Repository: DosX-dev/rep3
Branch: main
Commit: 13f5239a8186
Files: 20
Total size: 915.8 KB

Directory structure:
gitextract_3vpkqevd/

├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── SECURITY_AUDIT.md
└── src/
    ├── .server.ps1
    ├── css/
    │   └── app.css
    ├── index.html
    └── js/
        ├── constants.js
        ├── crypto.js
        ├── db.js
        ├── desktop.js
        ├── detectors/
        │   └── incognito.js
        ├── docmode.js
        ├── fileops.js
        ├── home.js
        ├── initlog.js
        ├── main.js
        ├── proactive/
        │   └── daemon.js
        ├── state.js
        └── vfs.js

================================================
FILE CONTENTS
================================================

================================================
FILE: CONTRIBUTING.md
================================================
> Thank you for considering a contribution to **SafeNova**. This document explains how to do it properly so your effort isn't wasted and the review process goes smoothly.

<a id="toc"></a>

## 📚 Table of Contents

-   [🧭 Before you start](#before-you-start)
-   [🐛 Reporting bugs](#reporting-bugs)
-   [💡 Suggesting features](#suggesting-features)
-   [🔀 Submitting a pull request](#submitting-a-pull-request)
    -   [Setting up the environment](#setup)
    -   [Branch naming](#branch-naming)
    -   [Commit messages](#commit-messages)
    -   [Pull request checklist](#pr-checklist)
-   [🎨 Code style](#code-style)
    -   [General rules](#style-general)
    -   [JavaScript specifics](#style-js)
    -   [HTML & CSS](#style-html-css)
-   [🔐 Security contribution rules](#security-rules)
-   [🚫 What we do NOT accept](#not-accepted)

---

<a id="before-you-start"></a>

## 🧭 Before you start

SafeNova is a security-first project. Before touching anything, spend time understanding how it actually works:

-   Read the full [README](./README.md) — especially the [SafeNova Proactive](./README.md#safenova-proactive), [Encryption](./README.md#encryption), and [How containers work](./README.md#how-containers-work) sections
-   Understand the [project structure](./README.md#project-structure) — each file has a specific, narrow responsibility
-   Look at the existing code style before writing a single line

> **The codebase is small and intentional.** There are no dead files, no legacy layers, no placeholder code. If something looks unusual, there is almost always a documented reason for it — read the surrounding comments before assuming it is wrong.

---

<a id="reporting-bugs"></a>

## 🐛 Reporting bugs

Use [GitHub Issues](https://github.com/DosX-dev/SafeNova/issues) to report bugs. Before opening a new issue:

-   Check if the issue already exists
-   Reproduce the bug on the latest version
-   Make sure it happens in a supported browser (Chrome 90+, Firefox 90+, Safari 15+, Edge 90+)

A good bug report includes:

| Field           | What to provide                                                               |
| --------------- | ----------------------------------------------------------------------------- |
| **Description** | What happened vs. what you expected                                           |
| **Steps**       | Exact numbered steps to reproduce                                             |
| **Environment** | Browser name + version, OS, online vs. local                                  |
| **Logs**        | DevTools console output if relevant — paste as text, not a screenshot         |
| **Severity**    | Does it cause data loss? Does it affect security? Does it only affect the UI? |

> **If the bug is security-related** (data exposure, bypass of any protection layer, key material leakage), do **not** file a public issue. See [Security contribution rules](#security-rules) below.

---

<a id="suggesting-features"></a>

## 💡 Suggesting features

Open a [GitHub Issue](https://github.com/DosX-dev/SafeNova/issues) with the `enhancement` label. Describe:

-   **What problem it solves** — not just what it does, but why it matters
-   **Who benefits** — casual user, power user, security-conscious user?
-   **Alternatives you considered** — shows you thought it through
-   **Any security implications** — SafeNova handles encrypted data; new features can introduce new attack surface

Features that don't have a clear security story or that add complexity without proportional value will likely be declined. That's not a rejection of effort — it's a design constraint.

---

<a id="submitting-a-pull-request"></a>

## 🔀 Submitting a pull request

<a id="setup"></a>

### Setting up the environment

There is no build step. The project runs as static files:

```powershell
# Clone the repo
git clone https://github.com/DosX-dev/SafeNova.git
cd SafeNova

# Start the local server
.\.server.ps1
```

The server starts on port `7777` (or the next free port) and opens the app in your browser. Edit files directly in `src/` — no bundler, no transpiler, no `npm install`.

<a id="branch-naming"></a>

### Branch naming

| Prefix      | Use for                                      | Example                          |
| ----------- | -------------------------------------------- | -------------------------------- |
| `fix/`      | Bug fixes                                    | `fix/export-blob-url`            |
| `feature/`  | New functionality                            | `feature/keyboard-shortcut-copy` |
| `refactor/` | Code cleanup with no behavior change         | `refactor/vfs-node-validation`   |
| `docs/`     | Documentation only                           | `docs/contributing-guide`        |
| `security/` | Security improvements (discuss in DMs first) | `security/csp-worker-src`        |

<a id="commit-messages"></a>

### Commit messages

Keep them short and imperative:

```
Fix export producing HTML instead of blob data
Add keyboard shortcut for container lock
Refactor VFS orphan detection to O(n) pass
```

No issue numbers in the subject line — put those in the PR description instead. No `WIP:` commits in the final branch.

<a id="pr-checklist"></a>

### Pull request checklist

Before marking the PR as ready for review:

-   [ ] Tested in at least one supported browser
-   [ ] No `console.log` or debug artifacts left in the code
-   [ ] No new external dependencies introduced
-   [ ] Existing behavior is not broken for cases you didn't touch
-   [ ] If you changed `daemon.js` — read [Security contribution rules](#security-rules) first
-   [ ] PR description explains **what** changed and **why**, not just **how**

---

<a id="code-style"></a>

## 🎨 Code style

<a id="style-general"></a>

### General rules

-   **Match the style of the file you're editing.** Indentation, spacing, quote style, comment language — all of it. Don't mix styles within a file
-   **No unnecessary abstractions.** Don't create a helper for something used once. Don't design for hypothetical future requirements
-   **Comments explain _why_, not _what_.** If the code is obvious, don't comment it. If it isn't obvious, explain the reasoning — not the mechanics
-   **No dead code.** Don't comment out unused blocks and leave them — delete them

<a id="style-js"></a>

### JavaScript specifics

The codebase is vanilla ES2020+ JavaScript — no frameworks, no TypeScript. A few conventions to follow:

-   Use `const` for everything that doesn't need reassignment, `let` otherwise. No `var`
-   Prefer early returns over deep nesting
-   Async functions use `async/await` — no raw `.then()` chains unless combining with `Promise.allSettled` or similar
-   String concatenation uses template literals `` `${x}` `` for readability; the concatenation operator `'' + x` is reserved for places where `String()` calls must be avoided for security reasons (see `daemon.js` for context)
-   `for` loops with index variables for performance-critical paths; `for...of` for readability in non-critical paths
-   Group related declarations on one line when they are semantically linked:
    ```js
    // Good — same logical unit
    let offset = 0,
        count = 0,
        valid = true;
    ```

<a id="style-html-css"></a>

### HTML & CSS

-   HTML attributes stay on one line unless there are more than ~4 and readability suffers
-   CSS follows the existing class naming — BEM is not enforced, but names should be descriptive and scoped to their component
-   No inline styles in HTML except where dynamic values make them unavoidable (e.g. `style="left: ${x}px"`)
-   No `!important` except where intentional override is the documented purpose (e.g. lockdown veil)

---

<a id="security-rules"></a>

## 🔐 Security contribution rules

SafeNova handles **encrypted data and derived cryptographic keys in a live browser environment**. This makes security changes fundamentally different from normal feature work.

**If your change touches any of the following, open a discussion issue or contact the maintainer before writing code:**

-   `daemon.js` — the Proactive anti-tamper runtime guard
-   `crypto.js` — AES-256-GCM + Argon2id layer
-   `state.js` — session key storage and three-source key wrapping
-   `db.js` — IndexedDB abstraction (container and file record layout)
-   The Content Security Policy in `index.html`
-   Any change that relaxes an existing restriction (e.g. whitelisting a new URL scheme, removing a hook)

> **Why the extra step?** Security changes that look correct can introduce subtle regressions. The Proactive guard in particular has carefully documented reasons for every design decision — a change that seems like a simplification may silently remove a specific defense. Discussing first prevents a PR that cannot be merged from wasting your time.

**Responsible disclosure for vulnerabilities:** If you find a security vulnerability (bypass of the Proactive guard, key material leakage, CSP bypass, etc.), please **do not file a public issue**. Contact the maintainer directly through GitHub. You will get credit in the changelog.

---

<a id="not-accepted"></a>

## 🚫 What we do NOT accept

To save everyone's time — PRs in the following categories will be closed without merge:

| Category                           | Reason                                                                                                  |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------- |
| External runtime dependencies      | SafeNova has zero external dependencies by design. Adding `npm` packages is a non-starter               |
| Framework migrations               | React, Vue, Svelte, etc. — no. The codebase is intentionally framework-free                             |
| TypeScript conversion              | Not planned.                                                                                            |
| Weakened security controls         | Any change that removes or relaxes an existing Proactive check, CSP directive, or encryption constraint |
| UI cosmetic overhauls              | Minor tweaks are fine; wholesale redesigns need prior discussion                                        |
| Localization / i18n infrastructure | Out of scope for the current version                                                                    |

---

If you're unsure whether your idea fits — just open an issue and ask. It's faster than writing code that doesn't land.


================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2023-2026 DosX

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


================================================
FILE: README.md
================================================
<img src="./pics/intro.png" style="display: block; margin: 0 auto; max-width:80%; max-height:80%; border-radius:8px; margin-bottom:16px">

> ### Try it online: [https://safenova.dosx.su/](https://safenova.dosx.su/)

<a id="what-it-is"></a>

## ❔ What it is

SafeNova is a single-page web app that lets you create encrypted **containers** — isolated vaults where you can organize files in a folder structure, much like a regular desktop file manager. Everything is encrypted client-side before being written to storage. Nothing ever leaves your device.

![](./pics/screenshot.png)

Key properties:

-   **Zero-knowledge** — the app never sees your password or plaintext data
-   **Offline-first** — works entirely without network access
-   **No installation** — start the local server and you're running (or use online)

---

## 📚 Table of Contents

-   [❔ What it is](#what-it-is)
-   [🚀 Getting started](#getting-started)
    -   [Option A — Use online version](#getting-started-online)
    -   [Option B — Local server](#getting-started-local)
-   [📋 Requirements](#requirements)
-   [⚙️ Features](#features)
-   [⚔️ SafeNova vs. the Competition](#comparison)
-   [📁 Project structure](#project-structure)
-   [🔒 How containers work](#how-containers-work)
-   [📄 The `.safenova` Container Format](#container-format)
    -   [Archive sections](#container-format-archive-sections)
    -   [Design properties](#container-format-design-properties)
-   [🔐 Encryption](#encryption)
    -   [Session token security](#session-token-security)
    -   [Current tab session](#current-tab-session)
    -   [Stay signed in](#stay-signed-in)
    -   [Three-source key wrapping](#three-source-key-wrapping)
    -   [Session payload format](#session-payload-format)
    -   [Remaining trade-off](#remaining-trade-off)
-   [🔏 Content Security Policy](#content-security-policy)
    -   [Meta tag](#csp-meta-tag)
    -   [Server-level headers](#csp-server-headers)
-   [🛡️ Cross-Tab Session Protection](#cross-tab-session-protection)
-   [🛑 Duress Password](#duress-password)
    -   [How it works](#duress-how-it-works)
    -   [Why this design](#duress-why-this-design)
    -   [Technical details](#duress-technical-details)
-   [🔬 SafeNova Proactive Anti-Tamper](#safenova-proactive-antitamper)
    -   [Startup sequence](#proactive-startup-sequence)
        -   [Why native restoration matters](#proactive-native-restoration-advantage)
    -   [Real-time watchdog](#proactive-watchdog)
    -   [Watchdog resilience](#proactive-watchdog-resilience)
    -   [Intentionally excluded from checks](#proactive-excluded-checks)
    -   [Network request interception](#proactive-network-interception)
    -   [DOM exfiltration defense](#proactive-dom-exfiltration)
    -   [Threat response](#proactive-threat-response)
    -   [Design philosophy](#proactive-design-philosophy)
        -   [Hook opacity](#proactive-hook-opacity)
-   [🔍 Container Integrity Scanner](#container-integrity-scanner)
    -   [Phase 1 — VFS structural checks](#scanner-phase-1)
    -   [Phase 2 — Database-level checks](#scanner-phase-2)
-   [⚡ Performance](#performance)
    -   [Adaptive concurrency](#adaptive-concurrency)
    -   [Bulk upload](#bulk-upload)
    -   [ZIP export](#zip-export)
    -   [Password change](#password-change)
    -   [Container export](#container-export)
    -   [Drag-and-drop performance](#drag-drop-performance)
-   [📱 Mobile Touch Support](#mobile-touch-support)
    -   [Long-press to drag](#mobile-long-press)
    -   [Multi-file drag](#mobile-multi-file-drag)
    -   [Context menu](#mobile-context-menu)
    -   [Paste at finger position](#mobile-paste-at-finger-position)
    -   [Overscroll](#mobile-overscroll)
-   [�️ Security Audit Changelog](#security-audit)
-   [�🛠️ Contribute](#contribute)
-   [💬 Community](#community)
-   [🤝 Thanks to all contributors](#thanks)

---

<a id="getting-started"></a>

## 🚀 Getting started

<a id="getting-started-online"></a>

### Option A — Use online version

SafeNova is hosted on: [https://safenova.dosx.su/](https://safenova.dosx.su/)

<a id="getting-started-local"></a>

### Option B — Local server

A zero-dependency PowerShell server is included:

```powershell
.\\.server.ps1
```

Or right-click the file → **Run with PowerShell**. It starts an HTTP server on port `7777` (or the next free port) and opens the app in your default browser.

No external installs needed — it uses the Windows built-in `HttpListener`.

---

<a id="requirements"></a>

## 📋 Requirements

-   A modern browser: **Chrome 90+**, **Firefox 90+**, **Safari 15+**, or **Edge 90+**
-   Web Crypto API must be available — this requires either **HTTPS** or **`localhost`**
-   No plugins, no extensions, no backend

---

<a id="features"></a>

## ⚙️ Features

-   **Multiple containers** — each with its own password and independent storage limit (8 GB per container)
-   **Virtual filesystem** — nested folders, drag-to-reorder icons, customizable folder colors
-   **File operations** — upload (drag & drop or browse; folder upload with 4× parallel encryption), download, copy, cut, paste, rename, delete
-   **Built-in viewers** — text editor, image viewer, audio/video player, PDF viewer
-   **Hardware key support** — optionally use a WebAuthn passkey to strengthen the container salt
-   **Session memory** — optionally remember your session per tab (ephemeral, recommended) or persistently until manually signed out, using AES-GCM-encrypted session tokens; persistent sessions survive browser restarts
-   **Cross-tab session protection** — a container can only be actively open in one browser tab at a time; a lightweight lock protocol detects conflicts and offers instant session takeover
-   **Container import / export** — portable `.safenova` container files; import reads the archive via streaming `File.slice()` without loading the full file into memory, making multi-gigabyte imports possible; export streams data chunk-by-chunk requiring no single contiguous allocation regardless of container size
-   **Export password guard** — configurable setting (on by default) to require password confirmation before exporting; when disabled, the container key is taken directly from the active session if one is open; if no session is present, a pre-generated encrypted export cache stored in IDB is used — the cache payload is deflate-compressed before encryption, reducing its IDB footprint significantly for containers with many files; the compressed bytes are then wrapped with a per-container HKDF-SHA-256 derived key (AES-256-GCM), making the cache browser-independent; if the cache is absent or stale (file count or sizes changed), the context menu shows a red dot and falls back to a password prompt — after a successful password-prompted export the cache is rebuilt automatically so subsequent exports require no password; the cache is invalidated on password change or settings re-enable
-   **Quick export button** — dedicated **Export** button in the desktop toolbar provides one-click passwordless export when the export password guard is disabled
-   **Sort & arrange** — sort icons by name, date, size, or type; drag to custom positions
-   **Secure container deletion** — before permanent erasure, every encrypted blob is cryptographically pre-shredded: inline files have random bytes XOR-flipped (position and delta are unknown and unlogged); large chunked files have their AES-GCM IV zeroed, making decryption unconditionally impossible and the operation maximally fast; heavy internal blobs (deferred workspace data, export cache, audit log) are explicitly nullified before the record is deleted so that the browser immediately releases persistent storage and the freed space is reflected without waiting for lazy garbage collection
-   **Duress password** — optional panic password that, when entered anywhere (unlock, change password, export), looks exactly like an incorrect password but silently destroys all encrypted data in the background; see [Duress Password](#duress-password) below
-   **SafeNova Proactive** — runtime protection module that loads first in `<head>`, captures all security-critical native function references at startup (including `String.prototype.toLowerCase`, `String.prototype.indexOf`, and `String.prototype.slice` for tamper-proof string operations), validates every capture is truly native (pre-capture tampering guard), hooks outbound network APIs (fetch, XHR, sendBeacon, WebSocket, window.open, EventSource, Worker/SharedWorker — including `data:` and same-origin `blob:` workers) and DOM exfiltration vectors (setAttribute, innerHTML/outerHTML, insertAdjacentHTML, document.write, Location navigation, form submit, resource property setters) to block external requests, silently removes dynamically injected external scripts via MutationObserver, blocks `eval` and `new Function()` constructors, guards string callbacks in setTimeout/setInterval, and runs a quadruple-redundant watchdog with timer-ID protection and a dead man's switch heartbeat — if the watchdog is killed, the app auto-locks all containers
-   **Container integrity scanner** — 28 automated checks (21 VFS structural + 7 database-level) with one-click auto-repair, **Deep Clean** (flattens over-nested folder trees, repairs all metadata), and a backup prompt before any destructive operation; includes file decryption verification that detects corrupted or unreadable blobs (including those silently destroyed by the duress trigger)
-   **Settings** — three tabs: personalization, statistics, activity logs
-   **Keyboard shortcuts** — `Delete`, `F2`, `Ctrl+A`, `Ctrl+C/X/V`, `Ctrl+S` (save in editor), `Escape`, `End` (lock container — only when focus is not in a text field)
-   **Incognito / private-mode detection** — on first visit the app detects if the browser is in private/incognito mode (Chrome, Firefox, Safari) using engine-fingerprint-based checks (no UA sniffing). If detected, a one-time warning explains that IndexedDB is ephemeral in private mode and encrypted containers will be lost when the tab is closed; the user can acknowledge and continue normally, or switch to a regular browser window first
-   **Mobile-friendly** — long-press to drag icons, rubber-band selection, single/double-tap gestures, paste at finger position, multi-file drag with per-item snap previews

---

<a id="comparison"></a>

## ⚔️ SafeNova vs. the Competition

We think SafeNova has real strengths worth knowing about — but every tool has its place. Compare for yourself and pick what fits your use case.

Legend: ✅ Advantage / works well &nbsp;·&nbsp; ❌ Disadvantage / not supported &nbsp;·&nbsp; 🟡 Partial / situational

<table>
<thead>
<tr>
<th align="left">Feature</th>
<th align="left"><a href="https://safenova.dosx.su/">SafeNova</a></th>
<th align="left"><a href="https://www.veracrypt.fr/">VeraCrypt</a></th>
<th align="left"><a href="https://learn.microsoft.com/windows/security/operating-system-security/data-protection/bitlocker/">BitLocker</a></th>
<th align="left"><a href="https://cryptomator.org/">Cryptomator</a></th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><b>Best suited for</b></td>
<td align="left">Personal files on shared or managed machines — zero-install, browser-only, no disk traces</td>
<td align="left">Large encrypted volumes on own hardware; plausible deniability</td>
<td align="left">IT-managed Windows with full-disk encryption and central key recovery</td>
<td align="left">Encrypting files before syncing to cloud (Dropbox, Google Drive, OneDrive…)</td>
</tr>
<tr>
<td align="left"><b>Cross-platform</b></td>
<td align="left">✅ Any browser — Windows, macOS, Linux, Android, iOS</td>
<td align="left">🟡 Desktop only — Windows, macOS, Linux</td>
<td align="left">❌ Windows only</td>
<td align="left">✅ Windows, macOS, Linux, Android, iOS</td>
</tr>
<tr>
<td align="left"><b>No installation</b></td>
<td align="left">✅ Zero install, runs in the browser</td>
<td align="left">❌ Requires system installation</td>
<td align="left">❌ Windows Pro/Enterprise only</td>
<td align="left">❌ Requires a desktop or mobile app</td>
</tr>
<tr>
<td align="left"><b>Admin / root rights</b></td>
<td align="left">✅ None required</td>
<td align="left">❌ Required for mounting</td>
<td align="left">❌ Required</td>
<td align="left">🟡 None on Windows/iOS; macOS needs macFUSE; Linux needs FUSE</td>
</tr>
<tr>
<td align="left"><b>Encryption algorithm</b></td>
<td align="left">✅ AES-256-GCM — authenticated encryption; every ciphertext has an integrity tag</td>
<td align="left">✅ AES / Twofish / Serpent (configurable)</td>
<td align="left">🟡 AES-128/256 XTS — no authentication tag</td>
<td align="left">✅ AES-256-GCM per file</td>
</tr>
<tr>
<td align="left"><b>Key derivation</b></td>
<td align="left">✅ Argon2id — memory-hard; GPU brute-force is expensive</td>
<td align="left">🟡 PBKDF2-SHA-512 / Whirlpool — not memory-hard; GPU-crackable</td>
<td align="left">🟡 TPM-bound; password KDF is comparatively weak</td>
<td align="left">✅ scrypt — memory-hard; comparable to Argon2id</td>
</tr>
<tr>
<td align="left"><b>Per-item authentication</b></td>
<td align="left">✅ GCM tag per chunk — tampering always detected</td>
<td align="left">❌ Block-level only; no per-file MAC</td>
<td align="left">❌ XTS provides no authentication</td>
<td align="left">✅ GCM tag per file</td>
</tr>
<tr>
<td align="left"><b>Portable container</b></td>
<td align="left">✅ Single <code>.safenova</code> file — copy anywhere, open anywhere</td>
<td align="left">🟡 Single container file, but fixed pre-allocated size</td>
<td align="left">❌ Tied to the Windows NTFS partition</td>
<td align="left">🟡 Folder of encrypted files — portable, but not a single archive</td>
</tr>
<tr>
<td align="left"><b>File stealer protection</b></td>
<td align="left">✅ Encrypted in IDB; never plaintext on disk</td>
<td align="left">❌ Mounted volume exposes all files to every process</td>
<td align="left">❌ Once unlocked, all files accessible to all processes</td>
<td align="left">🟡 Encrypted on disk; plaintext only in the virtual drive while open</td>
</tr>
<tr>
<td align="left"><b>Session / key management</b></td>
<td align="left">✅ Three-source HKDF wrap key; tab + browser sessions; cross-tab invalidation</td>
<td align="left">❌ Key in RAM while mounted; no session concept</td>
<td align="left">❌ TPM-derived at boot; no session control</td>
<td align="left">❌ Key in memory while open; no session tokens or expiry</td>
</tr>
<tr>
<td align="left"><b>Duress / emergency wipe</b></td>
<td align="left">✅ Duress password silently destroys the container</td>
<td align="left">❌ Not supported</td>
<td align="left">❌ Not supported</td>
<td align="left">❌ Not supported</td>
</tr>
<tr>
<td align="left"><b>Runtime anti-tamper</b></td>
<td align="left">✅ SafeNova Proactive — native API restoration, 20+ hooks, quadruple watchdog</td>
<td align="left">🟡 N/A — native binary; no browser JS attack surface</td>
<td align="left">🟡 N/A — same</td>
<td align="left">🟡 N/A — same</td>
</tr>
<tr>
<td align="left"><b>Content Security Policy</b></td>
<td align="left">✅ Strict CSP (meta tag + server headers); blocks inline scripts and external loads</td>
<td align="left">🟡 N/A — browser mechanism; not applicable to native apps</td>
<td align="left">🟡 N/A — same</td>
<td align="left">🟡 N/A — same</td>
</tr>
<tr>
<td align="left"><b>Integrity scanner</b></td>
<td align="left">✅ 28 automated checks (VFS + DB); auto-repair; decryption verification</td>
<td align="left">❌ No built-in scanning</td>
<td align="left">❌ No per-file integrity</td>
<td align="left">🟡 Detects corrupt files; no automated repair</td>
</tr>
<tr>
<td align="left"><b>Export / backup</b></td>
<td align="left">✅ One-click export as <code>.safenova</code> or ZIP</td>
<td align="left">🟡 Container file is portable but fixed size; no incremental backup</td>
<td align="left">❌ Cannot export; tied to the Windows volume</td>
<td align="left">✅ Files sync individually — cloud acts as continuous backup</td>
</tr>
<tr>
<td align="left"><b>Data deletion</b></td>
<td align="left">✅ Blob shredding + full IDB purge on delete</td>
<td align="left">🟡 Delete the file; OS journaling may retain fragments</td>
<td align="left">❌ Decryption leaves files; separate secure-erase needed</td>
<td align="left">🟡 Delete the vault; journaling applies; cloud may retain versions</td>
</tr>
<tr>
<td align="left"><b>Code auditability</b></td>
<td align="left">✅ Open source; plain JS; no build pipeline</td>
<td align="left">✅ Open source; multiple independent audits</td>
<td align="left">❌ Closed source; no audit possible</td>
<td align="left">✅ Open source; independent audits conducted</td>
</tr>
<tr>
<td align="left"><b>Performance at scale</b></td>
<td align="left">🟡 Good for typical files; slower than native for bulk operations</td>
<td align="left">✅ Native + AES-NI; minimal overhead</td>
<td align="left">✅ Kernel driver + AES-NI; transparent to the OS</td>
<td align="left">✅ Native; per-file overhead is minimal; handles large libraries</td>
</tr>
<tr>
<td align="left"><b>Targeted attack protection</b></td>
<td align="left">🟡 Blocks JS injection; limited against full-OS compromise</td>
<td align="left">🟡 Anti-forensic; cannot stop OS-level keyloggers</td>
<td align="left">❌ TPM bus sniffing (Evil Maid) is a known vector</td>
<td align="left">🟡 No special runtime protection; same OS-level limits</td>
</tr>
<tr>
<td align="left"><b>Storage size</b></td>
<td align="left">❌ Max 8 GB per container; IDB quota applies; not for large or industrial-scale data</td>
<td align="left">✅ Disk-only limit; terabyte-scale supported</td>
<td align="left">✅ Full drive at any capacity</td>
<td align="left">✅ No built-in limit; disk / cloud quota only</td>
</tr>
<tr>
<td align="left"><b>Hidden volumes</b></td>
<td align="left">❌ Not supported</td>
<td align="left">✅ Hidden volumes + hidden OS partition</td>
<td align="left">❌ Not supported</td>
<td align="left">❌ Not supported</td>
</tr>
<tr>
<td align="left"><b>OS / filesystem integration</b></td>
<td align="left">❌ Browser sandbox only; no virtual drive mount</td>
<td align="left">✅ Mounts as a real drive letter; full shell integration</td>
<td align="left">✅ Transparent OS encryption; Group Policy; BitLocker To Go</td>
<td align="left">✅ Mounts as a virtual drive (WebDAV / FUSE)</td>
</tr>
<tr>
<td align="left"><b>Multi-user access</b></td>
<td align="left">❌ Single user per container</td>
<td align="left">❌ Single user at a time</td>
<td align="left">🟡 Multiple recovery keys; enterprise AD deployment</td>
<td align="left">❌ Single shared password; per-user control requires Cryptomator Hub (separate server)</td>
</tr>
</tbody>
</table>

---

<a id="project-structure"></a>

## 📁 Project structure

```
SafeNova/
│
├── index.html          # Single-page app entry point
├── favicon.png         # Application icon
├── .server.ps1         # Local PowerShell dev server (Windows)
│
├── css/
│   └── app.css         # All application styles
│
└── js/
    ├── proactive/
    │   └── daemon.js          # SafeNova Proactive — anti-tamper runtime integrity guard (loads first of all)
    ├── libs/
    │   └── argon2.umd.min.js  # Argon2id WASM/JS implementation (hashwasm)
    ├── detectors/
    │   └── incognito.js       # Incognito / private-mode detector — warns on first visit about limitations and risks
    ├── docmode.js             # Pre-CSS docmode guard (runs before stylesheet loads)
    ├── initlog.js             # Initialization stage console logger (InitLog)
    ├── constants.js           # Shared constants (IDB names, limits, chunk size), utilities, icon SVGs, duress hash helpers
    ├── db.js                  # IDB abstraction — SafeNovaEFS (containers / files / vfs / chunks stores)
    ├── crypto.js              # AES-256-GCM + Argon2id encryption layer
    ├── vfs.js                 # In-memory virtual filesystem (nodes, positions, child index)
    ├── state.js               # App state singleton — key, session encrypt/decrypt, three-source wrap key
    ├── home.js                # Container management: create, unlock, import, export, change password
    ├── desktop.js             # Desktop UI: icons, folder windows, drag & drop, integrity scanner
    ├── fileops.js             # File operations: upload, download, open, copy/paste, rename, delete, ZIP export; export cache management for passwordless export
    └── main.js                # App boot, event binding, console security warning
```

---

<a id="how-containers-work"></a>

## 🔒 How containers work

1. **Create** a container with a name and password
2. **Unlock** the container — Argon2id derives the key from your password
3. Files you upload are encrypted with AES-256-GCM before being saved to IDB
4. The virtual filesystem (folder tree + icon positions) is also encrypted and saved separately
5. **Lock** the container — the derived container key is wiped from memory; if the **Export password guard** setting is disabled, a pre-generated export cache (built when the setting was disabled and kept up to date after every file operation) remains in the database, ready for the next passwordless export
6. **Delete** the container — first, every encrypted blob is cryptographically pre-shredded (random bytes XOR-flipped for inline files; IV zeroed for large chunked files); then heavy internal blobs (deferred workspace data, export cache, audit log) are nullified to force immediate browser-level storage release; finally all encrypted records, the VFS blob, and the container metadata are permanently deleted from IDB

All container data is scoped to the current browser and device. Use **Export Container** to back up or transfer to another device.

---

<a id="container-format"></a>

## 📄 The `.safenova` Container Format

Exported containers are saved as `.safenova` files. This is a **self-contained structured archive** with a versioned, deterministic layout. It is designed so that no file content or filesystem metadata is ever present in plaintext within the archive.

<a id="container-format-archive-sections"></a>

### Archive sections

| Section                      | Role                                                                                                                                                                                                                                                                                                                                                 |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `container.xml`              | Plaintext container manifest: name, creation timestamp, Argon2id salt, and the AES-GCM verification IV and blob needed to authenticate a password at import. No file names or content appear here                                                                                                                                                    |
| `meta/0`                     | The IV (initialization vector) used to encrypt the VFS blob                                                                                                                                                                                                                                                                                          |
| `meta/1`                     | The encrypted VFS blob — the complete folder hierarchy, file names, MIME types, sizes, timestamps, icon positions, and folder colors, all ciphertext                                                                                                                                                                                                 |
| `meta/2`                     | The IV for the encrypted file manifest                                                                                                                                                                                                                                                                                                               |
| `meta/3`                     | The encrypted file manifest — a JSON structure mapping each file's internal ID to its byte offset and length within `workspace.bin`, encrypted with the container key. When the export password guard is disabled, this blob is taken directly from the pre-built export cache stored in the container record, avoiding re-encryption at export time |
| `safenova_efs/workspace.bin` | A single contiguous block of raw ciphertext — the encrypted content of every file, concatenated end-to-end. Without the decryption key, file boundaries and content are indistinguishable                                                                                                                                                            |
| `meta/activity_logs/0`       | _(Optional)_ The encrypted activity log, included only when the `exportWithLogs` container setting is enabled                                                                                                                                                                                                                                        |

<a id="container-format-design-properties"></a>

### Design properties

#### Zero plaintext leakage

The only identifiable plaintext in the archive is the container name in `container.xml` and the Argon2id salt. All file names, folder structure, and content are ciphertext.

#### Lazy import

A `.safenova` file can be imported without entering the container password. The archive is parsed via streaming slicing — only the directory and small metadata entries are fully read into memory; the `workspace.bin` payload is handled as a lightweight reference. The encrypted workspace is stored as-is internally and flagged as a deferred workspace. It is expanded into the local database only on first unlock — so import is instantaneous regardless of container size.

#### Self-authenticating

The salt and verification blob in `container.xml` allow the application to confirm the correctness of a supplied password before touching any file data, preventing unnecessary decryption work.

#### Versioned

The `version` attribute in the XML manifest distinguishes between format generations, enabling forward-compatible import logic. Currently only version 3 is supported; earlier formats have been retired.

---

<a id="encryption"></a>

## 🔐 Encryption

| Layer            | Algorithm                                              |
| ---------------- | ------------------------------------------------------ |
| Key derivation   | Argon2id (19 MB memory, 2 iterations, 1 thread)        |
| File encryption  | AES-256-GCM (random 96-bit IV per file)                |
| VFS encryption   | AES-256-GCM (same key, independent IV)                 |
| Session tokens   | AES-256-GCM, dual-key: per-tab ephemeral or persistent |
| Browser key wrap | HKDF-SHA-256 from fingerprint + cookie + IDB           |
| Integrity check  | AES-256-GCM verification blob authenticated on open    |
| Duress hash      | SHA-256(random 32-byte salt ‖ password), IDB-only      |

Every file is encrypted individually — each with its own freshly generated IV. The virtual filesystem (folder tree, file names, sizes, positions) is encrypted as a separate blob using the same derived key. The plaintext password is never stored; only the derived key is held in JavaScript memory for the duration of an active session.

File keys are derived from passwords through **Argon2id** with OWASP-recommended minimum parameters (19 MB memory cost, 2 iterations), providing strong resistance against brute-force and GPU-accelerated attacks.

<a id="session-token-security"></a>

### Session token security

SafeNova uses a **dual-key model** for session storage — an ephemeral per-tab key and a persistent shared key — each scoped to a distinct user intent.

<a id="current-tab-session"></a>

#### Current tab session _(Recommended)_

The 32-byte Argon2id key material is encrypted with **`snv-sk`** — a per-tab AES-256-GCM key stored in `sessionStorage`. `snv-sk` is itself wrap-encrypted with the same three-source HKDF key as `snv-bsk` before being written to `sessionStorage`. This means:

-   The session blob (`snv-s-{cid}`) lives in `sessionStorage` and is readable only by the exact tab that created it
-   Closing the tab permanently destroys `snv-sk` — no residue remains in any persistent storage
-   An attacker with access to `localStorage`, `sessionStorage`, or disk snapshots gains nothing — even a raw `sessionStorage` dump does not expose the decryption key without also possessing the browser fingerprint, the `snv-kc` cookie, and the `SafeNovaKS` IDB record

This is the recommended option: the session is automatically gone as soon as the tab is closed.

<a id="stay-signed-in"></a>

#### Stay signed in

The key material is encrypted with **`snv-bsk`** — a shared AES-256-GCM key available to all tabs of the same browser origin.

<a id="three-source-key-wrapping"></a>

#### Three-source key wrapping

Before `snv-bsk` is written to `localStorage`, it is itself encrypted with a separate _wrap key_ that is derived on-the-fly via **HKDF-SHA-256** from **three independent sources** and **never stored anywhere**:

| #   | Source              | Storage                                       | Purpose                                                                                          |
| --- | ------------------- | --------------------------------------------- | ------------------------------------------------------------------------------------------------ |
| 1   | Browser fingerprint | _(computed)_                                  | `origin \0 userAgent \0 platform \0 language \0 hardwareConcurrency \0 colorDepth \0 pixelDepth` |
| 2   | `snv-kc` cookie     | Cookie jar (`SameSite=Strict`, ~400 days TTL) | 32 random bytes, isolated from localStorage                                                      |
| 3   | `snv-ki` record     | Separate IDB `SafeNovaKS`                     | 32 random bytes, independent from main `SafeNovaEFS` database                                    |

```
ikm      = fingerprint \0 cookie_bytes(32) \0 idb_bytes(32)
wrap_key = HKDF-SHA-256( ikm, salt=0×32, info="snv-browser-wrap-v3" )
snv-bsk (localStorage)   = IV(12) || AES-256-GCM( wrap_key, raw_bsk_bytes )
snv-sk  (sessionStorage) = IV(12) || AES-256-GCM( wrap_key, raw_sk_bytes  )
```

Consequences:

-   Any tab in the **same browser** recomputes the identical fingerprint, reads the same cookie and IDB secret → identical wrap key → can decrypt `snv-bsk` and resume the session seamlessly
-   An attacker must compromise **all three storage mechanisms** simultaneously to reconstruct the wrap key — `localStorage` alone, a disk image, or a partial export will not suffice:
    -   Copying `localStorage` without the cookie and `SafeNovaKS` database → wrap key cannot be derived → `snv-bsk` is opaque
    -   Clearing cookies invalidates the cookie component → sessions become undecryptable
    -   Deleting or moving the `SafeNovaKS` database invalidates the IDB component → same effect
-   The fingerprint includes `navigator.userAgent` and `navigator.platform`, binding sessions to the specific browser version and OS. **Browser updates that change the UA string will invalidate existing sessions** — the user re-enters their password once and a new session is established automatically
-   If any of the three components change (fingerprint shift, cookie clearing, IDB loss), the stored `snv-bsk` can no longer be decrypted; a new key is generated automatically and the user must re-enter the password once — any `snv-sb-{cid}` blobs encrypted with the old key are silently dropped
-   **Legacy format migration:** `snv-bsk` and `snv-sk` entries written before wrap-encryption was introduced (raw 32-byte keys, no IV prefix) are detected by their exact byte length and silently re-wrapped in the current `IV(12) || AES-GCM` format on first access — no user action required
-   The session expires after **7 days** (TTL baked into the encrypted payload), or immediately on explicit sign-out

<a id="session-payload-format"></a>

#### Session payload format

Both scope types use the same blob layout: `IV(12) || AES-256-GCM(scope_key, expiry(8 bytes, uint64 LE) || raw_key(32 bytes))`. The AES-GCM call is authenticated with the container ID as additional data (`snv-session:{cid}`), preventing a blob from one container from being replayed to unlock a different container. Tab-scope sessions use `expiry = Number.MAX_SAFE_INTEGER` (no TTL — the tab's `sessionStorage` is the only lifetime bound); browser-scope sessions carry a hard 7-day expiry.

<a id="remaining-trade-off"></a>

#### Remaining trade-off

An attacker with live access to the running browser process (e.g. malicious extension, XSS) can still call the same fingerprint function, read the cookie, and query the `SafeNovaKS` IDB to derive the wrap key. The three-source wrapping layer protects against _offline_ credential theft (disk images, direct `localStorage` dumps, partial storage exports), not against in-browser code execution.

---

<a id="content-security-policy"></a>

## 🔒 Content Security Policy

<a id="csp-meta-tag"></a>

### Meta tag (inline)

`index.html` declares a strict per-directive CSP via `<meta http-equiv="Content-Security-Policy">`:

| Directive     | Value                       |
| ------------- | --------------------------- |
| `default-src` | `'none'`                    |
| `script-src`  | `'self' 'wasm-unsafe-eval'` |
| `style-src`   | `'self' 'unsafe-inline'`    |
| `img-src`     | `'self' blob: data:`        |
| `media-src`   | `blob:`                     |
| `frame-src`   | `blob: about:`              |
| `font-src`    | `'self'`                    |
| `connect-src` | `'self'`                    |
| `worker-src`  | `'self' blob:`              |
| `base-uri`    | `'self'`                    |
| `form-action` | `'none'`                    |
| `object-src`  | `'none'`                    |

`'unsafe-inline'` is absent from `script-src`. There are no inline `<script>` blocks — all JavaScript is loaded as external files via `'self'`. Argon2id WASM compilation is permitted by `'wasm-unsafe-eval'`. `about:` is added to `frame-src` to allow **SafeNova Proactive** to create a temporary hidden iframe at startup for capturing pristine, extension-untampered native references (the iframe is removed from the DOM immediately after capture).

<a id="csp-server-headers"></a>

### Server-level headers (`.server.ps1`)

When running via the included PowerShell dev server, every response additionally carries:

| Header                         | Value                                                          |
| ------------------------------ | -------------------------------------------------------------- |
| `X-Content-Type-Options`       | `nosniff`                                                      |
| `X-Frame-Options`              | `DENY`                                                         |
| `Referrer-Policy`              | `no-referrer`                                                  |
| `Permissions-Policy`           | `interest-cohort=(), geolocation=(), camera=(), microphone=()` |
| `Cross-Origin-Opener-Policy`   | `same-origin`                                                  |
| `Cross-Origin-Embedder-Policy` | `require-corp`                                                 |

`Cross-Origin-Opener-Policy: same-origin` prevents other origins from holding a reference to the app window. `Cross-Origin-Embedder-Policy: require-corp` blocks cross-origin subresource loads that lack explicit CORP headers — irrelevant in practice since all resources are same-origin, but also a prerequisite for enabling `SharedArrayBuffer` if needed in the future.

---

<a id="cross-tab-session-protection"></a>

## 🛡️ Cross-Tab Session Protection

To prevent a container from being open in two browser tabs simultaneously — which would risk conflicting VFS writes — SafeNova maintains a lightweight **session lock** in `localStorage`.

When a container is unlocked, the tab writes a claim entry (`snv-open-{id}`) containing its unique tab identifier and a timestamp. A **heartbeat** refreshes the timestamp every 5 seconds. Any other tab that reads a live claim (timestamp within the 30-second TTL) before opening the same container is shown a conflict dialog offering to take over the session.

On accepting the takeover, the requesting tab writes a **kick flag** into the claim entry. The original tab listens for `storage` events on this key and immediately locks itself when the flag is detected. On normal tab close, `beforeunload` and `pagehide` remove the claim entry so the container becomes available to other tabs without waiting for the TTL to expire.

---

<a id="duress-password"></a>

## 🛑 Duress Password

The duress password is a secondary password you can set for any container. It is designed for situations where you are forced to provide your password under coercion.

<a id="duress-how-it-works"></a>

### How it works

1. You set a duress password in **Settings → Danger Zone** (it must differ from your main password)
2. When the duress password is entered **anywhere** — the unlock screen, the change password dialog, or the export password prompt — the app responds with the standard **"Incorrect password"** error, exactly the same as any wrong password
3. Behind the scenes, every encrypted file blob in the container is silently and irreversibly corrupted
4. The duress hash and export cache are erased from the database, leaving no trace that a duress password ever existed
5. Later, when the real password is entered, the container opens normally — the folder tree and file names are intact — but every file is unreadable, indistinguishable from natural storage corruption

<a id="duress-why-this-design"></a>

### Why this design

An attacker watching over your shoulder sees exactly what they’d see with any wrong password — an error message. There is no special screen, no empty vault, nothing that reveals a duress mechanism exists at all. The destruction is invisible and happens before the “incorrect” error is shown.

Because the real password still works, you can unlock the container afterward to confirm the damage. The built-in **integrity scanner** will detect that files cannot be decrypted and can clean up the broken entries.

<a id="duress-technical-details"></a>

### Technical details

-   The duress hash is stored in IDB as a salted SHA-256 hash — never exported to `.safenova` files
-   Corruption method: random bytes are XOR-flipped with a random non-zero value in each encrypted blob (inline files). For large chunked files, the AES-GCM IV stored in the file record is zeroed instead — no chunk data is read, making corruption of large files maximally fast. Position and XOR delta are unknown, unlogged, and unreproducible. Any byte change in AES-GCM ciphertext, or a zeroed IV, causes authentication failure for the entire file
-   After triggering, the duress hash and export cache are deleted from the container record — no forensic residue
-   It can be toggled on and off in Settings → Danger Zone
-   The duress password must be at least 4 characters and must differ from the main password

---

<a id="safenova-proactive-antitamper"></a>

## 🛡️ SafeNova Proactive Anti-Tamper

SafeNova Proactive is a self-contained **anti-tamper runtime integrity guard** that loads **before every other application script**. Its aggressive threat model is Self-XSS and malicious browser extensions (MV2 `document_start` content scripts, cosmetic-filter injections): both classes of attack require modifying the JavaScript runtime environment in a way that can be detected by capturing native references before any attacker code runs. The application refuses to start if the guard is absent or failed to initialize.

> ![](./pics/screenshot_proactive.png) **Silent by design.** Proactive runs entirely in the background with zero user-visible presence during normal operation. No indicators, no UI overlays, no interaction required — just quiet, constant verification of the cryptographic runtime underneath the application. Think of it as an immune system rather than antivirus: always active, completely invisible, and only surfaces when something genuinely suspicious is detected.

<a id="proactive-startup-sequence"></a>

### Startup sequence

1. **Earliest captures** — at the very first line of execution, before any other code runs, a set of core language primitives is captured into private constants that cannot be reassigned from outside: `Object.freeze`, `RegExp.prototype.test`, `Array.prototype.push`, `String.prototype.slice`, `String.prototype.toLowerCase`, and `String.prototype.indexOf`. Immediately after, three **pure operator-level string utilities** are built (`_pureToLower`, `_pureIndexOf`, `_pureSlice`) using only bracket indexing (`s[i]`), `.length`, `+` concatenation, and comparison operators — these have zero prototype method calls and are used for ALL string processing inside the daemon. The original captured references are retained solely for boot-time and per-tick native validation. If any of them were already replaced by a MV2 `document_start` extension, the structural boot check will detect it
2. **Native restoration via hidden iframe** — a temporary hidden `about:blank` iframe is created whose browsing context has never been touched by extensions (MV2 extensions only target the main window, not dynamically-created child frames). If the DOM primitives needed to create the iframe are verified as native, **50+ security-critical functions** are restored back to their pristine state on the main window from the iframe's untouched copies:
    - **Core language primitives** — `Object.defineProperty`, `Object.freeze`, `Reflect.apply`, `Reflect.construct`, and other foundational methods — restored first so all subsequent restoration steps use the native version
    - **Window globals** — `fetch`, `XMLHttpRequest`, `WebSocket`, `EventSource`, `Worker`, `SharedWorker`, `MutationObserver`, `URL`, `Blob`, typed arrays, encoding/decoding, timers, `eval`, `Function`, compression streams
    - **Crypto** — `crypto.getRandomValues` and all 12 `SubtleCrypto` methods are restored individually (`window.crypto` itself is `[Unforgeable]` and cannot be replaced)
    - **Prototype methods** — XHR, EventTarget, Element, Node, Document, Storage, IDB, Form, Location, Navigator, typed array, and URL methods
    - **Console** — a tamper-proof console reference is captured from the iframe, immune to main-window replacement by extensions
    - The iframe is removed from the DOM immediately after; captured JS references survive removal
3. **Pre-existence check** — if a guard marker already exists on `window`, it means an attacker pre-defined it via `document_start` to fake the guard as active. This taints the boot
4. **Bootstrap validation** — `Function.prototype.toString` and `Function.prototype.call` are structurally validated (name, arity, and string coercion — using concatenation operators, not function calls) before building the capture registry. All regex tests in the bootstrap use captured `Reflect.apply`, so replacing `RegExp.prototype.test` at runtime cannot make fakes pass
5. **Structural validation of early captures** — the primitives captured in step 1 are validated by their structural properties (name, arity). This catches naive spoofing that forgets to replicate the original function's metadata
6. **Capture registry** — all security-critical native references are frozen into a single immutable object using the captured (not live) `Object.freeze`. From this point forward, the guard never calls live globals — only its own captured copies
7. **Pre-capture validation** — every captured reference is verified as truly native using indexed for-loops (not `for...of`, which depends on `Symbol.iterator`). If any capture is already non-native, the guard is tainted and the app refuses to boot
8. **Install protective hooks** — all hooks (network, DOM, timer, constructor, code-injection) are wrapped in an opaque forwarder. Calling `toString()` on any hooked function (e.g. `fetch.toString()` in the DevTools console) reveals only the forwarder — the actual security logic is unreachable from outside the closure. Every internal function invocation uses captured `Reflect.apply` instead of `.apply()` or `.call()`, making the entire daemon immune to `Function.prototype.apply` / `Function.prototype.call` replacement. DOM operations (overlay injection, element removal, attribute stripping, descendant scanning) use captured `Node.prototype.appendChild`, `Node.prototype.removeChild`, `Element.prototype.removeAttribute`, and `Element.prototype.querySelectorAll` references — not live prototype methods
9. Expose three non-configurable window properties:
    - A frozen boot-status token with a closure-private canary for cross-checks
    - A verification function that the application calls at startup to confirm the guard is genuine
    - An emergency lock function that directly wipes all session storage and in-memory state, bypassing the event system
10. Start the watchdog — **four independent timer mechanisms** running in parallel

<a id="proactive-native-restoration-advantage"></a>

#### Why native restoration matters

The iframe restoration in step 2 is the single most impactful defense in the entire startup sequence. Without it, any MV2 extension running at `document_start` — or a compromised CDN that injects a `<script>` above the guard — could replace `crypto.subtle.encrypt`, `fetch`, `Reflect.apply`, or any other global **before** the guard even begins to execute. A pure capture-and-validate approach can only detect such pre-load tampering after the fact and refuse to boot, but provides no recovery path.

Native restoration changes the equation: even if an attacker ran code _before_ the guard, the iframe's browsing context provides untouched native references directly from the browser engine. By restoring 50+ critical functions on the main window from these pristine copies, the guard **undoes pre-load replacements** — the attacker's hooks are overwritten _before_ anything is captured. This eliminates roughly **95% of function-replacement attack vectors** that would otherwise succeed against a capture-only design, reducing the viable pre-load attack surface to scenarios where the browser engine itself is compromised (which is outside the threat model of any userland JS defense).

<a id="proactive-watchdog"></a>

### Real-time watchdog

Each tick performs **five independent checks**:

**Hook integrity** — verifies by reference equality that the installed network hooks are still the exact functions placed by the guard. If any hook was removed or swapped by a third party (extensions like Adblock routinely wrap network APIs), the guard **silently re-installs** them without firing an alert — this is expected browser extension behaviour, not a security threat.

**Native function purity** — verifies that the following functions are still fully native using the captured `Function.prototype.toString` reference (immune to meta-spoofing). Any substitution fires an alert:

| Function                                                               | Purpose                                                                                                                                     |
| ---------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `crypto.getRandomValues`                                               | IV / key generation                                                                                                                         |
| `crypto.subtle.{encrypt,decrypt,importKey,exportKey,deriveKey,digest}` | All cryptographic operations                                                                                                                |
| `IDBFactory.prototype.open`                                            | IDB access                                                                                                                                  |
| `Storage.prototype.{getItem,setItem,removeItem}`                       | Session key storage                                                                                                                         |
| `btoa` / `atob`                                                        | Base-64 encode/decode                                                                                                                       |
| `TextEncoder.prototype.encode` / `TextDecoder.prototype.decode`        | Text serialization / deserialization                                                                                                        |
| `Uint8Array`, `.prototype.{set,subarray,slice}`                        | Typed array integrity                                                                                                                       |
| `ArrayBuffer`, `.prototype.slice`                                      | Binary buffer integrity                                                                                                                     |
| `DataView`                                                             | Binary data views                                                                                                                           |
| `Blob`                                                                 | File blob construction                                                                                                                      |
| `URL`, `URL.createObjectURL` / `URL.revokeObjectURL`                   | URL parsing and blob URL lifecycle                                                                                                          |
| `CompressionStream` / `DecompressionStream` _(if available)_           | Compression pipeline integrity                                                                                                              |
| `Function.prototype.call` / `.apply`                                   | Meta-method hardening                                                                                                                       |
| `Reflect.apply`                                                        | Core of the native-check mechanism — must stay native                                                                                       |
| `EventTarget.prototype.addEventListener` / `.dispatchEvent`            | Event subscription and heartbeat                                                                                                            |
| `XMLHttpRequest.prototype.send`                                        | XHR send path hardening                                                                                                                     |
| `RegExp.prototype.test`                                                | Native-check regex — replacing with `()=>true` would bypass checks                                                                          |
| `Object.freeze`                                                        | Capture registry immutability                                                                                                               |
| `Array.prototype.push`                                                 | Captured for validation                                                                                                                     |
| `String.prototype.slice`                                               | Captured for boot-time + per-tick native validation only; actual string slicing uses `_pureSlice` (bracket + concatenation)                 |
| `String.prototype.toLowerCase`                                         | Captured for boot-time + per-tick native validation only; actual lowercasing uses `_pureToLower` (frozen A-Z→a-z lookup + bracket indexing) |
| `String.prototype.indexOf`                                             | Captured for boot-time + per-tick native validation only; actual substring search uses `_pureIndexOf` (nested indexed loop)                 |
| `Element.prototype.getAttribute`                                       | Used by MutationObserver defense layer to read attribute values safely                                                                      |
| `Element.prototype.removeAttribute`                                    | Used by MO observer and scanner to strip malicious `on*` handlers and external resource attributes                                          |
| `Element.prototype.querySelectorAll`                                   | Used by MO observer to scan descendant elements of injected nodes                                                                           |
| `Node.prototype.appendChild`                                           | Used to inject the alert overlay and security veil into the DOM via captured ref                                                            |
| `Node.prototype.removeChild`                                           | Used by MO scanner to remove injected external `<script>` elements from the DOM                                                             |
| `Array.prototype[Symbol.iterator]`                                     | Poisoning this would silently skip validation loops                                                                                         |

**Dead man's switch heartbeat** — every tick dispatches a heartbeat event with a **monotonic counter** that increments inside the private closure. The application only accepts events where the counter is strictly greater than the last seen value **and** within a bounded window (guards against injection of extremely large counter values that would permanently desync the heartbeat). An attacker cannot read or predict the counter from outside the closure. If more than 3 seconds pass without a valid heartbeat, the watchdog has been killed and all open containers are **automatically locked** — derived keys are wiped from memory.

**App function integrity** — at window `load`, all critical application functions are wrapped through `_mkProxy` — the same opaque-forwarder pattern used by network and DOM hooks. The original implementations become closure-private; `toString()` on the live property reveals only the thin forwarder body. Proxied references are frozen into a snapshot and compared by identity on every watchdog tick. A Self-XSS attack that replaces any of these is detected on the very next tick and triggers a full threat response. Raw (unwrapped) references to VFS.init and WinManager.closeAll are kept separately for direct invocation inside `_wipeAppState`. Covered functions: `Crypto.encrypt/decrypt/encryptBin/decryptBin/deriveKey/deriveKeyAndRaw` (exfiltration-path), `Crypto.importRawKey` (called externally — replacement would capture raw AES key bytes), `Crypto.checkVerification` (called on every unlock — replacement with `() => true` bypasses authentication), `Crypto.makeVerification`, `App.lockContainer`, `VFS.init`, `WinManager.closeAll`.

**Scope shadowing guard** — the app's encryption module and the browser's built-in `window.Crypto` (WebCrypto API) share the same identifier. The watchdog confirms it is checking the correct object (app module vs. WebCrypto) by probing for app-specific methods, eliminating false positives.
<a id="proactive-watchdog-resilience"></a>

### Watchdog resilience

The watchdog cannot be killed by a single call to `clearInterval` or by replacing a single timer API. **Four independent mechanisms** run in parallel:

| Mechanism                     | Interval | Kill vector                                                                                                                                       |
| ----------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| `setInterval`                 | 50 ms    | `clearInterval` with the correct ID                                                                                                               |
| Recursive `setTimeout`        | 937 ms   | `clearTimeout` with the correct ID                                                                                                                |
| `requestAnimationFrame` chain | ~980 ms  | `cancelAnimationFrame` — **guarded: the rAF chain ID is tracked and any call to `cancelAnimationFrame` with that exact ID is silently swallowed** |
| `MessageChannel` self-ping    | 800 ms   | Replacing `setInterval`/`setTimeout`/`cancelAnimationFrame` has zero effect — `MessageChannel` is a separate browser message-queue mechanism      |

All timer functions are captured at startup so even if `window.setInterval` is later replaced, the watchdog timers were already started with the native versions.

**Timer ID protection** — `window.clearInterval`, `window.clearTimeout`, and `window.cancelAnimationFrame` are replaced with guarded versions that silently ignore any attempt to cancel or clear watchdog timer, rAF, or active debugger-trap interval IDs. Legitimate application code that calls these functions on its own IDs is unaffected.

Watchdog timer IDs are stored using plain object properties and tested with the `in` operator — not `Set`. This is intentional: `Set.prototype.has` could be replaced via Self-XSS to let an attacker's timer IDs pass through the guard undetected. The `in` operator is a language-level construct — it cannot be overridden from userland JS.

**Visibility-change fast check** — when the tab transitions from background to visible, an immediate full tick runs so an attacker cannot exploit the ~50 ms inter-tick window while the tab was hidden.

<a id="proactive-excluded-checks"></a>

### Intentionally excluded from checks

| API                                          | Reason                                                                                                                                                                                                                                                                                                                                                                                                     |
| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `console` namespace                          | Overrides are common and benign (DevTools, logging libraries)                                                                                                                                                                                                                                                                                                                                              |
| `Function.prototype.toString`                | Bootstrap-validated at init time by structural checks (name, arity, string coercion). Live periodic checks cause false positives because extensions (Adblock, Dark Reader) routinely wrap `toString`                                                                                                                                                                                                       |
| `document.createElement` _(non-iframe tags)_ | Extensions legitimately create elements (including `<script>`) for their content scripts; blocking all tags causes widespread false positives. **`<iframe>` is the only exception — it is blocked post-init (D3, see below).** `<script>` elements with an external `src=` injected dynamically after page load are silently removed from the DOM and logged to the console — no full modal alert is shown |
| `JSON.stringify` / `JSON.parse`              | DevTools, debugger extensions, and frameworks actively patch these                                                                                                                                                                                                                                                                                                                                         |
| `Promise` / `Promise.prototype.then`         | Polyfills and extensions wrap these regularly                                                                                                                                                                                                                                                                                                                                                              |
| `performance.now`                            | Privacy extensions (Brave, uBlock) intentionally add timing jitter                                                                                                                                                                                                                                                                                                                                         |
| `Object.defineProperty`                      | Too many legitimate uses across extensions and frameworks                                                                                                                                                                                                                                                                                                                                                  |

<a id="proactive-network-interception"></a>

### Network request interception

Every outbound request is validated against `window.location.origin` before it is allowed to proceed. The origin check uses a **fail-closed** design: URLs that cannot be parsed by the `URL` constructor are treated as external (unsafe by default). `data:` URLs (inline resources such as canvas-generated thumbnails) are whitelisted using pure bracket-indexing comparison (`s[0] === 'd'`) and `_pureSlice` (immune to any prototype poisoning), and browser extension schemes (`chrome-extension:`, `moz-extension:`, `safari-web-extension:`) are allowed to prevent false positives from legitimate user-installed extensions:

-   **`fetch`** — blocked and rejected with an error
-   **`XMLHttpRequest.prototype.open`** — blocked and throws synchronously
-   **`navigator.sendBeacon`** — blocked and returns `false`
-   **`WebSocket`** — connections to any **host:port** combination other than the current origin are blocked and trigger a threat alert. The origin check uses a captured URL constructor (immune to runtime replacement). Same-origin WebSocket connections are forwarded transparently
-   **`window.open`** — external URLs blocked; same-origin popups forwarded normally
-   **`EventSource`** — external URLs blocked at construction; an `EventSource` to an external host would establish a persistent covert SSE channel for data exfiltration
-   **`Worker` / `SharedWorker`** — `data:` URL workers, `blob:` URL workers, and external-URL workers are blocked. SafeNova does not create Workers; a same-origin `blob:` Worker runs in a separate global scope with an unhooked native `fetch`, so even same-origin blob URLs are an exfiltration vector and are rejected unconditionally
-   **`ServiceWorker` registration** — blocked preventively. A rogue Service Worker could intercept all fetches on the next page load and inject code before the guard runs. Existing registrations are removed during the threat response
-   **`setTimeout` / `setInterval` string callbacks** — string-form callbacks (e.g. `setTimeout("eval(code)", 0)`) are stripped to a no-op. Function-form callbacks are forwarded normally
-   **`eval`** — replaced with a non-configurable, non-writable property that throws synchronously; cannot be restored after the guard runs
-   **`new Function()`** — the `Function` constructor is proxied; calls via `new Function(...)` throw synchronously. Plain `Function()` calls without `new` (used by feature detection, extensions, etc.) are forwarded to the native constructor — only the constructor path is dangerous

SafeNova makes no legitimate external network requests; any attempt is by definition suspicious.

<a id="proactive-dom-exfiltration"></a>

### DOM exfiltration defense

A second protection layer covers DOM-level exfiltration vectors — APIs that can inject external resources or redirect the page without going through the network layer directly.

| API                                      | Behaviour                                                                                                                                                                                                                                                                                                                                                                                                      |
| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Element.setAttribute`                   | External URLs in resource attributes (`src`, `href`, `data`, `ping`, `action`, `formaction`, `srcset`, `poster`) are blocked and trigger a full alert. Inline `on*` event handler attributes are stripped. Navigation elements (`<a>`, `<area>`) are exempt from the `href` check — those are user-activated navigation, not resource loaders; `ping=` remains blocked                                         |
| `Element.innerHTML` / `outerHTML` setter | HTML strings are scanned for external resource URLs and `on*` attribute patterns before assignment; blocked if a threat is found                                                                                                                                                                                                                                                                               |
| `Element.insertAdjacentHTML`             | Same scan as `innerHTML`                                                                                                                                                                                                                                                                                                                                                                                       |
| `document.write` / `document.writeln`    | Same scan; blocked before the string is written to the document                                                                                                                                                                                                                                                                                                                                                |
| `Location.assign` / `Location.replace`   | External URLs blocked; same-origin navigation forwarded normally                                                                                                                                                                                                                                                                                                                                               |
| `Location.href` setter                   | Same as `assign` / `replace`                                                                                                                                                                                                                                                                                                                                                                                   |
| `HTMLFormElement.submit`                 | External `action=` URLs blocked                                                                                                                                                                                                                                                                                                                                                                                |
| Resource property setters                | `HTMLImageElement.src`, `HTMLScriptElement.src`, `HTMLIFrameElement.src`, `HTMLVideoElement.src`, `HTMLAudioElement.src`, `HTMLEmbedElement.src`, `HTMLObjectElement.data`, `HTMLLinkElement.href` — external URL assignments are blocked. For `<script>.src` specifically the block is **silent**: the element is not loaded, a console trace is written, but no modal alert is shown (reduces alert fatigue) |

**Post-init iframe block (D3)** — after the startup iframe-restoration phase completes and the temporary iframe is removed from the DOM, `document.createElement('iframe')` is permanently intercepted. Any subsequent attempt to create an `<iframe>` triggers a full threat alert. This closes the _fresh-realm native-reset_ attack vector: an attacker who gains JS execution after daemon.js has run could otherwise create their own `about:blank` iframe, pull native function references from its unhooked context (which pass `_isNative()` checks because they genuinely are native), and silently overwrite all daemon hooks. All other tags pass through unmodified — extensions creating `<script>` or any other element are unaffected. The hook is self-healing: the watchdog re-installs it every tick if it is removed.

**MutationObserver defense-in-depth** — a `MutationObserver` watches the entire document subtree and catches attacks that bypass the property/method hooks above:

-   **Added elements** — newly appended nodes are scanned for external resource attributes or `on*` handlers; threatening attributes are removed and a full alert fires
-   **Dynamically injected `<script src="https://...">` elements** — silently removed from the DOM; a console trace is written via a tamper-proof console reference (immune to `console.error` replacement after load). Same-origin, relative-path, and inline `<script>` elements are left untouched
-   **Attribute mutations** — attribute changes on existing elements that add an external resource URL or an `on*` handler are caught and reversed; `href` changes on `<a>` and `<area>` elements are excluded (navigation-only)

---

<a id="proactive-threat-response"></a>

### Threat response

When a native function purity check, App function integrity check, or network request interception fires:

1. **Immediately wipe** all session keys from both `localStorage` and `sessionStorage` using captured native storage references (bypasses any hook placed on the Storage API by the attacker)
2. **Clear Service Workers and Cache API** — unregisters active Service Workers and wipes all browser cache data. This prevents an attacker from spawning a rogue Service Worker for persistence or stashing intercepted data asynchronously
3. **Directly zero in-memory app state** — all sensitive state (encryption key, container data, clipboard, thumbnail cache) is nullified directly, bypassing the event system. Critical cleanup functions are invoked using **captured references** snapshotted at window `load`, so a console-level replacement before the threat fires cannot prevent cleanup
4. Dispatch a lock event — the application locks all open containers via the normal code path, clearing derived keys from memory
5. **Console threat log** — a styled `console.error` with a red background is emitted via a tamper-proof console reference, providing a forensic trace that cannot be suppressed
6. **Debugger trap** — a `debugger` statement fires every 50 ms for up to 5 minutes. If the attacker has DevTools open, the JS engine pauses at each breakpoint, blocking further console commands. When DevTools are closed, this is a native no-op with zero performance cost
7. Show a **security alert overlay** identifying the blocked operation and advising the user to audit browser extensions, with a reload button. The overlay uses a **closed Shadow DOM** so its contents cannot be queried or mutated from `document` scope; a self-healing `MutationObserver` re-appends the overlay if an attacker removes it from the DOM (active for 3 minutes)

Alerts are rate-limited to one per 10 seconds to prevent alert spam while still reporting every distinct threat.

---

<a id="proactive-design-philosophy"></a>

### Design philosophy

SafeNova Proactive is built around one central principle: **protect as many JS primitives and APIs as possible, while using them as little as possible itself.**

All security-critical references are captured once at the very top of execution into a frozen snapshot — a frozen image of the JS runtime taken before any extension or injected script can interfere. From that point on, the guard never calls live globals. Every internal operation that needs a JS built-in goes through the captured snapshot:

| Instead of...                                   | Proactive uses...                                            | Why                                                                                                                                                                                               |
| ----------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `window.fetch`                                  | Captured reference                                           | Immune to post-load `window.fetch = ...` replacement                                                                                                                                              |
| `Array.prototype.push`                          | `arr[arr.length] = x`                                        | Index assignment cannot be hooked                                                                                                                                                                 |
| `for...of`                                      | Indexed `for` loops                                          | Immune to `Symbol.iterator` poisoning                                                                                                                                                             |
| `new Set()` / `Set.prototype.has`               | `key in plainObject`                                         | `in` is a language operator, unhookable                                                                                                                                                           |
| `String.prototype.match` / `.exec`              | Manual `indexOf` loops                                       | Avoids hookable regex prototype methods                                                                                                                                                           |
| `String.prototype.startsWith`                   | `_pureSlice(s, 0, n) === prefix`                             | Pure bracket + concatenation; zero prototype calls                                                                                                                                                |
| `String.prototype.toLowerCase` / `.toUpperCase` | `_pureToLower(s)`                                            | Frozen A-Z→a-z lookup + bracket indexing; no prototype dependency at all. Even if every `String.prototype` method is replaced, `_pureToLower` is unaffected                                       |
| `String.prototype.indexOf` / `.substring`       | `_pureIndexOf(s, needle, from)`                              | Nested indexed loop with bracket comparison; no prototype dependency. Immune to `indexOf = () => -1` or `substring = () => ''` attacks                                                            |
| `String.prototype.slice`                        | `_pureSlice(s, start, end)`                                  | Bracket indexing + `+=` concatenation; no prototype dependency. Used for URL extraction, key prefix checks, and all substring operations                                                          |
| `String.prototype.charCodeAt`                   | `s[0] === 'd'` (bracket indexing + `===`)                    | Pure operator; the only `charCodeAt` call site (data: URL check) was replaced with a direct single-char bracket comparison                                                                        |
| `Array.prototype.forEach`                       | Indexed `for` loops                                          | Unhookable loop construct                                                                                                                                                                         |
| `String(x)`                                     | `'' + x`                                                     | Concatenation operator, not a function call                                                                                                                                                       |
| `Array.prototype.slice`                         | Captured reference                                           | Survives prototype replacement                                                                                                                                                                    |
| `fn.apply(ctx, args)` / `fn.call(ctx, args)`    | `_reflectApply(fn, ctx, args)`                               | `.apply()` / `.call()` resolve through live `Function.prototype`; if replaced post-boot, all pass-through calls are hijacked. `Reflect.apply` is captured at boot and goes directly to `[[Call]]` |
| `instanceof Request`                            | `typeof input === 'object' && typeof input.url === 'string'` | `Symbol.hasInstance` can be replaced to make `instanceof` return false, bypassing URL extraction in the fetch hook                                                                                |
| `el.appendChild(child)` / `el.removeChild(c)`   | `_reflectApply(_nodeAppend, parent, [child])`                | Live `Node.prototype.appendChild/removeChild` could be replaced to silently prevent alert overlay injection or prevent removal of malicious `<script>` elements                                   |
| `el.querySelectorAll('*')`                      | `_reflectApply(_N.elQuerySelectorAll, el, ['*'])`            | Live method could return empty NodeList, letting child elements of injected nodes bypass the MO scanner                                                                                           |
| `el.removeAttribute(name)`                      | `_reflectApply(_N.removeAttribute, el, [name])`              | Live method could be hooked to prevent stripping of malicious `on*` handlers or external resource attributes                                                                                      |
| `Object.prototype.hasOwnProperty.call()`        | `'key' in obj`                                               | `in` is a language operator; `hasOwnProperty.call` goes through live `Function.prototype.call`                                                                                                    |

As a direct result, the integrity-checking core is **well-isolated and resistant to most hook-based attacks**: replacing `window.fetch`, `Array.prototype.push`, `String.prototype.toLowerCase`, `Function.prototype.call`, `Function.prototype.apply`, or any other live global after page load cannot change the guard's behaviour — it uses pure operators for all string processing, `Reflect.apply` for all internal function invocations, captured native DOM methods for overlay/scanner operations, validates captured references on every watchdog tick, and would detect the replacement before an attacker could leverage it.

<a id="proactive-hook-opacity"></a>

#### Hook opacity

Every public hook function placed on `window` or prototypes — as well as all guarded application functions — is wrapped in an opaque forwarder. When an attacker inspects hooked functions via `toString()` in the DevTools console, they see only the forwarder shell — the actual security logic is hidden inside the closure and unreachable from outside. **All hooks and app functions** share this identical opaque signature:

| Category                | Hooks                                                                                                                                                                                          |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Network**             | `fetch`, `XMLHttpRequest.prototype.open`, `navigator.sendBeacon`, `WebSocket`, `window.open`, `EventSource`                                                                                    |
| **DOM exfiltration**    | `Element.prototype.setAttribute`, `innerHTML` setter, `outerHTML` setter, `insertAdjacentHTML`, `document.write`, `document.writeln`, `Location.assign/replace/href`, `HTMLFormElement.submit` |
| **Resource properties** | `img.src`, `script.src`, `iframe.src`, `video.src`, `audio.src`, `embed.src`, `object.data`, `link.href`                                                                                       |
| **Code injection**      | `window.eval`, `window.Function` (`new Function()` is blocked; plain `Function()` calls are forwarded — only the constructor path is dangerous)                                                |
| **Timer guards**        | `setTimeout` (string callback), `setInterval` (string callback)                                                                                                                                |
| **Watchdog protection** | `clearInterval`, `clearTimeout`, `cancelAnimationFrame`                                                                                                                                        |
| **Workers**             | `Worker`, `SharedWorker`, `ServiceWorkerContainer.register`                                                                                                                                    |
| **App functions**       | `Crypto.encrypt/decrypt/encryptBin/decryptBin/deriveKey/deriveKeyAndRaw/importRawKey/checkVerification/makeVerification`, `App.lockContainer`, `VFS.init`, `WinManager.closeAll`               |

---

<a id="container-integrity-scanner"></a>

## 🛡️ Container Integrity Scanner

> ![](./pics/screenshot_integrity_scanner.png)

The built-in scanner performs a deep analysis of the virtual disk image, encrypted file table, folder hierarchy, desktop layout, and workspace environment. It runs **28 checks** in two phases:

<a id="scanner-phase-1"></a>

### Phase 1 — VFS structural checks (21 steps, synchronous)

| #   | Check                        | Repairs                                                                        |
| --- | ---------------------------- | ------------------------------------------------------------------------------ |
| 1   | Root node integrity          | Recreates missing root; fixes type and parentId                                |
| 2   | Node field validation        | Fixes IDs, names, types; restores missing/invalid ctime and mtime to today     |
| 3   | Node ID format validation    | Reassigns malformed IDs; migrates position data                                |
| 4   | Timestamp anomaly detection  | Detects mass-identical ctimes; spreads them across a 1-second window on repair |
| 5   | File name validation         | Sanitizes invalid characters, truncates long names                             |
| 6   | Orphaned node detection      | Reattaches to root                                                             |
| 7   | Parent type validation       | Reattaches nodes whose parent is a file                                        |
| 8   | Parent-child cycle detection | Breaks cycles by reattaching to root                                           |
| 9   | Node reachability analysis   | O(n) memoized; reattaches unreachable nodes                                    |
| 10  | Timestamp integrity          | Fixes invalid/future timestamps                                                |
| 11  | File size validation         | Resets negative/invalid sizes                                                  |
| 12  | File metadata validation     | Strips unknown properties                                                      |
| 13  | Duplicate name detection     | Auto-renames collisions                                                        |
| 14  | Empty folder chain detection | O(n) iterative post-order DFS; informational                                   |
| 15  | Position table cleanup       | Removes stale entries                                                          |
| 16  | Folder position maps         | Creates missing position maps                                                  |
| 17  | Position entry completeness  | Only checks visited (opened) folders; auto-positions on repair                 |
| 18  | Position collision detection | Relocates overlapping icons                                                    |
| 19  | Grid alignment verification  | Snaps off-grid positions                                                       |
| 20  | Folder depth analysis        | O(n) memoized; warns when nesting > 50 levels                                  |
| 21  | Node count summary           | Informational — file/folder/position counts                                    |

<a id="scanner-phase-2"></a>

### Phase 2 — Database-level checks (7 steps, async)

| #   | Check                        | Repairs                                                                                                             |
| --- | ---------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| 1   | File data existence          | Removes VFS nodes whose encrypted blob is missing from IDB                                                          |
| 2   | Encryption IV integrity      | Accepts Array/Uint8Array/ArrayBuffer (canonical: plain Array); coerces base64 strings; purges only if truly invalid |
| 3   | File blob integrity          | Resets declared size to 0 if blob is empty                                                                          |
| 4   | Orphaned storage records     | Deletes DB records not referenced by any VFS node                                                                   |
| 5   | Record container binding     | Fixes records bound to wrong container ID                                                                           |
| 6   | Container size consistency   | Recalculates totalSize from live VFS nodes                                                                          |
| 7   | File decryption verification | Attempts to decrypt each blob; removes files whose ciphertext is unreadable (e.g. corrupted by duress trigger)      |

Before auto-repair runs, a **confirmation dialog** recommends exporting the container as a `.safenova` backup — you can do this without leaving the scanner. After a successful repair, a verification scan runs automatically to confirm all issues are resolved.

If auto-repair cannot fix the remaining issues, a **Deep Clean** option becomes available. It performs an aggressive structural rebuild in five O(n) passes:

1. Scan DB storage records
2. Purge dead nodes — remove every VFS node with no real encrypted data behind it
3. Flatten deep folder chains — files nested more than 50 levels deep are reparented to their closest ≤50-level ancestor; all file data is preserved
4. Repair metadata — each node with a missing or invalid `ctime`/`mtime` gets today's date
5. Clean storage records — remove orphaned DB entries in a single batch transaction

After Deep Clean, a verification scan runs automatically. A backup is offered before Deep Clean runs, same as for auto-repair.

---

<a id="performance"></a>

## ⚡ Performance

SafeNova schedules AES-GCM operations to run with maximum concurrency, taking full advantage of hardware AES acceleration exposed by the browser’s Web Crypto API.

<a id="adaptive-concurrency"></a>

### Adaptive concurrency

The degree of parallelism is computed once at startup based on `navigator.hardwareConcurrency`, capped at 8. This serves as the default batch width for all bulk encrypt/decrypt loops. On an 8-core machine, up to 8 files are processed simultaneously.

<a id="bulk-upload"></a>

### Bulk upload

For each batch of files the application reads all `ArrayBuffer` payloads in parallel, encrypts the batch in parallel, then writes every encrypted record to IDB in a **single transaction**, eliminating the per-file transaction overhead that would otherwise dominate for large numbers of small files. Files with encrypted blobs exceeding **50 MB** are stored as split 50 MB chunks across the `chunks` object store, avoiding the browser's ~2 GB structured-clone limit on IDB reads; the chunking is fully transparent to all read paths.

<a id="zip-export"></a>

### ZIP export

Exporting files as an archive uses a single IDB read transaction that fetches all required records concurrently. Decryption of all records is then dispatched in one parallel batch rather than being serialised sequentially.

<a id="password-change"></a>

### Password change

Re-encrypting a container under a new key dispatches all decrypt–re-encrypt pairs for every file **fully in parallel**. Results are accumulated and written back in a single batch, reducing total elapsed time to approximately one parallel round-trip plus one database write.

<a id="container-export"></a>

### Container export

Exporting a `.safenova` file requires no single contiguous memory allocation regardless of container size. The builder receives each file blob as an individual chunk (no concatenation into one giant buffer), computes CRC32 incrementally, and emits an **array of small output parts**. The parts array is passed directly to the `Blob` constructor — the browser stitches the pieces together internally without requiring a duplicate allocation. The peak RAM footprint for an N-gigabyte export is approximately N bytes (the data already held in IDB), rather than ~3× N.

<a id="drag-drop-performance"></a>

### Drag-and-drop performance (large folders)

Icon dragging in folders with many files previously rebuilt the occupied-cell map on **every** mouse/touch frame (~60 fps). With hundreds of files this became a measurable bottleneck. The hot path is now O(1) per frame:

-   **Touch drag** — the occupied map is built once at drag-start (when the 400 ms long-press fires) and reused throughout the gesture
-   **Mouse drag** — occupied maps are computed once at drag-start and once when the pointer first enters a drop target, not on every frame
-   **Snap preview throttle** — snap-preview positions are recomputed only when the pointer crosses a grid cell boundary (96 px steps), not on every pixel movement
-   **No full map clone** — snap previews use a small overlay map (one entry per selected item) instead of cloning the full occupied map on each call

---

<a id="mobile-touch-support"></a>

## 📱 Mobile Touch Support

SafeNova is fully usable on touchscreen devices (Android Chrome, iOS Safari). All gesture interactions work on real hardware, not only in DevTools device emulation.

<a id="mobile-long-press"></a>

### Long-press to drag

Holding a finger on an icon for **400 ms** activates drag mode (haptic feedback where the OS supports it). The `touchstart` handler is registered as `{ passive: false }` on the icon area and immediately calls `e.preventDefault()` when the touch lands on an icon. This suppresses the native Android long-press gesture (which would otherwise fire `touchcancel` + `contextmenu` at ~500 ms and silently kill the drag). Scrolling on empty area is unaffected — `preventDefault` is only called when a `.file-item` is the touch target, and `.file-item` elements carry `touch-action: none` in CSS to prevent the browser's pan gesture recognizer from competing.

<a id="mobile-multi-file-drag"></a>

### Multi-file drag

All items in the current selection are dragged simultaneously. Each selected icon follows the same displacement vector as the primary icon. Snap previews are shown for every item in the selection, offset relative to one another to reflect final grid positions.

<a id="mobile-context-menu"></a>

### Context menu

A short tap (< 350 ms) on an icon opens the context menu. A long press (≥ 400 ms) starts a drag instead of opening the menu. The two actions are mutually exclusive — if the native `contextmenu` event fires while a drag is already active, it is suppressed; if it fires before the drag timer completes, the timer is cancelled.

<a id="mobile-paste-at-finger-position"></a>

### Paste at finger position

When **Paste** is triggered from the context menu on a touch device, the items are placed at the position where the menu was opened, rather than defaulting to the origin. The screen position is captured when the menu action is confirmed, and each pasted item is snapped to the nearest free grid cell relative to that position.

<a id="mobile-overscroll"></a>

### Overscroll

`overscroll-behavior: none` is applied to `.desktop-area` and `.fw-area` to prevent pull-to-refresh and iOS overscroll bounce from interfering with drag gestures.

---

<a id="security-audit"></a>

## 🛡️ Security Audit Changelog

A detailed record of the most impactful security fixes and hardening steps applied during internal audits:

-   **Security Audit Changelog**: You find it [here](./SECURITY_AUDIT.md)

---

<a id="contribute"></a>

## 🛠️ Contributing

If you want to contribute check our Contributions guideline first:

-   **Contribution guideline**: You find it [here](https://github.com/DosX-dev/SafeNova/blob/main/CONTRIBUTING.md)

---

<a id="community"></a>

## 💬 Community

Have questions, ideas, or just want to chat? Here's where to find us:

-   **GitHub Issues**: Report bugs or request features via [Issues](https://github.com/DosX-dev/SafeNova/issues)

---

<a id="thanks"></a>

## 🤝 Thanks to all contributors

I (**[DosX](https://github.com/DosX-dev)**) envision **SafeNova** as what it is: a complex engineering product — something created to solve a real problem, not just to sit on a shelf. Nevertheless, I would like to point out that the level of quality and safety achieved in this project is not a purely individual achievement. The architecture, the threat model, the complex cases that I would never have thought to talk about on my own — all this was created with the help of people who really helped, asked difficult questions and identified what I had missed. Great credit goes to everyone who left a review, suggestion, or error message along the way. If you want to contribute, check out the [contribution section](https://github.com/DosX-dev/SafeNova?tab=contributing-ov-file).

<a href="https://github.com/DosX-dev/SafeNova/graphs/contributors">
<img src="https://readme-contribs.as93.net/contributors/DosX-dev/SafeNova?textColor=737373&perRow=9&shape=squircle&isResponsive=true" />
</a>

> Special thanks:
>
> -   **[Joe12387](https://github.com/Joe12387)** — Private/Incognito detection implementation in TypeScript that was rewritten in JavaScript

> The following tools were used during development:
>
> -   **[Visual Studio Code](https://code.visualstudio.com/)** — writing code in it and formatting
> -   **[Web DevTools](https://en.wikipedia.org/wiki/Web_development_tools)** — debugging and inspecting web applications
> -   **[Detect It Easy](https://github.com/horsicq/Detect-It-Easy)** — analyzing the ZIP format and structure in practice
> -   **[Claude Opus Agent (v4.6)](https://www.claude.ai/)** — help with developing the interface part, checking the code and writing local tests


================================================
FILE: SECURITY_AUDIT.md
================================================
# 🛡️ Security Audit Changelog

> This document summarizes the most significant security-related changes introduced during internal audits of the SafeNova codebase. Each entry represents a hardening step that meaningfully raises the security posture of the project.
>
> Entries are ordered newest-first. The **Area** column indicates which subsystem was affected:
>
> -   **SafeNova Proactive** — the runtime anti-tamper guard (`src/js/proactive/daemon.js`)
> -   **SafeNova Core** — the application itself (crypto, state, VFS, UI, DB)

---

## Audit Results

| Commit    | Area               | What was fixed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Security impact                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| --------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `b2fa4fe` | SafeNova Core      | Fixed three bugs discovered during internal audit: (1) `_corruptFileBlobs` in `db.js` — duress IV-zeroing was a no-op for chunked files because `rec.iv` is stored as a plain JS `Array` (via `Array.from()`), not an `ArrayBuffer` or `TypedArray`; the old code called `.iv.buffer` on a plain array and got `undefined`, so `new Uint8Array(undefined)` produced a zero-length view and `.fill(0)` did nothing — the IV was never actually zeroed; fixed by branching on `Array.isArray`, `instanceof ArrayBuffer`, and `ArrayBuffer.isView`. (2) `_reassemble` in `db.js` — if any chunk was absent from IDB the missing slot was silently skipped: `totalSize` was not reduced and all subsequent chunks were written at a shifted offset, producing garbled plaintext with no error; fixed by rejecting the promise the moment all reads complete if any `parts[k]` slot is empty. (3) `downloadFile` in `fileops.js` — lacked the empty-file guard that `openFile` already had; calling `Crypto.decryptBin` on a `null`/zero-length blob threw an uncaught exception and crashed the download; fixed by mirroring the `openFile` check and returning an empty `ArrayBuffer` for empty files. | (1) Duress protection was completely bypassed for large (chunked) files — the IV was left intact, making those files decryptable after a panic trigger. (2) A single missing IndexedDB chunk caused silent data corruption instead of a detectable error. (3) A zero-byte file caused an unhandled crash on export. |
| `606ffdc` | SafeNova Proactive | Captured `MessagePort.prototype.postMessage` into `_N.portPostMessage`; added it to `_CAPTURE_MUST_BE_NATIVE` and `_NATIVE_CHECKS`; routed both MC watchdog self-ping call sites through `_reflectApply(_N.portPostMessage, _mc.port1, [null])`; introduced `_RESOURCE_ATTRS_NO_SRCSET` (identical to `_RESOURCE_ATTRS` minus `srcset`) and switched `_scanElementForThreats` and the MO attribute-change path to use it — `srcset` is kept in `_RESOURCE_ATTRS` so the `setAttribute`/innerHTML hooks (which receive individual tokens) still block srcset-based exfiltration | Closes the MC watchdog kill-switch: a post-boot replacement of `MessagePort.prototype.postMessage` could silently stop the fourth watchdog mechanism (the other three remain active, but defence-in-depth is weakened); fixes a high-severity false positive where any element with a responsive-image `srcset` (e.g. `"photo.jpg 2x"`) caused `_isExternal` → `new URL()` to throw, the fail-closed return triggered an immediate alert and emergency key wipe — destroying the user's data on a completely legitimate page |
| `ede90fe` | SafeNova Proactive | Captured `Promise.prototype.then` into `_N.promiseThen` and `ServiceWorkerRegistration.prototype.unregister` into `_N.swUnregister`; added both to `_CAPTURE_MUST_BE_NATIVE` and `_NATIVE_CHECKS`; rewrote `_nukeCachesAndWorkers` to use captured refs so `Promise.prototype.then` or `.unregister` replacement cannot silently kill the cache/SW wipe; changed `_showAlert` healer `MutationObserver` target from `document.body` to `document.documentElement` (subtree: true) so replacing `document.body` after render does not leave the healer dead on a detached node; fixed `_pureCollapseAttrSpaces` to track quote state so spaces around `=` inside quoted attribute values (e.g. URL query strings) are no longer collapsed | Closes the `Promise.prototype.then` replacement bypass that turns the entire cache and Service Worker wipe into a silent no-op; prevents an attacker from keeping a rogue Service Worker alive after a threat response by replacing `.unregister`; ensures the security overlay self-healer survives `document.body` replacement (attacker gains persistent removal of the warning); prevents URL corruption in alert messages caused by collapsing `=` spaces inside quoted values |
| `93d5de5` | SafeNova Proactive | Added `_pureCollapseAttrSpaces` to normalise whitespace around `=` before attribute scanning in `_htmlHasThreat`; captured `Date.now`, `Location.prototype.reload`, `CacheStorage.prototype.keys/delete`, `ServiceWorkerContainer.prototype.getRegistrations` into `_N` with validation in `_CAPTURE_MUST_BE_NATIVE` and `_NATIVE_CHECKS`; rewrote `_nukeCachesAndWorkers` to use captured object refs and `_reflectApply`; replaced all `Date.now()` and `window.location.reload()` call sites with captured equivalents; replaced `window.addEventListener` fallback in `_showAlert` with captured `_N.addEventListener`; replaced `instanceof Set` with a structural duck-type check | Closes the HTML attribute whitespace-bypass (`src = "url"` was invisible to the scanner); makes alert rate-limiting, healer deadline, debugger-trap timeout, and post-alert reload tamper-proof; prevents live `window.caches`/`navigator.serviceWorker` replacement from silently neutering the threat-response cache wipe; guards the `DOMContentLoaded` alert fallback against `addEventListener` replacement; prevents `Symbol.hasInstance` poisoning from skipping selection clear during emergency state wipe |
| `0a7add8` | SafeNova Proactive | Fixed dead man's switch false-triggering on fresh browser sessions: the 50 ms `setInterval` in daemon.js could advance `_heartbeatN` far beyond the +15 upper bound before `main.js` registered its `snv:alive` listener; added a one-time bootstrap exemption that skips the upper-bound check on the very first accepted heartbeat                                                                                                                                                                                                                                                                                                                                                    | Eliminates a denial-of-service race condition where a legitimate user on a cold cache was immediately locked out after unlock, while preserving the protection against an attacker dispatching a fake `snv:alive` with `n = Number.MAX_SAFE_INTEGER` to silence real heartbeats                                                                                                                                                                                                                                     |
| `78af635` | SafeNova Proactive | Wrapped critical `Crypto.*` and `App.*` methods with closure-private proxies; `toString()` now shows only a thin forwarder; frozen references used for per-tick tamper detection                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Prevents an attacker from reading or replacing encryption/decryption routines at runtime; makes devtools inspection of real implementations infeasible                                                                                                                                                                                                                                                                                                                                                              |
| `47f7a83` | SafeNova Proactive | Replaced live `.call`/`.apply` usage with a captured `Reflect.apply`; captured additional DOM methods (`appendChild`, `removeChild`, `querySelectorAll`, `removeAttribute`) and routed all overlay/observer operations through them                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Eliminates a class of attacks that poison `Function.prototype.call`/`.apply` to intercept every hooked call; DOM operations can no longer be subverted by redefining prototype methods                                                                                                                                                                                                                                                                                                                              |
| `967bc1f` | SafeNova Proactive | Introduced pure operator-level string utilities (`_pureToLower`, `_pureIndexOf`, `_pureSlice`) that use only bracket indexing and comparisons — no prototype method calls                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Makes all string processing inside the daemon immune to `String.prototype` poisoning, closing a subtle bypass vector for URL/attribute checks                                                                                                                                                                                                                                                                                                                                                                       |
| `9f48c33` | SafeNova Proactive | Reduced watchdog `setInterval` tick from 1 000 ms to 50 ms                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Shrinks the window in which a tamper can exist undetected from ~1 s to ~50 ms, drastically limiting the usefulness of race-condition attacks                                                                                                                                                                                                                                                                                                                                                                        |
| `8c8579c` | SafeNova Proactive | Captured `String.prototype.toLowerCase`/`.indexOf`; added fail-closed handling for unparseable URLs; blocked `blob:` Worker/SharedWorker URLs; added a fourth watchdog mechanism (MessageChannel self-ping)                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Closes live-prototype bypass paths in DOM hooks and URL checks; prevents covert same-origin workers from running attacker code outside the daemon's control                                                                                                                                                                                                                                                                                                                                                         |
| `0ee205b` | SafeNova Proactive | Blocked `<iframe>` creation after init (D3 defense); intercepted `document.createElement('iframe')` to return a harmless `<div>`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Prevents the fresh-realm native-reset attack where an attacker spawns an iframe to obtain untampered `Function`, `Object`, etc. and circumvent all Proactive hooks                                                                                                                                                                                                                                                                                                                                                  |
| `f2f64a8` | SafeNova Proactive | Added DOM exfiltration defenses: hooked `setAttribute`, `innerHTML`/`outerHTML`, `insertAdjacentHTML`, `document.write`, `HTMLFormElement.submit`, resource property setters, `window.open`, `EventSource`, `Worker`/`SharedWorker`, `setTimeout`/`setInterval` string callbacks; blocked `eval` and `new Function()`                                                                                                                                                                                                                                                                                                                                                                   | Covers the major DOM-based data-exfiltration and dynamic-code-injection vectors; a malicious extension can no longer silently smuggle plaintext out through HTML attributes, navigation, or injected scripts                                                                                                                                                                                                                                                                                                        |
| `ae415ac` | SafeNova Proactive | Bumped daemon to v6; replaced all `Set`/`forEach`/`repeat`/`replace` usage with index-based loops and plain objects; added MessageChannel self-ping; tightened heartbeat monotonicity bounds                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Eliminates dependency on `Set`/`Array` iterators and prototype methods inside the daemon itself — a tampered iterator can no longer crash or silently skip the watchdog                                                                                                                                                                                                                                                                                                                                             |
| `daffd47` | SafeNova Proactive | Moved hook logic into closure-private `_*Impl` functions; public forwarders on `_H` are one-liners whose `toString()` reveals nothing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Raises the bar for reverse-engineering hook internals; devtools `toString()` inspection no longer exposes the URL-matching or blocking logic                                                                                                                                                                                                                                                                                                                                                                        |
| `7cab50f` | SafeNova Proactive | On threat alert: unregister all Service Workers and delete all CacheStorage entries                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Prevents a persistent attacker payload from surviving a page reload via Service Worker cache; ensures the threat response leaves no injectable residue                                                                                                                                                                                                                                                                                                                                                              |
| `5e97757` | SafeNova Proactive | Upgraded to v4; added pre-capture validation (verify natives are genuine before boot); triple-redundant watchdog (setInterval + recursive setTimeout + rAF); dead-man heartbeat with auto-lock; closed-ShadowDOM alert host with session-unique class                                                                                                                                                                                                                                                                                                                                                                                                                                   | Pre-capture validation blocks "early bird" attacks that replace natives before the daemon loads; triple redundancy makes it practically impossible to silently kill the watchdog; cosmetic-filter-resistant alert overlay cannot be hidden by ad blockers or extensions                                                                                                                                                                                                                                             |
| `dc3025d` | SafeNova Proactive | Captured raw `localStorage`/`sessionStorage` references; two-pass storage wipe (overwrite with zeros → delete); dispatched `snv:lock` event on threat                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Getter-level interception of `window.localStorage` can no longer suppress key wiping; zero-overwrite before deletion prevents data remanence on storage engines that defer physical erasure                                                                                                                                                                                                                                                                                                                         |
| `d88dc63` | SafeNova Proactive | Initial introduction of the SafeNova Proactive runtime guard — native capture at startup, fetch/XHR/sendBeacon hooks, 1 s watchdog, storage wipe, alert overlay                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Established the foundational anti-tamper and anti-exfiltration layer; without this commit, no runtime integrity guarantees existed                                                                                                                                                                                                                                                                                                                                                                                  |
| `78af635` | SafeNova Core      | Wrapped `VFS.init` and `WinManager.closeAll` with proxied references for use in `_wipeAppState`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Ensures the emergency state-wipe routine always calls the real methods even if the live references on the module objects have been overwritten                                                                                                                                                                                                                                                                                                                                                                      |
| `c4adf7f` | SafeNova Core      | AES-GCM-wrapped the per-tab session key (`snv-sk`); bound browser fingerprint to `navigator.userAgent` and `navigator.platform`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | A raw sessionStorage dump no longer yields the plain session key; copying storage blobs to a different browser/OS silently invalidates them                                                                                                                                                                                                                                                                                                                                                                         |
| `8a6d6ed` | SafeNova Core      | Added a cookie secret (`snv-kc`) and an IndexedDB secret (`snv-ki`) to the browser wrap-key derivation (three-source HKDF)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Compromising a single storage mechanism (localStorage, cookie, or IDB) is no longer sufficient to reconstruct the wrap key; all three must be present simultaneously                                                                                                                                                                                                                                                                                                                                                |
| `bf6fa26` | SafeNova Core      | Derived a browser-specific HKDF-SHA-256 key from a stable fingerprint and used it to AES-GCM-wrap the persistent `snv-bsk`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Persistent session keys stored in localStorage are now encrypted at rest; offline exfiltration of the storage file does not reveal the key without the matching browser fingerprint                                                                                                                                                                                                                                                                                                                                 |
| `9f962a0` | SafeNova Core      | Introduced a dual-key session model: per-tab `snv-sk` (sessionStorage) and persistent `snv-bsk` (localStorage), both AES-256-GCM encrypted with scoped expiries                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Splits session trust into two independent scopes — a compromised tab key does not unlock the persistent session and vice versa; expiries limit the blast radius of a leaked blob                                                                                                                                                                                                                                                                                                                                    |
| `b986213` | SafeNova Core      | Implemented cross-tab session guard with tab identity, localStorage heartbeat (5 s), 30 s TTL, and force-kick protocol                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Prevents parallel access to the same container from multiple tabs, eliminating a class of race conditions that could corrupt the VFS or leak decrypted state through a forgotten tab                                                                                                                                                                                                                                                                                                                                |
| `9d90b94` | SafeNova Core      | Added duress (panic) password support — silently and irreversibly corrupts all encrypted blobs; erases duress hash and export cache after trigger                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Provides plausible deniability under coercion; the destruction is indistinguishable from a wrong-password attempt and leaves no forensic trace of the duress feature itself                                                                                                                                                                                                                                                                                                                                         |
| `710fac9` | SafeNova Core      | Randomized XOR pre-shred for secure container deletion — random bytes XOR-flipped at random positions before blob removal                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Prevents AES-GCM ciphertext recovery on storage engines that lazily reclaim pages; the overwritten bytes are cryptographically unpredictable                                                                                                                                                                                                                                                                                                                                                                        |
| `7760914` | SafeNova Core      | Migrated session storage from plaintext to AES-256-GCM encrypted blobs; removed legacy plaintext import path and PBKDF2 fallback                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Eliminated the last remaining plaintext credential storage; even if an attacker reads sessionStorage, they obtain only encrypted blobs that require the in-memory key                                                                                                                                                                                                                                                                                                                                               |
| `7a2c7a5` | SafeNova Core      | Sanitized CSS hex colors and HTML-escaped extension text before SVG embedding; `CSS.escape` for selector queries; stripped HTML special chars from filenames                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Closed XSS / CSS-injection vectors in dynamically generated SVG icons and DOM queries; prevents attacker-crafted filenames from executing code in the UI                                                                                                                                                                                                                                                                                                                                                            |
| `10477c1` | SafeNova Core      | Introduced a strict Content Security Policy (`<meta>` tag + server headers); extracted inline scripts to external files for CSP compliance                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Blocks inline script injection entirely; even if an attacker injects HTML, the browser refuses to execute attacker-supplied `<script>` blocks                                                                                                                                                                                                                                                                                                                                                                       |
| `52de238` | SafeNova Core      | Derived a per-container HKDF-SHA-256 key for the export cache (info `snv-export-cache-v1`) from the Argon2id salt                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Export cache is now browser-independent but container-bound; a stolen cache blob from one container cannot be used to reconstruct another container's manifest                                                                                                                                                                                                                                                                                                                                                      |
| `a9c2edf` | SafeNova Core      | Nullified heavy blobs (`lazyWorkspace`, `_alogZ`, `_exportCache`) in IDB before record deletion on container removal                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Forces the browser to release persistent storage immediately; prevents ghost data from lingering in IDB until lazy garbage collection runs                                                                                                                                                                                                                                                                                                                                                                          |
| `fa0794f` | SafeNova Core      | Added recursion guards (visited sets, depth caps) in `deleteSelected`, `deepCopy`, `_folderSize`, ZIP export; sanitized filenames; hard-capped import size                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Eliminates infinite-loop and stack-overflow vulnerabilities on corrupt/malicious VFS data; blocks filename-based injection and oversized imports that could exhaust memory                                                                                                                                                                                                                                                                                                                                          |
| `6648cf7` | SafeNova Core      | Detected and broken parent↔child cycles in VFS; added visited-set guard to `remove()` to prevent infinite recursion                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | A crafted or corrupted container with cyclic folder references can no longer hang the browser or crash the tab                                                                                                                                                                                                                                                                                                                                                                                                      |
| `2321820` | SafeNova Core      | Encrypted activity logs with AES-GCM before flushing to storage; preserved legacy/compressed migration path                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Activity logs no longer leak operation history in plaintext; even with IDB access, the log content requires the active session key                                                                                                                                                                                                                                                                                                                                                                                  |
| `1adf58c` | SafeNova Core      | Added incognito/private-mode detection using engine-fingerprint checks (no UA sniffing) with a one-time warning                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Warns users that containers created in private mode are ephemeral; prevents accidental data loss due to IDB volatility in incognito without relying on spoofable user-agent strings                                                                                                                                                                                                                                                                                                                                 |

---

> **How to read this table**: each row is a single commit that addressed a concrete vulnerability or hardening gap. Commits are grouped by area and sorted by significance. The table is not exhaustive — only changes with a direct, measurable impact on the security model are included.


================================================
FILE: src/.server.ps1
================================================
# Local Dev Server
# Run: right-click -> "Run with PowerShell"  |  or: .\._server.ps1
# Requirements: Windows only, no external dependencies

# UTF-8 output so Cyrillic paths and special chars display correctly in console
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
$OutputEncoding           = [System.Text.Encoding]::UTF8

# ── Config ────────────────────────────────────────────────────
$PREFERRED_PORT = 7777
$PORT_RANGE_MIN = 3000
$PORT_RANGE_MAX = 9999
$PORT_MAX_TRIES = 20
$root           = $PSScriptRoot.TrimEnd('\') + '\'

# ── MIME types ────────────────────────────────────────────────
$mime = @{
    ".html"  = "text/html; charset=utf-8"
    ".htm"   = "text/html; charset=utf-8"
    ".css"   = "text/css; charset=utf-8"
    ".js"    = "application/javascript; charset=utf-8"
    ".mjs"   = "application/javascript; charset=utf-8"
    ".json"  = "application/json; charset=utf-8"
    ".svg"   = "image/svg+xml"
    ".png"   = "image/png"
    ".jpg"   = "image/jpeg"
    ".jpeg"  = "image/jpeg"
    ".gif"   = "image/gif"
    ".webp"  = "image/webp"
    ".ico"   = "image/x-icon"
    ".woff"  = "font/woff"
    ".woff2" = "font/woff2"
    ".ttf"   = "font/ttf"
    ".otf"   = "font/otf"
    ".mp4"   = "video/mp4"
    ".webm"  = "video/webm"
    ".txt"   = "text/plain; charset=utf-8"
    ".xml"   = "application/xml; charset=utf-8"
}

# ── Port availability check ───────────────────────────────────
# Uses TcpListener to probe the port BEFORE passing it to HttpListener.
# This avoids the misleading generic "Access Denied" exception from HttpListener.
function Test-PortFree([int]$p) {
    try {
        $tcp = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $p)
        $tcp.Start()
        $tcp.Stop()
        return $true
    } catch {
        return $false
    }
}

# ── Port selection ────────────────────────────────────────────
# 1. Try preferred port first.
# 2. Fall back to random ports in range until one is free.
$port = $null

if (Test-PortFree $PREFERRED_PORT) {
    $port = $PREFERRED_PORT
} else {
    Write-Host ""
    Write-Host "  Port $PREFERRED_PORT is busy, picking a random one..." -ForegroundColor DarkYellow

    $rng  = [System.Random]::new()
    for ($i = 0; $i -lt $PORT_MAX_TRIES; $i++) {
        $candidate = $rng.Next($PORT_RANGE_MIN, $PORT_RANGE_MAX + 1)
        if (Test-PortFree $candidate) {
            $port = $candidate
            break
        }
    }
}

if ($null -eq $port) {
    Write-Host ""
    Write-Host "  [!] Could not find a free port after $PORT_MAX_TRIES attempts." -ForegroundColor Red
    Write-Host "      Range: $PORT_RANGE_MIN-$PORT_RANGE_MAX" -ForegroundColor Red
    Write-Host ""
    Read-Host "  Press Enter to exit"
    exit 1
}

# ── Start listener ────────────────────────────────────────────
$prefix   = "http://localhost:$port/"
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($prefix)

try {
    $listener.Start()
} catch {
    Write-Host ""
    Write-Host "  [!] Failed to bind on port $port." -ForegroundColor Red
    Write-Host "      $_" -ForegroundColor Red
    Write-Host ""
    Read-Host "  Press Enter to exit"
    exit 1
}

Write-Host ""
Write-Host "  DosX's Dev Server" -ForegroundColor Cyan
Write-Host "  http://localhost:$port" -ForegroundColor Cyan
Write-Host "  Root: $root" -ForegroundColor Cyan
Write-Host "  Stop: Ctrl+C" -ForegroundColor Cyan
Write-Host ""

Start-Process $prefix

# ── Request loop ──────────────────────────────────────────────
try {
    while ($listener.IsListening) {
        $ctx = $listener.GetContext()

        # Per-request isolation — one bad request never crashes the loop
        try {
            $req  = $ctx.Request
            $resp = $ctx.Response

            $ts      = Get-Date -Format "HH:mm:ss"
            $method  = $req.HttpMethod.ToUpper()
            $urlPath = [System.Uri]::UnescapeDataString($req.Url.AbsolutePath)
            $relPath = $urlPath.TrimStart('/')

            # ── Security: block path traversal ──────────────
            # Resolve to absolute path and verify it stays inside $root
            $resolved = [System.IO.Path]::GetFullPath((Join-Path $root $relPath))
            if (-not $resolved.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $resp.StatusCode = 403
                $body = [System.Text.Encoding]::UTF8.GetBytes("403 Forbidden")
                $resp.ContentType     = "text/plain; charset=utf-8"
                $resp.ContentLength64 = $body.Length
                $resp.OutputStream.Write($body, 0, $body.Length)
                $resp.OutputStream.Close()
                Write-Host "  [$ts]  403  $urlPath  [traversal blocked]" -ForegroundColor Red
                continue
            }

            $filePath = $resolved

            # ── Directory: redirect to trailing slash ────────
            if ((Test-Path $filePath -PathType Container) -and -not $urlPath.EndsWith('/')) {
                $qs       = $req.Url.Query   # сохраняем query string (?2, ?project-id=2, ...)
                $location = $urlPath + '/' + $qs
                $resp.StatusCode = 301
                $resp.Headers.Add('Location', $location)
                $resp.ContentLength64 = 0
                $resp.OutputStream.Close()
                Write-Host "  [$ts]  301  $urlPath -> $location" -ForegroundColor DarkYellow
                continue
            }

            # ── Directory: serve index.html or index.htm ────
            if (Test-Path $filePath -PathType Container) {
                $indexFile = $null
                foreach ($filename in @("index.html", "index.htm")) {
                    $candidate = Join-Path $filePath $filename
                    if (Test-Path $candidate -PathType Leaf) {
                        $indexFile = $candidate
                        break
                    }
                }
                if ($indexFile) {
                    $filePath = $indexFile
                } else {
                    # Directory exists but no index file found — treat as 404
                    $filePath = $null
                }
            }

            # ── Serve file (GET / HEAD) ──────────────────────
            if (Test-Path $filePath -PathType Leaf) {
                $ext         = [System.IO.Path]::GetExtension($filePath).ToLower()
                $contentType = if ($mime.ContainsKey($ext)) { $mime[$ext] } else { "application/octet-stream" }
                $bytes       = [System.IO.File]::ReadAllBytes($filePath)

                $resp.StatusCode      = 200
                $resp.ContentType     = $contentType
                $resp.ContentLength64 = $bytes.Length
                # Cache-Control: no-cache — browser always revalidates; avoids stale files during dev
                $resp.Headers.Add('Cache-Control', 'no-cache')
                $resp.Headers.Add('X-Content-Type-Options', 'nosniff')
                $resp.Headers.Add('X-Frame-Options', 'DENY')
                $resp.Headers.Add('Referrer-Policy', 'no-referrer')
                $resp.Headers.Add('Permissions-Policy', 'interest-cohort=(), geolocation=(), camera=(), microphone=()')
                $resp.Headers.Add('Cross-Origin-Opener-Policy', 'same-origin')
                $resp.Headers.Add('Cross-Origin-Embedder-Policy', 'require-corp')

                # HEAD — headers only, no body
                if ($method -ne 'HEAD') {
                    $resp.OutputStream.Write($bytes, 0, $bytes.Length)
                }

                $label = if ($method -eq 'HEAD') { "HEAD" } else { " GET" }
                Write-Host "  [$ts]  200  $label  $urlPath" -ForegroundColor Green

            # ── 404 ─────────────────────────────────────────
            } else {
                $notFoundPage = $null
                foreach ($filename in @("404.html", "404.htm")) {
                    $candidate = Join-Path $root $filename
                    if (Test-Path $candidate -PathType Leaf) {
                        $notFoundPage = $candidate
                        break
                    }
                }

                if ($notFoundPage) {
                    $body = [System.IO.File]::ReadAllBytes($notFoundPage)
                    $resp.ContentType = "text/html; charset=utf-8"
                } else {
                    $body = [System.Text.Encoding]::UTF8.GetBytes("404 - Not Found: $urlPath")
                    $resp.ContentType = "text/plain; charset=utf-8"
                }

                $resp.StatusCode      = 404
                $resp.ContentLength64 = $body.Length
                if ($method -ne 'HEAD') {
                    $resp.OutputStream.Write($body, 0, $body.Length)
                }

                Write-Host "  [$ts]  404  $urlPath" -ForegroundColor DarkGray
            }

        } catch {
            # Swallow per-request errors so the server keeps running
            Write-Host "  [!] Request error: $_" -ForegroundColor Red
        } finally {
            # Always close — prevents hanging connections
            try { $ctx.Response.OutputStream.Close() } catch {}
        }
    }
} finally {
    $listener.Stop()
    Write-Host ""
    Write-Host "  Server stopped." -ForegroundColor Yellow
    Write-Host ""
}


================================================
FILE: src/css/app.css
================================================
/* ============================================================
   SafeNova — VS Code Dark Theme
   ============================================================ */
*,
*::before,
*::after {
    box-sizing: border-box;
    margin: 0;
    padding: 0;
}

/* Remove browser default focus outlines — inputs use border-color for focus instead */
:focus {
    outline: none;
}

:root {
    --bg: #1e1e1e;
    --bg2: #252526;
    --bg3: #2d2d30;
    --bg4: #3c3c3c;
    --bg5: #454545;
    --border: #3c3c3c;
    --border2: #555555;
    --text: #d4d4d4;
    --text-dim: #858585;
    --text-bright: #ffffff;
    --text-code: #9cdcfe;
    --accent: #0078d4;
    --accent-h: #1b8fd8;
    --accent2: #4ec9b0;
    --orange: #ce9178;
    --green: #4caf50;
    --green2: #6a9955;
    --red: #f44747;
    --yellow: #dcdcaa;
    --purple: #c678dd;
    --blue: #569cd6;
    --r: 2px;
    --shadow: 0 8px 32px rgba(0, 0, 0, 0.6);
    --shadow-sm: 0 2px 8px rgba(0, 0, 0, 0.4);
    --font: "Segoe UI", system-ui, -apple-system, sans-serif;
    --mono: "Cascadia Code", "Consolas", "Courier New", monospace;
    --transition: 0.15s ease;
}

html,
body {
    width: 100%;
    height: 100%;
    font-family: var(--font);
    background: var(--bg);
    color: var(--text);
    overflow: hidden;
    user-select: none;
}

/* ---- SCROLLBAR ---- */
/* WebKit (Chrome, Edge, Safari) */
::-webkit-scrollbar {
    width: 8px;
    height: 8px;
}
::-webkit-scrollbar-track {
    background: var(--bg2);
}
::-webkit-scrollbar-thumb {
    background: var(--bg5);
    border-radius: 1px;
}
::-webkit-scrollbar-thumb:hover {
    background: var(--border2);
}
/* Firefox — scrollbar-width / scrollbar-color (standard W3C spec) */
* {
    scrollbar-width: thin;
    scrollbar-color: var(--bg5) var(--bg2);
}

/* ---- VIEWS ---- */
.view {
    position: fixed;
    inset: 0;
    display: none;
    flex-direction: column;
    background: var(--bg);
}
.view.active {
    display: flex;
}

/* ============================================================
   HOME VIEW
   ============================================================ */
#view-home {
    display: none;
    flex-direction: column;
}
#view-home.active {
    display: flex;
}

.app-header {
    height: 48px;
    min-height: 48px;
    background: var(--bg2);
    border-bottom: 1px solid var(--border);
    display: flex;
    align-items: center;
    padding: 0 20px;
    gap: 16px;
    box-shadow: 0 1px 0 rgba(0, 0, 0, 0.3);
}
.header-logo {
    display: flex;
    align-items: center;
    gap: 10px;
}
.header-logo-icon {
    width: 28px;
    height: 28px;
    flex-shrink: 0;
    object-fit: contain;
}
.header-logo span {
    font-size: 16px;
    font-weight: 600;
    letter-spacing: 0.02em;
    color: var(--text-bright);
}
.header-logo small {
    font-size: 10px;
    color: var(--text-dim);
    font-weight: 400;
    border: 1px solid var(--border2);
    padding: 1px 5px;
    border-radius: 1px;
    margin-left: 4px;
}
.header-brand {
    font-size: 16px;
    font-weight: 700;
    letter-spacing: 0.02em;
    color: var(--text-bright);
    font-family: var(--font);
}
.header-spacer {
    flex: 1;
}
.header-actions {
    display: flex;
    gap: 8px;
    align-items: center;
}

.home-body {
    flex: 1;
    overflow-y: auto;
    padding: 24px;
    display: flex;
    flex-direction: column;
    gap: 20px;
}
.home-section-title {
    font-size: 11px;
    font-weight: 600;
    color: var(--text-dim);
    text-transform: uppercase;
    letter-spacing: 0.08em;
    margin-bottom: 4px;
}

/* ---- HOME DOC BLOCK ---- */
.home-doc-wrap {
    margin-top: auto;
    align-self: flex-start;
    display: flex;
    flex-direction: column;
    gap: 4px;
}
.home-doc {
    border: 1px solid var(--border);
    border-radius: var(--r);
    background: var(--bg2);
    max-width: 420px;
    padding: 11px 14px 12px;
    display: flex;
    flex-direction: column;
    gap: 6px;
    position: relative;
    overflow: hidden;
    transition:
        max-height 0.3s ease,
        opacity 0.22s ease,
        padding 0.3s ease;
    max-height: 500px;
    opacity: 1;
}
.home-doc.collapsed {
    max-height: 0;
    opacity: 0;
    padding: 0;
    pointer-events: none;
}
.home-doc-collapse {
    position: absolute;
    top: 7px;
    right: 7px;
    width: 18px;
    height: 18px;
    padding: 0;
    border: none;
    background: none;
    color: var(--text-dim);
    cursor: pointer;
    border-radius: 2px;
    line-height: 0;
    display: flex;
    align-items: center;
    justify-content: center;
    transition:
        color 0.15s,
        background 0.15s;
}
.home-doc-collapse:hover {
    color: var(--text);
    background: var(--bg3);
}
.home-doc-badge {
    font-size: 8px;
    font-weight: 700;
    text-transform: uppercase;
    letter-spacing: 0.13em;
    color: var(--accent);
    border: 1px solid rgba(0, 120, 212, 0.65);
    border-radius: 0;
    padding: 2px 6px;
    width: fit-content;
}
.home-doc-title {
    font-size: 11.5px;
    font-weight: 600;
    color: var(--text-bright);
    line-height: 1.3;
}
.home-doc-p {
    font-size: 10.5px;
    line-height: 1.62;
    color: var(--text-dim);
    margin: 0;
}
.home-doc-p strong {
    color: var(--text);
    font-weight: 500;
}
.home-doc-stack {
    display: flex;
    flex-wrap: wrap;
    gap: 3px;
    padding-top: 7px;
    border-top: 1px solid var(--border);
    margin-top: 2px;
}
.home-doc-stack span {
    font-size: 9px;
    color: var(--text-dim);
    background: var(--bg3);
    border: 1px solid var(--border);
    border-radius: 2px;
    padding: 1px 5px;
}
/* Tab shown when doc is collapsed */
.home-doc-tab {
    display: none;
    align-self: flex-start;
    align-items: center;
    gap: 5px;
    font-size: 9.5px;
    font-weight: 500;
    color: var(--text-dim);
    background: var(--bg2);
    border: 1px solid var(--border);
    border-radius: var(--r);
    padding: 4px 9px;
    cursor: pointer;
    margin-top: auto;
    transition:
        color 0.15s,
        border-color 0.15s,
        background 0.15s;
    line-height: 1;
}
.home-doc-tab:hover {
    color: var(--accent);
    border-color: rgba(0, 120, 212, 0.4);
    background: var(--bg3);
}
.home-doc-tab.visible {
    display: flex;
}
/* Pre-hide on reload (before JS runs) — eliminates flash */
html.snv-doc-hidden #home-doc {
    max-height: 0 !important;
    opacity: 0 !important;
    padding: 0 !important;
    overflow: hidden;
}
html.snv-doc-hidden #home-doc-tab {
    display: flex !important;
}

.container-grid {
    display: grid;
    grid-template-columns: repeat(auto-fill, minmax(280px, 1fr));
    gap: 12px;
}
.container-card {
    background: var(--bg2);
    border: 1px solid var(--border);
    border-radius: var(--r);
    padding: 18px 18px 46px 32px;
    cursor: pointer;
    transition:
        border-color var(--transition),
        background var(--transition),
        transform 0.1s;
    position: relative;
    overflow: hidden;
    min-height: 136px;
    /* Establish a GPU compositing layer at rest so that the :active scale(0.99)
       fires on an already-promoted layer. Without this, Firefox promotes the
       layer mid-animation which causes a one-frame sub-pixel text reposition
       (the visible "jump" in the inspector at 112.39 × 35 px). */
    will-change: transform;
    backface-visibility: hidden;
}
.container-card:hover {
    border-color: var(--accent);
    background: #2a2d2e;
}
.container-card:active {
    transform: scale(0.99);
}
@keyframes card-highlight {
    0% {
        box-shadow: 0 0 0 2px var(--accent);
    }
    100% {
        box-shadow: 0 0 0 2px transparent;
    }
}
.container-card.highlight {
    animation: card-highlight 1.8s ease-out forwards;
}
/* Enterprise / tier badge */
.tier-badge {
    display: inline-flex;
    align-items: center;
    font-size: 8.5px;
    font-weight: 600;
    letter-spacing: 0.18em;
    color: var(--text-dim);
    border: 1px solid var(--border2);
    border-radius: 2px;
    padding: 1px 6px;
    line-height: 1.8;
    font-style: normal;
    background: transparent;
    flex-shrink: 0;
    margin-left: 8px;
    font-family: var(--font);
}
/* Drag-to-reorder handle */
.container-drag-handle {
    position: absolute;
    left: 0;
    top: 0;
    bottom: 0;
    width: 26px;
    display: flex;
    align-items: center;
    justify-content: center;
    cursor: grab;
    color: var(--text-dim);
    opacity: 0;
    border-radius: var(--r) 0 0 var(--r);
    transition:
        opacity 0.15s,
        background 0.15s;
}
.container-card:hover .container-drag-handle {
    opacity: 1;
}
.container-drag-handle:hover {
    background: var(--bg3);
    color: var(--text);
}
.container-drag-handle:active {
    cursor: grabbing;
}
.container-card.drag-reorder-source {
    opacity: 0.4;
    transform: scale(0.97);
    box-shadow: none;
    pointer-events: none;
    transition:
        opacity 0.15s,
        transform 0.15s;
}
.container-card.drag-reorder-over {
    border-color: var(--accent);
    background: rgba(0, 120, 212, 0.07);
    box-shadow:
        0 0 0 2px rgba(0, 120, 212, 0.22),
        inset 3px 0 0 var(--accent);
}

.container-card-header {
    display: flex;
    align-items: center;
    gap: 12px;
    margin-bottom: 14px;
}
.container-card-icon {
    width: 36px;
    height: 36px;
    display: flex;
    align-items: center;
    justify-content: center;
    background: rgba(0, 120, 212, 0.12);
    border: 1px solid rgba(0, 120, 212, 0.3);
    border-radius: var(--r);
    flex-shrink: 0;
}
.container-card-icon svg {
    width: 20px;
    height: 20px;
}
.container-card-icon img {
    width: 20px;
    height: 20px;
    object-fit: contain;
}
.container-card-name {
    font-weight: 600;
    font-size: 14px;
    color: var(--text-bright);
    white-space: nowrap;
    overflow: hidden;
    text-overflow: ellipsis;
}
.container-card-date {
    font-size: 11px;
    color: var(--text-dim);
    margin-top: 1px;
}
.container-card-body {
    display: block;
}
.container-bar-wrap {
    position: relative;
    height: 4px;
    background: var(--bg4);
    border-radius: 1px;
    overflow: hidden;
    margin: 8px 0;
}
.container-bar-fill {
    position: absolute;
    left: 0;
    top: 0;
    bottom: 0;
    background: var(--accent);
    border-radius: 1px;
    transition: width 0.4s;
}
.container-bar-fill.warn {
    background: var(--orange);
}
.container-bar-fill.danger {
    background: var(--red);
}
.container-card-sizes {
    display: flex;
    justify-content: space-between;
    font-size: 11px;
    color: var(--text-dim);
}
.container-card-menu {
    position: absolute;
    top: 10px;
    right: 10px;
    width: 24px;
    height: 24px;
    display: flex;
    align-items: center;
    justify-content: center;
    opacity: 0;
    border-radius: var(--r);
    transition: opacity var(--transition);
    cursor: pointer;
    color: var(--text-dim);
}
.container-card:hover .container-card-menu {
    opacity: 1;
}
.container-card-menu:hover {
    background: var(--bg4);
    color: var(--text);
}
.container-empty {
    grid-column: 1/-1;
    display: flex;
    flex-direction: column;
    align-items: center;
    justify-content: center;
    min-height: 200px;
    gap: 12px;
    color: var(--text-dim);
}
.container-empty svg {
    width: 48px;
    height: 48px;
    opacity: 0.3;
}
.container-empty p {
    font-size: 14px;
}

/* ---- Storage Footer ---- */
.storage-footer {
    border-top: 1px solid var(--border);
    background: var(--bg2);
    padding: 14px 20px;
    display: flex;
    flex-direction: column;
    gap: 6px;
}
.github-link {
    display: inline-flex;
    align-items: center;
    gap: 6px;
    font-size: 10.5px;
    color: var(--text-dim);
    text-decoration: none;
    padding: 5px 8px;
    margin-top: 8px;
    border-radius: var(--r);
    border: 1px solid transparent;
    align-self: flex-start;
    transition:
        color var(--transition),
        border-color var(--transition),
        background var(--transition);
}
.github-link:hover {
    color: var(--text);
    background: var(--bg3);
    border-color: var(--border);
}
.github-link-arrow {
    opacity: 0;
    margin-left: 1px;
    transition: opacity var(--transition);
}
.github-link:hover .github-link-arrow {
    opacity: 0.6;
}
.storage-row {
    display: flex;
    align-items: center;
    gap: 12px;
}
.storage-label {
    font-size: 11px;
    color: var(--text-dim);
    white-space: nowrap;
    min-width: 110px;
}
.storage-bar-wrap {
    flex: 1;
    height: 6px;
    background: var(--bg4);
    border-radius: 1px;
    overflow: hidden;
}
.storage-bar-fill {
    height: 100%;
    background: var(--accent2);
    border-radius: 1px;
    transition: width 0.5s;
}
.storage-bar-fill.warn {
    background: var(--orange);
}
.storage-bar-fill.danger {
    background: var(--red);
}
.storage-text {
    font-size: 11px;
    color: var(--text-dim);
    white-space: nowrap;
    min-width: 140px;
    text-align: right;
}

/* ---- Storage warning banner ---- */
.storage-warning-banner {
    display: none;
    align-items: center;
    gap: 10px;
    padding: 8px 20px;
    background: rgba(244, 71, 71, 0.08);
    border-top: 1px solid rgba(244, 71, 71, 0.3);
    font-size: 12px;
    color: var(--red);
}
.storage-warning-banner.show {
    display: flex;
}
.storage-warning-banner svg {
    flex-shrink: 0;
}

/* ---- Home warning box (browser storage) ---- */
.home-warning-box {
    display: flex;
    align-items: flex-start;
    gap: 10px;
    padding: 10px 12px;
    margin-bottom: 4px;
    background: rgba(244, 71, 71, 0.07);
    border: 1px solid rgba(244, 71, 71, 0.22);
    border-left: 3px solid var(--red);
    border-radius: var(--r);
    font-size: 11.5px;
    line-height: 1.6;
    color: rgba(244, 71, 71, 0.85);
    transition:
        opacity 0.2s,
        max-height 0.25s;
}
.home-warning-box.hidden {
    display: none;
}
.home-warning-box strong {
    color: #ff6b6b;
}
.warning-dismiss {
    flex-shrink: 0;
    margin-top: 1px;
    padding: 3px;
    border: none;
    background: none;
    color: rgba(244, 71, 71, 0.45);
    cursor: pointer;
    border-radius: 2px;
    line-height: 0;
    transition:
        color 0.15s,
        background 0.15s;
}
.warning-dismiss:hover {
    color: var(--red);
    background: rgba(244, 71, 71, 0.1);
}

/* ============================================================
   BUTTONS
   ============================================================ */
.btn {
    display: inline-flex;
    align-items: center;
    justify-content: center;
    gap: 6px;
    padding: 6px 14px;
    border: none;
    border-radius: var(--r);
    font-family: var(--font);
    font-size: 13px;
    cursor: pointer;
    transition:
        background var(--transition),
        color var(--transition);
    white-space: nowrap;
    color: var(--text);
    background: var(--bg4);
}
.btn:hover {
    background: var(--bg5);
}
.btn:active {
    opacity: 0.8;
}
.btn:disabled,
.btn[disabled] {
    opacity: 0.4;
    cursor: not-allowed;
    pointer-events: none;
}
.btn-primary {
    background: var(--accent);
    color: #fff;
}
.btn-primary:hover {
    background: var(--accent-h);
}
.btn-danger {
    background: #5a1a1a;
    color: var(--red);
    border: 1px solid #7a2222;
}
.btn-danger:hover {
    background: #7a2222;
}
.btn-ghost {
    background: transparent;
    color: var(--text-dim);
    border: 1px solid transparent;
}
.btn-ghost:hover {
    background: var(--bg3);
    border-color: var(--border);
    color: var(--text);
}
.btn-ghost.active {
    background: var(--bg3);
    border-color: var(--accent);
    color: var(--accent);
}
.btn-icon {
    padding: 6px;
    width: 32px;
    height: 32px;
}
.btn-sm {
    padding: 4px 10px;
    font-size: 12px;
}
.btn-lg {
    padding: 10px 24px;
    font-size: 14px;
    font-weight: 600;
    width: 100%;
    justify-content: center;
}

/* ============================================================
   INPUTS
   ============================================================ */
.input {
    display: block;
    width: 100%;
    background: var(--bg);
    border: 1px solid var(--border);
    border-radius: var(--r);
    color: var(--text);
    font-family: var(--font);
    font-size: 13px;
    padding: 8px 12px;
    outline: none;
    transition: border-color var(--transition);
}
.input:focus {
    border-color: var(--accent);
}
.input::placeholder {
    color: var(--text-dim);
}
.input-wrap {
    position: relative;
}
.input-wrap .input {
    padding-right: 40px;
}
.input-eye {
    position: absolute;
    right: 0;
    top: 0;
    bottom: 0;
    width: 38px;
    display: flex;
    align-items: center;
    justify-content: center;
    background: none;
    border: none;
    cursor: pointer;
    color: var(--text-dim);
}
.input-eye:hover {
    color: var(--text);
}

#nc-hwkey-btn {
    display: none;
    margin-right: auto;
    flex-shrink: 0;
    border: 1px solid var(--border);
    border-radius: var(--r);
    background: var(--bg3);
    color: var(--text-dim);
    cursor: pointer;
    font-family: var(--font);
    font-size: 11px;
    flex-direction: row;
    align-items: center;
    justify-content: center;
    gap: 5px;
    padding: 0 10px;
    height: 30px;
    white-space: nowrap;
    overflow: hidden;
    transition:
        border-color var(--transition),
        color var(--transition);
}
#nc-hwkey-btn.show {
    display: flex;
}
#nc-hwkey-btn:not(:disabled):hover {
    border-color: var(--border2);
    color: var(--text);
}
#nc-hwkey-btn:disabled {
    cursor: not-allowed;
    opacity: 0.45;
}

/* Password strength */
.pw-strength {
    height: 3px;
    border-radius: 1px;
    margin-top: 4px;
    transition:
        width 0.3s,
        background 0.3s;
    background: var(--bg4);
}
.pw-strength-row {
    font-size: 11px;
    color: var(--text-dim);
    margin-top: 4px;
}

/* ============================================================
   UNLOCK VIEW
   ============================================================ */
#view-unlock {
    justify-content: center;
    align-items: center;
    background: radial-gradient(ellipse at 50% 40%, #1a2233 0%, var(--bg) 70%);
}
.unlock-box {
    width: 100%;
    max-width: 380px;
    background: var(--bg2);
    border: 1px solid var(--border);
    border-radius: var(--r);
    padding: 24px 28px 22px;
    box-shadow: var(--shadow);
    display: flex;
    flex-direction: column;
    gap: 10px;
}
.unlock-back {
    align-self: flex-start;
}
.unlock-icon {
    display: flex;
    justify-content: center;
    margin-bottom: -4px;
}
.unlock-identity {
    display: flex;
    flex-direction: column;
    align-items: center;
    gap: 4px;
}
.unlock-eyebrow {
    font-size: 10px;
    font-weight: 600;
    text-transform: uppercase;
    letter-spacing: 0.11em;
    color: var(--text-dim);
    opacity: 0.65;
}
.unlock-title {
    text-align: center;
    font-size: 22px;
    font-weight: 700;
    color: var(--text-bright);
}
.unlock-name-badge {
    text-align: center;
    font-size: 16px;
    color: var(--text);
    font-weight: 600;
    align-self: center;
    max-width: 100%;
    overflow: hidden;
    text-overflow: ellipsis;
    white-space: nowrap;
}
.unlock-error {
    font-size: 12px;
    color: var(--red);
    display: none;
    align-items: center;
    gap: 8px;
    max-height: 0;
    overflow: hidden;
    padding: 0;
    border: 1px solid transparent;
    border-radius: var(--r);
    background: transparent;
    transition:
        max-height 0.2s ease,
        padding 0.15s ease,
        background var(--transition),
        border-color var(--transition);
}
.unlock-error:not(:empty) {
    display: flex;
    max-height: 52px;
    padding: 8px 10px;
    background: var(--bg4);
    border-color: var(--border2);
}
.unlock-spinner {
    display: none;
    justify-content: center;
    align-items: center;
    gap: 8px;
    font-size: 12px;
    color: var(--text-dim);
}
.unlock-spinner.show {
    display: flex;
}
.spinner {
    width: 16px;
    height: 16px;
    border: 2px solid var(--bg4);
    border-top-color: var(--accent);
    border-radius: 50%;
    animation: spin 0.8s linear infinite;
}
@keyframes spin {
    to {
        transform: rotate(360deg);
    }
}

/* ============================================================
   DESKTOP VIEW
   ============================================================ */
#view-desktop {
    background: var(--bg);
}
.desktop-topbar {
    height: 40px;
    min-height: 40px;
    background: var(--bg2);
    border-bottom: 1px solid var(--border);
    display: flex;
    align-items: center;
    padding: 0 12px;
    gap: 8px;
}
.desktop-topbar .separator {
    width: 1px;
    height: 20px;
    background: var(--border);
    margin: 0 4px;
}
.breadcrumb {
    flex: 1;
    display: flex;
    align-items: center;
    gap: 2px;
    overflow: hidden;
    font-size: 12px;
    color: var(--text-dim);
}
.breadcrumb-item {
    cursor: pointer;
    padding: 2px 6px;
    border-radius: var(--r);
    white-space: nowrap;
    transition:
        color var(--transition),
        background var(--transition);
}
.breadcrumb-item:hover {
    color: var(--text);
    background: var(--bg3);
}
.breadcrumb-item.current {
    color: var(--text);
    cursor: default;
}
.breadcrumb-item.current:hover {
    background: transparent;
}
.breadcrumb-sep {
    color: var(--text-dim);
    opacity: 0.5;
}

.desktop-area {
    flex: 1;
    position: relative;
    overflow: auto;
    overscroll-behavior: none;
    background: #1e1e1e;
    background-image: radial-gradient(circle, #2a2a2a 1px, transparent 1px);
    background-size: calc(24px * var(--icon-scale)) calc(24px * var(--icon-scale));
    outline: none;
}
.desktop-area.no-grid-dots {
    background-image: none;
}
.fw-area.no-grid-dots {
    background-image: none;
}

/* Icon size modifiers */
body {
    --icon-scale: 1;
}
body.icons-small {
    --icon-scale: 0.75;
}
body.icons-large {
    --icon-scale: 1.25;
}
/* Animation disable */
body.no-animations * {
    animation-duration: 0s !important;
    transition-duration: 0s !important;
}

/* Rubber band */
.rubberband {
    position: absolute;
    border: 1px solid var(--accent);
    background: rgba(0, 120, 212, 0.08);
    border-radius: 1px;
    pointer-events: none;
    z-index: 200;
}

/* File icons */
.file-item {
    position: absolute;
    width: 80px;
    display: flex;
    flex-direction: column;
    align-items: center;
    gap: 5px;
    padding: 6px 4px;
    border-radius: var(--r);
    cursor: pointer;
    transition: background var(--transition);
    z-index: 1;
    transform: scale(var(--icon-scale));
    transform-origin: top left;
    -webkit-touch-callout: none; /* prevent native iOS long-press callout */
    touch-action: none; /* prevent browser from stealing touch for scroll/pan gestures */
}
.file-item:hover {
    background: rgba(255, 255, 255, 0.05);
}
.file-item.selected {
    background: rgba(0, 120, 212, 0.2);
    outline: 1px solid rgba(0, 120, 212, 0.5);
}
.file-item.dragging {
    opacity: 0.5;
    z-index: 100;
}
.file-item.drag-target {
    background: rgba(78, 201, 176, 0.15);
    outline: 1px solid var(--accent2);
}

.file-thumb {
    width: 56px;
    height: 56px;
    border-radius: var(--r);
    display: flex;
    align-items: center;
    justify-content: center;
    background: var(--bg3);
    border: 1px solid var(--border);
    overflow: hidden;
    flex-shrink: 0;
    position: relative;
}
.file-thumb img {
    width: 100%;
    height: 100%;
    object-fit: cover;
}
.file-thumb.folder-icon {
    background: transparent;
    border: none;
}
.file-thumb svg {
    pointer-events: none;
}

.file-name {
    font-size: 11px;
    text-align: center;
    color: var(--text);
    line-height: 1.3;
    width: 100%;
    overflow: hidden;
    word-wrap: break-word;
    max-height: 32px;
    display: -webkit-box;
    -webkit-line-clamp: 2;
    line-clamp: 2;
    -webkit-box-orient: vertical;
}

/* Taskbar */
.taskbar {
    height: 36px;
    min-height: 36px;
    background: var(--bg2);
    border-top: 1px solid var(--border);
    display: flex;
    align-items: center;
    padding: 0 12px;
    gap: 10px;
    overflow: hidden;
}
.taskbar-logo-icon {
    flex-shrink: 0;
    display: block;
    object-fit: contain;
}
.taskbar-container-name {
    font-size: 13px;
    font-weight: 600;
    color: var(--text-bright);
    display: flex;
    align-items: center;
    gap: 6px;
}
.taskbar-sep {
    flex: 1;
}
.taskbar-storage {
    display: flex;
    align-items: center;
    gap: 8px;
    font-size: 11px;
    color: var(--text-dim);
}
.taskbar-bar-wrap {
    width: 80px;
    height: 4px;
    background: var(--bg4);
    border-radius: 1px;
    overflow: hidden;
}
.taskbar-bar-fill {
    height: 100%;
    background: var(--accent);
    border-radius: 1px;
    transition: width 0.4s;
}
.taskbar-bar-fill.warn {
    background: var(--orange);
}
.taskbar-bar-fill.danger {
    background: var(--red);
}

/* ============================================================
   CONTEXT MENU
   ============================================================ */
.ctx-menu {
    position: fixed;
    background: var(--bg2);
    border: 1px solid var(--border2);
    border-radius: var(--r);
    box-shadow: var(--shadow);
    min-width: 190px;
    z-index: 9000;
    padding: 4px 0;
    display: none;
    user-select: none;
}
.ctx-menu.show {
    display: block;
}
.ctx-item {
    padding: 7px 14px;
    font-size: 13px;
    cursor: pointer;
    display: flex;
    align-items: center;
    gap: 10px;
    color: var(--text);
    white-space: nowrap;
    transition: background var(--transition);
}
.ctx-item:hover {
    background: var(--accent);
    color: #fff;
}
.ctx-item.danger {
    color: var(--red);
}
.ctx-item.danger:hover {
    background: var(--red);
    color: #fff;
}
.ctx-sep {
    height: 1px;
    background: var(--border);
    margin: 3px 0;
}
.ctx-item-icon {
    width: 16px;
    height: 16px;
    display: flex;
    align-items: center;
    justify-content: center;
    flex-shrink: 0;
}

/* ============================================================
   MODALS
   ============================================================ */
.modal-overlay {
    position: fixed;
    inset: 0;
    background: rgba(0, 0, 0, 0.65);
    z-index: 8000;
    display: flex;
    align-items: center;
    justify-content: center;
    opacity: 0;
    transition: opacity 0.2s;
    pointer-events: none;
}
.modal-overlay.show {
    opacity: 1;
    pointer-events: all;
}
.modal {
    background: var(--bg2);
    border: 1px solid var(--border);
    border-radius: var(--r);
    box-shadow: var(--shadow);
    min-width: 360px;
    max-width: 90vw;
    transform: scale(0.97) translateY(8px);
    transition: transform 0.2s;
    display: flex;
    flex-direction: column;
    max-height: 90vh;
    /* Keeps the element on a GPU compositing layer for the full animation
       lifetime, preventing the sub-pixel text jump visible in Firefox
       when the compositor layer is promoted/demoted mid-animation. */
    will-change: transform;
    backface-visibility: hidden;
}
.modal-overlay.show .modal {
    transform: scale(1) translateY(0);
}
.modal-header {
    padding: 16px 20px 12px;
    border-bottom: 1px solid var(--border);
    display: flex;
    align-items: center;
    justify-content: space-between;
    flex-shrink: 0;
}
.modal-title {
    font-size: 15px;
    font-weight: 600;
    color: var(--text-bright);
}
.modal-close {
    background: none;
    border: none;
    cursor: pointer;
    color: var(--text-dim);
    padding: 4px;
    border-radius: var(--r);
    display: flex;
    align-items: center;
    justify-content: center;
}
.modal-close:hover {
    background: var(--bg4);
    color: var(--text);
}
.modal-body {
    padding: 20px;
    display: flex;
    flex-direction: column;
    gap: 14px;
    overflow-y: auto;
    flex: 1;
}
.modal-footer {
    padding: 12px 20px;
    border-top: 1px solid var(--border);
    display: flex;
    justify-content: flex-end;
    gap: 8px;
    flex-shrink: 0;
}
.form-label {
    font-size: 12px;
    color: var(--text-dim);
    margin-bottom: 4px;
    display: block;
}
.form-group {
    display: flex;
    flex-direction: column;
}

/* Text Editor Modal */
.modal-editor {
    width: 85vw;
    max-width: 1000px;
    height: 80vh;
    position: relative;
    overflow: hidden;
}
.editor-area {
    flex: 1;
    overflow: hidden;
    display: flex;
    flex-direction: row;
}
.editor-line-numbers {
    flex-shrink: 0;
    width: 48px;
    overflow: hidden;
    padding: 16px 0;
    background: var(--bg3);
    border-right: 1px solid var(--border);
    font-family: var(--mono);
    font-size: 13px;
    line-height: 1.6;
    color: var(--text-dim);
    user-select: none;
    -webkit-user-select: none;
}
.editor-line-numbers > div {
    padding-right: 8px;
    text-align: right;
    white-space: nowrap;
    display: flex;
    align-items: flex-start;
    justify-content: flex-end;
}
.editor-meta {
    padding: 6px 12px;
    background: var(--bg3);
    border-top: 1px solid var(--border);
    font-size: 11px;
    color: var(--text-dim);
    display: flex;
    gap: 16px;
}
textarea.code-editor {
    flex: 1;
    width: 100%;
    background: var(--bg);
    color: var(--text-code);
    font-family: var(--mono);
    font-size: 13px;
    line-height: 1.6;
    border: none;
    outline: none;
    resize: none;
    padding: 16px;
    tab-size: 2;
    white-space: pre;
    overflow-wrap: normal;
}
textarea.code-editor.word-wrap {
    white-space: pre-wrap;
    overflow-wrap: break-word;
}
textarea.code-editor::-webkit-scrollbar-thumb {
    cursor: default;
}

/* Drag snap preview overlay */
.snap-preview {
    position: absolute;
    width: 84px;
    height: 90px;
    border: 2px dashed rgba(0, 120, 212, 0.55);
    border-radius: 4px;
    transform: scale(var(--icon-scale));
    transform-origin: top left;
    background: rgba(0, 120, 212, 0.07);
    pointer-events: none;
    z-index: 1;
    transition:
        left 0.05s linear,
        top 0.05s linear;
}
.no-snap-highlight .snap-preview {
    display: none !important;
}

/* File Viewer Modal */
.modal-viewer {
    width: 90vw;
    max-width: 1200px;
    height: 85vh;
}
.viewer-content {
    flex: 1;
    overflow: auto;
    display: flex;
    align-items: center;
    justify-content: center;
    padding: 20px;
    background: var(--bg);
}
.viewer-content img {
    max-width: 100%;
    max-height: 100%;
    object-fit: contain;
}
.viewer-content video,
.viewer-content audio {
    max-width: 100%;
    max-height: 100%;
}
.viewer-content iframe {
    width: 100%;
    height: 100%;
    border: none;
}

/* ---- Custom media player ---- */
.twc-player {
    display: flex;
    flex-direction: column;
    width: 100%;
    max-width: 720px;
    gap: 0;
}
.twc-player.audio-only {
    gap: 0;
}
.twc-player video {
    width: 100%;
    max-height: 60vh;
    background: #000;
    border-radius: var(--r) var(--r) 0 0;
    display: block;
    cursor: pointer;
    object-fit: contain;
}
.twc-player .player-controls {
    display: flex;
    align-items: center;
    gap: 8px;
    padding: 10px 14px;
    background: var(--bg2);
    border: 1px solid var(--border);
    border-radius: 0 0 var(--r) var(--r);
}
.twc-player.audio-only .player-controls {
    border-radius: var(--r);
}
/* Fullscreen mode — YouTube-style overlay controls */
.twc-player:fullscreen,
.twc-player:-webkit-full-screen {
    position: relative;
    background: #000;
    display: flex;
    flex-direction: column;
}
.twc-player:fullscreen video,
.twc-player:-webkit-full-screen video {
    max-height: none;
    flex: 1;
    border-radius: 0;
    width: 100%;
    object-fit: contain;
}
.twc-player:fullscreen .player-controls,
.twc-player:-webkit-full-screen .player-controls {
    position: absolute;
    bottom: 0;
    left: 0;
    right: 0;
    background: linear-gradient(transparent, rgba(0, 0, 0, 0.82));
    border: none;
    border-radius: 0;
    padding: 28px 16px 14px;
    opacity: 0;
    transition: opacity 0.25s;
    pointer-events: none;
}
.twc-player:fullscreen:hover .player-controls,
.twc-player:-webkit-full-screen:hover .player-controls,
.twc-player:fullscreen .player-controls:focus-within,
.twc-player:-webkit-full-screen .player-controls:focus-within {
    opacity: 1;
    pointer-events: auto;
}
.twc-player:fullscreen .player-btn,
.twc-player:-webkit-full-screen .player-btn {
    color: #fff;
}
.twc-player:fullscreen .player-time,
.twc-player:-webkit-full-screen .player-time {
    color: rgba(255, 255, 255, 0.8);
}
.twc-player .player-btn {
    background: none;
    border: none;
    cursor: pointer;
    color: var(--text);
    padding: 4px;
    display: flex;
    align-items: center;
    justify-content: center;
    border-radius: var(--r);
    transition: background var(--transition);
}
.twc-player .player-btn:hover {
    background: var(--bg4);
}
.twc-player .player-seek {
    flex: 1;
    height: 4px;
    -webkit-appearance: none;
    appearance: none;
    background: var(--bg4);
    border-radius: 2px;
    outline: none;
    cursor: pointer;
    position: relative;
}
.twc-player .player-seek::-webkit-slider-thumb {
    -webkit-appearance: none;
    width: 12px;
    height: 12px;
    border-radius: 50%;
    background: var(--accent);
    cursor: pointer;
}
.twc-player .player-seek::-moz-range-thumb {
    width: 12px;
    height: 12px;
    border-radius: 50%;
    background: var(--accent);
    cursor: pointer;
    border: none;
}
.twc-player .player-seek::-moz-range-track {
    background: var(--bg4);
    height: 4px;
    border-radius: 2px;
}
.twc-player .player-time {
    font-size: 11px;
    color: var(--text-dim);
    font-family: var(--mono);
    min-width: 75px;
    text-align: center;
}
.twc-player .player-vol {
    width: 70px;
    height: 4px;
    -webkit-appearance: none;
    appearance: none;
    background: var(--bg4);
    border-radius: 2px;
    outline: none;
    cursor: pointer;
}
.twc-player .player-vol::-webkit-slider-thumb {
    -webkit-appearance: none;
    width: 10px;
    height: 10px;
    border-radius: 50%;
    background: var(--accent-h);
    cursor: pointer;
}
.twc-player .player-vol::-moz-range-thumb {
    width: 10px;
    height: 10px;
    border-radius: 50%;
    background: var(--accent-h);
    cursor: pointer;
    border: none;
}
.twc-player .player-vol::-moz-range-track {
    background: var(--bg4);
    height: 4px;
    border-radius: 2px;
}
.twc-player .audio-vis {
    display: flex;
    align-items: center;
    justify-content: center;
    padding: 40px 20px;
    background: var(--bg3);
    border-radius: var(--r) var(--r) 0 0;
    border: 1px solid var(--border);
    border-bottom: none;
}
.twc-player .audio-vis svg {
    width: 64px;
    height: 64px;
    color: var(--accent);
    opacity: 0.6;
}

/* ---- Context menu disabled with tooltip ---- */
.ctx-item.disabled {
    opacity: 0.5;
    pointer-events: auto;
    cursor: default;
}
.ctx-item.disabled:hover {
    background: transparent;
    color: var(--text-dim);
}
.ctx-tooltip {
    position: fixed;
    background: var(--bg3);
    border: 1px solid var(--border2);
    color: var(--text-dim);
    font-size: 11px;
    padding: 6px 10px;
    border-radius: var(--r);
    box-shadow: var(--shadow-sm);
    z-index: 9500;
    pointer-events: none;
    white-space: nowrap;
}

/* Properties Modal */
.modal-props {
    min-width: 320px;
    max-width: 420px;
}
.props-icon {
    display: flex;
    justify-content: center;
    margin: 8px 0;
}
.props-table {
    width: 100%;
    border-collapse: collapse;
    font-size: 13px;
}
.props-table td {
    padding: 6px 4px;
    border-bottom: 1px solid var(--border);
}
.props-table td:first-child {
    color: var(--text-dim);
    width: 40%;
}

/* ============================================================
   TOAST
   ============================================================ */
#toast-container {
    position: fixed;
    bottom: 52px;
    right: 16px;
    z-index: 9999;
    display: flex;
    flex-direction: column;
    gap: 8px;
    pointer-events: none;
}
.toast {
    background: var(--bg3);
    border: 1px solid var(--border2);
    border-radius: var(--r);
    padding: 10px 16px;
    font-size: 13px;
    max-width: 320px;
    box-shadow: var(--shadow-sm);
    display: flex;
    align-items: center;
    gap: 10px;
    animation:
        toastIn 0.2s ease,
        toastOut 0.3s ease 2.7s forwards;
    pointer-events: all;
}
.toast.success {
    border-left: 3px solid var(--green);
}
.toast.error {
    border-left: 3px solid var(--red);
}
.toast.info {
    border-left: 3px solid var(--accent);
}
.toast.warn {
    border-left: 3px solid var(--orange);
}
@keyframes toastIn {
    from {
        opacity: 0;
        transform: translateX(20px);
    }
    to {
        opacity: 1;
        transform: translateX(0);
    }
}
@keyframes toastOut {
    to {
        opacity: 0;
        transform: translateX(20px);
    }
}

/* ============================================================
   DRAG UPLOAD OVERLAY
   ============================================================ */
.drop-overlay {
    position: absolute;
    inset: 0;
    background: rgba(0, 120, 212, 0.12);
    border: 2px dashed var(--accent);
    border-radius: var(--r);
    z-index: 500;
    display: none;
    align-items: center;
    justify-content: center;
    flex-direction: column;
    gap: 12px;
    font-size: 18px;
    color: var(--accent);
    pointer-events: none;
}
.drop-overlay.show {
    display: flex;
}
.fw-drop-overlay {
    position: absolute;
    inset: 0;
    background: rgba(0, 120, 212, 0.12);
    border: 2px dashed var(--accent);
    border-radius: var(--r);
    z-index: 500;
    display: none;
    align-items: center;
    justify-content: center;
    flex-direction: column;
    gap: 10px;
    font-size: 14px;
    color: var(--accent);
    pointer-events: none;
}
.fw-drop-overlay.show {
    display: flex;
}

/* ============================================================
   LOADING OVERLAY
   ============================================================ */
.loading-overlay {
    position: fixed;
    inset: 0;
    background: rgba(30, 30, 30, 0.8);
    z-index: 10000;
    flex-direction: column;
    align-items: center;
    justify-content: center;
    gap: 16px;
    display: none;
}
.loading-overlay.show {
    display: flex;
}
.loading-spinner {
    width: 40px;
    height: 40px;
    border: 3px solid var(--bg4);
    border-top-color: var(--accent);
    border-radius: 50%;
    animation: spin 0.8s linear infinite;
}
.loading-msg {
    font-size: 14px;
    color: var(--text-dim);
}

/* ============================================================
   INCOGNITO WARNING
   ============================================================ */
.incognito-warning {
    position: fixed;
    inset: 0;
    z-index: 10001;
    background: rgba(30, 30, 30, 0.88);
    display: flex;
    align-items: center;
    justify-content: center;
    padding: 24px;
}
.incognito-warning-card {
    background: var(--bg2);
    border: 1px solid var(--border);
    border-top: 2px solid var(--orange);
    border-radius: var(--r);
    padding: 20px 22px 16px;
    max-width: 480px;
    width: 100%;
    box-shadow: var(--shadow);
}
.incognito-warning-header {
    display: flex;
    align-items: center;
    gap: 10px;
    margin-bottom: 14px;
}
.incognito-warning-header svg {
    flex-shrink: 0;
}
.incognito-warning-title {
    font-size: 14px;
    font-weight: 600;
    color: var(--text);
}
.incognito-warning-body {
    font-size: 12.5px;
    color: var(--text-dim);
    line-height: 1.7;
    margin-bottom: 16px;
    padding-left: 32px;
}
.incognito-warning-body p {
    margin-bottom: 8px;
}
.incognito-warning-body ul {
    padding-left: 16px;
    margin-bottom: 8px;
    display: flex;
    flex-direction: column;
    gap: 3px;
}
.incognito-warning-body li strong {
    color: var(--text);
}
.incognito-warning-recommend {
    display: block;
    padding: 8px 10px;
    background: var(--bg3);
    border-left: 2px solid var(--accent2);
    color: var(--accent2);
    font-size: 11.5px;
    line-height: 1.5;
    margin-top: 10px;
    margin-bottom: 0 !important;
}
.incognito-warning-footer {
    display: flex;
    justify-content: flex-end;
    padding-top: 6px;
    border-top: 1px solid var(--border);
}

/* ============================================================
   MISC
   ============================================================ */
.badge {
    display: inline-block;
    font-size: 10px;
    font-weight: 600;
    padding: 1px 6px;
    border-radius: var(--r);
    background: var(--bg4);
    color: var(--text-dim);
}
.badge.encrypted {
    background: rgba(0, 120, 212, 0.15);
    color: var(--accent);
}

/* Selection info bar */
.selection-bar {
    position: fixed;
    bottom: 42px;
    left: 50%;
    transform: translateX(-50%);
    background: var(--bg3);
    border: 1px solid var(--border2);
    padding: 4px 14px;
    font-size: 12px;
    color: var(--text-dim);
    border-radius: 2px;
    white-space: nowrap;
    z-index: 100;
    pointer-events: none;
    opacity: 0;
    transition: opacity 0.2s;
}
.selection-bar.show {
    opacity: 1;
}

/* Warning notice box */
.notice-box {
    display: flex;
    align-items: flex-start;
    gap: 10px;
    padding: 10px 12px;
    background: var(--bg3);
    border-left: 2px solid var(--accent);
    font-size: 11px;
    color: var(--text-dim);
    line-height: 1.5;
}
.notice-box.warn {
    border-left-color: var(--orange);
}
.notice-box.danger {
    border-left-color: var(--red);
}
.notice-box.danger svg {
    color: var(--red) !important;
}
.notice-box svg {
    flex-shrink: 0;
    margin-top: 1px;
    color: var(--orange);
}

/* Delete container warning block */
.del-container-warning {
    display: flex;
    align-items: flex-start;
    gap: 12px;
    padding: 12px;
    background: rgba(244, 71, 71, 0.08);
    border: 1px solid rgba(244, 71, 71, 0.25);
    border-radius: 6px;
    margin-bottom: 6px;
}
.del-container-warning svg {
    flex-shrink: 0;
    margin-top: 2px;
}

/* ============================================================
   HIDE NATIVE BROWSER PASSWORD REVEAL BUTTON (Edge/IE)
   ============================================================ */
input[type="password"]::-ms-reveal,
input[type="password"]::-ms-clear {
    display: none;
}

/* ============================================================
   PREVENT NATIVE BROWSER DRAG-SELECT ON THUMBNAILS
   ============================================================ */
.file-item * {
    user-select: none;
    -webkit-user-drag: none;
}
.file-thumb img {
    -webkit-user-drag: none;
    pointer-events: none;
}

/* ============================================================
   REMEMBER SESSION SECTION  (in unlock view)
   ============================================================ */
.remember-row {
    display: flex;
    align-items: center;
    gap: 8px;
    margin: 0;
    font-size: 12px;
    color: var(--text-dim);
    cursor: pointer;
}
/* ---- Custom checkbox ---- */
.remember-row input[type="checkbox"] {
    -webkit-appearance: none;
    appearance: none;
    width: 14px;
    height: 14px;
    min-width: 14px;
    border: 1.5px solid var(--border2);
    background: var(--bg3);
    border-radius: 2px;
    cursor: pointer;
    flex-shrink: 0;
    position: relative;
    transition:
        background var(--transition),
        border-color var(--transition);
}
.remember-row input[type="checkbox"]:hover {
    border-color: var(--accent-h);
}
.remember-row input[type="checkbox"]:checked {
    background: var(--accent);
    border-color: var(--accent);
}
.remember-row input[type="checkbox"]:checked::after {
    content: "";
    position: absolute;
    left: 3px;
    top: 1px;
    width: 5px;
    height: 8px;
    border: 1.5px solid #fff;
    border-top: none;
    border-left: none;
    transform: rotate(45deg);
}
.remember-opts {
    display: flex;
    flex-direction: column;
    gap: 4px;
    margin: 4px 0 0 22px;
    padding: 0;
    background: none;
    border-left: none;
    border-radius: 0;
}
.remember-opt {
    display: flex;
    align-items: center;
    gap: 7px;
    font-size: 11.5px;
    color: var(--text-dim);
    cursor: pointer;
}
.remember-opt > span {
    display: inline-flex;
    align-items: center;
    gap: 5px;
}
/* ---- Spacing in unlock box ---- */
.unlock-box .remember-section {
    margin-top: 6px;
}
#btn-unlock {
    margin-top: 6px;
}
/* ---- Custom radio ---- */
.remember-opt input[type="radio"] {
    -webkit-appearance: none;
    appearance: none;
    width: 14px;
    height: 14px;
    min-width: 14px;
    border: 1.5px solid var(--border2);
    background: var(--bg3);
    border-radius: 50%;
    cursor: pointer;
    flex-shrink: 0;
    position: relative;
    transition: border-color var(--transition);
}
.remember-opt input[type="radio"]:hover {
    border-color: var(--accent-h);
}
.remember-opt input[type="radio"]::after {
    content: "";
    position: absolute;
    top: 50%;
    left: 50%;
    width: 6px;
    height: 6px;
    margin: -3px 0 0 -3px;
    border-radius: 50%;
    background: var(--accent);
    transform: scale(0);
    transition: transform var(--transition);
}
.remember-opt input[type="radio"]:checked {
    border-color: var(--accent);
}
.remember-opt input[type="radio"]:checked::after {
    transform: scale(1);
}
.remember-opt.disabled {
    opacity: 0.4;
    pointer-events: none;
    cursor: default;
}
.remember-opt.disabled input[type="radio"] {
    cursor: default;
}
.remember-opt-badge {
    font-size: 10px;
    font-weight: 500;
    color: var(--text-dim);
    background: rgba(133, 133, 133, 0.1);
    border: 1px solid rgba(133, 133, 133, 0.2);
    border-radius: 3px;
    padding: 1px 5px;
    margin-left: 4px;
    vertical-align: middle;
    white-space: nowrap;
    pointer-events: none;
}

/* ============================================================
   SESSION BADGE  (on container cards — Home view)
   ============================================================ */
.session-badge {
    position: absolute;
    bottom: 10px;
    left: 30px;
    display: inline-flex;
    align-items: center;
    gap: 5px;
    font-size: 11px;
    color: var(--accent2);
    background: rgba(78, 201, 176, 0.1);
    border: 1px solid rgba(78, 201, 176, 0.3);
    border-radius: var(--r);
    padding: 3px 8px;
    cursor: pointer;
    user-select: none;
    transition: background var(--transition);
}
.session-badge:hover {
    background: rgba(78, 201, 176, 0.22);
}

/* ============================================================
   FOLDER WINDOW  (floating explorer window)
   ============================================================ */
.folder-window {
    position: absolute;
    background: var(--bg2);
    border: 1px solid var(--border2);
    border-radius: var(--r);
    box-shadow: var(--shadow);
    display: flex;
    flex-direction: column;
    overflow: hidden;
    min-width: 420px;
    min-height: 260px;
}

/* Title bar */
.fw-titlebar {
    height: 32px;
    min-height: 32px;
    background: var(--bg3);
    border-bottom: 1px solid var(--border);
    display: flex;
    align-items: center;
    padding: 0 6px;
    gap: 6px;
    user-select: none;
    flex-shrink: 0;
}
.fw-drag-area {
    flex: 1;
    display: flex;
    align-items: center;
    gap: 6px;
    cursor: move;
    min-width: 0;
    overflow: hidden;
}
.fw-folder-icon {
    flex-shrink: 0;
    width: 18px;
    height: 18px;
    display: flex;
    align-items: center;
}
.fw-folder-icon svg {
    width: 18px;
    height: 18px;
}
.fw-title {
    font-size: 12px;
    font-weight: 600;
    color: var(--text-bright);
    white-space: nowrap;
    overflow: hidden;
    text-overflow: ellipsis;
}
.fw-controls {
    display: flex;
    gap: 1px;
    flex-shrink: 0;
}
.fw-btn {
    background: none;
    border: none;
    padding: 4px 5px;
    border-radius: var(--r);
    color: var(--text-dim);
    cursor: pointer;
    display: flex;
    align-items: center;
    justify-content: center;
    transition:
        background var(--transition),
        color var(--transition);
}
.fw-btn:hover {
    background: var(--bg5);
    color: var(--text);
}
.fw-btn.close:hover {
    background: var(--red);
    color: #fff;
}

/* Toolbar */
.fw-toolbar {
    height: 30px;
    min-height: 30px;
    background: var(--bg2);
    border-bottom: 1px solid var(--border);
    display: flex;
    align-items: center;
    padding: 0 6px;
    gap: 4px;
    overflow: hidden;
    flex-shrink: 0;
}
.fw-breadcrumb {
    flex: 1;
    display: flex;
    align-items: center;
    font-size: 11px;
    color: var(--text-dim);
    min-width: 0;
    overflow: hidden;
    margin-left: 4px;
    background: var(--bg);
    border: 1px solid var(--border);
    border-radius: var(--r);
    padding: 2px 6px;
}
.fw-bc-item {
    color: var(--text-dim);
    cursor: pointer;
    white-space: nowrap;
    overflow: hidden;
    text-overflow: ellipsis;
    padding: 1px 3px;
    border-radius: var(--r);
    transition:
        color var(--transition),
        background var(--transition);
}
.fw-bc-item:hover {
    color: var(--text);
    background: var(--bg3);
}
.fw-bc-item.current {
    color: var(--accent);
    cursor: default;
}
.fw-bc-item.current:hover {
    background: transparent;
}
.fw-bc-sep {
    color: var(--border2);
    flex-shrink: 0;
    padding: 0 1px;
}

/* Content area */
.fw-area {
    flex: 1;
    position: relative;
    overflow-x: auto;
    overflow-y: auto;
    overscroll-behavior: none;
    outline: none;
    background: #1e1e1e;
    background-image: radial-gradient(circle, #2a2a2a 1px, transparent 1px);
    background-size: calc(24px * var(--icon-scale)) calc(24px * var(--icon-scale));
    min-height: 0;
    min-width: 0;
}
.fw-canvas {
    position: absolute;
    top: 0;
    left: 0;
    pointer-events: none;
    min-width: 1px;
    min-height: 1px;
}

/* Status bar */
.fw-statusbar {
    height: 22px;
    min-height: 22px;
    background: var(--bg2);
    border-top: 1px solid var(--border);
    display: flex;
    align-items: center;
    padding: 0 10px;
    font-size: 11px;
    color: var(--text-dim);
    flex-shrink: 0;
}

/* ============================================================
   CONTEXT MENU SUBMENU ARROW
   ============================================================ */
.ctx-item-arrow {
    margin-left: auto;
    padding-left: 8px;
    font-size: 12px;
    opacity: 0.6;
}

/* ============================================================
   CONTEXT MENU KEY HINT (right-side auth indicator)
   ============================================================ */
.ctx-item-key-hint {
    margin-left: auto;
    padding-left: 8px;
    display: flex;
    align-items: center;
    flex-shrink: 0;
}

/* ============================================================
   FOLDER WINDOW RESIZE HANDLE
   ============================================================ */
.fw-resize-handle {
    position: absolute;
    bottom: 0;
    right: 0;
    width: 16px;
    height: 16px;
    cursor: se-resize;
    z-index: 10;
    border-radius: 0 0 var(--r) 0;
    background: linear-gradient(135deg, transparent 40%, var(--border2) 40%, var(--border2) 50%, transparent 50%, transparent 60%, var(--border2) 60%, var(--border2) 70%, transparent 70%, transparent 80%, var(--border2) 80%, var(--border2) 90%, transparent 90%);
}

/* ============================================================
   FILE HOVER TOOLTIP
   ============================================================ */
.file-tooltip {
    position: fixed;
    background: var(--bg3);
    border: 1px solid var(--border2);
    border-radius: var(--r);
    box-shadow: var(--shadow-sm);
    padding: 8px 12px;
    min-width: 180px;
    max-width: 300px;
    z-index: 99999;
    pointer-events: none;
    font-size: 12px;
    line-height: 1.6;
    animation: tooltipIn 0.12s ease;
}
.file-tooltip .ft-name {
    font-weight: 600;
    color: var(--text-bright);
    margin-bottom: 5px;
    overflow: hidden;
    text-overflow: ellipsis;
    white-space: nowrap;
}
.file-tooltip .ft-row {
    color: var(--text-dim);
}
@keyframes tooltipIn {
    from {
        opacity: 0;
        transform: translateY(-3px);
    }
    to {
        opacity: 1;
        transform: translateY(0);
    }
}

/* ============================================================
   CUT ITEM VISUAL FEEDBACK
   ============================================================ */
.file-item.cut-item {
    opacity: 0.45;
    filter: saturate(0.3);
    transition:
        opacity 0.15s,
        filter 0.15s;
}

/* ============================================================
   ICON APPEAR ANIMATION
   ============================================================ */
@keyframes iconPop {
    from {
        opacity: 0;
        transform: scale(calc(var(--icon-scale) * 0.72));
    }
    to {
        opacity: 1;
        transform: scale(var(--icon-scale));
    }
}

/* ============================================================
   SETTINGS MODAL
   ============================================================ */
.modal-settings {
    width: 560px;
    height: 500px;
    display: flex;
    flex-direction: column;
    overflow: hidden;
}
.settings-tabs {
    display: flex;
    border-bottom: 1px solid var(--border);
    flex-shrink: 0;
}
.settings-tab {
    flex: 1;
    padding: 10px 0;
    background: none;
    border: none;
    color: var(--text-dim);
    font-size: 13px;
    font-weight: 500;
    cursor: pointer;
    border-bottom: 2px solid transparent;
    transition:
        color var(--transition),
        border-color var(--transition);
}
.settings-tab:hover {
    color: var(--text);
}
.settings-tab.active {
    color: var(--accent);
    border-bottom-color: var(--accent);
}
.settings-panel {
    padding: 20px;
    display: flex;
    flex-direction: column;
    gap: 16px;
    flex: 1;
    overflow-y: auto;
}
.settings-section {
    display: flex;
    flex-direction: column;
    gap: 14px;
}
.settings-row {
    display: flex;
    align-items: center;
    justify-content: space-between;
    gap: 12px;
}
.settings-label {
    display: inline-flex;
    align-items: center;
    font-size: 13px;
    color: var(--text);
    white-space: nowrap;
}
.settings-toggle-group {
    display: flex;
    gap: 0;
    border: 1px solid var(--border2);
    border-radius: var(--r);
    overflow: hidden;
}
.settings-toggle-btn {
    padding: 5px 14px;
    font-size: 12px;
    background: none;
    border: none;
    color: var(--text-dim);
    cursor: pointer;
    transition:
        background var(--transition),
        color var(--transition);
}
.settings-toggle-btn:not(:last-child) {
    border-right: 1px solid var(--border2);
}
.settings-toggle-btn:hover {
    background: var(--bg3);
    color: var(--text);
}
.settings-toggle-btn.active {
    background: var(--accent);
    color: #fff;
}

/* Switch toggle */
.switch {
    position: relative;
    display: inline-block;
    width: 36px;
    height: 20px;
    flex-shrink: 0;
}
.switch input {
    opacity: 0;
    width: 0;
    height: 0;
}
.switch-slider {
    position: absolute;
    inset: 0;
    background: var(--bg4);
    border-radius: 10px;
    cursor: pointer;
    transition: background 0.2s;
}
.switch-slider::before {
    content: "";
    position: absolute;
    width: 14px;
    height: 14px;
    left: 3px;
    top: 3px;
    background: #fff;
    border-radius: 50%;
    transition: transform 0.2s;
}
.switch input:checked + .switch-slider {
    background: var(--accent);
}
.switch input:checked + .switch-slider::before {
    transform: translateX(16px);
}
.switch input:checked + .switch-slider-danger {
    background: var(--red);
}

/* ── Danger Zone (Duress) ────────────────────────────────────── */
.danger-zone-section {
    margin-top: 4px;
}
.danger-zone-title {
    color: var(--red);
    border-color: rgba(244, 71, 71, 0.3);
}
.danger-zone-body {
    padding: 12px;
    background: rgba(244, 71, 71, 0.06);
    border: 1px solid rgba(244, 71, 71, 0.22);
    border-radius: var(--r);
}
.danger-zone-header {
    display: flex;
    align-items: flex-start;
    justify-content: space-between;
    gap: 12px;
}
.danger-zone-label {
    font-size: 13px;
    font-weight: 500;
    color: var(--text);
    display: flex;
    align-items: center;
    gap: 5px;
}
.danger-zone-label svg {
    flex-shrink: 0;
}
.danger-zone-desc {
    font-size: 12px;
    color: var(--text-dim);
    margin-top: 5px;
    line-height: 1.5;
}
.danger-zone-switch {
    flex-shrink: 0;
    margin-top: 2px;
}

/* Duress form animated expand/collapse */
#duress-form {
    max-height: 0;
    opacity: 0;
    overflow: hidden;
    margin-top: 0;
    transition:
        max-height 0.3s ease,
        opacity 0.3s ease,
        margin-top 0.3s ease;
}
#duress-form.open {
    max-height: 300px;
    opacity: 1;
    margin-top: 10px;
}
.duress-fg {
    margin-bottom: 8px;
}
.duress-fl {
    font-size: 12px;
}
.duress-hint {
    font-size: 11px;
    color: var(--text-dim);
    font-weight: 400;
}
.duress-set-error {
    display: none;
    font-size: 12px;
    color: var(--red);
    margin-top: 4px;
    margin-bottom: 4px;
}
.duress-set-btn {
    width: 100%;
    margin-top: 2px;
}

/* Duress active-info block */
.duress-active-info {
    display: none;
    margin-top: 10px;
}
.duress-active-badge {
    font-size: 11px;
    color: var(--red);
    display: flex;
    align-items: center;
    gap: 5px;
    margin-bottom: 8px;
}
.duress-active-dot {
    width: 6px;
    height: 6px;
    background: var(--red);
    border-radius: 50%;
    display: inline-block;
    flex-shrink: 0;
}
.duress-remove-btn {
    width: 100%;
    font-size: 12px;
}

/* Stats */
.stats-grid {
    display: grid;
    grid-template-columns: repeat(3, 1fr);
    gap: 10px;
}
.stats-card {
    background: var(--bg3);
    border: 1px solid var(--border);
    border-radius: var(--r);
    padding: 12px 14px;
    display: flex;
    flex-direction: column;
    gap: 4px;
}
.stats-card-value {
    font-size: 17px;
    font-weight: 600;
    color: var(--text-bright);
    overflow: hidden;
    text-overflow: ellipsis;
    white-space: nowrap;
}
.stats-card-label {
    font-size: 11px;
    color: var(--text-dim);
    text-transform: uppercase;
    letter-spacing: 0.5px;
}
.stats-chart-wrap {
    margin-top: 10px;
}
.stats-bar-chart {
    display: flex;
    flex-direction: column;
    gap: 6px;
}
.stats-bar-row {
    display: flex;
    align-items: center;
    gap: 8px;
    font-size: 12px;
    color: var(--text-dim);
}
.stats-bar-row-label {
    width: 70px;
    text-align: right;
    flex-shrink: 0;
    overflow: hidden;
    text-overflow: ellipsis;
    white-space: nowrap;
}
.stats-bar-row-track {
    flex: 1;
    height: 8px;
    background: var(--bg4);
    border-radius: var(--r);
    overflow: hidden;
}
.stats-bar-row-fill {
    height: 100%;
    border-radius: var(--r);
    transition: width 0.4s ease;
}
.stats-bar-row-meta {
    display: flex;
    flex-direction: column;
    align-items: flex-end;
    width: 52px;
    flex-shrink: 0;
    font-size: 11px;
    color: var(--text-dim);
    line-height: 1.4;
}
.stats-bar-row-meta-size {
    font-size: 10px;
    opacity: 0.65;
}
.stats-storage-bar {
    height: 14px;
    background: var(--bg4);
    border-radius: var(--r);
    overflow: hidden;
    position: relative;
}
.stats-storage-fill {
    height: 100%;
    border-radius: var(--r);
    background: var(--accent);
    transition: width 0.4s ease;
}
.stats-storage-text {
    position: absolute;
    inset: 0;
    display: flex;
    align-items: center;
    justify-content: center;
    font-size: 10px;
    color: #fff;
    font-weight: 600;
    text-shadow: 0 1px 2px rgba(0, 0, 0, 0.5);
}
.stats-storage-labels {
    display: flex;
    justify-content: space-between;
    margin-top: 5px;
    font-size: 11px;
    color: var(--text-dim);
}
.stats-top-files {
    display: flex;
    flex-direction: column;
    gap: 4px;
}
.stats-top-file {
    display: flex;
    align-items: center;
    gap: 8px;
    padding: 5px 8px;
    background: var(--bg3);
    border: 1px solid var(--border);
    border-radius: var(--r);
    min-width: 0;
}
.stats-top-file-dot {
    width: 8px;
    height: 8px;
    border-radius: var(--r);
    flex-shrink: 0;
}
.stats-top-file-name {
    flex: 1;
    font-size: 12px;
    color: var(--text);
    overflow: hidden;
    text-overflow: ellipsis;
    white-space: nowrap;
    min-width: 0;
}
.stats-top-file-size {
    flex-shrink: 0;
    font-size: 11px;
    color: var(--text-dim);
    font-family: var(--mono);
}

/* ============================================================
   ACTIVITY LOGS
   ============================================================ */
.alog-toolbar {
    display: flex;
    align-items: center;
    gap: 8px;
    padding: 10px 16px 8px;
    border-bottom: 1px solid var(--border);
}
.alog-filters {
    display: flex;
    flex-wrap: wrap;
    gap: 4px;
    flex: 1;
    min-width: 0;
}
.alog-filter {
    display: inline-flex;
    align-items: center;
    gap: 4px;
    padding: 3px 8px;
    border-radius: 3px;
    font-size: 11px;
    border: 1px solid var(--border2);
    background: transparent;
    color: var(--text-dim);
    cursor: pointer;
    transition:
        background 0.15s,
        border-color 0.15s,
        color 0.15s;
    white-space: nowrap;
}
.alog-filter.active {
    color: var(--text);
    border-color: var(--accent);
    background: color-mix(in srgb, var(--accent) 8%, transparent);
}
.alog-filter:hover {
    background: var(--bg3);
}
.alog-filter-count {
    font-size: 10px;
    opacity: 0.5;
    font-weight: 600;
}
.alog-clear-btn {
    display: inline-flex;
    align-items: center;
    gap: 4px;
    padding: 4px 10px;
    border: 1px solid var(--border2);
    background: transparent;
    color: var(--text-dim);
    border-radius: var(--r);
    font-size: 11px;
    cursor: pointer;
    white-space: nowrap;
    flex-shrink: 0;
    transition:
        color 0.15s,
        border-color 0.15s;
}
.alog-clear-btn:hover {
    color: var(--red, #e74856);
    border-color: var(--red, #e74856);
}
.alog-list {
    height: 300px;
    overflow-y: auto;
}
.alog-group {
    padding: 6px 16px 4px;
    font-size: 10px;
    font-weight: 600;
    text-transform: uppercase;
    letter-spacing: 0.5px;
    color: var(--text-dim);
    background: var(--bg3);
    border-bottom: 1px solid var(--border);
    position: sticky;
    top: 0;
    z-index: 1;
}
.alog-item {
    display: flex;
    align-items: center;
    gap: 10px;
    padding: 7px 16px;
    border-bottom: 1px solid var(--border);
    font-size: 12.5px;
}
.alog-badge {
    display: inline-flex;
    align-items: center;
    justify-content: center;
    min-width: 80px;
    padding: 2px 8px;
    border-radius: 3px;
    font-size: 11px;
    font-weight: 500;
    white-space: nowrap;
    flex-shrink: 0;
    color: var(--bc);
    background: color-mix(in srgb, var(--bc) 12%, transparent);
    border: 1px solid color-mix(in srgb, var(--bc) 28%, transparent);
}
.alog-detail {
    flex: 1;
    min-width: 0;
    display: flex;
    flex-direction: column;
    gap: 2px;
    overflow: hidden;
}
.alog-detail-main {
    overflow: hidden;
    text-overflow: ellipsis;
    white-space: nowrap;
    color: var(--text);
}
.alog-path-chip {
    display: block;
    max-width: 100%;
    overflow: hidden;
    text-overflow: ellipsis;
    white-space: nowrap;
    font-family: var(--mono);
    font-size: 10px;
    color: var(--text-dim);
    background: var(--bg3);
    border: 1px solid var(--border);
    border-radius: 3px;
    padding: 0 5px;
    line-height: 17px;
    letter-spacing: 0.02em;
    cursor: default;
    user-select: text;
    margin-top: 1px;
}
.alog-path-chip:hover {
    color: var(--text);
    border-color: var(--border2);
}
.alog-paths {
    display: flex;
    align-items: center;
    gap: 4px;
    min-width: 0;
    margin-top: 1px;
}
.alog-paths > .alog-path-chip {
    display: inline-block;
    max-width: calc(50% - 10px);
    flex: 0 1 auto;
    margin-top: 0;
}
.alog-arrow {
    flex-shrink: 0;
    font-size: 11px;
    color: var(--text-dim);
}
.alog-time {
    flex-shrink: 0;
    font-size: 11px;
    color: var(--text-dim);
    align-self: flex-start;
    padding-top: 2px;
}
.alog-off,
.alog-empty {
    display: flex;
    flex-direction: column;
    align-items: center;
    justify-content: center;
    height: 340px;
    color: var(--text-dim);
    gap: 12px;
    padding: 0 24px;
}
.alog-off-text {
    font-size: 13px;
}

/* ============================================================
   SETTINGS SUB-OPTION ROW
   ============================================================ */
.settings-sub-row {
    padding-left: 28px;
    position: relative;
}
.settings-sub-indicator {
    position: absolute;
    left: 12px;
    top: -6px;
    width: 10px;
    height: calc(50% + 4px);
    border-left: 1.5px solid var(--border2);
    border-bottom: 1.5px solid var(--border2);
    border-radius: 0;
}
.settings-sub-row.disabled {
    opacity: 0.35;
    pointer-events: none;
}

/* ============================================================
   CONTAINER INTEGRITY SCANNER MODAL
   ============================================================ */
.modal-scanner {
    width: 560px;
    min-width: 520px;
    max-width: 620px;
    height: 500px;
    display: flex;
    flex-direction: column;
    overflow: hidden;
}
.scanner-body {
    display: flex;
    flex-direction: column;
    gap: 14px;
    padding: 18px 20px !important;
    flex: 1 1 0;
    min-height: 0;
    overflow: hidden;
}
.scanner-desc {
    display: flex;
    align-items: flex-start;
    gap: 12px;
    flex-shrink: 0;
}
.scanner-shield {
    flex-shrink: 0;
    color: var(--accent);
    opacity: 0.7;
    margin-top: 2px;
}
.scanner-desc-title {
    font-size: 13px;
    font-weight: 600;
    color: var(--text);
    margin-bottom: 3px;
}
.scanner-desc-text {
    font-size: 11.5px;
    color: var(--text-dim);
    line-height: 1.55;
}
.scanner-log {
    border: 1px solid var(--border2);
    border-radius: var(--r);
    background: var(--bg2);
    padding: 10px 12px;
    font-size: 12px;
    font-family: var(--font);
    flex: 1 1 0;
    min-height: 0;
    overflow-y: auto;
    display: flex;
    flex-direction: column;
    gap: 0;
}
.scanner-log:empty {
    /* Placeholder-like appearance before scan starts */
    background: color-mix(in srgb, var(--bg2) 80%, transparent);
}
.scanner-step {
    display: flex;
    align-items: center;
    gap: 8px;
    height: 26px;
    min-height: 26px;
    max-height: 26px;
    padding: 0;
    color: var(--text-dim);
    font-size: 12px;
    line-height: 26px;
    contain: layout style;
}
.scanner-step-icon {
    flex-shrink: 0;
    width: 16px;
    height: 16px;
    display: flex;
    align-items: center;
    justify-content: center;
    overflow: hidden;
}
.scanner-step-icon .spinner {
    width: 12px;
    height: 12px;
    border: 1.5px solid var(--border2);
    border-top-color: var(--accent);
    border-radius: 50%;
    animation: spin 0.6s linear infinite;
}
@keyframes spin {
    to {
        transform: rotate(360deg);
    }
}
.scanner-step-icon svg {
    display: block;
}
.scanner-step.pass .scanner-step-icon {
    color: #34d399;
}
.scanner-step.fail .scanner-step-icon {
    color: #e74856;
}
.scanner-step.warn .scanner-step-icon {
    color: #f59e0b;
}
.scanner-step .scanner-step-label {
    flex: 1;
}
.scanner-step .scanner-step-result {
    font-size: 11px;
    color: var(--text-dim);
    opacity: 0.7;
    white-space: nowrap;
}
.scanner-step.fail .scanner-step-result {
    color: #e74856;
    opacity: 1;
}
.scanner-step.warn .scanner-step-result {
    color: #f59e0b;
    opacity: 1;
}
.scanner-summary {
    border-radius: var(--r);
    padding: 12px 14px;
    font-size: 12.5px;
    display: flex;
    align-items: center;
    gap: 10px;
    flex-shrink: 0;
}
.scanner-summary.healthy {
    background: color-mix(in srgb, #34d399 8%, var(--bg2));
    border: 1px solid color-mix(in srgb, #34d399 25%, transparent);
    color: #34d399;
}
.scanner-summary.issues {
    background: color-mix(in srgb, #f59e0b 8%, var(--bg2));
    border: 1px solid color-mix(in srgb, #f59e0b 25%, transparent);
    color: #f59e0b;
}
.scanner-summary.repaired {
    background: color-mix(in srgb, #34d399 8%, var(--bg2));
    border: 1px solid color-mix(in srgb, #34d399 25%, transparent);
    color: #34d399;
}
.scanner-summary.critical {
    background: color-mix(in srgb, #e74856 8%, var(--bg2));
    border: 1px solid color-mix(in srgb, #e74856 25%, transparent);
    color: #e74856;
}
.scanner-summary.warnings {
    background: color-mix(in srgb, #60a5fa 8%, var(--bg2));
    border: 1px solid color-mix(in srgb, #60a5fa 25%, transparent);
    color: #60a5fa;
}
.scanner-summary svg {
    flex-shrink: 0;
}
.scanner-summary-text {
    line-height: 1.5;
}
.scanner-summary-text strong {
    font-weight: 600;
    color: var(--text);
}
.btn-deep-clean {
    background: color-mix(in srgb, #e74856 15%, var(--bg2));
    border-color: color-mix(in srgb, #e74856 40%, transparent);
    color: #e74856;
}
.btn-deep-clean:hover {
    background: color-mix(in srgb, #e74856 25%, var(--bg2));
    border-color: #e74856;
}

/* ── Repair confirmation overlay (above scanner modal) ── */
.repair-confirm-overlay {
    position: fixed;
    inset: 0;
    z-index: 9000;
    background: rgba(0, 0, 0, 0.55);
    display: flex;
    align-items: center;
    justify-content: center;
    opacity: 0;
    pointer-events: none;
    transition: opacity 0.18s ease;
}
.repair-confirm-overlay.show {
    opacity: 1;
    pointer-events: auto;
}
.repair-confirm-dialog {
    background: var(--bg);
    border: 1px solid var(--border);
    border-radius: var(--r2);
    padding: 28px 28px 22px;
    max-width: 400px;
    text-align: center;
    display: flex;
    flex-direction: column;
    align-items: center;
    gap: 10px;
    box-shadow: 0 12px 40px rgba(0, 0, 0, 0.5);
}
.repair-confirm-icon {
    color: #f59e0b;
}
.repair-confirm-title {
    font-size: 14px;
    font-weight: 600;
    color: var(--text);
}
.repair-confirm-text {
    font-size: 12.5px;
    color: var(--text-dim);
    line-height: 1.6;
}
.repair-confirm-actions {
    display: flex;
    gap: 8px;
    margin-top: 8px;
    flex-wrap: wrap;
    justify-content: center;
}

/* ============================================================
   AUTH DOT (red dot in context menu)
   ============================================================ */
.auth-dot {
    width: 6px;
    height: 6px;
    border-radius: 50%;
    background: #e74856;
    display: inline-block;
    flex-shrink: 0;
}

/* Burger button + dropdown: hidden by default (desktop) */
.topbar-burger {
    display: none;
}
.topbar-dropdown {
    display: none;
}

/* ============================================================
   EXTRACTED INLINE STYLES
   ============================================================ */

/* Home warning box */
.home-warning-box > svg {
    flex-shrink: 0;
    margin-top: 2px;
}
.home-warning-box > div {
    flex: 1;
}

/* Unlock crypto info */
.unlock-crypto-info {
    text-align: center;
    font-size: 11px;
    color: var(--text-dim);
    margin-top: 4px;
}

/* Taskbar lock button */
#btn-lock-taskbar {
    margin-left: 8px;
}

/* Hidden file inputs */
#file-input,
#import-container-input {
    display: none;
}

/* Notice-box consecutive spacing */
.notice-box + .notice-box {
    margin-top: 10px;
}

/* Agree checkbox label */
.agree-label {
    display: flex;
    align-items: center;
    gap: 9px;
    margin-top: 10px;
    cursor: pointer;
    user-select: none;
}
.agree-cb {
    width: 15px;
    height: 15px;
    accent-color: var(--accent);
    cursor: pointer;
    flex-shrink: 0;
}
.agree-text {
    font-size: 12px;
    color: var(--text-dim);
    line-height: 1.4;
}

/* Modal header actions */
.modal-header-actions {
    display: flex;
    gap: 6px;
    align-items: center;
}

/* Editor meta modified */
#editor-meta-modified {
    color: var(--orange);
}

/* Unsaved changes dialog */
.unsaved-overlay {
    position: absolute;
    inset: 0;
    background: rgba(0, 0, 0, 0.58);
    z-index: 20;
    align-items: center;
    justify-content: center;
}
.unsaved-dialog {
    background: var(--bg2);
    border: 1px solid var(--border2);
    border-radius: var(--r);
    padding: 24px;
    min-width: 300px;
    max-width: 90%;
    display: flex;
    flex-direction: column;
    gap: 16px;
    box-shadow: var(--shadow);
}
.unsaved-title {
    font-size: 14px;
    font-weight: 600;
    color: var(--text-bright);
}
.unsaved-msg {
    font-size: 13px;
    color: var(--text-dim);
    line-height: 1.5;
}
.unsaved-actions {
    display: flex;
    gap: 8px;
    justify-content: flex-end;
    flex-wrap: wrap;
}

/* Modal title variants */
.modal-title-danger {
    color: var(--red);
}
.modal-title-warn {
    color: var(--orange);
}

/* Modal text variants */
.modal-text {
    font-size: 13px;
    line-height: 1.6;
}
.modal-text-dim {
    font-size: 13px;
    line-height: 1.6;
    color: var(--text-dim);
}
.modal-secondary {
    font-size: 12px;
    color: var(--text-dim);
    line-height: 1.6;
}

/* Modal specific widths */
#modal-new-container,
#modal-del-container,
#modal-change-pw,
#modal-rename-container {
    min-width: 420px;
}
#modal-rename,
#modal-delete,
#modal-new-text,
#modal-new-folder,
#modal-export-confirm {
    min-width: 340px;
}
#modal-session-conflict,
#modal-import-pw {
    min-width: 380px;
}
#modal-alog-disable,
#modal-alog-clear {
    min-width: 320px;
}
#modal-export-pw {
    width: 400px;
    min-width: 360px;
    max-width: 400px;
}
#modal-settings {
    min-width: 520px;
    max-width: 620px;
}

/* Session conflict gap */
#modal-session-conflict .modal-body {
    gap: 10px;
}

/* Delete container warning */
.dc-warn-title {
    font-weight: 700;
    font-size: 14px;
    color: var(--red);
    margin-bottom: 4px;
}
.dc-warn-text {
    font-size: 12px;
    color: var(--text-dim);
    line-height: 1.5;
}
#dc-name {
    color: var(--text);
}
#dc-msg {
    font-size: 13px;
    line-height: 1.6;
    margin-top: 8px;
}

/* Export modal header */
.exp-header {
    display: flex;
    align-items: center;
    gap: 10px;
}
.exp-icon {
    width: 32px;
    height: 32px;
    border-radius: 8px;
    background: rgba(0, 120, 212, 0.12);
    display: flex;
    align-items: center;
    justify-content: center;
    flex-shrink: 0;
}
.exp-icon > svg {
    color: var(--accent);
}
.exp-subtitle {
    font-size: 11px;
    color: var(--text-dim);
    margin-top: 1px;
}

/* Export modal body/footer */
#modal-export-pw .modal-body {
    gap: 12px;
}
.notice-box.accent {
    border-left-color: var(--accent);
}
.notice-box.accent > svg {
    color: var(--accent);
}
.code-tag {
    background: var(--bg4);
    padding: 1px 4px;
    border-radius: 3px;
    font-size: 11px;
}
#ec-filename {
    font-weight: 600;
}
.modal-footer-split {
    justify-content: space-between;
    align-items: center;
}
.encrypt-label {
    font-size: 11px;
    color: var(--text-dim);
    display: flex;
    align-items: center;
    gap: 5px;
}
.modal-actions {
    display: flex;
    gap: 8px;
}

/* Export confirm notice spacing */
#modal-export-confirm .notice-box {
    margin-top: 8px;
}

/* Import modal text spacing */
#modal-import-pw .modal-text {
    margin-bottom: 8px;
}

/* Settings modal body */
#modal-settings .modal-body {
    padding: 0;
}
.settings-section + .settings-section {
    margin-top: 4px;
}
.settings-desc {
    font-size: 12px;
    color: var(--text-dim);
    line-height: 1.5;
    margin-bottom: 8px;
}
.settings-label-block {
    display: block;
    margin-bottom: 8px;
}

/* Activity logs SVG opacity */
#alog-off > svg {
    opacity: 0.45;
}
#alog-empty > svg {
    opacity: 0.35;
}

/* TWC bar background */
#twc-bar-fill {
    background: var(--purple);
}

/* Eye-closed SVG initial state */
.eye-closed {
    display: none;
}

/* ============================================================
   MOBILE RESPONSIVE
   ============================================================ */
@media (max-width: 640px) {
    /* Header */
    .app-header {
        padding: 0 10px;
        gap: 8px;
    }
    .header-logo span {
        font-size: 14px;
    }
    .header-logo small {
        display: none;
    }
    .header-actions .btn {
        padding: 5px 8px;
        font-size: 11px;
        gap: 4px;
    }
    .header-actions .btn svg {
        width: 12px;
        height: 12px;
    }

    /* Home body */
    .home-body {
        padding: 12px;
        gap: 14px;
    }
    .container-grid {
        grid-template-columns: 1fr;
        gap: 10px;
    }
    .container-card {
        padding: 14px;
    }
    .home-warning-box {
        font-size: 11px;
        padding: 10px;
    }

    /* Storage footer */
    .storage-footer {
        padding: 10px 12px;
    }

    /* Desktop topbar — show only back + breadcrumb + burger */
    .desktop-topbar {
        padding: 0 8px;
        gap: 6px;
        height: 44px;
        min-height: 44px;
    }
    .desktop-topbar .btn-sm:not(.topbar-burger):not(#btn-lock) {
        display: none;
    }
    .desktop-topbar .separator {
        display: none;
    }
    .topbar-burger {
        display: flex;
        align-items: center;
        gap: 5px;
        margin-left: auto;
        flex-shrink: 0;
        font-size: 13px;
        font-weight: 500;
        padding: 6px 10px;
    }
    .breadcrumb {
        font-size: 12px;
    }

    /* Burger dropdown — fixed so it overlays the view without breaking layout */
    .topbar-dropdown {
        position: fixed;
        top: 44px;
        left: 0;
        right: 0;
        z-index: 7500;
        background: var(--bg2);
        border-bottom: 1px solid var(--border);
        box-shadow: 0 6px 20px rgba(0, 0, 0, 0.55);
        display: flex;
        flex-direction: column;
        transform: translateY(-8px);
        opacity: 0;
        pointer-events: none;
        transition:
            transform 0.18s ease,
            opacity 0.18s ease;
        /* Ensure a stable compositing layer for the entire animation so that
           text inside does not snap/jump at the end of the enter transition
           (Firefox sub-pixel GPU layer promotion artefact). */
        will-change: transform, opacity;
        backface-visibility: hidden;
    }
    .topbar-dropdown.open {
        transform: translateY(0);
        opacity: 1;
        pointer-events: all;
    }
    .topbar-dd-item {
        display: flex;
        align-items: center;
        gap: 12px;
        padding: 13px 18px;
        font-size: 14px;
        font-family: var(--font);
        color: var(--text);
        background: none;
        border: none;
        cursor: pointer;
        text-align: left;
        transition: background var(--transition);
        -webkit-tap-highlight-color: transparent;
    }
    .topbar-dd-item:hover,
    .topbar-dd-item:active {
        background: var(--bg3);
    }
    .topbar-dd-item svg {
        flex-shrink: 0;
        color: var(--text-dim);
    }
    .topbar-dd-sep {
        height: 1px;
        background: var(--border);
        margin: 2px 0;
    }

    /* Taskbar */
    .taskbar {
        padding: 0 8px;
        gap: 6px;
        height: 36px;
        min-height: 36px;
    }
    .taskbar-container-name {
        font-size: 12px;
    }
    .taskbar-storage {
        font-size: 10px;
    }
    .taskbar-bar-wrap {
        width: 50px;
    }
    #btn-lock-taskbar {
        font-size: 11px;
        padding: 5px 8px;
    }

    /* Context menu */
    .ctx-menu {
        min-width: 180px;
    }
    .ctx-item {
        padding: 11px 16px;
        font-size: 14px;
    }

    /* Modals */
    .modal {
        min-width: 0 !important;
        width: 95vw;
        max-width: 95vw;
    }
    .modal-editor {
        width: 98vw !important;
        height: 90vh !important;
    }
    .modal-viewer {
        width: 98vw !important;
        height: 90vh !important;
    }
    .modal-settings {
        width: 95vw !important;
        max-height: 85vh !important;
    }

    /* Prevent iOS auto-zoom on input focus (font-size must be ≥16px) */
    .input,
    textarea.code-editor {
        font-size: 16px !important;
    }

    /* Folder windows: full-screen on mobile, leave room for taskbar */
    .folder-window {
        position: fixed !important;
        left: 0 !important;
        top: 0 !important;
        width: 100vw !important;
        height: calc(100dvh - 37px) !important;
        min-width: unset !important;
        min-height: unset !important;
        border-radius: 0;
        z-index: 7800 !important;
    }
    .fw-resize {
        display: none !important;
    }

    .stats-grid {
        grid-template-columns: 1fr 1fr;
        gap: 8px;
    }
    .stats-card-value {
        font-size: 16px;
    }

    /* Unlock view */
    .unlock-box {
        padding: 24px 20px;
        max-width: 95vw;
    }
    .unlock-title {
        font-size: 18px;
    }

    /* Toast */
    #toast-container {
        bottom: 46px;
        right: 8px;
        left: 8px;
    }
    .toast {
        max-width: 100%;
    }
}

/* Prevent touch callout and text selection on interactive areas */
@media (pointer: coarse) {
    .desktop-area,
    .fw-area,
    .file-item,
    .ctx-item,
    .container-card {
        -webkit-touch-callout: none;
        -webkit-tap-highlight-color: transparent;
    }
    .ctx-item {
        padding: 10px 14px;
    }
}

.settings-section-title {
    font-size: 11px;
    font-weight: 600;
    text-transform: uppercase;
    color: var(--text-dim);
    margin-bottom: 4px;
    letter-spacing: 0.5px;
    border-bottom: 1px solid var(--border2);
    padding-bottom: 4px;
}

/* ---- Settings inline hint icon + tooltip ---- */
.settings-hint {
    display: inline-flex;
    align-items: center;
    justify-content: center;
    flex-shrink: 0;
    width: 14px;
    height: 14px;
    margin-left: 5px;
    position: relative;
    top: 1px;
    color: var(--text-dim);
    opacity: 0.55;
    cursor: default;
    background: none;
    border: none;
    padding: 0;
    transition:
        opacity var(--transition),
        color var(--transition);
}
.settings-hint:hover {
    opacity: 1;
    color: var(--accent);
}
.settings-hint svg {
    display: block;
}
.settings-tip {
    position: fixed;
    background: var(--bg3);
    border: 1px solid var(--border2);
    color: var(--text-dim);
    font-size: 11px;
    line-height: 1.6;
    padding: 7px 10px;
    border-radius: var(--r);
    box-shadow: var(--shadow-sm);
    z-index: 9800;
    pointer-events: none;
    white-space: normal;
    max-width: 260px;
    animation: tooltipIn 0.1s ease;
}

/* CUSTOM DROPDOWN UI */
.custom-dd {
    position: relative;
    width: 140px;
}
.custom-dd-head {
    display: flex;
    align-items: center;
    justify-content: space-between;
    background: var(--bg3);
    border: 1px solid var(--border);
    padding: 6px 10px;
    border-radius: var(--r);
    cursor: pointer;
    font-size: 13px;
    color: var(--text);
    transition: border-color var(--transition);
    user-select: none;
}
.custom-dd-head:hover {
    border-color: var(--border2);
}
.custom-dd-head.active {
    border-color: var(--accent);
}
.custom-dd-menu {
    position: absolute;
    top: calc(100% + 4px);
    left: 0;
    right: 0;
    background: var(--bg3);
    border: 1px solid var(--border);
    border-radius: var(--r);
    box-shadow: var(--shadow);
    z-index: 9999;
    display: none;
    max-height: 200px;
    overflow-y: auto;
}
.custom-dd.open .custom-dd-menu {
    display: block;
}
.custom-dd-opt {
    padding: 8px 10px;
    font-size: 13px;
    color: var(--text);
    cursor: pointer;
    transition: background var(--transition);
}
.custom-dd-opt:hover {
    background: var(--accent);
    color: #fff;
}
.custom-dd-opt.selected {
    background: rgba(0, 120, 212, 0.2);
    color: var(--accent);
}

/* ============================================================
   DAEMON — Alert overlay + Security barrier veil
   ============================================================ */
/* Overlay backdrop — covers full viewport, centres the card */
.snv-overlay {
    position: fixed;
    inset: 0;
    z-index: 2147483647;
    background: rgba(0, 0, 0, 0.85);
    display: flex;
    align-items: center;
    justify-content: center;
    font-family: var(--font);
}
/* Alert card */
.snv-card {
    max-width: 520px;
    width: calc(100% - 96px);
    background: var(--bg);
    border: 1px solid var(--red);
    border-radius: var(--r);
    padding: 24px 28px;
    color: var(--text);
    text-align: left;
    box-shadow: var(--shadow);
}
/* Header row (icon + title) */
.snv-header {
    display: flex;
    align-items: center;
    gap: 10px;
    margin-bottom: 16px;
}
.snv-icon {
    color: var(--red);
    flex-shrink: 0;
}
.snv-title {
    font-size: 14px;
    font-weight: 600;
    color: var(--red);
    letter-spacing: 0.01em;
}
/* Reason code block */
.snv-reason {
    font-size: 12px;
    font-family: var(--mono);
    background: var(--bg2);
    padding: 8px 12px;
    border: 1px solid var(--border);
    border-radius: var(--r);
    margin-bottom: 14px;
    word-break: break-all;
    color: var(--red);
}
/* Description paragraphs */
.snv-desc {
    font-size: 13px;
    line-height: 1.6;
    color: var(--text);
    margin-bottom: 6px;
}
.snv-desc strong {
    color: var(--text-bright);
}
.snv-hint {
    font-size: 13px;
    line-height: 1.6;
    color: var(--text-dim);
    margin-bottom: 18px;
}
/* Reload button */
.snv-btn {
    background: #5a1a1a;
    color: var(--red);
    border: 1px solid #7a2222;
    border-radius: var(--r);
    padding: 6px 14px;
    font-family: var(--font);
    font-size: 13px;
    cursor: pointer;
}
.snv-btn:hover {
    background: #7a2222;
}
/* Barrier veil — diagonal animated stripes */
.snv-veil {
    position: fixed;
    inset: 0;
    z-index: 2147483646;
    background-image: linear-gradient(-45deg, rgba(6, 0, 0, 0.92) 0%, rgba(6, 0, 0, 0.92) 25%, rgba(155, 18, 18, 0.6) 25%, rgba(155, 18, 18, 0.6) 50%, rgba(6, 0, 0, 0.92) 50%, rgba(6, 0, 0, 0.92) 75%, rgba(155, 18, 18, 0.6) 75%, rgba(155, 18, 18, 0.6) 100%);
    background-size: 32px 32px;
    display: block;
}


================================================
FILE: src/index.html
================================================
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; media-src blob:; frame-src blob: about:; font-src 'self'; connect-src 'self'; worker-src 'self' blob:; base-uri 'self'; form-action 'none'; object-src 'none'">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="description" content="SafeNova — browser-based encrypted virtual file system. AES-256-GCM + Argon2id, zero-knowledge, fully offline.">
    <meta name="theme-color" content="#1e1e1e">
    <meta name="color-scheme" content="dark">
    <meta name="robots" content="noindex, nofollow">
    <meta name="referrer" content="no-referrer">
    <title>SafeNova</title>
    <link rel="icon" href="favicon.png" type="image/png">
    <link rel="apple-touch-icon" href="favicon.png">
    <script src="js/docmode.js"></script>
    <script src="js/proactive/daemon.js"></script>
    <link rel="stylesheet" href="css/app.css">
</head>

<body>

    <!-- ==================== LOADING OVERLAY ==================== -->
    <div class="loading-overlay" id="loading-overlay">
        <div class="loading-spinner"></div>
        <div class="loading-msg" id="loading-msg">Processing...</div>
    </div>

    <!-- ==================== INCOGNITO WARNING ==================== -->
    <div id="incognito-warning" class="incognito-warning" style="display:none">
        <div class="incognito-warning-card">
            <div class="incognito-warning-header">
                <svg width="22" height="22" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M14 3L2 25h24L14 3z" fill="var(--orange)" opacity=".15" stroke="var(--orange)" stroke-width="1.5" stroke-linejoin="round" />
                    <path d="M14 11v7" stroke="var(--orange)" stroke-width="2" stroke-linecap="square" />
                    <circle cx="14" cy="21" r="1.2" fill="var(--orange)" />
                </svg>
                <span class="incognito-warning-title">Private / Incognito Mode Detected</span>
            </div>
            <div class="incognito-warning-body">
                <p>SafeNova stores encrypted containers in IndexedDB. Private mode imposes severe restrictions:</p>
                <ul>
                    <li>Containers will be <strong>permanently lost</strong> when you close this window</li>
                    <li>Sessions cannot persist between browser restarts</li>
                    <li>Storage quota is capped</li>
                </ul>
                <p class="incognito-warning-recommend">For reliable use, open SafeNova in a normal browser window.</p>
            </div>
            <div class="incognito-warning-footer">
                <button class="btn btn-primary" id="incognito-continue-btn" disabled>
                    <span id="incognito-continue-lbl">Wait… 3</span>
                </button>
            </div>
        </div>
    </div>

    <!-- ==================== HOME VIEW ==================== -->
    <div id="view-home" class="view">
        <header class="app-header">
            <div class="header-logo">
                <img src="favicon.png" class="header-logo-icon" alt="logo">
                <span class="header-brand">SafeNova</span><span class="tier-badge">Enterprise</span>
            </div>
            <span class="header-spacer"></span>
            <div class="header-actions">
                <button class="btn btn-ghost btn-sm" id="btn-import-container">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M7 9V1M3 6l4 4 4-4M2 11h10v2H2z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                    Import
                </button>
                <button class="btn btn-primary" id="btn-new-container">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M7 1v12M1 7h12" stroke="currentColor" stroke-width="2" stroke-linecap="square" />
                    </svg>
                    New Container
                </button>
            </div>
        </header>

        <div class="home-body">
            <div class="home-warning-box hidden" id="home-warning-box">
                <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M8 1.5L1 14.5h14z" stroke="currentColor" stroke-width="1.3" stroke-linejoin="round" />
                    <line x1="8" y1="6.5" x2="8" y2="10" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" />
                    <circle cx="8" cy="12.5" r="0.85" fill="currentColor" />
                </svg>
                <div>
                    <strong>All files are stored directly in your browser</strong> and are never sent to any server.
                    Clearing site data, reinstalling the browser, or using a different browser/device will
                    <strong>permanently erase all containers and files</strong>. Use the Export function to back up your data.
                </div>
                <button class="warning-dismiss" id="warning-dismiss" title="Don't show again">
                    <svg width="12" height="12" viewBox="0 0 12 12" fill="none">
                        <path d="M2 2l8 8M10 2L2 10" stroke="currentColor" stroke-width="1.4" stroke-linecap="round" />
                    </svg>
                </button>
            </div>
            <div>
                <div class="home-section-title">SafeNova Containers</div>
                <div class="container-grid" id="container-grid">
                    <div class="container-empty" id="container-empty">
                        <svg viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
                            <rect x="8" y="18" width="32" height="22" rx="1" stroke="currentColor" stroke-width="2" />
                            <path d="M16 18V13a8 8 0 0116 0v5" stroke="currentColor" stroke-width="2" stroke-linecap="square" />
                            <circle cx="24" cy="29" r="3" stroke="currentColor" stroke-width="2" />
                        </svg>
                        <p>No containers yet. Create your first one.</p>
                    </div>
                </div>
            </div>

            <div class="home-doc-wrap">
                <div class="home-doc" id="home-doc">
                    <button class="home-doc-collapse" id="home-doc-collapse" title="Hide">
                        <svg width="11" height="11" viewBox="0 0 11 11" fill="none">
                            <path d="M2 2l7 7M9 2L2 9" stroke="currentColor" stroke-width="1.3" stroke-linecap="round" />
                        </svg>
                    </button>
                    <span class="home-doc-badge">Enterprise Security Platform</span>
                    <div class="home-doc-title">SafeNova &mdash; Keep it private.</div>
                    <p class="home-doc-p">Store and manage your sensitive files in <strong>encrypted containers</strong> that never leave your browser &mdash; no servers, no accounts, no cloud. Your password is never saved anywhere; close the tab and access is gone instantly. The <strong>duress password</strong> silently destroys everything if you&rsquo;re ever forced to open it. Runtime anti-tamper protection <strong>SafeNova Proactive</strong> shields your data in the background at all times.</p>
                    <div class="home-doc-stack">
                        <span>AES-256-GCM</span>
                        <span>Argon2id</span>
                        <span>Web Crypto API</span>
                        <span>WebAuthn</span>
                        <span>IndexedDB</span>
                        <span>WASM</span>
                    </div>
                    <a href="https://github.com/DosX-dev/SafeNova" target="_blank" rel="noopener noreferrer" class="github-link">
                        <svg width="13" height="13" viewBox="0 0 16 16" fill="currentColor" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
                            <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z" />
                        </svg>
                        <span>DosX-dev/SafeNova</span>
                        <svg width="9" height="9" viewBox="0 0 10 10" fill="none" xmlns="http://www.w3.org/2000/svg" class="github-link-arrow">
                            <path d="M2 8L8 2M8 2H4M8 2v4" stroke="currentColor" stroke-width="1.3" stroke-linecap="square" />
                        </svg>
                    </a>
                </div>
                <button class="home-doc-tab" id="home-doc-tab" title="Security info">
                    <svg width="11" height="11" viewBox="0 0 12 12" fill="none">
                        <path d="M6 1L1 3.5v4c0 2.5 2 4 5 4.5 3-.5 5-2 5-4.5v-4z" stroke="currentColor" stroke-width="1.1" stroke-linejoin="round" />
                        <path d="M4 6l1.5 1.5L8 4" stroke="currentColor" stroke-width="1.2" stroke-linecap="round" stroke-linejoin="round" />
                    </svg>
                    <span>Security Info</span>
                </button>
            </div>
        </div>

        <div class="storage-warning-banner" id="storage-warning-banner">
            <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
                <path d="M8 2L1 14h14z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round" />
                <path d="M8 6v4" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" />
                <circle cx="8" cy="12" r="0.8" fill="currentColor" />
            </svg>
            <span>Low storage</span>
        </div>

        <div class="storage-footer">
            <div class="storage-row">
                <span class="storage-label">Device Storage</span>
                <div class="storage-bar-wrap">
                    <div class="storage-bar-fill" id="storage-bar-fill" style="width:0%"></div>
                </div>
                <span class="storage-text" id="storage-text">-</span>
            </div>
            <div class="storage-row">
                <span class="storage-label">SafeNova</span>
                <div class="storage-bar-wrap">
                    <div class="storage-bar-fill" id="twc-bar-fill" style="width:0%"></div>
                </div>
                <span class="storage-text" id="twc-text">-</span>
            </div>
        </div>
    </div>

    <!-- ==================== UNLOCK VIEW ==================== -->
    <div id="view-unlock" class="view">
        <div class="unlock-box">
            <button class="btn btn-ghost btn-sm unlock-back" id="btn-back">
                <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M9 2L4 7l5 5" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
                Back
            </button>
            <div class="unlock-icon">
                <svg width="36" height="36" viewBox="0 0 40 40" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <rect x="7" y="18" width="26" height="18" rx="2" fill="var(--bg3)" stroke="var(--border2)" stroke-width="1.5" />
                    <path d="M13 18v-5a7 7 0 0114 0v5" stroke="var(--text-dim)" stroke-width="2.5" stroke-linecap="square" />
                    <circle cx="20" cy="27" r="3" fill="var(--text-dim)" />
                </svg>
            </div>
            <div class="unlock-identity">
                <div class="unlock-eyebrow">SafeNova</div>
                <div class="unlock-name-badge" id="unlock-name">-</div>
            </div>
            <div class="form-group">
                <div class="input-wrap">
                    <input type="password" class="input" id="unlock-pw" placeholder="Enter container password" autocomplete="current-password">
                    <button class="input-eye" id="unlock-pw-eye" tabindex="-1">
                        <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
                            <path d="M1 8s2.5-5 7-5 7 5 7 5-2.5 5-7 5-7-5-7-5z" stroke="currentColor" stroke-width="1.5" />
                            <circle cx="8" cy="8" r="2.5" stroke="currentColor" stroke-width="1.5" />
                        </svg>
                    </button>
                </div>
            </div>
            <div class="unlock-spinner" id="unlock-spinner">
                <div class="spinner"></div>
                <span>Deriving key (AES-256 / Argon2id)...</span>
            </div>
            <div class="unlock-error" id="unlock-error"></div>
            <div class="remember-section">
                <label class="remember-row">
                    <input type="checkbox" id="unlock-remember">
                    <span>Remember password</span>
                </label>
                <div class="remember-opts" id="remember-opts">
                    <label class="remember-opt disabled">
                        <input type="radio" name="remember-scope" id="remember-tab" value="tab" checked disabled>
                        <span>Current tab session <span class="remember-opt-badge">Recommended</span></span>
                    </label>
                    <label class="remember-opt disabled">
                        <input type="radio" name="remember-scope" id="remember-browser" value="browser" disabled>
                        <span>Stay signed in</span>
                    </label>
                </div>
            </div>
            <button class="btn btn-primary btn-lg" id="btn-unlock">
                <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <rect x="2" y="6" width="10" height="7" rx="1" stroke="currentColor" stroke-width="1.5" />
                    <path d="M4 6V4a3 3 0 015.8-1" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
                Unlock Container
            </button>
            <div class="unlock-crypto-info">
                AES-256-GCM &middot; Argon2id
            </div>
        </div>
    </div>

    <!-- ==================== DESKTOP VIEW ==================== -->
    <div id="view-desktop" class="view">
        <div class="desktop-topbar">
            <button class="btn btn-ghost btn-icon btn-sm" id="btn-lock" title="Back to menu">
                <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M10 2L4 8l6 6" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
            </button>
            <div class="breadcrumb" id="breadcrumb"></div>

            <button class="btn btn-ghost btn-sm" id="btn-settings">
                <svg width="15" height="15" viewBox="0 0 15 15" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M7.5 9.5a2 2 0 1 0 0-4 2 2 0 0 0 0 4Z" stroke="currentColor" stroke-width="1.4" />
                    <path d="M6.1 1.5 5.7 3.1a5.2 5.2 0 0 0-1.4.8L2.7 3.5 1.2 6l1.4 1.1a5 5 0 0 0 0 1.8L1.2 10l1.5 2.5 1.6-.4c.4.3.9.6 1.4.8l.4 1.6h3l.4-1.6c.5-.2 1-.5 1.4-.8l1.6.4L13.8 10l-1.4-1.1a5 5 0 0 0 0-1.8L13.8 6 12.3 3.5l-1.6.4a5.2 5.2 0 0 0-1.4-.8l-.4-1.6H6.1Z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round" />
                </svg>
                Environment
            </button>
            <div class="separator"></div>
            <button class="btn btn-ghost btn-sm" id="btn-upload-toolbar">
                <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M7 9V1M3 5l4-4 4 4M2 11h10v2H2z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
                Import
            </button>
            <button class="btn btn-ghost btn-sm" id="btn-new-file-toolbar">
                <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M2 1h7l3 3v9H2z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    <path d="M9 1v3h3" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    <path d="M7 7v4M5 9h4" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
                New File
            </button>
            <button class="btn btn-ghost btn-sm" id="btn-new-folder-toolbar">
                <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M1 3h5l1.5 2H13v7H1z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    <path d="M7 7v3M5.5 8.5h3" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
                New Folder
            </button>

            <!-- Mobile burger button — hidden on desktop via CSS -->
            <button class="btn btn-ghost btn-sm topbar-burger" id="topbar-burger" title="Menu" aria-label="Menu">
                <svg width="18" height="18" viewBox="0 0 16 16" fill="none">
                    <rect x="2" y="3.5" width="12" height="1.5" rx=".75" fill="currentColor" />
                    <rect x="2" y="7.25" width="12" height="1.5" rx=".75" fill="currentColor" />
                    <rect x="2" y="11" width="12" height="1.5" rx=".75" fill="currentColor" />
                </svg>
                Menu
            </button>
        </div>

        <!-- Mobile topbar dropdown — hidden on desktop -->
        <div class="topbar-dropdown" id="topbar-dropdown">
            <button class="topbar-dd-item" id="topbar-dd-settings">
                <svg width="14" height="14" viewBox="0 0 15 15" fill="none">
                    <path d="M7.5 9.5a2 2 0 1 0 0-4 2 2 0 0 0 0 4Z" stroke="currentColor" stroke-width="1.4" />
                    <path d="M6.1 1.5 5.7 3.1a5.2 5.2 0 0 0-1.4.8L2.7 3.5 1.2 6l1.4 1.1a5 5 0 0 0 0 1.8L1.2 10l1.5 2.5 1.6-.4c.4.3.9.6 1.4.8l.4 1.6h3l.4-1.6c.5-.2 1-.5 1.4-.8l1.6.4L13.8 10l-1.4-1.1a5 5 0 0 0 0-1.8L13.8 6 12.3 3.5l-1.6.4a5.2 5.2 0 0 0-1.4-.8l-.4-1.6H6.1Z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round" />
                </svg>
                Environment
            </button>
            <div class="topbar-dd-sep"></div>
            <button class="topbar-dd-item" id="topbar-dd-upload">
                <svg width="14" height="14" viewBox="0 0 14 14" fill="none">
                    <path d="M7 9V1M3 5l4-4 4 4M2 11h10v2H2z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
                Import File
            </button>
            <button class="topbar-dd-item" id="topbar-dd-newfile">
                <svg width="14" height="14" viewBox="0 0 14 14" fill="none">
                    <path d="M2 1h7l3 3v9H2z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    <path d="M9 1v3h3" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    <path d="M7 7v4M5 9h4" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
                New File
            </button>
            <button class="topbar-dd-item" id="topbar-dd-newfolder">
                <svg width="14" height="14" viewBox="0 0 14 14" fill="none">
                    <path d="M1 3h5l1.5 2H13v7H1z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    <path d="M7 7v3M5.5 8.5h3" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                </svg>
                New Folder
            </button>
        </div>

        <div class="desktop-area" id="desktop-area" tabindex="0">
            <div class="drop-overlay" id="drop-overlay">
                <svg width="48" height="48" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <path d="M24 8v24M12 20l12-12 12 12M8 36h32v4H8z" stroke="currentColor" stroke-width="2.5" stroke-linecap="square" />
                </svg>
                Drop files to upload and encrypt
            </div>
            <div class="selection-bar" id="selection-bar"></div>
        </div>

        <div class="taskbar">
            <img src="favicon.png" class="taskbar-logo-icon" width="16" height="16" alt="logo">
            <span class="taskbar-container-name" id="taskbar-name">-</span>
            <span class="taskbar-sep"></span>
            <div class="taskbar-storage">
                <span id="taskbar-size-text">-</span>
                <div class="taskbar-bar-wrap">
                    <div class="taskbar-bar-fill" id="taskbar-bar-fill" style="width:0%"></div>
                </div>
                <span id="taskbar-size-pct">0%</span>
            </div>
            <button class="btn btn-danger btn-sm" id="btn-lock-taskbar">
                <svg width="12" height="12" viewBox="0 0 12 12" fill="none" xmlns="http://www.w3.org/2000/svg">
                    <rect x="1" y="5" width="10" height="7" rx="1" stroke="currentColor" stroke-width="1.4" />
                    <path d="M3 5V4a3 3 0 016 0v1" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                </svg>
                Exit &amp; Kill Session
            </button>
        </div>
    </div>

    <!-- Hidden file inputs -->
    <input type="file" id="file-input" multiple>
    <input type="file" id="import-container-input" accept=".safenova,.zip,.twc">

    <!-- ==================== CONTEXT MENU ==================== -->
    <div class="ctx-menu" id="ctx-menu"></div>

    <!-- ==================== MODAL OVERLAY ==================== -->
    <div class="modal-overlay" id="modal-overlay">

        <!-- New Container Modal -->
        <div class="modal" id="modal-new-container" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Create New Container</span>
                <button class="modal-close" id="modal-nc-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <div class="form-group">
                    <label class="form-label">Container Name</label>
                    <input type="text" class="input" id="nc-name" placeholder="e.g. Personal, Work, Archive">
                </div>
                <div class="form-group">
                    <label class="form-label">Password</label>
                    <div class="input-wrap">
                        <input type="password" class="input" id="nc-pw" placeholder="Choose a strong password">
                        <button class="input-eye" id="nc-pw-eye" tabindex="-1">
                            <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
                                <path d="M1 8s2.5-5 7-5 7 5 7 5-2.5 5-7 5-7-5-7-5z" stroke="currentColor" stroke-width="1.5" />
                                <circle cx="8" cy="8" r="2.5" stroke="currentColor" stroke-width="1.5" />
                            </svg>
                        </button>
                    </div>
                    <div class="pw-strength" id="nc-pw-strength" style="width:0%"></div>
                    <div class="pw-strength-row" id="nc-pw-strength-label"></div>
                </div>
                <div class="form-group">
                    <label class="form-label">Confirm Password</label>
                    <input type="password" class="input" id="nc-pw2" placeholder="Repeat password">
                </div>
                <div class="notice-box warn">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M7 1L1 13h12z" stroke="currentColor" stroke-width="1.3" stroke-linejoin="round" />
                        <path d="M7 5v4" stroke="currentColor" stroke-width="1.4" stroke-linecap="round" />
                        <circle cx="7" cy="10.5" r="0.7" fill="currentColor" />
                    </svg>
                    <span>The password <strong>cannot be recovered</strong>. If lost, all data in this container will be permanently inaccessible.</span>
                </div>
                <div class="notice-box danger">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <circle cx="7" cy="7" r="6" stroke="currentColor" stroke-width="1.3" />
                        <path d="M7 4v3.5" stroke="currentColor" stroke-width="1.4" stroke-linecap="round" />
                        <circle cx="7" cy="10" r="0.7" fill="currentColor" />
                    </svg>
                    <span><strong>SafeNova has no access to your data and takes no responsibility for data loss.</strong> All containers are stored exclusively in your browser.<br>Clearing browser data or switching devices will permanently destroy all files without the ability to recover them.</span>
                </div>
                <label class="agree-label">
                    <input type="checkbox" id="nc-agree" class="agree-cb">
                    <span class="agree-text">I understand that I am solely responsible for my data</span>
                </label>
            </div>
            <div class="modal-footer">
                <button id="nc-hwkey-btn" title="Mix passkey entropy into salt">
                    <svg width="13" height="13" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <rect x="1" y="6" width="9" height="7" rx="1.2" stroke="currentColor" stroke-width="1.3" />
                        <path d="M3.5 6V4a2.5 2.5 0 015 0v2" stroke="currentColor" stroke-width="1.3" stroke-linecap="square" />
                        <circle cx="11.5" cy="5.5" r="1.8" stroke="currentColor" stroke-width="1.2" />
                        <path d="M11.5 7.3V9.5" stroke="currentColor" stroke-width="1.2" stroke-linecap="round" />
                    </svg>
                    <span>Use passkey for salt</span>
                </button>
                <button class="btn" id="nc-cancel">Cancel</button>
                <button class="btn btn-primary" id="nc-create" disabled>
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M7 1v12M1 7h12" stroke="currentColor" stroke-width="2" stroke-linecap="square" />
                    </svg>
                    Create Container
                </button>
            </div>
        </div>

        <!-- Text Editor Modal -->
        <div class="modal modal-editor" id="modal-editor" style="display:none">
            <div class="modal-header">
                <span class="modal-title" id="editor-title">Text Editor</span>
                <div class="modal-header-actions">
                    <span class="badge encrypted">AES-256</span>
                    <button class="btn btn-ghost btn-sm" id="btn-wordwrap" title="Toggle Word Wrap">
                        <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                            <path d="M1 3h12M1 7h9a2 2 0 010 4H7" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                            <path d="M8 9.5L6 11l2 1.5" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" stroke-linejoin="miter" />
                        </svg>
                        Wrap
                    </button>
                    <button class="btn btn-primary btn-sm" id="btn-save-editor">
                        <svg width="12" height="12" viewBox="0 0 12 12" fill="none" xmlns="http://www.w3.org/2000/svg">
                            <rect x="1" y="1" width="10" height="10" rx="1" stroke="currentColor" stroke-width="1.3" />
                            <rect x="3" y="1" width="6" height="4" stroke="currentColor" stroke-width="1.3" />
                            <rect x="3" y="6" width="5" height="4" stroke="currentColor" stroke-width="1.2" />
                        </svg>
                        Save
                    </button>
                    <button class="modal-close" id="editor-close">
                        <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                            <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                        </svg>
                    </button>
                </div>
            </div>
            <div class="editor-area">
                <div class="editor-line-numbers" id="editor-line-numbers"></div>
                <textarea class="code-editor" id="editor-textarea" spellcheck="false"></textarea>
            </div>
            <div class="editor-meta">
                <span id="editor-meta-chars">0 chars</span>
                <span id="editor-meta-lines">0 lines</span>
                <span id="editor-meta-modified" style="display:none">Modified</span>
            </div>
            <!-- Unsaved changes inline confirmation -->
            <div id="editor-unsaved-dialog" class="unsaved-overlay" style="display:none">
                <div class="unsaved-dialog">
                    <div class="unsaved-title">Unsaved Changes</div>
                    <div class="unsaved-msg">You have unsaved changes. What would you like to do?</div>
                    <div class="unsaved-actions">
                        <button class="btn" id="editor-unsaved-cancel">Cancel</button>
                        <button class="btn btn-danger" id="editor-unsaved-discard">Don't Save</button>
                        <button class="btn btn-primary" id="editor-unsaved-save">Save &amp; Close</button>
                    </div>
                </div>
            </div>
        </div>

        <!-- File Viewer Modal -->
        <div class="modal modal-viewer" id="modal-viewer" style="display:none">
            <div class="modal-header">
                <span class="modal-title" id="viewer-title">File Viewer</span>
                <div class="modal-header-actions">
                    <button class="btn btn-ghost btn-sm" id="btn-download-viewer">
                        <svg width="13" height="13" viewBox="0 0 13 13" fill="none" xmlns="http://www.w3.org/2000/svg">
                            <path d="M6.5 1v8M3 6l3.5 4 3.5-4M1 12h11" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                        </svg>
                        Export
                    </button>
                    <button class="modal-close" id="viewer-close">
                        <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                            <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                        </svg>
                    </button>
                </div>
            </div>
            <div class="viewer-content" id="viewer-content"></div>
        </div>

        <!-- Properties Modal -->
        <div class="modal modal-props" id="modal-props" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Properties</span>
                <button class="modal-close" id="props-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body" id="props-body"></div>
            <div class="modal-footer">
                <button class="btn btn-primary" id="props-ok">OK</button>
            </div>
        </div>

        <!-- Rename Modal -->
        <div class="modal" id="modal-rename" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Rename</span>
                <button class="modal-close" id="rename-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <div class="form-group">
                    <label class="form-label">New name</label>
                    <input type="text" class="input" id="rename-input">
                </div>
            </div>
            <div class="modal-footer">
                <button class="btn" id="rename-cancel">Cancel</button>
                <button class="btn btn-primary" id="rename-ok">Rename</button>
            </div>
        </div>

        <!-- Delete Confirm Modal -->
        <div class="modal" id="modal-delete" style="display:none">
            <div class="modal-header">
                <span class="modal-title modal-title-danger">Confirm Delete</span>
                <button class="modal-close" id="delete-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <p id="delete-msg" class="modal-text"></p>
            </div>
            <div class="modal-footer">
                <button class="btn" id="delete-cancel">Cancel</button>
                <button class="btn btn-danger" id="delete-ok">
                    <svg width="13" height="13" viewBox="0 0 13 13" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M1.5 3.5h10M4 3.5V2H9v1.5M2.5 3.5L3.5 11h6l1-7.5" stroke="currentColor" stroke-width="1.3" stroke-linecap="square" />
                    </svg>
                    Delete
                </button>
            </div>
        </div>

        <!-- Session Conflict Modal -->
        <div class="modal" id="modal-session-conflict" style="display:none">
            <div class="modal-header">
                <span class="modal-title modal-title-warn">Container Already Open</span>
            </div>
            <div class="modal-body">
                <p class="modal-text">
                    <strong id="sc-cont-name"></strong> is currently open in another tab or window.
                </p>
                <p class="modal-secondary">
                    Opening it here will immediately lock the other session. Any unsaved state in that tab will be lost.
                </p>
            </div>
            <div class="modal-footer">
                <button class="btn" id="sc-cancel">Cancel</button>
                <button class="btn btn-danger" id="sc-force">Force Close &amp; Open Here</button>
            </div>
        </div>

        <!-- Disable Activity Logs Confirm Modal -->
        <div class="modal" id="modal-alog-disable" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Disable Activity Logs?</span>
            </div>
            <div class="modal-body">
                <p class="modal-text-dim">All recorded activity history will be permanently cleared. Are you sure?</p>
            </div>
            <div class="modal-footer">
                <button class="btn" id="alog-disable-cancel">Cancel</button>
                <button class="btn btn-danger" id="alog-disable-ok">Disable &amp; Clear</button>
            </div>
        </div>

        <!-- Clear Activity Logs Confirm Modal -->
        <div class="modal" id="modal-alog-clear" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Clear Activity Logs?</span>
            </div>
            <div class="modal-body">
                <p class="modal-text-dim">All recorded activity history will be permanently cleared. Are you sure?</p>
            </div>
            <div class="modal-footer">
                <button class="btn" id="alog-clear-cancel">Cancel</button>
                <button class="btn btn-danger" id="alog-clear-ok">Clear All</button>
            </div>
        </div>



        <!-- New Text File Modal -->
        <div class="modal" id="modal-new-text" style="display:none">
            <div class="modal-header">
                <span class="modal-title">New Text File</span>
                <button class="modal-close" id="nf-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <div class="form-group">
                    <label class="form-label">File name</label>
                    <input type="text" class="input" id="nf-name" placeholder="e.g. notes.txt">
                </div>
            </div>
            <div class="modal-footer">
                <button class="btn" id="nf-cancel">Cancel</button>
                <button class="btn btn-primary" id="nf-ok">Create</button>
            </div>
        </div>

        <!-- New Folder Modal -->
        <div class="modal" id="modal-new-folder" style="display:none">
            <div class="modal-header">
                <span class="modal-title">New Folder</span>
                <button class="modal-close" id="nd-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <div class="form-group">
                    <label class="form-label">Folder name</label>
                    <input type="text" class="input" id="nd-name" placeholder="e.g. Documents">
                </div>
            </div>
            <div class="modal-footer">
                <button class="btn" id="nd-cancel">Cancel</button>
                <button class="btn btn-primary" id="nd-ok">Create Folder</button>
            </div>
        </div>

        <!-- Delete Container Confirm -->
        <div class="modal" id="modal-del-container" style="display:none">
            <div class="modal-header">
                <span class="modal-title modal-title-danger">Delete Container</span>
                <button class="modal-close" id="dc-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <div class="del-container-warning">
                    <svg width="28" height="28" viewBox="0 0 28 28" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M14 3L2 24h24L14 3z" fill="var(--red)" opacity=".18" stroke="var(--red)" stroke-width="1.5" stroke-linejoin="round" />
                        <path d="M14 11v6" stroke="var(--red)" stroke-width="2" stroke-linecap="square" />
                        <circle cx="14" cy="20.5" r="1.2" fill="var(--red)" />
                    </svg>
                    <div>
                        <div class="dc-warn-title">This action is irreversible!</div>
                        <div class="dc-warn-text">All files inside container <strong id="dc-name"></strong> will be permanently erased. There is no recovery.</div>
                    </div>
                </div>
                <p id="dc-msg"></p>
            </div>
            <div class="modal-footer">
                <button class="btn" id="dc-cancel">Cancel</button>
                <button class="btn btn-danger" id="dc-ok" disabled>
                    <svg width="13" height="13" viewBox="0 0 13 13" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M1.5 3.5h10M4 3.5V2H9v1.5M2.5 3.5L3.5 11h6l1-7.5" stroke="currentColor" stroke-width="1.3" stroke-linecap="square" />
                    </svg>
                    <span id="dc-ok-label">Wait… 3</span>
                </button>
            </div>
        </div>

        <!-- ==================== CHANGE PASSWORD MODAL ==================== -->
        <div class="modal" id="modal-change-pw" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Change Password</span>
                <button class="modal-close" id="cp-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <div class="form-group">
                    <label class="form-label">Current Password</label>
                    <div class="input-wrap">
                        <input type="password" class="input" id="cp-old" placeholder="Enter current password" autocomplete="current-password">
                        <button class="input-eye" id="cp-old-eye" tabindex="-1">
                            <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
                                <path d="M1 8s2.5-5 7-5 7 5 7 5-2.5 5-7 5-7-5-7-5z" stroke="currentColor" stroke-width="1.5" />
                                <circle cx="8" cy="8" r="2.5" stroke="currentColor" stroke-width="1.5" />
                            </svg>
                        </button>
                    </div>
                </div>
                <div class="form-group">
                    <label class="form-label">New Password</label>
                    <div class="input-wrap">
                        <input type="password" class="input" id="cp-new" placeholder="Enter new password" autocomplete="new-password">
                        <button class="input-eye" id="cp-new-eye" tabindex="-1">
                            <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
                                <path d="M1 8s2.5-5 7-5 7 5 7 5-2.5 5-7 5-7-5-7-5z" stroke="currentColor" stroke-width="1.5" />
                                <circle cx="8" cy="8" r="2.5" stroke="currentColor" stroke-width="1.5" />
                            </svg>
                        </button>
                    </div>
                    <div class="pw-strength" id="cp-pw-strength" style="width:0%"></div>
                    <div class="pw-strength-row" id="cp-pw-strength-label"></div>
                </div>
                <div class="form-group">
                    <label class="form-label">Confirm New Password</label>
                    <input type="password" class="input" id="cp-new2" placeholder="Repeat new password" autocomplete="new-password">
                </div>
                <div class="notice-box warn">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M7 1L1 13h12z" stroke="currentColor" stroke-width="1.3" stroke-linejoin="round" />
                        <path d="M7 5v4" stroke="currentColor" stroke-width="1.4" stroke-linecap="round" />
                        <circle cx="7" cy="10.5" r="0.7" fill="currentColor" />
                    </svg>
                    <span>All files will be re-encrypted with the new password. <strong>Do not close the browser</strong> during this process.</span>
                </div>
                <div class="unlock-error" id="cp-error"></div>
            </div>
            <div class="modal-footer">
                <button class="btn" id="cp-cancel">Cancel</button>
                <button class="btn btn-primary" id="cp-ok">Change Password</button>
            </div>
        </div>

        <!-- ==================== RENAME CONTAINER MODAL ==================== -->
        <div class="modal" id="modal-rename-container" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Rename Container</span>
                <button class="modal-close" id="rc-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <div class="form-group">
                    <label class="form-label">Container Name</label>
                    <input type="text" class="input" id="rc-name" placeholder="Container name">
                </div>
                <div class="unlock-error" id="rc-error"></div>
            </div>
            <div class="modal-footer">
                <button class="btn" id="rc-cancel">Cancel</button>
                <button class="btn btn-primary" id="rc-ok">Rename</button>
            </div>
        </div>

        <!-- ==================== EXPORT CONFIRM MODAL ==================== -->
        <div class="modal" id="modal-export-confirm" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Cannot Preview File</span>
                <button class="modal-close" id="ec-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <p class="modal-text">This file type cannot be opened in the browser.</p>
                <div class="notice-box">
                    <span id="ec-filename"></span> — export this file to your computer?
                </div>
            </div>
            <div class="modal-footer">
                <button class="btn" id="ec-cancel">Cancel</button>
                <button class="btn btn-primary" id="ec-ok">
                    <svg width="13" height="13" viewBox="0 0 13 13" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M6.5 1v8M3 6l3.5 3.5L10 6M1 11h11" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                    </svg>
                    Export File
                </button>
            </div>
        </div>

        <!-- ==================== EXPORT PASSWORD MODAL ==================== -->
        <div class="modal modal-export-pw" id="modal-export-pw" style="display:none">
            <div class="modal-header">
                <div class="exp-header">
                    <div class="exp-icon">
                        <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
                            <path d="M8 10V2M4 5l4-4 4 4M2 13h12" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                        </svg>
                    </div>
                    <div>
                        <div class="modal-title">Export Container</div>
                        <div class="exp-subtitle">Confirm your identity to export</div>
                    </div>
                </div>
                <button class="modal-close" id="exp-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <div class="notice-box accent">
                    <svg width="14" height="14" viewBox="0 0 16 16" fill="none">
                        <path d="M8 1.5a6.5 6.5 0 100 13 6.5 6.5 0 000-13zM7.25 5h1.5v4h-1.5V5zm0 5h1.5v1.5h-1.5V10z" fill="currentColor" />
                    </svg>
                    <span>Container <strong id="exp-cont-name"></strong> will be exported as a <code class="code-tag">.safenova</code> file. Enter the password to authorize the export.</span>
                </div>
                <div class="form-group">
                    <label class="form-label">Container Password</label>
                    <div class="input-wrap">
                        <input type="password" class="input" id="exp-pw" placeholder="Enter password…" autocomplete="current-password">
                        <button class="input-eye" type="button" id="exp-eye" aria-label="Show password" tabindex="-1">
                            <svg class="eye-open" width="15" height="15" viewBox="0 0 15 15" fill="none">
                                <path d="M7.5 3C4.5 3 2 7.5 2 7.5S4.5 12 7.5 12 13 7.5 13 7.5 10.5 3 7.5 3z" stroke="currentColor" stroke-width="1.3" />
                                <circle cx="7.5" cy="7.5" r="1.8" stroke="currentColor" stroke-width="1.3" />
                            </svg>
                            <svg class="eye-closed" width="15" height="15" viewBox="0 0 15 15" fill="none">
                                <path d="M2 2l11 11M6.5 5.5A3 3 0 0112 7.5M3 7.5C4 9.5 5.6 11 7.5 11" stroke="currentColor" stroke-width="1.3" stroke-linecap="square" />
                            </svg>
                        </button>
                    </div>
                </div>
                <div class="unlock-error" id="exp-error"></div>
            </div>
            <div class="modal-footer modal-footer-split">
                <span class="encrypt-label">
                    <svg width="11" height="11" viewBox="0 0 12 12" fill="none">
                        <rect x="1" y="5" width="10" height="6" rx="1" stroke="currentColor" stroke-width="1.2" />
                        <path d="M3.5 5V3.5a2.5 2.5 0 015 0V5" stroke="currentColor" stroke-width="1.2" stroke-linecap="square" />
                    </svg>
                    AES-256-GCM encrypted
                </span>
                <div class="modal-actions">
                    <button class="btn" id="exp-cancel">Cancel</button>
                    <button class="btn btn-primary" id="exp-ok">
                        <svg width="13" height="13" viewBox="0 0 13 13" fill="none">
                            <path d="M6.5 1v8M3 6l3.5 3.5L10 6M1 11h11" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                        </svg>
                        Export
                    </button>
                </div>
            </div>
        </div>

        <!-- ==================== IMPORT PASSWORD MODAL ==================== -->
        <div class="modal" id="modal-import-pw" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Import Container</span>
                <button class="modal-close" id="imp-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body">
                <p class="modal-text">Container <strong id="imp-name"></strong> has an encrypted file manifest. Enter the password to complete the import.</p>
                <div class="form-group">
                    <label class="form-label">Password</label>
                    <input type="password" class="input" id="imp-pw" placeholder="Container password">
                </div>
                <div class="unlock-error" id="imp-error"></div>
            </div>
            <div class="modal-footer">
                <button class="btn" id="imp-cancel">Cancel</button>
                <button class="btn btn-primary" id="imp-ok">Import</button>
            </div>
        </div>

        <!-- ==================== SETTINGS MODAL ==================== -->
        <div class="modal modal-settings" id="modal-settings" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Environment</span>
                <button class="modal-close" id="settings-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="settings-tabs">
                <button class="settings-tab active" data-tab="personalization">Settings</button>
                <button class="settings-tab" data-tab="statistics">Statistics</button>
                <button class="settings-tab" data-tab="activity-logs">Activity Logs</button>
            </div>
            <div class="modal-body">
                <!-- Personalization Tab -->
                <div class="settings-panel" id="settings-personalization">
                    <div class="settings-section">
                        <div class="settings-section-title">Security</div>
                        <div class="settings-row">
                            <span class="settings-label">Require password on export<button class="settings-hint" data-tip="When enabled, every export requires password confirmation. Metadata is generated on the fly.When disabled, an encrypted metadata index is pre-generated and cached in the local database, making export instant. The cache contains only file sizes and IVs — no filenames or content — but in theory slightly increases the attack surface."><!--?--><svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                                        <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-width="1.3" />
                                        <path d="M8 7v4.5" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                                        <circle cx="8" cy="5" r="0.8" fill="currentColor" />
                                    </svg></button></span>
                            <label class="switch" id="settings-export-pw">
                                <input type="checkbox" checked>
                                <span class="switch-slider"></span>
                            </label>
                        </div>
                        <div class="settings-row">
                            <span class="settings-label">Activity logs<button class="settings-hint" data-tip="Records container events (unlock, file upload, delete, export, etc.) with timestamps, stored encrypted inside the container. Useful for auditing. Disabling clears future log entries but does not erase existing ones."><!--?--><svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                                        <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-width="1.3" />
                                        <path d="M8 7v4.5" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                                        <circle cx="8" cy="5" r="0.8" fill="currentColor" />
                                    </svg></button></span>
                            <label class="switch" id="settings-activity-logs-toggle">
                                <input type="checkbox" checked>
                                <span class="switch-slider"></span>
                            </label>
                        </div>
                        <div class="settings-row settings-sub-row" id="settings-export-logs-row">
                            <span class="settings-sub-indicator"></span>
                            <span class="settings-label">Export with activity logs<button class="settings-hint" data-tip="Activity logs are included in the exported .safenova file, encrypted. Safe to share, but recommended to disable when handing the container to another person — to avoid leaking your access history. Enable for personal backups."><!--?--><svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                                        <circle cx="8" cy="8" r="7" stroke="currentColor" stroke-width="1.3" />
                                        <path d="M8 7v4.5" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                                        <circle cx="8" cy="5" r="0.8" fill="currentColor" />
                                    </svg></button></span>
                            <label class="switch" id="settings-export-logs">
                                <input type="checkbox">
                                <span class="switch-slider"></span>
                            </label>
                        </div>
                        <div class="settings-row">
                            <span class="settings-label">Auto-lock (inactivity)</span>
                            <div class="custom-dd" id="settings-autolock-dd">
                                <div class="custom-dd-head">
                                    <span class="custom-dd-val">1 hour</span>
                                    <svg width="12" height="12" viewBox="0 0 24 24" fill="currentColor">
                                        <path d="M7 10l5 5 5-5z" />
                                    </svg>
                                </div>
                                <div class="custom-dd-menu">
                                    <div class="custom-dd-opt" data-value="0">Never</div>
                                    <div class="custom-dd-opt" data-value="5">5 minutes</div>
                                    <div class="custom-dd-opt" data-value="10">10 minutes</div>
                                    <div class="custom-dd-opt" data-value="15">15 minutes</div>
                                    <div class="custom-dd-opt" data-value="20">20 minutes</div>
                                    <div class="custom-dd-opt" data-value="30">30 minutes</div>
                                    <div class="custom-dd-opt" data-value="60">1 hour</div>
                                </div>
                            </div>
                        </div>
                    </div>
                    <div class="settings-section">
                        <div class="settings-section-title">Personalization</div>
                        <div class="settings-row">
                            <span class="settings-label">Icon size</span>
                            <div class="settings-toggle-group" id="settings-icon-size">
                                <button class="settings-toggle-btn active" data-value="small">Small</button>
                                <button class="settings-toggle-btn" data-value="normal">Normal</button>
                                <button class="settings-toggle-btn" data-value="large">Large</button>
                            </div>
                        </div>
                        <div class="settings-row">
                            <span class="settings-label">Show grid dots</span>
                            <label class="switch" id="settings-grid-dots">
                                <input type="checkbox" checked>
                                <span class="switch-slider"></span>
                            </label>
                        </div>
                        <div class="settings-row">
                            <span class="settings-label">Disable animations</span>
                            <label class="switch" id="settings-animations">
                                <input type="checkbox">
                                <span class="switch-slider"></span>
                            </label>
                        </div>
                        <div class="settings-row">
                            <span class="settings-label">Show drag position preview</span>
                            <label class="switch" id="settings-snap-highlight">
                                <input type="checkbox" checked>
                                <span class="switch-slider"></span>
                            </label>
                        </div>
                    </div>
                    <div class="settings-section">
                        <div class="settings-section-title">Diagnostics</div>
                        <div class="settings-desc">
                            Run a full integrity scan of the container's virtual file system and database records. Detects orphaned nodes, broken parent references, duplicate names, missing blobs, and other structural issues — with one-click auto-repair.
                        </div>
                        <div class="settings-row">
                            <span class="settings-label">Container integrity</span>
                            <button class="btn" id="fs-check-open">
                                <svg width="13" height="13" viewBox="0 0 20 20" fill="none">
                                    <path d="M10 1.5L3 5.5v4.5c0 4.3 3 8.2 7 9.5 4-1.3 7-5.2 7-9.5V5.5L10 1.5z" stroke="currentColor" stroke-width="1.5" fill="none" />
                                    <path d="M7.5 10.5l2 2 3.5-4" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" stroke-linejoin="round" />
                                </svg>
                                Run diagnostics
                            </button>
                        </div>
                    </div>
                    <div class="settings-section danger-zone-section">
                        <div class="settings-section-title danger-zone-title">Danger Zone</div>
                        <div class="danger-zone-body">
                            <div class="danger-zone-header">
                                <div>
                                    <div class="danger-zone-label">
                                        <svg width="13" height="13" viewBox="0 0 24 24" fill="none">
                                            <path d="M12 2L3 7v5c0 5.25 3.75 10.15 9 11.25C17.25 22.15 21 17.25 21 12V7L12 2z" stroke="currentColor" stroke-width="1.5" fill="none" />
                                            <path d="M12 8v5" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" />
                                            <circle cx="12" cy="15.5" r="0.75" fill="currentColor" />
                                        </svg>
                                        Duress password
                                    </div>
                                    <div class="danger-zone-desc">
                                        A secondary password entered under coercion. When used anywhere — unlock, change password, or export — it behaves <strong>exactly like an incorrect password</strong>, but silently and <strong>irreversibly destroys</strong> every encrypted file in the background. The real password still works afterward, but all data inside is already gone — indistinguishable from storage corruption.
                                    </div>
                                </div>
                                <label class="switch danger-zone-switch">
                                    <input type="checkbox" id="settings-duress-cb">
                                    <span class="switch-slider switch-slider-danger"></span>
                                </label>
                            </div>
                            <div id="duress-form">
                                <div class="form-group duress-fg">
                                    <label class="form-label duress-fl">Duress Password <span class="duress-hint">(min. 4 characters)</span></label>
                                    <div class="input-wrap">
                                        <input type="password" class="input" id="duress-pw" placeholder="Enter duress password" autocomplete="new-password">
                                        <button class="input-eye" id="duress-pw-eye" tabindex="-1"></button>
                                    </div>
                                    <div class="pw-strength" id="duress-pw-strength"></div>
                                    <div class="pw-strength-row" id="duress-pw-strength-label"></div>
                                </div>
                                <div class="form-group duress-fg">
                                    <label class="form-label duress-fl">Confirm</label>
                                    <input type="password" class="input" id="duress-pw2" placeholder="Repeat duress password" autocomplete="new-password">
                                </div>
                                <div class="duress-set-error" id="duress-set-error"></div>
                                <button class="btn btn-danger duress-set-btn" id="duress-set-ok">Set Duress Password</button>
                            </div>
                            <div id="duress-active-info" class="duress-active-info">
                                <div class="duress-active-badge">
                                    <span class="duress-active-dot"></span>
                                    Active — entering this password will silently destroy all files
                                </div>
                                <button class="btn btn-danger duress-remove-btn" id="duress-remove-btn">Remove Duress Password</button>
                            </div>
                        </div>
                    </div>
                </div>
                <!-- Statistics Tab -->
                <div class="settings-panel" id="settings-statistics" style="display:none">
                    <div class="settings-section">
                        <div class="stats-grid" id="stats-grid"></div>
                        <div class="stats-chart-wrap">
                            <span class="settings-label settings-label-block">File Types</span>
                            <div class="stats-bar-chart" id="stats-bar-chart"></div>
                        </div>
                        <div class="stats-chart-wrap">
                            <span class="settings-label settings-label-block">Storage Usage</span>
                            <div class="stats-storage-bar" id="stats-storage-bar"></div>
                            <div class="stats-storage-labels" id="stats-storage-labels"></div>
                        </div>
                        <div class="stats-chart-wrap">
                            <span class="settings-label settings-label-block">Largest Files</span>
                            <div class="stats-top-files" id="stats-top-files"></div>
                        </div>
                    </div>
                </div>
                <!-- Activity Logs Tab -->
                <div class="settings-panel" id="settings-activity-logs" style="display:none">
                    <div class="alog-toolbar" id="alog-toolbar" style="display:none">
                        <div class="alog-filters" id="alog-filters"></div>
                        <button class="alog-clear-btn" id="alog-clear-btn">
                            <svg width="12" height="12" viewBox="0 0 16 16" fill="none">
                                <path d="M2 4h12" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" />
                                <path d="M5 4V2h6v2M3 4l1 10h8l1-10" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round" />
                            </svg>
                            Clear
                        </button>
                    </div>
                    <div class="alog-off" id="alog-off" style="display:none">
                        <svg width="28" height="28" viewBox="0 0 16 16" fill="none">
                            <path d="M4 3v10M2 5l2-2 2 2M12 13V3M10 11l2 2 2-2" stroke="currentColor" stroke-width="1.3" stroke-linecap="round" stroke-linejoin="round" />
                        </svg>
                        <span class="alog-off-text">Activity Logs are disabled</span>
                        <button class="btn btn-primary" id="alog-enable-btn">Enable</button>
                    </div>
                    <div class="alog-empty" id="alog-empty" style="display:none">
                        <svg width="28" height="28" viewBox="0 0 16 16" fill="none">
                            <path d="M4 3v10M2 5l2-2 2 2M12 13V3M10 11l2 2 2-2" stroke="currentColor" stroke-width="1.3" stroke-linecap="round" stroke-linejoin="round" />
                        </svg>
                        <span class="alog-off-text">No activity recorded yet</span>
                    </div>
                    <div class="alog-list" id="alog-list">
                        <div class="alog-content" id="alog-content"></div>
                    </div>
                </div>

            </div>
            <div class="modal-footer">
                <button class="btn btn-primary" id="settings-ok">Done</button>
            </div>
        </div>

        <!-- ==================== SCANNER MODAL ==================== -->
        <div class="modal modal-scanner" id="modal-scanner" style="display:none">
            <div class="modal-header">
                <span class="modal-title">Container Integrity Scanner</span>
                <button class="modal-close" id="scanner-close">
                    <svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" />
                    </svg>
                </button>
            </div>
            <div class="modal-body scanner-body">
                <div class="scanner-desc">
                    <svg class="scanner-shield" width="32" height="32" viewBox="0 0 24 26" fill="none">
                        <path d="M12 3L3.5 7.5v4.5c0 5.2 3.6 10 8.5 11.5 4.9-1.5 8.5-6.3 8.5-11.5V7.5L12 3z" stroke="currentColor" stroke-width="1.5" fill="none" />
                        <path d="M9 13l2.5 2.5 4-4.5" stroke="currentColor" stroke-width="1.6" stroke-linecap="square" stroke-linejoin="round" />
                    </svg>
                    <div>
                        <div class="scanner-desc-title">Full container scan</div>
                        <div class="scanner-desc-text">Deep analysis of the virtual disk image, encrypted file table, folder hierarchy, desktop layout, and workspace environment of this crypto-container.</div>
                    </div>
                </div>
                <div class="scanner-log" id="scanner-log"></div>
                <div class="scanner-summary" id="scanner-summary" style="display:none"></div>
            </div>
            <div class="modal-footer">
                <button class="btn" id="scanner-repair" style="display:none">
                    <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                        <path d="M2 9l3 3 7-8" stroke="currentColor" stroke-width="1.6" stroke-linecap="square" stroke-linejoin="round" />
                    </svg>
                    Auto-Repair
                </button>
                <button class="btn btn-deep-clean" id="scanner-deep-clean" style="display:none">
                    <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                        <path d="M9.5 1L4.5 9H8.5L6.5 15L13 7H9L9.5 1z" stroke="currentColor" stroke-width="1.3" stroke-linejoin="round" stroke-linecap="round" fill="none" />
                    </svg>
                    Deep Clean
                </button>
                <button class="btn btn-primary" id="scanner-start">Start Scan</button>
            </div>
        </div>

    </div>

    <!-- ==================== REPAIR CONFIRMATION DIALOG ==================== -->
    <div class="repair-confirm-overlay" id="repair-confirm-overlay">
        <div class="repair-confirm-dialog">
            <div class="repair-confirm-icon">
                <svg width="28" height="28" viewBox="0 0 24 24" fill="none">
                    <path d="M12 2L1 21h22L12 2z" stroke="currentColor" stroke-width="1.5" stroke-linejoin="round" fill="none" />
                    <path d="M12 10v4" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" />
                    <circle cx="12" cy="17.5" r="0.8" fill="currentColor" />
                </svg>
            </div>
            <div class="repair-confirm-title">Export before repair</div>
            <div class="repair-confirm-text">Auto-Repair may delete unrecoverable files and restructure the virtual disk. It is strongly recommended to export a backup of your container before proceeding.</div>
            <div class="repair-confirm-actions">
                <button class="btn" id="repair-confirm-export">
                    <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                        <path d="M2 10v3h12v-3" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" stroke-linejoin="round" />
                        <path d="M8 2v8M5 7l3 3 3-3" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" stroke-linejoin="round" />
                    </svg>
                    Export
                </button>
                <button class="btn btn-primary" id="repair-confirm-proceed">Proceed with repair</button>
                <button class="btn" id="repair-confirm-cancel">Cancel</button>
            </div>
        </div>
    </div>

    <!-- ==================== TOAST CONTAINER ==================== -->
    <div id="toast-container"></div>

    <!-- ==================== SCRIPTS (dependency order) ==================== -->
    <!-- daemon.js already loaded in <head> — runs before any other module -->
    <script src="js/libs/argon2.umd.min.js"></script>
    <script src="js/initlog.js"></script>
    <script src="js/constants.js"></script>
    <script src="js/db.js"></script>
    <script src="js/crypto.js"></script>
    <script src="js/vfs.js"></script>
    <script src="js/state.js"></script>
    <script src="js/home.js"></script>
    <script src="js/desktop.js"></script>
    <script src="js/fileops.js"></script>
    <script src="js/detectors/incognito.js"></script>
    <script src="js/main.js"></script>

</body>

</html>

================================================
FILE: src/js/constants.js
================================================
'use strict';

/* ============================================================
   CONSTANTS
   ============================================================ */
const DB_NAME = 'SafeNovaEFS',
    DB_VERSION = 3,
    CONTAINER_LIMIT = 8 * 1024 * 1024 * 1024,   // 8 GB per container
    FILE_CHUNK_SIZE = 50 * 1024 * 1024,         // 50 MB per IDB chunk — avoids browser ~2 GB read limit
    DEVICE_LIMIT = 20 * 1024 * 1024 * 1024,     // 20 GB total device display limit

    ARGON2_MEM = 19456,                         // 19 MB memory cost (OWASP minimum)
    ARGON2_ITER = 2,                            // time cost (iterations)
    ARGON2_PAR = 1,                             // parallelism
    VERIFY_TEXT = 'SafeNovaEFS-VERIFY-OK';
// Degree of parallelism for AES-GCM operations: cap at 8 to avoid
// flooding the thread with microtasks on high-core-count machines.
const _CRYPTO_CONCURRENCY = Math.min(8, navigator.hardwareConcurrency || 4);
let ICON_W = 84,
    ICON_H = 90;
let GRID_X = 96,   // horizontal grid cell size
    GRID_Y = 96;   // vertical   grid cell size

/* ============================================================
   UTILITIES
   ============================================================ */
function uid() {
    return crypto.randomUUID
        ? crypto.randomUUID()
        : Date.now().toString(36) + Math.random().toString(36).slice(2);
}

/* ============================================================
   TAB IDENTITY
   Each browser tab gets a stable UUID so we can detect when
   the same container is being opened in two different tabs.
   Stored in sessionStorage so a page refresh keeps the same ID,
   while a brand-new tab always gets a fresh one.
   ============================================================ */
const _TAB_ID = (() => {
    let id = sessionStorage.getItem('snv-tab-id');
    if (!id) { id = uid(); sessionStorage.setItem('snv-tab-id', id); }
    return id;
})();

function fmtSize(b) {
    if (!Number.isFinite(b) || b <= 0) return '0 B';
    const k = 1024, s = ['B', 'KB', 'MB', 'GB', 'TB'],
        i = Math.min(Math.floor(Math.log(b) / Math.log(k)), s.length - 1);
    return (b / Math.pow(k, i)).toFixed(i > 0 ? 1 : 0) + ' ' + s[i];
}

function fmtDate(ts) {
    const d = new Date(ts);
    return d.toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' }) + ' ' +
        d.toLocaleTimeString('en-US', { hour: '2-digit', minute: '2-digit' });
}

function getExt(name) {
    const p = name.lastIndexOf('.');
    return p > 0 ? name.slice(p + 1).toLowerCase() : '';
}

function getMime(name) {
    const e = getExt(name);
    return ({
        txt: 'text/plain', md: 'text/markdown', html: 'text/html', htm: 'text/html',
        css: 'text/css', js: 'text/javascript', ts: 'text/typescript', json: 'application/json',
        xml: 'application/xml', csv: 'text/csv', py: 'text/x-python', rs: 'text/x-rust',
        go: 'text/x-go', java: 'text/x-java', c: 'text/x-c', cpp: 'text/x-c++',
        sh: 'text/x-sh', bat: 'text/x-bat', yaml: 'text/yaml', yml: 'text/yaml',
        png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg', gif: 'image/gif',
        webp: 'image/webp', svg: 'image/svg+xml', bmp: 'image/bmp', ico: 'image/x-icon',
        avif: 'image/avif',
        pdf: 'application/pdf',
        mp3: 'audio/mpeg', wav: 'audio/wav', ogg: 'audio/ogg', flac: 'audio/flac', m4a: 'audio/m4a',
        mp4: 'video/mp4', webm: 'video/webm', mov: 'video/quicktime', avi: 'video/x-msvideo',
        zip: 'application/zip', rar: 'application/x-rar-compressed',
        gz: 'application/gzip', '7z': 'application/x-7z-compressed', tar: 'application/x-tar',
        doc: 'application/msword',
        docx: 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
        xls: 'application/vnd.ms-excel',
        xlsx: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
        ppt: 'application/vnd.ms-powerpoint',
        pptx: 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
        woff: 'font/woff', woff2: 'font/woff2', ttf: 'font/ttf', otf: 'font/otf',
        arj: 'application/x-arj', dbf: 'application/x-dbf',
        so: 'application/x-sharedlib',
        arj: 'application/x-arj', dbf: 'application/x-dbf',
        so: 'application/x-sharedlib',
        deb: 'application/vnd.debian.binary-package',
        iso: 'application/x-compressed-iso',
    })[e] || 'application/octet-stream';
}

function isText(mime, name) {
    return mime.startsWith('text/') ||
        ['application/json', 'application/xml', 'application/javascript'].includes(mime);
}
function isImage(mime) { return mime.startsWith('image/'); }
function isAudio(mime) { return mime.startsWith('audio/'); }
function isVideo(mime) { return mime.startsWith('video/'); }
function isPDF(mime) { return mime === 'application/pdf'; }

function buf2b64(buf) {
    const u8 = buf instanceof Uint8Array ? buf : new Uint8Array(buf),
        CHUNK = 8192;
    let s = '';
    for (let i = 0; i < u8.length; i += CHUNK)
        s += String.fromCharCode.apply(null, u8.subarray(i, Math.min(i + CHUNK, u8.length)));
    return btoa(s);
}
function b642buf(s) {
    const b = atob(s), u = new Uint8Array(b.length);
    for (let i = 0; i < b.length; i++) u[i] = b.charCodeAt(i);
    return u.buffer;
}

function pwStrength(pw) {
    let s = 0;
    if (pw.length >= 8) s++;
    if (pw.length >= 12) s++;
    if (/[a-z]/.test(pw) && /[A-Z]/.test(pw)) s++;
    if (/\d/.test(pw)) s++;
    if (/[^a-zA-Z0-9]/.test(pw)) s++;
    return s; // 0–5
}

function escHtml(str) {
    return String(str)
        .replace(/&/g, '&amp;').replace(/</g, '&lt;')
        .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

/* Shared error/cooldown SVG fragments reused across all password forms */
const _ERR_SVG = '<svg width="14" height="14" viewBox="0 0 16 16" fill="none"><path d="M8 1.5a6.5 6.5 0 100 13 6.5 6.5 0 000-13zM7.25 5h1.5v4h-1.5V5zm0 5h1.5v1.5h-1.5V10z" fill="currentColor"/></svg>';
const _WAIT_SVG = '<svg width="14" height="14" viewBox="0 0 14 14" fill="none"><circle cx="7" cy="7" r="6" stroke="currentColor" stroke-width="1.3"/><path d="M7 4v3.5l2.5 1.5" stroke="currentColor" stroke-width="1.3" stroke-linecap="round"/></svg>';

/* Shared brute-force cooldown — disables btn and shows 3-second countdown in errEl */
function _startAttemptCooldown(errEl, btn, onClear) {
    let remaining = 3;
    const upd = s => { errEl.innerHTML = `${_WAIT_SVG} Too many attempts — wait ${s}s`; errEl.style.color = 'var(--orange)'; };
    upd(remaining);
    btn.disabled = true;
    const _t = setInterval(() => {
        if (--remaining <= 0) {
            clearInterval(_t);
            errEl.innerHTML = ''; errEl.style.color = '';
            btn.disabled = false;
            onClear?.();
        } else {
            upd(remaining);
        }
    }, 1000);
}

/* SHA-256(salt_32 || pw_bytes) — used for duress password detection */
async function hashDuress(pw, salt) {
    const saltU8 = new Uint8Array(salt),
        pwU8 = new TextEncoder().encode(pw),
        combined = new Uint8Array(saltU8.length + pwU8.length);
    combined.set(saltU8);
    combined.set(pwU8, saltU8.length);
    return Array.from(new Uint8Array(await crypto.subtle.digest('SHA-256', combined)));
}

/* Check whether pw matches the duress hash stored on a container.
   Returns true if the container has a duress password and pw matches it. */
async function checkDuress(pw, container) {
    if (!container.duressHash || pw.length < 4) return false;
    const hash = await hashDuress(pw, container.duressHash.salt);
    return hash.every((b, i) => b === container.duressHash.hash[i]);
}

/* ============================================================
   FOLDER COLOR PALETTE
   ============================================================ */
const FOLDER_COLORS = [
    { label: 'Default (Blue)', color: '#0078d4' },
    { label: 'Teal', color: '#4ec9b0' },
    { label: 'Purple', color: '#9b59d0' },
    { label: 'Orange', color: '#f18800' },
    { label: 'Red', color: '#e84040' },
    { label: 'Green', color: '#3cb371' },
    { label: 'Pink', color: '#e879a0' },
    { label: 'Yellow', color: '#d4b030' },
    { label: 'Grey', color: '#7a7a7a' },
];

/* ============================================================
   SVG ICON LIBRARY  — 16×16 UI icons
   ============================================================ */
const Icons = {
    open: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M1 4.5h5l1.5 2H15v8H1z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/></svg>`,
    file: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M3 1h7l3 3v10H3z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/><path d="M10 1v3h3" stroke="currentColor" stroke-width="1.4"/></svg>`,
    folder: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M1 4.5h5l1.5 2H15v8H1z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/></svg>`,
    download: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M8 2v8M4 7l4 4 4-4M2 14h12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" stroke-linejoin="miter"/></svg>`,
    upload: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M8 10V2M4 5l4-4 4 4M2 14h12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" stroke-linejoin="miter"/></svg>`,
    rename: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M11 2l3 3-8 8H3v-3z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/><path d="M9 4l3 3" stroke="currentColor" stroke-width="1.4"/></svg>`,
    trash: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M2 4h12" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/><path d="M5 4V2h6v2" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/><path d="M3 4l1 10h8l1-10" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/><path d="M6 7v4M10 7v4" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    info: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><circle cx="8" cy="8" r="6.5" stroke="currentColor" stroke-width="1.4"/><path d="M8 7v4" stroke="currentColor" stroke-width="1.6" stroke-linecap="round"/><circle cx="8" cy="5.2" r="0.8" fill="currentColor"/></svg>`,
    paste: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="5" y="4" width="9" height="10" rx="1" stroke="currentColor" stroke-width="1.4"/><path d="M5 7H2V15h8v-1" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/><path d="M6 2h4v3H6z" stroke="currentColor" stroke-width="1.4"/></svg>`,
    sort: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M2 4h8M2 8h6M2 12h4M12 2v10" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/><path d="M9 9l3 4 3-4" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" stroke-linejoin="miter"/></svg>`,
    unlock: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="2" y="7" width="12" height="8" rx="1" stroke="currentColor" stroke-width="1.4"/><path d="M5 7V5a3 3 0 015.8-1" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    copy: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="5" y="5" width="9" height="9" rx="1" stroke="currentColor" stroke-width="1.4"/><path d="M4 11H2V2h9v2" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/></svg>`,
    cut: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><circle cx="4.5" cy="12.5" r="2" stroke="currentColor" stroke-width="1.4"/><circle cx="11.5" cy="12.5" r="2" stroke="currentColor" stroke-width="1.4"/><path d="M4.5 10.5L11 2" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/><path d="M11.5 10.5L5 2" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg>`,
    newfile: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M3 1h7l3 3v10H3z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/><path d="M10 1v3h3" stroke="currentColor" stroke-width="1.4"/><path d="M8 7v5M5.5 9.5h5" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    newfolder: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M1 4.5h5l1.5 2H15v8H1z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/><path d="M8 8.5v4M6 10.5h4" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    warning: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M8 2L1 14h14z" stroke="currentColor" stroke-width="1.4" stroke-linejoin="round"/><path d="M8 6v4" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/><circle cx="8" cy="12" r="0.8" fill="currentColor"/></svg>`,
    lock: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="2" y="7" width="12" height="8" rx="1" stroke="currentColor" stroke-width="1.4"/><path d="M5 7V5a3 3 0 016 0v2" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    key: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="11" r="3" stroke="currentColor" stroke-width="1.4"/><path d="M7.2 8.8L14 2M12 2l2 2M10 4l2 2" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    navup: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M8 12V4M4 8l4-4 4 4" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>`,
    fileup: `<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M7 9V1M3 5l4-4 4 4M2 11h10v2H2z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>`,
    filedoc: `<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M2 1h7l3 3v9H2z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/><path d="M9 1v3h3" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>`,
    filedir: `<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M1 3h5l1.5 2H13v7H1z" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>`,
    plus: `<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M7 1v12M1 7h12" stroke="currentColor" stroke-width="2" stroke-linecap="square"/></svg>`,
    close: `<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M2 2l10 10M12 2L2 12" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>`,
    eye: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M1 8s2.5-5 7-5 7 5 7 5-2.5 5-7 5-7-5-7-5z" stroke="currentColor" stroke-width="1.5"/><circle cx="8" cy="8" r="2.5" stroke="currentColor" stroke-width="1.5"/></svg>`,
    eyeoff: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M1 8s2.5-5 7-5 7 5 7 5-2.5 5-7 5-7-5-7-5z" stroke="currentColor" stroke-width="1.5"/><circle cx="8" cy="8" r="2.5" stroke="currentColor" stroke-width="1.5"/><path d="M3 3l10 10" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/></svg>`, save: `<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="1" y="1" width="12" height="12" rx="1" stroke="currentColor" stroke-width="1.5"/><rect x="3" y="1" width="8" height="5" stroke="currentColor" stroke-width="1.5"/><rect x="4" y="7" width="6" height="5" stroke="currentColor" stroke-width="1.4"/></svg>`,
    dlbtn: `<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M7 9V1M3 6l4 4 4-4M2 12h10" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>`,
    sortAsc: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M4 12V4M2 6l2-2 2 2" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/><path d="M8 5h6M8 8h4.5M8 11h3" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    sortDesc: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M4 4v8M2 10l2 2 2-2" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/><path d="M8 5h3M8 8h4.5M8 11h6" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    sortName: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M3 3h10M5 7h6M7 11h2" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>`,
    sortDate: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="2" y="3" width="12" height="11" rx="1" stroke="currentColor" stroke-width="1.4"/><path d="M2 6h12M5 1v3M11 1v3" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/></svg>`,
    sortSize: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="2" y="10" width="4" height="4" stroke="currentColor" stroke-width="1.3"/><rect x="6" y="6" width="4" height="8" stroke="currentColor" stroke-width="1.3"/><rect x="10" y="2" width="4" height="12" stroke="currentColor" stroke-width="1.3"/></svg>`,
    sortType: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M2 2h5l2 2v6H2z" stroke="currentColor" stroke-width="1.3"/><path d="M7 2v2h2" stroke="currentColor" stroke-width="1.3"/><path d="M7 8h5l2 2v4H7z" stroke="currentColor" stroke-width="1.3"/><path d="M12 8v2h2" stroke="currentColor" stroke-width="1.3"/></svg>`,
    refresh: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M13.5 8a5.5 5.5 0 01-9.8 3.4" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/><path d="M2.5 8a5.5 5.5 0 019.8-3.4" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/><path d="M12.3 2v3h-3" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" stroke-linejoin="miter"/><path d="M3.7 14v-3h3" stroke="currentColor" stroke-width="1.5" stroke-linecap="square" stroke-linejoin="miter"/></svg>`,
};

/* ============================================================
   LARGE (48×48) FILE TYPE ICONS — for desktop thumbnails
   ============================================================ */
function getFolderSVG(color) {
    // Validate: only allow CSS hex colors to prevent SVG attribute injection
    const c = /^#[0-9a-fA-F]{3,8}$/.test(color) ? color : '#0078d4';
    return `<svg width="48" height="48" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
    <path d="M4 14h17l5 7h18v21H4z" fill="${c}" opacity=".22" stroke="${c}" stroke-width="1.5" stroke-linejoin="round"/>
    <path d="M4 21h40v21H4z" fill="${c}" opacity=".35" stroke="${c}" stroke-width="1.5" stroke-linejoin="round"/>
  </svg>`;
}

function getFileIconSVG(mime, name) {
    const ext = getExt(name || '');
    if (isImage(mime)) return _bigIcon('#9cdcfe', _imgPath());
    if (isAudio(mime)) return _bigIcon('#c678dd', _audioPath());
    if (isVideo(mime)) return _bigIcon('#c678dd', _videoPath());
    if (isPDF(mime)) return _bigIcon('#f44747', _pdfPath());
    if (isText(mime, name)) {
        if (['js', 'ts', 'py', 'rs', 'go', 'java', 'c', 'cmd', 'cpp', 'cs', 'php', 'rb', 'sh', 'bat', 'ps1', 'vbs'].includes(ext))
            return _bigIcon('#dcdcaa', _codePath());
        if (['json', 'yaml', 'yml', 'xml', 'csv'].includes(ext))
            return _bigIcon('#4ec9b0', _dataPath());
        return _bigIcon('#d4d4d4', _textPath());
    }
    if (['zip', 'rar', 'gz', '7z', 'tar', 'stk', 'itk', 'ltk', 'jtk', 'arj', 'deb', 'iso', 'cso', 'rpm', 'pkg', 'appx', 'msix'].includes(ext)) return _bigIcon('#ce9178', _archivePath());
    if (['doc', 'docx', 'odt', 'rtf'].includes(ext)) return _bigIcon('#569cd6', _docPath());
    if (['xls', 'xlsx', 'xlsb', 'xlsm', 'ods'].includes(ext)) return _bigIcon('#4ec9b0', _dataPath());
    if (['ppt', 'pptx', 'odp'].includes(ext)) return _bigIcon('#ce9178', _slidePath());
    // Unknown type — show extension label inside icon (≤ 4 chars only)
    if (ext && ext.length <= 4) return _bigIconExt('#858585', ext.toUpperCase());
    return _bigIcon('#858585', _filePath());
}

function _bigIcon(color, inner) {
    return `<svg width="48" height="48" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
    <path d="M10 4h18l10 10v30H10z" fill="${color}" opacity=".1" stroke="${color}" stroke-width="1.5" stroke-linejoin="round"/>
    <path d="M28 4v10h10" stroke="${color}" stroke-width="1.5" stroke-linecap="square"/>
    ${inner.replace(/COLOR/g, color)}
  </svg>`;
}

function _filePath() { return `<path d="M16 26h16M16 31h12" stroke="COLOR" stroke-width="1.8" stroke-linecap="square" opacity=".7"/>`; }
function _textPath() { return `<path d="M16 23h16M16 28h16M16 33h11" stroke="COLOR" stroke-width="1.8" stroke-linecap="square" opacity=".7"/>`; }
function _codePath() { return `<path d="M19 22l-5 5 5 5M29 22l5 5-5 5M25 19l-4 14" stroke="COLOR" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" opacity=".8"/>`; }
function _dataPath() { return `<path d="M15 25h18M21 20v14M27 20v14" stroke="COLOR" stroke-width="1.8" stroke-linecap="square" opacity=".7"/>`; }
function _imgPath() { return `<rect x="15" y="20" width="18" height="14" rx="1" stroke="COLOR" stroke-width="1.5" opacity=".7"/><circle cx="20" cy="25" r="2" fill="COLOR" opacity=".6"/><path d="M15 31l7-5 4 4 3-2 4 3" stroke="COLOR" stroke-width="1.5" stroke-linejoin="round" opacity=".7"/>`; }
function _audioPath() { return `<circle cx="24" cy="27" r="6" stroke="COLOR" stroke-width="1.5" opacity=".7"/><circle cx="24" cy="27" r="2" fill="COLOR" opacity=".6"/><path d="M20 21v6" stroke="COLOR" stroke-width="1.8" stroke-linecap="round" opacity=".6"/>`; }
function _videoPath() { return `<rect x="13" y="21" width="15" height="12" rx="1" stroke="COLOR" stroke-width="1.5" opacity=".7"/><path d="M28 24l7-3v10l-7-3z" fill="COLOR" opacity=".5" stroke="COLOR" stroke-width="1.5" stroke-linejoin="round"/>`; }
function _pdfPath() { return `<path d="M15 23h8M15 28h10M15 33h13" stroke="COLOR" stroke-width="1.8" stroke-linecap="square" opacity=".7"/><path d="M30 21v6h5" stroke="COLOR" stroke-width="1.5" stroke-linecap="square" opacity=".5"/>`; }
function _archivePath() { return `<path d="M22 4v40M18 12h8M18 18h8M18 24h8M18 30h8" stroke="COLOR" stroke-width="1.8" stroke-linecap="square" opacity=".7"/>`; }
function _docPath() { return `<path d="M16 23h16M16 28h16M16 33h10" stroke="COLOR" stroke-width="1.8" stroke-linecap="square" opacity=".7"/><path d="M32 21l2 2-2 2" stroke="COLOR" stroke-width="1.5" stroke-linecap="round" opacity=".6"/>`; }
function _slidePath() { return `<rect x="14" y="20" width="20" height="14" rx="1" stroke="COLOR" stroke-width="1.5" opacity=".7"/><path d="M24 27l-4-4v8z" fill="COLOR" opacity=".6"/>`; }

function _bigIconExt(color, extText) {
    const fs = extText.length <= 2 ? 14 : extText.length === 3 ? 12 : 10;
    // HTML-escape the extension before inserting into SVG text content
    const safe = extText.replace(/[&<>"]/g, ch => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[ch]));
    return `<svg width="48" height="48" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
    <path d="M10 4h18l10 10v30H10z" fill="${color}" opacity=".1" stroke="${color}" stroke-width="1.5" stroke-linejoin="round"/>
    <path d="M28 4v10h10" stroke="${color}" stroke-width="1.5" stroke-linecap="square"/>
    <text x="24" y="35" text-anchor="middle" font-size="${fs}" font-weight="700" font-family="Cascadia Code,Consolas,monospace" fill="${color}" opacity=".9">${safe}</text>
  </svg>`;
}


================================================
FILE: src/js/crypto.js
================================================
'use strict';

/* ============================================================
   CRYPTO  —  AES-256-GCM + Argon2id (WASM)
   ============================================================ */
const Crypto = (() => {

    // Returns raw 32-byte Argon2id hash as Uint8Array
    async function deriveRaw(password, salt) {
        return hashwasm.argon2id({
            password,
            salt,
            parallelism: ARGON2_PAR,
            iterations: ARGON2_ITER,
            memorySize: ARGON2_MEM,
            hashLength: 32,
            outputType: 'binary',
        });
    }

    async function deriveKey(password, salt) {
        const hash = await deriveRaw(password, salt);
        return crypto.subtle.importKey(
            'raw', hash,
            { name: 'AES-GCM' },
            false,
            ['encrypt', 'decrypt']
        );
    }

    // Derives both the CryptoKey and the raw bytes in a single Argon2id pass.
    // Use instead of calling deriveKey + deriveRaw separately to avoid double hashing.
    async function deriveKeyAndRaw(password, salt) {
        const raw = await deriveRaw(password, salt),
            key = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
        return { key, raw };
    }

    // Import a pre-derived 32-byte key (skips Argon2id for session resume)
    async function importRawKey(rawBytes) {
        return crypto.subtle.importKey(
            'raw', rawBytes,
            { name: 'AES-GCM' },
            false,
            ['encrypt', 'decrypt']
        );
    }

    async function encrypt(key, data) {
        const iv = crypto.getRandomValues(new Uint8Array(12));
        const buf = data instanceof ArrayBuffer
            ? data
            : (data instanceof Uint8Array
                ? data.buffer
                : new TextEncoder().encode(typeof data === 'string' ? data : JSON.stringify(data)));
        const ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, buf);
        return { iv: Array.from(iv), blob: buf2b64(ct) };
    }

    async function decrypt(key, iv, blobB64) {
        const ivU8 = new Uint8Array(iv),
            buf = b642buf(blobB64);
        return crypto.subtle.decrypt({ name: 'AES-GCM', iv: ivU8 }, key, buf);
    }

    async function encryptBin(key, buf) {
        const iv = crypto.getRandomValues(new Uint8Array(12)),
            ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, buf);
        return { iv: Array.from(iv), blob: ct };
    }

    async function decryptBin(key, iv, blob) {
        return crypto.subtle.decrypt({ name: 'AES-GCM', iv: new Uint8Array(iv) }, key, blob);
    }

    async function makeVerification(key) {
        const { iv, blob } = await encrypt(key, VERIFY_TEXT);
        return { iv, blob };
    }

    async function checkVerification(key, iv, blob) {
        try {
            const buf = await decrypt(key, iv, blob);
            return new TextDecoder().decode(buf) === VERIFY_TEXT;
        } catch { return false; }
    }

    return { deriveRaw, deriveKey, deriveKeyAndRaw, importRawKey, encrypt, decrypt, encryptBin, decryptBin, makeVerification, checkVerification };
})();


================================================
FILE: src/js/db.js
================================================
'use strict';

/* ============================================================
   DATABASE  —  IndexedDB abstraction
   ============================================================ */
const DB = (() => {
    let _db = null;

    async function init() {
        InitLog.step('DB open (SafeNovaEFS)');
        return new Promise((res, rej) => {
            let settled = false;
            const timer = setTimeout(() => {
                if (!settled) { settled = true; InitLog.error('DB open (SafeNovaEFS)', 'timeout'); rej(new Error('SafeNovaEFS open timeout')); }
            }, 8000);
            const done = (db) => { if (!settled) { settled = true; clearTimeout(timer); _db = db; InitLog.done('DB open (SafeNovaEFS)'); res(); } };
            const fail = (e) => { if (!settled) { settled = true; clearTimeout(timer); InitLog.error('DB open (SafeNovaEFS)', e); rej(e); } };

            const req = indexedDB.open(DB_NAME, DB_VERSION);
            req.onupgradeneeded = e => {
                InitLog.step('DB schema upgrade');
                try {
                    const db = e.target.result;
                    if (!db.objectStoreNames.contains('containers')) {
                        db.createObjectStore('containers', { keyPath: 'id' });
                    }
                    if (!db.objectStoreNames.contains('files')) {
                        const fs = db.createObjectStore('files', { keyPath: 'id' });
                        fs.createIndex('cid', 'cid');
                    }
                    if (!db.objectStoreNames.contains('vfs')) {
                        db.createObjectStore('vfs', { keyPath: 'cid' });
                    }
                    if (!db.objectStoreNames.contains('chunks')) {
                        db.createObjectStore('chunks', { keyPath: 'id' });
                    }
                    InitLog.done('DB schema upgrade');
                } catch (err) { InitLog.error('DB schema upgrade', err); fail(err); }
            };
            req.onsuccess = e => done(e.target.result);
            req.onerror = () => fail(req.error);
            req.onblocked = () => {
                // Another connection prevents upgrade; close it by requesting versionchange on self
                InitLog.error('DB open (SafeNovaEFS)', 'blocked — waiting for other connections to close');
                // Keep waiting — the blocked event does NOT mean failure, just delay.
                // If it takes longer than the timeout above, we fail gracefully.
            };
        });
    }

    function rw(store) { return _db.transaction(store, 'readwrite').objectStore(store); }
    function ro(store) { return _db.transaction(store, 'readonly').objectStore(store); }
    function wrap(req) { return new Promise((r, j) => { req.onsuccess = () => r(req.result); req.onerror = () => j(req.error); }); }

    // Reassemble a chunked file record: reads N chunks from 'chunks' store,
    // merges them into a single ArrayBuffer, sets rec.blob, deletes rec._chunked.
    function _reassemble(rec) {
        return new Promise((resolve, reject) => {
            const count = rec._chunked, id = rec.id;
            const tx = _db.transaction('chunks', 'readonly'),
                store = tx.objectStore('chunks'),
                parts = new Array(count);
            let totalSize = 0, pending = count;
            for (let i = 0; i < count; i++) {
                const req = store.get(id + '_' + i);
                req.onsuccess = () => {
                    const d = req.result?.data;
                    if (d) { parts[i] = d; totalSize += d.byteLength; }
                    if (--pending === 0) {
                        // Reject if any chunk is missing — silently skipping a missing chunk
                        // corrupts all subsequent offsets and produces garbled data.
                        for (let k = 0; k < count; k++) {
                            if (!parts[k]) { reject(new Error('Missing chunk ' + id + '_' + k)); return; }
                        }
                        const merged = new Uint8Array(totalSize);
                        let off = 0;
                        for (const p of parts) { merged.set(new Uint8Array(p), off); off += p.byteLength; }
                        rec.blob = merged.buffer;
                        delete rec._chunked;
                        resolve(rec);
                    }
                };
                req.onerror = () => reject(req.error);
            }
        });
    }

    // Returns 2 distinct non-adjacent random indices within [0, size).
    // Falls back gracefully for very small buffers.
    function _twoRandPos(size) {
        if (size < 2) return size ? [0] : [];
        if (size < 4) return [0, size - 1]; // small buffer — take ends
        const a = Math.floor(Math.random() * size);
        let b;
        do { b = Math.floor(Math.random() * size); } while (Math.abs(b - a) <= 1);
        return [a, b];
    }

    // XOR-flips 2 random non-adjacent bytes in the buffer with a random non-zero value.
    // Position and delta are unknown and unreproducible — guaranteed to change each byte.
    function _corruptRandBytes(buf) {
        if (!buf || buf.byteLength < 1) return;
        const arr = new Uint8Array(buf);
        for (const p of _twoRandPos(arr.length)) {
            arr[p] ^= (Math.floor(Math.random() * 255) + 1);
        }
    }

    // Cryptographic pre-shredding — makes every encrypted blob irrecoverable:
    //   • Inline files : XOR-flip 2 random non-adjacent bytes in the ciphertext.
    //     Any 1-byte change in AES-GCM ciphertext causes GCM auth-tag failure
    //     for the entire file. Position and XOR delta are unknown and unlogged.
    //   • Chunked files: zero the IV stored in the file record — no chunk data
    //     is read at all, making this path maximally fast for large files.
    //     Without a valid IV, AES-GCM decryption cannot even begin.
    // Best-effort — always resolves so deletion / duress flow can continue.
    function _corruptFileBlobs(ids) {
        return new Promise((resolve) => {
            if (!ids.length) { resolve(); return; }
            const tx = _db.transaction(['files', 'chunks'], 'readwrite'),
                fs = tx.objectStore('files'),
                cs = tx.objectStore('chunks');
            tx.oncomplete = () => resolve();
            tx.onerror = (e) => { e.preventDefault(); resolve(); };
            tx.onabort = () => resolve();
            ids.forEach(id => {
                const req = fs.get(id);
                req.onsuccess = () => {
                    const rec = req.result;
                    if (!rec) return;
                    if (rec._chunked) {
                        // Large file: zero the IV — avoids reading any chunk data entirely.
                        // AES-GCM without a valid IV is unconditionally undecryptable.
                        // rec.iv is stored as a plain JS Array (via Array.from()), not an ArrayBuffer,
                        // so we must fill in-place rather than wrapping in a TypedArray view.
                        if (Array.isArray(rec.iv)) {
                            for (let _i = 0; _i < rec.iv.length; _i++) rec.iv[_i] = 0;
                        } else if (rec.iv instanceof ArrayBuffer) {
                            new Uint8Array(rec.iv).fill(0);
                        } else if (ArrayBuffer.isView(rec.iv)) {
                            new Uint8Array(rec.iv.buffer, rec.iv.byteOffset, rec.iv.byteLength).fill(0);
                        }
                        fs.put(rec);
                    } else if (rec.blob) {
                        // Inline file: XOR-flip 2 random non-adjacent bytes in the ciphertext.
                        _corruptRandBytes(rec.blob);
                        fs.put(rec);
                    }
                };
                req.onerror = (e) => e.preventDefault();
            });
        });
    }

    return {
        init,
        /* containers */
        getContainers: () => wrap(ro('containers').getAll()),
        saveContainer: (c) => wrap(rw('containers').put(c)),
        deleteContainer: (id) => wrap(rw('containers').delete(id)),

        /* files */
        saveFile: async (f) => {
            const blobSize = f.blob ? (f.blob.byteLength ?? 0) : 0;
            if (blobSize > FILE_CHUNK_SIZE) {
                const chunkCount = Math.ceil(blobSize / FILE_CHUNK_SIZE),
                    tx = _db.transaction(['files', 'chunks'], 'readwrite'),
                    fs = tx.objectStore('files'),
                    cs = tx.objectStore('chunks');
                fs.put({ id: f.id, cid: f.cid, iv: f.iv, blob: null, _chunked: chunkCount, _blobSize: blobSize });
                for (let i = 0; i < chunkCount; i++) {
                    const start = i * FILE_CHUNK_SIZE;
                    cs.put({ id: f.id + '_' + i, data: f.blob.slice(start, Math.min(start + FILE_CHUNK_SIZE, blobSize)) });
                }
                return new Promise((r, j) => { tx.oncomplete = () => r(); tx.onerror = () => j(tx.error); });
            }
            return wrap(rw('files').put(f));
        },
        getFile: async (id) => {
            let rec;
            try { rec = await wrap(ro('files').get(id)); }
            catch (e) { console.error('[DB] Failed to read file record:', id, e); return null; }
            if (!rec) return rec;
            if (rec._chunked) return _reassemble(rec);
            return rec;
        },
        getFilesByCid: async (cid) => {
            let recs;
            try {
                recs = await wrap(ro('files').index('cid').getAll(cid));
            } catch {
                // Fallback: key cursor → individual reads (handles unreadable oversized records)
                const keys = await new Promise((res, rej) => {
                    const tx = _db.transaction('files', 'readonly'),
                        idx = tx.objectStore('files').index('cid'),
                        r = [],
                        req = idx.openKeyCursor(IDBKeyRange.only(cid));
                    req.onsuccess = () => { const c = req.result; if (!c) { res(r); return; } r.push(c.primaryKey); c.continue(); };
                    req.onerror = () => rej(req.error);
                });
                recs = [];
                for (const key of keys) {
                    try { const r = await wrap(ro('files').get(key)); if (r) recs.push(r); }
                    catch (e) { console.error('[DB] Skipping unreadable file:', key, e); }
                }
            }
            const chunked = recs.filter(r => r._chunked);
            if (chunked.length) await Promise.all(chunked.map(r => _reassemble(r)));
            return recs;
        },
        // Lightweight: returns [{id, iv, sz}] without chunk reassembly
        getFileMetaByCid: (cid) => new Promise((resolve, reject) => {
            const tx = _db.transaction('files', 'readonly'),
                idx = tx.objectStore('files').index('cid'),
                req = idx.openCursor(IDBKeyRange.only(cid)),
                results = [];
            req.onsuccess = () => {
                const c = req.result;
                if (c) {
                    const r = c.value;
                    results.push({
                        id: r.id, iv: r.iv,
                        sz: r._chunked ? (r._blobSize ?? -1) : (r.blob ? (r.blob.byteLength || 0) : 0)
                    });
                    c.continue();
                } else resolve(results);
            };
            req.onerror = () => reject(req.error);
        }),
        deleteFile: async (id) => {
            let chunked = 0;
            try { const rec = await wrap(ro('files').get(id)); if (rec?._chunked) chunked = rec._chunked; }
            catch { /* unreadable record — not chunked */ }
            if (chunked) {
                const tx = _db.transaction(['files', 'chunks'], 'readwrite');
                tx.objectStore('files').delete(id);
                const cs = tx.objectStore('chunks');
                for (let i = 0; i < chunked; i++) cs.delete(id + '_' + i);
                return new Promise((r, j) => { tx.oncomplete = () => r(); tx.onerror = () => j(tx.error); });
            }
            return wrap(rw('files').delete(id));
        },
        // Batch-delete multiple file records (and their chunks) in IndexedDB
        deleteFiles: async (ids) => {
            if (!ids || !ids.length) return;
            // Phase 1: check which files are chunked (read-only, safe for broken records)
            const chunkInfo = new Map();
            await new Promise((resolve) => {
                const tx = _db.transaction('files', 'readonly'),
                    store = tx.objectStore('files');
                let pending = ids.length;
                const done = () => { if (--pending === 0) resolve(); };
                ids.forEach(id => {
                    const req = store.get(id);
                    req.onsuccess = () => { if (req.result?._chunked) chunkInfo.set(id, req.result._chunked); done(); };
                    req.onerror = (e) => { e.preventDefault(); done(); };
                });
            });
            // Phase 2: delete file records + associated chunks
            const stores = chunkInfo.size ? ['files', 'chunks'] : ['files'],
                tx = _db.transaction(stores, 'readwrite'),
                fs = tx.objectStore('files');
            ids.forEach(id => fs.delete(id));
            if (chunkInfo.size) {
                const cs = tx.objectStore('chunks');
                for (const [id, count] of chunkInfo) {
                    for (let i = 0; i < count; i++) cs.delete(id + '_' + i);
                }
            }
            return new Promise((r, j) => { tx.oncomplete = () => r(); tx.onerror = () => j(tx.error); });
        },
        // Batch-save multiple file records in a single IndexedDB transaction (with chunking for large blobs)
        saveFiles: (files) => new Promise((res, rej) => {
            if (!files || !files.length) { res(); return; }
            const hasChunked = files.some(f => f.blob && (f.blob.byteLength ?? 0) > FILE_CHUNK_SIZE),
                stores = hasChunked ? ['files', 'chunks'] : ['files'],
                tx = _db.transaction(stores, 'readwrite'),
                fileStore = tx.objectStore('files'),
                chunkStore = hasChunked ? tx.objectStore('chunks') : null;
            files.forEach(f => {
                const blobSize = f.blob ? (f.blob.byteLength ?? 0) : 0;
                if (blobSize > FILE_CHUNK_SIZE) {
                    const chunkCount = Math.ceil(blobSize / FILE_CHUNK_SIZE);
                    fileStore.put({ id: f.id, cid: f.cid, iv: f.iv, blob: null, _chunked: chunkCount, _blobSize: blobSize });
                    for (let i = 0; i < chunkCount; i++) {
                        const start = i * FILE_CHUNK_SIZE;
                        chunkStore.put({ id: f.id + '_' + i, data: f.blob.slice(start, Math.min(start + FILE_CHUNK_SIZE, blobSize)) });
                    }
                } else {
                    fileStore.put(f);
                }
            });
            tx.oncomplete = () => res();
            tx.onerror = () => rej(tx.error);
        }),
        // Batch-read specific file records by id array in a single IDB transaction.
        // Returns a Map<id, record> so callers can look up by id in O(1).
        getFilesByIds: (ids) => new Promise((res, rej) => {
            if (!ids || !ids.length) { res(new Map()); return; }
            const tx = _db.transaction('files', 'readonly'),
                store = tx.objectStore('files'),
                result = new Map(),
                chunkedRecs = [];
            let pending = ids.length;
            ids.forEach(id => {
                const req = store.get(id);
                req.onsuccess = () => {
                    if (req.result) {
                        result.set(id, req.result);
                        if (req.result._chunked) chunkedRecs.push(req.result);
                    }
                    if (--pending === 0) {
                        if (chunkedRecs.length) {
                            Promise.all(chunkedRecs.map(r => _reassemble(r))).then(() => res(result)).catch(rej);
                        } else res(result);
                    }
                };
                req.onerror = (event) => {
                    console.error('[DB] Failed to read file:', id, req.error);
                    event.preventDefault();
                    if (--pending === 0) {
                        if (chunkedRecs.length) {
                            Promise.all(chunkedRecs.map(r => _reassemble(r))).then(() => res(result)).catch(rej);
                        } else res(result);
                    }
                };
            });
        }),

        /* vfs */
        saveVFS: (cid, iv, blob) => wrap(rw('vfs').put({ cid, iv, blob })),
        getVFS: (cid) => wrap(ro('vfs').get(cid)),
        deleteVFS: (cid) => wrap(rw('vfs').delete(cid)),

        /* nuke container — corrupts blobs, then deletes everything (uses key cursor to avoid deserializing large blobs) */
        async nukeContainer(cid) {
            const ids = await new Promise((resolve, reject) => {
                const tx = _db.transaction('files', 'readonly'),
                    idx = tx.objectStore('files').index('cid'),
                    r = [],
                    req = idx.openKeyCursor(IDBKeyRange.only(cid));
                req.onsuccess = () => { const c = req.result; if (!c) { resolve(r); return; } r.push(c.primaryKey); c.continue(); };
                req.onerror = () => reject(req.error);
            });
            if (ids.length) {
                await _corruptFileBlobs(ids); // XOR-flip 2 random bytes (inline) / zero IV (chunked)
                await this.deleteFiles(ids);
            }
            await this.deleteVFS(cid);
            // Null out lazyWorkspace/heavy blobs before deleting the container record.
            // Chrome stores large Blobs in external files; IDB delete queues them for
            // lazy GC but navigator.storage.estimate() still counts them as used.
            // Overwriting with null forces immediate blob file release.
            try {
                const c = await wrap(ro('containers').get(cid));
                if (c && (c.lazyWorkspace || c._alogZ || c._exportCache)) {
                    c.lazyWorkspace = null;
                    c._alogZ = null;
                    c._exportCache = null;
                    await wrap(rw('containers').put(c));
                }
            } catch { /* read failed — proceed to delete */ }
            await this.deleteContainer(cid);
        },

        /* duress trigger — zero-overwrites blobs but does NOT delete anything */
        async corruptContainerBlobs(cid) {
            const ids = await new Promise((resolve, reject) => {
                const tx = _db.transaction('files', 'readonly'),
                    idx = tx.objectStore('files').index('cid'),
                    r = [],
                    req = idx.openKeyCursor(IDBKeyRange.only(cid));
                req.onsuccess = () => { const c = req.result; if (!c) { resolve(r); return; } r.push(c.primaryKey); c.continue(); };
                req.onerror = () => reject(req.error);
            });
            if (ids.length) await _corruptFileBlobs(ids);
        }
    };
})();


================================================
FILE: src/js/desktop.js
================================================
'use strict';

/* ============================================================
   SAVE VFS
   ============================================================ */
async function saveVFS() {
    if (!App.key || !App.container) return;
    try {
        const jsonBuf = new TextEncoder().encode(JSON.stringify(VFS.toObj())),
            { iv, blob } = await Crypto.encryptBin(App.key, jsonBuf);
        await DB.saveVFS(App.container.id, iv, blob);
        App.container.totalSize = VFS.totalSize();
        // Strip raw log so only compressed _alogZ gets persisted
        const _tmpLog = App.container.activityLog;
        delete App.container.activityLog;
        await DB.saveContainer(App.container);
        if (_tmpLog) App.container.activityLog = _tmpLog;
        Desktop.updateTaskbar();
    } catch (e) { console.error('saveVFS error', e); }
}

/* ============================================================
   ACTIVITY LOGS
   ============================================================ */
const ALOG_MAX = 2048;
let _alogSaveTimer = null, _alogRafId = null, _alogFilters = null;
let _activityLog = []; // in-memory ring buffer; never stored raw on the container

// ── Compression (deflate, built-in, zero-dependency) ────────
async function _compressBytes(bytes) {
    const cs = new Blob([bytes]).stream().pipeThrough(new CompressionStream('deflate'));
    return new Uint8Array(await new Response(cs).arrayBuffer());
}
async function _decompressBytes(bytes) {
    const ds = new Blob([bytes]).stream().pipeThrough(new DecompressionStream('deflate'));
    return new Uint8Array(await new Response(ds).arrayBuffer());
}
// Compress with a 5 s safety timeout — returns compressed bytes on success,
// or the original bytes unchanged if compression fails or times out.
async function _compressBytesOrRaw(bytes) {
    try {
        return await Promise.race([
            _compressBytes(bytes),
            new Promise((_, rej) => setTimeout(() => rej(new Error('compress timeout')), 5000))
        ]);
    } catch { return bytes; }
}
async function _compressLog(arr) {
    return _compressBytes(new TextEncoder().encode(JSON.stringify(arr)));
}
async function _decompressLog(bytes) {
    return JSON.parse(new TextDecoder().decode(await _decompressBytes(bytes)));
}
async function _loadActivityLog() {
    const pending = _activityLog.length ? _activityLog.slice() : [];
    _activityLog = [];
    if (!App.container) return;
    if (App.container._alogZ) {
        try {
            const z = App.container._alogZ;
            // New format: { iv, blob } — AES-256-GCM encrypted, then zlib-compressed
            const raw = (z && z.iv && z.blob)
                ? new Uint8Array(await Crypto.decrypt(App.key, z.iv, z.blob))
                : z; // legacy: plain compressed bytes (migrate on next flush)
            _activityLog = await _decompressLog(raw);
        } catch { }
    }
    // Migrate old uncompressed plaintext format
    if (Array.isArray(App.container.activityLog)) {
        _activityLog = _activityLog.concat(App.container.activityLog);
        delete App.container.activityLog;
    }
    // Merge any entries pushed during async decompress
    if (pending.length) _activityLog = _activityLog.concat(pending);
    if (_activityLog.length > ALOG_MAX) _activityLog.splice(0, _activityLog.length - ALOG_MAX);
}
async function _flushActivityLog() {
    _alogSaveTimer = null;
    if (!App.container || !App.key || !_activityLog.length) return;
    try {
        // Compress then encrypt — attacker must NOT read activity logs
        const compressed = await _compressLog(_activityLog);
        const { iv, blob } = await Crypto.encrypt(App.key, compressed);
        App.container._alogZ = { iv, blob };
        delete App.container.activityLog;
        await DB.saveContainer(App.container);
    } catch (e) { console.error('_flushActivityLog', e); }
}

/* ============================================================
   OPEN-FOLDER GUARD  — shared by drag handlers and file ops
   Returns the id of the first open-folder in ids, or null.
   ============================================================ */
function _getOpenFolderIds() {
    if (typeof WinManager === 'undefined') return new Set();
    const ids = new Set();
    WinManager._wins.forEach(w => {
        let cur = w.folderId;
        while (cur && cur !== 'root') { ids.add(cur); cur = (VFS.node(cur) || {}).parentId; }
    });
    return ids;
}
function _openFolderGuard(ids) {
    const open = _getOpenFolderIds();
    return [...ids].find(id => { const n = VFS.node(id); return n && n.type === 'folder' && open.has(id); }) ?? null;
}

// ── logActivity ─────────────────────────────────────────────
function logActivity(op, detail, count, itemPath, destPath) {
    if (!App.container) return;
    if (_getSettings().activityLogs === false) return;
    const entry = { t: Date.now(), o: op, d: detail };
    if (count > 1) entry.n = count;
    let p = itemPath ?? null;
    if (!p && App.folder) {
        p = VFS.fullPath(App.folder);
    }
    if (p && p !== '/') entry.p = p;
    if (destPath && destPath !== '/') entry.p2 = destPath;
    _activityLog.push(entry);
    if (_activityLog.length > ALOG_MAX) _activityLog.splice(0, _activityLog.length - ALOG_MAX);
    if (_alogSaveTimer) clearTimeout(_alogSaveTimer);
    _alogSaveTimer = setTimeout(_flushActivityLog, 3000);
}

// ── Helpers ─────────────────────────────────────────────────
function _alogRelTime(ts) {
    const d = Date.now() - ts;
    if (d < 60000) return 'Just now';
    if (d < 3600000) return Math.floor(d / 60000) + 'm ago';
    if (d < 86400000) return Math.floor(d / 3600000) + 'h ago';
    if (d < 604800000) return Math.floor(d / 86400000) + 'd ago';
    return new Date(ts).toLocaleDateString(undefined, { month: 'short', day: 'numeric', year: 'numeric' });
}
// Show path compactly: /~/Container/…/parent/name for deep paths
function _alogPathDisplay(p) {
    if (!p) return '';
    const segs = p.split('/').filter(Boolean); // ['~', 'Container', 'a', 'b', 'file']
    if (p.length <= 58 || segs.length <= 4) return p;
    const prefix = '/~/' + segs[1] + '/\u2026/',
        tail = segs.slice(-2).join('/') + (p.endsWith('/') ? '/' : ''),
        result = prefix + tail;
    // If still too long, keep only the last segment
    return result.length <= 62 ? result : prefix + segs[segs.length - 1] + (p.endsWith('/') ? '/' : '');
}
function _alogOpLabel(op) {
    const map = {
        upload: 'Uploaded', delete: 'Deleted', rename: 'Renamed', move: 'Moved',
        copy: 'Copied', cut: 'Cut', paste: 'Pasted', 'create-file': 'Created',
        'create-folder': 'New Folder', color: 'Color', edit: 'Saved',
        download: 'Exported', 'export-zip': 'ZIP Export', sort: 'Sorted',
        'export-container': 'Container Export'
    };
    return map[op] || op;
}
const _ALOG_COLORS = {
    upload: '#3a8a4f', delete: '#c44040', rename: '#b07a20', move: '#3a6ea0',
    copy: '#2a8a8a', cut: '#b06020', paste: '#7a309a', 'create-file': '#3a8a4f',
    'create-folder': '#3a8a4f', color: '#a03060', edit: '#8a7020',
    download: '#2a6aaa', 'export-zip': '#3a6ea0', sort: '#6a6a6a',
    'export-container': '#3a6ea0'
};
const _ALOG_ICONS = {
    upload: Icons.upload,
    delete: Icons.trash,
    rename: Icons.rename,
    move: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M3 8h10M9 4l4 4-4 4" stroke="currentColor" stroke-width="1.4" stroke-linecap="round" stroke-linejoin="round"/></svg>`,
    copy: Icons.copy,
    cut: Icons.cut,
    paste: Icons.paste,
    'create-file': Icons.newfile,
    'create-folder': Icons.newfolder,
    color: `<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><circle cx="8" cy="8" r="5.5" stroke="currentColor" stroke-width="1.4"/><circle cx="8" cy="8" r="2.5" fill="currentColor"/></svg>`,
    edit: Icons.save,
    download: Icons.download,
    'export-zip': `<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M4 2h5l3 3v9H4z" stroke="currentColor" stroke-width="1.3" stroke-linejoin="round"/><path d="M9 2v3h3" stroke="currentColor" stroke-width="1.3"/><path d="M7 7h2v2H7zM7 10h2v2H7z" fill="currentColor" opacity=".85"/></svg>`,
    sort: Icons.sort,
    'export-container': `<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><rect x="2" y="2" width="12" height="12" rx="1.5" stroke="currentColor" stroke-width="1.3"/><path d="M8 5v5M5.5 8l2.5 2 2.5-2" stroke="currentColor" stroke-width="1.3" stroke-linecap="round" stroke-linejoin="round"/></svg>`
};

// ── Render: date-grouped list with badge layout ─────────────
function _renderActivityLogs() {
    const listEl = document.getElementById('alog-list'),
        offEl = document.getElementById('alog-off'),
        emptyEl = document.getElementById('alog-empty'),
        contentEl = document.getElementById('alog-content'),
        filtersEl = document.getElementById('alog-filters'),
        toolbarEl = document.getElementById('alog-toolbar'),
        s = _getSettings(),
        log = _activityLog;

    if (s.activityLogs === false) {
        offEl.style.display = 'flex';
        emptyEl.style.display = 'none';
        listEl.style.display = 'none';
        toolbarEl.style.display = 'none';
        return;
    }
    offEl.style.display = 'none';
    if (!log.length) {
        emptyEl.style.display = 'flex';
        listEl.style.display = 'none';
        toolbarEl.style.display = 'none';
        return;
    }

    toolbarEl.style.display = '';
    emptyEl.style.display = 'none';
    listEl.style.display = '';

    // Count ops for filter chips
    const opCounts = {};
    log.forEach(e => { opCounts[e.o] = (opCounts[e.o] || 0) + 1; });
    const ops = Object.keys(opCounts).sort((a, b) => opCounts[b] - opCounts[a]);
    let filterHtml = '';
    for (const op of ops) {
        const active = !_alogFilters || _alogFilters.has(op);
        filterHtml += `<button class="alog-filter${active ? ' active' : ''}" data-op="${op}">${escHtml(_alogOpLabel(op))}<span class="alog-filter-count">${opCounts[op]}</span></button>`;
    }
    filtersEl.innerHTML = filterHtml;
    filtersEl.querySelectorAll('.alog-filter').forEach(btn => {
        btn.onclick = () => {
            const op = btn.dataset.op;
            if (!_alogFilters) {
                _alogFilters = new Set(ops);
                _alogFilters.delete(op);
            } else if (_alogFilters.has(op)) {
                _alogFilters.delete(op);
                if (!_alogFilters.size) _alogFilters = null;
            } else {
                _alogFilters.add(op);
                if (_alogFilters.size === ops.length) _alogFilters = null;
            }
            _renderActivityLogs();
        };
    });

    // Build filtered list (newest first)
    const items = [];
    for (let i = log.length - 1; i >= 0; i--) {
        if (!_alogFilters || _alogFilters.has(log[i].o)) items.push(log[i]);
    }

    if (!items.length) {
        listEl.style.display = 'none';
        emptyEl.style.display = 'flex';
        return;
    }

    // Group by date
    const now = new Date(),
        todayStart = new Date(now.getFullYear(), now.getMonth(), now.getDate()).getTime(),
        yesterdayStart = todayStart - 86400000,
        weekStart = todayStart - 6 * 86400000;
    let html = '', lastGroup = '';
    for (const it of items) {
        let group;
        if (it.t >= todayStart) group = 'Today';
        else if (it.t >= yesterdayStart) group = 'Yesterday';
        else if (it.t >= weekStart) group = 'This Week';
        else group = 'Earlier';
        if (group !== lastGroup) {
            html += `<div class="alog-group">${escHtml(group)}</div>`;
            lastGroup = group;
        }
        const color = _ALOG_COLORS[it.o] || '#666',
            label = _alogOpLabel(it.o),
            mainText = it.d || '',
            pathFull = it.p ? (it.n > 1 && !it.p.endsWith('/') ? it.p + '/' : it.p) : '',
            pathShort = _alogPathDisplay(pathFull),
            destFull = it.p2 || '',
            destShort = _alogPathDisplay(destFull),
            time = _alogRelTime(it.t);
        let pathHtml = '';
        if (pathShort && destShort) {
            pathHtml = `<span class="alog-paths"><code class="alog-path-chip" title="${escHtml(pathFull)}">${escHtml(pathShort)}</code><span class="alog-arrow">\u2192</span><code class="alog-path-chip" title="${escHtml(destFull)}">${escHtml(destShort)}</code></span>`;
        } else if (pathShort) {
            pathHtml = `<code class="alog-path-chip" title="${escHtml(pathFull)}">${escHtml(pathShort)}</code>`;
        }
        html += `<div class="alog-item"><span class="alog-badge" style="--bc:${color}">${escHtml(label)}</span><span class="alog-detail"><span class="alog-detail-main" title="${escHtml(mainText)}">${escHtml(mainText)}</span>${pathHtml}</span><span class="alog-time">${escHtml(time)}</span></div>`;
    }
    contentEl.innerHTML = html;
    listEl.onscroll = null;
}

// ── Clear / export helpers ──────────────────────────────────
async function _clearActivityLog() {
    _activityLog = [];
    if (App.container) {
        delete App.container._alogZ;
        delete App.container.activityLog;
        await DB.saveContainer(App.container);
    }
    _alogFilters = null;
}



/* ============================================================
   CONTEXT MENU
   ============================================================ */
let _activeSubmenu = null;

function showCtxMenu(x, y, items) {
    hideSubmenu();
    const menu = document.getElementById('ctx-menu');
    menu.innerHTML = '';
    items.forEach(item => {
        if (item.sep) {
            const d = document.createElement('div'); d.className = 'ctx-sep'; menu.appendChild(d); return;
        }
        const li = document.createElement('div');
        li.className = 'ctx-item' + (item.danger ? ' danger' : '') + (item.disabled ? ' disabled' : '');
        if (item.submenu) {
            li.innerHTML = `<span class="ctx-item-icon">${item.icon || ''}</span><span>${escHtml(item.label)}</span><span class="ctx-item-arrow">›</span>`;
            li.addEventListener('mouseenter', () => showSubmenu(li, item.submenu));
            li.addEventListener('mouseleave', e => { if (!e.relatedTarget?.closest('#ctx-menu-sub')) hideSubmenu(); });
        } else if (item.disabled && item._tooltip) {
            li.innerHTML = `<span class="ctx-item-icon">${item.icon || ''}</span><span>${escHtml(item.label)}</span>${item._keyHint ? `<span class="ctx-item-key-hint">${item._keyHint}</span>` : ''}`;
            let _tip = null;
            li.addEventListener('mouseenter', () => {
                _tip = document.createElement('div');
                _tip.className = 'ctx-tooltip';
                _tip.textContent = item._tooltip;
                document.body.appendChild(_tip);
                const r = li.getBoundingClientRect();
                _tip.style.left = r.right + 6 + 'px'; _tip.style.top = r.top + 'px';
                const tr = _tip.getBoundingClientRect();
                if (tr.right > window.innerWidth) _tip.style.left = Math.max(0, r.left - tr.width - 6) + 'px';
            });
            li.addEventListener('mouseleave', () => { if (_tip) { _tip.remove(); _tip = null; } });
        } else {
            li.innerHTML = `<span class="ctx-item-icon">${item.icon || ''}</span><span>${escHtml(item.label)}</span>${item._keyHint ? `<span class="ctx-item-key-hint">${item._keyHint}</span>` : ''}`;
            li.addEventListener('click', () => { hideCtxMenu(); item.action?.(); });
            li.addEventListener('mouseenter', hideSubmenu);
        }
        menu.appendChild(li);
    });
    menu.style.left = x + 'px';
    menu.style.top = y + 'px';
    menu.classList.add('show');
    const r = menu.getBoundingClientRect();
    // Account for taskbar at the bottom (36px + 1px border)
    const taskbarH = document.querySelector('.taskbar')?.offsetHeight || 37,
        maxBottom = window.innerHeight - taskbarH;
    if (r.right > window.innerWidth) menu.style.left = Math.max(0, x - r.width) + 'px';
    if (r.bottom > maxBottom) menu.style.top = Math.max(0, y - r.height) + 'px';
}

function showSubmenu(parentEl, items) {
    hideSubmenu();
    let sub = document.getElementById('ctx-menu-sub');
    if (!sub) {
        sub = document.createElement('div');
        sub.className = 'ctx-menu'; sub.id = 'ctx-menu-sub';
        document.body.appendChild(sub);
    }
    sub.innerHTML = '';
    let _activeSub2 = null;

    function hideSub2() {
        if (_activeSub2) { _activeSub2.remove(); _activeSub2 = null; }
    }

    items.forEach(item => {
        if (item.sep) { const d = document.createElement('div'); d.className = 'ctx-sep'; sub.appendChild(d); return; }
        const li = document.createElement('div');
        li.className = 'ctx-item' + (item.danger ? ' danger' : '') + (item.disabled ? ' disabled' : '');
        if (item.submenu) {
            li.innerHTML = `<span class="ctx-item-icon">${item.icon || ''}</span><span>${escHtml(item.label)}</span><span class="ctx-item-arrow">›</span>`;
            li.addEventListener('mouseenter', () => {
                hideSub2();
                const sub2 = document.createElement('div');
                sub2.className = 'ctx-menu show';
                item.submenu.forEach(si => {
                    if (si.sep) { const d = document.createElement('div'); d.className = 'ctx-sep'; sub2.appendChild(d); return; }
                    const li2 = document.createElement('div');
                    li2.className = 'ctx-item' + (si.danger ? ' danger' : '');
                    li2.innerHTML = `<span class="ctx-item-icon">${si.icon || ''}</span><span>${escHtml(si.label)}</span>`;
                    li2.addEventListener('click', () => { hideCtxMenu(); si.action?.(); });
                    sub2.appendChild(li2);
                });
                document.body.appendChild(sub2);
                const pr = li.getBoundingClientRect();
                sub2.style.position = 'fixed';
                sub2.style.left = pr.right + 'px'; sub2.style.top = pr.top + 'px';
                const sr = sub2.getBoundingClientRect();
                const _taskbarH2 = document.querySelector('.taskbar')?.offsetHeight || 37,
                    _maxB2 = window.innerHeight - _taskbarH2;
                if (window.innerWidth <= 640) {
                    sub2.style.left = Math.max(0, Math.min(pr.left, window.innerWidth - sr.width)) + 'px';
                    sub2.style.top = Math.min(pr.bottom, _maxB2 - sr.height) + 'px';
                } else {
                    if (sr.right > window.innerWidth) sub2.style.left = Math.max(0, pr.left - sr.width) + 'px';
                    if (sr.bottom > _maxB2) sub2.style.top = Math.max(0, pr.top - (sr.bottom - _maxB2)) + 'px';
                }
                _activeSub2 = sub2;
                sub2.addEventListener('mouseleave', e => {
                    if (e.relatedTarget && li.contains(e.relatedTarget)) return;
                    hideSub2();
                });
            });
            li.addEventListener('mouseleave', e => {
                if (_activeSub2 && _activeSub2.contains(e.relatedTarget)) return;
                hideSub2();
            });
        } else {
            li.innerHTML = `<span class="ctx-item-icon">${item.icon || ''}</span><span>${escHtml(item.label)}</span>`;
            li.addEventListener('click', () => { hideCtxMenu(); item.action?.(); });
            li.addEventListener('mouseenter', hideSub2);
        }
        sub.appendChild(li);
    });
    sub.classList.add('show');
    const pr = parentEl.getBoundingClientRect();
    sub.style.left = pr.right + 'px'; sub.style.top = pr.top + 'px';
    const sr = sub.getBoundingClientRect();
    const _taskbarH = document.querySelector('.taskbar')?.offsetHeight || 37,
        _maxB = window.innerHeight - _taskbarH;
    if (window.innerWidth <= 640) {
        // Mobile: open below parent item to prevent horizontal overflow
        sub.style.left = Math.max(0, Math.min(pr.left, window.innerWidth - sr.width)) + 'px';
        sub.style.top = Math.min(pr.bottom, _maxB - sr.height) + 'px';
    } else {
        if (sr.right > window.innerWidth) sub.style.left = Math.max(0, pr.left - sr.width) + 'px';
        if (sr.bottom > _maxB) sub.style.top = Math.max(0, pr.top - (sr.bottom - _maxB)) + 'px';
    }
    _activeSubmenu = sub;
}

function hideSubmenu() {
    // Remove any third-level submenus
    document.querySelectorAll('body > .ctx-menu:not(#ctx-menu):not(#ctx-menu-sub)').forEach(el => el.remove());
    if (_activeSubmenu) { _activeSubmenu.classList.remove('show'); _activeSubmenu = null; }
}

function hideCtxMenu() {
    document.getElementById('ctx-menu').classList.remove('show');
    document.querySelectorAll('body > .ctx-menu:not(#ctx-menu):not(#ctx-menu-sub)').forEach(el => el.remove());
    document.querySelectorAll('.ctx-tooltip').forEach(el => el.remove());
    hideSubmenu();
}

/* ============================================================
   HOVER TOOLTIP
   ============================================================ */
let _tooltipTimer = null,
    _tooltipEl = null,
    _isDragging = false,
    _touchDragActive = false, // true while touch-drag is active — suppresses contextmenu event
    _lastTouchTs = 0;     // timestamp of last touchstart — suppresses spurious mouseenter tooltips

function _startHoverTooltip(el, node) {
    if (_isDragging) return;
    if (Date.now() - _lastTouchTs < 1200) return; // suppress tooltip shortly after any touch
    _cancelHoverTooltip();
    _tooltipTimer = setTimeout(() => {
        _tooltipEl = document.createElement('div');
        _tooltipEl.className = 'file-tooltip';
        const mime = node.type === 'folder' ? 'Folder' : (node.mime || getMime(node.name)),
            childCount = node.type === 'folder' ? VFS.children(node.id).length : null,
            folderSize = node.type === 'folder' && typeof _folderSize === 'function' ? _folderSize(node.id) : null;
        _tooltipEl.innerHTML =
            `<div class="ft-name">${escHtml(node.name)}</div>` +
            `<div class="ft-row">Path: ${escHtml(VFS.fullPath(node.id))}</div>` +
            `<div class="ft-row">Type: ${escHtml(node.type === 'folder' ? 'Folder' : mime)}</div>` +
            (node.size != null ? `<div class="ft-row">Size: ${fmtSize(node.size)}</div>` : '') +
            (folderSize !== null ? `<div class="ft-row">Size: ${fmtSize(folderSize)}</div>` : '') +
            (childCount !== null ? `<div class="ft-row">Items: ${childCount}</div>` : '') +
            `<div class="ft-row">Modified: ${fmtDate(node.mtime)}</div>` +
            `<div class="ft-row">Created: ${fmtDate(node.ctime)}</div>`;
        _tooltipEl.style.cssText = 'position:fixed;left:0;top:0;visibility:hidden';
        document.body.appendChild(_tooltipEl);
        const rect = el.getBoundingClientRect();
        // If element was removed from DOM or has zero size, abort
        if (!document.contains(el) || (rect.width === 0 && rect.height === 0)) {
            _tooltipEl.remove(); _tooltipEl = null; return;
        }
        const tw = _tooltipEl.offsetWidth, th = _tooltipEl.offsetHeight;
        let left = rect.right + 10, top = rect.top;
        if (left + tw > window.innerWidth - 8) left = rect.left - tw - 10;
        if (top + th > window.innerHeight - 8) top = window.innerHeight - th - 8;
        left = Math.max(4, left);
        top = Math.max(4, top);
        _tooltipEl.style.cssText = `position:fixed;left:${left}px;top:${top}px`;
    }, 750);
}

function _cancelHoverTooltip() {
    if (_tooltipTimer) { clearTimeout(_tooltipTimer); _tooltipTimer = null; }
    if (_tooltipEl) { _tooltipEl.remove(); _tooltipEl = null; }
}

/* ============================================================
   SETTINGS
   ============================================================ */
const SETTINGS_DEFAULTS = { iconSize: 'normal', gridDots: true, autoLock: '60', disableAnimations: false, requireExportPassword: true, activityLogs: true, exportWithLogs: false, snapHighlight: true };

let _autoLockTimerId = null;

function _resetContainerSettings() {
    // Cancel any pending auto-lock timer
    if (_autoLockTimerId) { clearTimeout(_autoLockTimerId); _autoLockTimerId = null; }
    // Reset body icon-size and animation classes to defaults
    document.body.classList.remove('icons-small', 'icons-normal', 'icons-large', 'no-animations', 'no-snap-highlight');
    document.body.classList.add('icons-normal');
    // Reset grid constants
    GRID_X = 96;
    GRID_Y = 96;
    // Reset desktop grid dots to default (visible)
    const area = document.getElementById('desktop-area');
    if (area) area.classList.remove('no-grid-dots');
}

function _getSettings() {
    const s = App.container?.settings;
    return { ...SETTINGS_DEFAULTS, ...s };
}

function _applySettings(s, skipRemap = false) {
    // Icon Size — apply to body so it covers desktop + all folder windows
    document.body.classList.remove('icons-small', 'icons-normal', 'icons-large');
    document.body.classList.add('icons-' + (s.iconSize || 'normal'));
    // Update internal grid size depending on scale
    const oldGX = GRID_X, oldGY = GRID_Y;
    let scale = 1;
    if (s.iconSize === 'small') scale = 0.75;
    if (s.iconSize === 'large') scale = 1.25;
    GRID_X = Math.round(96 * scale);
    GRID_Y = Math.round(96 * scale);

    // Remap all saved positions to the new grid if grid changed.
    // skipRemap=true is passed on initial container load — positions are already
    // stored in the correct grid space and must NOT be converted again.
    if (!skipRemap && (oldGX !== GRID_X || oldGY !== GRID_Y)) {
        VFS.remapPositions(oldGX, oldGY, GRID_X, GRID_Y);
        saveVFS();
        Desktop._renderIcons();
        if (typeof WinManager !== 'undefined') WinManager.renderAll();
    }

    // Grid Dots
    const area = document.getElementById('desktop-area');
    area.classList.toggle('no-grid-dots', !s.gridDots);
    document.querySelectorAll('.fw-area').forEach(a => a.classList.toggle('no-grid-dots', !s.gridDots));
    // Animations
    document.body.classList.toggle('no-animations', !!s.disableAnimations);
    // Snap preview highlight
    document.body.classList.toggle('no-snap-highlight', s.snapHighlight === false);
}

async function _saveSettings(s) {
    if (!App.container) return;
    App.container.settings = s;
    await DB.saveContainer(App.container);
}

function _resetAutoLockTimer() {
    if (_autoLockTimerId) {
        clearTimeout(_autoLockTimerId);
        _autoLockTimerId = null;
    }
    const s = _getSettings();
    if (s.autoLock && s.autoLock !== '0') {
        const min = parseInt(s.autoLock, 10);
        if (!isNaN(min) && min > 0) {
            _autoLockTimerId = setTimeout(() => {
                App.lockContainer();
            }, min * 60 * 1000);
        }
    }
}

let _ddCloseListener = null;
function openSettings() {
    const s = _getSettings();
    // Populate UI
    document.querySelectorAll('#settings-icon-size .settings-toggle-btn').forEach(btn => {
        btn.classList.toggle('active', btn.dataset.value === s.iconSize);
    });
    document.querySelector('#settings-grid-dots input').checked = s.gridDots;
    document.querySelector('#settings-animations input').checked = !!s.disableAnimations;

    // Setup custom dropdown for auto-lock
    const dd = document.getElementById('settings-autolock-dd'),
        currentAl = s.autoLock || '60';

    const updateDdUI = (val) => {
        dd.querySelectorAll('.custom-dd-opt').forEach(opt => {
            const isSel = opt.dataset.value === val;
            opt.classList.toggle('selected', isSel);
            if (isSel) dd.querySelector('.custom-dd-val').textContent = opt.textContent;
        });
    };

    // Remove old listeners to prevent duplicates (clone head and menu)
    const ddHead = dd.querySelector('.custom-dd-head'),
        newDdHead = ddHead.cloneNode(true);
    ddHead.parentNode.replaceChild(newDdHead, ddHead);

    // Set initial value AFTER cloning so we update the live DOM element
    updateDdUI(currentAl);

    newDdHead.onclick = (e) => {
        e.stopPropagation();
        document.querySelectorAll('.custom-dd').forEach(d => { if (d !== dd) d.classList.remove('open'); });
        dd.classList.toggle('open');
    };

    const ddMenu = dd.querySelector('.custom-dd-menu'),
        newDdMenu = ddMenu.cloneNode(true);
    ddMenu.parentNode.replaceChild(newDdMenu, ddMenu);

    newDdMenu.querySelectorAll('.custom-dd-opt').forEach(opt => {
        opt.onclick = async (e) => {
            e.stopPropagation();
            const val = opt.dataset.value;
            updateDdUI(val);
            dd.classList.remove('open');
            const ns = { ..._getSettings(), autoLock: val };
            _applySettings(ns);
            await _saveSettings(ns);
            _resetAutoLockTimer();
        };
    });

    // Close dropdowns on outside click — replace previous listener to avoid accumulation
    if (_ddCloseListener) document.removeEventListener('click', _ddCloseListener);
    _ddCloseListener = (e) => {
        if (!e.target.closest('.custom-dd')) {
            document.querySelectorAll('.custom-dd').forEach(d => d.classList.remove('open'));
        }
    };
    document.addEventListener('click', _ddCloseListener);

    // Tab state
    document.querySelectorAll('.settings-tab').forEach(t => t.classList.toggle('active', t.dataset.tab === 'personalization'));
    document.getElementById('settings-personalization').style.display = '';
    document.getElementById('settings-statistics').style.display = 'none';
    document.getElementById('settings-activity-logs').style.display = 'none';
    // Bind tabs
    document.querySelectorAll('.settings-tab').forEach(t => {
        t.onclick = () => {
            document.querySelectorAll('.settings-tab').forEach(t2 => t2.classList.remove('active'));
            t.classList.add('active');
            document.getElementById('settings-personalization').style.display = t.dataset.tab === 'personalization' ? '' : 'none';
            document.getElementById('settings-statistics').style.display = t.dataset.tab === 'statistics' ? '' : 'none';
            document.getElementById('settings-activity-logs').style.display = t.dataset.tab === 'activity-logs' ? '' : 'none';
            if (t.dataset.tab === 'statistics') _renderStats();
            if (t.dataset.tab === 'activity-logs') _renderActivityLogs();
        };
    });
    // Bind icon size buttons
    document.querySelectorAll('#settings-icon-size .settings-toggle-btn').forEach(btn => {
        btn.onclick = async () => {
            document.querySelectorAll('#settings-icon-size .settings-toggle-btn').forEach(b => b.classList.remove('active'));
            btn.classList.add('active');
            const ns = { ..._getSettings(), iconSize: btn.dataset.value };
            _applySettings(ns);
            await _saveSettings(ns);
        };
    });
    // Bind grid dots
    document.querySelector('#settings-grid-dots input').onchange = async function () {
        const ns = { ..._getSettings(), gridDots: this.checked };
        _applySettings(ns);
        await _saveSettings(ns);
    };
    // Bind disabled animations
    document.querySelector('#settings-animations input').onchange = async function () {
        const ns = { ..._getSettings(), disableAnimations: this.checked };
        _applySettings(ns);
        await _saveSettings(ns);
    };
    // Bind snap highlight
    document.querySelector('#settings-snap-highlight input').checked = s.snapHighlight !== false;
    document.querySelector('#settings-snap-highlight input').onchange = async function () {
        const ns = { ..._getSettings(), snapHighlight: this.checked };
        _applySettings(ns);
        await _saveSettings(ns);
    };
    // Bind require export password
    document.querySelector('#settings-export-pw input').checked = s.requireExportPassword !== false;
    document.querySelector('#settings-export-pw input').onchange = async function () {
        if (!this.checked) {
            // Disabling password — build export cache first; save setting only on success
            this.disabled = true;
            const ok = typeof _updateExportCache === 'function'
                ? await _updateExportCache(true)
                : false;
            this.disabled = false;
            if (ok) {
                const ns = { ..._getSettings(), requireExportPassword: false };
                await _saveSettings(ns);
            } else {
                this.checked = true; // revert toggle
                toast('Failed to generate export cache — setting not changed', 'error');
            }
        } else {
            // Re-enabling password requirement — save immediately and clear any existing cache
            const ns = { ..._getSettings(), requireExportPassword: true };
            await _saveSettings(ns);
            if (typeof _updateExportCache === 'function') await _updateExportCache();
        }
    };
    // Bind duress password toggle + inline form
    const duressCb = document.getElementById('settings-duress-cb'),
        duressForm = document.getElementById('duress-form'),
        duressActiveInfo = document.getElementById('duress-active-info'),
        hasDuress = !!App.container?.duressHash;
    duressCb.checked = hasDuress;
    _updateDuressUI(hasDuress);
    duressCb.onchange = function () {
        if (this.checked) {
            _updateDuressUI(false); // show form with animation
            _resetDuressForm();
        } else {
            // unchecking — if duress is active, remove it; otherwise just collapse
            if (App.container?.duressHash) {
                _removeDuressPassword();
            } else {
                _updateDuressUI(false);
            }
        }
    };
    document.getElementById('duress-set-ok').onclick = () => _handleDuressSet();
    document.getElementById('duress-remove-btn').onclick = () => _removeDuressPassword();
    document.getElementById('duress-pw').oninput = function () {
        updatePwStrength(this.value, 'duress-pw-strength', 'duress-pw-strength-label');
    };
    // Bind activity logs toggle
    const alogToggle = document.querySelector('#settings-activity-logs-toggle input'),
        expLogsToggle = document.querySelector('#settings-export-logs input'),
        expLogsRow = document.getElementById('settings-export-logs-row');
    alogToggle.checked = s.activityLogs !== false;
    expLogsToggle.checked = !!s.exportWithLogs;
    expLogsRow.classList.toggle('disabled', s.activityLogs === false);
    expLogsToggle.disabled = s.activityLogs === false;
    alogToggle.onchange = async function () {
        if (!this.checked) {
            // Show confirmation before disabling
            this.checked = true; // revert, let modal decide
            Overlay.show('modal-alog-disable');
            document.getElementById('alog-disable-ok').onclick = async () => {
                Overlay.hide();
                alogToggle.checked = false;
                const ns = { ..._getSettings(), activityLogs: false };
                await _saveSettings(ns);
                await _clearActivityLog();
                expLogsRow.classList.add('disabled');
                expLogsToggle.disabled = true;
                Overlay.show('modal-settings');
            };
            document.getElementById('alog-disable-cancel').onclick = () => {
                Overlay.hide();
                Overlay.show('modal-settings');
            };
            return;
        }
        const ns = { ..._getSettings(), activityLogs: true };
        await _saveSettings(ns);
        expLogsRow.classList.remove('disabled');
        expLogsToggle.disabled = false;
    };
    expLogsToggle.onchange = async function () {
        const ns = { ..._getSettings(), exportWithLogs: this.checked };
        await _saveSettings(ns);
    };
    document.getElementById('alog-enable-btn').onclick = async () => {
        const ns = { ..._getSettings(), activityLogs: true };
        await _saveSettings(ns);
        alogToggle.checked = true;
        expLogsRow.classList.remove('disabled');
        expLogsToggle.disabled = false;
        _renderActivityLogs();
    };
    // Bind clear logs button (with confirmation)
    document.getElementById('alog-clear-btn').onclick = () => {
        Overlay.show('modal-alog-clear');
        document.getElementById('alog-clear-ok').onclick = async () => {
            Overlay.hide();
            await _clearActivityLog();
            Overlay.show('modal-settings');
            document.querySelectorAll('.settings-tab').forEach(t2 => t2.classList.toggle('active', t2.dataset.tab === 'activity-logs'));
            document.getElementById('settings-personalization').style.display = 'none';
            document.getElementById('settings-statistics').style.display = 'none';
            document.getElementById('settings-activity-logs').style.display = '';
            _renderActivityLogs();
        };
        document.getElementById('alog-clear-cancel').onclick = () => {
            Overlay.hide();
            Overlay.show('modal-settings');
        };
    };
    // ── File System check — opens scanner modal ────────────────
    document.getElementById('fs-check-open').onclick = () => {
        Overlay.hide();
        _openScannerModal();
    };
    Overlay.show('modal-settings');
}

/* ── Duress password — inline form helpers ───────────────────── */
function _updateDuressUI(isActive) {
    const form = document.getElementById('duress-form'),
        info = document.getElementById('duress-active-info'),
        cb = document.getElementById('settings-duress-cb');
    if (isActive) {
        form.classList.remove('open');
        info.style.display = 'block';
        cb.checked = true;
    } else {
        info.style.display = '';
        if (cb.checked) form.classList.add('open');
        else form.classList.remove('open');
    }
}

function _resetDuressForm() {
    const pw = document.getElementById('duress-pw'),
        pw2 = document.getElementById('duress-pw2'),
        eye1 = document.getElementById('duress-pw-eye');
    pw.value = ''; pw2.value = '';
    pw.type = 'password'; pw2.type = 'password';
    eye1.style.color = ''; eye1.innerHTML = Icons.eye;
    document.getElementById('duress-pw-strength').style.width = '0%';
    document.getElementById('duress-pw-strength').style.height = '0';
    document.getElementById('duress-pw-strength').style.marginTop = '0';
    document.getElementById('duress-pw-strength-label').textContent = '';
    document.getElementById('duress-pw-strength-label').style.display = 'none';
    document.getElementById('duress-set-error').style.display = '';
}

async function _handleDuressSet() {
    const pw = document.getElementById('duress-pw').value,
        pw2 = document.getElementById('duress-pw2').value,
        errEl = document.getElementById('duress-set-error'),
        okBtn = document.getElementById('duress-set-ok');

    const showErr = msg => { errEl.textContent = msg; errEl.style.display = 'block'; };
    errEl.style.display = '';

    if (pw.length < 4) { showErr('Duress password must be at least 4 characters'); return; }
    if (pw !== pw2) { showErr('Passwords do not match'); return; }

    // Verify that duress password differs from the main container password
    okBtn.disabled = true;
    try {
        const c = App.container,
            testKey = await Crypto.deriveKey(pw, new Uint8Array(c.salt)),
            isMain = await Crypto.checkVerification(testKey, c.verIv, c.verBlob);
        if (isMain) { showErr('Duress password must be different from the main password'); okBtn.disabled = false; return; }

        const salt = Array.from(crypto.getRandomValues(new Uint8Array(32))),
            hash = await hashDuress(pw, salt),
            updated = { ...c, duressHash: { salt, hash } };
        await DB.saveContainer(updated);
        App.container = updated;
        _updateDuressUI(true);
        toast('Duress password set', 'success');
    } catch (e) {
        showErr(e.message);
    }
    okBtn.disabled = false;
}

async function _removeDuressPassword() {
    const c = { ...App.container };
    delete c.duressHash;
    await DB.saveContainer(c);
    App.container = c;
    document.getElementById('settings-duress-cb').checked = false;
    _updateDuressUI(false);
    _resetDuressForm();
    toast('Duress password removed', 'success');
}

/* ============================================================
   CONTAINER INTEGRITY SCANNER MODAL
   ============================================================ */
const _SCAN_ICONS = {
    pass: '<svg width="14" height="14" viewBox="0 0 16 16" fill="none"><path d="M4 8l3 3 5-6" stroke="currentColor" stroke-width="1.6" stroke-linecap="square" stroke-linejoin="round"/></svg>',
    fail: '<svg width="14" height="14" viewBox="0 0 16 16" fill="none"><path d="M4 4l8 8M12 4l-8 8" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>',
    warn: '<svg width="14" height="14" viewBox="0 0 16 16" fill="none"><path d="M8 3v6M8 11.5v1" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg>',
    spin: '<div class="spinner"></div>',
};

function _delay(ms) { return new Promise(r => setTimeout(r, ms)); }

function _addScanRow(log, name) {
    const row = document.createElement('div');
    row.className = 'scanner-step';
    row.innerHTML = `<span class="scanner-step-icon">${_SCAN_ICONS.spin}</span><span class="scanner-step-label">${escHtml(name)}</span><span class="scanner-step-result">…</span>`;
    log.appendChild(row);
    log.scrollTop = log.scrollHeight;
    return row;
}

function _resolveScanRow(row, status, detail) {
    row.classList.add(status);
    row.querySelector('.scanner-step-icon').innerHTML = _SCAN_ICONS[status] || _SCAN_ICONS.pass;
    row.querySelector('.scanner-step-result').textContent = detail;
}

/* --- Async DB-level checks (file data, IVs, orphan records, size consistency) --- */
async function _runDbChecks(repair, isAborted) {
    const steps = [];
    function mkStep(name, iss, fxd) {
        const hasCrit = iss.some(i => i.sev === 'critical'),
            status = iss.length === 0 ? 'pass' : hasCrit ? 'fail' : 'warn',
            detail = iss.length === 0 ? 'OK' : `${iss.length} issue${iss.length !== 1 ? 's' : ''}${repair && fxd.length ? `, ${fxd.length} fixed` : ''}`;
        steps.push({ name, status, detail, issues: iss, fixed: fxd });
    }

    // Build the DB file map once (expensive IndexedDB call)
    const allDbFiles = await DB.getFilesByCid(App.container.id),
        dbFileMap = new Map(allDbFiles.map(f => [f.id, f]));

    // Snapshot VFS file IDs — refresh after each destructive step
    let vfsFileIds = new Set(VFS.fileIds());
    const _abort = () => isAborted?.();

    // 1. File data existence — VFS file nodes whose encrypted data is missing from IndexedDB
    {
        const issues = [], fixed = [];
        for (const id of vfsFileIds) {
            if (_abort()) break;
            const node = VFS.node(id);
            if (!dbFileMap.has(id)) {
                issues.push({ sev: 'critical', msg: `"${node?.name || id}": encrypted data not found in storage` });
                if (repair) {
                    VFS.remove(id);
                    fixed.push(`Removed broken file node "${node?.name || id}"`);
                }
            }
        }
        mkStep('File data existence', issues, fixed);
        if (repair && fixed.length) vfsFileIds = new Set(VFS.fileIds());
    }

    // 2. Encryption IV integrity
    // Files are stored with iv = Array.from(Uint8Array(12)) — plain Array is the canonical format.
    // Uint8Array / ArrayBuffer / ArrayBufferView are also accepted.
    // Only flag if iv is missing, wrong length, or an unrecognized type.
    {
        if (_abort()) return steps;
        const issues = [], fixed = [];

        function ivValid(iv) {
            if (!iv) return false;
            if (Array.isArray(iv)) return iv.length >= 12;
            if (iv instanceof Uint8Array || ArrayBuffer.isView(iv)) return iv.byteLength >= 12;
            if (iv instanceof ArrayBuffer) return iv.byteLength >= 12;
            return false;
        }

        for (const [id, rec] of dbFileMap) {
            if (_abort()) break;
            if (!vfsFileIds.has(id)) continue;
            const node = VFS.node(id);

            if (!rec.iv) {
                issues.push({ sev: 'critical', msg: `"${node?.name || id}": missing encryption IV` });
                if (repair) {
                    VFS.remove(id);
                    await DB.deleteFile(id);
                    fixed.push(`Purged file missing IV: "${node?.name || id}"`);
                }
                continue;
            }

            let ok = ivValid(rec.iv);

            // Try to salvage IVs stored as unusual types (e.g. base64 string in very old data)
            if (!ok && repair) {
                let coerced = null;
                const origType = typeof rec.iv;
                if (typeof rec.iv === 'string') {
                    try { coerced = new Uint8Array(atob(rec.iv).split('').map(c => c.charCodeAt(0))); } catch { }
                }
                if (coerced && coerced.length >= 12) {
                    rec.iv = Array.from(coerced); // store as canonical Array format
                    await DB.saveFile(rec);
                    fixed.push(`Coerced IV for "${node?.name || id}" (${origType} → array)`);
                    ok = true;
                }
            }

            if (!ok) {
                const ivDesc = Array.isArray(rec.iv) ? `array[${rec.iv.length}]` : typeof rec.iv;
                issues.push({ sev: 'critical', msg: `"${node?.name || id}": invalid IV (${ivDesc})` });
                if (repair) {
                    VFS.remove(id);
                    await DB.deleteFile(id);
                    fixed.push(`Purged file with invalid IV: "${node?.name || id}"`);
                }
            }
        }
        mkStep('Encryption IV integrity', issues, fixed);
        if (repair && fixed.length) vfsFileIds = new Set(VFS.fileIds());
    }

    // 3. File blob integrity — sized files must have non-empty blob
    {
        if (_abort()) return steps;
        const issues = [], fixed = [];
        for (const [id, rec] of dbFileMap) {
            if (!vfsFileIds.has(id)) continue;
            const node = VFS.node(id);
            if (!node) continue;
            const blobLen = rec.blob ? (rec.blob.byteLength ?? rec.blob.length ?? 0) : 0;
            if (node.size > 0 && blobLen === 0) {
                issues.push({ sev: 'warn', msg: `"${node.name || id}": expected ${node.size} bytes but blob is empty` });
                if (repair) {
                    // Zero the declared size instead of deleting the file — preserves metadata
                    node.size = 0;
                    fixed.push(`Reset size to 0 for "${node.name || id}"`);
                }
            }
        }
        mkStep('File blob integrity', issues, fixed);
    }

    // 4. Orphaned DB records — DB files not referenced by any VFS node
    {
        if (_abort()) return steps;
        const issues = [], fixed = [];
        const liveIds = new Set(VFS.fileIds());
        for (const [id] of dbFileMap) {
            if (_abort()) break;
            if (!liveIds.has(id)) {
                issues.push({ sev: 'warn', msg: `Orphaned DB record "${id}"` });
                if (repair) {
                    await DB.deleteFile(id);
                    fixed.push(`Deleted orphaned DB record "${id}"`);
                }
            }
        }
        mkStep('Orphaned storage records', issues, fixed);
    }

    // 5. Record container binding — verify DB records belong to current container
    {
        if (_abort()) return steps;
        const issues = [], fixed = [];
        for (const [id, rec] of dbFileMap) {
            if (rec.cid && rec.cid !== App.container.id) {
                issues.push({ sev: 'warn', msg: `Record "${id}": bound to different container` });
                if (repair) {
                    rec.cid = App.container.id;
                    await DB.saveFile(rec);
                    fixed.push(`Rebound record "${id}" to current container`);
                }
            }
        }
        mkStep('Record container binding', issues, fixed);
    }

    // 6. Container size consistency
    {
        const issues = [], fixed = [];
        const vfsTotal = VFS.totalSize();
        const containerTotal = App.container.totalSize || 0;
        if (Math.abs(vfsTotal - containerTotal) > 1024) {
            issues.push({ sev: 'warn', msg: `Container reports ${containerTotal} bytes but VFS sums to ${vfsTotal} bytes` });
            if (repair) {
                App.container.totalSize = vfsTotal;
                await DB.saveContainer(App.container);
                fixed.push(`Corrected container totalSize to ${vfsTotal}`);
            }
        }
        mkStep('Container size consistency', issues, fixed);
    }

    // 7. File decryption verification — attempt to decrypt each file blob
    {
        if (_abort()) return steps;
        const issues = [], fixed = [];
        for (const [id, rec] of dbFileMap) {
            if (_abort()) break;
            if (!vfsFileIds.has(id)) continue;
            const node = VFS.node(id);
            if (!node) continue;
            const blobLen = rec.blob ? (rec.blob.byteLength ?? rec.blob.length ?? 0) : 0;
            if (blobLen === 0) continue;
            try {
                await Crypto.decryptBin(App.key, rec.iv, rec.blob);
            } catch {
                issues.push({ sev: 'critical', msg: `"${node.name || id}": decryption failed — data is unreadable` });
                if (repair) {
                    VFS.remove(id);
                    await DB.deleteFile(id);
                    fixed.push(`Removed unreadable file "${node.name || id}"`);
                }
            }
        }
        mkStep('File decryption verification', issues, fixed);
        if (repair && fixed.length) vfsFileIds = new Set(VFS.fileIds());
    }

    return steps;
}

function _openScannerModal() {
    const log = document.getElementById('scanner-log'),
        summary = document.getElementById('scanner-summary'),
        repairBtn = document.getElementById('scanner-repair'),
        deepCleanBtn = document.getElementById('scanner-deep-clean'),
        startBtn = document.getElementById('scanner-start'),
        closeBtn = document.getElementById('scanner-close');

    log.innerHTML = '';
    summary.style.display = 'none';
    repairBtn.style.display = 'none';
    deepCleanBtn.style.display = 'none';
    startBtn.style.display = '';
    startBtn.disabled = false;
    startBtn.textContent = 'Start Scan';
    let _hasIssues = false, _aborted = false;

    startBtn.onclick = () => {
        if (_hasIssues || startBtn.textContent === 'Done') {
            Overlay.hide();
            return;
        }
        startBtn.disabled = true;
        startBtn.textContent = 'Scanning…';
        repairBtn.style.display = 'none';
        deepCleanBtn.style.display = 'none';
        _runScanAnimated(false);
    };

    repairBtn.onclick = () => {
        // Show confirmation dialog over scanner
        _showRepairConfirm().then(proceed => {
            if (!proceed) return;
            repairBtn.style.display = 'none';
            deepCleanBtn.style.display = 'none';
            startBtn.style.display = 'none';
            log.innerHTML = '';
            summary.style.display = 'none';
            _runScanAnimated(true);
        });
    };

    deepCleanBtn.onclick = () => {
        _showRepairConfirm().then(proceed => {
            if (!proceed) return;
            repairBtn.style.display = 'none';
            deepCleanBtn.style.display = 'none';
            startBtn.style.display = 'none';
            log.innerHTML = '';
            summary.style.display = 'none';
            _runDeepCleanAnimated();
        });
    };

    closeBtn.onclick = () => { _aborted = true; Overlay.hide(); };

    async function _runDeepCleanAnimated() {
        log.innerHTML = '';
        summary.style.display = 'none';
        _aborted = false;

        // Show 5 progress rows updated via onProgress callback
        const rowStorage = _addScanRow(log, 'Scanning storage records…'),
            rowPurge = _addScanRow(log, 'Purging dead nodes…'),
            rowFlatten = _addScanRow(log, 'Flattening deep folder chains…'),
            rowMeta = _addScanRow(log, 'Repairing metadata…'),
            rowClean = _addScanRow(log, 'Cleaning storage records…');
        log.scrollTop = log.scrollHeight;
        await _delay(20);

        let phase = 0;
        const result = await _runDeepClean(() => _aborted, (msg) => {
            if (phase === 0) { _resolveScanRow(rowStorage, 'pass', 'OK'); phase = 1; }
            else if (phase === 1) { _resolveScanRow(rowPurge, 'pass', 'OK'); phase = 2; }
            else if (phase === 2) { _resolveScanRow(rowFlatten, 'pass', 'OK'); phase = 3; }
            else if (phase === 3) { _resolveScanRow(rowMeta, 'pass', 'OK'); phase = 4; }
        });
        if (_aborted) return;

        // Resolve any rows not yet resolved
        if (phase === 0) _resolveScanRow(rowStorage, 'pass', 'OK');
        if (phase <= 1) _resolveScanRow(rowPurge, 'pass', 'Clean');
        _resolveScanRow(rowFlatten, 'pass',
            result.flattened > 0 ? `${result.flattened} folder${result.flattened !== 1 ? 's' : ''} collapsed` : 'Clean');
        _resolveScanRow(rowMeta, 'pass',
            result.metadataFixed > 0 ? `${result.metadataFixed} node${result.metadataFixed !== 1 ? 's' : ''} patched` : 'Clean');
        _resolveScanRow(rowClean, 'pass', 'OK');
        log.scrollTop = log.scrollHeight;

        const totalRemoved = (result.removed || 0) + (result.flattened || 0) + (result.metadataFixed || 0);
        if (totalRemoved > 0) {
            await saveVFS();
            Desktop.render();
            if (typeof _scheduleExportCacheRefresh === 'function') _scheduleExportCacheRefresh();
            await _delay(600);
            if (!_aborted) await _runScanAnimated(false);
        } else {
            summary.style.display = '';
            summary.className = 'scanner-summary critical';
            summary.innerHTML = `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><circle cx="10" cy="10" r="8.5" stroke="currentColor" stroke-width="1.4"/><path d="M10 5.5v5.5" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/><circle cx="10" cy="14" r="0.9" fill="currentColor"/></svg>
                <span class="scanner-summary-text"><strong>Deep Clean found nothing to remove.</strong> All nodes are structurally valid. The remaining warnings are informational and require no action.</span>`;
            startBtn.style.display = '';
            startBtn.disabled = false;
            startBtn.textContent = 'Done';
        }
    }

    async function _runScanAnimated(repair) {
        log.innerHTML = '';
        summary.style.display = 'none';
        _hasIssues = false;
        _aborted = false;

        // Phase 1: VFS structural checks — run synchronously, display per step
        const vfsSteps = VFS.check(repair);
        for (const s of vfsSteps) {
            if (_aborted) return;
            const row = _addScanRow(log, s.name);
            await _delay(15);
            _resolveScanRow(row, s.status, s.detail);
            log.scrollTop = log.scrollHeight;
        }

        // Phase 2: DB async checks
        const dbCheckNames = [
            'File data existence',
            'Encryption IV integrity',
            'File blob integrity',
            'Orphaned storage records',
            'Record container binding',
            'Container size consistency',
            'File decryption verification',
        ];
        const dbRows = dbCheckNames.map(name => _addScanRow(log, name));
        log.scrollTop = log.scrollHeight;

        if (_aborted) return;
        const dbSteps = await _runDbChecks(repair, () => _aborted);
        if (_aborted) return;
        for (let i = 0; i < dbSteps.length; i++) {
            if (_aborted) return;
            await _delay(30);
            _resolveScanRow(dbRows[i], dbSteps[i].status, dbSteps[i].detail);
            log.scrollTop = log.scrollHeight;
        }

        // Combine all steps for summary
        const allSteps = [...vfsSteps, ...dbSteps];
        const actionableIssues = allSteps.filter(s => !s.informational).reduce((s, st) => s + st.issues.length, 0),
            infoIssues = allSteps.filter(s => s.informational).reduce((s, st) => s + st.issues.length, 0),
            totalIssues = actionableIssues + infoIssues,
            totalFixed = allSteps.reduce((s, st) => s + st.fixed.length, 0),
            allPass = allSteps.every(s => s.status === 'pass');

        summary.style.display = '';
        if (repair && totalFixed > 0) {
            await saveVFS();
            Desktop.render();
            if (typeof _scheduleExportCacheRefresh === 'function') _scheduleExportCacheRefresh();
            // Auto-re-scan to verify the repair result
            summary.className = 'scanner-summary repaired';
            summary.innerHTML = `<svg width="20" height="20" viewBox="0 0 16 16" fill="none"><path d="M4 8l3 3 5-6" stroke="currentColor" stroke-width="1.6" stroke-linecap="square" stroke-linejoin="round"/></svg>
                <span class="scanner-summary-text"><strong>${totalFixed} issue${totalFixed !== 1 ? 's' : ''} repaired.</strong> Running verification scan…</span>`;
            summary.style.display = '';
            await _delay(900);
            if (!_aborted) { await _runScanAnimated(false); }
            return;
        } else if (repair && totalFixed === 0 && actionableIssues > 0) {
            // Repair ran but couldn't fix actionable issues — offer Deep Clean
            summary.className = 'scanner-summary critical';
            summary.innerHTML = `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><circle cx="10" cy="10" r="8.5" stroke="currentColor" stroke-width="1.4"/><path d="M10 5.5v5.5" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/><circle cx="10" cy="14" r="0.9" fill="currentColor"/></svg>
                <span class="scanner-summary-text"><strong>${actionableIssues} issue${actionableIssues !== 1 ? 's' : ''} could not be auto-repaired.</strong> Click <em>Deep Clean</em> for aggressive recovery (flattens deep trees, repairs all metadata). A backup will be offered first — no need to exit.</span>`;
            deepCleanBtn.style.display = '';
        } else if (repair && totalFixed === 0 && actionableIssues === 0 && infoIssues > 0) {
            // All remaining issues are informational warnings only — no action needed
            summary.className = 'scanner-summary healthy';
            summary.innerHTML = `<svg width="20" height="20" viewBox="0 0 24 26" fill="none"><path d="M12 3L3.5 7.5v4.5c0 5.2 3.6 10 8.5 11.5 4.9-1.5 8.5-6.3 8.5-11.5V7.5L12 3z" stroke="currentColor" stroke-width="1.5" fill="none"/><path d="M9 13l2.5 2.5 4-4.5" stroke="currentColor" stroke-width="1.6" stroke-linecap="square" stroke-linejoin="round"/></svg>
                <span class="scanner-summary-text"><strong>All structural issues are resolved.</strong> ${infoIssues} informational warning${infoIssues !== 1 ? 's' : ''} (e.g., folder depth) are noted but require no action.</span>`;
        } else if (allPass) {
            summary.className = 'scanner-summary healthy';
            summary.innerHTML = `<svg width="20" height="20" viewBox="0 0 24 26" fill="none"><path d="M12 3L3.5 7.5v4.5c0 5.2 3.6 10 8.5 11.5 4.9-1.5 8.5-6.3 8.5-11.5V7.5L12 3z" stroke="currentColor" stroke-width="1.5" fill="none"/><path d="M9 13l2.5 2.5 4-4.5" stroke="currentColor" stroke-width="1.6" stroke-linecap="square" stroke-linejoin="round"/></svg>
                <span class="scanner-summary-text"><strong>All checks passed.</strong> Your container's virtual disk image and workspace environment are in perfect condition.</span>`;
        } else if (actionableIssues === 0 && infoIssues > 0) {
            // Only informational warnings on first scan — no repair needed
            summary.className = 'scanner-summary warnings';
            summary.innerHTML = `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><circle cx="10" cy="10" r="8.5" stroke="currentColor" stroke-width="1.4"/><path d="M10 5.5v5.5" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/><circle cx="10" cy="14" r="0.9" fill="currentColor"/></svg>
                <span class="scanner-summary-text"><strong>${infoIssues} informational warning${infoIssues !== 1 ? 's' : ''} noted.</strong> Advisory only (e.g., folder nesting depth) — no data loss, no action required.</span>`;
        } else {
            summary.className = 'scanner-summary issues';
            summary.innerHTML = `<svg width="20" height="20" viewBox="0 0 20 20" fill="none"><circle cx="10" cy="10" r="8.5" stroke="currentColor" stroke-width="1.4"/><path d="M10 5.5v5.5" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/><circle cx="10" cy="14" r="0.9" fill="currentColor"/></svg>
                <span class="scanner-summary-text"><strong>${actionableIssues} issue${actionableIssues !== 1 ? 's' : ''} detected.</strong> Click <em>Auto-Repair</em> — you'll be offered a backup option first, no need to exit the scanner.</span>`;
            _hasIssues = true;
            repairBtn.style.display = '';
        }

        startBtn.style.display = '';
        startBtn.disabled = false;
        startBtn.textContent = 'Done';
    }

    Overlay.show('modal-scanner');
}

/* ── Deep Clean — purge all phantom/empty nodes that normal repair can't fix ── */
// O(n) rebuild: marks ancestors of real files as "keep", deletes everything else.
async function _runDeepClean(isAborted, onProgress) {
    const _abort = () => isAborted?.();

    // 1. Load DB records (real data)
    onProgress?.('Scanning storage records…');
    const allDbFiles = await DB.getFilesByCid(App.container.id);
    if (_abort()) return { removed: 0 };
    const dbIds = new Set(allDbFiles.map(f => f.id));

    // 2. Determine truly live file IDs: exist in VFS AND have a DB record
    const allVfsFileIds = VFS.fileIds(),
        liveFileIds = allVfsFileIds.filter(id => dbIds.has(id));
    if (_abort()) return { removed: 0 };

    // 3. Single-pass bulk purge via VFS.purgeDeadBranches (O(n))
    onProgress?.(`Purging dead nodes…`);
    const removed = VFS.purgeDeadBranches(liveFileIds);
    if (_abort()) return { removed: 0, flattened: 0 };

    // 4. Flatten folders nested deeper than 50 levels — reparents all files to
    //    their closest depth-≤50 ancestor, then deletes the now-empty deep folders.
    //    All file data is preserved; only folder hierarchy is truncated.
    onProgress?.('Flattening deep folder chains…');
    const flattened = VFS.flattenDeepContent(50);
    if (_abort()) return { removed, flattened: 0 };

    // 5. Repair all corrupted/missing metadata (timestamps → today's date)
    onProgress?.('Repairing metadata…');
    const metadataFixed = VFS.repairMetadata();
    if (_abort()) return { removed, flattened, metadataFixed: 0 };

    // 6. Remove orphaned DB records in a single IndexedDB transaction
    onProgress?.('Cleaning storage records…');
    const liveNow = new Set(VFS.fileIds());
    const orphanIds = allDbFiles.filter(f => !liveNow.has(f.id)).map(f => f.id);
    if (orphanIds.length) await DB.deleteFiles(orphanIds);

    return { removed, flattened, metadataFixed };
}

/* ── Repair confirmation dialog (shown above scanner overlay) ─────── */
function _showRepairConfirm() {
    return new Promise(resolve => {
        const ov = document.getElementById('repair-confirm-overlay'),
            exportBtn = document.getElementById('repair-confirm-export'),
            proceedBtn = document.getElementById('repair-confirm-proceed'),
            cancelBtn = document.getElementById('repair-confirm-cancel');

        function close(val) {
            ov.classList.remove('show');
            exportBtn.onclick = proceedBtn.onclick = cancelBtn.onclick = null;
            resolve(val);
        }

        cancelBtn.onclick = () => close(false);
        proceedBtn.onclick = () => close(true);
        exportBtn.onclick = async () => {
            // Export container via existing exportContainerFile
            if (typeof exportContainerFile === 'function') {
                await exportContainerFile(App.container, false);
            }
        };

        ov.classList.add('show');
    });
}


const STATS_COLORS = ['#569cd6', '#4ec9b0', '#ce9178', '#c586c0', '#6a9955', '#dcdcaa', '#9cdcfe', '#d7ba7d'];

function _renderStats() {
    // Gather all nodes recursively
    let totalFiles = 0, totalFolders = 0, totalSize = 0;
    const typeCounts = {}, typeSizes = {};
    let largestSize = 0, largestName = '';
    const allFiles = [];
    function walk(pid) {
        VFS.children(pid).forEach(n => {
            if (n.type === 'folder') {
                totalFolders++;
                walk(n.id);
            } else {
                totalFiles++;
                const sz = n.size || 0;
                totalSize += sz;
                const ext = n.name.includes('.') ? n.name.split('.').pop().toLowerCase() : 'other';
                typeCounts[ext] = (typeCounts[ext] || 0) + 1;
                typeSizes[ext] = (typeSizes[ext] || 0) + sz;
                allFiles.push({ name: n.name, size: sz, ext });
                if (sz > largestSize) { largestSize = sz; largestName = n.name; }
            }
        });
    }
    walk('root');

    // ── Stats cards (3×2) ────────────────────────────────────
    const grid = document.getElementById('stats-grid');
    grid.innerHTML = '';
    const _shortDate = ts => ts ? new Date(ts).toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' }) : '—';
    const cards = [
        { value: totalFiles.toLocaleString(), label: 'Files' },
        { value: totalFolders.toLocaleString(), label: 'Folders' },
        { value: fmtSize(totalSize), label: 'Total Size' },
        { value: totalFiles ? fmtSize(Math.round(totalSize / totalFiles)) : '—', label: 'Avg File Size' },
        { value: largestSize ? fmtSize(largestSize) : '—', label: largestSize ? (largestName.length > 18 ? largestName.slice(0, 17) + '\u2026' : largestName) : 'Largest File' },
        { value: _shortDate(App.container?.createdAt), label: 'Created' },
    ];
    cards.forEach(c => {
        const card = document.createElement('div'); card.className = 'stats-card';
        card.innerHTML = `<span class="stats-card-value">${escHtml(String(c.value))}</span><span class="stats-card-label">${escHtml(c.label)}</span>`;
        grid.appendChild(card);
    });

    // ── File type bar chart (top 6) ──────────────────────────
    const chart = document.getElementById('stats-bar-chart');
    chart.innerHTML = '';
    const sorted = Object.entries(typeCounts).sort((a, b) => b[1] - a[1]).slice(0, 6),
        maxCount = sorted.length ? sorted[0][1] : 1;
    sorted.forEach(([ext, count], i) => {
        const row = document.createElement('div'); row.className = 'stats-bar-row';
        row.innerHTML =
            `<span class="stats-bar-row-label">.${escHtml(ext)}</span>` +
            `<div class="stats-bar-row-track"><div class="stats-bar-row-fill" style="width:${Math.round(count / maxCount * 100)}%;background:${STATS_COLORS[i % STATS_COLORS.length]}"></div></div>` +
            `<span class="stats-bar-row-meta"><span>${count}</span><span class="stats-bar-row-meta-size">${fmtSize(typeSizes[ext] || 0)}</span></span>`;
        chart.appendChild(row);
    });
    if (!sorted.length) chart.innerHTML = '<span style="font-size:12px;color:var(--text-dim)">No files yet</span>';

    // ── Storage bar ──────────────────────────────────────────
    const storBar = document.getElementById('stats-storage-bar'),
        storLabels = document.getElementById('stats-storage-labels'),
        pctUsed = Math.min(100, Math.round(totalSize / CONTAINER_LIMIT * 100)),
        fillColor = pctUsed >= 90 ? 'var(--red)' : pctUsed >= 75 ? '#e8a020' : 'linear-gradient(90deg, var(--accent), #5aadff)';
    storBar.innerHTML =
        `<div class="stats-storage-fill" style="width:${pctUsed}%;background:${fillColor}"></div>` +
        `<span class="stats-storage-text">${pctUsed}%</span>`;
    if (storLabels) {
        storLabels.innerHTML =
            `<span>${fmtSize(totalSize)} used</span>` +
            `<span>${fmtSize(Math.max(0, CONTAINER_LIMIT - totalSize))} free of ${fmtSize(CONTAINER_LIMIT)}</span>`;
    }

    // ── Top 5 largest files ──────────────────────────────────
    const topEl = document.getElementById('stats-top-files');
    if (topEl) {
        topEl.innerHTML = '';
        const top5 = allFiles.sort((a, b) => b.size - a.size).slice(0, 5);
        if (!top5.length) {
            topEl.innerHTML = '<span style="font-size:12px;color:var(--text-dim)">No files yet</span>';
        } else {
            top5.forEach((f, i) => {
                const row = document.createElement('div'); row.className = 'stats-top-file';
                row.innerHTML =
                    `<span class="stats-top-file-dot" style="background:${STATS_COLORS[i % STATS_COLORS.length]}"></span>` +
                    `<span class="stats-top-file-name" title="${escHtml(f.name)}">${escHtml(f.name)}</span>` +
                    `<span class="stats-top-file-size">${fmtSize(f.size)}</span>`;
                topEl.appendChild(row);
            });
        }
    }
}

/* ============================================================
   SNAP TO FREE GRID CELL
   occupied = Map<"cx_cy", id>  (cells already taken)
   ============================================================ */
function _snapFreeCell(rawX, rawY, occupied, extra) {
    const cx0 = Math.max(0, Math.round((rawX - 8) / GRID_X)),
        cy0 = Math.max(0, Math.round((rawY - 8) / GRID_Y));
    for (let r = 0; r <= 80; r++) {
        for (let dy = -r; dy <= r; dy++) {
            for (let dx = -r; dx <= r; dx++) {
                if (Math.abs(dx) !== r && Math.abs(dy) !== r) continue;
                const cx = cx0 + dx, cy = cy0 + dy;
                if (cx < 0 || cy < 0) continue;
                const key = `${cx}_${cy}`;
                if (!occupied.has(key) && !(extra && extra.has(key))) return { x: 8 + cx * GRID_X, y: 8 + cy * GRID_Y };
            }
        }
    }
    return { x: 8 + cx0 * GRID_X, y: 8 + cy0 * GRID_Y };
}

/* ============================================================
   THUMBNAIL QUEUE  —  limits concurrent generateThumb calls to avoid memory spikes
   ============================================================ */
const _thumbQueue = [];
let _thumbActive = 0;
const THUMB_MAX_CONCURRENT = 8;

function _cancelThumbQueue() {
    _thumbQueue.length = 0;
    _thumbActive = 0;
}

function _enqueueThumb(node) {
    _thumbQueue.push(node);
    _drainThumbQueue();
}
function _drainThumbQueue() {
    while (_thumbActive < THUMB_MAX_CONCURRENT && _thumbQueue.length > 0) {
        const n = _thumbQueue.shift();
        _thumbActive++;
        generateThumb(n).then(url => {
            _thumbActive--;
            _drainThumbQueue();
            if (!url) return;
            App.thumbCache[n.id] = url;
            const el = document.querySelector(`.file-item[data-id="${n.id}"] .file-thumb`);
            if (el) { const i = document.createElement('img'); i.src = url; i.draggable = false; el.innerHTML = ''; el.appendChild(i); }
        });
    }
}

/* ============================================================
   SHARED ICON ELEMENT BUILDER
   ============================================================ */
function _buildIconEl(node, pos) {
    const div = document.createElement('div');
    div.className = 'file-item';
    div.dataset.id = node.id;
    div.style.left = pos.x + 'px';
    div.style.top = pos.y + 'px';

    const thumb = document.createElement('div');
    if (node.type === 'folder') {
        thumb.className = 'file-thumb folder-icon';
        thumb.innerHTML = getFolderSVG(node.color);
    } else {
        thumb.className = 'file-thumb';
        const mime = node.mime || getMime(node.name);
        if (App.thumbCache[node.id]) {
            const img = document.createElement('img');
            img.src = App.thumbCache[node.id];
            img.draggable = false;
            thumb.appendChild(img);
        } else {
            thumb.innerHTML = getFileIconSVG(mime, node.name);
            if (isImage(mime)) _enqueueThumb(node);
        }
    }

    const name = document.createElement('div');
    name.className = 'file-name';
    name.textContent = node.name;
    div.appendChild(thumb);
    div.appendChild(name);
    return div;
}

/* ============================================================
   AREA-LEVEL EVENT DELEGATION FOR ICONS
   Replaces per-element listeners — one set of listeners per container,
   covering all .file-item[data-id] children regardless of count.
   owner must implement: _onIconMousedown(e,el,node), _openNode(node), _contextIcon(e,node)
   ============================================================ */
function _setupAreaDelegation(area, owner) {
    // Prevent native drag ghost on icons
    area.addEventListener('dragstart', e => {
        if (e.target.closest('.file-item[data-id]')) e.preventDefault();
    });
    // Hover tooltips via mouseover/mouseout (simulate mouseenter/mouseleave per icon)
    area.addEventListener('mouseover', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (!el) return;
        if (e.relatedTarget?.closest('.file-item[data-id]') !== el) {
            const node = VFS.node(el.dataset.id);
            if (node) _startHoverTooltip(el, node);
        }
    });
    area.addEventListener('mouseout', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (!el) return;
        if (e.relatedTarget?.closest('.file-item[data-id]') !== el) _cancelHoverTooltip();
    });
    // Mousedown on icons
    area.addEventListener('mousedown', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (!el) return;
        const node = VFS.node(el.dataset.id);
        if (node) owner._onIconMousedown(e, el, node);
    });
    // Double-click → open
    area.addEventListener('dblclick', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (!el) return;
        e.stopPropagation();
        const node = VFS.node(el.dataset.id);
        if (node) owner._openNode(node);
    });
    // Context menu on icons
    area.addEventListener('contextmenu', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (!el) return;
        e.preventDefault();
        if (_touchDragActive || el._tsIsTouch) return;
        e.stopPropagation();
        const node = VFS.node(el.dataset.id);
        if (node) owner._contextIcon(e, node);
    });
    // Touch: state stored on element to avoid per-icon closure overhead
    area.addEventListener('touchstart', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (!el) return;
        e.stopPropagation(); // prevent FW icon touch bubbling to parent Desktop handlers
        el._tsTime = Date.now(); el._tsMoved = false; el._tsIsTouch = true;
        _cancelHoverTooltip();
    }, { passive: true });
    area.addEventListener('touchmove', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (!el) return;
        el._tsMoved = true;
        e.stopPropagation();
    }, { passive: true });
    area.addEventListener('touchend', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (!el) return;
        e.stopPropagation(); // prevent FW icon touch bubbling to parent Desktop handlers
        setTimeout(() => { el._tsIsTouch = false; }, 500);
        if (el._tsMoved || Date.now() - (el._tsTime || 0) > 350) return;
        e.preventDefault();
        const now = Date.now(), t = e.changedTouches[0],
            node = VFS.node(el.dataset.id);
        if (!node) return;
        if (now - (el._tsLastTap || 0) < 300) {
            el._tsLastTap = 0;
            owner._openNode(node);
        } else {
            el._tsLastTap = now;
            owner._contextIcon({ clientX: t.clientX, clientY: t.clientY, ctrlKey: false, metaKey: false, preventDefault() { }, stopPropagation() { } }, node);
        }
    });
    area.addEventListener('touchcancel', e => {
        const el = e.target.closest('.file-item[data-id]');
        if (el) el._tsIsTouch = false;
    }, { passive: true });
}

/* ---- Shared touch rubber-band selection on empty area + long-press context menu ----
   owner implements: selection (Set), _updateStatus(), _contextDesktop(e) */
function _initAreaTouchRubberBand(area, owner) {
    let _lpTimer = null,
        _rbBand = null, _rbSX = 0, _rbSY = 0, _rbActive = false, _rbMoved = false, _rbOnEmpty = false;

    area.addEventListener('touchstart', e => {
        if (e.touches.length !== 1) return;
        const t = e.touches[0];
        // BUGFIX: when this handler is on #desktop-area, a touch inside a FolderWindow bubbles up
        // here too — ignore it so we don't open the Desktop context menu over the FW's own menu.
        if (!area.closest('.folder-window') && t.target?.closest('.folder-window')) return;
        if (_lpTimer) { clearTimeout(_lpTimer); _lpTimer = null; }
        if (_rbBand) { _rbBand.remove(); _rbBand = null; }
        _rbActive = false; _rbMoved = false;
        _rbSX = t.clientX; _rbSY = t.clientY;
        const iconEl = t.target?.closest('.file-item[data-id]');
        _rbOnEmpty = !iconEl || !area.contains(iconEl);
        if (_rbOnEmpty) {
            _lpTimer = setTimeout(() => {
                if (_rbMoved) return;
                owner._contextDesktop({ clientX: t.clientX, clientY: t.clientY, preventDefault() { }, stopPropagation() { } });
            }, 600);
        }
    }, { passive: true });

    area.addEventListener('touchmove', e => {
        if (e.touches.length !== 1) return;
        const t = e.touches[0],
            dx = t.clientX - _rbSX, dy = t.clientY - _rbSY;
        if (!_rbMoved && (Math.abs(dx) > 8 || Math.abs(dy) > 8)) {
            _rbMoved = true;
            if (_lpTimer) { clearTimeout(_lpTimer); _lpTimer = null; }
        }
        if (!_rbOnEmpty) return;
        if (!_rbActive && _rbMoved) {
            _rbActive = true;
            owner.selection.clear();
            area.querySelectorAll(':scope > .file-item.selected').forEach(i => i.classList.remove('selected'));
            owner._updateStatus();
            const aR = area.getBoundingClientRect();
            _rbBand = document.createElement('div');
            _rbBand.className = 'rubberband';
            _rbBand.style.cssText = `left:${_rbSX - aR.left + area.scrollLeft}px;top:${_rbSY - aR.top + area.scrollTop}px;width:0;height:0`;
            area.appendChild(_rbBand);
        }
        if (_rbActive && _rbBand) {
            if (e.cancelable) e.preventDefault();
            const aR = area.getBoundingClientRect(),
                sx = _rbSX - aR.left + area.scrollLeft, sy = _rbSY - aR.top + area.scrollTop,
                cx = t.clientX - aR.left + area.scrollLeft, cy = t.clientY - aR.top + area.scrollTop,
                x = Math.min(sx, cx), y = Math.min(sy, cy),
                w = Math.abs(cx - sx), h = Math.abs(cy - sy);
            _rbBand.style.cssText = `left:${x}px;top:${y}px;width:${w}px;height:${h}px`;
            const bx2 = x + w, by2 = y + h;
            for (const item of (area._iconMap?.values() ?? area.querySelectorAll(':scope > .file-item'))) {
                const ix = parseInt(item.style.left), iy = parseInt(item.style.top),
                    hit = ix < bx2 && (ix + ICON_W) > x && iy < by2 && (iy + ICON_H) > y;
                if (hit) { owner.selection.add(item.dataset.id); item.classList.add('selected'); }
                else { owner.selection.delete(item.dataset.id); item.classList.remove('selected'); }
            }
            owner._updateStatus();
        }
    }, { passive: false });

    area.addEventListener('touchend', () => {
        if (_lpTimer) { clearTimeout(_lpTimer); _lpTimer = null; }
        if (_rbBand) { _rbBand.remove(); _rbBand = null; }
        _rbActive = false; _rbMoved = false; _rbOnEmpty = false;
    }, { passive: true });
}

/* ---- Compute max icon extent and set canvas size for both scrollbars ---- */
function _syncAreaWidth(area) {
    const canvas = area._canvas ?? (area._canvas = area.querySelector(':scope > .fw-canvas'));
    if (!canvas) return; // Desktop has no fw-canvas — skip
    let maxRight = 0, maxBottom = 0;
    for (const el of (area._iconMap?.values() ?? area.querySelectorAll(':scope > .file-item'))) {
        const r = parseInt(el.style.left) + (el.offsetWidth || 96);
        const b = parseInt(el.style.top) + (el.offsetHeight || 96);
        if (r > maxRight) maxRight = r;
        if (b > maxBottom) maxBottom = b;
    }
    canvas.style.width = maxRight > 0 ? (maxRight + 24) + 'px' : '';
    canvas.style.height = maxBottom > 0 ? (maxBottom + 24) + 'px' : '';
}

/* ---- Shared touch-drag for icons (Desktop + FolderWindow) ----
   owner implements: selection (Set-like), folderId, _updateStatus().
   opts.showSnap: boolean — true for Desktop (show snap preview dot)
   opts.afterDrop: () => void — extra callback after drop (e.g. updateTaskbar) */
function _initTouchDragCommon(area, owner, opts = {}) {
    if (typeof window.ontouchstart === 'undefined' && !navigator.maxTouchPoints) return;

    let _tdNode = null, _tdSelEls = null,
        _tdSX = 0, _tdSY = 0, _tdOffX = 0, _tdOffY = 0,
        _tdMoved = false, _tdTimer = null, _tdActive = false,
        _tdStartPos = {}, _tdHover = null, _tdSnapPrevs = [],
        _tdOccupied = null, _tdLastCx = -1, _tdLastCy = -1;

    function _tdReset() {
        if (_tdTimer) { clearTimeout(_tdTimer); _tdTimer = null; }
        _tdActive = false; _touchDragActive = false;
        if (_tdSelEls) { _tdSelEls.forEach(el => el.classList.remove('dragging')); _tdSelEls = null; }
        if (_tdHover) { area.querySelector(`.file-item[data-id="${_tdHover}"]`)?.classList.remove('drag-target'); _tdHover = null; }
        _tdSnapPrevs.forEach(p => p.remove()); _tdSnapPrevs = [];
        _tdOccupied = null; _tdLastCx = _tdLastCy = -1;
        _tdNode = null;
    }

    area.addEventListener('touchstart', e => {
        if (e.touches.length !== 1) return;
        const t = e.touches[0],
            iconEl = t.target?.closest('.file-item[data-id]');
        if (!iconEl || !area.contains(iconEl)) return;

        const nodeId = iconEl.dataset.id,
            node = VFS.node(nodeId);
        if (!node) return;

        // Prevent native long-press context menu (Android vibration + touchcancel)
        // Only when touch lands on an icon — scrolling on empty area stays unaffected.
        e.preventDefault();

        _tdMoved = false; _tdActive = false;
        _tdSX = t.clientX; _tdSY = t.clientY;
        const r = iconEl.getBoundingClientRect();
        _tdOffX = t.clientX - r.left;
        _tdOffY = t.clientY - r.top;

        _tdTimer = setTimeout(() => {
            if (_tdMoved) return;
            // Guard: if a context menu was opened during the hold (e.g. Android fires
            // contextmenu + touchcancel before our 400ms timer), do not start drag.
            if (document.getElementById('ctx-menu').classList.contains('show')) return;
            _tdActive = true;
            _touchDragActive = true;
            _tdNode = node;
            if (!owner.selection.has(nodeId)) {
                owner.selection.clear();
                area.querySelectorAll('.file-item.selected').forEach(i => i.classList.remove('selected'));
                owner.selection.add(nodeId);
                iconEl.classList.add('selected');
                owner._updateStatus();
            }
            _tdStartPos = {}; _tdSelEls = new Map();
            owner.selection.forEach(id => {
                const el = area._iconMap?.get(id) ?? area.querySelector(`.file-item[data-id="${id}"]`);
                if (!el) return;
                _tdStartPos[id] = { x: parseInt(el.style.left), y: parseInt(el.style.top) };
                _tdSelEls.set(id, el);
                el.classList.add('dragging');
            });
            // Build occupied map once at drag start (avoids O(N) per frame)
            _tdOccupied = new Map(); _tdLastCx = _tdLastCy = -1;
            VFS.children(owner.folderId).forEach(n => {
                if (owner.selection.has(n.id)) return;
                const p = VFS.getPos(owner.folderId, n.id);
                if (p) _tdOccupied.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
            });
            _cancelHoverTooltip();
        }, 400);
    }, { passive: false });

    area.addEventListener('touchmove', e => {
        if (e.touches.length !== 1) return;
        const t = e.touches[0];
        if (Math.abs(t.clientX - _tdSX) + Math.abs(t.clientY - _tdSY) > 5) _tdMoved = true;
        if ((_tdTimer && !_tdMoved) || _tdActive) { if (e.cancelable) e.preventDefault(); }
        if (!_tdActive || !_tdNode) return;

        const aR = area.getBoundingClientRect(),
            mainSp = _tdStartPos[_tdNode.id],
            rawX = t.clientX - aR.left + area.scrollLeft - _tdOffX,
            rawY = t.clientY - aR.top + area.scrollTop - _tdOffY,
            ddx = rawX - mainSp.x, ddy = rawY - mainSp.y;

        _tdSelEls.forEach((el, id) => {
            const sp = _tdStartPos[id];
            if (sp) { el.style.left = (sp.x + ddx) + 'px'; el.style.top = (sp.y + ddy) + 'px'; }
        });

        // Highlight folder under finger
        _tdSelEls.forEach(el => { el.style.pointerEvents = 'none'; });
        const hit = document.elementFromPoint(t.clientX, t.clientY);
        _tdSelEls.forEach(el => { el.style.pointerEvents = ''; });
        const folderEl = hit?.closest('.file-item[data-id]');
        const newHover = folderEl && area.contains(folderEl) &&
            !owner.selection.has(folderEl.dataset.id) &&
            VFS.node(folderEl.dataset.id)?.type === 'folder' ? folderEl.dataset.id : null;
        if (newHover !== _tdHover) {
            if (_tdHover) area.querySelector(`.file-item[data-id="${_tdHover}"]`)?.classList.remove('drag-target');
            _tdHover = newHover;
            if (_tdHover && folderEl) folderEl.classList.add('drag-target');
        }

        // Snap preview — one per selected item (mirrors mouse _showPreviews)
        if (opts.showSnap) {
            if (_tdHover || document.body.classList.contains('no-snap-highlight')) {
                _tdSnapPrevs.forEach(p => { p.style.display = 'none'; });
                _tdLastCx = _tdLastCy = -1;
            } else {
                const _scx = Math.round((rawX - 8) / GRID_X), _scy = Math.round((rawY - 8) / GRID_Y);
                if (_scx !== _tdLastCx || _scy !== _tdLastCy) {
                    _tdLastCx = _scx; _tdLastCy = _scy;
                    const selIds = [...owner.selection];
                    // grow / shrink pool
                    while (_tdSnapPrevs.length < selIds.length) {
                        const p = document.createElement('div'); p.className = 'snap-preview';
                        area.appendChild(p); _tdSnapPrevs.push(p);
                    }
                    while (_tdSnapPrevs.length > selIds.length) _tdSnapPrevs.pop().remove();
                    const extra = new Map();
                    selIds.forEach((id, i) => {
                        const sp = _tdStartPos[id],
                            offX = sp && mainSp ? sp.x - mainSp.x : 0,
                            offY = sp && mainSp ? sp.y - mainSp.y : 0,
                            sn = _snapFreeCell(rawX + offX, rawY + offY, _tdOccupied, extra),
                            cx = Math.round((sn.x - 8) / GRID_X), cy = Math.round((sn.y - 8) / GRID_Y);
                        extra.set(`${cx}_${cy}`, id);
                        _tdSnapPrevs[i].style.left = sn.x + 'px';
                        _tdSnapPrevs[i].style.top = sn.y + 'px';
                        _tdSnapPrevs[i].style.display = '';
                    });
                }
            }
        }
    }, { passive: false });

    area.addEventListener('touchend', async () => {
        if (!_tdActive || !_tdNode) { _tdReset(); return; }
        const hoverTarget = _tdHover;
        _tdReset();

        if (hoverTarget) {
            // open-folder guard
            const blocked = _openFolderGuard(owner.selection);
            if (blocked) {
                _snapBack();
                toast(`\u201C${VFS.node(blocked)?.name}\u201D is open in Explorer \u2014 close the window first`, 'error');
                return;
            }
            const cycled = [...owner.selection].filter(id => VFS.wouldCycle(id, hoverTarget));
            if (cycled.length) {
                _snapBack();
                toast(`Cannot move "${VFS.node(cycled[0])?.name}" into itself`, 'error');
                return;
            }
            const tgtChildren = VFS.children(hoverTarget),
                existing = new Set(tgtChildren.map(n => n.name.toLowerCase())),
                dupe = [...owner.selection].find(id => id !== hoverTarget && existing.has(VFS.node(id)?.name?.toLowerCase()));
            if (dupe) {
                _snapBack();
                toast(`"${VFS.node(dupe)?.name}" already exists in target folder`, 'error');
                return;
            }
            const moved = [];
            owner.selection.forEach(id => {
                if (id === hoverTarget) return;
                if (VFS.move(id, hoverTarget) === 'ok') {
                    moved.push(id);
                    area.querySelector(`.file-item[data-id="${id}"]`)?.remove();
                    area._iconMap?.delete(id);
                }
            });
            if (moved.length) logActivity('move', moved.length === 1 ? (VFS.node(moved[0])?.name ?? '1 item') : `${moved.length} items`, moved.length, VFS.fullPath(owner.folderId), VFS.fullPath(hoverTarget));
            moved.forEach(id => owner.selection.delete(id));
        } else {
            // Snap to grid in place
            const occupied = new Map();
            VFS.children(owner.folderId).forEach(n => {
                if (owner.selection.has(n.id)) return;
                const p = VFS.getPos(owner.folderId, n.id);
                if (p) occupied.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
            });
            owner.selection.forEach(id => {
                const el = area.querySelector(`.file-item[data-id="${id}"]`);
                if (!el) return;
                const snapped = _snapFreeCell(parseInt(el.style.left), parseInt(el.style.top), occupied),
                    cx = Math.round((snapped.x - 8) / GRID_X), cy = Math.round((snapped.y - 8) / GRID_Y);
                occupied.set(`${cx}_${cy}`, id);
                el.style.transition = 'left .12s ease,top .12s ease';
                el.style.left = snapped.x + 'px'; el.style.top = snapped.y + 'px';
                setTimeout(() => { if (el.parentNode) el.style.transition = ''; }, 150);
                VFS.setPos(owner.folderId, id, snapped.x, snapped.y);
            });
        }
        owner._updateStatus();
        // Wait for the snap transition to finish (120ms) before the heavy DB write
        await new Promise(r => setTimeout(r, 130));
        await saveVFS();
        if (opts.afterDrop) opts.afterDrop();
        if (typeof WinManager !== 'undefined') WinManager.renderAll();

        function _snapBack() {
            Object.entries(_tdStartPos).forEach(([id, sp]) => {
                const el = area.querySelector(`.file-item[data-id="${id}"]`);
                if (el && sp) {
                    el.style.transition = 'left .12s ease,top .12s ease';
                    el.style.left = sp.x + 'px'; el.style.top = sp.y + 'px';
                    setTimeout(() => { if (el.parentNode) el.style.transition = ''; }, 150);
                }
            });
        }
    });

    area.addEventListener('touchcancel', () => { _tdReset(); }, { passive: true });

    // On Android, long-press fires a native contextmenu event (~500-600ms).
    // If drag is already active, suppress contextmenu so it doesn't kill the drag.
    // If drag hasn't started yet (timer still pending), reset to avoid ghost state.
    area.addEventListener('contextmenu', e => {
        if (_tdActive) { e.preventDefault(); return; }
        _tdReset();
    });
}

/* ---- Shared rubber-band mouse selection ----
   sel = Set, onUpdate = () => void */
function _rubberBandSelect(e, area, sel, onUpdate) {
    const rect = area.getBoundingClientRect(),
        sx = e.clientX - rect.left + area.scrollLeft,
        sy = e.clientY - rect.top + area.scrollTop,
        band = document.createElement('div');
    band.className = 'rubberband';
    band.style.cssText = `left:${sx}px;top:${sy}px;width:0;height:0`;
    area.appendChild(band);
    const onMove = mv => {
        const cx = mv.clientX - rect.left + area.scrollLeft,
            cy = mv.clientY - rect.top + area.scrollTop,
            x = Math.min(sx, cx), y = Math.min(sy, cy),
            w = Math.abs(cx - sx), h = Math.abs(cy - sy);
        band.style.cssText = `left:${x}px;top:${y}px;width:${w}px;height:${h}px`;
        const bx1 = x, by1 = y, bx2 = x + w, by2 = y + h;
        for (const item of (area._iconMap?.values() ?? area.querySelectorAll(':scope > .file-item'))) {
            const ix = parseInt(item.style.left), iy = parseInt(item.style.top),
                hit = ix < bx2 && (ix + ICON_W) > bx1 && iy < by2 && (iy + ICON_H) > by1;
            if (hit) { sel.add(item.dataset.id); item.classList.add('selected'); }
            else if (!e.ctrlKey && !e.metaKey) { sel.delete(item.dataset.id); item.classList.remove('selected'); }
        }
        onUpdate();
    };
    const onUp = () => { band.remove(); document.removeEventListener('mousemove', onMove); document.removeEventListener('mouseup', onUp); };
    document.addEventListener('mousemove', onMove);
    document.addEventListener('mouseup', onUp);
}

/* ============================================================
   UNIFIED ICON DRAG — shared by Desktop and FolderWindow
   srcCtx = { area, folderId, selection, winEl, updateUI, clearAll }
   winEl = null  →  source is the desktop
   winEl = elem  →  source is a folder window
   ============================================================ */
function _startIconDrag(e, node, el, srcCtx) {
    e.stopPropagation(); e.preventDefault();
    _cancelHoverTooltip();

    const wasSelected = srcCtx.selection.has(node.id);
    if (!e.ctrlKey && !e.metaKey && !wasSelected) srcCtx.clearAll();
    srcCtx.selection.add(node.id);
    el.classList.add('selected');
    srcCtx.updateUI();

    const isDesktop = srcCtx.winEl === null,
        srcArea = srcCtx.area;

    // Build O(1) element lookup for hot-path drag operations (uses iconMap when available)
    const selEls = new Map();
    srcCtx.selection.forEach(id => {
        const it = srcArea._iconMap?.get(id) ?? srcArea.querySelector(`.file-item[data-id="${id}"]`);
        if (it) selEls.set(id, it);
    });

    // Elevate z-index for desktop items during drag
    if (isDesktop) {
        selEls.forEach(it => { it.style.zIndex = '7900'; });
    }

    const areaRect = srcArea.getBoundingClientRect(),
        elRect = el.getBoundingClientRect(),
        clickOffX = e.clientX - elRect.left,
        clickOffY = e.clientY - elRect.top,
        startX = e.clientX,
        startY = e.clientY;

    // Snapshot start positions of all selected icons (reuse selEls — no extra querySelector)
    const startPosMap = {};
    selEls.forEach((it, id) => { startPosMap[id] = { x: parseInt(it.style.left), y: parseInt(it.style.top) }; });

    // Build occupied map for snap preview excluding dragged items
    const srcOccupied = new Map();
    VFS.children(srcCtx.folderId).forEach(n => {
        if (srcCtx.selection.has(n.id)) return;
        const p = VFS.getPos(srcCtx.folderId, n.id);
        if (p) srcOccupied.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
    });

    let snapPreviewEls = [],      // previews inside the source area
        deskSnapPreviewEls = [],  // previews on desktop (when FW item escapes to desktop)
        winSnapPreviewEls = [],  // previews inside a hovered FW
        ghostEls = [],  // ghost clones on desktop when FW item escapes
        moved = false,
        escaped = false,         // FW item currently outside its window
        hoverFolder = null,
        hoverWin = null,
        lastX = e.clientX,
        lastY = e.clientY,
        deskOccCached = null,
        winOccCached = null,
        lastPrevCx = -1, lastPrevCy = -1, lastPrevMode = '';

    // ---- helpers ----------------------------------------------------------

    function _showPreviews(previewArr, selIds, dropX, dropY, occMap, targetArea) {
        while (previewArr.length < selIds.length) {
            const p = document.createElement('div'); p.className = 'snap-preview';
            targetArea.appendChild(p); previewArr.push(p);
        }
        while (previewArr.length > selIds.length) previewArr.pop().remove();
        const extra = new Map(),
            mainSp = startPosMap[node.id];
        selIds.forEach((id, i) => {
            const sp = startPosMap[id],
                offX = sp && mainSp ? sp.x - mainSp.x : 0,
                offY = sp && mainSp ? sp.y - mainSp.y : 0,
                snapped = _snapFreeCell(dropX + offX, dropY + offY, occMap, extra),
                cx = Math.round((snapped.x - 8) / GRID_X), cy = Math.round((snapped.y - 8) / GRID_Y);
            extra.set(`${cx}_${cy}`, id);
            previewArr[i].style.left = snapped.x + 'px';
            previewArr[i].style.top = snapped.y + 'px';
            previewArr[i].style.display = '';
        });
    }

    function _snapBackSrc() {
        srcCtx.selection.forEach(id => {
            const item = selEls.get(id),
                sp = startPosMap[id];
            if (item && sp) {
                item.style.transition = 'left 0.12s ease, top 0.12s ease';
                item.style.left = sp.x + 'px'; item.style.top = sp.y + 'px';
                setTimeout(() => { if (item.parentNode) item.style.transition = ''; }, 150);
            }
        });
    }

    async function _dropIntoFolder(destFid, dropX, dropY) {
        // pre-check: cycles (includes self-move: wouldCycle(A,A) → true)
        const cycled = [];
        srcCtx.selection.forEach(id => {
            if (VFS.wouldCycle(id, destFid)) cycled.push(VFS.node(id)?.name || id);
        });
        if (cycled.length) {
            _snapBackSrc();
            toast(`Cannot move "${cycled[0]}" into itself or a subfolder`, 'error');
            return false;
        }
        // pre-check: duplicates
        const existing = new Set(VFS.children(destFid).map(n => n.name.toLowerCase())),
            conflicts = [];
        srcCtx.selection.forEach(id => {
            const n = VFS.node(id); if (!n) return;
            if (n.parentId !== destFid && existing.has(n.name.toLowerCase())) conflicts.push(n.name);
        });
        if (conflicts.length) {
            _snapBackSrc();
            toast(`Cannot move: "${conflicts[0]}" already exists in target folder`, 'error');
            return false;
        }
        // perform move
        const movedIds = [],
            occupied = new Map();
        VFS.children(destFid).forEach(n => {
            const p = VFS.getPos(destFid, n.id);
            if (p) occupied.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
        });
        const mainSp = startPosMap[node.id];
        for (const id of srcCtx.selection) {
            if (id === destFid) continue;
            const n = VFS.node(id); if (!n) continue;
            const result = VFS.move(id, destFid);
            if (result === 'duplicate') { toast(`"${n.name}" already exists in target folder`, 'error'); continue; }
            if (result === 'cycle') { toast(`Cannot move "${n.name}" into itself or a subfolder`, 'error'); continue; }
            if (result !== 'ok') { continue; }
            if (dropX !== null) {
                const sp = startPosMap[id],
                    offX = sp && mainSp ? sp.x - mainSp.x : 0,
                    offY = sp && mainSp ? sp.y - mainSp.y : 0,
                    sn = _snapFreeCell(dropX + offX, dropY + offY, occupied);
                VFS.setPos(destFid, id, sn.x, sn.y);
                occupied.set(`${Math.round((sn.x - 8) / GRID_X)}_${Math.round((sn.y - 8) / GRID_Y)}`, id);
            }
            movedIds.push(id);
        }
        if (movedIds.length) {
            logActivity('move',
                movedIds.length === 1 ? (VFS.node(movedIds[0])?.name ?? '1 item') : `${movedIds.length} items`,
                movedIds.length, VFS.fullPath(srcCtx.folderId), VFS.fullPath(destFid));
        }
        return movedIds;
    }

    // ---- onMove -----------------------------------------------------------

    const onMove = mv => {
        lastX = mv.clientX; lastY = mv.clientY;
        if (!moved && (Math.abs(mv.clientX - startX) + Math.abs(mv.clientY - startY)) > 4) {
            moved = true; _isDragging = true; _cancelHoverTooltip();
        }
        if (!moved) return;

        const mainSp = startPosMap[node.id],
            curAreaRect = srcArea.getBoundingClientRect(),
            targetMainX = mv.clientX - curAreaRect.left + srcArea.scrollLeft - clickOffX,
            targetMainY = mv.clientY - curAreaRect.top + srcArea.scrollTop - clickOffY,
            dx = targetMainX - mainSp.x,
            dy = targetMainY - mainSp.y;

        // ---- FW-specific: escape / re-enter --------------------------------
        if (!isDesktop) {
            const winRect = srcCtx.winEl.getBoundingClientRect();
            const outsideWindow = mv.clientX < winRect.left || mv.clientX > winRect.right ||
                mv.clientY < winRect.top || mv.clientY > winRect.bottom;

            if (!outsideWindow && escaped) {
                // Re-entered source window — cancel escape
                escaped = false;
                ghostEls.forEach(g => g.remove()); ghostEls = [];
                deskSnapPreviewEls.forEach(p => p.remove()); deskSnapPreviewEls = [];
                winSnapPreviewEls.forEach(p => p.remove()); winSnapPreviewEls = [];
                selEls.forEach(orig => { orig.style.visibility = ''; });
            }
            if (outsideWindow && !escaped) {
                // Escaping — hide originals, spawn ghosts on desktop
                escaped = true;
                selEls.forEach(orig => { orig.style.visibility = 'hidden'; });
                const deskArea = document.getElementById('desktop-area'),
                    selIds = [...srcCtx.selection].sort((a, b) => a === node.id ? -1 : b === node.id ? 1 : 0);
                selIds.forEach(id => {
                    const n = VFS.node(id); if (!n) return;
                    const g = _buildIconEl(n, { x: 0, y: 0 });
                    g.classList.add('selected');
                    g.style.cssText += ';position:absolute;z-index:7900;opacity:0.7;pointer-events:none;will-change:left,top';
                    g.dataset.ghostFor = id;
                    deskArea.appendChild(g);
                    ghostEls.push(g);
                });
            }
        }

        // ---- position items / ghosts ---------------------------------------
        if (!escaped) {
            srcCtx.selection.forEach(id => {
                const it = selEls.get(id),
                    sp = startPosMap[id];
                if (it && sp) { it.style.left = (sp.x + dx) + 'px'; it.style.top = (sp.y + dy) + 'px'; }
            });
        } else {
            const deskArea = document.getElementById('desktop-area'),
                deskRect = deskArea.getBoundingClientRect(),
                baseX = mv.clientX - deskRect.left + deskArea.scrollLeft - clickOffX,
                baseY = mv.clientY - deskRect.top + deskArea.scrollTop - clickOffY;
            ghostEls.forEach(g => {
                const sp = startPosMap[g.dataset.ghostFor],
                    offX = sp && mainSp ? sp.x - mainSp.x : 0,
                    offY = sp && mainSp ? sp.y - mainSp.y : 0;
                g.style.left = (baseX + offX) + 'px';
                g.style.top = (baseY + offY) + 'px';
            });
        }

        // ---- hover-folder highlight ----------------------------------------
        if (!escaped) {
            selEls.forEach(it => { it.style.pointerEvents = 'none'; });
        }
        const target = document.elementFromPoint(mv.clientX, mv.clientY);
        if (!escaped) {
            selEls.forEach(it => { it.style.pointerEvents = ''; });
        }
        const folderEl = target?.closest('.file-item[data-id]');
        const newHover = folderEl && !srcCtx.selection.has(folderEl.dataset.id) &&
            VFS.node(folderEl.dataset.id)?.type === 'folder' ? folderEl.dataset.id : null;
        if (newHover !== hoverFolder) {
            if (hoverFolder) document.querySelectorAll(`.file-item[data-id="${hoverFolder}"]`).forEach(i => i.classList.remove('drag-target'));
            hoverFolder = newHover;
            if (hoverFolder) document.querySelectorAll(`.file-item[data-id="${hoverFolder}"]`).forEach(i => i.classList.add('drag-target'));
        }

        // ---- hovered FW (excluding source window) -------------------------
        const fwElt = !hoverFolder ? target?.closest('.folder-window') : null,
            curWin = fwElt ? (typeof WinManager !== 'undefined' ? WinManager._wins.find(w => w.el === fwElt) : null) : null,
            effectiveHoverWin = (curWin && curWin.el !== srcCtx.winEl) ? curWin : null;
        if (effectiveHoverWin !== hoverWin) {
            winSnapPreviewEls.forEach(p => p.remove()); winSnapPreviewEls = [];
            hoverWin = effectiveHoverWin;
            if (hoverWin) {
                winOccCached = new Map();
                VFS.children(hoverWin.folderId).forEach(n => {
                    const p = VFS.getPos(hoverWin.folderId, n.id);
                    if (p) winOccCached.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
                });
            } else { winOccCached = null; }
            lastPrevMode = '';
        }

        // ---- snap previews ------------------------------------------------
        if (!moved) return;

        if (hoverFolder) {
            snapPreviewEls.forEach(p => p.style.display = 'none');
            deskSnapPreviewEls.forEach(p => p.style.display = 'none');
            winSnapPreviewEls.forEach(p => p.style.display = 'none');
            lastPrevMode = '';
        } else if (hoverWin) {
            snapPreviewEls.forEach(p => p.style.display = 'none');
            deskSnapPreviewEls.forEach(p => p.style.display = 'none');
            const winArea = hoverWin.el.querySelector('.fw-area'),
                wRect = winArea.getBoundingClientRect(),
                dropX = mv.clientX - wRect.left + winArea.scrollLeft - clickOffX,
                dropY = mv.clientY - wRect.top + winArea.scrollTop - clickOffY,
                _cx = Math.round((dropX - 8) / GRID_X), _cy = Math.round((dropY - 8) / GRID_Y);
            if (_cx !== lastPrevCx || _cy !== lastPrevCy || lastPrevMode !== 'win') {
                lastPrevCx = _cx; lastPrevCy = _cy; lastPrevMode = 'win';
                _showPreviews(winSnapPreviewEls, [...srcCtx.selection], dropX, dropY, winOccCached, winArea);
            }
        } else if (escaped) {
            // on desktop (FW items that escaped)
            snapPreviewEls.forEach(p => p.style.display = 'none');
            winSnapPreviewEls.forEach(p => p.style.display = 'none');
            const deskArea = document.getElementById('desktop-area'),
                dRect = deskArea.getBoundingClientRect(),
                dropX = mv.clientX - dRect.left + deskArea.scrollLeft - clickOffX,
                dropY = mv.clientY - dRect.top + deskArea.scrollTop - clickOffY,
                _cx = Math.round((dropX - 8) / GRID_X), _cy = Math.round((dropY - 8) / GRID_Y);
            if (!deskOccCached) {
                deskOccCached = new Map();
                VFS.children(Desktop._desktopFolder).forEach(n => {
                    const p = VFS.getPos(Desktop._desktopFolder, n.id);
                    if (p) deskOccCached.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
                });
            }
            if (_cx !== lastPrevCx || _cy !== lastPrevCy || lastPrevMode !== 'desk') {
                lastPrevCx = _cx; lastPrevCy = _cy; lastPrevMode = 'desk';
                _showPreviews(deskSnapPreviewEls, [...srcCtx.selection], dropX, dropY, deskOccCached, deskArea);
            }
        } else {
            // within source area (desktop or FW)
            deskSnapPreviewEls.forEach(p => p.style.display = 'none');
            winSnapPreviewEls.forEach(p => p.style.display = 'none');
            const _cx = Math.round((mainSp.x + dx - 8) / GRID_X), _cy = Math.round((mainSp.y + dy - 8) / GRID_Y);
            if (_cx !== lastPrevCx || _cy !== lastPrevCy || lastPrevMode !== 'src') {
                lastPrevCx = _cx; lastPrevCy = _cy; lastPrevMode = 'src';
                _showPreviews(snapPreviewEls, [...srcCtx.selection], mainSp.x + dx, mainSp.y + dy, srcOccupied, srcArea);
            }
        }
    };

    // ---- onUp -------------------------------------------------------------

    const onUp = async () => {
        document.removeEventListener('mousemove', onMove);
        document.removeEventListener('mouseup', onUp);
        _isDragging = false;
        snapPreviewEls.forEach(p => p.remove()); snapPreviewEls = [];
        deskSnapPreviewEls.forEach(p => p.remove()); deskSnapPreviewEls = [];
        winSnapPreviewEls.forEach(p => p.remove()); winSnapPreviewEls = [];
        if (hoverFolder) document.querySelectorAll(`.file-item[data-id="${hoverFolder}"]`).forEach(i => i.classList.remove('drag-target'));
        ghostEls.forEach(g => g.remove()); ghostEls = [];

        // Restore desktop z-index
        if (isDesktop) {
            selEls.forEach(it => { it.style.zIndex = ''; });
        }

        if (!moved) {
            // Ctrl+click on already-selected item → deselect it
            if ((e.ctrlKey || e.metaKey) && wasSelected) {
                srcCtx.selection.delete(node.id);
                el.classList.remove('selected');
                srcCtx.updateUI();
            }
            // Click without drag — restore visibility for FW items
            if (!isDesktop) {
                selEls.forEach(orig => { orig.style.visibility = ''; });
            }
            return;
        }

        // ---- pre-check: open-folder guard (only when changing folder) ------
        // Note: for desktop items, `escaped` is never true; desktop→FW drops are caught
        // by the extra elementFromPoint check below.
        if (escaped || hoverFolder || document.elementFromPoint(lastX, lastY)?.closest('.folder-window')) {
            const blocked = _openFolderGuard(srcCtx.selection);
            if (blocked) {
                _snapBackSrc();
                if (!isDesktop) selEls.forEach(orig => { orig.style.visibility = ''; });
                toast(`\u201C${VFS.node(blocked)?.name}\u201D is open in Explorer \u2014 close the window first`, 'error');
                return;
            }
        }

        // ---- Case 1: FW item escaped → dropped back in same window (race) --
        if (!isDesktop && escaped) {
            const srcR = srcCtx.winEl.getBoundingClientRect();
            if (lastX >= srcR.left && lastX <= srcR.right && lastY >= srcR.top && lastY <= srcR.bottom) {
                selEls.forEach(orig => { orig.style.visibility = ''; });
                return;
            }
        }

        // Determine actual drop zone
        const dropTarget = document.elementFromPoint(lastX, lastY),
            tFwEl = dropTarget?.closest('.folder-window'),
            tWin = tFwEl ? (typeof WinManager !== 'undefined' ? WinManager._wins.find(w => w.el === tFwEl) : null) : null,
            actualHoverWin = (tWin && tWin.el !== srcCtx.winEl) ? tWin : null;

        // ---- Case 2: dropped onto a folder icon ----------------------------
        if (hoverFolder) {
            const movedIds = await _dropIntoFolder(hoverFolder, null, null);
            if (movedIds === false) {
                if (!isDesktop) selEls.forEach(orig => { orig.style.visibility = ''; });
                return;
            }
            const targetWinForFolder = typeof WinManager !== 'undefined' ? WinManager._wins.find(w => w.folderId === hoverFolder) : null;
            if (targetWinForFolder) targetWinForFolder._clearSelection();
            movedIds.forEach(id => {
                srcCtx.selection.delete(id);
                if (targetWinForFolder) targetWinForFolder.selection.add(id);
                selEls.get(id)?.remove();
                srcArea._iconMap?.delete(id);
            });
            // snap back failures
            if (!isDesktop) srcCtx.selection.forEach(id => {
                const orig = selEls.get(id);
                if (orig) orig.style.visibility = '';
            });
            srcCtx.updateUI();
            await saveVFS();
            if (typeof WinManager !== 'undefined') WinManager.renderAll();
            return;
        }

        // ---- Case 3: dropped onto a folder window -------------------------
        if (actualHoverWin || (!isDesktop && escaped && !hoverFolder)) {
            const targetWin = actualHoverWin;
            if (targetWin) {
                const tArea = targetWin.el.querySelector('.fw-area'),
                    tRect = tArea.getBoundingClientRect(),
                    dropPosX = lastX - tRect.left + tArea.scrollLeft - clickOffX,
                    dropPosY = lastY - tRect.top + tArea.scrollTop - clickOffY,
                    movedIds = await _dropIntoFolder(targetWin.folderId, dropPosX, dropPosY);
                if (movedIds === false) {
                    if (!isDesktop) selEls.forEach(orig => { orig.style.visibility = ''; });
                    return;
                }
                const srcWin = !isDesktop ? (typeof WinManager !== 'undefined' ? WinManager._wins.find(w => w.el === srcCtx.winEl) : null) : null;
                targetWin._clearSelection();
                movedIds.forEach(id => {
                    srcCtx.selection.delete(id);
                    targetWin.selection.add(id);
                    selEls.get(id)?.remove();
                    srcArea._iconMap?.delete(id);
                });
                // snap back failures
                if (!isDesktop) srcCtx.selection.forEach(id => {
                    const orig = selEls.get(id);
                    if (orig) orig.style.visibility = '';
                });
                srcCtx.updateUI();
                await saveVFS();
                targetWin.render();
                return;
            }
        }

        // ---- Case 4a: FW item dropped onto desktop ------------------------
        if (!isDesktop && escaped) {
            const deskArea = document.getElementById('desktop-area'),
                dRect = deskArea.getBoundingClientRect(),
                dropPosX = lastX - dRect.left + deskArea.scrollLeft - clickOffX,
                dropPosY = lastY - dRect.top + deskArea.scrollTop - clickOffY,
                deskFid = Desktop._desktopFolder,
                occupied = new Map();
            VFS.children(deskFid).forEach(n => {
                const p = VFS.getPos(deskFid, n.id);
                if (p) occupied.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
            });
            const mainSp = startPosMap[node.id],
                movedIds = [];
            for (const id of srcCtx.selection) {
                const n = VFS.node(id); if (!n) continue;
                const result = VFS.move(id, deskFid);
                if (result === 'duplicate') { toast(`"${n.name}" already exists on desktop`, 'error'); continue; }
                if (result === 'cycle') { toast(`Cannot move "${n.name}" into itself`, 'error'); continue; }
                const sp = startPosMap[id],
                    offX = sp && mainSp ? sp.x - mainSp.x : 0,
                    offY = sp && mainSp ? sp.y - mainSp.y : 0,
                    sn = _snapFreeCell(dropPosX + offX, dropPosY + offY, occupied);
                VFS.setPos(deskFid, id, sn.x, sn.y);
                occupied.set(`${Math.round((sn.x - 8) / GRID_X)}_${Math.round((sn.y - 8) / GRID_Y)}`, id);
                movedIds.push(id);
            }
            Desktop._sel.clear();
            document.querySelectorAll('#desktop-area > .file-item.selected').forEach(i => i.classList.remove('selected'));
            movedIds.forEach(id => {
                srcCtx.selection.delete(id);
                Desktop._sel.add(id);
                selEls.get(id)?.remove();
                srcArea._iconMap?.delete(id);
            });
            // snap back failures
            srcCtx.selection.forEach(id => {
                const orig = selEls.get(id);
                if (orig) {
                    orig.style.visibility = '';
                    const sp = startPosMap[id];
                    if (sp) {
                        orig.style.transition = 'left 0.15s ease, top 0.15s ease';
                        orig.style.left = sp.x + 'px'; orig.style.top = sp.y + 'px';
                        setTimeout(() => { if (orig.parentNode) orig.style.transition = ''; }, 160);
                    }
                }
            });
            if (movedIds.length) logActivity('move',
                movedIds.length === 1 ? (VFS.node(movedIds[0])?.name ?? '1 item') : `${movedIds.length} items`,
                movedIds.length, VFS.fullPath(srcCtx.folderId), VFS.fullPath(deskFid));
            srcCtx.updateUI();
            await saveVFS();
            Desktop._patchIcons();
            return;
        }

        // ---- Case 4b: within-source snap ----------------------------------
        if (!isDesktop) {
            // restore visibility first
            selEls.forEach(orig => { orig.style.visibility = ''; });
        }
        // Grid snap within source area
        const occupied = new Map();
        VFS.children(srcCtx.folderId).forEach(n => {
            if (srcCtx.selection.has(n.id)) return;
            const p = VFS.getPos(srcCtx.folderId, n.id);
            if (p) occupied.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
        });
        srcCtx.selection.forEach(id => {
            const item = selEls.get(id);
            if (!item) return;
            const rawX = parseInt(item.style.left), rawY = parseInt(item.style.top),
                snapped = _snapFreeCell(rawX, rawY, occupied),
                cx = Math.round((snapped.x - 8) / GRID_X), cy = Math.round((snapped.y - 8) / GRID_Y);
            occupied.set(`${cx}_${cy}`, id);
            item.style.transition = 'left 0.12s ease, top 0.12s ease';
            item.style.left = snapped.x + 'px'; item.style.top = snapped.y + 'px';
            setTimeout(() => { if (item.parentNode) item.style.transition = ''; }, 150);
            VFS.setPos(srcCtx.folderId, id, snapped.x, snapped.y);
        });
        // Wait for the snap transition to finish (120ms) before the heavy DB write
        await new Promise(r => setTimeout(r, 130));
        await saveVFS();
        if (isDesktop) {
            srcCtx.updateUI();
        } else {
            _syncAreaWidth(srcArea);
        }
    };

    document.addEventListener('mousemove', onMove);
    document.addEventListener('mouseup', onUp);
}

/* ============================================================
   SHARED KEYBOARD HANDLER — Desktop & FolderWindow
   syncCtx: fn to set App.folder/selection/winCtx before an operation
   withSync: fn(op) to set context → run op → restore context (sync only)
   opts.area: icon container element
   opts.refresh: fn() called on F5
   opts.extraKeys: fn(e) → true if handled (for FW-specific keys like Backspace=navup)
   ============================================================ */
function _handleKey(e, owner, syncCtx, withSync, opts = {}) {
    if ((e.key === 'Delete' || e.key === 'Backspace') && owner.selection.size > 0) {
        syncCtx(); deleteSelected();
    } else if ((e.ctrlKey || e.metaKey) && e.code === 'KeyC' && owner.selection.size > 0) {
        withSync(() => copyItems());
    } else if ((e.ctrlKey || e.metaKey) && e.code === 'KeyX' && owner.selection.size > 0) {
        withSync(() => cutItems());
    } else if ((e.ctrlKey || e.metaKey) && e.code === 'KeyV') {
        syncCtx(); pasteItems();
    } else if ((e.ctrlKey || e.metaKey) && e.code === 'KeyA') {
        syncCtx(); selectAll();
    } else if (e.key === 'Escape') {
        if (App.clipboard?.op === 'cut') cancelClipboard();
        owner.selection.clear();
        (opts.area || document).querySelectorAll('.file-item.selected').forEach(i => i.classList.remove('selected'));
        owner._updateStatus();
    } else if (e.key === 'F2' && owner.selection.size === 1) {
        renameNode(VFS.node([...owner.selection][0]));
    } else if (e.key === 'F5') {
        e.preventDefault();
        if (opts.refresh) opts.refresh();
    } else if (opts.extraKeys) {
        opts.extraKeys(e);
    }
}

/* ============================================================
   SHARED CONTEXT MENU BUILDERS — Desktop & FolderWindow
   ============================================================ */
function _buildSortSubmenu(sortTarget) {
    return [
        {
            label: 'By Name', icon: Icons.sortName, submenu: [
                { label: 'A → Z', icon: Icons.sortAsc, action: () => sortIcons('name', 'asc', sortTarget) },
                { label: 'Z → A', icon: Icons.sortDesc, action: () => sortIcons('name', 'desc', sortTarget) },
            ]
        },
        {
            label: 'By Date Modified', icon: Icons.sortDate, submenu: [
                { label: 'Newest first', icon: Icons.sortDesc, action: () => sortIcons('mtime', 'desc', sortTarget) },
                { label: 'Oldest first', icon: Icons.sortAsc, action: () => sortIcons('mtime', 'asc', sortTarget) },
            ]
        },
        {
            label: 'By Date Created', icon: Icons.sortDate, submenu: [
                { label: 'Newest first', icon: Icons.sortDesc, action: () => sortIcons('ctime', 'desc', sortTarget) },
                { label: 'Oldest first', icon: Icons.sortAsc, action: () => sortIcons('ctime', 'asc', sortTarget) },
            ]
        },
        { sep: true },
        {
            label: 'By Size', icon: Icons.sortSize, submenu: [
                { label: 'Largest first', icon: Icons.sortDesc, action: () => sortIcons('size', 'desc', sortTarget) },
                { label: 'Smallest first', icon: Icons.sortAsc, action: () => sortIcons('size', 'asc', sortTarget) },
            ]
        },
        { sep: true },
        { label: 'By Type', icon: Icons.sortType, action: () => sortIcons('type', 'asc', sortTarget) },
    ];
}

function _buildAreaMenuItems(e, syncFn, sortTarget, refreshFn) {
    const items = [
        { label: 'New Text File', icon: Icons.newfile, action: () => { syncFn(); App._ctxScreenPos = { x: e.clientX, y: e.clientY }; newTextFile(); } },
        { label: 'New Folder', icon: Icons.newfolder, action: () => { syncFn(); App._ctxScreenPos = { x: e.clientX, y: e.clientY }; newFolder(); } },
        { sep: true },
        { label: 'Import Files...', icon: Icons.upload, action: () => { syncFn(); document.getElementById('file-input').click(); } },
    ];
    if (App.clipboard) {
        items.push({ sep: true });
        items.push({ label: 'Paste', icon: Icons.paste, action: () => { syncFn(); App._ctxScreenPos = { x: e.clientX, y: e.clientY }; pasteItems(); } });
    }
    items.push({ sep: true });
    items.push({ label: 'Sort', icon: Icons.sort, submenu: _buildSortSubmenu(sortTarget) });
    items.push({ sep: true });
    items.push({ label: 'Refresh', icon: Icons.refresh, action: refreshFn });
    return items;
}

function _buildIconMenuItems(node, sel, opts) {
    const items = [];
    if (node.type === 'folder') {
        items.push({ label: 'Open', icon: Icons.open, action: () => opts.openFn(node) });
        items.push({ label: 'Open in New Window', icon: Icons.newfolder, action: () => WinManager.open(node.id) });
        items.push({
            label: 'Folder Color', icon: Icons.folder, submenu: FOLDER_COLORS.map(fc => ({
                label: fc.label,
                icon: `<span style="display:inline-block;width:12px;height:12px;border-radius:2px;background:${fc.color}"></span>`,
                action: async () => { node.color = fc.color === '#0078d4' ? undefined : fc.color; await saveVFS(); opts.colorCb(); logActivity('color', `${node.name} → ${fc.label}`, 1, VFS.fullPath(node.id)); }
            }))
        });
    } else {
        items.push({ label: 'Open', icon: Icons.file, action: () => opts.openFn(node) });
        items.push({ label: 'Edit as plain text', icon: Icons.rename, action: () => openFileAsText(node) });
        items.push({ label: 'Export', icon: Icons.download, action: () => downloadFile(node) });
    }
    items.push({ label: 'Export as ZIP', icon: Icons.download, action: opts.exportZipFn });
    items.push({ sep: true });
    if (opts.hasCopy) items.push({ label: 'Copy', icon: Icons.copy, action: opts.copyFn });
    items.push({ label: 'Cut', icon: Icons.cut, action: opts.cutFn });
    items.push({ sep: true });
    items.push({ label: 'Rename', icon: Icons.rename, action: () => renameNode(node) });
    items.push({ sep: true });
    items.push({
        label: sel.size > 1 ? `Delete ${sel.size} items` : 'Delete', icon: Icons.trash, danger: true,
        action: opts.deleteFn,
    });
    items.push({ sep: true });
    items.push({ label: 'Properties', icon: Icons.info, action: () => showProps(node) });
    return items;
}

/* ---- Shared icon-area render (Desktop + FolderWindow): full rebuild or incremental ---- */
function _renderIconArea(area, folderId, selection, updateStatusFn, forceRebuild) {
    const items = VFS.children(folderId);
    items.sort((a, b) => a.type !== b.type ? (a.type === 'folder' ? -1 : 1) : a.name.localeCompare(b.name));
    area.classList.toggle('no-grid-dots', !_getSettings().gridDots);
    const iconMap = area._iconMap || (area._iconMap = new Map());
    const afterRender = () => {
        updateStatusFn();
        if (typeof _applyCutStyles !== 'undefined') _applyCutStyles();
        _syncAreaWidth(area);
    };
    if (forceRebuild) {
        iconMap.forEach(el => el.remove());
        iconMap.clear();
        if (!items.length) { afterRender(); return; }
        const needPos = items.filter(n => !VFS.getPos(folderId, n.id));
        if (needPos.length) VFS.autoPosBatch(folderId, needPos, area);
        const useAnim = items.length <= 200;
        const token = (area._renderToken = (area._renderToken || 0) + 1);
        const renderChunk = (start) => {
            if (area._renderToken !== token) return;
            const frag = document.createDocumentFragment(),
                end = Math.min(start + 300, items.length);
            for (let i = start; i < end; i++) {
                const n = items[i], pos = VFS.getPos(folderId, n.id) || { x: 8, y: 8 },
                    div = _buildIconEl(n, pos);
                if (selection.has(n.id)) div.classList.add('selected');
                if (useAnim) div.style.animation = `iconPop 0.12s ease ${Math.min(i * 15, 200)}ms both`;
                iconMap.set(n.id, div);
                frag.appendChild(div);
            }
            area.appendChild(frag);
            if (end < items.length) requestAnimationFrame(() => renderChunk(end));
            else afterRender();
        };
        renderChunk(0);
        // Immediate status/cut-styles refresh (visible before async chunks complete)
        updateStatusFn();
        if (typeof _applyCutStyles !== 'undefined') _applyCutStyles();
    } else {
        // Incremental: animate-out removed items, add new ones
        const nodeMap = new Map(items.map(n => [n.id, n]));
        iconMap.forEach((el, id) => {
            if (!nodeMap.has(id)) {
                if (!el.isConnected) { iconMap.delete(id); }
                else {
                    el.style.transition = 'opacity .1s, transform .1s';
                    el.style.opacity = '0'; el.style.transform = 'scale(.85)';
                    setTimeout(() => { el.remove(); iconMap.delete(id); }, 110);
                }
            }
        });
        const needPos = items.filter(n => !VFS.getPos(folderId, n.id));
        if (needPos.length) VFS.autoPosBatch(folderId, needPos, area);
        for (const [idx, n] of items.entries()) {
            let existing = iconMap.get(n.id);
            if (existing && !existing.isConnected) { iconMap.delete(n.id); existing = null; }
            if (existing) {
                const nameEl = existing.querySelector('.file-name');
                if (nameEl && nameEl.textContent !== n.name) nameEl.textContent = n.name;
                if (n.type === 'folder') {
                    const thumbEl = existing.querySelector('.file-thumb.folder-icon');
                    if (thumbEl) thumbEl.innerHTML = getFolderSVG(n.color);
                }
            } else {
                const pos = VFS.getPos(folderId, n.id) || { x: 8, y: 8 },
                    div = _buildIconEl(n, pos);
                if (selection.has(n.id)) div.classList.add('selected');
                div.style.animation = `iconPop 0.12s ease ${Math.min(idx * 15, 200)}ms both`;
                iconMap.set(n.id, div);
                area.appendChild(div);
            }
        }
        afterRender();
    }
}

/* ============================================================
   DESKTOP
   ============================================================ */
const Desktop = {
    _desktopFolder: 'root',
    _sel: App.selection,   // main desktop's own selection (same reference as App.selection initially)
    // Unified interface aliases used by shared helpers (_setupAreaDelegation, _initAreaTouchRubberBand, _rubberBandSelect)
    get selection() { return this._sel; },
    get folderId() { return this._desktopFolder; },
    _updateStatus() { this._updateSelectionBar(); },

    render() {
        // Restore main desktop's folder + selection as the active App context
        App._winCtx = null;
        App.folder = this._desktopFolder;
        App.selection = this._sel;

        this._renderBreadcrumb();
        this._renderIcons();
        this.updateTaskbar();
        document.title = 'SafeNova — ' + (App.container?.name || 'Container');
        // Re-render all open folder windows
        if (typeof WinManager !== 'undefined') WinManager.renderAll();
        // Load activity log from compressed storage (async)
        _loadActivityLog();
    },

    _renderBreadcrumb() {
        const bc = document.getElementById('breadcrumb'),
            crumbs = VFS.breadcrumb(this._desktopFolder);
        bc.innerHTML = '';
        crumbs.forEach((n, i) => {
            const span = document.createElement('span');
            span.className = 'breadcrumb-item' + (i === crumbs.length - 1 ? ' current' : '');
            span.textContent = n.id === 'root' ? ('/~/' + App.container.name) : n.name;
            if (i < crumbs.length - 1) {
                span.addEventListener('click', () => {
                    this._desktopFolder = n.id;
                    this._sel.clear();
                    this.render();
                });
            }
            bc.appendChild(span);
            if (i < crumbs.length - 1) {
                const sep = document.createElement('span');
                sep.className = 'breadcrumb-sep';
                sep.textContent = ' › ';
                bc.appendChild(sep);
            }
        });
    },

    _renderIcons() {
        _renderIconArea(
            document.getElementById('desktop-area'),
            this._desktopFolder, this._sel,
            () => this._updateSelectionBar(), true
        );
    },

    // Incremental update: add new icons, remove gone ones, sync names — NO re-animation for existing
    _patchIcons() {
        App._winCtx = null;
        App.folder = this._desktopFolder;
        App.selection = this._sel;
        _renderIconArea(
            document.getElementById('desktop-area'),
            this._desktopFolder, this._sel,
            () => { this._updateSelectionBar(); this.updateTaskbar(); }, false
        );
        if (typeof WinManager !== 'undefined') WinManager.renderAll();
    },

    _onIconMousedown(e, el, node) {
        if (e.button !== 0) return;
        hideCtxMenu();
        _startIconDrag(e, node, el, {
            area: document.getElementById('desktop-area'),
            folderId: this._desktopFolder,
            selection: this._sel,
            winEl: null,
            updateUI: () => { this._updateSelectionBar(); this.updateTaskbar(); },
            clearAll: () => {
                this._sel.clear();
                document.querySelectorAll('#desktop-area > .file-item.selected').forEach(i => i.classList.remove('selected'));
            },
        });
    },


    /* ---- Touch-drag for mobile: long-press (400ms) + drag icons ---- */
    _initTouchDrag(area) {
        _initTouchDragCommon(area, this, { showSnap: true, afterDrop: () => this.updateTaskbar() });
    },

    _openNode(node) {
        hideCtxMenu();
        if (node.type === 'folder') {
            // Folders always open in a new floating window
            WinManager.open(node.id);
        } else {
            openFile(node);
        }
    },

    _contextIcon(e, node) {
        if (!e.ctrlKey && !e.metaKey && !this._sel.has(node.id)) {
            this._sel.clear();
            document.querySelectorAll('#desktop-area > .file-item.selected').forEach(i => i.classList.remove('selected'));
        }
        this._sel.add(node.id);
        document.querySelector(`#desktop-area > .file-item[data-id="${node.id}"]`)?.classList.add('selected');
        this._updateSelectionBar();
        const _sync = () => { App.folder = this._desktopFolder; App.selection = this._sel; App._winCtx = null; };
        showCtxMenu(e.clientX, e.clientY, _buildIconMenuItems(node, this._sel, {
            openFn: n => n.type === 'folder' ? WinManager.open(n.id) : this._openNode(n),
            colorCb: () => Desktop._patchIcons(),
            hasCopy: true,
            copyFn: () => { _sync(); copyItems(); },
            cutFn: () => { _sync(); cutItems(); },
            exportZipFn: () => { _sync(); exportAsZip([...this._sel]); },
            deleteFn: () => { _sync(); deleteSelected(); },
        }));
    },

    _contextDesktop(e) {
        this._sel.clear();
        document.querySelectorAll('#desktop-area > .file-item.selected').forEach(i => i.classList.remove('selected'));
        this._updateSelectionBar();
        const _sync = () => { App.folder = this._desktopFolder; App.selection = this._sel; App._winCtx = null; };
        showCtxMenu(e.clientX, e.clientY, _buildAreaMenuItems(e, _sync, undefined,
            () => { Desktop._renderIcons(); if (typeof WinManager !== 'undefined') WinManager.renderAll(); }));
    },

    // Clear selection: empties both the Set AND removes .selected CSS classes from DOM
    _clearSelection() {
        this._sel.clear();
        document.querySelectorAll('#desktop-area > .file-item.selected').forEach(i => i.classList.remove('selected'));
        this._updateSelectionBar();
    },

    _updateSelectionBar() {
        const bar = document.getElementById('selection-bar');
        if (this._sel.size > 0) {
            const totalSz = [...this._sel].reduce((s, id) => {
                const n = VFS.node(id); return s + (n && n.size ? n.size : 0);
            }, 0);
            bar.textContent = `${this._sel.size} item${this._sel.size !== 1 ? 's' : ''} selected${totalSz > 0 ? ' · ' + fmtSize(totalSz) : ''}`;
            bar.classList.add('show');
        } else {
            bar.classList.remove('show');
        }
    },

    updateTaskbar() {
        if (!App.container) return;
        const tot = App.container.totalSize || 0,
            pct = Math.min(tot / CONTAINER_LIMIT * 100, 100),
            cls = pct > 90 ? 'danger' : pct > 70 ? 'warn' : '';
        document.getElementById('taskbar-name').textContent = App.container.name;
        document.getElementById('taskbar-size-text').textContent = `${fmtSize(tot)} / ${fmtSize(CONTAINER_LIMIT)}`;
        document.getElementById('taskbar-size-pct').textContent = pct.toFixed(1) + '%';
        const bar = document.getElementById('taskbar-bar-fill');
        bar.style.width = pct + '%';
        bar.className = 'taskbar-bar-fill ' + cls;
    },

    initEvents() {
        const area = document.getElementById('desktop-area');
        // Delegated icon events: mousedown, dblclick, contextmenu, touch tap
        _setupAreaDelegation(area, this);
        // Mobile touch-drag for icons
        this._initTouchDrag(area);

        area.addEventListener('contextmenu', e => {
            if (e.target === area || e.target.classList.contains('drop-overlay') ||
                e.target.classList.contains('selection-bar')) {
                e.preventDefault();
                this._contextDesktop(e);
            }
        });

        area.addEventListener('mousedown', e => {
            if (e.target !== area) return;
            if (!e.ctrlKey && !e.metaKey) {
                this._sel.clear();
                document.querySelectorAll('#desktop-area > .file-item.selected').forEach(i => i.classList.remove('selected'));
                this._updateSelectionBar();
            }
            this._startRubberBand(e);
        });

        area.addEventListener('keydown', e => this._onKey(e));

        let _deskDndHoverFolder = null;
        area.addEventListener('dragover', e => {
            e.preventDefault();
            const overFW = !!e.target.closest('.folder-window');
            if (!overFW) {
                const folderEl = e.target?.closest?.('#desktop-area > .file-item[data-id]'),
                    newHover = folderEl && VFS.node(folderEl.dataset.id)?.type === 'folder' ? folderEl.dataset.id : null;
                if (newHover !== _deskDndHoverFolder) {
                    if (_deskDndHoverFolder) document.querySelector(`#desktop-area > .file-item[data-id="${_deskDndHoverFolder}"]`)?.classList.remove('drag-target');
                    _deskDndHoverFolder = newHover;
                    if (_deskDndHoverFolder) document.querySelector(`#desktop-area > .file-item[data-id="${_deskDndHoverFolder}"]`)?.classList.add('drag-target');
                }
            }
            document.getElementById('drop-overlay').classList.toggle('show', !overFW && !_deskDndHoverFolder);
        });
        area.addEventListener('dragleave', e => {
            if (!area.contains(e.relatedTarget)) {
                if (_deskDndHoverFolder) document.querySelector(`#desktop-area > .file-item[data-id="${_deskDndHoverFolder}"]`)?.classList.remove('drag-target');
                _deskDndHoverFolder = null;
                document.getElementById('drop-overlay').classList.remove('show');
            }
        });
        area.addEventListener('drop', e => {
            e.preventDefault();
            if (_deskDndHoverFolder) document.querySelector(`#desktop-area > .file-item[data-id="${_deskDndHoverFolder}"]`)?.classList.remove('drag-target');
            const targetFolderId = _deskDndHoverFolder || this._desktopFolder;
            _deskDndHoverFolder = null;
            document.getElementById('drop-overlay').classList.remove('show');
            App._winCtx = null;
            App.folder = targetFolderId;
            App.selection = this._sel;
            uploadEntries(e.dataTransfer.items, targetFolderId);
        });

        /* ---- Touch: rubber-band select on empty area + long-press context menu ---- */
        _initAreaTouchRubberBand(area, this);

        // Global: dismiss context menu on any LMB click outside the menu
        document.addEventListener('mousedown', e => {
            if (e.button !== 0) return;
            if (e.target.closest('#ctx-menu, #ctx-menu-sub, body > .ctx-menu')) return;
            hideCtxMenu();
        });
        // Track last touch to suppress spurious mouseenter tooltips fired by the browser after touchend
        document.addEventListener('touchstart', () => { _lastTouchTs = Date.now(); }, { passive: true, capture: true });
    },

    _startRubberBand(e) {
        _rubberBandSelect(e, document.getElementById('desktop-area'), this._sel, () => this._updateSelectionBar());
    },

    _onKey(e) {
        const sync = () => { App.folder = this._desktopFolder; App.selection = this._sel; App._winCtx = null; };
        _handleKey(e, this, sync, fn => { sync(); fn(); }, {
            area: document.getElementById('desktop-area'),
            refresh: () => { Desktop._renderIcons(); if (typeof WinManager !== 'undefined') WinManager.renderAll(); },
        });
    }
};

/* ============================================================
   FOLDER WINDOW MANAGER
   ============================================================ */
const WinManager = {
    _wins: [],
    _z: 300,

    open(folderId) {
        hideCtxMenu();
        // Auto-cancel cut if the opened folder (or its ancestor) is in the clipboard
        if (App.clipboard?.op === 'cut') {
            const cutIds = new Set(App.clipboard.ids);
            let cur = folderId;
            while (cur && cur !== 'root') {
                if (cutIds.has(cur)) { cancelClipboard(); break; }
                cur = (VFS.node(cur) || {}).parentId;
            }
        }
        // Bring existing window to front if already open
        const existing = this._wins.find(w => w.folderId === folderId && !w._navStack.length);
        if (existing) { existing.bringToFront(); return existing; }
        const win = new FolderWindow(folderId);
        this._wins.push(win);
        return win;
    },

    close(win) {
        this._wins = this._wins.filter(w => w !== win);
        win.el.remove();
    },

    closeAll() {
        this._wins.forEach(w => w.el.remove());
        this._wins = [];
    },

    renderAll() {
        this._wins.forEach(w => w.render());
    },

    nextZ() { return ++this._z; }
};

/* ============================================================
   FOLDER WINDOW  (floating explorer)
   ============================================================ */
class FolderWindow {
    constructor(folderId) {
        this.folderId = folderId;
        this.selection = new Set();
        this._navStack = [];  // for back navigation (not used in default: navigate in window)
        this.el = null;
        this._build();
    }

    /* ---- DOM BUILD ---- */
    _build() {
        const node = VFS.node(this.folderId),
            el = document.createElement('div');
        el.className = 'folder-window';
        el.style.zIndex = WinManager.nextZ();

        // Cascade position
        const area = document.getElementById('desktop-area'),
            count = WinManager._wins.length,
            defW = 680, defH = 440,
            cx = Math.max(20, Math.min((area.clientWidth - defW) / 2 + count * 28, area.clientWidth - defW - 10)),
            cy = Math.max(20, Math.min((area.clientHeight - defH) / 2 + count * 28, area.clientHeight - defH - 10));
        el.style.left = cx + 'px';
        el.style.top = cy + 'px';
        el.style.width = defW + 'px';
        el.style.height = defH + 'px';

        el.innerHTML = `
      <div class="fw-titlebar">
        <div class="fw-drag-area">
          <span class="fw-folder-icon">${getFolderSVG(node.color)}</span>
          <span class="fw-title">${escHtml(node.name)}</span>
        </div>
        <div class="fw-controls">
          <button class="fw-btn fw-btn-navup" title="Go up">
            <svg width="14" height="14" viewBox="0 0 14 14" fill="none">
              <path d="M7 11V3M3 7l4-4 4 4" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/>
            </svg>
          </button>
          <button class="fw-btn fw-btn-close close" title="Close">
            <svg width="12" height="12" viewBox="0 0 12 12" fill="none">
              <path d="M2 2l8 8M10 2L2 10" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/>
            </svg>
          </button>
        </div>
      </div>
      <div class="fw-toolbar">
        <button class="btn btn-ghost btn-sm fw-btn-upload">
          <svg width="13" height="13" viewBox="0 0 13 13" fill="none" xmlns="http://www.w3.org/2000/svg">
            <path d="M6.5 8V1M3 4.5l3.5-3.5 3.5 3.5M1 10h11v2H1z" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/>
          </svg>
          Import
        </button>
        <button class="btn btn-ghost btn-sm fw-btn-newfile">
          <svg width="13" height="13" viewBox="0 0 13 13" fill="none" xmlns="http://www.w3.org/2000/svg">
            <path d="M2 1h6l3 3v8H2z" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/>
            <path d="M8 1v3h3" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/>
            <path d="M6.5 6v3M5 7.5h3" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/>
          </svg>
          New File
        </button>
        <button class="btn btn-ghost btn-sm fw-btn-newfolder">
          <svg width="13" height="13" viewBox="0 0 13 13" fill="none" xmlns="http://www.w3.org/2000/svg">
            <path d="M1 3h4l1.5 2H12v7H1z" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/>
            <path d="M6.5 6.5v2.5M5.2 7.8h2.6" stroke="currentColor" stroke-width="1.4" stroke-linecap="square"/>
          </svg>
          New Folder
        </button>
        <div class="fw-breadcrumb" id="fw-bc-${this.folderId}"></div>
      </div>
      <div class="fw-area" tabindex="0">
        <div class="fw-canvas"></div>
        <div class="fw-drop-overlay">
          <svg width="36" height="36" viewBox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M24 8v24M12 20l12-12 12 12M8 36h32v4H8z" stroke="currentColor" stroke-width="2.5" stroke-linecap="square"/></svg>
          Drop files to import
        </div>
      </div>
      <div class="fw-statusbar">
        <span class="fw-status-text">0 items</span>
      </div>
      <div class="fw-resize-handle"></div>
    `;

        this.el = el;
        area.appendChild(el);
        this._bindEvents();
        this.render();
    }

    /* ---- EVENTS ---- */
    _bindEvents() {
        const el = this.el;
        el.addEventListener('mousedown', () => this.bringToFront(), true);

        // Title bar drag (move window)
        this._makeDraggable(el.querySelector('.fw-drag-area'));

        // Buttons
        el.querySelector('.fw-btn-close').addEventListener('click', e => {
            e.stopPropagation(); WinManager.close(this);
        });
        el.querySelector('.fw-btn-navup').addEventListener('click', e => {
            e.stopPropagation();
            const n = VFS.node(this.folderId);
            if (n && n.parentId && n.parentId !== 'root') { this.folderId = n.parentId; this.selection.clear(); this.render(); }
        });
        el.querySelector('.fw-btn-upload').addEventListener('click', e => {
            e.stopPropagation();
            this._setCtx();
            document.getElementById('file-input').click();
        });
        el.querySelector('.fw-btn-newfile').addEventListener('click', e => {
            e.stopPropagation(); App._ctxScreenPos = null; this._setCtx(); newTextFile();
        });
        el.querySelector('.fw-btn-newfolder').addEventListener('click', e => {
            e.stopPropagation(); App._ctxScreenPos = null; this._setCtx(); newFolder();
        });

        // Content area events
        const area = el.querySelector('.fw-area');
        // Delegated icon events: mousedown, dblclick, contextmenu, touch tap
        _setupAreaDelegation(area, this);
        area.addEventListener('contextmenu', e => {
            if (e.target === area) { e.preventDefault(); e.stopPropagation(); this._contextDesktop(e); }
        });
        area.addEventListener('mousedown', e => {
            if (e.target !== area) return;
            hideCtxMenu();
            area.focus();
            if (!e.ctrlKey && !e.metaKey) {
                this.selection.clear();
                area.querySelectorAll('.file-item.selected').forEach(i => i.classList.remove('selected'));
                this._updateStatus();
            }
            this._startRubberBand(e);
        });
        area.addEventListener('keydown', e => this._onKey(e));
        const fwDropOv = area.querySelector('.fw-drop-overlay');
        let _fwDndHoverFolder = null;
        area.addEventListener('dragover', e => {
            e.preventDefault();
            const folderEl = e.target?.closest?.('.file-item[data-id]'),
                newHover = folderEl && VFS.node(folderEl.dataset.id)?.type === 'folder' ? folderEl.dataset.id : null;
            if (newHover !== _fwDndHoverFolder) {
                if (_fwDndHoverFolder) area.querySelector(`.file-item[data-id="${_fwDndHoverFolder}"]`)?.classList.remove('drag-target');
                _fwDndHoverFolder = newHover;
                if (_fwDndHoverFolder) area.querySelector(`.file-item[data-id="${_fwDndHoverFolder}"]`)?.classList.add('drag-target');
            }
            if (fwDropOv) fwDropOv.classList.toggle('show', !_fwDndHoverFolder);
        });
        area.addEventListener('dragleave', e => {
            if (!area.contains(e.relatedTarget)) {
                if (_fwDndHoverFolder) area.querySelector(`.file-item[data-id="${_fwDndHoverFolder}"]`)?.classList.remove('drag-target');
                _fwDndHoverFolder = null;
                if (fwDropOv) fwDropOv.classList.remove('show');
            }
        });
        area.addEventListener('drop', e => {
            e.preventDefault();
            e.stopPropagation(); // prevent desktop from also receiving this drop
            if (_fwDndHoverFolder) area.querySelector(`.file-item[data-id="${_fwDndHoverFolder}"]`)?.classList.remove('drag-target');
            const targetFolderId = _fwDndHoverFolder || this.folderId;
            _fwDndHoverFolder = null;
            if (fwDropOv) fwDropOv.classList.remove('show');
            App._winCtx = this;
            App.folder = targetFolderId;
            App.selection = this.selection;
            uploadEntries(e.dataTransfer.items, targetFolderId);
        });

        /* ---- Touch: rubber-band select on empty area + long-press context menu ---- */
        _initAreaTouchRubberBand(area, this);

        this._initFwTouchDrag(area);
        this._addResizeHandle();
    }

    /* ---- SET CONTEXT for modal-based and async ops ---- */
    // Clear selection: empties both the Set AND removes .selected CSS classes from DOM
    _clearSelection() {
        this.selection.clear();
        this.el.querySelectorAll('.file-item.selected').forEach(i => i.classList.remove('selected'));
        this._updateStatus();
    }

    _setCtx() {
        App._winCtx = this;
        App.folder = this.folderId;
        App.selection = this.selection;
    }

    /* ---- SET CONTEXT for sync ops (save+restore immediately) ---- */
    _withCtxSync(fn) {
        const pF = App.folder, pS = App.selection, pW = App._winCtx;
        App.folder = this.folderId; App.selection = this.selection; App._winCtx = this;
        try { fn(); } finally { App.folder = pF; App.selection = pS; App._winCtx = pW; }
    }

    /* ---- WINDOW DRAG ---- */
    _makeDraggable(handle) {
        handle.addEventListener('mousedown', e => {
            if (e.button !== 0) return;
            e.preventDefault();
            const startMouseX = e.clientX, startMouseY = e.clientY,
                startLeft = parseInt(this.el.style.left) || 0,
                startTop = parseInt(this.el.style.top) || 0;
            const onMove = mv => {
                const area = document.getElementById('desktop-area'),
                    maxL = area.clientWidth - this.el.offsetWidth,
                    maxT = area.clientHeight - this.el.offsetHeight;
                this.el.style.left = Math.max(0, Math.min(maxL, startLeft + mv.clientX - startMouseX)) + 'px';
                this.el.style.top = Math.max(0, Math.min(maxT, startTop + mv.clientY - startMouseY)) + 'px';
            };
            const onUp = () => { document.removeEventListener('mousemove', onMove); document.removeEventListener('mouseup', onUp); };
            document.addEventListener('mousemove', onMove);
            document.addEventListener('mouseup', onUp);
        });
    }

    bringToFront() { this.el.style.zIndex = WinManager.nextZ(); }

    /* ---- RENDER ---- */
    render() {
        const node = VFS.node(this.folderId);
        if (!node) { WinManager.close(this); return; }

        // Update title — full path
        this.el.querySelector('.fw-title').textContent = VFS.fullPath(this.folderId);
        // Hide navup button when at top-level folder (parent is root)
        const _navB = this.el.querySelector('.fw-btn-navup');
        if (_navB) _navB.style.display = (node.parentId && node.parentId !== 'root') ? '' : 'none';
        // Update title bar folder icon (reflects current color)
        const _folderIconEl = this.el.querySelector('.fw-folder-icon');
        if (_folderIconEl) _folderIconEl.innerHTML = getFolderSVG(node.color);

        // Update breadcrumb inside toolbar
        const bcId = `fw-bc-${this.el.querySelector('.fw-breadcrumb').id.replace('fw-bc-', '')}`,
            bc = this.el.querySelector('.fw-breadcrumb');
        bc.innerHTML = '';
        VFS.breadcrumb(this.folderId).forEach((n, i, arr) => {
            if (i === 0) return; // skip root
            const sp = document.createElement('span');
            sp.className = 'fw-bc-item' + (i === arr.length - 1 ? ' current' : '');
            sp.textContent = n.name;
            if (i < arr.length - 1) sp.addEventListener('click', () => { this.folderId = n.id; this.selection.clear(); this.render(); });
            bc.appendChild(sp);
            if (i < arr.length - 1) { const s = document.createElement('span'); s.className = 'fw-bc-sep'; s.textContent = ' › '; bc.appendChild(s); }
        });

        // Render icons — incremental when same folder to avoid flash, full rebuild on navigation
        const area = this.el.querySelector('.fw-area'),
            folderChanged = this._renderedFolderId !== this.folderId;
        this._renderedFolderId = this.folderId;
        _renderIconArea(area, this.folderId, this.selection, () => this._updateStatus(), folderChanged);
    }

    /* ---- ICON DRAG (within window + escape to desktop/other windows) ---- */
    _onIconMousedown(e, el, node) {
        if (e.button !== 0) return;
        hideCtxMenu();
        _startIconDrag(e, node, el, {
            area: this.el.querySelector('.fw-area'),
            folderId: this.folderId,
            selection: this.selection,
            winEl: this.el,
            updateUI: () => this._updateStatus(),
            clearAll: () => {
                this.selection.clear();
                this.el.querySelectorAll('.fw-area > .file-item.selected').forEach(i => i.classList.remove('selected'));
            },
        });
    }

    /* ---- OPEN NODE: default = navigate within window ---- */
    _openNode(node) {
        hideCtxMenu();
        if (node.type === 'folder') {
            // Auto-cancel cut if navigating into a cut folder
            if (App.clipboard?.op === 'cut') {
                const cutIds = new Set(App.clipboard.ids);
                let cur = node.id;
                while (cur && cur !== 'root') {
                    if (cutIds.has(cur)) { cancelClipboard(); break; }
                    cur = (VFS.node(cur) || {}).parentId;
                }
            }
            this.folderId = node.id; this.selection.clear(); this.render();
        } else {
            openFile(node);
        }
    }

    /* ---- TOUCH DRAG for mobile (inside folder window) ---- */
    _initFwTouchDrag(area) {
        _initTouchDragCommon(area, this, { showSnap: true });
    }

    /* ---- RUBBER BAND selection ---- */
    _startRubberBand(e) {
        _rubberBandSelect(e, this.el.querySelector('.fw-area'), this.selection, () => this._updateStatus());
    }

    /* ---- CONTEXT MENUS ---- */
    _contextDesktop(e) {
        this.selection.clear();
        this.el.querySelectorAll('.file-item.selected').forEach(i => i.classList.remove('selected'));
        this._updateStatus();
        const syncFn = () => this._setCtx();
        showCtxMenu(e.clientX, e.clientY, _buildAreaMenuItems(e, syncFn, this,
            () => { this._renderedFolderId = null; this.render(); }));
    }

    _contextIcon(e, node) {
        if (!e.ctrlKey && !e.metaKey && !this.selection.has(node.id)) {
            this.selection.clear();
            this.el.querySelectorAll('.file-item.selected').forEach(i => i.classList.remove('selected'));
        }
        this.selection.add(node.id);
        this.el.querySelector(`.file-item[data-id="${node.id}"]`)?.classList.add('selected');
        this._updateStatus();
        showCtxMenu(e.clientX, e.clientY, _buildIconMenuItems(node, this.selection, {
            openFn: n => n.type === 'folder' ? this._openNode(n) : openFile(n),
            colorCb: () => this.render(),
            hasCopy: false,
            copyFn: null,
            cutFn: () => this._withCtxSync(() => cutItems()),
            exportZipFn: () => this._withCtxSync(() => exportAsZip([...this.selection])),
            deleteFn: () => { this._setCtx(); deleteSelected(); },
        }));
    }

    /* ---- RESIZE HANDLE ---- */
    _addResizeHandle() {
        const handle = this.el.querySelector('.fw-resize-handle');
        if (!handle) return;
        handle.addEventListener('mousedown', e => {
            if (e.button !== 0) return;
            e.preventDefault(); e.stopPropagation();
            const startX = e.clientX, startY = e.clientY,
                startW = this.el.offsetWidth, startH = this.el.offsetHeight;
            const onMove = mv => {
                this.el.style.width = Math.max(420, Math.min(1400, startW + mv.clientX - startX)) + 'px';
                this.el.style.height = Math.max(260, Math.min(900, startH + mv.clientY - startY)) + 'px';
            };
            const onUp = () => { document.removeEventListener('mousemove', onMove); document.removeEventListener('mouseup', onUp); };
            document.addEventListener('mousemove', onMove);
            document.addEventListener('mouseup', onUp);
        });
    }

    /* ---- STATUS BAR & KEYBOARD ---- */
    _updateStatus() {
        const count = VFS.children(this.folderId).length,
            sel = this.selection.size;
        this.el.querySelector('.fw-status-text').textContent =
            sel > 0 ? `${sel} of ${count} selected` : `${count} item${count !== 1 ? 's' : ''}`;
    }

    _onKey(e) {
        _handleKey(e, this, () => this._setCtx(), fn => this._withCtxSync(fn), {
            area: this.el,
            refresh: () => { this.render(); this.el.querySelector('.fw-area')?.focus(); },
            extraKeys: ev => {
                if (ev.key === 'Backspace' && !ev.ctrlKey && !ev.metaKey) {
                    const n = VFS.node(this.folderId);
                    if (n && n.parentId && n.parentId !== 'root') { this.folderId = n.parentId; this.selection.clear(); this.render(); }
                    return true;
                }
            },
        });
    }
}


================================================
FILE: src/js/detectors/incognito.js
================================================
'use strict';

/* ============================================================
   INCOGNITO DETECTOR  v1.6.2 (adapted)

   Algorithm ported from:
   https://github.com/Joe12387/detectIncognito
   MIT License — Copyright (c) 2021-2025 Joe Rutkowski <Joe@dreggle.com>

   Re-implemented as plain ES6 (no TypeScript, no bundler).
   Covers: Chrome 76+, Edge, Brave, Opera, Safari 13+, Firefox, IE.
   ============================================================ */

/**
 * Detect whether the current tab is running in a private / incognito context.
 * @returns {Promise<{isPrivate: boolean, browserName: string}>}
 */
function detectIncognito() {
    return new Promise(function (resolve, reject) {
        let browserName = 'Unknown';
        let callbackSettled = false;

        function __callback(isPrivate) {
            if (callbackSettled) return;
            callbackSettled = true;
            resolve({ isPrivate, browserName });
        }

        // ── Engine fingerprint ────────────────────────────────────
        // Each JS engine produces a unique error.message.length for (-1).toFixed(-1):
        //   V8 (Chrome/Edge/…) → 51
        //   JavaScriptCore (Safari) → 44 or 43
        //   SpiderMonkey (Firefox) → 25
        function feid() {
            let id = 0;
            try { (-1).toFixed(-1); } catch (e) { id = e.message.length; }
            return id;
        }

        function isSafari() { const f = feid(); return f === 44 || f === 43; }
        function isChrome() { return feid() === 51; }
        function isFirefox() { return feid() === 25; }
        function isMSIE() { return navigator.msSaveBlob !== undefined; }

        function identifyChromium() {
            const ua = navigator.userAgent;
            if (ua.match(/Chrome/)) {
                if (navigator.brave !== undefined) return 'Brave';
                if (ua.match(/Edg/)) return 'Edge';
                if (ua.match(/OPR/)) return 'Opera';
                return 'Chrome';
            }
            return 'Chromium';
        }

        // ── Safari ───────────────────────────────────────────────

        async function currentSafariTest() {
            // Modern Safari private mode: getDirectory() throws "unknown transient reason"
            try {
                await navigator.storage.getDirectory();
                __callback(false);
            } catch (e) {
                const msg = (e instanceof Error) ? e.message : String(e);
                __callback(msg.includes('unknown transient reason'));
            }
        }

        function safari13to18Test() {
            // Safari 13-18: storing a Blob in IDB throws "are not yet supported" in private mode
            const tmp = String(Math.random());
            try {
                const dbReq = indexedDB.open(tmp, 1);
                dbReq.onupgradeneeded = (ev) => {
                    const db = ev.target.result;
                    const finish = (priv) => { __callback(priv); };
                    try {
                        db.createObjectStore('t', { autoIncrement: true }).put(new Blob());
                        finish(false);
                    } catch (err) {
                        const msg = (err instanceof Error) ? err.message : String(err);
                        finish(msg.includes('are not yet supported'));
                    } finally {
                        db.close();
                        indexedDB.deleteDatabase(tmp);
                    }
                };
                dbReq.onerror = () => __callback(false);
            } catch {
                __callback(false);
            }
        }

        function oldSafariTest() {
            const openDB = window.openDatabase;
            const storage = window.localStorage;
            try { openDB(null, null, null, null); } catch { __callback(true); return; }
            try { storage.setItem('test', '1'); storage.removeItem('test'); } catch { __callback(true); return; }
            __callback(false);
        }

        async function safariPrivateTest() {
            if (typeof navigator.storage?.getDirectory === 'function') {
                await currentSafariTest();
            } else if (navigator.maxTouchPoints !== undefined) {
                safari13to18Test();
            } else {
                oldSafariTest();
            }
        }

        // ── Chrome / Chromium ─────────────────────────────────────

        function getQuotaLimit() {
            return window?.performance?.memory?.jsHeapSizeLimit ?? 1073741824;
        }

        // Chrome 76+: private mode caps webkitTemporaryStorage quota to ~2× jsHeapSizeLimit
        function storageQuotaChromePrivateTest() {
            navigator.webkitTemporaryStorage.queryUsageAndQuota(
                function (_used, quota) {
                    const quotaInMib = Math.round(quota / (1024 * 1024));
                    const quotaLimitInMib = Math.round(getQuotaLimit() / (1024 * 1024)) * 2;
                    __callback(quotaInMib < quotaLimitInMib);
                },
                function (e) {
                    reject(new Error('detectIncognito failed to query storage quota: ' + e.message));
                }
            );
        }

        // Chrome 50-75: webkitRequestFileSystem fails in private mode
        function oldChromePrivateTest() {
            window.webkitRequestFileSystem(0, 1, () => __callback(false), () => __callback(true));
        }

        function chromePrivateTest() {
            if (self.Promise !== undefined && self.Promise.allSettled !== undefined) {
                storageQuotaChromePrivateTest();
            } else {
                oldChromePrivateTest();
            }
        }

        // ── Firefox ──────────────────────────────────────────────

        async function firefoxPrivateTest() {
            if (typeof navigator.storage?.getDirectory === 'function') {
                // Modern Firefox private mode: getDirectory() throws "Security error"
                try {
                    await navigator.storage.getDirectory();
                    __callback(false);
                } catch (e) {
                    const msg = (e instanceof Error) ? e.message : String(e);
                    __callback(msg.includes('Security error'));
                }
            } else {
                // Older Firefox: IDB open fails immediately in private mode
                const req = indexedDB.open('inPrivate');
                req.onerror = (event) => {
                    if (req.error && req.error.name === 'InvalidStateError') event.preventDefault();
                    __callback(true);
                };
                req.onsuccess = () => {
                    indexedDB.deleteDatabase('inPrivate');
                    __callback(false);
                };
            }
        }

        // ── IE ───────────────────────────────────────────────────

        function msiePrivateTest() {
            __callback(window.indexedDB === undefined);
        }

        // ── Main ─────────────────────────────────────────────────

        async function main() {
            if (isSafari()) {
                browserName = 'Safari';
                await safariPrivateTest();
            } else if (isChrome()) {
                browserName = identifyChromium();
                chromePrivateTest();
            } else if (isFirefox()) {
                browserName = 'Firefox';
                await firefoxPrivateTest();
            } else if (isMSIE()) {
                browserName = 'Internet Explorer';
                msiePrivateTest();
            } else {
                reject(new Error('detectIncognito cannot determine the browser'));
            }
        }

        main().catch(reject);
    });
}

/* ============================================================
   INCOGNITO WARNING UI
   ============================================================ */

/**
 * Show the full-screen incognito warning and wait for the user to dismiss it.
 * Uses a 3-second countdown before "Continue" is enabled — same pattern
 * as confirmDeleteContainer() in home.js.
 * @returns {Promise<void>} resolves when the user clicks Continue.
 */
function showIncognitoWarning() {
    return new Promise((resolve) => {
        const el = document.getElementById('incognito-warning');
        const btn = document.getElementById('incognito-continue-btn');
        const lbl = document.getElementById('incognito-continue-lbl');

        el.style.display = 'flex';

        let remaining = 3;
        lbl.textContent = `Wait\u2026 ${remaining}`;
        btn.disabled = true;

        const timer = setInterval(() => {
            remaining--;
            if (remaining > 0) {
                lbl.textContent = `Wait\u2026 ${remaining}`;
            } else {
                clearInterval(timer);
                btn.disabled = false;
                lbl.textContent = 'I understand, Continue';
            }
        }, 1000);

        btn.onclick = () => {
            clearInterval(timer);
            btn.onclick = null;
            el.style.display = 'none';
            resolve();
        };
    });
}


================================================
FILE: src/js/docmode.js
================================================
if (localStorage.getItem('snv-doc-hide') === '1') document.documentElement.classList.add('snv-doc-hidden');


================================================
FILE: src/js/fileops.js
================================================
'use strict';

/* ============================================================
   FILENAME SANITIZATION
   ============================================================ */
function sanitizeFilename(name) {
    // Strip null bytes, path separators, HTML/XML special chars, and prevent . / .. as names
    const s = (name || 'unnamed')
        .replace(/[\x00-\x1f\\/]/g, '_')
        .replace(/[<>&"']/g, '_')
        .trim();
    return /^\.{1,2}$/.test(s) || s === '' ? 'unnamed' : s;
}

/* ============================================================
   UPLOAD FILES  (from OS drag-drop or file picker — flat list)
   ============================================================ */
async function uploadFiles(files) {
    if (!App.key || !App.container) return;
    if (!files || !files.length) return;

    // Container size check
    const remaining = CONTAINER_LIMIT - VFS.totalSize();
    let totalNew = 0;
    for (const f of files) totalNew += f.size;
    if (totalNew > remaining) {
        toast(`Not enough space in container. Need ${fmtSize(totalNew)}, have ${fmtSize(remaining)}`, 'error');
        return;
    }

    // Device storage check
    const spCheck = await checkStorageSpace(totalNew * 1.1); // +10% for encryption overhead
    if (!spCheck.ok) {
        toast(
            `Not enough device storage. Need ~${fmtSize(totalNew)}, only ${fmtSize(spCheck.available)} free.`,
            'error'
        );
        return;
    }

    showLoading(`Encrypting ${files.length} file${files.length > 1 ? 's' : ''}...`);
    let ok = 0, _okIds = [];
    const fileArr = Array.from(files);
    const BATCH = _CRYPTO_CONCURRENCY;
    for (let i = 0; i < fileArr.length; i += BATCH) {
        const batch = fileArr.slice(i, i + BATCH);
        // Read all file buffers in this batch concurrently before encrypting
        const bufs = await Promise.all(batch.map(f => f.arrayBuffer()));
        const results = await Promise.allSettled(batch.map(async (f, bi) => {
            const name = sanitizeFilename(f.name),
                mime = f.type || getMime(name),
                { iv, blob } = await Crypto.encryptBin(App.key, bufs[bi]),
                nodeId = uid();
            VFS.add({
                id: nodeId, type: 'file', name, mime, size: f.size,
                parentId: App.folder, ctime: Date.now(), mtime: Date.now()
            });
            return { nodeId, rec: { id: nodeId, cid: App.container.id, iv: Array.from(iv), blob } };
        }));
        // Batch-save all encrypted records in a single IDB transaction
        const recs = [];
        for (let j = 0; j < results.length; j++) {
            if (results[j].status === 'fulfilled') {
                ok++;
                _okIds.push(results[j].value.nodeId);
                recs.push(results[j].value.rec);
            } else {
                console.error('upload error', batch[j].name, results[j].reason);
                toast('Failed to encrypt: ' + batch[j].name, 'error');
            }
        }
        if (recs.length) await DB.saveFiles(recs);
        showLoading(`Encrypting... ${Math.min(i + BATCH, fileArr.length)}/${fileArr.length}`);
    }
    await saveVFS();
    Desktop._patchIcons();
    hideLoading();
    if (ok > 0) {
        toast(`${ok} file${ok > 1 ? 's' : ''} imported`, 'success');
        logActivity('upload', ok === 1 ? files[0].name : `${ok} files`, ok, ok === 1 && _okIds[0] ? VFS.fullPath(_okIds[0]) : null);
        _scheduleExportCacheRefresh();
    }
}

/* ============================================================
   UPLOAD ENTRIES  (from OS drag-drop — supports folders)
   Handles DataTransferItemList containing files AND directories.
   ============================================================ */

// Read all entries from a FileSystemDirectoryReader.
// The API only returns up to 100 entries per call — must batch until empty.
function _readAllEntries(reader) {
    return new Promise(resolve => {
        const results = [];
        function batch() {
            reader.readEntries(entries => {
                if (!entries.length) { resolve(results); return; }
                results.push(...entries);
                batch();
            }, () => resolve(results)); // on error, return what we have
        }
        batch();
    });
}

// Encrypt a single FileSystemFileEntry and add it to the VFS under targetFolderId.
async function _uploadFileEntry(fileEntry, targetFolderId) {
    const file = await new Promise((res, rej) => fileEntry.file(res, rej));
    const name = sanitizeFilename(file.name);
    if (VFS.hasChildNamed(targetFolderId, name)) {
        toast(`"${name}" already exists — skipped`, 'warn');
        return false;
    }
    if (VFS.totalSize() + file.size > CONTAINER_LIMIT) {
        _uploadLimitHit = true;
        return false;
    }
    const spCheck = await checkStorageSpace(file.size * 1.1);
    if (!spCheck.ok) {
        _uploadDeviceFullHit = true;
        return false;
    }
    const buf = await file.arrayBuffer(),
        mime = file.type || getMime(name),
        { iv, blob } = await Crypto.encryptBin(App.key, buf),
        nodeId = uid(), now = Date.now();
    VFS.add({
        id: nodeId, type: 'file', name, mime, size: file.size,
        parentId: targetFolderId, ctime: now, mtime: now
    });
    await DB.saveFile({ id: nodeId, cid: App.container.id, iv: Array.from(iv), blob });
    return true;
}

// Recursively upload a FileSystemDirectoryEntry into the VFS under targetFolderId.
async function _uploadDirEntry(dirEntry, targetFolderId, depth) {
    if (depth > 32) { toast('Folder nesting too deep — stopped at 32 levels', 'warn'); return false; }
    const name = sanitizeFilename(dirEntry.name);
    if (VFS.hasChildNamed(targetFolderId, name)) {
        toast(`Folder "${name}" already exists — skipped`, 'warn');
        return false;
    }
    const folderId = uid(), now = Date.now();
    VFS.add({ id: folderId, type: 'folder', name, parentId: targetFolderId, ctime: now, mtime: now });
    const entries = await _readAllEntries(dirEntry.createReader());
    const fileEntries = entries.filter(e => e.isFile);
    const subDirEntries = entries.filter(e => e.isDirectory);
    // Encrypt files in this directory in parallel batches
    const BATCH = _CRYPTO_CONCURRENCY;
    for (let i = 0; i < fileEntries.length; i += BATCH) {
        await Promise.allSettled(
            fileEntries.slice(i, i + BATCH).map(e => _uploadFileEntry(e, folderId))
        );
    }
    // Recurse into subdirectories sequentially
    for (const subDir of subDirEntries) {
        await _uploadDirEntry(subDir, folderId, depth + 1);
    }
    return true;
}

let _uploadLimitHit = false;
let _uploadDeviceFullHit = false;

// Main drop entry point for desktop and folder-window drop events.
// Accepts DataTransferItemList (supports both files and folders).
async function uploadEntries(dataTransferItems, targetFolderId) {
    if (!App.key || !App.container) return;
    const itemArr = Array.from(dataTransferItems || []);
    if (!itemArr.length) return;
    _uploadLimitHit = false;
    _uploadDeviceFullHit = false;

    const entries = itemArr.map(i => i.webkitGetAsEntry?.()).filter(Boolean);
    if (!entries.length) {
        // Fallback: no Entry API support — treat all as flat files
        const files = itemArr.map(i => i.getAsFile?.()).filter(Boolean);
        if (files.length) await uploadFiles(files);
        return;
    }

    const fileEntries = entries.filter(e => e.isFile),
        folderEntries = entries.filter(e => e.isDirectory);
    const label = [
        fileEntries.length && `${fileEntries.length} file${fileEntries.length !== 1 ? 's' : ''}`,
        folderEntries.length && `${folderEntries.length} folder${folderEntries.length !== 1 ? 's' : ''}`,
    ].filter(Boolean).join(' and ');

    showLoading(`Encrypting ${label}…`);
    let ok = 0;
    for (const entry of entries) {
        try {
            const added = entry.isDirectory
                ? await _uploadDirEntry(entry, targetFolderId, 0)
                : await _uploadFileEntry(entry, targetFolderId);
            if (added) ok++;
        } catch (err) {
            console.error('upload entry error', entry.name, err);
            toast(`Failed to import: ${entry.name}`, 'error');
        }
    }
    await saveVFS();
    Desktop._patchIcons();
    if (typeof WinManager !== 'undefined') WinManager.renderAll();
    hideLoading();
    if (ok > 0) {
        toast(`${ok} item${ok !== 1 ? 's' : ''} imported`, 'success');
        {
            const _sn = ok === 1 ? VFS.children(targetFolderId).find(n => n.name === sanitizeFilename(entries[0]?.name || '')) : null;
            logActivity('upload', ok === 1 ? (entries[0]?.name ?? '1 item') : `${ok} items`, ok, _sn ? VFS.fullPath(_sn.id) : null);
        }
        _scheduleExportCacheRefresh();
    }
    if (_uploadLimitHit) toast(`Container is full (${fmtSize(CONTAINER_LIMIT)}) — some files were not imported`, 'error');
    if (_uploadDeviceFullHit) toast('Not enough device storage — some files were not imported', 'error');
}

/* ============================================================
   OPEN / DOWNLOAD FILE
   ============================================================ */
async function openFile(node) {
    if (!App.key || !App.container) return;
    showLoading('Decrypting file...');
    try {
        const rec = await DB.getFile(node.id);
        if (!rec) { toast('File data not found', 'error'); hideLoading(); return; }
        const mime = node.mime || getMime(node.name);
        let buf;
        // Empty file: blob may be missing or decrypt may fail for 0-byte content
        if (!rec.blob || (rec.blob instanceof ArrayBuffer && rec.blob.byteLength === 0)) {
            buf = new ArrayBuffer(0);
        } else {
            buf = await Crypto.decryptBin(App.key, rec.iv, rec.blob);
        }
        hideLoading();

        if (isText(mime, node.name)) {
            openEditor(node, buf);
        } else if (isImage(mime) || isAudio(mime) || isVideo(mime) || isPDF(mime)) {
            openViewer(node, buf, mime);
        } else {
            _confirmExport(node, buf, mime);
        }
    } catch (e) { hideLoading(); toast('Decryption failed: ' + e.message, 'error'); console.error(e); }
}

async function downloadFile(node) {
    if (!App.key || !App.container) return;
    showLoading('Decrypting...');
    try {
        const rec = await DB.getFile(node.id);
        if (!rec) { toast('File data not found', 'error'); hideLoading(); return; }
        let buf;
        if (!rec.blob || (rec.blob instanceof ArrayBuffer && rec.blob.byteLength === 0)) {
            buf = new ArrayBuffer(0);
        } else {
            buf = await Crypto.decryptBin(App.key, rec.iv, rec.blob);
        }
        downloadBuf(buf, node.name, node.mime || getMime(node.name));
        toast('Exported: ' + node.name, 'success');
        logActivity('download', node.name, 1, VFS.fullPath(node.id));
    } catch (e) { toast('Decryption failed: ' + e.message, 'error'); }
    hideLoading();
}

function downloadBuf(buf, name, mime) {
    const blob = new Blob(Array.isArray(buf) ? buf : [buf], { type: mime });
    const url = URL.createObjectURL(blob);
    const a = document.createElement('a');
    a.href = url; a.download = name;
    // Append to DOM before click — some Chrome builds require a connected
    // element for the download attribute to trigger blob saves correctly.
    document.body.appendChild(a);
    a.click();
    a.remove();
    setTimeout(() => URL.revokeObjectURL(url), 5000);
}

function _confirmExport(node, buf, mime) {
    const fnEl = document.getElementById('ec-filename');
    if (fnEl) fnEl.textContent = node.name;
    Overlay.show('modal-export-confirm');
    document.getElementById('ec-ok').onclick = () => {
        Overlay.hide();
        downloadBuf(buf, node.name, mime);
        toast('Exported: ' + node.name, 'success');
        logActivity('download', node.name, 1, VFS.fullPath(node.id));
    };
}

/* ============================================================
   DELETE SELECTED
   ============================================================ */
async function deleteSelected() {
    if (!App.selection.size) return;
    const selRef = App.selection;           // capture the active selection Set at call time
    const ids = [...selRef];

    // Prevent deleting folders currently open in Explorer windows
    const blocked = _openFolderGuard(ids);
    if (blocked) {
        toast(`"${VFS.node(blocked)?.name}" is open in Explorer — close the window first`, 'error');
        return;
    }

    const names = ids.map(id => VFS.node(id)?.name || '').filter(Boolean);
    const msg = ids.length === 1
        ? `Delete "${names[0]}"? This action cannot be undone.`
        : `Delete ${ids.length} items? This action cannot be undone.`;

    document.getElementById('delete-msg').textContent = msg;
    Overlay.show('modal-delete');
    document.getElementById('delete-ok').onclick = async () => {
        Overlay.hide();
        showLoading('Deleting...');
        const allFileIds = [];
        for (const id of ids) {
            const n = VFS.node(id); if (!n) continue;
            if (n.type === 'file') {
                allFileIds.push(id);
            } else {
                const _walkSeen = new Set();
                const walk = fid => {
                    if (_walkSeen.has(fid)) return;
                    _walkSeen.add(fid);
                    VFS.children(fid).forEach(c => { if (c.type === 'file') allFileIds.push(c.id); else walk(c.id); });
                };
                walk(id);
            }
        }
        if (allFileIds.length) await DB.deleteFiles(allFileIds).catch(() => { });
        allFileIds.forEach(fid => { delete App.thumbCache[fid]; });
        const _delSinglePath = ids.length === 1 ? VFS.fullPath(ids[0]) : null;
        for (const id of ids) VFS.remove(id);
        selRef.clear();
        await saveVFS();
        Desktop._patchIcons();
        if (typeof WinManager !== 'undefined') WinManager.renderAll();
        hideLoading();
        toast('Deleted', 'info');
        logActivity('delete', ids.length === 1 ? names[0] : `${ids.length} items`, ids.length, _delSinglePath);
        _scheduleExportCacheRefresh();
    };
}

/* ============================================================
   NEW TEXT FILE  —  BUG FIX: just creates the file, does NOT open editor
   ============================================================ */
function newTextFile() {
    const targetFolder = App.folder;
    let name = 'Document.txt';
    if (VFS.hasChildNamed(targetFolder, name)) {
        let i = 2;
        while (VFS.hasChildNamed(targetFolder, `Document (${i}).txt`)) i++;
        name = `Document (${i}).txt`;
    }
    document.getElementById('nf-name').value = name;
    Overlay.show('modal-new-text');
    setTimeout(() => {
        const inp = document.getElementById('nf-name');
        inp.focus();
        const dot = name.lastIndexOf('.');
        if (dot > 0) inp.setSelectionRange(0, dot); else inp.select();
    }, 100);
}

async function createTextFile() {
    const name = sanitizeFilename(document.getElementById('nf-name').value.trim());
    if (!name || name === 'unnamed') { toast('Enter a valid file name', 'error'); return; }
    // Capture context BEFORE Overlay.hide() clears it
    const targetFolder = App.folder,
        winCtx = App._winCtx;
    // Duplicate name check
    if (VFS.hasChildNamed(targetFolder, name)) {
        toast(`“${name}” already exists in this folder`, 'error'); return;
    }
    Overlay.hide();

    const nodeId = uid();
    const mime = getMime(name);
    const emptyBuf = new ArrayBuffer(0);
    const { iv, blob } = await Crypto.encryptBin(App.key, emptyBuf);
    VFS.add({
        id: nodeId, type: 'file', name, mime, size: 0,
        parentId: targetFolder, ctime: Date.now(), mtime: Date.now()
    });
    // Position at context menu cursor if available
    if (App._ctxScreenPos) {
        const area2 = winCtx ? winCtx.el.querySelector('.fw-area') : document.getElementById('desktop-area');
        const rect2 = area2.getBoundingClientRect();
        const rawX = App._ctxScreenPos.x - rect2.left + area2.scrollLeft;
        const rawY = App._ctxScreenPos.y - rect2.top + area2.scrollTop;
        const occ = new Map();
        VFS.children(targetFolder).forEach(n => {
            if (n.id === nodeId) return;
            const p = VFS.getPos(targetFolder, n.id);
            if (p) occ.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
        });
        const snapped = _snapFreeCell(rawX, rawY, occ);
        VFS.setPos(targetFolder, nodeId, snapped.x, snapped.y);
        App._ctxScreenPos = null;
    }
    await DB.saveFile({ id: nodeId, cid: App.container.id, iv: Array.from(iv), blob });
    await saveVFS();
    if (winCtx) winCtx.render(); else Desktop._patchIcons();
    toast(`File “${name}” created`, 'success');
    logActivity('create-file', name, 1, VFS.fullPath(nodeId));
}

/* ============================================================
   NEW FOLDER
   ============================================================ */
function newFolder() {
    const targetFolder = App.folder;
    let name = 'New Folder';
    if (VFS.hasChildNamed(targetFolder, name)) {
        let i = 2;
        while (VFS.hasChildNamed(targetFolder, `New Folder (${i})`)) i++;
        name = `New Folder (${i})`;
    }
    document.getElementById('nd-name').value = name;
    Overlay.show('modal-new-folder');
    setTimeout(() => {
        const inp = document.getElementById('nd-name');
        inp.focus(); inp.select();
    }, 100);
}

async function createFolder() {
    const name = sanitizeFilename(document.getElementById('nd-name').value.trim());
    if (!name || name === 'unnamed') { toast('Enter a valid folder name', 'error'); return; }
    // Capture context BEFORE Overlay.hide() clears it
    const targetFolder = App.folder,
        winCtx = App._winCtx;
    // Duplicate name check
    if (VFS.hasChildNamed(targetFolder, name)) {
        toast(`“${name}” already exists in this folder`, 'error'); return;
    }
    Overlay.hide();
    const nodeId = uid();
    VFS.add({ id: nodeId, type: 'folder', name, parentId: targetFolder, ctime: Date.now(), mtime: Date.now() });
    // Position at context menu cursor if available
    if (App._ctxScreenPos) {
        const area2 = winCtx ? winCtx.el.querySelector('.fw-area') : document.getElementById('desktop-area');
        const rect2 = area2.getBoundingClientRect();
        const rawX = App._ctxScreenPos.x - rect2.left + area2.scrollLeft;
        const rawY = App._ctxScreenPos.y - rect2.top + area2.scrollTop;
        const occ = new Map();
        VFS.children(targetFolder).forEach(n => {
            if (n.id === nodeId) return;
            const p = VFS.getPos(targetFolder, n.id);
            if (p) occ.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
        });
        const snapped = _snapFreeCell(rawX, rawY, occ);
        VFS.setPos(targetFolder, nodeId, snapped.x, snapped.y);
        App._ctxScreenPos = null;
    }
    await saveVFS();
    if (winCtx) winCtx.render(); else Desktop._patchIcons();
    toast(`Folder "${name}" created`, 'success');
    logActivity('create-folder', name, 1, VFS.fullPath(nodeId));
}

/* ============================================================
   RENAME
   ============================================================ */
function renameNode(node) {
    if (!node) return;

    // Prevent renaming folders currently open in Explorer windows
    if (node.type === 'folder') {
        const blocked = _openFolderGuard([node.id]);
        if (blocked) {
            toast(`“${node.name}” is open in Explorer — close the window first`, 'error');
            return;
        }
    }

    document.getElementById('rename-input').value = node.name;
    const capturedWinCtx = App._winCtx;
    Overlay.show('modal-rename');
    setTimeout(() => {
        const i = document.getElementById('rename-input');
        i.focus();
        const dot = i.value.lastIndexOf('.');
        if (dot > 0) i.setSelectionRange(0, dot); else i.select();
    }, 100);
    document.getElementById('rename-ok').onclick = async () => {
        const newName = sanitizeFilename(document.getElementById('rename-input').value.trim());
        if (!newName || newName === 'unnamed') { toast('Enter a valid name', 'error'); return; }
        // Duplicate check (ignore if same name, case-insensitive)
        const pid = VFS.node(node.id)?.parentId;
        if (pid && newName.toLowerCase() !== node.name.toLowerCase() && VFS.hasChildNamed(pid, newName)) {
            toast(`“${newName}” already exists in this folder`, 'error'); return;
        }
        Overlay.hide();
        const _oldName = node.name;
        VFS.rename(node.id, newName);
        await saveVFS();

        // Patch only the affected icon(s) in-place — no full desktop re-render needed.
        // node.mime was already updated by VFS.rename; recompute for the thumb.
        const _patchIconEl = (el) => {
            if (!el) return;
            const nameEl = el.querySelector('.file-name');
            if (nameEl) nameEl.textContent = newName;
            if (node.type === 'file') {
                const newMime = node.mime || getMime(newName);
                const thumb = el.querySelector('.file-thumb');
                if (thumb) {
                    // If extension changed to a non-image type, drop the thumbnail cache
                    if (!isImage(newMime) && App.thumbCache[node.id]) {
                        delete App.thumbCache[node.id];
                    }
                    if (App.thumbCache[node.id]) {
                        const img = document.createElement('img');
                        img.src = App.thumbCache[node.id];
                        img.draggable = false;
                        thumb.innerHTML = '';
                        thumb.appendChild(img);
                    } else {
                        thumb.innerHTML = getFileIconSVG(newMime, newName);
                        if (isImage(newMime)) _enqueueThumb(node);
                    }
                }
            }
        };
        document.querySelectorAll(`.file-item[data-id="${node.id}"]`).forEach(_patchIconEl);

        logActivity('rename', `${_oldName} → ${newName}`, 1, VFS.fullPath(node.id));
    };
}

/* ============================================================
   COPY / CUT / PASTE
   ============================================================ */
function copyItems() {
    App.clipboard = { op: 'copy', ids: [...App.selection] };
    toast(`${App.clipboard.ids.length} item(s) copied`, 'info');
    logActivity('copy', App.clipboard.ids.length === 1 ? (VFS.node(App.clipboard.ids[0])?.name ?? '1 item') : `${App.clipboard.ids.length} items`, App.clipboard.ids.length, App.clipboard.ids.length === 1 ? VFS.fullPath(App.clipboard.ids[0]) : null);
}
function cutItems() {
    // Prevent cutting folders currently open in Explorer windows
    const blocked = _openFolderGuard(App.selection);
    if (blocked) {
        toast(`“${VFS.node(blocked)?.name}” is open in Explorer — close the window first`, 'error');
        return;
    }

    App.clipboard = { op: 'cut', ids: [...App.selection] };
    toast(`${App.clipboard.ids.length} item(s) cut`, 'info');
    logActivity('cut', App.clipboard.ids.length === 1 ? (VFS.node(App.clipboard.ids[0])?.name ?? '1 item') : `${App.clipboard.ids.length} items`, App.clipboard.ids.length, App.clipboard.ids.length === 1 ? VFS.fullPath(App.clipboard.ids[0]) : null);
    _applyCutStyles();
}

function _dedupName(folderId, name) {
    const dot = name.lastIndexOf('.');
    const hasExt = dot > 0;
    const base = hasExt ? name.slice(0, dot) : name;
    const ext = hasExt ? name.slice(dot) : '';
    let i = 2;
    while (VFS.hasChildNamed(folderId, `${base} (${i})${ext}`)) i++;
    return `${base} (${i})${ext}`;
}

async function pasteItems() {
    if (!App.clipboard) return;
    const { op, ids } = App.clipboard;

    // Prevent pasting a cut folder if it's currently open in Explorer windows
    if (op === 'cut') {
        const blocked = _openFolderGuard(ids);
        if (blocked) {
            toast(`“${VFS.node(blocked)?.name}” is open in Explorer — close the window first`, 'error');
            // Abort the entire paste operation to prevent partial moves
            return;
        }
    }

    const _srcParent = VFS.node(ids[0])?.parentId,
        _srcFolderPath = _srcParent ? VFS.fullPath(_srcParent) : null;
    let _pastedSn = null;
    const _pastedIds = [];
    for (const id of ids) {
        const n = VFS.node(id); if (!n) continue;
        if (op === 'cut') {
            if (n.parentId === App.folder) continue;
            const result = VFS.move(id, App.folder);
            if (result === 'duplicate') { toast(`"${n.name}" already exists in this folder`, 'error'); continue; }
            if (result === 'cycle') { toast(`Cannot paste "${n.name}" into itself or a subfolder`, 'error'); continue; }
            _pastedSn = n.name;
            _pastedIds.push(id);
        } else {
            let name = n.name;
            if (VFS.hasChildNamed(App.folder, name)) name = _dedupName(App.folder, name);
            const newId = await deepCopy(id, App.folder, name !== n.name ? name : undefined);
            _pastedSn = name;
            if (newId) _pastedIds.push(newId);
        }
    }
    // Position pasted items at the context-menu cursor (set by right-click / long-press Paste)
    if (App._ctxScreenPos && _pastedIds.length > 0) {
        const winCtx = App._winCtx;
        const area2 = winCtx ? winCtx.el.querySelector('.fw-area') : document.getElementById('desktop-area');
        const rect2 = area2.getBoundingClientRect();
        const rawX = App._ctxScreenPos.x - rect2.left + area2.scrollLeft;
        const rawY = App._ctxScreenPos.y - rect2.top + area2.scrollTop;
        const occ = new Map();
        VFS.children(App.folder).forEach(n => {
            if (_pastedIds.includes(n.id)) return;
            const p = VFS.getPos(App.folder, n.id);
            if (p) occ.set(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`, n.id);
        });
        _pastedIds.forEach(id => {
            const snapped = _snapFreeCell(rawX, rawY, occ);
            VFS.setPos(App.folder, id, snapped.x, snapped.y);
            occ.set(`${Math.round((snapped.x - 8) / GRID_X)}_${Math.round((snapped.y - 8) / GRID_Y)}`, id);
        });
        App._ctxScreenPos = null;
    }
    if (op === 'cut') App.clipboard = null;
    _applyCutStyles();
    await saveVFS();
    // Refresh all open views so both source and target folders update
    Desktop._patchIcons();
    if (typeof WinManager !== 'undefined') WinManager.renderAll();
    logActivity('paste', ids.length === 1 ? (_pastedSn ?? VFS.node(ids[0])?.name ?? '1 item') : `${ids.length} items`, ids.length, _srcFolderPath, VFS.fullPath(App.folder));
    // Copy paste creates new file blobs — refresh the export cache
    if (op === 'copy') _scheduleExportCacheRefresh();
}

async function deepCopy(nodeId, newParent, newName, _depth = 0) {
    if (_depth > 64 || nodeId === 'root') return null;
    const n = VFS.node(nodeId); if (!n) return null;
    const newId = uid();
    const name = newName || n.name;
    if (n.type === 'file') {
        VFS.add({ ...n, id: newId, name, parentId: newParent, ctime: Date.now(), mtime: Date.now() });
        const rec = await DB.getFile(nodeId);
        if (rec) await DB.saveFile({ ...rec, id: newId, cid: App.container.id });
    } else {
        VFS.add({ ...n, id: newId, name, parentId: newParent, ctime: Date.now(), mtime: Date.now() });
        for (const child of VFS.children(nodeId)) await deepCopy(child.id, newId, undefined, _depth + 1);
    }
    return newId;
}

/* ============================================================
   SELECT ALL / SORT
   ============================================================ */
function selectAll() {
    VFS.children(App.folder).forEach(n => {
        App.selection.add(n.id);
        // Look in both main desktop and any folder windows
        const el = document.querySelector(`.file-item[data-id="${n.id}"]`);
        if (el) el.classList.add('selected');
    });
    if (App._winCtx) App._winCtx._updateStatus();
    else if (typeof Desktop !== 'undefined') Desktop._updateSelectionBar();
}

function sortIcons(by = 'name', dir = 'asc', winCtx = null) {
    const fid = winCtx ? winCtx.folderId : Desktop._desktopFolder;
    const area = winCtx ? winCtx.el.querySelector('.fw-area') : document.getElementById('desktop-area');
    const items = VFS.children(fid);
    items.sort((a, b) => {
        // Folders always come first
        if (a.type !== b.type) return a.type === 'folder' ? -1 : 1;
        let va, vb;
        switch (by) {
            case 'mtime': va = a.mtime || 0; vb = b.mtime || 0; break;
            case 'ctime': va = a.ctime || 0; vb = b.ctime || 0; break;
            case 'size': va = a.size || 0; vb = b.size || 0; break;
            case 'type': va = getExt(a.name) || ''; vb = getExt(b.name) || ''; break;
            default: va = a.name.toLowerCase(); vb = b.name.toLowerCase();
        }
        const cmp = va < vb ? -1 : va > vb ? 1 : 0;
        return dir === 'desc' ? -cmp : cmp;
    });
    // Compute sequential grid positions directly (don't use autoPos which sees old positions as occupied)
    const W = (area && area.clientWidth) || 800,
        cols = Math.max(1, Math.floor((W - 16) / GRID_X));
    items.forEach((n, i) => {
        const col = i % cols, row = Math.floor(i / cols);
        const x = 8 + col * GRID_X, y = 8 + row * GRID_Y;
        VFS.setPos(fid, n.id, x, y);
        const el = area._iconMap?.get(n.id) ?? area.querySelector(`.file-item[data-id="${n.id}"]`);
        if (el) {
            el.style.transition = 'left 0.12s ease, top 0.12s ease';
            el.style.left = x + 'px'; el.style.top = y + 'px';
            setTimeout(() => { if (el.parentNode) el.style.transition = ''; }, 150);
        }
    });
    saveVFS();
    logActivity('sort', `by ${by} (${dir})`);
}

/* ============================================================
   CAN EDIT AS PLAIN TEXT  (whitelist of text-ish types)
   ============================================================ */
function canEditAsText(node) {
    if (node.type === 'folder') return false;
    const mime = node.mime || getMime(node.name);
    if (mime.startsWith('text/')) return true;
    if (['application/json', 'application/xml', 'application/javascript',
        'application/x-yaml', 'application/sql'].includes(mime)) return true;
    const ext = getExt(node.name).toLowerCase();
    return ['txt', 'md', 'log', 'logs', 'conf', 'config', 'cfg', 'ini', 'env',
        'sh', 'bash', 'zsh', 'fish', 'bat', 'cmd', 'ps1',
        'js', 'ts', 'jsx', 'tsx', 'mjs', 'cjs',
        'py', 'pyw', 'rb', 'php', 'phps',
        'java', 'c', 'cpp', 'cc', 'cxx', 'h', 'hpp',
        'cs', 'fs', 'fsx', 'vb',
        'go', 'rs', 'swift', 'kt', 'kts', 'groovy', 'scala',
        'lua', 'pl', 'r', 'sql', 'graphql', 'gql',
        'json', 'xml', 'yaml', 'yml', 'toml', 'csv', 'tsv',
        'html', 'htm', 'css', 'scss', 'sass', 'less',
        'vue', 'svelte', 'astro',
        'dockerfile', 'makefile', 'cmake',
        'gitignore', 'gitattributes', 'editorconfig',
        'prettierrc', 'eslintrc', 'babelrc', 'map',
        'csproj'].includes(ext);
}

/* ============================================================
   OPEN FILE AS PLAIN TEXT  (force text editor, any file type)
   ============================================================ */
async function openFileAsText(node) {
    if (!App.key || !App.container) return;
    showLoading('Decrypting file...');
    const TIMEOUT_MS = 5000;
    try {
        const rec = await DB.getFile(node.id);
        if (!rec) { toast('File data not found', 'error'); hideLoading(); return; }
        let buf;
        if (!rec.blob || (rec.blob instanceof ArrayBuffer && rec.blob.byteLength === 0)) {
            buf = new ArrayBuffer(0);
        } else {
            const decryptPromise = Crypto.decryptBin(App.key, rec.iv, rec.blob);
            const timeoutPromise = new Promise((_, reject) =>
                setTimeout(() => reject(new Error('timeout')), TIMEOUT_MS)
            );
            buf = await Promise.race([decryptPromise, timeoutPromise]);
        }
        hideLoading();
        openEditor(node, buf);
    } catch (e) {
        hideLoading();
        if (e.message === 'timeout') {
            toast('Operation timed out after 5 seconds', 'warn');
        } else {
            toast('Decryption failed: ' + e.message, 'error');
        }
    }
}

/* ============================================================
   FOLDER SIZE  (recursive sum of all file descendants)
   ============================================================ */
function _folderSize(folderId, _visited = new Set()) {
    if (_visited.has(folderId)) return 0;
    _visited.add(folderId);
    let size = 0;
    VFS.children(folderId).forEach(n => {
        size += n.type === 'file' ? (n.size || 0) : _folderSize(n.id, _visited);
    });
    return size;
}

/* ============================================================
   PROPERTIES
   ============================================================ */
function showProps(node) {
    const body = document.getElementById('props-body');
    const icon = node.type === 'folder' ? getFolderSVG(node.color) : getFileIconSVG(node.mime || getMime(node.name), node.name);
    const folderSz = node.type === 'folder' ? _folderSize(node.id) : null;
    body.innerHTML = `
    <div class="props-icon">${icon}</div>
    <table class="props-table">
      <tr><td>Name</td><td>${escHtml(node.name)}</td></tr>
      <tr><td>Path</td><td>${escHtml(VFS.fullPath(node.id))}</td></tr>
      <tr><td>Type</td><td>${escHtml(node.type === 'folder' ? 'Folder' : (node.mime || getMime(node.name)))}</td></tr>
      ${node.size != null ? `<tr><td>Size</td><td>${fmtSize(node.size)}</td></tr>` : ''}
      ${folderSz !== null ? `<tr><td>Size</td><td>${fmtSize(folderSz)}</td></tr>` : ''}
      <tr><td>Created</td><td>${fmtDate(node.ctime)}</td></tr>
      <tr><td>Modified</td><td>${fmtDate(node.mtime)}</td></tr>
      ${node.type === 'folder' ? `<tr><td>Items</td><td>${VFS.children(node.id).length}</td></tr>` : ''}
      <tr><td>Encrypted</td><td style="color:var(--accent)">AES-256-GCM ✓</td></tr>
    </table>
  `;
    Overlay.show('modal-props');
}

/* ============================================================
   LINE NUMBER HELPERS
   ============================================================ */
let _lineNumCanvas = null;
let _lineNumTimer = null;

function _measureWrappedLineHeights(ta, lines) {
    const cs = window.getComputedStyle(ta);
    const lh = parseFloat(cs.lineHeight);
    const taW = ta.clientWidth - parseFloat(cs.paddingLeft) - parseFloat(cs.paddingRight);
    if (taW <= 0) return lines.map(() => lh);
    if (!_lineNumCanvas) _lineNumCanvas = document.createElement('canvas');
    const ctx = _lineNumCanvas.getContext('2d');
    const tabSize = parseInt(cs.tabSize) || 2;
    const tabStr = '\u00a0'.repeat(tabSize);
    ctx.font = `${cs.fontWeight} ${cs.fontSize} ${cs.fontFamily}`;
    return lines.map(line => {
        if (!line) return lh;
        const expanded = line.replace(/\t/g, tabStr);
        const w = ctx.measureText(expanded).width;
        return Math.max(1, Math.ceil(w / taW)) * lh;
    });
}

function _updateLineNumbers() {
    const ta = document.getElementById('editor-textarea');
    const gutter = document.getElementById('editor-line-numbers');
    if (!gutter || !ta) return;
    const lines = ta.value.split('\n');
    const isWrapped = ta.classList.contains('word-wrap');
    const lh = parseFloat(window.getComputedStyle(ta).lineHeight) || 20.8;
    const heights = isWrapped ? _measureWrappedLineHeights(ta, lines) : null;
    const frag = document.createDocumentFragment();
    for (let i = 0; i < lines.length; i++) {
        const d = document.createElement('div');
        d.textContent = i + 1;
        d.style.height = (heights ? heights[i] : lh) + 'px';
        frag.appendChild(d);
    }
    gutter.innerHTML = '';
    gutter.appendChild(frag);
    gutter.scrollTop = ta.scrollTop;
}

function _scheduleLineNumberUpdate() {
    clearTimeout(_lineNumTimer);
    _lineNumTimer = setTimeout(_updateLineNumbers, 80);
}

/* ============================================================
   TEXT EDITOR
   ============================================================ */
let _editorNode = null;
let _editorOriginal = '';

function openEditor(node, buf) {
    _editorNode = node;
    const raw = new TextDecoder().decode(buf);
    // Normalize line endings to \n to match what <textarea> returns
    const text = raw.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
    _editorOriginal = text;
    const ta = document.getElementById('editor-textarea');
    ta.value = text;
    document.getElementById('editor-title').textContent = node.name;
    // Word wrap toggle
    const wrapBtn = document.getElementById('btn-wordwrap');
    wrapBtn.classList.toggle('active', ta.classList.contains('word-wrap'));
    wrapBtn.onclick = () => {
        ta.classList.toggle('word-wrap');
        wrapBtn.classList.toggle('active', ta.classList.contains('word-wrap'));
        _updateLineNumbers();
    };
    ta.oninput = () => {
        document.getElementById('editor-meta-chars').textContent = ta.value.length + ' chars';
        document.getElementById('editor-meta-lines').textContent = ta.value.split('\n').length + ' lines';
        const mod = document.getElementById('editor-meta-modified');
        mod.style.display = ta.value !== _editorOriginal ? '' : 'none';
        _updateLineNumbers();
    };
    ta.oninput();
    ta.onscroll = () => {
        const gutter = document.getElementById('editor-line-numbers');
        if (gutter) gutter.scrollTop = ta.scrollTop;
    };
    // Custom context menu for text editor (works on desktop + mobile)
    ta.oncontextmenu = e => {
        e.preventDefault();
        const hasSel = ta.selectionStart !== ta.selectionEnd;
        const _undoIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M3 6l-2 2 2 2" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" stroke-linejoin="miter"/><path d="M1 8h9a4 4 0 000-8" stroke="currentColor" stroke-width="1.4"/></svg>';
        const _redoIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M13 6l2 2-2 2" stroke="currentColor" stroke-width="1.4" stroke-linecap="square" stroke-linejoin="miter"/><path d="M15 8H6a4 4 0 010-8" stroke="currentColor" stroke-width="1.4"/></svg>';
        const _selAllIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><rect x="2" y="2" width="12" height="12" rx="1" stroke="currentColor" stroke-width="1.4"/><path d="M5 8h6M5 5.5h6M5 10.5h4" stroke="currentColor" stroke-width="1.2" stroke-linecap="square"/></svg>';
        showCtxMenu(e.clientX || e.pageX, e.clientY || e.pageY, [
            { label: 'Undo', icon: _undoIcon, action: () => { ta.focus(); document.execCommand('undo'); if (ta.oninput) ta.oninput(); } },
            { label: 'Redo', icon: _redoIcon, action: () => { ta.focus(); document.execCommand('redo'); if (ta.oninput) ta.oninput(); } },
            { sep: true },
            { label: 'Cut', icon: Icons.cut, action: () => { ta.focus(); document.execCommand('cut'); if (ta.oninput) ta.oninput(); }, disabled: !hasSel },
            { label: 'Copy', icon: Icons.copy, action: () => { ta.focus(); document.execCommand('copy'); }, disabled: !hasSel },
            {
                label: 'Paste', icon: Icons.paste, action: async () => {
                    ta.focus();
                    try {
                        const txt = await navigator.clipboard.readText();
                        const ss = ta.selectionStart, se = ta.selectionEnd;
                        ta.setRangeText(txt, ss, se, 'end');
                        if (ta.oninput) ta.oninput();
                    } catch (_) { /* clipboard read may be blocked by browser */ }
                }
            },
            { sep: true },
            { label: 'Select All', icon: _selAllIcon, action: () => { ta.focus(); ta.select(); } }
        ]);
    };
    _updateLineNumbers();
    Overlay.show('modal-editor');
    setTimeout(() => { ta.focus(); _updateLineNumbers(); }, 100);
}

async function saveEditor() {
    if (!_editorNode || !App.key) return;

    const text = document.getElementById('editor-textarea').value;
    const buf = new TextEncoder().encode(text);
    // Container limit check: compare projected total against CONTAINER_LIMIT.
    // VFS.totalSize() still contains the old size for this node at this point.
    const _oldSize = _editorNode.size || 0;
    const _delta = buf.byteLength - _oldSize;
    if (_delta > 0 && VFS.totalSize() + _delta > CONTAINER_LIMIT) {
        toast(`Cannot save: container limit reached (${fmtSize(CONTAINER_LIMIT)})`, 'error');
        return;
    }
    const needed = buf.byteLength * 1.1;
    const spCheck = await checkStorageSpace(needed);
    if (!spCheck.ok) {
        toast(`Cannot save: not enough device storage (${fmtSize(spCheck.available)} free)`, 'error');
        return;
    }

    let saved = false;
    showLoading('Saving...');
    try {
        const { iv, blob } = await Crypto.encryptBin(App.key, buf.buffer);
        _editorNode.size = buf.byteLength;
        _editorNode.mtime = Date.now();
        VFS.add(_editorNode);
        await DB.saveFile({ id: _editorNode.id, cid: App.container.id, iv: Array.from(iv), blob });
        _editorOriginal = text;
        document.getElementById('editor-meta-modified').style.display = 'none';
        await saveVFS();
        Desktop._patchIcons();
        toast('File saved', 'success');
        logActivity('edit', _editorNode.name, 1, VFS.fullPath(_editorNode.id));
        _scheduleExportCacheRefresh();
        saved = true;
    } catch (e) { toast('Save failed: ' + e.message, 'error'); console.error(e); }
    hideLoading();
    return saved;
}

function _clearEditorMemory() {
    const ta = document.getElementById('editor-textarea');
    const gutter = document.getElementById('editor-line-numbers');
    if (ta) { ta.value = ''; ta.onscroll = null; }
    if (gutter) gutter.innerHTML = '';
    _editorOriginal = '';
}

function closeEditor() {
    const ta = document.getElementById('editor-textarea');
    const modified = ta.value !== _editorOriginal;
    if (modified) {
        const dlg = document.getElementById('editor-unsaved-dialog');
        dlg.style.display = 'flex';
        return;
    }
    Overlay.hide();
    _editorNode = null;
    _clearEditorMemory();
}

function discardEditor() {
    Overlay.hide();
    _editorNode = null;
    _clearEditorMemory();
}

async function saveAndCloseEditor() {
    const ok = await saveEditor();
    if (ok) { Overlay.hide(); _editorNode = null; _clearEditorMemory(); }
}

/* ============================================================
   FILE VIEWER
   ============================================================ */
let _viewerBlob = null;

function openViewer(node, buf, mime) {
    const content = document.getElementById('viewer-content');
    content.innerHTML = '';
    const blobObj = new Blob([buf], { type: mime }),
        url = URL.createObjectURL(blobObj);
    _viewerBlob = { url, node };

    document.getElementById('viewer-title').textContent = node.name;
    document.getElementById('btn-download-viewer').onclick = () => {
        const a = document.createElement('a'); a.href = url; a.download = node.name;
        document.body.appendChild(a); a.click(); a.remove();
    };

    if (isImage(mime)) {
        const img = document.createElement('img');
        img.src = url; img.style.cssText = 'max-width:100%;max-height:100%;object-fit:contain';
        content.appendChild(img);
    } else if (isAudio(mime)) {
        content.appendChild(_buildCustomPlayer(url, 'audio'));
    } else if (isVideo(mime)) {
        content.appendChild(_buildCustomPlayer(url, 'video'));
    } else if (isPDF(mime)) {
        const fr = document.createElement('iframe');
        fr.src = url; fr.style.cssText = 'width:100%;height:100%;border:none';
        content.appendChild(fr);
    }
    Overlay.show('modal-viewer');
}

/* ---- Custom media player builder ---- */
function _buildCustomPlayer(url, kind) {
    const wrap = document.createElement('div');
    wrap.className = 'twc-player' + (kind === 'audio' ? ' audio-only' : '');

    const media = document.createElement(kind === 'audio' ? 'audio' : 'video');
    media.src = url;
    media.preload = 'metadata';
    media.volume = 1;
    media.muted = false;
    if (kind !== 'audio') media.setAttribute('playsinline', '');

    if (kind === 'audio') {
        media.style.display = 'none';  // keep in DOM so closeViewer() can find and pause it
        wrap.appendChild(media);
        const vis = document.createElement('div');
        vis.className = 'audio-vis';
        vis.innerHTML = `<svg viewBox="0 0 64 64" fill="none" xmlns="http://www.w3.org/2000/svg">
      <path d="M10 44V20l20-10v44L10 44z" fill="currentColor" opacity=".3" stroke="currentColor" stroke-width="1.5" stroke-linejoin="round"/>
      <path d="M34 22c4 2 7 6 7 10s-3 8-7 10" stroke="currentColor" stroke-width="2" stroke-linecap="round"/>
      <path d="M38 16c6 3 10 10 10 16s-4 13-10 16" stroke="currentColor" stroke-width="2" stroke-linecap="round"/>
    </svg>`;
        wrap.appendChild(vis);
    } else {
        wrap.appendChild(media);
    }

    const controls = document.createElement('div');
    controls.className = 'player-controls';

    // Play/Pause
    const btnPlay = document.createElement('button');
    btnPlay.className = 'player-btn';
    const playIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M4 2l10 6-10 6z" fill="currentColor"/></svg>';
    const pauseIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><rect x="3" y="2" width="3.5" height="12" rx=".5" fill="currentColor"/><rect x="9.5" y="2" width="3.5" height="12" rx=".5" fill="currentColor"/></svg>';
    btnPlay.innerHTML = playIcon;
    btnPlay.addEventListener('click', () => { media.paused ? media.play() : media.pause(); });

    // Seek bar
    const seek = document.createElement('input');
    seek.type = 'range'; seek.className = 'player-seek'; seek.min = 0; seek.max = 100; seek.value = 0; seek.step = 0.1;

    // Time label
    const timeLabel = document.createElement('span');
    timeLabel.className = 'player-time';
    timeLabel.textContent = '0:00 / 0:00';

    function fmtTime(s) {
        if (!isFinite(s)) return '0:00';
        const m = Math.floor(s / 60), sec = Math.floor(s % 60);
        return m + ':' + (sec < 10 ? '0' : '') + sec;
    }

    media.addEventListener('loadedmetadata', () => {
        seek.max = media.duration || 100;
        timeLabel.textContent = fmtTime(0) + ' / ' + fmtTime(media.duration);
    });
    media.addEventListener('timeupdate', () => {
        seek.value = media.currentTime;
        timeLabel.textContent = fmtTime(media.currentTime) + ' / ' + fmtTime(media.duration);
    });
    media.addEventListener('play', () => { btnPlay.innerHTML = pauseIcon; });
    media.addEventListener('pause', () => { btnPlay.innerHTML = playIcon; });
    media.addEventListener('ended', () => { btnPlay.innerHTML = playIcon; });

    let _seeking = false;
    seek.addEventListener('mousedown', () => { _seeking = true; });
    seek.addEventListener('touchstart', () => { _seeking = true; }, { passive: true });
    seek.addEventListener('input', () => { if (_seeking) media.currentTime = seek.value; });
    seek.addEventListener('mouseup', () => { _seeking = false; media.currentTime = seek.value; });
    seek.addEventListener('touchend', () => { _seeking = false; media.currentTime = seek.value; });

    // Volume
    const btnVol = document.createElement('button');
    btnVol.className = 'player-btn';
    const volIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M2 6h3l4-3v10l-4-3H2z" fill="currentColor"/><path d="M12 4.5c1.3 1 2 2.3 2 3.5s-.7 2.5-2 3.5" stroke="currentColor" stroke-width="1.4" stroke-linecap="round"/></svg>';
    const muteIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M2 6h3l4-3v10l-4-3H2z" fill="currentColor"/><path d="M12 5l4 6M16 5l-4 6" stroke="currentColor" stroke-width="1.3" stroke-linecap="round"/></svg>';
    btnVol.innerHTML = volIcon;
    btnVol.addEventListener('click', () => {
        media.muted = !media.muted;
        btnVol.innerHTML = media.muted ? muteIcon : volIcon;
        vol.value = media.muted ? 0 : media.volume;
    });

    const vol = document.createElement('input');
    vol.type = 'range'; vol.className = 'player-vol'; vol.min = 0; vol.max = 1; vol.step = 0.01; vol.value = 1;
    vol.addEventListener('input', () => {
        media.volume = vol.value;
        media.muted = vol.value == 0;
        btnVol.innerHTML = media.muted ? muteIcon : volIcon;
    });

    controls.appendChild(btnPlay);
    controls.appendChild(seek);
    controls.appendChild(timeLabel);
    controls.appendChild(btnVol);
    controls.appendChild(vol);

    // Fullscreen button (video only)
    if (kind !== 'audio') {
        const btnFs = document.createElement('button');
        btnFs.className = 'player-btn';
        btnFs.title = 'Fullscreen (F)';
        const fsEnterIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M1 1h4M1 1v4M15 1h-4M15 1v4M1 15h4M1 15v-4M15 15h-4M15 15v-4" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/></svg>';
        const fsExitIcon = '<svg width="16" height="16" viewBox="0 0 16 16" fill="none"><path d="M5 1v4H1M11 1v4h4M5 15v-4H1M11 15v-4h4" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/></svg>';
        btnFs.innerHTML = fsEnterIcon;
        btnFs.addEventListener('click', () => {
            if (!document.fullscreenElement) wrap.requestFullscreen?.();
            else document.exitFullscreen?.();
        });
        const _onFsChange = () => { btnFs.innerHTML = document.fullscreenElement ? fsExitIcon : fsEnterIcon; };
        document.addEventListener('fullscreenchange', _onFsChange);
        wrap._cleanupFs = () => document.removeEventListener('fullscreenchange', _onFsChange);
        controls.appendChild(btnFs);

        // Click on video = play/pause; double-click = toggle fullscreen
        let _lastClick = 0;
        media.addEventListener('click', () => {
            const now = Date.now();
            if (now - _lastClick < 300) {
                // Double-click: toggle fullscreen
                if (!document.fullscreenElement) wrap.requestFullscreen?.();
                else document.exitFullscreen?.();
            } else {
                media.paused ? media.play() : media.pause();
            }
            _lastClick = now;
        });
    }

    // Keyboard shortcuts: Space = play/pause, ←/→ = ±5s, F = fullscreen, M = mute
    const _onKey = e => {
        if (!wrap.isConnected) return;
        const tag = e.target?.tagName;
        if (tag === 'INPUT' || tag === 'TEXTAREA' || tag === 'BUTTON') return;
        if (e.code === 'Space') { e.preventDefault(); media.paused ? media.play() : media.pause(); }
        if (e.code === 'ArrowLeft') { e.preventDefault(); media.currentTime = Math.max(0, media.currentTime - 5); }
        if (e.code === 'ArrowRight') { e.preventDefault(); media.currentTime = Math.min(media.duration || Infinity, media.currentTime + 5); }
        if (e.code === 'KeyF' && kind !== 'audio') {
            e.preventDefault();
            if (!document.fullscreenElement) wrap.requestFullscreen?.();
            else document.exitFullscreen?.();
        }
        if (e.code === 'KeyM') { e.preventDefault(); media.muted = !media.muted; btnVol.innerHTML = media.muted ? muteIcon : volIcon; vol.value = media.muted ? 0 : media.volume; }
    };
    document.addEventListener('keydown', _onKey);
    wrap._cleanupKeyboard = () => document.removeEventListener('keydown', _onKey);

    wrap.appendChild(controls);
    return wrap;
}

function closeViewer() {
    // Stop any playing media, cleanup event listeners
    const content = document.getElementById('viewer-content');
    content.querySelectorAll('audio, video').forEach(el => { el.pause(); el.src = ''; });
    content.querySelectorAll('.twc-player').forEach(p => { p._cleanupKeyboard?.(); p._cleanupFs?.(); });
    if (_viewerBlob) { URL.revokeObjectURL(_viewerBlob.url); _viewerBlob = null; }
    content.innerHTML = '';
    Overlay.hide();
}

/* ============================================================
   CLIPBOARD VISUAL / CUT FEEDBACK
   ============================================================ */
function _applyCutStyles() {
    document.querySelectorAll('.file-item.cut-item').forEach(el => el.classList.remove('cut-item'));
    if (App.clipboard?.op === 'cut') {
        App.clipboard.ids.forEach(id => {
            document.querySelectorAll(`.file-item[data-id="${id}"]`).forEach(el => el.classList.add('cut-item'));
        });
    }
}

function cancelClipboard() {
    App.clipboard = null;
    _applyCutStyles();
}

/* ============================================================
   ZIP EXPORT  (pure JS, no compression — stored only)
   ============================================================ */
function _escXml(s) {
    return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function _readZip(buffer) {
    const view = new DataView(buffer);
    const u8 = new Uint8Array(buffer);
    const size = buffer.byteLength;
    let eocdOffset = -1;
    for (let i = size - 22; i >= Math.max(0, size - 65558); i--) {
        if (view.getUint32(i, true) === 0x06054b50) { eocdOffset = i; break; }
    }
    if (eocdOffset < 0) throw new Error('Not a valid ZIP file');
    const cdCount = view.getUint16(eocdOffset + 8, true),
        cdOffset = view.getUint32(eocdOffset + 16, true),
        dec = new TextDecoder('utf-8'),
        entries = {};
    let pos = cdOffset;
    for (let i = 0; i < cdCount; i++) {
        if (view.getUint32(pos, true) !== 0x02014b50) break;
        const fnLen = view.getUint16(pos + 28, true),
            exLen = view.getUint16(pos + 30, true),
            cmLen = view.getUint16(pos + 32, true),
            lhOff = view.getUint32(pos + 42, true),
            fn = dec.decode(u8.subarray(pos + 46, pos + 46 + fnLen)),
            lhFnLen = view.getUint16(lhOff + 26, true),
            lhExLen = view.getUint16(lhOff + 28, true),
            dataOff = lhOff + 30 + lhFnLen + lhExLen,
            dataLen = view.getUint32(lhOff + 22, true);
        entries[fn] = u8.slice(dataOff, dataOff + dataLen);
        pos += 46 + fnLen + exLen + cmLen;
    }
    return entries;
}
async function _readZipFromFile(file) {
    const size = file.size;
    // Read EOCD from the tail (last 65 KB is sufficient)
    const tailSize = Math.min(65558, size);
    const tailBuf = await file.slice(size - tailSize, size).arrayBuffer();
    const tailView = new DataView(tailBuf);
    let eocdOffset = -1;
    for (let i = tailBuf.byteLength - 22; i >= 0; i--) {
        if (tailView.getUint32(i, true) === 0x06054b50) { eocdOffset = i; break; }
    }
    if (eocdOffset < 0) throw new Error('Not a valid ZIP file');
    const cdCount = tailView.getUint16(eocdOffset + 8, true),
        cdSize = tailView.getUint32(eocdOffset + 12, true),
        cdOffset = tailView.getUint32(eocdOffset + 16, true);
    // Read central directory
    const cdBuf = await file.slice(cdOffset, cdOffset + cdSize).arrayBuffer();
    const cdView = new DataView(cdBuf);
    const cdU8 = new Uint8Array(cdBuf);
    const dec = new TextDecoder('utf-8');
    const infos = [];
    let pos = 0;
    for (let i = 0; i < cdCount; i++) {
        if (cdView.getUint32(pos, true) !== 0x02014b50) break;
        const fnLen = cdView.getUint16(pos + 28, true),
            exLen = cdView.getUint16(pos + 30, true),
            cmLen = cdView.getUint16(pos + 32, true),
            compSize = cdView.getUint32(pos + 20, true),
            lhOff = cdView.getUint32(pos + 42, true),
            fn = dec.decode(cdU8.subarray(pos + 46, pos + 46 + fnLen));
        infos.push({ name: fn, lhOff, compSize });
        pos += 46 + fnLen + exLen + cmLen;
    }
    // Read each entry: small ones into Uint8Array, workspace.bin as Blob (no full-file RAM load)
    const entries = {};
    for (const info of infos) {
        const lhBuf = await file.slice(info.lhOff, info.lhOff + 30).arrayBuffer();
        const lhView = new DataView(lhBuf);
        const lhFnLen = lhView.getUint16(26, true),
            lhExLen = lhView.getUint16(28, true);
        const dataOff = info.lhOff + 30 + lhFnLen + lhExLen;
        if (info.name === 'safenova_efs/workspace.bin') {
            entries[info.name] = file.slice(dataOff, dataOff + info.compSize);
        } else {
            const buf = await file.slice(dataOff, dataOff + info.compSize).arrayBuffer();
            entries[info.name] = new Uint8Array(buf);
        }
    }
    return entries;
}
function _crc32(data) {
    if (!_crc32._t) {
        const t = new Uint32Array(256);
        for (let n = 0; n < 256; n++) {
            let c = n;
            for (let k = 0; k < 8; k++) c = (c & 1) ? 0xEDB88320 ^ (c >>> 1) : (c >>> 1);
            t[n] = c;
        }
        _crc32._t = t;
    }
    const table = _crc32._t;
    let crc = 0xFFFFFFFF;
    for (let i = 0; i < data.length; i++) crc = table[(crc ^ data[i]) & 0xFF] ^ (crc >>> 8);
    return (crc ^ 0xFFFFFFFF) >>> 0;
}
// Incremental CRC32 over multiple chunks (avoids concatenating large buffers)
function _crc32multi(chunks) {
    if (!_crc32._t) _crc32(new Uint8Array(0));
    const table = _crc32._t;
    let crc = 0xFFFFFFFF;
    for (const chunk of chunks)
        for (let i = 0; i < chunk.length; i++) crc = table[(crc ^ chunk[i]) & 0xFF] ^ (crc >>> 8);
    return (crc ^ 0xFFFFFFFF) >>> 0;
}

function _buildZip(entries) {
    // entries: [ { name: string, data: Uint8Array|Uint8Array[], mtime?: number } ]
    // Returns an array of Uint8Array parts (Blob-friendly, no single giant allocation)
    const enc = new TextEncoder();
    const parts = [], centralDir = [];
    let offset = 0;

    function dosDT(ts) {
        const d = new Date(ts || Date.now());
        return {
            t: ((d.getHours() << 11) | (d.getMinutes() << 5) | Math.floor(d.getSeconds() / 2)),
            d: (((d.getFullYear() - 1980) << 9) | ((d.getMonth() + 1) << 5) | d.getDate())
        };
    }

    for (const entry of entries) {
        const nm = enc.encode(entry.name);
        const chunks = Array.isArray(entry.data) ? entry.data
            : [entry.data instanceof Uint8Array ? entry.data : new Uint8Array(entry.data)];
        const crc = chunks.length === 1 ? _crc32(chunks[0]) : _crc32multi(chunks);
        let sz = 0;
        for (const ch of chunks) sz += ch.length;
        const { t: mt, d: md } = dosDT(entry.mtime);

        const lh = new Uint8Array(30 + nm.length);
        const lv = new DataView(lh.buffer);
        lv.setUint32(0, 0x04034b50, true); lv.setUint16(4, 20, true);
        lv.setUint16(6, 0x0800, true); lv.setUint16(8, 0, true);  // 0x0800 = UTF-8 filename flag
        lv.setUint16(10, mt, true); lv.setUint16(12, md, true);
        lv.setUint32(14, crc, true); lv.setUint32(18, sz, true);
        lv.setUint32(22, sz, true); lv.setUint16(26, nm.length, true);
        lv.setUint16(28, 0, true); lh.set(nm, 30);
        parts.push(lh);
        for (const ch of chunks) parts.push(ch);

        const cd = new Uint8Array(46 + nm.length);
        const cv = new DataView(cd.buffer);
        cv.setUint32(0, 0x02014b50, true); cv.setUint16(4, 20, true); cv.setUint16(6, 20, true);
        cv.setUint16(8, 0x0800, true); cv.setUint16(10, 0, true);  // 0x0800 = UTF-8 filename flag
        cv.setUint16(12, mt, true); cv.setUint16(14, md, true);
        cv.setUint32(16, crc, true); cv.setUint32(20, sz, true); cv.setUint32(24, sz, true);
        cv.setUint16(28, nm.length, true); cv.setUint16(30, 0, true); cv.setUint16(32, 0, true);
        cv.setUint16(34, 0, true); cv.setUint16(36, 0, true); cv.setUint32(38, 0, true);
        cv.setUint32(42, offset, true); cd.set(nm, 46);
        centralDir.push(cd);

        offset += 30 + nm.length + sz;
    }

    const cdSz = centralDir.reduce((s, a) => s + a.length, 0);
    for (const cd of centralDir) parts.push(cd);
    const eocd = new Uint8Array(22);
    const ev = new DataView(eocd.buffer);
    ev.setUint32(0, 0x06054b50, true); ev.setUint16(4, 0, true); ev.setUint16(6, 0, true);
    ev.setUint16(8, entries.length, true); ev.setUint16(10, entries.length, true);
    ev.setUint32(12, cdSz, true); ev.setUint32(16, offset, true); ev.setUint16(20, 0, true);
    parts.push(eocd);
    return parts;
}

async function exportAsZip(nodeIds, zipName) {
    if (!App.key || !App.container) return;
    if (!zipName) {
        zipName = nodeIds.length === 1
            ? (VFS.node(nodeIds[0])?.name?.replace(/\.[^.]+$/, '') || 'export') + '.zip'
            : 'export.zip';
    }
    showLoading('Preparing ZIP…');
    try {
        const entries = [], _zipSeen = new Set(), _flat = [];
        function _collectFlat(nodeId, prefix, _depth = 0) {
            if (_zipSeen.has(nodeId) || _depth > 64) return;
            _zipSeen.add(nodeId);
            const n = VFS.node(nodeId); if (!n) return;
            if (n.type === 'folder') {
                for (const c of VFS.children(nodeId)) _collectFlat(c.id, prefix + n.name + '/', _depth + 1);
            } else {
                _flat.push({ id: nodeId, name: prefix + n.name, mtime: n.mtime || n.ctime });
            }
        }
        for (const id of nodeIds) _collectFlat(id, '');
        // Fetch all file records in one IDB transaction, then decrypt fully in parallel
        const fileMap = await DB.getFilesByIds(_flat.map(f => f.id));
        const decResults = await Promise.allSettled(_flat.map(async item => {
            const rec = fileMap.get(item.id); if (!rec) return null;
            const buf = await Crypto.decryptBin(App.key, rec.iv, rec.blob);
            return { name: item.name, data: new Uint8Array(buf), mtime: item.mtime };
        }));
        decResults.forEach(r => { if (r.status === 'fulfilled' && r.value) entries.push(r.value); });
        if (!entries.length) { toast('Nothing to export', 'warn'); hideLoading(); return; }
        const zipParts = _buildZip(entries);
        downloadBuf(zipParts, zipName, 'application/zip');
        toast(`Exported ${entries.length} file${entries.length !== 1 ? 's' : ''} as ZIP`, 'success');
        logActivity('export-zip', nodeIds.length === 1 ? (VFS.node(nodeIds[0])?.name ?? entries[0]?.name ?? '1 file') : `${entries.length} files`, entries.length, nodeIds.length === 1 ? VFS.fullPath(nodeIds[0]) : null);
    } catch (e) { toast('ZIP export failed: ' + e.message, 'error'); console.error(e); }
    hideLoading();
}

/* ============================================================
   CONTAINER IMPORT / EXPORT
   ============================================================ */

// _buf2b64Safe removed — buf2b64 is now chunked and equivalent

/** Brute-force attempt tracker for export password prompts */
const _expFailCounts = new Map();

/** Prompt for password to derive the container key before exporting a locked container */
function _askExportPassword(c) {
    return new Promise(resolve => {
        const expKey = 'exp:' + c.id;
        const errEl = document.getElementById('exp-error');
        const btnOk = document.getElementById('exp-ok');
        document.getElementById('exp-cont-name').textContent = c.name;
        document.getElementById('exp-pw').value = '';
        errEl.innerHTML = '';
        errEl.style.color = '';
        btnOk.disabled = false;

        const prevFails = _expFailCounts.get(expKey);
        if (prevFails?.lockUntil > Date.now()) {
            _startAttemptCooldown(errEl, btnOk, () => { if (prevFails) prevFails.lockUntil = 0; });
        }

        Overlay.show('modal-export-pw');
        setTimeout(() => document.getElementById('exp-pw').focus(), 100);

        const cleanup = () => {
            Overlay.hide();
            btnOk.onclick = null;
            document.getElementById('exp-cancel').onclick = null;
            document.getElementById('exp-close').onclick = null;
            document.getElementById('exp-pw').onkeydown = null;
        };

        const doExport = async () => {
            const fails = _expFailCounts.get(expKey) || { count: 0, lockUntil: 0 };
            if (fails.lockUntil > Date.now()) return;
            const pw = document.getElementById('exp-pw').value;
            if (!pw) { errEl.innerHTML = _ERR_SVG + ' Enter password'; return; }
            errEl.innerHTML = '';
            btnOk.disabled = true;
            try {
                const key = await Crypto.deriveKey(pw, new Uint8Array(c.salt)),
                    ok = await Crypto.checkVerification(key, c.verIv, c.verBlob);
                if (!ok) {
                    // Duress check — silently corrupts data, then falls through to "wrong password"
                    if (await checkDuress(pw, c)) await _executeDuress(c);
                    fails.count++;
                    _expFailCounts.set(expKey, fails);
                    if (fails.count > 3) {
                        fails.lockUntil = Date.now() + 3000;
                        _startAttemptCooldown(errEl, btnOk, () => { fails.lockUntil = 0; });
                    } else {
                        errEl.innerHTML = _ERR_SVG + ' Incorrect password';
                        btnOk.disabled = false;
                    }
                    return;
                }
                _expFailCounts.delete(expKey);
                cleanup();
                resolve(key);
            } catch (e) {
                errEl.textContent = 'Error: ' + e.message;
                btnOk.disabled = false;
            }
        };

        btnOk.onclick = doExport;
        document.getElementById('exp-cancel').onclick = () => { cleanup(); resolve(null); };
        document.getElementById('exp-close').onclick = () => { cleanup(); resolve(null); };
        document.getElementById('exp-pw').onkeydown = e => { if (e.key === 'Enter') doExport(); };
    });
}

/* ── Binary ↔ base64 helpers: chunked to avoid spread stack-overflow on large buffers ── */
function _u8ToB64(u8) {
    let s = '';
    for (let i = 0; i < u8.length; i += 8192)
        s += String.fromCharCode.apply(null, u8.subarray(i, i + 8192));
    return btoa(s);
}
function _b64ToU8(b64) {
    const s = atob(b64), u8 = new Uint8Array(s.length);
    for (let i = 0; i < s.length; i++) u8[i] = s.charCodeAt(i);
    return u8;
}

/* ── Export-cache key: HKDF-SHA-256 from container salt (browser-independent, no extra storage) ── */
async function _deriveExportCacheKey(salt) {
    const raw = salt instanceof Uint8Array ? salt : new Uint8Array(salt);
    const hkdf = await crypto.subtle.importKey('raw', raw, 'HKDF', false, ['deriveKey']);
    return crypto.subtle.deriveKey(
        { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: new TextEncoder().encode('snv-export-cache-v1') },
        hkdf, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']
    );
}
async function _wrapExportCache(salt, data) {
    const key = await _deriveExportCacheKey(salt),
        iv = crypto.getRandomValues(new Uint8Array(12)),
        ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, data),
        out = new Uint8Array(12 + ct.byteLength);
    out.set(iv); out.set(new Uint8Array(ct), 12);
    return out;
}
async function _unwrapExportCache(salt, data) {
    const key = await _deriveExportCacheKey(salt),
        iv = data.slice(0, 12), ct = data.slice(12);
    return new Uint8Array(await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct));
}

/* ── Pre-generate encrypted manifest for passwordless export ──
   generateNow=true  — bypasses the saved-settings check (toggle just switched).
   silent=true       — no loading overlay; fire-and-forget from file operations.
   Returns true on success, false on failure. */
async function _updateExportCache(generateNow = false, silent = false) {
    if (!App.container || !App.key) return false;
    const shouldGenerate = generateNow || (App.container.settings || {}).requireExportPassword === false;
    if (!shouldGenerate) {
        // password is (or will be) required — clear any stale cache
        if (App.container._exportCache) {
            delete App.container._exportCache;
            await DB.saveContainer(App.container);
        }
        return true;
    }
    const _setMsg = msg => { if (!silent) document.getElementById('loading-msg').textContent = msg; };
    if (!silent) showLoading('Generating export cache database…');
    try {
        _setMsg('Export cache: reading file list…');
        const meta = await DB.getFileMetaByCid(App.container.id);
        let entries = meta;
        if (meta.some(m => m.sz < 0)) {
            _setMsg('Export cache: loading file data…');
            const recs = await DB.getFilesByCid(App.container.id);
            entries = recs.map(r => ({
                id: r.id, iv: r.iv,
                sz: r.blob instanceof ArrayBuffer ? r.blob.byteLength : (r.blob?.byteLength || 0)
            }));
        }
        _setMsg(`Export cache: building manifest (${entries.length} file${entries.length === 1 ? '' : 's'})…`);
        const order = [], manifest = [];
        let offset = 0;
        for (let _i = 0; _i < entries.length; _i += 500) {
            for (let _j = _i, _end = Math.min(_i + 500, entries.length); _j < _end; _j++) {
                const m = entries[_j];
                const ivArr = m.iv instanceof Array ? m.iv : Array.from(new Uint8Array(m.iv));
                order.push({ id: m.id, sz: m.sz });
                manifest.push({ id: m.id, ivB64: btoa(String.fromCharCode(...ivArr)), offset, size: m.sz });
                offset += m.sz;
            }
            if (_i + 500 < entries.length) await new Promise(r => setTimeout(r, 0));
        }
        _setMsg('Export cache: encrypting manifest…');
        await new Promise(r => setTimeout(r, 0));
        const enc = await Crypto.encryptBin(App.key, new TextEncoder().encode(JSON.stringify(manifest)));
        _setMsg('Export cache: saving to database…');
        await new Promise(r => setTimeout(r, 0));
        const cacheJson = new TextEncoder().encode(JSON.stringify({
            mIv: enc.iv,
            mBlob: _u8ToB64(new Uint8Array(enc.blob)),
            order
        }));
        const wrapped = await _wrapExportCache(App.container.salt, cacheJson);
        App.container._exportCache = { wrapped: _u8ToB64(wrapped) };
        await DB.saveContainer(App.container);
        return true;
    } catch (e) {
        console.error('[SafeNova] Export cache generation failed:', e);
        // Clean up any partial cache that may have been written before the failure
        if (App.container._exportCache) {
            delete App.container._exportCache;
            try { await DB.saveContainer(App.container); } catch { /* non-critical */ }
        }
        return false;
    } finally {
        if (!silent) hideLoading();
    }
}

/* ── Schedule a silent cache refresh after a file operation, only when the
   passwordless-export setting is active. Fire-and-forget; never throws. ── */
function _scheduleExportCacheRefresh() {
    if ((App.container?.settings || {}).requireExportPassword !== false) return;
    _updateExportCache(false, true).catch(() => { });
}

/* ── Remove orphaned export cache: cache stored in IDB but setting was never
   saved (e.g. app crashed mid-generation). Called on every container open. ── */
async function _cleanOrphanedExportCache() {
    if (!App.container) return;
    if ((App.container.settings || {}).requireExportPassword !== false && App.container._exportCache) {
        delete App.container._exportCache;
        try { await DB.saveContainer(App.container); } catch { /* non-critical */ }
    }
}

async function exportContainerFile(c, requirePassword = true) {
    showLoading('Exporting container…');
    try {
        const vfsRec = await DB.getVFS(c.id);
        let fileRecs = await DB.getFilesByCid(c.id);
        const now = Date.now();

        let key = (App.container?.id === c.id) ? App.key : null,
            encManifestIv, encManifestBlob, usedCache = false;

        // If the extra-confirmation setting is off, silently try the saved session
        if (!requirePassword && !key) {
            const rawKeyBytes = await loadSession(c.id);
            if (rawKeyBytes) {
                try {
                    const sk = await Crypto.importRawKey(rawKeyBytes);
                    if (await Crypto.checkVerification(sk, c.verIv, c.verBlob)) key = sk;
                } catch { /* corrupt session — will prompt below */ }
            }
        }

        // Try pre-generated export cache (no key/session needed)
        if (!requirePassword && !key && c._exportCache?.wrapped) {
            try {
                const plainBytes = await _unwrapExportCache(c.salt,
                    typeof c._exportCache.wrapped === 'string' ? _b64ToU8(c._exportCache.wrapped) : new Uint8Array(c._exportCache.wrapped));
                const cache = JSON.parse(new TextDecoder().decode(plainBytes));
                const fileMap = new Map(fileRecs.map(r => [r.id, r]));
                let valid = cache.order.length === fileRecs.length;
                if (valid) {
                    for (const o of cache.order) {
                        const rec = fileMap.get(o.id);
                        if (!rec) { valid = false; break; }
                        const sz = rec.blob instanceof ArrayBuffer ? rec.blob.byteLength : (rec.blob?.byteLength || 0);
                        if (sz !== o.sz) { valid = false; break; }
                    }
                }
                if (valid) {
                    fileRecs = cache.order.map(o => fileMap.get(o.id));
                    encManifestIv = new Uint8Array(cache.mIv);
                    encManifestBlob = typeof cache.mBlob === 'string' ? _b64ToU8(cache.mBlob) : new Uint8Array(cache.mBlob);
                    usedCache = true;
                }
            } catch { /* fingerprint changed or cache corrupted — fall through to password prompt */ }
        }

        if (!usedCache && !key) {
            hideLoading();
            key = await _askExportPassword(c);
            if (!key) return;
            showLoading('Exporting container…');
        }

        // Build file data — keep blobs as individual chunks (no giant single allocation)
        const fileChunks = fileRecs.map(f => new Uint8Array(f.blob instanceof ArrayBuffer ? f.blob : f.blob));

        if (!usedCache) {
            let offset = 0;
            const fileManifest = fileRecs.map((f, fi) => {
                const ivArr = f.iv instanceof Array ? f.iv : Array.from(new Uint8Array(f.iv));
                const ivB64 = btoa(String.fromCharCode(...ivArr));
                const entry = { id: f.id, ivB64, offset, size: fileChunks[fi].length };
                offset += fileChunks[fi].length;
                return entry;
            });
            const encManifest = await Crypto.encryptBin(key, new TextEncoder().encode(JSON.stringify(fileManifest)));
            encManifestIv = new Uint8Array(encManifest.iv);
            encManifestBlob = new Uint8Array(encManifest.blob);
        }

        // Rebuild export cache in IDB if setting is off but cache was absent (e.g. after password-prompted export)
        if (c.settings?.requireExportPassword === false && !usedCache && key) {
            try {
                const order = fileRecs.map((f, fi) => ({ id: f.id, sz: fileChunks[fi].length }));
                const cacheJson = new TextEncoder().encode(JSON.stringify({
                    mIv: Array.from(encManifestIv),
                    mBlob: _u8ToB64(encManifestBlob),
                    order
                }));
                const wrapped = await _wrapExportCache(c.salt, cacheJson);
                c._exportCache = { wrapped: _u8ToB64(wrapped) };
                DB.saveContainer(c).catch(() => { }); // async — non-critical
            } catch { /* non-critical — cache rebuilt on next lock */ }
        }

        // VFS bytes → meta/0 (iv raw), meta/1 (blob raw)
        const vfsIvData = vfsRec ? new Uint8Array(vfsRec.iv) : new Uint8Array(0),
            vfsBlobData = vfsRec ? new Uint8Array(typeof vfsRec.blob === 'string' ? b642buf(vfsRec.blob) : vfsRec.blob) : new Uint8Array(0);

        // container.xml — file manifest is encrypted, no <files> in plaintext
        const saltB64 = btoa(String.fromCharCode(...new Uint8Array(c.salt))),
            verIvB64 = btoa(String.fromCharCode(...new Uint8Array(c.verIv)));
        const settingsToExport = { ...SETTINGS_DEFAULTS, ...(c.settings || {}) };
        const xmlLines = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            `<safenova version="3" exportedAt="${now}">`,
            '  <container>',
            `    <name>${_escXml(c.name)}</name>`,
            `    <createdAt>${c.createdAt}</createdAt>`,
            `    <salt>${saltB64}</salt>`,
            `    <verIv>${verIvB64}</verIv>`,
            `    <verBlob>${c.verBlob}</verBlob>`,
            `    <totalSize>${c.totalSize || 0}</totalSize>`,
            '  </container>',
            '  <settings>',
            ...Object.entries(settingsToExport).map(([k, v]) => `    <${k}>${_escXml(String(v))}</${k}>`),
            '  </settings>',
            '  <files encrypted="true"/>',
            '</safenova>',
        ];
        const xmlData = new TextEncoder().encode(xmlLines.join('\n'));

        const entries = [
            { name: 'container.xml', data: xmlData, mtime: now },
            { name: 'meta/0', data: vfsIvData, mtime: now },
            { name: 'meta/1', data: vfsBlobData, mtime: now },
            { name: 'meta/2', data: encManifestIv, mtime: now },
            { name: 'meta/3', data: encManifestBlob, mtime: now },
            { name: 'safenova_efs/workspace.bin', data: fileChunks, mtime: now },
        ];

        // Optionally include activity log (encrypted)
        if (c.settings?.exportWithLogs === true) {
            let alogEnc;
            if (App.container?.id === c.id && typeof _activityLog !== 'undefined' && _activityLog.length) {
                const compressed = await _compressLog(_activityLog);
                alogEnc = await Crypto.encrypt(App.key, compressed);
            } else if (c._alogZ && c._alogZ.iv && c._alogZ.blob) {
                alogEnc = c._alogZ;
            }
            if (alogEnc) {
                const alogBytes = new TextEncoder().encode(JSON.stringify(alogEnc));
                entries.push({ name: 'meta/activity_logs/0', data: alogBytes, mtime: now });
            }
        }
        const zipParts = _buildZip(entries);
        const dateStr = new Date(now).toISOString().slice(0, 10);
        downloadBuf(zipParts, `SafeNova_${c.name}_${dateStr}.safenova`, 'application/octet-stream');
        toast(`Container "${c.name}" exported`, 'success');
        logActivity('export-container', c.name);
    } catch (e) { toast('Export failed: ' + e.message, 'error'); console.error(e); }
    hideLoading();
}

async function importContainerFile(file) {
    if (!file) return;
    const MAX_IMPORT_SIZE = CONTAINER_LIMIT; // matches per-container 8 GB limit
    if (file.size > MAX_IMPORT_SIZE) {
        toast(`Import file too large (max ${fmtSize(MAX_IMPORT_SIZE)})`, 'error');
        return;
    }
    showLoading('Importing container…');
    try {
        const headerBuf = await file.slice(0, 2).arrayBuffer(),
            u8first = new Uint8Array(headerBuf),
            isZip = u8first[0] === 0x50 && u8first[1] === 0x4B;

        if (isZip) {
            const entries = await _readZipFromFile(file);
            if (!entries['container.xml'] || !entries['meta/0'] || !entries['meta/1'] || !entries['safenova_efs/workspace.bin'])
                throw new Error('Invalid SafeNova file: missing required entries');

            const xmlText = new TextDecoder('utf-8').decode(entries['container.xml']),
                doc = new DOMParser().parseFromString(xmlText, 'text/xml');
            const getText = (parent, sel) => { const el = parent.querySelector(sel); return el ? el.textContent.trim() : null; };

            const nameRaw = getText(doc, 'container > name'),
                createdAt = parseInt(getText(doc, 'container > createdAt') || '0', 10),
                saltB64 = getText(doc, 'container > salt'),
                verIvB64 = getText(doc, 'container > verIv'),
                verBlob = getText(doc, 'container > verBlob'),
                totalSize = parseInt(getText(doc, 'container > totalSize') || '0', 10);

            if (!nameRaw || !saltB64 || !verIvB64 || !verBlob)
                throw new Error('Invalid container.xml: missing required fields');

            // Parse settings block if present
            const settingsEl = doc.querySelector('settings');
            let importedSettings;
            if (settingsEl) {
                importedSettings = {};
                Array.from(settingsEl.children).forEach(el => {
                    const v = el.textContent.trim();
                    importedSettings[el.tagName] = v === 'true' ? true : v === 'false' ? false : v;
                });
            }

            const salt = Array.from(Uint8Array.from(atob(saltB64), ch => ch.charCodeAt(0))),
                verIv = Array.from(Uint8Array.from(atob(verIvB64), ch => ch.charCodeAt(0)));

            if (entries['meta/2'] && entries['meta/3']) {
                // v3: import without password — encrypted workspace stored as-is, expanded on first unlock
                const existing2 = await DB.getContainers();
                let name = nameRaw, suffix = 2;
                while (existing2.find(x => x.name.toLowerCase() === name.toLowerCase()))
                    name = nameRaw + ' (' + suffix++ + ')';

                const newCid = uid();
                const cObj = {
                    id: newCid, name, createdAt, salt, verIv, verBlob, totalSize,
                    settings: importedSettings || undefined,
                    lazyWorkspace: {
                        bin: entries['safenova_efs/workspace.bin'],
                        mIv: entries['meta/2'],
                        mBlob: entries['meta/3'],
                    }
                };
                // Restore encrypted activity log (if present)
                if (entries['meta/activity_logs/0']) {
                    try { cObj._alogZ = JSON.parse(new TextDecoder().decode(entries['meta/activity_logs/0'])); } catch { }
                } else if (entries['meta/activity_log.zlib']) {
                    // Legacy: plain compressed bytes — store raw, will be encrypted on first flush
                    cObj._alogZ = entries['meta/activity_log.zlib'];
                }
                await DB.saveContainer(cObj);
                await DB.saveVFS(newCid, Array.from(entries['meta/0']), entries['meta/1'].buffer);
                hideLoading();
                toast(`Container "${name}" imported`, 'success');
                await Home.render();
                _highlightCard(newCid);
                return;
            }

            throw new Error('Unsupported container format. Only SafeNova v3 (.safenova) exports are supported.');

        } else {
            throw new Error('Unsupported file format. Please use a .safenova export.');
        }
    } catch (e) {
        hideLoading();
        toast('Import failed: ' + e.message, 'error');
        console.error(e);
    }
}

/* ============================================================
   THUMBNAIL GENERATION  (async, cached)
   ============================================================ */
async function generateThumb(node) {
    if (!App.key || !App.container) return null;
    try {
        const rec = await DB.getFile(node.id); if (!rec) return null;
        const buf = await Crypto.decryptBin(App.key, rec.iv, rec.blob);
        const mime = node.mime || getMime(node.name);
        if (!isImage(mime)) return null;

        const blob = new Blob([buf], { type: mime }),
            url = URL.createObjectURL(blob);
        return new Promise(res => {
            const img = new Image();
            img.onload = () => {
                const canvas = document.createElement('canvas');
                canvas.width = canvas.height = 56;
                const ctx = canvas.getContext('2d');
                const scale = Math.min(56 / img.width, 56 / img.height),
                    w = img.width * scale,
                    h = img.height * scale;
                ctx.fillStyle = '#2d2d30'; ctx.fillRect(0, 0, 56, 56);
                ctx.drawImage(img, (56 - w) / 2, (56 - h) / 2, w, h);
                URL.revokeObjectURL(url);
                res(canvas.toDataURL('image/jpeg', 0.75));
            };
            img.onerror = () => { URL.revokeObjectURL(url); res(null); };
            img.src = url;
        });
    } catch { return null; }
}


================================================
FILE: src/js/home.js
================================================
'use strict';

/* ============================================================
   HOME VIEW
   ============================================================ */

function _loadCardOrder() {
    try { return JSON.parse(localStorage.getItem('snv-card-order') || '[]'); } catch { return []; }
}
function _saveCardOrder(ids) {
    localStorage.setItem('snv-card-order', JSON.stringify(ids));
}
function _highlightCard(cid) {
    const card = document.querySelector(`.container-card[data-id="${CSS.escape(cid)}"]`);
    if (!card) return;
    card.scrollIntoView({ behavior: 'smooth', block: 'nearest' });
    requestAnimationFrame(() => {
        card.classList.add('highlight');
        card.addEventListener('animationend', () => card.classList.remove('highlight'), { once: true });
    });
}

const Home = {
    async render() {
        InitLog.step('Home.render');
        const grid = document.getElementById('container-grid'),
            empty = document.getElementById('container-empty'),
            containers = await DB.getContainers();

        grid.querySelectorAll('.container-card').forEach(c => c.remove());

        if (containers.length === 0) {
            empty.style.display = 'flex';
        } else {
            empty.style.display = 'none';
            // Re-validate stored sessions: clear stale/expired ones before rendering badges
            for (const c of containers) {
                if (hasSession(c.id)) await loadSession(c.id);
            }
            const savedOrder = _loadCardOrder();
            containers.sort((a, b) => {
                const ia = savedOrder.indexOf(a.id), ib = savedOrder.indexOf(b.id);
                if (ia === -1 && ib === -1) return b.createdAt - a.createdAt;
                if (ia === -1) return 1;
                if (ib === -1) return -1;
                return ia - ib;
            });
            containers.forEach(c => grid.appendChild(this._makeCard(c)));
        }
        await updateStorageInfo();

        // ---- Persistent visibility: warning box (only when 1+ container exists) ----
        const warnBox = document.getElementById('home-warning-box'),
            dismissBtn = document.getElementById('warning-dismiss');
        if (warnBox) {
            const shouldShow = containers.length > 0 && localStorage.getItem('snv-warn-hide') !== '1';
            warnBox.classList.toggle('hidden', !shouldShow);
            if (dismissBtn) {
                dismissBtn.onclick = () => {
                    warnBox.classList.add('hidden');
                    localStorage.setItem('snv-warn-hide', '1');
                };
            }
        }

        // ---- Persistent visibility: doc block ----
        const docEl = document.getElementById('home-doc'),
            docTab = document.getElementById('home-doc-tab'),
            collapseBtn = document.getElementById('home-doc-collapse');
        const _applyDoc = (hidden) => {
            if (!docEl || !docTab) return;
            docEl.classList.toggle('collapsed', hidden);
            docTab.classList.toggle('visible', hidden);
        };
        // Disable transition during initial render to avoid animating on page load
        if (docEl) docEl.style.transition = 'none';
        _applyDoc(localStorage.getItem('snv-doc-hide') === '1');
        // Remove the pre-hide html class now that the correct class is set
        document.documentElement.classList.remove('snv-doc-hidden');
        // Re-enable transitions after layout settles
        if (docEl) requestAnimationFrame(() => { docEl.style.transition = ''; });
        if (collapseBtn) {
            collapseBtn.onclick = () => {
                localStorage.setItem('snv-doc-hide', '1');
                _applyDoc(true);
            };
        }
        if (docTab) {
            docTab.onclick = () => {
                localStorage.setItem('snv-doc-hide', '0');
                _applyDoc(false);
            };
        }
        InitLog.done('Home.render', containers.length + ' container(s)');
    },

    _makeCard(c) {
        const pct = Math.min((c.totalSize || 0) / CONTAINER_LIMIT * 100, 100),
            fill = pct > 90 ? 'danger' : pct > 70 ? 'warn' : '',
            hasSess = hasSession(c.id),
            card = document.createElement('div');
        card.className = 'container-card';
        card.dataset.id = c.id;
        card.innerHTML = `
      <div class="container-drag-handle" title="Drag to reorder">
        <svg width="10" height="14" viewBox="0 0 10 14" fill="none" xmlns="http://www.w3.org/2000/svg">
          <circle cx="3" cy="2.5"  r="1.2" fill="currentColor"/>
          <circle cx="7" cy="2.5"  r="1.2" fill="currentColor"/>
          <circle cx="3" cy="7"    r="1.2" fill="currentColor"/>
          <circle cx="7" cy="7"    r="1.2" fill="currentColor"/>
          <circle cx="3" cy="11.5" r="1.2" fill="currentColor"/>
          <circle cx="7" cy="11.5" r="1.2" fill="currentColor"/>
        </svg>
      </div>
      <div class="container-card-header">
        <div class="container-card-icon">
          <img src="favicon.png" width="20" height="20" alt="" style="object-fit:contain;display:block;">
        </div>
        <div>
          <div class="container-card-name">${escHtml(c.name)}</div>
          <div class="container-card-date">${fmtDate(c.createdAt)}</div>
        </div>
      </div>
      <div class="container-card-body">
        <div class="container-bar-wrap">
          <div class="container-bar-fill ${fill}" style="width:${pct.toFixed(1)}%"></div>
        </div>
        <div class="container-card-sizes">
          <span>${fmtSize(c.totalSize || 0)} used</span>
          <span>${fmtSize(Math.max(0, CONTAINER_LIMIT - (c.totalSize || 0)))} free</span>
        </div>
      </div>
      ${hasSess ? `<div class="session-badge" title="Active session — click to resume">
        <svg width="12" height="12" viewBox="0 0 12 12" fill="none" xmlns="http://www.w3.org/2000/svg">
          <circle cx="6" cy="6" r="5" stroke="currentColor" stroke-width="1.3"/>
          <path d="M4 6l1.5 1.5L8.5 4" stroke="currentColor" stroke-width="1.3" stroke-linecap="square"/>
        </svg>
        Session active
      </div>` : ''}
      <div class="container-card-menu" data-id="${c.id}" title="Options">
        <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
          <circle cx="8" cy="3"  r="1.2" fill="currentColor"/>
          <circle cx="8" cy="8"  r="1.2" fill="currentColor"/>
          <circle cx="8" cy="13" r="1.2" fill="currentColor"/>
        </svg>
      </div>
    `;

        // Drag-to-reorder via handle — whole card used as ghost image
        const handle = card.querySelector('.container-drag-handle');
        handle.setAttribute('draggable', 'true');
        handle.addEventListener('dragstart', e => {
            e.dataTransfer.setData('text/plain', c.id);
            e.dataTransfer.effectAllowed = 'move';
            // Use the full card as ghost image so it looks like the whole card is being dragged
            const rect = card.getBoundingClientRect();
            e.dataTransfer.setDragImage(card, e.clientX - rect.left, e.clientY - rect.top);
            // Delay adding source class so ghost is captured before card fades
            requestAnimationFrame(() => card.classList.add('drag-reorder-source'));
            e.stopPropagation();
        });
        handle.addEventListener('dragend', () => card.classList.remove('drag-reorder-source'));
        card.addEventListener('dragover', e => {
            e.preventDefault();
            e.dataTransfer.dropEffect = 'move';
            card.classList.add('drag-reorder-over');
        });
        card.addEventListener('dragleave', e => {
            if (!card.contains(e.relatedTarget)) card.classList.remove('drag-reorder-over');
        });
        card.addEventListener('drop', e => {
            e.preventDefault();
            card.classList.remove('drag-reorder-over');
            const sourceId = e.dataTransfer.getData('text/plain');
            if (!sourceId || sourceId === c.id) return;
            const grid2 = document.getElementById('container-grid'),
                sourceCard = grid2.querySelector(`.container-card[data-id="${CSS.escape(sourceId)}"]`);
            if (!sourceCard) return;

            // Remove drag-source styling before FLIP snapshot so layout is clean
            sourceCard.classList.remove('drag-reorder-source');

            const all = [...grid2.querySelectorAll('.container-card')],
                fromIdx = all.indexOf(sourceCard),
                toIdx = all.indexOf(card);
            if (fromIdx === toIdx) return;

            // FLIP — record positions before DOM change
            const beforeRects = new Map(all.map(el => [el, el.getBoundingClientRect()]));

            // Perform DOM reorder
            if (fromIdx < toIdx) card.after(sourceCard);
            else card.before(sourceCard);

            // Force reflow so new positions are calculated
            grid2.getBoundingClientRect();

            // Apply inverse transforms (no transition yet — jump to old visual position)
            const movedCards = [];
            all.forEach(el => {
                const bef = beforeRects.get(el), aft = el.getBoundingClientRect();
                const dx = bef.left - aft.left, dy = bef.top - aft.top;
                if (Math.abs(dx) > 0.5 || Math.abs(dy) > 0.5) {
                    el.style.transition = 'none';
                    el.style.transform = `translate(${dx}px,${dy}px)`;
                    movedCards.push(el);
                }
            });

            // Second reflow to commit the inverse transforms before animating
            grid2.getBoundingClientRect();

            // Animate each card to its final (natural) position
            movedCards.forEach(el => {
                el.style.transition = 'transform 280ms cubic-bezier(0.25,0.46,0.45,0.94)';
                el.style.transform = '';
                el.addEventListener('transitionend', () => { el.style.transition = ''; }, { once: true });
            });

            const newOrder = [...grid2.querySelectorAll('.container-card')].map(el => el.dataset.id).filter(Boolean);
            _saveCardOrder(newOrder);
        });

        card.addEventListener('click', async e => {
            if (e.target.closest('.container-card-menu') || e.target.closest('.container-drag-handle')) return;
            _tryOpenContainer(c);
        });
        card.querySelector('.container-card-menu').addEventListener('click', e => {
            e.stopPropagation();
            showContainerMenu(e, c);
        });
        return card;
    }
};

/* ---- Container context menu ---- */
function showContainerMenu(e, c) {
    const hasSess = hasSession(c.id),
        isOpen = App.container && App.container.id === c.id,
        reqExpPw = c.settings?.requireExportPassword !== false || !c._exportCache?.wrapped,
        items = [];

    // Open — resume if session exists, otherwise go to unlock view
    items.push({
        label: 'Open', icon: Icons.unlock,
        _keyHint: !hasSess ? '<span class="auth-dot"></span>' : null,
        action: () => _tryOpenContainer(c)
    });
    items.push({ sep: true });

    if (hasSess) {
        items.push({ label: 'Kill Session', icon: Icons.lock, action: () => killSession(c) });
    }

    // Change Password — always visible, disabled when session active or container open
    const cpDisabled = hasSess || isOpen;
    items.push({
        label: 'Change Password…', icon: Icons.key,
        _keyHint: !cpDisabled ? '<span class="auth-dot"></span>' : null,
        disabled: cpDisabled,
        _tooltip: cpDisabled ? 'End the active session first' : null,
        action: cpDisabled ? null : () => openChangePasswordModal(c)
    });

    // Rename Container — disabled when session active or container open
    const rnDisabled = hasSess || isOpen;
    items.push({
        label: 'Rename Container…', icon: Icons.rename, disabled: rnDisabled,
        _tooltip: rnDisabled ? 'End the active session first' : null,
        action: rnDisabled ? null : () => openRenameContainerModal(c)
    });

    items.push({ sep: true });
    items.push({
        label: 'Export Container', icon: Icons.download,
        _keyHint: reqExpPw ? '<span class="auth-dot"></span>' : null,
        action: () => exportContainerFile(c, reqExpPw)
    });
    items.push({ sep: true });
    items.push({ label: 'Delete Container...', icon: Icons.trash, danger: true, action: () => confirmDeleteContainer(c) });
    showCtxMenu(e.clientX, e.clientY, items);
}

/* ---- Kill Session ---- */
function killSession(c) {
    // Notify any tab that has this container open — they will call lockContainer() via the
    // storage event listener.  forceClaimSession writes kick=true; we then immediately clean
    // up the claim entry (we're on the home page, not opening this container ourselves).
    _forceClaimSession(c.id);
    _stopContainerSession(c.id); // removes the kick entry we just wrote
    clearSession(c.id);
    toast(`Session for "${c.name}" terminated`, 'info');
    Home.render();
}

/* ---- Change Password ---- */
function openChangePasswordModal(c) {
    ['cp-old', 'cp-new', 'cp-new2'].forEach(id => {
        const el = document.getElementById(id); el.value = ''; el.type = 'password';
    });
    ['cp-old-eye', 'cp-new-eye'].forEach(id => {
        const btn = document.getElementById(id); if (btn) { btn.style.color = ''; btn.innerHTML = Icons.eye; }
    });
    document.getElementById('cp-pw-strength').style.width = '0%';
    document.getElementById('cp-pw-strength').style.height = '0';
    document.getElementById('cp-pw-strength').style.marginTop = '0';
    document.getElementById('cp-pw-strength-label').textContent = '';
    document.getElementById('cp-pw-strength-label').style.display = 'none';
    document.getElementById('cp-error').innerHTML = '';
    document.getElementById('cp-ok')._container = c;
    Overlay.show('modal-change-pw');
    setTimeout(() => document.getElementById('cp-old').focus(), 100);
}

async function doChangePassword() {
    const okBtn = document.getElementById('cp-ok'),
        c = okBtn._container;
    if (!c) return;
    const oldPw = document.getElementById('cp-old').value,
        newPw = document.getElementById('cp-new').value,
        newPw2 = document.getElementById('cp-new2').value,
        errEl = document.getElementById('cp-error');

    if (!oldPw) { errEl.textContent = 'Enter current password'; return; }
    if (newPw.length < 4) { errEl.textContent = 'New password must be at least 4 characters'; return; }
    if (newPw !== newPw2) { errEl.textContent = 'Passwords do not match'; return; }
    if (oldPw === newPw) { errEl.textContent = 'New password must differ from current'; return; }

    // Rate-limit check
    const cpKey = 'cp:' + c.id,
        cpFails = _failCounts.get(cpKey) || { count: 0, lockUntil: 0 };
    if (cpFails.lockUntil > Date.now()) return;

    errEl.innerHTML = '';
    okBtn.disabled = true;
    let _cpInModal = true;

    try {
        // Verify old password
        const oldKey = await Crypto.deriveKey(oldPw, new Uint8Array(c.salt)),
            ok = await Crypto.checkVerification(oldKey, c.verIv, c.verBlob);
        if (!ok) {
            // Duress check — silently corrupts data, then falls through to "wrong password"
            if (await checkDuress(oldPw, c)) await _executeDuress(c);
            cpFails.count++;
            _failCounts.set(cpKey, cpFails);
            if (cpFails.count > 3) {
                cpFails.lockUntil = Date.now() + 3000;
                _startAttemptCooldown(errEl, okBtn, () => { cpFails.lockUntil = 0; });
            } else {
                errEl.innerHTML = `${_ERR_SVG} Incorrect current password`;
                okBtn.disabled = false;
            }
            return;
        }
        _cpInModal = false;
        _failCounts.delete(cpKey);
        Overlay.hide();
        showLoading('Deriving new key…');

        const newSalt = Array.from(crypto.getRandomValues(new Uint8Array(32))),
            newKey = await Crypto.deriveKey(newPw, new Uint8Array(newSalt));

        // Re-encrypt VFS
        showLoading('Re-encrypting VFS…');
        const vfsRec = await DB.getVFS(c.id);
        if (vfsRec) {
            const vfsBuf = typeof vfsRec.blob === 'string'
                ? await Crypto.decrypt(oldKey, vfsRec.iv, vfsRec.blob)
                : await Crypto.decryptBin(oldKey, vfsRec.iv, vfsRec.blob);
            const { iv: newVfsIv, blob: newVfsBlob } = await Crypto.encryptBin(newKey, vfsBuf);
            await DB.saveVFS(c.id, newVfsIv, newVfsBlob);
        }

        // Expand lazy workspace (if never unlocked) so file blobs enter the re-encryption pass below.
        // The blobs are encrypted with oldKey — expanding them into IDB first is required
        // so the per-file loop below can decrypt and re-encrypt each one with newKey.
        if (c.lazyWorkspace) {
            showLoading('Restoring files from import\u2026');
            const { bin, mIv, mBlob } = c.lazyWorkspace;
            const mBlobBuf = mBlob instanceof Blob ? await mBlob.arrayBuffer() : (mBlob.buffer || mBlob);
            const decBuf = await Crypto.decryptBin(oldKey, Array.from(new Uint8Array(mIv)), mBlobBuf);
            const manifest = JSON.parse(new TextDecoder().decode(decBuf));
            const filesToExpand = await Promise.all(manifest.map(async m => {
                const raw = bin.slice(m.offset, m.offset + m.size);
                return {
                    id: m.id, cid: c.id,
                    iv: Array.from(Uint8Array.from(atob(m.ivB64), ch => ch.charCodeAt(0))),
                    blob: raw instanceof Blob ? await raw.arrayBuffer() : (raw.buffer ?? raw)
                };
            }));
            await DB.saveFiles(filesToExpand);
            delete c.lazyWorkspace;
        }

        // Re-encrypt all files fully in parallel (Web Crypto is async/hardware-accelerated;
        // browser schedules concurrent SubtleCrypto calls across available cores)
        const files = await DB.getFilesByCid(c.id);
        showLoading(`Re-encrypting files\u2026 0/${files.length}`);
        let _reencDone = 0;
        const reencResults = await Promise.allSettled(files.map(async f => {
            const buf = await Crypto.decryptBin(oldKey, f.iv, f.blob);
            const { iv, blob } = await Crypto.encryptBin(newKey, buf);
            _reencDone++;
            if (_reencDone % 4 === 0 || _reencDone === files.length)
                showLoading(`Re-encrypting files\u2026 ${_reencDone}/${files.length}`);
            return { id: f.id, cid: f.cid, iv: Array.from(iv), blob };
        }));
        const reencFiles = reencResults
            .filter(r => r.status === 'fulfilled')
            .map(r => r.value);
        if (reencFiles.length) await DB.saveFiles(reencFiles);


        // New verification blob
        showLoading('Finalizing…');
        const { iv: verIv, blob: verBlob } = await Crypto.makeVerification(newKey);

        // Update container metadata
        c.salt = newSalt;
        c.verIv = verIv;
        c.verBlob = verBlob;
        delete c._exportCache;
        await DB.saveContainer(c);

        // Clear any stored sessions (password changed)
        clearSession(c.id);

        hideLoading();
        toast(`Password for "${c.name}" changed successfully`, 'success');
        Home.render();
    } catch (e) {
        if (_cpInModal) {
            okBtn.disabled = false;
            errEl.innerHTML = `${_ERR_SVG} ${e.message}`;
        } else {
            hideLoading();
            toast('Change password failed: ' + e.message, 'error');
        }
        console.error(e);
    }
}

/* ---- Rename Container ---- */
function openRenameContainerModal(c) {
    document.getElementById('rc-name').value = c.name;
    document.getElementById('rc-error').textContent = '';
    document.getElementById('rc-ok')._container = c;
    Overlay.show('modal-rename-container');
    setTimeout(() => {
        const inp = document.getElementById('rc-name');
        inp.focus(); inp.select();
    }, 100);
}

async function doRenameContainer() {
    const okBtn = document.getElementById('rc-ok'),
        c = okBtn._container;
    if (!c) return;
    const name = document.getElementById('rc-name').value.trim(),
        errEl = document.getElementById('rc-error');

    if (!name) { errEl.textContent = 'Enter a name'; return; }
    const nameRegex = /^[a-zA-Zа-яА-ЯёЁ0-9 _\-.,!()@#$%&+=]+$/;
    if (!nameRegex.test(name)) { errEl.textContent = 'Invalid characters in name'; return; }
    if (name.toLowerCase() === c.name.toLowerCase()) { Overlay.hide(); return; }

    const existing = await DB.getContainers();
    if (existing.find(x => x.id !== c.id && x.name.toLowerCase() === name.toLowerCase())) {
        errEl.textContent = 'A container with this name already exists'; return;
    }

    c.name = name;
    await DB.saveContainer(c);
    Overlay.hide();
    toast(`Container renamed to "${name}"`, 'success');
    Home.render();
}

function confirmDeleteContainer(c) {
    document.getElementById('dc-name').textContent = c.name;
    document.getElementById('dc-msg').textContent =
        `Container "${c.name}" and ALL its files will be permanently erased. This cannot be undone.`;
    const okBtn = document.getElementById('dc-ok'),
        okLabel = document.getElementById('dc-ok-label');
    okBtn._container = c;
    okBtn.disabled = true;
    Overlay.show('modal-del-container');

    // 3-second countdown before allowing delete
    let remaining = 3;
    okLabel.textContent = `Wait\u2026 ${remaining}`;
    const timer = setInterval(() => {
        remaining--;
        if (remaining > 0) {
            okLabel.textContent = `Wait\u2026 ${remaining}`;
        } else {
            clearInterval(timer);
            okBtn.disabled = false;
            okLabel.textContent = 'Delete Forever';
        }
    }, 1000);

    // Cancel countdown if modal is dismissed
    okBtn._countdownTimer = timer;
}

/* ============================================================
   NEW CONTAINER
   ============================================================ */
let _hwSaltData = null;

/** CRC-32 of a string (for stable UA fingerprint) */
function _crc32str(str) {
    let crc = 0xFFFFFFFF;
    for (let i = 0; i < str.length; i++) {
        crc ^= str.charCodeAt(i);
        for (let j = 0; j < 8; j++) crc = (crc >>> 1) ^ (crc & 1 ? 0xEDB88320 : 0);
    }
    return ((crc ^ 0xFFFFFFFF) >>> 0).toString(16).padStart(8, '0');
}

/** Derived UA fingerprint as hex string */
function _uaCrc() { return _crc32str(navigator.userAgent); }

const _KEY_ICON = `<svg width="13" height="13" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><rect x="1" y="6" width="9" height="7" rx="1.2" stroke="currentColor" stroke-width="1.3"/><path d="M3.5 6V4a2.5 2.5 0 015 0v2" stroke="currentColor" stroke-width="1.3" stroke-linecap="square"/><circle cx="11.5" cy="5.5" r="1.8" stroke="currentColor" stroke-width="1.2"/><path d="M11.5 7.3V9.5" stroke="currentColor" stroke-width="1.2" stroke-linecap="round"/></svg>`;

const _HW_STATES = {
    idle: () => `${_KEY_ICON}<span>Use passkey for salt</span>`,
    loading: () => `<div class="spinner" style="width:11px;height:11px;border-width:1.5px;flex-shrink:0"></div><span>Connecting…</span>`,
    ok: () => `<svg width="12" height="12" viewBox="0 0 12 12" fill="none" style="color:var(--green);flex-shrink:0"><path d="M1.5 6l3 3 6-6" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"/></svg><span style="color:var(--green)">Salt secured</span>`,
    fail: () => `${_KEY_ICON}<span>Use passkey for salt</span>`,
    unavailable: () => `${_KEY_ICON}<span>Use passkey for salt</span>`,
};

/**
 * Returns a human-readable reason why WebAuthn cannot be used,
 * or null if the API appears available (sync checks only).
 */
function _webAuthnUnavailableReason() {
    if (!window.isSecureContext)
        return 'Requires a secure context (HTTPS or localhost)';
    if (typeof window.PublicKeyCredential === 'undefined')
        return 'WebAuthn is not supported in this browser';
    if (!navigator.credentials || typeof navigator.credentials.create !== 'function')
        return 'Credentials API is not available in this browser';
    return null;
}

function _setHwBtn(state) {
    const btn = document.getElementById('nc-hwkey-btn');
    if (!btn) return;
    btn.innerHTML = _HW_STATES[state]();
    btn.disabled = (state === 'loading' || state === 'ok' || state === 'unavailable');
}

async function _hwKeyBtnClick() {
    _setHwBtn('loading');
    try {
        _hwSaltData = await _webAuthnSalt();
        _setHwBtn('ok');
    } catch (e) {
        _hwSaltData = null;
        _setHwBtn('idle');
    }
}

function openNewContainerModal() {
    document.getElementById('nc-name').value = '';
    document.getElementById('nc-pw').value = '';
    document.getElementById('nc-pw2').value = '';
    document.getElementById('nc-pw-strength').style.width = '0%';
    document.getElementById('nc-pw-strength').style.height = '0';
    document.getElementById('nc-pw-strength').style.marginTop = '0';
    document.getElementById('nc-pw-strength-label').textContent = '';
    document.getElementById('nc-pw-strength-label').style.display = 'none';
    document.getElementById('nc-agree').checked = false;
    document.getElementById('nc-create').disabled = true;
    // Reset hardware key button
    _hwSaltData = null;
    const hwBtn = document.getElementById('nc-hwkey-btn');
    if (hwBtn) {
        hwBtn.classList.add('show');
        const unavailReason = _webAuthnUnavailableReason();
        if (unavailReason) {
            _setHwBtn('unavailable');
            hwBtn.title = unavailReason;
        } else {
            _setHwBtn('idle');
            hwBtn.title = 'Mix passkey entropy into salt';
            // Async check: does this device actually have a platform authenticator?
            if (typeof PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable === 'function') {
                PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
                    .then(ok => {
                        if (!ok) {
                            _setHwBtn('unavailable');
                            hwBtn.title = 'No platform authenticator available on this device';
                        }
                    })
                    .catch(() => {
                        _setHwBtn('unavailable');
                        hwBtn.title = 'Platform authenticator check failed';
                    });
            }
        }
    }
    Overlay.show('modal-new-container');
    setTimeout(() => document.getElementById('nc-name').focus(), 100);
}

/** Generate salt using WebAuthn passkey mixed with CSPRNG */
async function _webAuthnSalt() {
    const challenge = crypto.getRandomValues(new Uint8Array(32)),
        userId = crypto.getRandomValues(new Uint8Array(16));
    const cred = await navigator.credentials.create({
        publicKey: {
            challenge,
            rp: { name: 'SafeNova' },
            user: { id: userId, name: `safenova-${_uaCrc()}`, displayName: 'SafeNova' },
            pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
            authenticatorSelection: { userVerification: 'required' },
            attestation: 'none',
            timeout: 60000,
        }
    });
    // Mix authenticatorData with CSPRNG for the final 32-byte salt
    const authData = new Uint8Array(cred.response.authenticatorData || cred.response.clientDataJSON),
        rng = crypto.getRandomValues(new Uint8Array(32)),
        combined = new Uint8Array(authData.length + rng.length);
    combined.set(authData, 0);
    combined.set(rng, authData.length);
    const hashBuf = await crypto.subtle.digest('SHA-256', combined);
    return Array.from(new Uint8Array(hashBuf));
}

async function createContainer() {
    const name = document.getElementById('nc-name').value.trim(),
        pw = document.getElementById('nc-pw').value,
        pw2 = document.getElementById('nc-pw2').value;

    if (!name) { toast('Enter a container name', 'error'); return; }
    // Allow only letters (Latin + Cyrillic), digits, spaces, and safe filename chars
    const nameRegex = /^[a-zA-Zа-яА-ЯёЁ0-9 _\-.,!()@#$%&+=]+$/;
    if (!nameRegex.test(name)) {
        toast('Container name contains invalid characters. Use letters, digits, spaces, and safe symbols only', 'error'); return;
    } if (!document.getElementById('nc-agree').checked) { toast('Please accept the data responsibility terms', 'error'); return; } if (pw.length < 4) { toast('Password must be at least 4 characters', 'error'); return; }
    if (pw !== pw2) { toast('Passwords do not match', 'error'); return; }

    const existing = await DB.getContainers();
    if (existing.find(c => c.name.toLowerCase() === name.toLowerCase())) {
        toast('A container with this name already exists', 'error'); return;
    }

    // Check device storage before creating
    const spCheck = await checkStorageSpace(1024 * 1024); // minimal overhead
    if (!spCheck.ok) {
        toast(`Not enough device storage (${fmtSize(spCheck.available)} available)`, 'error'); return;
    }

    showLoading('Creating container and deriving key...');
    Overlay.hide();
    try {
        const salt = _hwSaltData || Array.from(crypto.getRandomValues(new Uint8Array(32))),
            key = await Crypto.deriveKey(pw, new Uint8Array(salt));
        const { iv, blob } = await Crypto.makeVerification(key);

        VFS.init();
        const vfsStr = JSON.stringify(VFS.toObj()),
            { iv: vfsIv, blob: vfsBlobB64 } = await Crypto.encrypt(key, vfsStr);

        const container = {
            id: uid(), name, createdAt: Date.now(),
            salt, verIv: iv, verBlob: blob,
            totalSize: 0
        };
        await DB.saveContainer(container);
        await DB.saveVFS(container.id, vfsIv, vfsBlobB64);
        toast(`Container "${name}" created`, 'success');
        await Home.render();
        _highlightCard(container.id);
    } catch (e) { toast('Error: ' + e.message, 'error'); console.error(e); }
    hideLoading();
}

function updatePwStrength(pw, barId = 'nc-pw-strength', lblId = 'nc-pw-strength-label') {
    const s = pwStrength(pw),
        pct = [0, 20, 40, 60, 80, 100][s],
        colors = ['#555', '#f44747', '#ce9178', '#dcdcaa', '#6a9955', '#4ec9b0'],
        labels = ['', 'Very Weak', 'Weak', 'Fair', 'Strong', 'Very Strong'],
        bar = document.getElementById(barId),
        lbl = document.getElementById(lblId);
    bar.style.width = pct + '%';
    bar.style.background = colors[s];
    bar.style.height = pct ? '3px' : '0';
    bar.style.marginTop = pct ? '4px' : '0';
    lbl.textContent = pw.length ? labels[s] : '';
    lbl.style.color = colors[s];
    lbl.style.display = pw.length ? '' : 'none';
}

/* ============================================================
   UNLOCK VIEW
   ============================================================ */
let _unlockContainer = null;
const _failCounts = new Map(); // containerId → { count, lockUntil }

function _startUnlockCooldown(c) {
    const fails = _failCounts.get(c.id);
    _startAttemptCooldown(
        document.getElementById('unlock-error'),
        document.getElementById('btn-unlock'),
        () => { if (fails) fails.lockUntil = 0; }
    );
}

function openUnlockView(c) {
    _unlockContainer = c;
    document.getElementById('unlock-name').textContent = c.name;
    document.getElementById('unlock-pw').value = '';
    document.getElementById('unlock-error').innerHTML = '';
    document.getElementById('unlock-spinner').classList.remove('show');
    // Pre-fill checkbox and scope based on saved session
    const hasSessT = !!sessionStorage.getItem('snv-s-' + c.id),
        hasSessW = !!localStorage.getItem('snv-sb-' + c.id),
        remEl = document.getElementById('unlock-remember'),
        opts = document.getElementById('remember-opts'),
        tabEl = document.getElementById('remember-tab'),
        brwEl = document.getElementById('remember-browser');
    if (remEl) {
        const remembered = hasSessT || hasSessW;
        remEl.checked = remembered;
        if (opts) {
            const radios = opts.querySelectorAll('input[type="radio"]'),
                labels = opts.querySelectorAll('.remember-opt');
            radios.forEach(r => r.disabled = !remembered);
            labels.forEach(l => l.classList.toggle('disabled', !remembered));
        }
        if (hasSessW && brwEl) brwEl.checked = true;
        else if (tabEl) tabEl.checked = true;
    }
    App.showView('unlock');
    setTimeout(() => document.getElementById('unlock-pw').focus(), 100);
}

// ── Tab deduplication guard ───────────────────────────────────

/** Show the session-conflict modal; `onConfirm` is called if the user
 *  chooses to force-close the other session. */
function _showSessionConflict(c, onConfirm) {
    document.getElementById('sc-cont-name').textContent = c.name;
    document.getElementById('sc-force').onclick = () => {
        _forceClaimSession(c.id);
        Overlay.hide();
        onConfirm?.();
    };
    document.getElementById('sc-cancel').onclick = () => Overlay.hide();
    Overlay.show('modal-session-conflict');
}

/**
 * Single entry point for opening any container.
 * Checks for cross-tab conflict FIRST (before any password prompt),
 * then resumes an existing session or shows the unlock view.
 */
async function _tryOpenContainer(c) {
    if (_checkContainerSession(c.id)) {
        _showSessionConflict(c, async () => {
            // Other tab has been kicked — proceed with open
            const savedPw = await loadSession(c.id);
            if (savedPw) _resumeSession(c, savedPw); else openUnlockView(c);
        });
        return;
    }
    const savedPw = await loadSession(c.id);
    if (savedPw) _resumeSession(c, savedPw); else openUnlockView(c);
}
// ────────────────────────────────────────────────────────────────

/* Duress execution — silently corrupts all encrypted file blobs and erases
   duress traces.  The caller continues with the normal "wrong password" flow
   so the response is indistinguishable from a genuine incorrect attempt.
   When the real password is later entered the container opens normally but
   every file decryption will fail (AES-GCM auth tag mismatch). */
async function _executeDuress(c) {
    // 1. Corrupt every encrypted file blob (zeros first 8 bytes → AES-GCM auth tag fails)
    try { await DB.corruptContainerBlobs(c.id); } catch (e) { console.error('[SafeNova] Duress corruption error:', e); }

    // 2. Erase all duress traces + invalidate export cache
    delete c.duressHash;
    delete c._exportCache;
    await DB.saveContainer(c);
}

async function doUnlock() {
    const c = _unlockContainer; if (!c) return;
    const pw = document.getElementById('unlock-pw').value;
    if (!pw) { document.getElementById('unlock-error').innerHTML = '<svg width="14" height="14" viewBox="0 0 16 16" fill="none"><path d="M8 1.5a6.5 6.5 0 100 13 6.5 6.5 0 000-13zM7.25 5h1.5v4h-1.5V5zm0 5h1.5v1.5h-1.5V10z" fill="currentColor"/></svg> Enter password'; return; }

    // Brute-force protection: check if currently locked out
    const fails = _failCounts.get(c.id) || { count: 0, lockUntil: 0 };
    if (fails.lockUntil > Date.now()) return; // button is already disabled during lockout

    document.getElementById('unlock-error').innerHTML = '';
    document.getElementById('unlock-spinner').classList.add('show');
    document.getElementById('btn-unlock').disabled = true;

    try {
        const { key, raw: _sessionRawKey } = await Crypto.deriveKeyAndRaw(pw, new Uint8Array(c.salt)),
            ok = await Crypto.checkVerification(key, c.verIv, c.verBlob);

        if (!ok) {
            // Duress check — SHA-256 is fast, runs before incrementing fail count.
            // Silently corrupts data then falls through to normal "wrong password" flow.
            if (await checkDuress(pw, c)) await _executeDuress(c);
            fails.count++;
            _failCounts.set(c.id, fails);
            document.getElementById('unlock-spinner').classList.remove('show');
            if (fails.count > 3) {
                fails.lockUntil = Date.now() + 3000;
                _startUnlockCooldown(c);
            } else {
                document.getElementById('unlock-error').innerHTML = '<svg width="14" height="14" viewBox="0 0 16 16" fill="none"><path d="M8 1.5a6.5 6.5 0 100 13 6.5 6.5 0 000-13zM7.25 5h1.5v4h-1.5V5zm0 5h1.5v1.5h-1.5V10z" fill="currentColor"/></svg> Incorrect password';
                document.getElementById('btn-unlock').disabled = false;
            }
            return;
        }

        // Load VFS (detect binary vs legacy base64 format)
        const vfsRec = await DB.getVFS(c.id);
        if (vfsRec) {
            try {
                const buf = typeof vfsRec.blob === 'string'
                    ? await Crypto.decrypt(key, vfsRec.iv, vfsRec.blob)
                    : await Crypto.decryptBin(key, vfsRec.iv, vfsRec.blob);
                const json = JSON.parse(new TextDecoder().decode(buf));
                VFS.fromObj(json);
            } catch { VFS.init(); }
        } else { VFS.init(); }

        // Expand lazy workspace if this container was imported without a password
        let _activeCont = c;
        if (c.lazyWorkspace) {
            showLoading('Restoring files from import\u2026');
            try {
                const { bin, mIv, mBlob } = c.lazyWorkspace;
                const mBlobBuf = mBlob instanceof Blob ? await mBlob.arrayBuffer() : (mBlob.buffer || mBlob);
                const decBuf = await Crypto.decryptBin(key, Array.from(new Uint8Array(mIv)), mBlobBuf);
                const manifest = JSON.parse(new TextDecoder().decode(decBuf));
                const filesToSave = await Promise.all(manifest.map(async m => {
                    const raw = bin.slice(m.offset, m.offset + m.size);
                    return {
                        id: m.id, cid: c.id,
                        iv: Array.from(Uint8Array.from(atob(m.ivB64), ch => ch.charCodeAt(0))),
                        blob: raw instanceof Blob ? await raw.arrayBuffer() : (raw.buffer ?? raw)
                    };
                }));
                await DB.saveFiles(filesToSave);
                const cleanCont = Object.assign({}, c);
                delete cleanCont.lazyWorkspace;
                await DB.saveContainer(cleanCont);
                _activeCont = cleanCont;
                _unlockContainer = cleanCont;
            } catch (expandErr) {
                console.error('Lazy expand failed', expandErr);
                toast('Could not restore files from import', 'error');
            }
            hideLoading();
        }

        _failCounts.delete(c.id); // reset fail count on successful unlock

        App.container = _activeCont;
        App.key = key;
        App.folder = 'root';
        App.selection.clear();
        _startContainerSession(_activeCont.id);
        App.showView('desktop');
        if (typeof _applySettings === 'function') _applySettings(_getSettings(), true);
        if (typeof _resetAutoLockTimer === 'function') _resetAutoLockTimer();
        Desktop.render();
        if (typeof _cleanOrphanedExportCache === 'function') _cleanOrphanedExportCache().catch(() => { });
        toast(`Container "${c.name}" unlocked`, 'success');
        // Save or clear session based on checkbox — uses rawKey already derived above (no second Argon2)
        const remEl = document.getElementById('unlock-remember');
        if (remEl && remEl.checked) {
            const scope = document.querySelector('input[name="remember-scope"]:checked')?.value || 'tab';
            try {
                await saveSession(c.id, _sessionRawKey, scope);
            } catch (sessErr) {
                console.error('[SafeNova] saveSession failed:', sessErr);
                toast('Session could not be saved — you will need to re-enter the password next time', 'warn');
            }
        } else {
            // Checkbox unchecked — clear any previously saved session
            clearSession(c.id);
        }
    } catch (e) {
        document.getElementById('unlock-error').innerHTML = '<svg width="14" height="14" viewBox="0 0 16 16" fill="none"><path d="M8 1.5a6.5 6.5 0 100 13 6.5 6.5 0 000-13zM7.25 5h1.5v4h-1.5V5zm0 5h1.5v1.5h-1.5V10z" fill="currentColor"/></svg> ' + escHtml(e.message);
        console.error(e);
    }
    document.getElementById('unlock-spinner').classList.remove('show');
    document.getElementById('btn-unlock').disabled = false;
}

/* ============================================================
   DELETE CONTAINER (confirmed with password)
   ============================================================ */
async function deleteContainerConfirmed() {
    const okBtn = document.getElementById('dc-ok');
    const c = okBtn._container; if (!c) return;
    if (okBtn.disabled) return;

    // Clear countdown timer if still running
    if (okBtn._countdownTimer) { clearInterval(okBtn._countdownTimer); okBtn._countdownTimer = null; }

    showLoading('Erasing container...');
    Overlay.hide();
    try {
        await DB.nukeContainer(c.id);
        // Clear all session tokens and the tab-coordinator claim for this container
        _stopContainerSession(c.id);
        clearSession(c.id);
        hideLoading();
        await Home.render();
        toast(`Container \"${c.name}\" deleted`, 'info');
    } catch (e) {
        hideLoading();
        toast('Delete failed: ' + e.message, 'error');
    }
}

/* ============================================================
   SESSION RESUME  —  auto-unlock using stored sessionStorage password
   ============================================================ */
async function _resumeSession(c, rawKeyBytes) {
    showLoading('Restoring session...');
    try {
        const key = await Crypto.importRawKey(rawKeyBytes),
            ok = await Crypto.checkVerification(key, c.verIv, c.verBlob);
        if (!ok) {
            // Stored session is invalid (password changed?) — clear it and open unlock view
            clearSession(c.id);
            hideLoading();
            openUnlockView(c);
            return;
        }
        const vfsRec = await DB.getVFS(c.id);
        if (vfsRec) {
            try {
                const buf = typeof vfsRec.blob === 'string'
                    ? await Crypto.decrypt(key, vfsRec.iv, vfsRec.blob)
                    : await Crypto.decryptBin(key, vfsRec.iv, vfsRec.blob);
                const json = JSON.parse(new TextDecoder().decode(buf));
                VFS.fromObj(json);
            } catch { VFS.init(); }
        } else { VFS.init(); }

        // Defensive: expand lazyWorkspace if somehow present at session resume
        if (c.lazyWorkspace) {
            try {
                const { bin, mIv, mBlob } = c.lazyWorkspace;
                const mBlobBuf = mBlob instanceof Blob ? await mBlob.arrayBuffer() : (mBlob.buffer || mBlob);
                const decBuf = await Crypto.decryptBin(key, Array.from(new Uint8Array(mIv)), mBlobBuf);
                const manifest = JSON.parse(new TextDecoder().decode(decBuf));
                const filesToSave = await Promise.all(manifest.map(async m => {
                    const raw = bin.slice(m.offset, m.offset + m.size);
                    return {
                        id: m.id, cid: c.id,
                        iv: Array.from(Uint8Array.from(atob(m.ivB64), ch => ch.charCodeAt(0))),
                        blob: raw instanceof Blob ? await raw.arrayBuffer() : (raw.buffer ?? raw)
                    };
                }));
                await DB.saveFiles(filesToSave);
                const cleanCont = Object.assign({}, c);
                delete cleanCont.lazyWorkspace;
                await DB.saveContainer(cleanCont);
                c = cleanCont;
            } catch (expandErr) {
                console.error('Lazy expand in resume failed', expandErr);
            }
        }

        App.container = c;
        App.key = key;
        App.folder = 'root';
        App.selection.clear();
        _startContainerSession(c.id);
        App.showView('desktop');
        if (typeof _applySettings === 'function') _applySettings(_getSettings(), true);
        if (typeof _resetAutoLockTimer === 'function') _resetAutoLockTimer();
        Desktop.render();
        if (typeof _cleanOrphanedExportCache === 'function') _cleanOrphanedExportCache().catch(() => { });
        toast(`Session for "${c.name}" restored`, 'success');
    } catch (e) {
        hideLoading();
        toast('Resume failed: ' + e.message, 'error');
        openUnlockView(c);
        return;
    }
    hideLoading();
}


================================================
FILE: src/js/initlog.js
================================================
'use strict';

/* ============================================================
   INITLOG  —  Initialization stage console logger

   Usage:
     InitLog.start()            — open grouped output, start timer
     InitLog.step('label')      — mark stage start (prints offset from boot)
     InitLog.done('label', d?)  — mark stage done  (prints elapsed for stage)
     InitLog.error('label', err)— mark stage failed
     InitLog.finish()           — close group, print total boot time
   ============================================================ */
const InitLog = (() => {
    let _t0 = null;
    const _timers = {};

    const _S = {
        badge: 'font-size:11px;font-weight:700;color:#1e1e1e;background:#0078d4;padding:1px 6px;border-radius:2px;font-family:Consolas,monospace',
        title: 'font-size:11px;font-weight:700;color:#0078d4;font-family:Consolas,monospace',
        step: 'font-size:11px;color:#4ec9b0;font-family:Consolas,monospace',
        lbl: 'font-size:11px;color:#d4d4d4;font-family:Consolas,monospace',
        done: 'font-size:11px;color:#89d185;font-family:Consolas,monospace',
        err: 'font-size:11px;font-weight:700;color:#f44747;font-family:Consolas,monospace',
        dim: 'font-size:11px;color:#858585;font-family:Consolas,monospace',
        time: 'font-size:11px;color:#ce9178;font-family:Consolas,monospace',
    };

    function _ts() { return _t0 != null ? '+' + (performance.now() - _t0).toFixed(1) + 'ms' : ''; }
    function _elapsed(label) { const t = _timers[label]; return t != null ? (performance.now() - t).toFixed(1) + 'ms' : ''; }

    function start() {
        _t0 = performance.now();
        console.groupCollapsed('%c SNV %c Initialization', _S.badge, _S.title);
    }

    function step(label) {
        _timers[label] = performance.now();
        console.log('%c ▶ %c' + label + ' %c' + _ts(), _S.step, _S.lbl, _S.dim);
    }

    function done(label, detail) {
        const elapsed = _elapsed(label);
        const suffix = detail ? '  · ' + detail : '';
        console.log('%c ✓ %c' + label + suffix + ' %c' + elapsed, _S.done, _S.lbl, _S.time);
    }

    function error(label, err) {
        const msg = err instanceof Error ? err.message : String(err ?? '');
        console.log('%c ✗ %c' + label + ' %c' + msg, _S.err, _S.lbl, _S.err);
    }

    function finish() {
        const total = _t0 != null ? (performance.now() - _t0).toFixed(1) : '?';
        console.log('%c ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━', _S.dim);
        console.log('%c ✔ %cReady  %c' + total + 'ms', _S.done, _S.lbl, _S.time);
        console.groupEnd();
    }

    return { start, step, done, error, finish };
})();


================================================
FILE: src/js/main.js
================================================
'use strict';

/* ============================================================
   CONSOLE SECURITY WARNING
   ============================================================ */
(function consoleSecurityWarning() {
    const W = 60,
        pad = s => s + ' '.repeat(Math.max(0, W - s.length)),
        row = s => `║ ${pad(s)} ║`,
        top = `╔${'═'.repeat(W + 2)}╗`,
        bot = `╚${'═'.repeat(W + 2)}╝`,
        sep = `╠${'═'.repeat(W + 2)}╣`,
        _ = row('');

    const box = [
        top,
        _,
        row('  DO NOT paste any code or commands into this console.'),
        row('  Not from the internet. Not from anyone. For any reason.'),
        _,
        sep,
        _,
        row('  A single malicious snippet can silently:'),
        row('    \u203a  intercept and exfiltrate your encryption keys'),
        row('    \u203a  dump the entire local file storage in plaintext'),
        row('    \u203a  steal your container password as you type'),
        row('    \u203a  re-encrypt your files with an attacker-controlled key'),
        _,
        sep,
        _,
        row('  [!] Only use this console if you know what you are doing.'),
        row('      If someone told you to paste something here \u2014'),
        row('      you are being socially engineered.'),
        _,
        bot,
    ].join('\n');

    const show = () => console.log(
        '%c STOP %c SafeNova \u2014 Security Warning\n%c\n' + box,
        'font-size:13px;font-weight:900;color:#1e1e1e;background:#f44747;padding:2px 10px;border-radius:2px;font-family:Consolas,monospace',
        'font-size:13px;font-weight:700;color:#f44747;font-family:Consolas,monospace',
        'font-size:12px;color:#d4d4d4;line-height:1;font-family:Consolas,monospace'
    );
    show();
    setInterval(show, 5_000);
})();

/* ============================================================
   PASSWORD EYE TOGGLE
   ============================================================ */
function togglePwEye(inputId, btnId) {
    const input = document.getElementById(inputId),
        btn = document.getElementById(btnId);
    if (input.type === 'password') {
        input.type = 'text';
        btn.style.color = 'var(--accent)';
        btn.innerHTML = Icons.eyeoff;
    } else {
        input.type = 'password';
        btn.style.color = '';
        btn.innerHTML = Icons.eye;
    }
}

/* ============================================================
   EVENT LISTENERS
   ============================================================ */
function initEvents() {

    /* ---- Home ---- */
    document.getElementById('btn-new-container').addEventListener('click', openNewContainerModal);
    document.getElementById('btn-import-container').addEventListener('click', () => document.getElementById('import-container-input').click());
    document.getElementById('import-container-input').addEventListener('change', e => {
        const file = e.target.files[0];
        if (file) importContainerFile(file);
        e.target.value = '';
    });

    /* ---- New Container Modal ---- */
    document.getElementById('nc-pw').addEventListener('input', e => updatePwStrength(e.target.value));
    document.getElementById('nc-pw-eye').addEventListener('click', () => togglePwEye('nc-pw', 'nc-pw-eye'));
    document.getElementById('nc-create').addEventListener('click', createContainer);
    document.getElementById('nc-cancel').addEventListener('click', () => Overlay.hide());
    document.getElementById('modal-nc-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('nc-agree').addEventListener('change', e => {
        document.getElementById('nc-create').disabled = !e.target.checked;
    });
    document.getElementById('nc-hwkey-btn')?.addEventListener('click', _hwKeyBtnClick);
    document.getElementById('nc-name').addEventListener('keydown', e => { if (e.key === 'Enter') document.getElementById('nc-pw').focus(); });
    document.getElementById('nc-pw').addEventListener('keydown', e => { if (e.key === 'Enter') document.getElementById('nc-pw2').focus(); });
    document.getElementById('nc-pw2').addEventListener('keydown', e => { if (e.key === 'Enter') createContainer(); });

    /* ---- Unlock ---- */
    document.getElementById('btn-back').addEventListener('click', () => App.showView('home'));
    document.getElementById('btn-unlock').addEventListener('click', doUnlock);
    document.getElementById('unlock-pw').addEventListener('keydown', e => { if (e.key === 'Enter') doUnlock(); });
    document.getElementById('unlock-pw-eye').addEventListener('click', () => togglePwEye('unlock-pw', 'unlock-pw-eye'));

    /* ---- Export password modal eye toggle ---- */
    document.getElementById('exp-eye')?.addEventListener('click', () => {
        const inp = document.getElementById('exp-pw');
        const show = inp.type === 'password';
        inp.type = show ? 'text' : 'password';
        document.querySelector('#exp-eye .eye-open').style.display = show ? 'none' : '';
        document.querySelector('#exp-eye .eye-closed').style.display = show ? '' : 'none';
    });

    /* ---- Remember scope toggle ---- */
    document.getElementById('unlock-remember').addEventListener('change', e => {
        const opts = document.getElementById('remember-opts');
        if (!opts) return;
        const radios = opts.querySelectorAll('input[type="radio"]'),
            labels = opts.querySelectorAll('.remember-opt');
        radios.forEach(r => r.disabled = !e.target.checked);
        labels.forEach(l => l.classList.toggle('disabled', !e.target.checked));
    });

    /* ---- Desktop toolbar ---- */
    document.getElementById('btn-lock').addEventListener('click', () => App.backToMenu());
    document.getElementById('btn-lock-taskbar').addEventListener('click', () => App.lockContainer());

    document.getElementById('btn-upload-toolbar').addEventListener('click', () => document.getElementById('file-input').click());
    document.getElementById('btn-new-file-toolbar').addEventListener('click', newTextFile);
    document.getElementById('btn-new-folder-toolbar').addEventListener('click', newFolder);
    document.getElementById('btn-settings').addEventListener('click', openSettings);
    document.getElementById('settings-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('settings-ok').addEventListener('click', () => Overlay.hide());
    document.getElementById('file-input').addEventListener('change', e => {
        uploadFiles(Array.from(e.target.files));
        e.target.value = '';
    });

    /* ---- Text Editor ---- */
    document.getElementById('btn-save-editor').addEventListener('click', saveEditor);
    document.getElementById('editor-close').addEventListener('click', closeEditor);
    document.getElementById('editor-textarea').addEventListener('keydown', e => {
        if (e.ctrlKey && e.code === 'KeyS') { e.preventDefault(); saveEditor(); }
    });

    /* ---- Unsaved-changes dialog buttons ---- */
    document.getElementById('editor-unsaved-cancel').addEventListener('click', () => {
        document.getElementById('editor-unsaved-dialog').style.display = 'none';
    });
    document.getElementById('editor-unsaved-discard').addEventListener('click', () => {
        document.getElementById('editor-unsaved-dialog').style.display = 'none';
        discardEditor();
    });
    document.getElementById('editor-unsaved-save').addEventListener('click', async () => {
        document.getElementById('editor-unsaved-dialog').style.display = 'none';
        await saveAndCloseEditor();
    });

    /* ---- File Viewer ---- */
    document.getElementById('viewer-close').addEventListener('click', closeViewer);

    /* ---- Properties ---- */
    document.getElementById('props-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('props-ok').addEventListener('click', () => Overlay.hide());

    /* ---- Rename ---- */
    document.getElementById('rename-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('rename-cancel').addEventListener('click', () => Overlay.hide());
    document.getElementById('rename-input').addEventListener('keydown', e => {
        if (e.key === 'Enter') document.getElementById('rename-ok').click();
    });

    /* ---- Delete confirm ---- */
    document.getElementById('delete-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('delete-cancel').addEventListener('click', () => Overlay.hide());

    /* ---- New Text File ---- */
    document.getElementById('nf-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('nf-cancel').addEventListener('click', () => Overlay.hide());
    document.getElementById('nf-ok').addEventListener('click', createTextFile);
    document.getElementById('nf-name').addEventListener('keydown', e => { if (e.key === 'Enter') createTextFile(); });

    /* ---- New Folder ---- */
    document.getElementById('nd-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('nd-cancel').addEventListener('click', () => Overlay.hide());
    document.getElementById('nd-ok').addEventListener('click', createFolder);
    document.getElementById('nd-name').addEventListener('keydown', e => { if (e.key === 'Enter') createFolder(); });

    /* ---- Delete Container ---- */
    document.getElementById('dc-close').addEventListener('click', () => {
        const t = document.getElementById('dc-ok')._countdownTimer;
        if (t) { clearInterval(t); document.getElementById('dc-ok')._countdownTimer = null; }
        Overlay.hide();
    });
    document.getElementById('dc-cancel').addEventListener('click', () => {
        const t = document.getElementById('dc-ok')._countdownTimer;
        if (t) { clearInterval(t); document.getElementById('dc-ok')._countdownTimer = null; }
        Overlay.hide();
    });
    document.getElementById('dc-ok').addEventListener('click', deleteContainerConfirmed);

    /* ---- Change Password ---- */
    document.getElementById('cp-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('cp-cancel').addEventListener('click', () => Overlay.hide());
    document.getElementById('cp-ok').addEventListener('click', doChangePassword);
    document.getElementById('cp-old-eye').addEventListener('click', () => togglePwEye('cp-old', 'cp-old-eye'));
    document.getElementById('cp-new-eye').addEventListener('click', () => togglePwEye('cp-new', 'cp-new-eye'));
    document.getElementById('cp-new').addEventListener('input', e => updatePwStrength(e.target.value, 'cp-pw-strength', 'cp-pw-strength-label'));

    /* ---- Duress password eyes ---- */
    document.getElementById('duress-pw-eye').innerHTML = Icons.eye;
    document.getElementById('duress-pw-eye').addEventListener('click', () => togglePwEye('duress-pw', 'duress-pw-eye'));

    document.getElementById('cp-old').addEventListener('keydown', e => { if (e.key === 'Enter') document.getElementById('cp-new').focus(); });
    document.getElementById('cp-new').addEventListener('keydown', e => { if (e.key === 'Enter') document.getElementById('cp-new2').focus(); });
    document.getElementById('cp-new2').addEventListener('keydown', e => { if (e.key === 'Enter') doChangePassword(); });

    /* ---- Rename Container ---- */
    document.getElementById('rc-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('rc-cancel').addEventListener('click', () => Overlay.hide());
    document.getElementById('rc-ok').addEventListener('click', doRenameContainer);
    document.getElementById('rc-name').addEventListener('keydown', e => { if (e.key === 'Enter') doRenameContainer(); });

    /* ---- Export Confirm ---- */
    document.getElementById('ec-close').addEventListener('click', () => Overlay.hide());
    document.getElementById('ec-cancel').addEventListener('click', () => Overlay.hide());

    /* ---- Overlay background click ---- */
    let _overlayMousedownOnBg = false;
    const _overlayEl = document.getElementById('modal-overlay');
    _overlayEl.addEventListener('mousedown', e => {
        _overlayMousedownOnBg = (e.target === _overlayEl);
    });
    _overlayEl.addEventListener('click', e => {
        if (!_overlayMousedownOnBg || e.target !== _overlayEl) return;
        _overlayMousedownOnBg = false;
        const active = Overlay.current;
        if (active === 'modal-editor') closeEditor();
        else if (active === 'modal-viewer') closeViewer();
        else {
            // Clear delete-container countdown if running
            const t = document.getElementById('dc-ok')._countdownTimer;
            if (t) { clearInterval(t); document.getElementById('dc-ok')._countdownTimer = null; }
            Overlay.hide();
        }
    });

    /* ---- Block Ctrl+S system save globally (editor handles its own Ctrl+S) ---- */
    document.addEventListener('keydown', e => {
        if (e.ctrlKey && e.code === 'KeyS' && Overlay.current !== 'modal-editor') {
            e.preventDefault();
        }
    }, true);

    /* ---- Mobile burger menu ---- */
    (function initBurger() {
        const burger = document.getElementById('topbar-burger');
        const dd = document.getElementById('topbar-dropdown');
        if (!burger || !dd) return;

        const _close = () => dd.classList.remove('open'),
            _toggle = () => dd.classList.toggle('open');

        burger.addEventListener('click', e => { e.stopPropagation(); _toggle(); });

        // Proxy clicks in dropdown to real toolbar buttons
        document.getElementById('topbar-dd-settings')?.addEventListener('click', () => { _close(); document.getElementById('btn-settings').click(); });
        document.getElementById('topbar-dd-upload')?.addEventListener('click', () => { _close(); document.getElementById('btn-upload-toolbar').click(); });
        document.getElementById('topbar-dd-newfile')?.addEventListener('click', () => { _close(); document.getElementById('btn-new-file-toolbar').click(); });
        document.getElementById('topbar-dd-newfolder')?.addEventListener('click', () => { _close(); document.getElementById('btn-new-folder-toolbar').click(); });

        // Close dropdown on tap outside
        document.addEventListener('touchstart', e => {
            if (!e.target.closest('#topbar-dropdown') && !e.target.closest('#topbar-burger')) _close();
        }, { passive: true });
        document.addEventListener('mousedown', e => {
            if (!e.target.closest('#topbar-dropdown') && !e.target.closest('#topbar-burger')) _close();
        });
        // Close on Escape
        document.addEventListener('keydown', e => { if (e.key === 'Escape') _close(); });
    })();

    /* ---- Dismiss context menu ---- */
    document.addEventListener('mousedown', e => { if (!e.target.closest('.ctx-menu')) hideCtxMenu(); });
    document.addEventListener('touchstart', e => { if (!e.target.closest('.ctx-menu')) hideCtxMenu(); }, { passive: true });
    document.addEventListener('keydown', e => { if (e.key === 'Escape') hideCtxMenu(); });

    /* ---- End key: lock container (only on desktop/folder view, not in text fields) ---- */
    document.addEventListener('keydown', e => {
        if (e.key !== 'End') return;
        const tag = document.activeElement?.tagName;
        if (tag === 'INPUT' || tag === 'TEXTAREA' || document.activeElement?.isContentEditable) return;
        if (!App.key || !App.container) return;
        App.lockContainer();
    });

    /* ---- Block native browser context menu globally ---- */
    document.addEventListener('contextmenu', e => { e.preventDefault(); });

    /* ---- Desktop area events ---- */
    Desktop.initEvents();
}

/* ============================================================
   BOOT
   ============================================================ */
window.addEventListener('DOMContentLoaded', async () => {
    // SafeNova Proactive must be loaded and active before the app starts.
    // daemon.js is injected in <head> before all other scripts; if it
    // failed to load for any reason the guard token will be absent.
    // v4: __snvVerify() does canary cross-check (guards against pre-defined __snvGuard).
    // Legacy fallback: if __snvVerify is absent (v3), fall back to __snvGuard.active alone.
    const _snvOk = typeof window.__snvVerify === 'function'
        ? window.__snvVerify() === true
        : window.__snvGuard?.active === true;
    if (!_snvOk) {
        const ol = document.getElementById('loading-overlay');
        if (ol) {
            ol.innerHTML = `
              <div style="text-align:center;max-width:380px;padding:0 24px">
                <svg width="44" height="44" viewBox="0 0 24 24" fill="none" style="color:#f44747;margin-bottom:16px" xmlns="http://www.w3.org/2000/svg">
                  <path d="M12 2L3 7v5c0 5.25 3.75 10.15 9 11.35C17.25 22.15 21 17.25 21 12V7z" stroke="currentColor" stroke-width="1.6" stroke-linejoin="round"/>
                  <path d="M12 8v5" stroke="currentColor" stroke-width="1.8" stroke-linecap="round"/>
                  <circle cx="12" cy="16" r="1" fill="currentColor"/>
                </svg>
                <div style="color:var(--text);font-size:16px;font-weight:600;margin-bottom:8px">SafeNova Proactive failed to initialize</div>
                <div style="color:var(--text-dim);font-size:13px;line-height:1.7">
                  The runtime protection module did not load.<br>
                  The application cannot start without it.
                </div>
              </div>`;
            ol.style.cssText += 'display:flex;opacity:1;pointer-events:all;';
        }
        return;
    }
    InitLog.start();
    InitLog.step('initEvents');
    initEvents();
    InitLog.done('initEvents');
    try {
        await App.init();
        // Incognito / private-mode check — show warning once per session
        if (!sessionStorage.getItem('snv-incognito-warned')) {
            const { isPrivate } = await detectIncognito();
            if (isPrivate) {
                await showIncognitoWarning();
                sessionStorage.setItem('snv-incognito-warned', '1');
            }
        }
    } catch (err) {
        InitLog.error('App.init', err);
        // Show a visible error instead of leaving the user on a grey screen
        const ol = document.getElementById('loading-overlay');
        if (ol) {
            ol.innerHTML = `
              <div style="text-align:center;max-width:380px;padding:0 24px">
                <svg width="44" height="44" viewBox="0 0 24 24" fill="none" style="color:#f44747;margin-bottom:16px" xmlns="http://www.w3.org/2000/svg">
                  <path d="M12 2L2 20h20z" stroke="currentColor" stroke-width="1.5" stroke-linejoin="round"/>
                  <path d="M12 9v5" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/>
                  <circle cx="12" cy="16.5" r="0.8" fill="currentColor"/>
                </svg>
                <div style="color:var(--text);font-size:16px;font-weight:600;margin-bottom:8px">Failed to initialize</div>
                <div style="color:var(--text-dim);font-size:13px;line-height:1.7;margin-bottom:16px">${escHtml(String(err?.message || err))}</div>
                <button class="btn btn-primary" onclick="location.reload()">Reload</button>
              </div>`;
            ol.style.cssText += 'display:flex;opacity:1;pointer-events:all;';
        }
    }
    InitLog.finish();
});

/* ============================================================
   SAFENOVA PROACTIVE — FORCE LOCK
   ============================================================ */
// Fired by daemon.js whenever a security threat is detected.
// F2: Call __snvEmergencyLock first — directly nukes storage and zeroes app state
// regardless of whether App.lockContainer was patched. Then also try lockContainer
// for full UI cleanup (close file editor, show lock screen).
// The reason from e.detail is shown as a toast so the user always sees why the
// container locked — even when _showAlert is blocked by its 10 s rate-limit.
window.addEventListener('snv:lock', e => {
    try { window.__snvEmergencyLock?.(); } catch { }
    if (typeof App !== 'undefined' && App.container) {
        const reason = e?.detail?.reason;
        if (typeof reason === 'string' && reason) toast(reason, 'warn');
        App.lockContainer();
    }
});

/* ============================================================
   SAFENOVA PROACTIVE — DEAD MAN'S SWITCH  (C1)
   ============================================================ */
// daemon.js dispatches 'snv:alive' every watchdog tick (~1 s).
// If the heartbeat goes silent for >3 s the watchdog was killed —
// lock all containers immediately so keys are not left in memory.
(() => {
    let _lastAlive = Date.now(), _lastHbN = 0;
    window.addEventListener('snv:alive', e => {
        // Only accept events with a strictly increasing monotonic counter (E5)
        // capped to a maximum jump of 15 per event.
        // Without the upper bound an attacker (Self-XSS / extension) can dispatch
        // snv:alive with n = Number.MAX_SAFE_INTEGER, permanently advancing _lastHbN
        // so all real daemon ticks (n=1,2,3…) are rejected → forced lockout in 3 s.
        //
        // The +15 bound was sized for "three slow mechanisms × ~1 tick/s = ~3 ticks/s"
        // (mechanisms 2/3/4). Mechanism 1 (setInterval 50 ms = 20 ticks/s) was added
        // later, bringing the real rate to ~23 ticks/s. At that rate, +15 covers only
        // ~650 ms of startup gap — far too small for a fresh browser session where the
        // ~485 KB of bottom-of-body scripts must be fetched over the network. During
        // those network fetches the main thread is idle and the daemon's 50 ms
        // setInterval fires freely, pushing _heartbeatN past 15 before this listener
        // is registered. Every subsequent real heartbeat then fails n <= _lastHbN + 15,
        // _lastAlive is never refreshed, and the DMS fires 3 s after unlock.
        //
        // Fix (bootstrap exemption): on the very first accepted event (_lastHbN === 0)
        // skip the upper-bound check entirely — any n > 0 is accepted. The daemon is
        // the only source of snv:alive events with a monotonically increasing counter,
        // so the first event is always genuine. After this single bootstrap event the
        // strict +15 window is restored, preserving the security guarantee that a
        // post-load fake-n jump > 15 cannot permanently silence the real heartbeat.
        const n = e?.detail?.n;
        const isBootstrap = (_lastHbN === 0);
        if (typeof n === 'number' && n > _lastHbN && (isBootstrap || n <= _lastHbN + 15)) {
            _lastHbN = n;
            _lastAlive = Date.now();
        }
    });
    let _dmsLocking = false;
    setInterval(() => {
        if (Date.now() - _lastAlive > 3000 && typeof App !== 'undefined' && App.container && !_dmsLocking) {
            // F2: __snvEmergencyLock nukes storage and zeroes app state directly,
            // bypassing a patched App.lockContainer. Then still try lockContainer
            // for UI cleanup (close editor, show lock screen).
            // _dmsLocking prevents re-entrant fires while lockContainer is still
            // running asynchronously (interval period < async completion time).
            _dmsLocking = true;
            // BUG-FIX: Pass the reason string so __snvEmergencyLock shows the alert
            // overlay (previously the user saw the animated veil with no explanation).
            try { window.__snvEmergencyLock?.('Security guard stopped responding \u2014 container locked for safety.'); } catch { }
            toast('Security guard stopped responding — container locked for safety.', 'warn');
            App.lockContainer().finally(() => { _dmsLocking = false; });
        }
    }, 1000);
})();

/* ============================================================
   CROSS-TAB SESSION GUARD
   ============================================================ */
// When another tab claims (or force-kicks) our container, lock immediately.
window.addEventListener('storage', e => {
    // ── Kick: another tab force-claimed our container ──────────
    if (App.container && e.key === 'snv-open-' + App.container.id) {
        try {
            const d = e.newValue ? JSON.parse(e.newValue) : null;
            if (d && d.tab !== _TAB_ID && d.kick) {
                App.lockContainer();
                toast('This container was opened in another tab — session ended.', 'warn');
            }
        } catch { /* ignore corrupt value */ }
    }

    // ── Session badge live-update: any session blob change ─────
    // When another tab saves or clears a remembered session, refresh the home
    // view so the "Session active" badge is immediately up-to-date.
    if (App.view === 'home' && e.key && (e.key.startsWith('snv-sb-') || e.key.startsWith('snv-s-'))) {
        Home.render();
    }
});

// Release the session claim on tab close / navigation.
// beforeunload (desktop) shows a dialog when an operation is in progress.
// pagehide (mobile / bfcache) fires on navigation but is NOT cancelable —
// calling e.preventDefault() or setting e.returnValue here is a spec no-op,
// so it only handles session cleanup.
function _onTabUnload(e) {
    if (_appBusy > 0) { e.preventDefault(); e.returnValue = ''; }
    if (App.container?.id) _stopContainerSession(App.container.id);
}
window.addEventListener('beforeunload', _onTabUnload);
window.addEventListener('pagehide', () => {
    if (App.container?.id) _stopContainerSession(App.container.id);
});

/* ============================================================
   SETTINGS HINT TOOLTIPS
   ============================================================ */
(function () {
    let _stip = null;

    document.addEventListener('mouseover', e => {
        const hint = e.target.closest('.settings-hint');
        if (!hint || !hint.dataset.tip) return;
        if (_stip) return;
        _stip = document.createElement('div');
        _stip.className = 'settings-tip';
        // Use \u2028 in data-tip as line separator — render as <br>
        _stip.innerHTML = hint.dataset.tip.split('\u2028').map(s => escHtml(s)).join('<br>');
        _stip.style.cssText = 'visibility:hidden';
        document.body.appendChild(_stip);
        const r = hint.getBoundingClientRect(),
            tw = _stip.offsetWidth,
            th = _stip.offsetHeight;
        let left = r.right + 8,
            top = r.top + (r.height / 2) - (th / 2);
        // Flip left if not enough room on the right
        if (left + tw > window.innerWidth - 8) left = r.left - tw - 8;
        // Clamp vertically
        top = Math.min(Math.max(top, 6), window.innerHeight - th - 6);
        _stip.style.cssText = `left:${left}px;top:${top}px`;
    });

    document.addEventListener('mouseout', e => {
        const hint = e.target.closest('.settings-hint');
        if (!hint) return;
        // Cursor moved to a child element of the same hint — don't destroy
        if (hint.contains(e.relatedTarget)) return;
        if (_stip) { _stip.remove(); _stip = null; }
    });
})();


================================================
FILE: src/js/proactive/daemon.js
================================================
'use strict';

/* ============================================================
   SafeNova Proactive — Anti-Tamper Runtime Integrity Guard
   Version 6

   Loads BEFORE all other application scripts. Every other
   module checks window.__snvGuard.active at boot; if the
   guard is absent or inactive the app refuses to start.

   Responsibilities
   ─────────────────
   1. Capture all security-critical native function references
      at the earliest possible moment (before any extension or
      injected script can tamper), including typed arrays, Blob,
      URL, timers, and requestAnimationFrame

   2. Validate captured references — confirm every just-captured
      function is still truly native before trusting it; if any
      captured reference is already non-native the app refuses
      to start (pre-capture tampering guard)

   3. Verify that those natives are still native on every tick
      (1 s interval): crypto.subtle.*, crypto.getRandomValues,
      IDBFactory, Storage, btoa/atob, TextEncoder, Uint8Array,
      ArrayBuffer, DataView, Blob, URL, TextDecoder,
      CompressionStream, DecompressionStream

   4. Install protective hooks on outbound network, DOM, and eval APIs:
        • fetch / XMLHttpRequest.open / navigator.sendBeacon
        • WebSocket / window.open / EventSource
        • Worker / SharedWorker (data: + blob: + external URL blocked)
        • window.eval / new Function() constructor (E15/E16)
        • setTimeout / setInterval string callbacks (E14)
        • Element.setAttribute / innerHTML / outerHTML
        • insertAdjacentHTML / document.write / document.writeln
        • Location navigation (assign / replace / href setter)
        • HTMLFormElement.submit / resource property setters on
          img / script / iframe / video / audio / embed / object /
          link / anchor / area prototypes
        → MutationObserver defense-in-depth on entire document tree

   5. Watchdog resilience — four independent timer mechanisms
      (setInterval, recursive setTimeout, rAF chain, MessageChannel
      self-ping) make it impossible to kill the watchdog without
      page-level control. clearInterval/clearTimeout are guarded —
      attempts to clear watchdog timer IDs are silently ignored.

   6. Dead man's switch — every tick dispatches 'snv:alive'.
      main.js monitors the heartbeat; if >3 s silence → auto-lock.

   7. On any real threat (native crypto/storage/encoding/array
      tamper, or external network request):
        a. Immediately wipe all snv-* keys from localStorage
           and sessionStorage using captured native references
        b. Show a dismissible overlay warning the user

   8. Visibility-change fast check — when tab becomes visible,
      an immediate full tick runs so attacks during background
      cannot exploit the ~1 s window.

   9. App function integrity (G1) — critical Crypto module methods
      (encrypt, decrypt, encryptBin, decryptBin, deriveKey,
      deriveKeyAndRaw, importRawKey, checkVerification,
      makeVerification), App.lockContainer, VFS.init, and
      WinManager.closeAll are wrapped through _mkProxy at window load
      so toString() reveals only the thin forwarder body (same double-
      hook pattern as network/DOM hooks).  Raw references are kept
      closure-private for _wipeAppState.  Proxied references are
      compared by identity on every tick — replacing any of them via
      the DevTools console triggers an immediate alert and key-wipe.

  10. Debugger trap (G3) — on threat detection a 'debugger' statement
      fires every 50 ms for up to 5 minutes. If DevTools are open this
      pauses the JS engine, blocking follow-up console commands. Has
      zero cost when DevTools are closed (native no-op).

  11. Console threat log (G2) — every detected threat emits a styled
      red console.error, providing a forensic trace even if the visual
      overlay is later dismissed.

   Intentionally excluded from checks:
   • console namespace — overrides are common and benign
   • Function.prototype.toString — protected via captured ref
     (_fnToString); live checks cause false positives from
     extensions that legitimately wrap it
   • document.createElement — extensions create elements
     (including <script>) for their own content scripts;
     blocking this causes widespread false positives.
     Note: <script> elements with an external src= injected
     dynamically after page load ARE silently removed via
     MutationObserver (section 8b) without triggering a
     full alert — console trace only
   • JSON.stringify/parse — DevTools and frameworks patch these
   • Promise / Promise.prototype.then — polyfills wrap these
   • performance.now — privacy extensions add jitter
   • Object.defineProperty — too many legitimate uses
   • window.location setter — [Unforgeable]; cannot be intercepted
   Note: eval / new Function() constructor ARE blocked (E15/E16).

   Design philosophy
   ─────────────────
   This daemon's primary goal is to protect as many JS primitives and
   APIs as possible. At the same time the daemon itself uses JS to an
   absolute minimum: all internal calls go through the frozen `_N`
   snapshot rather than live globals, loop counters use indexed `for`
   instead of iterator-based `for…of`, property lookups use the `in`
   operator instead of hookable Set/Map methods, and string operations
   use pure operator-level reimplementations (`_pureToLower`,
   `_pureIndexOf`, `_pureSlice`) built entirely from bracket indexing,
   `.length`, `+` concatenation, and comparison operators — zero
   prototype method calls, immune to ANY prototype poisoning.
   The original captured references (`_strSlice`, `_strToLower`,
   `_strIndexOf`) are retained solely for boot-time and per-tick
   native validation — they are never used for actual string operations.
   As a direct result, the integrity-checking core is well-isolated
   and resistant to most hook-based attacks: replacing window.fetch,
   Array.prototype.push, String.prototype.toLowerCase, or other live
   globals after page load cannot change daemon behaviour — the daemon
   uses only pure operators for string processing, validates captured
   references on every tick, and would detect the replacement before
   an attacker could leverage it.
   ============================================================ */

(() => {

    // DEBUG: set to true to disable all protection mechanisms
    // (hooks, alerts, nukeStorage, native checks, debugger trap)
    // while keeping timers and heartbeat alive. Used to isolate
    // whether daemon.js is the cause of session invalidation.
    const _DISABLE_PROACTIVE_ANTITAMPER = false;

    /* ──────────────────────────────────────────────────────────
       0.  Earliest possible capture — before anything else runs
       ────────────────────────────────────────────────────────── */

    // BUG-A/B/C/D/F/J/K: Capture security-critical Object/Array/String/RegExp methods at
    // the very first line — before any code can replace them.  These are IIFE-private
    // const bindings (non-reassignable) used as safe alternatives to live prototype
    // calls throughout the guard.
    //   _freeze     → Object.freeze — used to freeze _N (BUG-D)
    //   _reTest     → RegExp.prototype.test — used in _isNative & bootstrap (BUG-A)
    //   _arrPush    → Array.prototype.push — safe array append (BUG-F)
    //   _strSlice   → String.prototype.slice — prefix check in _nukeStorage (BUG-C)
    //   _strToLower → String.prototype.toLowerCase — tag/attribute name normalization in
    //                 DOM exfiltration hooks; replacing with identity passes ONCLICK/SRC
    //                 uppercase through every on* and resource-attribute check (BUG-K)
    //   _strIndexOf → String.prototype.indexOf — HTML threat scanner early-exit and
    //                 attribute extraction; replacing with () => -1 disables the entire
    //                 scanner and breaks Worker data:/blob: URL blocking (BUG-J)
    const _freeze = Object.freeze;
    const _reTest = RegExp.prototype.test;
    const _arrPush = Array.prototype.push;
    const _strSlice = String.prototype.slice;
    const _strToLower = String.prototype.toLowerCase;
    const _strIndexOf = String.prototype.indexOf;

    // ── Pure operator-level string utilities ──────────────────────
    // Built entirely from language-level operators: bracket indexing (s[i]),
    // .length (string internal slot — non-overridable), concatenation (+),
    // comparison (===, >=, <=), and arithmetic.  ZERO prototype method calls.
    //
    // Why not just _reflectApply(_strSlice, …)?
    //   That chain has two dependencies: captured Reflect.apply + captured
    //   String.prototype.slice.  Both are validated native at boot and on
    //   every tick, so the practical risk is near-zero.  But the pure
    //   implementations remove even this theoretical dependency: they have
    //   NO external call targets — the JS engine resolves bracket indexing
    //   and `+` at the bytecode level, entirely outside the prototype
    //   lookup mechanism.  An attacker who controls every prototype in the
    //   runtime still cannot affect these functions.
    //
    // _LOWER_MAP — frozen A-Z → a-z lookup.  Own-property access via []
    // uses the engine's internal hash table, NOT Object.prototype.
    const _LOWER_MAP = _freeze({
        A: 'a', B: 'b', C: 'c', D: 'd', E: 'e', F: 'f', G: 'g', H: 'h', I: 'i',
        J: 'j', K: 'k', L: 'l', M: 'm', N: 'n', O: 'o', P: 'p', Q: 'q', R: 'r',
        S: 's', T: 't', U: 'u', V: 'v', W: 'w', X: 'x', Y: 'y', Z: 'z'
    });

    // _pureToLower(s) — ASCII toLowerCase.
    // Only A-Z (U+0041-U+005A) are mapped; all other code points pass through.
    // Sufficient for daemon.js: HTML tag names, attribute names, URL protocols
    // and hosts are always pure ASCII per the relevant W3C / WHATWG specs.
    const _pureToLower = s => {
        let r = '';
        for (let i = 0, len = s.length; i < len; i++) {
            const c = s[i];
            r += (c >= 'A' && c <= 'Z') ? _LOWER_MAP[c] : c;
        }
        return r;
    };

    // _pureIndexOf(s, needle [, from]) — substring search via nested indexed loop.
    // Returns first index of needle in s starting at from (default 0), or -1.
    const _pureIndexOf = (s, needle, from) => {
        const sLen = s.length, nLen = needle.length;
        if (nLen === 0) return 0;
        const start = (from !== void 0 && from > 0) ? from : 0;
        const limit = sLen - nLen;
        outer: for (let i = start; i <= limit; i++) {
            for (let j = 0; j < nLen; j++) {
                if (s[i + j] !== needle[j]) continue outer;
            }
            return i;
        }
        return -1;
    };

    // _pureSlice(s, start [, end]) — substring extraction via bracket + concatenation.
    const _pureSlice = (s, start, end) => {
        const len = s.length;
        let a = start < 0 ? (len + start > 0 ? len + start : 0) : (start > len ? len : start);
        let b = end === void 0 ? len : (end < 0 ? (len + end > 0 ? len + end : 0) : (end > len ? len : end));
        let r = '';
        for (let i = a; i < b; i++) r += s[i];
        return r;
    };

    // _pureCollapseAttrSpaces(s) — removes ASCII spaces/tabs around '=' in HTML
    // attribute assignments (e.g. 'src = "url"' → 'src="url"').
    // Per the HTML5 tokenizer spec an attribute name may be separated from its
    // value by optional whitespace around the '=' sign; without normalisation
    // a search for the literal 'src=' misses 'src =' and 'src ='.
    // Built entirely from bracket indexing, .length, comparison and concatenation —
    // ZERO prototype method calls, immune to String.prototype poisoning.
    const _pureCollapseAttrSpaces = s => {
        let r = '';
        const len = s.length;
        let i = 0;
        // FIX-QUO: track whether we are inside a quoted attribute value so that
        // '=' characters and surrounding spaces WITHIN a value (e.g. '?w=10&h = 5')
        // are not collapsed.  Without this, URLs with ' = ' inside their query
        // string are silently mutated, corrupting the URL shown in alert messages.
        // 0 = outside quotes, 34 = inside "-quote, 39 = inside '-quote.
        let inQuote = 0;
        while (i < len) {
            const c = s[i];
            if (inQuote !== 0) {
                // Inside a quoted value — pass everything through unchanged.
                if ((inQuote === 34 && c === '"') || (inQuote === 39 && c === "'")) inQuote = 0;
                r += c; i++;
            } else if (c === '"') {
                inQuote = 34; r += c; i++;
            } else if (c === "'") {
                inQuote = 39; r += c; i++;
            } else if (c === ' ' || c === '\t') {
                // Peek ahead: if the first non-space char is '=', these are
                // pre-'=' spaces — skip them entirely.
                let j = i;
                while (j < len && (s[j] === ' ' || s[j] === '\t')) j++;
                if (j < len && s[j] === '=') { i = j; continue; }
                r += c; i++;
            } else if (c === '=') {
                r += c; i++;
                // Skip post-'=' spaces so value starts immediately after '='.
                while (i < len && (s[i] === ' ' || s[i] === '\t')) i++;
            } else {
                r += c; i++;
            }
        }
        return r;
    };

    // Capture Function.prototype.toString before anyone can spoof it.
    // All subsequent "is this native?" checks use this reference directly.
    const _fnToString = Function.prototype.toString;

    // CRIT-1: _isNative MUST use Reflect.apply, NOT _fnToString.call().
    // Reason: _fnToString.call(fn) resolves .call via the live
    // Function.prototype.call property.  An attacker who replaces
    // Function.prototype.call AFTER daemon boot (Self-XSS) with a fake that
    // always returns '{ [native code] }' makes _isNative return true for ANY
    // function — including freshly-injected crypto replacements — bypassing
    // every native check on every tick.
    // Reflect.apply(fn, thisArg, args) goes directly to the C++ [[Call]]
    // internal method without touching Function.prototype.call at all.
    // _reflectApply is captured here at the very top (before _N is built)
    // so an early replacement of Reflect.apply is still caught by the
    // pre-capture validation below.
    const _reflectApply = Reflect.apply;

    // A genuine native function's body is exactly `{ [native code] }` with
    // nothing else inside — no source lines, no comments.
    // A simple .includes('[native code]') test is fooled by:
    //   function fake() { // [native code]\n  return 1; }
    // The regex requires [native code] to be the ONLY content of the body,
    // which covers both Chrome (single-line) and Firefox (indented) formats.
    // BUG-A: _nativeRe is a const binding; _isNative calls _reTest via _reflectApply
    // so a post-boot live RegExp.prototype.test replacement cannot make _isNative
    // return true for every function, bypassing all watchdog native checks.
    const _nativeRe = /\{\s*\[native code\]\s*\}\s*$/;
    const _isNative = fn =>
        typeof fn === 'function' &&
        _reflectApply(_reTest, _nativeRe, [_reflectApply(_fnToString, fn, [])]);

    // HEX-1: nibble → hex-char lookup — pure array index operator, zero function calls.
    // Used for canary generation and _ALERT_HOST_CLS; defined here so both can use it.
    const _HEX_CHARS = '0123456789abcdef';

    const _origin = window.location.origin;

    // Capture direct object references to the storage instances.
    // This is done BEFORE building _N because window.localStorage and
    // window.sessionStorage are live getters — if an attacker later
    // replaces them with Object.defineProperty, our saved refs still
    // point to the real storage objects, so _nukeStorage cannot be
    // fooled by a getter-level interception.
    const _ls = (() => { try { return window.localStorage; } catch { return null; } })();
    const _ss = (() => { try { return window.sessionStorage; } catch { return null; } })();
    // Early capture of CacheStorage and ServiceWorkerContainer instances —
    // same rationale as _ls/_ss: if an attacker later replaces window.caches
    // or navigator.serviceWorker via Object.defineProperty, _nukeCachesAndWorkers
    // still operates on the real objects.
    const _caches = (() => { try { return (typeof caches !== 'undefined' ? caches : null); } catch { return null; } })();
    const _sw = (() => { try { return (navigator && navigator.serviceWorker ? navigator.serviceWorker : null); } catch { return null; } })();

    /* ──────────────────────────────────────────────────────────
       0b. Pre-existence guard-token check
           If __snvGuard already exists on window an attacker
           pre-defined it (e.g. via MV2 document_start) to hold
           active:true while blocking our Object.defineProperty.
           We record this; __snvVerify will return false.
       ────────────────────────────────────────────────────────── */
    const _guardPreexisted = (function () {
        // V14: Use `in` operator (unhookable) instead of live
        // Object.prototype.hasOwnProperty.call which goes through the prototype chain.
        try { return '__snvGuard' in window; } catch { return true; }
    }());

    /* ──────────────────────────────────────────────────────────
       0c. Bootstrap-validate Function.prototype.toString and .call
           BEFORE building _N — avoids circular dependency.
           Uses structural checks (.name, .length) and String()
           coercion (a different code path from _fnToString.call)
           to cross-verify that the foundational helpers are genuine.
           BUG-A: All regex tests use _reflectApply(_reTest, ...) so a live
           RegExp.prototype.test replacement at MV2 document_start cannot
           cause _fnToStringValid / _fnCallValid to return true for fakes.
           _nativeRe (defined in section 0) is reused — no duplicate.
       ────────────────────────────────────────────────────────── */
    const _fnToStringValid =
        typeof _fnToString === 'function' &&
        _fnToString.name === 'toString' &&
        _fnToString.length === 0 &&
        (function () { try { return _reflectApply(_reTest, _nativeRe, ['' + _fnToString]); } catch { return false; } }());
    const _fnCallValid =
        typeof Function.prototype.call === 'function' &&
        Function.prototype.call.name === 'call' &&
        Function.prototype.call.length === 1 &&
        (function () { try { return _reflectApply(_reTest, _nativeRe, ['' + Function.prototype.call]); } catch { return false; } }());

    /* ──────────────────────────────────────────────────────────
       0d. Native restoration via about:blank iframe
           MV2 extensions (run_at:document_start) can wrap or
           replace globals and prototype methods on the main
           window before daemon.js evaluates.  A programmatically-
           created about:blank iframe has a completely fresh
           contentWindow that extensions have never touched.
           We restore as many security-critical natives as possible
           from the iframe onto the main window, then immediately
           remove the iframe from the DOM.  By the time section 1
           builds _N, it sees the restored native references.

           Restoration order matters:
             1. Object / Reflect / Array / String / RegExp primitives
                — restored first so all subsequent Object.defineProperty
                  calls in this block use the native version.
             2. Window-level globals (fetch, XHR, timers, URL, …)
             3. Crypto — window.crypto is [Unforgeable]; methods are
                restored via Object.defineProperty individually.
             4. Prototype methods (XHR, EventTarget, Element, Node,
                Document, Storage, IDB, Location, Navigator, …)
             5. Console reference (for _N.consoleError)

           Security: Document.prototype.createElement and
           Node.prototype.appendChild/.removeChild are validated as
           native via _isNative (from section 0) before use.
           If any of them is tampered, _canUseIframe is false and
           section 1b _captureClean checks will refuse boot.
       ────────────────────────────────────────────────────────── */
    const _docCreateEl = Document.prototype.createElement;
    const _nodeAppend = Node.prototype.appendChild;
    const _nodeRemove = Node.prototype.removeChild;
    // Verify the DOM creation primitives are native before trusting them.
    const _canUseIframe = _isNative(_docCreateEl) && _isNative(_nodeAppend) && _isNative(_nodeRemove);

    let _ifrConsoleErr = null;
    // D3: set to true after the init-phase iframe is removed — enables post-init
    // <iframe> creation block in _createElementImpl.
    let _iframeRestoreDone = false;

    if (_canUseIframe) {
        try {
            const _ifr = _reflectApply(_docCreateEl, document, ['iframe']);
            _ifr.style.cssText = 'display:none;width:0;height:0;position:absolute;left:-9999px;top:-9999px';
            // document.body does not exist when <head> scripts run — use documentElement.
            _reflectApply(_nodeAppend, document.documentElement, [_ifr]);
            const _iwin = _ifr.contentWindow;

            if (_iwin && typeof _iwin === 'object') {
                // Restore target[prop] from iframe value, but only if the value is a
                // native function — guards against a nested-poison iframe scenario.
                // Uses simple assignment (not Object.defineProperty) to bypass any
                // setter-level interception that may still be in place at call time.
                const _rst = (target, prop, val) => {
                    if (typeof val === 'function' && _isNative(val)) {
                        try { target[prop] = val; } catch { }
                    }
                };

                // ── 1. Core language primitives ───────────────────────
                // Restore Object.defineProperty first — all subsequent descriptor-
                // based restorations (innerHTML, href, storage.length, …) will then
                // call the native version.
                if (_iwin.Object) {
                    _rst(Object, 'defineProperty', _iwin.Object.defineProperty);
                    _rst(Object, 'getOwnPropertyDescriptor', _iwin.Object.getOwnPropertyDescriptor);
                    _rst(Object, 'getOwnPropertyDescriptors', _iwin.Object.getOwnPropertyDescriptors);
                    _rst(Object, 'freeze', _iwin.Object.freeze);
                    _rst(Object, 'keys', _iwin.Object.keys);
                    _rst(Object, 'assign', _iwin.Object.assign);
                }
                if (_iwin.Reflect) {
                    _rst(Reflect, 'apply', _iwin.Reflect.apply);
                    _rst(Reflect, 'construct', _iwin.Reflect.construct);
                    _rst(Reflect, 'defineProperty', _iwin.Reflect.defineProperty);
                    _rst(Reflect, 'ownKeys', _iwin.Reflect.ownKeys);
                }
                if (_iwin.RegExp) _rst(RegExp.prototype, 'test', _iwin.RegExp.prototype.test);
                if (_iwin.Array) {
                    _rst(Array.prototype, 'push', _iwin.Array.prototype.push);
                    _rst(Array.prototype, 'slice', _iwin.Array.prototype.slice);
                    _rst(Array, 'from', _iwin.Array.from);
                    _rst(Array, 'isArray', _iwin.Array.isArray);
                }
                if (_iwin.String) {
                    _rst(String.prototype, 'slice', _iwin.String.prototype.slice);
                    _rst(String.prototype, 'indexOf', _iwin.String.prototype.indexOf);
                    _rst(String.prototype, 'toLowerCase', _iwin.String.prototype.toLowerCase);
                }

                // ── 2. Window-level globals ───────────────────────────
                _rst(window, 'fetch', _iwin.fetch);
                _rst(window, 'XMLHttpRequest', _iwin.XMLHttpRequest);
                _rst(window, 'WebSocket', _iwin.WebSocket);
                _rst(window, 'EventSource', _iwin.EventSource);
                _rst(window, 'Worker', _iwin.Worker);
                _rst(window, 'MutationObserver', _iwin.MutationObserver);
                _rst(window, 'CustomEvent', _iwin.CustomEvent);
                // URL and Blob constructors are intentionally NOT restored from
                // the iframe.  After iframe DOM removal the browsing context is
                // destroyed; constructors and static methods that depend on the
                // originating realm (Blob storage, blob-URL registry) produce
                // objects in a dead context — URL.createObjectURL returns URLs
                // the browser cannot serve, causing downloads to fall back to
                // the current HTML page (same class of bug as the crypto .bind()
                // hang).  The daemon still captures these in _N and validates
                // nativity every watchdog tick; pre-load tampering is detected
                // at boot and the app refuses to start.
                // _rst(window, 'URL',  _iwin.URL);
                // _rst(window, 'Blob', _iwin.Blob);
                _rst(window, 'Uint8Array', _iwin.Uint8Array);
                _rst(window, 'ArrayBuffer', _iwin.ArrayBuffer);
                _rst(window, 'DataView', _iwin.DataView);
                _rst(window, 'TextEncoder', _iwin.TextEncoder);
                _rst(window, 'TextDecoder', _iwin.TextDecoder);
                _rst(window, 'btoa', _iwin.btoa);
                _rst(window, 'atob', _iwin.atob);
                _rst(window, 'setTimeout', _iwin.setTimeout);
                _rst(window, 'clearTimeout', _iwin.clearTimeout);
                _rst(window, 'setInterval', _iwin.setInterval);
                _rst(window, 'clearInterval', _iwin.clearInterval);
                _rst(window, 'requestAnimationFrame', _iwin.requestAnimationFrame);
                _rst(window, 'cancelAnimationFrame', _iwin.cancelAnimationFrame);
                // eval / Function — restored to native here; E15/E16 hooks block them later
                _rst(window, 'eval', _iwin.eval);
                _rst(window, 'Function', _iwin.Function);
                if (_iwin.SharedWorker) _rst(window, 'SharedWorker', _iwin.SharedWorker);
                if (_iwin.CompressionStream) _rst(window, 'CompressionStream', _iwin.CompressionStream);
                if (_iwin.DecompressionStream) _rst(window, 'DecompressionStream', _iwin.DecompressionStream);

                // ── 3. Crypto ─────────────────────────────────────────
                // window.crypto is [Unforgeable] — cannot be replaced as a whole.
                // Restore getRandomValues and all SubtleCrypto methods individually.
                const _iCrypto = _iwin.crypto;
                if (_iCrypto && typeof _iCrypto === 'object' && window.crypto) {
                    if (typeof _iCrypto.getRandomValues === 'function' && _isNative(_iCrypto.getRandomValues)) {
                        try {
                            Object.defineProperty(window.crypto, 'getRandomValues', {
                                value: _iCrypto.getRandomValues,
                                writable: true, configurable: true, enumerable: true
                            });
                        } catch { }
                    }
                    const _iSubtle = _iCrypto.subtle;
                    if (_iSubtle && typeof _iSubtle === 'object' && window.crypto.subtle) {
                        const _sM = ['encrypt', 'decrypt', 'importKey', 'exportKey',
                            'deriveKey', 'deriveBits', 'digest', 'sign',
                            'verify', 'generateKey', 'wrapKey', 'unwrapKey'];
                        for (let _si = 0; _si < _sM.length; _si++) {
                            const _sv = _iSubtle[_sM[_si]];
                            if (typeof _sv === 'function' && _isNative(_sv)) {
                                try {
                                    Object.defineProperty(window.crypto.subtle, _sM[_si], {
                                        value: _sv,
                                        writable: true, configurable: true, enumerable: true
                                    });
                                } catch { }
                            }
                        }
                    }
                }

                // ── 4. XHR prototype ──────────────────────────────────
                if (_iwin.XMLHttpRequest) {
                    const _iXP = _iwin.XMLHttpRequest.prototype;
                    _rst(XMLHttpRequest.prototype, 'open', _iXP.open);
                    _rst(XMLHttpRequest.prototype, 'send', _iXP.send);
                }

                // ── 5. EventTarget prototype ──────────────────────────
                if (_iwin.EventTarget) {
                    const _iETP = _iwin.EventTarget.prototype;
                    _rst(EventTarget.prototype, 'addEventListener', _iETP.addEventListener);
                    _rst(EventTarget.prototype, 'dispatchEvent', _iETP.dispatchEvent);
                    _rst(EventTarget.prototype, 'removeEventListener', _iETP.removeEventListener);
                }

                // ── 6. Element / Node / Document prototypes ───────────
                if (_iwin.Element) {
                    const _iElP = _iwin.Element.prototype;
                    _rst(Element.prototype, 'setAttribute', _iElP.setAttribute);
                    _rst(Element.prototype, 'getAttribute', _iElP.getAttribute);
                    _rst(Element.prototype, 'removeAttribute', _iElP.removeAttribute);
                    _rst(Element.prototype, 'insertAdjacentHTML', _iElP.insertAdjacentHTML);
                    _rst(Element.prototype, 'querySelector', _iElP.querySelector);
                    _rst(Element.prototype, 'querySelectorAll', _iElP.querySelectorAll);
                    _rst(Element.prototype, 'animate', _iElP.animate);
                    // innerHTML / outerHTML are accessor descriptors — require defineProperty
                    const _iInD = Object.getOwnPropertyDescriptor(_iwin.Element.prototype, 'innerHTML');
                    const _iOuD = Object.getOwnPropertyDescriptor(_iwin.Element.prototype, 'outerHTML');
                    if (_iInD && typeof _iInD.set === 'function') {
                        try { Object.defineProperty(Element.prototype, 'innerHTML', _iInD); } catch { }
                    }
                    if (_iOuD && typeof _iOuD.set === 'function') {
                        try { Object.defineProperty(Element.prototype, 'outerHTML', _iOuD); } catch { }
                    }
                }
                if (_iwin.Node) {
                    const _iNP = _iwin.Node.prototype;
                    _rst(Node.prototype, 'appendChild', _iNP.appendChild);
                    _rst(Node.prototype, 'removeChild', _iNP.removeChild);
                    _rst(Node.prototype, 'insertBefore', _iNP.insertBefore);
                }
                if (_iwin.Document) {
                    const _iDP = _iwin.Document.prototype;
                    _rst(Document.prototype, 'createElement', _iDP.createElement);
                    _rst(Document.prototype, 'getElementById', _iDP.getElementById);
                    _rst(Document.prototype, 'querySelector', _iDP.querySelector);
                    _rst(Document.prototype, 'querySelectorAll', _iDP.querySelectorAll);
                    if (_iDP.write) _rst(Document.prototype, 'write', _iDP.write);
                    if (_iDP.writeln) _rst(Document.prototype, 'writeln', _iDP.writeln);
                }

                // ── 7. Storage prototype ──────────────────────────────
                if (_iwin.Storage) {
                    const _iSP = _iwin.Storage.prototype;
                    _rst(Storage.prototype, 'getItem', _iSP.getItem);
                    _rst(Storage.prototype, 'setItem', _iSP.setItem);
                    _rst(Storage.prototype, 'removeItem', _iSP.removeItem);
                    _rst(Storage.prototype, 'clear', _iSP.clear);
                    _rst(Storage.prototype, 'key', _iSP.key);
                    const _iLD = Object.getOwnPropertyDescriptor(_iwin.Storage.prototype, 'length');
                    if (_iLD && typeof _iLD.get === 'function') {
                        try { Object.defineProperty(Storage.prototype, 'length', _iLD); } catch { }
                    }
                }

                // ── 8. IDBFactory prototype ───────────────────────────
                if (_iwin.IDBFactory) {
                    _rst(IDBFactory.prototype, 'open', _iwin.IDBFactory.prototype.open);
                }

                // ── 9. HTMLFormElement / Location / Navigator ─────────
                if (_iwin.HTMLFormElement) {
                    _rst(HTMLFormElement.prototype, 'submit', _iwin.HTMLFormElement.prototype.submit);
                }
                if (_iwin.Location) {
                    const _iLP = _iwin.Location.prototype;
                    if (typeof _iLP.assign === 'function') _rst(Location.prototype, 'assign', _iLP.assign);
                    if (typeof _iLP.replace === 'function') _rst(Location.prototype, 'replace', _iLP.replace);
                    const _iHD = Object.getOwnPropertyDescriptor(_iwin.Location.prototype, 'href');
                    if (_iHD && typeof _iHD.set === 'function') {
                        try { Object.defineProperty(Location.prototype, 'href', _iHD); } catch { }
                    }
                }
                if (_iwin.Navigator && typeof _iwin.Navigator.prototype.sendBeacon === 'function') {
                    _rst(Navigator.prototype, 'sendBeacon', _iwin.Navigator.prototype.sendBeacon);
                }

                // ── 10. Typed array prototype methods ─────────────────
                if (_iwin.Uint8Array) {
                    const _iU8P = _iwin.Uint8Array.prototype;
                    _rst(Uint8Array.prototype, 'set', _iU8P.set);
                    _rst(Uint8Array.prototype, 'subarray', _iU8P.subarray);
                    _rst(Uint8Array.prototype, 'slice', _iU8P.slice);
                }
                if (_iwin.ArrayBuffer) {
                    _rst(ArrayBuffer.prototype, 'slice', _iwin.ArrayBuffer.prototype.slice);
                }

                // ── 11. URL static methods ────────────────────────────
                // createObjectURL / revokeObjectURL are NOT restored for the
                // same reason as URL and Blob above: calling static methods
                // whose [[Realm]] is the destroyed iframe produces blob URLs
                // that cannot be served by the browser.
                // if (_iwin.URL) {
                //     _rst(URL, 'createObjectURL', _iwin.URL.createObjectURL);
                //     _rst(URL, 'revokeObjectURL', _iwin.URL.revokeObjectURL);
                // }

                // ── 12. Console (for _N.consoleError) ─────────────────
                if (_iwin.console && typeof _iwin.console.error === 'function') {
                    _ifrConsoleErr = _iwin.console.error.bind(_iwin.console);
                }
            }

            // Remove iframe from DOM — JS references remain valid, node is gone
            _reflectApply(_nodeRemove, document.documentElement, [_ifr]);
        } catch { /* frame-src CSP blocked, DOM unavailable — fall back to direct captures */ }
    }
    // D3: all init-phase iframe work is complete — block future iframe creation
    _iframeRestoreDone = true;

    /* ──────────────────────────────────────────────────────────
       1.  Lock in native references
       ────────────────────────────────────────────────────────── */
    // BUG-D: Use captured _freeze (not live Object.freeze) so that replacing
    // Object.freeze = (x) => x before daemon.js loads cannot leave _N mutable.
    const _N = _freeze({
        // Network
        fetch: window.fetch,
        xhrOpen: XMLHttpRequest.prototype.open,
        xhrSend: XMLHttpRequest.prototype.send,
        sendBeacon: navigator.sendBeacon,

        // DOM
        createElement: Document.prototype.createElement,
        appendChild: Element.prototype.appendChild,

        // Crypto
        getRandomValues: crypto.getRandomValues,
        subtleEncrypt: crypto.subtle.encrypt,
        subtleDecrypt: crypto.subtle.decrypt,
        subtleImportKey: crypto.subtle.importKey,
        subtleExportKey: crypto.subtle.exportKey,
        subtleDeriveKey: crypto.subtle.deriveKey,
        subtleDigest: crypto.subtle.digest,

        // IndexedDB
        idbOpen: IDBFactory.prototype.open,

        // Storage (prototype-level, covers both localStorage and sessionStorage)
        storageGetItem: Storage.prototype.getItem,
        storageSetItem: Storage.prototype.setItem,
        storageRemoveItem: Storage.prototype.removeItem,
        storageClear: Storage.prototype.clear,
        storageKey: Storage.prototype.key,
        storageLength: Object.getOwnPropertyDescriptor(Storage.prototype, 'length')?.get,

        // Encoding
        btoa: window.btoa,
        atob: window.atob,
        textEncode: TextEncoder.prototype.encode,
        textDecode: TextDecoder.prototype.decode,

        // Typed Arrays & ArrayBuffer
        Uint8Array: window.Uint8Array,
        Uint8ArraySet: Uint8Array.prototype.set,
        Uint8ArraySubarray: Uint8Array.prototype.subarray,
        Uint8ArraySlice: Uint8Array.prototype.slice,
        ArrayBuffer: window.ArrayBuffer,
        ArrayBufferSlice: ArrayBuffer.prototype.slice,
        DataView: window.DataView,

        // Blob & URL
        Blob: window.Blob,
        URL: window.URL,
        createObjectURL: URL.createObjectURL,
        revokeObjectURL: URL.revokeObjectURL,

        // Compression (may be absent in older browsers)
        CompressionStream: window.CompressionStream ?? null,
        DecompressionStream: window.DecompressionStream ?? null,

        // Timers — captured BEFORE any code can replace them
        _setInterval: window.setInterval,
        _clearInterval: window.clearInterval,
        _setTimeout: window.setTimeout,
        _clearTimeout: window.clearTimeout,
        _requestAnimationFrame: window.requestAnimationFrame,

        // Document.cookie descriptor (validate getter/setter not replaced)
        cookieDesc: Object.getOwnPropertyDescriptor(Document.prototype, 'cookie'),

        // Function meta-methods — hardening for internal .call()/.apply() usages
        fnCall: Function.prototype.call,
        fnApply: Function.prototype.apply,

        // CRIT-1: Reflect.apply — bypasses Function.prototype.call entirely.
        // Used in _isNative so a live Function.prototype.call replacement cannot
        // make every native check pass.  Captured here so a pre-load replacement
        // is caught in the pre-capture validation block.
        reflectApply: Reflect.apply,

        // CRIT-3: EventTarget.prototype.addEventListener — used for ALL
        // daemon-internal event subscriptions.  If a MV2 extension replaces this
        // at document_start before daemon.js runs, our 'load' listener (which
        // populates G1 refs) would never fire.  Capturing it here and validating
        // it as native ensures we detect the replacement at boot and use our own
        // reference for every internal addEventListener call.
        addEventListener: EventTarget.prototype.addEventListener,

        // CRIT-4: EventTarget.prototype.dispatchEvent — used for heartbeat
        // (snv:alive) and threat events (snv:lock).  window.dispatchEvent is a
        // live property; replacing it with a no-op silently drops both events.
        dispatchEvent: EventTarget.prototype.dispatchEvent,

        // CRIT-4: CustomEvent constructor — captured so an attacker replacing
        // window.CustomEvent cannot intercept or suppress heartbeat payloads.
        CustomEvent: window.CustomEvent,

        // cancelAnimationFrame — needed for E4 guard
        _cancelAnimationFrame: window.cancelAnimationFrame ?? null,

        // MutationObserver — needed for E7 self-healing alert overlay
        MutationObserver: window.MutationObserver ?? null,

        // DOM access — captured to harden against attacker hooking getElementById/querySelector
        // after daemon.js loads. Used exclusively inside _wipeAppState() to reach
        // sensitive UI elements without going through potentially-patched window methods.
        docGetElementById: Document.prototype.getElementById ?? null,
        docQuerySelector: Document.prototype.querySelector ?? null,
        docQuerySelectorAll: Document.prototype.querySelectorAll ?? null,
        elQuerySelectorAll: Element.prototype.querySelectorAll ?? null,

        // Value setters — wipe decrypted plaintext from editor/input elements
        // without relying on the script-accessible .value property path which
        // could be intercepted via Object.defineProperty on the prototype.
        taValueSetter: Object.getOwnPropertyDescriptor(HTMLTextAreaElement?.prototype, 'value')?.set ?? null,
        inputValueSetter: Object.getOwnPropertyDescriptor(HTMLInputElement?.prototype, 'value')?.set ?? null,

        // Web Animations API — used to animate the security barrier veil without
        // a <style> injection (no injectable keyframe name to target via CSS).
        elementAnimate: Element.prototype.animate ?? null,

        // Diagnostics — prefer iframe-sourced console.error (immune to main-window
        // wrapping by MV2 extensions at document_start); fall back to direct capture.
        consoleError: _ifrConsoleErr ?? (console.error?.bind(console) ?? null),

        // DOM exfiltration defense — element methods (D2)
        setAttribute: Element.prototype.setAttribute,
        getAttribute: Element.prototype.getAttribute,
        removeAttribute: Element.prototype.removeAttribute,
        insertAdjacentHTML: Element.prototype.insertAdjacentHTML ?? null,
        formSubmit: HTMLFormElement.prototype.submit,

        // DOM exfiltration — property descriptors for src/href/data/innerHTML/outerHTML
        imgSrcDesc: Object.getOwnPropertyDescriptor(HTMLImageElement.prototype, 'src'),
        scriptSrcDesc: Object.getOwnPropertyDescriptor(HTMLScriptElement.prototype, 'src'),
        iframeSrcDesc: Object.getOwnPropertyDescriptor(HTMLIFrameElement.prototype, 'src'),
        videoSrcDesc: Object.getOwnPropertyDescriptor(HTMLVideoElement.prototype, 'src'),
        audioSrcDesc: Object.getOwnPropertyDescriptor(HTMLAudioElement.prototype, 'src'),
        embedSrcDesc: Object.getOwnPropertyDescriptor(HTMLEmbedElement.prototype, 'src'),
        objectDataDesc: Object.getOwnPropertyDescriptor(HTMLObjectElement.prototype, 'data'),
        linkHrefDesc: Object.getOwnPropertyDescriptor(HTMLLinkElement.prototype, 'href'),
        // <a href> and <area href> are navigation-only — NOT auto-loading resources;
        // hooking them blocks legitimate external links in the app UI (false positives).
        // ping= on anchors is still blocked via _RESOURCE_ATTRS in setAttribute/MO.
        innerHTMLDesc: Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML'),
        outerHTMLDesc: Object.getOwnPropertyDescriptor(Element.prototype, 'outerHTML'),

        // Location defense — captured to block external navigation
        locAssign: Location.prototype.assign ?? null,
        locReplace: Location.prototype.replace ?? null,
        locHrefDesc: Object.getOwnPropertyDescriptor(Location.prototype, 'href') ?? null,

        // Document write defense
        docWrite: Document.prototype.write ?? null,
        docWriteln: Document.prototype.writeln ?? null,

        // UI — captured so our alert overlay cannot itself be intercepted
        alert: window.alert,

        // Location reload — captured so an attacker replacing window.location.reload
        // after daemon.js boots cannot prevent the post-alert page reload.
        locationReload: Location.prototype.reload ?? null,

        // Date.now — captured so rate-limiting (_ALERT_COOLDOWN_MS) and healer
        // deadline cannot be bypassed by replacing Date.now after boot.
        dateNow: Date.now,

        // CacheStorage and ServiceWorkerContainer prototype methods — captured so
        // _nukeCachesAndWorkers uses native methods even if the live globals are
        // later replaced via Object.defineProperty.  Optional: may be null in
        // environments that lack the Cache API or Service Worker support.
        cacheStorageKeys: (typeof CacheStorage !== 'undefined' && CacheStorage.prototype && typeof CacheStorage.prototype.keys === 'function') ? CacheStorage.prototype.keys : null,
        cacheStorageDelete: (typeof CacheStorage !== 'undefined' && CacheStorage.prototype && typeof CacheStorage.prototype.delete === 'function') ? CacheStorage.prototype.delete : null,
        swGetRegistrations: (typeof ServiceWorkerContainer !== 'undefined' && ServiceWorkerContainer.prototype && typeof ServiceWorkerContainer.prototype.getRegistrations === 'function') ? ServiceWorkerContainer.prototype.getRegistrations : null,

        // Promise.prototype.then — used in _nukeCachesAndWorkers to chain async
        // cache/SW wipe callbacks.  If an attacker replaces Promise.prototype.then
        // after boot, the entire cache and SW wipe silently becomes a no-op.
        // Must be validated native at both boot and on every tick.
        promiseThen: Promise.prototype.then,

        // ServiceWorkerRegistration.prototype.unregister — called per-registration
        // in _nukeCachesAndWorkers.  Captured so a post-boot replacement of this
        // prototype method cannot prevent SW unregistration during threat response.
        swUnregister: (typeof ServiceWorkerRegistration !== 'undefined' && ServiceWorkerRegistration.prototype && typeof ServiceWorkerRegistration.prototype.unregister === 'function') ? ServiceWorkerRegistration.prototype.unregister : null,

        // MessagePort.prototype.postMessage — used in the MessageChannel (mechanism 4)
        // watchdog self-ping.  If an attacker replaces this after boot, the fourth
        // watchdog mechanism silently dies; the other three remain active but the
        // defence-in-depth guarantee is weakened.
        portPostMessage: (typeof MessagePort !== 'undefined' && MessagePort.prototype && typeof MessagePort.prototype.postMessage === 'function') ? MessagePort.prototype.postMessage : null,
    });

    /* ──────────────────────────────────────────────────────────
       1b. Pre-capture validation — confirm EVERY captured ref is
           truly native before we trust it.  If malicious code ran
           before daemon.js (e.g. via a MV2 document_start content
           script), any of the just-captured references could
           already be non-native wrappers.  We fail hard here:
           set __snvGuard.active = false so the app refuses to boot.
       ────────────────────────────────────────────────────────── */
    const _CAPTURE_MUST_BE_NATIVE = [
        _N.fetch, _N.xhrOpen, _N.xhrSend,
        _N.getRandomValues,
        _N.subtleEncrypt, _N.subtleDecrypt, _N.subtleImportKey,
        _N.subtleExportKey, _N.subtleDeriveKey, _N.subtleDigest,
        _N.idbOpen,
        _N.storageGetItem, _N.storageSetItem, _N.storageRemoveItem,
        _N.storageClear, _N.storageKey,
        _N.btoa, _N.atob,
        _N.textEncode, _N.textDecode,
        _N.Uint8ArraySet, _N.Uint8ArraySubarray, _N.Uint8ArraySlice,
        _N.ArrayBufferSlice,
        _N.createObjectURL, _N.revokeObjectURL,
        _N._setInterval, _N._clearInterval, _N._setTimeout,
        _N._clearTimeout, _N._requestAnimationFrame,
        _N.fnCall, _N.fnApply,
        // CRIT-1: Reflect.apply must be native (see _isNative comment above)
        _N.reflectApply,
        // CRIT-3/4: event subscription and dispatch must be native
        _N.addEventListener, _N.dispatchEvent,
        // BUG-A/C/D/F/J/K: newly-captured Array/String/Object/RegExp methods
        _reTest, _freeze, _arrPush, _strSlice, _strToLower, _strIndexOf,
        // DOM exfiltration — core methods (D2)
        _N.setAttribute, _N.getAttribute, _N.formSubmit,
        // Date.now — used for alert rate-limiting and healer deadline
        _N.dateNow,
        // Promise.prototype.then — used for async cache/SW wipe callbacks
        _N.promiseThen,
    ];
    // MessagePort.prototype.postMessage — optional (absent in very old browsers)
    if (_N.portPostMessage) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.portPostMessage;
    // Constructors are native but toString prints differently — check them
    // with _isNative which already handles "function Uint8Array() { [native code] }"
    const _CAPTURE_MUST_BE_NATIVE_CTORS = [
        _N.Uint8Array, _N.ArrayBuffer, _N.DataView, _N.Blob, _N.URL,
        // CRIT-4: CustomEvent ctor must be native (see comment above)
        _N.CustomEvent,
    ];
    // Optional: CompressionStream / DecompressionStream may be null in older browsers
    // BUG-F: index assignment avoids live Array.prototype.push
    if (_N.CompressionStream) _CAPTURE_MUST_BE_NATIVE_CTORS[_CAPTURE_MUST_BE_NATIVE_CTORS.length] = _N.CompressionStream;
    if (_N.DecompressionStream) _CAPTURE_MUST_BE_NATIVE_CTORS[_CAPTURE_MUST_BE_NATIVE_CTORS.length] = _N.DecompressionStream;
    // DOM exfiltration — optional method captures (null in older browsers)
    if (_N.insertAdjacentHTML) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.insertAdjacentHTML;
    if (_N.locAssign) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.locAssign;
    if (_N.locReplace) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.locReplace;
    if (_N.docWrite) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.docWrite;
    if (_N.docWriteln) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.docWriteln;
    // CacheStorage / ServiceWorkerContainer methods — optional (absent in some browsers)
    if (_N.cacheStorageKeys) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.cacheStorageKeys;
    if (_N.cacheStorageDelete) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.cacheStorageDelete;
    if (_N.swGetRegistrations) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.swGetRegistrations;
    // locationReload — optional (may be null in non-standard environments)
    if (_N.locationReload) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.locationReload;
    // swUnregister — optional (absent in browsers without Service Worker support)
    if (_N.swUnregister) _CAPTURE_MUST_BE_NATIVE[_CAPTURE_MUST_BE_NATIVE.length] = _N.swUnregister;

    // BUG-E: for...of relies on Array.prototype[Symbol.iterator]; replacing it
    // before daemon.js loads makes both loops iterate zero elements, so
    // _captureClean stays true even when every capture is already tainted.
    // Indexed for-loops access elements by numeric index — immune to any
    // prototype or Symbol replacement.
    let _captureClean = true;
    for (let _ci = 0; _ci < _CAPTURE_MUST_BE_NATIVE.length; _ci++) {
        if (!_isNative(_CAPTURE_MUST_BE_NATIVE[_ci])) { _captureClean = false; break; }
    }
    if (_captureClean) {
        for (let _ci = 0; _ci < _CAPTURE_MUST_BE_NATIVE_CTORS.length; _ci++) {
            if (!_isNative(_CAPTURE_MUST_BE_NATIVE_CTORS[_ci])) { _captureClean = false; break; }
        }
    }
    // storageLength is a getter, not a plain function — validate separately
    if (_captureClean && _N.storageLength && typeof _N.storageLength !== 'function') {
        _captureClean = false;
    }
    // Factor in bootstrap validation results
    if (_captureClean && (!_fnToStringValid || !_fnCallValid)) {
        _captureClean = false;
    }
    // Structural validation for early-captured methods (cannot use _isNative —
    // _reTest is itself one of them, creating a circular dependency).
    // .name checks catch naive spoofing attempts that forget to copy the name.
    if (_captureClean &&
        (typeof _reTest !== 'function' || _reTest.name !== 'test' ||
            typeof _freeze !== 'function' || _freeze.name !== 'freeze' ||
            typeof _arrPush !== 'function' || _arrPush.name !== 'push' ||
            typeof _strSlice !== 'function' || _strSlice.name !== 'slice' ||
            typeof _strToLower !== 'function' || _strToLower.name !== 'toLowerCase' ||
            typeof _strIndexOf !== 'function' || _strIndexOf.name !== 'indexOf')) {
        _captureClean = false;
    }
    // Factor in pre-existence of __snvGuard — indicates attacker setup
    if (_captureClean && _guardPreexisted) {
        _captureClean = false;
    }

    // Session canary — CRIT-2: generated with CSPRNG, NOT Math.random().
    // V8’s Math.random() uses xorshift128+: observing 5–7 subsequent outputs
    // allows an attacker to recover the PRNG state and reverse-compute past
    // values, making the canary predictable and __snvVerify forgeable.
    // _N.getRandomValues (already captured & validated above) uses the
    // browser’s OS-level CSPRNG — its output is irreversible.
    let _canary;
    try {
        const _cb = new _N.Uint8Array(16); // 128 bits of entropy
        _reflectApply(_N.getRandomValues, crypto, [_cb]);
        let _cs = '';
        for (let _i = 0; _i < 16; _i++) {
            const _b = _cb[_i];
            // HEX-1: bitwise nibble extraction — no Number.prototype.toString call
            _cs += _HEX_CHARS[_b >> 4] + _HEX_CHARS[_b & 15];
        }
        _canary = _cs;
    } catch {
        // Only reachable if crypto is tampered — _captureClean is false in that
        // case so the app refuses to boot regardless of the canary value.
        // HEX-1: inline hex from bitwise ops — avoids Number.prototype.toString
        const _r0 = Math.random() * 0xffffffff >>> 0;
        const _r1 = Math.random() * 0xffffffff >>> 0;
        let _fb = '';
        for (let _fi = 28; _fi >= 0; _fi -= 4) _fb += _HEX_CHARS[(_r0 >>> _fi) & 15];
        for (let _fi = 28; _fi >= 0; _fi -= 4) _fb += _HEX_CHARS[(_r1 >>> _fi) & 15];
        _canary = _fb;
    }

    /* ──────────────────────────────────────────────────────────
       2.  Functions that must remain native (we never hook them)
           Each entry: [display name, live-reference getter]

           Function.prototype.toString is deliberately excluded:
           it is protected by the captured _fnToString reference
           and extensions (Adblock, Dark Reader) routinely wrap
           it, causing false positives on every tick.
       ────────────────────────────────────────────────────────── */
    const _NATIVE_CHECKS = [
        // Crypto
        ['crypto.getRandomValues', () => crypto.getRandomValues],
        ['crypto.subtle.encrypt', () => crypto.subtle.encrypt],
        ['crypto.subtle.decrypt', () => crypto.subtle.decrypt],
        ['crypto.subtle.importKey', () => crypto.subtle.importKey],
        ['crypto.subtle.exportKey', () => crypto.subtle.exportKey],
        ['crypto.subtle.deriveKey', () => crypto.subtle.deriveKey],
        ['crypto.subtle.digest', () => crypto.subtle.digest],
        // IndexedDB
        ['IDBFactory.prototype.open', () => IDBFactory.prototype.open],
        // Storage
        ['Storage.prototype.getItem', () => Storage.prototype.getItem],
        ['Storage.prototype.setItem', () => Storage.prototype.setItem],
        ['Storage.prototype.removeItem', () => Storage.prototype.removeItem],
        // Encoding
        ['btoa', () => window.btoa],
        ['atob', () => window.atob],
        ['TextEncoder.prototype.encode', () => TextEncoder.prototype.encode],
        ['TextDecoder.prototype.decode', () => TextDecoder.prototype.decode],
        // Typed Arrays & ArrayBuffer (A1)
        ['Uint8Array', () => window.Uint8Array],
        ['Uint8Array.prototype.set', () => Uint8Array.prototype.set],
        ['Uint8Array.prototype.subarray', () => Uint8Array.prototype.subarray],
        ['Uint8Array.prototype.slice', () => Uint8Array.prototype.slice],
        ['ArrayBuffer', () => window.ArrayBuffer],
        ['ArrayBuffer.prototype.slice', () => ArrayBuffer.prototype.slice],
        ['DataView', () => window.DataView],
        // Blob & URL (A2)
        ['Blob', () => window.Blob],
        ['URL', () => window.URL],
        ['URL.createObjectURL', () => URL.createObjectURL],
        ['URL.revokeObjectURL', () => URL.revokeObjectURL],
    ];
    // BUG-F: All .push() replaced with arr[arr.length]=x — index assignment avoids
    // live Array.prototype.push which could be silently replaced before daemon runs.
    // CompressionStream / DecompressionStream — optional in older browsers
    if (window.CompressionStream) {
        _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['CompressionStream', () => window.CompressionStream];
    }
    if (window.DecompressionStream) {
        _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['DecompressionStream', () => window.DecompressionStream];
    }
    // Function meta-methods (E1b)
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Function.prototype.call', () => Function.prototype.call];
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Function.prototype.apply', () => Function.prototype.apply];
    // CRIT-1: Reflect.apply — must stay native to protect _isNative
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Reflect.apply', () => Reflect.apply];
    // CRIT-3/4: event subscription and dispatch must stay native
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['EventTarget.prototype.addEventListener', () => EventTarget.prototype.addEventListener];
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['EventTarget.prototype.dispatchEvent', () => EventTarget.prototype.dispatchEvent];
    // CRIT-6: XHR.send — captured at boot but was missing from live checks
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['XMLHttpRequest.prototype.send', () => XMLHttpRequest.prototype.send];
    // BUG-A/C/D/F: additional captured methods must stay native on every tick
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['RegExp.prototype.test', () => RegExp.prototype.test];
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Object.freeze', () => Object.freeze];
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Array.prototype.push', () => Array.prototype.push];
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['String.prototype.slice', () => String.prototype.slice];
    // BUG-E: Symbol.iterator — detect if array iteration is poisoned
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Array.prototype[Symbol.iterator]', () => Array.prototype[Symbol.iterator]];
    // DOM exfiltration — getAttribute must stay native (used by MO defense layer)
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Element.prototype.getAttribute', () => Element.prototype.getAttribute];
    // BUG-J/K: toLowerCase and indexOf — used throughout DOM exfiltration hooks;
    // replacing either post-boot bypasses attribute/tag-name checks or the entire
    // HTML threat scanner early-exit and attribute extraction logic.
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['String.prototype.toLowerCase', () => String.prototype.toLowerCase];
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['String.prototype.indexOf', () => String.prototype.indexOf];
    // V11/V12: appendChild and removeChild — used by alert overlay, veil, and
    // MO scanner to inject/remove DOM elements via captured _nodeAppend/_nodeRemove.
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Node.prototype.appendChild', () => Node.prototype.appendChild];
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Node.prototype.removeChild', () => Node.prototype.removeChild];
    // V13: querySelectorAll — used by MO observer to scan descendant elements.
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Element.prototype.querySelectorAll', () => Element.prototype.querySelectorAll];
    // removeAttribute — used by MO observer and scanner to strip malicious attributes.
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Element.prototype.removeAttribute', () => Element.prototype.removeAttribute];
    // Date.now — used for alert rate-limiting and healer deadline; replacing it
    // could suppress alerts or keep the healer alive indefinitely.
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Date.now', () => Date.now];
    // Location.prototype.reload — used in the alert dismiss/reload button.
    if (_N.locationReload) _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Location.prototype.reload', () => Location.prototype.reload];
    // CacheStorage / ServiceWorkerContainer — optional; validate when present.
    if (_N.cacheStorageKeys) _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['CacheStorage.prototype.keys', () => (typeof CacheStorage !== 'undefined' ? CacheStorage.prototype.keys : _N.cacheStorageKeys)];
    if (_N.cacheStorageDelete) _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['CacheStorage.prototype.delete', () => (typeof CacheStorage !== 'undefined' ? CacheStorage.prototype.delete : _N.cacheStorageDelete)];
    if (_N.swGetRegistrations) _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['ServiceWorkerContainer.prototype.getRegistrations', () => (typeof ServiceWorkerContainer !== 'undefined' ? ServiceWorkerContainer.prototype.getRegistrations : _N.swGetRegistrations)];
    // Promise.prototype.then — replacing it silently kills _nukeCachesAndWorkers
    _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['Promise.prototype.then', () => Promise.prototype.then];
    // ServiceWorkerRegistration.prototype.unregister — used per-registration in threat response
    if (_N.swUnregister) _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['ServiceWorkerRegistration.prototype.unregister', () => (typeof ServiceWorkerRegistration !== 'undefined' ? ServiceWorkerRegistration.prototype.unregister : _N.swUnregister)];
    // MessagePort.prototype.postMessage — used in the MC watchdog self-ping
    if (_N.portPostMessage) _NATIVE_CHECKS[_NATIVE_CHECKS.length] = ['MessagePort.prototype.postMessage', () => (typeof MessagePort !== 'undefined' ? MessagePort.prototype.postMessage : _N.portPostMessage)];

    /* ──────────────────────────────────────────────────────────
       3.  Threat response
       ────────────────────────────────────────────────────────── */
    let _lastAlertAt = 0;
    const _ALERT_COOLDOWN_MS = 10_000;

    // Wipe all snv-* keys from storage using a two-pass strategy:
    //   Pass 1 — overwrite every key value with zeros (destroys key
    //             material immediately; even if removeItem is later
    //             intercepted or fails, the actual bytes are gone)
    //   Pass 2 — delete the entries via the captured native prototype ref
    //
    // Uses _ls/_ss (captured object refs) as `this`, NOT the live
    // window.localStorage / window.sessionStorage getters, so a
    // getter-level replacement attack cannot redirect calls to a fake
    // storage object.
    function _nukeStorage() {
        if (_DISABLE_PROACTIVE_ANTITAMPER) return;
        const nuke = (store) => {
            if (!store) return;
            try {
                const len = _reflectApply(_N.storageLength, store, []);
                const keys = [];
                let _ki = 0;
                for (let i = 0; i < len; i++) {
                    const k = _reflectApply(_N.storageKey, store, [i]);
                    // BUG-C: k?.startsWith('snv-') uses live String.prototype.startsWith;
                    // _pureSlice uses only bracket indexing + concatenation — zero prototype calls.
                    // BUG-F: index assignment (keys[_ki++]) replaces keys.push(k).
                    if (k && _pureSlice(k, 0, 4) === 'snv-') { keys[_ki++] = k; }
                }
                if (!keys.length) return;

                // Pass 1: zero out the value — key material is gone
                //         even if the delete step is somehow blocked
                // STR-1: for-loop replaces '\x00'.repeat(256) — no String.prototype.repeat call
                let zeros = '';
                for (let _zi = 0; _zi < 256; _zi++) zeros += '\x00';
                // BUG-B: keys.forEach() uses live Array.prototype.forEach;
                // an indexed for-loop is completely immune to prototype replacement.
                for (_ki = 0; _ki < keys.length; _ki++) {
                    try { _reflectApply(_N.storageSetItem, store, [keys[_ki], zeros]); } catch { }
                }

                // Pass 2: delete the entries
                for (_ki = 0; _ki < keys.length; _ki++) {
                    try { _reflectApply(_N.storageRemoveItem, store, [keys[_ki]]); } catch { }
                }
            } catch { /* storage access denied — skip */ }
        };
        nuke(_ss);
        nuke(_ls);
    }

    // E9: Service Worker & CacheStorage nuke.
    // If an attacker managed to run code (e.g. Self-XSS), they might spawn a
    // rogue Service Worker for persistence or stash data in the Cache API.
    // We unregister all SWs and delete all Cache API storage to guarantee a clean slate.
    // Uses _caches/_sw (captured object refs, see section 0) and captured prototype
    // methods from _N so live window.caches / navigator.serviceWorker replacements
    // cannot redirect these calls to fake objects.
    function _nukeCachesAndWorkers() {
        try {
            if (_caches && _N.cacheStorageKeys && _N.promiseThen) {
                // BUG-I: indexed for-loops replace .forEach() — immune to
                // Array.prototype.forEach replacement (same rationale as BUG-B/E).
                // FIX-PT: use captured _N.promiseThen instead of live .then() —
                // a post-boot Promise.prototype.then replacement would otherwise
                // turn this entire block into a silent no-op.
                _reflectApply(_N.promiseThen, _reflectApply(_N.cacheStorageKeys, _caches, []), [keys => {
                    if (keys && keys.length) {
                        for (let _ki = 0; _ki < keys.length; _ki++) {
                            try {
                                if (_N.cacheStorageDelete) {
                                    _reflectApply(_N.cacheStorageDelete, _caches, [keys[_ki]]);
                                }
                            } catch { }
                        }
                    }
                }, () => { }]);
            }
        } catch { }
        try {
            if (_sw && _N.swGetRegistrations && _N.promiseThen) {
                // FIX-PT: same rationale — use captured promiseThen and swUnregister
                // so post-boot prototype replacements cannot suppress SW cleanup.
                _reflectApply(_N.promiseThen, _reflectApply(_N.swGetRegistrations, _sw, []), [regs => {
                    if (regs && regs.length) {
                        for (let _ri = 0; _ri < regs.length; _ri++) {
                            try {
                                if (_N.swUnregister) _reflectApply(_N.swUnregister, regs[_ri], []);
                                else regs[_ri].unregister();
                            } catch { }
                        }
                    }
                }, () => { }]);
            }
        } catch { }
    }

    // Random class for the alert host element — generated once per page session.
    // ABP cosmetic-filter rules store class selectors persistently; a class that
    // changes on every page load cannot be persistently blocked across sessions.
    // Must start with a letter so it is valid as a CSS identifier.
    // HEX-1: use 5 CSPRNG bytes → 10-char hex string. No Math.random(), no .toString(36).
    let _ALERT_HOST_CLS = 'xsafenova00'; // fallback (never a real CSS class used by ABP rules)
    try {
        const _alcBuf = new _N.Uint8Array(5);
        _reflectApply(_N.getRandomValues, crypto, [_alcBuf]);
        let _alc = 'x';
        for (let _ali = 0; _ali < 5; _ali++) {
            _alc += _HEX_CHARS[_alcBuf[_ali] >> 4] + _HEX_CHARS[_alcBuf[_ali] & 15];
        }
        _ALERT_HOST_CLS = _alc;
    } catch { /* crypto unavailable — fallback is fine for ABP resistance */ }

    // F1: Reference-based alert overlay tracking.
    // Removal detection uses overlay.isConnected (reference-based),
    // which is unaffected by class changes or same-id decoys.
    let _alertOverlay = null;
    let _alertHealer = null; // Bug 1b: module-level ref so old healer can be disconnected

    function _showAlert(reason) {
        // CSS for alert internals — injected into ShadowRoot (external CSS cannot
        // penetrate closed shadows). Uses the same values as app.css .snv-* rules.
        // Every element receives _ALERT_HOST_CLS as first class for ABP-resistance.
        const _css = `
.snv-card{max-width:520px;width:calc(100% - 96px);background:#1e1e1e;border:1px solid #f44747;border-radius:2px;padding:24px 28px;color:#d4d4d4;text-align:left;box-shadow:0 8px 32px rgba(0,0,0,.6)}
.snv-header{display:flex;align-items:center;gap:10px;margin-bottom:16px}
.snv-icon{color:#f44747;flex-shrink:0}
.snv-title{font-size:14px;font-weight:600;color:#f44747;letter-spacing:.01em}
.snv-reason{font-size:12px;font-family:'Cascadia Code',Consolas,'Courier New',monospace;background:#252526;padding:8px 12px;border:1px solid #3c3c3c;border-radius:2px;margin-bottom:14px;word-break:break-all;color:#f44747}
.snv-desc{font-size:13px;line-height:1.6;color:#d4d4d4;margin-bottom:6px}
.snv-desc strong{color:#fff}
.snv-hint{font-size:13px;line-height:1.6;color:#858585;margin-bottom:18px}
.snv-btn{background:#5a1a1a;color:#f44747;border:1px solid #7a2222;border-radius:2px;padding:6px 14px;font-family:'Segoe UI',system-ui,sans-serif;font-size:13px;cursor:pointer}
.snv-btn:hover{background:#7a2222}`;

        const render = () => {
            // Remove previous alert by stored reference, not by predictable selector
            try { _alertOverlay?.remove(); _alertOverlay = null; } catch { }

            // Bug 1b: Disconnect the previous healer before creating a new one.
            // Without this, the old MO keeps trying to re-append the old (already
            // removed) overlay on every body childList change, stacking overlays.
            if (_alertHealer) {
                try { _alertHealer.disconnect(); } catch { }
                _alertHealer = null;
            }

            const _rc = _ALERT_HOST_CLS; // shorthand for random class

            // Use the captured native createElement so hooks cannot interfere
            const overlay = _reflectApply(_N.createElement, document, ['div']);
            // F1: Random session-specific class — cannot be persistently blocked by
            //     cosmetic filters (class name is unguessable and changes every load).
            //     CSS class "snv-overlay" provides the visual styles; _rc defeats ABP.
            overlay.className = _rc + ' snv-overlay';
            // Critical properties use !important; inline !important beats any
            // author-stylesheet !important per the CSS cascade specification.
            // ITER-1: indexed loop — immune to Array.prototype[Symbol.iterator] poisoning
            const _ovStyles = [
                ['position', 'fixed'],
                ['inset', '0'],
                ['z-index', '2147483647'],
                ['background', 'rgba(0,0,0,.85)'],
                ['display', 'flex'],
                ['align-items', 'center'],
                ['justify-content', 'center'],
                ['font-family', '"Segoe UI",system-ui,-apple-system,sans-serif'],
            ];
            for (let _osi = 0; _osi < _ovStyles.length; _osi++) {
                try { overlay.style.setProperty(_ovStyles[_osi][0], _ovStyles[_osi][1], 'important'); } catch { }
            }
            _alertOverlay = overlay;

            // STR-3: for-loop + bracket index + === operator — no String.prototype.replace calls.
            // String.prototype.replace could be spoofed to return unsanitised content,
            // enabling XSS injection into the shadow DOM.  Bracket indexing and === are
            // pure language operators and cannot be intercepted from userland JS.
            const _raw = '' + reason;
            let safeReason = '';
            for (let _sri = 0; _sri < _raw.length; _sri++) {
                const _c = _raw[_sri];
                if (_c === '&') safeReason += '&amp;';
                else if (_c === '<') safeReason += '&lt;';
                else if (_c === '>') safeReason += '&gt;';
                else if (_c === '"') safeReason += '&quot;';
                else safeReason += _c;
            }

            // E7: Closed ShadowRoot — content is invisible to document.querySelector
            // and to inline MutationObserver-based removal attacks. An attacker can
            // still remove the host element, but cannot find or suppress the button.
            let contentRoot = overlay;
            try {
                const shadow = overlay.attachShadow({ mode: 'closed' });
                contentRoot = shadow;
            } catch { /* ShadowRoot unavailable — fall back to plain overlay */ }

            // Inject styles into shadow (external CSS cannot reach closed shadow)
            contentRoot.innerHTML = `<style>${_css}</style>
<div class="${_rc} snv-card">
  <div class="${_rc} snv-header">
    <svg class="${_rc} snv-icon" width="20" height="20" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
      <path d="M12 2L3 7v5c0 5.25 3.75 10.15 9 11.35C17.25 22.15 21 17.25 21 12V7z" stroke="currentColor" stroke-width="1.6" stroke-linejoin="round"/>
      <path d="M12 8v5" stroke="currentColor" stroke-width="1.8" stroke-linecap="round"/>
      <circle cx="12" cy="16" r="1" fill="currentColor"/>
    </svg>
    <span class="${_rc} snv-title">SafeNova Proactive</span>
  </div>
  <div class="${_rc} snv-reason">${safeReason}</div>
  <div class="${_rc} snv-desc">
    A suspicious operation was <strong>blocked</strong> and all encrypted session keys have been <strong>cleared</strong>.
  </div>
  <div class="${_rc} snv-hint">
    This may indicate a malicious browser extension attempting to intercept or exfiltrate data. Audit your installed extensions and reload.
  </div>
  <button class="${_rc} snv-btn" id="snv-pa-ok">
    I understand — Reload
  </button>
</div>`;

            try {
                // V11: Use captured _nodeAppend — live Node.prototype.appendChild
                // could be replaced post-boot to silently prevent alert overlay.
                _reflectApply(_nodeAppend, document.body || document.documentElement, [overlay]);
            } catch { }

            // querySelector searches contentRoot (shadow), not document scope
            const btn = contentRoot.querySelector('#snv-pa-ok');
            if (btn) {
                btn.addEventListener('click', () => {
                    overlay.remove();
                    // Use captured Location.prototype.reload so an attacker who
                    // replaces window.location.reload after boot cannot suppress reload.
                    try { _reflectApply(_N.locationReload, window.location, []); }
                    catch { window.location.reload(); }
                }, { once: true });
            }

            // E7: Self-healing — re-append and reinforce visibility if overlay was
            // removed from DOM OR hidden via a CSS cosmetic filter. Using
            // overlay.isConnected (reference-based) instead of getElementById so an
            // attacker removing the element but keeping a same-id decoy doesn't fool us.
            if (_N.MutationObserver) {
                const _healDeadline = _reflectApply(_N.dateNow, Date, []) + 180_000;
                const _healer = new _N.MutationObserver(() => {
                    // Bug 1c: Stale closure guard — if a newer render() has replaced
                    // _alertOverlay, this healer is orphaned. Disconnect immediately
                    // instead of trying to re-add an overlay that was intentionally removed.
                    if (overlay !== _alertOverlay) { _healer.disconnect(); return; }
                    if (_reflectApply(_N.dateNow, Date, []) > _healDeadline) { _healer.disconnect(); _alertHealer = null; return; }
                    if (!overlay.isConnected) {
                        try { _reflectApply(_nodeAppend, document.body || document.documentElement, [overlay]); } catch { }
                    }
                    // Reinforce display:flex!important in case a stylesheet injection hid it
                    try { overlay.style.setProperty('display', 'flex', 'important'); } catch { }
                });
                _alertHealer = _healer;
                try {
                    // FIX-BDY: observe documentElement (subtree:true) instead of
                    // document.body — if an attacker replaces document.body after
                    // render(), the old observer is on a detached node and never
                    // fires again.  documentElement cannot be replaced from JS.
                    _healer.observe(document.documentElement, { childList: true, subtree: true });
                } catch { }
            }
        };

        if (document.body) {
            render();
        } else {
            // CRIT-3: use captured _N.addEventListener so a live replacement cannot
            // prevent the fallback render from firing.
            _reflectApply(_N.addEventListener, window, ['DOMContentLoaded', render, { once: true }]);
        }
    }

    /* ──────────────────────────────────────────────────────────
       G2.  Console threat log
       ────────────────────────────────────────────────────────── */
    // Prints a styled red error to the DevTools console using the captured
    // _N.consoleError reference, so an attacker who replaces console.error
    // after daemon.js loads cannot suppress the message.
    function _logThreatToConsole(reason) {
        try {
            const _ce = _N.consoleError || console.error.bind(console);
            _ce(
                '%c\u26d4\ufe0f  SafeNova Proactive  \u2502  THREAT DETECTED',
                'background:#6a0000;color:#ff5555;font-size:13px;font-weight:700;padding:3px 8px;border-radius:3px'
            );
            _ce('%c' + ('' + reason),
                'color:#ff4444;font-weight:600;font-size:12px;padding-left:4px'
            );
            _ce(
                '%cAll encrypted session keys have been cleared. The container is locked.',
                'color:#cc6666;padding-left:4px'
            );
        } catch { }
    }

    /* ──────────────────────────────────────────────────────────
       G3.  Debugger trap (Self-XSS / console attack deterrent)
       ────────────────────────────────────────────────────────── */
    // Schedules a 'debugger' statement every 50 ms after a threat fires.
    // When DevTools are open the JS engine pauses at each breakpoint, blocking
    // follow-up console commands. When DevTools are closed this is a no-op.
    // The interval ID is stored in _trapIds so window.clearInterval (our guarded
    // wrapper) silently drops any attempt to cancel it from untrusted code.
    // The trap self-cancels after 5 minutes.
    function _startDebuggerTrap() {
        if (_debugTrapActive) return;
        _debugTrapActive = true;
        const _trapEnd = _reflectApply(_N.dateNow, Date, []) + 300_000;
        const _tidRef = { id: null };
        const _fire = function snvDebugTrap() {
            debugger; // intentional — Self-XSS deterrent // eslint-disable-line no-debugger
            if (_reflectApply(_N.dateNow, Date, []) > _trapEnd) {
                _reflectApply(_N._clearInterval, window, [_tidRef.id]);
                delete _trapIds[_tidRef.id]; // SET-2: delete operator
                _debugTrapActive = false;
            }
        };
        _tidRef.id = _reflectApply(_N._setInterval, window, [_fire, 50]);
        _trapIds[_tidRef.id] = 1; // SET-2: direct assignment
    }

    function _triggerAlert(reason) {
        if (_DISABLE_PROACTIVE_ANTITAMPER) return;
        // Always clear storage immediately — even if we rate-limit the UI
        _nukeStorage();
        _nukeCachesAndWorkers();

        // Directly zero in-memory app state — bypasses the event system;
        // works even if App.lockContainer or the snv:lock listener was patched.
        _wipeAppState();

        // G2: Emit red console error — forensic trace visible in DevTools.
        _logThreatToConsole(reason);

        // G3: Start debugger trap — freezes DevTools console if open.
        _startDebuggerTrap();

        // CRIT-4: Use captured _N.dispatchEvent + _N.CustomEvent so a live
        // window.dispatchEvent = () => {} replacement cannot silently drop
        // the snv:lock event that triggers lockContainer() in main.js.
        try {
            _reflectApply(_N.dispatchEvent, window, [
                new _N.CustomEvent('snv:lock', { detail: { reason } })]);
        } catch { }

        const now = _reflectApply(_N.dateNow, Date, []);
        if (now - _lastAlertAt < _ALERT_COOLDOWN_MS) return;
        _lastAlertAt = now;
        _showAlert(reason);
    }

    /* ──────────────────────────────────────────────────────────
       4.  URL origin check
       ────────────────────────────────────────────────────────── */
    function _isExternal(urlStr) {
        if (!urlStr) return false;
        try {
            const s = '' + urlStr;
            // data: URLs are inline resources (canvas thumbnails, etc.) — always safe
            // BUG-G: s[0] is a pure bracket-indexing operator; _pureSlice uses only
            // bracket indexing + concatenation — no hookable prototype method at all.
            if (s[0] === 'd' && _pureSlice(s, 0, 5) === 'data:') return false;
            const parsed = new _N.URL(s, window.location.href);
            const proto = parsed.protocol;
            // Browser-extension resources are injected by user-installed extensions
            if (proto === 'chrome-extension:' || proto === 'moz-extension:'
                || proto === 'safari-web-extension:') return false;
            return parsed.origin !== _origin;
        } catch {
            return true; // FAIL-CLOSED: unparseable URL is treated as external
        }
    }

    /* ──────────────────────────────────────────────────────────
       5.  Hook installation — double-hook pattern
           The real logic lives in IIFE-private _*Impl closures.
           The publicly assigned functions are thin forwarders, so
           fetch.toString() / XMLHttpRequest.prototype.open.toString()
           reveals only the forwarder body — not the security logic.

           _fetchImpl, _xhrOpenImpl, _sendBeaconImpl are invisible
           from the DevTools console (closure scope, not on window).
       ────────────────────────────────────────────────────────── */

    // ── Inner implementations (closure-private) ────────────────
    const _fetchImpl = function (input) {
        // V10: Do not use `instanceof Request` — attackable via Symbol.hasInstance.
        // `typeof` is an operator (unhookable); .url is read either way.
        const url = (typeof input === 'object' && input !== null && typeof input.url === 'string')
            ? input.url : ('' + (input ?? ''));
        if (_isExternal(url)) {
            _triggerAlert('Outbound fetch blocked → ' + url);
            return Promise.reject(new Error('[SafeNova Proactive] External fetch blocked'));
        }
        // V9: Use captured _reflectApply instead of live Function.prototype.apply,
        // which could be replaced post-boot to intercept pass-through arguments.
        return _reflectApply(_N.fetch, this === window ? window : globalThis, arguments);
    };

    const _xhrOpenImpl = function (method, url) {
        if (_isExternal('' + (url ?? ''))) {
            _triggerAlert('Outbound XHR blocked → ' + url);
            throw new Error('[SafeNova Proactive] External XHR blocked');
        }
        return _reflectApply(_N.xhrOpen, this, arguments);
    };

    const _sendBeaconImpl = function (url) {
        if (_isExternal('' + (url ?? ''))) {
            _triggerAlert('sendBeacon to external URL blocked → ' + url);
            return false;
        }
        return _reflectApply(_N.sendBeacon, navigator, arguments);
    };

    // ── D2: DOM exfiltration defense constants ─────────────────
    // Pure-object lookup — `in` operator is a language construct,
    // unhookable (unlike Set.prototype.has or Array.includes).
    const _RESOURCE_ATTRS = {
        src: 1, href: 1, data: 1, ping: 1,
        srcset: 1, action: 1, formaction: 1, poster: 1
    };
    // FIX-SS: srcset values contain space-separated URL+descriptor tokens
    // (e.g. "photo.jpg 2x" or "img.jpg 320w"). Passing a raw srcset string
    // to new URL() throws, making _isExternal return true (fail-closed) for
    // every srcset — any extension that adds srcset causes a false alert and
    // key wipe. srcset is kept in _RESOURCE_ATTRS so setAttribute/innerHTML
    // hooks (which parse individual tokens) can still check it, but the MO
    // attribute-change and element-scan paths skip it to avoid false positives.
    const _RESOURCE_ATTRS_NO_SRCSET = {
        src: 1, href: 1, data: 1, ping: 1,
        action: 1, formaction: 1, poster: 1
    };
    const _ON_ATTR_RE = /\bon[a-z]+\s*=/i;

    /* ──────────────────────────────────────────────────────────
       5b. DOM exfiltration hook implementations (D2)
           Same double-hook pattern as network hooks above.
       ────────────────────────────────────────────────────────── */

    // ── setAttribute — blocks on* handlers and external resource URLs ──
    const _setAttributeImpl = function (name, value) {
        // BUG-K: _pureToLower uses a frozen A-Z→a-z lookup + bracket indexing —
        // no prototype method call; immune to any String.prototype.toLowerCase hook.
        const lName = _pureToLower('' + (name ?? ''));
        if (lName.length > 2 && lName[0] === 'o' && lName[1] === 'n') {
            _triggerAlert('Inline event handler via setAttribute blocked \u2192 ' + lName);
            return;
        }
        // <a> and <area> href= are navigation-only (user-activated click),
        // not auto-loading. Blocking them causes false positives for normal app links.
        // ping= on anchors is still caught below (auto-fires on click).
        if (lName === 'href') {
            const tag = _pureToLower('' + (this.tagName || ''));
            if (tag === 'a' || tag === 'area') {
                return _reflectApply(_N.setAttribute, this, arguments);
            }
        }
        if (lName in _RESOURCE_ATTRS && _isExternal('' + (value ?? ''))) {
            _triggerAlert('External resource via setAttribute blocked \u2192 ' + lName + '=' + value);
            return;
        }
        return _reflectApply(_N.setAttribute, this, arguments);
    };

    // ── HTML content threat scanner ────────────────────────────
    // indexOf-based extraction avoids hookable String.prototype.match/exec.
    function _htmlHasThreat(html) {
        const h = '' + (html ?? '');
        if (_reflectApply(_reTest, _ON_ATTR_RE, [h])) return 'inline event handler';
        // BUG-J: _pureIndexOf uses a nested indexed loop + bracket comparison —
        // no prototype method call; immune to any String.prototype.indexOf hook.
        if (_pureIndexOf(h, '://') === -1) return false;
        const _RATTR_KEYS = ['src=', 'href=', 'data=', 'ping=', 'action=', 'formaction=', 'poster=', 'srcset='];
        // BUG-K: _pureToLower — pure operator-level ASCII lowercasing.
        // FIX-WS: _pureCollapseAttrSpaces normalises 'attr = "url"' → 'attr="url"'
        // so that attributes with whitespace around '=' are not missed by the
        // literal 'src=' search (HTML5 spec allows optional whitespace around '=').
        // Both hLow and hOrig apply the same normalisation so their indices align.
        const hLow = _pureCollapseAttrSpaces(_pureToLower(h));
        const hOrig = _pureCollapseAttrSpaces(h);
        for (let _ri = 0; _ri < _RATTR_KEYS.length; _ri++) {
            const attr = _RATTR_KEYS[_ri];
            let apos = 0;
            while (true) {
                apos = _pureIndexOf(hLow, attr, apos);
                if (apos === -1) break;
                let vs = apos + attr.length;
                // After normalisation post-'=' spaces are already removed;
                // the loop is kept as a no-op fallback for defence-in-depth.
                while (vs < hOrig.length && (hOrig[vs] === ' ' || hOrig[vs] === '\t')) vs++;
                let ve;
                if (hOrig[vs] === '"' || hOrig[vs] === "'") {
                    const q = hOrig[vs]; vs++;
                    ve = _pureIndexOf(hOrig, q, vs);
                    if (ve === -1) ve = hOrig.length;
                } else {
                    ve = vs;
                    while (ve < hOrig.length && hOrig[ve] !== ' ' && hOrig[ve] !== '>' && hOrig[ve] !== '\t') ve++;
                }
                // BUG-L: _pureSlice extracts substring via bracket + concatenation —
                // immune to any String.prototype.slice / .substring hook.
                const url = _pureSlice(hOrig, vs, ve);
                if (_isExternal(url)) return attr + url;
                apos = ve;
            }
        }
        return false;
    }

    const _insertAdjacentHTMLImpl = function (position, html) {
        const threat = _htmlHasThreat(html);
        if (threat) { _triggerAlert('Threat in insertAdjacentHTML blocked \u2192 ' + threat); return; }
        return _reflectApply(_N.insertAdjacentHTML, this, arguments);
    };

    const _docWriteImpl = function () {
        let combined = '';
        for (let _i = 0; _i < arguments.length; _i++) combined += '' + (arguments[_i] ?? '');
        const threat = _htmlHasThreat(combined);
        if (threat) { _triggerAlert('Threat in document.write blocked \u2192 ' + threat); return; }
        return _reflectApply(_N.docWrite, this, arguments);
    };
    const _docWritelnImpl = function () {
        let combined = '';
        for (let _i = 0; _i < arguments.length; _i++) combined += '' + (arguments[_i] ?? '');
        const threat = _htmlHasThreat(combined);
        if (threat) { _triggerAlert('Threat in document.writeln blocked \u2192 ' + threat); return; }
        return _reflectApply(_N.docWriteln, this, arguments);
    };

    // ── D3: post-init iframe creation block ───────────────────
    // An attacker who gains JS execution after daemon.js runs could:
    //   1. document.createElement('iframe') → fresh about:blank realm
    //   2. grab iwin.fetch / iwin.XMLHttpRequest.prototype.open etc.
    //      (they ARE native, so _isNative() passes them)
    //   3. assign them back over the hooked prototypes → all network/DOM
    //      hooks silently stripped without triggering any _NATIVE_CHECKS alert
    // Blocking <iframe> creation post-init closes this entire attack vector.
    // All other tags pass through unmodified — extensions that create <script>
    // or other elements for their own purposes are unaffected.
    const _createElementImpl = function (tagName) {
        if (_iframeRestoreDone) {
            // BUG-K: _pureToLower — pure operator-level; no prototype dependency.
            const _tag = _pureToLower('' + (tagName ?? ''));
            if (_tag === 'iframe') {
                _triggerAlert('iframe creation blocked post-init \u2192 native-reset attack vector');
                // Return a harmless <div> so the call site does not throw,
                // minimising fingerprinting surface for the attacker.
                return _reflectApply(_N.createElement, this, ['div']);
            }
        }
        return _reflectApply(_N.createElement, this, arguments);
    };

    const _locAssignImpl = function (url) {
        if (_isExternal('' + (url ?? ''))) {
            _triggerAlert('External navigation (assign) blocked \u2192 ' + url); return;
        }
        return _reflectApply(_N.locAssign, this, arguments);
    };
    const _locReplaceImpl = function (url) {
        if (_isExternal('' + (url ?? ''))) {
            _triggerAlert('External navigation (replace) blocked \u2192 ' + url); return;
        }
        return _reflectApply(_N.locReplace, this, arguments);
    };

    const _locHrefSetImpl = _N.locHrefDesc?.set ? (function () {
        const _origSet = _N.locHrefDesc.set;
        return function (val) {
            if (_isExternal('' + (val ?? ''))) {
                _triggerAlert('External navigation (href) blocked \u2192 ' + val); return;
            }
            _reflectApply(_origSet, this, [val]);
        };
    })() : null;

    const _innerHTMLSetImpl = _N.innerHTMLDesc?.set ? (function () {
        const _origSet = _N.innerHTMLDesc.set;
        return function (val) {
            const threat = _htmlHasThreat(val);
            if (threat) { _triggerAlert('Threat in innerHTML blocked \u2192 ' + threat); return; }
            _reflectApply(_origSet, this, [val]);
        };
    })() : null;
    const _outerHTMLSetImpl = _N.outerHTMLDesc?.set ? (function () {
        const _origSet = _N.outerHTMLDesc.set;
        return function (val) {
            const threat = _htmlHasThreat(val);
            if (threat) { _triggerAlert('Threat in outerHTML blocked \u2192 ' + threat); return; }
            _reflectApply(_origSet, this, [val]);
        };
    })() : null;

    const _formSubmitImpl = function () {
        const action = '' + (this.action || '');
        if (_isExternal(action)) {
            _triggerAlert('Form submit to external URL blocked \u2192 ' + action); return;
        }
        return _reflectApply(_N.formSubmit, this, arguments);
    };

    // Shared console output for silently-blocked operations (no modal alert, no key-wipe).
    // Uses captured _N.consoleError — immune to post-load console.error replacement.
    function _logBlockedToConsole(msg) {
        try {
            const _ce = _N.consoleError || console.error.bind(console);
            _ce('%c\u26d4\ufe0f  SafeNova Proactive  \u2502  BLOCKED',
                'background:#6a0000;color:#ff5555;font-size:13px;font-weight:700;padding:3px 8px;border-radius:3px');
            _ce('%c' + ('' + msg),
                'color:#ff4444;font-weight:600;font-size:12px;padding-left:4px');
        } catch { }
    }

    // Resource property (.src/.href/.data) hook helper.
    // Caches the setter in _H[hKey] so re-hooks reuse the same closure.
    // noAlert — if truthy, log to console only (no modal/key-wipe). Used for
    // <script>.src so that an injected script tag is quietly neutralised rather
    // than surfaced as a full intrusion alert (reduces alert fatigue while still
    // blocking the load and leaving a forensic trace in DevTools).
    function _hookResourceProp(proto, propName, origDesc, hKey, label, noAlert) {
        if (!origDesc || !origDesc.set) return;
        if (!_H[hKey]) {
            const _impl = noAlert
                ? function (val) {
                    if (_isExternal('' + (val ?? ''))) {
                        _logBlockedToConsole(label + ' blocked \u2192 ' + val);
                        return;
                    }
                    _reflectApply(origDesc.set, this, [val]);
                }
                : function (val) {
                    if (_isExternal('' + (val ?? ''))) {
                        _triggerAlert('External ' + label + ' blocked \u2192 ' + val); return;
                    }
                    _reflectApply(origDesc.set, this, [val]);
                };
            _H[hKey] = _mkProxy(_impl, 'snv_' + hKey);
        }
        Object.defineProperty(proto, propName, {
            configurable: true, enumerable: true,
            get: origDesc.get, set: _H[hKey]
        });
    }

    // MutationObserver element threat scanner — checks a single element node.
    function _scanElementForThreats(el) {
        if (!el || el.nodeType !== 1) return;
        // BUG-K: _pureToLower — pure operator-level ASCII lowercasing; no prototype
        // dependency. Replacing String.prototype.toLowerCase cannot affect this.
        const _elTag = _pureToLower('' + (el.tagName || ''));
        // <script> elements: only intercept external-src injections.
        // Same-origin and relative scripts (app's own modules) are allowed through.
        // Inline scripts have no src and are handled upstream by innerHTML/document.write hooks.
        // Full alert suppressed for scripts — console-only to avoid modal fatigue.
        if (_elTag === 'script') {
            let _scriptSrc = '';
            try { _scriptSrc = '' + (_reflectApply(_N.getAttribute, el, ['src']) || ''); } catch { }
            if (_scriptSrc && _isExternal(_scriptSrc)) {
                // V12: Use captured _nodeRemove — live Node.prototype.removeChild
                // could be replaced to prevent removal of injected script elements.
                try { if (el.parentNode) _reflectApply(_nodeRemove, el.parentNode, [el]); } catch { }
                _logBlockedToConsole('Injected external <script> removed from DOM \u2192 src=' + _scriptSrc);
            }
            return; // never fall through to the general attribute scan for script elements
        }
        const attrs = el.attributes;
        if (!attrs) return;
        // <a> and <area> href= are navigation attributes (user-clicked, not auto-loaded).
        // Flagging them causes false positives on legitimate app links (e.g. about/credits).
        // ping= on anchors is NOT skipped — it auto-fires a POST request on click.
        const _isNavEl = (_elTag === 'a' || _elTag === 'area');
        for (let _ai = 0; _ai < attrs.length; _ai++) {
            const _a = attrs[_ai];
            const aName = _pureToLower('' + _a.name);
            if (aName.length > 2 && aName[0] === 'o' && aName[1] === 'n') {
                try { _reflectApply(_N.removeAttribute, el, [aName]); } catch { }
                _triggerAlert('Inline event handler on DOM element \u2192 ' + aName);
                return;
            }
            if (_isNavEl && aName === 'href') continue; // navigation-only, not a resource loader
            // FIX-SS: use _RESOURCE_ATTRS_NO_SRCSET — srcset values contain URL+descriptor tokens
            // (e.g. "img.jpg 2x") that are not valid URLs; passing them to new URL() throws, so
            // _isExternal returns true (fail-closed) for every srcset, causing false alerts.
            if (aName in _RESOURCE_ATTRS_NO_SRCSET) {
                const val = '' + (_a.value || '');
                if (_isExternal(val)) {
                    try { _reflectApply(_N.removeAttribute, el, [aName]); } catch { }
                    _triggerAlert('External resource on DOM element \u2192 ' + aName + '=' + val);
                    return;
                }
            }
        }
    }

    /* ──────────────────────────────────────────────────────────
       App state emergency wipe
       Captured after window 'load' so window.App is available.
       Directly nullifies in-memory key material as a direct
       bypass when the snv:lock event handler in main.js might
       itself be patched or replaced by an attacker.
       ────────────────────────────────────────────────────────── */
    let _appRef = null;
    // _appCryptoRefs: frozen snapshot of _mkProxy-wrapped Crypto method references.
    // Populated at 'load' (after crypto.js has executed). Used in tick 6d.
    let _appCryptoRefs = null;
    // _appMethodRefs: frozen snapshot of _mkProxy-wrapped App method references.
    // Populated at 'load'. Used in tick 6e to detect App.lockContainer replacement.
    let _appMethodRefs = null;
    // _vfsInitRef / _wmCloseAllRef: raw (unwrapped) function references for VFS.init
    // and WinManager.closeAll.  Populated at 'load'.  Used in _wipeAppState so that
    // a console-level replacement before a threat fires cannot prevent the in-memory
    // VFS clear or window-panel teardown.  The objects themselves receive _mkProxy
    // wrappers at load time; these raw refs bypass the proxy for direct invocation.
    let _vfsInitRef = null;
    let _wmCloseAllRef = null;
    // _debugTrapActive: prevents stacking multiple 50 ms debugger intervals.
    let _debugTrapActive = false;
    // _trapIds: guarded map of debugger-trap interval IDs.
    // Our window.clearInterval wrapper silently drops calls targeting these.
    // SET-2: plain object — `id in _trapIds` and `delete _trapIds[id]` are pure
    // language operators; Set.prototype.has/.add/.delete could be spoofed via Self-XSS.
    const _trapIds = {};
    // _readVFS / _readWinManager: bare-identifier readers for the module-scope consts
    // declared in vfs.js / desktop.js.  Like App, these are `const` declarations that
    // land in the JS lexical environment record, NOT on window — so window.VFS and
    // window.WinManager are always undefined and any live access must use the bare name.
    const _readVFS = () => (typeof VFS !== 'undefined' ? VFS : null);
    const _readWinManager = () => (typeof WinManager !== 'undefined' ? WinManager : null);

    // _readApp: safe reader for the `App` global const (state.js).
    // `const App = {...}` in state.js goes into the JS global LEXICAL environment
    // record, NOT onto the global object (window), so `window.App` is always
    // undefined. The bare identifier `App` resolves it via the scope chain at
    // call time (same technique as bare `Crypto` for crypto.js).  The function
    // is defined as an arrow so callers can safely call it inside try/catch
    // without worrying about `this` binding.
    const _readApp = () => (typeof App !== 'undefined' ? App : null);
    try {
        // CRIT-3: Use captured _N.addEventListener (not live window.addEventListener).
        // A MV2 extension that replaces EventTarget.prototype.addEventListener at
        // document_start would prevent this 'load' listener from being installed,
        // leaving _appCryptoRefs/_appMethodRefs permanently null and permanently
        // disabling G1 checks for Crypto and App.lockContainer.
        _reflectApply(_N.addEventListener, window, ['load', function () {
            try { _appRef = _readApp(); } catch { }
            // G1: Wrap critical Crypto methods through _mkProxy and capture
            // the proxied references for per-tick tamper detection (6d).
            // Each method’s toString() now reveals only the thin _mkProxy
            // forwarder body — the real implementation is closure-private.
            // 'Crypto' bare identifier resolves to the app's script-scope const
            // (declared in crypto.js as `const Crypto = ...`), NOT to window.Crypto
            // (browser WebCrypto API). We verify identity with .encrypt
            // (app module has it; browser WebCrypto does not — it has .subtle).
            try {
                if (typeof Crypto !== 'undefined' && typeof Crypto.encrypt === 'function') {
                    // Wrap each Crypto method through _mkProxy — toString() on
                    // the live property reveals only the thin forwarder body,
                    // hiding the real implementation in a closure-private _p.
                    const _pEncrypt = _mkProxy(Crypto.encrypt, 'snvCryptoEncrypt');
                    const _pDecrypt = _mkProxy(Crypto.decrypt, 'snvCryptoDecrypt');
                    const _pEncryptBin = _mkProxy(Crypto.encryptBin, 'snvCryptoEncryptBin');
                    const _pDecryptBin = _mkProxy(Crypto.decryptBin, 'snvCryptoDecryptBin');
                    const _pDeriveKey = _mkProxy(Crypto.deriveKey, 'snvCryptoDeriveKey');
                    const _pDeriveKeyAndRaw = _mkProxy(Crypto.deriveKeyAndRaw, 'snvCryptoDeriveKeyAndRaw');
                    // importRawKey: called by home.js + fileops.js to turn raw AES
                    // bytes into a CryptoKey.  Replacing it could capture key material.
                    const _pImportRawKey = _mkProxy(Crypto.importRawKey, 'snvCryptoImportRawKey');
                    // checkVerification: called from home.js, fileops.js, desktop.js
                    // to verify the password against the stored blob.  Replacing with
                    // () => true bypasses authentication in all unlock paths.
                    const _pCheckVerification = _mkProxy(Crypto.checkVerification, 'snvCryptoCheckVerification');
                    // makeVerification: called when creating / changing a container
                    // password to generate the stored verification blob.
                    const _pMakeVerification = _mkProxy(Crypto.makeVerification, 'snvCryptoMakeVerification');
                    // Install proxied versions on the Crypto module object
                    Crypto.encrypt = _pEncrypt;
                    Crypto.decrypt = _pDecrypt;
                    Crypto.encryptBin = _pEncryptBin;
                    Crypto.decryptBin = _pDecryptBin;
                    Crypto.deriveKey = _pDeriveKey;
                    Crypto.deriveKeyAndRaw = _pDeriveKeyAndRaw;
                    Crypto.importRawKey = _pImportRawKey;
                    Crypto.checkVerification = _pCheckVerification;
                    Crypto.makeVerification = _pMakeVerification;
                    // Store proxied refs for per-tick tamper detection (6d)
                    _appCryptoRefs = Object.freeze({
                        encrypt: _pEncrypt,
                        decrypt: _pDecrypt,
                        encryptBin: _pEncryptBin,
                        decryptBin: _pDecryptBin,
                        deriveKey: _pDeriveKey,
                        deriveKeyAndRaw: _pDeriveKeyAndRaw,
                        importRawKey: _pImportRawKey,
                        checkVerification: _pCheckVerification,
                        makeVerification: _pMakeVerification,
                    });
                }
            } catch { }
            // G1 (App security methods): wrap App.lockContainer through _mkProxy
            // and install the proxied version on the App object.  A console-level
            // replacement (App.lockContainer = () => {}) is detected on the next
            // tick.  _readApp() uses the bare identifier because state.js declares
            // `const App = {...}` in the lexical env record, NOT on window.
            try {
                const _a = _readApp();
                if (_a && typeof _a.lockContainer === 'function') {
                    const _pLockContainer = _mkProxy(_a.lockContainer, 'snvLockContainer');
                    _a.lockContainer = _pLockContainer;
                    _appMethodRefs = Object.freeze({
                        lockContainer: _pLockContainer,
                    });
                }
            } catch { }
            // BUG-4: Capture raw VFS.init and WinManager.closeAll by reference
            // for direct use in _wipeAppState (immune to post-capture replacement),
            // then install _mkProxy wrappers on the objects so toString() hides
            // the real implementations.  Bare identifiers (_readVFS / _readWinManager)
            // because both are `const` module-scope declarations, never on window.
            try {
                const _v = _readVFS();
                if (_v && typeof _v.init === 'function') {
                    _vfsInitRef = _v.init; // raw ref for _wipeAppState
                    _v.init = _mkProxy(_v.init, 'snvVfsInit');
                }
            } catch { }
            try {
                const _wm = _readWinManager();
                if (_wm && typeof _wm.closeAll === 'function') {
                    _wmCloseAllRef = _wm.closeAll; // raw ref for _wipeAppState
                    _wm.closeAll = _mkProxy(_wm.closeAll, 'snvWmCloseAll');
                }
            } catch { }
        }, { once: true }]);
    } catch { }

    // Tracks whether _wipeAppState has already installed the DOM lockdown.
    // The veil and forced-reload run exactly once per page lifetime;
    // subsequent calls (one per watchdog tick) only re-zero key material.
    let _wipeExecuted = false;

    function _wipeAppState() {
        if (_DISABLE_PROACTIVE_ANTITAMPER) return;
        // ── Part 1 (always): zero in-memory key material ─────────────
        try {
            const a = _appRef || _readApp();
            if (a) {
                try { if (a.key !== undefined) a.key = null; } catch { }
                try { if (a.container !== undefined) a.container = null; } catch { }
                try { if (a.clipboard !== undefined) a.clipboard = null; } catch { }
                try { if (a.thumbCache !== undefined) a.thumbCache = {}; } catch { }
                try { if (a.selection && typeof a.selection.clear === 'function') a.selection.clear(); } catch { }
            }
        } catch { }

        // ── Part 2 (once): DOM content wipe + veil + reload ────────
        // Bug 1a: guard ensures this block executes only ONCE per page lifetime
        // so the watchdog firing 3×/s does not stack 3 veils/s or schedule
        // dozens of competing reload timers.
        if (_wipeExecuted) return;
        _wipeExecuted = true;

        // Bug 2: Directly wipe DOM-resident decrypted content.
        // These operations use exclusively captured native references so the
        // attacker cannot intercept them by patching the live window/proto chain.
        // Helper: call a captured Document prototype method with document as context.
        const _docCall = (fn, arg) => {
            if (!fn) return null;
            try { return _reflectApply(fn, document, [arg]); } catch { return null; }
        };

        // 2a. Zero editor textarea — wipes decrypted file plaintext from the DOM.
        //     Use the captured HTMLTextAreaElement.prototype.value setter — if an
        //     attacker redefined the .value property on the element instance or
        //     prototype, our captured setter still reaches the native C++ binding.
        try {
            const ta = _docCall(_N.docGetElementById, 'editor-textarea');
            if (ta) {
                if (_N.taValueSetter) _reflectApply(_N.taValueSetter, ta, ['']);
                else ta.value = '';
            }
        } catch { }

        // 2b. Zero password input so credential is not visible after lockdown.
        try {
            const pw = _docCall(_N.docGetElementById, 'unlock-pw');
            if (pw) {
                if (_N.inputValueSetter) _reflectApply(_N.inputValueSetter, pw, ['']);
                else pw.value = '';
            }
        } catch { }

        // 2c. Force-close open modals (editor, viewer) using !important to beat
        //     any injected stylesheet that tries to keep them visible.
        // BUG-E: indexed loop avoids Array.prototype[Symbol.iterator].
        const _modalIds = ['modal-editor', 'modal-viewer'];
        for (let _mi = 0; _mi < _modalIds.length; _mi++) {
            try {
                const el = _docCall(_N.docGetElementById, _modalIds[_mi]);
                if (el) el.style.setProperty('display', 'none', 'important');
            } catch { }
        }

        // 2d. Force the view back to home: deactivate desktop, activate home.
        //     Uses classList directly (no hooked setters needed here — classList
        //     is a live DOMTokenList backed by the browser engine, not patchable
        //     from JS in a way that affects our captured getElementById result).
        try {
            const desktop = _docCall(_N.docGetElementById, 'view-desktop');
            if (desktop) {
                desktop.classList.remove('active');
                desktop.style.setProperty('display', 'none', 'important');
            }
        } catch { }
        try {
            const home = _docCall(_N.docGetElementById, 'view-home');
            if (home) {
                home.classList.add('active');
                home.style.removeProperty('display');
            }
        } catch { }

        // 2e. Revoke active Blob URLs so decrypted content (thumbnails, file previews)
        //     is freed from memory and the browser can no longer serve their data.
        try {
            if (_N.docQuerySelectorAll) {
                const _blobs = _reflectApply(_N.docQuerySelectorAll,
                    document, ['img[src^="blob:"],video[src^="blob:"],a[href^="blob:"]']);
                for (let i = 0; i < _blobs.length; i++) {
                    try {
                        const src = _blobs[i].src || _blobs[i].href || '';
                        if (src) _N.revokeObjectURL(src);
                    } catch { }
                }
            }
        } catch { }

        // 2f. Clear in-memory VFS tree — holds decrypted file metadata and structure.
        // Use the captured _vfsInitRef so a console VFS.init = () => {} swap before
        // the threat fires cannot leave the file tree in memory.
        // VFS is a `const` module-scope declaration (not on window); use _readVFS().
        try {
            if (_vfsInitRef) { _vfsInitRef(); }
            else { const _v = _readVFS(); if (_v) _v.init(); }
        } catch { }

        // 2g. Close all floating window panels — they contain decrypted filenames and icons.
        try {
            if (_wmCloseAllRef) { _wmCloseAllRef(); }
            else { const _wm = _readWinManager(); if (_wm) _wm.closeAll(); }
        } catch { }

        // F3: Security barrier veil — animated diagonal stripes (Minecraft barrier style).
        // Covers all application content below the alert overlay.
        // z-index 2147483646: below alert (2147483647), above everything else.
        // CSS class "snv-veil" provides visual styles; _ALERT_HOST_CLS defeats ABP.
        //
        // Technique: linear-gradient (NOT repeating) over a square tile with stops at
        // 25 % / 50 % / 75 % / 100 %. This is the only approach that produces clean
        // parallel diagonal stripes without the diamond / hexagon artefacts that
        // repeating-linear-gradient produces when tiled with background-size.
        //
        // Tile size T = 32 px.  Animation: shift background-position by (T, T) per
        // cycle — the square tile guarantees a perfectly seamless loop at any speed.
        //
        // Stripe colours:
        //   dark band  → rgba(6, 0, 0, 0.92) — near-black with a faint red tint
        //   light band → rgba(155, 18, 18, 0.60) — muted dark red, semi-transparent
        //
        // NOTE: No background-color — stripes are semi-transparent so the app
        // content bleeds through, making the barrier visible but not fully opaque.
        try {
            const _T = 32; // tile side, px — must be even for clean 50 % boundary
            const _Tpx = _T + 'px';
            const _dark = 'rgba(6,0,0,.92)';
            const _red = 'rgba(155,18,18,.60)';
            // String concatenation — no Array.prototype.join call
            const _barrier =
                'linear-gradient(-45deg,' +
                _dark + ' 0%,' + _dark + ' 25%,' +
                _red + ' 25%,' + _red + ' 50%,' +
                _dark + ' 50%,' + _dark + ' 75%,' +
                _red + ' 75%,' + _red + ' 100%)';
            const veil = _reflectApply(_N.createElement, document, ['div']);
            veil.className = _ALERT_HOST_CLS + ' snv-veil';
            // ITER-2: indexed loop — immune to Array.prototype[Symbol.iterator] poisoning
            const _veilStyles = [
                ['position', 'fixed'],
                ['inset', '0'],
                ['z-index', '2147483646'],
                ['background-image', _barrier],
                ['background-size', _Tpx + ' ' + _Tpx],
                ['display', 'block'],
            ];
            for (let _vsi = 0; _vsi < _veilStyles.length; _vsi++) {
                try { veil.style.setProperty(_veilStyles[_vsi][0], _veilStyles[_vsi][1], 'important'); } catch { }
            }
            // V11: Use captured _nodeAppend — live .appendChild could be hooked.
            _reflectApply(_nodeAppend, document.body || document.documentElement, [veil]);
            // Shifting background-position by exactly one tile (T, T) per iteration
            // is mathematically guaranteed to produce a seamless loop.
            if (_N.elementAnimate) {
                try {
                    _reflectApply(_N.elementAnimate, veil, [
                        [{ backgroundPosition: '0 0' },
                        { backgroundPosition: _Tpx + ' ' + _Tpx }],
                        { duration: 700, iterations: Infinity, easing: 'linear' }
                    ]);
                } catch { }
            }
        } catch { }
    }

    // ── _mkProxy: opaque hook factory ──────────────────────────
    // Creates a thin forwarder whose toString() reveals only:
    //   "function () { return _reflectApply(_p, this, arguments); }"
    // All security logic lives in the closure-private impl (_p).
    // Uses _reflectApply (captured Reflect.apply) — immune to
    // Function.prototype.apply replacement.
    //   impl:  closure-private implementation function
    //   name:  cosmetic .name for console display (e.g. 'snvFetch')
    //   proto: optional .prototype to copy (constructor proxies)
    const _mkProxy = function (impl, name, proto) {
        const _p = impl;
        const _fn = function () { return _reflectApply(_p, this, arguments); };
        if (name) try { Object.defineProperty(_fn, 'name', { value: name, configurable: true }); } catch { }
        if (proto !== void 0) try { _fn.prototype = proto; } catch { }
        return _fn;
    };

    // ── Constructor hook impl factory (Worker, SharedWorker, EventSource) ──
    // Eliminates duplication between identical constructor hooks.
    //   nativeCtor: captured native constructor
    //   label:      display name for alerts (e.g. 'Worker')
    //   blockData:  if truthy, also block data: URL scripts
    function _mkCtorImpl(nativeCtor, label, blockData) {
        return function () {
            const urlStr = '' + (arguments[0] ?? '');
            // BUG-J: _pureIndexOf — nested indexed loop, zero prototype calls.
            if (blockData && _pureIndexOf(urlStr, 'data:') === 0) {
                _triggerAlert(label + ' with data: URL blocked');
                throw new Error('[SafeNova Proactive] ' + label + ' data: URL blocked');
            }
            // BUG-H: Block blob: URLs for Workers/SharedWorkers.  A same-origin
            // blob: URL passes _isExternal (origin matches) but the Worker runs
            // in a separate global with a clean, unhooked fetch — any code inside
            // the blob can exfiltrate data without triggering page-level hooks.
            // SafeNova never creates Workers; any blob: Worker is suspicious.
            if (blockData && _pureIndexOf(urlStr, 'blob:') === 0) {
                _triggerAlert(label + ' with blob: URL blocked');
                throw new Error('[SafeNova Proactive] ' + label + ' blob: URL blocked');
            }
            if (_isExternal(urlStr)) {
                _triggerAlert(label + ' to external URL blocked \u2192 ' + urlStr);
                throw new Error('[SafeNova Proactive] External ' + label + ' blocked');
            }
            return arguments.length >= 2
                ? new nativeCtor(arguments[0], arguments[1])
                : new nativeCtor(arguments[0]);
        };
    }

    // ── Timer string-guard impl factory (setTimeout, setInterval) ──
    function _mkTimerImpl(nativeFn, label) {
        return function (fn) {
            if (typeof fn === 'string') {
                _triggerAlert(label + ' with string callback blocked');
                return 0;
            }
            return _reflectApply(nativeFn, window, arguments);
        };
    }

    // ── Publicly visible hooks (thin forwarders via _mkProxy) ──
    const _H = {}; // live hook references — checked every tick

    function _installHooks() {
        // All hooks use _mkProxy — toString() on each shows only the
        // thin forwarder body, not the security logic in the impl closure.

        _H.fetch = _mkProxy(_fetchImpl, 'snvFetch');
        window.fetch = _H.fetch;

        _H.xhrOpen = _mkProxy(_xhrOpenImpl, 'snvXhrOpen');
        XMLHttpRequest.prototype.open = _H.xhrOpen;

        if (_N.sendBeacon) {
            _H.sendBeacon = _mkProxy(_sendBeaconImpl, 'snvSendBeacon');
            navigator.sendBeacon = _H.sendBeacon;
        }

        // ── D2: DOM exfiltration hooks ──────────────────────────

        _H.setAttribute = _mkProxy(_setAttributeImpl, 'snvSetAttribute');
        Element.prototype.setAttribute = _H.setAttribute;

        if (_innerHTMLSetImpl) {
            _H.innerHTMLSet = _mkProxy(_innerHTMLSetImpl, 'snvInnerHTMLSet');
            Object.defineProperty(Element.prototype, 'innerHTML', {
                configurable: true, enumerable: true,
                get: _N.innerHTMLDesc.get, set: _H.innerHTMLSet
            });
        }
        if (_outerHTMLSetImpl) {
            _H.outerHTMLSet = _mkProxy(_outerHTMLSetImpl, 'snvOuterHTMLSet');
            Object.defineProperty(Element.prototype, 'outerHTML', {
                configurable: true, enumerable: true,
                get: _N.outerHTMLDesc.get, set: _H.outerHTMLSet
            });
        }

        if (_N.insertAdjacentHTML) {
            _H.insertAdjacentHTML = _mkProxy(_insertAdjacentHTMLImpl, 'snvInsertAdjacentHTML');
            Element.prototype.insertAdjacentHTML = _H.insertAdjacentHTML;
        }
        if (_N.docWrite) {
            _H.docWrite = _mkProxy(_docWriteImpl, 'snvDocWrite');
            Document.prototype.write = _H.docWrite;
        }
        if (_N.docWriteln) {
            _H.docWriteln = _mkProxy(_docWritelnImpl, 'snvDocWriteln');
            Document.prototype.writeln = _H.docWriteln;
        }

        if (_N.locAssign) {
            try {
                _H.locAssign = _mkProxy(_locAssignImpl, 'snvLocAssign');
                Location.prototype.assign = _H.locAssign;
            } catch { /* Location.prototype.assign non-configurable */ }
        }
        if (_N.locReplace) {
            try {
                _H.locReplace = _mkProxy(_locReplaceImpl, 'snvLocReplace');
                Location.prototype.replace = _H.locReplace;
            } catch { /* Location.prototype.replace non-configurable */ }
        }
        if (_locHrefSetImpl && _N.locHrefDesc) {
            try {
                _H.locHrefSet = _mkProxy(_locHrefSetImpl, 'snvLocHrefSet');
                Object.defineProperty(Location.prototype, 'href', {
                    configurable: true, enumerable: true,
                    get: _N.locHrefDesc.get, set: _H.locHrefSet
                });
            } catch { /* Location.prototype.href non-configurable */ }
        }

        _H.formSubmit = _mkProxy(_formSubmitImpl, 'snvFormSubmit');
        HTMLFormElement.prototype.submit = _H.formSubmit;

        _hookResourceProp(HTMLImageElement.prototype, 'src', _N.imgSrcDesc, 'imgSrcSet', 'img.src');
        _hookResourceProp(HTMLScriptElement.prototype, 'src', _N.scriptSrcDesc, 'scriptSrcSet', 'script.src', true);
        _hookResourceProp(HTMLIFrameElement.prototype, 'src', _N.iframeSrcDesc, 'iframeSrcSet', 'iframe.src');
        _hookResourceProp(HTMLVideoElement.prototype, 'src', _N.videoSrcDesc, 'videoSrcSet', 'video.src');
        _hookResourceProp(HTMLAudioElement.prototype, 'src', _N.audioSrcDesc, 'audioSrcSet', 'audio.src');
        _hookResourceProp(HTMLEmbedElement.prototype, 'src', _N.embedSrcDesc, 'embedSrcSet', 'embed.src');
        _hookResourceProp(HTMLObjectElement.prototype, 'data', _N.objectDataDesc, 'objectDataSet', 'object.data');
        _hookResourceProp(HTMLLinkElement.prototype, 'href', _N.linkHrefDesc, 'linkHrefSet', 'link.href');
        // HTMLAnchorElement.href and HTMLAreaElement.href are intentionally NOT hooked:
        // they are navigation-only attributes (require user click) and blocking them
        // causes false positives on legitimate external links in the app UI.

        // D3: Restricted createElement hook — only <iframe> is blocked post-init.
        // Extensions (Adblock, Dark Reader, etc.) that create <script> or other
        // elements are unaffected; _createElementImpl passes all non-iframe tags
        // straight through to the native. The 'iframe' tag is the only primitive
        // needed for the fresh-realm native-reset attack, so it alone is blocked.
        _H.createElement = _mkProxy(_createElementImpl, 'snvCreateElement');
        Document.prototype.createElement = _H.createElement;
    }

    /* ──────────────────────────────────────────────────────────
       6.  Watchdog  (setInterval: 50 ms; other mechanisms: 800–980 ms)
       ────────────────────────────────────────────────────────── */
    let _heartbeatN = 0; // monotonic counter for dead man's switch (E5)
    function _tick() {
        if (_DISABLE_PROACTIVE_ANTITAMPER) {
            // Only dispatch heartbeat — skip all protection checks
            try {
                _reflectApply(_N.dispatchEvent, window, [
                    new _N.CustomEvent('snv:alive', { detail: { n: ++_heartbeatN } })]);
            } catch { }
            return;
        }
        // 6a. Verify our hooks are still in place.
        //     Extensions routinely wrap fetch/XHR for their own purposes
        //     (ad blocking, privacy, etc.), so we silently re-install
        //     without firing an alert — this is NOT a security threat,
        //     just normal browser extension behaviour.
        const hookTampered =
            window.fetch !== _H.fetch ||
            XMLHttpRequest.prototype.open !== _H.xhrOpen ||
            (_N.sendBeacon && navigator.sendBeacon !== _H.sendBeacon) ||
            Element.prototype.setAttribute !== _H.setAttribute ||
            (_H.formSubmit && HTMLFormElement.prototype.submit !== _H.formSubmit) ||
            (_H.insertAdjacentHTML && Element.prototype.insertAdjacentHTML !== _H.insertAdjacentHTML) ||
            (_H.docWrite && Document.prototype.write !== _H.docWrite) ||
            (_H.docWriteln && Document.prototype.writeln !== _H.docWriteln) ||
            (_H.locAssign && Location.prototype.assign !== _H.locAssign) ||
            (_H.locReplace && Location.prototype.replace !== _H.locReplace) ||
            // D3: guard the post-init iframe-creation block
            (_H.createElement && Document.prototype.createElement !== _H.createElement);

        if (hookTampered) {
            _installHooks(); // silent re-hook, no alert
        }

        // 6b. Verify security-critical natives are still native.
        //     We call the LIVE getter on each check, not our cached ref,
        //     so we catch live substitutions made after our capture.
        // BUG-E: for-of + destructuring [name, getLive] relies on
        // Array.prototype[Symbol.iterator]; indexed loop is immune.
        for (let _ni = 0; _ni < _NATIVE_CHECKS.length; _ni++) {
            const _nc = _NATIVE_CHECKS[_ni];
            const name = _nc[0], getLive = _nc[1];
            let live;
            try { live = getLive(); } catch {
                _triggerAlert('Security-critical property was removed: ' + name);
                return;
            }
            if (!_isNative(live)) {
                _triggerAlert('Native function tampered: ' + name);
                return; // one alert per tick avoids spam
            }
        }

        // 6d. App function integrity — verify critical Crypto module methods
        //     have not been replaced via the DevTools console (Self-XSS / G1).
        //     'Crypto' (bare identifier) resolves to the app's script-scope const
        //     via the JS declarative env record (checked before the object env record
        //     where window.Crypto / WebCrypto lives).
        //     _appCryptoRefs is null until 'load' fires — early ticks are safe.
        if (_appCryptoRefs) {
            let _liveC = null;
            try { _liveC = Crypto; } catch { /* Crypto became undefined — treat as tampered */ }
            if (!_liveC ||
                _liveC.encrypt !== _appCryptoRefs.encrypt ||
                _liveC.decrypt !== _appCryptoRefs.decrypt ||
                _liveC.encryptBin !== _appCryptoRefs.encryptBin ||
                _liveC.decryptBin !== _appCryptoRefs.decryptBin ||
                _liveC.deriveKey !== _appCryptoRefs.deriveKey ||
                _liveC.deriveKeyAndRaw !== _appCryptoRefs.deriveKeyAndRaw ||
                _liveC.importRawKey !== _appCryptoRefs.importRawKey ||
                _liveC.checkVerification !== _appCryptoRefs.checkVerification ||
                _liveC.makeVerification !== _appCryptoRefs.makeVerification
            ) {
                _triggerAlert('App function tampered: Crypto');
                return;
            }
        }

        // 6e. App method integrity — verify App.lockContainer has not been
        //     replaced via the DevTools console (Self-XSS).
        //     `const App = {...}` in state.js is in the JS global LEXICAL env
        //     record, not on window. Use _readApp() (bare identifier) to read it.
        //     Captures both: property replacement (App.lockContainer = () => {})
        //     and full object substitution.
        //     _appMethodRefs is null until 'load' fires — early ticks are safe.
        if (_appMethodRefs) {
            let _liveApp = null;
            try { _liveApp = _readApp(); } catch { }
            if (!_liveApp || _liveApp.lockContainer !== _appMethodRefs.lockContainer) {
                _triggerAlert('App function tampered: lockContainer');
                return;
            }
        }

        // 6c. Dead man's switch heartbeat — monotonic counter (C1/E5)
        //     main.js accepts ONLY events where counter is strictly increasing.
        //     An attacker faking snv:alive events cannot know the current count.
        //     CRIT-4: Use captured dispatchEvent + CustomEvent so a live
        //     window.dispatchEvent replacement cannot suppress the heartbeat.
        try {
            _reflectApply(_N.dispatchEvent, window, [
                new _N.CustomEvent('snv:alive', { detail: { n: ++_heartbeatN } })]);
        } catch { }
    }

    /* ──────────────────────────────────────────────────────────
       7.  Guard token, __snvVerify, __snvEmergencyLock
       ────────────────────────────────────────────────────────── */
    // Guard token includes the session canary for __snvVerify cross-check.
    // If _guardPreexisted == true, the attacker pre-defined this property as
    // non-configurable; our Object.defineProperty will throw but __snvVerify
    // will return false because the attacker's guard won't carry our _canary.
    try {
        Object.defineProperty(window, '__snvGuard', {
            value: Object.freeze({ active: _captureClean, version: 6, _c: _canary }),
            writable: false,
            configurable: false,
            enumerable: false,
        });
    } catch { /* pre-defined by attacker — __snvVerify will catch this */ }

    // __snvVerify — canary cross-check. main.js calls this instead of (or in addition
    // to) checking __snvGuard.active. Attacker who pre-defined __snvGuard cannot
    // produce the correct _canary without reading this IIFE's closure at runtime.
    try {
        Object.defineProperty(window, '__snvVerify', {
            value: function snvVerify() {
                return _captureClean &&
                    !_guardPreexisted &&
                    typeof window.__snvGuard === 'object' &&
                    window.__snvGuard !== null &&
                    window.__snvGuard._c === _canary;
            },
            writable: false,
            configurable: false,
            enumerable: false,
        });
    } catch { /* attacker pre-defined — main.js falls back to __snvGuard.active */ }

    // __snvEmergencyLock — exposed non-configurable function that wipes storage
    // and app state directly, bypassing the event system entirely.
    try {
        Object.defineProperty(window, '__snvEmergencyLock', {
            value: function snvEmergencyLock(reason) {
                _nukeStorage();
                _wipeAppState();
                // BUG-FIX: Previously, callers (e.g. the dead man's switch in main.js)
                // that used __snvEmergencyLock directly would create the veil via
                // _wipeAppState but NEVER show the alert overlay — the user saw the
                // animated stripes pattern with no explanation and no reload button.
                // When a reason string is provided, show the full alert overlay.
                // The snv:lock handler in main.js calls this WITHOUT a reason (to avoid
                // a duplicate overlay, since _triggerAlert already calls _showAlert).
                if (typeof reason === 'string' && reason) _showAlert(reason);
            },
            writable: false,
            configurable: false,
            enumerable: false,
        });
    } catch { }

    // If captures were already tainted, do NOT start watchdog — just bail.
    // The app will show the "Proactive failed to initialize" screen.
    if (!_captureClean) return;

    /* ──────────────────────────────────────────────────────────
       8.  Boot — four independent timer mechanisms (B1-B4)
           Killing the watchdog requires neutralizing ALL FOUR.
       ────────────────────────────────────────────────────────── */
    if (!_DISABLE_PROACTIVE_ANTITAMPER) _installHooks();

    // Timer IDs for the watchdog — guarded against clearInterval/clearTimeout
    // SET-1: plain object replaces Set — `id in obj` and `delete obj[id]` are pure
    // language operators, completely unhookable.  Set.prototype.has/.add/.delete
    // could be spoofed via console Self-XSS to let an attacker clear our timer IDs.
    const _watchdogIds = {};   // id → 1 mapping (numeric keys, no prototype conflict)
    let _watchdogCount = 0;    // manual size counter; Set.prototype.size is a getter
    const _wdQueue = [];       // insertion-order queue for trim; closed over, no external ref
    let _wdQHead = 0;          // soft-delete head — advances past already-removed entries

    // ── Mechanism 1: setInterval (50 ms) ───────────────────────
    const _ivId = _reflectApply(_N._setInterval, window, [_tick, 50]);
    _watchdogIds[_ivId] = 1; _watchdogCount++;
    _wdQueue[_wdQueue.length] = _ivId;

    // ── Mechanism 2: recursive setTimeout (~937 ms, prime offset) ─
    //    For recursive setTimeout the timer IDs change every iteration.
    //    We cap the map to the last 16 IDs to avoid unbounded memory growth
    //    (at 937 ms cadence this is ~15 seconds of IDs — more than enough
    //    to foil an attacker who reads the current map snapshot in the
    //    brief window between when a new ID is generated and added).
    (function _stLoop() {
        _tick();
        const id = _reflectApply(_N._setTimeout, window, [_stLoop, 937]);
        _watchdogIds[id] = 1; _watchdogCount++;
        _wdQueue[_wdQueue.length] = id;
        if (_watchdogCount > 16) {
            // Trim oldest setTimeout ID: walk queue from head, skip entries already
            // deleted or matching _ivId (the setInterval ID we always keep).
            while (_wdQHead < _wdQueue.length) {
                const _old = _wdQueue[_wdQHead++];
                if (_old in _watchdogIds && _old !== _ivId) {
                    delete _watchdogIds[_old];
                    _watchdogCount--;
                    break;
                }
            }
        }
    })();

    // ── Mechanism 3: requestAnimationFrame chain ───────────────
    //    rAF cannot be killed via clearInterval/clearTimeout.
    //    Throttled to ~1 s cadence to avoid burning CPU.
    //    _rafId is tracked so the cancelAnimationFrame guard (E4)
    //    can silently ignore attempts to kill this specific chain.
    let _lastRafTick = 0, _rafId = null;
    function _rafLoop(ts) {
        if (ts - _lastRafTick >= 980) { _lastRafTick = ts; _tick(); }
        _rafId = _reflectApply(_N._requestAnimationFrame, window, [_rafLoop]);
    }
    _rafId = _reflectApply(_N._requestAnimationFrame, window, [_rafLoop]);

    // ── Mechanism 4: MessageChannel self-ping (~800 ms) ────────
    //    CRIT-5 (anti-removal hardening): completely independent of
    //    setInterval, setTimeout, and requestAnimationFrame — those
    //    three share the same underlying timer infrastructure in all
    //    current JS engines.  MessageChannel.postMessage scheduling
    //    goes through a separate queue (microtask/message-event loop)
    //    and cannot be killed by replacing window.setInterval,
    //    window.setTimeout, or window.cancelAnimationFrame.
    //    An attacker who wants to silence ALL four mechanisms must
    //    simultaneously neutralise four unrelated browser subsystems,
    //    which is not feasible from Self-XSS / extension scope.
    try {
        const _mc = new MessageChannel();
        let _lastMcTick = 0;
        _mc.port2.onmessage = function _mcLoop() {
            const _now = _reflectApply(_N.dateNow, Date, []);
            if (_now - _lastMcTick >= 800) { _lastMcTick = _now; _tick(); }
            // Re-schedule via a captured setTimeout so the interval can be
            // tuned independently; if setTimeout was killed (all IDs in
            // _watchdogIds are expired) the MessageChannel still fires once
            // more and the dead man's switch in main.js covers the rest.
            // FIX-MP: use captured _N.portPostMessage so a post-boot replacement
            // of MessagePort.prototype.postMessage cannot kill this mechanism.
            const _pmFn = _N.portPostMessage || _mc.port1.postMessage.bind(_mc.port1);
            _reflectApply(_N._setTimeout, window, [() => { _reflectApply(_pmFn, _mc.port1, [null]); }, 800]);
        };
        // FIX-MP: same rationale for the initial prime.
        const _pmFn = _N.portPostMessage || _mc.port1.postMessage.bind(_mc.port1);
        _reflectApply(_pmFn, _mc.port1, [null]); // prime the first message
    } catch { /* MessageChannel unavailable — three mechanisms still active */ }

    // ── B2: Guard clearInterval / clearTimeout ─────────────────
    //    If external code tries to clear our watchdog timer IDs,
    //    silently ignore the call. Legitimate code never targets
    //    foreign timer IDs.
    const _clearIntervalImpl = function (id) {
        if (id in _watchdogIds || id in _trapIds) return; // SET-1/2: `in` operator
        return _reflectApply(_N._clearInterval, window, [id]);
    };
    window.clearInterval = _mkProxy(_clearIntervalImpl, 'snvClearInterval');
    const _clearTimeoutImpl = function (id) {
        if (id in _watchdogIds || id in _trapIds) return; // SET-1/2: protect both watchdog and debugger-trap IDs
        return _reflectApply(_N._clearTimeout, window, [id]);
    };
    window.clearTimeout = _mkProxy(_clearTimeoutImpl, 'snvClearTimeout');

    // ── E4: Guard cancelAnimationFrame ─────────────────────────
    //    Silently ignore attempts to cancel our rAF chain ID.
    if (_N._cancelAnimationFrame) {
        const _cancelRAFImpl = function (id) {
            if (_rafId !== null && id === _rafId) return;
            return _reflectApply(_N._cancelAnimationFrame, window, [id]);
        };
        window.cancelAnimationFrame = _mkProxy(_cancelRAFImpl, 'snvCancelAnimationFrame');
    }

    // ── E6: WebSocket hook ──────────────────────────────
    //    SafeNova makes no WebSocket connections.
    //    Any attempt to open a WebSocket to an external host
    //    is blocked and triggers a threat alert.
    const _NativeWebSocket = window.WebSocket;
    if (_NativeWebSocket && _isNative(_NativeWebSocket)) {
        const _wsImpl = function (url) {
            const urlStr = '' + (url ?? ''); // STR-2: concatenation op, no String() call
            const isSameOrigin = (function () {
                try {
                    // Parse with the captured _N.URL to resist a live window.URL replacement.
                    // Compare .host (hostname + port) so wss://localhost:9999 is rejected
                    // when the page is on localhost:8080 — hostname-only checks would pass.
                    const parsed = new _N.URL(urlStr);
                    const proto = parsed.protocol;
                    if (proto !== 'ws:' && proto !== 'wss:') return false;
                    // BUG-K: _pureToLower — pure operator-level; no prototype dependency.
                    return _pureToLower(parsed.host) === _pureToLower(window.location.host);
                } catch { return false; }
            }());
            if (!isSameOrigin) {
                _triggerAlert('WebSocket to external host blocked \u2192 ' + urlStr);
                throw new Error('[SafeNova Proactive] External WebSocket blocked');
            }
            return arguments.length >= 2
                ? new _NativeWebSocket(arguments[0], arguments[1])
                : new _NativeWebSocket(arguments[0]);
        };
        window.WebSocket = _mkProxy(_wsImpl, 'snvWebSocket', _NativeWebSocket.prototype);
    }

    // ── E11: window.open — popup / navigation exfiltration ─────
    //    window.open('https://evil.com/steal?data=...') triggers a GET
    //    request that bypasses fetch/XHR/sendBeacon/WebSocket hooks.
    //    Same-origin opens (popups, _blank same-site) pass through.
    const _NativeWindowOpen = window.open;
    if (_NativeWindowOpen && _isNative(_NativeWindowOpen)) {
        const _woImpl = function (url) {
            const urlStr = '' + (url ?? '');
            if (urlStr && _isExternal(urlStr)) {
                _triggerAlert('window.open to external URL blocked \u2192 ' + urlStr);
                return null;
            }
            return _reflectApply(_NativeWindowOpen, window, arguments);
        };
        window.open = _mkProxy(_woImpl, 'snvWindowOpen');
    }

    // ── E12: EventSource — SSE-based exfiltration ───────────────
    //    new EventSource('https://evil.com/steal?data=...')  opens a
    //    persistent HTTP GET connection to an external server.
    const _NativeEventSource = window.EventSource;
    if (_NativeEventSource && _isNative(_NativeEventSource)) {
        window.EventSource = _mkProxy(_mkCtorImpl(_NativeEventSource, 'EventSource'), 'snvEventSource', _NativeEventSource.prototype);
    }

    // ── E13: Worker / SharedWorker — worker-based exfiltration ──
    //    Workers run in a separate global scope with a clean native
    //    fetch that bypasses all page-level network hooks.
    //    data: URLs inline hostile code; external URLs pull it.
    const _NativeWorker = window.Worker;
    if (_NativeWorker && _isNative(_NativeWorker)) {
        window.Worker = _mkProxy(_mkCtorImpl(_NativeWorker, 'Worker', true), 'snvWorker', _NativeWorker.prototype);
    }
    const _NativeSharedWorker = window.SharedWorker;
    if (_NativeSharedWorker && _isNative(_NativeSharedWorker)) {
        window.SharedWorker = _mkProxy(_mkCtorImpl(_NativeSharedWorker, 'SharedWorker', true), 'snvSharedWorker', _NativeSharedWorker.prototype);
    }

    // ── E13b: ServiceWorker registration — preventive block ─────
    //    A rogue SW can intercept all fetches on next page load,
    //    injecting code BEFORE daemon.js runs.  SafeNova does not
    //    use ServiceWorkers.  Block register() preventively.
    //    Existing SWs are nuked reactively in _nukeCachesAndWorkers.
    try {
        const _swcProto = navigator && navigator.serviceWorker
            && Object.getPrototypeOf(navigator.serviceWorker);
        if (_swcProto && typeof _swcProto.register === 'function') {
            const _nativeSwRegister = _swcProto.register;
            _swcProto.register = _mkProxy(function () {
                _triggerAlert('ServiceWorker registration blocked');
                return Promise.reject(
                    new Error('[SafeNova Proactive] ServiceWorker registration blocked'));
            }, 'snvSwRegister');
        }
    } catch { /* serviceWorker unavailable */ }

    // ── E14: setTimeout / setInterval string-callback guard ─────
    //    setTimeout('malicious code', n) / setInterval('...', n) are
    //    eval-equivalent.  SafeNova only ever passes function refs.
    //    String callbacks are blocked unconditionally.
    //    Daemon's own timers use _N._setTimeout/_N._setInterval
    //    directly, bypassing this hook.
    window.setTimeout = _mkProxy(_mkTimerImpl(_N._setTimeout, 'setTimeout'), 'snvSetTimeout');
    window.setInterval = _mkProxy(_mkTimerImpl(_N._setInterval, 'setInterval'), 'snvSetInterval');

    // ── E15: window.eval — indirect eval block ──────────────────
    //    Direct eval('...') in strict-mode code cannot be overridden.
    //    Indirect eval: (0,eval)('...') or window.eval('...') IS
    //    overridable — this is the attack path from DevTools console.
    //    SafeNova uses zero eval in its codebase — block all.
    if (window.eval && _isNative(window.eval)) {
        const _evalImpl = function () {
            _triggerAlert('eval() blocked \u2192 dynamic code injection detected');
            throw new Error('[SafeNova Proactive] eval() blocked');
        };
        const _snvEval = _mkProxy(_evalImpl, 'snvEval');
        try {
            // configurable:false prevents delete window.eval restoring native
            Object.defineProperty(window, 'eval', {
                configurable: false, enumerable: true, writable: false, value: _snvEval
            });
        } catch { window.eval = _snvEval; }
    }

    // ── E16: new Function() constructor — string-to-code block ──
    //    new Function('return evil()') is a second eval-equivalent.
    //    Blocked ONLY when called as a constructor (new.target is set).
    //    Plain calls without new: Function.prototype.toString, feature
    //    detection, and various browser extensions call Function() or
    //    Function.prototype.bind() etc. legitimately — these must pass.
    //    Per spec §10.2.1 the only dangerous path is `new Function(src)`.
    const _NativeFunctionCtor = window.Function;
    if (_NativeFunctionCtor && _isNative(_NativeFunctionCtor)) {
        const _fnCtorImpl = function () {
            if (new.target) {
                _triggerAlert('new Function() blocked \u2192 dynamic code injection detected');
                throw new Error('[SafeNova Proactive] new Function() blocked');
            }
            return _reflectApply(_NativeFunctionCtor, this, arguments);
        };
        const _snvFunction = _mkProxy(_fnCtorImpl, 'snvFunction', _NativeFunctionCtor.prototype);
        try {
            Object.defineProperty(window, 'Function', {
                configurable: false, enumerable: true, writable: false, value: _snvFunction
            });
        } catch { window.Function = _snvFunction; }
    }

    // ── E10: Script-element presence monitor ───────────────────
    //    BONUS (anti-removal hardening) — captures the daemon's own
    //    <script> element via document.currentScript at IIFE evaluation
    //    time, then watches document.head via MutationObserver.
    //
    //    Why: Removing the <script> tag from the DOM (DevTools Elements
    //    panel → Delete node) does NOT stop already-running JavaScript.
    //    The watchdog keeps firing.  HOWEVER it signals an attacker's
    //    intent to disable daemon.js on the NEXT page reload — removing
    //    the tag from the live document does not persist; but an attacker
    //    who discovers the daemon script path may also try to remove it
    //    via an injected fetch/XHR or service worker that patches the
    //    HTML.  Detecting the DOM removal gives an early forensic signal.
    //
    //    The observer is read-only forensics only — no false positives
    //    because legitimate extension / page code never removes our tag.
    try {
        const _ownScript = document.currentScript; // null if already async
        if (_ownScript && _N.MutationObserver) {
            const _headObserver = new _N.MutationObserver(mutations => {
                // BUG-E: indexed loops — immune to Array.prototype[Symbol.iterator]
                // and NodeList's own iterator being replaced.
                for (let _mi = 0; _mi < mutations.length; _mi++) {
                    const _removed = mutations[_mi].removedNodes;
                    for (let _ri = 0; _ri < _removed.length; _ri++) {
                        if (_removed[_ri] === _ownScript) {
                            _triggerAlert('SafeNova Proactivity removed from DOM');
                            _headObserver.disconnect();
                            return;
                        }
                    }
                }
            });
            const _headTarget = _ownScript.parentNode || document.head || document.documentElement;
            _headObserver.observe(_headTarget, { childList: true, subtree: false });
        }
    } catch { /* currentScript unavailable in module context — skip silently */ }

    // ── 8b. DOM exfiltration MutationObserver (defense-in-depth) ──
    //    Watches the entire document tree for added elements or attribute
    //    changes containing external src/href/data/on* values.
    //    Last line of defense: catches attacks that bypass property/method hooks.
    try {
        if (_N.MutationObserver) {
            const _domObserver = new _N.MutationObserver(function (mutations) {
                for (let _mi = 0; _mi < mutations.length; _mi++) {
                    const _mut = mutations[_mi];
                    if (_mut.type === 'childList') {
                        const _added = _mut.addedNodes;
                        for (let _ni = 0; _ni < _added.length; _ni++) {
                            const _node = _added[_ni];
                            if (_node.nodeType !== 1) continue;
                            _scanElementForThreats(_node);
                            // V13: Use captured Element.prototype.querySelectorAll —
                            // live method could be replaced to return empty NodeList,
                            // letting child elements of injected nodes bypass scanning.
                            const _desc = _N.elQuerySelectorAll
                                ? _reflectApply(_N.elQuerySelectorAll, _node, ['*']) : [];
                            for (let _di = 0; _di < _desc.length; _di++) {
                                _scanElementForThreats(_desc[_di]);
                            }
                        }
                    }
                    if (_mut.type === 'attributes') {
                        // BUG-K: _pureToLower — pure operator-level; no prototype dependency.
                        const _aName = _pureToLower('' + (_mut.attributeName || ''));
                        const _tgt = _mut.target;
                        if (_tgt.nodeType !== 1) continue;
                        if (_aName.length > 2 && _aName[0] === 'o' && _aName[1] === 'n') {
                            try { _reflectApply(_N.removeAttribute, _tgt, [_aName]); } catch { }
                            _triggerAlert('Inline event handler attribute changed \u2192 ' + _aName);
                            continue;
                        }
                        // <a> and <area> href changes are navigation-only — not auto-loading resources
                        if (_aName === 'href') {
                            const _tgtTag = _pureToLower('' + (_tgt.tagName || ''));
                            if (_tgtTag === 'a' || _tgtTag === 'area') continue;
                        }
                        // FIX-SS: use _RESOURCE_ATTRS_NO_SRCSET — same reason as _scanElementForThreats
                        if (_aName in _RESOURCE_ATTRS_NO_SRCSET) {
                            let _val;
                            try { _val = _reflectApply(_N.getAttribute, _tgt, [_aName]); } catch { continue; }
                            if (_isExternal('' + (_val || ''))) {
                                try { _reflectApply(_N.removeAttribute, _tgt, [_aName]); } catch { }
                                _triggerAlert('External resource attribute changed \u2192 ' + _aName + '=' + _val);
                            }
                        }
                    }
                }
            });
            _domObserver.observe(document.documentElement, {
                childList: true, subtree: true, attributes: true
            });
        }
    } catch { /* MutationObserver unavailable — other hooks still active */ }

    // ── D1: Visibility-change fast check ───────────────────────
    //    When the tab becomes visible again, run an immediate full
    //    tick so an attacker cannot exploit the ~1 s gap.
    //    CRIT-3: Use captured _N.addEventListener so a live replacement
    //    cannot prevent this fast-check from being installed.
    _reflectApply(_N.addEventListener, document, ['visibilitychange', () => {
        if (document.visibilityState === 'visible') _tick();
    }]);

})();


================================================
FILE: src/js/state.js
================================================
'use strict';

/* ============================================================
   SESSION ENCRYPTION  —  AES-256-GCM encrypted session storage

   Two distinct encryption keys are used, one per scope:

   Tab-scope  (snv-s-{cid}  in sessionStorage):
   • Encrypted with snv-sk — a per-tab AES key stored in sessionStorage.
   • snv-sk itself is wrap-encrypted with the same 3-source HKDF key
     as snv-bsk before being written to sessionStorage, so a raw dump
     of sessionStorage cannot recover the key without also possessing
     the browser fingerprint, snv-kc cookie, and SafeNovaKS IDB record.
   • Survives page refresh within the same tab; dies when the tab
     is closed (sessionStorage is wiped).

   Persistent  (snv-sb-{cid}  in localStorage)  ["Stay signed in"]:
   • Encrypted with snv-bsk — a shared AES-256-GCM key in localStorage.
   • snv-bsk itself is AES-GCM-encrypted before being stored — the
     wrapping key is derived on-the-fly via HKDF from THREE independent
     sources and NEVER written to any storage:
       1. Browser fingerprint (origin, userAgent, platform, language,
          hardwareConcurrency, colorDepth, pixelDepth) — ties sessions
          to the specific browser version and OS environment.
       2. 32 random bytes in a cookie (snv-kc, SameSite=Strict) —
          survives across sessions, isolated from localStorage.
       3. 32 random bytes in a separate IndexedDB (SafeNovaKS) —
          independent from the main SafeNovaEFS database.
     An attacker must compromise ALL three storage mechanisms
     simultaneously to reconstruct the wrap-key.
     Copying localStorage alone is useless — without the matching
     cookie AND the SafeNovaKS database AND the same browser
     fingerprint, snv-bsk is undecryptable.
     Browser updates that change the UA string will invalidate sessions;
     the user re-enters their password once and a new session is created.
   • Survives browser restarts until the 7-day TTL expires or the
     user explicitly signs out.

   Separation guarantees:
   • Tab-scope blobs → only the originating tab can decrypt them
     (key in sessionStorage, not shared).
   • Persistent blobs → any tab of the SAME browser can decrypt
     them (shared snv-bsk, same fingerprint + cookie + IDB → same wrap-key).
   • A copied localStorage is useless without the matching browser,
     cookie, and SafeNovaKS IndexedDB.
   ============================================================ */

/* ── Tab-scope session key (sessionStorage, per-tab, wrap-encrypted) ── */
let _sessionKey = null;

async function _getOrCreateSessionKey() {
    if (_sessionKey) return _sessionKey;
    // snv-sk is wrap-encrypted with the same 3-source browser wrap key as snv-bsk,
    // so a raw sessionStorage dump cannot recover the inner key without also
    // possessing the fingerprint, snv-kc cookie, and SafeNovaKS IDB record.
    const wrapKey = await _getOrCreateBrowserWrapKey();
    const stored = sessionStorage.getItem('snv-sk');
    if (stored) {
        try {
            const blobBytes = Uint8Array.from(atob(stored), ch => ch.charCodeAt(0));
            // Legacy format (pre-wrap): exactly 32 raw bytes stored plain — migrate on-the-fly
            if (blobBytes.length === 32) {
                const wrapIV = crypto.getRandomValues(new Uint8Array(12)),
                    ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: wrapIV }, wrapKey, blobBytes),
                    blob = new Uint8Array(12 + ct.byteLength);
                blob.set(wrapIV);
                blob.set(new Uint8Array(ct), 12);
                sessionStorage.setItem('snv-sk', btoa(String.fromCharCode(...blob)));
                _sessionKey = await crypto.subtle.importKey('raw', blobBytes, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
                return _sessionKey;
            }
            // Current format: IV(12) + AES-GCM(CT) wrapping the 32-byte raw key
            const iv = blobBytes.slice(0, 12), ct = blobBytes.slice(12);
            const raw = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, wrapKey, ct);
            _sessionKey = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
            return _sessionKey;
        } catch { /* corrupted or fingerprint changed — regenerate below */ }
    }
    // Generate fresh snv-sk and wrap it with the browser wrap key before storing
    const raw = crypto.getRandomValues(new Uint8Array(32)),
        wrapIV = crypto.getRandomValues(new Uint8Array(12)),
        ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: wrapIV }, wrapKey, raw),
        blob = new Uint8Array(12 + ct.byteLength);
    blob.set(wrapIV);
    blob.set(new Uint8Array(ct), 12);
    sessionStorage.setItem('snv-sk', btoa(String.fromCharCode(...blob)));
    _sessionKey = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
    return _sessionKey;
}

/* ── Browser fingerprint → HKDF wrap-key (never stored) ──
   The wrap-key is derived from THREE independent sources:
   1. Browser fingerprint (browser+OS environment, see below)
   2. Random 32-byte secret stored in a cookie (snv-kc)
   3. Random 32-byte secret stored in a SEPARATE IndexedDB (SafeNovaKS)

   An attacker must compromise ALL three storage mechanisms
   simultaneously to reconstruct the wrap-key:
   • localStorage alone is useless (no cookie or IDB secret)
   • A disk image copy lacks the cookie (browser-bound)
   • Clearing cookies or the key-store IDB invalidates the key

   Includes navigator.userAgent and navigator.platform to bind sessions
   to the specific browser version and OS. Browser updates that change
   the UA string will invalidate existing sessions — the user re-enters
   their password once and a new session is established automatically.
   Also used as the wrap key for snv-sk (sessionStorage), so both
   storage types require the same 3-source credential to recover. */
let _browserWrapKey = null;

function _getBrowserFingerprint() {
    const n = navigator, s = screen;
    return [
        window.location.origin,              // deployment-bound
        n.userAgent || '',                   // browser + OS version
        n.platform || '',                    // OS/CPU platform
        n.language || '',                    // system language
        String(n.hardwareConcurrency || 0),  // CPU core count
        String(s.colorDepth || 0),           // display bit depth
        String(s.pixelDepth || 0),
    ].join('\x00');
}

/* ── Cookie key-part (snv-kc): 32 random bytes ── */
function _readKeyPartCookie() {
    const m = document.cookie.match(/(?:^|;\s*)snv-kc=([A-Za-z0-9+/=]+)/);
    return m ? m[1] : null;
}

function _writeKeyPartCookie(b64) {
    const maxAge = 400 * 24 * 60 * 60, // ~400 days (browser max-age ceiling)
        secure = location.protocol === 'https:' ? '; Secure' : '';
    document.cookie = `snv-kc=${b64}; path=/; max-age=${maxAge}; SameSite=Strict${secure}`;
}

async function _getOrCreateKeyPartCookie() {
    InitLog.step('wrap-key: cookie part');
    const existing = _readKeyPartCookie();
    if (existing) {
        try {
            const bytes = Uint8Array.from(atob(existing), c => c.charCodeAt(0));
            if (bytes.length === 32) {
                _writeKeyPartCookie(existing); // refresh max-age
                InitLog.done('wrap-key: cookie part', 'existing');
                return bytes;
            }
        } catch { /* corrupted — regenerate */ }
    }
    const bytes = crypto.getRandomValues(new Uint8Array(32));
    _writeKeyPartCookie(btoa(String.fromCharCode(...bytes)));
    InitLog.done('wrap-key: cookie part', 'new');
    return bytes;
}

/* ── IndexedDB key-part (SafeNovaKS): 32 random bytes in an
   independent database, separate from the main SafeNovaEFS ── */
const _KS_DB_NAME = 'SafeNovaKS';
const _KS_TIMEOUT = 4000; // 4 s — abort if IDB hangs (blocked, quota, etc.)

async function _getOrCreateKeyPartIDB() {
    InitLog.step('wrap-key: SafeNovaKS IDB');
    return new Promise((resolve, reject) => {
        const timer = setTimeout(() => reject(new Error('SafeNovaKS open timeout')), _KS_TIMEOUT);
        let settled = false;
        const done = (v) => { if (!settled) { settled = true; clearTimeout(timer); InitLog.done('wrap-key: SafeNovaKS IDB'); resolve(v); } },
            fail = (e) => { if (!settled) { settled = true; clearTimeout(timer); InitLog.error('wrap-key: SafeNovaKS IDB', e); reject(e); } };

        let db;
        try {
            const req = indexedDB.open(_KS_DB_NAME, 1);
            req.onupgradeneeded = e => {
                try {
                    db = e.target.result;
                    if (!db.objectStoreNames.contains('keys'))
                        db.createObjectStore('keys', { keyPath: 'id' });
                } catch (err) { fail(err); }
            };
            req.onblocked = () => fail(new Error('SafeNovaKS blocked'));
            req.onerror = () => fail(req.error);
            req.onsuccess = e => {
                try {
                    db = e.target.result;
                    const tx = db.transaction('keys', 'readonly'),
                        get = tx.objectStore('keys').get('snv-ki');
                    get.onsuccess = () => {
                        try {
                            const rec = get.result;
                            const val = rec?.value;
                            let bytes = null, needsMigration = false;

                            if (typeof val === 'string' && val.length > 0) {
                                // Current format: base64 string — immune to cross-realm
                                // instanceof issues caused by daemon.js iframe restoration
                                try { bytes = Uint8Array.from(atob(val), c => c.charCodeAt(0)); } catch { }
                            } else if (val && typeof val === 'object') {
                                // Legacy format: raw typed array stored before base64 migration.
                                // daemon.js replaces window.Uint8Array/ArrayBuffer with iframe
                                // copies, but IDB structured clone deserializes into the original
                                // realm's constructors — instanceof fails across realms.
                                // Indexed element access (pure language operator) is realm-safe.
                                needsMigration = true;
                                const len = typeof val.length === 'number' ? val.length
                                    : typeof val.byteLength === 'number' ? val.byteLength : 0;
                                if (len === 32 && typeof val[0] === 'number') {
                                    bytes = new Uint8Array(32);
                                    for (let i = 0; i < 32; i++) bytes[i] = val[i];
                                }
                            }

                            if (bytes && bytes.length === 32) {
                                if (needsMigration) {
                                    // Migrate legacy binary → base64 for future reads
                                    const b64 = btoa(String.fromCharCode(...bytes));
                                    try {
                                        const tx2 = db.transaction('keys', 'readwrite');
                                        tx2.objectStore('keys').put({ id: 'snv-ki', value: b64 });
                                        tx2.oncomplete = () => { db.close(); done(bytes); };
                                        tx2.onerror = () => { db.close(); done(bytes); };
                                    } catch { db.close(); done(bytes); }
                                } else {
                                    db.close();
                                    done(bytes);
                                }
                            } else {
                                // Generate new key part and store as base64 string
                                const newBytes = crypto.getRandomValues(new Uint8Array(32));
                                const b64 = btoa(String.fromCharCode(...newBytes));
                                const tx2 = db.transaction('keys', 'readwrite');
                                tx2.objectStore('keys').put({ id: 'snv-ki', value: b64 });
                                tx2.oncomplete = () => { db.close(); done(newBytes); };
                                tx2.onerror = () => { db.close(); fail(tx2.error); };
                            }
                        } catch (err) { try { db.close(); } catch { } fail(err); }
                    };
                    get.onerror = () => { try { db.close(); } catch { } fail(get.error); };
                } catch (err) { try { db?.close(); } catch { } fail(err); }
            };
        } catch (err) { fail(err); }
    });
}

async function _getOrCreateBrowserWrapKey() {
    if (_browserWrapKey) return _browserWrapKey;
    InitLog.step('wrap-key: HKDF derive');

    // 1. Deterministic browser fingerprint
    const fpBytes = new TextEncoder().encode(_getBrowserFingerprint());

    // 2. Random secret from cookie
    let cookiePart;
    try { cookiePart = await _getOrCreateKeyPartCookie(); }
    catch (e) {
        InitLog.error('wrap-key: cookie part', e);
        throw new Error('Cookie key-part unavailable: ' + (e?.message || e));
    }

    // 3. Random secret from separate IndexedDB
    let idbPart;
    try { idbPart = await _getOrCreateKeyPartIDB(); }
    catch (e) {
        InitLog.error('wrap-key: SafeNovaKS IDB', e);
        throw new Error('IDB key-part unavailable: ' + (e?.message || e));
    }

    // Concatenate all three components: fingerprint \0 cookie(32) \0 idb(32)
    const combined = new Uint8Array(fpBytes.length + 1 + 32 + 1 + 32);
    combined.set(fpBytes);
    combined[fpBytes.length] = 0;
    combined.set(cookiePart, fpBytes.length + 1);
    combined[fpBytes.length + 1 + 32] = 0;
    combined.set(idbPart, fpBytes.length + 1 + 32 + 1);

    const hkdf = await crypto.subtle.importKey('raw', combined, 'HKDF', false, ['deriveKey']),
        salt = new Uint8Array(32), // all-zero deterministic salt
        info = new TextEncoder().encode('snv-browser-wrap-v3');
    _browserWrapKey = await crypto.subtle.deriveKey(
        { name: 'HKDF', hash: 'SHA-256', salt, info },
        hkdf,
        { name: 'AES-GCM', length: 256 },
        false,
        ['encrypt', 'decrypt']
    );
    InitLog.done('wrap-key: HKDF derive');
    return _browserWrapKey;
}

/* ── Browser-scope session key (localStorage, shared across all tabs, wrap-encrypted) ── */
let _browserScopeKey = null;

async function _getOrCreateBrowserScopeKey() {
    if (_browserScopeKey) return _browserScopeKey;
    InitLog.step('browser-scope-key');
    let wrapKey;
    try {
        wrapKey = await _getOrCreateBrowserWrapKey();
    } catch (e) {
        // If wrap-key derivation fails (cookie/IDB unavailable), persistent
        // sessions cannot work. Clear any stored snv-bsk and propagate.
        InitLog.error('browser-scope-key', 'wrap-key derivation failed: ' + e?.message);
        localStorage.removeItem('snv-bsk');
        throw e;
    }
    const stored = localStorage.getItem('snv-bsk');
    if (stored) {
        try {
            const blobBytes = Uint8Array.from(atob(stored), ch => ch.charCodeAt(0));
            // Legacy format (pre-fingerprint-wrap): exactly 32 raw bytes, no IV prefix.
            // Migrate on-the-fly: import the raw key, re-wrap it, overwrite localStorage.
            if (blobBytes.length === 32) {
                const legacyKey = await crypto.subtle.importKey('raw', blobBytes, { name: 'AES-GCM' }, true, ['encrypt', 'decrypt']),
                    rawExported = await crypto.subtle.exportKey('raw', legacyKey),
                    wrapIV = crypto.getRandomValues(new Uint8Array(12)),
                    ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: wrapIV }, wrapKey, rawExported),
                    newBlob = new Uint8Array(12 + ct.byteLength);
                newBlob.set(wrapIV);
                newBlob.set(new Uint8Array(ct), 12);
                localStorage.setItem('snv-bsk', btoa(String.fromCharCode(...newBlob)));
                _browserScopeKey = await crypto.subtle.importKey('raw', rawExported, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
                InitLog.done('browser-scope-key', 'legacy-migrated');
                return _browserScopeKey;
            }
            // Current format: IV(12) + AES-GCM(CT) wrapping the 32-byte raw key
            const iv = blobBytes.slice(0, 12), ct = blobBytes.slice(12);
            const raw = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, wrapKey, ct);
            _browserScopeKey = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
            InitLog.done('browser-scope-key', 'existing');
            return _browserScopeKey;
        } catch { /* corrupted, stale wrap-key, or invalid base64 — regenerate below */ }
    }
    // Generate fresh snv-bsk and wrap it with the browser-specific key before storing
    const raw = crypto.getRandomValues(new Uint8Array(32)),
        wrapIV = crypto.getRandomValues(new Uint8Array(12)),
        ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: wrapIV }, wrapKey, raw),
        blob = new Uint8Array(12 + ct.byteLength);
    blob.set(wrapIV);
    blob.set(new Uint8Array(ct), 12);
    localStorage.setItem('snv-bsk', btoa(String.fromCharCode(...blob)));
    _browserScopeKey = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
    InitLog.done('browser-scope-key', 'new');
    return _browserScopeKey;
}

// Browser-scope sessions expire after 7 days; tab-scope persist until tab closes
const SESSION_TTL_BROWSER = 7 * 24 * 60 * 60 * 1000;

async function _encryptSessionPayload(key, cid, rawKeyBytes, expiryMs) {
    const iv = crypto.getRandomValues(new Uint8Array(12)),
        payload = new Uint8Array(8 + rawKeyBytes.length);
    new DataView(payload.buffer).setBigUint64(0, BigInt(expiryMs), true);
    payload.set(rawKeyBytes, 8);
    const aad = new TextEncoder().encode('snv-session:' + cid),
        ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv, additionalData: aad }, key, payload),
        blob = new Uint8Array(12 + ct.byteLength);
    blob.set(iv);
    blob.set(new Uint8Array(ct), 12);
    return btoa(String.fromCharCode(...blob));
}

async function _decryptSessionPayload(key, cid, b64) {
    const blob = Uint8Array.from(atob(b64), ch => ch.charCodeAt(0)),
        iv = blob.slice(0, 12), ct = blob.slice(12);
    const aad = new TextEncoder().encode('snv-session:' + cid),
        dec = await crypto.subtle.decrypt({ name: 'AES-GCM', iv, additionalData: aad }, key, ct),
        payload = new Uint8Array(dec),
        expiry = Number(new DataView(payload.buffer).getBigUint64(0, true));
    if (Date.now() > expiry) return null; // expired
    return payload.slice(8); // 32-byte raw key material
}

// rawKeyBytes — Uint8Array(32) from Crypto.deriveRaw(), never the plaintext password
async function saveSession(cid, rawKeyBytes, scope) {
    if (scope === 'browser') {
        // Use the shared browser-scope key so ALL tabs can resume this session
        const key = await _getOrCreateBrowserScopeKey(),
            b64 = await _encryptSessionPayload(key, cid, rawKeyBytes, Date.now() + SESSION_TTL_BROWSER);
        localStorage.setItem('snv-sb-' + cid, b64);
        sessionStorage.removeItem('snv-s-' + cid);
    } else {
        // Use the per-tab key; only this tab can decrypt it
        const key = await _getOrCreateSessionKey(),
            b64 = await _encryptSessionPayload(key, cid, rawKeyBytes, Number.MAX_SAFE_INTEGER);
        sessionStorage.setItem('snv-s-' + cid, b64);
        localStorage.removeItem('snv-sb-' + cid);
    }
}

// Returns Uint8Array(32) raw key bytes on success, or null on failure/expiry
async function loadSession(cid) {
    // Tab-scope first — per-tab key, lives in sessionStorage
    const tabBlob = sessionStorage.getItem('snv-s-' + cid);
    if (tabBlob) {
        try {
            const key = await _getOrCreateSessionKey();
            const raw = await _decryptSessionPayload(key, cid, tabBlob);
            if (raw) { InitLog.done('loadSession', 'tab-scope OK'); return raw; }
            // null means expired
            InitLog.error('loadSession', 'tab-scope expired');
            sessionStorage.removeItem('snv-s-' + cid);
        } catch (e) {
            // Corrupted tab blob — belongs to this tab, safe to clear
            InitLog.error('loadSession', 'tab-scope error: ' + (e?.message || e));
            sessionStorage.removeItem('snv-s-' + cid);
        }
    }

    // Browser-scope — shared key, any tab can decrypt
    const browserBlob = localStorage.getItem('snv-sb-' + cid);
    if (browserBlob) {
        try {
            const key = await _getOrCreateBrowserScopeKey();
            const raw = await _decryptSessionPayload(key, cid, browserBlob);
            if (raw) { InitLog.done('loadSession', 'browser-scope OK'); return raw; }
            // null means expired
            InitLog.error('loadSession', 'browser-scope expired');
            localStorage.removeItem('snv-sb-' + cid);
        } catch (e) {
            // Corrupted blob or wrap-key unavailable — remove it
            InitLog.error('loadSession', 'browser-scope error: ' + (e?.message || e));
            localStorage.removeItem('snv-sb-' + cid);
        }
    }

    return null;
}

function clearSession(cid) {
    sessionStorage.removeItem('snv-s-' + cid);
    localStorage.removeItem('snv-sb-' + cid);
}

function hasSession(cid) {
    return !!(sessionStorage.getItem('snv-s-' + cid) || localStorage.getItem('snv-sb-' + cid));
}

/* ============================================================
   TAB SESSION GUARD
   Prevents the same container from being opened in two tabs
   simultaneously. Uses localStorage for cross-tab visibility
   and a heartbeat to detect stale (dead tab) claims.
   ============================================================ */
const _OPEN_TTL = 30000; // consider stale after 6 missed heartbeats (heartbeat = 5 s)
let _sessionHeartbeat = null;

function _openKey(cid) { return 'snv-open-' + cid; }

/** Returns true if another live tab currently has this container open. */
function _checkContainerSession(cid) {
    try {
        const raw = localStorage.getItem(_openKey(cid));
        if (!raw) return false;
        const d = JSON.parse(raw);
        return !!(d && d.tab !== _TAB_ID && (Date.now() - d.ts) < _OPEN_TTL);
    } catch { return false; }
}

/** Claim the container session for this tab and start heartbeat. */
function _startContainerSession(cid) {
    const write = () => localStorage.setItem(_openKey(cid), JSON.stringify({ tab: _TAB_ID, ts: Date.now() }));
    write();
    if (_sessionHeartbeat) clearInterval(_sessionHeartbeat);
    _sessionHeartbeat = setInterval(() => {
        if (App.container?.id === cid) write(); else _stopContainerSession(cid);
    }, 5000);
}

/** Release the container session claim for this tab. */
function _stopContainerSession(cid) {
    if (_sessionHeartbeat) { clearInterval(_sessionHeartbeat); _sessionHeartbeat = null; }
    if (!cid) return;
    try {
        const raw = localStorage.getItem(_openKey(cid));
        if (raw) {
            const d = JSON.parse(raw);
            if (d.tab === _TAB_ID) localStorage.removeItem(_openKey(cid));
        }
    } catch { localStorage.removeItem(_openKey(cid)); }
}

/** Force-claim: writes kick flag → causes the other tab to lock itself via storage event. */
function _forceClaimSession(cid) {
    localStorage.setItem(_openKey(cid), JSON.stringify({ tab: _TAB_ID, ts: Date.now(), kick: true }));
}

/* ============================================================
   APP STATE
   ============================================================ */
const App = {
    view: 'home',
    container: null,   // container metadata object
    key: null,   // CryptoKey (in-memory only, never persisted)
    folder: 'root',
    selection: new Set(),
    clipboard: null,   // { op: 'copy'|'cut', ids: [...] }
    thumbCache: {},    // nodeId → dataURL
    _winCtx: null,   // active FolderWindow context (set by FolderWindow ops)
    _ctxScreenPos: null, // screen {x,y} of last context-menu click (used to position new files/folders)

    async init() {
        InitLog.step('App.init');
        if (!window.isSecureContext || !window.crypto?.subtle) {
            const ol = document.getElementById('loading-overlay');
            if (ol) {
                const reason = !window.isSecureContext
                    ? 'Open this page over <strong style="color:var(--text)">HTTPS</strong> or <code style="color:var(--accent);font-family:monospace">localhost</code>.'
                    : 'This browser does not support the Web Crypto API.';
                ol.innerHTML = `
          <div style="text-align:center;max-width:380px;padding:0 24px">
            <svg width="44" height="44" viewBox="0 0 24 24" fill="none" style="color:#f44747;margin-bottom:16px" xmlns="http://www.w3.org/2000/svg">
              <path d="M12 2L2 20h20z" stroke="currentColor" stroke-width="1.5" stroke-linejoin="round"/>
              <path d="M12 9v5" stroke="currentColor" stroke-width="1.5" stroke-linecap="round"/>
              <circle cx="12" cy="16.5" r="0.8" fill="currentColor"/>
            </svg>
            <div style="color:var(--text);font-size:16px;font-weight:600;margin-bottom:8px">Web Crypto API unavailable</div>
            <div style="color:var(--text-dim);font-size:13px;line-height:1.7">${reason}<br>Use Chrome, Firefox, or Edge.</div>
          </div>`;
                ol.style.cssText += 'display:flex;opacity:1;pointer-events:all;';
            }
            return;
        }
        await DB.init();
        this.showView('home');
        await Home.render();
        await updateStorageInfo();
        InitLog.done('App.init');
    },

    showView(name) {
        document.querySelectorAll('.view').forEach(v => v.classList.remove('active'));
        document.getElementById('view-' + name).classList.add('active');
        this.view = name;
    },

    // Return to home WITHOUT killing the session (password stays remembered)
    async backToMenu() {
        document.title = 'SafeNova';
        // Close any open file preview or editor so decrypted data is not left visible
        if (typeof closeViewer === 'function') closeViewer();
        if (typeof discardEditor === 'function') discardEditor();
        Overlay.hide();
        if (this.container?.id) _stopContainerSession(this.container.id);
        this.key = null;
        this.container = null;
        this.folder = 'root';
        this.selection = new Set();
        this.clipboard = null;
        this.thumbCache = {};
        if (typeof _cancelThumbQueue === 'function') _cancelThumbQueue();
        this._winCtx = null;
        if (typeof WinManager !== 'undefined') WinManager.closeAll();
        if (typeof _resetContainerSettings === 'function') _resetContainerSettings();
        if (typeof Desktop !== 'undefined') {
            Desktop._desktopFolder = 'root';
            Desktop._sel = this.selection;
        }
        VFS.init();
        this.showView('home');
        await Home.render();
        await updateStorageInfo();
    },

    async lockContainer() {
        document.title = 'SafeNova';
        const cname = this.container?.name ?? null;
        // Close any open file preview or editor — critical: clears decrypted content from DOM
        if (typeof closeViewer === 'function') closeViewer();
        if (typeof discardEditor === 'function') discardEditor();
        Overlay.hide();
        // Drain the loading counter: snv:lock / dead man's switch / cross-tab kick can fire
        // mid-operation (while _appBusy > 0). Without an explicit reset, beforeunload would
        // keep showing the "unsaved changes" dialog long after the container is locked.
        while (_appBusy > 0) hideLoading();
        const cid = this.container?.id;
        if (cid) { _stopContainerSession(cid); clearSession(cid); }
        // Null out heavy blobs in the container record before releasing the key.
        // _alogZ and lazyWorkspace accumulate as persistent orphans in IDB if not
        // explicitly cleared — Chrome's lazy blob GC won't reclaim them promptly.
        // NOTE: _exportCache is intentionally kept — it allows passwordless export
        // even after lock. It is cleaned by _cleanOrphanedExportCache() on unlock
        // (if the setting was disabled) and by nukeContainer() on full delete.
        try {
            const c = this.container;
            if (c && (c._alogZ || c.lazyWorkspace)) {
                c._alogZ = null;
                c.lazyWorkspace = null;
                await DB.saveContainer(c);
            }
        } catch { /* non-critical — proceed to lock even if IDB write fails */ }
        this.key = null;
        this.container = null;
        this.folder = 'root';
        this.selection = new Set();
        this.clipboard = null;
        this.thumbCache = {};
        if (typeof _cancelThumbQueue === 'function') _cancelThumbQueue();
        this._winCtx = null;
        // Close all open folder windows
        if (typeof WinManager !== 'undefined') WinManager.closeAll();
        if (typeof _resetContainerSettings === 'function') _resetContainerSettings();
        // Reset desktop folder tracking
        if (typeof Desktop !== 'undefined') {
            Desktop._desktopFolder = 'root';
            Desktop._sel = this.selection;
        }
        VFS.init();
        this.showView('home');
        await Home.render();
        await updateStorageInfo();
        toast(cname ? `“${cname}” locked` : 'Container locked', 'info');
    }
};

/* ============================================================
   LOADING OVERLAY
   ============================================================ */
let _appBusy = 0;
function showLoading(msg = 'Processing...') {
    _appBusy++;
    document.getElementById('loading-msg').textContent = msg;
    document.getElementById('loading-overlay').classList.add('show');
}
function hideLoading() {
    _appBusy = Math.max(0, _appBusy - 1);
    document.getElementById('loading-overlay').classList.remove('show');
}

/* ============================================================
   TOAST NOTIFICATIONS
   ============================================================ */
function toast(msg, type = 'info') {
    const t = document.createElement('div');
    t.className = 'toast ' + type;
    const iconMap = {
        success: Icons.info,
        error: Icons.warning,
        warn: Icons.warning,
        info: Icons.info,
    };
    t.innerHTML = `<span style="color:var(--text-dim)">${iconMap[type] || ''}</span><span>${escHtml(msg)}</span>`;
    document.getElementById('toast-container').appendChild(t);
    setTimeout(() => t.remove(), 3200);
}

/* ============================================================
   MODAL OVERLAY HELPER
   ============================================================ */
const Overlay = {
    current: null,
    _hideTimer: null,

    show(modalId) {
        // Cancel any pending hide so the modal doesn't get wiped by a deferred setTimeout
        if (this._hideTimer) { clearTimeout(this._hideTimer); this._hideTimer = null; }
        const ov = document.getElementById('modal-overlay');
        ov.querySelectorAll('.modal').forEach(m => m.style.display = 'none');
        const m = document.getElementById(modalId);
        if (m) m.style.display = 'flex';
        ov.classList.add('show');
        this.current = modalId;
    },

    hide() {
        document.getElementById('modal-overlay').classList.remove('show');
        this._hideTimer = setTimeout(() => {
            this._hideTimer = null;
            document.getElementById('modal-overlay')
                .querySelectorAll('.modal').forEach(m => m.style.display = 'none');
        }, 200);
        this.current = null;
        // If cancelled from a FolderWindow context — restore main desktop state
        if (App._winCtx !== null) {
            App._winCtx = null;
            if (typeof Desktop !== 'undefined') {
                App.folder = Desktop._desktopFolder;
                App.selection = Desktop._sel;
            }
        }
    }
};

/* ============================================================
   STORAGE INFO  —  20 GB device limit + low-space warnings
   ============================================================ */
let _storageWarnShown = false;

async function updateStorageInfo() {
    try {
        if (!navigator.storage?.estimate) return;
        const est = await navigator.storage.estimate();
        const used = est.usage || 0,
            quota = est.quota || 0;

        // Cap the visual scale at DEVICE_LIMIT (20 GB).
        // available = free space remaining within SafeNova's own limit,
        // not the full browser quota — other origin data is irrelevant here.
        const displayMax = Math.min(quota > 0 ? quota : DEVICE_LIMIT, DEVICE_LIMIT),
            available = displayMax - used,
            pct = displayMax > 0 ? Math.min((used / displayMax) * 100, 100) : 0;

        const fill = document.getElementById('storage-bar-fill'),
            txt = document.getElementById('storage-text');
        if (fill) {
            fill.style.width = pct + '%';
            fill.className = 'storage-bar-fill' + (pct > 90 ? ' danger' : pct > 70 ? ' warn' : '');
        }
        if (txt) txt.textContent = `${fmtSize(used)} / ${fmtSize(displayMax)}  ·  ${fmtSize(available)} free`;

        // Storage warning banner
        const banner = document.getElementById('storage-warning-banner');
        if (banner) {
            if (available < 200 * 1024 * 1024) {        // < 200 MB
                banner.querySelector('span').textContent =
                    `Critical: only ${fmtSize(available)} of storage remaining on this device. Data may not be saved.`;
                banner.classList.add('show');
            } else if (available < 1 * 1024 * 1024 * 1024) { // < 1 GB
                banner.querySelector('span').textContent =
                    `Low storage: ${fmtSize(available)} remaining on this device.`;
                banner.classList.add('show');
            } else {
                banner.classList.remove('show');
            }
        }

        // One-time toast for low storage
        if (!_storageWarnShown && available < 500 * 1024 * 1024) {
            _storageWarnShown = true;
            if (available < 100 * 1024 * 1024) {
                toast(`Critical: only ${fmtSize(available)} free on this device!`, 'error');
            } else {
                toast(`Low storage: ${fmtSize(available)} remaining.`, 'warn');
            }
        }

        // TrueWebCrypt containers usage
        const containers = await DB.getContainers(),
            twcUsed = containers.reduce((s, c) => s + (c.totalSize || 0), 0),
            twcPct = displayMax > 0 ? Math.min((twcUsed / displayMax) * 100, 100) : 0,
            twcFill = document.getElementById('twc-bar-fill'),
            twcTxt = document.getElementById('twc-text');
        if (twcFill) twcFill.style.width = twcPct + '%';
        if (twcTxt) twcTxt.textContent = `${fmtSize(twcUsed)} in ${containers.length} container${containers.length !== 1 ? 's' : ''}`;
    } catch (e) { /* silently ignore — storage API may be restricted */ }
}

/* ============================================================
   CHECK DEVICE STORAGE BEFORE WRITE
   Returns { ok: bool, available: number }
   ============================================================ */
async function checkStorageSpace(needed) {
    try {
        if (!navigator.storage?.estimate) return { ok: true, available: Infinity };
        const est = await navigator.storage.estimate(),
            quota = est.quota || 0,
            used = est.usage || 0,
            // Check against SafeNova's 20 GB limit (capped at device quota if lower)
            displayMax = Math.min(quota > 0 ? quota : DEVICE_LIMIT, DEVICE_LIMIT),
            available = displayMax - used;
        // Keep 50 MB safety margin
        if (available - needed < 50 * 1024 * 1024) {
            return { ok: false, available };
        }
        return { ok: true, available };
    } catch { return { ok: true, available: Infinity }; }
}


================================================
FILE: src/js/vfs.js
================================================
'use strict';

/* ============================================================
   VFS  —  Virtual File System (in-memory, serialized encrypted)
   ============================================================ */
const VFS = (() => {
    let _nodes = {};  // id → Node
    let _pos = {};  // parentId → { nodeId: {x, y} }
    let _childIndex = {};  // parentId → Set<childId> — O(1) children lookup

    function _rebuildChildIndex() {
        _childIndex = {};
        for (const id of Object.keys(_nodes)) {
            if (id === 'root') continue;
            const pid = _nodes[id].parentId;
            if (pid != null) {
                if (!_childIndex[pid]) _childIndex[pid] = new Set();
                _childIndex[pid].add(id);
            }
        }
    }

    function init() {
        _nodes = { root: { id: 'root', type: 'folder', name: '/', parentId: null, ctime: Date.now(), mtime: Date.now() } };
        _pos = { root: {} };
        _childIndex = {};
    }

    function fromObj(obj) {
        _nodes = obj.nodes || {};
        _pos = obj.pos || {};
        if (!_nodes.root) _nodes.root = { id: 'root', type: 'folder', name: '/', parentId: null, ctime: Date.now(), mtime: Date.now() };
        if (!_pos.root) _pos.root = {};
        // Integrity repair pass 1: reattach orphaned nodes whose parentId points to non-existent node
        Object.values(_nodes).forEach(n => {
            if (n.id !== 'root' && n.parentId && !_nodes[n.parentId]) {
                console.warn('VFS: orphaned node', n.id, '— reattaching to root');
                n.parentId = 'root';
            }
        });
        // Integrity repair pass 2: detect and break real parent→child cycles
        // For each node walk the ancestor chain; if we revisit any node in the same chain → cycle
        Object.keys(_nodes).forEach(id => {
            if (id === 'root') return;
            const chain = new Set();
            let cur = id;
            while (cur && cur !== 'root') {
                if (chain.has(cur)) {
                    console.warn('VFS: cycle detected at node', cur, '— reattaching to root');
                    _nodes[cur].parentId = 'root';
                    break;
                }
                if (!_nodes[cur]) break;
                chain.add(cur);
                cur = _nodes[cur].parentId;
            }
        });
        // Integrity repair pass 3: prune _pos entries whose parent or child node no longer exists
        for (const pid of Object.keys(_pos)) {
            if (pid !== 'root' && !_nodes[pid]) { delete _pos[pid]; continue; }
            for (const nid of Object.keys(_pos[pid] || {})) {
                if (!_nodes[nid]) delete _pos[pid][nid];
            }
        }
        // Rebuild O(1) children index after loading + all repairs
        _rebuildChildIndex();
    }

    function toObj() { return { nodes: _nodes, pos: _pos }; }

    function children(pid) {
        const ids = _childIndex[pid];
        if (!ids || ids.size === 0) return [];
        const result = [];
        for (const id of ids) { if (_nodes[id]) result.push(_nodes[id]); }
        return result;
    }

    function getPos(pid, nid) { return (_pos[pid] || {})[nid] || null; }
    function setPos(pid, nid, x, y) {
        if (!_pos[pid]) _pos[pid] = {};
        // Always snap to the current grid so sub-pixel drift and legacy off-grid positions
        // are corrected at write time. Math.round handles both truncation and rounding.
        const sx = 8 + Math.max(0, Math.round((Math.round(x) - 8) / GRID_X)) * GRID_X,
            sy = 8 + Math.max(0, Math.round((Math.round(y) - 8) / GRID_Y)) * GRID_Y;
        _pos[pid][nid] = { x: sx, y: sy };
    }
    function delPos(pid, nid) { if (_pos[pid]) delete _pos[pid][nid]; }

    function add(nd) {
        if (!nd?.id || nd.id === 'root' || !['file', 'folder'].includes(nd.type)) return;
        _nodes[nd.id] = nd;
        if (!_pos[nd.id] && nd.type === 'folder') _pos[nd.id] = {};
        // Maintain child index
        if (nd.parentId != null) {
            if (!_childIndex[nd.parentId]) _childIndex[nd.parentId] = new Set();
            _childIndex[nd.parentId].add(nd.id);
        }
    }

    function remove(id, _visited = new Set()) {
        if (_visited.has(id)) return;
        _visited.add(id);
        const n = _nodes[id]; if (!n) return;
        if (n.type === 'folder') {
            children(id).forEach(c => remove(c.id, _visited));
            delete _pos[id];
            delete _childIndex[id];
        }
        delPos(n.parentId, id);
        if (_childIndex[n.parentId]) _childIndex[n.parentId].delete(id);
        delete _nodes[id];
    }

    function rename(id, newName) {
        const n = _nodes[id];
        if (id !== 'root' && n) {
            n.name = newName;
            n.mtime = Date.now();
            // Refresh mime when the file extension changes so icon and viewer
            // reflect the new type rather than the original upload type.
            if (n.type === 'file' && typeof getMime === 'function') {
                n.mime = getMime(newName);
            }
        }
    }

    function move(id, newParentId) {
        const n = _nodes[id]; if (!n || !_nodes[newParentId]) return 'not_found';
        if (id === 'root' || _nodes[newParentId].type !== 'folder') return 'not_found';
        // prevent move into self or descendant — visited Set guards against corrupt-data infinite loops
        let c = newParentId;
        const _mv = new Set();
        while (c) {
            if (c === id) return 'cycle';
            if (_mv.has(c)) break;
            _mv.add(c);
            c = (_nodes[c] || {}).parentId;
        }
        // prevent duplicate name in destination
        if (children(newParentId).some(s => s.id !== id && s.name.toLowerCase() === n.name.toLowerCase())) return 'duplicate';
        const oldParentId = n.parentId;
        delPos(n.parentId, id);
        n.parentId = newParentId;
        n.mtime = Date.now();
        // Update child indexes
        if (_childIndex[oldParentId]) _childIndex[oldParentId].delete(id);
        if (!_childIndex[newParentId]) _childIndex[newParentId] = new Set();
        _childIndex[newParentId].add(id);
        return 'ok';
    }

    function totalSize() {
        let sum = 0;
        for (const id in _nodes) {
            const n = _nodes[id];
            if (n.type === 'file' && Number.isFinite(n.size)) sum += n.size;
        }
        return sum;
    }

    function breadcrumb(folderId) {
        const path = [], visited = new Set(); let cur = folderId;
        while (cur && !visited.has(cur)) {
            visited.add(cur);
            path.unshift(_nodes[cur]);
            cur = (_nodes[cur] || {}).parentId;
        }
        return path;
    }

    function fullPath(nodeId) {
        const parts = [], visited = new Set();
        let cur = nodeId;
        while (cur) {
            if (visited.has(cur)) break; // cycle guard
            visited.add(cur);
            const n = _nodes[cur];
            if (!n) break;
            if (n.id === 'root') break;
            parts.unshift(n.name);
            cur = n.parentId;
        }
        return '/~/' + (App.container ? App.container.name : '') + (parts.length ? '/' + parts.join('/') : '');
    }

    function autoPos(pid, idx, area) {
        const W = (area && area.clientWidth) || 800,
            cols = Math.max(1, Math.floor((W - 16) / GRID_X));
        // Build set of occupied grid cells
        const occupied = new Set();
        Object.values(_pos[pid] || {}).forEach(p => {
            const cx = Math.round((p.x - 8) / GRID_X),
                cy = Math.round((p.y - 8) / GRID_Y);
            occupied.add(`${cx}_${cy}`);
        });
        // Row-by-row scan for first free cell
        for (let row = 0; row < 10000; row++) {
            for (let col = 0; col < cols; col++) {
                if (!occupied.has(`${col}_${row}`)) return { x: 8 + col * GRID_X, y: 8 + row * GRID_Y };
            }
        }
        const col = idx % cols, row = Math.floor(idx / cols);
        return { x: 8 + col * GRID_X, y: 8 + row * GRID_Y };
    }

    function node(id) { return _nodes[id]; }

    function hasChildNamed(pid, name) {
        const lower = name.toLowerCase();
        return children(pid).some(n => n.name.toLowerCase() === lower);
    }

    function wouldCycle(id, newParentId) {
        let c = newParentId;
        const _wc = new Set();
        while (c) {
            if (c === id) return true;
            if (_wc.has(c)) break;
            _wc.add(c);
            c = (_nodes[c] || {}).parentId;
        }
        return false;
    }

    function remapPositions(oldGX, oldGY, newGX, newGY) {
        if (oldGX === newGX && oldGY === newGY) return;
        for (const pid of Object.keys(_pos)) {
            const map = _pos[pid];
            for (const nid of Object.keys(map)) {
                const p = map[nid];
                const cx = Math.round((p.x - 8) / oldGX),
                    cy = Math.round((p.y - 8) / oldGY);
                map[nid] = { x: 8 + cx * newGX, y: 8 + cy * newGY };
            }
        }
    }

    // ── Integrity checker ──────────────────────────────────────
    // Returns array of step results: [{ name, status:'pass'|'warn'|'fail', detail, issues[], fixed[] }]
    // When repair=true, fixes issues in-place. Synchronous (VFS structure only).
    function check(repair) {
        const steps = [];

        function step(name, fn, informational = false) {
            const issues = [], fixed = [],
                log = (sev, msg) => issues.push({ sev, msg }),
                fix = (msg) => fixed.push(msg);
            fn(log, fix);
            const hasCrit = issues.some(i => i.sev === 'critical'),
                status = issues.length === 0 ? 'pass' : hasCrit ? 'fail' : 'warn',
                detail = issues.length === 0 ? 'OK' : `${issues.length} issue${issues.length !== 1 ? 's' : ''}${repair && fixed.length ? `, ${fixed.length} fixed` : ''}`;
            steps.push({ name, status, detail, issues, fixed, informational });
        }

        // 1. Root node & position map
        step('Root node integrity', (log, fix) => {
            if (!_nodes.root) {
                log('critical', 'Root node missing');
                if (repair) { _nodes.root = { id: 'root', type: 'folder', name: '/', parentId: null, ctime: Date.now(), mtime: Date.now() }; fix('Recreated root node'); }
            } else {
                if (_nodes.root.parentId !== null) {
                    log('warn', 'Root has non-null parentId');
                    if (repair) { _nodes.root.parentId = null; fix('Set root parentId to null'); }
                }
                if (_nodes.root.type !== 'folder') {
                    log('critical', 'Root node type is not folder');
                    if (repair) { _nodes.root.type = 'folder'; fix('Fixed root type to folder'); }
                }
            }
            if (!_pos.root) {
                log('warn', 'Root position map missing');
                if (repair) { _pos.root = {}; fix('Recreated root position map'); }
            }
        });

        const allIds = Object.keys(_nodes);

        // 2. Node required fields
        step('Node field validation', (log, fix) => {
            const _now = Date.now();
            for (const id of allIds) {
                const n = _nodes[id];
                if (!n.id || n.id !== id) {
                    log('critical', `Node "${id}": id mismatch or missing`);
                    if (repair) { n.id = id; fix(`Fixed id for "${id}"`); }
                }
                if (id !== 'root' && !n.name) {
                    log('warn', `Node "${id}": name missing`);
                    if (repair) { n.name = 'Recovered_' + id.slice(0, 6); fix(`Set fallback name for "${id}"`); }
                }
                if (!n.type || !['file', 'folder'].includes(n.type)) {
                    log('warn', `Node "${id}": invalid type "${n.type}"`);
                    if (repair) { n.type = 'file'; fix(`Set type to file for "${id}"`); }
                }
                if (id !== 'root') {
                    const badCtime = !n.ctime || typeof n.ctime !== 'number' || n.ctime <= 0 || !isFinite(n.ctime),
                        badMtime = !n.mtime || typeof n.mtime !== 'number' || n.mtime <= 0 || !isFinite(n.mtime);
                    if (badCtime) {
                        log('warn', `"${n.name || id}": missing or invalid ctime`);
                        if (repair) { n.ctime = _now; fix(`Restored ctime for "${n.name || id}"`); }
                    }
                    if (badMtime) {
                        log('warn', `"${n.name || id}": missing or invalid mtime`);
                        if (repair) { n.mtime = n.ctime || _now; fix(`Restored mtime for "${n.name || id}"`); }
                    }
                }
            }
        });

        // 3. Node ID format validation
        step('Node ID format validation', (log, fix) => {
            const uuidRe = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
                fallbackRe = /^[0-9a-z]{6,20}$/i;
            let badCount = 0;
            for (const id of allIds) {
                if (id === 'root') continue;
                if (!uuidRe.test(id) && !fallbackRe.test(id)) {
                    badCount++;
                    log('warn', `"${id.slice(0, 24)}${id.length > 24 ? '…' : ''}": malformed node ID`);
                    if (repair) {
                        const n = _nodes[id], newId = (typeof crypto !== 'undefined' && crypto.randomUUID) ? crypto.randomUUID() : Date.now().toString(36) + Math.random().toString(36).slice(2);
                        n.id = newId;
                        _nodes[newId] = n;
                        delete _nodes[id];
                        // Update children referencing old ID as parent
                        for (const cid of Object.keys(_nodes)) {
                            if (_nodes[cid].parentId === id) _nodes[cid].parentId = newId;
                        }
                        // Migrate position data
                        if (_pos[id]) { _pos[newId] = _pos[id]; delete _pos[id]; }
                        for (const pid of Object.keys(_pos)) {
                            if (_pos[pid][id]) { _pos[pid][newId] = _pos[pid][id]; delete _pos[pid][id]; }
                        }
                        fix(`Reassigned ID for "${n.name || newId}"`);
                    }
                }
            }
        });

        // 4. Timestamp anomaly detection — when >50% of nodes share an identical ctime,
        //    it indicates a bulk-import or corruption event. On repair, spread those ctimes
        //    across a 1-second window so each node gets a unique, meaningful timestamp.
        step('Timestamp anomaly detection', (log, fix) => {
            if (allIds.length < 20) return;
            const ctimeMap = new Map();
            for (const id of allIds) {
                if (id === 'root') continue;
                const ct = _nodes[id].ctime;
                if (ct) ctimeMap.set(ct, (ctimeMap.get(ct) || 0) + 1);
            }
            let maxCluster = 0, maxTime = 0;
            for (const [t, count] of ctimeMap) {
                if (count > maxCluster) { maxCluster = count; maxTime = t; }
            }
            const total = allIds.length - 1;
            if (maxCluster > total * 0.5 && maxCluster > 50) {
                log('warn', `${maxCluster} of ${total} nodes share identical ctime (${new Date(maxTime).toISOString()}) — possible bulk-import or VFS corruption`);
                if (repair) {
                    // Spread affected nodes across 1-second window (1 ms apart) so each gets unique ctime
                    const base = Date.now();
                    let offset = 0;
                    for (const id of allIds) {
                        if (id === 'root') continue;
                        if (_nodes[id].ctime === maxTime) {
                            _nodes[id].ctime = base + offset;
                            if (!_nodes[id].mtime || _nodes[id].mtime === maxTime) _nodes[id].mtime = base + offset;
                            offset++;
                        }
                    }
                    fix(`Spread ${maxCluster} identical ctimes across a 1-second window`);
                }
            }
        });

        // 5. File name validation
        step('File name validation', (log, fix) => {
            for (const id of allIds) {
                if (id === 'root') continue;
                const n = _nodes[id];
                if (typeof n.name === 'string') {
                    if (n.name.trim() === '') {
                        log('warn', `Node "${id}": name is empty/whitespace`);
                        if (repair) { n.name = 'Unnamed_' + id.slice(0, 6); fix(`Set fallback name for "${id}"`); }
                    } else if (n.name.length > 255) {
                        log('warn', `"${n.name.slice(0, 30)}...": name exceeds 255 chars`);
                        if (repair) { n.name = n.name.slice(0, 200) + '…'; fix(`Truncated name of "${id}"`); }
                    } else if (/[<>:"/\\|?*\x00-\x1f]/.test(n.name)) {
                        log('warn', `"${n.name}": contains invalid characters`);
                        if (repair) { n.name = n.name.replace(/[<>:"/\\|?*\x00-\x1f]/g, '_'); fix(`Sanitized name of "${id}"`); }
                    }
                }
            }
        });

        // 6. Orphaned nodes (parentId → non-existent node)
        step('Orphaned node detection', (log, fix) => {
            for (const id of allIds) {
                if (id === 'root') continue;
                const n = _nodes[id];
                if (n.parentId && !_nodes[n.parentId]) {
                    log('critical', `"${n.name || id}": parent "${n.parentId}" does not exist`);
                    if (repair) { n.parentId = 'root'; fix(`Reattached "${n.name || id}" to root`); }
                }
                if (!n.parentId) {
                    log('warn', `"${n.name || id}": missing parentId`);
                    if (repair) { n.parentId = 'root'; fix(`Assigned parentId=root for "${n.name || id}"`); }
                }
            }
        });

        // 7. Parent type validation — parent must be a folder
        step('Parent type validation', (log, fix) => {
            for (const id of allIds) {
                if (id === 'root') continue;
                const n = _nodes[id];
                const parent = _nodes[n.parentId];
                if (parent && parent.type !== 'folder') {
                    log('critical', `"${n.name || id}": parent "${parent.name || n.parentId}" is not a folder`);
                    if (repair) { n.parentId = 'root'; fix(`Reattached "${n.name || id}" to root (parent was a file)`); }
                }
            }
        });

        // 8. Cycle detection + 9. Reachability (combined O(n) with memoization)
        //    Each node is visited at most twice (once for cycle check, once for reachability cache)
        step('Parent-child cycle detection', (log, fix) => {
            // Phase A: detect and break cycles
            const visiting = new Set(), safe = new Set(['root']);
            for (const id of allIds) {
                if (id === 'root' || safe.has(id)) continue;
                const path = [];
                let cur = id;
                while (cur && cur !== 'root' && !safe.has(cur)) {
                    if (visiting.has(cur)) {
                        // Cycle found — break at this node
                        log('critical', `Cycle at "${_nodes[cur]?.name || cur}"`);
                        if (repair) { _nodes[cur].parentId = 'root'; fix(`Broke cycle: reattached "${_nodes[cur]?.name || cur}" to root`); }
                        break;
                    }
                    visiting.add(cur);
                    path.push(cur);
                    if (!_nodes[cur]) break;
                    cur = _nodes[cur].parentId;
                }
                // Mark entire path as safe (regardless of how the chain ended)
                for (const p of path) { safe.add(p); visiting.delete(p); }
            }
        });

        step('Node reachability analysis', (log, fix) => {
            // Phase B: check reachability with cache (O(n) amortized)
            const reachCache = new Map(); // id → boolean
            reachCache.set('root', true);
            function isReachable(nid) {
                if (reachCache.has(nid)) return reachCache.get(nid);
                const chain = [];
                let cur = nid;
                while (cur && !reachCache.has(cur)) {
                    chain.push(cur);
                    cur = _nodes[cur]?.parentId;
                }
                const result = cur ? (reachCache.get(cur) || false) : false;
                for (const c of chain) reachCache.set(c, result);
                return result;
            }
            for (const id of allIds) {
                if (id === 'root') continue;
                if (!isReachable(id)) {
                    log('warn', `"${_nodes[id]?.name || id}" is unreachable from root`);
                    if (repair) {
                        _nodes[id].parentId = 'root';
                        reachCache.set(id, true);
                        fix(`Reattached unreachable "${_nodes[id]?.name || id}" to root`);
                    }
                }
            }
        });

        // 10. Timestamp validation
        step('Timestamp integrity', (log, fix) => {
            const now = Date.now(), futureThreshold = now + 86400000;
            for (const id of allIds) {
                const n = _nodes[id];
                if (!n.ctime || typeof n.ctime !== 'number' || n.ctime <= 0) {
                    log('warn', `"${n.name || id}": invalid ctime`);
                    if (repair) { n.ctime = now; fix(`Fixed ctime for "${n.name || id}"`); }
                } else if (n.ctime > futureThreshold) {
                    log('warn', `"${n.name || id}": ctime is in the future`);
                    if (repair) { n.ctime = now; fix(`Reset future ctime for "${n.name || id}"`); }
                }
                if (!n.mtime || typeof n.mtime !== 'number' || n.mtime <= 0) {
                    log('warn', `"${n.name || id}": invalid mtime`);
                    if (repair) { n.mtime = now; fix(`Fixed mtime for "${n.name || id}"`); }
                } else if (n.mtime > futureThreshold) {
                    log('warn', `"${n.name || id}": mtime is in the future`);
                    if (repair) { n.mtime = now; fix(`Reset future mtime for "${n.name || id}"`); }
                }
                if (n.mtime && n.ctime && n.mtime < n.ctime) {
                    log('warn', `"${n.name || id}": mtime is earlier than ctime`);
                    if (repair) { n.mtime = n.ctime; fix(`Corrected mtime for "${n.name || id}"`); }
                }
            }
        });

        // 11. File size & folder size validation
        step('File size validation', (log, fix) => {
            for (const id of allIds) {
                const n = _nodes[id];
                if (n.type === 'file') {
                    if (n.size !== undefined && (!Number.isFinite(n.size) || n.size < 0)) {
                        log('warn', `"${n.name || id}": invalid size ${n.size}`);
                        if (repair) { n.size = 0; fix(`Reset size for "${n.name || id}"`); }
                    }
                    if (n.size === undefined) {
                        log('warn', `"${n.name || id}": missing size property`);
                        if (repair) { n.size = 0; fix(`Set size=0 for "${n.name || id}"`); }
                    }
                }
                if (n.type === 'folder' && n.size !== undefined) {
                    log('warn', `Folder "${n.name || id}": has size property`);
                    if (repair) { delete n.size; fix(`Removed size from folder "${n.name || id}"`); }
                }
            }
        });

        // 12. File MIME type check
        step('File metadata validation', (log, fix) => {
            const allowed = new Set(['id', 'name', 'type', 'parentId', 'ctime', 'mtime', 'size', 'mime', 'color']);
            for (const id of allIds) {
                const n = _nodes[id];
                if (n.type === 'file') {
                    if (n.mime !== undefined && typeof n.mime !== 'string') {
                        log('warn', `"${n.name || id}": invalid mime type`);
                        if (repair) { delete n.mime; fix(`Removed invalid mime for "${n.name || id}"`); }
                    }
                }
                for (const key of Object.keys(n)) {
                    if (!allowed.has(key)) {
                        log('warn', `"${n.name || id}": unexpected property "${key}"`);
                        if (repair) { delete n[key]; fix(`Removed unknown property "${key}" from "${n.name || id}"`); }
                    }
                }
            }
        });

        // 13. Duplicate names in same parent
        step('Duplicate name detection', (log, fix) => {
            const parentChildren = {};
            for (const id of allIds) {
                if (id === 'root') continue;
                const pid = _nodes[id].parentId;
                if (!parentChildren[pid]) parentChildren[pid] = [];
                parentChildren[pid].push(_nodes[id]);
            }
            for (const pid of Object.keys(parentChildren)) {
                const seen = new Map();
                for (const n of parentChildren[pid]) {
                    const lower = n.name?.toLowerCase();
                    if (seen.has(lower)) {
                        log('warn', `Duplicate "${n.name}" in "${_nodes[pid]?.name || pid}"`);
                        if (repair) {
                            let counter = 2, base = n.name, ext = '';
                            const dotIdx = base.lastIndexOf('.');
                            if (n.type === 'file' && dotIdx > 0) { ext = base.slice(dotIdx); base = base.slice(0, dotIdx); }
                            while (parentChildren[pid].some(s => s.name.toLowerCase() === (base + ' (' + counter + ')' + ext).toLowerCase())) counter++;
                            n.name = base + ' (' + counter + ')' + ext;
                            fix(`Renamed duplicate to "${n.name}"`);
                        }
                    } else {
                        seen.set(lower, n);
                    }
                }
            }
        });

        // 14. Empty folder chains (folder containing only empty folders, depth > 5, read-only)
        step('Empty folder chain detection', (log) => {
            const childCount = {}, folderKids = new Map();
            for (const id of allIds) {
                if (id === 'root') continue;
                const pid = _nodes[id].parentId;
                if (!childCount[pid]) childCount[pid] = { files: 0, folders: 0 };
                if (_nodes[id].type === 'file') childCount[pid].files++;
                else {
                    childCount[pid].folders++;
                    if (!folderKids.has(pid)) folderKids.set(pid, []);
                    folderKids.get(pid).push(id);
                }
            }
            // Iterative post-order DFS — no recursion to avoid stack overflow on deep chains
            const emptyCache = new Map();
            for (const startId of allIds) {
                if (_nodes[startId]?.type !== 'folder' || startId === 'root') continue;
                if (emptyCache.has(startId)) continue;
                const stack = [{ id: startId, childIdx: 0 }];
                while (stack.length) {
                    const top = stack[stack.length - 1];
                    const kids = folderKids.get(top.id) || [];
                    let pushed = false;
                    while (top.childIdx < kids.length) {
                        const kid = kids[top.childIdx++];
                        if (!emptyCache.has(kid) && _nodes[kid]?.type === 'folder') {
                            stack.push({ id: kid, childIdx: 0 });
                            pushed = true;
                            break;
                        }
                    }
                    if (!pushed) {
                        stack.pop();
                        const cc = childCount[top.id];
                        if (!cc || (cc.files === 0 && cc.folders === 0)) {
                            emptyCache.set(top.id, 1);
                        } else if (cc.files > 0) {
                            emptyCache.set(top.id, 0);
                        } else {
                            let maxD = 0;
                            for (const sub of (folderKids.get(top.id) || [])) maxD = Math.max(maxD, emptyCache.get(sub) || 0);
                            emptyCache.set(top.id, maxD > 0 ? maxD + 1 : 0);
                        }
                    }
                }
            }
            for (const id of allIds) {
                if (_nodes[id]?.type !== 'folder' || id === 'root') continue;
                const d = emptyCache.get(id) || 0;
                if (d > 5) log('warn', `"${_nodes[id].name}": empty folder chain ${d} levels deep`);
            }
        }, true);

        // 15. Stale position entries
        step('Position table cleanup', (log, fix) => {
            for (const pid of Object.keys(_pos)) {
                if (pid !== 'root' && !_nodes[pid]) {
                    log('warn', `Position map for deleted folder "${pid}"`);
                    if (repair) { delete _pos[pid]; fix(`Removed stale position map "${pid}"`); }
                    continue;
                }
                for (const nid of Object.keys(_pos[pid] || {})) {
                    if (!_nodes[nid]) {
                        log('warn', `Position for deleted node "${nid}"`);
                        if (repair) { delete _pos[pid][nid]; fix(`Removed stale position "${nid}"`); }
                    } else if (_nodes[nid].parentId !== pid) {
                        log('warn', `"${_nodes[nid]?.name || nid}" positioned in wrong folder`);
                        if (repair) { delete _pos[pid][nid]; fix(`Removed misplaced position for "${_nodes[nid]?.name || nid}"`); }
                    }
                }
            }
        });

        // 16. Missing position maps for folders
        step('Folder position maps', (log, fix) => {
            for (const id of allIds) {
                if (_nodes[id].type === 'folder' && !_pos[id]) {
                    log('warn', `Folder "${_nodes[id].name || id}" has no position map`);
                    if (repair) { _pos[id] = {}; fix(`Created position map for "${_nodes[id].name || id}"`); }
                }
            }
        });

        // 17. Position completeness — only flag if the parent folder has been visited
        // Positions are lazily assigned when a folder is first opened.
        // Files in never-opened folders naturally have no position yet — not an error.
        step('Position entry completeness', (log, fix) => {
            for (const id of allIds) {
                if (id === 'root') continue;
                const pid = _nodes[id].parentId;
                if (!pid || !_pos[pid]) continue;
                const posMap = _pos[pid];
                // If no siblings have positions, the folder was never opened — skip
                if (Object.keys(posMap).length === 0) continue;
                if (!posMap[id]) {
                    log('warn', `"${_nodes[id]?.name || id}" has no position in parent folder`);
                    if (repair) {
                        const ap = autoPos(pid, 0, null);
                        _pos[pid][id] = { x: ap.x, y: ap.y };
                        fix(`Auto-positioned "${_nodes[id]?.name || id}"`);
                    }
                }
            }
        });

        // 18. Position collisions
        step('Position collision detection', (log, fix) => {
            for (const pid of Object.keys(_pos)) {
                const cellMap = new Map();
                for (const nid of Object.keys(_pos[pid] || {})) {
                    const p = _pos[pid][nid];
                    const key = `${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`;
                    if (cellMap.has(key)) {
                        log('warn', `Collision: "${_nodes[nid]?.name || nid}" and "${_nodes[cellMap.get(key)]?.name || cellMap.get(key)}"`);
                        if (repair) {
                            const newP = autoPos(pid, 0, null);
                            _pos[pid][nid] = { x: newP.x, y: newP.y };
                            fix(`Relocated "${_nodes[nid]?.name || nid}"`);
                        }
                    } else {
                        cellMap.set(key, nid);
                    }
                }
            }
        });

        // 19. Grid alignment
        step('Grid alignment verification', (log, fix) => {
            for (const pid of Object.keys(_pos)) {
                for (const nid of Object.keys(_pos[pid] || {})) {
                    const p = _pos[pid][nid];
                    const sx = 8 + Math.max(0, Math.round((p.x - 8) / GRID_X)) * GRID_X,
                        sy = 8 + Math.max(0, Math.round((p.y - 8) / GRID_Y)) * GRID_Y;
                    if (p.x !== sx || p.y !== sy) {
                        log('warn', `"${_nodes[nid]?.name || nid}" is off-grid (${p.x},${p.y})`);
                        if (repair) { _pos[pid][nid] = { x: sx, y: sy }; fix(`Snapped "${_nodes[nid]?.name || nid}" to grid`); }
                    }
                }
            }
        });

        // 20. Folder depth check (O(n) memoized)
        step('Folder depth analysis', (log) => {
            const dc = new Map([[undefined, 0], [null, 0], ['root', 0]]);
            function depth(nid) {
                if (dc.has(nid)) return dc.get(nid);
                const chain = [];
                let cur = nid;
                while (cur && !dc.has(cur)) { chain.push(cur); cur = _nodes[cur]?.parentId; }
                let d = dc.get(cur) || 0;
                for (let i = chain.length - 1; i >= 0; i--) dc.set(chain[i], ++d);
                return dc.get(nid) || 0;
            }
            for (const id of allIds) {
                if (_nodes[id]?.type !== 'folder' || id === 'root') continue;
                const d = depth(id);
                if (d > 50) log('warn', `"${_nodes[id]?.name || id}" is nested ${d} levels deep`);
            }
        });

        // 21. Node count & summary stats
        step('Node count summary', (log) => {
            const files = allIds.filter(id => _nodes[id]?.type === 'file').length,
                folders = allIds.filter(id => _nodes[id]?.type === 'folder').length - 1,
                posEntries = Object.values(_pos).reduce((s, m) => s + Object.keys(m).length, 0);
            log('info', `${files} file${files !== 1 ? 's' : ''}, ${folders} folder${folders !== 1 ? 's' : ''}, ${posEntries} position entries`);
        });

        // Override: last step is always info-only (pass)
        const last = steps[steps.length - 1];
        last.status = 'pass';
        last.detail = last.issues[0]?.msg || 'OK';

        // After repair passes that mutate _nodes directly, rebuild child index
        if (repair) _rebuildChildIndex();

        return steps;
    }

    // Returns list of file IDs that exist in VFS as type 'file'
    function fileIds() {
        return Object.keys(_nodes).filter(id => _nodes[id]?.type === 'file');
    }

    // Bulk-purge every node that is NOT an ancestor of any live file.
    // O(n) — single pass: mark ancestors, then delete everything else.
    // Returns count of removed nodes.
    function purgeDeadBranches(liveFileIds) {
        const keep = new Set(['root']);
        for (const id of liveFileIds) {
            let cur = id;
            while (cur && !keep.has(cur)) {
                keep.add(cur);
                cur = _nodes[cur]?.parentId;
            }
        }
        // Delete all nodes not in keep — single pass, no child scans
        let removed = 0;
        for (const id of Object.keys(_nodes)) {
            if (!keep.has(id)) {
                delete _nodes[id];
                removed++;
            }
        }
        // Rebuild _pos: drop maps for gone folders, drop entries for gone nodes
        for (const pid of Object.keys(_pos)) {
            if (!keep.has(pid)) { delete _pos[pid]; continue; }
            for (const nid of Object.keys(_pos[pid] || {})) {
                if (!keep.has(nid)) delete _pos[pid][nid];
            }
        }
        _rebuildChildIndex();
        return removed;
    }

    // Flatten tree: move all files deeper than MAX_DEPTH up to their nearest ≤MAX_DEPTH ancestor,
    // then delete any (now-empty) folders still at depth > MAX_DEPTH.
    // Preserves ALL file data. Returns count of removed folders.
    function flattenDeepContent(MAX_DEPTH = 50) {
        const allIds = Object.keys(_nodes);

        // 1. O(n) memoized depth computation
        const dc = new Map([[undefined, 0], [null, 0], ['root', 0]]);
        function depth(nid) {
            if (dc.has(nid)) return dc.get(nid);
            const chain = [];
            let cur = nid;
            while (cur && !dc.has(cur)) { chain.push(cur); cur = _nodes[cur]?.parentId; }
            let d = dc.get(cur) || 0;
            for (let i = chain.length - 1; i >= 0; i--) dc.set(chain[i], ++d);
            return dc.get(nid) || 0;
        }
        for (const id of allIds) depth(id);

        // 2. Pre-build name sets per folder for collision detection
        const namesByParent = new Map();
        function getNames(pid) {
            if (!namesByParent.has(pid)) {
                const s = new Set(
                    Object.keys(_nodes)
                        .filter(id => _nodes[id]?.parentId === pid)
                        .map(id => _nodes[id].name.toLowerCase())
                );
                namesByParent.set(pid, s);
            }
            return namesByParent.get(pid);
        }
        function uniqueName(pid, name) {
            const names = getNames(pid);
            if (!names.has(name.toLowerCase())) { names.add(name.toLowerCase()); return name; }
            const dot = name.lastIndexOf('.'),
                base = dot >= 0 ? name.slice(0, dot) : name,
                ext = dot >= 0 ? name.slice(dot) : '';
            let i = 1;
            while (names.has(`${base} (${i})${ext}`.toLowerCase())) i++;
            const result = `${base} (${i})${ext}`;
            names.add(result.toLowerCase());
            return result;
        }

        // 3. Reparent all files whose parent folder is deeper than MAX_DEPTH
        for (const id of allIds) {
            const n = _nodes[id];
            if (!n || n.type !== 'file') continue;
            if (depth(n.parentId) <= MAX_DEPTH) continue;

            // Walk up to the closest ancestor at depth ≤ MAX_DEPTH
            let targetPid = n.parentId;
            while (targetPid && depth(targetPid) > MAX_DEPTH) targetPid = _nodes[targetPid]?.parentId;
            if (!targetPid) targetPid = 'root';

            const oldPid = n.parentId;
            n.name = uniqueName(targetPid, n.name);
            n.parentId = targetPid;
            n.mtime = Date.now();

            // Update position maps
            if (_pos[oldPid]) delete _pos[oldPid][id];
            if (!_pos[targetPid]) _pos[targetPid] = {};
            const posIdx = Object.keys(_pos[targetPid]).length,
                cols = Math.max(1, Math.floor((800 - 16) / GRID_X));
            _pos[targetPid][id] = { x: 8 + (posIdx % cols) * GRID_X, y: 8 + Math.floor(posIdx / cols) * GRID_Y };
        }

        // 4. Delete all folders now at depth > MAX_DEPTH (no files remain in them)
        let removed = 0;
        for (const id of Object.keys(_nodes)) {
            const n = _nodes[id];
            if (!n || n.type !== 'folder' || id === 'root') continue;
            if (depth(id) > MAX_DEPTH) {
                delete _nodes[id];
                delete _pos[id];
                removed++;
            }
        }

        // 5. Clean stale _pos entries
        for (const pid of Object.keys(_pos)) {
            if (!_nodes[pid] && pid !== 'root') { delete _pos[pid]; continue; }
            for (const nid of Object.keys(_pos[pid] || {})) {
                if (!_nodes[nid]) delete _pos[pid][nid];
            }
        }

        _rebuildChildIndex();
        return removed;
    }

    // Fix all corrupted/missing timestamps on every node. O(n), no side-effects beyond timestamps.
    // Returns count of nodes whose metadata was patched.
    function repairMetadata() {
        const now = Date.now();
        let fixed = 0;
        for (const id of Object.keys(_nodes)) {
            if (id === 'root') continue;
            const n = _nodes[id];
            let changed = false;
            if (!n.ctime || typeof n.ctime !== 'number' || n.ctime <= 0 || !isFinite(n.ctime)) {
                n.ctime = now; changed = true;
            }
            if (!n.mtime || typeof n.mtime !== 'number' || n.mtime <= 0 || !isFinite(n.mtime)) {
                n.mtime = n.ctime; changed = true;
            }
            if (changed) fixed++;
        }
        return fixed;
    }

    // Batch auto-positioning: builds the occupied set ONCE and assigns positions to all items
    // that need one. Stores positions in _pos[pid] and returns Map<nodeId, {x, y}>.
    function autoPosBatch(pid, items, area) {
        if (!items.length) return new Map();
        if (!_pos[pid]) _pos[pid] = {};
        const W = (area && area.clientWidth) || 800,
            cols = Math.max(1, Math.floor((W - 16) / GRID_X));
        // Build occupied set once from existing positions
        const occupied = new Set();
        for (const p of Object.values(_pos[pid])) {
            occupied.add(`${Math.round((p.x - 8) / GRID_X)}_${Math.round((p.y - 8) / GRID_Y)}`);
        }
        const results = new Map();
        let scanRow = 0, scanCol = 0;
        outer: for (const n of items) {
            for (let row = scanRow; row < 10000; row++) {
                for (let col = (row === scanRow ? scanCol : 0); col < cols; col++) {
                    if (!occupied.has(`${col}_${row}`)) {
                        const pos = { x: 8 + col * GRID_X, y: 8 + row * GRID_Y };
                        _pos[pid][n.id] = pos;
                        occupied.add(`${col}_${row}`);
                        results.set(n.id, pos);
                        scanRow = row; scanCol = col + 1;
                        if (scanCol >= cols) { scanCol = 0; scanRow = row + 1; }
                        continue outer;
                    }
                }
            }
        }
        return results;
    }

    return {
        init, fromObj, toObj, children, node, add, remove, rename, move, wouldCycle,
        getPos, setPos, delPos, totalSize, breadcrumb, fullPath, autoPos, autoPosBatch,
        hasChildNamed, remapPositions, check, fileIds, purgeDeadBranches,
        flattenDeepContent, repairMetadata
    };
})();