h1 className="text-2xl font-bold tracking-tight">
-                  SeedPGP <span className="text-blue-400 font-mono text-base ml-2">v1.2</span>
+                   SeedPGP <span className="text-blue-400 font-mono text-base ml-2">v{__APP_VERSION__}</span>
                  </h1>
                  <p className="text-xs text-slate-400 mt-0.5">OpenPGP-secured BIP39 backup</p>
                </div>
              </div>
+             {encryptedMnemonicCache && ( // Show only if encrypted data exists
+               <button
+                 onClick={handleLockAndClear}
+                 className="flex items-center gap-2 text-sm text-red-400 bg-slate-800/50 px-3 py-1.5 rounded-lg hover:bg-red-900/50 transition-colors"
+               >
+                 <Lock size={16} />
+                 <span>Lock/Clear</span>
+               </button>
+             )}
+             <div className="flex items-center gap-4">
+               {isReadOnly && (
+                 <div className="flex items-center gap-2 text-sm text-amber-400 bg-slate-800/50 px-3 py-1.5 rounded-lg">
+                   <WifiOff size={16} />
+                   <span>Read-only</span>
+                 </div>
+               )}
                <div className="flex bg-slate-800/50 rounded-lg p-1 backdrop-blur">
                  <button
                    onClick={() => {
@@ -165,6 +242,7 @@ function App() {
                  </button>
                </div>
              </div>
+           </div>
  
            <div className="p-6 md:p-8 space-y-6">
              {/* Error Display */}
@@ -197,9 +275,11 @@ function App() {
                        <label className="text-sm font-semibold text-slate-700">BIP39 Mnemonic</label>
                        <textarea
                          className="w-full h-32 p-4 bg-slate-50 border border-slate-200 rounded-xl text-sm font-mono focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all resize-none"
+                         data-sensitive="BIP39 Mnemonic"
                          placeholder="Enter your 12 or 24 word seed phrase..."
                          value={mnemonic}
                          onChange={(e) => setMnemonic(e.target.value)}
+                         readOnly={isReadOnly}
                        />
                      </div>
  
@@ -209,6 +289,7 @@ function App() {
                        placeholder="-----BEGIN PGP PUBLIC KEY BLOCK-----&#10;&#10;Paste or drag & drop your public key..."
                        value={publicKeyInput}
                        onChange={setPublicKeyInput}
+                       readOnly={isReadOnly}
                      />
                    </>
                  ) : (
@@ -216,7 +297,8 @@ function App() {
                      <div className="flex gap-2">
                        <button
                          onClick={() => setShowQRScanner(true)}
-                        className="flex-1 py-3 bg-gradient-to-r from-purple-600 to-purple-700 text-white rounded-xl font-semibold flex items-center justify-center gap-2 hover:from-purple-700 hover:to-purple-800 transition-all shadow-lg"
+                         disabled={isReadOnly}
+                         className="flex-1 py-3 bg-gradient-to-r from-purple-600 to-purple-700 text-white rounded-xl font-semibold flex items-center justify-center gap-2 hover:from-purple-700 hover:to-purple-800 transition-all shadow-lg disabled:opacity-50"
                        >
                          <QrCode size={18} />
                          Scan QR Code
@@ -230,15 +312,18 @@ function App() {
                          placeholder="SEEDPGP1:0:ABCD:..."
                          value={restoreInput}
                          onChange={(e) => setRestoreInput(e.target.value)}
+                         readOnly={isReadOnly}
                        />
                      </div>
  
                      <PgpKeyInput
                        label="PGP Private Key (Optional)"
                        icon={FileKey}
+                       data-sensitive="PGP Private Key"
                        placeholder="-----BEGIN PGP PRIVATE KEY BLOCK-----&#10;&#10;Paste or drag & drop your private key..."
                        value={privateKeyInput}
                        onChange={setPrivateKeyInput}
+                       readOnly={isReadOnly}
                      />
  
                      {privateKeyInput && (
@@ -248,10 +333,12 @@ function App() {
                            <Lock className="absolute left-3 top-3 text-slate-400" size={16} />
                            <input
                              type="password"
+                             data-sensitive="Message Password"
                              className="w-full pl-10 pr-4 py-2.5 bg-white border border-slate-200 rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-blue-500 transition-all"
                              placeholder="Unlock private key..."
                              value={privateKeyPassphrase}
                              onChange={(e) => setPrivateKeyPassphrase(e.target.value)}
+                             readOnly={isReadOnly}
                            />
                          </div>
                        </div>
@@ -277,6 +364,7 @@ function App() {
                          placeholder="Optional password..."
                          value={activeTab === 'backup' ? backupMessagePassword : restoreMessagePassword}
                          onChange={(e) => activeTab === 'backup' ? setBackupMessagePassword(e.target.value) : setRestoreMessagePassword(e.target.value)}
+                         readOnly={isReadOnly}
                        />
                      </div>
                      <p className="text-[10px] text-slate-500 mt-1">Symmetric encryption password (SKESK)</p>
@@ -290,6 +378,7 @@ function App() {
                            type="checkbox"
                            checked={hasBip39Passphrase}
                            onChange={(e) => setHasBip39Passphrase(e.target.checked)}
+                           disabled={isReadOnly}
                            className="rounded text-blue-600 focus:ring-2 focus:ring-blue-500 transition-all"
                          />
                          <span className="text-xs font-medium text-slate-700 group-hover:text-slate-900 transition-colors">
@@ -298,13 +387,20 @@ function App() {
                        </label>
                      </div>
                    )}
+ 
+                   <ReadOnly
+                     isReadOnly={isReadOnly}
+                     onToggle={setIsReadOnly}
+                     appVersion={__APP_VERSION__}
+                     buildHash={__BUILD_HASH__}
+                   />
                  </div>
  
                  {/* Action Button */}
                  {activeTab === 'backup' ? (
                    <button
                      onClick={handleBackup}
-                    disabled={!mnemonic || loading}
+                     disabled={!mnemonic || loading || isReadOnly}
                      className="w-full py-4 bg-gradient-to-r from-blue-600 to-blue-700 text-white rounded-xl font-bold flex items-center justify-center gap-2 hover:from-blue-700 hover:to-blue-800 transition-all shadow-lg hover:shadow-xl disabled:opacity-50 disabled:cursor-not-allowed disabled:hover:from-blue-600 disabled:hover:to-blue-700"
                    >
                      {loading ? (
@@ -317,7 +413,7 @@ function App() {
                  ) : (
                    <button
                      onClick={handleRestore}
-                    disabled={!restoreInput || loading}
+                     disabled={!restoreInput || loading || isReadOnly}
                      className="w-full py-4 bg-gradient-to-r from-slate-800 to-slate-900 text-white rounded-xl font-bold flex items-center justify-center gap-2 hover:from-slate-900 hover:to-black transition-all shadow-lg hover:shadow-xl disabled:opacity-50 disabled:cursor-not-allowed"
                    >
                      {loading ? (
@@ -412,7 +508,7 @@ function App() {
  
          {/* Footer */}
          <div className="mt-8 text-center text-xs text-slate-500">
-          <p>SeedPGP v1.2 • OpenPGP (RFC 4880) + Base45 (RFC 9285) + CRC16/CCITT-FALSE</p>
+           <p>SeedPGP v{__APP_VERSION__} • OpenPGP (RFC 4880) + Base45 (RFC 9285) + CRC16/CCITT-FALSE</p>
            <p className="mt-1">Never share your private keys or seed phrases. Always verify on an airgapped device.</p>
          </div>
        </div>
@@ -428,9 +524,23 @@ function App() {
            onClose={() => setShowQRScanner(false)}
          />
        )}
+       <div className="max-w-4xl mx-auto p-8">
+         <h1>SeedPGP v1.2.0</h1>
+         {/* ... rest of your app ... */}
+       </div>
+ 
+       {/* Floating Storage Monitor - bottom right */}
+       {!isReadOnly && (
+         <>
+           <StorageIndicator />
+           <SecurityWarnings />
+           <ClipboardTracker />
          </>
+       )}
+     </>
+ 
    );
  
-}
+ }
  
-export default App;
+ export default App;

src/components/ClipboardTracker.tsx

@@ -0,0 +1,184 @@
+import { useState, useEffect } from 'react';
+
+interface ClipboardEvent {
+    timestamp: Date;
+    field: string;
+    length: number; // Show length without storing actual content
+}
+
+export const ClipboardTracker = () => {
+    const [events, setEvents] = useState<ClipboardEvent[]>([]);
+    const [isExpanded, setIsExpanded] = useState(false);
+
+    useEffect(() => {
+        const handleCopy = (e: ClipboardEvent & Event) => {
+            const target = e.target as HTMLElement;
+
+            // Get selection to measure length
+            const selection = window.getSelection()?.toString() || '';
+            const length = selection.length;
+
+            if (length === 0) return; // Nothing copied
+
+            // Detect field name
+            let field = 'Unknown field';
+
+            if (target.tagName === 'TEXTAREA' || target.tagName === 'INPUT') {
+                // Try multiple ways to identify the field
+                field =
+                    target.getAttribute('aria-label') ||
+                    target.getAttribute('name') ||
+                    target.getAttribute('id') ||
+                    (target as HTMLInputElement).type ||
+                    target.tagName.toLowerCase();
+
+                // Check parent labels
+                const label = target.closest('label') ||
+                    document.querySelector(`label[for="${target.id}"]`);
+                if (label) {
+                    field = label.textContent?.trim() || field;
+                }
+
+                // Check for data-sensitive attribute
+                const sensitiveAttr = target.getAttribute('data-sensitive') ||
+                    target.closest('[data-sensitive]')?.getAttribute('data-sensitive');
+                if (sensitiveAttr) {
+                    field = sensitiveAttr;
+                }
+
+                // Detect if it looks like sensitive data
+                const isSensitive = /mnemonic|seed|key|private|password|secret/i.test(
+                    target.className + ' ' + field + ' ' + (target.getAttribute('placeholder') || '')
+                );
+
+                if (isSensitive && field === target.tagName.toLowerCase()) {
+                    // Try to guess from placeholder
+                    const placeholder = target.getAttribute('placeholder');
+                    if (placeholder) {
+                        field = placeholder.substring(0, 40) + '...';
+                    }
+                }
+            }
+
+            setEvents(prev => [
+                { timestamp: new Date(), field, length },
+                ...prev.slice(0, 9) // Keep last 10 events
+            ]);
+
+            // Auto-expand on first copy
+            if (events.length === 0) {
+                setIsExpanded(true);
+            }
+        };
+
+        document.addEventListener('copy', handleCopy as EventListener);
+        return () => document.removeEventListener('copy', handleCopy as EventListener);
+    }, [events.length]);
+
+    const clearClipboard = async () => {
+        try {
+            // Actually clear the system clipboard
+            await navigator.clipboard.writeText('');
+
+            // Clear history
+            setEvents([]);
+
+            // Show success briefly
+            alert('✅ Clipboard cleared and history wiped');
+        } catch (err) {
+            // Fallback for browsers that don't support clipboard API
+            const dummy = document.createElement('textarea');
+            dummy.value = '';
+            document.body.appendChild(dummy);
+            dummy.select();
+            document.execCommand('copy');
+            document.body.removeChild(dummy);
+
+            setEvents([]);
+            alert('✅ History cleared (clipboard may require manual clearing)');
+        }
+    };
+
+    return (
+        <div className="fixed bottom-24 right-4 z-50 max-w-sm">
+            <div className={`rounded-lg shadow-lg border-2 transition-all ${events.length > 0
+                ? 'bg-orange-50 border-orange-400'
+                : 'bg-gray-50 border-gray-300'
+                }`}>
+
+                {/* Header */}
+                <div
+                    className={`px-4 py-3 cursor-pointer flex items-center justify-between rounded-t-lg transition-colors ${events.length > 0 ? 'hover:bg-orange-100' : 'hover:bg-gray-100'
+                        }`}
+                    onClick={() => setIsExpanded(!isExpanded)}
+                >
+                    <div className="flex items-center gap-2">
+                        <span className="text-lg">📋</span>
+                        <span className="font-semibold text-sm text-gray-700">Clipboard Activity</span>
+                    </div>
+
+                    <div className="flex items-center gap-2">
+                        {events.length > 0 && (
+                            <span className="text-xs bg-orange-500 text-white px-2 py-0.5 rounded-full font-medium">
+                                {events.length}
+                            </span>
+                        )}
+                        <span className="text-gray-400 text-sm">{isExpanded ? '▼' : '▶'}</span>
+                    </div>
+                </div>
+
+                {/* Expanded Content */}
+                {isExpanded && (
+                    <div className="p-4 border-t border-gray-300">
+                        {events.length > 0 && (
+                            <div className="mb-3 bg-orange-100 border border-orange-300 rounded-md p-3 text-xs text-orange-900">
+                                <strong>⚠️ Clipboard Warning:</strong> Copied data is accessible to other apps,
+                                browser tabs, and extensions. Clear clipboard after use.
+                            </div>
+                        )}
+
+                        {events.length > 0 ? (
+                            <>
+                                <div className="space-y-2 mb-3 max-h-64 overflow-y-auto">
+                                    {events.map((event, idx) => (
+                                        <div
+                                            key={idx}
+                                            className="bg-white border border-orange-200 rounded-md p-2 text-xs"
+                                        >
+                                            <div className="flex justify-between items-start gap-2 mb-1">
+                                                <span className="font-semibold text-orange-900 break-all">
+                                                    {event.field}
+                                                </span>
+                                                <span className="text-gray-400 text-[10px] whitespace-nowrap">
+                                                    {event.timestamp.toLocaleTimeString()}
+                                                </span>
+                                            </div>
+                                            <div className="text-gray-600 text-[10px]">
+                                                Copied {event.length} character{event.length !== 1 ? 's' : ''}
+                                            </div>
+                                        </div>
+                                    ))}
+                                </div>
+
+                                <button
+                                    onClick={(e) => {
+                                        e.stopPropagation(); // Prevent collapse toggle
+                                        clearClipboard();
+                                    }}
+                                    className="w-full text-xs py-2 px-3 bg-orange-600 hover:bg-orange-700 text-white rounded-md font-medium transition-colors"
+                                >
+                                    🗑️ Clear Clipboard & History
+                                </button>
+                            </>
+                        ) : (
+                            <div className="text-center py-4">
+                                <div className="text-3xl mb-2">✅</div>
+                                <p className="text-xs text-gray-500">No clipboard activity detected</p>
+                            </div>
+                        )}
+                    </div>
+                )}
+            </div>
+        </div>
+    );
+};

src/components/PgpKeyInput.tsx

@@ -1,15 +1,14 @@
 import React, { useState } from 'react';
 import { Upload } from 'lucide-react';
 import type { LucideIcon } from "lucide-react";
+
 interface PgpKeyInputProps {
     value: string;
     onChange: (value: string) => void;
     placeholder: string;
     label: string;
     icon?: LucideIcon;
-
+    readOnly?: boolean;
-
-
 }
 
 export const PgpKeyInput: React.FC<PgpKeyInputProps> = ({
@@ -17,21 +16,25 @@ export const PgpKeyInput: React.FC<PgpKeyInputProps> = ({
     onChange,
     placeholder,
     label,
-    icon: Icon
+    icon: Icon,
+    readOnly = false,
 }) => {
     const [isDragging, setIsDragging] = useState(false);
 
     const handleDragOver = (e: React.DragEvent) => {
+        if (readOnly) return;
         e.preventDefault();
         setIsDragging(true);
     };
 
     const handleDragLeave = (e: React.DragEvent) => {
+        if (readOnly) return;
         e.preventDefault();
         setIsDragging(false);
     };
 
     const handleDrop = (e: React.DragEvent) => {
+        if (readOnly) return;
         e.preventDefault();
         setIsDragging(false);
 
@@ -53,24 +56,27 @@ export const PgpKeyInput: React.FC<PgpKeyInputProps> = ({
                 <span className="flex items-center gap-2">
                     {Icon && <Icon size={14} />} {label}
                 </span>
+                {!readOnly && (
                     <span className="text-[10px] text-slate-400 font-normal bg-slate-100 px-2 py-0.5 rounded-full border border-slate-200">
                         Drag & Drop .asc file
                     </span>
+                )}
             </label>
             <div
-                className={`relative transition-all duration-200 ${isDragging ? 'scale-[1.01]' : ''}`}
+                className={`relative transition-all duration-200 ${isDragging && !readOnly ? 'scale-[1.01]' : ''}`}
                 onDragOver={handleDragOver}
                 onDragLeave={handleDragLeave}
                 onDrop={handleDrop}
             >
                 <textarea
-                    className={`w-full h-40 p-3 bg-slate-50 border rounded-xl text-xs font-mono transition-colors resize-none focus:outline-none focus:ring-2 focus:ring-blue-500 ${isDragging ? 'border-blue-500 bg-blue-50' : 'border-slate-200'
+                    className={`w-full h-40 p-3 bg-slate-50 border rounded-xl text-xs font-mono transition-colors resize-none focus:outline-none focus:ring-2 focus:ring-blue-500 ${isDragging && !readOnly ? 'border-blue-500 bg-blue-50' : 'border-slate-200'
                         }`}
                     placeholder={placeholder}
                     value={value}
                     onChange={(e) => onChange(e.target.value)}
+                    readOnly={readOnly}
                 />
-                {isDragging && (
+                {isDragging && !readOnly && (
                     <div className="absolute inset-0 flex items-center justify-center bg-blue-50/90 rounded-xl border-2 border-dashed border-blue-500 pointer-events-none z-10">
                         <div className="text-blue-600 font-bold flex flex-col items-center animate-bounce">
                             <Upload size={24} />

src/components/ReadOnly.tsx

@@ -0,0 +1,39 @@
+import { WifiOff } from 'lucide-react';
+
+type ReadOnlyProps = {
+  isReadOnly: boolean;
+  onToggle: (isReadOnly: boolean) => void;
+  buildHash: string;
+  appVersion: string;
+};
+
+const CSP_POLICY = `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none';`;
+
+export function ReadOnly({ isReadOnly, onToggle, buildHash, appVersion }: ReadOnlyProps) {
+  return (
+    <div className="pt-3 border-t border-slate-300">
+      <label className="flex items-center gap-2 cursor-pointer group">
+        <input
+          type="checkbox"
+          checked={isReadOnly}
+          onChange={(e) => onToggle(e.target.checked)}
+          className="rounded text-blue-600 focus:ring-2 focus:ring-blue-500 transition-all"
+        />
+        <span className="text-xs font-medium text-slate-700 group-hover:text-slate-900 transition-colors">
+          Read-only Mode
+        </span>
+      </label>
+      {isReadOnly && (
+        <div className="mt-4 p-3 bg-slate-800 text-slate-200 rounded-lg text-xs space-y-2 animate-in fade-in">
+          <p className="font-bold flex items-center gap-2"><WifiOff size={14} /> Network & Persistence Disabled</p>
+          <div className="font-mono text-[10px] space-y-1">
+            <p><span className="font-semibold text-slate-400">Version:</span> {appVersion}</p>
+            <p><span className="font-semibold text-slate-400">Build:</span> {buildHash}</p>
+            <p className="pt-1 font-semibold text-slate-400">Content Security Policy:</p>
+            <p className="text-sky-300 break-words">{CSP_POLICY}</p>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}

src/components/SecurityWarnings.tsx

@@ -0,0 +1,81 @@
+import { useState } from 'react';
+
+export const SecurityWarnings = () => {
+    const [isExpanded, setIsExpanded] = useState(false);
+
+    return (
+        <div className="fixed bottom-4 left-4 z-50 max-w-sm">
+            <div className="bg-yellow-50 border-2 border-yellow-400 rounded-lg shadow-lg">
+
+                {/* Header */}
+                <div
+                    className="px-4 py-3 cursor-pointer flex items-center justify-between hover:bg-yellow-100 transition-colors rounded-t-lg"
+                    onClick={() => setIsExpanded(!isExpanded)}
+                >
+                    <div className="flex items-center gap-2">
+                        <span className="text-lg">⚠️</span>
+                        <span className="font-semibold text-sm text-yellow-900">Security Limitations</span>
+                    </div>
+                    <span className="text-yellow-600 text-sm">{isExpanded ? '▼' : '▶'}</span>
+                </div>
+
+                {/* Expanded Content */}
+                {isExpanded && (
+                    <div className="px-4 py-3 border-t border-yellow-300 space-y-3 max-h-96 overflow-y-auto">
+
+                        <Warning
+                            icon="🧵"
+                            title="JavaScript Strings are Immutable"
+                            description="Strings cannot be overwritten in memory. Copies persist until garbage collection runs (timing unpredictable)."
+                        />
+
+                        <Warning
+                            icon="🗑️"
+                            title="No Guaranteed Memory Wiping"
+                            description="JavaScript has no secure memory clearing. Sensitive data may linger in RAM until GC or browser restart."
+                        />
+
+                        <Warning
+                            icon="📋"
+                            title="Clipboard Exposure"
+                            description="Copied data is accessible to other tabs/apps. Browser extensions can read clipboard contents."
+                        />
+
+                        <Warning
+                            icon="💾"
+                            title="Browser Storage Persistence"
+                            description="localStorage survives browser restart. sessionStorage survives page refresh. Both readable by any script on this domain."
+                        />
+
+                        <Warning
+                            icon="🔍"
+                            title="DevTools Access"
+                            description="All app state, memory, and storage visible in browser DevTools. Never use on untrusted devices."
+                        />
+
+                        <Warning
+                            icon="🌐"
+                            title="Network Risks (When Online)"
+                            description="If hosted online: DNS, HTTPS, CDN, and browser can see usage patterns. Use offline/local for maximum security."
+                        />
+
+                        <div className="pt-2 border-t border-yellow-300 text-xs text-yellow-800">
+                            <strong>Recommendation:</strong> Use this tool on a dedicated offline device.
+                            Clear browser data after each use. Never use on shared/public computers.
+                        </div>
+                    </div>
+                )}
+            </div>
+        </div>
+    );
+};
+
+const Warning = ({ icon, title, description }: { icon: string; title: string; description: string }) => (
+    <div className="flex gap-2 text-xs">
+        <span className="text-base flex-shrink-0">{icon}</span>
+        <div>
+            <div className="font-semibold text-yellow-900 mb-0.5">{title}</div>
+            <div className="text-yellow-800 leading-relaxed">{description}</div>
+        </div>
+    </div>
+);

src/components/StorageIndicator.tsx

@@ -0,0 +1,150 @@
+import { useState, useEffect } from 'react';
+
+interface StorageItem {
+    key: string;
+    value: string;
+    size: number;
+    isSensitive: boolean;
+}
+
+export const StorageIndicator = () => {
+    const [localItems, setLocalItems] = useState<StorageItem[]>([]);
+    const [sessionItems, setSessionItems] = useState<StorageItem[]>([]);
+    const [isExpanded, setIsExpanded] = useState(false);
+
+    const SENSITIVE_PATTERNS = ['key', 'mnemonic', 'seed', 'private', 'secret', 'pgp', 'password'];
+
+    const isSensitiveKey = (key: string): boolean => {
+        const lowerKey = key.toLowerCase();
+        return SENSITIVE_PATTERNS.some(pattern => lowerKey.includes(pattern));
+    };
+
+    const getStorageItems = (storage: Storage): StorageItem[] => {
+        const items: StorageItem[] = [];
+        for (let i = 0; i < storage.length; i++) {
+            const key = storage.key(i);
+            if (key) {
+                const value = storage.getItem(key) || '';
+                items.push({
+                    key,
+                    value: value.substring(0, 50) + (value.length > 50 ? '...' : ''),
+                    size: new Blob([value]).size,
+                    isSensitive: isSensitiveKey(key)
+                });
+            }
+        }
+        return items.sort((a, b) => (b.isSensitive ? 1 : 0) - (a.isSensitive ? 1 : 0));
+    };
+
+    const refreshStorage = () => {
+        setLocalItems(getStorageItems(localStorage));
+        setSessionItems(getStorageItems(sessionStorage));
+    };
+
+    useEffect(() => {
+        refreshStorage();
+        const interval = setInterval(refreshStorage, 2000);
+        return () => clearInterval(interval);
+    }, []);
+
+    const totalItems = localItems.length + sessionItems.length;
+    const sensitiveCount = [...localItems, ...sessionItems].filter(i => i.isSensitive).length;
+
+    return (
+        <div className="fixed bottom-4 right-4 z-50 max-w-md">
+            <div className={`bg-white rounded-lg shadow-lg border-2 ${sensitiveCount > 0 ? 'border-red-400' : 'border-gray-300'
+                } transition-all duration-200`}>
+
+                {/* Header Bar */}
+                <div
+                    className={`px-4 py-3 rounded-t-lg cursor-pointer flex items-center justify-between ${sensitiveCount > 0 ? 'bg-red-50' : 'bg-gray-50'
+                        } hover:opacity-90 transition-opacity`}
+                    onClick={() => setIsExpanded(!isExpanded)}
+                >
+                    <div className="flex items-center gap-2">
+                        <span className="text-lg">🗄️</span>
+                        <span className="font-semibold text-sm text-gray-700">Storage Monitor</span>
+                    </div>
+
+                    <div className="flex items-center gap-2">
+                        {sensitiveCount > 0 && (
+                            <span className="text-xs bg-red-500 text-white px-2 py-0.5 rounded-full font-medium">
+                                {sensitiveCount}⚠️
+                            </span>
+                        )}
+                        <span className={`text-xs px-2 py-0.5 rounded-full font-medium ${totalItems > 0 ? 'bg-blue-100 text-blue-700' : 'bg-green-100 text-green-700'
+                            }`}>
+                            {totalItems === 0 ? '✓ Empty' : `${totalItems} item${totalItems !== 1 ? 's' : ''}`}
+                        </span>
+                        <span className="text-gray-400 text-sm">{isExpanded ? '▼' : '▶'}</span>
+                    </div>
+                </div>
+
+                {/* Expanded Content */}
+                {isExpanded && (
+                    <div className="p-4 max-h-96 overflow-y-auto">
+                        {sensitiveCount > 0 && (
+                            <div className="mb-3 bg-yellow-50 border border-yellow-300 rounded-md p-3 text-xs">
+                                <div className="flex items-start gap-2">
+                                    <span className="text-yellow-600 mt-0.5">⚠️</span>
+                                    <div className="text-yellow-800">
+                                        <strong>Security Notice:</strong> Sensitive data persists in browser storage
+                                        (survives refresh/restart). Clear manually if on shared device.
+                                    </div>
+                                </div>
+                            </div>
+                        )}
+
+                        <div className="space-y-3">
+                            <StorageSection title="localStorage" items={localItems} icon="💾" />
+                            <StorageSection title="sessionStorage" items={sessionItems} icon="⏱️" />
+                        </div>
+
+                        {totalItems === 0 && (
+                            <div className="text-center py-6">
+                                <div className="text-4xl mb-2">✅</div>
+                                <p className="text-sm text-gray-500">No data in browser storage</p>
+                            </div>
+                        )}
+                    </div>
+                )}
+            </div>
+        </div>
+    );
+};
+
+const StorageSection = ({ title, items, icon }: { title: string; items: StorageItem[]; icon: string }) => {
+    if (items.length === 0) return null;
+
+    return (
+        <div>
+            <h4 className="text-xs font-bold text-gray-500 mb-2 flex items-center gap-1">
+                <span>{icon}</span>
+                <span className="uppercase">{title}</span>
+                <span className="ml-auto text-gray-400 font-normal">({items.length})</span>
+            </h4>
+            <div className="space-y-2">
+                {items.map((item) => (
+                    <div
+                        key={item.key}
+                        className={`text-xs rounded-md border p-2 ${item.isSensitive
+                                ? 'bg-red-50 border-red-300'
+                                : 'bg-gray-50 border-gray-200'
+                            }`}
+                    >
+                        <div className="flex justify-between items-start gap-2 mb-1">
+                            <span className={`font-mono font-semibold text-[11px] break-all ${item.isSensitive ? 'text-red-700' : 'text-gray-700'
+                                }`}>
+                                {item.isSensitive && '🔴 '}{item.key}
+                            </span>
+                            <span className="text-gray-400 text-[10px] whitespace-nowrap">{item.size}B</span>
+                        </div>
+                        <div className="text-gray-500 font-mono text-[10px] break-all leading-relaxed opacity-70">
+                            {item.value}
+                        </div>
+                    </div>
+                ))}
+            </div>
+        </div>
+    );
+};

src/lib/seedpgp.ts

@@ -3,6 +3,12 @@ import { base45Encode, base45Decode } from "./base45";
 import { crc16CcittFalse } from "./crc16";
 import type { SeedPgpPlaintext, ParsedSeedPgpFrame } from "./types";
 
+// Configure OpenPGP.js (disable warnings)
+openpgp.config.showComment = false;
+openpgp.config.showVersion = false;
+openpgp.config.allowUnauthenticatedMessages = true; // Suppress AES warning
+openpgp.config.allowUnauthenticatedStream = true;   // Suppress stream warning
+
 function nonEmptyTrimmed(s?: string): string | undefined {
     if (!s) return undefined;
     const t = s.trim();

src/lib/sessionCrypto.ts

@@ -0,0 +1,211 @@
+/**
+ * @file Ephemeral, per-session, in-memory encryption using Web Crypto API.
+ *
+ * This module manages a single, non-exportable AES-GCM key for a user's session.
+ * It's designed to encrypt sensitive data (like a mnemonic) before it's placed
+ * into React state, mitigating the risk of plaintext data in memory snapshots.
+ * The key is destroyed when the user navigates away or the session ends.
+ */
+
+// --- Helper functions for encoding ---
+
+function base64ToBytes(base64: string): Uint8Array {
+  const binString = atob(base64);
+  return Uint8Array.from(binString, (m) => m.codePointAt(0)!);
+}
+
+function bytesToBase64(bytes: Uint8Array): string {
+  const binString = Array.from(bytes, (byte) =>
+    String.fromCodePoint(byte),
+  ).join("");
+  return btoa(binString);
+}
+
+// --- Module-level state ---
+
+/**
+ * Holds the session's AES-GCM key. This variable is not exported and is
+ * only accessible through the functions in this module.
+ * @private
+ */
+let sessionKey: CryptoKey | null = null;
+const KEY_ALGORITHM = 'AES-GCM';
+const KEY_LENGTH = 256;
+
+/**
+ * An object containing encrypted data and necessary metadata for decryption.
+ */
+export interface EncryptedBlob {
+  v: 1;
+  /**
+   * The algorithm used. This is metadata; the actual Web Crypto API call
+   * uses `{ name: "AES-GCM", length: 256 }`.
+   */
+  alg: 'A256GCM';
+  iv_b64: string; // Initialization Vector (base64)
+  ct_b64: string; // Ciphertext (base64)
+}
+
+// --- Core API Functions ---
+
+/**
+ * Generates and stores a session-level AES-GCM 256-bit key.
+ * The key is non-exportable and is held in a private module-level variable.
+ * If a key already exists, the existing key is returned, making the function idempotent.
+ * This function must be called before any encryption or decryption can occur.
+ * @returns A promise that resolves to the generated or existing CryptoKey.
+ */
+export async function getSessionKey(): Promise<CryptoKey> {
+  console.log('getSessionKey called.');
+  if (sessionKey) {
+    console.log('Session key already exists.');
+    return sessionKey;
+  }
+
+  console.log('Generating new session key...');
+  const key = await window.crypto.subtle.generateKey(
+    {
+      name: KEY_ALGORITHM,
+      length: KEY_LENGTH,
+    },
+    false, // non-exportable
+    ['encrypt', 'decrypt'],
+  );
+  sessionKey = key;
+  console.log('New session key generated and stored.');
+  return key;
+}
+
+/**
+ * Encrypts a JSON-serializable object using the current session key.
+ * @param data The object to encrypt. Must be JSON-serializable.
+ * @returns A promise that resolves to an EncryptedBlob.
+ */
+export async function encryptJsonToBlob<T>(data: T): Promise<EncryptedBlob> {
+  console.log('encryptJsonToBlob called.');
+  if (!sessionKey) {
+    console.error('ERROR: Session key not initialized when encryptJsonToBlob was called.');
+    throw new Error('Session key not initialized. Call getSessionKey() first.');
+  }
+
+  const iv = window.crypto.getRandomValues(new Uint8Array(12)); // 96-bit IV is recommended for AES-GCM
+  const plaintext = new TextEncoder().encode(JSON.stringify(data));
+
+  const ciphertext = await window.crypto.subtle.encrypt(
+    {
+      name: KEY_ALGORITHM,
+      iv: new Uint8Array(iv),
+    },
+    sessionKey,
+    plaintext,
+  );
+
+  return {
+    v: 1,
+    alg: 'A256GCM',
+    iv_b64: bytesToBase64(iv),
+    ct_b64: bytesToBase64(new Uint8Array(ciphertext)),
+  };
+}
+
+/**
+ * Decrypts an EncryptedBlob back into its original object form.
+ * @param blob The EncryptedBlob to decrypt.
+ * @returns A promise that resolves to the original decrypted object.
+ */
+export async function decryptBlobToJson<T>(blob: EncryptedBlob): Promise<T> {
+  if (!sessionKey) {
+    throw new Error('Session key not initialized or has been destroyed.');
+  }
+  if (blob.v !== 1 || blob.alg !== 'A256GCM') {
+    throw new Error('Invalid or unsupported encrypted blob format.');
+  }
+
+  const iv = base64ToBytes(blob.iv_b64);
+  const ciphertext = base64ToBytes(blob.ct_b64);
+
+  const decrypted = await window.crypto.subtle.decrypt(
+    {
+      name: KEY_ALGORITHM,
+      iv: new Uint8Array(iv),
+    },
+    sessionKey,
+    new Uint8Array(ciphertext),
+  );
+
+  const jsonString = new TextDecoder().decode(decrypted);
+  return JSON.parse(jsonString) as T;
+}
+
+/**
+ * Destroys the session key reference, making it unavailable for future
+ * operations and allowing it to be garbage collected.
+ */
+export function destroySessionKey(): void {
+  sessionKey = null;
+}
+
+/**
+ * A standalone test function that can be run in the browser console
+ * to verify the complete encryption and decryption lifecycle.
+ *
+ * To use:
+ * 1. Copy this entire function into the browser's developer console.
+ * 2. Run it by typing: `await runSessionCryptoTest()`
+ * 3. Check the console for logs.
+ */
+export async function runSessionCryptoTest(): Promise<void> {
+  console.log('--- Running Session Crypto Test ---');
+  try {
+    // 1. Destroy any old key
+    destroySessionKey();
+    console.log('Old key destroyed (if any).');
+
+    // 2. Generate a new key
+    await getSessionKey();
+    console.log('New session key generated.');
+
+    // 3. Define a secret object
+    const originalObject = {
+      mnemonic: 'fee table visa input phrase lake buffalo vague merit million mesh blend',
+      timestamp: new Date().toISOString(),
+    };
+    console.log('Original object:', originalObject);
+
+    // 4. Encrypt the object
+    const encrypted = await encryptJsonToBlob(originalObject);
+    console.log('Encrypted blob:', encrypted);
+    if (typeof encrypted.ct_b64 !== 'string' || encrypted.ct_b64.length < 20) {
+      throw new Error('Encryption failed: ciphertext looks invalid.');
+    }
+
+    // 5. Decrypt the object
+    const decrypted = await decryptBlobToJson(encrypted);
+    console.log('Decrypted object:', decrypted);
+
+    // 6. Verify integrity
+    if (JSON.stringify(originalObject) !== JSON.stringify(decrypted)) {
+      throw new Error('Verification failed: Decrypted data does not match original data.');
+    }
+    console.log('%c✅ Success: Data integrity verified.', 'color: green; font-weight: bold;');
+
+    // 7. Test key destruction
+    destroySessionKey();
+    console.log('Session key destroyed.');
+    try {
+      await decryptBlobToJson(encrypted);
+    } catch (e) {
+      console.log('As expected, decryption failed after key destruction:', (e as Error).message);
+    }
+  } catch (error) {
+    console.error('%c❌ Test Failed:', 'color: red; font-weight: bold;', error);
+  } finally {
+    console.log('--- Test Complete ---');
+  }
+}
+
+// For convenience, attach the test runner to the window object.
+// This is for development/testing only and can be removed in production.
+if (import.meta.env.DEV && typeof window !== 'undefined') {
+  (window as any).runSessionCryptoTest = runSessionCryptoTest;
+}

src/main.tsx

@@ -1,8 +1,32 @@
+// Suppress OpenPGP.js AES cipher warnings
+const originalWarn = console.warn;
+const originalError = console.error;
+
+console.warn = (...args: any[]) => {
+  const msg = args[0]?.toString() || '';
+  if (msg.includes('AES-CBC') || msg.includes('AES-CTR') || msg.includes('authentication')) {
+    return;
+  }
+  originalWarn.apply(console, args);
+};
+
+console.error = (...args: any[]) => {
+  const msg = args[0]?.toString() || '';
+  if (msg.includes('AES-CBC') || msg.includes('AES-CTR') || msg.includes('authentication')) {
+    return;
+  }
+  originalError.apply(console, args);
+};
+
 import { StrictMode } from 'react'
 import { createRoot } from 'react-dom/client'
 import './index.css'
 import App from './App'
 
+if (import.meta.env.DEV) {
+  await import('./lib/sessionCrypto');
+}
+
 createRoot(document.getElementById('root')!).render(
   <StrictMode>
     <App />

src/vite-env.d.ts

@@ -6,3 +6,5 @@ declare module '*.css' {
   export default content;
 }
 
+declare const __APP_VERSION__: string;
+declare const __BUILD_HASH__: string;

vite.config.ts

@@ -1,18 +1,24 @@
 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import { execSync } from 'child_process'
+import fs from 'fs'
+
+// Read version from package.json
+const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf-8'))
+const appVersion = packageJson.version
+
+// Get git commit hash
+const gitHash = execSync('git rev-parse --short HEAD').toString().trim()
 
 export default defineConfig({
   plugins: [react()],
-  base: '/seedpgp-web-app/', // Match your repo name
+  base: '/seedpgp-web-app/',
   build: {
-    chunkSizeWarningLimit: 600, // Suppress warning
+    outDir: 'dist',
-    rollupOptions: {
+    emptyOutDir: false,
-      output: {
+  },
-        manualChunks: {
+  define: {
-          'openpgp': ['openpgp'], // Separate chunk for PGP
+    '__APP_VERSION__': JSON.stringify(appVersion),
-        }
+    '__BUILD_HASH__': JSON.stringify(gitHash),
-      }
-    }
   }
 })
-