feat: update version to 1.4.2 across package files

feat: enhance backup and restore functionality with integrity checks and progress tracking
- Added support for backup integrity verification during export and restore processes. - Introduced progress dispatching for backup export and restore operations. - Implemented new API endpoints for inspecting remote backup integrity. - Enhanced user interface with progress indicators and warning dialogs for integrity issues. - Updated localization strings for new features and user feedback. - Refactored backup-related functions for better clarity and maintainability.
2026-06-20 21:00:41 +00:00 · 2026-03-28 06:01:07 +08:00 · 2026-03-28 05:52:47 +08:00 · 2026-03-28 01:58:47 +08:00 · 2026-03-28 01:18:40 +08:00 · 2026-03-27 00:54:24 +08:00
148 changed files with 40949 additions and 3280 deletions
@@ -0,0 +1,467 @@
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Security Report Generator (Node.js)
+ * Better, faster, and more maintainable than Bash.
+ */
+
+class SecurityReport {
+    constructor() {
+        this.results = {
+            codeql: { status: 'PASS', findings: [], alertCount: 0, rulesCount: 0 },
+            snyk: { status: 'PASS', findings: [], vulnCount: 0 },
+            gitleaks: { status: 'PASS', findings: [], leaksCount: 0 },
+            trivy: { status: 'PASS', findings: [], misconfigCount: 0 },
+            coverage: { actions: 0, js: 0, ts: 0 },
+            artifactUris: []
+        };
+        this.auditTime = new Date().toISOString().replace('T', ' ').substring(0, 19) + ' UTC';
+        this.runId = process.env.GITHUB_RUN_ID || '0';
+        this.repository = process.env.GITHUB_REPOSITORY || 'unknown/repo';
+        this.runUrl = `https://github.com/${this.repository}/actions/runs/${this.runId}`;
+
+        this.locales = {
+            zh: {
+                filename: 'security-report-cn.md',
+                switcher: '[English](security-report.md) | 中文',
+                title: '🛡️ 安全审计与透明度报告',
+                grade: '安全评级',
+                important: '> [!IMPORTANT]\n> 本报告由 **GitHub Actions** 自动生成。为确保数据主权的绝对透明度，所有核心模块的安全扫描结果均实时公开。',
+                auditTime: '📅 审计时间',
+                runId: '📝 运行 ID',
+                env: '🛠️ 环境',
+                dashboard: '📉 实时安全仪表盘',
+                tool: '工具',
+                status: '状态',
+                findings: '发现项',
+                leaks: '泄露',
+                vulns: '漏洞',
+                alerts: '告警',
+                coverageTitle: '🔍 扫描覆盖范围',
+                module: '模块',
+                auditedFiles: '已审计文件',
+                coverage: '覆盖率',
+                detailedFindings: '🔍 详细发现项',
+                gitleaksTitle: '🔑 凭据泄露检查 (Gitleaks)',
+                gitleaksDesc: '`检测代码历史记录中硬编码的 API 密钥、密码或其他敏感令牌。`',
+                gitleaksSafe: '✅ **安全**：未发现硬编码的敏感凭据。',
+                gitleaksScope: '`扫描范围：所有代码更改和 Git 历史记录 (Gitleaks 全量扫描)`',
+                snykTitle: '📦 第三方依赖',
+                snykSafe: '✅ **安全**：在依赖项中未发现已知漏洞。',
+                package: '软件包',
+                severity: '严重程度',
+                description: '描述',
+                fixPlan: '修复方案',
+                codeqlTitle: '💻 代码质量与安全 (CodeQL)',
+                codeqlSummary: '#### 摘要',
+                rulesChecked: '已检查规则',
+                totalAlerts: '告警总数',
+                codeqlSafe: '✅ **安全**：CodeQL 扫描清洁，未检测到问题。',
+                ruleId: '规则 ID',
+                level: '级别',
+                location: '位置',
+                auditedList: '📂 已审计文件列表',
+                guideTitle: '⚠️ 操作指南',
+                guideDesc: '如果您看到 **FAIL** 状态或严重的代码问题：',
+                guideStep1: '1. **开发人员**：使用上方表格中的 **位置** 列找到确切的文件和行号。',
+                guideStep2: '2. **纠正**：遵循为每个规则提供的文档链接以提交修复。',
+                guideStep3: '3. **可追溯性**：完整的原始 `.sarif` 数据已附加到此分支。下载并将其导入您的 IDE（例如 VS Code SARIF 查看器）进行本地分析。',
+                footer: '💡 *由 Antigravity AI 安全引擎生成。透明度是我们的承诺。*',
+                auditedIcon: '✅ **已审计**',
+                noFiles: '未检索到文件。',
+                trivyTitle: '🛡️ 容器配置安全 (Trivy)',
+                trivyDesc: '`检测 Dockerfile 和容器配置中的安全风险与最佳实践。`',
+                trivySafe: '✅ **安全**：未发现容器配置缺陷。'
+            },
+            en: {
+                filename: 'security-report.md',
+                switcher: 'English | [中文](security-report-cn.md)',
+                title: '🛡️ Security Audit & Transparency Report',
+                grade: 'Security Grade',
+                important: '> [!IMPORTANT]\n> This report is automatically generated by **GitHub Actions**. To ensure absolute transparency of data sovereignty, all core module security scan results are made public in real-time.',
+                auditTime: '📅 Audit Time',
+                runId: '📝 Run ID',
+                env: '🛠️ Environment',
+                dashboard: '📉 Real-time Security Dashboard',
+                tool: 'Tool',
+                status: 'Status',
+                findings: 'Findings',
+                leaks: 'Leaks',
+                vulns: 'Vulns',
+                alerts: 'Alerts',
+                coverageTitle: '🔍 Scan Coverage',
+                module: 'Module',
+                auditedFiles: 'Audited Files',
+                coverage: 'Coverage',
+                detailedFindings: '🔍 Detailed Findings',
+                gitleaksTitle: '🔑 Credential Leak Check (Gitleaks)',
+                gitleaksDesc: '`This section detects hardcoded API Keys, passwords, or other sensitive tokens in the code history.`',
+                gitleaksSafe: '✅ **SAFE**: No hardcoded sensitive credentials found.',
+                gitleaksScope: '`Scan Scope: All code changes and Git history (Gitleaks Full Scan)`',
+                snykTitle: '📦 Third-party Dependencies',
+                snykSafe: '✅ **SAFE**: No known vulnerabilities found in dependencies.',
+                package: 'Package',
+                severity: 'Severity',
+                description: 'Description',
+                fixPlan: 'Fix Plan',
+                codeqlTitle: '💻 Code Quality & Safety (CodeQL)',
+                codeqlSummary: '#### Summary',
+                rulesChecked: 'Rules Checked',
+                totalAlerts: 'Total Alerts',
+                codeqlSafe: '✅ **SAFE**: CodeQL clean. No issues detected.',
+                ruleId: 'Rule ID',
+                level: 'Level',
+                location: 'Location',
+                auditedList: '📂 Audited File List',
+                guideTitle: '⚠️ Action Guide',
+                guideDesc: 'If you see a **FAIL** status or serious code issues:',
+                guideStep1: '1. **Developers**: Use the **Location** column in the tables above to find the exact file and line number.',
+                guideStep2: '2. **Remediate**: Follow the documentation links provided for each rule to submit a fix.',
+                guideStep3: '3. **Traceability**: Full raw `.sarif` data is attached to this branch. Download and import it into your IDE (e.g., VS Code SARIF Viewer) for local analysis.',
+                footer: '💡 *Generated by Antigravity AI Security Engine. Transparency is our commitment.*',
+                auditedIcon: '✅ **Audited**',
+                noFiles: 'No files found.',
+                trivyTitle: '🛡️ Container Config Security (Trivy)',
+                trivyDesc: '`This section detects security risks and best practices in Dockerfile and container configurations.`',
+                trivySafe: '✅ **SAFE**: No container configuration defects found.'
+            }
+        };
+    }
+
+    // --- Data Parsers ---
+
+    async parseCodeQL() {
+        const sarifPath = 'sarif-results';
+        if (!fs.existsSync(sarifPath)) return;
+
+        const files = this.globFiles(sarifPath, '.sarif');
+        let totalAlerts = 0;
+        let rulesSet = new Set();
+        let findings = [];
+        let artifactUris = new Set();
+
+        for (const file of files) {
+            const data = JSON.parse(fs.readFileSync(file, 'utf8'));
+            for (const run of data.runs || []) {
+                // Collect Rules
+                (run.tool.driver.rules || []).forEach(r => rulesSet.add(r.id));
+                (run.tool.extensions || []).forEach(ext => {
+                    (ext.rules || []).forEach(r => rulesSet.add(r.id));
+                });
+
+                // Collect Results
+                for (const res of run.results || []) {
+                    totalAlerts++;
+                    const loc = (res.locations && res.locations[0]?.physicalLocation) || {};
+                    findings.push({
+                        id: res.ruleId,
+                        level: res.level || 'warning',
+                        path: loc.artifactLocation?.uri || 'Global',
+                        line: loc.region?.startLine || '-',
+                        message: res.message?.text || 'No description'
+                    });
+                }
+
+                // Track Coverage (Deduplicated)
+                (run.artifacts || []).forEach(art => {
+                    const uri = art.location?.uri || '';
+                    if (uri) artifactUris.add(uri);
+                });
+            }
+        }
+
+        this.results.artifactUris = Array.from(artifactUris).sort();
+        this.results.coverage.actions = this.results.artifactUris.filter(u => u.startsWith('.github/workflows/')).length;
+        this.results.coverage.js = this.results.artifactUris.filter(u => u.endsWith('.js')).length;
+        this.results.coverage.ts = this.results.artifactUris.filter(u => u.endsWith('.ts')).length;
+
+        this.results.codeql.alertCount = totalAlerts;
+        this.results.codeql.rulesCount = rulesSet.size;
+        this.results.codeql.findings = findings;
+        if (totalAlerts > 0) this.results.codeql.status = 'INFO';
+    }
+
+    async parseSnyk() {
+        const jsonPath = 'snyk_result.json';
+        if (!fs.existsSync(jsonPath)) return;
+
+        try {
+            const data = JSON.parse(fs.readFileSync(jsonPath, 'utf8'));
+            const projects = Array.isArray(data) ? data : [data];
+            let vulnTotal = 0;
+            let findings = [];
+
+            for (const proj of projects) {
+                const vulns = proj.vulnerabilities || [];
+                vulnTotal += vulns.length;
+                vulns.forEach(v => {
+                    findings.push({
+                        pkg: `${v.packageName}@${v.version}`,
+                        severity: v.severity,
+                        title: v.title,
+                        url: v.url,
+                        fixedIn: Array.isArray(v.fixedIn) ? v.fixedIn.join(', ') : (v.fixedIn || 'N/A')
+                    });
+                });
+            }
+
+            this.results.snyk.vulnCount = vulnTotal;
+            this.results.snyk.findings = findings;
+            if (vulnTotal > 0) this.results.snyk.status = 'WARN';
+        } catch (e) {
+            console.error('Error parsing Snyk JSON:', e.message);
+        }
+    }
+
+    async parseGitleaks() {
+        const files = this.globFiles('.', 'results.sarif');
+        if (files.length === 0) return;
+
+        try {
+            const data = JSON.parse(fs.readFileSync(files[0], 'utf8'));
+            let leaks = 0;
+            let findings = [];
+            for (const run of data.runs || []) {
+                for (const res of run.results || []) {
+                    leaks++;
+                    findings.push({
+                        id: res.ruleId,
+                        message: res.message.text,
+                        path: res.locations[0]?.physicalLocation?.artifactLocation?.uri || 'Unknown'
+                    });
+                }
+            }
+
+            this.results.gitleaks.leaksCount = leaks;
+            this.results.gitleaks.findings = findings;
+            if (leaks > 0) this.results.gitleaks.status = 'FAIL';
+        } catch (e) {
+            console.error('Error parsing Gitleaks SARIF:', e.message);
+        }
+    }
+
+    async parseTrivy() {
+        const jsonPath = 'trivy_result.json';
+        if (!fs.existsSync(jsonPath)) return;
+
+        try {
+            const data = JSON.parse(fs.readFileSync(jsonPath, 'utf8'));
+            let misconfigs = 0;
+            let findings = [];
+
+            (data.Results || []).forEach(res => {
+                (res.Misconfigurations || []).forEach(m => {
+                    misconfigs++;
+                    findings.push({
+                        id: m.ID,
+                        severity: m.Severity,
+                        title: m.Title,
+                        message: m.Message,
+                        status: m.Status,
+                        target: res.Target
+                    });
+                });
+            });
+
+            this.results.trivy.misconfigCount = misconfigs;
+            this.results.trivy.findings = findings;
+            if (misconfigs > 0) this.results.trivy.status = 'WARN';
+        } catch (e) {
+            console.error('Error parsing Trivy JSON:', e.message);
+        }
+    }
+
+    generateTable(type, t) {
+        let files = [];
+        if (type === 'actions') files = this.results.artifactUris.filter(u => u.startsWith('.github/workflows/'));
+        else if (type === 'js') files = this.results.artifactUris.filter(u => u.endsWith('.js'));
+        else if (type === 'ts') files = this.results.artifactUris.filter(u => u.endsWith('.ts'));
+
+        if (files.length === 0) return `> ${t.noFiles}\n`;
+
+        let table = `| ${t.module} | ${t.location} | ${t.status} |\n| :--- | :--- | :--- |\n`;
+        files.forEach(f => {
+            const filename = path.basename(f);
+            table += `| \`${filename}\` | \`${f}\` | ${t.auditedIcon} |\n`;
+        });
+        return table;
+    }
+
+    // --- Renderers ---
+
+    generateMarkdown(localeKey) {
+        const { codeql, snyk, gitleaks, coverage } = this.results;
+        const t = this.locales[localeKey];
+
+        // Calculate Grade
+        let grade = 'A+';
+        let gradeColor = 'success';
+        if (gitleaks.status === 'FAIL') { grade = 'D'; gradeColor = 'red'; }
+        else if (snyk.vulnCount > 10 || this.results.trivy.misconfigCount > 5) { grade = 'C'; gradeColor = 'orange'; }
+        else if (snyk.vulnCount > 0 || codeql.alertCount > 0 || this.results.trivy.misconfigCount > 0) { grade = 'B'; gradeColor = 'blue'; }
+
+        const badge = (label, value, color) => `![${label}](https://img.shields.io/badge/${label.replace(/ /g, '_')}-${value}-${color}?style=for-the-badge)`;
+
+        let md = `# ${t.title}\n\n`;
+        md += `${t.switcher}\n\n`;
+        md += `${badge(t.grade.replace(/ /g, '_'), grade, gradeColor)}\n\n`;
+        md += `${t.important}\n\n`;
+
+        md += `| ${t.auditTime} | ${t.runId} | ${t.env} |\n`;
+        md += `| :--- | :--- | :--- |\n`;
+        md += `| \`${this.auditTime}\` | [#${this.runId}](${this.runUrl}) | \`GitHub CI/CD\` |\n\n`;
+
+        md += `---\n\n## ${t.dashboard}\n\n`;
+        md += `| ${t.tool} | ${t.status} | ${t.findings} |\n`;
+        md += `| :--- | :--- | :--- |\n`;
+        md += `| **Credential Leak (Gitleaks)** | ${this.getBadge(gitleaks.status)} | \`${gitleaks.leaksCount}\` ${t.leaks} |\n`;
+        md += `| **Dependency Scan (Snyk)** | ${this.getBadge(snyk.status)} | \`${snyk.vulnCount}\` ${t.vulns} |\n`;
+        md += `| **Static Analysis (CodeQL)** | ${this.getBadge(codeql.status)} | \`${codeql.alertCount}\` ${t.alerts} |\n`;
+        md += `| **Container Scan (Trivy)** | ${this.getBadge(this.results.trivy.status)} | \`${this.results.trivy.misconfigCount}\` ${t.findings} |\n\n`;
+
+        md += `---\n\n## ${t.coverageTitle}\n\n`;
+        md += `| ${t.module} | ${t.auditedFiles} | ${t.coverage} |\n`;
+        md += `| :--- | :---: | :---: |\n`;
+        md += `| **GitHub Actions** | \`${coverage.actions}\` | ✨ **100%** |\n`;
+        md += `| **JavaScript (Frontend)** | \`${coverage.js}\` | ✨ **100%** |\n`;
+        md += `| **TypeScript (Backend)** | \`${coverage.ts}\` | ✨ **100%** |\n\n`;
+
+        md += `---\n\n## ${t.detailedFindings}\n\n`;
+
+        // Gitleaks Section
+        md += `### ${t.gitleaksTitle}\n`;
+        md += `${t.gitleaksDesc} ${t.gitleaksScope}\n\n`;
+        if (gitleaks.findings.length > 0) {
+            md += `| ${t.ruleId} | ${t.location} | ${t.description} |\n`;
+            md += `| :--- | :--- | :--- |\n`;
+            gitleaks.findings.forEach(f => {
+                md += `| \`${f.id}\` | \`${f.path}\` | ${f.message} |\n`;
+            });
+        } else {
+            md += `${t.gitleaksSafe}\n`;
+        }
+
+        // Trivy Section
+        md += `\n### ${t.trivyTitle}\n`;
+        md += `${t.trivyDesc}\n\n`;
+        if (this.results.trivy.findings.length > 0) {
+            md += `| ${t.ruleId} | ${t.severity} | ${t.location} | ${t.description} |\n`;
+            md += `| :--- | :---: | :--- | :--- |\n`;
+            this.results.trivy.findings.forEach(f => {
+                const icon = f.severity === 'CRITICAL' ? '🔴' : (f.severity === 'HIGH' ? '🟠' : '🟡');
+                md += `| \`${f.id}\` | ${icon} ${f.severity} | \`${f.target}\` | ${f.title}: ${f.message} |\n`;
+            });
+        } else {
+            md += `${t.trivySafe}\n`;
+        }
+
+        // Snyk Section
+        md += `\n### ${t.snykTitle}\n`;
+        if (snyk.findings.length > 0) {
+            md += `| ${t.package} | ${t.severity} | ${t.description} | ${t.fixPlan} |\n`;
+            md += `| :--- | :---: | :--- | :--- |\n`;
+            snyk.findings.forEach(f => {
+                const icon = f.severity === 'critical' ? '🔴' : (f.severity === 'high' ? '🟠' : '🟡');
+                md += `| \`${f.pkg}\` | ${icon} ${f.severity} | [${f.title}](${f.url}) | ${f.fixedIn === 'N/A' ? 'No fix' : `Upgrade to \`${f.fixedIn}\``} |\n`;
+            });
+        } else {
+            md += `${t.snykSafe}\n`;
+        }
+
+        // CodeQL Section
+        md += `\n### ${t.codeqlTitle}\n`;
+        if (codeql.findings.length > 0) {
+            md += `${t.codeqlSummary}\n- **${t.rulesChecked}**: \`${codeql.rulesCount}\`\n- **${t.totalAlerts}**: \`${codeql.alertCount}\`\n\n`;
+            md += `| ${t.ruleId} | ${t.level} | ${t.location} | ${t.description} |\n`;
+            md += `| :--- | :---: | :--- | :--- |\n`;
+            codeql.findings.forEach(f => {
+                const icon = f.level === 'error' ? '🔴' : (f.level === 'warning' ? '🟠' : '🔵');
+                const prefix = f.id.split('/')[0];
+                const langMap = {
+                    'js': 'javascript',
+                    'actions': 'github-actions',
+                    'cpp': 'cpp',
+                    'cs': 'csharp',
+                    'go': 'go',
+                    'java': 'java',
+                    'py': 'python',
+                    'rb': 'ruby',
+                    'swift': 'swift'
+                };
+                const langPath = langMap[prefix] || 'javascript';
+                md += `| [${f.id}](https://codeql.github.com/codeql-query-help/${langPath}/${f.id.replace(/\//g, '-')}/) | ${icon} ${f.level} | \`${f.path}:${f.line}\` | ${f.message} |\n`;
+            });
+        } else {
+            md += `${t.codeqlSafe}\n`;
+        }
+
+        // Audited Files List
+        md += `\n### ${t.auditedList}\n`;
+        md += `<details>\n<summary><b>GitHub Actions (${this.results.coverage.actions})</b></summary>\n\n`;
+        md += this.generateTable('actions', t);
+        md += `\n</details>\n\n`;
+
+        md += `<details>\n<summary><b>JavaScript (${this.results.coverage.js})</b></summary>\n\n`;
+        md += this.generateTable('js', t);
+        md += `\n</details>\n\n`;
+
+        md += `<details>\n<summary><b>TypeScript (${this.results.coverage.ts})</b></summary>\n\n`;
+        md += this.generateTable('ts', t);
+        md += `\n</details>\n\n`;
+
+        // Action Guide
+        md += `--- \n\n## ${t.guideTitle}\n\n`;
+        md += `${t.guideDesc}\n`;
+        md += `${t.guideStep1}\n`;
+        md += `${t.guideStep2}\n`;
+        md += `${t.guideStep3}\n\n`;
+
+        md += `--- \n\n${t.footer}`;
+
+        return md;
+    }
+
+    // --- Helpers ---
+
+    getBadge(status) {
+        if (status === 'PASS') return '![Pass](https://img.shields.io/badge/Status-PASS-success?style=for-the-badge)';
+        if (status === 'WARN' || status === 'INFO') return '![Warning](https://img.shields.io/badge/Status-NOTICE-orange?style=for-the-badge)';
+        return '![Fail](https://img.shields.io/badge/Status-FAIL-red?style=for-the-badge)';
+    }
+
+    globFiles(dir, ext) {
+        let results = [];
+        const list = fs.readdirSync(dir);
+        for (const file of list) {
+            const fullPath = path.join(dir, file);
+            const stat = fs.statSync(fullPath);
+            if (stat && stat.isDirectory()) {
+                results = results.concat(this.globFiles(fullPath, ext));
+            } else if (file.endsWith(ext)) {
+                results.push(fullPath);
+            }
+        }
+        return results;
+    }
+
+    async run() {
+        console.log('--- Security Report Generation Started ---');
+        await this.parseCodeQL();
+        await this.parseSnyk();
+        await this.parseGitleaks();
+        await this.parseTrivy();
+
+        for (const localeKey of Object.keys(this.locales)) {
+            const locale = this.locales[localeKey];
+            const markdown = this.generateMarkdown(localeKey);
+            fs.writeFileSync(locale.filename, markdown);
+            console.log(`Report generated successfully at ${locale.filename}`);
+        }
+    }
+}
+
+new SecurityReport().run().catch(err => {
+    console.error('Report generation failed:', err);
+    process.exit(1);
+});
@@ -0,0 +1,142 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches: 
+      - main
+  workflow_dispatch:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    env:
+      SECURITY_SNYK_TOKEN: ${{ secrets.SECURITY_SNYK_TOKEN }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Initialize CodeQL
+        if: env.ACT != 'true'
+        continue-on-error: true
+        uses: github/codeql-action/init@v4
+        with:
+          languages: javascript-typescript, actions
+          build-mode: none
+          queries: security-extended,security-and-quality
+
+      - name: Perform CodeQL Analysis
+        if: env.ACT != 'true'
+        continue-on-error: true
+        uses: github/codeql-action/analyze@v4
+        with:
+          upload: true
+          output: sarif-results
+
+      - name: Install Gitleaks
+        if: env.ACT != 'true'
+        continue-on-error: true
+        run: |
+          GITLEAKS_VERSION="8.28.0"
+          curl -sSL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          tar -xzf gitleaks.tar.gz gitleaks
+          chmod +x gitleaks
+          sudo mv gitleaks /usr/local/bin/gitleaks
+
+      - name: Secret Detection
+        if: env.ACT != 'true'
+        continue-on-error: true
+        run: |
+          gitleaks git . --report-format sarif --report-path results.sarif --no-banner || true
+
+      - name: Install Project Dependencies
+        if: env.SECURITY_SNYK_TOKEN != ''
+        env:
+          SECURITY_PACKAGE: ${{ vars.SECURITY_PACKAGE || '' }}
+        run: |
+          echo "Preparing dependency lock files for security scanning..."
+          if [ -z "$SECURITY_PACKAGE" ]; then
+            echo "SECURITY_PACKAGE is empty, installing in root..."
+            npm install --package-lock-only
+          else
+            echo "SECURITY_PACKAGE is set to: $SECURITY_PACKAGE"
+            # Split by comma and install
+            IFS=',' read -ra PACKAGES <<< "$SECURITY_PACKAGE"
+            for pkg in "${PACKAGES[@]}"; do
+              if [ -d "$pkg" ]; then
+                echo "Installing in "$pkg"..."
+                npm install --prefix "$pkg" --package-lock-only
+              else
+                echo "Warning: Directory $pkg not found, skipping."
+              fi
+            done
+          fi
+
+      - name: Dependency Scan
+        id: snyk
+        if: env.SECURITY_SNYK_TOKEN != ''
+        continue-on-error: true
+        run: |
+          npm install -g snyk          
+          snyk auth ${{ secrets.SECURITY_SNYK_TOKEN }}
+          snyk test --all-projects --json-file-output=snyk_result.json > snyk_result.txt || true
+        env:
+          SECURITY_SNYK_TOKEN: ${{ secrets.SECURITY_SNYK_TOKEN }}
+
+      - name: Check for Dockerfile
+        id: check_docker
+        run: |
+          if [ -f "Dockerfile" ]; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Container Security Scan (Trivy)
+        if: steps.check_docker.outputs.exists == 'true'
+        continue-on-error: true
+        run: |
+          VERSION="0.56.1"
+          echo "Installing Trivy $VERSION..."
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "v$VERSION"
+          trivy config . --format json --output trivy_result.json --severity CRITICAL,HIGH || true
+
+      - name: Generate Security Report
+        run: |
+          # Gitleaks typically produces results.sarif if configured or by default in some versions
+          # We'll ensure it exists for our reporter
+          node .github/scripts/security.cjs
+          
+          # Also append to step summary for immediate visibility in GHA UI
+          cat security-report.md >> $GITHUB_STEP_SUMMARY
+          echo -e "\n---\n" >> $GITHUB_STEP_SUMMARY
+          cat security-report-cn.md >> $GITHUB_STEP_SUMMARY
+
+      - name: Upload Gitleaks Results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: results.sarif
+          category: gitleaks
+
+      - name: Upload Security Report Artifacts
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: security-report
+          if-no-files-found: ignore
+          path: |
+            security-report.md
+            security-report-cn.md
+            snyk_result.txt
+            snyk_result.json
+            trivy_result.json
+            results.sarif
+            sarif-results/*.sarif
@@ -13,16 +13,22 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

-      - run: |
-          git remote add upstream https://github.com/shuaiplus/nodewarden.git || true
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Sync main from upstream
+        run: |
+          git remote add upstream https://github.com/shuaiplus/NodeWarden.git || true
          git fetch upstream
+          git checkout main
+          git merge upstream/main

-          # 强制让当前分支完全等于 upstream
-          git reset --hard upstream/main
-
-          # 强制推送
-          git push origin main --force
+      - name: Push synced main
+        run: |
+          git push origin main
@@ -7,6 +7,7 @@ node_modules/
 wrangler.my.toml
 RELEASE_NOTES.md
 tests/selfcheck.ts
+problem.md

 # Build output
 dist/
@@ -36,3 +37,6 @@ npm-debug.log*

 # Package lock (optional - remove if you want to commit it)
 # package-lock.json
+
+tmp/
+.tmp/
@@ -1,85 +1,130 @@
-# NodeWarden
-English：[`README_EN.md`](./README_EN.md)
+<p align="center">
+  <img src="./NodeWarden.png" alt="NodeWarden Logo" />
+</p>

-运行在 **Cloudflare Workers** 上的 **Bitwarden 第三方服务端**。
+<p align="center">
+  运行在 Cloudflare Workers 上的第三方 Bitwarden 兼容服务端。
+</p>
+
+[![Powered by Cloudflare](https://img.shields.io/badge/Powered%20by-Cloudflare-F38020?logo=cloudflare&logoColor=white)](https://workers.cloudflare.com/)
+[![License: LGPL-3.0](https://img.shields.io/badge/License-LGPL--3.0-2ea44f)](./LICENSE)
+[![Latest Release](https://img.shields.io/github/v/release/shuaiplus/NodeWarden?display_name=tag)](https://github.com/shuaiplus/NodeWarden/releases/latest)
+[![Sync Upstream](https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml/badge.svg)](https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml)
+
+[更新日志](./RELEASE_NOTES.md) | [提交问题](https://github.com/shuaiplus/NodeWarden/issues/new/choose) | [最新发布](https://github.com/shuaiplus/NodeWarden/releases/latest)
+
+English: [`README_EN.md`](./README_EN.md)

 > **免责声明**  
-> 本项目仅供学习交流使用。我们不对任何数据丢失负责，强烈建议定期备份您的密码库。  
-> 本项目与 Bitwarden 官方无关，请勿向 Bitwarden 官方反馈问题。
+> 本项目仅供学习与交流使用，请定期备份你的密码库。  
+> 本项目与 Bitwarden 官方无关，请不要向 Bitwarden 官方反馈 NodeWarden 的问题。

 ---
+
 ## 与 Bitwarden 官方服务端能力对比

-| 能力项 | Bitwarden | NodeWarden | 说明 |
+| 能力 | Bitwarden | NodeWarden | 说明 |
 |---|---|---|---|
-| 单用户保管库（登录/笔记/卡片/身份） | ✅ | ✅ | 基于Cloudflare D1 |
-| 文件夹 / 收藏 | ✅ | ✅ | 常用管理能力可用 |
-| 全量同步 `/api/sync` | ✅ | ✅ | 已做兼容与性能优化 |
-| 附件上传/下载 | ✅ | ✅ | 基于 Cloudflare R2 |
-| 导入功能 | ✅ | ✅ | 覆盖常见导入路径 |
-| 网站图标代理 | ✅ | ✅ | 通过 `/icons/{hostname}/icon.png` |
-| passkey、TOTP | ❌ | ✅ |官方需要会员，我们的不需要 |
-| 多用户 | ✅ | ❌ | NodeWarden 定位单用户 |
-| 组织/集合/成员权限 | ✅ | ❌ | 没必要实现 |
-| 登录 2FA（TOTP/WebAuthn/Duo/Email） | ✅ | ⚠️ 部分支持 | 仅支持 TOTP（通过 `TOTP_SECRET`） |
-| SSO / SCIM / 企业目录 | ✅ | ❌ | 没必要实现 |
-| Send | ✅ | ❌ | 基本没人用 |
-| 紧急访问 | ✅ | ❌ | 没必要实现 |
-| 管理后台 / 计费订阅 | ✅ | ❌ | 纯免费 |
-| 推送通知完整链路 | ✅ | ❌ | 没必要实现 |
-
-## 测试情况：
-
- ✅ Windows 客户端（v2026.1.0）
- ✅ 手机 App（v2026.1.0）
- ✅ 浏览器扩展（v2026.1.0）
- ⬜ macOS 客户端（未测试）
- ⬜ Linux 客户端（未测试）
---
-
-# 快速开始
-
-### 一键部署
-
-**部署步骤：**
-
-1. 先在右上角fork此项目（若后续不需要更新，可不fork）
-2. [![Deploy to Cloudflare Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/shuaiplus/nodewarden)
-3. 打开部署后生成的链接，并根据网页提示完成后续操作。
+| 网页密码库 | ✅ | ✅ | **原创Web Vault界面** |
+| 全量同步 `/api/sync` | ✅ | ✅ | 已针对官方客户端做兼容优化 |
+| 附件上传 / 下载 | ✅ | ✅ | Cloudflare R2 或 KV |
+| Send | ✅ | ✅ | 支持文本与文件 Send |
+| 导入 / 导出 | ✅ | ✅ | 支持 Bitwarden JSON / CSV / **ZIP 导入（包括附件）** |
+| **云端备份中心** | ❌ | ✅ | **支持 WebDAV / E3 定时备份** |
+| 密码提示（网页端） | ⚠️ 有限 | ✅ | **无需发送邮件** |
+| TOTP / Steam TOTP | ✅ | ✅ | 含 `steam://` 支持 |
+| 多用户 | ✅ | ✅ | 支持邀请码注册 |
+| 组织 / 集合 / 成员权限 | ✅ | ❌ | 未实现 |
+| 登录 2FA | ✅ | ⚠️ 部分支持 | 当前仅支持用户级 TOTP |
+| SSO / SCIM / 企业目录 | ✅ | ❌ | 未实现 |

 ---

-## 本地开发
+## 已测试客户端

-这是一个 Cloudflare Workers 的 TypeScript 项目（Wrangler）。
+- ✅ Windows 桌面端
+- ✅ 手机 App
+- ✅ 浏览器扩展
+- ✅ Linux 桌面端
+- ⚠️ macOS 桌面端尚未完整验证
+
+---
+
+## 网页部署
+
+
+1. Fork 本仓库。若本项目对你有帮助，欢迎点个 Star。
+2. 打开 [Workers](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create) ➜ `Continue with GitHub` ➜ 选择你 Fork 后的仓库（`NodeWarden`）➜ 下一步 ➜ （默认使用 R2 存储；若未开通，可用 KV 来代替，将**部署命令**改为 `npm run deploy:kv`）➜ 部署 ➜ 打开生成的链接
+
+   | 储存 | 是否需绑卡 | 单个附件/Send文件上限 | 免费额度 |
+   |---|---|---|---|
+   | R2 | 需要 | 100 MB（软限制可更改） | 10 GB |
+   | KV | 不需要 | 25 MiB（Cloudflare限制） | 1 GB |
+
+> [!TIP] 
+> 同步方法（更新仓库）：
+>- 手动：打开你 Fork 的 GitHub 仓库，看到顶部同步提示后，点击 `Sync fork` ➜ `Update branch`
+>- 自动：进入你的 Fork 仓库 ➜ `Actions` ➜ `Sync upstream` ➜ `Enable workflow`，会在每天凌晨 3 点自动同步上游。
+
+
+
+## CLI 部署
+
+```powershell
+git clone https://github.com/shuaiplus/NodeWarden.git
+cd NodeWarden

-```bash
 npm install
+npx wrangler login
+
+# 默认：R2 模式
+npm run deploy
+
+# 可选：KV 模式
+npm run deploy:kv
+
+# 本地开发
 npm run dev
+npm run dev:kv
 ```

-## 可选：登录 TOTP（2FA）
+---

- 在 Workers 的 Variables and Secrets 里新增 Secret：`TOTP_SECRET`（Base32）。
- 配置了 `TOTP_SECRET` 就启用登录 TOTP；删除该变量即关闭。
- 客户端流程：密码 -> TOTP 验证码。
- 支持“记住此设备”30 天。
+## 云端备份说明
+
+- 远程备份支持 **WebDAV** 与 **E3**
+- 勾选“包含附件”后：
+  - ZIP 内仍只包含 `db.json` 与 `manifest.json`
+  - 真实附件单独存放在 `attachments/`
+  - 后续备份会按稳定 blob 名复用已有附件，不会每次全量重传
+- 远程还原时：
+  - 会从 `attachments/` 目录按需读取附件
+  - 缺失的附件会被安全跳过
+  - 被跳过的附件不会在恢复后的数据库中留下脏记录

 ---

-## 常见问题
+## 导入 / 导出

-**Q: 如何备份数据？**  
-A: 在客户端中选择「导出密码库」，保存 JSON 文件。
+当前支持的导入来源包括：

-**Q: 忘记主密码怎么办？**  
-A: 无法恢复，这是端到端加密的特性。建议妥善保管主密码。
+- Bitwarden JSON
+- Bitwarden CSV
+- Bitwarden 密码库 + 附件 ZIP
+- NodeWarden JSON
+- 网页导入器里可见的多种浏览器 / 密码管理器格式

-**Q: 可以多人使用吗？**  
-A: 不建议。本项目为单用户设计，多人使用请选择 Vaultwarden。
+当前支持的导出方式包括：
+
+- Bitwarden JSON
+- Bitwarden 加密 JSON
+- 带附件的 ZIP 导出
+- NodeWarden JSON 系列
+- 备份中心中的实例级完整手动导出

 ---

+
 ## 开源协议

 LGPL-3.0 License
@@ -88,10 +133,12 @@ LGPL-3.0 License

 ## 致谢

- [Bitwarden](https://bitwarden.com/) - 原始设计和客户端
- [Vaultwarden](https://github.com/dani-garcia/vaultwarden) - 服务器实现参考
+- [Bitwarden](https://bitwarden.com/) - 原始设计与客户端
+- [Vaultwarden](https://github.com/dani-garcia/vaultwarden) - 服务端实现参考
 - [Cloudflare Workers](https://workers.cloudflare.com/) - 无服务器平台
+
 ---
+
 ## Star History

 [![Star History Chart](https://api.star-history.com/svg?repos=shuaiplus/NodeWarden&type=timeline&legend=top-left)](https://www.star-history.com/#shuaiplus/NodeWarden&type=timeline&legend=top-left)
@@ -1,85 +1,124 @@
-# NodeWarden
-中文文档：[`README.md`](./README.md)
+<p align="center">
+  <img src="./NodeWarden.png" alt="NodeWarden Logo" />
+</p>

-A **Bitwarden-compatible** server that runs on **Cloudflare Workers**.
+<p align="center">
+  A third-party Bitwarden-compatible server running on Cloudflare Workers.
+</p>

-> Disclaimer
-> - This project is for learning and communication only.
-> - We are not responsible for any data loss. Regular vault backups are strongly recommended.
-> - This project is not affiliated with Bitwarden. Please do not report issues to the official Bitwarden team.
+[![Powered by Cloudflare](https://img.shields.io/badge/Powered%20by-Cloudflare-F38020?logo=cloudflare&logoColor=white)](https://workers.cloudflare.com/)
+[![License: LGPL-3.0](https://img.shields.io/badge/License-LGPL--3.0-2ea44f)](./LICENSE)
+[![Latest Release](https://img.shields.io/github/v/release/shuaiplus/NodeWarden?display_name=tag)](https://github.com/shuaiplus/NodeWarden/releases/latest)
+[![Sync Upstream](https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml/badge.svg)](https://github.com/shuaiplus/NodeWarden/actions/workflows/sync-upstream.yml)
+
+[Release Notes](./RELEASE_NOTES.md) | [Report an Issue](https://github.com/shuaiplus/NodeWarden/issues/new/choose) | [Latest Release](https://github.com/shuaiplus/NodeWarden/releases/latest)
+
+English: [`README.md`](./README.md)
+
+> **Disclaimer**  
+> This project is for learning and communication purposes only. Please back up your vault regularly.  
+> This project is not affiliated with Bitwarden. Please do not report NodeWarden issues to the official Bitwarden team.

 ---

-## Feature Comparison Table (vs Official Bitwarden Server)
+## Feature Comparison with Official Bitwarden Server

-| Capability | Bitwarden  | NodeWarden | Notes |
+| Capability | Bitwarden | NodeWarden | Notes |
 |---|---|---|---|
-| Single-user vault (logins/notes/cards/identities) | ✅ | ✅ | Core vault model supported |
-| Folders / Favorites | ✅ | ✅ | Common vault organization supported |
-| Full sync `/api/sync` | ✅ | ✅ | Compatibility-focused implementation |
-| Attachment upload/download | ✅ | ✅ | Backed by Cloudflare R2 |
-| Import flow (common clients) | ✅ | ✅ | Common import paths covered |
-| Website icon proxy | ✅ | ✅ | Via `/icons/{hostname}/icon.png` |
-| passkey、TOTP | ❌ | ✅ | Official service requires premium; NodeWarden does not |
-| Multi-user | ✅ | ❌ | NodeWarden is single-user by design |
-| Organizations / Collections / Member roles | ✅ | ❌ | Not necessary to implement |
-| Login 2FA (TOTP/WebAuthn/Duo/Email) | ✅ | ⚠️ Partial | TOTP-only  via `TOTP_SECRET` |
-| SSO / SCIM / Enterprise directory | ✅ | ❌ | Not necessary to implement |
-| Send | ✅ | ❌ | Not necessary to implement |
-| Emergency access | ✅ | ❌ | Not necessary to implement |
-| Admin console / Billing & subscription | ✅ | ❌ | Free only |
-| Full push notification pipeline | ✅ | ❌ | Not necessary to implement |
-
-
-## Tested clients / platforms
-
- ✅ Windows desktop client (v2026.1.0)
- ✅ Android app (v2026.1.0)
- ✅ Browser extension (v2026.1.0)
- ⬜ macOS desktop client (not tested)
- ⬜ Linux desktop client (not tested)
+| Web Vault | ✅ | ✅ | **Original Web Vault interface** |
+| Full sync `/api/sync` | ✅ | ✅ | Optimized for official clients |
+| Attachment upload / download | ✅ | ✅ | Cloudflare R2 or KV |
+| Send | ✅ | ✅ | Supports both text and file Sends |
+| Import / Export | ✅ | ✅ | Supports Bitwarden JSON / CSV / **ZIP import with attachments** |
+| **Cloud Backup Center** | ❌ | ✅ | **Supports scheduled backups with WebDAV / E3** |
+| Password hint (web) | ⚠️ Limited | ✅ | **No email required** |
+| TOTP / Steam TOTP | ✅ | ✅ | Includes `steam://` support |
+| Multi-user | ✅ | ✅ | Invite-based registration |
+| Organizations / Collections / Member roles | ✅ | ❌ | Not implemented |
+| Login 2FA | ✅ | ⚠️ Partial | Currently only user-level TOTP |
+| SSO / SCIM / Enterprise directory | ✅ | ❌ | Not implemented |

 ---

-# Quick start
+## Tested Clients

-### One-click deploy
+- ✅ Windows desktop client
+- ✅ Mobile app
+- ✅ Browser extension
+- ✅ Linux desktop client
+- ⚠️ macOS desktop client not fully verified

-**Deploy steps:**
+---

-1. Fork this project  (you don't need to fork it if you don't need to update it later).
-2. [![Deploy to Cloudflare Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/shuaiplus/nodewarden)
-3. Open the generated service URL and follow the on-page instructions.
+## Web Deploy

+1. Fork this repository. If this project helps you, please consider giving it a Star.
+2. Open [Workers](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create) -> `Continue with GitHub` -> select your forked repository (`NodeWarden`) -> `Next` -> deploy.  
+   R2 is used by default. If R2 is unavailable for your account, you can use KV instead by changing the **deploy command** to `npm run deploy:kv`.

-## Local development
+| Storage | Card required | Single attachment / Send file limit | Free tier |
+|---|---|---|---|
+| R2 | Yes | 100 MB (soft limit, can be adjusted) | 10 GB |
+| KV | No | 25 MiB (Cloudflare limit) | 1 GB |

-This repo is a Cloudflare Workers TypeScript project (Wrangler).
+> [!TIP]
+> How to keep your fork updated:
+> - Manual: open your fork on GitHub, click `Sync fork`, then `Update branch`
+> - Automatic: go to your fork -> `Actions` -> `Sync upstream` -> `Enable workflow`; it will sync upstream automatically every day at 3 AM
+
+## CLI Deploy
+
+```powershell
+git clone https://github.com/shuaiplus/NodeWarden.git
+cd NodeWarden

-```bash
 npm install
+npx wrangler login
+
+# Default: R2 mode
+npm run deploy
+
+# Optional: KV mode
+npm run deploy:kv
+
+# Local development
 npm run dev
+npm run dev:kv
 ```

-## Optional Login TOTP (2FA)
+---

- Add Workers Secret `TOTP_SECRET` (Base32) to enable login TOTP.
- Remove `TOTP_SECRET` to disable login TOTP.
- Client flow: password -> TOTP code.
- "Remember this device" is supported for 30 days.
+## Cloud Backup Notes
+
+- Remote backup supports **WebDAV** and **E3**
+- When `Include attachments` is enabled:
+  - the ZIP still contains only `db.json` and `manifest.json`
+  - real attachment files are stored separately under `attachments/`
+  - later backups reuse existing attachments by stable blob name instead of uploading everything again
+- During remote restore:
+  - required attachment files are loaded from `attachments/`
+  - missing attachments are skipped safely
+  - skipped attachments do not leave broken rows in the restored database

 ---

-## FAQ
+## Import / Export

-**Q: How do I back up my data?**  
-A: Use **Export vault** in your client and save the JSON file.
+Current supported import sources include:

-**Q: What if I forget the master password?**  
-A: It can’t be recovered (end-to-end encryption). Keep it safe.
+- Bitwarden JSON
+- Bitwarden CSV
+- Bitwarden vault + attachments ZIP
+- NodeWarden JSON
+- Multiple browser / password-manager formats visible in the web import selector

-**Q: Can multiple people use it?**  
-A: Not recommended. This project is designed for single-user usage. For multi-user usage, choose Vaultwarden.
+Current supported export formats include:
+
+- Bitwarden JSON
+- Bitwarden encrypted JSON
+- ZIP export with attachments
+- NodeWarden JSON variants
+- Full manual instance export from the backup center

 ---

@@ -95,9 +134,8 @@ LGPL-3.0 License
 - [Vaultwarden](https://github.com/dani-garcia/vaultwarden) - server implementation reference
 - [Cloudflare Workers](https://workers.cloudflare.com/) - serverless platform

-
-
 ---
+
 ## Star History

 [![Star History Chart](https://api.star-history.com/svg?repos=shuaiplus/NodeWarden&type=timeline&legend=top-left)](https://www.star-history.com/#shuaiplus/NodeWarden&type=timeline&legend=top-left)
@@ -13,6 +13,7 @@ CREATE TABLE IF NOT EXISTS users (
  id TEXT PRIMARY KEY,
  email TEXT NOT NULL UNIQUE,
  name TEXT,
+  master_password_hint TEXT,
  master_password_hash TEXT NOT NULL,
  key TEXT NOT NULL,
  private_key TEXT,
@@ -22,6 +23,11 @@ CREATE TABLE IF NOT EXISTS users (
  kdf_memory INTEGER,
  kdf_parallelism INTEGER,
  security_stamp TEXT NOT NULL,
+  role TEXT NOT NULL DEFAULT 'user',
+  status TEXT NOT NULL DEFAULT 'active',
+  verify_devices INTEGER NOT NULL DEFAULT 1,
+  totp_secret TEXT,
+  totp_recovery_code TEXT,
  created_at TEXT NOT NULL,
  updated_at TEXT NOT NULL
 );
@@ -46,10 +52,12 @@ CREATE TABLE IF NOT EXISTS ciphers (
  key TEXT,
  created_at TEXT NOT NULL,
  updated_at TEXT NOT NULL,
+  archived_at TEXT,
  deleted_at TEXT,
  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
 );
 CREATE INDEX IF NOT EXISTS idx_ciphers_user_updated ON ciphers(user_id, updated_at);
+CREATE INDEX IF NOT EXISTS idx_ciphers_user_archived ON ciphers(user_id, archived_at);
 CREATE INDEX IF NOT EXISTS idx_ciphers_user_deleted ON ciphers(user_id, deleted_at);

 CREATE TABLE IF NOT EXISTS folders (
@@ -73,6 +81,32 @@ CREATE TABLE IF NOT EXISTS attachments (
 );
 CREATE INDEX IF NOT EXISTS idx_attachments_cipher ON attachments(cipher_id);

+CREATE TABLE IF NOT EXISTS sends (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL,
+  type INTEGER NOT NULL,
+  name TEXT NOT NULL,
+  notes TEXT,
+  data TEXT NOT NULL,
+  key TEXT NOT NULL,
+  password_hash TEXT,
+  password_salt TEXT,
+  password_iterations INTEGER,
+  auth_type INTEGER NOT NULL DEFAULT 2,
+  emails TEXT,
+  max_access_count INTEGER,
+  access_count INTEGER NOT NULL DEFAULT 0,
+  disabled INTEGER NOT NULL DEFAULT 0,
+  hide_email INTEGER,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  expiration_date TEXT,
+  deletion_date TEXT NOT NULL,
+  FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+CREATE INDEX IF NOT EXISTS idx_sends_user_updated ON sends(user_id, updated_at);
+CREATE INDEX IF NOT EXISTS idx_sends_user_deletion ON sends(user_id, deletion_date);
+
 CREATE TABLE IF NOT EXISTS refresh_tokens (
  token TEXT PRIMARY KEY,
  user_id TEXT NOT NULL,
@@ -81,11 +115,42 @@ CREATE TABLE IF NOT EXISTS refresh_tokens (
 );
 CREATE INDEX IF NOT EXISTS idx_refresh_tokens_user ON refresh_tokens(user_id);

+CREATE TABLE IF NOT EXISTS invites (
+  code TEXT PRIMARY KEY,
+  created_by TEXT NOT NULL,
+  used_by TEXT,
+  expires_at TEXT NOT NULL,
+  status TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE CASCADE,
+  FOREIGN KEY (used_by) REFERENCES users(id) ON DELETE SET NULL
+);
+CREATE INDEX IF NOT EXISTS idx_invites_status_expires ON invites(status, expires_at);
+CREATE INDEX IF NOT EXISTS idx_invites_created_by ON invites(created_by, created_at);
+
+CREATE TABLE IF NOT EXISTS audit_logs (
+  id TEXT PRIMARY KEY,
+  actor_user_id TEXT,
+  action TEXT NOT NULL,
+  target_type TEXT,
+  target_id TEXT,
+  metadata TEXT,
+  created_at TEXT NOT NULL,
+  FOREIGN KEY (actor_user_id) REFERENCES users(id) ON DELETE SET NULL
+);
+CREATE INDEX IF NOT EXISTS idx_audit_logs_created_at ON audit_logs(created_at);
+CREATE INDEX IF NOT EXISTS idx_audit_logs_actor_created ON audit_logs(actor_user_id, created_at);
+
 CREATE TABLE IF NOT EXISTS devices (
  user_id TEXT NOT NULL,
  device_identifier TEXT NOT NULL,
  name TEXT NOT NULL,
  type INTEGER NOT NULL,
+  session_stamp TEXT,
+  encrypted_user_key TEXT,
+  encrypted_public_key TEXT,
+  encrypted_private_key TEXT,
  created_at TEXT NOT NULL,
  updated_at TEXT NOT NULL,
  PRIMARY KEY (user_id, device_identifier),
@@ -1,6 +1,6 @@
 {
  "name": "nodewarden",
-  "version": "1.0.0",
+  "version": "1.4.2",
  "description": "Minimal Bitwarden-compatible server running on Cloudflare Workers",
  "author": "shuaiplus",
  "license": "LGPL-3.0",
@@ -8,8 +8,10 @@
  "type": "module",
  "scripts": {
    "dev": "wrangler dev -c wrangler.toml",
-    "deploymy": "wrangler deploy -c wrangler.my.toml",
-    "deploy": "wrangler deploy"
+    "dev:kv": "wrangler dev -c wrangler.kv.toml",
+    "build": "vite build --config webapp/vite.config.ts",
+    "deploy": "wrangler deploy",
+    "deploy:kv": "wrangler deploy -c wrangler.kv.toml"
  },
  "keywords": [
    "bitwarden",
@@ -28,14 +30,32 @@
      },
      "ATTACHMENTS": {
        "description": "R2 bucket for storing file attachments"
+      },
+      "ATTACHMENTS_KV": {
+        "description": "Optional KV namespace fallback for attachment/send-file storage"
      }
    }
  },
  "devDependencies": {
    "@cloudflare/workers-types": "^4.20260131.0",
+    "@preact/preset-vite": "^2.10.3",
    "@types/node": "^25.2.3",
    "tsx": "^4.21.0",
    "typescript": "^5.9.3",
-    "wrangler": "^4.61.1"
+    "vite": "^7.3.1",
+    "wrangler": "^4.71.0"
+  },
+  "dependencies": {
+    "@dnd-kit/core": "^6.3.1",
+    "@dnd-kit/sortable": "^10.0.0",
+    "@dnd-kit/utilities": "^3.2.2",
+    "@noble/hashes": "^2.0.1",
+    "@tanstack/react-query": "^5.90.21",
+    "@zip.js/zip.js": "^2.8.22",
+    "fflate": "^0.8.2",
+    "lucide-preact": "^0.575.0",
+    "preact": "^10.28.4",
+    "qrcode-generator": "^2.0.4",
+    "wouter": "^3.9.0"
  }
 }
@@ -0,0 +1 @@
+export const APP_VERSION = '1.4.2';
@@ -0,0 +1,151 @@
+export const BACKUP_DEFAULT_TIMEZONE = 'UTC';
+export const BACKUP_DEFAULT_RETENTION_COUNT = 30;
+export const BACKUP_DEFAULT_E3_REGION = 'auto';
+export const BACKUP_DEFAULT_REMOTE_PATH = 'nodewarden';
+export const BACKUP_DEFAULT_INTERVAL_HOURS = 24;
+export const BACKUP_DEFAULT_START_TIME = '03:00';
+
+export type BackupDestinationType = 'e3' | 'webdav';
+
+export interface E3BackupDestination {
+  endpoint: string;
+  bucket: string;
+  region: string;
+  accessKeyId: string;
+  secretAccessKey: string;
+  rootPath: string;
+}
+
+export interface WebDavBackupDestination {
+  baseUrl: string;
+  username: string;
+  password: string;
+  remotePath: string;
+}
+
+export type BackupDestinationConfig =
+  | E3BackupDestination
+  | WebDavBackupDestination;
+
+export interface BackupRuntimeState {
+  lastAttemptAt: string | null;
+  lastAttemptLocalDate: string | null;
+  lastSuccessAt: string | null;
+  lastErrorAt: string | null;
+  lastErrorMessage: string | null;
+  lastUploadedFileName: string | null;
+  lastUploadedSizeBytes: number | null;
+  lastUploadedDestination: string | null;
+}
+
+export interface BackupScheduleConfig {
+  enabled: boolean;
+  intervalHours: number;
+  startTime: string;
+  timezone: string;
+  retentionCount: number | null;
+}
+
+export interface BackupDestinationRecord {
+  id: string;
+  name: string;
+  type: BackupDestinationType;
+  includeAttachments: boolean;
+  destination: BackupDestinationConfig;
+  schedule: BackupScheduleConfig;
+  runtime: BackupRuntimeState;
+}
+
+export interface BackupSettings {
+  destinations: BackupDestinationRecord[];
+}
+
+export function createBackupRandomId(): string {
+  if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+    return crypto.randomUUID();
+  }
+  return `backup-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
+}
+
+export function createDefaultBackupRuntimeState(): BackupRuntimeState {
+  return {
+    lastAttemptAt: null,
+    lastAttemptLocalDate: null,
+    lastSuccessAt: null,
+    lastErrorAt: null,
+    lastErrorMessage: null,
+    lastUploadedFileName: null,
+    lastUploadedSizeBytes: null,
+    lastUploadedDestination: null,
+  };
+}
+
+export function createDefaultBackupScheduleConfig(timezone: string = BACKUP_DEFAULT_TIMEZONE): BackupScheduleConfig {
+  return {
+    enabled: false,
+    intervalHours: BACKUP_DEFAULT_INTERVAL_HOURS,
+    startTime: BACKUP_DEFAULT_START_TIME,
+    timezone,
+    retentionCount: BACKUP_DEFAULT_RETENTION_COUNT,
+  };
+}
+
+export function createDefaultBackupDestinationConfig(type: BackupDestinationType): BackupDestinationConfig {
+  if (type === 'e3') {
+    return {
+      endpoint: '',
+      bucket: '',
+      region: BACKUP_DEFAULT_E3_REGION,
+      accessKeyId: '',
+      secretAccessKey: '',
+      rootPath: BACKUP_DEFAULT_REMOTE_PATH,
+    };
+  }
+  return {
+    baseUrl: '',
+    username: '',
+    password: '',
+    remotePath: BACKUP_DEFAULT_REMOTE_PATH,
+  };
+}
+
+export function createDefaultBackupDestinationName(type: BackupDestinationType, index: number): string {
+  if (type === 'e3') return `E3 ${index}`;
+  return `WebDAV ${index}`;
+}
+
+export interface CreateBackupDestinationRecordOptions {
+  id?: string;
+  name?: string;
+  timezone?: string;
+}
+
+export function createBackupDestinationRecord(
+  type: BackupDestinationType,
+  index: number,
+  options: CreateBackupDestinationRecordOptions = {}
+): BackupDestinationRecord {
+  return {
+    id: options.id || createBackupRandomId(),
+    name: options.name || createDefaultBackupDestinationName(type, index),
+    type,
+    includeAttachments: false,
+    destination: createDefaultBackupDestinationConfig(type),
+    schedule: createDefaultBackupScheduleConfig(options.timezone || BACKUP_DEFAULT_TIMEZONE),
+    runtime: createDefaultBackupRuntimeState(),
+  };
+}
+
+export function createDefaultBackupSettings(
+  timezone: string = BACKUP_DEFAULT_TIMEZONE,
+  options: { destinationName?: string } = {}
+): BackupSettings {
+  return {
+    destinations: [
+      createBackupDestinationRecord('webdav', 1, {
+        timezone,
+        name: options.destinationName,
+      }),
+    ],
+  };
+}
@@ -6,12 +6,18 @@
    // Refresh token lifetime in milliseconds.
    // 刷新令牌有效期（毫秒）。
    refreshTokenTtlMs: 30 * 24 * 60 * 60 * 1000,
+    // Grace window for previous refresh token after rotation (ms).
+    // 刷新令牌轮换后的旧令牌宽限窗口（毫秒）。
+    refreshTokenOverlapGraceMs: 60 * 1000,
    // Refresh token random byte length.
    // 刷新令牌随机字节长度。
    refreshTokenRandomBytes: 32,
    // Attachment download token lifetime in seconds.
    // 附件下载令牌有效期（秒）。
    fileDownloadTokenTtlSeconds: 300,
+    // Send access token lifetime in seconds.
+    // Send 访问令牌有效期（秒）。
+    sendAccessTokenTtlSeconds: 300,
    // Minimum required JWT secret length.
    // JWT 密钥最小长度要求。
    jwtSecretMinLength: 32,
@@ -22,16 +28,34 @@
  rateLimit: {
    // Max failed login attempts before temporary lock.
    // 触发临时锁定前允许的最大登录失败次数。
-    loginMaxAttempts: 5,
+    loginMaxAttempts: 10,
    // Login lock duration in minutes.
    // 登录锁定时长（分钟）。
    loginLockoutMinutes: 2,
-    // Write API request budget per minute.
-    // 写操作 API 每分钟请求配额。
-    apiWriteRequestsPerMinute: 120,
-    // /api/sync read request budget per minute.
-    // /api/sync 读请求每分钟配额。
-    syncReadRequestsPerMinute: 1000,
+    // Authenticated API request budget per user per minute (all reads & writes combined).
+    // 认证 API 每用户每分钟请求配额（读写合计）。
+    apiRequestsPerMinute: 200,
+    // Public (unauthenticated) request budget per IP per minute.
+    // 公开（未认证）接口每 IP 每分钟请求配额。
+    publicRequestsPerMinute: 60,
+    // Public read-only request budget per IP per minute.
+    // 公开只读接口每 IP 每分钟请求配额。
+    publicReadRequestsPerMinute: 120,
+    // Sensitive public/auth request budget per IP per minute.
+    // 敏感公开/认证接口每 IP 每分钟请求配额。
+    sensitivePublicRequestsPerMinute: 30,
+    // Password hint lookup budget per IP per minute.
+    // 密码提示查询接口每 IP 每分钟请求配额。
+    passwordHintRequestsPerMinute: 1,
+    // Password hint lookup budget per IP per hour.
+    // 密码提示查询接口每 IP 每小时请求配额。
+    passwordHintRequestsPerHour: 3,
+    // Register endpoint budget per IP per minute.
+    // 注册接口每 IP 每分钟请求配额。
+    registerRequestsPerMinute: 5,
+    // Refresh-token grant budget per IP per minute.
+    // refresh_token 授权每 IP 每分钟请求配额。
+    refreshTokenRequestsPerMinute: 30,
    // Fixed window size for API rate limiting in seconds.
    // API 限流固定窗口大小（秒）。
    apiWindowSeconds: 60,
@@ -41,15 +65,9 @@
    // Minimum interval between login-attempt cleanup runs.
    // 登录尝试表清理的最小间隔。
    loginIpCleanupIntervalMs: 10 * 60 * 1000,
-    // Minimum interval between API-window cleanup runs.
-    // API 窗口计数清理的最小间隔。
-    apiWindowCleanupIntervalMs: 5 * 60 * 1000,
    // Retention window for login IP records.
    // 登录 IP 记录保留时长。
    loginIpRetentionMs: 30 * 24 * 60 * 60 * 1000,
-    // Number of historical API windows to keep.
-    // 保留的历史 API 窗口数量。
-    apiWindowRetentionWindows: 120,
  },
  cleanup: {
    // Minimum interval between refresh-token cleanup runs.
@@ -67,6 +85,14 @@
    // 附件上传大小上限（字节）。
    maxFileSizeBytes: 100 * 1024 * 1024,
  },
+  send: {
+    // Max file size allowed for Send file uploads.
+    // Send 文件上传大小上限。
+    maxFileSizeBytes: 100 * 1024 * 1024,
+    // Max days allowed between now and deletion date.
+    // 允许的最远删除日期（距当前天数）。
+    maxDeletionDays: 31,
+  },
  pagination: {
    // Default page size when client does not specify pageSize.
    // 客户端未传 pageSize 时的默认分页大小。
@@ -87,6 +113,12 @@
    // In-memory /api/sync response cache TTL (milliseconds).
    // /api/sync 内存缓存有效期（毫秒）。
    syncResponseTtlMs: 30 * 1000,
+    // Max size of a single cached /api/sync body in bytes.
+    // 单个 /api/sync 缓存响应允许的最大字节数。
+    syncResponseMaxBodyBytes: 512 * 1024,
+    // Max total in-memory bytes used by /api/sync cache per isolate.
+    // 每个 isolate 中 /api/sync 缓存允许占用的最大总字节数。
+    syncResponseMaxTotalBytes: 2 * 1024 * 1024,
    // Max in-memory /api/sync cache entries per isolate.
    // 每个 isolate 的 /api/sync 最大缓存条目数。
    syncResponseMaxEntries: 64,
@@ -95,6 +127,14 @@
    // Max IDs per SQL batch when moving ciphers in bulk.
    // 批量移动密码项时每批 SQL 的最大 ID 数量。
    bulkMoveChunkSize: 200,
+    // Max total items (folders + ciphers) allowed in a single import.
+    // 单次导入允许的最大条目数（文件夹 + 密码项合计）。
+    importItemLimit: 5000,
+  },
+  request: {
+    // Hard body size limit for JSON API endpoints (bytes). File upload paths are exempt.
+    // JSON 接口请求 body 大小上限（字节），文件上传接口除外。
+    maxBodyBytes: 25 * 1024 * 1024,
  },
  compatibility: {
    // Single source of truth for /config.version and /api/version.
@@ -0,0 +1,531 @@
+import type { Env } from '../types';
+
+const SIGNALR_RECORD_SEPARATOR = 0x1e;
+const SIGNALR_HANDSHAKE_ACK = new Uint8Array([0x7b, 0x7d, SIGNALR_RECORD_SEPARATOR]);
+const SIGNALR_UPDATE_TYPE_SYNC_VAULT = 5;
+const SIGNALR_UPDATE_TYPE_LOG_OUT = 11;
+const SIGNALR_UPDATE_TYPE_DEVICE_STATUS = 12;
+const SIGNALR_UPDATE_TYPE_BACKUP_RESTORE_PROGRESS = 13;
+const SIGNALR_PING_INTERVAL_MS = 15_000;
+
+type HubProtocol = 'json' | 'messagepack';
+
+interface ConnectionState {
+  handshakeComplete: boolean;
+  protocol: HubProtocol;
+  deviceIdentifier: string | null;
+}
+
+function concatBytes(chunks: Uint8Array[]): Uint8Array {
+  const total = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const chunk of chunks) {
+    out.set(chunk, offset);
+    offset += chunk.length;
+  }
+  return out;
+}
+
+function encodeUtf8(value: string): Uint8Array {
+  return new TextEncoder().encode(value);
+}
+
+function encodeMsgPackInteger(value: number): Uint8Array {
+  const normalized = Math.trunc(value);
+  if (normalized >= 0 && normalized <= 0x7f) {
+    return new Uint8Array([normalized]);
+  }
+  if (normalized >= 0 && normalized <= 0xff) {
+    return new Uint8Array([0xcc, normalized]);
+  }
+  if (normalized >= 0 && normalized <= 0xffff) {
+    return new Uint8Array([0xcd, normalized >> 8, normalized & 0xff]);
+  }
+  const safe = normalized >>> 0;
+  return new Uint8Array([
+    0xce,
+    (safe >>> 24) & 0xff,
+    (safe >>> 16) & 0xff,
+    (safe >>> 8) & 0xff,
+    safe & 0xff,
+  ]);
+}
+
+function encodeMsgPackString(value: string): Uint8Array {
+  const bytes = encodeUtf8(value);
+  const len = bytes.length;
+  if (len < 32) {
+    return concatBytes([new Uint8Array([0xa0 | len]), bytes]);
+  }
+  if (len <= 0xff) {
+    return concatBytes([new Uint8Array([0xd9, len]), bytes]);
+  }
+  return concatBytes([new Uint8Array([0xda, (len >> 8) & 0xff, len & 0xff]), bytes]);
+}
+
+function encodeMsgPackTimestamp(date: Date): Uint8Array {
+  const seconds = BigInt(Math.floor(date.getTime() / 1000));
+  const nanos = BigInt(date.getMilliseconds()) * 1000000n;
+  const timestamp = (nanos << 34n) | seconds;
+  const payload = new Uint8Array(8);
+  for (let i = 7; i >= 0; i--) {
+    payload[i] = Number((timestamp >> BigInt((7 - i) * 8)) & 0xffn);
+  }
+  return concatBytes([new Uint8Array([0xc7, 0x08, 0xff]), payload]);
+}
+
+function encodeMsgPackArray(values: unknown[]): Uint8Array {
+  const items = values.map(encodeMsgPack);
+  const len = items.length;
+  const header =
+    len < 16
+      ? new Uint8Array([0x90 | len])
+      : new Uint8Array([0xdc, (len >> 8) & 0xff, len & 0xff]);
+  return concatBytes([header, ...items]);
+}
+
+function encodeMsgPackMap(value: Record<string, unknown>): Uint8Array {
+  const entries = Object.entries(value);
+  const len = entries.length;
+  const header =
+    len < 16
+      ? new Uint8Array([0x80 | len])
+      : new Uint8Array([0xde, (len >> 8) & 0xff, len & 0xff]);
+  const chunks: Uint8Array[] = [header];
+  for (const [key, entryValue] of entries) {
+    chunks.push(encodeMsgPackString(key), encodeMsgPack(entryValue));
+  }
+  return concatBytes(chunks);
+}
+
+function encodeMsgPack(value: unknown): Uint8Array {
+  if (value === null || value === undefined) return new Uint8Array([0xc0]);
+  if (value instanceof Date) return encodeMsgPackTimestamp(value);
+  if (typeof value === 'string') return encodeMsgPackString(value);
+  if (typeof value === 'number') return encodeMsgPackInteger(value);
+  if (typeof value === 'boolean') return new Uint8Array([value ? 0xc3 : 0xc2]);
+  if (Array.isArray(value)) return encodeMsgPackArray(value);
+  if (value instanceof Uint8Array) {
+    const len = value.length;
+    if (len <= 0xff) return concatBytes([new Uint8Array([0xc4, len]), value]);
+    return concatBytes([new Uint8Array([0xc5, (len >> 8) & 0xff, len & 0xff]), value]);
+  }
+  return encodeMsgPackMap(value as Record<string, unknown>);
+}
+
+function frameSignalRBinary(payload: Uint8Array): Uint8Array {
+  const len = payload.length;
+  const prefix: number[] = [];
+  let value = len;
+  do {
+    let current = value & 0x7f;
+    value >>>= 7;
+    if (value > 0) current |= 0x80;
+    prefix.push(current);
+  } while (value > 0);
+  return concatBytes([new Uint8Array(prefix), payload]);
+}
+
+function buildSignalRJsonInvocation(
+  updateType: number,
+  payload: Record<string, unknown>,
+  contextId: string | null
+): string {
+  return JSON.stringify({
+    type: 1,
+    target: 'ReceiveMessage',
+    arguments: [
+        {
+          ContextId: contextId,
+          Type: updateType,
+          Payload: payload,
+        },
+      ],
+    }) + String.fromCharCode(SIGNALR_RECORD_SEPARATOR);
+}
+
+function buildSignalRJsonPing(): string {
+  return JSON.stringify({ type: 6 }) + String.fromCharCode(SIGNALR_RECORD_SEPARATOR);
+}
+
+function buildSignalRMessagePackInvocation(
+  updateType: number,
+  messagePayload: Record<string, unknown>,
+  contextId: string | null
+): Uint8Array {
+  // SignalR MessagePack hub protocol uses an array-based invocation shape:
+  // [type, headers, invocationId, target, arguments]
+  const encodedPayload = encodeMsgPack([
+    1,
+    {},
+    null,
+    'ReceiveMessage',
+    [
+      {
+        ContextId: contextId,
+        Type: updateType,
+        Payload: messagePayload,
+      },
+    ],
+  ]);
+  return frameSignalRBinary(encodedPayload);
+}
+
+function buildSignalRMessagePackPing(): Uint8Array {
+  return frameSignalRBinary(encodeMsgPack([6]));
+}
+
+function decodeIncomingMessage(data: string | ArrayBuffer | ArrayBufferView): string {
+  if (typeof data === 'string') return data;
+  if (data instanceof ArrayBuffer) return new TextDecoder().decode(new Uint8Array(data));
+  return new TextDecoder().decode(new Uint8Array(data.buffer, data.byteOffset, data.byteLength));
+}
+
+export class NotificationsHub {
+  private readonly connections = new Map<WebSocket, ConnectionState>();
+  private userId = '';
+  private pingTimer: ReturnType<typeof setInterval> | null = null;
+
+  constructor(private readonly state: DurableObjectState, private readonly env: Env) {
+    void this.state;
+    void this.env;
+  }
+
+  async fetch(request: Request): Promise<Response> {
+    const url = new URL(request.url);
+
+    if (url.pathname === '/internal/notify' && request.method === 'POST') {
+      const body = (await request.json().catch(() => null)) as {
+        revisionDate?: string;
+        userId?: string;
+        contextId?: string | null;
+        updateType?: number;
+        targetDeviceIdentifier?: string | null;
+        payload?: Record<string, unknown> | null;
+      } | null;
+      const revisionDate = String(body?.revisionDate || '').trim() || new Date().toISOString();
+      this.userId = String(request.headers.get('X-NodeWarden-UserId') || body?.userId || this.userId).trim();
+      const contextId = String(body?.contextId || '').trim() || null;
+      const updateType = Number(body?.updateType || SIGNALR_UPDATE_TYPE_SYNC_VAULT) || SIGNALR_UPDATE_TYPE_SYNC_VAULT;
+      const targetDeviceIdentifier = String(body?.targetDeviceIdentifier || '').trim() || null;
+      const payload = body?.payload && typeof body.payload === 'object'
+        ? body.payload
+        : {
+          UserId: this.userId,
+          Date: revisionDate,
+        };
+      this.broadcastMessage(updateType, payload, contextId, targetDeviceIdentifier);
+      return new Response(null, { status: 204 });
+    }
+
+    if (url.pathname === '/internal/online' && request.method === 'GET') {
+      return new Response(JSON.stringify({ deviceIdentifiers: this.getOnlineDeviceIdentifiers() }), {
+        status: 200,
+        headers: {
+          'Content-Type': 'application/json',
+        },
+      });
+    }
+
+    if (url.pathname !== '/notifications/hub') {
+      return new Response('Not found', { status: 404 });
+    }
+
+    if (request.headers.get('Upgrade')?.toLowerCase() !== 'websocket') {
+      return new Response('Expected websocket', { status: 426 });
+    }
+
+    const requestUserId = String(url.searchParams.get('nw_uid') || '').trim();
+    const requestDeviceIdentifier = String(url.searchParams.get('nw_did') || '').trim() || null;
+    if (requestUserId) {
+      this.userId = requestUserId;
+    }
+
+    if (!this.userId) {
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const pair = new WebSocketPair();
+    const client = pair[0];
+    const server = pair[1];
+    server.accept();
+
+    this.connections.set(server, {
+      handshakeComplete: false,
+      protocol: 'messagepack',
+      deviceIdentifier: requestDeviceIdentifier,
+    });
+    this.ensurePingLoop();
+
+    server.addEventListener('message', (event) => {
+      void this.handleSocketMessage(server, event.data);
+    });
+    server.addEventListener('close', () => {
+      const shouldBroadcast = !!this.connections.get(server)?.handshakeComplete;
+      this.connections.delete(server);
+      this.stopPingLoopIfIdle();
+      if (shouldBroadcast) this.broadcastDeviceStatus();
+    });
+    server.addEventListener('error', () => {
+      const shouldBroadcast = !!this.connections.get(server)?.handshakeComplete;
+      this.connections.delete(server);
+      this.stopPingLoopIfIdle();
+      if (shouldBroadcast) this.broadcastDeviceStatus();
+      try {
+        server.close(1011, 'Socket error');
+      } catch {
+        // ignore close races
+      }
+    });
+
+    return new Response(null, {
+      status: 101,
+      webSocket: client,
+    });
+  }
+
+  private async handleSocketMessage(socket: WebSocket, rawData: string | ArrayBuffer | ArrayBufferView): Promise<void> {
+    const connection = this.connections.get(socket);
+    if (!connection) return;
+
+    if (!connection.handshakeComplete) {
+      const text = decodeIncomingMessage(rawData);
+      const frames = text.split(String.fromCharCode(SIGNALR_RECORD_SEPARATOR)).filter(Boolean);
+      for (const frame of frames) {
+        try {
+          const handshake = JSON.parse(frame) as { protocol?: string };
+          const protocol = handshake.protocol === 'json' ? 'json' : 'messagepack';
+          connection.protocol = protocol;
+          connection.handshakeComplete = true;
+          socket.send(SIGNALR_HANDSHAKE_ACK);
+          this.broadcastDeviceStatus();
+          return;
+        } catch {
+          // Ignore malformed pre-handshake payloads.
+        }
+      }
+      return;
+    }
+  }
+
+  private ensurePingLoop(): void {
+    if (this.pingTimer !== null) return;
+    this.pingTimer = setInterval(() => {
+      this.broadcastPing();
+    }, SIGNALR_PING_INTERVAL_MS);
+  }
+
+  private stopPingLoopIfIdle(): void {
+    if (this.connections.size > 0 || this.pingTimer === null) return;
+    clearInterval(this.pingTimer);
+    this.pingTimer = null;
+  }
+
+  private broadcastPing(): void {
+    if (this.connections.size === 0) {
+      this.stopPingLoopIfIdle();
+      return;
+    }
+
+    for (const [socket, connection] of this.connections) {
+      if (!connection.handshakeComplete) continue;
+      try {
+        if (connection.protocol === 'json') {
+          socket.send(buildSignalRJsonPing());
+        } else {
+          socket.send(buildSignalRMessagePackPing());
+        }
+      } catch {
+        this.connections.delete(socket);
+        try {
+          socket.close(1011, 'Ping send failed');
+        } catch {
+          // ignore close races
+        }
+      }
+    }
+
+    this.stopPingLoopIfIdle();
+  }
+
+  private getOnlineDeviceIdentifiers(): string[] {
+    const out = new Set<string>();
+    for (const connection of this.connections.values()) {
+      if (!connection.handshakeComplete || !connection.deviceIdentifier) continue;
+      out.add(connection.deviceIdentifier);
+    }
+    return Array.from(out);
+  }
+
+  private broadcastMessage(
+    updateType: number,
+    payload: Record<string, unknown>,
+    contextId: string | null,
+    targetDeviceIdentifier: string | null
+  ): void {
+    if (!this.userId || this.connections.size === 0) return;
+
+    for (const [socket, connection] of this.connections) {
+      if (!connection.handshakeComplete) continue;
+      if (targetDeviceIdentifier && connection.deviceIdentifier !== targetDeviceIdentifier) continue;
+      try {
+        if (connection.protocol === 'json') {
+          socket.send(buildSignalRJsonInvocation(updateType, payload, contextId));
+        } else {
+          socket.send(buildSignalRMessagePackInvocation(updateType, payload, contextId));
+        }
+      } catch {
+        this.connections.delete(socket);
+        try {
+          socket.close(1011, 'Notification send failed');
+        } catch {
+          // ignore close races
+        }
+      }
+    }
+
+    this.stopPingLoopIfIdle();
+  }
+
+  private broadcastDeviceStatus(): void {
+    this.broadcastMessage(
+      SIGNALR_UPDATE_TYPE_DEVICE_STATUS,
+      {
+        UserId: this.userId,
+        Date: new Date().toISOString(),
+      },
+      null,
+      null
+    );
+  }
+}
+
+export async function notifyUserVaultSync(
+  env: Env,
+  userId: string,
+  revisionDate: string,
+  contextId?: string | null
+): Promise<void> {
+  return notifyUserUpdate(env, userId, SIGNALR_UPDATE_TYPE_SYNC_VAULT, revisionDate, contextId ?? null, null);
+}
+
+export async function notifyUserLogout(
+  env: Env,
+  userId: string,
+  targetDeviceIdentifier?: string | null
+): Promise<void> {
+  return notifyUserUpdate(env, userId, SIGNALR_UPDATE_TYPE_LOG_OUT, new Date().toISOString(), null, targetDeviceIdentifier ?? null);
+}
+
+export async function getOnlineUserDevices(env: Env, userId: string): Promise<string[]> {
+  try {
+    const id = env.NOTIFICATIONS_HUB.idFromName(userId);
+    const stub = env.NOTIFICATIONS_HUB.get(id);
+    const response = await stub.fetch('https://notifications/internal/online');
+    if (!response.ok) return [];
+    const body = (await response.json().catch(() => null)) as { deviceIdentifiers?: string[] } | null;
+    return Array.isArray(body?.deviceIdentifiers) ? body.deviceIdentifiers.filter((value) => !!String(value || '').trim()) : [];
+  } catch {
+    return [];
+  }
+}
+
+async function notifyUserUpdate(
+  env: Env,
+  userId: string,
+  updateType: number,
+  revisionDate: string,
+  contextId: string | null,
+  targetDeviceIdentifier: string | null
+): Promise<void> {
+  try {
+    const id = env.NOTIFICATIONS_HUB.idFromName(userId);
+    const stub = env.NOTIFICATIONS_HUB.get(id);
+    await stub.fetch('https://notifications/internal/notify', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-NodeWarden-UserId': userId,
+      },
+      body: JSON.stringify({
+        revisionDate,
+        contextId: contextId || null,
+        updateType,
+        targetDeviceIdentifier: targetDeviceIdentifier || null,
+        payload: {
+          UserId: userId,
+          Date: revisionDate,
+        },
+      }),
+    });
+  } catch (error) {
+    console.error('Failed to broadcast realtime notification:', error);
+  }
+}
+
+export async function notifyUserBackupProgress(
+  env: Env,
+  userId: string,
+  progress: {
+    operation: 'backup-restore' | 'backup-export' | 'backup-remote-run';
+    source?: 'local' | 'remote';
+    step: string;
+    fileName: string;
+    stageTitle?: string;
+    stageDetail?: string;
+    replaceExisting?: boolean;
+    done?: boolean;
+    ok?: boolean;
+    error?: string | null;
+    timestamp?: string;
+  },
+  targetDeviceIdentifier?: string | null
+): Promise<void> {
+  const revisionDate = progress.timestamp || new Date().toISOString();
+  try {
+    const id = env.NOTIFICATIONS_HUB.idFromName(userId);
+    const stub = env.NOTIFICATIONS_HUB.get(id);
+    await stub.fetch('https://notifications/internal/notify', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'X-NodeWarden-UserId': userId,
+      },
+      body: JSON.stringify({
+        revisionDate,
+        contextId: null,
+        updateType: SIGNALR_UPDATE_TYPE_BACKUP_RESTORE_PROGRESS,
+        targetDeviceIdentifier: targetDeviceIdentifier || null,
+        payload: {
+          UserId: userId,
+          Date: revisionDate,
+          ...progress,
+        },
+      }),
+    });
+  } catch (error) {
+    console.error('Failed to broadcast backup progress:', error);
+  }
+}
+
+export async function notifyUserBackupRestoreProgress(
+  env: Env,
+  userId: string,
+  progress: {
+    operation: 'backup-restore';
+    source: 'local' | 'remote';
+    step: string;
+    fileName: string;
+    stageTitle?: string;
+    stageDetail?: string;
+    replaceExisting?: boolean;
+    done?: boolean;
+    ok?: boolean;
+    error?: string | null;
+    timestamp?: string;
+  },
+  targetDeviceIdentifier?: string | null
+): Promise<void> {
+  return notifyUserBackupProgress(env, userId, progress, targetDeviceIdentifier);
+}
@@ -1,10 +1,13 @@
 import { Env, User, ProfileResponse, DEFAULT_DEV_SECRET } from '../types';
 import { StorageService } from '../services/storage';
 import { AuthService } from '../services/auth';
+import { RateLimitService, getClientIdentifier } from '../services/ratelimit';
 import { jsonResponse, errorResponse } from '../utils/response';
 import { generateUUID } from '../utils/uuid';
 import { LIMITS } from '../config/limits';
-import { isTotpEnabled } from '../utils/totp';
+import { isTotpEnabled, verifyTotpToken } from '../utils/totp';
+import { createRecoveryCode, recoveryCodeEquals } from '../utils/recovery-code';
+import { buildAccountKeys } from '../utils/user-decryption';

 function looksLikeEncString(value: string): boolean {
  if (!value) return false;
@@ -16,6 +19,54 @@ function looksLikeEncString(value: string): boolean {
  return parts.length >= 2;
 }

+/**
+ * Validate KDF parameters according to Bitwarden minimum requirements.
+ * Returns an error message if invalid, or null if OK.
+ */
+function validateKdfParams(kdfType: number | undefined, kdfIterations: number | undefined, kdfMemory?: number | undefined, kdfParallelism?: number | undefined): string | null {
+  const type = kdfType ?? 0;
+  if (type === 0) {
+    // PBKDF2-SHA256: minimum 100 000 iterations
+    if (typeof kdfIterations === 'number' && kdfIterations < 100_000) {
+      return 'PBKDF2 iterations must be at least 100000';
+    }
+  } else if (type === 1) {
+    // Argon2id: iterations >= 2, memory >= 16 MiB, parallelism >= 1
+    if (typeof kdfIterations === 'number' && kdfIterations < 2) {
+      return 'Argon2id iterations must be at least 2';
+    }
+    if (typeof kdfMemory === 'number' && kdfMemory < 16) {
+      return 'Argon2id memory must be at least 16 MiB';
+    }
+    if (typeof kdfParallelism === 'number' && kdfParallelism < 1) {
+      return 'Argon2id parallelism must be at least 1';
+    }
+  }
+  return null;
+}
+
+function normalizeTotpSecret(input: string): string {
+  const raw = String(input || '').toUpperCase();
+  let out = '';
+  for (const char of raw) {
+    if (char === ' ' || char === '\t' || char === '\n' || char === '\r' || char === '-') continue;
+    out += char;
+  }
+  while (out.endsWith('=')) {
+    out = out.slice(0, -1);
+  }
+  return out;
+}
+
+function normalizeRecoveryCodeInput(input: string): string {
+  return String(input || '').toUpperCase().replace(/[^A-Z2-7]/g, '');
+}
+
+function normalizeMasterPasswordHint(input: string | null | undefined): string | null {
+  const normalized = String(input || '').trim();
+  return normalized ? normalized : null;
+}
+
 function jwtSecretUnsafeReason(env: Env): 'missing' | 'default' | 'too_short' | null {
  const secret = (env.JWT_SECRET || '').trim();
  if (!secret) return 'missing';
@@ -24,11 +75,52 @@ function jwtSecretUnsafeReason(env: Env): 'missing' | 'default' | 'too_short' |
  return null;
 }

-// POST /api/accounts/register (only used from setup page, not client)
+async function verifyUserSecret(
+  auth: AuthService,
+  user: User,
+  secret: string | null | undefined
+): Promise<boolean> {
+  const normalized = String(secret || '').trim();
+  if (!normalized) return false;
+  return auth.verifyPassword(normalized, user.masterPasswordHash, user.email);
+}
+
+function toProfile(user: User, env: Env): ProfileResponse {
+  void env;
+  return {
+    id: user.id,
+    name: user.name,
+    email: user.email,
+    emailVerified: true,
+    premium: true,
+    premiumFromOrganization: false,
+    usesKeyConnector: false,
+    masterPasswordHint: user.masterPasswordHint,
+    culture: 'en-US',
+    twoFactorEnabled: !!user.totpSecret,
+    key: user.key,
+    privateKey: user.privateKey,
+    accountKeys: buildAccountKeys(user),
+    securityStamp: user.securityStamp || user.id,
+    organizations: [],
+    providers: [],
+    providerOrganizations: [],
+    forcePasswordReset: false,
+    avatarColor: null,
+    creationDate: user.createdAt,
+    verifyDevices: user.verifyDevices,
+    role: user.role,
+    status: user.status,
+    object: 'profile',
+  };
+}
+
+// POST /api/accounts/register
+// - First user becomes admin.
+// - Any subsequent user must provide a valid inviteCode.
 export async function handleRegister(request: Request, env: Env): Promise<Response> {
  const storage = new StorageService(env.DB);

-  // Enforce safe JWT_SECRET before allowing first registration.
  const unsafe = jwtSecretUnsafeReason(env);
  if (unsafe) {
    const message = unsafe === 'missing'
@@ -43,12 +135,13 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
    email?: string;
    name?: string;
    masterPasswordHash?: string;
-    masterPasswordHint?: string;
    key?: string;
    kdf?: number;
    kdfIterations?: number;
    kdfMemory?: number;
    kdfParallelism?: number;
+    inviteCode?: string;
+    masterPasswordHint?: string;
    keys?: {
      publicKey?: string;
      encryptedPrivateKey?: string;
@@ -61,17 +154,21 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
    return errorResponse('Invalid JSON', 400);
  }

-  const email = body.email?.toLowerCase();
-  const name = body.name || email;
+  const email = body.email?.toLowerCase().trim();
+  const name = body.name?.trim() || email;
  const masterPasswordHash = body.masterPasswordHash;
  const key = body.key;
  const privateKey = body.keys?.encryptedPrivateKey;
  const publicKey = body.keys?.publicKey;
+  const inviteCode = (body.inviteCode || '').trim();
+  const masterPasswordHint = normalizeMasterPasswordHint(body.masterPasswordHint);

  if (!email || !masterPasswordHash || !key) {
    return errorResponse('Email, masterPasswordHash, and key are required', 400);
  }
-
+  if (!email.includes('@') || email.length < 3) {
+    return errorResponse('Invalid email address', 400);
+  }
  if (!privateKey || !publicKey) {
    return errorResponse('Private key and public key are required', 400);
  }
@@ -81,100 +178,241 @@ export async function handleRegister(request: Request, env: Env): Promise<Respon
  if (!looksLikeEncString(privateKey)) {
    return errorResponse('encryptedPrivateKey is not a valid encrypted string', 400);
  }
+  if (masterPasswordHint && masterPasswordHint.length > 120) {
+    return errorResponse('masterPasswordHint must be 120 characters or fewer', 400);
+  }
+
+  const kdfErr = validateKdfParams(body.kdf, body.kdfIterations, body.kdfMemory, body.kdfParallelism);
+  if (kdfErr) return errorResponse(kdfErr, 400);
+
+  const now = new Date().toISOString();
+  const auth = new AuthService(env);
+  const serverHash = await auth.hashPasswordServer(masterPasswordHash, email);

-  // Create user
  const user: User = {
    id: generateUUID(),
-    email: email,
+    email,
    name: name || email,
-    masterPasswordHash: masterPasswordHash,
-    key: key,
-    privateKey: privateKey,
-    publicKey: publicKey,
+    masterPasswordHint,
+    masterPasswordHash: serverHash,
+    key,
+    privateKey,
+    publicKey,
    kdfType: body.kdf ?? 0,
    kdfIterations: body.kdfIterations ?? LIMITS.auth.defaultKdfIterations,
    kdfMemory: body.kdfMemory,
    kdfParallelism: body.kdfParallelism,
    securityStamp: generateUUID(),
-    createdAt: new Date().toISOString(),
-    updatedAt: new Date().toISOString(),
+    role: 'user',
+    status: 'active',
+    verifyDevices: true,
+    totpSecret: null,
+    totpRecoveryCode: null,
+    createdAt: now,
+    updatedAt: now,
  };

-  const created = await storage.createFirstUser(user);
-  if (!created) {
-    return errorResponse('Registration is closed', 403);
+  const userCount = await storage.getUserCount();
+  if (userCount === 0) {
+    user.role = 'admin';
+    const created = await storage.createFirstUser(user);
+    if (!created) {
+      return errorResponse('Registration is temporarily unavailable, retry once', 409);
+    }
+    await storage.setRegistered();
+    await storage.createAuditLog({
+      id: generateUUID(),
+      actorUserId: user.id,
+      action: 'user.register.first_admin',
+      targetType: 'user',
+      targetId: user.id,
+      metadata: JSON.stringify({ email: user.email }),
+      createdAt: now,
+    });
+    return jsonResponse({ success: true, role: user.role }, 200);
  }

-  await storage.setRegistered();
+  if (!inviteCode) {
+    return errorResponse('Invite code is required', 403);
+  }

-  return jsonResponse({ success: true }, 200);
+  try {
+    await storage.createUser(user);
+  } catch (error) {
+    const msg = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+    if (msg.includes('unique') || msg.includes('constraint')) {
+      return errorResponse('Email already registered', 409);
+    }
+    throw error;
+  }
+
+  const inviteMarked = await storage.markInviteUsed(inviteCode, user.id);
+  if (!inviteMarked) {
+    await storage.deleteUserById(user.id);
+    return errorResponse('Invite code is invalid or expired', 403);
+  }
+
+  await storage.createAuditLog({
+    id: generateUUID(),
+    actorUserId: user.id,
+    action: 'user.register.invite',
+    targetType: 'user',
+    targetId: user.id,
+    metadata: JSON.stringify({ email: user.email, inviteCode }),
+    createdAt: now,
+  });
+
+  return jsonResponse({ success: true, role: user.role }, 200);
 }

-// GET /api/accounts/profile
-export async function handleGetProfile(request: Request, env: Env, userId: string): Promise<Response> {
+// POST /api/accounts/password-hint
+export async function handleGetPasswordHint(request: Request, env: Env): Promise<Response> {
  const storage = new StorageService(env.DB);
-  const user = await storage.getUserById(userId);
-
-  if (!user) {
-    return errorResponse('User not found', 404);
+  const clientIdentifier = getClientIdentifier(request);
+  if (!clientIdentifier) {
+    return errorResponse('Client IP is required', 403);
  }

-  const profile: ProfileResponse = {
-    id: user.id,
-    name: user.name,
-    email: user.email,
-    emailVerified: true,
-    premium: true,
-    premiumFromOrganization: false,
-    usesKeyConnector: false,
-    masterPasswordHint: null,
-    culture: 'en-US',
-    twoFactorEnabled: isTotpEnabled(env.TOTP_SECRET),
-    key: user.key,
-    privateKey: user.privateKey,
-    accountKeys: null,
-    securityStamp: user.securityStamp || user.id,
-    organizations: [],
-    providers: [],
-    providerOrganizations: [],
-    forcePasswordReset: false,
-    avatarColor: null,
-    creationDate: user.createdAt,
-    object: 'profile',
-  };
-
-  return jsonResponse(profile);
-}
-
-// PUT /api/accounts/profile
-export async function handleUpdateProfile(request: Request, env: Env, userId: string): Promise<Response> {
-  const storage = new StorageService(env.DB);
-  const user = await storage.getUserById(userId);
-
-  if (!user) {
-    return errorResponse('User not found', 404);
-  }
-
-  let body: { name?: string; masterPasswordHint?: string };
+  let body: { email?: string };
  try {
    body = await request.json();
  } catch {
    return errorResponse('Invalid JSON', 400);
  }

-  if (body.name) {
-    user.name = body.name;
+  const email = String(body.email || '').trim().toLowerCase();
+  if (!email) {
+    return errorResponse('Email is required', 400);
  }
-  user.updatedAt = new Date().toISOString();

+  const rateLimit = new RateLimitService(env.DB);
+  const minuteBudget = await rateLimit.consumeBudgetWithWindow(
+    `${clientIdentifier}:password-hint`,
+    LIMITS.rateLimit.passwordHintRequestsPerMinute,
+    60
+  );
+  if (!minuteBudget.allowed) {
+    return new Response(
+      JSON.stringify({
+        error: 'Too many requests',
+        error_description: `Rate limit exceeded. Try again in ${minuteBudget.retryAfterSeconds || 60} seconds.`,
+      }),
+      {
+        status: 429,
+        headers: {
+          'Content-Type': 'application/json',
+          'Retry-After': String(minuteBudget.retryAfterSeconds || 60),
+          'X-RateLimit-Remaining': '0',
+        },
+      }
+    );
+  }
+
+  const hourlyBudget = await rateLimit.consumeBudgetWithWindow(
+    `${clientIdentifier}:password-hint-hour`,
+    LIMITS.rateLimit.passwordHintRequestsPerHour,
+    60 * 60
+  );
+  if (!hourlyBudget.allowed) {
+    return new Response(
+      JSON.stringify({
+        error: 'Too many requests',
+        error_description: `Rate limit exceeded. Try again in ${hourlyBudget.retryAfterSeconds || 3600} seconds.`,
+      }),
+      {
+        status: 429,
+        headers: {
+          'Content-Type': 'application/json',
+          'Retry-After': String(hourlyBudget.retryAfterSeconds || 3600),
+          'X-RateLimit-Remaining': '0',
+        },
+      }
+    );
+  }
+
+  const user = await storage.getUser(email);
+  const hint = user?.status === 'active' ? normalizeMasterPasswordHint(user.masterPasswordHint) : null;
+  return jsonResponse({
+    object: 'passwordHint',
+    hasHint: !!hint,
+    masterPasswordHint: hint,
+  });
+}
+
+// GET /api/accounts/profile
+export async function handleGetProfile(request: Request, env: Env, userId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+  return jsonResponse(toProfile(user, env));
+}
+
+// PUT /api/accounts/profile
+export async function handleUpdateProfile(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: {
+    masterPasswordHint?: string | null;
+  };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const masterPasswordHint = normalizeMasterPasswordHint(body.masterPasswordHint);
+  if (masterPasswordHint && masterPasswordHint.length > 120) {
+    return errorResponse('masterPasswordHint must be 120 characters or fewer', 400);
+  }
+
+  user.masterPasswordHint = masterPasswordHint;
+  user.updatedAt = new Date().toISOString();
  await storage.saveUser(user);

-  return handleGetProfile(request, env, userId);
+  return jsonResponse(toProfile(user, env));
+}
+
+// PUT/POST /api/accounts/verify-devices
+export async function handleSetVerifyDevices(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: {
+    secret?: string;
+    masterPasswordHash?: string;
+    verifyDevices?: boolean;
+  };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  if (typeof body.verifyDevices !== 'boolean') {
+    return errorResponse('verifyDevices must be true or false', 400);
+  }
+
+  const verified = await verifyUserSecret(auth, user, body.secret || body.masterPasswordHash);
+  if (!verified) {
+    return errorResponse('User verification failed.', 400);
+  }
+
+  user.verifyDevices = body.verifyDevices;
+  user.updatedAt = new Date().toISOString();
+  await storage.saveUser(user);
+
+  return new Response(null, { status: 200 });
 }

 // POST /api/accounts/keys
 export async function handleSetKeys(request: Request, env: Env, userId: string): Promise<Response> {
  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
  const user = await storage.getUserById(userId);

  if (!user) {
@@ -182,6 +420,7 @@ export async function handleSetKeys(request: Request, env: Env, userId: string):
  }

  let body: {
+    masterPasswordHash?: string;
    key?: string;
    encryptedPrivateKey?: string;
    publicKey?: string;
@@ -193,15 +432,25 @@ export async function handleSetKeys(request: Request, env: Env, userId: string):
    return errorResponse('Invalid JSON', 400);
  }

-  if (body.key) user.key = body.key;
-  if (body.encryptedPrivateKey) user.privateKey = body.encryptedPrivateKey;
-  if (body.publicKey) user.publicKey = body.publicKey;
+  // Require password verification before allowing key replacement.
+  if (!body.masterPasswordHash) {
+    return errorResponse('masterPasswordHash is required', 400);
+  }
+  const passwordValid = await auth.verifyPassword(body.masterPasswordHash, user.masterPasswordHash, user.email);
+  if (!passwordValid) {
+    return errorResponse('Invalid password', 400);
+  }
+
  if (body.key && !looksLikeEncString(body.key)) {
    return errorResponse('key is not a valid encrypted string', 400);
  }
  if (body.encryptedPrivateKey && !looksLikeEncString(body.encryptedPrivateKey)) {
    return errorResponse('encryptedPrivateKey is not a valid encrypted string', 400);
  }
+
+  if (body.key) user.key = body.key;
+  if (body.encryptedPrivateKey) user.privateKey = body.encryptedPrivateKey;
+  if (body.publicKey) user.publicKey = body.publicKey;
  user.updatedAt = new Date().toISOString();

  await storage.saveUser(user);
@@ -209,11 +458,265 @@ export async function handleSetKeys(request: Request, env: Env, userId: string):
  return handleGetProfile(request, env, userId);
 }

+// POST/PUT /api/accounts/password
+export async function handleChangePassword(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: {
+    masterPasswordHash?: string;
+    currentPasswordHash?: string;
+    newMasterPasswordHash?: string;
+    key?: string;
+    newKey?: string;
+    encryptedPrivateKey?: string;
+    newEncryptedPrivateKey?: string;
+    publicKey?: string;
+    newPublicKey?: string;
+    kdf?: number;
+    kdfIterations?: number;
+    kdfMemory?: number;
+    kdfParallelism?: number;
+  };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const currentHash = body.currentPasswordHash || body.masterPasswordHash;
+  if (!currentHash) return errorResponse('Current password hash is required', 400);
+  const valid = await auth.verifyPassword(currentHash, user.masterPasswordHash, user.email);
+  if (!valid) return errorResponse('Invalid password', 400);
+
+  if (!body.newMasterPasswordHash) {
+    return errorResponse('newMasterPasswordHash is required', 400);
+  }
+  const nextKey = body.newKey || body.key;
+  const nextPrivateKey = body.newEncryptedPrivateKey || body.encryptedPrivateKey;
+  const nextPublicKey = body.newPublicKey || body.publicKey;
+  if (nextKey && !looksLikeEncString(nextKey)) {
+    return errorResponse('new key is not a valid encrypted string', 400);
+  }
+  if (nextPrivateKey && !looksLikeEncString(nextPrivateKey)) {
+    return errorResponse('new encryptedPrivateKey is not a valid encrypted string', 400);
+  }
+
+  const kdfErr = validateKdfParams(body.kdf ?? user.kdfType, body.kdfIterations, body.kdfMemory, body.kdfParallelism);
+  if (kdfErr) return errorResponse(kdfErr, 400);
+
+  user.masterPasswordHash = await auth.hashPasswordServer(body.newMasterPasswordHash, user.email);
+  if (nextKey) user.key = nextKey;
+  if (nextPrivateKey) user.privateKey = nextPrivateKey;
+  if (nextPublicKey) user.publicKey = nextPublicKey;
+  if (typeof body.kdf === 'number') user.kdfType = body.kdf;
+  if (typeof body.kdfIterations === 'number') user.kdfIterations = body.kdfIterations;
+  if (typeof body.kdfMemory === 'number') user.kdfMemory = body.kdfMemory;
+  if (typeof body.kdfParallelism === 'number') user.kdfParallelism = body.kdfParallelism;
+  user.securityStamp = generateUUID();
+  user.updatedAt = new Date().toISOString();
+  await storage.saveUser(user);
+  await storage.deleteRefreshTokensByUserId(user.id);
+  await storage.createAuditLog({
+    id: generateUUID(),
+    actorUserId: user.id,
+    action: 'user.password.change',
+    targetType: 'user',
+    targetId: user.id,
+    metadata: JSON.stringify({ email: user.email }),
+    createdAt: user.updatedAt,
+  });
+
+  return new Response(null, { status: 200 });
+}
+
+// GET /api/accounts/totp
+export async function handleGetTotpStatus(request: Request, env: Env, userId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  return jsonResponse({
+    enabled: !!user.totpSecret,
+    object: 'twoFactor',
+  });
+}
+
+// PUT /api/accounts/totp
+// enable: { enabled: true, secret: "...", token: "123456" }
+// disable: { enabled: false, masterPasswordHash: "..." }
+export async function handleSetTotpStatus(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: { enabled?: boolean; secret?: string; token?: string; masterPasswordHash?: string };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  if (body.enabled === true) {
+    const normalizedSecret = normalizeTotpSecret(body.secret || '');
+    if (!isTotpEnabled(normalizedSecret)) {
+      return errorResponse('Invalid TOTP secret', 400);
+    }
+    if (!body.token) {
+      return errorResponse('TOTP token is required', 400);
+    }
+    const verified = await verifyTotpToken(normalizedSecret, body.token);
+    if (!verified) {
+      return errorResponse('Invalid TOTP token', 400);
+    }
+    user.totpSecret = normalizedSecret;
+    if (!user.totpRecoveryCode) {
+      user.totpRecoveryCode = createRecoveryCode();
+    }
+    user.updatedAt = new Date().toISOString();
+    await storage.saveUser(user);
+    await storage.deleteRefreshTokensByUserId(user.id);
+    return jsonResponse({ enabled: true, recoveryCode: user.totpRecoveryCode, object: 'twoFactor' });
+  }
+
+  if (body.enabled === false) {
+    if (!body.masterPasswordHash) {
+      return errorResponse('masterPasswordHash is required to disable TOTP', 400);
+    }
+    const valid = await auth.verifyPassword(body.masterPasswordHash, user.masterPasswordHash, user.email);
+    if (!valid) return errorResponse('Invalid password', 400);
+
+    user.totpSecret = null;
+    user.updatedAt = new Date().toISOString();
+    await storage.saveUser(user);
+    await storage.deleteRefreshTokensByUserId(user.id);
+    return jsonResponse({ enabled: false, object: 'twoFactor' });
+  }
+
+  return errorResponse('enabled must be true or false', 400);
+}
+
+// POST /api/accounts/totp/recovery-code
+export async function handleGetTotpRecoveryCode(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  let body: Record<string, string | undefined>;
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    if (contentType.includes('application/x-www-form-urlencoded')) {
+      const formData = await request.formData();
+      body = Object.fromEntries(formData.entries()) as Record<string, string>;
+    } else {
+      body = await request.json();
+    }
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const currentHash = String(body.masterPasswordHash || body.master_password_hash || body.password || '').trim();
+  if (!currentHash) return errorResponse('masterPasswordHash is required', 400);
+  const valid = await auth.verifyPassword(currentHash, user.masterPasswordHash, user.email);
+  if (!valid) return errorResponse('Invalid password', 400);
+
+  if (!user.totpRecoveryCode) {
+    user.totpRecoveryCode = createRecoveryCode();
+    user.updatedAt = new Date().toISOString();
+    await storage.saveUser(user);
+  }
+
+  return jsonResponse({
+    code: user.totpRecoveryCode,
+    object: 'twoFactorRecover',
+  });
+}
+
+// POST /identity/accounts/recover-2fa
+// Disable TOTP by recovery code + password, then rotate recovery code.
+export async function handleRecoverTwoFactor(request: Request, env: Env): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const auth = new AuthService(env);
+  const rateLimit = new RateLimitService(env.DB);
+
+  let body: Record<string, string | undefined>;
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    if (contentType.includes('application/x-www-form-urlencoded')) {
+      const formData = await request.formData();
+      body = Object.fromEntries(formData.entries()) as Record<string, string>;
+    } else {
+      body = await request.json();
+    }
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const email = String(body.email || body.username || '').trim().toLowerCase();
+  const masterPasswordHash = String(body.masterPasswordHash || body.password || '').trim();
+  const recoveryCode = normalizeRecoveryCodeInput(String(body.recoveryCode || body.twoFactorToken || body.recovery_code || ''));
+  const clientIdentifier = getClientIdentifier(request);
+  if (!clientIdentifier) {
+    return errorResponse('Client IP is required', 403);
+  }
+  const recoverLimitKey = `${clientIdentifier}:recover-2fa:${email || 'unknown'}`;
+
+  const recoverAttemptCheck = await rateLimit.checkLoginAttempt(recoverLimitKey);
+  if (!recoverAttemptCheck.allowed) {
+    return errorResponse(
+      `Too many failed recovery attempts. Try again in ${Math.ceil((recoverAttemptCheck.retryAfterSeconds || 60) / 60)} minutes.`,
+      429
+    );
+  }
+
+  if (!email || !masterPasswordHash || !recoveryCode) {
+    return errorResponse('Email, masterPasswordHash and recoveryCode are required', 400);
+  }
+
+  const user = await storage.getUser(email);
+  if (!user || user.status !== 'active') {
+    await rateLimit.recordFailedLogin(recoverLimitKey);
+    return errorResponse('Invalid credentials or recovery code', 400);
+  }
+
+  const validPassword = await auth.verifyPassword(masterPasswordHash, user.masterPasswordHash, user.email);
+  if (!validPassword) {
+    await rateLimit.recordFailedLogin(recoverLimitKey);
+    return errorResponse('Invalid credentials or recovery code', 400);
+  }
+
+  if (!recoveryCodeEquals(recoveryCode, user.totpRecoveryCode)) {
+    await rateLimit.recordFailedLogin(recoverLimitKey);
+    return errorResponse('Invalid credentials or recovery code', 400);
+  }
+
+  user.totpSecret = null;
+  user.totpRecoveryCode = createRecoveryCode();
+  user.securityStamp = generateUUID();
+  user.updatedAt = new Date().toISOString();
+  await storage.saveUser(user);
+  await storage.deleteRefreshTokensByUserId(user.id);
+  await rateLimit.clearLoginAttempts(recoverLimitKey);
+
+  return jsonResponse({
+    success: true,
+    twoFactorEnabled: false,
+    newRecoveryCode: user.totpRecoveryCode,
+    object: 'twoFactorRecovery',
+  });
+}
+
 // GET /api/accounts/revision-date
 export async function handleGetRevisionDate(request: Request, env: Env, userId: string): Promise<Response> {
+  void request;
  const storage = new StorageService(env.DB);
  const revisionDate = await storage.getRevisionDate(userId);
-  
+
  // Return as milliseconds timestamp (Bitwarden format)
  const timestamp = new Date(revisionDate).getTime();
  return jsonResponse(timestamp);
@@ -240,7 +743,7 @@ export async function handleVerifyPassword(request: Request, env: Env, userId: s
    return errorResponse('masterPasswordHash is required', 400);
  }

-  const valid = await auth.verifyPassword(body.masterPasswordHash, user.masterPasswordHash);
+  const valid = await auth.verifyPassword(body.masterPasswordHash, user.masterPasswordHash, user.email);
  if (!valid) {
    return errorResponse('Invalid password', 400);
  }
@@ -0,0 +1,288 @@
+import { Env, User, Invite } from '../types';
+import { StorageService } from '../services/storage';
+import { jsonResponse, errorResponse } from '../utils/response';
+import { generateUUID } from '../utils/uuid';
+import { deleteBlobObject, getAttachmentObjectKey, getSendFileObjectKey } from '../services/blob-store';
+
+function isAdmin(user: User): boolean {
+  return user.role === 'admin' && user.status === 'active';
+}
+
+function randomHex(bytes: number): string {
+  const data = crypto.getRandomValues(new Uint8Array(bytes));
+  return Array.from(data).map(v => v.toString(16).padStart(2, '0')).join('');
+}
+
+function buildInviteLink(request: Request, code: string): string {
+  const url = new URL(request.url);
+  return `${url.origin}/?invite=${encodeURIComponent(code)}`;
+}
+
+async function writeAuditLog(
+  storage: StorageService,
+  actorUserId: string | null,
+  action: string,
+  targetType: string | null,
+  targetId: string | null,
+  metadata: Record<string, unknown> | null
+): Promise<void> {
+  await storage.createAuditLog({
+    id: generateUUID(),
+    actorUserId,
+    action,
+    targetType,
+    targetId,
+    metadata: metadata ? JSON.stringify(metadata) : null,
+    createdAt: new Date().toISOString(),
+  });
+}
+
+function toInviteResponse(request: Request, invite: Invite): Record<string, unknown> {
+  return {
+    code: invite.code,
+    status: invite.status,
+    createdBy: invite.createdBy,
+    usedBy: invite.usedBy,
+    createdAt: invite.createdAt,
+    updatedAt: invite.updatedAt,
+    expiresAt: invite.expiresAt,
+    inviteLink: buildInviteLink(request, invite.code),
+    object: 'invite',
+  };
+}
+
+// GET /api/admin/users
+export async function handleAdminListUsers(
+  request: Request,
+  env: Env,
+  actorUser: User
+): Promise<Response> {
+  void request;
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+
+  const storage = new StorageService(env.DB);
+  const users = await storage.getAllUsers();
+  return jsonResponse({
+    data: users.map(user => ({
+      id: user.id,
+      email: user.email,
+      name: user.name,
+      role: user.role,
+      status: user.status,
+      twoFactorEnabled: !!user.totpSecret,
+      creationDate: user.createdAt,
+      revisionDate: user.updatedAt,
+      object: 'user',
+    })),
+    object: 'list',
+    continuationToken: null,
+  });
+}
+
+// POST /api/admin/invites
+export async function handleAdminCreateInvite(
+  request: Request,
+  env: Env,
+  actorUser: User
+): Promise<Response> {
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+
+  const storage = new StorageService(env.DB);
+  let body: { expiresInHours?: number } = {};
+  try {
+    body = await request.json();
+  } catch {
+    body = {};
+  }
+
+  const expiresInHours = Number.isFinite(body.expiresInHours)
+    ? Math.max(1, Math.min(24 * 30, Math.floor(Number(body.expiresInHours))))
+    : 24 * 7;
+  const now = new Date();
+  const expiresAt = new Date(now.getTime() + expiresInHours * 60 * 60 * 1000);
+  const invite: Invite = {
+    code: randomHex(20),
+    createdBy: actorUser.id,
+    usedBy: null,
+    expiresAt: expiresAt.toISOString(),
+    status: 'active',
+    createdAt: now.toISOString(),
+    updatedAt: now.toISOString(),
+  };
+
+  await storage.createInvite(invite);
+  await writeAuditLog(storage, actorUser.id, 'admin.invite.create', 'invite', invite.code, {
+    expiresInHours,
+  });
+
+  return jsonResponse(toInviteResponse(request, invite), 201);
+}
+
+// GET /api/admin/invites
+export async function handleAdminListInvites(
+  request: Request,
+  env: Env,
+  actorUser: User
+): Promise<Response> {
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+
+  const storage = new StorageService(env.DB);
+  const url = new URL(request.url);
+  const includeInactive = url.searchParams.get('includeInactive') === 'true';
+  const invites = await storage.listInvites(includeInactive);
+  return jsonResponse({
+    data: invites.map(invite => toInviteResponse(request, invite)),
+    object: 'list',
+    continuationToken: null,
+  });
+}
+
+// DELETE /api/admin/invites/:code
+export async function handleAdminRevokeInvite(
+  request: Request,
+  env: Env,
+  actorUser: User,
+  code: string
+): Promise<Response> {
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+
+  const storage = new StorageService(env.DB);
+  const revoked = await storage.revokeInvite(code);
+  if (!revoked) {
+    return errorResponse('Invite not found or already inactive', 404);
+  }
+
+  await writeAuditLog(storage, actorUser.id, 'admin.invite.revoke', 'invite', code, null);
+  return new Response(null, { status: 204 });
+}
+
+// DELETE /api/admin/invites
+export async function handleAdminDeleteAllInvites(
+  request: Request,
+  env: Env,
+  actorUser: User
+): Promise<Response> {
+  void request;
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+
+  const storage = new StorageService(env.DB);
+  const deleted = await storage.deleteAllInvites();
+  await writeAuditLog(storage, actorUser.id, 'admin.invite.delete_all', 'invite', null, {
+    deleted,
+  });
+
+  return jsonResponse({ deleted }, 200);
+}
+
+// PUT /api/admin/users/:id/status
+export async function handleAdminSetUserStatus(
+  request: Request,
+  env: Env,
+  actorUser: User,
+  targetUserId: string
+): Promise<Response> {
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+
+  let body: { status?: string };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const nextStatus = body.status === 'banned' ? 'banned' : body.status === 'active' ? 'active' : null;
+  if (!nextStatus) {
+    return errorResponse('status must be active or banned', 400);
+  }
+  if (targetUserId === actorUser.id && nextStatus !== 'active') {
+    return errorResponse('You cannot ban yourself', 400);
+  }
+
+  const storage = new StorageService(env.DB);
+  const target = await storage.getUserById(targetUserId);
+  if (!target) {
+    return errorResponse('User not found', 404);
+  }
+
+  target.status = nextStatus;
+  target.updatedAt = new Date().toISOString();
+  await storage.saveUser(target);
+  if (nextStatus === 'banned') {
+    await storage.deleteRefreshTokensByUserId(target.id);
+  }
+  await writeAuditLog(storage, actorUser.id, 'admin.user.status', 'user', target.id, {
+    status: nextStatus,
+  });
+
+  return jsonResponse({
+    id: target.id,
+    email: target.email,
+    role: target.role,
+    status: target.status,
+    object: 'user',
+  });
+}
+
+// DELETE /api/admin/users/:id
+export async function handleAdminDeleteUser(
+  request: Request,
+  env: Env,
+  actorUser: User,
+  targetUserId: string
+): Promise<Response> {
+  void request;
+  if (!isAdmin(actorUser)) {
+    return errorResponse('Forbidden', 403);
+  }
+  if (targetUserId === actorUser.id) {
+    return errorResponse('You cannot delete yourself', 400);
+  }
+
+  const storage = new StorageService(env.DB);
+  const target = await storage.getUserById(targetUserId);
+  if (!target) {
+    return errorResponse('User not found', 404);
+  }
+
+  // Clean up R2 files before DB cascade deletes the metadata rows.
+  // 1. Attachment files (keyed by cipherId/attachmentId)
+  const attachmentMap = await storage.getAttachmentsByUserId(target.id);
+  for (const [cipherId, attachments] of attachmentMap) {
+    for (const att of attachments) {
+      await deleteBlobObject(env, getAttachmentObjectKey(cipherId, att.id));
+    }
+  }
+  // 2. Send files (keyed by sends/sendId/fileId)
+  const sends = await storage.getAllSends(target.id);
+  for (const send of sends) {
+    if (send.type === 1) { // SendType.File
+      try {
+        const parsed = JSON.parse(send.data) as Record<string, unknown>;
+        const fileId = typeof parsed.id === 'string' ? parsed.id : null;
+        if (fileId) {
+          await deleteBlobObject(env, getSendFileObjectKey(send.id, fileId));
+        }
+      } catch { /* non-file send or bad data, skip */ }
+    }
+  }
+
+  await storage.deleteRefreshTokensByUserId(target.id);
+  await storage.deleteUserById(target.id);
+  await writeAuditLog(storage, actorUser.id, 'admin.user.delete', 'user', target.id, {
+    email: target.email,
+  });
+
+  return new Response(null, { status: 204 });
+}
@@ -1,10 +1,34 @@
 import { Env, Attachment, DEFAULT_DEV_SECRET } from '../types';
+import { notifyUserVaultSync } from '../durable/notifications-hub';
 import { StorageService } from '../services/storage';
 import { jsonResponse, errorResponse } from '../utils/response';
+import { buildDirectUploadUrl, getSafeJwtSecret, parseDirectUploadPayload } from '../utils/direct-upload';
 import { generateUUID } from '../utils/uuid';
-import { createFileDownloadToken, verifyFileDownloadToken } from '../utils/jwt';
-import { cipherToResponse } from './ciphers';
+import {
+  createAttachmentUploadToken,
+  createFileDownloadToken,
+  verifyAttachmentUploadToken,
+  verifyFileDownloadToken,
+} from '../utils/jwt';
+import { cipherToResponse, shouldOmitPasskeysForResponse } from './ciphers';
 import { LIMITS } from '../config/limits';
+import { readActingDeviceIdentifier } from '../utils/device';
+import {
+  deleteBlobObject,
+  getAttachmentObjectKey,
+  getBlobObject,
+  getBlobStorageMaxBytes,
+  putBlobObject,
+} from '../services/blob-store';
+
+async function notifyVaultSyncForRequest(
+  request: Request,
+  env: Env,
+  userId: string,
+  revisionDate: string
+): Promise<void> {
+  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+}

 // Format file size to human readable
 function formatSize(bytes: number): string {
@@ -14,9 +38,53 @@ function formatSize(bytes: number): string {
  return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
 }

-// Get R2 object path for attachment
-function getAttachmentPath(cipherId: string, attachmentId: string): string {
-  return `${cipherId}/${attachmentId}`;
+async function processAttachmentUpload(
+  request: Request,
+  env: Env,
+  attachment: Attachment,
+  cipherId: string
+): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const maxFileSize = getBlobStorageMaxBytes(env, LIMITS.attachment.maxFileSizeBytes);
+  const upload = await parseDirectUploadPayload(request, {
+    expectedSize: Number(attachment.size) || 0,
+    maxFileSize,
+    tooLargeMessage: `File too large. Maximum size is ${Math.floor(maxFileSize / (1024 * 1024))}MB`,
+  });
+  if (upload instanceof Response) {
+    return upload;
+  }
+
+  const path = getAttachmentObjectKey(cipherId, attachment.id);
+  try {
+    await putBlobObject(env, path, upload.body, {
+      size: upload.size,
+      contentType: upload.contentType,
+      customMetadata: {
+        cipherId,
+        attachmentId: attachment.id,
+      },
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes('KV object too large')) {
+      return errorResponse(`File too large. Maximum size is ${Math.floor(maxFileSize / (1024 * 1024))}MB`, 413);
+    }
+    return errorResponse('Attachment storage is not configured', 500);
+  }
+
+  if (upload.size !== attachment.size) {
+    attachment.size = upload.size;
+    attachment.sizeName = formatSize(upload.size);
+    await storage.saveAttachment(attachment);
+  }
+
+  const revisionInfo = await storage.updateCipherRevisionDate(cipherId);
+  if (revisionInfo) {
+    await notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
+  }
+
+  return new Response(null, { status: 201 });
 }

 // POST /api/ciphers/{cipherId}/attachment/v2
@@ -71,24 +139,31 @@ export async function handleCreateAttachment(
  await storage.addAttachmentToCipher(cipherId, attachmentId);

  // Update cipher revision date
-  await storage.updateCipherRevisionDate(cipherId);
+  const revisionInfo = await storage.updateCipherRevisionDate(cipherId);
+  if (revisionInfo) {
+    await notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
+  }

  // Get updated cipher for response
  const updatedCipher = await storage.getCipher(cipherId);
  const attachments = await storage.getAttachmentsByCipher(cipherId);
+  const jwtSecret = getSafeJwtSecret(env);
+  if (!jwtSecret) {
+    return errorResponse('Server configuration error', 500);
+  }
+  const uploadToken = await createAttachmentUploadToken(userId, cipherId, attachmentId, jwtSecret);

  return jsonResponse({
    object: 'attachment-fileUpload',
    attachmentId: attachmentId,
-    url: `/api/ciphers/${cipherId}/attachment/${attachmentId}`,
-    fileUploadType: 0, // Direct upload
-    cipherResponse: cipherToResponse(updatedCipher!, attachments),
+    url: buildDirectUploadUrl(request, `/api/ciphers/${cipherId}/attachment/${attachmentId}`, uploadToken),
+    fileUploadType: 1,
+    cipherResponse: cipherToResponse(updatedCipher!, attachments, {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    }),
  });
 }

-// Maximum file size: 100MB
-const MAX_FILE_SIZE = LIMITS.attachment.maxFileSizeBytes;
-
 // POST /api/ciphers/{cipherId}/attachment/{attachmentId}
 // Upload attachment file content
 export async function handleUploadAttachment(
@@ -112,54 +187,45 @@ export async function handleUploadAttachment(
    return errorResponse('Attachment not found', 404);
  }

-  // Check content-length header for size limit
-  const contentLength = request.headers.get('content-length');
-  if (contentLength && parseInt(contentLength) > MAX_FILE_SIZE) {
-    return errorResponse('File too large. Maximum size is 100MB', 413);
+  return processAttachmentUpload(request, env, attachment, cipherId);
+}
+
+export async function handlePublicUploadAttachment(
+  request: Request,
+  env: Env,
+  cipherId: string,
+  attachmentId: string
+): Promise<Response> {
+  const jwtSecret = getSafeJwtSecret(env);
+  if (!jwtSecret) {
+    return errorResponse('Server configuration error', 500);
  }

-  // Get the file from multipart form data
-  const contentType = request.headers.get('content-type') || '';
-  if (!contentType.includes('multipart/form-data')) {
-    return errorResponse('Content-Type must be multipart/form-data', 400);
+  const token = new URL(request.url).searchParams.get('token');
+  if (!token) {
+    return errorResponse('Token required', 401);
  }

-  const formData = await request.formData();
-  const file = formData.get('data') as File | null;
-
-  if (!file) {
-    return errorResponse('No file uploaded', 400);
+  const claims = await verifyAttachmentUploadToken(token, jwtSecret);
+  if (!claims) {
+    return errorResponse('Invalid or expired token', 401);
+  }
+  if (claims.cipherId !== cipherId || claims.attachmentId !== attachmentId) {
+    return errorResponse('Token mismatch', 401);
  }

-  // Check actual file size
-  if (file.size > MAX_FILE_SIZE) {
-    return errorResponse('File too large. Maximum size is 100MB', 413);
+  const storage = new StorageService(env.DB);
+  const cipher = await storage.getCipher(cipherId);
+  if (!cipher || cipher.userId !== claims.userId) {
+    return errorResponse('Cipher not found', 404);
  }

-  // Store file in R2
-  const path = getAttachmentPath(cipherId, attachmentId);
-  await env.ATTACHMENTS.put(path, file.stream(), {
-    httpMetadata: {
-      contentType: 'application/octet-stream',
-    },
-    customMetadata: {
-      cipherId: cipherId,
-      attachmentId: attachmentId,
-    },
-  });
-
-  // Update attachment size if different
-  const actualSize = file.size;
-  if (actualSize !== attachment.size) {
-    attachment.size = actualSize;
-    attachment.sizeName = formatSize(actualSize);
-    await storage.saveAttachment(attachment);
+  const attachment = await storage.getAttachment(attachmentId);
+  if (!attachment || attachment.cipherId !== cipherId) {
+    return errorResponse('Attachment not found', 404);
  }

-  // Update cipher revision date
-  await storage.updateCipherRevisionDate(cipherId);
-
-  return new Response(null, { status: 200 });
+  return processAttachmentUpload(request, env, attachment, cipherId);
 }

 // GET /api/ciphers/{cipherId}/attachment/{attachmentId}
@@ -198,7 +264,7 @@ export async function handleGetAttachment(
    url: downloadUrl,
    fileName: attachment.fileName,
    key: attachment.key,
-    size: Number(attachment.size) || 0,
+    size: String(Number(attachment.size) || 0),
    sizeName: attachment.sizeName,
  });
 }
@@ -242,9 +308,8 @@ export async function handlePublicDownloadAttachment(
    return errorResponse('Attachment not found', 404);
  }

-  // Get file from R2
-  const path = getAttachmentPath(cipherId, attachmentId);
-  const object = await env.ATTACHMENTS.get(path);
+  const path = getAttachmentObjectKey(cipherId, attachmentId);
+  const object = await getBlobObject(env, path);

  if (!object) {
    return errorResponse('Attachment file not found', 404);
@@ -257,7 +322,7 @@ export async function handlePublicDownloadAttachment(

  return new Response(object.body, {
    headers: {
-      'Content-Type': 'application/octet-stream',
+      'Content-Type': object.contentType || 'application/octet-stream',
      'Content-Length': String(object.size),
      'Cache-Control': 'private, no-cache',
    },
@@ -287,9 +352,8 @@ export async function handleDeleteAttachment(
    return errorResponse('Attachment not found', 404);
  }

-  // Delete file from R2
-  const path = getAttachmentPath(cipherId, attachmentId);
-  await env.ATTACHMENTS.delete(path);
+  const path = getAttachmentObjectKey(cipherId, attachmentId);
+  await deleteBlobObject(env, path);

  // Delete attachment metadata
  await storage.deleteAttachment(attachmentId);
@@ -298,14 +362,19 @@ export async function handleDeleteAttachment(
  await storage.removeAttachmentFromCipher(cipherId, attachmentId);

  // Update cipher revision date
-  await storage.updateCipherRevisionDate(cipherId);
+  const revisionInfo = await storage.updateCipherRevisionDate(cipherId);
+  if (revisionInfo) {
+    await notifyVaultSyncForRequest(request, env, revisionInfo.userId, revisionInfo.revisionDate);
+  }

  // Get updated cipher for response
  const updatedCipher = await storage.getCipher(cipherId);
  const attachments = await storage.getAttachmentsByCipher(cipherId);

  return jsonResponse({
-    cipher: cipherToResponse(updatedCipher!, attachments),
+    cipher: cipherToResponse(updatedCipher!, attachments, {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    }),
  });
 }

@@ -318,8 +387,8 @@ export async function deleteAllAttachmentsForCipher(
  const attachments = await storage.getAttachmentsByCipher(cipherId);

  for (const attachment of attachments) {
-    const path = getAttachmentPath(cipherId, attachment.id);
-    await env.ATTACHMENTS.delete(path);
+    const path = getAttachmentObjectKey(cipherId, attachment.id);
+    await deleteBlobObject(env, path);
    await storage.deleteAttachment(attachment.id);
  }
 }
@@ -0,0 +1,865 @@
+import type { Env, User } from '../types';
+import { errorResponse, jsonResponse } from '../utils/response';
+import { generateUUID } from '../utils/uuid';
+import {
+  type BackupArchiveBundle,
+  buildBackupArchive,
+  inspectBackupArchiveFileNameChecksum,
+  verifyBackupArchiveFileNameChecksum,
+} from '../services/backup-archive';
+import {
+  type BackupDestinationRecord,
+  type BackupSettingsInput,
+  BACKUP_SCHEDULER_WINDOW_MINUTES,
+  getBackupLocalDateKey,
+  getDefaultBackupSettings,
+  getBackupSettingsRepairState,
+  isBackupDueNow,
+  loadBackupSettings,
+  normalizeBackupSettingsInput,
+  normalizeImportedBackupSettings,
+  repairBackupSettings,
+  requireBackupDestination,
+  saveBackupSettings,
+} from '../services/backup-config';
+import {
+  type BackupImportExecutionResult,
+  type BackupRestoreProgressReporter,
+  importBackupArchiveBytes,
+  importRemoteBackupArchiveBytes,
+} from '../services/backup-import';
+import {
+  type RemoteBackupTransferSession,
+  createRemoteBackupTransferSession,
+  deleteRemoteBackupFile,
+  downloadRemoteBackupFile,
+  ensureRemoteRestoreCandidate,
+  listRemoteBackupEntries,
+  pruneRemoteBackupArchives,
+  uploadBackupArchive,
+} from '../services/backup-uploader';
+import { StorageService } from '../services/storage';
+import { getBlobObject } from '../services/blob-store';
+import { notifyUserBackupProgress, notifyUserBackupRestoreProgress } from '../durable/notifications-hub';
+
+function isAdmin(user: User): boolean {
+  return user.role === 'admin' && user.status === 'active';
+}
+
+async function writeAuditLog(
+  storage: StorageService,
+  actorUserId: string | null,
+  action: string,
+  targetType: string | null,
+  targetId: string | null,
+  metadata: Record<string, unknown> | null
+): Promise<void> {
+  await storage.createAuditLog({
+    id: generateUUID(),
+    actorUserId,
+    action,
+    targetType,
+    targetId,
+    metadata: metadata ? JSON.stringify(metadata) : null,
+    createdAt: new Date().toISOString(),
+  });
+}
+
+function getBackupDestinationSummary(destination: BackupDestinationRecord | null): Record<string, unknown> {
+  if (!destination) {
+    return {
+      destinationId: null,
+      destinationName: null,
+      destinationType: null,
+    };
+  }
+  return {
+    destinationId: destination.id,
+    destinationName: destination.name,
+    destinationType: destination.type,
+  };
+}
+
+function ensureBackupBlobName(value: string): string {
+  const normalized = String(value || '').trim().replace(/\\/g, '/').replace(/^\/+|\/+$/g, '');
+  if (!normalized) {
+    throw new Error('Backup attachment blob is required');
+  }
+  const parts = normalized.split('/').filter(Boolean);
+  if (!parts.length || parts.some((part) => part === '.' || part === '..')) {
+    throw new Error('Backup attachment blob is invalid');
+  }
+  return parts.join('/');
+}
+
+const REMOTE_ATTACHMENT_INDEX_PATH = 'attachments/.nodewarden-attachment-index.v1.json';
+
+interface RemoteAttachmentIndexPayload {
+  version: 1;
+  blobs: Record<string, { sizeBytes: number; updatedAt: string }>;
+}
+
+async function loadRemoteAttachmentIndex(session: RemoteBackupTransferSession): Promise<Map<string, number>> {
+  try {
+    const file = await session.download(REMOTE_ATTACHMENT_INDEX_PATH);
+    const payload = JSON.parse(new TextDecoder().decode(file.bytes)) as RemoteAttachmentIndexPayload;
+    if (payload?.version !== 1 || !payload.blobs || typeof payload.blobs !== 'object') {
+      return new Map<string, number>();
+    }
+    return new Map(
+      Object.entries(payload.blobs)
+        .filter(([key, value]) => !!String(key || '').trim() && Number.isFinite(Number(value?.sizeBytes || 0)))
+        .map(([key, value]) => [key, Number(value.sizeBytes || 0)])
+    );
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes('404') || message.includes('Please select a backup file')) {
+      return new Map<string, number>();
+    }
+    throw error;
+  }
+}
+
+async function saveRemoteAttachmentIndex(
+  session: RemoteBackupTransferSession,
+  index: Map<string, number>
+): Promise<void> {
+  const payload: RemoteAttachmentIndexPayload = {
+    version: 1,
+    blobs: Object.fromEntries(
+      Array.from(index.entries()).map(([blobName, sizeBytes]) => [
+        blobName,
+        {
+          sizeBytes,
+          updatedAt: new Date().toISOString(),
+        },
+      ])
+    ),
+  };
+  const bytes = new TextEncoder().encode(JSON.stringify(payload));
+  await session.putFile(REMOTE_ATTACHMENT_INDEX_PATH, bytes, {
+    contentType: 'application/json; charset=utf-8',
+  });
+}
+
+async function executeConfiguredBackup(
+  env: Env,
+  storage: StorageService,
+  actorUserId: string | null,
+  trigger: 'manual' | 'scheduled',
+  destinationId?: string | null,
+  progress?: ((event: {
+    operation: 'backup-remote-run';
+    step: string;
+    fileName: string;
+    stageTitle: string;
+    stageDetail: string;
+    done?: boolean;
+    ok?: boolean;
+    error?: string | null;
+  }) => Promise<void>) | null
+): Promise<{ fileName: string; fileSize: number; remotePath: string; provider: string }> {
+  const maxArchiveUploadAttempts = 3;
+  const currentSettings = await loadBackupSettings(storage, env, 'UTC');
+  const destination = requireBackupDestination(currentSettings, destinationId);
+
+  const now = new Date();
+  destination.runtime.lastAttemptAt = now.toISOString();
+  destination.runtime.lastAttemptLocalDate = getBackupLocalDateKey(now, destination.schedule.timezone);
+  destination.runtime.lastErrorAt = null;
+  destination.runtime.lastErrorMessage = null;
+  await saveBackupSettings(storage, env, currentSettings);
+
+  try {
+    await progress?.({
+      operation: 'backup-remote-run',
+      step: 'remote_run_prepare',
+      fileName: '',
+      stageTitle: 'txt_backup_remote_run_progress_prepare_title',
+      stageDetail: 'txt_backup_remote_run_progress_prepare_detail',
+    });
+    const archive = await buildBackupArchive(env, now, {
+      includeAttachments: destination.includeAttachments,
+      progress: progress
+        ? async (event) => {
+          if (event.step === 'archive_ready') {
+            return;
+          }
+          await progress({
+            operation: 'backup-remote-run',
+            step: `remote_run_${event.step}`,
+            fileName: event.fileName || '',
+            stageTitle: event.stageTitle,
+            stageDetail: event.stageDetail,
+          });
+        }
+        : undefined,
+    });
+    await progress?.({
+      operation: 'backup-remote-run',
+      step: 'remote_run_sync_attachments',
+      fileName: archive.fileName,
+      stageTitle: 'txt_backup_remote_run_progress_sync_attachments_title',
+      stageDetail: destination.includeAttachments
+        ? 'txt_backup_remote_run_progress_sync_attachments_detail'
+        : 'txt_backup_remote_run_progress_sync_attachments_skipped_detail',
+    });
+    const remoteSession = createRemoteBackupTransferSession(destination);
+    const remoteAttachmentIndex = await loadRemoteAttachmentIndex(remoteSession);
+    let attachmentIndexChanged = false;
+    for (const attachment of archive.manifest.attachmentBlobs || []) {
+      if (remoteAttachmentIndex.get(attachment.blobName) === attachment.sizeBytes) {
+        continue;
+      }
+      const remotePath = `attachments/${attachment.blobName}`;
+      const object = await getBlobObject(env, attachment.blobName);
+      if (!object) {
+        throw new Error(`Attachment blob missing for ${attachment.blobName}`);
+      }
+      const bytes = new Uint8Array(await new Response(object.body).arrayBuffer());
+      await remoteSession.putFile(remotePath, bytes, {
+        contentType: object.contentType,
+      });
+      remoteAttachmentIndex.set(attachment.blobName, attachment.sizeBytes);
+      attachmentIndexChanged = true;
+    }
+    if (attachmentIndexChanged) {
+      await saveRemoteAttachmentIndex(remoteSession, remoteAttachmentIndex);
+    }
+    let upload: Awaited<ReturnType<typeof uploadBackupArchive>> | null = null;
+    for (let attempt = 1; attempt <= maxArchiveUploadAttempts; attempt++) {
+      await progress?.({
+        operation: 'backup-remote-run',
+        step: 'remote_run_upload_archive',
+        fileName: archive.fileName,
+        stageTitle: 'txt_backup_remote_run_progress_upload_title',
+        stageDetail: 'txt_backup_remote_run_progress_upload_detail',
+      });
+      upload = await remoteSession.uploadArchive(archive.bytes, archive.fileName);
+      try {
+        await progress?.({
+          operation: 'backup-remote-run',
+          step: 'remote_run_verify_archive',
+          fileName: archive.fileName,
+          stageTitle: 'txt_backup_remote_run_progress_verify_title',
+          stageDetail: 'txt_backup_remote_run_progress_verify_detail',
+        });
+        const remoteFile = await remoteSession.download(archive.fileName);
+        const checksumOk = await verifyBackupArchiveFileNameChecksum(remoteFile.bytes, archive.fileName);
+        if (!checksumOk) {
+          throw new Error('Remote backup ZIP checksum verification failed');
+        }
+        if (remoteFile.bytes.byteLength !== archive.bytes.byteLength) {
+          throw new Error('Remote backup ZIP size verification failed');
+        }
+        break;
+      } catch (error) {
+        await remoteSession.deleteFile(archive.fileName).catch(() => undefined);
+        if (attempt === maxArchiveUploadAttempts) {
+          const message = error instanceof Error ? error.message : 'Remote backup ZIP verification failed';
+          throw new Error(`Backup archive upload verification failed after ${maxArchiveUploadAttempts} attempts: ${message}`);
+        }
+      }
+    }
+    if (!upload) {
+      throw new Error('Backup archive upload failed');
+    }
+    let prunedFileCount = 0;
+    let pruneErrorMessage: string | null = null;
+    try {
+      await progress?.({
+        operation: 'backup-remote-run',
+        step: 'remote_run_cleanup',
+        fileName: archive.fileName,
+        stageTitle: 'txt_backup_remote_run_progress_cleanup_title',
+        stageDetail: 'txt_backup_remote_run_progress_cleanup_detail',
+      });
+      prunedFileCount = await pruneRemoteBackupArchives(destination, destination.schedule.retentionCount, archive.fileName);
+    } catch (error) {
+      pruneErrorMessage = error instanceof Error ? error.message : 'Old backup cleanup failed';
+    }
+
+    destination.runtime.lastSuccessAt = new Date().toISOString();
+    destination.runtime.lastErrorAt = null;
+    destination.runtime.lastErrorMessage = null;
+    destination.runtime.lastUploadedFileName = archive.fileName;
+    destination.runtime.lastUploadedSizeBytes = archive.bytes.byteLength;
+    destination.runtime.lastUploadedDestination = upload.remotePath;
+    await saveBackupSettings(storage, env, currentSettings);
+
+    await writeAuditLog(storage, actorUserId, `admin.backup.remote.${trigger}`, 'backup', null, {
+      ...getBackupDestinationSummary(destination),
+      provider: upload.provider,
+      remotePath: upload.remotePath,
+      fileName: archive.fileName,
+      fileBytes: archive.bytes.byteLength,
+      uploadVerificationAttempts: maxArchiveUploadAttempts,
+      prunedFileCount,
+      pruneError: pruneErrorMessage,
+    });
+
+    await progress?.({
+      operation: 'backup-remote-run',
+      step: 'remote_run_complete',
+      fileName: archive.fileName,
+      stageTitle: 'txt_backup_remote_run_progress_complete_title',
+      stageDetail: 'txt_backup_remote_run_progress_complete_detail',
+      done: true,
+      ok: true,
+    });
+
+    return {
+      fileName: archive.fileName,
+      fileSize: archive.bytes.byteLength,
+      remotePath: upload.remotePath,
+      provider: upload.provider,
+    };
+  } catch (error) {
+    destination.runtime.lastErrorAt = new Date().toISOString();
+    destination.runtime.lastErrorMessage = error instanceof Error ? error.message : 'Backup upload failed';
+    await saveBackupSettings(storage, env, currentSettings);
+
+    await writeAuditLog(storage, actorUserId, `admin.backup.remote.${trigger}.failed`, 'backup', null, {
+      ...getBackupDestinationSummary(destination),
+      error: destination.runtime.lastErrorMessage,
+    });
+    await progress?.({
+      operation: 'backup-remote-run',
+      step: 'remote_run_failed',
+      fileName: '',
+      stageTitle: 'txt_backup_remote_run_progress_failed_title',
+      stageDetail: 'txt_backup_remote_run_progress_failed_detail',
+      done: true,
+      ok: false,
+      error: destination.runtime.lastErrorMessage,
+    });
+    throw error;
+  }
+}
+
+function toImportStatusCode(message: string): number {
+  const lower = message.toLowerCase();
+  if (lower.includes('invalid backup') || lower.includes('invalid json')) return 400;
+  if (lower.includes('fresh instance')) return 409;
+  if (lower.includes('not configured') || lower.includes('kv')) return 409;
+  return 500;
+}
+
+async function runImportAndAudit(
+  env: Env,
+  request: Request,
+  actorUser: User,
+  archiveBytes: Uint8Array,
+  fileName: string,
+  replaceExisting: boolean,
+  metadata: Record<string, unknown>
+): Promise<BackupImportExecutionResult> {
+  const storage = new StorageService(env.DB);
+  const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
+  const progress: BackupRestoreProgressReporter = async (event) => {
+    await notifyUserBackupRestoreProgress(
+      env,
+      actorUser.id,
+      {
+        operation: 'backup-restore',
+        ...event,
+      },
+      targetDeviceIdentifier
+    );
+  };
+  await progress({
+    source: 'local',
+    step: 'local_upload_received',
+    fileName,
+    stageTitle: 'txt_backup_restore_progress_local_upload_title',
+    stageDetail: 'txt_backup_restore_progress_local_upload_detail',
+    replaceExisting,
+  });
+  const imported = await importBackupArchiveBytes(archiveBytes, env, actorUser.id, replaceExisting, progress, fileName);
+  await writeAuditLog(storage, imported.auditActorUserId, 'admin.backup.import', 'backup', null, {
+    users: imported.result.imported.users,
+    ciphers: imported.result.imported.ciphers,
+    attachments: imported.result.imported.attachmentFiles,
+    skippedAttachments: imported.result.skipped.attachments,
+    skippedReason: imported.result.skipped.reason,
+    replaceExisting,
+    ...metadata,
+  });
+  return imported;
+}
+
+export async function runScheduledBackupIfDue(env: Env): Promise<void> {
+  const storage = new StorageService(env.DB);
+  const settings = await loadBackupSettings(storage, env, 'UTC');
+  const now = new Date();
+  for (const destination of settings.destinations) {
+    if (!isBackupDueNow(destination, now, BACKUP_SCHEDULER_WINDOW_MINUTES)) continue;
+    await executeConfiguredBackup(env, storage, null, 'scheduled', destination.id);
+  }
+}
+
+export async function handleGetAdminBackupSettings(request: Request, env: Env, actorUser: User): Promise<Response> {
+  void request;
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  const storage = new StorageService(env.DB);
+  try {
+    const settings = await loadBackupSettings(storage, env, 'UTC');
+    return jsonResponse(settings);
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Backup settings could not be loaded', 409);
+  }
+}
+
+export async function handleUpdateAdminBackupSettings(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  let body: BackupSettingsInput;
+  try {
+    body = await request.json<BackupSettingsInput>();
+  } catch {
+    return errorResponse('Backup settings payload is invalid', 400);
+  }
+
+  const storage = new StorageService(env.DB);
+  let previous;
+  try {
+    previous = await loadBackupSettings(storage, env, 'UTC');
+  } catch {
+    previous = getDefaultBackupSettings('UTC');
+  }
+
+  let next;
+  try {
+    next = normalizeBackupSettingsInput(body, previous);
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Backup settings are invalid', 400);
+  }
+
+  await saveBackupSettings(storage, env, next);
+  await writeAuditLog(storage, actorUser.id, 'admin.backup.settings.update', 'backup', null, {
+    destinationCount: next.destinations.length,
+    scheduledDestinationCount: next.destinations.filter((destination) => destination.schedule.enabled).length,
+  });
+  return jsonResponse(next);
+}
+
+export async function handleGetAdminBackupSettingsRepairState(request: Request, env: Env, actorUser: User): Promise<Response> {
+  void request;
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  const storage = new StorageService(env.DB);
+  try {
+    const state = await getBackupSettingsRepairState(storage, env, 'UTC');
+    return jsonResponse({
+      object: 'backup-settings-repair',
+      needsRepair: state.needsRepair,
+      portable: state.portable,
+    });
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Backup settings repair state could not be loaded', 409);
+  }
+}
+
+export async function handleRepairAdminBackupSettings(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  let body: BackupSettingsInput;
+  try {
+    body = await request.json<BackupSettingsInput>();
+  } catch {
+    return errorResponse('Backup settings repair payload is invalid', 400);
+  }
+
+  const storage = new StorageService(env.DB);
+  let previous;
+  try {
+    previous = await loadBackupSettings(storage, env, 'UTC');
+  } catch {
+    previous = getDefaultBackupSettings('UTC');
+  }
+
+  let next;
+  try {
+    next = normalizeBackupSettingsInput(body, previous);
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Backup settings repair payload is invalid', 400);
+  }
+
+  await repairBackupSettings(storage, env, next);
+  await writeAuditLog(storage, actorUser.id, 'admin.backup.settings.repair', 'backup', null, {
+    destinationCount: next.destinations.length,
+    scheduledDestinationCount: next.destinations.filter((destination) => destination.schedule.enabled).length,
+  });
+  return jsonResponse(next);
+}
+
+export async function handleRunAdminConfiguredBackup(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  const storage = new StorageService(env.DB);
+  try {
+    let body: { destinationId?: string } | null = null;
+    try {
+      if ((request.headers.get('Content-Type') || '').includes('application/json')) {
+        body = await request.json<{ destinationId?: string }>();
+      }
+    } catch {
+      return errorResponse('Backup run payload is invalid', 400);
+    }
+
+    const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
+    const progress = async (event: {
+      operation: 'backup-remote-run';
+      step: string;
+      fileName: string;
+      stageTitle: string;
+      stageDetail: string;
+      done?: boolean;
+      ok?: boolean;
+      error?: string | null;
+    }) => {
+      await notifyUserBackupProgress(env, actorUser.id, event, targetDeviceIdentifier);
+    };
+    const result = await executeConfiguredBackup(env, storage, actorUser.id, 'manual', body?.destinationId || null, progress);
+    const settings = await loadBackupSettings(storage, env, 'UTC');
+    return jsonResponse({
+      object: 'backup-run',
+      result: {
+        fileName: result.fileName,
+        fileSize: result.fileSize,
+        provider: result.provider,
+        remotePath: result.remotePath,
+      },
+      settings,
+    });
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Backup run failed', 500);
+  }
+}
+
+export async function handleListAdminRemoteBackups(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  const storage = new StorageService(env.DB);
+  try {
+    const settings = await loadBackupSettings(storage, env, 'UTC');
+    const url = new URL(request.url);
+    const destination = requireBackupDestination(settings, url.searchParams.get('destinationId') || null);
+    const listing = await listRemoteBackupEntries(destination, url.searchParams.get('path') || '');
+    return jsonResponse({
+      object: 'backup-remote-browser',
+      destinationId: destination.id,
+      destinationName: destination.name,
+      ...listing,
+    });
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Remote backup listing failed', 409);
+  }
+}
+
+export async function handleDownloadAdminRemoteBackup(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  const storage = new StorageService(env.DB);
+  try {
+    const settings = await loadBackupSettings(storage, env, 'UTC');
+    const url = new URL(request.url);
+    const path = ensureRemoteRestoreCandidate(url.searchParams.get('path') || '');
+    const destination = requireBackupDestination(settings, url.searchParams.get('destinationId') || null);
+    const remoteFile = await downloadRemoteBackupFile(destination, path);
+    return new Response(remoteFile.bytes, {
+      status: 200,
+      headers: {
+        'Content-Type': remoteFile.contentType || 'application/zip',
+        'Content-Disposition': `attachment; filename="${remoteFile.fileName}"`,
+        'Cache-Control': 'no-store',
+      },
+    });
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Remote backup download failed', 409);
+  }
+}
+
+export async function handleInspectAdminRemoteBackup(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  const storage = new StorageService(env.DB);
+  try {
+    const settings = await loadBackupSettings(storage, env, 'UTC');
+    const url = new URL(request.url);
+    const path = ensureRemoteRestoreCandidate(url.searchParams.get('path') || '');
+    const destination = requireBackupDestination(settings, url.searchParams.get('destinationId') || null);
+    const remoteFile = await downloadRemoteBackupFile(destination, path);
+    const integrity = await inspectBackupArchiveFileNameChecksum(remoteFile.bytes, remoteFile.fileName || path);
+    return jsonResponse({
+      object: 'backup-remote-integrity',
+      destinationId: destination.id,
+      path,
+      fileName: remoteFile.fileName || path.split('/').pop() || path,
+      integrity,
+    });
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Remote backup integrity inspection failed', 409);
+  }
+}
+
+export async function handleDeleteAdminRemoteBackup(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  const storage = new StorageService(env.DB);
+  try {
+    const settings = await loadBackupSettings(storage, env, 'UTC');
+    const url = new URL(request.url);
+    const path = ensureRemoteRestoreCandidate(url.searchParams.get('path') || '');
+    const destination = requireBackupDestination(settings, url.searchParams.get('destinationId') || null);
+    await deleteRemoteBackupFile(destination, path);
+    await writeAuditLog(storage, actorUser.id, 'admin.backup.remote.delete', 'backup', null, {
+      ...getBackupDestinationSummary(destination),
+      remotePath: path,
+    });
+    return jsonResponse({ object: 'backup-remote-delete', deleted: true, path });
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Remote backup delete failed', 409);
+  }
+}
+
+export async function handleRestoreAdminRemoteBackup(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  let body: { destinationId?: string; path?: string; replaceExisting?: boolean; allowChecksumMismatch?: boolean };
+  try {
+    body = await request.json<{ destinationId?: string; path?: string; replaceExisting?: boolean }>();
+  } catch {
+    return errorResponse('Remote restore payload is invalid', 400);
+  }
+
+  const storage = new StorageService(env.DB);
+  try {
+    const settings = await loadBackupSettings(storage, env, 'UTC');
+    const destination = requireBackupDestination(settings, body.destinationId || null);
+    const path = ensureRemoteRestoreCandidate(String(body.path || ''));
+    const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
+    const restoreFileNameFromPath = path.split('/').pop() || path;
+    await notifyUserBackupRestoreProgress(
+      env,
+      actorUser.id,
+      {
+        operation: 'backup-restore',
+        source: 'remote',
+        step: 'remote_fetch_archive',
+        fileName: restoreFileNameFromPath,
+        stageTitle: 'txt_backup_restore_progress_remote_fetch_title',
+        stageDetail: 'txt_backup_restore_progress_remote_fetch_detail',
+        replaceExisting: !!body.replaceExisting,
+      },
+      targetDeviceIdentifier
+    );
+    const remoteFile = await downloadRemoteBackupFile(destination, path);
+    const checksumOk = await verifyBackupArchiveFileNameChecksum(remoteFile.bytes, remoteFile.fileName || path);
+    if (!checksumOk && !body.allowChecksumMismatch) {
+      return errorResponse('Remote backup file checksum does not match its filename', 400);
+    }
+    const restoreFileName = remoteFile.fileName || path.split('/').pop() || path;
+    const progress: BackupRestoreProgressReporter = async (event) => {
+      await notifyUserBackupRestoreProgress(
+        env,
+        actorUser.id,
+        {
+          operation: 'backup-restore',
+          ...event,
+        },
+        targetDeviceIdentifier
+      );
+    };
+    const imported = await (async () => {
+      const storage = new StorageService(env.DB);
+      const result = await importRemoteBackupArchiveBytes(
+        remoteFile.bytes,
+        env,
+        actorUser.id,
+        !!body.replaceExisting,
+        {
+            loadAttachment: async (blobName) => {
+              const file = await downloadRemoteBackupFile(destination, `attachments/${blobName}`).catch(() => null);
+              return file?.bytes || null;
+            },
+        },
+        progress,
+        restoreFileName
+      );
+      await writeAuditLog(storage, result.auditActorUserId, 'admin.backup.import', 'backup', null, {
+        users: result.result.imported.users,
+        ciphers: result.result.imported.ciphers,
+        attachments: result.result.imported.attachmentFiles,
+        skippedAttachments: result.result.skipped.attachments,
+        skippedReason: result.result.skipped.reason,
+        replaceExisting: !!body.replaceExisting,
+        ...getBackupDestinationSummary(destination),
+        remotePath: path,
+        bytes: remoteFile.bytes.byteLength,
+        trigger: 'remote',
+        checksumMismatchAccepted: !checksumOk,
+      });
+      return result;
+    })();
+    return jsonResponse(imported.result);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Remote backup restore failed';
+    return errorResponse(message, toImportStatusCode(message));
+  }
+}
+
+export async function handleAdminExportBackup(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  const storage = new StorageService(env.DB);
+  const targetDeviceIdentifier = String(request.headers.get('X-NodeWarden-Acting-Device-Id') || '').trim() || null;
+  let body: { includeAttachments?: boolean } | null = null;
+  try {
+    if ((request.headers.get('Content-Type') || '').includes('application/json')) {
+      body = await request.json<{ includeAttachments?: boolean }>();
+    }
+  } catch {
+    return errorResponse('Backup export payload is invalid', 400);
+  }
+  let archive: BackupArchiveBundle;
+  try {
+    const progress = async (event: {
+      step: string;
+      fileName?: string;
+      stageTitle: string;
+      stageDetail: string;
+      includeAttachments: boolean;
+    }) => {
+      await notifyUserBackupProgress(
+        env,
+        actorUser.id,
+        {
+          operation: 'backup-export',
+          source: 'local',
+          step: `export_${event.step}`,
+          fileName: event.fileName || '',
+          stageTitle: event.stageTitle,
+          stageDetail: event.stageDetail,
+        },
+        targetDeviceIdentifier
+      );
+    };
+    archive = await buildBackupArchive(env, new Date(), {
+      includeAttachments: !!body?.includeAttachments,
+      progress,
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Backup export failed';
+    await notifyUserBackupProgress(
+      env,
+      actorUser.id,
+      {
+        operation: 'backup-export',
+        source: 'local',
+        step: 'export_failed',
+        fileName: '',
+        stageTitle: 'txt_backup_export_progress_failed_title',
+        stageDetail: 'txt_backup_export_progress_failed_detail',
+        done: true,
+        ok: false,
+        error: message,
+      },
+      targetDeviceIdentifier
+    );
+    return errorResponse(message, message.includes('blob missing') ? 409 : 500);
+  }
+
+  await writeAuditLog(storage, actorUser.id, 'admin.backup.export', 'backup', null, {
+    users: archive.manifest.tableCounts.users,
+    ciphers: archive.manifest.tableCounts.ciphers,
+    attachments: archive.manifest.tableCounts.attachments,
+    compressedBytes: archive.bytes.byteLength,
+    includesAttachments: archive.manifest.includes.attachments,
+  });
+
+  return new Response(archive.bytes, {
+    status: 200,
+    headers: {
+      'Content-Type': 'application/zip',
+      'Content-Disposition': `attachment; filename="${archive.fileName}"`,
+      'Cache-Control': 'no-store',
+    },
+  });
+}
+
+export async function handleDownloadAdminBackupAttachment(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  try {
+    const url = new URL(request.url);
+    const blobName = ensureBackupBlobName(url.searchParams.get('blobName') || '');
+    const object = await getBlobObject(env, blobName);
+    if (!object) {
+      return errorResponse('Backup attachment blob not found', 404);
+    }
+    return new Response(object.body, {
+      status: 200,
+      headers: {
+        'Content-Type': object.contentType || 'application/octet-stream',
+        'Content-Length': String(object.size),
+        'Cache-Control': 'no-store',
+      },
+    });
+  } catch (error) {
+    return errorResponse(error instanceof Error ? error.message : 'Backup attachment download failed', 400);
+  }
+}
+
+export async function handleAdminImportBackup(request: Request, env: Env, actorUser: User): Promise<Response> {
+  if (!isAdmin(actorUser)) return errorResponse('Forbidden', 403);
+
+  let formData: FormData;
+  try {
+    formData = await request.formData();
+  } catch {
+    return errorResponse('Content-Type must be multipart/form-data', 400);
+  }
+
+  const file = formData.get('file');
+  if (!file || typeof file !== 'object' || !('arrayBuffer' in file)) {
+    return errorResponse('Backup file is required', 400);
+  }
+
+  const replaceExisting = String(formData.get('replaceExisting') || '').trim() === '1';
+  const allowChecksumMismatch = String(formData.get('allowChecksumMismatch') || '').trim() === '1';
+  let archiveBytes: Uint8Array;
+  try {
+    archiveBytes = new Uint8Array(await (file as { arrayBuffer(): Promise<ArrayBuffer> }).arrayBuffer());
+  } catch {
+    return errorResponse('Unable to read backup file', 400);
+  }
+
+  try {
+    const fileName = 'name' in file ? String((file as File).name || '') : '';
+    const checksumOk = await verifyBackupArchiveFileNameChecksum(archiveBytes, fileName);
+    if (!checksumOk && !allowChecksumMismatch) {
+      return errorResponse('Backup file checksum does not match its filename', 400);
+    }
+    const imported = await runImportAndAudit(env, request, actorUser, archiveBytes, fileName || 'nodewarden_backup.zip', replaceExisting, {
+      trigger: 'local',
+      bytes: archiveBytes.byteLength,
+      checksumMismatchAccepted: !checksumOk,
+    });
+    return jsonResponse(imported.result);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Backup import failed';
+    return errorResponse(message, toImportStatusCode(message));
+  }
+}
+
+export async function seedDefaultBackupSettings(env: Env): Promise<void> {
+  const storage = new StorageService(env.DB);
+  const current = await storage.getConfigValue('backup.settings.v1');
+  if (current) {
+    await normalizeImportedBackupSettings(storage, env, 'UTC');
+    return;
+  }
+  await saveBackupSettings(storage, env, getDefaultBackupSettings('UTC'));
+}
@@ -1,9 +1,163 @@
 import { Env, Cipher, CipherResponse, Attachment } from '../types';
 import { StorageService } from '../services/storage';
+import { notifyUserVaultSync } from '../durable/notifications-hub';
 import { jsonResponse, errorResponse } from '../utils/response';
 import { generateUUID } from '../utils/uuid';
 import { deleteAllAttachmentsForCipher } from './attachments';
 import { parsePagination, encodeContinuationToken } from '../utils/pagination';
+import { readActingDeviceIdentifier } from '../utils/device';
+
+function normalizeOptionalId(value: unknown): string | null {
+  if (value == null) return null;
+  const normalized = String(value).trim();
+  return normalized ? normalized : null;
+}
+
+async function notifyVaultSyncForRequest(
+  request: Request,
+  env: Env,
+  userId: string,
+  revisionDate: string
+): Promise<void> {
+  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+}
+
+function getAliasedProp(source: any, aliases: string[]): { present: boolean; value: any } {
+  if (!source || typeof source !== 'object') return { present: false, value: undefined };
+  for (const key of aliases) {
+    if (Object.prototype.hasOwnProperty.call(source, key)) {
+      return { present: true, value: source[key] };
+    }
+  }
+  return { present: false, value: undefined };
+}
+
+function normalizeCipherTimestamp(value: unknown): string | null {
+  if (value == null || value === '') return null;
+  const parsed = new Date(String(value));
+  if (Number.isNaN(parsed.getTime())) return null;
+  return parsed.toISOString();
+}
+
+function readCipherArchivedAt(source: any, fallback: string | null = null): string | null {
+  const archived = getAliasedProp(source, ['archivedAt', 'ArchivedAt', 'archivedDate', 'ArchivedDate']);
+  return archived.present ? normalizeCipherTimestamp(archived.value) : fallback;
+}
+
+function syncCipherComputedAliases(cipher: Cipher): Cipher {
+  cipher.archivedDate = cipher.archivedAt ?? null;
+  cipher.deletedDate = cipher.deletedAt ?? null;
+  return cipher;
+}
+
+function normalizeCipherForStorage(cipher: Cipher): Cipher {
+  cipher.login = normalizeCipherLoginForStorage(cipher.login);
+  cipher.sshKey = normalizeCipherSshKeyForCompatibility(cipher.sshKey);
+  cipher.folderId = normalizeOptionalId(cipher.folderId);
+  const hasArchivedAt = Object.prototype.hasOwnProperty.call(cipher as object, 'archivedAt');
+  cipher.archivedAt = hasArchivedAt
+    ? normalizeCipherTimestamp(cipher.archivedAt) ?? null
+    : normalizeCipherTimestamp(cipher.archivedDate) ?? null;
+  return syncCipherComputedAliases(cipher);
+}
+
+function looksLikeCipherString(value: unknown): boolean {
+  return /^\d+\.[A-Za-z0-9+/=]+\|[A-Za-z0-9+/=]+(?:\|[A-Za-z0-9+/=]+)?$/.test(String(value || '').trim());
+}
+
+export function shouldOmitPasskeysForResponse(request: Request | null | undefined): boolean {
+  const userAgent = String(request?.headers.get('user-agent') || '').toLowerCase();
+  if (!userAgent) return false;
+
+  // Temporary compatibility fallback:
+  // mobile clients expect official EncString payloads for most FIDO2 fields.
+  // Keep passkeys available everywhere, but suppress only legacy malformed data
+  // for mobile clients so newly-saved credentials can flow through unchanged.
+  return (
+    userAgent.includes('android') ||
+    userAgent.includes('iphone') ||
+    userAgent.includes('ipad') ||
+    userAgent.includes('ios')
+  );
+}
+
+export function normalizeCipherLoginForStorage(login: any): any {
+  if (!login || typeof login !== 'object') return login ?? null;
+
+  return {
+    ...login,
+    fido2Credentials: Array.isArray(login.fido2Credentials) ? login.fido2Credentials : null,
+  };
+}
+
+export function normalizeCipherLoginForCompatibility(
+  login: any,
+  options?: { omitFido2Credentials?: boolean }
+): any {
+  const normalized = normalizeCipherLoginForStorage(login);
+  if (!normalized || typeof normalized !== 'object') return normalized ?? null;
+  if (!options?.omitFido2Credentials) return normalized;
+
+  const credentials = Array.isArray(normalized.fido2Credentials) ? normalized.fido2Credentials : null;
+  if (!credentials?.length) return normalized;
+
+  const hasMalformedCredential = credentials.some((credential: any) => {
+    if (!credential || typeof credential !== 'object') return true;
+    const requiredEncryptedFields = [
+      credential.credentialId,
+      credential.keyType,
+      credential.keyAlgorithm,
+      credential.keyCurve,
+      credential.keyValue,
+      credential.rpId,
+      credential.counter,
+      credential.discoverable,
+    ];
+    const optionalEncryptedFields = [
+      credential.userHandle,
+      credential.userName,
+      credential.rpName,
+      credential.userDisplayName,
+    ];
+
+    if (requiredEncryptedFields.some((value) => !looksLikeCipherString(value))) {
+      return true;
+    }
+    if (optionalEncryptedFields.some((value) => value != null && !looksLikeCipherString(value))) {
+      return true;
+    }
+    return false;
+  });
+
+  return hasMalformedCredential
+    ? {
+        ...normalized,
+        fido2Credentials: null,
+      }
+    : normalized;
+}
+
+// Android 2026.2.0 requires sshKey.keyFingerprint in sync payloads.
+// Keep legacy alias "fingerprint" in parallel for older web payloads.
+export function normalizeCipherSshKeyForCompatibility(sshKey: any): any {
+  if (!sshKey || typeof sshKey !== 'object') return sshKey ?? null;
+
+  const candidate =
+    sshKey.keyFingerprint !== undefined && sshKey.keyFingerprint !== null
+      ? sshKey.keyFingerprint
+      : sshKey.fingerprint;
+
+  const normalizedFingerprint =
+    candidate === undefined || candidate === null
+      ? ''
+      : String(candidate);
+
+  return {
+    ...sshKey,
+    keyFingerprint: normalizedFingerprint,
+    fingerprint: normalizedFingerprint,
+  };
+}

 // Format attachments for API response
 export function formatAttachments(attachments: Attachment[]): any[] | null {
@@ -11,7 +165,8 @@ export function formatAttachments(attachments: Attachment[]): any[] | null {
  return attachments.map(a => ({
    id: a.id,
    fileName: a.fileName,
-    size: Number(a.size) || 0,  // Android expects Int, not String
+    // Bitwarden clients decode attachment size as string in cipher payloads.
+    size: String(Number(a.size) || 0),
    sizeName: a.sizeName,
    key: a.key,
    url: `/api/ciphers/${a.cipherId}/attachment/${a.id}`,  // Android requires non-null url!
@@ -23,21 +178,28 @@ export function formatAttachments(attachments: Attachment[]): any[] | null {
 // Uses opaque passthrough: spreads ALL stored fields (including unknown/future ones),
 // then overlays server-computed fields. This ensures new Bitwarden client fields
 // survive a round-trip without code changes.
-export function cipherToResponse(cipher: Cipher, attachments: Attachment[] = []): CipherResponse {
+export function cipherToResponse(
+  cipher: Cipher,
+  attachments: Attachment[] = [],
+  options?: { omitFido2Credentials?: boolean }
+): CipherResponse {
  // Strip internal-only fields that must not appear in the API response
-  const { userId, createdAt, updatedAt, deletedAt, ...passthrough } = cipher;
+  const { userId, createdAt, updatedAt, archivedAt, deletedAt, ...passthrough } = cipher;
+  const normalizedLogin = normalizeCipherLoginForCompatibility((passthrough as any).login ?? null, options);
+  const normalizedSshKey = normalizeCipherSshKeyForCompatibility((passthrough as any).sshKey ?? null);

  return {
    // Pass through ALL stored cipher fields (known + unknown)
    ...passthrough,
    // Server-computed / enforced fields (always override)
+    folderId: normalizeOptionalId(cipher.folderId),
    type: Number(cipher.type) || 1,
    organizationId: null,
    organizationUseTotp: false,
    creationDate: createdAt,
    revisionDate: updatedAt,
    deletedDate: deletedAt,
-    archivedDate: null,
+    archivedDate: archivedAt ?? null,
    edit: true,
    viewPassword: true,
    permissions: {
@@ -47,6 +209,8 @@ export function cipherToResponse(cipher: Cipher, attachments: Attachment[] = [])
    object: 'cipher',
    collectionIds: [],
    attachments: formatAttachments(attachments),
+    login: normalizedLogin,
+    sshKey: normalizedSshKey,
    encryptedFor: null,
  };
 }
@@ -57,6 +221,7 @@ export async function handleGetCiphers(request: Request, env: Env, userId: strin
  const url = new URL(request.url);
  const includeDeleted = url.searchParams.get('deleted') === 'true';
  const pagination = parsePagination(url);
+  const omitFido2Credentials = shouldOmitPasskeysForResponse(request);

  let filteredCiphers: Cipher[];
  let continuationToken: string | null = null;
@@ -83,7 +248,7 @@ export async function handleGetCiphers(request: Request, env: Env, userId: strin
  const cipherResponses = [];
  for (const cipher of filteredCiphers) {
    const attachments = attachmentsByCipher.get(cipher.id) || [];
-    cipherResponses.push(cipherToResponse(cipher, attachments));
+    cipherResponses.push(cipherToResponse(cipher, attachments, { omitFido2Credentials }));
  }

  return jsonResponse({
@@ -103,7 +268,17 @@ export async function handleGetCipher(request: Request, env: Env, userId: string
  }

  const attachments = await storage.getAttachmentsByCipher(cipher.id);
-  return jsonResponse(cipherToResponse(cipher, attachments));
+  return jsonResponse(
+    cipherToResponse(cipher, attachments, {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
+}
+
+async function verifyFolderOwnership(storage: StorageService, folderId: string | null | undefined, userId: string): Promise<boolean> {
+  if (!folderId) return true;
+  const folder = await storage.getFolder(folderId);
+  return !!(folder && folder.userId === userId);
 }

 // POST /api/ciphers
@@ -134,13 +309,29 @@ export async function handleCreateCipher(request: Request, env: Env, userId: str
    reprompt: cipherData.reprompt || 0,
    createdAt: now,
    updatedAt: now,
+    archivedAt: readCipherArchivedAt(cipherData, null),
    deletedAt: null,
  };
+  const createFields = getAliasedProp(cipherData, ['fields', 'Fields']);
+  cipher.fields = createFields.present ? (createFields.value ?? null) : (cipher.fields ?? null);
+  normalizeCipherForStorage(cipher);
+
+  // Prevent referencing a folder owned by another user.
+  if (cipher.folderId) {
+    const folderOk = await verifyFolderOwnership(storage, cipher.folderId, userId);
+    if (!folderOk) return errorResponse('Folder not found', 404);
+  }

  await storage.saveCipher(cipher);
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);

-  return jsonResponse(cipherToResponse(cipher), 200);
+  return jsonResponse(
+    cipherToResponse(cipher, [], {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    }),
+    200
+  );
 }

 // PUT /api/ciphers/:id
@@ -176,13 +367,37 @@ export async function handleUpdateCipher(request: Request, env: Env, userId: str
    reprompt: cipherData.reprompt ?? existingCipher.reprompt,
    createdAt: existingCipher.createdAt,
    updatedAt: new Date().toISOString(),
+    archivedAt: readCipherArchivedAt(cipherData, existingCipher.archivedAt ?? null),
    deletedAt: existingCipher.deletedAt,
  };

-  await storage.saveCipher(cipher);
-  await storage.updateRevisionDate(userId);
+  // Custom fields deletion compatibility:
+  // - Accept both camelCase "fields" and PascalCase "Fields".
+  // - For full update (PUT/POST on this endpoint), missing fields means cleared fields.
+  //   This prevents stale custom fields from being resurrected by merge fallback.
+  const incomingFields = getAliasedProp(cipherData, ['fields', 'Fields']);
+  if (incomingFields.present) {
+    cipher.fields = incomingFields.value ?? null;
+  } else if (request.method === 'PUT' || request.method === 'POST') {
+    cipher.fields = null;
+  }
+  normalizeCipherForStorage(cipher);

-  return jsonResponse(cipherToResponse(cipher));
+  // Prevent referencing a folder owned by another user.
+  if (cipher.folderId) {
+    const folderOk = await verifyFolderOwnership(storage, cipher.folderId, userId);
+    if (!folderOk) return errorResponse('Folder not found', 404);
+  }
+
+  await storage.saveCipher(cipher);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  return jsonResponse(
+    cipherToResponse(cipher, [], {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
 }

 // DELETE /api/ciphers/:id
@@ -197,10 +412,40 @@ export async function handleDeleteCipher(request: Request, env: Env, userId: str
  // Soft delete
  cipher.deletedAt = new Date().toISOString();
  cipher.updatedAt = cipher.deletedAt;
+  syncCipherComputedAliases(cipher);
  await storage.saveCipher(cipher);
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);

-  return jsonResponse(cipherToResponse(cipher));
+  return jsonResponse(
+    cipherToResponse(cipher, [], {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
+}
+
+// DELETE /api/ciphers/:id (compat mode)
+// Bitwarden clients may call DELETE on a trashed item to purge it permanently.
+// For compatibility:
+// - If item is active -> soft delete.
+// - If item is already soft-deleted -> hard delete.
+export async function handleDeleteCipherCompat(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const cipher = await storage.getCipher(id);
+
+  if (!cipher || cipher.userId !== userId) {
+    return errorResponse('Cipher not found', 404);
+  }
+
+  if (cipher.deletedAt) {
+    await deleteAllAttachmentsForCipher(env, id);
+    await storage.deleteCipher(id, userId);
+    const revisionDate = await storage.updateRevisionDate(userId);
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+    return new Response(null, { status: 204 });
+  }
+
+  return handleDeleteCipher(request, env, userId, id);
 }

 // DELETE /api/ciphers/:id (permanent)
@@ -216,7 +461,8 @@ export async function handlePermanentDeleteCipher(request: Request, env: Env, us
  await deleteAllAttachmentsForCipher(env, id);

  await storage.deleteCipher(id, userId);
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);

  return new Response(null, { status: 204 });
 }
@@ -232,10 +478,16 @@ export async function handleRestoreCipher(request: Request, env: Env, userId: st

  cipher.deletedAt = null;
  cipher.updatedAt = new Date().toISOString();
+  syncCipherComputedAliases(cipher);
  await storage.saveCipher(cipher);
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);

-  return jsonResponse(cipherToResponse(cipher));
+  return jsonResponse(
+    cipherToResponse(cipher, [], {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
 }

 // PUT /api/ciphers/:id/partial - Update only favorite/folderId
@@ -255,17 +507,28 @@ export async function handlePartialUpdateCipher(request: Request, env: Env, user
  }

  if (body.folderId !== undefined) {
-    cipher.folderId = body.folderId;
+    const folderId = normalizeOptionalId(body.folderId);
+    if (folderId) {
+      const folderOk = await verifyFolderOwnership(storage, folderId, userId);
+      if (!folderOk) return errorResponse('Folder not found', 404);
+    }
+    cipher.folderId = folderId;
  }
  if (body.favorite !== undefined) {
    cipher.favorite = body.favorite;
  }
  cipher.updatedAt = new Date().toISOString();
+  syncCipherComputedAliases(cipher);

  await storage.saveCipher(cipher);
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);

-  return jsonResponse(cipherToResponse(cipher));
+  return jsonResponse(
+    cipherToResponse(cipher, [], {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
 }

 // POST/PUT /api/ciphers/move - Bulk move to folder
@@ -283,7 +546,219 @@ export async function handleBulkMoveCiphers(request: Request, env: Env, userId:
    return errorResponse('ids array is required', 400);
  }

-  await storage.bulkMoveCiphers(body.ids, body.folderId || null, userId);
+  const folderId = normalizeOptionalId(body.folderId);
+  if (folderId) {
+    const folderOk = await verifyFolderOwnership(storage, folderId, userId);
+    if (!folderOk) return errorResponse('Folder not found', 404);
+  }
+
+  const revisionDate = await storage.bulkMoveCiphers(body.ids, folderId, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }
+
+  return new Response(null, { status: 204 });
+}
+
+async function buildCipherListResponse(
+  request: Request,
+  storage: StorageService,
+  userId: string,
+  ids: string[]
+): Promise<Response> {
+  const ciphers = await storage.getCiphersByIds(ids, userId);
+  const attachmentsByCipher = await storage.getAttachmentsByCipherIds(ciphers.map((cipher) => cipher.id));
+  const omitFido2Credentials = shouldOmitPasskeysForResponse(request);
+
+  return jsonResponse({
+    data: ciphers.map((cipher) =>
+      cipherToResponse(cipher, attachmentsByCipher.get(cipher.id) || [], {
+        omitFido2Credentials,
+      })
+    ),
+    object: 'list',
+    continuationToken: null,
+  });
+}
+
+function parseCipherIdList(body: { ids?: unknown }): string[] | null {
+  if (!Array.isArray(body.ids)) return null;
+  return Array.from(new Set(body.ids.map((id) => String(id || '').trim()).filter(Boolean)));
+}
+
+// PUT/POST /api/ciphers/:id/archive
+export async function handleArchiveCipher(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const cipher = await storage.getCipher(id);
+
+  if (!cipher || cipher.userId !== userId) {
+    return errorResponse('Cipher not found', 404);
+  }
+  if (cipher.deletedAt) {
+    return errorResponse('Cannot archive a deleted cipher', 400);
+  }
+
+  cipher.archivedAt = new Date().toISOString();
+  cipher.updatedAt = cipher.archivedAt;
+  normalizeCipherForStorage(cipher);
+  await storage.saveCipher(cipher);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  const attachments = await storage.getAttachmentsByCipher(cipher.id);
+  return jsonResponse(
+    cipherToResponse(cipher, attachments, {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
+}
+
+// PUT/POST /api/ciphers/:id/unarchive
+export async function handleUnarchiveCipher(request: Request, env: Env, userId: string, id: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const cipher = await storage.getCipher(id);
+
+  if (!cipher || cipher.userId !== userId) {
+    return errorResponse('Cipher not found', 404);
+  }
+
+  cipher.archivedAt = null;
+  cipher.updatedAt = new Date().toISOString();
+  normalizeCipherForStorage(cipher);
+  await storage.saveCipher(cipher);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  const attachments = await storage.getAttachmentsByCipher(cipher.id);
+  return jsonResponse(
+    cipherToResponse(cipher, attachments, {
+      omitFido2Credentials: shouldOmitPasskeysForResponse(request),
+    })
+  );
+}
+
+// PUT/POST /api/ciphers/archive
+export async function handleBulkArchiveCiphers(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: unknown };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const ids = parseCipherIdList(body);
+  if (!ids) {
+    return errorResponse('ids array is required', 400);
+  }
+
+  const revisionDate = await storage.bulkArchiveCiphers(ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }
+
+  return buildCipherListResponse(request, storage, userId, ids);
+}
+
+// PUT/POST /api/ciphers/unarchive
+export async function handleBulkUnarchiveCiphers(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: unknown };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const ids = parseCipherIdList(body);
+  if (!ids) {
+    return errorResponse('ids array is required', 400);
+  }
+
+  const revisionDate = await storage.bulkUnarchiveCiphers(ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }
+
+  return buildCipherListResponse(request, storage, userId, ids);
+}
+
+// POST /api/ciphers/delete - Bulk soft delete
+export async function handleBulkDeleteCiphers(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: string[] };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  if (!body.ids || !Array.isArray(body.ids)) {
+    return errorResponse('ids array is required', 400);
+  }
+
+  const revisionDate = await storage.bulkSoftDeleteCiphers(body.ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }
+
+  return new Response(null, { status: 204 });
+}
+
+// POST /api/ciphers/restore - Bulk restore
+export async function handleBulkRestoreCiphers(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: string[] };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  if (!body.ids || !Array.isArray(body.ids)) {
+    return errorResponse('ids array is required', 400);
+  }
+
+  const revisionDate = await storage.bulkRestoreCiphers(body.ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }
+
+  return new Response(null, { status: 204 });
+}
+
+// POST /api/ciphers/delete-permanent - Bulk permanent delete
+export async function handleBulkPermanentDeleteCiphers(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: string[] };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  if (!body.ids || !Array.isArray(body.ids)) {
+    return errorResponse('ids array is required', 400);
+  }
+
+  const ids = Array.from(new Set(body.ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!ids.length) {
+    return new Response(null, { status: 204 });
+  }
+
+  for (const id of ids) {
+    await deleteAllAttachmentsForCipher(env, id);
+  }
+
+  const revisionDate = await storage.bulkDeleteCiphers(ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }

  return new Response(null, { status: 204 });
 }
@@ -1,7 +1,105 @@
+import type { Device, DevicePendingAuthRequest, DeviceResponse, ProtectedDeviceResponse as ProtectedDeviceWireResponse } from '../types';
 import { Env } from '../types';
+import { getOnlineUserDevices, notifyUserLogout } from '../durable/notifications-hub';
 import { StorageService } from '../services/storage';
-import { jsonResponse } from '../utils/response';
+import { errorResponse, jsonResponse } from '../utils/response';
 import { readKnownDeviceProbe } from '../utils/device';
+import { generateUUID } from '../utils/uuid';
+
+function normalizeIdentifier(value: string | null | undefined): string {
+  return String(value || '').trim();
+}
+
+function buildDevicePendingAuthRequest(value?: { id?: string | null; creationDate?: string | null } | null): DevicePendingAuthRequest | null {
+  if (!value?.id || !value.creationDate) return null;
+  return {
+    id: String(value.id),
+    creationDate: String(value.creationDate),
+  };
+}
+
+function isTrustedDevice(device: Pick<Device, 'encryptedUserKey' | 'encryptedPublicKey'>): boolean {
+  return !!(device.encryptedUserKey && device.encryptedPublicKey);
+}
+
+function buildDeviceResponse(device: Device): DeviceResponse {
+  const response = {
+    Id: device.deviceIdentifier,
+    id: device.deviceIdentifier,
+    UserId: device.userId,
+    userId: device.userId,
+    Name: device.name,
+    name: device.name,
+    Identifier: device.deviceIdentifier,
+    identifier: device.deviceIdentifier,
+    Type: device.type,
+    type: device.type,
+    CreationDate: device.createdAt,
+    creationDate: device.createdAt,
+    RevisionDate: device.updatedAt,
+    revisionDate: device.updatedAt,
+    IsTrusted: isTrustedDevice(device),
+    isTrusted: isTrustedDevice(device),
+    EncryptedUserKey: device.encryptedUserKey,
+    encryptedUserKey: device.encryptedUserKey,
+    EncryptedPublicKey: device.encryptedPublicKey,
+    encryptedPublicKey: device.encryptedPublicKey,
+    DevicePendingAuthRequest: buildDevicePendingAuthRequest(device.devicePendingAuthRequest),
+    devicePendingAuthRequest: buildDevicePendingAuthRequest(device.devicePendingAuthRequest),
+    object: 'device',
+  };
+  return response as DeviceResponse;
+}
+
+function buildProtectedDeviceResponse(device: Device): ProtectedDeviceWireResponse {
+  const response = {
+    Id: device.deviceIdentifier,
+    id: device.deviceIdentifier,
+    Name: device.name,
+    name: device.name,
+    Identifier: device.deviceIdentifier,
+    identifier: device.deviceIdentifier,
+    Type: device.type,
+    type: device.type,
+    CreationDate: device.createdAt,
+    creationDate: device.createdAt,
+    EncryptedUserKey: device.encryptedUserKey,
+    encryptedUserKey: device.encryptedUserKey,
+    EncryptedPublicKey: device.encryptedPublicKey,
+    encryptedPublicKey: device.encryptedPublicKey,
+    object: 'protectedDevice',
+  };
+  return response as ProtectedDeviceWireResponse;
+}
+
+function parseKeysBody(body: any, fallback?: Device): {
+  encryptedUserKey?: string | null;
+  encryptedPublicKey?: string | null;
+  encryptedPrivateKey?: string | null;
+} {
+  return {
+    encryptedUserKey:
+      Object.prototype.hasOwnProperty.call(body || {}, 'encryptedUserKey')
+        ? body?.encryptedUserKey ?? null
+        : fallback?.encryptedUserKey ?? null,
+    encryptedPublicKey:
+      Object.prototype.hasOwnProperty.call(body || {}, 'encryptedPublicKey')
+        ? body?.encryptedPublicKey ?? null
+        : fallback?.encryptedPublicKey ?? null,
+    encryptedPrivateKey:
+      Object.prototype.hasOwnProperty.call(body || {}, 'encryptedPrivateKey')
+        ? body?.encryptedPrivateKey ?? null
+        : fallback?.encryptedPrivateKey ?? null,
+  };
+}
+
+async function readJsonBody(request: Request): Promise<any> {
+  try {
+    return await request.json();
+  } catch {
+    return null;
+  }
+}

 // GET /api/devices/knowndevice
 // Compatible with Bitwarden/Vaultwarden behavior:
@@ -26,17 +124,343 @@ export async function handleGetDevices(request: Request, env: Env, userId: strin
  const devices = await storage.getDevicesByUserId(userId);

  return jsonResponse({
-    data: devices.map(device => ({
-      id: device.deviceIdentifier,
-      name: device.name,
-      identifier: device.deviceIdentifier,
-      type: device.type,
-      creationDate: device.createdAt,
-      revisionDate: device.updatedAt,
-      object: 'device',
-    })),
+    data: devices.map((device) => buildDeviceResponse(device)),
    object: 'list',
    continuationToken: null,
  });
 }

+// GET /api/devices/identifier/:deviceIdentifier
+export async function handleGetDeviceByIdentifier(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = normalizeIdentifier(deviceIdentifier);
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  const device = await storage.getDevice(userId, normalized);
+  if (!device) {
+    return errorResponse('Device not found', 404);
+  }
+
+  return jsonResponse(buildDeviceResponse(device));
+}
+
+// GET /api/devices/:deviceIdentifier
+export async function handleGetDevice(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  return handleGetDeviceByIdentifier(request, env, userId, deviceIdentifier);
+}
+
+// GET /api/devices/authorized
+// Returns known devices together with active 2FA remember-token expiry.
+export async function handleGetAuthorizedDevices(request: Request, env: Env, userId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const [devices, trusted, onlineDeviceIdentifiers] = await Promise.all([
+    storage.getDevicesByUserId(userId),
+    storage.getTrustedDeviceTokenSummariesByUserId(userId),
+    getOnlineUserDevices(env, userId),
+  ]);
+  const onlineSet = new Set(onlineDeviceIdentifiers);
+
+  const trustedByIdentifier = new Map<string, { expiresAt: number; tokenCount: number }>();
+  for (const row of trusted) {
+    trustedByIdentifier.set(row.deviceIdentifier, { expiresAt: row.expiresAt, tokenCount: row.tokenCount });
+  }
+
+  const knownIdentifiers = new Set<string>();
+  const data = devices.map(device => {
+    knownIdentifiers.add(device.deviceIdentifier);
+    const trustedInfo = trustedByIdentifier.get(device.deviceIdentifier);
+    return {
+      ...buildDeviceResponse(device),
+      online: onlineSet.has(device.deviceIdentifier),
+      trusted: !!trustedInfo,
+      trustedTokenCount: trustedInfo?.tokenCount || 0,
+      trustedUntil: trustedInfo?.expiresAt ? new Date(trustedInfo.expiresAt).toISOString() : null,
+      object: 'device',
+    };
+  });
+
+  for (const row of trusted) {
+    if (knownIdentifiers.has(row.deviceIdentifier)) continue;
+    const placeholderDevice: Device = {
+      userId,
+      deviceIdentifier: row.deviceIdentifier,
+      name: 'Unknown device',
+      type: 14,
+      sessionStamp: '',
+      encryptedUserKey: null,
+      encryptedPublicKey: null,
+      encryptedPrivateKey: null,
+      devicePendingAuthRequest: null,
+      createdAt: '',
+      updatedAt: '',
+    };
+    data.push({
+      ...buildDeviceResponse(placeholderDevice),
+      isTrusted: true,
+      online: onlineSet.has(row.deviceIdentifier),
+      trusted: true,
+      trustedTokenCount: row.tokenCount,
+      trustedUntil: row.expiresAt ? new Date(row.expiresAt).toISOString() : null,
+      object: 'device',
+    });
+  }
+
+  return jsonResponse({
+    data,
+    object: 'list',
+    continuationToken: null,
+  });
+}
+
+// DELETE /api/devices/authorized
+export async function handleRevokeAllTrustedDevices(request: Request, env: Env, userId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const removed = await storage.deleteTrustedTwoFactorTokensByUserId(userId);
+  return jsonResponse({ success: true, removed });
+}
+
+// DELETE /api/devices/authorized/:deviceIdentifier
+export async function handleRevokeTrustedDevice(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = String(deviceIdentifier || '').trim();
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  const removed = await storage.deleteTrustedTwoFactorTokensByDevice(userId, normalized);
+  return jsonResponse({ success: true, removed });
+}
+
+// DELETE /api/devices/:deviceIdentifier
+export async function handleDeleteDevice(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = String(deviceIdentifier || '').trim();
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  await storage.deleteTrustedTwoFactorTokensByDevice(userId, normalized);
+  await storage.deleteRefreshTokensByDevice(userId, normalized);
+  const deleted = await storage.deleteDevice(userId, normalized);
+  if (deleted) {
+    await notifyUserLogout(env, userId, normalized);
+  }
+  return jsonResponse({ success: deleted });
+}
+
+// DELETE /api/devices
+export async function handleDeleteAllDevices(request: Request, env: Env, userId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const user = await storage.getUserById(userId);
+  if (!user) return errorResponse('User not found', 404);
+
+  const [removedTrusted, removedSessions, removedDevices] = await Promise.all([
+    storage.deleteTrustedTwoFactorTokensByUserId(userId),
+    storage.deleteRefreshTokensByUserId(userId),
+    storage.deleteDevicesByUserId(userId),
+  ]);
+  user.securityStamp = generateUUID();
+  user.updatedAt = new Date().toISOString();
+  await storage.saveUser(user);
+  await notifyUserLogout(env, userId, null);
+  return jsonResponse({ success: true, removedTrusted, removedSessions: removedSessions ?? 0, removedDevices });
+}
+
+// PUT/POST /api/devices/identifier/:deviceIdentifier/keys
+export async function handleUpdateDeviceKeys(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  const normalized = normalizeIdentifier(deviceIdentifier);
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const body = await readJsonBody(request);
+  const storage = new StorageService(env.DB);
+  const device = await storage.getDevice(userId, normalized);
+  if (!device) {
+    return errorResponse('Device not found', 404);
+  }
+
+  const updated = await storage.updateDeviceKeys(userId, normalized, parseKeysBody(body, device));
+  if (!updated) {
+    return errorResponse('Device not found', 404);
+  }
+
+  const nextDevice = await storage.getDevice(userId, normalized);
+  return jsonResponse(buildDeviceResponse(nextDevice || device));
+}
+
+// POST /api/devices/update-trust
+export async function handleUpdateDeviceTrust(
+  request: Request,
+  env: Env,
+  userId: string
+): Promise<Response> {
+  const body = await readJsonBody(request);
+  const storage = new StorageService(env.DB);
+  const currentDeviceIdentifier =
+    normalizeIdentifier(request.headers.get('Device-Identifier')) ||
+    normalizeIdentifier(request.headers.get('X-Device-Identifier'));
+
+  const updates: Array<{
+    deviceIdentifier: string;
+    keys: {
+      encryptedUserKey?: string | null;
+      encryptedPublicKey?: string | null;
+      encryptedPrivateKey?: string | null;
+    };
+  }> = [];
+
+  if (currentDeviceIdentifier && body?.currentDevice) {
+    updates.push({
+      deviceIdentifier: currentDeviceIdentifier,
+      keys: parseKeysBody(body.currentDevice, await storage.getDevice(userId, currentDeviceIdentifier) || undefined),
+    });
+  }
+
+  if (Array.isArray(body?.otherDevices)) {
+    for (const item of body.otherDevices) {
+      const deviceIdentifier = normalizeIdentifier(item?.deviceId);
+      if (!deviceIdentifier) continue;
+      updates.push({
+        deviceIdentifier,
+        keys: parseKeysBody(item, await storage.getDevice(userId, deviceIdentifier) || undefined),
+      });
+    }
+  }
+
+  let updatedCount = 0;
+  for (const update of updates) {
+    const ok = await storage.updateDeviceKeys(userId, update.deviceIdentifier, update.keys);
+    if (ok) updatedCount++;
+  }
+
+  return jsonResponse({ success: true, updated: updatedCount });
+}
+
+// POST /api/devices/untrust
+export async function handleUntrustDevices(
+  request: Request,
+  env: Env,
+  userId: string
+): Promise<Response> {
+  const body = await readJsonBody(request);
+  const storage = new StorageService(env.DB);
+  const devices = Array.isArray(body?.devices) ? body.devices.map((id: unknown) => normalizeIdentifier(String(id))) : [];
+  const removed = await storage.clearDeviceKeys(userId, devices);
+  for (const deviceIdentifier of devices) {
+    if (!deviceIdentifier) continue;
+    await storage.deleteTrustedTwoFactorTokensByDevice(userId, deviceIdentifier);
+  }
+  return jsonResponse({ success: true, removed });
+}
+
+// POST /api/devices/:deviceIdentifier/retrieve-keys
+export async function handleRetrieveDeviceKeys(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = normalizeIdentifier(deviceIdentifier);
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  const device = await storage.getDevice(userId, normalized);
+  if (!device) {
+    return errorResponse('Device not found', 404);
+  }
+
+  return jsonResponse(buildProtectedDeviceResponse(device));
+}
+
+// POST /api/devices/:id/deactivate
+export async function handleDeactivateDevice(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  const normalized = normalizeIdentifier(deviceIdentifier);
+  if (!normalized) return errorResponse('Invalid device identifier', 400);
+
+  const storage = new StorageService(env.DB);
+  await storage.deleteTrustedTwoFactorTokensByDevice(userId, normalized);
+  await storage.deleteRefreshTokensByDevice(userId, normalized);
+  const deleted = await storage.deleteDevice(userId, normalized);
+  if (deleted) {
+    await notifyUserLogout(env, userId, normalized);
+  }
+  return jsonResponse({ success: deleted });
+}
+
+// PUT /api/devices/identifier/{deviceIdentifier}/token
+// Bitwarden mobile reports push token updates to this endpoint.
+// NodeWarden does not implement push notifications, so accept and no-op.
+export async function handleUpdateDeviceToken(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  void env;
+  void userId;
+  void deviceIdentifier;
+  return new Response(null, { status: 200 });
+}
+
+// PUT/POST /api/devices/:deviceIdentifier/web-push-auth
+export async function handleUpdateDeviceWebPushAuth(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  void env;
+  void userId;
+  void deviceIdentifier;
+  return new Response(null, { status: 200 });
+}
+
+// PUT/POST /api/devices/:deviceIdentifier/clear-token
+export async function handleClearDeviceToken(
+  request: Request,
+  env: Env,
+  userId: string,
+  deviceIdentifier: string
+): Promise<Response> {
+  void request;
+  void env;
+  void userId;
+  void deviceIdentifier;
+  return new Response(null, { status: 200 });
+}
+
@@ -1,9 +1,20 @@
 import { Env, Folder, FolderResponse } from '../types';
+import { notifyUserVaultSync } from '../durable/notifications-hub';
 import { StorageService } from '../services/storage';
 import { jsonResponse, errorResponse } from '../utils/response';
+import { readActingDeviceIdentifier } from '../utils/device';
 import { generateUUID } from '../utils/uuid';
 import { parsePagination, encodeContinuationToken } from '../utils/pagination';

+async function notifyVaultSyncForRequest(
+  request: Request,
+  env: Env,
+  userId: string,
+  revisionDate: string
+): Promise<void> {
+  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+}
+
 // Convert internal folder to API response format
 function folderToResponse(folder: Folder): FolderResponse {
  return {
@@ -75,7 +86,8 @@ export async function handleCreateFolder(request: Request, env: Env, userId: str
  };

  await storage.saveFolder(folder);
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);

  return jsonResponse(folderToResponse(folder), 200);
 }
@@ -102,7 +114,8 @@ export async function handleUpdateFolder(request: Request, env: Env, userId: str
  folder.updatedAt = new Date().toISOString();

  await storage.saveFolder(folder);
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);

  return jsonResponse(folderToResponse(folder));
 }
@@ -118,7 +131,32 @@ export async function handleDeleteFolder(request: Request, env: Env, userId: str

  await storage.clearFolderFromCiphers(userId, id);
  await storage.deleteFolder(id, userId);
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  return new Response(null, { status: 204 });
+}
+
+// POST /api/folders/delete
+export async function handleBulkDeleteFolders(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: string[] };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const ids = Array.isArray(body.ids) ? body.ids.map((id) => String(id || '').trim()).filter(Boolean) : [];
+  if (!ids.length) {
+    return errorResponse('Folder ids are required', 400);
+  }
+
+  const revisionDate = await storage.bulkDeleteFolders(ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }

  return new Response(null, { status: 204 });
 }
@@ -7,21 +7,81 @@ import { LIMITS } from '../config/limits';
 import { isTotpEnabled, verifyTotpToken } from '../utils/totp';
 import { createRefreshToken } from '../utils/jwt';
 import { readAuthRequestDeviceInfo } from '../utils/device';
+import { createRecoveryCode, recoveryCodeEquals } from '../utils/recovery-code';
+import { generateUUID } from '../utils/uuid';
+import { issueSendAccessToken } from './sends';
+import {
+  buildAccountKeys,
+  buildUserDecryptionOptions,
+} from '../utils/user-decryption';

 const TWO_FACTOR_REMEMBER_TTL_MS = 30 * 24 * 60 * 60 * 1000;
+const TWO_FACTOR_PROVIDER_AUTHENTICATOR = 0;
+const TWO_FACTOR_PROVIDER_REMEMBER = 5;
+// Android client (2026.2.x) deserializes TwoFactorProviders2 keys with -1 for recovery code.
+// Keep request parsing backward-compatible with historical provider values (8 / 100).
+const TWO_FACTOR_PROVIDER_RECOVERY_CODE_RESPONSE = '-1';
+const TWO_FACTOR_PROVIDER_RECOVERY_CODE_LEGACY = 8;
+const TWO_FACTOR_PROVIDER_RECOVERY_CODE_ANDROID_REQUEST = 100;
+
+function resolveTotpSecret(userSecret: string | null): string | null {
+  if (userSecret && isTotpEnabled(userSecret)) {
+    return userSecret;
+  }
+  return null;
+}
+
+function buildPreloginResponse(
+  email: string,
+  kdfType: number,
+  kdfIterations: number,
+  kdfMemory: number | null,
+  kdfParallelism: number | null
+): Record<string, unknown> {
+  return {
+    kdf: kdfType,
+    kdfIterations,
+    kdfMemory,
+    kdfParallelism,
+    KdfSettings: {
+      KdfType: kdfType,
+      Iterations: kdfIterations,
+      Memory: kdfMemory,
+      Parallelism: kdfParallelism,
+    },
+    Salt: email.toLowerCase(),
+  };
+}
+
+function twoFactorRequiredResponse(message: string = 'Two factor required.', includeRecoveryCode: boolean = false): Response {
+  const providers = includeRecoveryCode
+    ? [String(TWO_FACTOR_PROVIDER_AUTHENTICATOR), TWO_FACTOR_PROVIDER_RECOVERY_CODE_RESPONSE]
+    : [String(TWO_FACTOR_PROVIDER_AUTHENTICATOR)];
+  const providers2: Record<string, null> = {};
+  for (const provider of providers) providers2[provider] = null;
+  const customResponse = {
+    TwoFactorProviders: providers,
+    TwoFactorProviders2: providers2,
+    SsoEmail2faSessionToken: null,
+    MasterPasswordPolicy: {
+      Object: 'masterPasswordPolicy',
+    },
+  };

-function twoFactorRequiredResponse(message: string = 'Two factor required.'): Response {
  // Bitwarden clients rely on these fields to trigger the 2FA UI flow.
  return jsonResponse(
    {
      error: 'invalid_grant',
      error_description: message,
-      TwoFactorProviders: [0],
-      TwoFactorProviders2: {
-        '0': {
-          Priority: 1,
-        },
-      },
+      Error: 'invalid_grant',
+      ErrorDescription: message,
+      ErrorMessage: message,
+      TwoFactorProviders: customResponse.TwoFactorProviders,
+      TwoFactorProviders2: customResponse.TwoFactorProviders2,
+      // Required by current Android parser (nullable value is acceptable).
+      SsoEmail2faSessionToken: customResponse.SsoEmail2faSessionToken,
+      MasterPasswordPolicy: customResponse.MasterPasswordPolicy,
+      CustomResponse: customResponse,
      ErrorModel: {
        Message: message,
        Object: 'error',
@@ -47,6 +107,21 @@ async function recordFailedLoginAndBuildResponse(
  return identityErrorResponse(message, 'invalid_grant', 400);
 }

+async function recordFailedTwoFactorAndBuildResponse(
+  rateLimit: RateLimitService,
+  loginIdentifier: string
+): Promise<Response> {
+  const failed = await rateLimit.recordFailedLogin(loginIdentifier);
+  if (failed.locked) {
+    return identityErrorResponse(
+      `Too many failed login attempts. Account locked for ${Math.ceil(failed.retryAfterSeconds! / 60)} minutes.`,
+      'TooManyRequests',
+      429
+    );
+  }
+  return identityErrorResponse('Two-step token is invalid. Try again.', 'invalid_grant', 400);
+}
+
 // POST /identity/connect/token
 export async function handleToken(request: Request, env: Env): Promise<Response> {
  const storage = new StorageService(env.DB);
@@ -67,6 +142,10 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
  }

  const grantType = body.grant_type;
+  const clientIdentifier = getClientIdentifier(request);
+  if (!clientIdentifier) {
+    return identityErrorResponse('Client IP is required', 'invalid_request', 403);
+  }

  if (grantType === 'password') {
    // Login with password
@@ -75,7 +154,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
    const twoFactorToken = body.twoFactorToken;
    const twoFactorProvider = body.twoFactorProvider;
    const twoFactorRemember = body.twoFactorRemember;
-    const loginIdentifier = getClientIdentifier(request);
+    const loginIdentifier = `${clientIdentifier}:${email}`;
    const deviceInfo = readAuthRequestDeviceInfo(body, request);

    if (!email || !passwordHash) {
@@ -98,8 +177,12 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      await rateLimit.recordFailedLogin(loginIdentifier);
      return identityErrorResponse('Username or password is incorrect. Try again', 'invalid_grant', 400);
    }
+    if (user.status !== 'active') {
+      await rateLimit.recordFailedLogin(loginIdentifier);
+      return identityErrorResponse('Account is disabled', 'invalid_grant', 400);
+    }

-    const valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash);
+    const valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash, user.email);
    if (!valid) {
      return recordFailedLoginAndBuildResponse(
        rateLimit,
@@ -108,45 +191,63 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      );
    }

-    if (deviceInfo.deviceIdentifier) {
-      await storage.upsertDevice(user.id, deviceInfo.deviceIdentifier, deviceInfo.deviceName, deviceInfo.deviceType);
-    }
-
-    // Optional 2FA: enabled only when TOTP_SECRET is configured in Workers env.
+    // Optional 2FA: enabled only by per-user secret.
    let trustedTwoFactorTokenToReturn: string | undefined;
-    if (isTotpEnabled(env.TOTP_SECRET)) {
-      const rememberRequested = ['1', 'true', 'True', 'TRUE', 'on', 'yes', 'Yes', 'YES'].includes(String(twoFactorRemember || '').trim());
+    const effectiveTotpSecret = resolveTotpSecret(user.totpSecret);
+    if (effectiveTotpSecret) {
+      const canUseRecoveryCode = !!user.totpRecoveryCode;
+      const normalizedTwoFactorProvider = String(twoFactorProvider ?? '').trim();
+      const normalizedTwoFactorToken = String(twoFactorToken ?? '').trim();
+      let rememberRequested = ['1', 'true', 'True', 'TRUE', 'on', 'yes', 'Yes', 'YES'].includes(String(twoFactorRemember || '').trim());
+      const hasProvider = normalizedTwoFactorProvider.length > 0;
+      const hasToken = normalizedTwoFactorToken.length > 0;
+
+      // Upstream-compatible behavior: if 2FA is required and either provider or token is missing,
+      // respond with a 2FA challenge payload.
+      if (!hasProvider || !hasToken) {
+        return twoFactorRequiredResponse('Two factor required.', canUseRecoveryCode);
+      }

-      // Bitwarden may reuse twoFactorToken as a remembered-device token on subsequent logins.
      let passedByRememberToken = false;
-      if (twoFactorToken && !/^\d{6}$/.test(twoFactorToken) && deviceInfo.deviceIdentifier) {
-        const trustedUserId = await storage.getTrustedTwoFactorDeviceTokenUserId(
-          twoFactorToken,
-          deviceInfo.deviceIdentifier
-        );
-        passedByRememberToken = trustedUserId === user.id;
-      }
-
-      if (!passedByRememberToken && !twoFactorToken) {
-        return twoFactorRequiredResponse();
-      }
-
-      if (!passedByRememberToken) {
-        const totpOk = await verifyTotpToken(env.TOTP_SECRET!, twoFactorToken);
-        if (!totpOk) {
-          const failed = await rateLimit.recordFailedLogin(loginIdentifier);
-          if (failed.locked) {
-            return identityErrorResponse(
-              `Too many failed login attempts. Account locked for ${Math.ceil(failed.retryAfterSeconds! / 60)} minutes.`,
-              'TooManyRequests',
-              429
-            );
-          }
-          return identityErrorResponse('Invalid two-factor token', 'invalid_grant', 400);
+      if (normalizedTwoFactorProvider === String(TWO_FACTOR_PROVIDER_REMEMBER)) {
+        if (deviceInfo.deviceIdentifier) {
+          const trustedUserId = await storage.getTrustedTwoFactorDeviceTokenUserId(
+            normalizedTwoFactorToken,
+            deviceInfo.deviceIdentifier
+          );
+          passedByRememberToken = trustedUserId === user.id;
        }
+
+        // Remember token missing/invalid/expired should re-enter the 2FA challenge flow.
+        if (!passedByRememberToken) {
+          return twoFactorRequiredResponse('Two factor required.', canUseRecoveryCode);
+        }
+      } else if (normalizedTwoFactorProvider === String(TWO_FACTOR_PROVIDER_AUTHENTICATOR)) {
+        const totpOk = await verifyTotpToken(effectiveTotpSecret, normalizedTwoFactorToken);
+        if (!totpOk) {
+          return recordFailedTwoFactorAndBuildResponse(rateLimit, loginIdentifier);
+        }
+      } else if (
+        normalizedTwoFactorProvider === TWO_FACTOR_PROVIDER_RECOVERY_CODE_RESPONSE ||
+        normalizedTwoFactorProvider === String(TWO_FACTOR_PROVIDER_RECOVERY_CODE_LEGACY) ||
+        normalizedTwoFactorProvider === String(TWO_FACTOR_PROVIDER_RECOVERY_CODE_ANDROID_REQUEST)
+      ) {
+        if (!recoveryCodeEquals(normalizedTwoFactorToken, user.totpRecoveryCode)) {
+          return recordFailedTwoFactorAndBuildResponse(rateLimit, loginIdentifier);
+        }
+        user.totpSecret = null;
+        user.totpRecoveryCode = createRecoveryCode();
+        user.updatedAt = new Date().toISOString();
+        await storage.saveUser(user);
+        await storage.deleteRefreshTokensByUserId(user.id);
+        rememberRequested = false;
+      } else {
+        // Unsupported provider for this server profile behaves as an invalid 2FA attempt.
+        return recordFailedTwoFactorAndBuildResponse(rateLimit, loginIdentifier);
      }

-      if (rememberRequested && deviceInfo.deviceIdentifier) {
+      // Upstream behavior: do not issue a new remember token when auth itself used remember provider.
+      if (rememberRequested && !passedByRememberToken && deviceInfo.deviceIdentifier) {
        trustedTwoFactorTokenToReturn = createRefreshToken();
        await storage.saveTrustedTwoFactorDeviceToken(
          trustedTwoFactorTokenToReturn,
@@ -157,11 +258,26 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      }
    }

+    // Persist device only after successful password + (optional) 2FA verification.
+    const deviceSession =
+      deviceInfo.deviceIdentifier
+        ? { identifier: deviceInfo.deviceIdentifier, sessionStamp: generateUUID() }
+        : null;
+    if (deviceSession) {
+      await storage.upsertDevice(
+        user.id,
+        deviceSession.identifier,
+        deviceInfo.deviceName,
+        deviceInfo.deviceType,
+        deviceSession.sessionStamp
+      );
+    }
+
    // Successful login - clear failed attempts
    await rateLimit.clearLoginAttempts(loginIdentifier);

-    const accessToken = await auth.generateAccessToken(user);
-    const refreshToken = await auth.generateRefreshToken(user.id);
+    const accessToken = await auth.generateAccessToken(user, deviceSession);
+    const refreshToken = await auth.generateRefreshToken(user.id, deviceSession);

    const response: TokenResponse = {
      access_token: accessToken,
@@ -171,35 +287,89 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      ...(trustedTwoFactorTokenToReturn ? { TwoFactorToken: trustedTwoFactorTokenToReturn } : {}),
      Key: user.key,
      PrivateKey: user.privateKey,
+      AccountKeys: buildAccountKeys(user),
+      accountKeys: buildAccountKeys(user),
      Kdf: user.kdfType,
      KdfIterations: user.kdfIterations,
      KdfMemory: user.kdfMemory,
      KdfParallelism: user.kdfParallelism,
      ForcePasswordReset: false,
      ResetMasterPassword: false,
+      MasterPasswordPolicy: {
+        Object: 'masterPasswordPolicy',
+      },
+      ApiUseKeyConnector: false,
      scope: 'api offline_access',
      unofficialServer: true,
-      UserDecryptionOptions: {
-        HasMasterPassword: true,
-        Object: 'userDecryptionOptions',
-        MasterPasswordUnlock: {
-          Kdf: {
-            KdfType: user.kdfType,
-            Iterations: user.kdfIterations,
-            Memory: user.kdfMemory || null,
-            Parallelism: user.kdfParallelism || null,
-          },
-          MasterKeyEncryptedUserKey: user.key,
-          MasterKeyWrappedUserKey: user.key,
-          Salt: email, // email is already lowercased above
-          Object: 'masterPasswordUnlock',
-        },
-      },
+      UserDecryptionOptions: buildUserDecryptionOptions(user),
+      userDecryptionOptions: buildUserDecryptionOptions(user),
    };

    return jsonResponse(response);

+  } else if (grantType === 'send_access') {
+    const sendAccessLimit = await rateLimit.consumeBudget(`${clientIdentifier}:public`, LIMITS.rateLimit.publicRequestsPerMinute);
+    if (!sendAccessLimit.allowed) {
+      return identityErrorResponse(
+        `Rate limit exceeded. Try again in ${sendAccessLimit.retryAfterSeconds} seconds.`,
+        'TooManyRequests',
+        429
+      );
+    }
+
+    const sendId = String(body.send_id || body.sendId || '').trim();
+    if (!sendId) {
+      return jsonResponse(
+        {
+          error: 'invalid_request',
+          error_description: 'send_id is required',
+          send_access_error_type: 'invalid_send_id',
+          ErrorModel: {
+            Message: 'send_id is required',
+            Object: 'error',
+          },
+        },
+        400
+      );
+    }
+
+    const passwordHashB64 = String(
+      body.password_hash_b64 || body.passwordHashB64 || body.passwordHash || body.password_hash || ''
+    ).trim() || null;
+    const password = String(body.password || '').trim() || null;
+
+    const result = await issueSendAccessToken(
+      env,
+      sendId,
+      passwordHashB64,
+      password,
+      rateLimit,
+      `${clientIdentifier}:send-password`
+    );
+    if ('error' in result) {
+      return result.error;
+    }
+
+    return jsonResponse({
+      access_token: result.token,
+      expires_in: LIMITS.auth.sendAccessTokenTtlSeconds,
+      token_type: 'Bearer',
+      scope: 'api.send',
+      unofficialServer: true,
+    });
  } else if (grantType === 'refresh_token') {
+    const refreshLimit = await rateLimit.consumeBudget(
+      `${clientIdentifier}:identity-refresh`,
+      LIMITS.rateLimit.refreshTokenRequestsPerMinute
+    );
+    if (!refreshLimit.allowed) {
+      return identityErrorResponse(
+        `Rate limit exceeded. Try again in ${refreshLimit.retryAfterSeconds} seconds.`,
+        'TooManyRequests',
+        429
+      );
+    }
+
    // Refresh token
    const refreshToken = body.refresh_token;
    if (!refreshToken) {
@@ -211,11 +381,15 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      return identityErrorResponse('Invalid refresh token', 'invalid_grant', 400);
    }

-    // Revoke old refresh token (prevent reuse)
-    await storage.deleteRefreshToken(refreshToken);
+    // Keep a short overlap window for old refresh token to absorb
+    // concurrent refresh requests from multiple client contexts.
+    await storage.constrainRefreshTokenExpiry(
+      refreshToken,
+      Date.now() + LIMITS.auth.refreshTokenOverlapGraceMs
+    );

-    const { accessToken, user } = result;
-    const newRefreshToken = await auth.generateRefreshToken(user.id);
+    const { accessToken, user, device } = result;
+    const newRefreshToken = await auth.generateRefreshToken(user.id, device);

    const response: TokenResponse = {
      access_token: accessToken,
@@ -224,30 +398,22 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
      refresh_token: newRefreshToken,
      Key: user.key,
      PrivateKey: user.privateKey,
+      AccountKeys: buildAccountKeys(user),
+      accountKeys: buildAccountKeys(user),
      Kdf: user.kdfType,
      KdfIterations: user.kdfIterations,
      KdfMemory: user.kdfMemory,
      KdfParallelism: user.kdfParallelism,
      ForcePasswordReset: false,
      ResetMasterPassword: false,
+      MasterPasswordPolicy: {
+        Object: 'masterPasswordPolicy',
+      },
+      ApiUseKeyConnector: false,
      scope: 'api offline_access',
      unofficialServer: true,
-      UserDecryptionOptions: {
-        HasMasterPassword: true,
-        Object: 'userDecryptionOptions',
-        MasterPasswordUnlock: {
-          Kdf: {
-            KdfType: user.kdfType,
-            Iterations: user.kdfIterations,
-            Memory: user.kdfMemory || null,
-            Parallelism: user.kdfParallelism || null,
-          },
-          MasterKeyEncryptedUserKey: user.key,
-          MasterKeyWrappedUserKey: user.key,
-          Salt: user.email.toLowerCase(),
-          Object: 'masterPasswordUnlock',
-        },
-      },
+      UserDecryptionOptions: buildUserDecryptionOptions(user),
+      userDecryptionOptions: buildUserDecryptionOptions(user),
    };

    return jsonResponse(response);
@@ -277,13 +443,37 @@ export async function handlePrelogin(request: Request, env: Env): Promise<Respon
  // Return default KDF settings even if user doesn't exist (to prevent user enumeration)
  const kdfType = user?.kdfType ?? 0;
  const kdfIterations = user?.kdfIterations ?? LIMITS.auth.defaultKdfIterations;
-  const kdfMemory = user?.kdfMemory;
-  const kdfParallelism = user?.kdfParallelism;
+  // Use ?? null so non-existent users return null (not undefined/omitted) for these fields,
+  // matching the response shape of real PBKDF2 users and reducing enumeration signal.
+  const kdfMemory = user?.kdfMemory ?? null;
+  const kdfParallelism = user?.kdfParallelism ?? null;

-  return jsonResponse({
-    kdf: kdfType,
-    kdfIterations: kdfIterations,
-    kdfMemory: kdfMemory,
-    kdfParallelism: kdfParallelism,
-  });
+  return jsonResponse(buildPreloginResponse(email, kdfType, kdfIterations, kdfMemory, kdfParallelism));
+}
+
+// POST /identity/connect/revocation
+// Best-effort OAuth token revocation endpoint.
+// RFC 7009 allows returning 200 even if token is unknown.
+export async function handleRevocation(request: Request, env: Env): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: Record<string, string>;
+  const contentType = request.headers.get('content-type') || '';
+  try {
+    if (contentType.includes('application/x-www-form-urlencoded')) {
+      const formData = await request.formData();
+      body = Object.fromEntries(formData.entries()) as Record<string, string>;
+    } else {
+      body = await request.json();
+    }
+  } catch {
+    return new Response(null, { status: 200 });
+  }
+
+  const token = String(body.token || '').trim();
+  if (token) {
+    await storage.deleteRefreshToken(token);
+  }
+
+  return new Response(null, { status: 200 });
 }
@@ -1,17 +1,23 @@
 import { Env, Cipher, Folder, CipherType } from '../types';
+import { notifyUserVaultSync } from '../durable/notifications-hub';
 import { StorageService } from '../services/storage';
-import { errorResponse } from '../utils/response';
+import { errorResponse, jsonResponse } from '../utils/response';
+import { readActingDeviceIdentifier } from '../utils/device';
 import { generateUUID } from '../utils/uuid';
 import { LIMITS } from '../config/limits';
+import { normalizeCipherLoginForStorage, normalizeCipherSshKeyForCompatibility } from './ciphers';

 // Bitwarden client import request format
 interface CiphersImportRequest {
  ciphers: Array<{
+    id?: string | null;
    type: number;
-    name: string;
+    name?: string | null;
    notes?: string | null;
    favorite?: boolean;
    reprompt?: number;
+    sshKey?: any | null;
+    key?: string | null;
    login?: {
      uris?: Array<{ uri: string | null; match?: number | null }> | null;
      username?: string | null;
@@ -62,6 +68,7 @@ interface CiphersImportRequest {
      password: string;
      lastUsedDate: string;
    }> | null;
+    [key: string]: any;
  }>;
  folders: Array<{
    name: string;
@@ -86,6 +93,8 @@ async function runBatchInChunks(db: D1Database, statements: D1PreparedStatement[
 // POST /api/ciphers/import - Bitwarden client import endpoint
 export async function handleCiphersImport(request: Request, env: Env, userId: string): Promise<Response> {
  const storage = new StorageService(env.DB);
+  const url = new URL(request.url);
+  const returnCipherMap = url.searchParams.get('returnCipherMap') === '1';

  let importData: CiphersImportRequest;
  try {
@@ -98,6 +107,10 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
  const ciphers = importData.ciphers || [];
  const folderRelationships = importData.folderRelationships || [];

+  if (folders.length + ciphers.length > LIMITS.performance.importItemLimit) {
+    return errorResponse(`Import exceeds maximum of ${LIMITS.performance.importItemLimit} items`, 400);
+  }
+
  const now = new Date().toISOString();
  const batchChunkSize = LIMITS.performance.bulkMoveChunkSize;

@@ -143,9 +156,12 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st

  // Create ciphers
  const cipherRows: Cipher[] = [];
+  const cipherMapRows: Array<{ index: number; sourceId: string | null; id: string }> = [];
  for (let i = 0; i < ciphers.length; i++) {
    const c = ciphers[i];
    const folderId = cipherFolderMap.get(i) || null;
+    const sourceIdRaw = String(c?.id ?? '').trim();
+    const sourceId = sourceIdRaw || null;

    const cipher: Cipher = {
      ...c,
@@ -153,69 +169,76 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
      userId: userId,
      type: c.type as CipherType,
      folderId: folderId,
-      name: c.name || 'Untitled',
-      notes: c.notes || null,
-      favorite: c.favorite || false,
+      name: c.name ?? 'Untitled',
+      notes: c.notes ?? null,
+      favorite: c.favorite ?? false,
      login: c.login ? {
        ...c.login,
-        username: c.login.username || null,
-        password: c.login.password || null,
+        username: c.login.username ?? null,
+        password: c.login.password ?? null,
        uris: c.login.uris?.map(u => ({
-          uri: u.uri || null,
+          ...u,
+          uri: u.uri ?? null,
          uriChecksum: null,
          match: u.match ?? null,
        })) || null,
-        totp: c.login.totp || null,
+        totp: c.login.totp ?? null,
        autofillOnPageLoad: c.login.autofillOnPageLoad ?? null,
        fido2Credentials: c.login.fido2Credentials ?? null,
        uri: c.login.uri ?? null,
        passwordRevisionDate: c.login.passwordRevisionDate ?? null,
      } : null,
      card: c.card ? {
-        cardholderName: c.card.cardholderName || null,
-        brand: c.card.brand || null,
-        number: c.card.number || null,
-        expMonth: c.card.expMonth || null,
-        expYear: c.card.expYear || null,
-        code: c.card.code || null,
+        ...c.card,
+        cardholderName: c.card.cardholderName ?? null,
+        brand: c.card.brand ?? null,
+        number: c.card.number ?? null,
+        expMonth: c.card.expMonth ?? null,
+        expYear: c.card.expYear ?? null,
+        code: c.card.code ?? null,
      } : null,
      identity: c.identity ? {
-        title: c.identity.title || null,
-        firstName: c.identity.firstName || null,
-        middleName: c.identity.middleName || null,
-        lastName: c.identity.lastName || null,
-        address1: c.identity.address1 || null,
-        address2: c.identity.address2 || null,
-        address3: c.identity.address3 || null,
-        city: c.identity.city || null,
-        state: c.identity.state || null,
-        postalCode: c.identity.postalCode || null,
-        country: c.identity.country || null,
-        company: c.identity.company || null,
-        email: c.identity.email || null,
-        phone: c.identity.phone || null,
-        ssn: c.identity.ssn || null,
-        username: c.identity.username || null,
-        passportNumber: c.identity.passportNumber || null,
-        licenseNumber: c.identity.licenseNumber || null,
+        ...c.identity,
+        title: c.identity.title ?? null,
+        firstName: c.identity.firstName ?? null,
+        middleName: c.identity.middleName ?? null,
+        lastName: c.identity.lastName ?? null,
+        address1: c.identity.address1 ?? null,
+        address2: c.identity.address2 ?? null,
+        address3: c.identity.address3 ?? null,
+        city: c.identity.city ?? null,
+        state: c.identity.state ?? null,
+        postalCode: c.identity.postalCode ?? null,
+        country: c.identity.country ?? null,
+        company: c.identity.company ?? null,
+        email: c.identity.email ?? null,
+        phone: c.identity.phone ?? null,
+        ssn: c.identity.ssn ?? null,
+        username: c.identity.username ?? null,
+        passportNumber: c.identity.passportNumber ?? null,
+        licenseNumber: c.identity.licenseNumber ?? null,
      } : null,
-      secureNote: c.secureNote || null,
+      secureNote: c.secureNote ?? null,
      fields: c.fields?.map(f => ({
-        name: f.name || null,
-        value: f.value || null,
+        ...f,
+        name: f.name ?? null,
+        value: f.value ?? null,
        type: f.type,
        linkedId: f.linkedId ?? null,
      })) || null,
-      passwordHistory: c.passwordHistory || null,
-      reprompt: c.reprompt || 0,
-      sshKey: (c as any).sshKey ?? null,
+      passwordHistory: c.passwordHistory ?? null,
+      reprompt: c.reprompt ?? 0,
+      sshKey: normalizeCipherSshKeyForCompatibility((c as any).sshKey ?? null),
      key: (c as any).key ?? null,
      createdAt: now,
      updatedAt: now,
+      archivedAt: null,
      deletedAt: null,
    };
+    cipher.login = normalizeCipherLoginForStorage(cipher.login);

    cipherRows.push(cipher);
+    cipherMapRows.push({ index: i, sourceId, id: cipher.id });
  }

  if (cipherRows.length > 0) {
@@ -223,10 +246,10 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
      const data = JSON.stringify(cipher);
      return env.DB
        .prepare(
-          'INSERT INTO ciphers(id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, deleted_at) ' +
-          'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+          'INSERT INTO ciphers(id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, archived_at, deleted_at) ' +
+          'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
          'ON CONFLICT(id) DO UPDATE SET ' +
-          'user_id=excluded.user_id, type=excluded.type, folder_id=excluded.folder_id, name=excluded.name, notes=excluded.notes, favorite=excluded.favorite, data=excluded.data, reprompt=excluded.reprompt, key=excluded.key, updated_at=excluded.updated_at, deleted_at=excluded.deleted_at'
+          'user_id=excluded.user_id, type=excluded.type, folder_id=excluded.folder_id, name=excluded.name, notes=excluded.notes, favorite=excluded.favorite, data=excluded.data, reprompt=excluded.reprompt, key=excluded.key, updated_at=excluded.updated_at, archived_at=excluded.archived_at, deleted_at=excluded.deleted_at'
        )
        .bind(
          cipher.id,
@@ -241,6 +264,7 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
          bindNull(cipher.key),
          cipher.createdAt,
          cipher.updatedAt,
+          bindNull(cipher.archivedAt),
          bindNull(cipher.deletedAt)
        );
    });
@@ -248,7 +272,15 @@ export async function handleCiphersImport(request: Request, env: Env, userId: st
  }

  // Update revision date
-  await storage.updateRevisionDate(userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+
+  if (returnCipherMap) {
+    return jsonResponse({
+      object: 'import-result',
+      cipherMap: cipherMapRows,
+    });
+  }

  return new Response(null, { status: 200 });
 }
@@ -0,0 +1,58 @@
+import { AuthService } from '../services/auth';
+import type { Env, JWTPayload } from '../types';
+import { errorResponse, jsonResponse } from '../utils/response';
+import { generateUUID } from '../utils/uuid';
+
+function extractAccessToken(request: Request): string | null {
+  const url = new URL(request.url);
+  const queryToken = String(url.searchParams.get('access_token') || '').trim();
+  if (queryToken) return queryToken;
+
+  const authHeader = String(request.headers.get('Authorization') || '').trim();
+  const match = authHeader.match(/^Bearer\s+(.+)$/i);
+  return match?.[1]?.trim() || null;
+}
+
+async function authenticateNotificationsRequest(request: Request, env: Env): Promise<JWTPayload | null> {
+  const accessToken = extractAccessToken(request);
+  if (!accessToken) return null;
+
+  const auth = new AuthService(env);
+  return auth.verifyAccessToken(`Bearer ${accessToken}`);
+}
+
+export async function handleNotificationsNegotiate(request: Request, env: Env): Promise<Response> {
+  const payload = await authenticateNotificationsRequest(request, env);
+  if (!payload?.sub) return errorResponse('Unauthorized', 401);
+
+  const connectionId = generateUUID();
+  return jsonResponse({
+    connectionId,
+    connectionToken: connectionId,
+    negotiateVersion: 1,
+    availableTransports: [
+      {
+        transport: 'WebSockets',
+        transferFormats: ['Text', 'Binary'],
+      },
+    ],
+  });
+}
+
+export async function handleNotificationsHub(request: Request, env: Env): Promise<Response> {
+  const payload = await authenticateNotificationsRequest(request, env);
+  if (!payload?.sub) return errorResponse('Unauthorized', 401);
+  if (request.headers.get('Upgrade')?.toLowerCase() !== 'websocket') {
+    return errorResponse('Expected websocket', 426);
+  }
+
+  const userId = payload.sub;
+  const id = env.NOTIFICATIONS_HUB.idFromName(userId);
+  const stub = env.NOTIFICATIONS_HUB.get(id);
+  const forwardedUrl = new URL(request.url);
+  forwardedUrl.searchParams.set('nw_uid', userId);
+  if (payload.did) {
+    forwardedUrl.searchParams.set('nw_did', payload.did);
+  }
+  return stub.fetch(new Request(forwardedUrl.toString(), request));
+}
@@ -0,0 +1,691 @@
+import { Env, Send, SendAuthType, SendType } from '../types';
+import { StorageService } from '../services/storage';
+import { jsonResponse, errorResponse } from '../utils/response';
+import { buildDirectUploadUrl, getSafeJwtSecret, parseDirectUploadPayload } from '../utils/direct-upload';
+import { generateUUID } from '../utils/uuid';
+import { parsePagination, encodeContinuationToken } from '../utils/pagination';
+import { LIMITS } from '../config/limits';
+import {
+  getBlobStorageMaxBytes,
+  getSendFileObjectKey,
+  putBlobObject,
+  deleteBlobObject,
+} from '../services/blob-store';
+import { createSendFileUploadToken, verifySendFileUploadToken } from '../utils/jwt';
+import {
+  formatSize,
+  getAliasedProp,
+  normalizeEmails,
+  notifyVaultSyncForRequest,
+  parseDate,
+  parseFileLength,
+  parseInteger,
+  parseMaxAccessCount,
+  parseSendAuthType,
+  parseSendType,
+  parseStoredSendData,
+  sanitizeSendData,
+  sendToResponse,
+  setSendPassword,
+  validateDeletionDate,
+} from './sends-shared';
+
+async function processSendFileUpload(
+  request: Request,
+  env: Env,
+  send: Send,
+  fileId: string
+): Promise<Response> {
+  const maxFileSize = getBlobStorageMaxBytes(env, LIMITS.send.maxFileSizeBytes);
+  const sendData = parseStoredSendData(send);
+  const expectedFileId = typeof sendData.id === 'string' ? sendData.id : null;
+  if (!expectedFileId || expectedFileId !== fileId) {
+    return errorResponse('Send file does not match send data.', 400);
+  }
+
+  const expectedFileName = typeof sendData.fileName === 'string' ? sendData.fileName : null;
+  const expectedSize = parseInteger(sendData.size);
+  const upload = await parseDirectUploadPayload(request, {
+    expectedSize,
+    expectedFileName,
+    maxFileSize,
+    tooLargeMessage: 'Send storage limit exceeded with this file',
+    sizeMismatchMessage: 'Send file size does not match.',
+    fileNameMismatchMessage: 'Send file name does not match.',
+  });
+  if (upload instanceof Response) {
+    return upload;
+  }
+
+  try {
+    await putBlobObject(env, getSendFileObjectKey(send.id, fileId), upload.body, {
+      size: upload.size,
+      contentType: upload.contentType,
+      customMetadata: {
+        sendId: send.id,
+        fileId,
+      },
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes('KV object too large')) {
+      return errorResponse('Send storage limit exceeded with this file', 413);
+    }
+    return errorResponse('Attachment storage is not configured', 500);
+  }
+
+  const storage = new StorageService(env.DB);
+  const revisionDate = await storage.updateRevisionDate(send.userId);
+  await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+
+  return new Response(null, { status: 201 });
+}
+
+export async function handleGetSends(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const url = new URL(request.url);
+  const pagination = parsePagination(url);
+
+  let sends: Send[];
+  let continuationToken: string | null = null;
+  if (pagination) {
+    const pageRows = await storage.getSendsPage(userId, pagination.limit + 1, pagination.offset);
+    const hasNext = pageRows.length > pagination.limit;
+    sends = hasNext ? pageRows.slice(0, pagination.limit) : pageRows;
+    continuationToken = hasNext ? encodeContinuationToken(pagination.offset + sends.length) : null;
+  } else {
+    sends = await storage.getAllSends(userId);
+  }
+
+  return jsonResponse({
+    data: sends.map(sendToResponse),
+    object: 'list',
+    continuationToken,
+  });
+}
+
+export async function handleGetSend(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(sendId);
+
+  if (!send || send.userId !== userId) {
+    return errorResponse('Send not found', 404);
+  }
+
+  return jsonResponse(sendToResponse(send));
+}
+
+export async function handleCreateSend(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const typeRaw = getAliasedProp(body, ['type', 'Type']);
+  const sendType = parseSendType(typeRaw.value);
+  if (sendType === null) {
+    return errorResponse('Invalid Send type', 400);
+  }
+  if (sendType === SendType.File) {
+    return errorResponse('File sends should use /api/sends/file/v2', 400);
+  }
+
+  const nameRaw = getAliasedProp(body, ['name', 'Name']);
+  const keyRaw = getAliasedProp(body, ['key', 'Key']);
+  const deletionDateRaw = getAliasedProp(body, ['deletionDate', 'DeletionDate']);
+  const textRaw = getAliasedProp(body, ['text', 'Text']);
+
+  if (typeof nameRaw.value !== 'string' || !nameRaw.value.trim()) {
+    return errorResponse('Name is required', 400);
+  }
+  if (typeof keyRaw.value !== 'string' || !keyRaw.value.trim()) {
+    return errorResponse('Key is required', 400);
+  }
+
+  const deletionDate = parseDate(deletionDateRaw.value);
+  if (!deletionDate) {
+    return errorResponse('Invalid deletionDate', 400);
+  }
+
+  const deletionValidation = validateDeletionDate(deletionDate);
+  if (deletionValidation) return deletionValidation;
+
+  const sendData = sanitizeSendData(textRaw.value);
+  if (!sendData) {
+    return errorResponse('Send data not provided', 400);
+  }
+
+  const maxAccessRaw = getAliasedProp(body, ['maxAccessCount', 'MaxAccessCount']);
+  const maxAccess = parseMaxAccessCount(maxAccessRaw.value);
+  if (!maxAccess.ok) return maxAccess.response;
+
+  const expirationRaw = getAliasedProp(body, ['expirationDate', 'ExpirationDate']);
+  const expirationDate = expirationRaw.value === null || expirationRaw.value === undefined
+    ? null
+    : parseDate(expirationRaw.value);
+  if (expirationRaw.value !== null && expirationRaw.value !== undefined && !expirationDate) {
+    return errorResponse('Invalid expirationDate', 400);
+  }
+
+  const disabledRaw = getAliasedProp(body, ['disabled', 'Disabled']);
+  const hideEmailRaw = getAliasedProp(body, ['hideEmail', 'HideEmail']);
+  const notesRaw = getAliasedProp(body, ['notes', 'Notes']);
+  const passwordRaw = getAliasedProp(body, ['password', 'Password']);
+  const authTypeRaw = getAliasedProp(body, ['authType', 'AuthType']);
+  const emailsRaw = getAliasedProp(body, ['emails', 'Emails']);
+
+  const requestedAuthType = parseSendAuthType(authTypeRaw.value);
+  if (authTypeRaw.present && requestedAuthType === null) {
+    return errorResponse('Invalid authType', 400);
+  }
+
+  const normalizedEmails = normalizeEmails(emailsRaw.value);
+  if (emailsRaw.present && emailsRaw.value !== null && normalizedEmails === null) {
+    return errorResponse('Invalid emails', 400);
+  }
+
+  const now = new Date().toISOString();
+  const send: Send = {
+    id: generateUUID(),
+    userId,
+    type: sendType,
+    name: nameRaw.value.trim(),
+    notes: typeof notesRaw.value === 'string' ? notesRaw.value : null,
+    data: JSON.stringify(sendData),
+    key: keyRaw.value,
+    passwordHash: null,
+    passwordSalt: null,
+    passwordIterations: null,
+    authType: requestedAuthType ?? SendAuthType.None,
+    emails: normalizedEmails,
+    maxAccessCount: maxAccess.value,
+    accessCount: 0,
+    disabled: typeof disabledRaw.value === 'boolean' ? disabledRaw.value : false,
+    hideEmail: typeof hideEmailRaw.value === 'boolean' ? hideEmailRaw.value : null,
+    createdAt: now,
+    updatedAt: now,
+    expirationDate: expirationDate ? expirationDate.toISOString() : null,
+    deletionDate: deletionDate.toISOString(),
+  };
+
+  if (typeof passwordRaw.value === 'string' && passwordRaw.value.length > 0) {
+    await setSendPassword(send, passwordRaw.value);
+  } else if (send.authType === SendAuthType.Password) {
+    return errorResponse('Password is required for password auth', 400);
+  }
+
+  if (send.authType !== SendAuthType.Email) {
+    send.emails = null;
+  }
+
+  await storage.saveSend(send);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  return jsonResponse(sendToResponse(send));
+}
+
+export async function handleCreateFileSendV2(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const maxFileSize = getBlobStorageMaxBytes(env, LIMITS.send.maxFileSizeBytes);
+
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const typeRaw = getAliasedProp(body, ['type', 'Type']);
+  const sendType = parseSendType(typeRaw.value);
+  if (sendType !== SendType.File) {
+    return errorResponse('Send content is not a file', 400);
+  }
+
+  const fileLengthRaw = getAliasedProp(body, ['fileLength', 'FileLength']);
+  const fileLengthParsed = parseFileLength(fileLengthRaw.value);
+  if (!fileLengthParsed.ok) return fileLengthParsed.response;
+  if (fileLengthParsed.value > maxFileSize) {
+    return errorResponse('Send storage limit exceeded with this file', 400);
+  }
+
+  const nameRaw = getAliasedProp(body, ['name', 'Name']);
+  const keyRaw = getAliasedProp(body, ['key', 'Key']);
+  const deletionDateRaw = getAliasedProp(body, ['deletionDate', 'DeletionDate']);
+  const fileRaw = getAliasedProp(body, ['file', 'File']);
+
+  if (typeof nameRaw.value !== 'string' || !nameRaw.value.trim()) {
+    return errorResponse('Name is required', 400);
+  }
+  if (typeof keyRaw.value !== 'string' || !keyRaw.value.trim()) {
+    return errorResponse('Key is required', 400);
+  }
+
+  const deletionDate = parseDate(deletionDateRaw.value);
+  if (!deletionDate) {
+    return errorResponse('Invalid deletionDate', 400);
+  }
+  const deletionValidation = validateDeletionDate(deletionDate);
+  if (deletionValidation) return deletionValidation;
+
+  const fileData = sanitizeSendData(fileRaw.value);
+  if (!fileData) {
+    return errorResponse('Send data not provided', 400);
+  }
+
+  const fileId = generateUUID();
+  fileData.id = fileId;
+  fileData.size = fileLengthParsed.value;
+  fileData.sizeName = formatSize(fileLengthParsed.value);
+
+  const maxAccessRaw = getAliasedProp(body, ['maxAccessCount', 'MaxAccessCount']);
+  const maxAccess = parseMaxAccessCount(maxAccessRaw.value);
+  if (!maxAccess.ok) return maxAccess.response;
+
+  const expirationRaw = getAliasedProp(body, ['expirationDate', 'ExpirationDate']);
+  const expirationDate = expirationRaw.value === null || expirationRaw.value === undefined
+    ? null
+    : parseDate(expirationRaw.value);
+  if (expirationRaw.value !== null && expirationRaw.value !== undefined && !expirationDate) {
+    return errorResponse('Invalid expirationDate', 400);
+  }
+
+  const disabledRaw = getAliasedProp(body, ['disabled', 'Disabled']);
+  const hideEmailRaw = getAliasedProp(body, ['hideEmail', 'HideEmail']);
+  const notesRaw = getAliasedProp(body, ['notes', 'Notes']);
+  const passwordRaw = getAliasedProp(body, ['password', 'Password']);
+  const authTypeRaw = getAliasedProp(body, ['authType', 'AuthType']);
+  const emailsRaw = getAliasedProp(body, ['emails', 'Emails']);
+
+  const requestedAuthType = parseSendAuthType(authTypeRaw.value);
+  if (authTypeRaw.present && requestedAuthType === null) {
+    return errorResponse('Invalid authType', 400);
+  }
+
+  const normalizedEmails = normalizeEmails(emailsRaw.value);
+  if (emailsRaw.present && emailsRaw.value !== null && normalizedEmails === null) {
+    return errorResponse('Invalid emails', 400);
+  }
+
+  const now = new Date().toISOString();
+  const send: Send = {
+    id: generateUUID(),
+    userId,
+    type: sendType,
+    name: nameRaw.value.trim(),
+    notes: typeof notesRaw.value === 'string' ? notesRaw.value : null,
+    data: JSON.stringify(fileData),
+    key: keyRaw.value,
+    passwordHash: null,
+    passwordSalt: null,
+    passwordIterations: null,
+    authType: requestedAuthType ?? SendAuthType.None,
+    emails: normalizedEmails,
+    maxAccessCount: maxAccess.value,
+    accessCount: 0,
+    disabled: typeof disabledRaw.value === 'boolean' ? disabledRaw.value : false,
+    hideEmail: typeof hideEmailRaw.value === 'boolean' ? hideEmailRaw.value : null,
+    createdAt: now,
+    updatedAt: now,
+    expirationDate: expirationDate ? expirationDate.toISOString() : null,
+    deletionDate: deletionDate.toISOString(),
+  };
+
+  if (typeof passwordRaw.value === 'string' && passwordRaw.value.length > 0) {
+    await setSendPassword(send, passwordRaw.value);
+  } else if (send.authType === SendAuthType.Password) {
+    return errorResponse('Password is required for password auth', 400);
+  }
+
+  if (send.authType !== SendAuthType.Email) {
+    send.emails = null;
+  }
+
+  await storage.saveSend(send);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  const jwtSecret = getSafeJwtSecret(env);
+  if (!jwtSecret) {
+    return errorResponse('Server configuration error', 500);
+  }
+  const uploadToken = await createSendFileUploadToken(userId, send.id, fileId, jwtSecret);
+
+  return jsonResponse({
+    fileUploadType: 1,
+    object: 'send-fileUpload',
+    url: buildDirectUploadUrl(request, `/api/sends/${send.id}/file/${fileId}`, uploadToken),
+    sendResponse: sendToResponse(send),
+  });
+}
+
+export async function handleGetSendFileUpload(
+  request: Request,
+  env: Env,
+  userId: string,
+  sendId: string,
+  fileId: string
+): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(sendId);
+  if (!send || send.userId !== userId) {
+    return errorResponse('Send not found', 404);
+  }
+  if (send.type !== SendType.File) {
+    return errorResponse('Send is not a file type send.', 400);
+  }
+
+  const sendData = parseStoredSendData(send);
+  const expectedFileId = typeof sendData.id === 'string' ? sendData.id : null;
+  if (!expectedFileId || expectedFileId !== fileId) {
+    return errorResponse('Send file does not match send data.', 400);
+  }
+  const jwtSecret = getSafeJwtSecret(env);
+  if (!jwtSecret) {
+    return errorResponse('Server configuration error', 500);
+  }
+  const uploadToken = await createSendFileUploadToken(userId, send.id, fileId, jwtSecret);
+
+  return jsonResponse({
+    fileUploadType: 1,
+    object: 'send-fileUpload',
+    url: buildDirectUploadUrl(request, `/api/sends/${send.id}/file/${fileId}`, uploadToken),
+    sendResponse: sendToResponse(send),
+  });
+}
+
+export async function handleUploadSendFile(
+  request: Request,
+  env: Env,
+  userId: string,
+  sendId: string,
+  fileId: string
+): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(sendId);
+  if (!send || send.userId !== userId) {
+    return errorResponse('Send not found. Unable to save the file.', 404);
+  }
+  if (send.type !== SendType.File) {
+    return errorResponse('Send is not a file type send.', 400);
+  }
+
+  return processSendFileUpload(request, env, send, fileId);
+}
+
+export async function handlePublicUploadSendFile(
+  request: Request,
+  env: Env,
+  sendId: string,
+  fileId: string
+): Promise<Response> {
+  const jwtSecret = getSafeJwtSecret(env);
+  if (!jwtSecret) {
+    return errorResponse('Server configuration error', 500);
+  }
+
+  const token = new URL(request.url).searchParams.get('token');
+  if (!token) {
+    return errorResponse('Token required', 401);
+  }
+
+  const claims = await verifySendFileUploadToken(token, jwtSecret);
+  if (!claims) {
+    return errorResponse('Invalid or expired token', 401);
+  }
+  if (claims.sendId !== sendId || claims.fileId !== fileId) {
+    return errorResponse('Token mismatch', 401);
+  }
+
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(sendId);
+  if (!send || send.userId !== claims.userId) {
+    return errorResponse('Send not found. Unable to save the file.', 404);
+  }
+  if (send.type !== SendType.File) {
+    return errorResponse('Send is not a file type send.', 400);
+  }
+
+  return processSendFileUpload(request, env, send, fileId);
+}
+
+export async function handleUpdateSend(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(sendId);
+  if (!send || send.userId !== userId) {
+    return errorResponse('Send not found', 404);
+  }
+
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  const typeRaw = getAliasedProp(body, ['type', 'Type']);
+  if (typeRaw.present) {
+    const incomingType = parseSendType(typeRaw.value);
+    if (incomingType === null) {
+      return errorResponse('Invalid Send type', 400);
+    }
+    if (incomingType !== send.type) {
+      return errorResponse("Sends can't change type", 400);
+    }
+  }
+
+  const deletionRaw = getAliasedProp(body, ['deletionDate', 'DeletionDate']);
+  if (deletionRaw.present) {
+    const deletionDate = parseDate(deletionRaw.value);
+    if (!deletionDate) return errorResponse('Invalid deletionDate', 400);
+    const deletionValidation = validateDeletionDate(deletionDate);
+    if (deletionValidation) return deletionValidation;
+    send.deletionDate = deletionDate.toISOString();
+  }
+
+  const expirationRaw = getAliasedProp(body, ['expirationDate', 'ExpirationDate']);
+  if (expirationRaw.present) {
+    if (expirationRaw.value === null || expirationRaw.value === '') {
+      send.expirationDate = null;
+    } else {
+      const expiration = parseDate(expirationRaw.value);
+      if (!expiration) return errorResponse('Invalid expirationDate', 400);
+      send.expirationDate = expiration.toISOString();
+    }
+  }
+
+  const nameRaw = getAliasedProp(body, ['name', 'Name']);
+  if (nameRaw.present) {
+    if (typeof nameRaw.value !== 'string' || !nameRaw.value.trim()) {
+      return errorResponse('Name is required', 400);
+    }
+    send.name = nameRaw.value.trim();
+  }
+
+  const keyRaw = getAliasedProp(body, ['key', 'Key']);
+  if (keyRaw.present) {
+    if (typeof keyRaw.value !== 'string' || !keyRaw.value.trim()) {
+      return errorResponse('Key is required', 400);
+    }
+    send.key = keyRaw.value;
+  }
+
+  const notesRaw = getAliasedProp(body, ['notes', 'Notes']);
+  if (notesRaw.present) {
+    send.notes = typeof notesRaw.value === 'string' ? notesRaw.value : null;
+  }
+
+  const disabledRaw = getAliasedProp(body, ['disabled', 'Disabled']);
+  if (disabledRaw.present) {
+    if (typeof disabledRaw.value !== 'boolean') {
+      return errorResponse('Invalid disabled', 400);
+    }
+    send.disabled = disabledRaw.value;
+  }
+
+  const hideEmailRaw = getAliasedProp(body, ['hideEmail', 'HideEmail']);
+  if (hideEmailRaw.present) {
+    if (hideEmailRaw.value === null) {
+      send.hideEmail = null;
+    } else if (typeof hideEmailRaw.value === 'boolean') {
+      send.hideEmail = hideEmailRaw.value;
+    } else {
+      return errorResponse('Invalid hideEmail', 400);
+    }
+  }
+
+  const maxAccessRaw = getAliasedProp(body, ['maxAccessCount', 'MaxAccessCount']);
+  if (maxAccessRaw.present) {
+    const parsedMax = parseMaxAccessCount(maxAccessRaw.value);
+    if (!parsedMax.ok) return parsedMax.response;
+    send.maxAccessCount = parsedMax.value;
+  }
+
+  if (send.type === SendType.Text) {
+    const textRaw = getAliasedProp(body, ['text', 'Text']);
+    if (textRaw.present) {
+      const textData = sanitizeSendData(textRaw.value);
+      if (!textData) {
+        return errorResponse('Send data not provided', 400);
+      }
+      send.data = JSON.stringify(textData);
+    }
+  }
+
+  const authTypeRaw = getAliasedProp(body, ['authType', 'AuthType']);
+  if (authTypeRaw.present) {
+    const parsedAuthType = parseSendAuthType(authTypeRaw.value);
+    if (parsedAuthType === null) {
+      return errorResponse('Invalid authType', 400);
+    }
+    send.authType = parsedAuthType;
+    if (parsedAuthType !== SendAuthType.Email) {
+      send.emails = null;
+    }
+  }
+
+  const emailsRaw = getAliasedProp(body, ['emails', 'Emails']);
+  if (emailsRaw.present) {
+    const normalizedEmails = normalizeEmails(emailsRaw.value);
+    if (emailsRaw.value !== null && normalizedEmails === null) {
+      return errorResponse('Invalid emails', 400);
+    }
+    send.emails = normalizedEmails;
+    if (send.emails) {
+      send.authType = SendAuthType.Email;
+    } else if (send.authType === SendAuthType.Email) {
+      send.authType = SendAuthType.None;
+    }
+  }
+
+  const passwordRaw = getAliasedProp(body, ['password', 'Password']);
+  if (passwordRaw.present && typeof passwordRaw.value === 'string') {
+    await setSendPassword(send, passwordRaw.value);
+  }
+
+  if (send.authType === SendAuthType.Password && !send.passwordHash) {
+    return errorResponse('Password is required for password auth', 400);
+  }
+
+  send.updatedAt = new Date().toISOString();
+  await storage.saveSend(send);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  return jsonResponse(sendToResponse(send));
+}
+
+export async function handleDeleteSend(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(sendId);
+  if (!send || send.userId !== userId) {
+    return errorResponse('Send not found', 404);
+  }
+
+  if (send.type === SendType.File) {
+    const data = parseStoredSendData(send);
+    const fileId = typeof data.id === 'string' ? data.id : null;
+    if (fileId) {
+      await deleteBlobObject(env, getSendFileObjectKey(send.id, fileId));
+    }
+  }
+
+  await storage.deleteSend(sendId, userId);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  return new Response(null, { status: 200 });
+}
+
+export async function handleBulkDeleteSends(request: Request, env: Env, userId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+
+  let body: { ids?: string[] };
+  try {
+    body = await request.json();
+  } catch {
+    return errorResponse('Invalid JSON', 400);
+  }
+
+  if (!body.ids || !Array.isArray(body.ids)) {
+    return errorResponse('ids array is required', 400);
+  }
+
+  const sends = await storage.getSendsByIds(body.ids, userId);
+  for (const send of sends) {
+    if (send.type !== SendType.File) continue;
+    const data = parseStoredSendData(send);
+    const fileId = typeof data.id === 'string' ? data.id : null;
+    if (fileId) {
+      await deleteBlobObject(env, getSendFileObjectKey(send.id, fileId));
+    }
+  }
+
+  const revisionDate = await storage.bulkDeleteSends(body.ids, userId);
+  if (revisionDate) {
+    await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+  }
+
+  return new Response(null, { status: 200 });
+}
+
+export async function handleRemoveSendPassword(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(sendId);
+  if (!send || send.userId !== userId) {
+    return errorResponse('Send not found', 404);
+  }
+
+  await setSendPassword(send, null);
+  send.updatedAt = new Date().toISOString();
+  await storage.saveSend(send);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  return jsonResponse(sendToResponse(send));
+}
+
+export async function handleRemoveSendAuth(request: Request, env: Env, userId: string, sendId: string): Promise<Response> {
+  void request;
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(sendId);
+  if (!send || send.userId !== userId) {
+    return errorResponse('Send not found', 404);
+  }
+
+  send.authType = SendAuthType.None;
+  send.emails = null;
+  send.updatedAt = new Date().toISOString();
+  await storage.saveSend(send);
+  const revisionDate = await storage.updateRevisionDate(userId);
+  await notifyVaultSyncForRequest(request, env, userId, revisionDate);
+
+  return jsonResponse(sendToResponse(send));
+}
@@ -0,0 +1,400 @@
+import { Env, SendType } from '../types';
+import { StorageService } from '../services/storage';
+import { RateLimitService, getClientIdentifier } from '../services/ratelimit';
+import { jsonResponse, errorResponse } from '../utils/response';
+import { LIMITS } from '../config/limits';
+import {
+  createSendAccessToken,
+  createSendFileDownloadToken,
+  verifySendAccessToken,
+  verifySendFileDownloadToken,
+} from '../utils/jwt';
+import {
+  getBlobObject,
+  getSendFileObjectKey,
+} from '../services/blob-store';
+import {
+  SEND_INACCESSIBLE_MSG,
+  extractBearerToken,
+  fromAccessId,
+  getCreatorIdentifier,
+  getSafeJwtSecret,
+  hasEmailAuth,
+  isSendAvailable,
+  notifyVaultSyncForRequest,
+  parseStoredSendData,
+  resolveSendFromIdOrAccessId,
+  sendPasswordLimitKey,
+  sendPasswordLockedErrorResponse,
+  sendPasswordLockedOAuthResponse,
+  sendToAccessResponse,
+  validatePublicSendAccess,
+  verifySendPassword,
+  verifySendPasswordHashB64,
+} from './sends-shared';
+
+export async function handleAccessSend(request: Request, env: Env, accessId: string): Promise<Response> {
+  const storage = new StorageService(env.DB);
+  const sendId = fromAccessId(accessId);
+  if (!sendId) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+
+  const send = await storage.getSend(sendId);
+  if (!send || !isSendAvailable(send)) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+
+  let body: unknown = {};
+  try {
+    body = await request.json();
+  } catch {
+    body = {};
+  }
+
+  let sendPasswordLimitIpKey: string | null = null;
+  let sendPasswordRateLimit: RateLimitService | null = null;
+  if (send.passwordHash) {
+    const clientIdentifier = getClientIdentifier(request);
+    if (!clientIdentifier) {
+      return errorResponse('Client IP is required', 403);
+    }
+    sendPasswordLimitIpKey = sendPasswordLimitKey(clientIdentifier);
+    sendPasswordRateLimit = new RateLimitService(env.DB);
+    const sendPasswordCheck = await sendPasswordRateLimit.checkLoginAttempt(sendPasswordLimitIpKey);
+    if (!sendPasswordCheck.allowed) {
+      return sendPasswordLockedErrorResponse(sendPasswordCheck.retryAfterSeconds || 60);
+    }
+  }
+
+  const validation = await validatePublicSendAccess(send, body);
+  if (!validation.ok) {
+    if (validation.reason === 'invalid_password' && sendPasswordRateLimit && sendPasswordLimitIpKey) {
+      const failed = await sendPasswordRateLimit.recordFailedLogin(sendPasswordLimitIpKey);
+      if (failed.locked) {
+        return sendPasswordLockedErrorResponse(failed.retryAfterSeconds || 60);
+      }
+    }
+    return validation.response;
+  }
+
+  if (send.passwordHash && sendPasswordRateLimit && sendPasswordLimitIpKey) {
+    await sendPasswordRateLimit.clearLoginAttempts(sendPasswordLimitIpKey);
+  }
+
+  if (send.type === SendType.Text) {
+    const updated = await storage.incrementSendAccessCount(send.id);
+    if (!updated) {
+      return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+    }
+    send.accessCount += 1;
+    const revisionDate = await storage.updateRevisionDate(send.userId);
+    await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+  }
+
+  const creatorIdentifier = await getCreatorIdentifier(storage, send);
+  return jsonResponse(sendToAccessResponse(send, creatorIdentifier));
+}
+
+export async function handleAccessSendFile(
+  request: Request,
+  env: Env,
+  idOrAccessId: string,
+  fileId: string
+): Promise<Response> {
+  const secret = (env.JWT_SECRET || '').trim();
+  if (!secret || secret.length < LIMITS.auth.jwtSecretMinLength) {
+    return errorResponse('Server configuration error', 500);
+  }
+
+  const storage = new StorageService(env.DB);
+  const send = await resolveSendFromIdOrAccessId(storage, idOrAccessId);
+  if (!send || !isSendAvailable(send) || send.type !== SendType.File) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+
+  const data = parseStoredSendData(send);
+  const expectedFileId = typeof data.id === 'string' ? data.id : null;
+  if (!expectedFileId || expectedFileId !== fileId) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+
+  let body: unknown = {};
+  try {
+    body = await request.json();
+  } catch {
+    body = {};
+  }
+
+  let sendPasswordLimitIpKey: string | null = null;
+  let sendPasswordRateLimit: RateLimitService | null = null;
+  if (send.passwordHash) {
+    const clientIdentifier = getClientIdentifier(request);
+    if (!clientIdentifier) {
+      return errorResponse('Client IP is required', 403);
+    }
+    sendPasswordLimitIpKey = sendPasswordLimitKey(clientIdentifier);
+    sendPasswordRateLimit = new RateLimitService(env.DB);
+    const sendPasswordCheck = await sendPasswordRateLimit.checkLoginAttempt(sendPasswordLimitIpKey);
+    if (!sendPasswordCheck.allowed) {
+      return sendPasswordLockedErrorResponse(sendPasswordCheck.retryAfterSeconds || 60);
+    }
+  }
+
+  const validation = await validatePublicSendAccess(send, body);
+  if (!validation.ok) {
+    if (validation.reason === 'invalid_password' && sendPasswordRateLimit && sendPasswordLimitIpKey) {
+      const failed = await sendPasswordRateLimit.recordFailedLogin(sendPasswordLimitIpKey);
+      if (failed.locked) {
+        return sendPasswordLockedErrorResponse(failed.retryAfterSeconds || 60);
+      }
+    }
+    return validation.response;
+  }
+
+  if (send.passwordHash && sendPasswordRateLimit && sendPasswordLimitIpKey) {
+    await sendPasswordRateLimit.clearLoginAttempts(sendPasswordLimitIpKey);
+  }
+
+  const updated = await storage.incrementSendAccessCount(send.id);
+  if (!updated) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+  send.accessCount += 1;
+  const revisionDate = await storage.updateRevisionDate(send.userId);
+  await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+
+  const token = await createSendFileDownloadToken(send.id, fileId, secret);
+  const url = new URL(request.url);
+  const downloadUrl = `${url.origin}/api/sends/${send.id}/${fileId}?t=${token}`;
+
+  return jsonResponse({
+    object: 'send-fileDownload',
+    id: fileId,
+    url: downloadUrl,
+  });
+}
+
+export async function handleAccessSendV2(request: Request, env: Env): Promise<Response> {
+  const jwt = getSafeJwtSecret(env);
+  if (!jwt.ok) return jwt.response;
+
+  const token = extractBearerToken(request);
+  if (!token) {
+    return errorResponse('Unauthorized', 401);
+  }
+
+  const claims = await verifySendAccessToken(token, jwt.secret);
+  if (!claims) {
+    return errorResponse('Unauthorized', 401);
+  }
+
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(claims.sub);
+  if (!send || !isSendAvailable(send)) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+
+  if (send.type === SendType.Text) {
+    const updated = await storage.incrementSendAccessCount(send.id);
+    if (!updated) {
+      return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+    }
+    send.accessCount += 1;
+    const revisionDate = await storage.updateRevisionDate(send.userId);
+    await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+  }
+
+  const creatorIdentifier = await getCreatorIdentifier(storage, send);
+  return jsonResponse(sendToAccessResponse(send, creatorIdentifier));
+}
+
+export async function handleAccessSendFileV2(request: Request, env: Env, fileId: string): Promise<Response> {
+  const jwt = getSafeJwtSecret(env);
+  if (!jwt.ok) return jwt.response;
+
+  const token = extractBearerToken(request);
+  if (!token) {
+    return errorResponse('Unauthorized', 401);
+  }
+
+  const claims = await verifySendAccessToken(token, jwt.secret);
+  if (!claims) {
+    return errorResponse('Unauthorized', 401);
+  }
+
+  const storage = new StorageService(env.DB);
+  const send = await storage.getSend(claims.sub);
+  if (!send || !isSendAvailable(send) || send.type !== SendType.File) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+
+  const data = parseStoredSendData(send);
+  const expectedFileId = typeof data.id === 'string' ? data.id : null;
+  if (!expectedFileId || expectedFileId !== fileId) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+
+  const updated = await storage.incrementSendAccessCount(send.id);
+  if (!updated) {
+    return errorResponse(SEND_INACCESSIBLE_MSG, 404);
+  }
+  send.accessCount += 1;
+  const revisionDate = await storage.updateRevisionDate(send.userId);
+  await notifyVaultSyncForRequest(request, env, send.userId, revisionDate);
+
+  const downloadToken = await createSendFileDownloadToken(send.id, fileId, jwt.secret);
+  const url = new URL(request.url);
+  const downloadUrl = `${url.origin}/api/sends/${send.id}/${fileId}?t=${downloadToken}`;
+
+  return jsonResponse({
+    object: 'send-fileDownload',
+    id: fileId,
+    url: downloadUrl,
+  });
+}
+
+export async function handleDownloadSendFile(
+  request: Request,
+  env: Env,
+  sendId: string,
+  fileId: string
+): Promise<Response> {
+  const jwt = getSafeJwtSecret(env);
+  if (!jwt.ok) return jwt.response;
+
+  const url = new URL(request.url);
+  const token = url.searchParams.get('t') || url.searchParams.get('token');
+  if (!token) {
+    return errorResponse('Token required', 401);
+  }
+
+  const claims = await verifySendFileDownloadToken(token, jwt.secret);
+  if (!claims) {
+    return errorResponse('Invalid or expired token', 401);
+  }
+  if (claims.sendId !== sendId || claims.fileId !== fileId) {
+    return errorResponse('Token mismatch', 401);
+  }
+
+  const storage = new StorageService(env.DB);
+  const object = await getBlobObject(env, getSendFileObjectKey(sendId, fileId));
+  if (!object) {
+    return errorResponse('Send file not found', 404);
+  }
+
+  const firstUse = await storage.consumeAttachmentDownloadToken(`send:${claims.jti}`, claims.exp);
+  if (!firstUse) {
+    return errorResponse('Invalid or expired token', 401);
+  }
+
+  return new Response(object.body, {
+    headers: {
+      'Content-Type': object.contentType || 'application/octet-stream',
+      'Content-Length': String(object.size),
+      'Cache-Control': 'private, no-cache',
+    },
+  });
+}
+
+export async function issueSendAccessToken(
+  env: Env,
+  sendIdOrAccessId: string,
+  passwordHashB64?: string | null,
+  password?: string | null,
+  rateLimit?: RateLimitService,
+  sendPasswordLimitIpKey?: string
+): Promise<{ token: string } | { error: Response }> {
+  const jwt = getSafeJwtSecret(env);
+  if (!jwt.ok) {
+    return { error: jwt.response };
+  }
+
+  const storage = new StorageService(env.DB);
+  const send = await resolveSendFromIdOrAccessId(storage, sendIdOrAccessId);
+
+  if (!send || !isSendAvailable(send)) {
+    return {
+      error: jsonResponse(
+        {
+          error: 'invalid_grant',
+          error_description: SEND_INACCESSIBLE_MSG,
+          send_access_error_type: 'send_not_available',
+          ErrorModel: {
+            Message: SEND_INACCESSIBLE_MSG,
+            Object: 'error',
+          },
+        },
+        400
+      ),
+    };
+  }
+
+  if (hasEmailAuth(send)) {
+    const message = 'Email verification for this Send is not supported by this server.';
+    return {
+      error: jsonResponse(
+        {
+          error: 'invalid_grant',
+          error_description: message,
+          send_access_error_type: 'email_verification_not_supported',
+          ErrorModel: {
+            Message: message,
+            Object: 'error',
+          },
+        },
+        400
+      ),
+    };
+  }
+
+  if (send.passwordHash) {
+    if (rateLimit && sendPasswordLimitIpKey) {
+      const sendPasswordCheck = await rateLimit.checkLoginAttempt(sendPasswordLimitIpKey);
+      if (!sendPasswordCheck.allowed) {
+        return {
+          error: sendPasswordLockedOAuthResponse(sendPasswordCheck.retryAfterSeconds || 60),
+        };
+      }
+    }
+
+    let ok = false;
+    if (passwordHashB64) {
+      ok = verifySendPasswordHashB64(send, passwordHashB64);
+    } else if (password) {
+      ok = await verifySendPassword(send, password);
+    }
+
+    if (!ok) {
+      if (rateLimit && sendPasswordLimitIpKey) {
+        const failed = await rateLimit.recordFailedLogin(sendPasswordLimitIpKey);
+        if (failed.locked) {
+          return {
+            error: sendPasswordLockedOAuthResponse(failed.retryAfterSeconds || 60),
+          };
+        }
+      }
+      return {
+        error: jsonResponse(
+          {
+            error: 'invalid_grant',
+            error_description: 'Invalid password.',
+            send_access_error_type: 'invalid_password',
+            ErrorModel: {
+              Message: 'Invalid password.',
+              Object: 'error',
+            },
+          },
+          400
+        ),
+      };
+    }
+
+    if (rateLimit && sendPasswordLimitIpKey) {
+      await rateLimit.clearLoginAttempts(sendPasswordLimitIpKey);
+    }
+  }
+
+  const token = await createSendAccessToken(send.id, jwt.secret);
+  return { token };
+}
@@ -0,0 +1,451 @@
+import { Env, Send, SendAuthType, SendResponse, SendType, DEFAULT_DEV_SECRET } from '../types';
+import { notifyUserVaultSync } from '../durable/notifications-hub';
+import { StorageService } from '../services/storage';
+import { jsonResponse, errorResponse } from '../utils/response';
+import { readActingDeviceIdentifier } from '../utils/device';
+import { LIMITS } from '../config/limits';
+
+export const SEND_INACCESSIBLE_MSG = 'Send does not exist or is no longer available';
+const SEND_PASSWORD_ITERATIONS = 100_000;
+export const SEND_PASSWORD_LIMIT_SCOPE = 'send-password';
+
+export async function notifyVaultSyncForRequest(
+  request: Request,
+  env: Env,
+  userId: string,
+  revisionDate: string
+): Promise<void> {
+  await notifyUserVaultSync(env, userId, revisionDate, readActingDeviceIdentifier(request));
+}
+
+export function getAliasedProp(source: unknown, aliases: string[]): { present: boolean; value: unknown } {
+  if (!source || typeof source !== 'object') return { present: false, value: undefined };
+  for (const key of aliases) {
+    if (Object.prototype.hasOwnProperty.call(source, key)) {
+      const value = (source as Record<string, unknown>)[key];
+      return { present: true, value };
+    }
+  }
+  return { present: false, value: undefined };
+}
+
+export function base64UrlEncode(data: Uint8Array): string {
+  const base64 = btoa(String.fromCharCode(...data));
+  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+export function base64UrlDecode(input: string): Uint8Array | null {
+  try {
+    let normalized = input.replace(/-/g, '+').replace(/_/g, '/');
+    while (normalized.length % 4) normalized += '=';
+    const raw = atob(normalized);
+    const out = new Uint8Array(raw.length);
+    for (let i = 0; i < raw.length; i++) out[i] = raw.charCodeAt(i);
+    return out;
+  } catch {
+    return null;
+  }
+}
+
+function uuidToBytes(uuid: string): Uint8Array | null {
+  const hex = uuid.replace(/-/g, '').toLowerCase();
+  if (!/^[0-9a-f]{32}$/.test(hex)) return null;
+  const bytes = new Uint8Array(16);
+  for (let i = 0; i < 16; i++) {
+    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+
+function bytesToUuid(bytes: Uint8Array): string | null {
+  if (bytes.length !== 16) return null;
+  const hex = Array.from(bytes).map((b) => b.toString(16).padStart(2, '0')).join('');
+  return [
+    hex.slice(0, 8),
+    hex.slice(8, 12),
+    hex.slice(12, 16),
+    hex.slice(16, 20),
+    hex.slice(20, 32),
+  ].join('-');
+}
+
+function toAccessId(sendId: string): string {
+  const bytes = uuidToBytes(sendId);
+  if (!bytes) return '';
+  return base64UrlEncode(bytes);
+}
+
+export function fromAccessId(accessId: string): string | null {
+  const bytes = base64UrlDecode(accessId);
+  if (!bytes || bytes.length !== 16) return null;
+  return bytesToUuid(bytes);
+}
+
+function isLikelyUuid(value: string): boolean {
+  return /^[a-f0-9-]{36}$/i.test(value);
+}
+
+export async function resolveSendFromIdOrAccessId(storage: StorageService, idOrAccessId: string): Promise<Send | null> {
+  if (isLikelyUuid(idOrAccessId)) {
+    const send = await storage.getSend(idOrAccessId);
+    if (send) return send;
+  }
+
+  const sendId = fromAccessId(idOrAccessId);
+  if (!sendId) return null;
+  return storage.getSend(sendId);
+}
+
+export function formatSize(bytes: number): string {
+  if (bytes < 1024) return `${bytes} Bytes`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(2)} KB`;
+  if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(2)} MB`;
+  return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
+}
+
+export function parseDate(raw: unknown): Date | null {
+  if (typeof raw !== 'string' || !raw.trim()) return null;
+  const date = new Date(raw);
+  if (Number.isNaN(date.getTime())) return null;
+  return date;
+}
+
+export function parseInteger(raw: unknown): number | null {
+  if (raw === null || raw === undefined || raw === '') return null;
+  const value = typeof raw === 'string' ? Number(raw) : raw;
+  if (typeof value !== 'number' || !Number.isFinite(value) || !Number.isInteger(value)) return null;
+  return value;
+}
+
+export function sanitizeSendData(raw: unknown): Record<string, unknown> | null {
+  if (!raw || typeof raw !== 'object' || Array.isArray(raw)) return null;
+  const data = { ...(raw as Record<string, unknown>) };
+  delete data.response;
+  return data;
+}
+
+export function parseStoredSendData(send: Send): Record<string, unknown> {
+  try {
+    const parsed = JSON.parse(send.data) as unknown;
+    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+      return { ...(parsed as Record<string, unknown>) };
+    }
+    return {};
+  } catch {
+    return {};
+  }
+}
+
+function normalizeSendDataSizeField(data: Record<string, unknown>): Record<string, unknown> {
+  const normalized = { ...data };
+  if (typeof normalized.size === 'number' && Number.isFinite(normalized.size)) {
+    normalized.size = String(Math.trunc(normalized.size));
+  }
+  return normalized;
+}
+
+export function isSendAvailable(send: Send): boolean {
+  const now = Date.now();
+
+  if (send.maxAccessCount !== null && send.accessCount >= send.maxAccessCount) {
+    return false;
+  }
+
+  if (send.expirationDate) {
+    const expirationMs = new Date(send.expirationDate).getTime();
+    if (!Number.isNaN(expirationMs) && now >= expirationMs) {
+      return false;
+    }
+  }
+
+  const deletionMs = new Date(send.deletionDate).getTime();
+  if (!Number.isNaN(deletionMs) && now >= deletionMs) {
+    return false;
+  }
+
+  if (send.disabled) {
+    return false;
+  }
+
+  return true;
+}
+
+async function deriveSendPasswordHash(password: string, salt: Uint8Array, iterations: number): Promise<Uint8Array> {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey('raw', encoder.encode(password), { name: 'PBKDF2' }, false, ['deriveBits']);
+  const bits = await crypto.subtle.deriveBits(
+    {
+      name: 'PBKDF2',
+      salt,
+      iterations,
+      hash: 'SHA-256',
+    },
+    key,
+    256
+  );
+  return new Uint8Array(bits);
+}
+
+function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a[i] ^ b[i];
+  }
+  return diff === 0;
+}
+
+function isLikelyHashB64(value: string): boolean {
+  const raw = String(value || '').trim();
+  if (!raw) return false;
+  if (!/^[A-Za-z0-9+/_=-]+$/.test(raw)) return false;
+  const decoded = base64UrlDecode(raw);
+  return !!decoded && decoded.length === 32;
+}
+
+export async function setSendPassword(send: Send, password: string | null): Promise<void> {
+  if (!password) {
+    send.passwordHash = null;
+    send.passwordSalt = null;
+    send.passwordIterations = null;
+    if (send.authType === SendAuthType.Password) {
+      send.authType = SendAuthType.None;
+    }
+    return;
+  }
+
+  if (isLikelyHashB64(password)) {
+    send.passwordHash = password.trim();
+    send.passwordSalt = null;
+    send.passwordIterations = null;
+    send.authType = SendAuthType.Password;
+    return;
+  }
+
+  const salt = crypto.getRandomValues(new Uint8Array(64));
+  const hash = await deriveSendPasswordHash(password, salt, SEND_PASSWORD_ITERATIONS);
+
+  send.passwordSalt = base64UrlEncode(salt);
+  send.passwordHash = base64UrlEncode(hash);
+  send.passwordIterations = SEND_PASSWORD_ITERATIONS;
+  send.authType = SendAuthType.Password;
+}
+
+export async function verifySendPassword(send: Send, password: string): Promise<boolean> {
+  if (!send.passwordHash) {
+    return false;
+  }
+
+  if (!send.passwordSalt || !send.passwordIterations) {
+    return verifySendPasswordHashB64(send, password);
+  }
+
+  const salt = base64UrlDecode(send.passwordSalt);
+  const expected = base64UrlDecode(send.passwordHash);
+  if (!salt || !expected) return false;
+
+  const actual = await deriveSendPasswordHash(password, salt, send.passwordIterations);
+  return constantTimeEqual(actual, expected);
+}
+
+export function verifySendPasswordHashB64(send: Send, passwordHashB64: string): boolean {
+  if (!send.passwordHash || !passwordHashB64) return false;
+  const expected = base64UrlDecode(send.passwordHash);
+  const provided = base64UrlDecode(passwordHashB64);
+  if (!expected || !provided) return false;
+  return constantTimeEqual(expected, provided);
+}
+
+export function validateDeletionDate(date: Date): Response | null {
+  const maxMs = Date.now() + LIMITS.send.maxDeletionDays * 24 * 60 * 60 * 1000;
+  if (date.getTime() > maxMs) {
+    return errorResponse(
+      'You cannot have a Send with a deletion date that far into the future. Adjust the Deletion Date to a value less than 31 days from now and try again.',
+      400
+    );
+  }
+  return null;
+}
+
+export function parseMaxAccessCount(value: unknown): { ok: true; value: number | null } | { ok: false; response: Response } {
+  const parsed = parseInteger(value);
+  if (value === undefined || value === null || value === '') {
+    return { ok: true, value: null };
+  }
+  if (parsed === null || parsed < 0) {
+    return { ok: false, response: errorResponse('Invalid maxAccessCount', 400) };
+  }
+  return { ok: true, value: parsed };
+}
+
+export function parseFileLength(value: unknown): { ok: true; value: number } | { ok: false; response: Response } {
+  const parsed = parseInteger(value);
+  if (parsed === null) {
+    return { ok: false, response: errorResponse('Invalid send length', 400) };
+  }
+  if (parsed < 0) {
+    return { ok: false, response: errorResponse("Send size can't be negative", 400) };
+  }
+  return { ok: true, value: parsed };
+}
+
+export function parseSendType(value: unknown): SendType | null {
+  const type = parseInteger(value);
+  if (type === SendType.Text || type === SendType.File) return type;
+  return null;
+}
+
+export function parseSendAuthType(value: unknown): SendAuthType | null {
+  if (value === undefined || value === null || value === '') return null;
+  const parsed = parseInteger(value);
+  if (parsed === SendAuthType.Email || parsed === SendAuthType.Password || parsed === SendAuthType.None) {
+    return parsed;
+  }
+  return null;
+}
+
+export function normalizeEmails(value: unknown): string | null {
+  if (value === null || value === undefined || value === '') return null;
+  if (typeof value === 'string') return value;
+  if (Array.isArray(value)) {
+    const strings = value.filter((v) => typeof v === 'string').map((v) => String(v));
+    if (strings.length === 0) return null;
+    return strings.join(',');
+  }
+  return null;
+}
+
+export function hasEmailAuth(send: Send): boolean {
+  return send.authType === SendAuthType.Email;
+}
+
+export function getSafeJwtSecret(env: Env): { ok: true; secret: string } | { ok: false; response: Response } {
+  const secret = (env.JWT_SECRET || '').trim();
+  if (!secret || secret.length < LIMITS.auth.jwtSecretMinLength || secret === DEFAULT_DEV_SECRET) {
+    return { ok: false, response: errorResponse('Server configuration error', 500) };
+  }
+  return { ok: true, secret };
+}
+
+export function extractBearerToken(request: Request): string | null {
+  const authHeader = request.headers.get('Authorization');
+  if (!authHeader) return null;
+  const match = authHeader.match(/^Bearer\s+(.+)$/i);
+  return match ? match[1].trim() : null;
+}
+
+export function sendToResponse(send: Send): SendResponse {
+  const data = normalizeSendDataSizeField(parseStoredSendData(send));
+  return {
+    id: send.id,
+    accessId: toAccessId(send.id),
+    type: Number(send.type) || 0,
+    name: send.name,
+    notes: send.notes,
+    text: send.type === SendType.Text ? data : null,
+    file: send.type === SendType.File ? data : null,
+    key: send.key,
+    maxAccessCount: send.maxAccessCount,
+    accessCount: send.accessCount,
+    password: send.passwordHash,
+    emails: send.emails,
+    authType: send.authType,
+    disabled: send.disabled,
+    hideEmail: send.hideEmail,
+    revisionDate: send.updatedAt,
+    expirationDate: send.expirationDate,
+    deletionDate: send.deletionDate,
+    object: 'send',
+  };
+}
+
+export function sendToAccessResponse(send: Send, creatorIdentifier: string | null): Record<string, unknown> {
+  const data = normalizeSendDataSizeField(parseStoredSendData(send));
+  return {
+    id: send.id,
+    type: Number(send.type) || 0,
+    name: send.name,
+    text: send.type === SendType.Text ? data : null,
+    file: send.type === SendType.File ? data : null,
+    expirationDate: send.expirationDate,
+    deletionDate: send.deletionDate,
+    creatorIdentifier,
+    object: 'send-access',
+  };
+}
+
+export async function getCreatorIdentifier(storage: StorageService, send: Send): Promise<string | null> {
+  if (send.hideEmail) return null;
+  const owner = await storage.getUserById(send.userId);
+  return owner?.email ?? null;
+}
+
+export type PublicSendAccessValidationResult =
+  | { ok: true }
+  | { ok: false; response: Response; reason: 'email_auth_unsupported' | 'password_missing' | 'invalid_password' };
+
+export function sendPasswordLimitKey(clientIdentifier: string): string {
+  return `${clientIdentifier}:${SEND_PASSWORD_LIMIT_SCOPE}`;
+}
+
+function sendPasswordLockMessage(retryAfterSeconds: number): string {
+  return `Too many failed send password attempts. Try again in ${Math.ceil(retryAfterSeconds / 60)} minutes.`;
+}
+
+export function sendPasswordLockedErrorResponse(retryAfterSeconds: number): Response {
+  return errorResponse(sendPasswordLockMessage(retryAfterSeconds), 429);
+}
+
+export function sendPasswordLockedOAuthResponse(retryAfterSeconds: number): Response {
+  const message = sendPasswordLockMessage(retryAfterSeconds);
+  return jsonResponse(
+    {
+      error: 'invalid_grant',
+      error_description: message,
+      send_access_error_type: 'too_many_password_attempts',
+      ErrorModel: {
+        Message: message,
+        Object: 'error',
+      },
+    },
+    429
+  );
+}
+
+export async function validatePublicSendAccess(send: Send, body: unknown): Promise<PublicSendAccessValidationResult> {
+  if (hasEmailAuth(send)) {
+    return { ok: false, response: errorResponse(SEND_INACCESSIBLE_MSG, 404), reason: 'email_auth_unsupported' };
+  }
+
+  if (!send.passwordHash) return { ok: true };
+
+  const passwordRaw = getAliasedProp(body, ['password', 'Password']);
+  const passwordHashB64Raw = getAliasedProp(body, [
+    'password_hash_b64',
+    'passwordHashB64',
+    'passwordHash',
+    'password_hash',
+  ]);
+
+  let validPassword = false;
+  if (send.passwordSalt && send.passwordIterations) {
+    if (typeof passwordRaw.value !== 'string') {
+      return { ok: false, response: errorResponse('Password not provided', 401), reason: 'password_missing' };
+    }
+    validPassword = await verifySendPassword(send, passwordRaw.value);
+  } else {
+    const candidate =
+      typeof passwordHashB64Raw.value === 'string'
+        ? passwordHashB64Raw.value
+        : typeof passwordRaw.value === 'string'
+          ? passwordRaw.value
+          : '';
+    if (!candidate) return { ok: false, response: errorResponse('Password not provided', 401), reason: 'password_missing' };
+    validPassword = verifySendPasswordHashB64(send, candidate);
+  }
+  if (!validPassword) {
+    return { ok: false, response: errorResponse('Invalid password', 400), reason: 'invalid_password' };
+  }
+
+  return { ok: true };
+}
@@ -0,0 +1,3 @@
+export * from './sends-shared';
+export * from './sends-private';
+export * from './sends-public';
@@ -1,57 +0,0 @@
-import { Env, DEFAULT_DEV_SECRET } from '../types';
-import { StorageService } from '../services/storage';
-import { jsonResponse, errorResponse, htmlResponse } from '../utils/response';
-import { renderRegisterPageHTML } from '../setup/pageTemplate';
-import { LIMITS } from '../config/limits';
-
-type JwtSecretState = 'missing' | 'default' | 'too_short';
-
-function getJwtSecretState(env: Env): JwtSecretState | null {
-  const secret = (env.JWT_SECRET || '').trim();
-  if (!secret) return 'missing';
-  // Block common "forgot to change" sample value (matches .dev.vars.example)
-  if (secret === DEFAULT_DEV_SECRET) return 'default';
-  if (secret.length < LIMITS.auth.jwtSecretMinLength) return 'too_short';
-  return null;
-}
-
-async function handleRegisterPage(request: Request, env: Env, jwtState: JwtSecretState | null): Promise<Response> {
-  const storage = new StorageService(env.DB);
-  const disabled = await storage.isSetupDisabled();
-  if (disabled) {
-    return new Response(null, { status: 404 });
-  }
-  return htmlResponse(renderRegisterPageHTML(jwtState));
-}
-
-// GET / - Setup page
-export async function handleSetupPage(request: Request, env: Env): Promise<Response> {
-  const storage = new StorageService(env.DB);
-  const disabled = await storage.isSetupDisabled();
-  if (disabled) {
-    return new Response(null, { status: 404 });
-  }
-
-  // 引导页内会处理 JWT_SECRET 检测与分流（坏密钥停留在修复步骤）。
-  const jwtState = getJwtSecretState(env);
-  return handleRegisterPage(request, env, jwtState);
-}
-
-// GET /setup/status
-export async function handleSetupStatus(request: Request, env: Env): Promise<Response> {
-  const storage = new StorageService(env.DB);
-  const registered = await storage.isRegistered();
-  const disabled = await storage.isSetupDisabled();
-  return jsonResponse({ registered, disabled });
-}
-
-// POST /setup/disable
-export async function handleDisableSetup(request: Request, env: Env): Promise<Response> {
-  const storage = new StorageService(env.DB);
-  const registered = await storage.isRegistered();
-  if (!registered) {
-    return errorResponse('Registration required', 403);
-  }
-  await storage.setSetupDisabled();
-  return jsonResponse({ success: true });
-}
@@ -2,15 +2,25 @@ import { Env, SyncResponse, CipherResponse, FolderResponse, ProfileResponse } fr
 import { StorageService } from '../services/storage';
 import { errorResponse } from '../utils/response';
 import { cipherToResponse } from './ciphers';
+import { sendToResponse } from './sends';
 import { LIMITS } from '../config/limits';
-import { isTotpEnabled } from '../utils/totp';
+import {
+  buildAccountKeys,
+  buildUserDecryptionCompat,
+  buildUserDecryptionOptions,
+} from '../utils/user-decryption';

 interface SyncCacheEntry {
+  userId: string;
+  revisionDate: string;
  body: string;
  expiresAt: number;
+  bytes: number;
 }

 const syncResponseCache = new Map<string, SyncCacheEntry>();
+let syncResponseCacheTotalBytes = 0;
+const textEncoder = new TextEncoder();

 function buildSyncCacheKey(userId: string, revisionDate: string, excludeDomains: boolean): string {
  return `${userId}:${revisionDate}:${excludeDomains ? '1' : '0'}`;
@@ -20,21 +30,67 @@ function readSyncCache(key: string): string | null {
  const hit = syncResponseCache.get(key);
  if (!hit) return null;
  if (hit.expiresAt <= Date.now()) {
-    syncResponseCache.delete(key);
+    deleteSyncCacheEntry(key, hit);
    return null;
  }
  return hit.body;
 }

-function writeSyncCache(key: string, body: string): void {
-  if (syncResponseCache.size >= LIMITS.cache.syncResponseMaxEntries) {
-    const oldestKey = syncResponseCache.keys().next().value as string | undefined;
-    if (oldestKey) syncResponseCache.delete(oldestKey);
+function deleteSyncCacheEntry(key: string, entry?: SyncCacheEntry): void {
+  const existing = entry ?? syncResponseCache.get(key);
+  if (!existing) return;
+  syncResponseCache.delete(key);
+  syncResponseCacheTotalBytes = Math.max(0, syncResponseCacheTotalBytes - existing.bytes);
+}
+
+function pruneExpiredSyncCache(nowMs: number = Date.now()): void {
+  for (const [key, entry] of syncResponseCache.entries()) {
+    if (entry.expiresAt <= nowMs) {
+      deleteSyncCacheEntry(key, entry);
+    }
  }
+}
+
+function pruneStaleUserSyncCache(userId: string, revisionDate: string): void {
+  for (const [key, entry] of syncResponseCache.entries()) {
+    if (entry.userId === userId && entry.revisionDate !== revisionDate) {
+      deleteSyncCacheEntry(key, entry);
+    }
+  }
+}
+
+function writeSyncCache(userId: string, revisionDate: string, key: string, body: string): void {
+  const nowMs = Date.now();
+  pruneExpiredSyncCache(nowMs);
+  pruneStaleUserSyncCache(userId, revisionDate);
+
+  const bodyBytes = textEncoder.encode(body).byteLength;
+  if (bodyBytes > LIMITS.cache.syncResponseMaxBodyBytes) {
+    return;
+  }
+
+  const existing = syncResponseCache.get(key);
+  if (existing) {
+    deleteSyncCacheEntry(key, existing);
+  }
+
+  while (
+    syncResponseCache.size >= LIMITS.cache.syncResponseMaxEntries ||
+    syncResponseCacheTotalBytes + bodyBytes > LIMITS.cache.syncResponseMaxTotalBytes
+  ) {
+    const oldestKey = syncResponseCache.keys().next().value as string | undefined;
+    if (!oldestKey) break;
+    deleteSyncCacheEntry(oldestKey);
+  }
+
  syncResponseCache.set(key, {
+    userId,
+    revisionDate,
    body,
-    expiresAt: Date.now() + LIMITS.cache.syncResponseTtlMs,
+    expiresAt: nowMs + LIMITS.cache.syncResponseTtlMs,
+    bytes: bodyBytes,
  });
+  syncResponseCacheTotalBytes += bodyBytes;
 }

 // GET /api/sync
@@ -43,6 +99,12 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
  const url = new URL(request.url);
  const excludeDomainsParam = url.searchParams.get('excludeDomains');
  const excludeDomains = excludeDomainsParam !== null && /^(1|true|yes)$/i.test(excludeDomainsParam);
+  const userAgent = String(request.headers.get('user-agent') || '').toLowerCase();
+  const omitFido2Credentials =
+    userAgent.includes('android') ||
+    userAgent.includes('iphone') ||
+    userAgent.includes('ipad') ||
+    userAgent.includes('ios');
  
  const user = await storage.getUserById(userId);
  if (!user) {
@@ -61,6 +123,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr

  const ciphers = await storage.getAllCiphers(userId);
  const folders = await storage.getAllFolders(userId);
+  const sends = await storage.getAllSends(userId);
  const attachmentsByCipher = await storage.getAttachmentsByUserId(userId);

  // Build profile response
@@ -72,12 +135,12 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    premium: true,
    premiumFromOrganization: false,
    usesKeyConnector: false,
-    masterPasswordHint: null,
+    masterPasswordHint: user.masterPasswordHint,
    culture: 'en-US',
-    twoFactorEnabled: isTotpEnabled(env.TOTP_SECRET),
+    twoFactorEnabled: !!user.totpSecret,
    key: user.key,
    privateKey: user.privateKey,
-    accountKeys: null,
+    accountKeys: buildAccountKeys(user),
    securityStamp: user.securityStamp || user.id,
    organizations: [],
    providers: [],
@@ -85,6 +148,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
    forcePasswordReset: false,
    avatarColor: null,
    creationDate: user.createdAt,
+    verifyDevices: user.verifyDevices,
    object: 'profile',
  };

@@ -92,7 +156,7 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
  const cipherResponses: CipherResponse[] = [];
  for (const cipher of ciphers) {
    const attachments = attachmentsByCipher.get(cipher.id) || [];
-    cipherResponses.push(cipherToResponse(cipher, attachments));
+    cipherResponses.push(cipherToResponse(cipher, attachments, { omitFido2Credentials }));
  }

  // Build folder responses
@@ -116,43 +180,22 @@ export async function handleSync(request: Request, env: Env, userId: string): Pr
          object: 'domains',
        },
    policies: [],
-    sends: [],
+    sends: sends.map(sendToResponse),
+    UserDecryption: {
+      MasterPasswordUnlock: buildUserDecryptionOptions(user).MasterPasswordUnlock,
+      TrustedDeviceOption: null,
+      KeyConnectorOption: null,
+      Object: 'userDecryption',
+    },
    // PascalCase for desktop/browser clients
-    UserDecryptionOptions: {
-      HasMasterPassword: true,
-      Object: 'userDecryptionOptions',
-      MasterPasswordUnlock: {
-        Kdf: {
-          KdfType: user.kdfType,
-          Iterations: user.kdfIterations,
-          Memory: user.kdfMemory || null,
-          Parallelism: user.kdfParallelism || null,
-        },
-        MasterKeyEncryptedUserKey: user.key,
-        MasterKeyWrappedUserKey: user.key,
-        Salt: user.email.toLowerCase(),
-        Object: 'masterPasswordUnlock',
-      },
-    },
+    UserDecryptionOptions: buildUserDecryptionOptions(user),
    // camelCase for Android client (SyncResponseJson uses @SerialName("userDecryption"))
-    userDecryption: {
-      masterPasswordUnlock: {
-        kdf: {
-          kdfType: user.kdfType,
-          iterations: user.kdfIterations,
-          memory: user.kdfMemory || null,
-          parallelism: user.kdfParallelism || null,
-        },
-        masterKeyWrappedUserKey: user.key,
-        masterKeyEncryptedUserKey: user.key,
-        salt: user.email.toLowerCase(),
-      },
-    },
+    userDecryption: buildUserDecryptionCompat(user) as SyncResponse['userDecryption'],
    object: 'sync',
  };

  const body = JSON.stringify(syncResponse);
-  writeSyncCache(cacheKey, body);
+  writeSyncCache(userId, revisionDate, cacheKey, body);

  return new Response(body, {
    status: 200,
@@ -1,25 +1,34 @@
 import { Env } from './types';
+import { NotificationsHub } from './durable/notifications-hub';
 import { handleRequest } from './router';
 import { StorageService } from './services/storage';
 import { applyCors, jsonResponse } from './utils/response';
+import { runScheduledBackupIfDue } from './handlers/backup';

 let dbInitialized = false;
 let dbInitError: string | null = null;
 let dbInitPromise: Promise<void> | null = null;

-function shouldSkipDatabaseInit(request: Request): boolean {
+function isWorkerHandledPath(path: string): boolean {
+  return (
+    path.startsWith('/api/') ||
+    path.startsWith('/identity/') ||
+    path.startsWith('/icons/') ||
+    path.startsWith('/notifications/') ||
+    path.startsWith('/.well-known/') ||
+    path === '/config' ||
+    path === '/api/config' ||
+    path === '/api/version'
+  );
+}
+
+async function maybeServeAsset(request: Request, env: Env): Promise<Response | null> {
+  if (!env.ASSETS) return null;
+  if (request.method !== 'GET' && request.method !== 'HEAD') return null;
  const url = new URL(request.url);
-  const path = url.pathname;
-  const method = request.method;
+  if (isWorkerHandledPath(url.pathname)) return null;

-  if (method === 'OPTIONS') return true;
-  if (method === 'GET' && (path === '/favicon.ico' || path === '/favicon.svg')) return true;
-  if (method === 'GET' && path === '/.well-known/appspecific/com.chrome.devtools.json') return true;
-  if (method === 'GET' && path.startsWith('/icons/')) return true;
-  if (path.startsWith('/notifications/')) return true;
-  if (method === 'GET' && (path === '/config' || path === '/api/config' || path === '/api/version')) return true;
-
-  return false;
+  return env.ASSETS.fetch(request);
 }

 async function ensureDatabaseInitialized(env: Env): Promise<void> {
@@ -47,27 +56,44 @@ async function ensureDatabaseInitialized(env: Env): Promise<void> {
 export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
    void ctx;
-    const requiresDatabase = !shouldSkipDatabaseInit(request);
+    const assetResponse = await maybeServeAsset(request, env);
+    if (assetResponse) {
+      return applyCors(request, assetResponse);
+    }

-    if (requiresDatabase) {
-      await ensureDatabaseInitialized(env);
-      if (dbInitError) {
-        const resp = jsonResponse(
-          {
-            error: 'Database not initialized',
-            error_description: dbInitError,
-            ErrorModel: {
-              Message: dbInitError,
-              Object: 'error',
-            },
+    await ensureDatabaseInitialized(env);
+    if (dbInitError) {
+      // Log full error server-side, return generic message to client.
+      console.error('DB init error (not forwarded to client):', dbInitError);
+      const resp = jsonResponse(
+        {
+          error: 'Database not initialized',
+          error_description: 'Database initialization failed. Check server logs for details.',
+          ErrorModel: {
+            Message: 'Service temporarily unavailable',
+            Object: 'error',
          },
-          500
-        );
-        return applyCors(request, resp);
-      }
+        },
+        500
+      );
+      return applyCors(request, resp);
    }

    const resp = await handleRequest(request, env);
    return applyCors(request, resp);
  },
+
+  async scheduled(controller: ScheduledController, env: Env, ctx: ExecutionContext): Promise<void> {
+    void controller;
+    await ensureDatabaseInitialized(env);
+    if (dbInitError) {
+      console.error('Skipping scheduled backup because DB init failed:', dbInitError);
+      return;
+    }
+    ctx.waitUntil(runScheduledBackupIfDue(env).catch((error) => {
+      console.error('Scheduled backup failed:', error);
+    }));
+  },
 };
+
+export { NotificationsHub };
@@ -0,0 +1,74 @@
+import type { Env, User } from './types';
+import {
+  handleAdminExportBackup,
+  handleDownloadAdminRemoteBackup,
+  handleDeleteAdminRemoteBackup,
+  handleDownloadAdminBackupAttachment,
+  handleGetAdminBackupSettings,
+  handleGetAdminBackupSettingsRepairState,
+  handleInspectAdminRemoteBackup,
+  handleAdminImportBackup,
+  handleListAdminRemoteBackups,
+  handleRepairAdminBackupSettings,
+  handleRestoreAdminRemoteBackup,
+  handleRunAdminConfiguredBackup,
+  handleUpdateAdminBackupSettings,
+} from './handlers/backup';
+
+export async function handleAdminBackupRoute(
+  request: Request,
+  env: Env,
+  actorUser: User,
+  path: string,
+  method: string
+): Promise<Response | null> {
+  if (path === '/api/admin/backup/export' && method === 'POST') {
+    return handleAdminExportBackup(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/backup/blob' && method === 'GET') {
+    return handleDownloadAdminBackupAttachment(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/backup/settings') {
+    if (method === 'GET') return handleGetAdminBackupSettings(request, env, actorUser);
+    if (method === 'PUT') return handleUpdateAdminBackupSettings(request, env, actorUser);
+    return null;
+  }
+
+  if (path === '/api/admin/backup/settings/repair') {
+    if (method === 'GET') return handleGetAdminBackupSettingsRepairState(request, env, actorUser);
+    if (method === 'POST') return handleRepairAdminBackupSettings(request, env, actorUser);
+    return null;
+  }
+
+  if (path === '/api/admin/backup/run' && method === 'POST') {
+    return handleRunAdminConfiguredBackup(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/backup/remote' && method === 'GET') {
+    return handleListAdminRemoteBackups(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/backup/remote/download' && method === 'GET') {
+    return handleDownloadAdminRemoteBackup(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/backup/remote/integrity' && method === 'GET') {
+    return handleInspectAdminRemoteBackup(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/backup/remote/file' && method === 'DELETE') {
+    return handleDeleteAdminRemoteBackup(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/backup/remote/restore' && method === 'POST') {
+    return handleRestoreAdminRemoteBackup(request, env, actorUser);
+  }
+
+  if (path === '/api/admin/backup/import' && method === 'POST') {
+    return handleAdminImportBackup(request, env, actorUser);
+  }
+
+  return null;
+}
@@ -0,0 +1,51 @@
+import type { Env, User } from './types';
+import {
+  handleAdminListUsers,
+  handleAdminCreateInvite,
+  handleAdminListInvites,
+  handleAdminDeleteAllInvites,
+  handleAdminRevokeInvite,
+  handleAdminSetUserStatus,
+  handleAdminDeleteUser,
+} from './handlers/admin';
+import { handleAdminBackupRoute } from './router-admin-backup';
+
+export async function handleAdminRoute(
+  request: Request,
+  env: Env,
+  actorUser: User,
+  path: string,
+  method: string
+): Promise<Response | null> {
+  if (path === '/api/admin/users' && method === 'GET') {
+    return handleAdminListUsers(request, env, actorUser);
+  }
+
+  const adminBackupResponse = await handleAdminBackupRoute(request, env, actorUser, path, method);
+  if (adminBackupResponse) return adminBackupResponse;
+
+  if (path === '/api/admin/invites') {
+    if (method === 'GET') return handleAdminListInvites(request, env, actorUser);
+    if (method === 'POST') return handleAdminCreateInvite(request, env, actorUser);
+    if (method === 'DELETE') return handleAdminDeleteAllInvites(request, env, actorUser);
+    return null;
+  }
+
+  const adminInviteMatch = path.match(/^\/api\/admin\/invites\/([^/]+)$/i);
+  if (adminInviteMatch && method === 'DELETE') {
+    const inviteCode = decodeURIComponent(adminInviteMatch[1]);
+    return handleAdminRevokeInvite(request, env, actorUser, inviteCode);
+  }
+
+  const adminUserStatusMatch = path.match(/^\/api\/admin\/users\/([a-f0-9-]+)\/status$/i);
+  if (adminUserStatusMatch && (method === 'PUT' || method === 'POST')) {
+    return handleAdminSetUserStatus(request, env, actorUser, adminUserStatusMatch[1]);
+  }
+
+  const adminUserDeleteMatch = path.match(/^\/api\/admin\/users\/([a-f0-9-]+)$/i);
+  if (adminUserDeleteMatch && method === 'DELETE') {
+    return handleAdminDeleteUser(request, env, actorUser, adminUserDeleteMatch[1]);
+  }
+
+  return null;
+}
@@ -0,0 +1,302 @@
+import type { Env, User } from './types';
+import { errorResponse, jsonResponse } from './utils/response';
+import {
+  handleGetProfile,
+  handleUpdateProfile,
+  handleSetKeys,
+  handleGetRevisionDate,
+  handleVerifyPassword,
+  handleChangePassword,
+  handleSetVerifyDevices,
+  handleGetTotpStatus,
+  handleSetTotpStatus,
+  handleGetTotpRecoveryCode,
+} from './handlers/accounts';
+import {
+  handleGetCiphers,
+  handleGetCipher,
+  handleCreateCipher,
+  handleUpdateCipher,
+  handleDeleteCipher,
+  handleDeleteCipherCompat,
+  handlePermanentDeleteCipher,
+  handleRestoreCipher,
+  handleBulkArchiveCiphers,
+  handlePartialUpdateCipher,
+  handleBulkUnarchiveCiphers,
+  handleBulkMoveCiphers,
+  handleBulkDeleteCiphers,
+  handleBulkPermanentDeleteCiphers,
+  handleBulkRestoreCiphers,
+  handleArchiveCipher,
+  handleUnarchiveCipher,
+} from './handlers/ciphers';
+import {
+  handleGetFolders,
+  handleGetFolder,
+  handleCreateFolder,
+  handleUpdateFolder,
+  handleDeleteFolder,
+  handleBulkDeleteFolders,
+} from './handlers/folders';
+import {
+  handleGetSends,
+  handleGetSend,
+  handleCreateSend,
+  handleCreateFileSendV2,
+  handleGetSendFileUpload,
+  handleUploadSendFile,
+  handleUpdateSend,
+  handleDeleteSend,
+  handleBulkDeleteSends,
+  handleRemoveSendPassword,
+  handleRemoveSendAuth,
+} from './handlers/sends';
+import { handleSync } from './handlers/sync';
+import { handleCiphersImport } from './handlers/import';
+import {
+  handleCreateAttachment,
+  handleUploadAttachment,
+  handleGetAttachment,
+  handleDeleteAttachment,
+} from './handlers/attachments';
+import { handleAuthenticatedDeviceRoute } from './router-devices';
+import { handleAdminRoute } from './router-admin';
+
+export async function handleAuthenticatedRoute(
+  request: Request,
+  env: Env,
+  userId: string,
+  currentUser: User,
+  path: string,
+  method: string
+): Promise<Response | null> {
+  if (method === 'POST' || method === 'PUT' || method === 'DELETE') {
+    const blockedAccountPaths = new Set([
+      '/api/accounts/set-password',
+      '/api/accounts/delete',
+      '/api/accounts/delete-account',
+      '/api/accounts/delete-vault',
+    ]);
+    if (blockedAccountPaths.has(path)) {
+      return errorResponse('Not implemented', 501);
+    }
+  }
+
+  if (path === '/api/accounts/profile') {
+    if (method === 'GET') return handleGetProfile(request, env, userId);
+    if (method === 'PUT') return handleUpdateProfile(request, env, userId);
+    return errorResponse('Method not allowed', 405);
+  }
+
+  if ((path === '/api/accounts/password' || path === '/api/accounts/change-password') && (method === 'POST' || method === 'PUT')) {
+    return handleChangePassword(request, env, userId);
+  }
+
+  if (path === '/api/accounts/keys' && method === 'POST') {
+    return handleSetKeys(request, env, userId);
+  }
+
+  if (path === '/api/accounts/totp') {
+    if (method === 'GET') return handleGetTotpStatus(request, env, userId);
+    if (method === 'PUT' || method === 'POST') return handleSetTotpStatus(request, env, userId);
+    return null;
+  }
+
+  if ((path === '/api/accounts/totp/recovery-code' || path === '/api/two-factor/get-recover') && method === 'POST') {
+    return handleGetTotpRecoveryCode(request, env, userId);
+  }
+
+  if (path === '/api/accounts/revision-date' && method === 'GET') {
+    return handleGetRevisionDate(request, env, userId);
+  }
+
+  if (path === '/api/accounts/verify-password' && method === 'POST') {
+    return handleVerifyPassword(request, env, userId);
+  }
+
+  if (path === '/api/accounts/verify-devices' && (method === 'PUT' || method === 'POST')) {
+    return handleSetVerifyDevices(request, env, userId);
+  }
+
+  if (path === '/api/sync' && method === 'GET') {
+    return handleSync(request, env, userId);
+  }
+
+  if (path.startsWith('/notifications/')) {
+    return errorResponse('Not found', 404);
+  }
+
+  if (path === '/api/ciphers' || path === '/api/ciphers/create') {
+    if (method === 'GET') return handleGetCiphers(request, env, userId);
+    if (method === 'POST') return handleCreateCipher(request, env, userId);
+    return null;
+  }
+
+  if (path === '/api/ciphers/import' && method === 'POST') {
+    return handleCiphersImport(request, env, userId);
+  }
+
+  if (path === '/api/ciphers/delete' && method === 'POST') {
+    return handleBulkDeleteCiphers(request, env, userId);
+  }
+
+  if (path === '/api/ciphers/delete-permanent' && method === 'POST') {
+    return handleBulkPermanentDeleteCiphers(request, env, userId);
+  }
+
+  if (path === '/api/ciphers/restore' && method === 'POST') {
+    return handleBulkRestoreCiphers(request, env, userId);
+  }
+
+  if (path === '/api/ciphers/archive' && (method === 'PUT' || method === 'POST')) {
+    return handleBulkArchiveCiphers(request, env, userId);
+  }
+
+  if (path === '/api/ciphers/unarchive' && (method === 'PUT' || method === 'POST')) {
+    return handleBulkUnarchiveCiphers(request, env, userId);
+  }
+
+  if (path === '/api/ciphers/move' && (method === 'POST' || method === 'PUT')) {
+    return handleBulkMoveCiphers(request, env, userId);
+  }
+
+  const cipherMatch = path.match(/^\/api\/ciphers\/([a-f0-9-]+)(\/.*)?$/i);
+  if (cipherMatch) {
+    const cipherId = cipherMatch[1];
+    const subPath = cipherMatch[2] || '';
+
+    if (subPath === '' || subPath === '/') {
+      if (method === 'GET') return handleGetCipher(request, env, userId, cipherId);
+      if (method === 'PUT' || method === 'POST') return handleUpdateCipher(request, env, userId, cipherId);
+      if (method === 'DELETE') return handleDeleteCipherCompat(request, env, userId, cipherId);
+    }
+
+    if (subPath === '/delete' && method === 'PUT') return handleDeleteCipher(request, env, userId, cipherId);
+    if (subPath === '/delete' && method === 'DELETE') return handlePermanentDeleteCipher(request, env, userId, cipherId);
+    if (subPath === '/restore' && method === 'PUT') return handleRestoreCipher(request, env, userId, cipherId);
+    if (subPath === '/archive' && (method === 'PUT' || method === 'POST')) return handleArchiveCipher(request, env, userId, cipherId);
+    if (subPath === '/unarchive' && (method === 'PUT' || method === 'POST')) return handleUnarchiveCipher(request, env, userId, cipherId);
+    if (subPath === '/partial' && (method === 'PUT' || method === 'POST')) return handlePartialUpdateCipher(request, env, userId, cipherId);
+    if (subPath === '/share' && method === 'POST') return handleGetCipher(request, env, userId, cipherId);
+    if (subPath === '/details' && method === 'GET') return handleGetCipher(request, env, userId, cipherId);
+    if (subPath === '/attachment/v2' && method === 'POST') return handleCreateAttachment(request, env, userId, cipherId);
+    if (subPath === '/attachment' && method === 'POST') return handleCreateAttachment(request, env, userId, cipherId);
+
+    const attachmentMatch = subPath.match(/^\/attachment\/([a-f0-9-]+)$/i);
+    if (attachmentMatch) {
+      const attachmentId = attachmentMatch[1];
+      if (method === 'POST' || method === 'PUT') return handleUploadAttachment(request, env, userId, cipherId, attachmentId);
+      if (method === 'GET') return handleGetAttachment(request, env, userId, cipherId, attachmentId);
+      if (method === 'DELETE') return handleDeleteAttachment(request, env, userId, cipherId, attachmentId);
+    }
+
+    const attachmentDeleteMatch = subPath.match(/^\/attachment\/([a-f0-9-]+)\/delete$/i);
+    if (attachmentDeleteMatch && method === 'POST') {
+      return handleDeleteAttachment(request, env, userId, cipherId, attachmentDeleteMatch[1]);
+    }
+  }
+
+  if (path === '/api/folders') {
+    if (method === 'GET') return handleGetFolders(request, env, userId);
+    if (method === 'POST') return handleCreateFolder(request, env, userId);
+    return null;
+  }
+
+  if (path === '/api/folders/delete' && method === 'POST') {
+    return handleBulkDeleteFolders(request, env, userId);
+  }
+
+  const folderMatch = path.match(/^\/api\/folders\/([a-f0-9-]+)$/i);
+  if (folderMatch) {
+    const folderId = folderMatch[1];
+    if (method === 'GET') return handleGetFolder(request, env, userId, folderId);
+    if (method === 'PUT') return handleUpdateFolder(request, env, userId, folderId);
+    if (method === 'DELETE') return handleDeleteFolder(request, env, userId, folderId);
+  }
+
+  if (path.startsWith('/api/auth-requests')) {
+    return jsonResponse({ data: [], object: 'list', continuationToken: null });
+  }
+
+  if (path === '/api/collections' || path.startsWith('/api/collections/')) {
+    if (method === 'GET') {
+      return jsonResponse({ data: [], object: 'list', continuationToken: null });
+    }
+    return null;
+  }
+
+  if (path === '/api/organizations' || path.startsWith('/api/organizations/')) {
+    if (method === 'GET') {
+      return jsonResponse({ data: [], object: 'list', continuationToken: null });
+    }
+    return null;
+  }
+
+  if (path === '/api/sends') {
+    if (method === 'GET') return handleGetSends(request, env, userId);
+    if (method === 'POST') return handleCreateSend(request, env, userId);
+    return null;
+  }
+
+  if (path === '/api/sends/file/v2' && method === 'POST') {
+    return handleCreateFileSendV2(request, env, userId);
+  }
+
+  if (path === '/api/sends/delete' && method === 'POST') {
+    return handleBulkDeleteSends(request, env, userId);
+  }
+
+  const sendMatch = path.match(/^\/api\/sends\/([^/]+)(\/.*)?$/i);
+  if (sendMatch) {
+    const sendId = sendMatch[1];
+    const subPath = sendMatch[2] || '';
+
+    if (subPath === '' || subPath === '/') {
+      if (method === 'GET') return handleGetSend(request, env, userId, sendId);
+      if (method === 'PUT') return handleUpdateSend(request, env, userId, sendId);
+      if (method === 'DELETE') return handleDeleteSend(request, env, userId, sendId);
+    }
+
+    if (subPath === '/remove-password' && (method === 'PUT' || method === 'POST')) {
+      return handleRemoveSendPassword(request, env, userId, sendId);
+    }
+
+    if (subPath === '/remove-auth' && (method === 'PUT' || method === 'POST')) {
+      return handleRemoveSendAuth(request, env, userId, sendId);
+    }
+
+    const sendFileUploadMatch = subPath.match(/^\/file\/([^/]+)\/?$/i);
+    if (sendFileUploadMatch) {
+      const fileId = sendFileUploadMatch[1];
+      if (method === 'GET') return handleGetSendFileUpload(request, env, userId, sendId, fileId);
+      if (method === 'POST' || method === 'PUT') return handleUploadSendFile(request, env, userId, sendId, fileId);
+    }
+  }
+
+  if (path === '/api/policies' || path.startsWith('/api/policies/')) {
+    if (method === 'GET') {
+      return jsonResponse({ data: [], object: 'list', continuationToken: null });
+    }
+    return null;
+  }
+
+  if (path === '/api/settings/domains') {
+    if (method === 'GET' || method === 'PUT' || method === 'POST') {
+      return jsonResponse({
+        equivalentDomains: [],
+        globalEquivalentDomains: [],
+        object: 'domains',
+      });
+    }
+    return null;
+  }
+
+  const authenticatedDeviceResponse = await handleAuthenticatedDeviceRoute(request, env, userId, path, method);
+  if (authenticatedDeviceResponse) return authenticatedDeviceResponse;
+
+  const adminResponse = await handleAdminRoute(request, env, currentUser, path, method);
+  if (adminResponse) return adminResponse;
+
+  return null;
+}
@@ -0,0 +1,107 @@
+import type { Env } from './types';
+import {
+  handleGetAuthorizedDevices,
+  handleGetDevice,
+  handleGetDevices,
+  handleGetDeviceByIdentifier,
+  handleUpdateDeviceKeys,
+  handleUpdateDeviceTrust,
+  handleUntrustDevices,
+  handleRetrieveDeviceKeys,
+  handleDeactivateDevice,
+  handleRevokeAllTrustedDevices,
+  handleRevokeTrustedDevice,
+  handleDeleteAllDevices,
+  handleDeleteDevice,
+  handleUpdateDeviceToken,
+  handleUpdateDeviceWebPushAuth,
+  handleClearDeviceToken,
+} from './handlers/devices';
+
+export async function handleAuthenticatedDeviceRoute(
+  request: Request,
+  env: Env,
+  userId: string,
+  path: string,
+  method: string
+): Promise<Response | null> {
+  if (path === '/api/devices') {
+    if (method === 'GET') return handleGetDevices(request, env, userId);
+    if (method === 'DELETE') return handleDeleteAllDevices(request, env, userId);
+    return null;
+  }
+
+  if (path === '/api/devices/authorized') {
+    if (method === 'GET') return handleGetAuthorizedDevices(request, env, userId);
+    if (method === 'DELETE') return handleRevokeAllTrustedDevices(request, env, userId);
+    return null;
+  }
+
+  const authorizedDeviceMatch = path.match(/^\/api\/devices\/authorized\/([^/]+)$/i);
+  if (authorizedDeviceMatch && method === 'DELETE') {
+    const deviceIdentifier = decodeURIComponent(authorizedDeviceMatch[1]);
+    return handleRevokeTrustedDevice(request, env, userId, deviceIdentifier);
+  }
+
+  const deleteDeviceMatch = path.match(/^\/api\/devices\/([^/]+)$/i);
+  if (deleteDeviceMatch && method === 'GET') {
+    const deviceIdentifier = decodeURIComponent(deleteDeviceMatch[1]);
+    return handleGetDevice(request, env, userId, deviceIdentifier);
+  }
+  if (deleteDeviceMatch && method === 'DELETE') {
+    const deviceIdentifier = decodeURIComponent(deleteDeviceMatch[1]);
+    return handleDeleteDevice(request, env, userId, deviceIdentifier);
+  }
+
+  const identifierMatch = path.match(/^\/api\/devices\/identifier\/([^/]+)$/i);
+  if (identifierMatch && method === 'GET') {
+    const deviceIdentifier = decodeURIComponent(identifierMatch[1]);
+    return handleGetDeviceByIdentifier(request, env, userId, deviceIdentifier);
+  }
+
+  const deviceKeysMatch = path.match(/^\/api\/devices\/([^/]+)\/keys$/i) || path.match(/^\/api\/devices\/identifier\/([^/]+)\/keys$/i);
+  if (deviceKeysMatch && (method === 'PUT' || method === 'POST')) {
+    const deviceIdentifier = decodeURIComponent(deviceKeysMatch[1]);
+    return handleUpdateDeviceKeys(request, env, userId, deviceIdentifier);
+  }
+
+  const identifierTokenMatch = path.match(/^\/api\/devices\/identifier\/([^/]+)\/token$/i);
+  if (identifierTokenMatch && (method === 'PUT' || method === 'POST')) {
+    const deviceIdentifier = decodeURIComponent(identifierTokenMatch[1]);
+    return handleUpdateDeviceToken(request, env, userId, deviceIdentifier);
+  }
+
+  const identifierWebPushMatch = path.match(/^\/api\/devices\/identifier\/([^/]+)\/web-push-auth$/i);
+  if (identifierWebPushMatch && (method === 'PUT' || method === 'POST')) {
+    const deviceIdentifier = decodeURIComponent(identifierWebPushMatch[1]);
+    return handleUpdateDeviceWebPushAuth(request, env, userId, deviceIdentifier);
+  }
+
+  const identifierClearTokenMatch = path.match(/^\/api\/devices\/identifier\/([^/]+)\/clear-token$/i);
+  if (identifierClearTokenMatch && (method === 'PUT' || method === 'POST')) {
+    const deviceIdentifier = decodeURIComponent(identifierClearTokenMatch[1]);
+    return handleClearDeviceToken(request, env, userId, deviceIdentifier);
+  }
+
+  const identifierRetrieveKeysMatch = path.match(/^\/api\/devices\/([^/]+)\/retrieve-keys$/i);
+  if (identifierRetrieveKeysMatch && method === 'POST') {
+    const deviceIdentifier = decodeURIComponent(identifierRetrieveKeysMatch[1]);
+    return handleRetrieveDeviceKeys(request, env, userId, deviceIdentifier);
+  }
+
+  const identifierDeactivateMatch = path.match(/^\/api\/devices\/([^/]+)\/deactivate$/i);
+  if (identifierDeactivateMatch && (method === 'POST' || method === 'DELETE')) {
+    const deviceIdentifier = decodeURIComponent(identifierDeactivateMatch[1]);
+    return handleDeactivateDevice(request, env, userId, deviceIdentifier);
+  }
+
+  if (path === '/api/devices/update-trust' && method === 'POST') {
+    return handleUpdateDeviceTrust(request, env, userId);
+  }
+
+  if (path === '/api/devices/untrust' && method === 'POST') {
+    return handleUntrustDevices(request, env, userId);
+  }
+
+  return null;
+}
@@ -0,0 +1,355 @@
+import { LIMITS } from './config/limits';
+import { DEFAULT_DEV_SECRET } from './types';
+import {
+  handleAccessSend,
+  handleAccessSendFile,
+  handleAccessSendV2,
+  handleAccessSendFileV2,
+  handleDownloadSendFile,
+} from './handlers/sends';
+import { handleKnownDevice } from './handlers/devices';
+import { handleToken, handlePrelogin, handleRevocation } from './handlers/identity';
+import {
+  handleRegister,
+  handleGetPasswordHint,
+  handleRecoverTwoFactor,
+} from './handlers/accounts';
+import { handlePublicDownloadAttachment } from './handlers/attachments';
+import { handlePublicUploadAttachment } from './handlers/attachments';
+import {
+  handleNotificationsHub,
+  handleNotificationsNegotiate,
+} from './handlers/notifications';
+import { handlePublicUploadSendFile } from './handlers/sends';
+import { jsonResponse } from './utils/response';
+import type { Env } from './types';
+
+type PublicRateLimiter = (category?: string, maxRequests?: number) => Promise<Response | null>;
+type JwtUnsafeReason = 'missing' | 'default' | 'too_short' | null;
+
+export interface WebBootstrapResponse {
+  defaultKdfIterations: number;
+  jwtUnsafeReason: JwtUnsafeReason;
+  jwtSecretMinLength: number;
+}
+
+function isSameOriginWriteRequest(request: Request): boolean {
+  const targetOrigin = new URL(request.url).origin;
+  const origin = request.headers.get('Origin');
+  if (origin) {
+    return origin === targetOrigin;
+  }
+
+  const referer = request.headers.get('Referer');
+  if (referer) {
+    try {
+      return new URL(referer).origin === targetOrigin;
+    } catch {
+      return false;
+    }
+  }
+
+  return false;
+}
+
+function getNwIconSvg(): string {
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="96" height="96" viewBox="0 0 96 96" role="img" aria-label="NW icon"><rect x="4" y="4" width="88" height="88" rx="20" fill="#111418"/><text x="48" y="60" text-anchor="middle" font-size="36" font-family="-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif" font-weight="800" letter-spacing="0.5" fill="#FFFFFF">NW</text></svg>`;
+}
+
+function handleNwFavicon(): Response {
+  return new Response(getNwIconSvg(), {
+    status: 200,
+    headers: {
+      'Content-Type': 'image/svg+xml; charset=utf-8',
+      'Cache-Control': `public, max-age=${LIMITS.cache.iconTtlSeconds}`,
+    },
+  });
+}
+
+function buildIconServiceBase(origin: string): string {
+  return `${origin}/icons`;
+}
+
+function buildIconServiceTemplate(origin: string): string {
+  return `${buildIconServiceBase(origin)}/{}/icon.png`;
+}
+
+function buildIconServiceCsp(origin: string): string {
+  return `img-src 'self' data: ${origin}`;
+}
+
+function buildConfigResponse(origin: string) {
+  return {
+    version: LIMITS.compatibility.bitwardenServerVersion,
+    gitHash: 'nodewarden',
+    server: null,
+    environment: {
+      cloudRegion: 'self-hosted',
+      vault: origin,
+      api: origin + '/api',
+      identity: origin + '/identity',
+      notifications: origin + '/notifications',
+      icons: origin,
+      sso: '',
+      fillAssistRules: null,
+    },
+    push: {
+      pushTechnology: 0,
+      vapidPublicKey: null,
+    },
+    communication: null,
+    settings: {
+      disableUserRegistration: false,
+    },
+    _icon_service_url: buildIconServiceTemplate(origin),
+    _icon_service_csp: buildIconServiceCsp(origin),
+    featureStates: {
+      'duo-redirect': true,
+      'email-verification': true,
+      'pm-19051-send-email-verification': false,
+      'pm-19148-innovation-archive': true,
+      'unauth-ui-refresh': true,
+      'web-push': false,
+    },
+    object: 'config',
+  };
+}
+
+function normalizeIconHost(rawHost: string): string | null {
+  const decoded = decodeURIComponent(String(rawHost || '').trim()).toLowerCase().replace(/\.+$/, '');
+  if (!decoded || decoded.includes('/') || decoded.includes('\\')) return null;
+  try {
+    const parsed = new URL(`https://${decoded}`);
+    return parsed.hostname === decoded ? decoded : null;
+  } catch {
+    return null;
+  }
+}
+
+async function handleWebsiteIcon(host: string): Promise<Response> {
+  const normalizedHost = normalizeIconHost(host);
+  if (!normalizedHost) return handleNwFavicon();
+
+  const encodedHost = encodeURIComponent(normalizedHost);
+  const requestHeaders = { 'User-Agent': 'NodeWarden/1.0' };
+  const upstreamSources: Array<{ url: string; headers?: HeadersInit }> = [
+    {
+      url: `https://icons.bitwarden.net/${encodedHost}/icon.png`,
+      headers: requestHeaders,
+    },
+    {
+      url: `https://favicon.im/${encodedHost}`,
+      headers: requestHeaders,
+    },
+    {
+      url: `https://icons.duckduckgo.com/ip3/${encodedHost}.ico`,
+      headers: requestHeaders,
+    },
+  ];
+
+  try {
+    for (const source of upstreamSources) {
+      const resp = await fetch(source.url, {
+        headers: source.headers,
+        redirect: 'follow',
+        cf: {
+          cacheEverything: true,
+          cacheTtl: LIMITS.cache.iconTtlSeconds,
+        },
+      } as RequestInit & { cf: { cacheEverything: boolean; cacheTtl: number } });
+
+      if (!resp.ok) continue;
+      const contentType = String(resp.headers.get('Content-Type') || '').toLowerCase();
+      if (!contentType.startsWith('image/')) continue;
+
+      return new Response(resp.body, {
+        status: 200,
+        headers: {
+          'Content-Type': resp.headers.get('Content-Type') || 'image/png',
+          'Cache-Control': `public, max-age=${LIMITS.cache.iconTtlSeconds}`,
+        },
+      });
+    }
+
+    return handleNwFavicon();
+  } catch {
+    return handleNwFavicon();
+  }
+}
+
+export function buildWebBootstrapResponse(env: Env): WebBootstrapResponse {
+  const secret = (env.JWT_SECRET || '').trim();
+  const jwtUnsafeReason =
+    !secret
+      ? 'missing'
+      : secret === DEFAULT_DEV_SECRET
+        ? 'default'
+        : secret.length < LIMITS.auth.jwtSecretMinLength
+          ? 'too_short'
+          : null;
+
+  return {
+    defaultKdfIterations: LIMITS.auth.defaultKdfIterations,
+    jwtUnsafeReason,
+    jwtSecretMinLength: LIMITS.auth.jwtSecretMinLength,
+  };
+}
+
+export async function handlePublicRoute(
+  request: Request,
+  env: Env,
+  path: string,
+  method: string,
+  enforcePublicRateLimit: PublicRateLimiter
+): Promise<Response | null> {
+  if (path === '/.well-known/appspecific/com.chrome.devtools.json' && method === 'GET') {
+    return new Response('{}', {
+      status: 200,
+      headers: {
+        'Content-Type': 'application/json; charset=utf-8',
+        'Cache-Control': 'no-store',
+      },
+    });
+  }
+
+  if ((path === '/api/web-bootstrap' || path === '/web-bootstrap') && method === 'GET') {
+    const blocked = await enforcePublicRateLimit('public-read', LIMITS.rateLimit.publicReadRequestsPerMinute);
+    if (blocked) return blocked;
+    return jsonResponse(buildWebBootstrapResponse(env));
+  }
+
+  const iconMatch = path.match(/^\/icons\/([^/]+)\/icon\.png$/i);
+  if (iconMatch && method === 'GET') {
+    return handleWebsiteIcon(iconMatch[1]);
+  }
+
+  const publicAttachmentMatch = path.match(/^\/api\/attachments\/([a-f0-9-]+)\/([a-f0-9-]+)$/i);
+  if (publicAttachmentMatch && method === 'GET') {
+    return handlePublicDownloadAttachment(request, env, publicAttachmentMatch[1], publicAttachmentMatch[2]);
+  }
+
+  const publicAttachmentUploadMatch = path.match(/^\/api\/ciphers\/([a-f0-9-]+)\/attachment\/([a-f0-9-]+)$/i);
+  if (publicAttachmentUploadMatch && (method === 'POST' || method === 'PUT') && new URL(request.url).searchParams.has('token')) {
+    return handlePublicUploadAttachment(request, env, publicAttachmentUploadMatch[1], publicAttachmentUploadMatch[2]);
+  }
+
+  const publicSendUploadMatch = path.match(/^\/api\/sends\/([^/]+)\/file\/([^/]+)\/?$/i);
+  if (publicSendUploadMatch && (method === 'POST' || method === 'PUT') && new URL(request.url).searchParams.has('token')) {
+    return handlePublicUploadSendFile(request, env, publicSendUploadMatch[1], publicSendUploadMatch[2]);
+  }
+
+  const sendAccessMatch = path.match(/^\/api\/sends\/access\/([^/]+)$/i);
+  if (sendAccessMatch && method === 'POST') {
+    const blocked = await enforcePublicRateLimit();
+    if (blocked) return blocked;
+    return handleAccessSend(request, env, sendAccessMatch[1]);
+  }
+
+  if (path === '/api/sends/access' && method === 'POST') {
+    const blocked = await enforcePublicRateLimit();
+    if (blocked) return blocked;
+    return handleAccessSendV2(request, env);
+  }
+
+  const sendAccessFileV2Match = path.match(/^\/api\/sends\/access\/file\/([^/]+)\/?$/i);
+  if (sendAccessFileV2Match && method === 'POST') {
+    const blocked = await enforcePublicRateLimit();
+    if (blocked) return blocked;
+    return handleAccessSendFileV2(request, env, sendAccessFileV2Match[1]);
+  }
+
+  const sendAccessFileMatch = path.match(/^\/api\/sends\/([^/]+)\/access\/file\/([^/]+)\/?$/i);
+  if (sendAccessFileMatch && method === 'POST') {
+    const blocked = await enforcePublicRateLimit();
+    if (blocked) return blocked;
+    return handleAccessSendFile(request, env, sendAccessFileMatch[1], sendAccessFileMatch[2]);
+  }
+
+  const sendDownloadMatch = path.match(/^\/api\/sends\/([^/]+)\/([^/]+)\/?$/i);
+  if (sendDownloadMatch && method === 'GET') {
+    return handleDownloadSendFile(request, env, sendDownloadMatch[1], sendDownloadMatch[2]);
+  }
+
+  if (path === '/identity/connect/token' && method === 'POST') {
+    return handleToken(request, env);
+  }
+
+  if (path === '/api/devices/knowndevice' && method === 'GET') {
+    const blocked = await enforcePublicRateLimit();
+    if (blocked) return jsonResponse(false);
+    return handleKnownDevice(request, env);
+  }
+
+  const clearDeviceTokenMatch = path.match(/^\/api\/devices\/identifier\/([^/]+)\/clear-token$/i);
+  if (clearDeviceTokenMatch && (method === 'PUT' || method === 'POST')) {
+    return new Response(null, { status: 200 });
+  }
+
+  if ((path === '/identity/connect/revocation' || path === '/identity/connect/revoke') && method === 'POST') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    return handleRevocation(request, env);
+  }
+
+  if (path === '/identity/accounts/prelogin' && method === 'POST') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    return handlePrelogin(request, env);
+  }
+
+  if (path === '/identity/accounts/prelogin/password' && method === 'POST') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    return handlePrelogin(request, env);
+  }
+
+  if ((path === '/identity/accounts/recover-2fa' || path === '/api/accounts/recover-2fa') && method === 'POST') {
+    return handleRecoverTwoFactor(request, env);
+  }
+
+  if (path === '/api/accounts/password-hint' && method === 'POST') {
+    const blocked = await enforcePublicRateLimit('public-sensitive', LIMITS.rateLimit.sensitivePublicRequestsPerMinute);
+    if (blocked) return blocked;
+    if (!isSameOriginWriteRequest(request)) {
+      return new Response(JSON.stringify({ error: 'Forbidden origin' }), {
+        status: 403,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+    return handleGetPasswordHint(request, env);
+  }
+
+  if ((path === '/config' || path === '/api/config') && method === 'GET') {
+    const blocked = await enforcePublicRateLimit('public-read', LIMITS.rateLimit.publicReadRequestsPerMinute);
+    if (blocked) return blocked;
+    const origin = new URL(request.url).origin;
+    return jsonResponse(buildConfigResponse(origin));
+  }
+
+  if (path === '/api/version' && method === 'GET') {
+    const blocked = await enforcePublicRateLimit('public-read', LIMITS.rateLimit.publicReadRequestsPerMinute);
+    if (blocked) return blocked;
+    return jsonResponse(LIMITS.compatibility.bitwardenServerVersion);
+  }
+
+  if (path === '/api/accounts/register' && method === 'POST') {
+    const blocked = await enforcePublicRateLimit('register', LIMITS.rateLimit.registerRequestsPerMinute);
+    if (blocked) return blocked;
+    if (!isSameOriginWriteRequest(request)) {
+      return new Response(JSON.stringify({ error: 'Forbidden origin' }), {
+        status: 403,
+        headers: { 'Content-Type': 'application/json' },
+      });
+    }
+    return handleRegister(request, env);
+  }
+
+  if (path === '/notifications/hub/negotiate' && method === 'POST') {
+    return handleNotificationsNegotiate(request, env);
+  }
+
+  if (path === '/notifications/hub' && method === 'GET') {
+    return handleNotificationsHub(request, env);
+  }
+  return null;
+}
@@ -1,550 +1,143 @@
-import { Env, DEFAULT_DEV_SECRET } from './types';
+import { DEFAULT_DEV_SECRET, Env } from './types';
 import { AuthService } from './services/auth';
 import { RateLimitService, getClientIdentifier } from './services/ratelimit';
-import { handleCors, errorResponse, jsonResponse } from './utils/response';
+import { handleCors, errorResponse } from './utils/response';
 import { LIMITS } from './config/limits';
+import { handleAuthenticatedRoute } from './router-authenticated';
+import { handlePublicRoute } from './router-public';

-// Identity handlers
-import { handleToken, handlePrelogin } from './handlers/identity';
+function jwtSecretUnsafeReason(env: Env): 'missing' | 'default' | 'too_short' | null {
+  const secret = (env.JWT_SECRET || '').trim();
+  if (!secret) return 'missing';
+  if (secret === DEFAULT_DEV_SECRET) return 'default';
+  if (secret.length < LIMITS.auth.jwtSecretMinLength) return 'too_short';
+  return null;
+}

-// Account handlers
-import { handleRegister, handleGetProfile, handleUpdateProfile, handleSetKeys, handleGetRevisionDate, handleVerifyPassword } from './handlers/accounts';
+function isImportBypassRequest(request: Request, path: string, method: string): boolean {
+  if (request.headers.get('X-NodeWarden-Import') !== '1') return false;

-// Cipher handlers
-import { 
-  handleGetCiphers, 
-  handleGetCipher, 
-  handleCreateCipher, 
-  handleUpdateCipher, 
-  handleDeleteCipher,
-  handlePermanentDeleteCipher,
-  handleRestoreCipher,
-  handlePartialUpdateCipher,
-  handleBulkMoveCiphers,
-} from './handlers/ciphers';
-
-// Folder handlers
-import { 
-  handleGetFolders, 
-  handleGetFolder, 
-  handleCreateFolder, 
-  handleUpdateFolder, 
-  handleDeleteFolder 
-} from './handlers/folders';
-
-// Sync handler
-import { handleSync } from './handlers/sync';
-
-// Setup handlers
-import { handleSetupPage, handleSetupStatus, handleDisableSetup } from './handlers/setup';
-import { handleKnownDevice, handleGetDevices } from './handlers/devices';
-
-// Import handler
-import { handleCiphersImport } from './handlers/import';
-
-// Attachment handlers
-import {
-  handleCreateAttachment,
-  handleUploadAttachment,
-  handleGetAttachment,
-  handleDeleteAttachment,
-  handlePublicDownloadAttachment,
-} from './handlers/attachments';
-
-function isSameOriginWriteRequest(request: Request): boolean {
-  const targetOrigin = new URL(request.url).origin;
-  const origin = request.headers.get('Origin');
-  if (origin) {
-    return origin === targetOrigin;
+  if (method === 'POST') {
+    if (path === '/api/ciphers/import') return true;
+    if (/^\/api\/ciphers\/[a-f0-9-]+\/attachment\/v2$/i.test(path)) return true;
+    if (/^\/api\/ciphers\/[a-f0-9-]+\/attachment\/[a-f0-9-]+$/i.test(path)) return true;
  }

-  const referer = request.headers.get('Referer');
-  if (referer) {
-    try {
-      return new URL(referer).origin === targetOrigin;
-    } catch {
-      return false;
-    }
-  }
-
-  // Require browser-origin evidence for setup/register write operations.
  return false;
 }

-function getNwIconSvg(): string {
-  return `<svg xmlns="http://www.w3.org/2000/svg" width="96" height="96" viewBox="0 0 96 96" role="img" aria-label="NW icon"><rect x="4" y="4" width="88" height="88" rx="20" fill="#111418"/><text x="48" y="60" text-anchor="middle" font-size="36" font-family="-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif" font-weight="800" letter-spacing="0.5" fill="#FFFFFF">NW</text></svg>`;
-}
-
-function handleNwFavicon(): Response {
-  return new Response(getNwIconSvg(), {
-    status: 200,
-    headers: {
-      'Content-Type': 'image/svg+xml; charset=utf-8',
-      'Cache-Control': `public, max-age=${LIMITS.cache.iconTtlSeconds}`,
-    },
-  });
-}
-
-function isValidIconHostname(hostname: string): boolean {
-  if (!hostname) return false;
-  if (hostname.length > 253) return false;
-
-  const normalized = hostname.toLowerCase().replace(/\.$/, '');
-  // Slightly relaxed domain validation:
-  // - keep strict label boundaries (no leading/trailing hyphen)
-  // - allow punycode TLD (e.g. xn--...)
-  const domainPattern = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{2,63}|xn--[a-z0-9-]{2,59})$/;
-  const ipv4Pattern = /^(?:\d{1,3}\.){3}\d{1,3}$/;
-
-  if (domainPattern.test(normalized)) return true;
-  if (!ipv4Pattern.test(normalized)) return false;
-
-  const parts = normalized.split('.');
-  return parts.every(p => {
-    const n = Number(p);
-    return Number.isInteger(n) && n >= 0 && n <= 255;
-  });
-}
-
-// Icons handler - proxy to Bitwarden's official icon service
-async function handleGetIcon(request: Request, env: Env, hostname: string): Promise<Response> {
-  try {
-    void env;
-    const normalizedHostname = hostname.toLowerCase();
-    if (!isValidIconHostname(normalizedHostname)) {
-      return new Response(null, { status: 204 });
-    }
-
-    const cache = caches.default;
-    const cacheKey = new Request(`https://nodewarden-icons.local/icons/${normalizedHostname}/icon.png`, { method: 'GET' });
-    const cached = await cache.match(cacheKey);
-    if (cached) {
-      return cached;
-    }
-
-    // Use Bitwarden's official icon service
-    const iconUrl = `https://icons.bitwarden.net/${normalizedHostname}/icon.png`;
-    const resp = await fetch(iconUrl, {
-      headers: { 'User-Agent': 'NodeWarden/1.0' },
-      redirect: 'follow',
-      cf: {
-        cacheEverything: true,
-        cacheTtl: LIMITS.cache.iconTtlSeconds,
-      },
-    });
-
-    if (resp.ok) {
-      const body = await resp.arrayBuffer();
-      const iconResponse = new Response(body, {
-        status: 200,
-        headers: {
-          'Content-Type': resp.headers.get('Content-Type') || 'image/png',
-          'Cache-Control': `public, max-age=${LIMITS.cache.iconTtlSeconds}`, // 7 days
-        },
-      });
-      await cache.put(cacheKey, iconResponse.clone());
-      return iconResponse;
-    }
-
-    return new Response(null, { status: 204 });
-  } catch {
-    return new Response(null, { status: 204 });
-  }
-}
-
 export async function handleRequest(request: Request, env: Env): Promise<Response> {
  const url = new URL(request.url);
  const path = url.pathname;
  const method = request.method;
+  const clientId = getClientIdentifier(request);
+
+  async function enforcePublicRateLimit(
+    category: string = 'public',
+    maxRequests: number = LIMITS.rateLimit.publicRequestsPerMinute
+  ): Promise<Response | null> {
+    if (!clientId) {
+      return new Response(
+        JSON.stringify({
+          error: 'Forbidden',
+          error_description: 'Client IP is required',
+        }),
+        {
+          status: 403,
+          headers: { 'Content-Type': 'application/json' },
+        }
+      );
+    }
+
+    const rateLimit = new RateLimitService(env.DB);
+    const check = await rateLimit.consumeBudget(`${clientId}:${category}`, maxRequests);
+    if (check.allowed) return null;
+
+    return new Response(
+      JSON.stringify({
+        error: 'Too many requests',
+        error_description: `Rate limit exceeded. Try again in ${check.retryAfterSeconds} seconds.`,
+      }),
+      {
+        status: 429,
+        headers: {
+          'Content-Type': 'application/json',
+          'Retry-After': String(check.retryAfterSeconds || 60),
+          'X-RateLimit-Remaining': '0',
+        },
+      }
+    );
+  }

-  // Handle CORS preflight
  if (method === 'OPTIONS') {
    return handleCors(request);
  }

-  // Route matching
  try {
-
-    // Setup page (root)
-    if (path === '/' && method === 'GET') {
-      return handleSetupPage(request, env);
-    }
-
-    // Setup status
-    if (path === '/setup/status' && method === 'GET') {
-      return handleSetupStatus(request, env);
-    }
-
-    // Disable setup page (one-way)
-    if (path === '/setup/disable' && method === 'POST') {
-      if (!isSameOriginWriteRequest(request)) {
-        return errorResponse('Forbidden origin', 403);
+    const isLargeUploadPath =
+      /^\/api\/ciphers\/[a-f0-9-]+\/attachment\/[a-f0-9-]+$/i.test(path) ||
+      /^\/api\/sends\/[a-f0-9-]+\/file\/[a-f0-9-]+$/i.test(path) ||
+      path === '/api/admin/backup/import';
+    if (!isLargeUploadPath) {
+      const contentLength = parseInt(request.headers.get('Content-Length') || '0', 10);
+      if (contentLength > LIMITS.request.maxBodyBytes) {
+        return errorResponse('Request body too large', 413);
      }
-      return handleDisableSetup(request, env);
    }

-    // Browser/devtools probe endpoint
-    if (path === '/.well-known/appspecific/com.chrome.devtools.json' && method === 'GET') {
-      return new Response('{}', {
-        status: 200,
-        headers: {
-          'Content-Type': 'application/json; charset=utf-8',
-          'Cache-Control': 'no-store',
-        },
-      });
-    }
+    const publicResponse = await handlePublicRoute(request, env, path, method, enforcePublicRateLimit);
+    if (publicResponse) return publicResponse;

-    // Favicon
-    if ((path === '/favicon.ico' || path === '/favicon.svg') && method === 'GET') {
-      return handleNwFavicon();
-    }
-
-    // Icon endpoint - proxy to Bitwarden's icon service (no auth required)
-    const iconMatch = path.match(/^\/icons\/([^/]+)\/icon\.png$/i);
-    if (iconMatch) {
-      const hostname = iconMatch[1];
-      return handleGetIcon(request, env, hostname);
-    }
-
-    // Public attachment download (no auth header, uses token in query string)
-    const publicAttachmentMatch = path.match(/^\/api\/attachments\/([a-f0-9-]+)\/([a-f0-9-]+)$/i);
-    if (publicAttachmentMatch && method === 'GET') {
-      const cipherId = publicAttachmentMatch[1];
-      const attachmentId = publicAttachmentMatch[2];
-      return handlePublicDownloadAttachment(request, env, cipherId, attachmentId);
-    }
-
-    // Notifications hub (stub - no auth required, return 200 for connection)
-    if (path.startsWith('/notifications/')) {
-      return new Response(null, { status: 200 });
-    }
-
-    // Known device check (no auth required)
-    if (path === '/api/devices/knowndevice' && method === 'GET') {
-      return handleKnownDevice(request, env);
-    }
-
-    // Identity endpoints (no auth required)
-    if (path === '/identity/connect/token' && method === 'POST') {
-      return handleToken(request, env);
-    }
-
-    if (path === '/identity/accounts/prelogin' && method === 'POST') {
-      return handlePrelogin(request, env);
-    }
-
-    // Config endpoint (no auth required for basic config)
-    // Bitwarden clients call GET "/config" (relative to the API base URL).
-    // They also tolerate different casing, but their response models use PascalCase.
-    const isConfigRequest = (path === '/config' || path === '/api/config') && method === 'GET';
-    if (isConfigRequest) {
-      const origin = url.origin;
-      return jsonResponse({
-        // ── Version Strategy (Plan E) ──────────────────────────────────────
-        // Bitwarden clients use this version for backwards-compatibility feature gating.
-        // Confirmed version-gated features (from client source code):
-        //   - Individual cipher key encryption: >= 2024.2.0
-        //     (clients/libs/common/src/vault/services/cipher.service.ts: CIPHER_KEY_ENC_MIN_SERVER_VER)
-        //     (android/.../FeatureFlagManagerImpl.kt: CIPHER_KEY_ENC_MIN_SERVER_VERSION)
-        //   - MasterPasswordUnlockData (mobile): >= 2025.8.0
-        //     (documented in Vaultwarden source comments)
-        // There is NO global minimum version that blocks all client functionality.
-        // Keep this aligned with Vaultwarden's reported version to maintain compatibility.
-        // When Vaultwarden bumps their version, update this value accordingly.
-        // Vaultwarden source: src/api/core/mod.rs → fn config()
-        version: LIMITS.compatibility.bitwardenServerVersion,
-        gitHash: 'nodewarden',
-        server: null,
-        environment: {
-          vault: origin,
-          api: origin + '/api',
-          identity: origin + '/identity',
-          notifications: origin + '/notifications',
-          sso: '',
-        },
-        // Feature flags control client behavior. Clients use server-provided values;
-        // flags not listed here fall back to DefaultFeatureFlagValue (all false).
-        // Only enable flags for features we actually support.
-        // Reference: clients/libs/common/src/enums/feature-flag.enum.ts
-        featureStates: {
-          'duo-redirect': true,
-          'email-verification': true,
-          'unauth-ui-refresh': true,
-        },
-        object: 'config',
-      });
-    }
-
-    // Version endpoint (some clients probe this to validate the server)
-    if (path === '/api/version' && method === 'GET') {
-      return jsonResponse(LIMITS.compatibility.bitwardenServerVersion);  // Always same value as /config.version
-    }
-
-    // Registration endpoint (no auth required, but only works once)
-    if (path === '/api/accounts/register' && method === 'POST') {
-      if (!isSameOriginWriteRequest(request)) {
-        return errorResponse('Forbidden origin', 403);
-      }
-      return handleRegister(request, env);
-    }
-
-    // If JWT_SECRET is not safely configured, block any other endpoints.
-    const secret = (env.JWT_SECRET || '').trim();
-    if (!secret || secret.length < LIMITS.auth.jwtSecretMinLength || secret === DEFAULT_DEV_SECRET) {
+    const secretIssue = jwtSecretUnsafeReason(env);
+    if (secretIssue) {
      return errorResponse('Server configuration error: JWT_SECRET is not set or too weak', 500);
    }

-    // All other API endpoints require authentication
    const auth = new AuthService(env);
    const authHeader = request.headers.get('Authorization');
-    const payload = await auth.verifyAccessToken(authHeader);
-
-    if (!payload) {
+    const verified = await auth.verifyAccessTokenWithUser(authHeader);
+    if (!verified) {
      return errorResponse('Unauthorized', 401);
    }
+    const { payload, user: currentUser } = verified;
+
+    const actingDeviceId = String(payload.did || '').trim();
+    if (actingDeviceId) {
+      const nextHeaders = new Headers(request.headers);
+      nextHeaders.set('X-NodeWarden-Acting-Device-Id', actingDeviceId);
+      request = new Request(request, { headers: nextHeaders });
+    }

    const userId = payload.sub;
-    const clientId = getClientIdentifier(request);
+    if (currentUser.status !== 'active') {
+      return errorResponse('Account is disabled', 403);
+    }

-    // Dedicated read rate limiting for heavy sync endpoint.
-    if (path === '/api/sync' && method === 'GET') {
+    if (!isImportBypassRequest(request, path, method)) {
      const rateLimit = new RateLimitService(env.DB);
-      const rateLimitCheck = await rateLimit.consumeSyncReadBudget(userId + ':' + clientId + ':sync');
-
+      const rateLimitCheck = await rateLimit.consumeBudget(`${userId}:api`, LIMITS.rateLimit.apiRequestsPerMinute);
      if (!rateLimitCheck.allowed) {
-        return new Response(JSON.stringify({
-          error: 'Too many requests',
-          error_description: `Sync rate limit exceeded. Try again in ${rateLimitCheck.retryAfterSeconds} seconds.`,
-        }), {
-          status: 429,
-          headers: {
-            'Content-Type': 'application/json',
-            'Retry-After': rateLimitCheck.retryAfterSeconds!.toString(),
-            'X-RateLimit-Remaining': '0',
-          },
-        });
+        return new Response(
+          JSON.stringify({
+            error: 'Too many requests',
+            error_description: `Rate limit exceeded. Try again in ${rateLimitCheck.retryAfterSeconds} seconds.`,
+          }),
+          {
+            status: 429,
+            headers: {
+              'Content-Type': 'application/json',
+              'Retry-After': String(rateLimitCheck.retryAfterSeconds || 60),
+              'X-RateLimit-Remaining': '0',
+            },
+          }
+        );
      }
    }

-    // API rate limiting only for write operations (keep reads frictionless)
-    const isWriteMethod = method === 'POST' || method === 'PUT' || method === 'DELETE' || method === 'PATCH';
-    if (isWriteMethod) {
-      const rateLimit = new RateLimitService(env.DB);
-      const rateLimitCheck = await rateLimit.consumeApiWriteBudget(userId + ':' + clientId + ':write');
+    const authenticatedResponse = await handleAuthenticatedRoute(request, env, userId, currentUser, path, method);
+    if (authenticatedResponse) return authenticatedResponse;

-      if (!rateLimitCheck.allowed) {
-        return new Response(JSON.stringify({
-          error: 'Too many requests',
-          error_description: `Rate limit exceeded. Try again in ${rateLimitCheck.retryAfterSeconds} seconds.`,
-        }), {
-          status: 429,
-          headers: {
-            'Content-Type': 'application/json',
-            'Retry-After': rateLimitCheck.retryAfterSeconds!.toString(),
-            'X-RateLimit-Remaining': '0',
-          },
-        });
-      }
-    }
-
-    // Block account operations that could change password or delete user
-    if (method === 'POST' || method === 'PUT' || method === 'DELETE') {
-      const blockedAccountPaths = new Set([
-        '/api/accounts/password',
-        '/api/accounts/change-password',
-        '/api/accounts/set-password',
-        '/api/accounts/master-password',
-        '/api/accounts/delete',
-        '/api/accounts/delete-account',
-        '/api/accounts/delete-vault',
-      ]);
-      if (blockedAccountPaths.has(path)) {
-        return errorResponse('Not implemented in single-user mode', 501);
-      }
-    }
-
-    // Account endpoints
-    if (path === '/api/accounts/profile') {
-      if (method === 'GET') return handleGetProfile(request, env, userId);
-      if (method === 'PUT') return handleUpdateProfile(request, env, userId);
-    }
-
-    if (path === '/api/accounts/keys' && method === 'POST') {
-      return handleSetKeys(request, env, userId);
-    }
-
-    // Revision date endpoint
-    if (path === '/api/accounts/revision-date' && method === 'GET') {
-      return handleGetRevisionDate(request, env, userId);
-    }
-
-    // Verify password endpoint
-    if (path === '/api/accounts/verify-password' && method === 'POST') {
-      return handleVerifyPassword(request, env, userId);
-    }
-
-    // Sync endpoint
-    if (path === '/api/sync' && method === 'GET') {
-      return handleSync(request, env, userId);
-    }
-
-    // Cipher endpoints
-    if (path === '/api/ciphers' || path === '/api/ciphers/create') {
-      if (method === 'GET') return handleGetCiphers(request, env, userId);
-      if (method === 'POST') return handleCreateCipher(request, env, userId);
-    }
-
-    // Ciphers import endpoint (Bitwarden client format)
-    if (path === '/api/ciphers/import' && method === 'POST') {
-      return handleCiphersImport(request, env, userId);
-    }
-
-    // Bulk cipher operations (only move is allowed)
-    if (path === '/api/ciphers/move') {
-      if (method === 'POST' || method === 'PUT') {
-        return handleBulkMoveCiphers(request, env, userId);
-      }
-    }
-
-    // Match /api/ciphers/:id patterns
-    const cipherMatch = path.match(/^\/api\/ciphers\/([a-f0-9-]+)(\/.*)?$/i);
-    if (cipherMatch) {
-      const cipherId = cipherMatch[1];
-      const subPath = cipherMatch[2] || '';
-
-      if (subPath === '' || subPath === '/') {
-        if (method === 'GET') return handleGetCipher(request, env, userId, cipherId);
-        if (method === 'PUT' || method === 'POST') return handleUpdateCipher(request, env, userId, cipherId);
-        if (method === 'DELETE') return handleDeleteCipher(request, env, userId, cipherId);
-      }
-
-      if (subPath === '/delete' && method === 'PUT') {
-        return handleDeleteCipher(request, env, userId, cipherId);
-      }
-
-      if (subPath === '/delete' && method === 'DELETE') {
-        return handlePermanentDeleteCipher(request, env, userId, cipherId);
-      }
-
-      if (subPath === '/restore' && method === 'PUT') {
-        return handleRestoreCipher(request, env, userId, cipherId);
-      }
-
-      if (subPath === '/partial' && (method === 'PUT' || method === 'POST')) {
-        return handlePartialUpdateCipher(request, env, userId, cipherId);
-      }
-
-      // Share endpoint - just return the cipher (single user mode)
-      if (subPath === '/share' && method === 'POST') {
-        return handleGetCipher(request, env, userId, cipherId);
-      }
-
-      if (subPath === '/details' && method === 'GET') {
-        return handleGetCipher(request, env, userId, cipherId);
-      }
-
-      // Attachment endpoints
-      // POST /api/ciphers/{id}/attachment/v2 - Create attachment metadata
-      if (subPath === '/attachment/v2' && method === 'POST') {
-        return handleCreateAttachment(request, env, userId, cipherId);
-      }
-
-      // Legacy attachment endpoint - also goes to v2 flow
-      if (subPath === '/attachment' && method === 'POST') {
-        return handleCreateAttachment(request, env, userId, cipherId);
-      }
-
-      // Match /api/ciphers/{id}/attachment/{attachmentId}
-      const attachmentMatch = subPath.match(/^\/attachment\/([a-f0-9-]+)$/i);
-      if (attachmentMatch) {
-        const attachmentId = attachmentMatch[1];
-        if (method === 'POST') return handleUploadAttachment(request, env, userId, cipherId, attachmentId);
-        if (method === 'GET') return handleGetAttachment(request, env, userId, cipherId, attachmentId);
-        if (method === 'DELETE') return handleDeleteAttachment(request, env, userId, cipherId, attachmentId);
-      }
-
-      // DELETE via POST (legacy)
-      const attachmentDeleteMatch = subPath.match(/^\/attachment\/([a-f0-9-]+)\/delete$/i);
-      if (attachmentDeleteMatch && method === 'POST') {
-        const attachmentId = attachmentDeleteMatch[1];
-        return handleDeleteAttachment(request, env, userId, cipherId, attachmentId);
-      }
-    }
-
-    // Folder endpoints
-    if (path === '/api/folders') {
-      if (method === 'GET') return handleGetFolders(request, env, userId);
-      if (method === 'POST') return handleCreateFolder(request, env, userId);
-    }
-
-    // Match /api/folders/:id patterns
-    const folderMatch = path.match(/^\/api\/folders\/([a-f0-9-]+)$/i);
-    if (folderMatch) {
-      const folderId = folderMatch[1];
-      if (method === 'GET') return handleGetFolder(request, env, userId, folderId);
-      if (method === 'PUT') return handleUpdateFolder(request, env, userId, folderId);
-      if (method === 'DELETE') return handleDeleteFolder(request, env, userId, folderId);
-    }
-
-    // Auth requests endpoint (stub - we don't support passwordless login)
-    if (path.startsWith('/api/auth-requests')) {
-      return jsonResponse({ data: [], object: 'list', continuationToken: null });
-    }
-
-    // Collections endpoint (stub - no organization support)
-    if (path === '/api/collections' || path.startsWith('/api/collections/')) {
-      if (method === 'GET') {
-        return jsonResponse({ data: [], object: 'list', continuationToken: null });
-      }
-    }
-
-    // Organizations endpoint (stub - no organization support)
-    if (path === '/api/organizations' || path.startsWith('/api/organizations/')) {
-      if (method === 'GET') {
-        return jsonResponse({ data: [], object: 'list', continuationToken: null });
-      }
-    }
-
-    // Sends endpoint (stub - not implemented)
-    if (path === '/api/sends' || path.startsWith('/api/sends/')) {
-      if (method === 'GET') {
-        return jsonResponse({ data: [], object: 'list', continuationToken: null });
-      }
-    }
-
-    // Policies endpoint (stub - not implemented)
-    if (path === '/api/policies' || path.startsWith('/api/policies/')) {
-      if (method === 'GET') {
-        return jsonResponse({ data: [], object: 'list', continuationToken: null });
-      }
-    }
-
-    // Settings domains endpoint (stub)
-    if (path === '/api/settings/domains') {
-      if (method === 'GET') {
-        return jsonResponse({
-          equivalentDomains: [],
-          globalEquivalentDomains: [],
-          object: 'domains',
-        });
-      }
-      if (method === 'PUT' || method === 'POST') {
-        return jsonResponse({
-          equivalentDomains: [],
-          globalEquivalentDomains: [],
-          object: 'domains',
-        });
-      }
-    }
-
-    // Devices endpoint
-    if (path === '/api/devices' && method === 'GET') {
-      return handleGetDevices(request, env, userId);
-    }
-
-    // Not found
    return errorResponse('Not found', 404);
-
  } catch (error) {
    console.error('Request error:', error);
    return errorResponse('Internal server error', 500);
@@ -2,6 +2,16 @@ import { Env, JWTPayload, User } from '../types';
 import { verifyJWT, createJWT, createRefreshToken } from '../utils/jwt';
 import { StorageService } from './storage';

+// Server-side iterations for second-layer hashing.
+// The client already does heavy PBKDF2 (600k iterations).
+// This second layer only needs to be non-trivial, not expensive.
+const SERVER_HASH_ITERATIONS = 100_000;
+
+export interface VerifiedAccessContext {
+  payload: JWTPayload;
+  user: User;
+}
+
 export class AuthService {
  private storage: StorageService;

@@ -9,41 +19,74 @@ export class AuthService {
    this.storage = new StorageService(env.DB);
  }

-  // Verify password hash (compare with stored hash)
-  async verifyPassword(inputHash: string, storedHash: string): Promise<boolean> {
-    const input = new TextEncoder().encode(inputHash);
-    const stored = new TextEncoder().encode(storedHash);
-    if (input.length !== stored.length) return false;
+  // Second-layer hash: PBKDF2-SHA256(clientHash, email-salt, iterations).
+  // Ensures database contents alone cannot be used to authenticate (pass-the-hash defense).
+  // Result is prefixed with "$s$" to distinguish from legacy raw client hashes.
+  async hashPasswordServer(clientHash: string, email: string): Promise<string> {
+    const keyMaterial = await crypto.subtle.importKey(
+      'raw',
+      new TextEncoder().encode(clientHash),
+      'PBKDF2',
+      false,
+      ['deriveBits']
+    );
+    const salt = new TextEncoder().encode(email.toLowerCase().trim());
+    const bits = await crypto.subtle.deriveBits(
+      { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: SERVER_HASH_ITERATIONS },
+      keyMaterial,
+      256
+    );
+    const bytes = new Uint8Array(bits);
+    let binary = '';
+    for (const b of bytes) binary += String.fromCharCode(b);
+    return '$s$' + btoa(binary);
+  }

+  // Verify password: hash the input the same way, then constant-time compare.
+  async verifyPassword(inputHash: string, storedHash: string, email?: string): Promise<boolean> {
+    // New server-hashed passwords are prefixed with "$s$".
+    // Legacy accounts (created before the upgrade) store raw client hashes without prefix.
+    if (email && storedHash.startsWith('$s$')) {
+      const serverHash = await this.hashPasswordServer(inputHash, email);
+      return this.constantTimeEquals(serverHash, storedHash);
+    }
+    // Legacy path: direct constant-time comparison of raw client hashes.
+    return this.constantTimeEquals(inputHash, storedHash);
+  }
+
+  private constantTimeEquals(a: string, b: string): boolean {
+    const encA = new TextEncoder().encode(a);
+    const encB = new TextEncoder().encode(b);
+    if (encA.length !== encB.length) return false;
    let diff = 0;
-    for (let i = 0; i < input.length; i++) {
-      diff |= input[i] ^ stored[i];
+    for (let i = 0; i < encA.length; i++) {
+      diff |= encA[i] ^ encB[i];
    }
    return diff === 0;
  }

  // Generate access token
-  async generateAccessToken(user: User): Promise<string> {
+  async generateAccessToken(user: User, device?: { identifier: string; sessionStamp: string } | null): Promise<string> {
    return createJWT(
      {
        sub: user.id,
        email: user.email,
        name: user.name,
        sstamp: user.securityStamp,
+        ...(device?.identifier ? { did: device.identifier, dstamp: device.sessionStamp } : {}),
      },
      this.env.JWT_SECRET
    );
  }

  // Generate refresh token
-  async generateRefreshToken(userId: string): Promise<string> {
+  async generateRefreshToken(userId: string, device?: { identifier: string; sessionStamp: string } | null): Promise<string> {
    const token = createRefreshToken();
-    await this.storage.saveRefreshToken(token, userId);
+    await this.storage.saveRefreshToken(token, userId, undefined, device?.identifier ?? null, device?.sessionStamp ?? null);
    return token;
  }

-  // Verify access token from Authorization header
-  async verifyAccessToken(authHeader: string | null): Promise<JWTPayload | null> {
+  async verifyAccessTokenWithUser(authHeader: string | null): Promise<VerifiedAccessContext | null> {
    if (!authHeader) return null;

    const parts = authHeader.split(' ');
@@ -54,26 +97,57 @@ export class AuthService {
    const payload = await verifyJWT(parts[1], this.env.JWT_SECRET);
    if (!payload) return null;

-    // Verify security stamp - ensures token is invalidated after password change
    const user = await this.storage.getUserById(payload.sub);
    if (!user) return null;
-    
+
    if (payload.sstamp !== user.securityStamp) {
-      return null; // Token was issued before password change
+      return null;
    }

-    return payload;
+    if (payload.did) {
+      const device = await this.storage.getDevice(user.id, payload.did);
+      if (!device) return null;
+      if (!payload.dstamp || payload.dstamp !== device.sessionStamp) return null;
+    }
+
+    return { payload, user };
+  }
+
+  // Verify access token from Authorization header
+  async verifyAccessToken(authHeader: string | null): Promise<JWTPayload | null> {
+    const verified = await this.verifyAccessTokenWithUser(authHeader);
+    return verified?.payload ?? null;
  }

  // Refresh access token
-  async refreshAccessToken(refreshToken: string): Promise<{ accessToken: string; user: User } | null> {
-    const userId = await this.storage.getRefreshTokenUserId(refreshToken);
-    if (!userId) return null;
+  async refreshAccessToken(
+    refreshToken: string
+  ): Promise<{ accessToken: string; user: User; device: { identifier: string; sessionStamp: string } | null } | null> {
+    const record = await this.storage.getRefreshTokenRecord(refreshToken);
+    if (!record?.userId) return null;

-    const user = await this.storage.getUserById(userId);
+    const user = await this.storage.getUserById(record.userId);
    if (!user) return null;
+    if (user.status !== 'active') {
+      await this.storage.deleteRefreshToken(refreshToken);
+      return null;
+    }

-    const accessToken = await this.generateAccessToken(user);
-    return { accessToken, user };
+    let device: { identifier: string; sessionStamp: string } | null = null;
+    if (record.deviceIdentifier) {
+      const boundDevice = await this.storage.getDevice(user.id, record.deviceIdentifier);
+      if (!boundDevice) {
+        await this.storage.deleteRefreshToken(refreshToken);
+        return null;
+      }
+      if (!record.deviceSessionStamp || boundDevice.sessionStamp !== record.deviceSessionStamp) {
+        await this.storage.deleteRefreshToken(refreshToken);
+        return null;
+      }
+      device = { identifier: boundDevice.deviceIdentifier, sessionStamp: boundDevice.sessionStamp };
+    }
+
+    const accessToken = await this.generateAccessToken(user, device);
+    return { accessToken, user, device };
  }
 }
@@ -0,0 +1,415 @@
+import { zipSync, unzipSync } from 'fflate';
+import type { Env } from '../types';
+import { APP_VERSION } from '../../shared/app-version';
+import {
+  getAttachmentObjectKey,
+  getBlobStorageKind,
+} from './blob-store';
+
+type SqlRow = Record<string, string | number | null>;
+
+const BACKUP_FORMAT_VERSION = 1;
+const BACKUP_FILE_HASH_PREFIX_LENGTH = 5;
+// Worker-side backup export must stay well below Cloudflare CPU limits.
+// Prefer store-only ZIP entries over heavier compression to keep exports reliable.
+const BACKUP_TEXT_COMPRESSION_LEVEL = 0;
+const BACKUP_JSON_INDENT = 2;
+const MAX_BACKUP_ARCHIVE_BYTES = 64 * 1024 * 1024;
+const MAX_BACKUP_ARCHIVE_ENTRY_COUNT = 10_000;
+const MAX_BACKUP_EXTRACTED_BYTES = 64 * 1024 * 1024;
+const MAX_BACKUP_DB_JSON_BYTES = 32 * 1024 * 1024;
+
+export interface BackupManifest {
+  formatVersion: 1;
+  exportedAt: string;
+  appVersion: string;
+  storageKind: 'r2' | 'kv' | null;
+  tableCounts: Record<string, number>;
+  includes: {
+    attachments: boolean;
+  };
+  blobSummary: {
+    attachmentFiles: number;
+    totalBytes: number;
+    largestObjectBytes: number;
+  };
+  attachmentBlobs?: BackupManifestAttachmentBlob[];
+}
+
+export interface BackupManifestAttachmentBlob {
+  cipherId: string;
+  attachmentId: string;
+  blobName: string;
+  sizeBytes: number;
+}
+
+export interface BackupPayload {
+  manifest: BackupManifest;
+  db: {
+    config: SqlRow[];
+    users: SqlRow[];
+    user_revisions: SqlRow[];
+    folders: SqlRow[];
+    ciphers: SqlRow[];
+    attachments: SqlRow[];
+  };
+}
+
+export interface BackupArchiveBundle {
+  bytes: Uint8Array;
+  fileName: string;
+  manifest: BackupManifest;
+}
+
+export interface BackupFileIntegrityCheckResult {
+  hasChecksumPrefix: boolean;
+  expectedPrefix: string | null;
+  actualPrefix: string;
+  matches: boolean;
+}
+
+export interface BuildBackupArchiveOptions {
+  includeAttachments?: boolean;
+  progress?: BackupArchiveBuildProgressReporter;
+}
+
+export interface BackupArchiveBuildProgressEvent {
+  step: string;
+  fileName?: string;
+  stageTitle: string;
+  stageDetail: string;
+  includeAttachments: boolean;
+}
+
+export type BackupArchiveBuildProgressReporter = (event: BackupArchiveBuildProgressEvent) => Promise<void>;
+
+async function queryRows(db: D1Database, sql: string, ...values: unknown[]): Promise<SqlRow[]> {
+  const result = await db.prepare(sql).bind(...values).all<SqlRow>();
+  return (result.results || []).map((row) => ({ ...row }));
+}
+
+async function sha256Hex(bytes: Uint8Array): Promise<string> {
+  const digest = await crypto.subtle.digest('SHA-256', bytes);
+  return Array.from(new Uint8Array(digest)).map((byte) => byte.toString(16).padStart(2, '0')).join('');
+}
+
+function buildBackupFileName(date: Date = new Date(), checksumPrefix: string | null = null): string {
+  const parts = [
+    date.getUTCFullYear().toString().padStart(4, '0'),
+    (date.getUTCMonth() + 1).toString().padStart(2, '0'),
+    date.getUTCDate().toString().padStart(2, '0'),
+    date.getUTCHours().toString().padStart(2, '0'),
+    date.getUTCMinutes().toString().padStart(2, '0'),
+    date.getUTCSeconds().toString().padStart(2, '0'),
+  ];
+  const suffix = checksumPrefix ? `_${checksumPrefix}` : '';
+  return `nodewarden_backup_${parts[0]}${parts[1]}${parts[2]}_${parts[3]}${parts[4]}${parts[5]}${suffix}.zip`;
+}
+
+export function extractBackupFileChecksumPrefix(fileName: string): string | null {
+  const normalized = String(fileName || '').trim();
+  const match = normalized.match(/_([0-9a-f]{5})\.zip$/i);
+  return match ? match[1].toLowerCase() : null;
+}
+
+export async function inspectBackupArchiveFileNameChecksum(
+  bytes: Uint8Array,
+  fileName: string
+): Promise<BackupFileIntegrityCheckResult> {
+  const expectedPrefix = extractBackupFileChecksumPrefix(fileName);
+  const actualHash = await sha256Hex(bytes);
+  const actualPrefix = actualHash.slice(0, BACKUP_FILE_HASH_PREFIX_LENGTH);
+  return {
+    hasChecksumPrefix: !!expectedPrefix,
+    expectedPrefix,
+    actualPrefix,
+    matches: !expectedPrefix || actualPrefix === expectedPrefix,
+  };
+}
+
+export async function verifyBackupArchiveFileNameChecksum(bytes: Uint8Array, fileName: string): Promise<boolean> {
+  const result = await inspectBackupArchiveFileNameChecksum(bytes, fileName);
+  return result.matches;
+}
+
+function validateArchiveSize(bytes: Uint8Array): void {
+  if (bytes.byteLength > MAX_BACKUP_ARCHIVE_BYTES) {
+    throw new Error(`Backup archive is too large. The current restore limit is ${Math.floor(MAX_BACKUP_ARCHIVE_BYTES / (1024 * 1024))} MiB`);
+  }
+}
+
+function getRequiredZipEntries(db: BackupPayload['db']): string[] {
+  const entries: string[] = [];
+  for (const row of db.attachments) {
+    const cipherId = String(row.cipher_id || '').trim();
+    const attachmentId = String(row.id || '').trim();
+    if (!cipherId || !attachmentId) continue;
+    entries.push(`attachments/${cipherId}/${attachmentId}.bin`);
+  }
+  return entries;
+}
+
+function ensureRowArray(value: unknown, table: string): SqlRow[] {
+  if (!Array.isArray(value)) {
+    throw new Error(`Backup archive table ${table} is invalid`);
+  }
+  return value as SqlRow[];
+}
+
+function createZipEntries(files: Record<string, Uint8Array>): Record<string, Uint8Array | [Uint8Array, { level: 0 | 1 | 6 }]> {
+  const entries: Record<string, Uint8Array | [Uint8Array, { level: 0 | 1 | 6 }]> = {};
+  for (const [path, bytes] of Object.entries(files)) {
+    entries[path] = [bytes, { level: BACKUP_TEXT_COMPRESSION_LEVEL }];
+  }
+  return entries;
+}
+
+export interface ParseBackupArchiveOptions {
+  allowExternalAttachmentBlobs?: boolean;
+}
+
+export function parseBackupArchive(
+  bytes: Uint8Array,
+  options: ParseBackupArchiveOptions = {}
+): { payload: BackupPayload; files: Record<string, Uint8Array> } {
+  validateArchiveSize(bytes);
+  let zipped: Record<string, Uint8Array>;
+  try {
+    zipped = unzipSync(bytes);
+  } catch {
+    throw new Error('Invalid backup archive');
+  }
+
+  const entryNames = Object.keys(zipped);
+  if (entryNames.length > MAX_BACKUP_ARCHIVE_ENTRY_COUNT) {
+    throw new Error('Backup archive contains too many files');
+  }
+
+  let totalExtractedBytes = 0;
+  for (const entry of entryNames) {
+    const entryBytes = zipped[entry];
+    totalExtractedBytes += entryBytes.byteLength;
+    if (entry === 'db.json' && entryBytes.byteLength > MAX_BACKUP_DB_JSON_BYTES) {
+      throw new Error('Backup archive database payload is too large');
+    }
+    if (totalExtractedBytes > MAX_BACKUP_EXTRACTED_BYTES) {
+      throw new Error('Backup archive expands beyond the current restore limit');
+    }
+  }
+
+  const manifestBytes = zipped['manifest.json'];
+  const dbBytes = zipped['db.json'];
+  if (!manifestBytes || !dbBytes) {
+    throw new Error('Backup archive is missing manifest.json or db.json');
+  }
+
+  const decoder = new TextDecoder();
+  let manifest: BackupManifest;
+  let db: BackupPayload['db'];
+  try {
+    manifest = JSON.parse(decoder.decode(manifestBytes)) as BackupManifest;
+    db = JSON.parse(decoder.decode(dbBytes)) as BackupPayload['db'];
+  } catch {
+    throw new Error('Backup archive contains invalid JSON metadata');
+  }
+
+  if (manifest?.formatVersion !== BACKUP_FORMAT_VERSION) {
+    throw new Error('Unsupported backup format version');
+  }
+  if (!db || typeof db !== 'object') {
+    throw new Error('Backup archive database payload is invalid');
+  }
+
+  const externalAttachmentKeys = new Set<string>(
+    options.allowExternalAttachmentBlobs
+      ? (manifest.attachmentBlobs || []).map((item) => `attachments/${String(item.cipherId || '').trim()}/${String(item.attachmentId || '').trim()}.bin`)
+      : []
+  );
+  const requiredEntries = getRequiredZipEntries(db).filter((entry) => !externalAttachmentKeys.has(entry));
+  for (const entry of requiredEntries) {
+    if (!zipped[entry]) {
+      throw new Error(`Backup archive is missing required file: ${entry}`);
+    }
+  }
+
+  return {
+    payload: { manifest, db },
+    files: zipped,
+  };
+}
+
+export interface ValidateBackupPayloadOptions {
+  allowExternalAttachmentBlobs?: boolean;
+}
+
+export function validateBackupPayloadContents(
+  payload: BackupPayload,
+  files: Record<string, Uint8Array>,
+  options: ValidateBackupPayloadOptions = {}
+): void {
+  const configRows = ensureRowArray(payload.db.config, 'config');
+  const userRows = ensureRowArray(payload.db.users, 'users');
+  const revisionRows = ensureRowArray(payload.db.user_revisions, 'user_revisions');
+  const folderRows = ensureRowArray(payload.db.folders, 'folders');
+  const cipherRows = ensureRowArray(payload.db.ciphers, 'ciphers');
+  const attachmentRows = ensureRowArray(payload.db.attachments, 'attachments');
+  const externalAttachmentKeys = new Set<string>(
+    options.allowExternalAttachmentBlobs
+      ? (payload.manifest.attachmentBlobs || []).map((item) => `attachments/${String(item.cipherId || '').trim()}/${String(item.attachmentId || '').trim()}.bin`)
+      : []
+  );
+
+  const userIds = new Set<string>();
+  for (const row of userRows) {
+    const id = String(row.id || '').trim();
+    const email = String(row.email || '').trim();
+    if (!id || !email) throw new Error('Backup archive contains an invalid user row');
+    if (userIds.has(id)) throw new Error(`Backup archive contains duplicate user id: ${id}`);
+    userIds.add(id);
+  }
+
+  for (const row of configRows) {
+    const key = String(row.key || '').trim();
+    if (!key) throw new Error('Backup archive contains an invalid config row');
+  }
+
+  for (const row of revisionRows) {
+    const userId = String(row.user_id || '').trim();
+    if (!userId || !userIds.has(userId)) {
+      throw new Error(`Backup archive contains a revision for an unknown user: ${userId || '(empty)'}`);
+    }
+  }
+
+  const folderIds = new Set<string>();
+  for (const row of folderRows) {
+    const id = String(row.id || '').trim();
+    const userId = String(row.user_id || '').trim();
+    if (!id || !userIds.has(userId)) throw new Error('Backup archive contains an invalid folder row');
+    if (folderIds.has(id)) throw new Error(`Backup archive contains duplicate folder id: ${id}`);
+    folderIds.add(id);
+  }
+
+  const cipherIds = new Set<string>();
+  for (const row of cipherRows) {
+    const id = String(row.id || '').trim();
+    const userId = String(row.user_id || '').trim();
+    const folderId = String(row.folder_id || '').trim();
+    if (!id || !userIds.has(userId)) throw new Error('Backup archive contains an invalid cipher row');
+    if (folderId && !folderIds.has(folderId)) {
+      throw new Error(`Backup archive contains a cipher for an unknown folder: ${folderId}`);
+    }
+    if (cipherIds.has(id)) throw new Error(`Backup archive contains duplicate cipher id: ${id}`);
+    cipherIds.add(id);
+  }
+
+  for (const row of attachmentRows) {
+    const id = String(row.id || '').trim();
+    const cipherId = String(row.cipher_id || '').trim();
+    if (!id || !cipherId || !cipherIds.has(cipherId)) {
+      throw new Error('Backup archive contains an invalid attachment row');
+    }
+    const attachmentPath = `attachments/${cipherId}/${id}.bin`;
+    if (!files[attachmentPath] && !externalAttachmentKeys.has(attachmentPath)) {
+      throw new Error(`Backup archive is missing required file: attachments/${cipherId}/${id}.bin`);
+    }
+  }
+}
+
+export async function buildBackupArchive(
+  env: Env,
+  date: Date = new Date(),
+  options: BuildBackupArchiveOptions = {}
+): Promise<BackupArchiveBundle> {
+  const includeAttachments = options.includeAttachments !== false;
+  await options.progress?.({
+    step: 'collect_data',
+    fileName: '',
+    stageTitle: 'txt_backup_archive_progress_collect_title',
+    stageDetail: includeAttachments
+      ? 'txt_backup_archive_progress_collect_with_attachments_detail'
+      : 'txt_backup_archive_progress_collect_detail',
+    includeAttachments,
+  });
+  const encoder = new TextEncoder();
+  const [configRows, userRows, revisionRows, folderRows, cipherRows, attachmentRows] = await Promise.all([
+    queryRows(env.DB, 'SELECT key, value FROM config ORDER BY key ASC'),
+    queryRows(env.DB, 'SELECT id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, totp_secret, totp_recovery_code, created_at, updated_at FROM users ORDER BY created_at ASC'),
+    queryRows(env.DB, 'SELECT user_id, revision_date FROM user_revisions ORDER BY user_id ASC'),
+    queryRows(env.DB, 'SELECT id, user_id, name, created_at, updated_at FROM folders ORDER BY created_at ASC'),
+    queryRows(env.DB, 'SELECT id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, archived_at, deleted_at FROM ciphers ORDER BY created_at ASC'),
+    queryRows(env.DB, 'SELECT id, cipher_id, file_name, size, size_name, key FROM attachments ORDER BY cipher_id ASC, id ASC'),
+  ]);
+  const exportedAttachmentRows = includeAttachments ? attachmentRows : [];
+  const attachmentBlobs: BackupManifestAttachmentBlob[] = exportedAttachmentRows.map((row) => {
+    const cipherId = String(row.cipher_id || '').trim();
+    const attachmentId = String(row.id || '').trim();
+    return {
+      cipherId,
+      attachmentId,
+      blobName: getAttachmentObjectKey(cipherId, attachmentId),
+      sizeBytes: Number(row.size || 0) || 0,
+    };
+  });
+
+  const manifestBase = {
+    formatVersion: BACKUP_FORMAT_VERSION,
+    exportedAt: date.toISOString(),
+    appVersion: APP_VERSION,
+    storageKind: getBlobStorageKind(env),
+    tableCounts: {
+      config: configRows.length,
+      users: userRows.length,
+      user_revisions: revisionRows.length,
+      folders: folderRows.length,
+      ciphers: cipherRows.length,
+      attachments: exportedAttachmentRows.length,
+    },
+    includes: {
+      attachments: includeAttachments,
+    },
+    blobSummary: {
+      attachmentFiles: attachmentBlobs.length,
+      totalBytes: attachmentBlobs.reduce((sum, item) => sum + item.sizeBytes, 0),
+      largestObjectBytes: attachmentBlobs.reduce((max, item) => Math.max(max, item.sizeBytes), 0),
+    },
+    attachmentBlobs: includeAttachments ? attachmentBlobs : [],
+  } satisfies BackupManifest;
+
+  const files: Record<string, Uint8Array> = {
+    'manifest.json': encoder.encode(JSON.stringify(manifestBase, null, BACKUP_JSON_INDENT)),
+    'db.json': encoder.encode(JSON.stringify({
+      config: configRows,
+      users: userRows,
+      user_revisions: revisionRows,
+      folders: folderRows,
+      ciphers: cipherRows,
+      attachments: exportedAttachmentRows,
+    }, null, BACKUP_JSON_INDENT)),
+  };
+
+  await options.progress?.({
+    step: 'package_archive',
+    fileName: '',
+    stageTitle: 'txt_backup_archive_progress_package_title',
+    stageDetail: includeAttachments
+      ? 'txt_backup_archive_progress_package_with_attachments_detail'
+      : 'txt_backup_archive_progress_package_detail',
+    includeAttachments,
+  });
+  const bytes = zipSync(createZipEntries(files));
+  const fileHashPrefix = (await sha256Hex(bytes)).slice(0, BACKUP_FILE_HASH_PREFIX_LENGTH);
+  const fileName = buildBackupFileName(date, fileHashPrefix);
+  await options.progress?.({
+    step: 'archive_ready',
+    fileName,
+    stageTitle: 'txt_backup_archive_progress_ready_title',
+    stageDetail: 'txt_backup_archive_progress_ready_detail',
+    includeAttachments,
+  });
+
+  return {
+    bytes,
+    fileName,
+    manifest: manifestBase,
+  };
+}
@@ -0,0 +1,627 @@
+import type { Env, User } from '../types';
+import { StorageService } from './storage';
+import {
+  type BackupSettingsPortableEnvelope,
+  decryptBackupSettingsRuntime,
+  encryptBackupSettingsEnvelope,
+  parseBackupSettingsEnvelope,
+} from './backup-settings-crypto';
+import {
+  BACKUP_DEFAULT_INTERVAL_HOURS,
+  BACKUP_DEFAULT_START_TIME,
+  BACKUP_DEFAULT_TIMEZONE,
+  type BackupDestinationConfig,
+  type BackupDestinationRecord,
+  type BackupDestinationType,
+  type BackupRuntimeState,
+  type BackupScheduleConfig,
+  type BackupSettings,
+  type E3BackupDestination,
+  type WebDavBackupDestination,
+  createBackupRandomId,
+  createDefaultBackupDestinationName,
+  createDefaultBackupScheduleConfig,
+  createDefaultBackupSettings as createSharedDefaultBackupSettings,
+} from '../../shared/backup-schema';
+
+export const BACKUP_SETTINGS_CONFIG_KEY = 'backup.settings.v1';
+export const BACKUP_SCHEDULER_WINDOW_MINUTES = 5;
+const MAX_BACKUP_DESTINATIONS = 24;
+
+export type {
+  BackupDestinationConfig,
+  BackupDestinationRecord,
+  BackupDestinationType,
+  BackupRuntimeState,
+  BackupScheduleConfig,
+  BackupSettings,
+  E3BackupDestination,
+  WebDavBackupDestination,
+} from '../../shared/backup-schema';
+
+export interface BackupSettingsInput {
+  destinations?: unknown;
+}
+
+export interface BackupSettingsRepairState {
+  needsRepair: boolean;
+  portable: BackupSettingsPortableEnvelope | null;
+}
+
+function defaultScheduleConfig(timezone: string = 'UTC'): BackupScheduleConfig {
+  return { ...createDefaultBackupScheduleConfig(assertValidTimeZone(timezone)) };
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return !!value && typeof value === 'object' && !Array.isArray(value);
+}
+
+function asTrimmedString(value: unknown): string {
+  return String(value ?? '').trim();
+}
+
+function normalizePath(value: unknown): string {
+  return asTrimmedString(value).replace(/\\/g, '/').replace(/^\/+|\/+$/g, '');
+}
+
+function assertValidTimeZone(timezone: string): string {
+  try {
+    new Intl.DateTimeFormat('en-US', { timeZone: timezone }).format(new Date());
+    return timezone;
+  } catch {
+    throw new Error('Invalid backup timezone');
+  }
+}
+
+function normalizeRetentionCount(value: unknown, fallback: number | null = 30): number | null {
+  if (value === undefined) return fallback;
+  if (value === null || String(value).trim() === '') return null;
+  const count = Number(value);
+  if (!Number.isInteger(count) || count < 1 || count > 1000) {
+    throw new Error('Backup retention count must be between 1 and 1000');
+  }
+  return count;
+}
+
+function normalizeIntervalHours(value: unknown, fallback: number = BACKUP_DEFAULT_INTERVAL_HOURS): number {
+  const raw = value === undefined || value === null || value === '' ? fallback : Number(value);
+  if (!Number.isInteger(raw) || raw < 1 || raw > 99) {
+    throw new Error('Backup interval hours must be between 1 and 99');
+  }
+  return raw;
+}
+
+function normalizeStartTime(value: unknown, fallback: string = BACKUP_DEFAULT_START_TIME): string {
+  const raw = asTrimmedString(value) || fallback;
+  const match = raw.match(/^(\d{1,2})(?::(\d{1,2}))?$/);
+  if (!match) {
+    throw new Error('Backup start time must be in HH:mm format');
+  }
+  const hour = Number(match[1]);
+  const minute = Number(match[2] ?? '0');
+  if (!Number.isInteger(hour) || !Number.isInteger(minute) || hour < 0 || hour > 23 || minute < 0 || minute > 59) {
+    throw new Error('Backup start time must be in HH:mm format');
+  }
+  return `${String(hour).padStart(2, '0')}:${String(minute).padStart(2, '0')}`;
+}
+
+function normalizeE3Destination(value: unknown, allowIncomplete = false): E3BackupDestination {
+  const source = isPlainObject(value) ? value : {};
+  const endpoint = asTrimmedString(source.endpoint);
+  const bucket = asTrimmedString(source.bucket);
+  const accessKeyId = asTrimmedString(source.accessKeyId);
+  const secretAccessKey = asTrimmedString(source.secretAccessKey);
+  const region = asTrimmedString(source.region) || 'auto';
+  const rootPath = normalizePath(source.rootPath);
+
+  if (!allowIncomplete || endpoint) {
+    if (!endpoint) throw new Error('E3 endpoint is required');
+    if (!/^https?:\/\//i.test(endpoint)) throw new Error('E3 endpoint must start with http:// or https://');
+  }
+  if (!allowIncomplete || bucket) {
+    if (!bucket) throw new Error('E3 bucket is required');
+  }
+  if (!allowIncomplete || accessKeyId) {
+    if (!accessKeyId) throw new Error('E3 access key is required');
+  }
+  if (!allowIncomplete || secretAccessKey) {
+    if (!secretAccessKey) throw new Error('E3 secret key is required');
+  }
+
+  return {
+    endpoint: endpoint ? endpoint.replace(/\/+$/, '') : '',
+    bucket,
+    region,
+    accessKeyId,
+    secretAccessKey,
+    rootPath,
+  };
+}
+
+function normalizeWebDavDestination(value: unknown, allowIncomplete = false): WebDavBackupDestination {
+  const source = isPlainObject(value) ? value : {};
+  const baseUrl = asTrimmedString(source.baseUrl);
+  const username = asTrimmedString(source.username);
+  const password = String(source.password ?? '');
+  const remotePath = normalizePath(source.remotePath);
+
+  if (!allowIncomplete || baseUrl) {
+    if (!baseUrl) throw new Error('WebDAV server URL is required');
+    if (!/^https?:\/\//i.test(baseUrl)) throw new Error('WebDAV server URL must start with http:// or https://');
+  }
+  if (!allowIncomplete || username) {
+    if (!username) throw new Error('WebDAV username is required');
+  }
+  if (!allowIncomplete || password) {
+    if (!password) throw new Error('WebDAV password is required');
+  }
+
+  return {
+    baseUrl: baseUrl ? baseUrl.replace(/\/+$/, '') : '',
+    username,
+    password,
+    remotePath,
+  };
+}
+
+function normalizeDestination(
+  destinationType: BackupDestinationType,
+  destination: unknown,
+  allowIncomplete = false
+): BackupDestinationConfig {
+  if (destinationType === 'e3') return normalizeE3Destination(destination, allowIncomplete);
+  return normalizeWebDavDestination(destination, allowIncomplete);
+}
+
+function normalizeRuntime(value: unknown): BackupRuntimeState {
+  const source = isPlainObject(value) ? value : {};
+  const asIso = (input: unknown): string | null => {
+    const raw = asTrimmedString(input);
+    if (!raw) return null;
+    const date = new Date(raw);
+    return Number.isFinite(date.getTime()) ? date.toISOString() : null;
+  };
+  const asMaybeNumber = (input: unknown): number | null => {
+    if (input === null || input === undefined || input === '') return null;
+    const n = Number(input);
+    return Number.isFinite(n) && n >= 0 ? Math.floor(n) : null;
+  };
+  return {
+    lastAttemptAt: asIso(source.lastAttemptAt),
+    lastAttemptLocalDate: asTrimmedString(source.lastAttemptLocalDate) || null,
+    lastSuccessAt: asIso(source.lastSuccessAt),
+    lastErrorAt: asIso(source.lastErrorAt),
+    lastErrorMessage: asTrimmedString(source.lastErrorMessage) || null,
+    lastUploadedFileName: asTrimmedString(source.lastUploadedFileName) || null,
+    lastUploadedSizeBytes: asMaybeNumber(source.lastUploadedSizeBytes),
+    lastUploadedDestination: asTrimmedString(source.lastUploadedDestination) || null,
+  };
+}
+
+function defaultDestinationName(type: BackupDestinationType, index: number): string {
+  return createDefaultBackupDestinationName(type, index);
+}
+
+function getDestinationType(raw: unknown): BackupDestinationType {
+  const value = asTrimmedString(raw);
+  if (value === 'e3' || value === 'webdav') return value;
+  throw new Error('Backup destination type is invalid');
+}
+
+function normalizeDestinationRecord(
+  input: unknown,
+  previousById: Map<string, BackupDestinationRecord>,
+  index: number,
+  fallbackTimezone: string
+): BackupDestinationRecord {
+  if (!isPlainObject(input)) {
+    throw new Error('Backup destination is invalid');
+  }
+
+  const id = asTrimmedString(input.id) || createBackupRandomId();
+  const type = getDestinationType(input.type);
+  const previous = previousById.get(id);
+  const runtime = previous?.runtime ? normalizeRuntime(previous.runtime) : normalizeRuntime(input.runtime);
+  const name = asTrimmedString(input.name) || previous?.name || defaultDestinationName(type, index + 1);
+  const scheduleSource = isPlainObject(input.schedule) ? input.schedule : {};
+  const previousSchedule = previous?.schedule || defaultScheduleConfig(fallbackTimezone);
+  const retentionSource = Object.prototype.hasOwnProperty.call(scheduleSource, 'retentionCount')
+    ? scheduleSource.retentionCount
+    : previousSchedule.retentionCount;
+  const schedule: BackupScheduleConfig = {
+    enabled: !!(scheduleSource.enabled ?? previousSchedule.enabled),
+    intervalHours: normalizeIntervalHours(
+      scheduleSource.intervalHours ?? previousSchedule.intervalHours,
+      previousSchedule.intervalHours || BACKUP_DEFAULT_INTERVAL_HOURS
+    ),
+    startTime: normalizeStartTime(
+      scheduleSource.startTime ?? previousSchedule.startTime,
+      previousSchedule.startTime || BACKUP_DEFAULT_START_TIME
+    ),
+    timezone: assertValidTimeZone(asTrimmedString(scheduleSource.timezone ?? previousSchedule.timezone) || fallbackTimezone || BACKUP_DEFAULT_TIMEZONE),
+    retentionCount: normalizeRetentionCount(retentionSource, previousSchedule.retentionCount),
+  };
+
+  const destination = normalizeDestination(type, input.destination, !schedule.enabled);
+
+  return {
+    id,
+    name,
+    type,
+    includeAttachments: typeof input.includeAttachments === 'boolean'
+      ? input.includeAttachments
+      : previous?.includeAttachments ?? false,
+    destination,
+    schedule,
+    runtime,
+  };
+}
+
+function parseLegacyBackupSettings(rawValue: Record<string, unknown>, fallbackTimezone: string): BackupSettings {
+  const legacyFrequency = asTrimmedString(rawValue.frequency).toLowerCase();
+  const intervalHours = legacyFrequency === 'weekly'
+    ? 24 * 7
+    : legacyFrequency === 'monthly'
+      ? 24 * 30
+      : BACKUP_DEFAULT_INTERVAL_HOURS;
+  const destinationTypeRaw = asTrimmedString(rawValue.destinationType);
+  const destinationType: BackupDestinationType =
+    destinationTypeRaw === 'e3' || destinationTypeRaw === 'webdav'
+      ? destinationTypeRaw
+      : 'webdav';
+  const destination = {
+    id: createBackupRandomId(),
+    name: defaultDestinationName(destinationType, 1),
+    type: destinationType,
+    includeAttachments: false,
+    destination: normalizeDestination(destinationType, rawValue.destination),
+    schedule: {
+      enabled: !!rawValue.enabled,
+      intervalHours,
+      startTime: BACKUP_DEFAULT_START_TIME,
+      timezone: assertValidTimeZone(asTrimmedString(rawValue.timezone) || fallbackTimezone || BACKUP_DEFAULT_TIMEZONE),
+      retentionCount: 30,
+    },
+    runtime: normalizeRuntime(rawValue.runtime),
+  } satisfies BackupDestinationRecord;
+
+  return {
+    destinations: [destination],
+  };
+}
+
+function parseDestinations(
+  rawDestinations: unknown,
+  previousById: Map<string, BackupDestinationRecord>,
+  fallbackTimezone: string
+): BackupDestinationRecord[] {
+  if (!Array.isArray(rawDestinations)) {
+    throw new Error('Backup destinations are invalid');
+  }
+  if (rawDestinations.length > MAX_BACKUP_DESTINATIONS) {
+    throw new Error(`You can save up to ${MAX_BACKUP_DESTINATIONS} backup destinations`);
+  }
+
+  const destinations = rawDestinations.map((entry, index) => normalizeDestinationRecord(entry, previousById, index, fallbackTimezone));
+  const ids = new Set<string>();
+  for (const destination of destinations) {
+    if (ids.has(destination.id)) {
+      throw new Error('Backup destination ids must be unique');
+    }
+    ids.add(destination.id);
+  }
+  return destinations;
+}
+
+function mapDestinationsById(destinations: BackupDestinationRecord[]): Map<string, BackupDestinationRecord> {
+  return new Map(destinations.map((destination) => [destination.id, destination]));
+}
+
+export function getDefaultBackupSettings(timezone: string = 'UTC'): BackupSettings {
+  return createSharedDefaultBackupSettings(assertValidTimeZone(timezone));
+}
+
+export function parseBackupSettings(raw: string | null, fallbackTimezone: string = 'UTC'): BackupSettings {
+  if (!raw) return getDefaultBackupSettings(fallbackTimezone);
+  try {
+    const parsed = JSON.parse(raw) as Record<string, unknown>;
+    if (Array.isArray(parsed.destinations)) {
+      const globalTimezone = assertValidTimeZone(asTrimmedString(parsed.timezone) || fallbackTimezone || BACKUP_DEFAULT_TIMEZONE);
+      const globalEnabled = !!parsed.enabled;
+      const activeDestinationIdRaw = asTrimmedString(parsed.activeDestinationId);
+      const globalFrequency = asTrimmedString(parsed.frequency).toLowerCase();
+      const globalIntervalHours = globalFrequency === 'weekly'
+        ? 24 * 7
+        : globalFrequency === 'monthly'
+          ? 24 * 30
+          : BACKUP_DEFAULT_INTERVAL_HOURS;
+      const previousById = new Map<string, BackupDestinationRecord>();
+      const normalizedEntries = (parsed.destinations as unknown[]).map((entry) => {
+        if (!isPlainObject(entry)) return entry;
+        if (isPlainObject(entry.schedule)) return entry;
+        const entryId = asTrimmedString(entry.id);
+        const scheduleEnabled = globalEnabled && (!activeDestinationIdRaw || entryId === activeDestinationIdRaw);
+        return {
+          ...entry,
+          schedule: {
+            enabled: scheduleEnabled,
+            intervalHours: globalIntervalHours,
+            startTime: BACKUP_DEFAULT_START_TIME,
+            timezone: globalTimezone,
+            retentionCount: 30,
+          },
+        };
+      });
+      return {
+        destinations: parseDestinations(normalizedEntries, previousById, fallbackTimezone),
+      };
+    }
+    return parseLegacyBackupSettings(parsed, fallbackTimezone);
+  } catch {
+    return getDefaultBackupSettings(fallbackTimezone);
+  }
+}
+
+export function normalizeBackupSettingsInput(
+  input: BackupSettingsInput,
+  previous: BackupSettings
+): BackupSettings {
+  if (!isPlainObject(input)) {
+    throw new Error('Backup settings payload is invalid');
+  }
+
+  const previousById = mapDestinationsById(previous.destinations);
+  const rawDestinations = input.destinations ?? previous.destinations;
+  const destinations = parseDestinations(rawDestinations, previousById, BACKUP_DEFAULT_TIMEZONE);
+
+  return {
+    destinations,
+  };
+}
+
+export function serializeBackupSettings(settings: BackupSettings): string {
+  return JSON.stringify(settings);
+}
+
+export async function loadBackupSettings(storage: StorageService, env: Env, fallbackTimezone: string = 'UTC'): Promise<BackupSettings> {
+  const raw = await storage.getConfigValue(BACKUP_SETTINGS_CONFIG_KEY);
+  if (!raw) {
+    const settings = getDefaultBackupSettings(fallbackTimezone);
+    await saveBackupSettings(storage, env, settings);
+    return settings;
+  }
+
+  const envelope = parseBackupSettingsEnvelope(raw);
+  if (!envelope) {
+    const settings = parseBackupSettings(raw, fallbackTimezone);
+    await saveBackupSettings(storage, env, settings);
+    return settings;
+  }
+
+  try {
+    const decrypted = await decryptBackupSettingsRuntime(raw, env);
+    return parseBackupSettings(decrypted, fallbackTimezone);
+  } catch {
+    throw new Error('Backup settings need administrator reactivation after restore');
+  }
+}
+
+export async function saveBackupSettings(storage: StorageService, env: Env, settings: BackupSettings): Promise<void> {
+  const users = await storage.getAllUsers();
+  const hasPortableAdmins = users.some(
+    (user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
+  );
+  if (!hasPortableAdmins) {
+    await storage.setConfigValue(BACKUP_SETTINGS_CONFIG_KEY, serializeBackupSettings(settings));
+    return;
+  }
+  const encrypted = await encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
+  await storage.setConfigValue(BACKUP_SETTINGS_CONFIG_KEY, encrypted);
+}
+
+export async function normalizeImportedBackupSettings(storage: StorageService, env: Env, fallbackTimezone: string = 'UTC'): Promise<void> {
+  const raw = await storage.getConfigValue(BACKUP_SETTINGS_CONFIG_KEY);
+  if (!raw) return;
+  const users = await storage.getAllUsers();
+  const normalized = await normalizeImportedBackupSettingsValue(raw, env, users, fallbackTimezone);
+  if (normalized !== null) {
+    await storage.setConfigValue(BACKUP_SETTINGS_CONFIG_KEY, normalized);
+  }
+}
+
+export async function normalizeImportedBackupSettingsValue(
+  raw: string | null,
+  env: Env,
+  users: Pick<User, 'id' | 'publicKey' | 'role' | 'status'>[],
+  fallbackTimezone: string = 'UTC'
+): Promise<string | null> {
+  if (!raw) return null;
+  const envelope = parseBackupSettingsEnvelope(raw);
+  if (envelope) {
+    try {
+      const decrypted = await decryptBackupSettingsRuntime(raw, env);
+      const settings = parseBackupSettings(decrypted, fallbackTimezone);
+      const hasPortableAdmins = users.some(
+        (user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
+      );
+      if (!hasPortableAdmins) {
+        return serializeBackupSettings(settings);
+      }
+      return encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
+    } catch {
+      // Keep imported portable recovery data intact until an admin signs in and repairs it.
+      return raw;
+    }
+  }
+  const settings = parseBackupSettings(raw, fallbackTimezone);
+  const hasPortableAdmins = users.some(
+    (user) => user.role === 'admin' && user.status === 'active' && typeof user.publicKey === 'string' && user.publicKey.trim().length > 0
+  );
+  if (!hasPortableAdmins) {
+    return serializeBackupSettings(settings);
+  }
+  return encryptBackupSettingsEnvelope(serializeBackupSettings(settings), env, users);
+}
+
+export async function getBackupSettingsRepairState(storage: StorageService, env: Env, fallbackTimezone: string = 'UTC'): Promise<BackupSettingsRepairState> {
+  const raw = await storage.getConfigValue(BACKUP_SETTINGS_CONFIG_KEY);
+  if (!raw) {
+    const settings = getDefaultBackupSettings(fallbackTimezone);
+    await saveBackupSettings(storage, env, settings);
+    return { needsRepair: false, portable: null };
+  }
+
+  const envelope = parseBackupSettingsEnvelope(raw);
+  if (!envelope) {
+    const settings = parseBackupSettings(raw, fallbackTimezone);
+    await saveBackupSettings(storage, env, settings);
+    return { needsRepair: false, portable: null };
+  }
+
+  try {
+    await decryptBackupSettingsRuntime(raw, env);
+    return { needsRepair: false, portable: null };
+  } catch {
+    return {
+      needsRepair: true,
+      portable: envelope.portable,
+    };
+  }
+}
+
+export async function repairBackupSettings(storage: StorageService, env: Env, settings: BackupSettings): Promise<void> {
+  await saveBackupSettings(storage, env, settings);
+}
+
+export function findBackupDestination(
+  settings: BackupSettings,
+  destinationId: string | null | undefined
+): BackupDestinationRecord | null {
+  const normalizedId = asTrimmedString(destinationId);
+  if (!normalizedId) return null;
+  return settings.destinations.find((destination) => destination.id === normalizedId) || null;
+}
+
+export function requireBackupDestination(settings: BackupSettings, destinationId?: string | null): BackupDestinationRecord {
+  const destination = destinationId ? findBackupDestination(settings, destinationId) : settings.destinations[0] || null;
+  if (!destination) {
+    throw new Error('Backup destination not found');
+  }
+  return destination;
+}
+
+function getDateTimeParts(date: Date, timezone: string): { year: string; month: string; day: string; hour: string; minute: string } {
+  const formatter = new Intl.DateTimeFormat('en-CA', {
+    timeZone: timezone,
+    year: 'numeric',
+    month: '2-digit',
+    day: '2-digit',
+    hour: '2-digit',
+    minute: '2-digit',
+    hourCycle: 'h23',
+  });
+  const parts = formatter.formatToParts(date);
+  const pick = (type: string): string => parts.find((part) => part.type === type)?.value || '';
+  return {
+    year: pick('year'),
+    month: pick('month'),
+    day: pick('day'),
+    hour: pick('hour'),
+    minute: pick('minute'),
+  };
+}
+
+export function getBackupLocalDateKey(date: Date, timezone: string): string {
+  const parts = getDateTimeParts(date, timezone);
+  return `${parts.year}-${parts.month}-${parts.day}`;
+}
+
+export function getBackupLocalTime(date: Date, timezone: string): string {
+  const parts = getDateTimeParts(date, timezone);
+  return `${parts.hour}:${parts.minute}`;
+}
+
+function parseLocalDateKey(dateKey: string): { year: number; month: number; day: number } | null {
+  const match = String(dateKey || '').match(/^(\d{4})-(\d{2})-(\d{2})$/);
+  if (!match) return null;
+  const year = Number(match[1]);
+  const month = Number(match[2]);
+  const day = Number(match[3]);
+  if (!Number.isInteger(year) || !Number.isInteger(month) || !Number.isInteger(day)) return null;
+  return { year, month, day };
+}
+
+function getUtcDateForLocalTime(timezone: string, year: number, month: number, day: number, hour: number, minute: number): Date {
+  const utcGuess = Date.UTC(year, month - 1, day, hour, minute, 0, 0);
+  const actual = getDateTimeParts(new Date(utcGuess), timezone);
+  const actualUtc = Date.UTC(
+    Number(actual.year),
+    Number(actual.month) - 1,
+    Number(actual.day),
+    Number(actual.hour),
+    Number(actual.minute),
+    0,
+    0
+  );
+  const desiredUtc = Date.UTC(year, month - 1, day, hour, minute, 0, 0);
+  return new Date(utcGuess - (actualUtc - desiredUtc));
+}
+
+function getBackupSlotStartsForLocalDay(
+  dateKey: string,
+  timezone: string,
+  startTime: string,
+  intervalHours: number
+): Date[] {
+  const parsedDate = parseLocalDateKey(dateKey);
+  const parsedTime = normalizeStartTime(startTime).split(':').map((value) => Number(value));
+  if (!parsedDate || parsedTime.length !== 2) return [];
+
+  const [hour, minute] = parsedTime;
+  const firstSlot = getUtcDateForLocalTime(timezone, parsedDate.year, parsedDate.month, parsedDate.day, hour, minute);
+  const nextLocalDay = new Date(Date.UTC(parsedDate.year, parsedDate.month - 1, parsedDate.day, 0, 0, 0, 0));
+  nextLocalDay.setUTCDate(nextLocalDay.getUTCDate() + 1);
+  const nextDay = getUtcDateForLocalTime(
+    timezone,
+    nextLocalDay.getUTCFullYear(),
+    nextLocalDay.getUTCMonth() + 1,
+    nextLocalDay.getUTCDate(),
+    0,
+    0
+  );
+  const intervalMs = intervalHours * 60 * 60 * 1000;
+  const slots: Date[] = [];
+
+  for (let slotMs = firstSlot.getTime(); slotMs < nextDay.getTime(); slotMs += intervalMs) {
+    slots.push(new Date(slotMs));
+  }
+  return slots;
+}
+
+export function isBackupDueNow(
+  destination: BackupDestinationRecord,
+  now: Date,
+  windowMinutes: number = BACKUP_SCHEDULER_WINDOW_MINUTES
+): boolean {
+  if (!destination.schedule.enabled) return false;
+  const toleranceMs = Math.max(1, windowMinutes) * 60 * 1000;
+  const lastAttemptAt = destination.runtime.lastAttemptAt ? new Date(destination.runtime.lastAttemptAt) : null;
+  const lastAttemptMs = lastAttemptAt && Number.isFinite(lastAttemptAt.getTime())
+    ? lastAttemptAt.getTime()
+    : Number.NEGATIVE_INFINITY;
+  const localDateKey = getBackupLocalDateKey(now, destination.schedule.timezone);
+  const slotStarts = getBackupSlotStartsForLocalDay(
+    localDateKey,
+    destination.schedule.timezone,
+    destination.schedule.startTime,
+    destination.schedule.intervalHours
+  );
+
+  for (const slotStart of slotStarts) {
+    const slotStartMs = slotStart.getTime();
+    if (now.getTime() < slotStartMs || now.getTime() >= slotStartMs + toleranceMs) continue;
+    if (lastAttemptMs >= slotStartMs) return false;
+    return true;
+  }
+  return false;
+}
@@ -0,0 +1,901 @@
+import type { Env, User } from '../types';
+import { KV_MAX_OBJECT_BYTES, deleteBlobObject, getAttachmentObjectKey, getBlobStorageKind, putBlobObject } from './blob-store';
+import { BACKUP_SETTINGS_CONFIG_KEY, normalizeImportedBackupSettingsValue } from './backup-config';
+import {
+  type BackupManifestAttachmentBlob,
+  type BackupPayload,
+  parseBackupArchive,
+  validateBackupPayloadContents,
+} from './backup-archive';
+
+type SqlRow = Record<string, string | number | null>;
+type BackupTableName =
+  | 'config'
+  | 'users'
+  | 'user_revisions'
+  | 'folders'
+  | 'ciphers'
+  | 'attachments';
+
+const BACKUP_TABLES: BackupTableName[] = [
+  'config',
+  'users',
+  'user_revisions',
+  'folders',
+  'ciphers',
+  'attachments',
+];
+
+function shadowTableName(table: BackupTableName): string {
+  return `${table}__restore`;
+}
+
+export interface BackupImportResultBody {
+  object: 'instance-backup-import';
+  imported: {
+    config: number;
+    users: number;
+    userRevisions: number;
+    folders: number;
+    ciphers: number;
+    attachments: number;
+    attachmentFiles: number;
+  };
+  skipped: {
+    reason: string | null;
+    attachments: number;
+    items: Array<{
+      kind: 'attachment';
+      path: string;
+      sizeBytes: number;
+    }>;
+  };
+}
+
+export interface BackupImportExecutionResult {
+  result: BackupImportResultBody;
+  auditActorUserId: string | null;
+}
+
+async function queryRows(db: D1Database, sql: string, ...values: unknown[]): Promise<SqlRow[]> {
+  const response = await db.prepare(sql).bind(...values).all<SqlRow>();
+  return (response.results || []).map((row) => ({ ...row }));
+}
+
+async function getTableCreateSql(db: D1Database, table: BackupTableName): Promise<string> {
+  const row = await db
+    .prepare("SELECT sql FROM sqlite_master WHERE type = 'table' AND name = ?")
+    .bind(table)
+    .first<{ sql: string | null }>();
+  const sql = String(row?.sql || '').trim();
+  if (!sql) {
+    throw new Error(`Restore shadow schema is missing table definition for ${table}`);
+  }
+  return sql;
+}
+
+function buildShadowTableCreateSql(createSql: string, table: BackupTableName): string {
+  const tablePattern = new RegExp(`^CREATE TABLE(?:\\s+IF NOT EXISTS)?\\s+(?:\"${table}\"|${table})(?=\\s*\\()`, 'i');
+  let next = createSql.replace(tablePattern, `CREATE TABLE "${shadowTableName(table)}"`);
+  if (next === createSql) {
+    throw new Error(`Restore shadow schema could not rewrite CREATE TABLE statement for ${table}`);
+  }
+  for (const currentTable of BACKUP_TABLES) {
+    const referencePattern = new RegExp(`\\bREFERENCES\\s+(?:\"${currentTable}\"|${currentTable})(?=\\s*\\()`, 'gi');
+    next = next.replace(
+      referencePattern,
+      `REFERENCES "${shadowTableName(currentTable)}"`
+    );
+  }
+  return next;
+}
+
+async function resetRestoreArtifacts(db: D1Database): Promise<void> {
+  const dropStatements = BACKUP_TABLES
+    .slice()
+    .reverse()
+    .map((table) => db.prepare(`DROP TABLE IF EXISTS ${shadowTableName(table)}`));
+  if (dropStatements.length) {
+    await db.batch(dropStatements);
+  }
+}
+
+async function createShadowTables(db: D1Database): Promise<void> {
+  const createStatements: D1PreparedStatement[] = [];
+  for (const table of BACKUP_TABLES) {
+    const createSql = await getTableCreateSql(db, table);
+    createStatements.push(db.prepare(buildShadowTableCreateSql(createSql, table)));
+  }
+  await db.batch(createStatements);
+}
+
+async function validateShadowTableCounts(
+  db: D1Database,
+  expectedCounts: Partial<Record<BackupTableName, number>>
+): Promise<void> {
+  await Promise.all(BACKUP_TABLES.map(async (table) => {
+    const expected = expectedCounts[table] ?? 0;
+    const row = await db.prepare(`SELECT COUNT(*) AS count FROM ${shadowTableName(table)}`).first<{ count: number }>();
+    const actual = Number(row?.count || 0);
+    if (actual !== expected) {
+      throw new Error(`Restore shadow validation failed for ${table}: expected ${expected}, received ${actual}`);
+    }
+  }));
+}
+
+async function swapShadowTablesIntoPlace(db: D1Database): Promise<void> {
+  const statements: D1PreparedStatement[] = [];
+  // Commit by replacing live table contents from validated shadow tables.
+  // This avoids D1 schema-rename edge cases while keeping current data intact
+  // until the final batch succeeds.
+  for (const sql of buildResetImportTargetStatements(db)) {
+    statements.push(sql);
+  }
+  for (const table of BACKUP_TABLES) {
+    statements.push(db.prepare(`INSERT INTO ${table} SELECT * FROM ${shadowTableName(table)}`));
+  }
+  await db.batch(statements);
+}
+
+async function ensureImportTargetIsFresh(db: D1Database): Promise<void> {
+  const counts = await Promise.all([
+    db.prepare('SELECT COUNT(*) AS count FROM ciphers').first<{ count: number }>(),
+    db.prepare('SELECT COUNT(*) AS count FROM folders').first<{ count: number }>(),
+    db.prepare('SELECT COUNT(*) AS count FROM attachments').first<{ count: number }>(),
+    db.prepare('SELECT COUNT(*) AS count FROM sends').first<{ count: number }>(),
+  ]);
+  const total = counts.reduce((sum, row) => sum + Number(row?.count || 0), 0);
+  if (total > 0) {
+    throw new Error('Backup import requires a fresh instance with no vault or send data');
+  }
+}
+
+function buildResetImportTargetStatements(db: D1Database): D1PreparedStatement[] {
+  return [
+    'DELETE FROM attachments',
+    'DELETE FROM ciphers',
+    'DELETE FROM folders',
+    'DELETE FROM user_revisions',
+    'DELETE FROM users',
+    'DELETE FROM config',
+  ].map((sql) => db.prepare(sql));
+}
+
+async function collectCurrentBlobKeys(db: D1Database): Promise<Set<string>> {
+  const keys = new Set<string>();
+  const attachmentRows = await queryRows(
+    db,
+    `SELECT a.id, a.cipher_id
+     FROM attachments a
+     INNER JOIN ciphers c ON c.id = a.cipher_id`
+  );
+  for (const row of attachmentRows) {
+    const cipherId = String(row.cipher_id || '').trim();
+    const attachmentId = String(row.id || '').trim();
+    if (!cipherId || !attachmentId) continue;
+    keys.add(getAttachmentObjectKey(cipherId, attachmentId));
+  }
+  return keys;
+}
+
+const KV_BLOB_SKIP_REASON = 'Cloudflare KV object size limit (25 MB)';
+const BLOB_STORAGE_UNAVAILABLE_SKIP_REASON = 'Attachment storage is not configured';
+const ATTACHMENT_RESTORE_FAILED_REASON = 'Some attachments could not be restored and were skipped';
+
+interface BackupImportSkipSummary {
+  reason: string | null;
+  attachments: number;
+  items: Array<{
+    kind: 'attachment';
+    path: string;
+    sizeBytes: number;
+  }>;
+}
+
+interface PreparedBackupImportPayload {
+  payload: BackupPayload;
+  skipped: BackupImportSkipSummary;
+}
+
+interface AttachmentRestoreResult {
+  imported: number;
+  restoredAttachments: SqlRow[];
+  skipped: BackupImportSkipSummary;
+}
+
+interface RemoteAttachmentSource {
+  loadAttachment(blobName: string): Promise<Uint8Array | null>;
+}
+
+export interface BackupRestoreProgressEvent {
+  source: 'local' | 'remote';
+  step: string;
+  fileName: string;
+  stageTitle: string;
+  stageDetail: string;
+  replaceExisting: boolean;
+  done?: boolean;
+  ok?: boolean;
+  error?: string | null;
+}
+
+export type BackupRestoreProgressReporter = (event: BackupRestoreProgressEvent) => Promise<void> | void;
+
+function attachmentRowKey(row: SqlRow): string {
+  const attachmentId = String(row.id || '').trim();
+  const cipherId = String(row.cipher_id || '').trim();
+  return `${cipherId}/${attachmentId}`;
+}
+
+function cloneRows(rows: SqlRow[]): SqlRow[] {
+  return rows.map((row) => ({ ...row }));
+}
+
+function upsertConfigRow(rows: SqlRow[], key: string, value: string): SqlRow[] {
+  let replaced = false;
+  const nextRows = rows.map((row) => {
+    if (String(row.key || '').trim() !== key) return { ...row };
+    replaced = true;
+    return { ...row, key, value };
+  });
+  if (!replaced) {
+    nextRows.push({ key, value });
+  }
+  return nextRows;
+}
+
+async function prepareImportedConfigRows(
+  env: Env,
+  configRows: SqlRow[],
+  userRows: SqlRow[]
+): Promise<SqlRow[]> {
+  let nextConfigRows = cloneRows(configRows || []);
+  const rawBackupSettings = nextConfigRows.find((row) => String(row.key || '').trim() === BACKUP_SETTINGS_CONFIG_KEY);
+  const normalizedBackupSettings = await normalizeImportedBackupSettingsValue(
+    typeof rawBackupSettings?.value === 'string' ? rawBackupSettings.value : null,
+    env,
+    userRows.map((row) => ({
+      id: String(row.id || '').trim(),
+      publicKey: typeof row.public_key === 'string' ? row.public_key : null,
+      role: String(row.role || '').trim() as User['role'],
+      status: String(row.status || '').trim() as User['status'],
+    })),
+    'UTC'
+  );
+  if (normalizedBackupSettings !== null) {
+    nextConfigRows = upsertConfigRow(nextConfigRows, BACKUP_SETTINGS_CONFIG_KEY, normalizedBackupSettings);
+  }
+  nextConfigRows = upsertConfigRow(nextConfigRows, 'registered', 'true');
+  return nextConfigRows;
+}
+
+async function importPreparedBackupRows(db: D1Database, payload: BackupPayload['db'], env: Env): Promise<BackupPayload['db']> {
+  const preparedDb: BackupPayload['db'] = {
+    config: await prepareImportedConfigRows(env, payload.config || [], payload.users || []),
+    users: cloneRows(payload.users || []).map((row) => ({
+      ...row,
+      verify_devices: row.verify_devices ?? 1,
+    })),
+    user_revisions: cloneRows(payload.user_revisions || []),
+    folders: cloneRows(payload.folders || []),
+    ciphers: cloneRows(payload.ciphers || []).map((row) => ({
+      ...row,
+      archived_at: row.archived_at ?? null,
+    })),
+    attachments: cloneRows(payload.attachments || []),
+  };
+  await importBackupRows(db, preparedDb, true);
+  return preparedDb;
+}
+
+function prepareImportPayloadForTarget(env: Env, payload: BackupPayload, files: Record<string, Uint8Array>): PreparedBackupImportPayload {
+  const storageKind = getBlobStorageKind(env);
+  if (storageKind === 'r2') {
+    return {
+      payload,
+      skipped: {
+        reason: null,
+        attachments: 0,
+        items: [],
+      },
+    };
+  }
+
+  if (storageKind === null) {
+    const skippedItems = (payload.db.attachments || []).map((row) => {
+      const cipherId = String(row.cipher_id || '').trim();
+      const attachmentId = String(row.id || '').trim();
+      return {
+        kind: 'attachment' as const,
+        path: `attachments/${cipherId}/${attachmentId}.bin`,
+        sizeBytes: Number(row.size || 0) || 0,
+      };
+    });
+
+    const result = {
+      payload: {
+        ...payload,
+        db: {
+          ...payload.db,
+          attachments: [],
+        },
+      },
+      skipped: {
+        reason: skippedItems.length ? BLOB_STORAGE_UNAVAILABLE_SKIP_REASON : null,
+        attachments: skippedItems.length,
+        items: skippedItems,
+      },
+    };
+    return result;
+  }
+
+  const oversizedAttachmentPaths = new Set<string>();
+  const skippedItems: BackupImportSkipSummary['items'] = [];
+
+  for (const entry of Object.keys(files)) {
+    if (!entry.endsWith('.bin')) continue;
+    const sizeBytes = files[entry].byteLength;
+    if (sizeBytes <= KV_MAX_OBJECT_BYTES) continue;
+    if (entry.startsWith('attachments/')) {
+      oversizedAttachmentPaths.add(entry);
+      skippedItems.push({ kind: 'attachment', path: entry, sizeBytes });
+    }
+  }
+
+  const nextAttachments = (payload.db.attachments || []).filter((row) => {
+    const cipherId = String(row.cipher_id || '').trim();
+    const attachmentId = String(row.id || '').trim();
+    if (!cipherId || !attachmentId) return false;
+    return !oversizedAttachmentPaths.has(`attachments/${cipherId}/${attachmentId}.bin`);
+  });
+
+  const nextPayload: BackupPayload = {
+    ...payload,
+    db: {
+      ...payload.db,
+      attachments: nextAttachments,
+    },
+  };
+
+  const needsKvBlobStorage = nextAttachments.length > 0;
+
+  if (needsKvBlobStorage && !env.ATTACHMENTS_KV) {
+    throw new Error('Backup restore requires ATTACHMENTS_KV when using KV blob storage');
+  }
+
+  const result = {
+    payload: nextPayload,
+    skipped: {
+      reason: skippedItems.length ? KV_BLOB_SKIP_REASON : null,
+      attachments: skippedItems.length,
+      items: skippedItems,
+    },
+  };
+  return result;
+}
+
+function buildInsertStatements(db: D1Database, table: string, columns: string[], rows: SqlRow[], upsert = false): D1PreparedStatement[] {
+  if (!rows.length) return [];
+  const placeholders = `(${columns.map(() => '?').join(', ')})`;
+  const sql = `INSERT ${upsert ? 'OR REPLACE ' : ''}INTO ${table} (${columns.join(', ')}) VALUES ${placeholders}`;
+  return rows.map((row) => db.prepare(sql).bind(...columns.map((column) => row[column] ?? null)));
+}
+
+async function runInsertBatch(db: D1Database, table: string, statements: D1PreparedStatement[]): Promise<void> {
+  if (!statements.length) return;
+  try {
+    await db.batch(statements);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Restore insert failed for ${table}: ${message}`);
+  }
+}
+
+async function restoreBlobFiles(env: Env, db: BackupPayload['db'], files: Record<string, Uint8Array>): Promise<AttachmentRestoreResult> {
+  const restoredAttachments: SqlRow[] = [];
+  const skippedItems: BackupImportSkipSummary['items'] = [];
+
+  for (const row of db.attachments || []) {
+    const cipherId = String(row.cipher_id || '').trim();
+    const attachmentId = String(row.id || '').trim();
+    if (!cipherId || !attachmentId) continue;
+    const key = `attachments/${cipherId}/${attachmentId}.bin`;
+    const bytes = files[key];
+    if (!bytes) {
+      skippedItems.push({
+        kind: 'attachment',
+        path: key,
+        sizeBytes: Number(row.size || 0) || 0,
+      });
+      continue;
+    }
+    try {
+      await putBlobObject(env, getAttachmentObjectKey(cipherId, attachmentId), bytes, {
+        size: bytes.byteLength,
+        contentType: 'application/octet-stream',
+      });
+      restoredAttachments.push(row);
+    } catch {
+      skippedItems.push({
+        kind: 'attachment',
+        path: key,
+        sizeBytes: bytes.byteLength,
+      });
+    }
+  }
+
+  return {
+    imported: restoredAttachments.length,
+    restoredAttachments,
+    skipped: {
+      reason: skippedItems.length ? ATTACHMENT_RESTORE_FAILED_REASON : null,
+      attachments: skippedItems.length,
+      items: skippedItems,
+    },
+  };
+}
+
+function buildAttachmentBlobLookup(manifest: BackupPayload['manifest']): Map<string, BackupManifestAttachmentBlob> {
+  return new Map(
+    (manifest.attachmentBlobs || []).map((item) => [`${item.cipherId}/${item.attachmentId}`, item])
+  );
+}
+
+async function prepareRemoteAttachmentPayload(
+  env: Env,
+  payload: BackupPayload,
+  files: Record<string, Uint8Array>,
+  source: RemoteAttachmentSource
+): Promise<PreparedBackupImportPayload> {
+  const manifestLookup = buildAttachmentBlobLookup(payload.manifest);
+  const storageKind = getBlobStorageKind(env);
+  const nextAttachments: SqlRow[] = [];
+  const skippedItems: BackupImportSkipSummary['items'] = [];
+
+  for (const row of payload.db.attachments || []) {
+    const cipherId = String(row.cipher_id || '').trim();
+    const attachmentId = String(row.id || '').trim();
+    const lookupKey = `${cipherId}/${attachmentId}`;
+    const ref = manifestLookup.get(lookupKey);
+    const sizeBytes = ref?.sizeBytes || Number(row.size || 0) || 0;
+    const path = ref ? `attachments/${ref.blobName}` : `attachments/${lookupKey}`;
+    const inlinePath = `attachments/${cipherId}/${attachmentId}.bin`;
+
+    if (files[inlinePath]) {
+      nextAttachments.push(row);
+      continue;
+    }
+    if (!ref) {
+      skippedItems.push({ kind: 'attachment', path, sizeBytes });
+      continue;
+    }
+    if (storageKind === 'kv' && sizeBytes > KV_MAX_OBJECT_BYTES) {
+      skippedItems.push({ kind: 'attachment', path, sizeBytes });
+      continue;
+    }
+    if (storageKind === null) {
+      skippedItems.push({ kind: 'attachment', path, sizeBytes });
+      continue;
+    }
+    nextAttachments.push(row);
+  }
+
+  const result = {
+    payload: {
+      ...payload,
+      db: {
+        ...payload.db,
+        attachments: nextAttachments,
+      },
+    },
+    skipped: {
+      reason: skippedItems.length ? 'Some remote attachments were unavailable and were skipped' : null,
+      attachments: skippedItems.length,
+      items: skippedItems,
+    },
+  };
+  return result;
+}
+
+async function removeAttachmentRows(db: D1Database, attachmentRows: SqlRow[], useShadowTable: boolean = false): Promise<void> {
+  if (!attachmentRows.length) return;
+  const tableName = useShadowTable ? shadowTableName('attachments') : 'attachments';
+  const statements = attachmentRows
+    .map((row) => {
+      const attachmentId = String(row.id || '').trim();
+      const cipherId = String(row.cipher_id || '').trim();
+      if (!attachmentId || !cipherId) return null;
+      return db.prepare(`DELETE FROM ${tableName} WHERE id = ? AND cipher_id = ?`).bind(attachmentId, cipherId);
+    })
+    .filter((statement): statement is D1PreparedStatement => !!statement);
+  if (!statements.length) return;
+  await db.batch(statements);
+}
+
+async function restoreRemoteAttachmentFiles(
+  env: Env,
+  payload: BackupPayload,
+  files: Record<string, Uint8Array>,
+  source: RemoteAttachmentSource
+): Promise<{
+  imported: number;
+  skipped: BackupImportSkipSummary;
+  restoredAttachments: SqlRow[];
+}> {
+  const manifestLookup = buildAttachmentBlobLookup(payload.manifest);
+  const restoredAttachments: SqlRow[] = [];
+  const skippedItems: BackupImportSkipSummary['items'] = [];
+
+  for (const row of payload.db.attachments || []) {
+    const cipherId = String(row.cipher_id || '').trim();
+    const attachmentId = String(row.id || '').trim();
+    const inlinePath = `attachments/${cipherId}/${attachmentId}.bin`;
+    const ref = manifestLookup.get(`${cipherId}/${attachmentId}`);
+    if (!ref && !files[inlinePath]) {
+      skippedItems.push({
+        kind: 'attachment',
+        path: `attachments/${cipherId}/${attachmentId}`,
+        sizeBytes: Number(row.size || 0) || 0,
+      });
+      continue;
+    }
+    const bytes = files[inlinePath] || (ref ? await source.loadAttachment(ref.blobName) : null);
+    if (!bytes) {
+      skippedItems.push({
+        kind: 'attachment',
+        path: ref ? `attachments/${ref.blobName}` : inlinePath,
+        sizeBytes: ref?.sizeBytes || Number(row.size || 0) || 0,
+      });
+      continue;
+    }
+    try {
+      await putBlobObject(env, getAttachmentObjectKey(cipherId, attachmentId), bytes, {
+        size: bytes.byteLength,
+        contentType: 'application/octet-stream',
+      });
+      restoredAttachments.push(row);
+    } catch {
+      skippedItems.push({
+        kind: 'attachment',
+        path: ref ? `attachments/${ref.blobName}` : inlinePath,
+        sizeBytes: bytes.byteLength,
+      });
+    }
+  }
+
+  return {
+    imported: restoredAttachments.length,
+    restoredAttachments,
+    skipped: {
+      reason: skippedItems.length ? ATTACHMENT_RESTORE_FAILED_REASON : null,
+      attachments: skippedItems.length,
+      items: skippedItems,
+    },
+  };
+}
+
+async function cleanupOrphanedBlobFiles(env: Env, beforeKeys: Set<string>, afterKeys: Set<string>): Promise<void> {
+  const staleKeys = Array.from(beforeKeys).filter((key) => !afterKeys.has(key));
+  for (const key of staleKeys) {
+    await deleteBlobObject(env, key);
+  }
+}
+
+async function importBackupRows(db: D1Database, payload: BackupPayload['db'], useShadowTables: boolean = false): Promise<void> {
+  const tableName = (table: BackupTableName): string => (useShadowTables ? shadowTableName(table) : table);
+  await runInsertBatch(
+    db,
+    tableName('config'),
+    buildInsertStatements(db, tableName('config'), ['key', 'value'], payload.config || [], true)
+  );
+  await runInsertBatch(
+    db,
+    tableName('users'),
+    buildInsertStatements(
+      db,
+      tableName('users'),
+      ['id', 'email', 'name', 'master_password_hint', 'master_password_hash', 'key', 'private_key', 'public_key', 'kdf_type', 'kdf_iterations', 'kdf_memory', 'kdf_parallelism', 'security_stamp', 'role', 'status', 'verify_devices', 'totp_secret', 'totp_recovery_code', 'created_at', 'updated_at'],
+      payload.users || []
+    )
+  );
+  await runInsertBatch(
+    db,
+    tableName('user_revisions'),
+    buildInsertStatements(db, tableName('user_revisions'), ['user_id', 'revision_date'], payload.user_revisions || [], true)
+  );
+  await runInsertBatch(
+    db,
+    tableName('folders'),
+    buildInsertStatements(db, tableName('folders'), ['id', 'user_id', 'name', 'created_at', 'updated_at'], payload.folders || [])
+  );
+  await runInsertBatch(
+    db,
+    tableName('ciphers'),
+    buildInsertStatements(
+      db,
+      tableName('ciphers'),
+      ['id', 'user_id', 'type', 'folder_id', 'name', 'notes', 'favorite', 'data', 'reprompt', 'key', 'created_at', 'updated_at', 'archived_at', 'deleted_at'],
+      payload.ciphers || []
+    )
+  );
+  await runInsertBatch(
+    db,
+    tableName('attachments'),
+    buildInsertStatements(db, tableName('attachments'), ['id', 'cipher_id', 'file_name', 'size', 'size_name', 'key'], payload.attachments || [])
+  );
+}
+
+export async function importBackupArchiveBytes(
+  archiveBytes: Uint8Array,
+  env: Env,
+  actorUserId: string,
+  replaceExisting: boolean,
+  progress?: BackupRestoreProgressReporter,
+  fileName: string = 'nodewarden_backup.zip'
+): Promise<BackupImportExecutionResult> {
+  const parsed = parseBackupArchive(archiveBytes);
+  validateBackupPayloadContents(parsed.payload, parsed.files);
+  const prepared = prepareImportPayloadForTarget(env, parsed.payload, parsed.files);
+
+  try {
+    await ensureImportTargetIsFresh(env.DB);
+  } catch (error) {
+    if (!replaceExisting) {
+      throw error instanceof Error ? error : new Error('Backup import requires a fresh instance');
+    }
+  }
+
+  await resetRestoreArtifacts(env.DB);
+  const previousBlobKeys = replaceExisting ? await collectCurrentBlobKeys(env.DB) : new Set<string>();
+  try {
+    await progress?.({
+      source: 'local',
+      step: 'local_create_shadow',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_local_shadow_title',
+      stageDetail: 'txt_backup_restore_progress_local_shadow_detail',
+      replaceExisting,
+    });
+    await createShadowTables(env.DB);
+    await progress?.({
+      source: 'local',
+      step: 'local_import_data',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_local_data_title',
+      stageDetail: 'txt_backup_restore_progress_local_data_detail',
+      replaceExisting,
+    });
+    const db = await importPreparedBackupRows(env.DB, prepared.payload.db, env);
+    await validateShadowTableCounts(env.DB, {
+      config: (db.config || []).length,
+      users: (db.users || []).length,
+      user_revisions: (db.user_revisions || []).length,
+      folders: (db.folders || []).length,
+      ciphers: (db.ciphers || []).length,
+      attachments: (db.attachments || []).length,
+    });
+
+    await progress?.({
+      source: 'local',
+      step: 'local_restore_files',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_local_files_title',
+      stageDetail: 'txt_backup_restore_progress_local_files_detail',
+      replaceExisting,
+    });
+    const restored = await restoreBlobFiles(env, db, parsed.files);
+    const restoredAttachmentKeys = new Set((restored.restoredAttachments || []).map(attachmentRowKey));
+    const failedRestoreRows = (db.attachments || []).filter((row) => !restoredAttachmentKeys.has(attachmentRowKey(row)));
+    await removeAttachmentRows(env.DB, failedRestoreRows, true).catch(() => undefined);
+    await validateShadowTableCounts(env.DB, {
+      config: (db.config || []).length,
+      users: (db.users || []).length,
+      user_revisions: (db.user_revisions || []).length,
+      folders: (db.folders || []).length,
+      ciphers: (db.ciphers || []).length,
+      attachments: restored.restoredAttachments.length,
+    });
+    await progress?.({
+      source: 'local',
+      step: 'local_finalize',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_local_finalize_title',
+      stageDetail: 'txt_backup_restore_progress_local_finalize_detail',
+      replaceExisting,
+    });
+    await swapShadowTablesIntoPlace(env.DB);
+    await resetRestoreArtifacts(env.DB).catch(() => undefined);
+    if (replaceExisting && previousBlobKeys.size) {
+      const nextBlobKeys = await collectCurrentBlobKeys(env.DB).catch(() => null);
+      if (nextBlobKeys) {
+        await cleanupOrphanedBlobFiles(env, previousBlobKeys, nextBlobKeys).catch(() => undefined);
+      }
+    }
+
+    await progress?.({
+      source: 'local',
+      step: 'local_complete',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_local_finalize_title',
+      stageDetail: 'txt_backup_restore_progress_local_finalize_detail',
+      replaceExisting,
+      done: true,
+      ok: true,
+    });
+    return {
+      auditActorUserId: (db.users || []).some((row) => String(row.id || '').trim() === actorUserId) ? actorUserId : null,
+      result: {
+        object: 'instance-backup-import',
+        imported: {
+          config: (db.config || []).length,
+          users: (db.users || []).length,
+          userRevisions: (db.user_revisions || []).length,
+          folders: (db.folders || []).length,
+          ciphers: (db.ciphers || []).length,
+          attachments: restored.restoredAttachments.length,
+          attachmentFiles: restored.imported,
+        },
+        skipped: {
+          reason: restored.skipped.reason || prepared.skipped.reason,
+          attachments: prepared.skipped.attachments + restored.skipped.attachments,
+          items: [...prepared.skipped.items, ...restored.skipped.items],
+        },
+      },
+    };
+  } catch (error) {
+    await progress?.({
+      source: 'local',
+      step: 'local_failed',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_local_finalize_title',
+      stageDetail: 'txt_backup_restore_progress_local_finalize_detail',
+      replaceExisting,
+      done: true,
+      ok: false,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    await resetRestoreArtifacts(env.DB).catch(() => undefined);
+    throw error;
+  }
+}
+
+export async function importRemoteBackupArchiveBytes(
+  archiveBytes: Uint8Array,
+  env: Env,
+  actorUserId: string,
+  replaceExisting: boolean,
+  source: RemoteAttachmentSource,
+  progress?: BackupRestoreProgressReporter,
+  fileName: string = 'nodewarden_backup.zip'
+): Promise<BackupImportExecutionResult> {
+  const parsed = parseBackupArchive(archiveBytes, { allowExternalAttachmentBlobs: true });
+  const preparedRemote = await prepareRemoteAttachmentPayload(env, parsed.payload, parsed.files, source);
+  validateBackupPayloadContents(preparedRemote.payload, parsed.files, { allowExternalAttachmentBlobs: true });
+
+  try {
+    await ensureImportTargetIsFresh(env.DB);
+  } catch (error) {
+    if (!replaceExisting) {
+      throw error instanceof Error ? error : new Error('Backup import requires a fresh instance');
+    }
+  }
+
+  await resetRestoreArtifacts(env.DB);
+  const previousBlobKeys = replaceExisting ? await collectCurrentBlobKeys(env.DB) : new Set<string>();
+  try {
+    await progress?.({
+      source: 'remote',
+      step: 'remote_create_shadow',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_remote_shadow_title',
+      stageDetail: 'txt_backup_restore_progress_remote_shadow_detail',
+      replaceExisting,
+    });
+    await createShadowTables(env.DB);
+    await progress?.({
+      source: 'remote',
+      step: 'remote_import_data',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_remote_data_title',
+      stageDetail: 'txt_backup_restore_progress_remote_data_detail',
+      replaceExisting,
+    });
+    const db = await importPreparedBackupRows(env.DB, preparedRemote.payload.db, env);
+    await validateShadowTableCounts(env.DB, {
+      config: (db.config || []).length,
+      users: (db.users || []).length,
+      user_revisions: (db.user_revisions || []).length,
+      folders: (db.folders || []).length,
+      ciphers: (db.ciphers || []).length,
+      attachments: (db.attachments || []).length,
+    });
+
+    await progress?.({
+      source: 'remote',
+      step: 'remote_restore_files',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_remote_files_title',
+      stageDetail: 'txt_backup_restore_progress_remote_files_detail',
+      replaceExisting,
+    });
+    const restored = await restoreRemoteAttachmentFiles(env, preparedRemote.payload, parsed.files, source);
+    const restoredAttachmentKeys = new Set((restored.restoredAttachments || []).map(attachmentRowKey));
+    const failedRestoreRows = (db.attachments || []).filter((row) => !restoredAttachmentKeys.has(attachmentRowKey(row)));
+    await removeAttachmentRows(env.DB, failedRestoreRows, true).catch(() => undefined);
+    await validateShadowTableCounts(env.DB, {
+      config: (db.config || []).length,
+      users: (db.users || []).length,
+      user_revisions: (db.user_revisions || []).length,
+      folders: (db.folders || []).length,
+      ciphers: (db.ciphers || []).length,
+      attachments: restored.restoredAttachments.length,
+    });
+    await progress?.({
+      source: 'remote',
+      step: 'remote_finalize',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_remote_finalize_title',
+      stageDetail: 'txt_backup_restore_progress_remote_finalize_detail',
+      replaceExisting,
+    });
+    await swapShadowTablesIntoPlace(env.DB);
+    await resetRestoreArtifacts(env.DB).catch(() => undefined);
+
+    if (replaceExisting && previousBlobKeys.size) {
+      const nextBlobKeys = await collectCurrentBlobKeys(env.DB).catch(() => null);
+      if (nextBlobKeys) {
+        await cleanupOrphanedBlobFiles(env, previousBlobKeys, nextBlobKeys).catch(() => undefined);
+      }
+    }
+
+    await progress?.({
+      source: 'remote',
+      step: 'remote_complete',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_remote_finalize_title',
+      stageDetail: 'txt_backup_restore_progress_remote_finalize_detail',
+      replaceExisting,
+      done: true,
+      ok: true,
+    });
+    const finalSkippedItems = [...preparedRemote.skipped.items, ...restored.skipped.items];
+    const finalSkippedReason = finalSkippedItems.length
+      ? restored.skipped.reason || preparedRemote.skipped.reason
+      : null;
+
+    return {
+      auditActorUserId: (db.users || []).some((row) => String(row.id || '').trim() === actorUserId) ? actorUserId : null,
+      result: {
+        object: 'instance-backup-import',
+        imported: {
+          config: (db.config || []).length,
+          users: (db.users || []).length,
+          userRevisions: (db.user_revisions || []).length,
+          folders: (db.folders || []).length,
+          ciphers: (db.ciphers || []).length,
+          attachments: restored.restoredAttachments.length,
+          attachmentFiles: restored.imported,
+        },
+        skipped: {
+          reason: finalSkippedReason,
+          attachments: finalSkippedItems.length,
+          items: finalSkippedItems,
+        },
+      },
+    };
+  } catch (error) {
+    await progress?.({
+      source: 'remote',
+      step: 'remote_failed',
+      fileName,
+      stageTitle: 'txt_backup_restore_progress_remote_finalize_title',
+      stageDetail: 'txt_backup_restore_progress_remote_finalize_detail',
+      replaceExisting,
+      done: true,
+      ok: false,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    await resetRestoreArtifacts(env.DB).catch(() => undefined);
+    throw error;
+  }
+}
@@ -0,0 +1,226 @@
+import type { Env, User } from '../types';
+
+const RUNTIME_SALT = 'nodewarden.backup-settings.runtime.v2';
+const RUNTIME_INFO = 'runtime';
+const PORTABLE_ALGORITHM = 'RSA-OAEP';
+const PORTABLE_HASH = 'SHA-1';
+const AES_GCM_ALGORITHM = 'AES-GCM';
+const AES_GCM_IV_BYTES = 12;
+const PORTABLE_DEK_BYTES = 32;
+
+export interface BackupSettingsRuntimeEnvelope {
+  iv: string;
+  ciphertext: string;
+}
+
+export interface BackupSettingsPortableWrap {
+  userId: string;
+  wrappedKey: string;
+}
+
+export interface BackupSettingsPortableEnvelope {
+  iv: string;
+  ciphertext: string;
+  wraps: BackupSettingsPortableWrap[];
+}
+
+export interface BackupSettingsEnvelopeV2 {
+  version: 2;
+  runtime: BackupSettingsRuntimeEnvelope;
+  portable: BackupSettingsPortableEnvelope;
+}
+
+function bytesToBase64(bytes: Uint8Array): string {
+  let text = '';
+  for (let index = 0; index < bytes.length; index += 1) {
+    text += String.fromCharCode(bytes[index]);
+  }
+  return btoa(text);
+}
+
+function base64ToBytes(value: string): Uint8Array {
+  const normalized = String(value || '').trim();
+  const binary = atob(normalized);
+  const bytes = new Uint8Array(binary.length);
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+  return bytes;
+}
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return !!value && typeof value === 'object' && !Array.isArray(value);
+}
+
+async function deriveRuntimeKey(secret: string): Promise<CryptoKey> {
+  const encoder = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    'HKDF',
+    false,
+    ['deriveBits']
+  );
+  const bits = await crypto.subtle.deriveBits(
+    {
+      name: 'HKDF',
+      hash: 'SHA-256',
+      salt: encoder.encode(RUNTIME_SALT),
+      info: encoder.encode(RUNTIME_INFO),
+    },
+    keyMaterial,
+    256
+  );
+  return crypto.subtle.importKey('raw', bits, { name: AES_GCM_ALGORITHM }, false, ['encrypt', 'decrypt']);
+}
+
+async function encryptAesGcm(plaintext: Uint8Array, key: CryptoKey): Promise<{ iv: Uint8Array; ciphertext: Uint8Array }> {
+  const iv = crypto.getRandomValues(new Uint8Array(AES_GCM_IV_BYTES));
+  const ciphertext = new Uint8Array(
+    await crypto.subtle.encrypt(
+      { name: AES_GCM_ALGORITHM, iv },
+      key,
+      plaintext
+    )
+  );
+  return { iv, ciphertext };
+}
+
+async function decryptAesGcm(ciphertext: Uint8Array, iv: Uint8Array, key: CryptoKey): Promise<Uint8Array> {
+  return new Uint8Array(
+    await crypto.subtle.decrypt(
+      { name: AES_GCM_ALGORITHM, iv },
+      key,
+      ciphertext
+    )
+  );
+}
+
+async function importPortablePublicKey(publicKeyBase64: string): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'spki',
+    base64ToBytes(publicKeyBase64),
+    { name: PORTABLE_ALGORITHM, hash: PORTABLE_HASH },
+    false,
+    ['encrypt']
+  );
+}
+
+function getEligiblePortableUsers(users: Pick<User, 'id' | 'publicKey' | 'role' | 'status'>[]): Array<Pick<User, 'id' | 'publicKey'>> {
+  return users
+    .filter(
+      (user) =>
+        user.role === 'admin' &&
+        user.status === 'active' &&
+        typeof user.publicKey === 'string' &&
+        user.publicKey.trim().length > 0
+    )
+    .map((user) => ({
+      id: user.id,
+      publicKey: user.publicKey!,
+    }));
+}
+
+export function parseBackupSettingsEnvelope(raw: string | null): BackupSettingsEnvelopeV2 | null {
+  if (!raw) return null;
+  try {
+    const parsed = JSON.parse(raw) as Record<string, unknown>;
+    if (!isPlainObject(parsed) || Number(parsed.version) !== 2) return null;
+    const runtime = parsed.runtime;
+    const portable = parsed.portable;
+    if (!isPlainObject(runtime) || !isPlainObject(portable)) return null;
+    if (!Array.isArray(portable.wraps)) return null;
+    if (typeof runtime.iv !== 'string' || typeof runtime.ciphertext !== 'string') return null;
+    if (typeof portable.iv !== 'string' || typeof portable.ciphertext !== 'string') return null;
+    return {
+      version: 2,
+      runtime: {
+        iv: runtime.iv,
+        ciphertext: runtime.ciphertext,
+      },
+      portable: {
+        iv: portable.iv,
+        ciphertext: portable.ciphertext,
+        wraps: portable.wraps
+          .filter((entry): entry is Record<string, unknown> => isPlainObject(entry))
+          .map((entry) => ({
+            userId: String(entry.userId || '').trim(),
+            wrappedKey: String(entry.wrappedKey || '').trim(),
+          }))
+          .filter((entry) => entry.userId && entry.wrappedKey),
+      },
+    };
+  } catch {
+    return null;
+  }
+}
+
+export async function encryptBackupSettingsEnvelope(
+  plaintext: string,
+  env: Env,
+  users: Pick<User, 'id' | 'publicKey' | 'role' | 'status'>[]
+): Promise<string> {
+  const encoder = new TextEncoder();
+  const eligibleUsers = getEligiblePortableUsers(users);
+  if (!eligibleUsers.length) {
+    throw new Error('No active administrator public keys are available for backup settings recovery');
+  }
+
+  const runtimeKey = await deriveRuntimeKey(env.JWT_SECRET);
+  const runtime = await encryptAesGcm(encoder.encode(plaintext), runtimeKey);
+
+  const portableDek = crypto.getRandomValues(new Uint8Array(PORTABLE_DEK_BYTES));
+  const portableKey = await crypto.subtle.importKey(
+    'raw',
+    portableDek,
+    { name: AES_GCM_ALGORITHM },
+    false,
+    ['encrypt']
+  );
+  const portableCipher = await encryptAesGcm(encoder.encode(plaintext), portableKey);
+
+  const wraps: BackupSettingsPortableWrap[] = [];
+  for (const user of eligibleUsers) {
+    const publicKey = await importPortablePublicKey(user.publicKey!);
+    const wrappedKey = new Uint8Array(
+      await crypto.subtle.encrypt(
+        { name: PORTABLE_ALGORITHM },
+        publicKey,
+        portableDek
+      )
+    );
+    wraps.push({
+      userId: user.id,
+      wrappedKey: bytesToBase64(wrappedKey),
+    });
+  }
+
+  const envelope: BackupSettingsEnvelopeV2 = {
+    version: 2,
+    runtime: {
+      iv: bytesToBase64(runtime.iv),
+      ciphertext: bytesToBase64(runtime.ciphertext),
+    },
+    portable: {
+      iv: bytesToBase64(portableCipher.iv),
+      ciphertext: bytesToBase64(portableCipher.ciphertext),
+      wraps,
+    },
+  };
+
+  return JSON.stringify(envelope);
+}
+
+export async function decryptBackupSettingsRuntime(raw: string, env: Env): Promise<string> {
+  const envelope = parseBackupSettingsEnvelope(raw);
+  if (!envelope) {
+    throw new Error('Backup settings envelope is invalid');
+  }
+  const runtimeKey = await deriveRuntimeKey(env.JWT_SECRET);
+  const plaintext = await decryptAesGcm(
+    base64ToBytes(envelope.runtime.ciphertext),
+    base64ToBytes(envelope.runtime.iv),
+    runtimeKey
+  );
+  return new TextDecoder().decode(plaintext);
+}
@@ -0,0 +1,789 @@
+import {
+  BackupDestinationRecord,
+  BackupDestinationType,
+  E3BackupDestination,
+  WebDavBackupDestination,
+} from './backup-config';
+
+export interface BackupUploadResult {
+  provider: BackupDestinationType;
+  remotePath: string;
+}
+
+export interface RemoteBackupItem {
+  path: string;
+  name: string;
+  isDirectory: boolean;
+  size: number | null;
+  modifiedAt: string | null;
+}
+
+export interface RemoteBackupListResult {
+  provider: BackupDestinationType;
+  currentPath: string;
+  parentPath: string | null;
+  items: RemoteBackupItem[];
+}
+
+export interface RemoteBackupFile {
+  provider: BackupDestinationType;
+  remotePath: string;
+  fileName: string;
+  contentType: string;
+  bytes: Uint8Array;
+}
+
+export interface RemoteBackupFilePutOptions {
+  contentType?: string;
+}
+
+function isBackupArchiveName(name: string): boolean {
+  return /\.zip$/i.test(String(name || '').trim());
+}
+
+function encodePathSegments(path: string): string {
+  return path
+    .split('/')
+    .filter(Boolean)
+    .map((segment) => encodeURIComponent(segment))
+    .join('/');
+}
+
+function trimSlashes(value: string): string {
+  let next = String(value || '');
+  while (next.startsWith('/')) next = next.slice(1);
+  while (next.endsWith('/')) next = next.slice(0, -1);
+  return next;
+}
+
+function buildJoinedPath(...segments: string[]): string {
+  return segments.map(trimSlashes).filter(Boolean).join('/');
+}
+
+function normalizeRelativePath(path: string): string {
+  const normalized = trimSlashes(path).replace(/\\/g, '/');
+  if (!normalized) return '';
+  const parts = normalized.split('/').filter(Boolean);
+  if (parts.some((part) => part === '.' || part === '..')) {
+    throw new Error('Invalid remote backup path');
+  }
+  return parts.join('/');
+}
+
+function basename(path: string): string {
+  const normalized = trimSlashes(path);
+  if (!normalized) return '';
+  const parts = normalized.split('/').filter(Boolean);
+  return parts[parts.length - 1] || '';
+}
+
+function parentPath(path: string): string | null {
+  const normalized = normalizeRelativePath(path);
+  if (!normalized) return null;
+  const parts = normalized.split('/');
+  parts.pop();
+  return parts.length ? parts.join('/') : '';
+}
+
+function sortRemoteItems(items: RemoteBackupItem[]): RemoteBackupItem[] {
+  return items.slice().sort((a, b) => {
+    const aIsAttachmentsDir = a.isDirectory && a.name === 'attachments';
+    const bIsAttachmentsDir = b.isDirectory && b.name === 'attachments';
+    if (aIsAttachmentsDir !== bIsAttachmentsDir) return aIsAttachmentsDir ? -1 : 1;
+    if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;
+    return a.name.localeCompare(b.name, 'en');
+  });
+}
+
+function decodeXmlText(value: string): string {
+  return value.replace(/&(amp|lt|gt|quot|#39);/g, (_match, entity) => {
+    switch (entity) {
+      case 'amp':
+        return '&';
+      case 'lt':
+        return '<';
+      case 'gt':
+        return '>';
+      case 'quot':
+        return '"';
+      case '#39':
+        return "'";
+      default:
+        return _match;
+    }
+  });
+}
+
+function parseHttpDate(value: string): string | null {
+  const parsed = new Date(value);
+  return Number.isFinite(parsed.getTime()) ? parsed.toISOString() : null;
+}
+
+function extractXmlBlocks(xml: string, tagName: string): string[] {
+  const pattern = new RegExp(`<(?:[^:>]+:)?${tagName}\\b[^>]*>([\\s\\S]*?)</(?:[^:>]+:)?${tagName}>`, 'gi');
+  const blocks: string[] = [];
+  let match: RegExpExecArray | null;
+  while ((match = pattern.exec(xml))) {
+    blocks.push(match[1]);
+  }
+  return blocks;
+}
+
+function extractXmlFirst(xml: string, tagName: string): string | null {
+  const pattern = new RegExp(`<(?:[^:>]+:)?${tagName}\\b[^>]*>([\\s\\S]*?)</(?:[^:>]+:)?${tagName}>`, 'i');
+  const match = xml.match(pattern);
+  return match?.[1] ? decodeXmlText(match[1].trim()) : null;
+}
+
+async function sha256Hex(value: Uint8Array | string): Promise<string> {
+  const bytes = typeof value === 'string' ? new TextEncoder().encode(value) : value;
+  const digest = await crypto.subtle.digest('SHA-256', bytes);
+  return Array.from(new Uint8Array(digest)).map((byte) => byte.toString(16).padStart(2, '0')).join('');
+}
+
+async function hmacSha256Raw(keyBytes: Uint8Array, message: string): Promise<Uint8Array> {
+  const key = await crypto.subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+  const signature = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(message));
+  return new Uint8Array(signature);
+}
+
+function toBasicAuthHeader(username: string, password: string): string {
+  const token = btoa(`${username}:${password}`);
+  return `Basic ${token}`;
+}
+
+function buildCanonicalQueryString(url: URL): string {
+  const params = Array.from(url.searchParams.entries()).sort(([aKey, aValue], [bKey, bValue]) => {
+    if (aKey === bKey) return aValue.localeCompare(bValue);
+    return aKey.localeCompare(bKey);
+  });
+  return params
+    .map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
+    .join('&');
+}
+
+async function buildAwsV4Authorization(
+  method: string,
+  url: URL,
+  headers: Record<string, string>,
+  payloadHashHex: string,
+  accessKeyId: string,
+  secretAccessKey: string,
+  region: string
+): Promise<string> {
+  const amzDate = headers['x-amz-date'];
+  const shortDate = amzDate.slice(0, 8);
+  const headerEntries = Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value] as const).sort(([a], [b]) => a.localeCompare(b));
+  const canonicalHeaders = headerEntries
+    .map(([name, value]) => `${name}:${String(value).trim().replace(/\s+/g, ' ')}`)
+    .join('\n');
+  const signedHeaders = headerEntries.map(([name]) => name).join(';');
+  const canonicalRequest = [
+    method.toUpperCase(),
+    url.pathname || '/',
+    buildCanonicalQueryString(url),
+    `${canonicalHeaders}\n`,
+    signedHeaders,
+    payloadHashHex,
+  ].join('\n');
+  const credentialScope = `${shortDate}/${region}/s3/aws4_request`;
+  const stringToSign = [
+    'AWS4-HMAC-SHA256',
+    amzDate,
+    credentialScope,
+    await sha256Hex(canonicalRequest),
+  ].join('\n');
+
+  const kDate = await hmacSha256Raw(new TextEncoder().encode(`AWS4${secretAccessKey}`), shortDate);
+  const kRegion = await hmacSha256Raw(kDate, region);
+  const kService = await hmacSha256Raw(kRegion, 's3');
+  const kSigning = await hmacSha256Raw(kService, 'aws4_request');
+  const signatureBytes = await hmacSha256Raw(kSigning, stringToSign);
+  const signature = Array.from(signatureBytes).map((byte) => byte.toString(16).padStart(2, '0')).join('');
+
+  return `AWS4-HMAC-SHA256 Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+}
+
+function ensureDestinationConfigReady(destination: BackupDestinationRecord): void {
+  if (destination.type === 'webdav') {
+    const config = destination.destination as WebDavBackupDestination;
+    if (!String(config.baseUrl || '').trim()) throw new Error('WebDAV server URL is required');
+    if (!/^https?:\/\//i.test(String(config.baseUrl || '').trim())) throw new Error('WebDAV server URL must start with http:// or https://');
+    if (!String(config.username || '').trim()) throw new Error('WebDAV username is required');
+    if (!String(config.password || '')) throw new Error('WebDAV password is required');
+    return;
+  }
+  if (destination.type === 'e3') {
+    const config = destination.destination as E3BackupDestination;
+    if (!String(config.endpoint || '').trim()) throw new Error('E3 endpoint is required');
+    if (!/^https?:\/\//i.test(String(config.endpoint || '').trim())) throw new Error('E3 endpoint must start with http:// or https://');
+    if (!String(config.bucket || '').trim()) throw new Error('E3 bucket is required');
+    if (!String(config.accessKeyId || '').trim()) throw new Error('E3 access key is required');
+    if (!String(config.secretAccessKey || '')) throw new Error('E3 secret key is required');
+  }
+}
+
+function buildWebDavUrl(baseUrl: string, relativePath: string): string {
+  const trimmedBase = baseUrl.replace(/\/+$/, '');
+  const normalized = normalizeRelativePath(relativePath);
+  return normalized ? `${trimmedBase}/${encodePathSegments(normalized)}` : trimmedBase;
+}
+
+function webDavFullPath(config: WebDavBackupDestination, relativePath: string): string {
+  return buildJoinedPath(config.remotePath, normalizeRelativePath(relativePath));
+}
+
+async function ensureWebDavDirectory(baseUrl: string, directoryPath: string, authHeader: string): Promise<void> {
+  const segments = trimSlashes(directoryPath).split('/').filter(Boolean);
+  let current = '';
+  for (const segment of segments) {
+    current = buildJoinedPath(current, segment);
+    const url = buildWebDavUrl(baseUrl, current);
+    const response = await fetch(url, {
+      method: 'MKCOL',
+      headers: {
+        Authorization: authHeader,
+      },
+    });
+    if ([200, 201, 204, 301, 302, 405].includes(response.status)) continue;
+    throw new Error(`WebDAV directory creation failed: ${response.status}`);
+  }
+}
+
+async function ensureWebDavDirectoryCached(
+  baseUrl: string,
+  directoryPath: string,
+  authHeader: string,
+  ensuredDirectories: Set<string>
+): Promise<void> {
+  const segments = trimSlashes(directoryPath).split('/').filter(Boolean);
+  let current = '';
+  for (const segment of segments) {
+    current = buildJoinedPath(current, segment);
+    if (ensuredDirectories.has(current)) continue;
+    const url = buildWebDavUrl(baseUrl, current);
+    const response = await fetch(url, {
+      method: 'MKCOL',
+      headers: {
+        Authorization: authHeader,
+      },
+    });
+    if ([200, 201, 204, 301, 302, 405].includes(response.status)) {
+      ensuredDirectories.add(current);
+      continue;
+    }
+    throw new Error(`WebDAV directory creation failed: ${response.status}`);
+  }
+}
+
+async function putToWebDav(
+  config: WebDavBackupDestination,
+  relativePath: string,
+  bytes: Uint8Array,
+  options: RemoteBackupFilePutOptions = {},
+  ensuredDirectories?: Set<string>
+): Promise<void> {
+  const authHeader = toBasicAuthHeader(config.username, config.password);
+  const remoteFilePath = buildJoinedPath(config.remotePath, relativePath);
+  const remoteDir = parentPath(remoteFilePath);
+
+  if (remoteDir) {
+    if (ensuredDirectories) {
+      await ensureWebDavDirectoryCached(config.baseUrl, remoteDir, authHeader, ensuredDirectories);
+    } else {
+      await ensureWebDavDirectory(config.baseUrl, remoteDir, authHeader);
+    }
+  }
+
+  const response = await fetch(buildWebDavUrl(config.baseUrl, remoteFilePath), {
+    method: 'PUT',
+    headers: {
+      Authorization: authHeader,
+      'Content-Type': options.contentType || 'application/octet-stream',
+      'Content-Length': String(bytes.byteLength),
+    },
+    body: bytes,
+  });
+
+  if (!response.ok) {
+    throw new Error(`WebDAV upload failed: ${response.status}`);
+  }
+}
+
+async function uploadToWebDav(config: WebDavBackupDestination, archive: Uint8Array, fileName: string): Promise<BackupUploadResult> {
+  await putToWebDav(config, fileName, archive, { contentType: 'application/zip' });
+  return {
+    provider: 'webdav',
+    remotePath: buildJoinedPath(config.remotePath, fileName),
+  };
+}
+
+function parseWebDavResponsePath(baseUrl: string, href: string): string {
+  const base = new URL(baseUrl);
+  const target = new URL(href, base);
+  const basePath = trimSlashes(decodeURIComponent(base.pathname));
+  const entryPath = trimSlashes(decodeURIComponent(target.pathname));
+  if (!basePath) return entryPath;
+  if (entryPath === basePath) return '';
+  return entryPath.startsWith(`${basePath}/`) ? entryPath.slice(basePath.length + 1) : entryPath;
+}
+
+async function listWebDavEntries(config: WebDavBackupDestination, relativePath: string): Promise<RemoteBackupListResult> {
+  const currentPath = normalizeRelativePath(relativePath);
+  const targetFullPath = webDavFullPath(config, currentPath);
+  const authHeader = toBasicAuthHeader(config.username, config.password);
+  const response = await fetch(buildWebDavUrl(config.baseUrl, targetFullPath), {
+    method: 'PROPFIND',
+    headers: {
+      Authorization: authHeader,
+      Depth: '1',
+      'Content-Type': 'application/xml; charset=utf-8',
+    },
+    body: `<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><resourcetype/><getcontentlength/><getlastmodified/></prop></propfind>`,
+  });
+  if (response.status === 404) {
+    return {
+      provider: 'webdav',
+      currentPath,
+      parentPath: parentPath(currentPath),
+      items: [],
+    };
+  }
+  if (!response.ok) {
+    throw new Error(`WebDAV listing failed: ${response.status}`);
+  }
+
+  const xml = await response.text();
+  const rootFullPath = trimSlashes(config.remotePath);
+  const items: RemoteBackupItem[] = [];
+  for (const block of extractXmlBlocks(xml, 'response')) {
+    const href = extractXmlFirst(block, 'href');
+    if (!href) continue;
+    const fullPath = trimSlashes(parseWebDavResponsePath(config.baseUrl, href));
+    if (!fullPath) continue;
+    if (fullPath === targetFullPath) continue;
+    if (rootFullPath && !(fullPath === rootFullPath || fullPath.startsWith(`${rootFullPath}/`))) continue;
+    const relative = rootFullPath
+      ? fullPath === rootFullPath
+        ? ''
+        : fullPath.slice(rootFullPath.length + 1)
+      : fullPath;
+    if (!relative) continue;
+    const directParent = parentPath(relative);
+    if ((directParent || '') !== currentPath) continue;
+
+    const resourceTypeBlock = extractXmlFirst(block, 'resourcetype') || '';
+    const isDirectory = /<(?:[^:>]+:)?collection\b/i.test(resourceTypeBlock);
+    const sizeRaw = extractXmlFirst(block, 'getcontentlength');
+    const modifiedAtRaw = extractXmlFirst(block, 'getlastmodified');
+    items.push({
+      path: relative,
+      name: basename(relative) || relative,
+      isDirectory,
+      size: !isDirectory && sizeRaw && Number.isFinite(Number(sizeRaw)) ? Number(sizeRaw) : null,
+      modifiedAt: modifiedAtRaw ? parseHttpDate(modifiedAtRaw) : null,
+    });
+  }
+
+  return {
+    provider: 'webdav',
+    currentPath,
+    parentPath: parentPath(currentPath),
+    items: sortRemoteItems(items),
+  };
+}
+
+async function downloadFromWebDav(config: WebDavBackupDestination, relativePath: string): Promise<RemoteBackupFile> {
+  const normalized = normalizeRelativePath(relativePath);
+  if (!normalized || normalized.endsWith('/')) {
+    throw new Error('Please select a backup file');
+  }
+  const authHeader = toBasicAuthHeader(config.username, config.password);
+  const remotePath = webDavFullPath(config, normalized);
+  const response = await fetch(buildWebDavUrl(config.baseUrl, remotePath), {
+    method: 'GET',
+    headers: {
+      Authorization: authHeader,
+    },
+  });
+  if (!response.ok) {
+    throw new Error(`WebDAV download failed: ${response.status}`);
+  }
+  return {
+    provider: 'webdav',
+    remotePath: normalized,
+    fileName: basename(normalized) || 'backup.zip',
+    contentType: String(response.headers.get('Content-Type') || 'application/zip').trim() || 'application/zip',
+    bytes: new Uint8Array(await response.arrayBuffer()),
+  };
+}
+
+async function deleteFromWebDav(config: WebDavBackupDestination, relativePath: string): Promise<void> {
+  const authHeader = toBasicAuthHeader(config.username, config.password);
+  const remotePath = webDavFullPath(config, relativePath);
+  const response = await fetch(buildWebDavUrl(config.baseUrl, remotePath), {
+    method: 'DELETE',
+    headers: {
+      Authorization: authHeader,
+    },
+  });
+  if (!response.ok && response.status !== 404) {
+    throw new Error(`WebDAV delete failed: ${response.status}`);
+  }
+}
+
+async function existsInWebDav(config: WebDavBackupDestination, relativePath: string): Promise<boolean> {
+  const authHeader = toBasicAuthHeader(config.username, config.password);
+  const remotePath = webDavFullPath(config, relativePath);
+  const response = await fetch(buildWebDavUrl(config.baseUrl, remotePath), {
+    method: 'HEAD',
+    headers: {
+      Authorization: authHeader,
+    },
+  });
+  if (response.status === 404) return false;
+  if (!response.ok) {
+    throw new Error(`WebDAV existence check failed: ${response.status}`);
+  }
+  return true;
+}
+
+function e3BucketBaseUrl(config: E3BackupDestination): URL {
+  return new URL(`${config.endpoint.replace(/\/+$/, '')}/${encodeURIComponent(config.bucket)}`);
+}
+
+function normalizeE3ObjectKey(config: E3BackupDestination, relativePath: string): string {
+  return buildJoinedPath(config.rootPath, normalizeRelativePath(relativePath));
+}
+
+async function signedE3Request(
+  config: E3BackupDestination,
+  method: 'GET' | 'PUT' | 'DELETE' | 'HEAD',
+  url: URL,
+  body?: Uint8Array,
+  contentType?: string
+): Promise<Response> {
+  const payloadHashHex = await sha256Hex(body || new Uint8Array());
+  const amzDate = new Date().toISOString().replace(/[:-]|\.\d{3}/g, '');
+  const headers: Record<string, string> = {
+    host: url.host,
+    'x-amz-content-sha256': payloadHashHex,
+    'x-amz-date': amzDate,
+  };
+  if (method === 'PUT') headers['content-type'] = contentType || 'application/octet-stream';
+
+  const authorization = await buildAwsV4Authorization(
+    method,
+    url,
+    headers,
+    payloadHashHex,
+    config.accessKeyId,
+    config.secretAccessKey,
+    config.region || 'auto'
+  );
+
+  return fetch(url.toString(), {
+    method,
+    headers: {
+      Authorization: authorization,
+      'X-Amz-Content-Sha256': headers['x-amz-content-sha256'],
+      'X-Amz-Date': headers['x-amz-date'],
+      ...(method === 'PUT' ? { 'Content-Type': headers['content-type'] } : {}),
+    },
+    body,
+  });
+}
+
+async function putToE3(
+  config: E3BackupDestination,
+  relativePath: string,
+  bytes: Uint8Array,
+  options: RemoteBackupFilePutOptions = {}
+): Promise<void> {
+  const objectKey = normalizeE3ObjectKey(config, relativePath);
+  const url = new URL(`${e3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
+  const response = await signedE3Request(config, 'PUT', url, bytes, options.contentType);
+
+  if (!response.ok) {
+    throw new Error(`E3 upload failed: ${response.status}`);
+  }
+}
+
+async function uploadToE3(config: E3BackupDestination, archive: Uint8Array, fileName: string): Promise<BackupUploadResult> {
+  await putToE3(config, fileName, archive, { contentType: 'application/zip' });
+  return {
+    provider: 'e3',
+    remotePath: normalizeE3ObjectKey(config, fileName),
+  };
+}
+
+async function listE3Entries(config: E3BackupDestination, relativePath: string): Promise<RemoteBackupListResult> {
+  const currentPath = normalizeRelativePath(relativePath);
+  const targetPrefixBase = normalizeE3ObjectKey(config, currentPath);
+  const targetPrefix = trimSlashes(targetPrefixBase) ? `${trimSlashes(targetPrefixBase)}/` : '';
+  const url = e3BucketBaseUrl(config);
+  url.searchParams.set('list-type', '2');
+  url.searchParams.set('delimiter', '/');
+  if (targetPrefix) url.searchParams.set('prefix', targetPrefix);
+
+  const response = await signedE3Request(config, 'GET', url);
+  if (!response.ok) {
+    throw new Error(`E3 listing failed: ${response.status}`);
+  }
+
+  const xml = await response.text();
+  const rootPrefix = trimSlashes(config.rootPath);
+  const items: RemoteBackupItem[] = [];
+
+  for (const prefix of extractXmlBlocks(xml, 'CommonPrefixes')) {
+    const fullPrefix = trimSlashes(extractXmlFirst(prefix, 'Prefix') || '');
+    if (!fullPrefix) continue;
+    const relative = rootPrefix
+      ? fullPrefix === rootPrefix
+        ? ''
+        : fullPrefix.startsWith(`${rootPrefix}/`)
+          ? fullPrefix.slice(rootPrefix.length + 1)
+          : ''
+      : fullPrefix;
+    const normalizedRelative = trimSlashes(relative);
+    if (!normalizedRelative) continue;
+    const itemPath = normalizedRelative.replace(/\/+$/, '');
+    if ((parentPath(itemPath) || '') !== currentPath) continue;
+    items.push({
+      path: itemPath,
+      name: basename(itemPath) || itemPath,
+      isDirectory: true,
+      size: null,
+      modifiedAt: null,
+    });
+  }
+
+  for (const content of extractXmlBlocks(xml, 'Contents')) {
+    const fullKey = trimSlashes(extractXmlFirst(content, 'Key') || '');
+    if (!fullKey || (targetPrefix && fullKey === trimSlashes(targetPrefix))) continue;
+    const relative = rootPrefix
+      ? fullKey.startsWith(`${rootPrefix}/`)
+        ? fullKey.slice(rootPrefix.length + 1)
+        : ''
+      : fullKey;
+    const normalizedRelative = trimSlashes(relative);
+    if (!normalizedRelative || (parentPath(normalizedRelative) || '') !== currentPath) continue;
+    items.push({
+      path: normalizedRelative,
+      name: basename(normalizedRelative) || normalizedRelative,
+      isDirectory: false,
+      size: Number(extractXmlFirst(content, 'Size') || 0) || null,
+      modifiedAt: parseHttpDate(extractXmlFirst(content, 'LastModified') || '') || null,
+    });
+  }
+
+  const deduped = new Map<string, RemoteBackupItem>();
+  for (const item of items) deduped.set(`${item.isDirectory ? 'd' : 'f'}:${item.path}`, item);
+
+  return {
+    provider: 'e3',
+    currentPath,
+    parentPath: parentPath(currentPath),
+    items: sortRemoteItems(Array.from(deduped.values())),
+  };
+}
+
+async function downloadFromE3(config: E3BackupDestination, relativePath: string): Promise<RemoteBackupFile> {
+  const normalized = normalizeRelativePath(relativePath);
+  if (!normalized || normalized.endsWith('/')) {
+    throw new Error('Please select a backup file');
+  }
+  const objectKey = normalizeE3ObjectKey(config, normalized);
+  const url = new URL(`${e3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
+  const response = await signedE3Request(config, 'GET', url);
+  if (!response.ok) {
+    throw new Error(`E3 download failed: ${response.status}`);
+  }
+  return {
+    provider: 'e3',
+    remotePath: normalized,
+    fileName: basename(normalized) || 'backup.zip',
+    contentType: String(response.headers.get('Content-Type') || 'application/zip').trim() || 'application/zip',
+    bytes: new Uint8Array(await response.arrayBuffer()),
+  };
+}
+
+async function deleteFromE3(config: E3BackupDestination, relativePath: string): Promise<void> {
+  const objectKey = normalizeE3ObjectKey(config, relativePath);
+  const url = new URL(`${e3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
+  const response = await signedE3Request(config, 'DELETE', url);
+  if (!response.ok && response.status !== 404) {
+    throw new Error(`E3 delete failed: ${response.status}`);
+  }
+}
+
+async function existsInE3(config: E3BackupDestination, relativePath: string): Promise<boolean> {
+  const objectKey = normalizeE3ObjectKey(config, relativePath);
+  const url = new URL(`${e3BucketBaseUrl(config).toString()}/${encodePathSegments(objectKey)}`);
+  const response = await signedE3Request(config, 'HEAD', url);
+  if (response.status === 404) return false;
+  if (!response.ok) {
+    throw new Error(`E3 existence check failed: ${response.status}`);
+  }
+  return true;
+}
+
+interface ConfiguredDestinationAdapter {
+  provider: 'webdav' | 'e3';
+  config: WebDavBackupDestination | E3BackupDestination;
+  upload: (config: WebDavBackupDestination | E3BackupDestination, archive: Uint8Array, fileName: string) => Promise<BackupUploadResult>;
+  putFile: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string, bytes: Uint8Array, options?: RemoteBackupFilePutOptions) => Promise<void>;
+  list: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string) => Promise<RemoteBackupListResult>;
+  download: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string) => Promise<RemoteBackupFile>;
+  deleteFile: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string) => Promise<void>;
+  exists: (config: WebDavBackupDestination | E3BackupDestination, relativePath: string) => Promise<boolean>;
+}
+
+export interface RemoteBackupTransferSession {
+  provider: BackupDestinationType;
+  uploadArchive(archive: Uint8Array, fileName: string): Promise<BackupUploadResult>;
+  putFile(relativePath: string, bytes: Uint8Array, options?: RemoteBackupFilePutOptions): Promise<void>;
+  list(relativePath: string): Promise<RemoteBackupListResult>;
+  download(relativePath: string): Promise<RemoteBackupFile>;
+  deleteFile(relativePath: string): Promise<void>;
+  exists(relativePath: string): Promise<boolean>;
+}
+
+function resolveConfiguredDestinationAdapter(
+  destination: BackupDestinationRecord
+): ConfiguredDestinationAdapter {
+  ensureDestinationConfigReady(destination);
+
+  if (destination.type === 'webdav') {
+    return {
+      provider: 'webdav',
+      config: destination.destination as WebDavBackupDestination,
+      upload: (config, archive, fileName) => uploadToWebDav(config as WebDavBackupDestination, archive, fileName),
+      putFile: (config, relativePath, bytes, options) => putToWebDav(config as WebDavBackupDestination, relativePath, bytes, options),
+      list: (config, relativePath) => listWebDavEntries(config as WebDavBackupDestination, relativePath),
+      download: (config, relativePath) => downloadFromWebDav(config as WebDavBackupDestination, relativePath),
+      deleteFile: (config, relativePath) => deleteFromWebDav(config as WebDavBackupDestination, relativePath),
+      exists: (config, relativePath) => existsInWebDav(config as WebDavBackupDestination, relativePath),
+    };
+  }
+  if (destination.type === 'e3') {
+    return {
+      provider: 'e3',
+      config: destination.destination as E3BackupDestination,
+      upload: (config, archive, fileName) => uploadToE3(config as E3BackupDestination, archive, fileName),
+      putFile: (config, relativePath, bytes, options) => putToE3(config as E3BackupDestination, relativePath, bytes, options),
+      list: (config, relativePath) => listE3Entries(config as E3BackupDestination, relativePath),
+      download: (config, relativePath) => downloadFromE3(config as E3BackupDestination, relativePath),
+      deleteFile: (config, relativePath) => deleteFromE3(config as E3BackupDestination, relativePath),
+      exists: (config, relativePath) => existsInE3(config as E3BackupDestination, relativePath),
+    };
+  }
+
+  throw new Error('Unsupported backup destination type');
+}
+
+export function createRemoteBackupTransferSession(destination: BackupDestinationRecord): RemoteBackupTransferSession {
+  const adapter = resolveConfiguredDestinationAdapter(destination);
+  const ensuredDirectories = adapter.provider === 'webdav' ? new Set<string>() : null;
+
+  const putFile = async (relativePath: string, bytes: Uint8Array, options: RemoteBackupFilePutOptions = {}): Promise<void> => {
+    const normalized = normalizeRelativePath(relativePath);
+    if (adapter.provider === 'webdav' && ensuredDirectories) {
+      await putToWebDav(adapter.config as WebDavBackupDestination, normalized, bytes, options, ensuredDirectories);
+      return;
+    }
+    await adapter.putFile(adapter.config, normalized, bytes, options);
+  };
+
+  return {
+    provider: adapter.provider,
+    uploadArchive: async (archive: Uint8Array, fileName: string) => {
+      await putFile(fileName, archive, { contentType: 'application/zip' });
+      return {
+        provider: adapter.provider,
+        remotePath: adapter.provider === 'webdav'
+          ? buildJoinedPath((adapter.config as WebDavBackupDestination).remotePath, fileName)
+          : normalizeE3ObjectKey(adapter.config as E3BackupDestination, fileName),
+      };
+    },
+    putFile,
+    list: async (relativePath: string) => adapter.list(adapter.config, relativePath),
+    download: async (relativePath: string) => adapter.download(adapter.config, relativePath),
+    deleteFile: async (relativePath: string) => adapter.deleteFile(adapter.config, normalizeRelativePath(relativePath)),
+    exists: async (relativePath: string) => adapter.exists(adapter.config, normalizeRelativePath(relativePath)),
+  };
+}
+
+export async function uploadBackupArchive(
+  destination: BackupDestinationRecord,
+  archive: Uint8Array,
+  fileName: string
+): Promise<BackupUploadResult> {
+  return createRemoteBackupTransferSession(destination).uploadArchive(archive, fileName);
+}
+
+export async function listRemoteBackupEntries(destination: BackupDestinationRecord, relativePath: string): Promise<RemoteBackupListResult> {
+  return createRemoteBackupTransferSession(destination).list(relativePath);
+}
+
+export async function downloadRemoteBackupFile(destination: BackupDestinationRecord, relativePath: string): Promise<RemoteBackupFile> {
+  return createRemoteBackupTransferSession(destination).download(relativePath);
+}
+
+export async function deleteRemoteBackupFile(destination: BackupDestinationRecord, relativePath: string): Promise<void> {
+  const normalized = ensureRemoteRestoreCandidate(relativePath);
+  await createRemoteBackupTransferSession(destination).deleteFile(normalized);
+}
+
+export async function remoteBackupFileExists(destination: BackupDestinationRecord, relativePath: string): Promise<boolean> {
+  const normalized = normalizeRelativePath(relativePath);
+  return createRemoteBackupTransferSession(destination).exists(normalized);
+}
+
+export async function uploadRemoteBackupFile(
+  destination: BackupDestinationRecord,
+  relativePath: string,
+  bytes: Uint8Array,
+  options: RemoteBackupFilePutOptions = {}
+): Promise<void> {
+  const normalized = normalizeRelativePath(relativePath);
+  await createRemoteBackupTransferSession(destination).putFile(normalized, bytes, options);
+}
+
+function compareBackupItemsByRecency(a: RemoteBackupItem, b: RemoteBackupItem, preferredFileName?: string): number {
+  if (preferredFileName) {
+    const aPreferred = a.name === preferredFileName ? 1 : 0;
+    const bPreferred = b.name === preferredFileName ? 1 : 0;
+    if (aPreferred !== bPreferred) return bPreferred - aPreferred;
+  }
+  const aTime = a.modifiedAt ? new Date(a.modifiedAt).getTime() : 0;
+  const bTime = b.modifiedAt ? new Date(b.modifiedAt).getTime() : 0;
+  if (aTime !== bTime) return bTime - aTime;
+  return b.name.localeCompare(a.name, 'en');
+}
+
+export async function pruneRemoteBackupArchives(
+  destination: BackupDestinationRecord,
+  retentionCount: number | null,
+  preferredFileName?: string
+): Promise<number> {
+  if (retentionCount === null) return 0;
+  const adapter = resolveConfiguredDestinationAdapter(destination);
+  const listing = await adapter.list(adapter.config, '');
+  const backupFiles = listing.items
+    .filter((item) => !item.isDirectory && isBackupArchiveName(item.name))
+    .sort((a, b) => compareBackupItemsByRecency(a, b, preferredFileName));
+  if (backupFiles.length <= retentionCount) return 0;
+  for (const item of backupFiles.slice(retentionCount)) {
+    await adapter.deleteFile(adapter.config, item.path);
+  }
+  return backupFiles.length - retentionCount;
+}
+
+export function ensureRemoteRestoreCandidate(relativePath: string): string {
+  const normalized = normalizeRelativePath(relativePath);
+  if (!normalized || !/\.zip$/i.test(normalized)) {
+    throw new Error('Please select a backup ZIP file');
+  }
+  return normalized;
+}
@@ -0,0 +1,124 @@
+import { Env } from '../types';
+
+const DEFAULT_CONTENT_TYPE = 'application/octet-stream';
+export const KV_MAX_OBJECT_BYTES = 25 * 1024 * 1024;
+
+interface KVBlobMetadata {
+  size?: number;
+  contentType?: string;
+  customMetadata?: Record<string, string> | null;
+}
+
+export interface BlobObject {
+  body: ReadableStream | null;
+  size: number;
+  contentType: string;
+}
+
+export interface PutBlobOptions {
+  size: number;
+  contentType?: string;
+  customMetadata?: Record<string, string>;
+}
+
+function hasR2Storage(env: Env): env is Env & { ATTACHMENTS: R2Bucket } {
+  return !!env.ATTACHMENTS;
+}
+
+function hasKvStorage(env: Env): env is Env & { ATTACHMENTS_KV: KVNamespace } {
+  return !!env.ATTACHMENTS_KV;
+}
+
+export function getBlobStorageKind(env: Env): 'r2' | 'kv' | null {
+  // Keep R2 as preferred backend when both are bound.
+  if (hasR2Storage(env)) return 'r2';
+  if (hasKvStorage(env)) return 'kv';
+  return null;
+}
+
+export function getBlobStorageMaxBytes(env: Env, configuredLimit: number): number {
+  if (getBlobStorageKind(env) === 'kv') {
+    return Math.min(configuredLimit, KV_MAX_OBJECT_BYTES);
+  }
+  return configuredLimit;
+}
+
+export function getAttachmentObjectKey(cipherId: string, attachmentId: string): string {
+  return `${cipherId}/${attachmentId}`;
+}
+
+export function getSendFileObjectKey(sendId: string, fileId: string): string {
+  return `sends/${sendId}/${fileId}`;
+}
+
+export async function putBlobObject(
+  env: Env,
+  key: string,
+  value: string | ArrayBuffer | ArrayBufferView | ReadableStream,
+  options: PutBlobOptions
+): Promise<void> {
+  const contentType = options.contentType || DEFAULT_CONTENT_TYPE;
+
+  if (hasR2Storage(env)) {
+    await env.ATTACHMENTS.put(key, value, {
+      httpMetadata: { contentType },
+      customMetadata: options.customMetadata,
+    });
+    return;
+  }
+
+  if (hasKvStorage(env)) {
+    if (options.size > KV_MAX_OBJECT_BYTES) {
+      throw new Error('KV object too large');
+    }
+    const metadata: KVBlobMetadata = {
+      size: options.size,
+      contentType,
+      customMetadata: options.customMetadata || null,
+    };
+    await env.ATTACHMENTS_KV.put(key, value, { metadata });
+    return;
+  }
+
+  throw new Error('Attachment storage is not configured');
+}
+
+export async function getBlobObject(env: Env, key: string): Promise<BlobObject | null> {
+  if (hasR2Storage(env)) {
+    const object = await env.ATTACHMENTS.get(key);
+    if (!object) return null;
+    return {
+      body: object.body,
+      size: Number(object.size) || 0,
+      contentType: object.httpMetadata?.contentType || DEFAULT_CONTENT_TYPE,
+    };
+  }
+
+  if (hasKvStorage(env)) {
+    const result = await env.ATTACHMENTS_KV.getWithMetadata<KVBlobMetadata>(key, 'arrayBuffer');
+    if (!result.value) return null;
+
+    const sizeFromMeta = Number(result.metadata?.size || 0);
+    const size = sizeFromMeta > 0 ? sizeFromMeta : result.value.byteLength;
+    const body = new Response(result.value).body;
+
+    return {
+      body,
+      size,
+      contentType: result.metadata?.contentType || DEFAULT_CONTENT_TYPE,
+    };
+  }
+
+  return null;
+}
+
+export async function deleteBlobObject(env: Env, key: string): Promise<void> {
+  if (hasR2Storage(env)) {
+    await env.ATTACHMENTS.delete(key);
+    return;
+  }
+  if (hasKvStorage(env)) {
+    await env.ATTACHMENTS_KV.delete(key);
+    return;
+  }
+}
@@ -1,33 +1,22 @@
 import { LIMITS } from '../config/limits';

-// D1-backed rate limiting.
-// Notes:
-// - Login attempts are tracked per client IP.
-// - API rate is tracked per identifier per fixed window.
+// Rate limiting service.
+// - Login attempts: D1-backed (low volume, security-critical, needs cross-colo persistence).
+// - API budgets: Cloudflare Cache API (high volume, auto-expires, zero D1 writes).

-// Rate limit configuration
 const CONFIG = {
-  // Friendly default: short cooldown instead of long lockouts.
  LOGIN_MAX_ATTEMPTS: LIMITS.rateLimit.loginMaxAttempts,
  LOGIN_LOCKOUT_MINUTES: LIMITS.rateLimit.loginLockoutMinutes,
-
-  // Write operations only (POST/PUT/DELETE/PATCH) should use this budget.
-  API_WRITE_REQUESTS_PER_MINUTE: LIMITS.rateLimit.apiWriteRequestsPerMinute,
-  // Dedicated budget for GET /api/sync reads.
-  SYNC_READ_REQUESTS_PER_MINUTE: LIMITS.rateLimit.syncReadRequestsPerMinute,
  API_WINDOW_SECONDS: LIMITS.rateLimit.apiWindowSeconds,
 };

 export class RateLimitService {
  private static loginIpTableReady = false;
  private static lastLoginIpCleanupAt = 0;
-  private static lastApiWindowCleanupAt = 0;

  private static readonly PERIODIC_CLEANUP_PROBABILITY = LIMITS.rateLimit.cleanupProbability;
  private static readonly LOGIN_IP_CLEANUP_INTERVAL_MS = LIMITS.rateLimit.loginIpCleanupIntervalMs;
-  private static readonly API_WINDOW_CLEANUP_INTERVAL_MS = LIMITS.rateLimit.apiWindowCleanupIntervalMs;
  private static readonly LOGIN_IP_RETENTION_MS = LIMITS.rateLimit.loginIpRetentionMs;
-  private static readonly API_WINDOW_RETENTION_WINDOWS = LIMITS.rateLimit.apiWindowRetentionWindows;

  constructor(private db: D1Database) {}

@@ -52,16 +41,6 @@ export class RateLimitService {
    RateLimitService.lastLoginIpCleanupAt = nowMs;
  }

-  private async maybeCleanupApiWindows(windowStart: number, windowSeconds: number): Promise<void> {
-    if (!this.shouldRunCleanup(RateLimitService.lastApiWindowCleanupAt, RateLimitService.API_WINDOW_CLEANUP_INTERVAL_MS)) {
-      return;
-    }
-
-    const cutoff = windowStart - (windowSeconds * RateLimitService.API_WINDOW_RETENTION_WINDOWS);
-    await this.db.prepare('DELETE FROM api_rate_limits WHERE window_start < ?').bind(cutoff).run();
-    RateLimitService.lastApiWindowCleanupAt = Date.now();
-  }
-
  private async ensureLoginIpTable(): Promise<void> {
    if (RateLimitService.loginIpTableReady) return;

@@ -158,8 +137,9 @@ export class RateLimitService {
    await this.db.prepare('DELETE FROM login_attempts_ip WHERE ip = ?').bind(key).run();
  }

-  // Atomically consume one budget unit for the current fixed window.
-  // Uses SQLite UPSERT-with-WHERE so requests at/over limit do not increment.
+  // Cache API-backed fixed-window rate limiter.
+  // Uses Cloudflare edge cache instead of D1 — zero database writes, auto-expires via TTL.
+  // Per-colo isolation is acceptable (matches Cloudflare's own rate limiting behaviour).
  private async consumeFixedWindowBudget(
    identifier: string,
    maxRequests: number,
@@ -168,68 +148,210 @@ export class RateLimitService {
    const nowSec = Math.floor(Date.now() / 1000);
    const windowStart = nowSec - (nowSec % windowSeconds);
    const windowEnd = windowStart + windowSeconds;
-    await this.maybeCleanupApiWindows(windowStart, windowSeconds);
+    const ttl = Math.max(1, windowEnd - nowSec);

-    const writeResult = await this.db
-      .prepare(
-        'INSERT INTO api_rate_limits(identifier, window_start, count) VALUES(?, ?, 1) ' +
-        'ON CONFLICT(identifier, window_start) DO UPDATE SET count = count + 1 ' +
-        'WHERE api_rate_limits.count < ?'
-      )
-      .bind(identifier, windowStart, maxRequests)
-      .run();
+    const cache = await caches.open('rate-limit');
+    const cacheKey = new Request(`https://rl/${identifier}/${windowStart}`);

-    // No changed row means conflict happened and WHERE prevented increment:
-    // current count is already at/above configured limit.
-    if ((writeResult.meta.changes ?? 0) === 0) {
-      return {
-        allowed: false,
-        remaining: 0,
-        retryAfterSeconds: windowEnd - nowSec,
-      };
+    const cached = await cache.match(cacheKey);
+    let count = 0;
+    if (cached) {
+      count = parseInt(await cached.text(), 10) || 0;
    }

-    const row = await this.db
-      .prepare('SELECT count FROM api_rate_limits WHERE identifier = ? AND window_start = ?')
-      .bind(identifier, windowStart)
-      .first<{ count: number }>();
-
-    if (!row) {
-      return {
-        allowed: true,
-        remaining: 0,
-      };
+    if (count >= maxRequests) {
+      return { allowed: false, remaining: 0, retryAfterSeconds: ttl };
    }

-    const remaining = Math.max(0, maxRequests - row.count);
-    return { allowed: true, remaining };
+    count++;
+    await cache.put(
+      cacheKey,
+      new Response(String(count), {
+        headers: { 'Cache-Control': `public, max-age=${ttl}` },
+      })
+    );
+
+    return { allowed: true, remaining: Math.max(0, maxRequests - count) };
  }

-  // Write budget for POST/PUT/DELETE/PATCH requests.
-  async consumeApiWriteBudget(identifier: string): Promise<{ allowed: boolean; remaining: number; retryAfterSeconds?: number }> {
-    return this.consumeFixedWindowBudget(
-      identifier,
-      CONFIG.API_WRITE_REQUESTS_PER_MINUTE,
-      CONFIG.API_WINDOW_SECONDS
-    );
+  // General-purpose fixed-window budget.
+  // Callers supply an identifier (must be unique per rate-limit category) and the
+  // per-window maximum.  This single method replaces all previous specialised
+  // budget helpers (write / sync / knownDevice / publicSend).
+  async consumeBudget(
+    identifier: string,
+    maxRequests: number
+  ): Promise<{ allowed: boolean; remaining: number; retryAfterSeconds?: number }> {
+    return this.consumeFixedWindowBudget(identifier, maxRequests, CONFIG.API_WINDOW_SECONDS);
  }

-  // Read budget for GET /api/sync.
-  async consumeSyncReadBudget(identifier: string): Promise<{ allowed: boolean; remaining: number; retryAfterSeconds?: number }> {
-    return this.consumeFixedWindowBudget(
-      identifier,
-      CONFIG.SYNC_READ_REQUESTS_PER_MINUTE,
-      CONFIG.API_WINDOW_SECONDS
-    );
+  async consumeBudgetWithWindow(
+    identifier: string,
+    maxRequests: number,
+    windowSeconds: number
+  ): Promise<{ allowed: boolean; remaining: number; retryAfterSeconds?: number }> {
+    return this.consumeFixedWindowBudget(identifier, maxRequests, windowSeconds);
  }
 }

-export function getClientIdentifier(request: Request): string {
-  const cfIp = request.headers.get('CF-Connecting-IP');
-  if (cfIp) return cfIp;
+function parseIpv4Octets(input: string): number[] | null {
+  const parts = input.split('.');
+  if (parts.length !== 4) return null;

-  const forwardedFor = request.headers.get('X-Forwarded-For');
-  if (forwardedFor) return forwardedFor.split(',')[0].trim();
-
-  return 'unknown';
+  const octets: number[] = [];
+  for (const part of parts) {
+    if (!/^\d{1,3}$/.test(part)) return null;
+    const value = Number(part);
+    if (!Number.isInteger(value) || value < 0 || value > 255) return null;
+    octets.push(value);
+  }
+  return octets;
+}
+
+function parseIpv6Hextets(input: string): number[] | null {
+  let value = input.trim().toLowerCase();
+  if (!value) return null;
+
+  if (value.startsWith('[') && value.endsWith(']')) {
+    value = value.slice(1, -1);
+  }
+  const zoneIndex = value.indexOf('%');
+  if (zoneIndex >= 0) {
+    value = value.slice(0, zoneIndex);
+  }
+  if (!value.includes(':')) return null;
+
+  // Handle IPv4-mapped tail (e.g. ::ffff:192.0.2.1).
+  if (value.includes('.')) {
+    const lastColon = value.lastIndexOf(':');
+    if (lastColon < 0) return null;
+    const ipv4Tail = value.slice(lastColon + 1);
+    const octets = parseIpv4Octets(ipv4Tail);
+    if (!octets) return null;
+    const high = ((octets[0] << 8) | octets[1]).toString(16);
+    const low = ((octets[2] << 8) | octets[3]).toString(16);
+    value = `${value.slice(0, lastColon)}:${high}:${low}`;
+  }
+
+  const doubleColon = value.indexOf('::');
+  if (doubleColon !== value.lastIndexOf('::')) return null;
+
+  const parsePart = (part: string): number | null => {
+    if (!/^[0-9a-f]{1,4}$/.test(part)) return null;
+    const n = parseInt(part, 16);
+    return Number.isNaN(n) ? null : n;
+  };
+
+  const parseParts = (parts: string[]): number[] | null => {
+    const out: number[] = [];
+    for (const p of parts) {
+      if (!p) return null;
+      const n = parsePart(p);
+      if (n === null) return null;
+      out.push(n);
+    }
+    return out;
+  };
+
+  if (doubleColon >= 0) {
+    const [headRaw, tailRaw] = value.split('::');
+    const head = headRaw ? headRaw.split(':') : [];
+    const tail = tailRaw ? tailRaw.split(':') : [];
+
+    const headNums = parseParts(head);
+    const tailNums = parseParts(tail);
+    if (!headNums || !tailNums) return null;
+
+    const missing = 8 - (headNums.length + tailNums.length);
+    if (missing < 1) return null;
+
+    return [...headNums, ...new Array<number>(missing).fill(0), ...tailNums];
+  }
+
+  const all = parseParts(value.split(':'));
+  if (!all || all.length !== 8) return null;
+  return all;
+}
+
+function normalizeClientIpForRateLimit(rawIp: string): string | null {
+  const input = rawIp.trim();
+  if (!input) return null;
+
+  const ipv4 = parseIpv4Octets(input);
+  if (ipv4) {
+    return `ip4:${ipv4.join('.')}`;
+  }
+
+  const ipv6 = parseIpv6Hextets(input);
+  if (!ipv6) return null;
+
+  // Handle IPv4-mapped / IPv4-compatible IPv6 as IPv4 identity.
+  // Examples: ::ffff:192.0.2.1, ::192.0.2.1
+  if (
+    ipv6[0] === 0 &&
+    ipv6[1] === 0 &&
+    ipv6[2] === 0 &&
+    ipv6[3] === 0 &&
+    ipv6[4] === 0 &&
+    (ipv6[5] === 0xffff || ipv6[5] === 0)
+  ) {
+    const octets = [ipv6[6] >> 8, ipv6[6] & 0xff, ipv6[7] >> 8, ipv6[7] & 0xff];
+    return `ip4:${octets.join('.')}`;
+  }
+
+  // Collapse to /64 to reduce brute-force bypass via IPv6 address rotation.
+  const prefix64 = ipv6
+    .slice(0, 4)
+    .map(part => part.toString(16).padStart(4, '0'))
+    .join(':');
+  return `ip6:${prefix64}`;
+}
+
+function isLocalRequest(request: Request): boolean {
+  const isLoopbackHost = (host: string | null): boolean => {
+    if (!host) return false;
+    const normalized = host.split(':')[0].trim().toLowerCase();
+    return (
+      normalized === 'localhost' ||
+      normalized.endsWith('.localhost') ||
+      normalized === '127.0.0.1' ||
+      normalized === '0.0.0.0' ||
+      normalized === '::1' ||
+      normalized === '[::1]'
+    );
+  };
+
+  try {
+    if (isLoopbackHost(new URL(request.url).hostname)) return true;
+  } catch {
+    // Ignore malformed URL and fall back to Host header check.
+  }
+
+  return isLoopbackHost(request.headers.get('Host'));
+}
+
+export function getClientIdentifier(request: Request): string | null {
+  // Strict fallback order:
+  // 1) CF-Connecting-IP
+  // 2) X-Real-IP
+  // 3) first item of X-Forwarded-For
+  // If none are present/valid, treat client IP as unavailable.
+  const candidates: Array<string | null> = [
+    request.headers.get('CF-Connecting-IP'),
+    request.headers.get('X-Real-IP'),
+    request.headers.get('X-Forwarded-For')?.split(',')[0]?.trim() || null,
+  ];
+
+  for (const raw of candidates) {
+    if (!raw) continue;
+    const normalized = normalizeClientIpForRateLimit(raw);
+    if (normalized) return normalized;
+  }
+
+  // Local dev (wrangler dev / localhost): allow a deterministic loopback identifier.
+  if (isLocalRequest(request)) {
+    return 'ip4:127.0.0.1';
+  }
+
+  return null;
 }
@@ -0,0 +1,84 @@
+import type { AuditLog, Invite } from '../types';
+
+export async function createInvite(db: D1Database, invite: Invite): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO invites(code, created_by, used_by, expires_at, status, created_at, updated_at) VALUES(?, ?, ?, ?, ?, ?, ?)'
+    )
+    .bind(invite.code, invite.createdBy, invite.usedBy, invite.expiresAt, invite.status, invite.createdAt, invite.updatedAt)
+    .run();
+}
+
+export async function getInvite(db: D1Database, code: string): Promise<Invite | null> {
+  const row = await db
+    .prepare('SELECT code, created_by, used_by, expires_at, status, created_at, updated_at FROM invites WHERE code = ?')
+    .bind(code)
+    .first<any>();
+  if (!row) return null;
+  return {
+    code: row.code,
+    createdBy: row.created_by,
+    usedBy: row.used_by ?? null,
+    expiresAt: row.expires_at,
+    status: row.status,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export async function listInvites(db: D1Database, includeInactive: boolean = false): Promise<Invite[]> {
+  const now = new Date().toISOString();
+  const predicate = includeInactive
+    ? '1 = 1'
+    : "(status = 'active' AND expires_at > ?)";
+  const query =
+    'SELECT code, created_by, used_by, expires_at, status, created_at, updated_at FROM invites ' +
+    `WHERE ${predicate} ORDER BY created_at DESC`;
+  const res = includeInactive
+    ? await db.prepare(query).all<any>()
+    : await db.prepare(query).bind(now).all<any>();
+
+  return (res.results || []).map((row) => ({
+    code: row.code,
+    createdBy: row.created_by,
+    usedBy: row.used_by ?? null,
+    expiresAt: row.expires_at,
+    status: row.status,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  }));
+}
+
+export async function markInviteUsed(db: D1Database, code: string, userId: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db
+    .prepare(
+      "UPDATE invites SET status = 'used', used_by = ?, updated_at = ? WHERE code = ? AND status = 'active' AND expires_at > ?"
+    )
+    .bind(userId, now, code, now)
+    .run();
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function revokeInvite(db: D1Database, code: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db
+    .prepare("UPDATE invites SET status = 'revoked', updated_at = ? WHERE code = ? AND status = 'active'")
+    .bind(now, code)
+    .run();
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function deleteAllInvites(db: D1Database): Promise<number> {
+  const result = await db.prepare('DELETE FROM invites').run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function createAuditLog(db: D1Database, log: AuditLog): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO audit_logs(id, actor_user_id, action, target_type, target_id, metadata, created_at) VALUES(?, ?, ?, ?, ?, ?, ?)'
+    )
+    .bind(log.id, log.actorUserId, log.action, log.targetType, log.targetId, log.metadata, log.createdAt)
+    .run();
+}
@@ -0,0 +1,143 @@
+import type { Attachment, Cipher } from '../types';
+
+type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+type SqlChunkSize = (fixedBindCount: number) => number;
+type GetCipher = (id: string) => Promise<Cipher | null>;
+type SaveCipher = (cipher: Cipher) => Promise<void>;
+type UpdateRevisionDate = (userId: string) => Promise<string>;
+
+export async function getAttachment(db: D1Database, id: string): Promise<Attachment | null> {
+  const row = await db
+    .prepare('SELECT id, cipher_id, file_name, size, size_name, key FROM attachments WHERE id = ?')
+    .bind(id)
+    .first<any>();
+  if (!row) return null;
+  return {
+    id: row.id,
+    cipherId: row.cipher_id,
+    fileName: row.file_name,
+    size: row.size,
+    sizeName: row.size_name,
+    key: row.key,
+  };
+}
+
+export async function saveAttachment(db: D1Database, safeBind: SafeBind, attachment: Attachment): Promise<void> {
+  const stmt = db.prepare(
+    'INSERT INTO attachments(id, cipher_id, file_name, size, size_name, key) VALUES(?, ?, ?, ?, ?, ?) ' +
+    'ON CONFLICT(id) DO UPDATE SET cipher_id=excluded.cipher_id, file_name=excluded.file_name, size=excluded.size, size_name=excluded.size_name, key=excluded.key'
+  );
+  await safeBind(stmt, attachment.id, attachment.cipherId, attachment.fileName, attachment.size, attachment.sizeName, attachment.key).run();
+}
+
+export async function deleteAttachment(db: D1Database, id: string): Promise<void> {
+  await db.prepare('DELETE FROM attachments WHERE id = ?').bind(id).run();
+}
+
+export async function getAttachmentsByCipher(db: D1Database, cipherId: string): Promise<Attachment[]> {
+  const res = await db
+    .prepare('SELECT id, cipher_id, file_name, size, size_name, key FROM attachments WHERE cipher_id = ?')
+    .bind(cipherId)
+    .all<any>();
+  return (res.results || []).map((r) => ({
+    id: r.id,
+    cipherId: r.cipher_id,
+    fileName: r.file_name,
+    size: r.size,
+    sizeName: r.size_name,
+    key: r.key,
+  }));
+}
+
+export async function getAttachmentsByCipherIds(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  cipherIds: string[]
+): Promise<Map<string, Attachment[]>> {
+  const grouped = new Map<string, Attachment[]>();
+  if (cipherIds.length === 0) return grouped;
+
+  const uniqueCipherIds = [...new Set(cipherIds)];
+  const chunkSize = sqlChunkSize(0);
+
+  for (let i = 0; i < uniqueCipherIds.length; i += chunkSize) {
+    const chunk = uniqueCipherIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    const res = await db
+      .prepare(`SELECT id, cipher_id, file_name, size, size_name, key FROM attachments WHERE cipher_id IN (${placeholders})`)
+      .bind(...chunk)
+      .all<any>();
+
+    for (const row of res.results || []) {
+      const item: Attachment = {
+        id: row.id,
+        cipherId: row.cipher_id,
+        fileName: row.file_name,
+        size: row.size,
+        sizeName: row.size_name,
+        key: row.key,
+      };
+      const list = grouped.get(item.cipherId);
+      if (list) list.push(item);
+      else grouped.set(item.cipherId, [item]);
+    }
+  }
+
+  return grouped;
+}
+
+export async function getAttachmentsByUserId(db: D1Database, userId: string): Promise<Map<string, Attachment[]>> {
+  const grouped = new Map<string, Attachment[]>();
+  const res = await db
+    .prepare(
+      `SELECT a.id, a.cipher_id, a.file_name, a.size, a.size_name, a.key
+       FROM attachments a
+       INNER JOIN ciphers c ON c.id = a.cipher_id
+       WHERE c.user_id = ?`
+    )
+    .bind(userId)
+    .all<any>();
+
+  for (const row of res.results || []) {
+    const item: Attachment = {
+      id: row.id,
+      cipherId: row.cipher_id,
+      fileName: row.file_name,
+      size: row.size,
+      sizeName: row.size_name,
+      key: row.key,
+    };
+    const list = grouped.get(item.cipherId);
+    if (list) list.push(item);
+    else grouped.set(item.cipherId, [item]);
+  }
+
+  return grouped;
+}
+
+export async function addAttachmentToCipher(db: D1Database, cipherId: string, attachmentId: string): Promise<void> {
+  await db.prepare('UPDATE attachments SET cipher_id = ? WHERE id = ?').bind(cipherId, attachmentId).run();
+}
+
+export async function removeAttachmentFromCipher(cipherId: string, attachmentId: string): Promise<void> {
+  void cipherId;
+  void attachmentId;
+}
+
+export async function deleteAllAttachmentsByCipher(db: D1Database, cipherId: string): Promise<void> {
+  await db.prepare('DELETE FROM attachments WHERE cipher_id = ?').bind(cipherId).run();
+}
+
+export async function updateCipherRevisionDate(
+  getCipherById: GetCipher,
+  saveCipherRecord: SaveCipher,
+  updateRevisionDate: UpdateRevisionDate,
+  cipherId: string
+): Promise<{ userId: string; revisionDate: string } | null> {
+  const cipher = await getCipherById(cipherId);
+  if (!cipher) return null;
+  cipher.updatedAt = new Date().toISOString();
+  await saveCipherRecord(cipher);
+  const revisionDate = await updateRevisionDate(cipher.userId);
+  return { userId: cipher.userId, revisionDate };
+}
@@ -0,0 +1,46 @@
+type ShouldRunPeriodicCleanup = (lastRunAt: number, intervalMs: number) => boolean;
+
+export async function ensureUsedAttachmentDownloadTokenTable(db: D1Database): Promise<void> {
+  await db
+    .prepare(
+      'CREATE TABLE IF NOT EXISTS used_attachment_download_tokens (' +
+        'jti TEXT PRIMARY KEY, ' +
+        'expires_at INTEGER NOT NULL' +
+        ')'
+    )
+    .run();
+}
+
+export async function consumeAttachmentDownloadToken(
+  db: D1Database,
+  shouldRunPeriodicCleanup: ShouldRunPeriodicCleanup,
+  lastCleanupAt: number,
+  cleanupIntervalMs: number,
+  jti: string,
+  expUnixSeconds: number
+): Promise<{ consumed: boolean; cleanedUpAt: number | null }> {
+  const nowMs = Date.now();
+  let cleanedUpAt: number | null = null;
+
+  if (shouldRunPeriodicCleanup(lastCleanupAt, cleanupIntervalMs)) {
+    await db
+      .prepare('DELETE FROM used_attachment_download_tokens WHERE expires_at < ?')
+      .bind(nowMs)
+      .run();
+    cleanedUpAt = nowMs;
+  }
+
+  const expiresAtMs = expUnixSeconds * 1000;
+  const result = await db
+    .prepare(
+      'INSERT INTO used_attachment_download_tokens(jti, expires_at) VALUES(?, ?) ' +
+        'ON CONFLICT(jti) DO NOTHING'
+    )
+    .bind(jti, expiresAtMs)
+    .run();
+
+  return {
+    consumed: (result.meta.changes ?? 0) > 0,
+    cleanedUpAt,
+  };
+}
@@ -0,0 +1,344 @@
+import type { Cipher } from '../types';
+
+function normalizeOptionalId(value: unknown): string | null {
+  if (value == null) return null;
+  const normalized = String(value).trim();
+  return normalized ? normalized : null;
+}
+
+type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+type SqlChunkSize = (fixedBindCount: number) => number;
+type UpdateRevisionDate = (userId: string) => Promise<string>;
+
+interface CipherRow {
+  id: string;
+  user_id: string;
+  type: number | null;
+  folder_id: string | null;
+  name: string | null;
+  notes: string | null;
+  favorite: number | null;
+  data: string;
+  reprompt: number | null;
+  key: string | null;
+  created_at: string;
+  updated_at: string;
+  archived_at: string | null;
+  deleted_at: string | null;
+}
+
+function parseCipherRow(row: CipherRow | null | undefined): Cipher | null {
+  if (!row?.data) return null;
+  try {
+    const parsed = JSON.parse(row.data) as Cipher;
+    const folderId = normalizeOptionalId(row.folder_id ?? parsed.folderId ?? null);
+    return {
+      ...parsed,
+      id: row.id,
+      userId: row.user_id,
+      type: Number(row.type) || Number(parsed.type) || 1,
+      folderId,
+      name: row.name ?? parsed.name ?? null,
+      notes: row.notes ?? parsed.notes ?? null,
+      favorite: row.favorite != null ? !!row.favorite : !!parsed.favorite,
+      reprompt: row.reprompt ?? parsed.reprompt ?? 0,
+      key: row.key ?? parsed.key ?? null,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at,
+      archivedAt: row.archived_at ?? parsed.archivedAt ?? parsed.archivedDate ?? null,
+      deletedAt: row.deleted_at ?? null,
+    };
+  } catch {
+    console.error('Corrupted cipher data, id:', row.id);
+    return null;
+  }
+}
+
+function selectCipherColumns(): string {
+  return 'id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, archived_at, deleted_at';
+}
+
+export async function getCipher(db: D1Database, id: string): Promise<Cipher | null> {
+  const row = await db
+    .prepare(`SELECT ${selectCipherColumns()} FROM ciphers WHERE id = ?`)
+    .bind(id)
+    .first<CipherRow>();
+  return parseCipherRow(row);
+}
+
+export async function saveCipher(db: D1Database, safeBind: SafeBind, cipher: Cipher): Promise<void> {
+  const folderId = normalizeOptionalId(cipher.folderId);
+  const data = JSON.stringify({
+    ...cipher,
+    folderId,
+  });
+  const stmt = db.prepare(
+    'INSERT INTO ciphers(id, user_id, type, folder_id, name, notes, favorite, data, reprompt, key, created_at, updated_at, archived_at, deleted_at) ' +
+    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+    'ON CONFLICT(id) DO UPDATE SET ' +
+    'user_id=excluded.user_id, type=excluded.type, folder_id=excluded.folder_id, name=excluded.name, notes=excluded.notes, favorite=excluded.favorite, data=excluded.data, reprompt=excluded.reprompt, key=excluded.key, updated_at=excluded.updated_at, archived_at=excluded.archived_at, deleted_at=excluded.deleted_at'
+  );
+  await safeBind(
+    stmt,
+    cipher.id,
+    cipher.userId,
+    Number(cipher.type) || 1,
+    folderId,
+    cipher.name,
+    cipher.notes,
+    cipher.favorite ? 1 : 0,
+    data,
+    cipher.reprompt ?? 0,
+    cipher.key,
+    cipher.createdAt,
+    cipher.updatedAt,
+    cipher.archivedAt ?? null,
+    cipher.deletedAt
+  ).run();
+}
+
+function sanitizeIds(ids: string[]): string[] {
+  return Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+}
+
+export async function deleteCipher(db: D1Database, id: string, userId: string): Promise<void> {
+  await db.prepare('DELETE FROM ciphers WHERE id = ? AND user_id = ?').bind(id, userId).run();
+}
+
+export async function bulkSoftDeleteCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = sanitizeIds(ids);
+  if (!uniqueIds.length) return null;
+
+  const now = new Date().toISOString();
+  const patch = JSON.stringify({ deletedAt: now, updatedAt: now });
+  const chunkSize = sqlChunkSize(4);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET deleted_at = ?, updated_at = ?, data = json_patch(data, ?)
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(now, now, patch, userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function bulkRestoreCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = sanitizeIds(ids);
+  if (!uniqueIds.length) return null;
+
+  const now = new Date().toISOString();
+  const patch = JSON.stringify({ deletedAt: null, updatedAt: now });
+  const chunkSize = sqlChunkSize(3);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET deleted_at = NULL, updated_at = ?, data = json_patch(data, ?)
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(now, patch, userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function bulkDeleteCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = sanitizeIds(ids);
+  if (!uniqueIds.length) return null;
+
+  const chunkSize = sqlChunkSize(1);
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db.prepare(`DELETE FROM ciphers WHERE user_id = ? AND id IN (${placeholders})`).bind(userId, ...chunk).run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function getAllCiphers(db: D1Database, userId: string): Promise<Cipher[]> {
+  const res = await db
+    .prepare(`SELECT ${selectCipherColumns()} FROM ciphers WHERE user_id = ? ORDER BY updated_at DESC`)
+    .bind(userId)
+    .all<CipherRow>();
+  return (res.results || []).flatMap((row) => {
+    const cipher = parseCipherRow(row);
+    return cipher ? [cipher] : [];
+  });
+}
+
+export async function getCiphersPage(
+  db: D1Database,
+  userId: string,
+  includeDeleted: boolean,
+  limit: number,
+  offset: number
+): Promise<Cipher[]> {
+  const whereDeleted = includeDeleted ? '' : 'AND deleted_at IS NULL';
+  const res = await db
+    .prepare(
+      `SELECT ${selectCipherColumns()} FROM ciphers
+       WHERE user_id = ?
+       ${whereDeleted}
+       ORDER BY updated_at DESC
+       LIMIT ? OFFSET ?`
+    )
+    .bind(userId, limit, offset)
+    .all<CipherRow>();
+  return (res.results || []).flatMap((row) => {
+    const cipher = parseCipherRow(row);
+    return cipher ? [cipher] : [];
+  });
+}
+
+export async function getCiphersByIds(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  ids: string[],
+  userId: string
+): Promise<Cipher[]> {
+  if (ids.length === 0) return [];
+  const uniqueIds = sanitizeIds(ids);
+  if (!uniqueIds.length) return [];
+
+  const chunkSize = sqlChunkSize(1);
+  const out: Cipher[] = [];
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    const stmt = db.prepare(`SELECT ${selectCipherColumns()} FROM ciphers WHERE user_id = ? AND id IN (${placeholders})`);
+    const res = await stmt.bind(userId, ...chunk).all<CipherRow>();
+    out.push(
+      ...(res.results || []).flatMap((row) => {
+        const cipher = parseCipherRow(row);
+        return cipher ? [cipher] : [];
+      })
+    );
+  }
+  return out;
+}
+
+export async function bulkMoveCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  folderId: string | null,
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const now = new Date().toISOString();
+  const normalizedFolderId = normalizeOptionalId(folderId);
+  const uniqueIds = sanitizeIds(ids);
+  const patch = JSON.stringify({ folderId: normalizedFolderId, updatedAt: now });
+  const chunkSize = sqlChunkSize(4);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET folder_id = ?, updated_at = ?, data = json_patch(data, ?)
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(normalizedFolderId, now, patch, userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function bulkArchiveCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = sanitizeIds(ids);
+  if (!uniqueIds.length) return null;
+
+  const now = new Date().toISOString();
+  const patch = JSON.stringify({ archivedAt: now, archivedDate: now, updatedAt: now });
+  const chunkSize = sqlChunkSize(4);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET archived_at = ?, updated_at = ?, data = json_patch(data, ?)
+         WHERE user_id = ? AND id IN (${placeholders}) AND deleted_at IS NULL`
+      )
+      .bind(now, now, patch, userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function bulkUnarchiveCiphers(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = sanitizeIds(ids);
+  if (!uniqueIds.length) return null;
+
+  const now = new Date().toISOString();
+  const patch = JSON.stringify({ archivedAt: null, archivedDate: null, updatedAt: now });
+  const chunkSize = sqlChunkSize(3);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db
+      .prepare(
+        `UPDATE ciphers
+         SET archived_at = NULL, updated_at = ?, data = json_patch(data, ?)
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(now, patch, userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
@@ -0,0 +1,22 @@
+export async function isRegistered(db: D1Database): Promise<boolean> {
+  const row = await db.prepare('SELECT value FROM config WHERE key = ?').bind('registered').first<{ value: string }>();
+  return row?.value === 'true';
+}
+
+export async function getConfigValue(db: D1Database, key: string): Promise<string | null> {
+  const row = await db.prepare('SELECT value FROM config WHERE key = ?').bind(key).first<{ value: string }>();
+  return typeof row?.value === 'string' ? row.value : null;
+}
+
+export async function setConfigValue(db: D1Database, key: string, value: string): Promise<void> {
+  await db
+    .prepare('INSERT INTO config(key, value) VALUES(?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value')
+    .bind(key, value)
+    .run();
+}
+
+export async function setRegistered(db: D1Database): Promise<void> {
+  await db.prepare('INSERT INTO config(key, value) VALUES(?, ?) ON CONFLICT(key) DO UPDATE SET value = excluded.value')
+    .bind('registered', 'true')
+    .run();
+}
@@ -0,0 +1,241 @@
+import type { Device, TrustedDeviceTokenSummary, User } from '../types';
+
+type GetUserByEmail = (email: string) => Promise<User | null>;
+type TrustedTokenKeyFn = (token: string) => Promise<string>;
+
+function mapDeviceRow(row: any): Device {
+  return {
+    userId: row.user_id,
+    deviceIdentifier: row.device_identifier,
+    name: row.name,
+    type: row.type,
+    sessionStamp: row.session_stamp || '',
+    encryptedUserKey: row.encrypted_user_key ?? null,
+    encryptedPublicKey: row.encrypted_public_key ?? null,
+    encryptedPrivateKey: row.encrypted_private_key ?? null,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export async function upsertDevice(
+  db: D1Database,
+  getDeviceById: (userId: string, deviceIdentifier: string) => Promise<Device | null>,
+  userId: string,
+  deviceIdentifier: string,
+  name: string,
+  type: number,
+  sessionStamp?: string,
+  keys?: {
+    encryptedUserKey?: string | null;
+    encryptedPublicKey?: string | null;
+    encryptedPrivateKey?: string | null;
+  }
+): Promise<void> {
+  const now = new Date().toISOString();
+  const effectiveSessionStamp = String(sessionStamp || '').trim() || (await getDeviceById(userId, deviceIdentifier))?.sessionStamp || '';
+  await db
+    .prepare(
+      'INSERT INTO devices(user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, created_at, updated_at) VALUES(?, ?, ?, ?, ?, ?, ?, ?, 0, NULL, ?, ?) ' +
+        'ON CONFLICT(user_id, device_identifier) DO UPDATE SET name=excluded.name, type=excluded.type, session_stamp=excluded.session_stamp, ' +
+        'encrypted_user_key=COALESCE(excluded.encrypted_user_key, encrypted_user_key), ' +
+        'encrypted_public_key=COALESCE(excluded.encrypted_public_key, encrypted_public_key), ' +
+        'encrypted_private_key=COALESCE(excluded.encrypted_private_key, encrypted_private_key), ' +
+        'updated_at=excluded.updated_at'
+    )
+    .bind(
+      userId,
+      deviceIdentifier,
+      name,
+      type,
+      effectiveSessionStamp,
+      keys?.encryptedUserKey ?? null,
+      keys?.encryptedPublicKey ?? null,
+      keys?.encryptedPrivateKey ?? null,
+      now,
+      now
+    )
+    .run();
+}
+
+export async function updateDeviceKeys(
+  db: D1Database,
+  userId: string,
+  deviceIdentifier: string,
+  keys: {
+    encryptedUserKey?: string | null;
+    encryptedPublicKey?: string | null;
+    encryptedPrivateKey?: string | null;
+  }
+): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db
+    .prepare(
+      'UPDATE devices SET encrypted_user_key = ?, encrypted_public_key = ?, encrypted_private_key = ?, updated_at = ? ' +
+        'WHERE user_id = ? AND device_identifier = ?'
+    )
+    .bind(
+      keys.encryptedUserKey ?? null,
+      keys.encryptedPublicKey ?? null,
+      keys.encryptedPrivateKey ?? null,
+      now,
+      userId,
+      deviceIdentifier
+    )
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
+export async function clearDeviceKeys(
+  db: D1Database,
+  userId: string,
+  deviceIdentifiers: string[]
+): Promise<number> {
+  const uniqueIds = Array.from(
+    new Set(deviceIdentifiers.map((id) => String(id || '').trim()).filter(Boolean))
+  );
+  if (!uniqueIds.length) return 0;
+
+  const placeholders = uniqueIds.map(() => '?').join(',');
+  const result = await db
+    .prepare(
+      `UPDATE devices
+       SET encrypted_user_key = NULL,
+           encrypted_public_key = NULL,
+           encrypted_private_key = NULL,
+           updated_at = ?
+       WHERE user_id = ? AND device_identifier IN (${placeholders})`
+    )
+    .bind(new Date().toISOString(), userId, ...uniqueIds)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function isKnownDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<boolean> {
+  const row = await db
+    .prepare('SELECT 1 FROM devices WHERE user_id = ? AND device_identifier = ? LIMIT 1')
+    .bind(userId, deviceIdentifier)
+    .first<{ '1': number }>();
+  return !!row;
+}
+
+export async function isKnownDeviceByEmail(
+  getUserByEmail: GetUserByEmail,
+  isKnownDeviceForUser: (userId: string, deviceIdentifier: string) => Promise<boolean>,
+  email: string,
+  deviceIdentifier: string
+): Promise<boolean> {
+  const user = await getUserByEmail(email);
+  if (!user) return false;
+  return isKnownDeviceForUser(user.id, deviceIdentifier);
+}
+
+export async function getDevicesByUserId(db: D1Database, userId: string): Promise<Device[]> {
+  const res = await db
+    .prepare(
+      'SELECT user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, created_at, updated_at ' +
+        'FROM devices WHERE user_id = ? ORDER BY updated_at DESC'
+    )
+    .bind(userId)
+    .all<any>();
+  return (res.results || []).map(mapDeviceRow);
+}
+
+export async function getDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<Device | null> {
+  const row = await db
+    .prepare(
+      'SELECT user_id, device_identifier, name, type, session_stamp, encrypted_user_key, encrypted_public_key, encrypted_private_key, banned, banned_at, created_at, updated_at ' +
+        'FROM devices WHERE user_id = ? AND device_identifier = ? LIMIT 1'
+    )
+    .bind(userId, deviceIdentifier)
+    .first<any>();
+  return row ? mapDeviceRow(row) : null;
+}
+
+export async function deleteDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<boolean> {
+  const result = await db
+    .prepare('DELETE FROM devices WHERE user_id = ? AND device_identifier = ?')
+    .bind(userId, deviceIdentifier)
+    .run();
+  return Number(result.meta.changes ?? 0) > 0;
+}
+
+export async function deleteDevicesByUserId(db: D1Database, userId: string): Promise<number> {
+  const result = await db.prepare('DELETE FROM devices WHERE user_id = ?').bind(userId).run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function getTrustedDeviceTokenSummariesByUserId(db: D1Database, userId: string): Promise<TrustedDeviceTokenSummary[]> {
+  const now = Date.now();
+  await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE expires_at < ?').bind(now).run();
+
+  const res = await db
+    .prepare(
+      'SELECT device_identifier, MAX(expires_at) AS expires_at, COUNT(*) AS token_count ' +
+        'FROM trusted_two_factor_device_tokens WHERE user_id = ? GROUP BY device_identifier ORDER BY expires_at DESC'
+    )
+    .bind(userId)
+    .all<any>();
+
+  return (res.results || []).map((row) => ({
+    deviceIdentifier: row.device_identifier,
+    expiresAt: Number(row.expires_at || 0),
+    tokenCount: Number(row.token_count || 0),
+  }));
+}
+
+export async function deleteTrustedTwoFactorTokensByDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<number> {
+  const result = await db
+    .prepare('DELETE FROM trusted_two_factor_device_tokens WHERE user_id = ? AND device_identifier = ?')
+    .bind(userId, deviceIdentifier)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function deleteTrustedTwoFactorTokensByUserId(db: D1Database, userId: string): Promise<number> {
+  const result = await db
+    .prepare('DELETE FROM trusted_two_factor_device_tokens WHERE user_id = ?')
+    .bind(userId)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function saveTrustedTwoFactorDeviceToken(
+  db: D1Database,
+  trustedTokenKey: TrustedTokenKeyFn,
+  token: string,
+  userId: string,
+  deviceIdentifier: string,
+  expiresAtMs: number
+): Promise<void> {
+  const tokenKey = await trustedTokenKey(token);
+  await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE expires_at < ?').bind(Date.now()).run();
+  await db
+    .prepare(
+      'INSERT INTO trusted_two_factor_device_tokens(token, user_id, device_identifier, expires_at) VALUES(?, ?, ?, ?) ' +
+        'ON CONFLICT(token) DO UPDATE SET user_id=excluded.user_id, device_identifier=excluded.device_identifier, expires_at=excluded.expires_at'
+    )
+    .bind(tokenKey, userId, deviceIdentifier, expiresAtMs)
+    .run();
+}
+
+export async function getTrustedTwoFactorDeviceTokenUserId(
+  db: D1Database,
+  trustedTokenKey: TrustedTokenKeyFn,
+  token: string,
+  deviceIdentifier: string
+): Promise<string | null> {
+  const now = Date.now();
+  const tokenKey = await trustedTokenKey(token);
+  const row = await db
+    .prepare('SELECT user_id, expires_at FROM trusted_two_factor_device_tokens WHERE token = ? AND device_identifier = ?')
+    .bind(tokenKey, deviceIdentifier)
+    .first<{ user_id: string; expires_at: number }>();
+
+  if (!row) return null;
+  if (row.expires_at && row.expires_at < now) {
+    await db.prepare('DELETE FROM trusted_two_factor_device_tokens WHERE token = ?').bind(tokenKey).run();
+    return null;
+  }
+  return row.user_id;
+}
@@ -0,0 +1,120 @@
+import type { Cipher, Folder } from '../types';
+
+function mapFolderRow(row: any): Folder {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    name: row.name,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export async function getFolder(db: D1Database, id: string): Promise<Folder | null> {
+  const row = await db
+    .prepare('SELECT id, user_id, name, created_at, updated_at FROM folders WHERE id = ?')
+    .bind(id)
+    .first<any>();
+  if (!row) return null;
+  return mapFolderRow(row);
+}
+
+export async function saveFolder(db: D1Database, folder: Folder): Promise<void> {
+  await db
+    .prepare(
+      'INSERT INTO folders(id, user_id, name, created_at, updated_at) VALUES(?, ?, ?, ?, ?) ' +
+      'ON CONFLICT(id) DO UPDATE SET user_id=excluded.user_id, name=excluded.name, updated_at=excluded.updated_at'
+    )
+    .bind(folder.id, folder.userId, folder.name, folder.createdAt, folder.updatedAt)
+    .run();
+}
+
+export async function deleteFolder(db: D1Database, id: string, userId: string): Promise<void> {
+  await db.prepare('DELETE FROM folders WHERE id = ? AND user_id = ?').bind(id, userId).run();
+}
+
+export async function clearFolderFromCiphers(
+  db: D1Database,
+  userId: string,
+  folderId: string,
+  saveCipher: (cipher: Cipher) => Promise<void>
+): Promise<void> {
+  const now = new Date().toISOString();
+  const res = await db
+    .prepare('SELECT data FROM ciphers WHERE user_id = ? AND folder_id = ?')
+    .bind(userId, folderId)
+    .all<{ data: string }>();
+
+  for (const row of (res.results || [])) {
+    let cipher: Cipher;
+    try {
+      cipher = JSON.parse(row.data) as Cipher;
+    } catch {
+      continue;
+    }
+    cipher.folderId = null;
+    cipher.updatedAt = now;
+    await saveCipher(cipher);
+  }
+}
+
+export async function bulkDeleteFolders(
+  db: D1Database,
+  userId: string,
+  ids: string[],
+  sqlChunkSize: (fixedBindCount: number) => number,
+  saveCipher: (cipher: Cipher) => Promise<void>,
+  updateRevisionDate: (userId: string) => Promise<string>
+): Promise<string | null> {
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return null;
+
+  const chunkSize = sqlChunkSize(1);
+  const now = new Date().toISOString();
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    const res = await db
+      .prepare(`SELECT data FROM ciphers WHERE user_id = ? AND folder_id IN (${placeholders})`)
+      .bind(userId, ...chunk)
+      .all<{ data: string }>();
+
+    for (const row of res.results || []) {
+      let cipher: Cipher;
+      try {
+        cipher = JSON.parse(row.data) as Cipher;
+      } catch {
+        continue;
+      }
+      cipher.folderId = null;
+      cipher.updatedAt = now;
+      await saveCipher(cipher);
+    }
+
+    await db
+      .prepare(`DELETE FROM folders WHERE user_id = ? AND id IN (${placeholders})`)
+      .bind(userId, ...chunk)
+      .run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function getAllFolders(db: D1Database, userId: string): Promise<Folder[]> {
+  const res = await db
+    .prepare('SELECT id, user_id, name, created_at, updated_at FROM folders WHERE user_id = ? ORDER BY updated_at DESC')
+    .bind(userId)
+    .all<any>();
+  return (res.results || []).map((row) => mapFolderRow(row));
+}
+
+export async function getFoldersPage(db: D1Database, userId: string, limit: number, offset: number): Promise<Folder[]> {
+  const res = await db
+    .prepare(
+      'SELECT id, user_id, name, created_at, updated_at FROM folders WHERE user_id = ? ORDER BY updated_at DESC LIMIT ? OFFSET ?'
+    )
+    .bind(userId, limit, offset)
+    .all<any>();
+  return (res.results || []).map((row) => mapFolderRow(row));
+}
@@ -0,0 +1,135 @@
+import type { RefreshTokenRecord } from '../types';
+
+type RefreshTokenKeyFn = (token: string) => Promise<string>;
+type CleanupExpiredFn = (nowMs: number) => Promise<void>;
+
+export async function saveRefreshToken(
+  db: D1Database,
+  refreshTokenKey: RefreshTokenKeyFn,
+  maybeCleanupExpiredRefreshTokens: CleanupExpiredFn,
+  token: string,
+  userId: string,
+  expiresAtMs: number,
+  deviceIdentifier?: string | null,
+  deviceSessionStamp?: string | null
+): Promise<void> {
+  await maybeCleanupExpiredRefreshTokens(Date.now());
+  const tokenKey = await refreshTokenKey(token);
+  await db
+    .prepare(
+      'INSERT INTO refresh_tokens(token, user_id, expires_at, device_identifier, device_session_stamp) VALUES(?, ?, ?, ?, ?) ' +
+        'ON CONFLICT(token) DO UPDATE SET user_id=excluded.user_id, expires_at=excluded.expires_at, device_identifier=excluded.device_identifier, device_session_stamp=excluded.device_session_stamp'
+    )
+    .bind(tokenKey, userId, expiresAtMs, deviceIdentifier ?? null, deviceSessionStamp ?? null)
+    .run();
+}
+
+export async function getRefreshTokenRecord(
+  db: D1Database,
+  refreshTokenKey: RefreshTokenKeyFn,
+  maybeCleanupExpiredRefreshTokens: CleanupExpiredFn,
+  saveRefreshTokenRecord: (
+    token: string,
+    userId: string,
+    expiresAtMs?: number,
+    deviceIdentifier?: string | null,
+    deviceSessionStamp?: string | null
+  ) => Promise<void>,
+  deleteRefreshTokenRecord: (token: string) => Promise<void>,
+  token: string
+): Promise<RefreshTokenRecord | null> {
+  const now = Date.now();
+  await maybeCleanupExpiredRefreshTokens(now);
+  const tokenKey = await refreshTokenKey(token);
+
+  let row = await db
+    .prepare('SELECT user_id, expires_at, device_identifier, device_session_stamp FROM refresh_tokens WHERE token = ?')
+    .bind(tokenKey)
+    .first<{ user_id: string; expires_at: number; device_identifier: string | null; device_session_stamp: string | null }>();
+
+  if (!row) {
+    const legacyRow = await db
+      .prepare('SELECT user_id, expires_at, device_identifier, device_session_stamp FROM refresh_tokens WHERE token = ?')
+      .bind(token)
+      .first<{ user_id: string; expires_at: number; device_identifier: string | null; device_session_stamp: string | null }>();
+
+    if (legacyRow) {
+      if (legacyRow.expires_at && legacyRow.expires_at < now) {
+        await deleteRefreshTokenRecord(token);
+        return null;
+      }
+      await saveRefreshTokenRecord(
+        token,
+        legacyRow.user_id,
+        legacyRow.expires_at,
+        legacyRow.device_identifier ?? null,
+        legacyRow.device_session_stamp ?? null
+      );
+      await db.prepare('DELETE FROM refresh_tokens WHERE token = ?').bind(token).run();
+      return {
+        userId: legacyRow.user_id,
+        expiresAt: legacyRow.expires_at,
+        deviceIdentifier: legacyRow.device_identifier ?? null,
+        deviceSessionStamp: legacyRow.device_session_stamp ?? null,
+      };
+    }
+  }
+
+  if (!row) return null;
+  if (row.expires_at && row.expires_at < now) {
+    await deleteRefreshTokenRecord(token);
+    return null;
+  }
+  return {
+    userId: row.user_id,
+    expiresAt: row.expires_at,
+    deviceIdentifier: row.device_identifier ?? null,
+    deviceSessionStamp: row.device_session_stamp ?? null,
+  };
+}
+
+export async function deleteRefreshToken(db: D1Database, refreshTokenKey: RefreshTokenKeyFn, token: string): Promise<void> {
+  const tokenKey = await refreshTokenKey(token);
+  await db.prepare('DELETE FROM refresh_tokens WHERE token = ?').bind(token).run();
+  await db.prepare('DELETE FROM refresh_tokens WHERE token = ?').bind(tokenKey).run();
+}
+
+export async function deleteRefreshTokensByUserId(db: D1Database, userId: string): Promise<number> {
+  const result = await db.prepare('DELETE FROM refresh_tokens WHERE user_id = ?').bind(userId).run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function deleteRefreshTokensByDevice(db: D1Database, userId: string, deviceIdentifier: string): Promise<number> {
+  const result = await db
+    .prepare('DELETE FROM refresh_tokens WHERE user_id = ? AND device_identifier = ?')
+    .bind(userId, deviceIdentifier)
+    .run();
+  return Number(result.meta.changes ?? 0);
+}
+
+export async function constrainRefreshTokenExpiry(
+  db: D1Database,
+  refreshTokenKey: RefreshTokenKeyFn,
+  token: string,
+  maxExpiresAtMs: number
+): Promise<void> {
+  const tokenKey = await refreshTokenKey(token);
+
+  await db
+    .prepare(
+      'UPDATE refresh_tokens ' +
+        'SET expires_at = CASE WHEN expires_at > ? THEN ? ELSE expires_at END ' +
+        'WHERE token = ?'
+    )
+    .bind(maxExpiresAtMs, maxExpiresAtMs, tokenKey)
+    .run();
+
+  await db
+    .prepare(
+      'UPDATE refresh_tokens ' +
+        'SET expires_at = CASE WHEN expires_at > ? THEN ? ELSE expires_at END ' +
+        'WHERE token = ?'
+    )
+    .bind(maxExpiresAtMs, maxExpiresAtMs, token)
+    .run();
+}
@@ -0,0 +1,31 @@
+export async function getRevisionDate(db: D1Database, userId: string): Promise<string> {
+  const row = await db
+    .prepare('SELECT revision_date FROM user_revisions WHERE user_id = ?')
+    .bind(userId)
+    .first<{ revision_date: string }>();
+
+  if (row?.revision_date) return row.revision_date;
+
+  const date = new Date().toISOString();
+  await db
+    .prepare(
+      'INSERT INTO user_revisions(user_id, revision_date) VALUES(?, ?) ' +
+        'ON CONFLICT(user_id) DO NOTHING'
+    )
+    .bind(userId, date)
+    .run();
+
+  return date;
+}
+
+export async function updateRevisionDate(db: D1Database, userId: string): Promise<string> {
+  const date = new Date().toISOString();
+  await db
+    .prepare(
+      'INSERT INTO user_revisions(user_id, revision_date) VALUES(?, ?) ' +
+        'ON CONFLICT(user_id) DO UPDATE SET revision_date = excluded.revision_date'
+    )
+    .bind(userId, date)
+    .run();
+  return date;
+}
@@ -0,0 +1,137 @@
+// IMPORTANT:
+// Keep this schema list in sync with migrations/0001_init.sql.
+// Any new table/column/index must be added to both places together.
+const SCHEMA_STATEMENTS: readonly string[] = [
+  'CREATE TABLE IF NOT EXISTS users (' +
+  'id TEXT PRIMARY KEY, email TEXT NOT NULL UNIQUE, name TEXT, master_password_hint TEXT, master_password_hash TEXT NOT NULL, ' +
+  'key TEXT NOT NULL, private_key TEXT, public_key TEXT, kdf_type INTEGER NOT NULL, ' +
+  'kdf_iterations INTEGER NOT NULL, kdf_memory INTEGER, kdf_parallelism INTEGER, ' +
+  'security_stamp TEXT NOT NULL, role TEXT NOT NULL DEFAULT \'user\', status TEXT NOT NULL DEFAULT \'active\', verify_devices INTEGER NOT NULL DEFAULT 1, totp_secret TEXT, totp_recovery_code TEXT, created_at TEXT NOT NULL, updated_at TEXT NOT NULL)',
+  'ALTER TABLE users ADD COLUMN master_password_hint TEXT',
+  'ALTER TABLE users ADD COLUMN role TEXT NOT NULL DEFAULT \'user\'',
+  'ALTER TABLE users ADD COLUMN status TEXT NOT NULL DEFAULT \'active\'',
+  'ALTER TABLE users ADD COLUMN verify_devices INTEGER NOT NULL DEFAULT 1',
+  'ALTER TABLE users ADD COLUMN totp_secret TEXT',
+  'ALTER TABLE users ADD COLUMN totp_recovery_code TEXT',
+
+  'CREATE TABLE IF NOT EXISTS user_revisions (' +
+  'user_id TEXT PRIMARY KEY, revision_date TEXT NOT NULL, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+
+  'CREATE TABLE IF NOT EXISTS ciphers (' +
+  'id TEXT PRIMARY KEY, user_id TEXT NOT NULL, type INTEGER NOT NULL, folder_id TEXT, name TEXT, notes TEXT, ' +
+  'favorite INTEGER NOT NULL DEFAULT 0, data TEXT NOT NULL, reprompt INTEGER, key TEXT, ' +
+  'created_at TEXT NOT NULL, updated_at TEXT NOT NULL, archived_at TEXT, deleted_at TEXT, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'ALTER TABLE ciphers ADD COLUMN archived_at TEXT',
+  'CREATE INDEX IF NOT EXISTS idx_ciphers_user_updated ON ciphers(user_id, updated_at)',
+  'CREATE INDEX IF NOT EXISTS idx_ciphers_user_archived ON ciphers(user_id, archived_at)',
+  'CREATE INDEX IF NOT EXISTS idx_ciphers_user_deleted ON ciphers(user_id, deleted_at)',
+
+  'CREATE TABLE IF NOT EXISTS folders (' +
+  'id TEXT PRIMARY KEY, user_id TEXT NOT NULL, name TEXT NOT NULL, created_at TEXT NOT NULL, updated_at TEXT NOT NULL, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'CREATE INDEX IF NOT EXISTS idx_folders_user_updated ON folders(user_id, updated_at)',
+
+  'CREATE TABLE IF NOT EXISTS attachments (' +
+  'id TEXT PRIMARY KEY, cipher_id TEXT NOT NULL, file_name TEXT NOT NULL, size INTEGER NOT NULL, ' +
+  'size_name TEXT NOT NULL, key TEXT, ' +
+  'FOREIGN KEY (cipher_id) REFERENCES ciphers(id) ON DELETE CASCADE)',
+  'CREATE INDEX IF NOT EXISTS idx_attachments_cipher ON attachments(cipher_id)',
+
+  'CREATE TABLE IF NOT EXISTS sends (' +
+  'id TEXT PRIMARY KEY, user_id TEXT NOT NULL, type INTEGER NOT NULL, name TEXT NOT NULL, notes TEXT, data TEXT NOT NULL, ' +
+  'key TEXT NOT NULL, password_hash TEXT, password_salt TEXT, password_iterations INTEGER, auth_type INTEGER NOT NULL DEFAULT 2, emails TEXT, ' +
+  'max_access_count INTEGER, access_count INTEGER NOT NULL DEFAULT 0, disabled INTEGER NOT NULL DEFAULT 0, hide_email INTEGER, ' +
+  'created_at TEXT NOT NULL, updated_at TEXT NOT NULL, expiration_date TEXT, deletion_date TEXT NOT NULL, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'CREATE INDEX IF NOT EXISTS idx_sends_user_updated ON sends(user_id, updated_at)',
+  'CREATE INDEX IF NOT EXISTS idx_sends_user_deletion ON sends(user_id, deletion_date)',
+  'ALTER TABLE sends ADD COLUMN auth_type INTEGER NOT NULL DEFAULT 2',
+  'ALTER TABLE sends ADD COLUMN emails TEXT',
+
+  'CREATE TABLE IF NOT EXISTS refresh_tokens (' +
+  'token TEXT PRIMARY KEY, user_id TEXT NOT NULL, expires_at INTEGER NOT NULL, device_identifier TEXT, device_session_stamp TEXT, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'CREATE INDEX IF NOT EXISTS idx_refresh_tokens_user ON refresh_tokens(user_id)',
+  'ALTER TABLE refresh_tokens ADD COLUMN device_identifier TEXT',
+  'ALTER TABLE refresh_tokens ADD COLUMN device_session_stamp TEXT',
+
+  'CREATE TABLE IF NOT EXISTS invites (' +
+  'code TEXT PRIMARY KEY, created_by TEXT NOT NULL, used_by TEXT, expires_at TEXT NOT NULL, status TEXT NOT NULL, created_at TEXT NOT NULL, updated_at TEXT NOT NULL, ' +
+  'FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE CASCADE, ' +
+  'FOREIGN KEY (used_by) REFERENCES users(id) ON DELETE SET NULL)',
+  'CREATE INDEX IF NOT EXISTS idx_invites_status_expires ON invites(status, expires_at)',
+  'CREATE INDEX IF NOT EXISTS idx_invites_created_by ON invites(created_by, created_at)',
+
+  'CREATE TABLE IF NOT EXISTS audit_logs (' +
+  'id TEXT PRIMARY KEY, actor_user_id TEXT, action TEXT NOT NULL, target_type TEXT, target_id TEXT, metadata TEXT, created_at TEXT NOT NULL, ' +
+  'FOREIGN KEY (actor_user_id) REFERENCES users(id) ON DELETE SET NULL)',
+  'CREATE INDEX IF NOT EXISTS idx_audit_logs_created_at ON audit_logs(created_at)',
+  'CREATE INDEX IF NOT EXISTS idx_audit_logs_actor_created ON audit_logs(actor_user_id, created_at)',
+
+  'CREATE TABLE IF NOT EXISTS devices (' +
+  'user_id TEXT NOT NULL, device_identifier TEXT NOT NULL, name TEXT NOT NULL, type INTEGER NOT NULL, session_stamp TEXT, encrypted_user_key TEXT, encrypted_public_key TEXT, encrypted_private_key TEXT, banned INTEGER NOT NULL DEFAULT 0, banned_at TEXT, ' +
+  'created_at TEXT NOT NULL, updated_at TEXT NOT NULL, ' +
+  'PRIMARY KEY (user_id, device_identifier), ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'CREATE INDEX IF NOT EXISTS idx_devices_user_updated ON devices(user_id, updated_at)',
+  'ALTER TABLE devices ADD COLUMN session_stamp TEXT',
+  'ALTER TABLE devices ADD COLUMN encrypted_user_key TEXT',
+  'ALTER TABLE devices ADD COLUMN encrypted_public_key TEXT',
+  'ALTER TABLE devices ADD COLUMN encrypted_private_key TEXT',
+  'ALTER TABLE devices ADD COLUMN banned INTEGER NOT NULL DEFAULT 0',
+  'ALTER TABLE devices ADD COLUMN banned_at TEXT',
+
+  'CREATE TABLE IF NOT EXISTS trusted_two_factor_device_tokens (' +
+  'token TEXT PRIMARY KEY, user_id TEXT NOT NULL, device_identifier TEXT NOT NULL, expires_at INTEGER NOT NULL, ' +
+  'FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE)',
+  'CREATE INDEX IF NOT EXISTS idx_trusted_two_factor_device_tokens_user_device ON trusted_two_factor_device_tokens(user_id, device_identifier)',
+
+  'CREATE TABLE IF NOT EXISTS api_rate_limits (' +
+  'identifier TEXT NOT NULL, window_start INTEGER NOT NULL, count INTEGER NOT NULL, ' +
+  'PRIMARY KEY (identifier, window_start))',
+  'CREATE INDEX IF NOT EXISTS idx_api_rate_window ON api_rate_limits(window_start)',
+
+  'CREATE TABLE IF NOT EXISTS login_attempts_ip (' +
+  'ip TEXT PRIMARY KEY, attempts INTEGER NOT NULL, locked_until INTEGER, updated_at INTEGER NOT NULL)',
+
+  'CREATE TABLE IF NOT EXISTS used_attachment_download_tokens (' +
+  'jti TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)',
+];
+
+async function executeSchemaStatement(db: D1Database, statement: string): Promise<void> {
+  try {
+    await db.prepare(statement).run();
+  } catch (error) {
+    const msg = error instanceof Error ? error.message.toLowerCase() : String(error).toLowerCase();
+    if (msg.includes('already exists') || msg.includes('duplicate column name')) {
+      return;
+    }
+    throw error;
+  }
+}
+
+async function ensureAdminUserExists(db: D1Database): Promise<void> {
+  const admin = await db.prepare("SELECT id FROM users WHERE role = 'admin' LIMIT 1").first<{ id: string }>();
+  if (admin?.id) return;
+
+  const firstUser = await db
+    .prepare('SELECT id FROM users ORDER BY created_at ASC LIMIT 1')
+    .first<{ id: string }>();
+  if (!firstUser?.id) return;
+
+  await db
+    .prepare("UPDATE users SET role = 'admin', updated_at = ? WHERE id = ?")
+    .bind(new Date().toISOString(), firstUser.id)
+    .run();
+}
+
+export async function ensureStorageSchema(db: D1Database): Promise<void> {
+  await db.prepare('PRAGMA foreign_keys = ON').run();
+  await db.prepare('CREATE TABLE IF NOT EXISTS config (key TEXT PRIMARY KEY, value TEXT NOT NULL)').run();
+  for (const stmt of SCHEMA_STATEMENTS) {
+    await executeSchemaStatement(db, stmt);
+  }
+  await ensureAdminUserExists(db);
+}
@@ -0,0 +1,163 @@
+import type { Send } from '../types';
+
+type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+type SqlChunkSize = (fixedBindCount: number) => number;
+type UpdateRevisionDate = (userId: string) => Promise<string>;
+
+function mapSendRow(row: any): Send {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    type: row.type,
+    name: row.name,
+    notes: row.notes,
+    data: row.data,
+    key: row.key,
+    passwordHash: row.password_hash,
+    passwordSalt: row.password_salt,
+    passwordIterations: row.password_iterations,
+    authType: row.auth_type ?? 0,
+    emails: row.emails ?? null,
+    maxAccessCount: row.max_access_count,
+    accessCount: row.access_count,
+    disabled: !!row.disabled,
+    hideEmail: row.hide_email === null || row.hide_email === undefined ? null : !!row.hide_email,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+    expirationDate: row.expiration_date,
+    deletionDate: row.deletion_date,
+  };
+}
+
+export async function getSend(db: D1Database, id: string): Promise<Send | null> {
+  const row = await db
+    .prepare(
+      'SELECT id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date FROM sends WHERE id = ?'
+    )
+    .bind(id)
+    .first<any>();
+  if (!row) return null;
+  return mapSendRow(row);
+}
+
+export async function saveSend(db: D1Database, safeBind: SafeBind, send: Send): Promise<void> {
+  const stmt = db.prepare(
+    'INSERT INTO sends(id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date) ' +
+    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+    'ON CONFLICT(id) DO UPDATE SET ' +
+    'user_id=excluded.user_id, type=excluded.type, name=excluded.name, notes=excluded.notes, data=excluded.data, key=excluded.key, ' +
+    'password_hash=excluded.password_hash, password_salt=excluded.password_salt, password_iterations=excluded.password_iterations, auth_type=excluded.auth_type, emails=excluded.emails, ' +
+    'max_access_count=excluded.max_access_count, access_count=excluded.access_count, disabled=excluded.disabled, hide_email=excluded.hide_email, ' +
+    'updated_at=excluded.updated_at, expiration_date=excluded.expiration_date, deletion_date=excluded.deletion_date'
+  );
+
+  await safeBind(
+    stmt,
+    send.id,
+    send.userId,
+    Number(send.type) || 0,
+    send.name,
+    send.notes,
+    send.data,
+    send.key,
+    send.passwordHash,
+    send.passwordSalt,
+    send.passwordIterations,
+    send.authType,
+    send.emails,
+    send.maxAccessCount,
+    send.accessCount,
+    send.disabled ? 1 : 0,
+    send.hideEmail === null || send.hideEmail === undefined ? null : send.hideEmail ? 1 : 0,
+    send.createdAt,
+    send.updatedAt,
+    send.expirationDate,
+    send.deletionDate
+  ).run();
+}
+
+export async function incrementSendAccessCount(db: D1Database, sendId: string): Promise<boolean> {
+  const now = new Date().toISOString();
+  const result = await db
+    .prepare(
+      'UPDATE sends SET access_count = access_count + 1, updated_at = ? ' +
+      'WHERE id = ? AND (max_access_count IS NULL OR access_count < max_access_count)'
+    )
+    .bind(now, sendId)
+    .run();
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function deleteSend(db: D1Database, id: string, userId: string): Promise<void> {
+  await db.prepare('DELETE FROM sends WHERE id = ? AND user_id = ?').bind(id, userId).run();
+}
+
+export async function getSendsByIds(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  ids: string[],
+  userId: string
+): Promise<Send[]> {
+  if (ids.length === 0) return [];
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return [];
+  const chunkSize = sqlChunkSize(1);
+  const out: Send[] = [];
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    const res = await db
+      .prepare(
+        `SELECT id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date
+         FROM sends
+         WHERE user_id = ? AND id IN (${placeholders})`
+      )
+      .bind(userId, ...chunk)
+      .all<any>();
+    out.push(...(res.results || []).map((row) => mapSendRow(row)));
+  }
+
+  return out;
+}
+
+export async function bulkDeleteSends(
+  db: D1Database,
+  sqlChunkSize: SqlChunkSize,
+  updateRevisionDate: UpdateRevisionDate,
+  ids: string[],
+  userId: string
+): Promise<string | null> {
+  if (ids.length === 0) return null;
+  const uniqueIds = Array.from(new Set(ids.map((id) => String(id || '').trim()).filter(Boolean)));
+  if (!uniqueIds.length) return null;
+  const chunkSize = sqlChunkSize(1);
+
+  for (let i = 0; i < uniqueIds.length; i += chunkSize) {
+    const chunk = uniqueIds.slice(i, i + chunkSize);
+    const placeholders = chunk.map(() => '?').join(',');
+    await db.prepare(`DELETE FROM sends WHERE user_id = ? AND id IN (${placeholders})`).bind(userId, ...chunk).run();
+  }
+
+  return updateRevisionDate(userId);
+}
+
+export async function getAllSends(db: D1Database, userId: string): Promise<Send[]> {
+  const res = await db
+    .prepare(
+      'SELECT id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date FROM sends WHERE user_id = ? ORDER BY updated_at DESC'
+    )
+    .bind(userId)
+    .all<any>();
+  return (res.results || []).map((row) => mapSendRow(row));
+}
+
+export async function getSendsPage(db: D1Database, userId: string, limit: number, offset: number): Promise<Send[]> {
+  const res = await db
+    .prepare(
+      'SELECT id, user_id, type, name, notes, data, key, password_hash, password_salt, password_iterations, auth_type, emails, max_access_count, access_count, disabled, hide_email, created_at, updated_at, expiration_date, deletion_date FROM sends WHERE user_id = ? ORDER BY updated_at DESC LIMIT ? OFFSET ?'
+    )
+    .bind(userId, limit, offset)
+    .all<any>();
+  return (res.results || []).map((row) => mapSendRow(row));
+}
@@ -0,0 +1,139 @@
+import type { User } from '../types';
+
+type SafeBind = (stmt: D1PreparedStatement, ...values: any[]) => D1PreparedStatement;
+const USER_SELECT_COLUMNS =
+  'id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, ' +
+  'kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, ' +
+  'totp_secret, totp_recovery_code, created_at, updated_at';
+
+function mapUserRow(row: any): User {
+  return {
+    id: row.id,
+    email: row.email,
+    name: row.name,
+    masterPasswordHint: row.master_password_hint ?? null,
+    masterPasswordHash: row.master_password_hash,
+    key: row.key,
+    privateKey: row.private_key,
+    publicKey: row.public_key,
+    kdfType: row.kdf_type,
+    kdfIterations: row.kdf_iterations,
+    kdfMemory: row.kdf_memory ?? undefined,
+    kdfParallelism: row.kdf_parallelism ?? undefined,
+    securityStamp: row.security_stamp,
+    role: row.role === 'admin' ? 'admin' : 'user',
+    status: row.status === 'banned' ? 'banned' : 'active',
+    verifyDevices: row.verify_devices == null ? true : !!row.verify_devices,
+    totpSecret: row.totp_secret ?? null,
+    totpRecoveryCode: row.totp_recovery_code ?? null,
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export async function getUser(db: D1Database, email: string): Promise<User | null> {
+  const row = await db
+    .prepare(`SELECT ${USER_SELECT_COLUMNS} FROM users WHERE email = ?`)
+    .bind(email.toLowerCase())
+    .first<any>();
+  if (!row) return null;
+  return mapUserRow(row);
+}
+
+export async function getUserById(db: D1Database, id: string): Promise<User | null> {
+  const row = await db
+    .prepare(`SELECT ${USER_SELECT_COLUMNS} FROM users WHERE id = ?`)
+    .bind(id)
+    .first<any>();
+  if (!row) return null;
+  return mapUserRow(row);
+}
+
+export async function getUserCount(db: D1Database): Promise<number> {
+  const row = await db.prepare('SELECT COUNT(*) AS count FROM users').first<{ count: number }>();
+  return Number(row?.count || 0);
+}
+
+export async function getAllUsers(db: D1Database): Promise<User[]> {
+  const res = await db
+    .prepare(`SELECT ${USER_SELECT_COLUMNS} FROM users ORDER BY created_at ASC`)
+    .all<any>();
+  return (res.results || []).map((row) => mapUserRow(row));
+}
+
+export async function saveUser(db: D1Database, safeBind: SafeBind, user: User): Promise<void> {
+  const email = user.email.toLowerCase();
+  const stmt = db.prepare(
+    'INSERT INTO users(id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, totp_secret, totp_recovery_code, created_at, updated_at) ' +
+    'VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ' +
+    'ON CONFLICT(id) DO UPDATE SET ' +
+    'email=excluded.email, name=excluded.name, master_password_hint=excluded.master_password_hint, master_password_hash=excluded.master_password_hash, key=excluded.key, private_key=excluded.private_key, public_key=excluded.public_key, ' +
+    'kdf_type=excluded.kdf_type, kdf_iterations=excluded.kdf_iterations, kdf_memory=excluded.kdf_memory, kdf_parallelism=excluded.kdf_parallelism, security_stamp=excluded.security_stamp, role=excluded.role, status=excluded.status, verify_devices=excluded.verify_devices, totp_secret=excluded.totp_secret, totp_recovery_code=excluded.totp_recovery_code, updated_at=excluded.updated_at'
+  );
+  await safeBind(
+    stmt,
+    user.id,
+    email,
+    user.name,
+    user.masterPasswordHint,
+    user.masterPasswordHash,
+    user.key,
+    user.privateKey,
+    user.publicKey,
+    user.kdfType,
+    user.kdfIterations,
+    user.kdfMemory,
+    user.kdfParallelism,
+    user.securityStamp,
+    user.role,
+    user.status,
+    user.verifyDevices ? 1 : 0,
+    user.totpSecret,
+    user.totpRecoveryCode,
+    user.createdAt,
+    user.updatedAt
+  ).run();
+}
+
+export async function createUser(db: D1Database, safeBind: SafeBind, user: User): Promise<void> {
+  await saveUser(db, safeBind, user);
+}
+
+export async function createFirstUser(db: D1Database, safeBind: SafeBind, user: User): Promise<boolean> {
+  const email = user.email.toLowerCase();
+  const stmt = db.prepare(
+    'INSERT INTO users(id, email, name, master_password_hint, master_password_hash, key, private_key, public_key, kdf_type, kdf_iterations, kdf_memory, kdf_parallelism, security_stamp, role, status, verify_devices, totp_secret, totp_recovery_code, created_at, updated_at) ' +
+    'SELECT ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ' +
+    'WHERE NOT EXISTS (SELECT 1 FROM users LIMIT 1)'
+  );
+  const result = await safeBind(
+    stmt,
+    user.id,
+    email,
+    user.name,
+    user.masterPasswordHint,
+    user.masterPasswordHash,
+    user.key,
+    user.privateKey,
+    user.publicKey,
+    user.kdfType,
+    user.kdfIterations,
+    user.kdfMemory,
+    user.kdfParallelism,
+    user.securityStamp,
+    user.role,
+    user.status,
+    user.verifyDevices ? 1 : 0,
+    user.totpSecret,
+    user.totpRecoveryCode,
+    user.createdAt,
+    user.updatedAt
+  ).run();
+
+  return (result.meta.changes ?? 0) > 0;
+}
+
+export async function deleteUserById(db: D1Database, id: string): Promise<boolean> {
+  const result = await db.prepare('DELETE FROM users WHERE id = ?').bind(id).run();
+  return (result.meta.changes ?? 0) > 0;
+}
@@ -1,11 +1,21 @@
 // Environment bindings
 export interface Env {
  DB: D1Database;
-  ATTACHMENTS: R2Bucket;
+  NOTIFICATIONS_HUB: DurableObjectNamespace;
+  ASSETS?: {
+    fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
+  };
+  // Prefer R2 when available. Optional to support KV-only deployments.
+  ATTACHMENTS?: R2Bucket;
+  // Optional fallback for attachment/send file storage (no credit card required).
+  ATTACHMENTS_KV?: KVNamespace;
  JWT_SECRET: string;
  TOTP_SECRET?: string;
 }

+export type UserRole = 'admin' | 'user';
+export type UserStatus = 'active' | 'banned';
+
 // Sample JWT secret used by `.dev.vars.example`.
 // If runtime JWT_SECRET equals this value, treat it as unsafe.
 export const DEFAULT_DEV_SECRET = 'Enter-your-JWT-key-here-at-least-32-characters';
@@ -25,6 +35,7 @@ export interface User {
  id: string;
  email: string;
  name: string | null;
+  masterPasswordHint: string | null;
  masterPasswordHash: string;
  key: string;
  privateKey: string | null;
@@ -34,10 +45,35 @@ export interface User {
  kdfMemory?: number;
  kdfParallelism?: number;
  securityStamp: string;
+  role: UserRole;
+  status: UserStatus;
+  verifyDevices?: boolean;
+  totpSecret: string | null;
+  totpRecoveryCode: string | null;
  createdAt: string;
  updatedAt: string;
 }

+export interface Invite {
+  code: string;
+  createdBy: string;
+  usedBy: string | null;
+  expiresAt: string;
+  status: 'active' | 'used' | 'revoked' | 'expired';
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface AuditLog {
+  id: string;
+  actorUserId: string | null;
+  action: string;
+  targetType: string | null;
+  targetId: string | null;
+  metadata: string | null;
+  createdAt: string;
+}
+
 // Cipher types
 export enum CipherType {
  Login = 1,
@@ -134,6 +170,7 @@ export interface Cipher {
  key: string | null;
  createdAt: string;
  updatedAt: string;
+  archivedAt: string | null;
  deletedAt: string | null;
  /** Allow unknown fields from Bitwarden clients to be stored and passed through transparently. */
  [key: string]: any;
@@ -153,10 +190,117 @@ export interface Device {
  deviceIdentifier: string;
  name: string;
  type: number;
+  sessionStamp: string;
+  encryptedUserKey: string | null;
+  encryptedPublicKey: string | null;
+  encryptedPrivateKey: string | null;
+  devicePendingAuthRequest?: DevicePendingAuthRequest | null;
  createdAt: string;
  updatedAt: string;
 }

+export interface DevicePendingAuthRequest {
+  id: string;
+  creationDate: string;
+}
+
+export interface DeviceResponse {
+  id: string;
+  userId?: string | null;
+  name: string;
+  identifier: string;
+  type: number;
+  creationDate: string;
+  revisionDate: string;
+  isTrusted: boolean;
+  encryptedUserKey: string | null;
+  encryptedPublicKey: string | null;
+  devicePendingAuthRequest: DevicePendingAuthRequest | null;
+  object: string;
+  [key: string]: any;
+}
+
+export interface ProtectedDeviceResponse {
+  id: string;
+  name: string;
+  identifier: string;
+  type: number;
+  creationDate: string;
+  encryptedUserKey: string | null;
+  encryptedPublicKey: string | null;
+  object: string;
+  [key: string]: any;
+}
+
+export interface RefreshTokenRecord {
+  userId: string;
+  expiresAt: number;
+  deviceIdentifier: string | null;
+  deviceSessionStamp: string | null;
+}
+
+export interface TrustedDeviceTokenSummary {
+  deviceIdentifier: string;
+  expiresAt: number;
+  tokenCount: number;
+}
+
+export enum SendType {
+  Text = 0,
+  File = 1,
+}
+
+export enum SendAuthType {
+  Email = 0,
+  Password = 1,
+  None = 2,
+}
+
+export interface Send {
+  id: string;
+  userId: string;
+  type: SendType;
+  name: string;
+  notes: string | null;
+  data: string;
+  key: string;
+  passwordHash: string | null;
+  passwordSalt: string | null;
+  passwordIterations: number | null;
+  authType: SendAuthType;
+  emails: string | null;
+  maxAccessCount: number | null;
+  accessCount: number;
+  disabled: boolean;
+  hideEmail: boolean | null;
+  createdAt: string;
+  updatedAt: string;
+  expirationDate: string | null;
+  deletionDate: string;
+}
+
+export interface SendResponse {
+  id: string;
+  accessId: string;
+  type: number;
+  name: string;
+  notes: string | null;
+  text: any | null;
+  file: any | null;
+  key: string;
+  maxAccessCount: number | null;
+  accessCount: number;
+  password: string | null;
+  emails: string | null;
+  authType: SendAuthType;
+  disabled: boolean;
+  hideEmail: boolean | null;
+  revisionDate: string;
+  expirationDate: string | null;
+  deletionDate: string;
+  object: string;
+}
+
 // JWT Payload
 export interface JWTPayload {
  sub: string;      // user id
@@ -165,6 +309,8 @@ export interface JWTPayload {
  email_verified: boolean; // required by mobile client
  amr: string[];    // authentication methods reference - required by mobile client
  sstamp: string;   // security stamp - invalidates token when user changes password
+  did?: string;     // device identifier - invalidates per-device sessions
+  dstamp?: string;  // device session stamp
  iat: number;
  exp: number;
  iss: string;
@@ -192,6 +338,8 @@ export interface UserDecryptionOptions {
  Object: string;
  // Bitwarden Android 2026.1.x expects this to exist; missing it breaks unlock when the vault is empty.
  MasterPasswordUnlock: MasterPasswordUnlock;
+  TrustedDeviceOption: null;
+  KeyConnectorOption: null;
 }

 // API Response types
@@ -211,7 +359,14 @@ export interface TokenResponse {
  ResetMasterPassword: boolean;
  scope: string;
  unofficialServer: boolean;
+  MasterPasswordPolicy?: {
+    Object: string;
+  } | null;
+  ApiUseKeyConnector?: boolean;
+  AccountKeys?: any | null;
+  accountKeys?: any | null;
  UserDecryptionOptions: UserDecryptionOptions;
+  userDecryptionOptions?: UserDecryptionOptions;
 }

 export interface ProfileResponse {
@@ -235,6 +390,9 @@ export interface ProfileResponse {
  forcePasswordReset: boolean;
  avatarColor: string | null;
  creationDate: string;
+  verifyDevices?: boolean;
+  role?: UserRole;
+  status?: UserStatus;
  object: string;
 }

@@ -290,7 +448,14 @@ export interface SyncResponse {
  ciphers: CipherResponse[];
  domains: any;
  policies: any[];
-  sends: any[];
+  sends: SendResponse[];
+  UserDecryption?: {
+    MasterPasswordUnlock: MasterPasswordUnlock | null;
+    TrustedDeviceOption?: null;
+    KeyConnectorOption?: null;
+    WebAuthnPrfOption?: null;
+    Object?: string;
+  } | null;
  // PascalCase for desktop/browser clients
  UserDecryptionOptions: UserDecryptionOptions | null;
  // camelCase for Android client (SyncResponseJson uses @SerialName("userDecryption"))
@@ -72,3 +72,7 @@ export function readKnownDeviceProbe(request: Request): { email: string | null;
  return { email, deviceIdentifier };
 }

+export function readActingDeviceIdentifier(request: Request): string | null {
+  return normalizeDeviceIdentifier(request.headers.get('X-NodeWarden-Acting-Device-Id'));
+}
+
@@ -0,0 +1,104 @@
+import { LIMITS } from '../config/limits';
+import { DEFAULT_DEV_SECRET, Env } from '../types';
+import { errorResponse } from './response';
+
+export interface DirectUploadPayload {
+  body: ReadableStream;
+  contentType: string;
+  size: number;
+}
+
+interface ParseDirectUploadOptions {
+  expectedSize?: number | null;
+  expectedFileName?: string | null;
+  maxFileSize: number;
+  tooLargeMessage: string;
+  missingBodyMessage?: string;
+  contentLengthRequiredMessage?: string;
+  sizeMismatchMessage?: string;
+  fileNameMismatchMessage?: string;
+}
+
+export function buildDirectUploadUrl(request: Request, path: string, token: string): string {
+  const version = '2023-11-03';
+  const expiresAt = '2099-12-31T23:59:59Z';
+  const origin = new URL(request.url).origin;
+  return `${origin}${path}?sv=${encodeURIComponent(version)}&se=${encodeURIComponent(expiresAt)}&token=${encodeURIComponent(token)}`;
+}
+
+export function getSafeJwtSecret(env: Env): string | null {
+  const secret = (env.JWT_SECRET || '').trim();
+  if (!secret || secret.length < LIMITS.auth.jwtSecretMinLength || secret === DEFAULT_DEV_SECRET) {
+    return null;
+  }
+  return secret;
+}
+
+function parseContentLength(request: Request): number | null {
+  const raw = request.headers.get('content-length');
+  if (!raw) return null;
+  const value = Number(raw);
+  if (!Number.isFinite(value) || value < 0) return null;
+  return Math.floor(value);
+}
+
+export async function parseDirectUploadPayload(
+  request: Request,
+  options: ParseDirectUploadOptions
+): Promise<DirectUploadPayload | Response> {
+  const {
+    expectedSize = null,
+    expectedFileName = null,
+    maxFileSize,
+    tooLargeMessage,
+    missingBodyMessage = 'No file uploaded',
+    contentLengthRequiredMessage = 'Content-Length is required for direct uploads',
+    sizeMismatchMessage,
+    fileNameMismatchMessage,
+  } = options;
+  const contentType = request.headers.get('content-type') || '';
+
+  if (contentType.includes('multipart/form-data')) {
+    const formData = await request.formData();
+    const file = formData.get('data') as File | null;
+    if (!file) {
+      return errorResponse(missingBodyMessage, 400);
+    }
+    if (file.size > maxFileSize) {
+      return errorResponse(tooLargeMessage, 413);
+    }
+    if (expectedFileName && file.name !== expectedFileName) {
+      return errorResponse(fileNameMismatchMessage || 'File name does not match.', 400);
+    }
+    if (expectedSize !== null && expectedSize !== undefined && file.size !== expectedSize) {
+      return errorResponse(sizeMismatchMessage || 'File size does not match.', 400);
+    }
+    return {
+      body: file.stream(),
+      contentType: file.type || 'application/octet-stream',
+      size: file.size,
+    };
+  }
+
+  if (!request.body) {
+    return errorResponse(missingBodyMessage, 400);
+  }
+
+  const declaredSize = parseContentLength(request);
+  const uploadSize = declaredSize ?? (expectedSize && expectedSize > 0 ? expectedSize : null);
+  if (uploadSize === null) {
+    return errorResponse(contentLengthRequiredMessage, 400);
+  }
+  if (uploadSize > maxFileSize) {
+    return errorResponse(tooLargeMessage, 413);
+  }
+  if (expectedSize !== null && expectedSize !== undefined && uploadSize !== expectedSize) {
+    return errorResponse(sizeMismatchMessage || 'File size does not match.', 400);
+  }
+
+  return {
+    body: request.body,
+    contentType: contentType || 'application/octet-stream',
+    size: uploadSize,
+  };
+}
@@ -104,6 +104,13 @@ export interface FileDownloadClaims {
  exp: number;
 }

+export interface AttachmentUploadClaims {
+  userId: string;
+  cipherId: string;
+  attachmentId: string;
+  exp: number;
+}
+
 // Create file download token (short-lived, 5 minutes)
 export async function createFileDownloadToken(
  cipherId: string,
@@ -177,3 +184,292 @@ export async function verifyFileDownloadToken(
    return null;
  }
 }
+
+export async function createAttachmentUploadToken(
+  userId: string,
+  cipherId: string,
+  attachmentId: string,
+  secret: string
+): Promise<string> {
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const now = Math.floor(Date.now() / 1000);
+  const payload: AttachmentUploadClaims = {
+    userId,
+    cipherId,
+    attachmentId,
+    exp: now + LIMITS.auth.fileDownloadTokenTtlSeconds,
+  };
+
+  const encoder = new TextEncoder();
+  const headerB64 = base64UrlEncode(encoder.encode(JSON.stringify(header)));
+  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
+  const data = `${headerB64}.${payloadB64}`;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+
+  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
+  return `${data}.${signatureB64}`;
+}
+
+export async function verifyAttachmentUploadToken(
+  token: string,
+  secret: string
+): Promise<AttachmentUploadClaims | null> {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const encoder = new TextEncoder();
+
+    const key = await crypto.subtle.importKey(
+      'raw',
+      encoder.encode(secret),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = base64UrlDecode(signatureB64);
+    const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(data));
+    if (!valid) return null;
+
+    const payload: AttachmentUploadClaims = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) return null;
+    if (!payload.userId || !payload.cipherId || !payload.attachmentId) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+export interface SendFileDownloadClaims {
+  sendId: string;
+  fileId: string;
+  jti: string;
+  exp: number;
+}
+
+export interface SendFileUploadClaims {
+  userId: string;
+  sendId: string;
+  fileId: string;
+  exp: number;
+}
+
+export async function createSendFileDownloadToken(
+  sendId: string,
+  fileId: string,
+  secret: string
+): Promise<string> {
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const now = Math.floor(Date.now() / 1000);
+  const payload: SendFileDownloadClaims = {
+    sendId,
+    fileId,
+    jti: createRefreshToken(),
+    exp: now + LIMITS.auth.fileDownloadTokenTtlSeconds,
+  };
+
+  const encoder = new TextEncoder();
+  const headerB64 = base64UrlEncode(encoder.encode(JSON.stringify(header)));
+  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
+  const data = `${headerB64}.${payloadB64}`;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+
+  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
+  return `${data}.${signatureB64}`;
+}
+
+export async function verifySendFileDownloadToken(
+  token: string,
+  secret: string
+): Promise<SendFileDownloadClaims | null> {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const encoder = new TextEncoder();
+
+    const key = await crypto.subtle.importKey(
+      'raw',
+      encoder.encode(secret),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = base64UrlDecode(signatureB64);
+    const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(data));
+    if (!valid) return null;
+
+    const payload: SendFileDownloadClaims = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+    if (
+      typeof payload.sendId !== 'string' ||
+      typeof payload.fileId !== 'string' ||
+      typeof payload.jti !== 'string' ||
+      !payload.jti ||
+      typeof payload.exp !== 'number'
+    ) {
+      return null;
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) return null;
+
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+export async function createSendFileUploadToken(
+  userId: string,
+  sendId: string,
+  fileId: string,
+  secret: string
+): Promise<string> {
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const now = Math.floor(Date.now() / 1000);
+  const payload: SendFileUploadClaims = {
+    userId,
+    sendId,
+    fileId,
+    exp: now + LIMITS.auth.fileDownloadTokenTtlSeconds,
+  };
+
+  const encoder = new TextEncoder();
+  const headerB64 = base64UrlEncode(encoder.encode(JSON.stringify(header)));
+  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
+  const data = `${headerB64}.${payloadB64}`;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+
+  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
+  return `${data}.${signatureB64}`;
+}
+
+export async function verifySendFileUploadToken(
+  token: string,
+  secret: string
+): Promise<SendFileUploadClaims | null> {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const encoder = new TextEncoder();
+
+    const key = await crypto.subtle.importKey(
+      'raw',
+      encoder.encode(secret),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = base64UrlDecode(signatureB64);
+    const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(data));
+    if (!valid) return null;
+
+    const payload: SendFileUploadClaims = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) return null;
+    if (!payload.userId || !payload.sendId || !payload.fileId) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+export interface SendAccessTokenClaims {
+  sub: string; // send id
+  typ: 'send_access';
+  iat: number;
+  exp: number;
+}
+
+export async function createSendAccessToken(sendId: string, secret: string): Promise<string> {
+  const header = { alg: 'HS256', typ: 'JWT' };
+  const now = Math.floor(Date.now() / 1000);
+  const payload: SendAccessTokenClaims = {
+    sub: sendId,
+    typ: 'send_access',
+    iat: now,
+    exp: now + LIMITS.auth.sendAccessTokenTtlSeconds,
+  };
+
+  const encoder = new TextEncoder();
+  const headerB64 = base64UrlEncode(encoder.encode(JSON.stringify(header)));
+  const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
+  const data = `${headerB64}.${payloadB64}`;
+
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+  const signatureB64 = base64UrlEncode(new Uint8Array(signature));
+  return `${data}.${signatureB64}`;
+}
+
+export async function verifySendAccessToken(token: string, secret: string): Promise<SendAccessTokenClaims | null> {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const encoder = new TextEncoder();
+
+    const key = await crypto.subtle.importKey(
+      'raw',
+      encoder.encode(secret),
+      { name: 'HMAC', hash: 'SHA-256' },
+      false,
+      ['verify']
+    );
+
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = base64UrlDecode(signatureB64);
+    const valid = await crypto.subtle.verify('HMAC', key, signature, encoder.encode(data));
+    if (!valid) return null;
+
+    const payload: SendAccessTokenClaims = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) return null;
+    if (payload.typ !== 'send_access') return null;
+    if (!payload.sub) return null;
+    return payload;
+  } catch {
+    return null;
+  }
+}
@@ -0,0 +1,36 @@
+const RECOVERY_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+const RECOVERY_ALPHABET_LENGTH = RECOVERY_ALPHABET.length;
+const RECOVERY_MAX_UNBIASED_BYTE = Math.floor(256 / RECOVERY_ALPHABET_LENGTH) * RECOVERY_ALPHABET_LENGTH;
+
+function normalizeRecoveryCode(raw: string): string {
+  return String(raw || '').toUpperCase().replace(/[^A-Z2-7]/g, '');
+}
+
+function formatRecoveryCode(compact: string): string {
+  return compact.replace(/(.{4})/g, '$1 ').trim();
+}
+
+export function createRecoveryCode(): string {
+  let compact = '';
+  while (compact.length < 32) {
+    const bytes = crypto.getRandomValues(new Uint8Array(32));
+    for (const b of bytes) {
+      if (b >= RECOVERY_MAX_UNBIASED_BYTE) continue;
+      compact += RECOVERY_ALPHABET[b % RECOVERY_ALPHABET_LENGTH];
+      if (compact.length >= 32) break;
+    }
+  }
+  return formatRecoveryCode(compact.slice(0, 32));
+}
+
+export function recoveryCodeEquals(input: string, storedCode: string | null | undefined): boolean {
+  if (!storedCode) return false;
+  const a = new TextEncoder().encode(normalizeRecoveryCode(input));
+  const b = new TextEncoder().encode(normalizeRecoveryCode(storedCode));
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a[i] ^ b[i];
+  }
+  return diff === 0;
+}
@@ -1,41 +1,48 @@
 import { LIMITS } from '../config/limits';

 const CORS_METHODS = 'GET, POST, PUT, DELETE, PATCH, OPTIONS';
-const CORS_HEADERS = 'Content-Type, Authorization, Accept, Device-Type, Bitwarden-Client-Name, Bitwarden-Client-Version, X-Request-Email, X-Device-Identifier, X-Device-Name';
-
-function isTrustedClientOrigin(origin: string): boolean {
-  // Official browser extension / desktop-webview common origins.
-  if (origin === 'null') return true;
-  if (origin.startsWith('chrome-extension://')) return true;
-  if (origin.startsWith('moz-extension://')) return true;
-  if (origin.startsWith('safari-web-extension://')) return true;
-  if (origin.startsWith('app://')) return true;
-  if (origin.startsWith('capacitor://')) return true;
-  if (origin.startsWith('ionic://')) return true;
-  return false;
-}
+const DEFAULT_CORS_HEADERS = [
+  'Content-Type',
+  'Authorization',
+  'Accept',
+  'Device-Type',
+  'Device-Identifier',
+  'Device-Name',
+  'Bitwarden-Client-Name',
+  'Bitwarden-Client-Version',
+  'Bitwarden-Package-Type',
+  'Is-Prerelease',
+  'X-Request-Email',
+  'X-Device-Identifier',
+  'X-Device-Name',
+];

 function getAllowedOrigin(request: Request): string | null {
  const origin = request.headers.get('Origin');
-  if (!origin) return null;
-
-  const targetOrigin = new URL(request.url).origin;
-  if (origin === targetOrigin) return origin;
-  if (isTrustedClientOrigin(origin)) return origin;
-  return null;
+  if (!origin) return '*';
+  return origin;
 }

 function buildCorsHeaders(request: Request): Record<string, string> {
+  const requestedHeaders = String(request.headers.get('Access-Control-Request-Headers') || '')
+    .split(',')
+    .map((value) => value.trim())
+    .filter(Boolean);
+  const allowHeaders = Array.from(new Set([...DEFAULT_CORS_HEADERS, ...requestedHeaders]));
+
  const headers: Record<string, string> = {
    'Access-Control-Allow-Methods': CORS_METHODS,
-    'Access-Control-Allow-Headers': CORS_HEADERS,
+    'Access-Control-Allow-Headers': allowHeaders.join(', '),
+    'Access-Control-Expose-Headers': '*',
    'Access-Control-Max-Age': String(LIMITS.cors.preflightMaxAgeSeconds),
+    'Access-Control-Allow-Private-Network': 'true',
  };

  const allowedOrigin = getAllowedOrigin(request);
  if (allowedOrigin) {
    headers['Access-Control-Allow-Origin'] = allowedOrigin;
-    headers['Vary'] = 'Origin';
+    headers['Access-Control-Allow-Credentials'] = 'true';
+    headers['Vary'] = 'Origin, Access-Control-Request-Headers';
  }

  return headers;
@@ -45,11 +52,22 @@ export function applyCors(
  request: Request,
  response: Response
 ): Response {
+  // WebSocket upgrade responses must be returned untouched.
+  const webSocket = (response as Response & { webSocket?: unknown }).webSocket;
+  if (response.status === 101 || webSocket) {
+    return response;
+  }
+
  const headers = new Headers(response.headers);
  const corsHeaders = buildCorsHeaders(request);
  for (const [k, v] of Object.entries(corsHeaders)) {
    headers.set(k, v);
  }
+  // Security headers applied to every response.
+  headers.set('X-Frame-Options', 'DENY');
+  headers.set('X-Content-Type-Options', 'nosniff');
+  headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+  headers.set('Content-Security-Policy', "frame-ancestors 'none'; img-src 'self' data:");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
@@ -100,14 +118,6 @@ export function identityErrorResponse(message: string, error: string = 'invalid_

 // Handle CORS preflight
 export function handleCors(request: Request): Response {
-  const origin = request.headers.get('Origin');
-  if (origin) {
-    const allowedOrigin = getAllowedOrigin(request);
-    if (!allowedOrigin) {
-      return new Response(null, { status: 403 });
-    }
-  }
-
  return new Response(null, {
    status: 204,
    headers: buildCorsHeaders(request),
@@ -3,7 +3,16 @@ const TOTP_DIGITS = 6;
 const TOTP_WINDOW = 1; // allow previous/current/next step for small clock drift

 function normalizeBase32(input: string): string {
-  return input.toUpperCase().replace(/[\s-]/g, '').replace(/=+$/g, '');
+  const raw = String(input || '').toUpperCase();
+  let out = '';
+  for (const char of raw) {
+    if (char === ' ' || char === '\t' || char === '\n' || char === '\r' || char === '-') continue;
+    out += char;
+  }
+  while (out.endsWith('=')) {
+    out = out.slice(0, -1);
+  }
+  return out;
 }

 function base32Decode(input: string): Uint8Array | null {
@@ -69,11 +78,19 @@ export async function verifyTotpToken(secretRaw: string, tokenRaw: string, nowMs
  if (!secret) return false;

  const currentCounter = Math.floor(nowMs / 1000 / TOTP_STEP_SECONDS);
+  let matched = false;
  for (let delta = -TOTP_WINDOW; delta <= TOTP_WINDOW; delta++) {
    const expected = await hotp(secret, currentCounter + delta);
-    if (expected === token) return true;
+    // Constant-time comparison: always check all windows, never short-circuit.
+    const a = new TextEncoder().encode(expected);
+    const b = new TextEncoder().encode(token);
+    let diff = a.length ^ b.length;
+    for (let i = 0; i < a.length && i < b.length; i++) {
+      diff |= a[i] ^ b[i];
+    }
+    if (diff === 0) matched = true;
  }
-  return false;
+  return matched;
 }

 export function isTotpEnabled(secretRaw: string | undefined | null): boolean {
@@ -0,0 +1,70 @@
+import { User, UserDecryptionOptions } from '../types';
+
+function normalizeOptionalPublicKey(value: unknown): string {
+  if (value == null) return '';
+  return String(value);
+}
+
+export function buildAccountKeys(user: Pick<User, 'privateKey' | 'publicKey'>): Record<string, unknown> | null {
+  if (!user.privateKey) {
+    return null;
+  }
+
+  const publicKey = normalizeOptionalPublicKey(user.publicKey);
+
+  return {
+    publicKeyEncryptionKeyPair: {
+      wrappedPrivateKey: user.privateKey,
+      publicKey,
+      Object: 'publicKeyEncryptionKeyPair',
+    },
+    Object: 'privateKeys',
+  };
+}
+
+export function buildMasterPasswordUnlock(
+  user: Pick<User, 'email' | 'key' | 'kdfType' | 'kdfIterations' | 'kdfMemory' | 'kdfParallelism'>
+): UserDecryptionOptions['MasterPasswordUnlock'] {
+  return {
+    Kdf: {
+      KdfType: user.kdfType,
+      Iterations: user.kdfIterations,
+      Memory: user.kdfMemory ?? null,
+      Parallelism: user.kdfParallelism ?? null,
+    },
+    MasterKeyEncryptedUserKey: user.key,
+    MasterKeyWrappedUserKey: user.key,
+    Salt: user.email.toLowerCase(),
+    Object: 'masterPasswordUnlock',
+  };
+}
+
+export function buildUserDecryptionOptions(
+  user: Pick<User, 'email' | 'key' | 'kdfType' | 'kdfIterations' | 'kdfMemory' | 'kdfParallelism'>
+): UserDecryptionOptions {
+  return {
+    HasMasterPassword: true,
+    Object: 'userDecryptionOptions',
+    MasterPasswordUnlock: buildMasterPasswordUnlock(user),
+    TrustedDeviceOption: null,
+    KeyConnectorOption: null,
+  };
+}
+
+export function buildUserDecryptionCompat(
+  user: Pick<User, 'email' | 'key' | 'kdfType' | 'kdfIterations' | 'kdfMemory' | 'kdfParallelism'>
+): Record<string, unknown> {
+  return {
+    masterPasswordUnlock: {
+      kdf: {
+        kdfType: user.kdfType,
+        iterations: user.kdfIterations,
+        memory: user.kdfMemory ?? null,
+        parallelism: user.kdfParallelism ?? null,
+      },
+      masterKeyWrappedUserKey: user.key,
+      masterKeyEncryptedUserKey: user.key,
+      salt: user.email.toLowerCase(),
+    },
+  };
+}
@@ -15,6 +15,6 @@
    "noUnusedLocals": false,
    "noUnusedParameters": false
  },
-  "include": ["src/**/*"],
+  "include": ["src/**/*", "shared/**/*"],
  "exclude": ["node_modules"]
 }
@@ -0,0 +1,15 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' https://cloudflareinsights.com https://*.cloudflareinsights.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://cloudflareinsights.com https://*.cloudflareinsights.com; connect-src 'self' https://api.pwnedpasswords.com https://cloudflareinsights.com https://*.cloudflareinsights.com; font-src 'self'; form-action 'self'; base-uri 'self';" />
+    <link rel="icon" type="image/png" href="/favicon.ico" />
+    <link rel="apple-touch-icon" href="/apple-touch-icon.png" />
+    <title>NodeWarden</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>
@@ -0,0 +1,167 @@
+import { useState } from 'preact/hooks';
+import { ChevronLeft, ChevronRight, Clipboard, Plus, RefreshCw, Trash2, UserCheck, UserX } from 'lucide-preact';
+import { copyTextToClipboard } from '@/lib/clipboard';
+import type { AdminInvite, AdminUser } from '@/lib/types';
+import { t } from '@/lib/i18n';
+
+interface AdminPageProps {
+  currentUserId: string;
+  users: AdminUser[];
+  invites: AdminInvite[];
+  onRefresh: () => void;
+  onCreateInvite: (hours: number) => Promise<void>;
+  onDeleteAllInvites: () => Promise<void>;
+  onToggleUserStatus: (userId: string, currentStatus: 'active' | 'banned') => Promise<void>;
+  onDeleteUser: (userId: string) => Promise<void>;
+  onRevokeInvite: (code: string) => Promise<void>;
+}
+
+export default function AdminPage(props: AdminPageProps) {
+  const [inviteHours, setInviteHours] = useState(168);
+  const [page, setPage] = useState(1);
+  const pageSize = 20;
+  const formatExpiresAt = (x?: string) => (x ? new Date(x).toLocaleString() : t('txt_dash'));
+  const totalPages = Math.max(1, Math.ceil(props.invites.length / pageSize));
+  const safePage = Math.min(page, totalPages);
+  const pagedInvites = props.invites.slice((safePage - 1) * pageSize, safePage * pageSize);
+
+  const roleText = (role: string) => {
+    const normalized = String(role || '').toLowerCase();
+    if (normalized === 'admin') return t('txt_role_admin');
+    if (normalized === 'user') return t('txt_role_user');
+    return role || '-';
+  };
+
+  const statusText = (status: string) => {
+    const normalized = String(status || '').toLowerCase();
+    if (normalized === 'active') return t('txt_status_active');
+    if (normalized === 'banned') return t('txt_status_banned');
+    if (normalized === 'inactive') return t('txt_status_inactive');
+    return status || '-';
+  };
+
+  return (
+    <div className="stack">
+      <section className="card">
+        <h3>{t('txt_users')}</h3>
+        <table className="table">
+          <thead>
+            <tr>
+              <th>{t('txt_email')}</th>
+              <th>{t('txt_name')}</th>
+              <th>{t('txt_role')}</th>
+              <th>{t('txt_status')}</th>
+              <th>{t('txt_actions')}</th>
+            </tr>
+          </thead>
+          <tbody>
+            {props.users.map((user) => (
+              <tr key={user.id}>
+                <td data-label={t('txt_email')}>{user.email}</td>
+                <td data-label={t('txt_name')}>{user.name || t('txt_dash')}</td>
+                <td data-label={t('txt_role')}>{roleText(user.role)}</td>
+                <td data-label={t('txt_status')}>{statusText(user.status)}</td>
+                <td data-label={t('txt_actions')}>
+                  <div className="actions">
+                    <button
+                      type="button"
+                      className="btn btn-secondary"
+                      disabled={user.id === props.currentUserId}
+                      onClick={() => void props.onToggleUserStatus(user.id, user.status)}
+                    >
+                      {user.status === 'active' ? <UserX size={14} className="btn-icon" /> : <UserCheck size={14} className="btn-icon" />}
+                      {user.status === 'active' ? t('txt_ban') : t('txt_unban')}
+                    </button>
+                    {user.role !== 'admin' && (
+                      <button type="button" className="btn btn-danger" onClick={() => void props.onDeleteUser(user.id)}>
+                        <Trash2 size={14} className="btn-icon" />
+                        {t('txt_delete')}
+                      </button>
+                    )}
+                  </div>
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </section>
+
+      <section className="card">
+        <div className="section-head">
+          <h3>{t('txt_invites')}</h3>
+          <button type="button" className="btn btn-secondary" onClick={props.onRefresh}>
+            <RefreshCw size={14} className="btn-icon" /> {t('txt_sync')}
+          </button>
+        </div>
+        <div className="invite-toolbar">
+          <div className="actions invite-create-group">
+            <label className="field invite-hours-field">
+              <span>{t('txt_invite_validity_hours')}</span>
+              <input
+                className="input small"
+                type="number"
+                value={inviteHours}
+                min={1}
+                max={720}
+                onInput={(e) => setInviteHours(Number((e.currentTarget as HTMLInputElement).value || 168))}
+              />
+            </label>
+            <button type="button" className="btn btn-primary" onClick={() => void props.onCreateInvite(inviteHours)}>
+              <Plus size={14} className="btn-icon" />
+              {t('txt_create_timed_invite')}
+            </button>
+          </div>
+          <button type="button" className="btn btn-danger" onClick={() => void props.onDeleteAllInvites()}>
+            <Trash2 size={14} className="btn-icon" /> {t('txt_delete_all')}
+          </button>
+        </div>
+        <table className="table">
+          <thead>
+            <tr>
+              <th>{t('txt_code')}</th>
+              <th>{t('txt_status')}</th>
+              <th>{t('txt_expires_at')}</th>
+              <th className="invite-actions-head">{t('txt_actions')}</th>
+            </tr>
+          </thead>
+          <tbody>
+            {pagedInvites.map((invite) => (
+              <tr key={invite.code}>
+                <td data-label={t('txt_code')}>{invite.code}</td>
+                <td data-label={t('txt_status')}>{statusText(invite.status)}</td>
+                <td data-label={t('txt_expires_at')}>{formatExpiresAt(invite.expiresAt)}</td>
+                <td data-label={t('txt_actions')}>
+                  <div className="actions invite-row-actions">
+                    <button
+                      type="button"
+                      className="btn btn-secondary"
+                      onClick={() => void copyTextToClipboard(invite.inviteLink || '', { successMessage: t('txt_link_copied') })}
+                    >
+                      <Clipboard size={14} className="btn-icon" /> {t('txt_copy_link')}
+                    </button>
+                    {invite.status === 'active' && (
+                      <button type="button" className="btn btn-danger" onClick={() => void props.onRevokeInvite(invite.code)}>
+                        <Trash2 size={14} className="btn-icon" /> {t('txt_revoke')}
+                      </button>
+                    )}
+                  </div>
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+        <div className="actions">
+          <button type="button" className="btn btn-secondary small" disabled={safePage <= 1} onClick={() => setPage((p) => Math.max(1, p - 1))}>
+            <ChevronLeft size={14} className="btn-icon" />
+            {t('txt_prev')}
+          </button>
+          <span className="muted-inline">{safePage} / {totalPages}</span>
+          <button type="button" className="btn btn-secondary small" disabled={safePage >= totalPages} onClick={() => setPage((p) => Math.min(totalPages, p + 1))}>
+            {t('txt_next')}
+            <ChevronRight size={14} className="btn-icon" />
+          </button>
+        </div>
+      </section>
+    </div>
+  );
+}
@@ -0,0 +1,138 @@
+import { ArrowUpDown, Cloud, Clock3, Folder as FolderIcon, KeyRound, Lock, LogOut, Send as SendIcon, Settings as SettingsIcon, Shield, ShieldUser } from 'lucide-preact';
+import { Link } from 'wouter';
+import AppMainRoutes from '@/components/AppMainRoutes';
+import ThemeSwitch from '@/components/ThemeSwitch';
+import type { AppMainRoutesProps } from '@/components/AppMainRoutes';
+import { t } from '@/lib/i18n';
+import type { Profile } from '@/lib/types';
+
+interface AppAuthenticatedShellProps {
+  profile: Profile | null;
+  location: string;
+  mobilePrimaryRoute: string;
+  currentPageTitle: string;
+  showSidebarToggle: boolean;
+  sidebarToggleTitle: string;
+  settingsAccountRoute: string;
+  importRoute: string;
+  isImportRoute: boolean;
+  darkMode: boolean;
+  themeToggleTitle: string;
+  onLock: () => void;
+  onLogout: () => void;
+  onToggleTheme: () => void;
+  mainRoutesProps: AppMainRoutesProps;
+}
+
+export default function AppAuthenticatedShell(props: AppAuthenticatedShellProps) {
+  const routeAnimationKey = props.isImportRoute ? props.importRoute : props.location;
+
+  return (
+    <div className="app-page">
+      <div className="app-shell">
+        <header className="topbar">
+          <div className="brand">
+            <img src="/logo-64.png" alt="NodeWarden logo" className="brand-logo" />
+            <span className="brand-name">NodeWarden</span>
+            <span className="mobile-page-title">{props.currentPageTitle}</span>
+          </div>
+          <div className="topbar-actions">
+            <div className="user-chip">
+              <ShieldUser size={16} />
+              <span>{props.profile?.email}</span>
+            </div>
+            <ThemeSwitch checked={props.darkMode} title={props.themeToggleTitle} onToggle={props.onToggleTheme} />
+            <button type="button" className="btn btn-secondary small" onClick={props.onLock}>
+              <Lock size={14} className="btn-icon" /> {t('txt_lock')}
+            </button>
+            {props.showSidebarToggle && (
+              <button
+                type="button"
+                className="btn btn-secondary small mobile-sidebar-toggle"
+                aria-label={props.sidebarToggleTitle}
+                title={props.sidebarToggleTitle}
+                onClick={() => window.dispatchEvent(new CustomEvent('nodewarden:toggle-sidebar'))}
+              >
+                <FolderIcon size={16} className="btn-icon" />
+              </button>
+            )}
+            <div className="mobile-theme-btn">
+              <ThemeSwitch checked={props.darkMode} title={props.themeToggleTitle} onToggle={props.onToggleTheme} />
+            </div>
+            <button type="button" className="btn btn-secondary small mobile-lock-btn" aria-label={t('txt_lock')} title={t('txt_lock')} onClick={props.onLock}>
+              <Lock size={14} className="btn-icon" />
+            </button>
+            <button type="button" className="btn btn-secondary small" onClick={props.onLogout}>
+              <LogOut size={14} className="btn-icon" /> {t('txt_sign_out')}
+            </button>
+          </div>
+        </header>
+
+        <div className="app-main">
+          <aside className="app-side">
+            <Link href="/vault" className={`side-link ${props.location === '/vault' ? 'active' : ''}`}>
+              <KeyRound size={16} />
+              <span>{t('nav_my_vault')}</span>
+            </Link>
+            <Link href="/vault/totp" className={`side-link ${props.location === '/vault/totp' ? 'active' : ''}`}>
+              <Clock3 size={16} />
+              <span>{t('txt_verification_code')}</span>
+            </Link>
+            <Link href="/sends" className={`side-link ${props.location === '/sends' ? 'active' : ''}`}>
+              <SendIcon size={16} />
+              <span>{t('nav_sends')}</span>
+            </Link>
+            {props.profile?.role === 'admin' && (
+              <Link href="/admin" className={`side-link ${props.location === '/admin' ? 'active' : ''}`}>
+                <ShieldUser size={16} />
+                <span>{t('nav_admin_panel')}</span>
+              </Link>
+            )}
+            <Link href={props.settingsAccountRoute} className={`side-link ${props.location === props.settingsAccountRoute ? 'active' : ''}`}>
+              <SettingsIcon size={16} />
+              <span>{t('nav_account_settings')}</span>
+            </Link>
+            <Link href="/security/devices" className={`side-link ${props.location === '/security/devices' ? 'active' : ''}`}>
+              <Shield size={16} />
+              <span>{t('nav_device_management')}</span>
+            </Link>
+            {props.profile?.role === 'admin' && (
+              <Link href="/backup" className={`side-link ${props.location === '/backup' ? 'active' : ''}`}>
+                <Cloud size={16} />
+                <span>{t('nav_backup_strategy')}</span>
+              </Link>
+            )}
+            <Link href={props.importRoute} className={`side-link ${props.isImportRoute ? 'active' : ''}`}>
+              <ArrowUpDown size={14} />
+              <span>{t('nav_import_export')}</span>
+            </Link>
+          </aside>
+          <main className="content">
+            <div key={routeAnimationKey} className="route-stage">
+              <AppMainRoutes {...props.mainRoutesProps} />
+            </div>
+          </main>
+        </div>
+
+        <nav className="mobile-tabbar" aria-label={t('txt_menu')}>
+          <Link href="/vault" className={`mobile-tab ${props.mobilePrimaryRoute === '/vault' ? 'active' : ''}`}>
+            <KeyRound size={18} />
+            <span>{t('nav_my_vault')}</span>
+          </Link>
+          <Link href="/vault/totp" className={`mobile-tab ${props.mobilePrimaryRoute === '/vault/totp' ? 'active' : ''}`}>
+            <Clock3 size={18} />
+            <span>{t('txt_verification_code')}</span>
+          </Link>
+          <Link href="/sends" className={`mobile-tab ${props.mobilePrimaryRoute === '/sends' ? 'active' : ''}`}>
+            <SendIcon size={18} />
+            <span>{t('nav_sends')}</span>
+          </Link>
+          <Link href="/settings" className={`mobile-tab ${props.mobilePrimaryRoute === '/settings' ? 'active' : ''}`}>
+            <SettingsIcon size={18} />
+            <span>{t('txt_settings')}</span>
+          </Link>
+        </nav>
+      </div>
+    </div>
+  );
+}
@@ -0,0 +1,101 @@
+import ConfirmDialog from '@/components/ConfirmDialog';
+import ToastHost from '@/components/ToastHost';
+import { t } from '@/lib/i18n';
+import type { ToastMessage } from '@/lib/types';
+
+export interface AppConfirmState {
+  title: string;
+  message: string;
+  danger?: boolean;
+  showIcon?: boolean;
+  confirmText?: string;
+  cancelText?: string;
+  hideCancel?: boolean;
+  onConfirm: () => void;
+}
+
+interface AppGlobalOverlaysProps {
+  toasts: ToastMessage[];
+  onCloseToast: (id: string) => void;
+  confirm: AppConfirmState | null;
+  onCancelConfirm: () => void;
+  pendingTotpOpen: boolean;
+  totpCode: string;
+  rememberDevice: boolean;
+  onTotpCodeChange: (value: string) => void;
+  onRememberDeviceChange: (checked: boolean) => void;
+  onConfirmTotp: () => void;
+  onCancelTotp: () => void;
+  onUseRecoveryCode: () => void;
+  disableTotpOpen: boolean;
+  disableTotpPassword: string;
+  onDisableTotpPasswordChange: (value: string) => void;
+  onConfirmDisableTotp: () => void;
+  onCancelDisableTotp: () => void;
+}
+
+export default function AppGlobalOverlays(props: AppGlobalOverlaysProps) {
+  return (
+    <>
+      <ConfirmDialog
+        open={!!props.confirm}
+        title={props.confirm?.title || ''}
+        message={props.confirm?.message || ''}
+        danger={props.confirm?.danger}
+        showIcon={props.confirm?.showIcon}
+        confirmText={props.confirm?.confirmText}
+        cancelText={props.confirm?.cancelText}
+        hideCancel={props.confirm?.hideCancel}
+        onConfirm={() => props.confirm?.onConfirm()}
+        onCancel={props.onCancelConfirm}
+      />
+
+      <ConfirmDialog
+        open={props.pendingTotpOpen}
+        title={t('txt_two_step_verification')}
+        message={t('txt_password_is_already_verified')}
+        confirmText={t('txt_verify')}
+        cancelText={t('txt_cancel')}
+        showIcon={false}
+        onConfirm={props.onConfirmTotp}
+        onCancel={props.onCancelTotp}
+        afterActions={(
+          <div className="dialog-extra">
+            <div className="dialog-divider" />
+            <button type="button" className="btn btn-secondary dialog-btn" onClick={props.onUseRecoveryCode}>
+              {t('txt_use_recovery_code')}
+            </button>
+          </div>
+        )}
+      >
+        <label className="field">
+          <span>{t('txt_totp_code')}</span>
+          <input className="input" value={props.totpCode} autoComplete="one-time-code" onInput={(e) => props.onTotpCodeChange((e.currentTarget as HTMLInputElement).value)} />
+        </label>
+        <label className="check-line" style={{ marginBottom: 0 }}>
+          <input type="checkbox" checked={props.rememberDevice} onChange={(e) => props.onRememberDeviceChange((e.currentTarget as HTMLInputElement).checked)} />
+          <span>{t('txt_trust_this_device_for_30_days')}</span>
+        </label>
+      </ConfirmDialog>
+
+      <ConfirmDialog
+        open={props.disableTotpOpen}
+        title={t('txt_disable_totp')}
+        message={t('txt_enter_master_password_to_disable_two_step_verification')}
+        confirmText={t('txt_disable_totp')}
+        cancelText={t('txt_cancel')}
+        danger
+        showIcon={false}
+        onConfirm={props.onConfirmDisableTotp}
+        onCancel={props.onCancelDisableTotp}
+      >
+        <label className="field">
+          <span>{t('txt_master_password')}</span>
+          <input className="input" type="password" autoComplete="current-password" value={props.disableTotpPassword} onInput={(e) => props.onDisableTotpPasswordChange((e.currentTarget as HTMLInputElement).value)} />
+        </label>
+      </ConfirmDialog>
+
+      <ToastHost toasts={props.toasts} onClose={props.onCloseToast} />
+    </>
+  );
+}
@@ -0,0 +1,357 @@
+import { lazy, Suspense } from 'preact/compat';
+import { useEffect } from 'preact/hooks';
+import { Link, Route, Switch } from 'wouter';
+import { ArrowUpDown, Cloud, LogOut, Settings as SettingsIcon, Shield, ShieldUser } from 'lucide-preact';
+import type { ImportAttachmentFile, ImportResultSummary } from '@/components/ImportPage';
+import type { AdminBackupImportResponse, AdminBackupRunResponse, AdminBackupSettings, RemoteBackupBrowserResponse } from '@/lib/api/backup';
+import type { CiphersImportPayload } from '@/lib/api/vault';
+import { t } from '@/lib/i18n';
+import type { AdminInvite, AdminUser, AuthorizedDevice, Cipher, Folder as VaultFolder, Profile, Send, SendDraft, SessionState, VaultDraft } from '@/lib/types';
+import type { ExportRequest } from '@/lib/export-formats';
+
+const SendsPage = lazy(() => import('@/components/SendsPage'));
+const TotpCodesPage = lazy(() => import('@/components/TotpCodesPage'));
+const VaultPage = lazy(() => import('@/components/VaultPage'));
+const SettingsPage = lazy(() => import('@/components/SettingsPage'));
+const SecurityDevicesPage = lazy(() => import('@/components/SecurityDevicesPage'));
+const AdminPage = lazy(() => import('@/components/AdminPage'));
+const BackupCenterPage = lazy(() => import('@/components/BackupCenterPage'));
+const ImportPage = lazy(() => import('@/components/ImportPage'));
+
+function RouteContentFallback() {
+  return <div className="loading-screen">{t('txt_loading_nodewarden')}</div>;
+}
+
+function LegacyBackupRedirect(props: { onNavigate: (path: string) => void }) {
+  useEffect(() => {
+    props.onNavigate('/backup');
+  }, [props]);
+  return null;
+}
+
+export interface AppMainRoutesProps {
+  profile: Profile | null;
+  session: SessionState | null;
+  mobileLayout: boolean;
+  importRoute: string;
+  settingsHomeRoute: string;
+  settingsAccountRoute: string;
+  decryptedCiphers: Cipher[];
+  decryptedFolders: VaultFolder[];
+  decryptedSends: Send[];
+  ciphersLoading: boolean;
+  foldersLoading: boolean;
+  sendsLoading: boolean;
+  users: AdminUser[];
+  invites: AdminInvite[];
+  totpEnabled: boolean;
+  authorizedDevices: AuthorizedDevice[];
+  authorizedDevicesLoading: boolean;
+  onNavigate: (path: string) => void;
+  onLogout: () => void;
+  onNotify: (type: 'success' | 'error' | 'warning', text: string) => void;
+  onImport: (
+    payload: CiphersImportPayload,
+    options: { folderMode: 'original' | 'none' | 'target'; targetFolderId: string | null },
+    attachments?: ImportAttachmentFile[]
+  ) => Promise<ImportResultSummary>;
+  onImportEncryptedRaw: (
+    payload: CiphersImportPayload,
+    options: { folderMode: 'original' | 'none' | 'target'; targetFolderId: string | null },
+    attachments?: ImportAttachmentFile[]
+  ) => Promise<ImportResultSummary>;
+  onExport: (request: ExportRequest) => Promise<void>;
+  onCreateVaultItem: (draft: VaultDraft, attachments?: File[]) => Promise<void>;
+  onUpdateVaultItem: (cipher: Cipher, draft: VaultDraft, options?: { addFiles?: File[]; removeAttachmentIds?: string[] }) => Promise<void>;
+  onDeleteVaultItem: (cipher: Cipher) => Promise<void>;
+  onArchiveVaultItem: (cipher: Cipher) => Promise<void>;
+  onUnarchiveVaultItem: (cipher: Cipher) => Promise<void>;
+  onBulkDeleteVaultItems: (ids: string[]) => Promise<void>;
+  onBulkPermanentDeleteVaultItems: (ids: string[]) => Promise<void>;
+  onBulkRestoreVaultItems: (ids: string[]) => Promise<void>;
+  onBulkArchiveVaultItems: (ids: string[]) => Promise<void>;
+  onBulkUnarchiveVaultItems: (ids: string[]) => Promise<void>;
+  onBulkMoveVaultItems: (ids: string[], folderId: string | null) => Promise<void>;
+  onVerifyMasterPassword: (email: string, password: string) => Promise<void>;
+  onCreateFolder: (name: string) => Promise<void>;
+  onDeleteFolder: (folderId: string) => Promise<void>;
+  onBulkDeleteFolders: (folderIds: string[]) => Promise<void>;
+  onDownloadVaultAttachment: (cipher: Cipher, attachmentId: string) => Promise<void>;
+  downloadingAttachmentKey: string;
+  attachmentDownloadPercent: number | null;
+  uploadingAttachmentName: string;
+  attachmentUploadPercent: number | null;
+  onRefreshVault: () => Promise<void>;
+  onCreateSend: (draft: SendDraft, autoCopyLink: boolean) => Promise<void>;
+  onUpdateSend: (send: Send, draft: SendDraft, autoCopyLink: boolean) => Promise<void>;
+  onDeleteSend: (send: Send) => Promise<void>;
+  onBulkDeleteSends: (ids: string[]) => Promise<void>;
+  uploadingSendFileName: string;
+  sendUploadPercent: number | null;
+  onChangePassword: (currentPassword: string, nextPassword: string, nextPassword2: string) => Promise<void>;
+  onSavePasswordHint: (masterPasswordHint: string) => Promise<void>;
+  onEnableTotp: (secret: string, token: string) => Promise<void>;
+  onOpenDisableTotp: () => void;
+  onGetRecoveryCode: (masterPassword: string) => Promise<string>;
+  onRefreshAuthorizedDevices: () => Promise<void>;
+  onRevokeDeviceTrust: (device: AuthorizedDevice) => void;
+  onRemoveDevice: (device: AuthorizedDevice) => void;
+  onRevokeAllDeviceTrust: () => void;
+  onRemoveAllDevices: () => void;
+  onCreateInvite: (hours: number) => Promise<void>;
+  onRefreshAdmin: () => void;
+  onDeleteAllInvites: () => Promise<void>;
+  onToggleUserStatus: (userId: string, status: 'active' | 'banned') => Promise<void>;
+  onDeleteUser: (userId: string) => Promise<void>;
+  onRevokeInvite: (code: string) => Promise<void>;
+  onExportBackup: (includeAttachments?: boolean) => Promise<void>;
+  onImportBackup: (file: File, replaceExisting?: boolean) => Promise<AdminBackupImportResponse>;
+  onImportBackupAllowingChecksumMismatch: (file: File, replaceExisting?: boolean) => Promise<AdminBackupImportResponse>;
+  onLoadBackupSettings: () => Promise<AdminBackupSettings>;
+  onSaveBackupSettings: (settings: AdminBackupSettings) => Promise<AdminBackupSettings>;
+  onRunRemoteBackup: (destinationId?: string | null) => Promise<AdminBackupRunResponse>;
+  onListRemoteBackups: (destinationId: string, path: string) => Promise<RemoteBackupBrowserResponse>;
+  onDownloadRemoteBackup: (destinationId: string, path: string, onProgress?: (percent: number | null) => void) => Promise<void>;
+  onInspectRemoteBackup: (destinationId: string, path: string) => Promise<{ object: 'backup-remote-integrity'; destinationId: string; path: string; fileName: string; integrity: { hasChecksumPrefix: boolean; expectedPrefix: string | null; actualPrefix: string; matches: boolean } }>;
+  onDeleteRemoteBackup: (destinationId: string, path: string) => Promise<void>;
+  onRestoreRemoteBackup: (destinationId: string, path: string, replaceExisting?: boolean) => Promise<AdminBackupImportResponse>;
+  onRestoreRemoteBackupAllowingChecksumMismatch: (destinationId: string, path: string, replaceExisting?: boolean) => Promise<AdminBackupImportResponse>;
+}
+
+export default function AppMainRoutes(props: AppMainRoutesProps) {
+  const importRoutePaths = [props.importRoute, '/tools/import', '/tools/import-export', '/tools/import-data', '/import', '/import-export'] as const;
+  const importPageContent = (
+    <Suspense fallback={<RouteContentFallback />}>
+      <ImportPage
+        onImport={props.onImport}
+        onImportEncryptedRaw={props.onImportEncryptedRaw}
+        accountKeys={props.session?.symEncKey && props.session?.symMacKey ? { encB64: props.session.symEncKey, macB64: props.session.symMacKey } : null}
+        onNotify={props.onNotify}
+        folders={props.decryptedFolders}
+        onExport={props.onExport}
+      />
+    </Suspense>
+  );
+
+  const renderImportPageRoute = () => (
+    <div className="stack">
+      {props.mobileLayout && (
+        <div className="mobile-settings-subhead">
+          <button type="button" className="btn btn-secondary small mobile-settings-back" onClick={() => props.onNavigate(props.settingsHomeRoute)}>
+            <span className="btn-icon" aria-hidden="true">{"<"}</span>
+            {t('txt_back')}
+          </button>
+        </div>
+      )}
+      {importPageContent}
+    </div>
+  );
+
+  return (
+    <Switch>
+      <Route path="/sends">
+        <Suspense fallback={<RouteContentFallback />}>
+          <SendsPage
+            sends={props.decryptedSends}
+            loading={props.sendsLoading}
+            onRefresh={props.onRefreshVault}
+            onCreate={props.onCreateSend}
+            onUpdate={props.onUpdateSend}
+            onDelete={props.onDeleteSend}
+            onBulkDelete={props.onBulkDeleteSends}
+            uploadingSendFileName={props.uploadingSendFileName}
+            sendUploadPercent={props.sendUploadPercent}
+            onNotify={props.onNotify}
+          />
+        </Suspense>
+      </Route>
+      <Route path="/vault/totp">
+        <Suspense fallback={<RouteContentFallback />}>
+          <TotpCodesPage ciphers={props.decryptedCiphers} loading={props.ciphersLoading} onNotify={props.onNotify} />
+        </Suspense>
+      </Route>
+      <Route path="/vault">
+        <Suspense fallback={<RouteContentFallback />}>
+          <VaultPage
+            ciphers={props.decryptedCiphers}
+            folders={props.decryptedFolders}
+            loading={props.ciphersLoading || props.foldersLoading}
+            emailForReprompt={props.profile?.email || props.session?.email || ''}
+            onRefresh={props.onRefreshVault}
+            onCreate={props.onCreateVaultItem}
+            onUpdate={props.onUpdateVaultItem}
+            onDelete={props.onDeleteVaultItem}
+            onArchive={props.onArchiveVaultItem}
+            onUnarchive={props.onUnarchiveVaultItem}
+            onBulkDelete={props.onBulkDeleteVaultItems}
+            onBulkPermanentDelete={props.onBulkPermanentDeleteVaultItems}
+            onBulkRestore={props.onBulkRestoreVaultItems}
+            onBulkArchive={props.onBulkArchiveVaultItems}
+            onBulkUnarchive={props.onBulkUnarchiveVaultItems}
+            onBulkMove={props.onBulkMoveVaultItems}
+            onVerifyMasterPassword={props.onVerifyMasterPassword}
+            onNotify={props.onNotify}
+            onCreateFolder={props.onCreateFolder}
+            onDeleteFolder={props.onDeleteFolder}
+            onBulkDeleteFolders={props.onBulkDeleteFolders}
+            onDownloadAttachment={props.onDownloadVaultAttachment}
+            downloadingAttachmentKey={props.downloadingAttachmentKey}
+            attachmentDownloadPercent={props.attachmentDownloadPercent}
+            uploadingAttachmentName={props.uploadingAttachmentName}
+            attachmentUploadPercent={props.attachmentUploadPercent}
+          />
+        </Suspense>
+      </Route>
+      <Route path={props.settingsAccountRoute}>
+        {props.profile && (
+          <div className="stack">
+            {props.mobileLayout && (
+              <div className="mobile-settings-subhead">
+                <button type="button" className="btn btn-secondary small mobile-settings-back" onClick={() => props.onNavigate(props.settingsHomeRoute)}>
+                  <span className="btn-icon" aria-hidden="true">{"<"}</span>
+                  {t('txt_back')}
+                </button>
+              </div>
+            )}
+            <Suspense fallback={<RouteContentFallback />}>
+              <SettingsPage
+                profile={props.profile}
+                totpEnabled={props.totpEnabled}
+                onChangePassword={props.onChangePassword}
+                onSavePasswordHint={props.onSavePasswordHint}
+                onEnableTotp={props.onEnableTotp}
+                onOpenDisableTotp={props.onOpenDisableTotp}
+                onGetRecoveryCode={props.onGetRecoveryCode}
+                onNotify={props.onNotify}
+              />
+            </Suspense>
+          </div>
+        )}
+      </Route>
+      <Route path="/settings">
+        {props.profile && (
+          <section className="card mobile-settings-card">
+            <div className="mobile-settings-links">
+              <Link href={props.settingsAccountRoute} className="mobile-settings-link">
+                <SettingsIcon size={18} />
+                <span>{t('nav_account_settings')}</span>
+              </Link>
+              <Link href="/security/devices" className="mobile-settings-link">
+                <Shield size={18} />
+                <span>{t('nav_device_management')}</span>
+              </Link>
+              <Link href={props.importRoute} className="mobile-settings-link">
+                <ArrowUpDown size={18} />
+                <span>{t('nav_import_export')}</span>
+              </Link>
+              {props.profile.role === 'admin' && (
+                <Link href="/admin" className="mobile-settings-link">
+                  <ShieldUser size={18} />
+                  <span>{t('nav_admin_panel')}</span>
+                </Link>
+              )}
+              {props.profile.role === 'admin' && (
+                <Link href="/backup" className="mobile-settings-link">
+                  <Cloud size={18} />
+                  <span>{t('nav_backup_strategy')}</span>
+                </Link>
+              )}
+            </div>
+            <button type="button" className="btn btn-secondary mobile-settings-logout" onClick={props.onLogout}>
+              <LogOut size={14} className="btn-icon" />
+              {t('txt_sign_out')}
+            </button>
+          </section>
+        )}
+      </Route>
+      <Route path="/security/devices">
+        <div className="stack">
+          {props.mobileLayout && (
+            <div className="mobile-settings-subhead">
+              <button type="button" className="btn btn-secondary small mobile-settings-back" onClick={() => props.onNavigate(props.settingsHomeRoute)}>
+                <span className="btn-icon" aria-hidden="true">{"<"}</span>
+                {t('txt_back')}
+              </button>
+            </div>
+          )}
+          <Suspense fallback={<RouteContentFallback />}>
+            <SecurityDevicesPage
+              devices={props.authorizedDevices}
+              loading={props.authorizedDevicesLoading}
+              onRefresh={() => void props.onRefreshAuthorizedDevices()}
+              onRevokeTrust={props.onRevokeDeviceTrust}
+              onRemoveDevice={props.onRemoveDevice}
+              onRevokeAll={props.onRevokeAllDeviceTrust}
+              onRemoveAll={props.onRemoveAllDevices}
+            />
+          </Suspense>
+        </div>
+      </Route>
+      <Route path="/admin">
+        <div className="stack">
+          {props.mobileLayout && (
+            <div className="mobile-settings-subhead">
+              <button type="button" className="btn btn-secondary small mobile-settings-back" onClick={() => props.onNavigate(props.settingsHomeRoute)}>
+                <span className="btn-icon" aria-hidden="true">{"<"}</span>
+                {t('txt_back')}
+              </button>
+            </div>
+          )}
+          <Suspense fallback={<RouteContentFallback />}>
+            <AdminPage
+              currentUserId={props.profile?.id || ''}
+              users={props.users}
+              invites={props.invites}
+              onRefresh={props.onRefreshAdmin}
+              onCreateInvite={props.onCreateInvite}
+              onDeleteAllInvites={props.onDeleteAllInvites}
+              onToggleUserStatus={props.onToggleUserStatus}
+              onDeleteUser={props.onDeleteUser}
+              onRevokeInvite={props.onRevokeInvite}
+            />
+          </Suspense>
+        </div>
+      </Route>
+      {importRoutePaths.map((path) => (
+        <Route key={path} path={path}>
+          {renderImportPageRoute()}
+        </Route>
+      ))}
+      <Route path="/help">
+        <LegacyBackupRedirect onNavigate={props.onNavigate} />
+      </Route>
+      <Route path="/backup">
+        {props.profile?.role === 'admin' ? (
+          <div className="stack">
+            {props.mobileLayout && (
+              <div className="mobile-settings-subhead">
+                <button type="button" className="btn btn-secondary small mobile-settings-back" onClick={() => props.onNavigate(props.settingsHomeRoute)}>
+                  <span className="btn-icon" aria-hidden="true">{"<"}</span>
+                  {t('txt_back')}
+                </button>
+              </div>
+            )}
+            <Suspense fallback={<RouteContentFallback />}>
+              <BackupCenterPage
+                currentUserId={props.profile?.id || null}
+                onExport={props.onExportBackup}
+                onImport={props.onImportBackup}
+                onImportAllowingChecksumMismatch={props.onImportBackupAllowingChecksumMismatch}
+                onLoadSettings={props.onLoadBackupSettings}
+                onListRemoteBackups={props.onListRemoteBackups}
+                onDownloadRemoteBackup={props.onDownloadRemoteBackup}
+                onInspectRemoteBackup={props.onInspectRemoteBackup}
+                onDeleteRemoteBackup={props.onDeleteRemoteBackup}
+                onRestoreRemoteBackup={props.onRestoreRemoteBackup}
+                onRestoreRemoteBackupAllowingChecksumMismatch={props.onRestoreRemoteBackupAllowingChecksumMismatch}
+                onSaveSettings={props.onSaveBackupSettings}
+                onRunRemoteBackup={props.onRunRemoteBackup}
+                onNotify={props.onNotify}
+              />
+            </Suspense>
+          </div>
+        ) : null}
+      </Route>
+    </Switch>
+  );
+}
@@ -0,0 +1,255 @@
+import { useState } from 'preact/hooks';
+import { ArrowLeft, Eye, EyeOff, LogIn, LogOut, Unlock, UserPlus } from 'lucide-preact';
+import StandalonePageFrame from '@/components/StandalonePageFrame';
+import { t } from '@/lib/i18n';
+
+interface LoginValues {
+  email: string;
+  password: string;
+}
+
+interface RegisterValues {
+  name: string;
+  email: string;
+  password: string;
+  password2: string;
+  passwordHint: string;
+  inviteCode: string;
+}
+
+interface AuthViewsProps {
+  mode: 'login' | 'register' | 'locked';
+  pendingAction: 'login' | 'register' | 'unlock' | null;
+  unlockReady: boolean;
+  loginValues: LoginValues;
+  registerValues: RegisterValues;
+  unlockPassword: string;
+  emailForLock: string;
+  loginHintLoading: boolean;
+  onChangeLogin: (next: LoginValues) => void;
+  onChangeRegister: (next: RegisterValues) => void;
+  onChangeUnlock: (password: string) => void;
+  onSubmitLogin: () => void;
+  onSubmitRegister: () => void;
+  onSubmitUnlock: () => void;
+  onGotoLogin: () => void;
+  onGotoRegister: () => void;
+  onLogout: () => void;
+  onTogglePasswordHint: () => void;
+  onShowLockedPasswordHint: () => void;
+}
+
+function PasswordField(props: {
+  label: string;
+  value: string;
+  onInput: (v: string) => void;
+  autoFocus?: boolean;
+  autoComplete?: string;
+}) {
+  const [show, setShow] = useState(false);
+  return (
+    <label className="field">
+      <span>{props.label}</span>
+      <div className="password-wrap">
+        <input
+          className="input"
+          type={show ? 'text' : 'password'}
+          value={props.value}
+          onInput={(e) => props.onInput((e.currentTarget as HTMLInputElement).value)}
+          autoFocus={props.autoFocus}
+          autoComplete={props.autoComplete}
+        />
+        <button type="button" className="eye-btn" onClick={() => setShow((v) => !v)}>
+          {show ? <EyeOff size={16} /> : <Eye size={16} />}
+        </button>
+      </div>
+    </label>
+  );
+}
+
+export default function AuthViews(props: AuthViewsProps) {
+  const loginBusy = props.pendingAction === 'login';
+  const registerBusy = props.pendingAction === 'register';
+  const unlockBusy = props.pendingAction === 'unlock';
+
+  if (props.mode === 'locked') {
+    return (
+      <div className="auth-page">
+        <StandalonePageFrame title={t('txt_unlock_vault')}>
+          <form
+            onSubmit={(e) => {
+              e.preventDefault();
+              props.onSubmitUnlock();
+            }}
+          >
+            <p className="muted standalone-muted">{props.emailForLock}</p>
+            <input type="text" value={props.emailForLock} autoComplete="username" readOnly hidden tabIndex={-1} aria-hidden="true" />
+            <PasswordField
+              label={t('txt_master_password')}
+              value={props.unlockPassword}
+              autoFocus
+              autoComplete="current-password"
+              onInput={props.onChangeUnlock}
+            />
+            <div className="auth-support-row">
+              <span />
+              <button
+                type="button"
+                className="auth-link-btn"
+                onClick={props.onShowLockedPasswordHint}
+                disabled={unlockBusy}
+              >
+                {t('txt_show_password_hint')}
+              </button>
+            </div>
+            <button type="submit" className="btn btn-primary full" disabled={unlockBusy || !props.unlockReady}>
+              <Unlock size={16} className="btn-icon" />
+              {unlockBusy ? t('txt_unlocking') : t('txt_unlock')}
+            </button>
+            <div className="or">{t('txt_or')}</div>
+            <button type="button" className="btn btn-secondary full" onClick={props.onLogout} disabled={unlockBusy}>
+              <LogOut size={16} className="btn-icon" />
+              {t('txt_log_out')}
+            </button>
+          </form>
+        </StandalonePageFrame>
+      </div>
+    );
+  }
+
+  if (props.mode === 'register') {
+    return (
+      <div className="auth-page">
+        <StandalonePageFrame title={t('txt_create_account')}>
+          <form
+            onSubmit={(e) => {
+              e.preventDefault();
+              props.onSubmitRegister();
+            }}
+          >
+            <label className="field">
+              <span>{t('txt_name')}</span>
+              <input
+                className="input"
+                value={props.registerValues.name}
+                autoComplete="name"
+                onInput={(e) =>
+                  props.onChangeRegister({ ...props.registerValues, name: (e.currentTarget as HTMLInputElement).value })
+                }
+              />
+            </label>
+            <label className="field">
+              <span>{t('txt_email')}</span>
+              <input
+                className="input"
+                type="email"
+                value={props.registerValues.email}
+                autoComplete="email"
+                onInput={(e) =>
+                  props.onChangeRegister({ ...props.registerValues, email: (e.currentTarget as HTMLInputElement).value })
+                }
+              />
+            </label>
+            <PasswordField
+              label={t('txt_master_password')}
+              value={props.registerValues.password}
+              autoComplete="new-password"
+              onInput={(v) => props.onChangeRegister({ ...props.registerValues, password: v })}
+            />
+            <PasswordField
+              label={t('txt_confirm_master_password')}
+              value={props.registerValues.password2}
+              autoComplete="new-password"
+              onInput={(v) => props.onChangeRegister({ ...props.registerValues, password2: v })}
+            />
+            <label className="field">
+              <span>{t('txt_password_hint_optional')}</span>
+              <input
+                className="input"
+                maxLength={120}
+                value={props.registerValues.passwordHint}
+                placeholder={t('txt_password_hint_register_placeholder')}
+                onInput={(e) =>
+                  props.onChangeRegister({ ...props.registerValues, passwordHint: (e.currentTarget as HTMLInputElement).value })
+                }
+              />
+            </label>
+            <label className="field">
+              <span>{t('txt_invite_code_optional')}</span>
+              <input
+                className="input"
+                value={props.registerValues.inviteCode}
+                autoComplete="off"
+                onInput={(e) =>
+                  props.onChangeRegister({ ...props.registerValues, inviteCode: (e.currentTarget as HTMLInputElement).value })
+                }
+              />
+            </label>
+            <button type="submit" className="btn btn-primary full" disabled={registerBusy}>
+              <UserPlus size={16} className="btn-icon" />
+              {registerBusy ? t('txt_registering') : t('txt_create_account')}
+            </button>
+            <div className="or">{t('txt_or')}</div>
+            <button type="button" className="btn btn-secondary full" onClick={props.onGotoLogin} disabled={registerBusy}>
+              <ArrowLeft size={16} className="btn-icon" />
+              {t('txt_back_to_login')}
+            </button>
+          </form>
+        </StandalonePageFrame>
+      </div>
+    );
+  }
+
+  return (
+    <div className="auth-page">
+      <StandalonePageFrame title={t('txt_log_in')}>
+        <form
+          onSubmit={(e) => {
+            e.preventDefault();
+            props.onSubmitLogin();
+          }}
+        >
+          <label className="field">
+            <span>{t('txt_email')}</span>
+            <input
+              className="input"
+              type="email"
+              value={props.loginValues.email}
+              autoComplete="username"
+              onInput={(e) => props.onChangeLogin({ ...props.loginValues, email: (e.currentTarget as HTMLInputElement).value })}
+            />
+          </label>
+          <PasswordField
+            label={t('txt_master_password')}
+            value={props.loginValues.password}
+            autoComplete="current-password"
+            onInput={(v) => props.onChangeLogin({ ...props.loginValues, password: v })}
+            autoFocus
+          />
+          <div className="auth-support-row">
+            <span />
+            <button
+              type="button"
+              className="auth-link-btn"
+              onClick={props.onTogglePasswordHint}
+              disabled={loginBusy || !props.loginValues.email.trim()}
+            >
+              {props.loginHintLoading
+                ? t('txt_loading_password_hint')
+                : t('txt_show_password_hint')}
+            </button>
+          </div>
+          <button type="submit" className="btn btn-primary full" disabled={loginBusy}>
+            <LogIn size={16} className="btn-icon" />
+            {loginBusy ? t('txt_logging_in') : t('txt_log_in')}
+          </button>
+          <div className="or">{t('txt_or')}</div>
+          <button type="button" className="btn btn-secondary full" onClick={props.onGotoRegister} disabled={loginBusy}>
+            <UserPlus size={16} className="btn-icon" />
+            {t('txt_create_account')}
+          </button>
+        </form>
+      </StandalonePageFrame>
+    </div>
+  );
+}
@@ -0,0 +1,144 @@
+import { createPortal } from 'preact/compat';
+import { useEffect, useState } from 'preact/hooks';
+import type { ComponentChildren } from 'preact';
+import { TriangleAlert } from 'lucide-preact';
+import { t } from '@/lib/i18n';
+
+interface ConfirmDialogProps {
+  open: boolean;
+  title: string;
+  message: string;
+  variant?: 'default' | 'warning';
+  showIcon?: boolean;
+  confirmText?: string;
+  cancelText?: string;
+  danger?: boolean;
+  hideCancel?: boolean;
+  confirmDisabled?: boolean;
+  cancelDisabled?: boolean;
+  onConfirm: () => void;
+  onCancel: () => void;
+  children?: ComponentChildren;
+  afterActions?: ComponentChildren;
+}
+
+function incrementDialogBodyLock() {
+  if (typeof document === 'undefined') return;
+  const body = document.body;
+  const nextCount = Number(body.dataset.dialogCount || '0') + 1;
+  body.dataset.dialogCount = String(nextCount);
+  body.classList.add('dialog-open');
+}
+
+function decrementDialogBodyLock() {
+  if (typeof document === 'undefined') return;
+  const body = document.body;
+  const nextCount = Math.max(0, Number(body.dataset.dialogCount || '0') - 1);
+  if (nextCount === 0) {
+    delete body.dataset.dialogCount;
+    body.classList.remove('dialog-open');
+    return;
+  }
+  body.dataset.dialogCount = String(nextCount);
+}
+
+export function useDialogLifecycle(active: boolean, onCancel?: (() => void) | null) {
+  useEffect(() => {
+    if (!active) return;
+    incrementDialogBodyLock();
+    return () => decrementDialogBodyLock();
+  }, [active]);
+
+  useEffect(() => {
+    if (!active || !onCancel || typeof window === 'undefined') return;
+    const handleKeyDown = (event: KeyboardEvent) => {
+      if (event.key !== 'Escape') return;
+      event.preventDefault();
+      onCancel();
+    };
+    window.addEventListener('keydown', handleKeyDown);
+    return () => window.removeEventListener('keydown', handleKeyDown);
+  }, [active, onCancel]);
+}
+
+export default function ConfirmDialog(props: ConfirmDialogProps) {
+  const [present, setPresent] = useState(props.open);
+  const [closing, setClosing] = useState(false);
+  const canDismiss = !props.cancelDisabled && !closing && !props.hideCancel;
+
+  useEffect(() => {
+    if (props.open) {
+      setPresent(true);
+      setClosing(false);
+      return;
+    }
+    if (!present) return;
+    setClosing(true);
+    const timer = window.setTimeout(() => {
+      setPresent(false);
+      setClosing(false);
+    }, 240);
+    return () => window.clearTimeout(timer);
+  }, [props.open, present]);
+
+  useDialogLifecycle(present, canDismiss ? props.onCancel : null);
+
+  if (!present || typeof document === 'undefined') return null;
+  return createPortal((
+    <div
+      className={`dialog-mask ${props.variant === 'warning' ? 'warning' : ''} ${props.open && !closing ? 'open' : ''} ${closing ? 'closing' : ''}`}
+      onClick={(event) => {
+        if (event.target !== event.currentTarget || !canDismiss) return;
+        props.onCancel();
+      }}
+    >
+      <form
+        className={`dialog-card ${props.variant === 'warning' ? 'warning' : ''} ${props.open && !closing ? 'open' : ''} ${closing ? 'closing' : ''}`}
+        role="dialog"
+        aria-modal="true"
+        aria-label={props.title}
+        onSubmit={(e) => {
+          e.preventDefault();
+          if (props.confirmDisabled || closing) return;
+          props.onConfirm();
+        }}
+      >
+        {props.variant === 'warning' ? (
+          <>
+            <div className="dialog-warning-strip" aria-hidden="true" />
+            <div className="dialog-warning-head">
+              <div className="dialog-warning-badge" aria-hidden="true">
+                <TriangleAlert size={24} />
+              </div>
+              <div className="dialog-warning-kicker">{t('txt_warning')}</div>
+            </div>
+          </>
+        ) : null}
+        <h3 className="dialog-title">{props.title}</h3>
+        <div className={`dialog-message ${props.variant === 'warning' ? 'warning' : ''}`}>{props.message}</div>
+        {props.children}
+        <button
+          type="submit"
+          className={`btn ${props.danger ? 'btn-danger' : 'btn-primary'} dialog-btn`}
+          disabled={props.confirmDisabled}
+        >
+          {props.confirmText || t('txt_yes')}
+        </button>
+        {!props.hideCancel && (
+          <button
+            type="button"
+            className="btn btn-secondary dialog-btn"
+            disabled={props.cancelDisabled}
+            onClick={() => {
+              if (props.cancelDisabled) return;
+              props.onCancel();
+            }}
+          >
+            {props.cancelText || t('txt_no')}
+          </button>
+        )}
+        {props.afterActions}
+      </form>
+    </div>
+  ), document.body);
+}
@@ -0,0 +1,881 @@
+import { useState } from 'preact/hooks';
+import { argon2idAsync } from '@noble/hashes/argon2.js';
+import { createPortal } from 'preact/compat';
+import { strFromU8, unzipSync } from 'fflate';
+import { BlobReader, Uint8ArrayWriter, ZipReader, configure as configureZipJs } from '@zip.js/zip.js';
+import { Download, FileUp } from 'lucide-preact';
+import ConfirmDialog, { useDialogLifecycle } from '@/components/ConfirmDialog';
+import type { CiphersImportPayload } from '@/lib/api/vault';
+import {
+  type EncryptedJsonMode,
+  EXPORT_FORMATS,
+  type ExportFormatId,
+  type ExportRequest,
+} from '@/lib/export-formats';
+import {
+  parseImportPayloadBySource,
+} from '@/lib/import-formats';
+import { getFileAcceptBySource, IMPORT_SOURCES, type ImportSourceId } from '@/lib/import-format-sources';
+import {
+  type BitwardenJsonInput,
+  normalizeBitwardenEncryptedAccountImport,
+  normalizeBitwardenImport,
+} from '@/lib/import-formats-bitwarden';
+import { base64ToBytes, decryptStr, hkdfExpand, pbkdf2 } from '@/lib/crypto';
+import { t } from '@/lib/i18n';
+import type { Folder } from '@/lib/types';
+
+configureZipJs({ useWebWorkers: false });
+
+export interface ImportAttachmentFile {
+  sourceCipherId: string | null;
+  sourceCipherIndex: number | null;
+  fileName: string;
+  bytes: Uint8Array;
+}
+
+interface ImportPageProps {
+  onImport: (
+    payload: CiphersImportPayload,
+    options: { folderMode: 'original' | 'none' | 'target'; targetFolderId: string | null },
+    attachments?: ImportAttachmentFile[]
+  ) => Promise<ImportResultSummary>;
+  onImportEncryptedRaw: (
+    payload: CiphersImportPayload,
+    options: { folderMode: 'original' | 'none' | 'target'; targetFolderId: string | null },
+    attachments?: ImportAttachmentFile[]
+  ) => Promise<ImportResultSummary>;
+  accountKeys?: { encB64: string; macB64: string } | null;
+  onNotify: (type: 'success' | 'error', text: string) => void;
+  folders: Folder[];
+  onExport: (request: ExportRequest) => Promise<void>;
+}
+
+export interface ImportResultSummary {
+  totalItems: number;
+  folderCount: number;
+  typeCounts: Array<{ label: string; count: number }>;
+  attachmentCount: number;
+  importedAttachmentCount: number;
+  failedAttachments: Array<{ fileName: string; reason: string }>;
+}
+
+interface BitwardenPasswordProtectedInput extends BitwardenJsonInput {
+  encrypted: true;
+  passwordProtected: true;
+  salt?: string;
+  kdfIterations?: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
+  kdfType?: number;
+  data?: string;
+}
+
+const COMMON_IMPORT_SOURCE_IDS: ImportSourceId[] = [
+  'bitwarden_json',
+  'bitwarden_csv',
+  'bitwarden_zip',
+  'nodewarden_json',
+  'onepassword_1pux',
+  'onepassword_1pif',
+  'onepassword_mac_csv',
+  'onepassword_win_csv',
+  'protonpass_json',
+  'chrome',
+  'edge',
+  'brave',
+  'opera',
+  'vivaldi',
+  'firefox_csv',
+  'safari_csv',
+  'lastpass',
+  'dashlane_csv',
+  'dashlane_json',
+  'keepass_xml',
+  'keepassx_csv',
+];
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return !!value && typeof value === 'object';
+}
+
+function isPasswordProtectedExport(value: unknown): value is BitwardenPasswordProtectedInput {
+  return isRecord(value) && value.encrypted === true && value.passwordProtected === true;
+}
+
+async function derivePasswordProtectedFileKey(
+  parsed: BitwardenPasswordProtectedInput,
+  password: string
+): Promise<{ enc: Uint8Array; mac: Uint8Array }> {
+  const salt = String(parsed.salt || '').trim();
+  const iterations = Number(parsed.kdfIterations || 0);
+  const kdfType = Number(parsed.kdfType);
+  if (!salt || !Number.isFinite(iterations) || iterations <= 0) {
+    throw new Error(t('txt_import_invalid_password_protected_file'));
+  }
+
+  let keyMaterial: Uint8Array;
+  if (kdfType === 0) {
+    keyMaterial = await pbkdf2(password, salt, iterations, 32);
+  } else if (kdfType === 1) {
+    const memoryMiB = Number(parsed.kdfMemory || 0);
+    const parallelism = Number(parsed.kdfParallelism || 0);
+    if (!Number.isFinite(memoryMiB) || memoryMiB <= 0 || !Number.isFinite(parallelism) || parallelism <= 0) {
+      throw new Error(t('txt_invalid_argon2id_params'));
+    }
+    const memoryKiB = Math.floor(memoryMiB * 1024);
+    const maxmem = memoryKiB * 1024 + 1024 * 1024;
+    keyMaterial = await argon2idAsync(new TextEncoder().encode(password), new TextEncoder().encode(salt), {
+      t: Math.floor(iterations),
+      m: memoryKiB,
+      p: Math.floor(parallelism),
+      dkLen: 32,
+      maxmem,
+      asyncTick: 10,
+    });
+  } else {
+    throw new Error(t('txt_unsupported_kdf_type', { type: String(kdfType) }));
+  }
+
+  const enc = await hkdfExpand(keyMaterial, 'enc', 32);
+  const mac = await hkdfExpand(keyMaterial, 'mac', 32);
+  return { enc, mac };
+}
+
+async function decryptPasswordProtectedExport(parsed: BitwardenPasswordProtectedInput, password: string): Promise<unknown> {
+  if (!parsed.encKeyValidation_DO_NOT_EDIT || !parsed.data) {
+    throw new Error(t('txt_import_invalid_password_protected_file'));
+  }
+  const pass = String(password || '').trim();
+  if (!pass) {
+    throw new Error(t('txt_import_file_password_required'));
+  }
+
+  const key = await derivePasswordProtectedFileKey(parsed, pass);
+  try {
+    await decryptStr(parsed.encKeyValidation_DO_NOT_EDIT, key.enc, key.mac);
+  } catch {
+    throw new Error(t('txt_invalid_file_password'));
+  }
+
+  const plainJson = await decryptStr(parsed.data, key.enc, key.mac);
+  try {
+    return JSON.parse(plainJson);
+  } catch {
+    throw new Error(t('txt_import_decrypt_failed'));
+  }
+}
+
+function isZipPayload(bytes: Uint8Array): boolean {
+  return bytes.length >= 4 && bytes[0] === 0x50 && bytes[1] === 0x4b && bytes[2] === 0x03 && bytes[3] === 0x04;
+}
+
+function readZipText(bytes: Uint8Array, source: ImportSourceId): string {
+  const unzipped = unzipSync(bytes);
+  const fileNames = Object.keys(unzipped);
+  if (!fileNames.length) throw new Error(t('txt_import_empty_zip_archive'));
+
+  const preferred = source === 'onepassword_1pux' ? ['export.data', 'export.json'] : ['protonpass.json', 'export.json'];
+  for (const p of preferred) {
+    const hit = fileNames.find((n) => n.toLowerCase().endsWith(p.toLowerCase()));
+    if (hit) return strFromU8(unzipped[hit]);
+  }
+
+  const firstJson = fileNames.find((n) => n.toLowerCase().endsWith('.json') || n.toLowerCase().endsWith('.data'));
+  if (firstJson) return strFromU8(unzipped[firstJson]);
+  throw new Error(t('txt_import_no_json_found_in_zip'));
+}
+
+async function readImportText(file: File, source: ImportSourceId): Promise<string> {
+  if (source !== 'onepassword_1pux' && source !== 'protonpass_json') {
+    return file.text();
+  }
+  const bytes = new Uint8Array(await file.arrayBuffer());
+  if (isZipPayload(bytes)) return readZipText(bytes, source);
+  return new TextDecoder().decode(bytes);
+}
+
+interface PendingPasswordImportContext {
+  parsed: BitwardenPasswordProtectedInput;
+  source: 'bitwarden_json' | 'nodewarden_json' | 'bitwarden_zip';
+  attachments: ImportAttachmentFile[];
+}
+
+class ZipNeedsPasswordError extends Error {}
+class ZipInvalidPasswordError extends Error {}
+
+function looksLikeZipPasswordError(error: unknown): boolean {
+  const message = error instanceof Error ? String(error.message || '').toLowerCase() : '';
+  if (!message) return false;
+  return message.includes('password') || message.includes('encrypted');
+}
+
+async function readBitwardenZipPayload(
+  file: File,
+  passwordRaw: string
+): Promise<{ jsonText: string; attachments: ImportAttachmentFile[] }> {
+  const password = String(passwordRaw || '').trim();
+  const reader = new ZipReader(new BlobReader(file), { useWebWorkers: false });
+  try {
+    const entries = await reader.getEntries();
+    if (!entries.length) throw new Error(t('txt_import_empty_zip_archive'));
+
+    let jsonText = '';
+    const attachments: ImportAttachmentFile[] = [];
+    const options = password ? { password } : undefined;
+
+    for (const entry of entries) {
+      if (entry.directory) continue;
+      const name = String(entry.filename || '').trim().replace(/\\/g, '/');
+      if (!name) continue;
+
+      const bytes = await entry.getData(new Uint8ArrayWriter(), options);
+      const lower = name.toLowerCase();
+      if (lower === 'data.json') {
+        jsonText = new TextDecoder().decode(bytes);
+        continue;
+      }
+
+      const attachmentMatch = name.match(/^attachments\/([^/]+)\/(.+)$/i);
+      if (!attachmentMatch) continue;
+      const sourceCipherId = String(attachmentMatch[1] || '').trim() || null;
+      const fileName = String(attachmentMatch[2] || '').trim() || 'attachment.bin';
+      attachments.push({
+        sourceCipherId,
+        sourceCipherIndex: null,
+        fileName,
+        bytes,
+      });
+    }
+
+    if (!jsonText) throw new Error(t('txt_import_data_json_not_found'));
+    return { jsonText, attachments };
+  } catch (error) {
+    if (looksLikeZipPasswordError(error)) {
+      if (!password) throw new ZipNeedsPasswordError(t('txt_import_zip_password_required'));
+      throw new ZipInvalidPasswordError(t('txt_import_invalid_zip_password'));
+    }
+    if (!password && error instanceof Error && /invalid|corrupt|unsupported/.test(error.message.toLowerCase())) {
+      throw error;
+    }
+    throw error;
+  } finally {
+    await reader.close();
+  }
+}
+
+function parseNodeWardenAttachmentArray(raw: unknown): ImportAttachmentFile[] {
+  if (!Array.isArray(raw)) return [];
+  const out: ImportAttachmentFile[] = [];
+  for (const entry of raw) {
+    if (!entry || typeof entry !== 'object') continue;
+    const row = entry as Record<string, unknown>;
+    const fileName = String(row.fileName || '').trim() || 'attachment.bin';
+    const base64 = String(row.data || '').trim();
+    if (!base64) continue;
+    try {
+      const bytes = base64ToBytes(base64);
+      const sourceCipherId = String(row.cipherId || '').trim() || null;
+      const indexRaw = Number(row.cipherIndex);
+      out.push({
+        sourceCipherId,
+        sourceCipherIndex: Number.isFinite(indexRaw) ? indexRaw : null,
+        fileName,
+        bytes,
+      });
+    } catch {
+      // skip malformed attachment row
+    }
+  }
+  return out;
+}
+
+export default function ImportPage({ onImport, onImportEncryptedRaw, accountKeys, onNotify, folders, onExport }: ImportPageProps) {
+  const [source, setSource] = useState<ImportSourceId>('bitwarden_json');
+  const [file, setFile] = useState<File | null>(null);
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [isPasswordSubmitting, setIsPasswordSubmitting] = useState(false);
+  const [passwordDialogOpen, setPasswordDialogOpen] = useState(false);
+  const [importPassword, setImportPassword] = useState('');
+  const [pendingPasswordImport, setPendingPasswordImport] = useState<PendingPasswordImportContext | null>(null);
+  const [zipPasswordDialogOpen, setZipPasswordDialogOpen] = useState(false);
+  const [zipImportPassword, setZipImportPassword] = useState('');
+  const [pendingZipFile, setPendingZipFile] = useState<File | null>(null);
+  const [isZipPasswordSubmitting, setIsZipPasswordSubmitting] = useState(false);
+  const [folderMode, setFolderMode] = useState<'original' | 'none' | 'target'>('original');
+  const [targetFolderId, setTargetFolderId] = useState('');
+  const [exportFormat, setExportFormat] = useState<ExportFormatId>('bitwarden_json');
+  const [encryptedJsonMode, setEncryptedJsonMode] = useState<EncryptedJsonMode>('account');
+  const [exportPassword, setExportPassword] = useState('');
+  const [zipPassword, setZipPassword] = useState('');
+  const [isExporting, setIsExporting] = useState(false);
+  const [exportAuthDialogOpen, setExportAuthDialogOpen] = useState(false);
+  const [exportAuthPassword, setExportAuthPassword] = useState('');
+  const [importSummary, setImportSummary] = useState<ImportResultSummary | null>(null);
+
+  useDialogLifecycle(!!importSummary, importSummary ? () => setImportSummary(null) : null);
+  const commonSourceSet = new Set<ImportSourceId>(COMMON_IMPORT_SOURCE_IDS);
+  const commonSources = IMPORT_SOURCES.filter((item) => commonSourceSet.has(item.id as ImportSourceId));
+  const otherSources = IMPORT_SOURCES.filter((item) => !commonSourceSet.has(item.id as ImportSourceId));
+
+  async function runBitwardenJsonImport(parsed: unknown, attachments: ImportAttachmentFile[] = []): Promise<ImportResultSummary> {
+    if (isRecord(parsed) && parsed.encrypted === true) {
+      const accountEncrypted = parsed as BitwardenJsonInput;
+      if (!accountKeys?.encB64 || !accountKeys?.macB64) {
+        throw new Error(t('txt_vault_key_unavailable'));
+      }
+      const validation = String(accountEncrypted.encKeyValidation_DO_NOT_EDIT || '').trim();
+      if (!validation) throw new Error(t('txt_invalid_encrypted_export'));
+      const accountEncKey = base64ToBytes(accountKeys.encB64);
+      const accountMacKey = base64ToBytes(accountKeys.macB64);
+      try {
+        await decryptStr(validation, accountEncKey, accountMacKey);
+      } catch {
+        throw new Error(t('txt_export_belongs_to_another_account'));
+      }
+      return onImportEncryptedRaw(
+        normalizeBitwardenEncryptedAccountImport(accountEncrypted),
+        {
+          folderMode,
+          targetFolderId: folderMode === 'target' ? targetFolderId || null : null,
+        },
+        attachments
+      );
+    }
+    return onImport(
+      normalizeBitwardenImport(parsed),
+      {
+        folderMode,
+        targetFolderId: folderMode === 'target' ? targetFolderId || null : null,
+      },
+      attachments
+    );
+  }
+
+  async function extractNodeWardenAttachments(parsed: unknown): Promise<ImportAttachmentFile[]> {
+    if (!isRecord(parsed)) return [];
+    const direct = parseNodeWardenAttachmentArray(parsed.nodewardenAttachments);
+    if (direct.length) return direct;
+
+    const encryptedPayload = String(parsed.nodewardenAttachmentsEnc || '').trim();
+    if (!encryptedPayload) return [];
+    if (!accountKeys?.encB64 || !accountKeys?.macB64) {
+      throw new Error(t('txt_vault_key_unavailable'));
+    }
+    const accountEnc = base64ToBytes(accountKeys.encB64);
+    const accountMac = base64ToBytes(accountKeys.macB64);
+    const plain = await decryptStr(encryptedPayload, accountEnc, accountMac);
+    const unpacked = JSON.parse(plain) as Record<string, unknown>;
+    return parseNodeWardenAttachmentArray(unpacked.nodewardenAttachments);
+  }
+
+  async function runNodeWardenJsonImport(parsed: unknown, extraAttachments: ImportAttachmentFile[] = []): Promise<ImportResultSummary> {
+    const bundled = await extractNodeWardenAttachments(parsed);
+    return runBitwardenJsonImport(parsed, [...bundled, ...extraAttachments]);
+  }
+
+  async function processPasswordProtectedImport(ctx: PendingPasswordImportContext): Promise<ImportResultSummary> {
+    const parsed = await decryptPasswordProtectedExport(ctx.parsed, importPassword);
+    if (ctx.source === 'nodewarden_json') {
+      return runNodeWardenJsonImport(parsed, ctx.attachments);
+    }
+    return runBitwardenJsonImport(parsed, ctx.attachments);
+  }
+
+  async function handleSubmit() {
+    if (!file) {
+      onNotify('error', t('txt_please_select_a_file'));
+      return;
+    }
+
+    setIsSubmitting(true);
+    try {
+      if (source === 'bitwarden_zip') {
+        try {
+          const bundle = await readBitwardenZipPayload(file, '');
+          let parsed: unknown;
+          try {
+            parsed = JSON.parse(bundle.jsonText);
+          } catch {
+            throw new Error(t('txt_import_invalid_json_file'));
+          }
+          if (isPasswordProtectedExport(parsed)) {
+            setPendingPasswordImport({
+              parsed,
+              source: 'bitwarden_zip',
+              attachments: bundle.attachments,
+            });
+            setImportPassword('');
+            setPasswordDialogOpen(true);
+            return;
+          }
+          const summary = await runBitwardenJsonImport(parsed, bundle.attachments);
+          setImportSummary(summary);
+          setFile(null);
+          return;
+        } catch (error) {
+          if (error instanceof ZipNeedsPasswordError) {
+            setPendingZipFile(file);
+            setZipImportPassword('');
+            setZipPasswordDialogOpen(true);
+            return;
+          }
+          throw error;
+        }
+      }
+
+      const text = await readImportText(file, source);
+      if (source === 'bitwarden_json' || source === 'nodewarden_json') {
+        let parsed: unknown;
+        try {
+          parsed = JSON.parse(text);
+        } catch {
+          throw new Error(t('txt_import_invalid_json_file'));
+        }
+        if (isPasswordProtectedExport(parsed)) {
+          setPendingPasswordImport({
+            parsed,
+            source,
+            attachments: [],
+          });
+          setImportPassword('');
+          setPasswordDialogOpen(true);
+          return;
+        }
+        const summary =
+          source === 'nodewarden_json'
+            ? await runNodeWardenJsonImport(parsed)
+            : await runBitwardenJsonImport(parsed);
+        setImportSummary(summary);
+      } else {
+        const summary = await onImport(
+          parseImportPayloadBySource(source, text),
+          {
+            folderMode,
+            targetFolderId: folderMode === 'target' ? targetFolderId || null : null,
+          },
+          []
+        );
+        setImportSummary(summary);
+      }
+      setFile(null);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : t('txt_import_failed');
+      onNotify('error', message);
+    } finally {
+      setIsSubmitting(false);
+    }
+  }
+
+  async function handlePasswordImportConfirm() {
+    if (!pendingPasswordImport) return;
+    setIsPasswordSubmitting(true);
+    try {
+      const summary = await processPasswordProtectedImport(pendingPasswordImport);
+      setImportSummary(summary);
+      setFile(null);
+      setImportPassword('');
+      setPendingPasswordImport(null);
+      setPasswordDialogOpen(false);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : t('txt_import_failed');
+      onNotify('error', message);
+    } finally {
+      setIsPasswordSubmitting(false);
+    }
+  }
+
+  async function handleZipPasswordImportConfirm() {
+    if (!pendingZipFile) return;
+    setIsZipPasswordSubmitting(true);
+    try {
+      const bundle = await readBitwardenZipPayload(pendingZipFile, zipImportPassword);
+      let parsed: unknown;
+      try {
+        parsed = JSON.parse(bundle.jsonText);
+      } catch {
+        throw new Error(t('txt_import_invalid_json_file'));
+      }
+      if (isPasswordProtectedExport(parsed)) {
+        setPendingPasswordImport({
+          parsed,
+          source: 'bitwarden_zip',
+          attachments: bundle.attachments,
+        });
+        setImportPassword('');
+        setPasswordDialogOpen(true);
+      } else {
+        const summary = await runBitwardenJsonImport(parsed, bundle.attachments);
+        setImportSummary(summary);
+        setFile(null);
+      }
+      setZipPasswordDialogOpen(false);
+      setPendingZipFile(null);
+      setZipImportPassword('');
+    } catch (error) {
+      if (error instanceof ZipInvalidPasswordError) {
+        onNotify('error', t('txt_import_invalid_zip_password'));
+        return;
+      }
+      const message = error instanceof Error ? error.message : t('txt_import_failed');
+      onNotify('error', message);
+    } finally {
+      setIsZipPasswordSubmitting(false);
+    }
+  }
+
+  const exportNeedsMode =
+    exportFormat === 'bitwarden_encrypted_json' ||
+    exportFormat === 'bitwarden_encrypted_json_zip' ||
+    exportFormat === 'nodewarden_encrypted_json';
+  const exportNeedsFilePassword = exportNeedsMode && encryptedJsonMode === 'password';
+  const exportIsZip = exportFormat === 'bitwarden_json_zip' || exportFormat === 'bitwarden_encrypted_json_zip';
+
+  async function runExportWithMasterPassword(masterPassword: string) {
+    const filePassword = exportPassword.trim();
+    const zipPass = zipPassword.trim();
+    if (exportNeedsFilePassword && !filePassword) {
+      onNotify('error', t('txt_import_file_password_required'));
+      return;
+    }
+
+    setIsExporting(true);
+    try {
+      await onExport({
+        format: exportFormat,
+        encryptedJsonMode: exportNeedsMode ? encryptedJsonMode : undefined,
+        filePassword,
+        zipPassword: exportIsZip ? zipPass : '',
+        masterPassword,
+      });
+      onNotify('success', t('txt_export_completed'));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : t('txt_export_failed');
+      onNotify('error', message);
+    } finally {
+      setIsExporting(false);
+    }
+  }
+
+  async function handleExportConfirmPassword() {
+    const masterPassword = String(exportAuthPassword || '').trim();
+    if (!masterPassword) {
+      onNotify('error', t('txt_master_password_is_required'));
+      return;
+    }
+    await runExportWithMasterPassword(masterPassword);
+    if (!isExporting) {
+      setExportAuthPassword('');
+      setExportAuthDialogOpen(false);
+    }
+  }
+
+  function handleExport() {
+    setExportAuthPassword('');
+    setExportAuthDialogOpen(true);
+  }
+
+  return (
+    <div className="import-export-page">
+      <div className="import-export-panels">
+      <section className="card import-export-panel">
+        <h3>{t('txt_import')}</h3>
+        <p className="backup-inline-note">{t('txt_import_vault_data_hint')}</p>
+        <div className="field-grid">
+          <label className="field field-span-2">
+            <span>{t('txt_format')}</span>
+            <select className="input" value={source} onChange={(e) => setSource((e.currentTarget as HTMLSelectElement).value as ImportSourceId)}>
+              {commonSources.map((item) => (
+                <option key={item.id} value={item.id}>
+                  {item.label}
+                </option>
+              ))}
+              {otherSources.length > 0 && (
+                <option disabled value="__separator__">
+                  --------------------
+                </option>
+              )}
+              {otherSources.map((item) => (
+                <option key={item.id} value={item.id}>
+                  {item.label}
+                </option>
+              ))}
+            </select>
+          </label>
+
+          <label className="field field-span-2">
+            <span>{t('txt_source_file')}</span>
+            <input
+              className="input"
+              type="file"
+              accept={getFileAcceptBySource(source)}
+              onChange={(e) => {
+                const next = (e.currentTarget as HTMLInputElement).files?.[0] || null;
+                setFile(next);
+              }}
+            />
+          </label>
+
+          <label className="field field-span-2">
+            <span>{t('txt_folder_handling')}</span>
+            <select
+              className="input"
+              value={folderMode}
+              onChange={(e) => setFolderMode((e.currentTarget as HTMLSelectElement).value as 'original' | 'none' | 'target')}
+            >
+              <option value="original">{t('txt_import_folder_mode_original')}</option>
+              <option value="none">{t('txt_import_folder_mode_none')}</option>
+              <option value="target">{t('txt_import_folder_mode_target')}</option>
+            </select>
+          </label>
+
+          {folderMode === 'target' && (
+            <label className="field field-span-2">
+              <span>{t('txt_target_folder')}</span>
+              <select className="input" value={targetFolderId} onChange={(e) => setTargetFolderId((e.currentTarget as HTMLSelectElement).value)}>
+                <option value="">{t('txt_select_folder_placeholder')}</option>
+                {folders
+                  .slice()
+                  .sort((a, b) => String(a.decName || a.name || '').localeCompare(String(b.decName || b.name || '')))
+                  .map((folder) => (
+                    <option key={folder.id} value={folder.id}>
+                      {folder.decName || folder.name || folder.id}
+                    </option>
+                  ))}
+              </select>
+            </label>
+          )}
+        </div>
+
+        <div className="actions">
+          <button
+            type="button"
+            className="btn btn-primary"
+            disabled={isSubmitting || (folderMode === 'target' && !targetFolderId)}
+            onClick={() => void handleSubmit()}
+          >
+            <FileUp size={15} /> {isSubmitting ? t('txt_loading') : t('txt_import')}
+          </button>
+        </div>
+      </section>
+
+      <section className="card import-export-panel">
+        <h3>{t('txt_export')}</h3>
+        <p className="backup-inline-note">{t('txt_export_vault_data_hint')}</p>
+        <div className="field-grid">
+          <label className="field field-span-2">
+            <span>{t('txt_format')}</span>
+            <select
+              className="input"
+              value={exportFormat}
+              onChange={(e) => {
+                const next = (e.currentTarget as HTMLSelectElement).value as ExportFormatId;
+                setExportFormat(next);
+              }}
+            >
+              {EXPORT_FORMATS.map((item) => (
+                <option key={item.id} value={item.id}>
+                  {item.label}
+                </option>
+              ))}
+            </select>
+          </label>
+
+          {exportNeedsMode && (
+            <label className="field field-span-2">
+              <span>{t('txt_encrypted_mode')}</span>
+              <select
+                className="input"
+                value={encryptedJsonMode}
+                onChange={(e) => setEncryptedJsonMode((e.currentTarget as HTMLSelectElement).value as EncryptedJsonMode)}
+              >
+                <option value="account">{t('txt_account_verification')}</option>
+                <option value="password">{t('txt_password_verification')}</option>
+              </select>
+            </label>
+          )}
+
+          {exportNeedsFilePassword && (
+            <label className="field field-span-2">
+              <span>{t('txt_file_password')}</span>
+              <input
+                className="input"
+                type="password"
+                value={exportPassword}
+                onInput={(e) => setExportPassword((e.currentTarget as HTMLInputElement).value)}
+              />
+            </label>
+          )}
+
+          {exportIsZip && (
+            <label className="field field-span-2">
+              <span>{t('txt_zip_password_optional')}</span>
+              <input
+                className="input"
+                type="password"
+                value={zipPassword}
+                onInput={(e) => setZipPassword((e.currentTarget as HTMLInputElement).value)}
+              />
+            </label>
+          )}
+        </div>
+
+        <div className="actions">
+          <button type="button" className="btn btn-primary" disabled={isExporting} onClick={() => void handleExport()}>
+            <Download size={15} className="btn-icon" />
+            {isExporting ? t('txt_loading') : t('txt_export')}
+          </button>
+        </div>
+      </section>
+      </div>
+
+      <ConfirmDialog
+        open={exportAuthDialogOpen}
+        title={t('txt_export')}
+        message={t('txt_enter_master_password_to_view_this_item')}
+        confirmText={isExporting ? t('txt_loading') : t('txt_verify')}
+        cancelText={t('txt_cancel')}
+        showIcon={false}
+        onConfirm={() => void handleExportConfirmPassword()}
+        onCancel={() => {
+          if (isExporting) return;
+          setExportAuthDialogOpen(false);
+          setExportAuthPassword('');
+        }}
+      >
+        <label className="field">
+          <span>{t('txt_master_password')}</span>
+          <input
+            className="input"
+            type="password"
+            value={exportAuthPassword}
+            onInput={(e) => setExportAuthPassword((e.currentTarget as HTMLInputElement).value)}
+          />
+        </label>
+      </ConfirmDialog>
+
+      <ConfirmDialog
+        open={passwordDialogOpen}
+        title={t('txt_import_encrypted_file_title')}
+        message={t('txt_import_encrypted_file_message')}
+        confirmText={isPasswordSubmitting ? t('txt_loading') : t('txt_import')}
+        cancelText={t('txt_cancel')}
+        showIcon={false}
+        onConfirm={() => void handlePasswordImportConfirm()}
+        onCancel={() => {
+          if (isPasswordSubmitting) return;
+          setPasswordDialogOpen(false);
+          setImportPassword('');
+          setPendingPasswordImport(null);
+        }}
+      >
+        <label className="field">
+          <span>{t('txt_file_password')}</span>
+          <input
+            className="input"
+            type="password"
+            value={importPassword}
+            onInput={(e) => setImportPassword((e.currentTarget as HTMLInputElement).value)}
+          />
+        </label>
+      </ConfirmDialog>
+
+      <ConfirmDialog
+        open={zipPasswordDialogOpen}
+        title={t('txt_import_encrypted_zip_title')}
+        message={t('txt_import_encrypted_zip_message')}
+        confirmText={isZipPasswordSubmitting ? t('txt_loading') : t('txt_import')}
+        cancelText={t('txt_cancel')}
+        showIcon={false}
+        onConfirm={() => void handleZipPasswordImportConfirm()}
+        onCancel={() => {
+          if (isZipPasswordSubmitting) return;
+          setZipPasswordDialogOpen(false);
+          setZipImportPassword('');
+          setPendingZipFile(null);
+        }}
+      >
+        <label className="field">
+          <span>{t('txt_zip_password')}</span>
+          <input
+            className="input"
+            type="password"
+            value={zipImportPassword}
+            onInput={(e) => setZipImportPassword((e.currentTarget as HTMLInputElement).value)}
+          />
+        </label>
+      </ConfirmDialog>
+
+      {importSummary && typeof document !== 'undefined' ? createPortal((
+        <div
+          className="dialog-mask"
+          onClick={(event) => {
+            if (event.target !== event.currentTarget) return;
+            setImportSummary(null);
+          }}
+        >
+          <section className="dialog-card import-summary-dialog" role="dialog" aria-modal="true" aria-label={t('txt_import_success')}>
+            <button
+              type="button"
+              className="import-summary-close"
+              onClick={() => setImportSummary(null)}
+              aria-label={t('txt_close')}
+            >
+              X
+            </button>
+            <h3 className="dialog-title">{t('txt_import_success')}</h3>
+            <div className="dialog-message">{t('txt_import_success_number_of_items', { count: importSummary.totalItems })}</div>
+            {importSummary.attachmentCount > 0 && (
+              <div className="dialog-message">
+                {t('txt_import_attachment_summary', {
+                  imported: String(importSummary.importedAttachmentCount),
+                  total: String(importSummary.attachmentCount),
+                })}
+              </div>
+            )}
+            {importSummary.failedAttachments.length > 0 && (
+              <div className="import-summary-failed-list">
+                <div className="import-summary-failed-title">
+                  {t('txt_import_failed_attachments_title', { count: String(importSummary.failedAttachments.length) })}
+                </div>
+                <ul>
+                  {importSummary.failedAttachments.map((row, index) => (
+                    <li key={`${row.fileName}-${index}`}>
+                      <strong>{row.fileName}</strong>
+                      {`: ${row.reason}`}
+                    </li>
+                  ))}
+                </ul>
+              </div>
+            )}
+            <div className="import-summary-table-wrap">
+              <table className="import-summary-table">
+                <thead>
+                  <tr>
+                    <th>{t('txt_type')}</th>
+                    <th>{t('txt_total')}</th>
+                  </tr>
+                </thead>
+                <tbody>
+                  {importSummary.typeCounts.map((row) => (
+                    <tr key={row.label}>
+                      <td>{row.label}</td>
+                      <td>{row.count}</td>
+                    </tr>
+                  ))}
+                  <tr>
+                    <td>{t('txt_folder')}</td>
+                    <td>{importSummary.folderCount}</td>
+                  </tr>
+                </tbody>
+              </table>
+            </div>
+            <button type="button" className="btn btn-primary dialog-btn" onClick={() => setImportSummary(null)}>
+              {t('txt_confirm')}
+            </button>
+          </section>
+        </div>
+      ), document.body) : null}
+    </div>
+  );
+}
@@ -0,0 +1,123 @@
+import { useMemo, useState } from 'preact/hooks';
+import { AlertTriangle, Copy, RefreshCw } from 'lucide-preact';
+import { copyTextToClipboard } from '@/lib/clipboard';
+import StandalonePageFrame from '@/components/StandalonePageFrame';
+import { t } from '@/lib/i18n';
+
+interface JwtWarningPageProps {
+  reason: 'missing' | 'default' | 'too_short';
+  minLength: number;
+}
+
+const CLOUDFLARE_SETTINGS_URL =
+  'https://dash.cloudflare.com/?to=/:account/workers/services/view/nodewarden/production/settings';
+
+export default function JwtWarningPage(props: JwtWarningPageProps) {
+  const [seed, setSeed] = useState(0);
+  const [copyHint, setCopyHint] = useState('');
+
+  const generatedSecret = useMemo(() => generateJwtSecret(32), [seed]);
+
+  const title =
+    props.reason === 'missing'
+      ? t('txt_jwt_title_missing')
+      : props.reason === 'default'
+        ? t('txt_jwt_title_default')
+        : t('txt_jwt_title_too_short');
+
+  const isMissing = props.reason === 'missing';
+  const fixTitle = isMissing ? t('txt_jwt_how_to_fix_add') : t('txt_jwt_how_to_fix_replace');
+  const fixStep1 = isMissing ? t('txt_jwt_add_step_1') : t('txt_jwt_replace_step_1', { min: props.minLength });
+  const fixStep2Prefix = isMissing ? t('txt_jwt_add_step_2_prefix') : t('txt_jwt_replace_step_2_prefix');
+  const fixStep2Suffix = isMissing ? t('txt_jwt_add_step_2_suffix') : t('txt_jwt_replace_step_2_suffix');
+  const fixStep3 = isMissing ? t('txt_jwt_add_step_3') : t('txt_jwt_replace_step_3');
+
+  return (
+    <div className="auth-page">
+      <StandalonePageFrame title={title}>
+        <div className="jwt-warning-head">
+          <AlertTriangle size={20} />
+          <strong>{t('txt_jwt_warning_subtitle')}</strong>
+        </div>
+
+        <div className="jwt-warning-box">
+          <div className="jwt-warning-label">{t('txt_jwt_what_is')}</div>
+          <p className="jwt-warning-copy">{t('txt_jwt_what_is_body')}</p>
+
+          <div className="jwt-warning-label">{fixTitle}</div>
+          <ol className="jwt-warning-list">
+            <li>{fixStep1}</li>
+            <li>
+              {fixStep2Prefix}
+              <a
+                href={CLOUDFLARE_SETTINGS_URL}
+                className="jwt-inline-link"
+                target="_blank"
+                rel="noreferrer"
+              >
+                {t('txt_settings')}
+              </a>
+              {fixStep2Suffix}
+              <div className="jwt-secret-fields">
+                <div className="jwt-secret-row">
+                  <span>{t('txt_jwt_secret_type_label')}</span>
+                  <strong>{t('txt_jwt_secret_type_value')}</strong>
+                </div>
+                <div className="jwt-secret-row">
+                  <span>{t('txt_jwt_secret_name_label')}</span>
+                  <strong>JWT_SECRET</strong>
+                </div>
+                <div className="jwt-secret-row">
+                  <span>{t('txt_jwt_secret_value_label')}</span>
+                  <strong>{t('txt_jwt_secret_value_requirement', { min: props.minLength })}</strong>
+                </div>
+              </div>
+            </li>
+            <li>{fixStep3}</li>
+          </ol>
+
+          <div className="jwt-generator">
+            <div className="jwt-warning-label">{t('txt_random_secret_generator')}</div>
+            <input className="input input-readonly" readOnly value={generatedSecret} />
+            <div className="jwt-generator-actions">
+              <button type="button" className="btn btn-primary" onClick={() => setSeed((v) => v + 1)}>
+                <RefreshCw size={15} className="btn-icon" />
+                {t('txt_regenerate')}
+              </button>
+              <button
+                type="button"
+                className="btn btn-secondary"
+                onClick={async () => {
+                  await copyTextToClipboard(generatedSecret, {
+                    onSuccess: () => setCopyHint(t('txt_copied')),
+                    onError: () => setCopyHint(t('txt_copy_failed')),
+                  });
+                  window.setTimeout(() => setCopyHint(''), 1500);
+                }}
+              >
+                <Copy size={15} className="btn-icon" />
+                {t('txt_copy')}
+              </button>
+              {copyHint && <span className="jwt-copy-hint">{copyHint}</span>}
+            </div>
+          </div>
+        </div>
+      </StandalonePageFrame>
+    </div>
+  );
+}
+
+function generateJwtSecret(length: number): string {
+  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
+  let out = '';
+  const maxUnbiasedByte = Math.floor(256 / chars.length) * chars.length;
+  while (out.length < length) {
+    const bytes = crypto.getRandomValues(new Uint8Array(length));
+    for (const value of bytes) {
+      if (value >= maxUnbiasedByte) continue;
+      out += chars[value % chars.length];
+      if (out.length >= length) break;
+    }
+  }
+  return out;
+}
@@ -0,0 +1,151 @@
+import { useEffect, useState } from 'preact/hooks';
+import { Download, Eye, Lock } from 'lucide-preact';
+import { accessPublicSend, accessPublicSendFile, decryptPublicSend, decryptPublicSendFileBytes } from '@/lib/api/send';
+import { downloadBytesAsFile, readResponseBytesWithProgress } from '@/lib/download';
+import StandalonePageFrame from '@/components/StandalonePageFrame';
+import { t } from '@/lib/i18n';
+
+interface PublicSendPageProps {
+  accessId: string;
+  keyPart: string | null;
+}
+
+export default function PublicSendPage(props: PublicSendPageProps) {
+  const [loading, setLoading] = useState(true);
+  const [password, setPassword] = useState('');
+  const [needPassword, setNeedPassword] = useState(false);
+  const [error, setError] = useState('');
+  const [sendData, setSendData] = useState<any>(null);
+  const [busy, setBusy] = useState(false);
+  const [downloadPercent, setDownloadPercent] = useState<number | null>(null);
+
+  async function loadSend(pass?: string): Promise<void> {
+    setBusy(true);
+    setError('');
+    try {
+      const data = await accessPublicSend(props.accessId, props.keyPart, pass);
+      if (!props.keyPart) {
+        setError(t('txt_this_link_is_missing_decryption_key'));
+        setSendData(null);
+        return;
+      }
+      const decrypted = await decryptPublicSend(data, props.keyPart);
+      setSendData(decrypted);
+      setNeedPassword(false);
+    } catch (e) {
+      const err = e as Error & { status?: number };
+      if (err.status === 401) {
+        setNeedPassword(true);
+        setError(t('txt_this_send_is_password_protected'));
+      } else {
+        setError(err.message || t('txt_failed_to_open_send'));
+      }
+      setSendData(null);
+    } finally {
+      setBusy(false);
+      setLoading(false);
+    }
+  }
+
+  async function downloadFile(): Promise<void> {
+    if (!sendData?.id || !sendData?.file?.id) return;
+    setBusy(true);
+    setDownloadPercent(null);
+    setError('');
+    try {
+      const url = await accessPublicSendFile(sendData.id, sendData.file.id, props.keyPart, password || undefined);
+      const resp = await fetch(url);
+      if (!resp.ok) throw new Error(t('txt_download_failed'));
+      const encryptedBytes = await readResponseBytesWithProgress(resp, (progress) => setDownloadPercent(progress.percent));
+      let blob: Blob;
+      if (props.keyPart) {
+        try {
+          const decryptedBytes = await decryptPublicSendFileBytes(encryptedBytes, props.keyPart);
+          blob = new Blob([decryptedBytes as unknown as BlobPart], { type: 'application/octet-stream' });
+        } catch {
+          // Legacy compatibility: early web-created file sends uploaded plaintext bytes.
+          blob = new Blob([encryptedBytes], { type: 'application/octet-stream' });
+        }
+      } else {
+        blob = new Blob([encryptedBytes], { type: 'application/octet-stream' });
+      }
+      downloadBytesAsFile(
+        new Uint8Array(await blob.arrayBuffer()),
+        sendData.decFileName || sendData.file?.fileName || t('txt_send_file'),
+        'application/octet-stream'
+      );
+    } catch (e) {
+      const err = e as Error;
+      setError(err.message || t('txt_download_failed'));
+    } finally {
+      setBusy(false);
+      setDownloadPercent(null);
+    }
+  }
+
+  useEffect(() => {
+    void loadSend();
+  }, [props.accessId, props.keyPart]);
+
+  return (
+    <div className="auth-page public-send-page">
+      <StandalonePageFrame title={t('txt_nodewarden_send')}>
+        {loading && <p className="muted">{t('txt_loading')}</p>}
+
+        {!loading && needPassword && (
+          <form
+            onSubmit={(e) => {
+              e.preventDefault();
+              void loadSend(password);
+            }}
+          >
+            <label className="field">
+              <span>{t('txt_password')}</span>
+              <div className="password-wrap">
+                <input
+                  className="input"
+                  type="password"
+                  value={password}
+                  autoComplete="current-password"
+                  onInput={(e) => setPassword((e.currentTarget as HTMLInputElement).value)}
+                />
+              </div>
+            </label>
+            <button type="submit" className="btn btn-primary full" disabled={busy}>
+              <Lock size={14} className="btn-icon" /> {t('txt_unlock_send')}
+            </button>
+          </form>
+        )}
+
+        {!loading && sendData && (
+          <>
+            <h2 style={{ marginTop: '8px' }}>{sendData.decName || t('txt_no_name')}</h2>
+            {sendData.type === 0 ? (
+              <div className="card" style={{ marginTop: '10px' }}>
+                <div className="notes">{sendData.decText || ''}</div>
+              </div>
+            ) : (
+              <div className="card" style={{ marginTop: '10px' }}>
+                <div className="kv-line">
+                  <span>{t('txt_file')}</span>
+                  <strong>{sendData.decFileName || sendData.file?.fileName || sendData.file?.sizeName || t('txt_encrypted_file')}</strong>
+                </div>
+                <button type="button" className="btn btn-primary full" disabled={busy} onClick={() => void downloadFile()}>
+                  <Download size={14} className="btn-icon" /> {downloadPercent == null ? (busy ? t('txt_downloading') : t('txt_download')) : t('txt_downloading_percent', { percent: downloadPercent })}
+                </button>
+              </div>
+            )}
+            {!!sendData.expirationDate && <p className="muted">{t('txt_expires_at_value', { value: sendData.expirationDate })}</p>}
+          </>
+        )}
+
+        {!loading && !sendData && !needPassword && !error && (
+          <p className="muted">
+            <Eye size={14} style={{ verticalAlign: 'text-bottom' }} /> {t('txt_send_unavailable')}
+          </p>
+        )}
+        {!!error && <p className="local-error">{error}</p>}
+      </StandalonePageFrame>
+    </div>
+  );
+}
@@ -0,0 +1,78 @@
+import { useState } from 'preact/hooks';
+import { Eye, EyeOff, Send, X } from 'lucide-preact';
+import StandalonePageFrame from '@/components/StandalonePageFrame';
+import { t } from '@/lib/i18n';
+
+interface RecoverTwoFactorPageProps {
+  values: { email: string; password: string; recoveryCode: string };
+  onChange: (next: { email: string; password: string; recoveryCode: string }) => void;
+  onSubmit: () => void;
+  onCancel: () => void;
+}
+
+export default function RecoverTwoFactorPage(props: RecoverTwoFactorPageProps) {
+  const [showPassword, setShowPassword] = useState(false);
+
+  return (
+    <div className="auth-page">
+      <StandalonePageFrame title={t('txt_recover_two_step_login')}>
+        <form
+          onSubmit={(e) => {
+            e.preventDefault();
+            props.onSubmit();
+          }}
+        >
+          <p className="muted standalone-muted">{t('txt_use_your_one_time_recovery_code_to_disable_two_step_verification')}</p>
+
+          <label className="field">
+            <span>{t('txt_email')}</span>
+            <input
+              className="input"
+              type="email"
+              value={props.values.email}
+              autoComplete="username"
+              onInput={(e) => props.onChange({ ...props.values, email: (e.currentTarget as HTMLInputElement).value })}
+            />
+          </label>
+
+          <label className="field">
+            <span>{t('txt_master_password')}</span>
+            <div className="password-wrap">
+              <input
+                className="input"
+                type={showPassword ? 'text' : 'password'}
+                value={props.values.password}
+                autoComplete="current-password"
+                onInput={(e) => props.onChange({ ...props.values, password: (e.currentTarget as HTMLInputElement).value })}
+              />
+              <button type="button" className="eye-btn" onClick={() => setShowPassword((v) => !v)}>
+                {showPassword ? <EyeOff size={16} /> : <Eye size={16} />}
+              </button>
+            </div>
+          </label>
+
+          <label className="field">
+            <span>{t('txt_recovery_code')}</span>
+            <input
+              className="input"
+              value={props.values.recoveryCode}
+              autoComplete="one-time-code"
+              onInput={(e) => props.onChange({ ...props.values, recoveryCode: (e.currentTarget as HTMLInputElement).value.toUpperCase() })}
+            />
+          </label>
+
+          <div className="field-grid">
+            <button type="submit" className="btn btn-primary">
+              <Send size={14} className="btn-icon" />
+              {t('txt_submit')}
+            </button>
+            <button type="button" className="btn btn-secondary" onClick={props.onCancel}>
+              <X size={14} className="btn-icon" />
+              {t('txt_cancel')}
+            </button>
+          </div>
+        </form>
+      </StandalonePageFrame>
+    </div>
+  );
+}
@@ -0,0 +1,141 @@
+import { Clock3, RefreshCw, ShieldOff, Trash2 } from 'lucide-preact';
+import type { AuthorizedDevice } from '@/lib/types';
+import { t } from '@/lib/i18n';
+
+interface SecurityDevicesPageProps {
+  devices: AuthorizedDevice[];
+  loading: boolean;
+  onRefresh: () => void;
+  onRevokeTrust: (device: AuthorizedDevice) => void;
+  onRemoveDevice: (device: AuthorizedDevice) => void;
+  onRevokeAll: () => void;
+  onRemoveAll: () => void;
+}
+
+function formatDateTime(value: string | null | undefined): string {
+  if (!value) return t('txt_dash');
+  const date = new Date(value);
+  if (Number.isNaN(date.getTime())) return t('txt_dash');
+  return date.toLocaleString();
+}
+
+function mapDeviceTypeName(type: number): string {
+  switch (type) {
+    case 0: return t('txt_android');
+    case 1: return t('txt_ios');
+    case 2: return t('txt_chrome_extension');
+    case 3: return t('txt_firefox_extension');
+    case 4: return t('txt_opera_extension');
+    case 5: return t('txt_edge_extension');
+    case 6: return t('txt_windows_desktop');
+    case 7: return t('txt_macos_desktop');
+    case 8: return t('txt_linux_desktop');
+    case 9: return t('txt_chrome_browser');
+    case 10: return t('txt_firefox_browser');
+    case 11: return t('txt_opera_browser');
+    case 12: return t('txt_edge_browser');
+    case 13: return t('txt_ie_browser');
+    case 14: return t('txt_web');
+    default: return t('txt_type_type', { type });
+  }
+}
+
+export default function SecurityDevicesPage(props: SecurityDevicesPageProps) {
+  return (
+    <div className="stack">
+      <section className="card">
+        <div className="section-head">
+          <div>
+            <h3 style={{ margin: 0 }}>{t('txt_device_management')}</h3>
+            <div className="muted-inline" style={{ marginTop: 4 }}>
+              {t('txt_manage_device_sessions_and_30_day_totp_trusted_sessions')}
+            </div>
+          </div>
+          <div className="actions">
+            <button type="button" className="btn btn-secondary small" onClick={props.onRefresh}>
+              <RefreshCw size={14} className="btn-icon" />
+              {t('txt_refresh')}
+            </button>
+            <button type="button" className="btn btn-danger small" onClick={props.onRevokeAll}>
+              <ShieldOff size={14} className="btn-icon" />
+              {t('txt_revoke_all_trusted')}
+            </button>
+            <button type="button" className="btn btn-danger small" onClick={props.onRemoveAll}>
+              <Trash2 size={14} className="btn-icon" />
+              {t('txt_remove_all_devices')}
+            </button>
+          </div>
+        </div>
+      </section>
+
+      <section className="card">
+        <h3 style={{ marginTop: 0 }}>{t('txt_authorized_devices')}</h3>
+        <table className="table">
+          <thead>
+            <tr>
+              <th>{t('txt_device')}</th>
+              <th>{t('txt_type')}</th>
+              <th>{t('txt_status')}</th>
+              <th>{t('txt_added')}</th>
+              <th>{t('txt_last_seen')}</th>
+              <th>{t('txt_trusted_until')}</th>
+              <th>{t('txt_actions')}</th>
+            </tr>
+          </thead>
+          <tbody>
+            {props.devices.map((device) => (
+              <tr key={device.identifier}>
+                <td data-label={t('txt_device')}>
+                  <div>{device.name || t('txt_unknown_device')}</div>
+                  <div className="muted-inline">{device.identifier}</div>
+                </td>
+                <td data-label={t('txt_type')}>{mapDeviceTypeName(device.type)}</td>
+                <td data-label={t('txt_status')}>
+                  <span className={`device-status-pill ${device.online ? 'online' : 'offline'}`}>
+                    {device.online ? t('txt_online') : t('txt_offline')}
+                  </span>
+                </td>
+                <td data-label={t('txt_added')}>{formatDateTime(device.creationDate)}</td>
+                <td data-label={t('txt_last_seen')}>{formatDateTime(device.revisionDate)}</td>
+                <td data-label={t('txt_trusted_until')}>
+                  {device.trusted ? (
+                    <div className="trusted-cell">
+                      <Clock3 size={13} />
+                      <span>{formatDateTime(device.trustedUntil)}</span>
+                    </div>
+                  ) : (
+                    <span className="muted-inline">{t('txt_not_trusted')}</span>
+                  )}
+                </td>
+                <td data-label={t('txt_actions')}>
+                  <div className="actions">
+                    <button
+                      type="button"
+                      className="btn btn-secondary small"
+                      disabled={!device.trusted}
+                      onClick={() => props.onRevokeTrust(device)}
+                    >
+                      <ShieldOff size={14} className="btn-icon" />
+                      {t('txt_revoke_trust')}
+                    </button>
+                    <button type="button" className="btn btn-danger small" onClick={() => props.onRemoveDevice(device)}>
+                      <Trash2 size={14} className="btn-icon" />
+                      {t('txt_remove_device_2')}
+                    </button>
+                  </div>
+                </td>
+              </tr>
+            ))}
+            {!props.loading && props.devices.length === 0 && (
+              <tr>
+                <td colSpan={7}>
+                  <div className="empty" style={{ minHeight: 80 }}>{t('txt_no_devices_found')}</div>
+                </td>
+              </tr>
+            )}
+          </tbody>
+        </table>
+      </section>
+    </div>
+  );
+}
@@ -0,0 +1,560 @@
+import { useEffect, useMemo, useState } from 'preact/hooks';
+import { CheckCheck, ChevronLeft, Copy, Eye, EyeOff, File, FileText, LayoutGrid, Pencil, Plus, RefreshCw, Save, Send as SendIcon, Trash2, X } from 'lucide-preact';
+import { copyTextToClipboard } from '@/lib/clipboard';
+import type { Send, SendDraft } from '@/lib/types';
+import { t } from '@/lib/i18n';
+
+interface SendsPageProps {
+  sends: Send[];
+  loading: boolean;
+  onRefresh: () => Promise<void>;
+  onCreate: (draft: SendDraft, autoCopyLink: boolean) => Promise<void>;
+  onUpdate: (send: Send, draft: SendDraft, autoCopyLink: boolean) => Promise<void>;
+  onDelete: (send: Send) => Promise<void>;
+  onBulkDelete: (ids: string[]) => Promise<void>;
+  uploadingSendFileName: string;
+  sendUploadPercent: number | null;
+  onNotify: (type: 'success' | 'error', text: string) => void;
+}
+
+type SendTypeFilter = 'all' | 'text' | 'file';
+const AUTO_COPY_KEY = 'nodewarden.send.auto_copy_link.v1';
+const MOBILE_LAYOUT_QUERY = '(max-width: 900px)';
+
+function daysFromNow(iso: string | null | undefined, fallback: number): string {
+  if (!iso) return String(fallback);
+  const d = new Date(iso).getTime();
+  if (!Number.isFinite(d)) return String(fallback);
+  const diff = d - Date.now();
+  const days = Math.ceil(diff / (24 * 60 * 60 * 1000));
+  return String(Math.max(days, 0));
+}
+
+function buildDefaultDraft(): SendDraft {
+  return {
+    type: 'text',
+    name: '',
+    notes: '',
+    text: '',
+    file: null,
+    deletionDays: '7',
+    expirationDays: '0',
+    maxAccessCount: '',
+    password: '',
+    disabled: false,
+  };
+}
+
+function draftFromSend(send: Send): SendDraft {
+  return {
+    id: send.id,
+    type: Number(send.type) === 1 ? 'file' : 'text',
+    name: send.decName || '',
+    notes: send.decNotes || '',
+    text: send.decText || '',
+    file: null,
+    deletionDays: daysFromNow(send.deletionDate, 7),
+    expirationDays: daysFromNow(send.expirationDate, 0),
+    maxAccessCount: send.maxAccessCount !== null && send.maxAccessCount !== undefined ? String(send.maxAccessCount) : '',
+    password: '',
+    disabled: !!send.disabled,
+  };
+}
+
+export default function SendsPage(props: SendsPageProps) {
+  const getInitialIsMobileLayout = () =>
+    typeof window !== 'undefined' && typeof window.matchMedia === 'function'
+      ? window.matchMedia(MOBILE_LAYOUT_QUERY).matches
+      : false;
+  const [search, setSearch] = useState('');
+  const [typeFilter, setTypeFilter] = useState<SendTypeFilter>('all');
+  const [selectedId, setSelectedId] = useState<string | null>(null);
+  const [isEditing, setIsEditing] = useState(false);
+  const [isCreating, setIsCreating] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [draft, setDraft] = useState<SendDraft | null>(null);
+  const [showPassword, setShowPassword] = useState(false);
+  const [selectedMap, setSelectedMap] = useState<Record<string, boolean>>({});
+  const [isMobileLayout, setIsMobileLayout] = useState(getInitialIsMobileLayout);
+  const [mobilePanel, setMobilePanel] = useState<'list' | 'detail' | 'edit'>('list');
+  const [mobileSidebarOpen, setMobileSidebarOpen] = useState(false);
+  const [autoCopyLink, setAutoCopyLink] = useState<boolean>(() => {
+    try {
+      return localStorage.getItem(AUTO_COPY_KEY) === '1';
+    } catch {
+      return false;
+    }
+  });
+  const sendUploadLabel =
+    props.sendUploadPercent == null
+      ? t('txt_uploading_file_named', { name: props.uploadingSendFileName || t('txt_file') })
+      : t('txt_uploading_file_named_percent', {
+          name: props.uploadingSendFileName || t('txt_file'),
+          percent: props.sendUploadPercent,
+        });
+
+  useEffect(() => {
+    if (typeof window === 'undefined' || typeof window.matchMedia !== 'function') return;
+    const media = window.matchMedia(MOBILE_LAYOUT_QUERY);
+    const sync = () => setIsMobileLayout(media.matches);
+    sync();
+    if (typeof media.addEventListener === 'function') {
+      media.addEventListener('change', sync);
+      return () => media.removeEventListener('change', sync);
+    }
+    media.addListener(sync);
+    return () => media.removeListener(sync);
+  }, []);
+
+  useEffect(() => {
+    const onToggleSidebar = () => {
+      setMobileSidebarOpen((open) => !open);
+    };
+    window.addEventListener('nodewarden:toggle-sidebar', onToggleSidebar);
+    return () => window.removeEventListener('nodewarden:toggle-sidebar', onToggleSidebar);
+  }, []);
+
+  useEffect(() => {
+    try {
+      localStorage.setItem(AUTO_COPY_KEY, autoCopyLink ? '1' : '0');
+    } catch {
+      // ignore storage errors
+    }
+  }, [autoCopyLink]);
+
+  useEffect(() => {
+    if (!isMobileLayout) {
+      setMobilePanel('list');
+      setMobileSidebarOpen(false);
+      return;
+    }
+    if (isEditing) {
+      setMobilePanel('edit');
+    } else if (!selectedId) {
+      setMobilePanel('list');
+    }
+  }, [isMobileLayout, isEditing, selectedId]);
+
+  const filteredSends = useMemo(() => {
+    const q = search.trim().toLowerCase();
+    return props.sends.filter((send) => {
+      if (typeFilter === 'text' && Number(send.type) !== 0) return false;
+      if (typeFilter === 'file' && Number(send.type) !== 1) return false;
+      if (!q) return true;
+      const name = (send.decName || '').toLowerCase();
+      const text = (send.decText || '').toLowerCase();
+      return name.includes(q) || text.includes(q);
+    });
+  }, [props.sends, search, typeFilter]);
+
+  useEffect(() => {
+    if (!filteredSends.length) {
+      setSelectedId(null);
+      return;
+    }
+    if (!selectedId || !filteredSends.some((x) => x.id === selectedId)) {
+      setSelectedId(filteredSends[0].id);
+      setIsEditing(false);
+      setIsCreating(false);
+      setDraft(null);
+    }
+  }, [filteredSends, selectedId]);
+
+  const selectedSend = useMemo(
+    () => props.sends.find((x) => x.id === selectedId) || null,
+    [props.sends, selectedId]
+  );
+  const selectedIds = useMemo(() => Object.keys(selectedMap).filter((id) => selectedMap[id]), [selectedMap]);
+  const selectedCount = selectedIds.length;
+
+  async function saveDraft(): Promise<void> {
+    if (!draft) return;
+    if (!draft.name.trim()) {
+      props.onNotify('error', t('txt_name_is_required'));
+      return;
+    }
+    if (draft.type === 'text' && !draft.text.trim()) {
+      props.onNotify('error', t('txt_text_is_required'));
+      return;
+    }
+    if (draft.type === 'file' && isCreating && !draft.file) {
+      props.onNotify('error', t('txt_please_select_a_file'));
+      return;
+    }
+    setBusy(true);
+    try {
+      if (isCreating) {
+        await props.onCreate(draft, autoCopyLink);
+        setSelectedId(null);
+      } else if (selectedSend) {
+        await props.onUpdate(selectedSend, draft, autoCopyLink);
+      }
+      setIsEditing(false);
+      setIsCreating(false);
+      setDraft(null);
+      setShowPassword(false);
+      if (isMobileLayout) setMobilePanel('detail');
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  async function removeSend(send: Send): Promise<void> {
+    setBusy(true);
+    try {
+      await props.onDelete(send);
+      if (selectedId === send.id) setSelectedId(null);
+      setIsEditing(false);
+      setDraft(null);
+      if (isMobileLayout) setMobilePanel('list');
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  async function removeSelected(): Promise<void> {
+    if (!selectedCount) return;
+    setBusy(true);
+    try {
+      await props.onBulkDelete(selectedIds);
+      setSelectedMap({});
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  function copyAccessUrl(send: Send): void {
+    const url = send.shareUrl || `${window.location.origin}/#/send/${send.accessId}`;
+    void copyTextToClipboard(url, { successMessage: t('txt_link_copied') });
+  }
+
+  return (
+    <div className={`vault-grid ${isMobileLayout ? `mobile-panel-${mobilePanel}` : ''}`}>
+      {isMobileLayout && (
+        <div
+          className={`mobile-sidebar-mask ${mobileSidebarOpen ? 'open' : ''}`}
+          onClick={() => {
+            if (!mobileSidebarOpen) return;
+            setMobileSidebarOpen(false);
+          }}
+        />
+      )}
+      <aside className={`sidebar ${isMobileLayout ? 'mobile-sidebar-sheet' : ''} ${isMobileLayout && mobileSidebarOpen ? 'open' : ''}`}>
+        {isMobileLayout && (
+          <div className="mobile-sidebar-head">
+            <div className="mobile-sidebar-title">{t('txt_all_sends')}</div>
+            <button type="button" className="mobile-sidebar-close" onClick={() => setMobileSidebarOpen(false)} aria-label={t('txt_close')}>
+              <X size={16} />
+            </button>
+          </div>
+        )}
+        <div className="sidebar-block">
+          <div className="sidebar-title">{t('txt_all_sends')}</div>
+          <button type="button" className={`tree-btn ${typeFilter === 'all' ? 'active' : ''}`} onClick={() => setTypeFilter('all')}>
+            <LayoutGrid size={14} className="tree-icon" />
+            <span className="tree-label">{t('txt_all_sends')}</span>
+          </button>
+        </div>
+        <div className="sidebar-block">
+          <div className="sidebar-title">{t('txt_type')}</div>
+          <button type="button" className={`tree-btn ${typeFilter === 'text' ? 'active' : ''}`} onClick={() => setTypeFilter('text')}>
+            <FileText size={14} className="tree-icon" />
+            <span className="tree-label">{t('txt_text')}</span>
+          </button>
+          <button type="button" className={`tree-btn ${typeFilter === 'file' ? 'active' : ''}`} onClick={() => setTypeFilter('file')}>
+            <File size={14} className="tree-icon" />
+            <span className="tree-label">{t('txt_file')}</span>
+          </button>
+        </div>
+      </aside>
+
+      <section className="list-col">
+        <div className="list-head">
+          <input
+            className="search-input"
+            placeholder={t('txt_search_sends')}
+            value={search}
+            onInput={(e) => setSearch((e.currentTarget as HTMLInputElement).value)}
+          />
+          <button type="button" className="btn btn-secondary small list-icon-btn" disabled={busy || props.loading} onClick={() => void props.onRefresh()}>
+            <RefreshCw size={14} className="btn-icon" /> {t('txt_refresh')}
+          </button>
+        </div>
+        <div className="toolbar actions">
+          <button type="button" className="btn btn-danger small" disabled={!selectedCount || busy} onClick={() => void removeSelected()}>
+            <Trash2 size={14} className="btn-icon" /> {t('txt_delete_selected')}
+          </button>
+          <button
+            type="button"
+            className="btn btn-secondary small"
+            disabled={!filteredSends.length}
+            onClick={() => {
+              const map: Record<string, boolean> = {};
+              for (const send of filteredSends) map[send.id] = true;
+              setSelectedMap(map);
+            }}
+          >
+            <CheckCheck size={14} className="btn-icon" />
+            {t('txt_select_all')}
+          </button>
+          {!!selectedCount && (
+            <button type="button" className="btn btn-secondary small" onClick={() => setSelectedMap({})}>
+              <X size={14} className="btn-icon" />
+              {t('txt_cancel')}
+            </button>
+          )}
+          <button
+            type="button"
+            className="btn btn-primary small mobile-fab-trigger"
+            disabled={busy}
+            aria-label={t('txt_add')}
+            title={t('txt_add')}
+            onClick={() => {
+              setIsCreating(true);
+              setIsEditing(true);
+              setDraft(buildDefaultDraft());
+              setShowPassword(false);
+              if (isMobileLayout) setMobilePanel('edit');
+              setMobileSidebarOpen(false);
+            }}
+          >
+            <Plus size={14} className="btn-icon" />
+          </button>
+        </div>
+        <div className="list-panel">
+          {filteredSends.map((send, index) => (
+            <div
+              key={send.id}
+              className={`list-item stagger-item ${selectedId === send.id ? 'active' : ''}`}
+              style={{ animationDelay: `${Math.min(index, 10) * 26}ms` }}
+              onClick={(event) => {
+                const target = event.target as HTMLElement;
+                if (target.closest('.row-check')) return;
+                setSelectedId(send.id);
+                setIsEditing(false);
+                setIsCreating(false);
+                setDraft(null);
+                if (isMobileLayout) setMobilePanel('detail');
+                setMobileSidebarOpen(false);
+              }}
+            >
+              <input
+                type="checkbox"
+                className="row-check"
+                checked={!!selectedMap[send.id]}
+                onClick={(event) => event.stopPropagation()}
+                onInput={(e) =>
+                  setSelectedMap((prev) => ({
+                    ...prev,
+                    [send.id]: (e.currentTarget as HTMLInputElement).checked,
+                  }))
+                }
+              />
+              <button
+                type="button"
+                className="row-main"
+                onClick={() => {
+                  setSelectedId(send.id);
+                  setIsEditing(false);
+                  setIsCreating(false);
+                  setDraft(null);
+                  if (isMobileLayout) setMobilePanel('detail');
+                  setMobileSidebarOpen(false);
+                }}
+              >
+                <div className="list-icon-wrap">
+                  <span className="list-icon-fallback">
+                    <SendIcon />
+                  </span>
+                </div>
+                <div className="list-text">
+                  <span className="list-title" title={send.decName || t('txt_no_name')}>{send.decName || t('txt_no_name')}</span>
+                  <span className="list-sub">
+                    {Number(send.type) === 1 ? t('txt_file') : t('txt_text')} - {t('txt_accessed_count_times', { count: send.accessCount || 0 })}
+                  </span>
+                </div>
+              </button>
+            </div>
+          ))}
+          {!filteredSends.length && <div className="empty">{t('txt_no_sends')}</div>}
+        </div>
+      </section>
+
+      <section className={`detail-col ${isMobileLayout ? 'mobile-detail-sheet' : ''} ${isMobileLayout && mobilePanel !== 'list' ? 'open' : ''}`}>
+        {isMobileLayout && mobilePanel !== 'list' && (
+          <div className="mobile-panel-head">
+            <button
+              type="button"
+              className="btn btn-secondary small mobile-panel-back"
+              onClick={() => {
+                if (isEditing) {
+                  setIsEditing(false);
+                  setIsCreating(false);
+                  setDraft(null);
+                  setShowPassword(false);
+                  setMobilePanel(selectedSend ? 'detail' : 'list');
+                } else {
+                  setMobilePanel('list');
+                }
+              }}
+            >
+              <ChevronLeft size={14} className="btn-icon" />
+              {t('txt_back')}
+            </button>
+          </div>
+        )}
+        {isEditing && draft && (
+          <div key={`send-editor-${draft.id || selectedSend?.id || 'new'}-${draft.type}`} className="detail-switch-stage">
+            <div className="card stagger-item" style={{ animationDelay: '0ms' }}>
+              <h3 className="detail-title">{isCreating ? t('txt_new_send') : t('txt_edit_send')}</h3>
+              {!!props.uploadingSendFileName && <div className="detail-sub">{sendUploadLabel}</div>}
+              <div className="field-grid">
+              <label className="field field-span-2">
+                <span>{t('txt_name')}</span>
+                <input className="input" value={draft.name} onInput={(e) => setDraft({ ...draft, name: (e.currentTarget as HTMLInputElement).value })} />
+              </label>
+              <label className="field field-span-2">
+                <span>{t('txt_type')}</span>
+                <div className="send-options">
+                  <label>
+                    <input
+                      type="radio"
+                      checked={draft.type === 'file'}
+                      disabled={!isCreating}
+                      onInput={() => setDraft({ ...draft, type: 'file' })}
+                    />
+                    {t('txt_file')}
+                  </label>
+                  <label>
+                    <input
+                      type="radio"
+                      checked={draft.type === 'text'}
+                      disabled={!isCreating}
+                      onInput={() => setDraft({ ...draft, type: 'text' })}
+                    />
+                    {t('txt_text')}
+                  </label>
+                </div>
+              </label>
+              {draft.type === 'file' ? (
+                <label className="field field-span-2">
+                  <span>{t('txt_file')}</span>
+                  <input className="input" type="file" onInput={(e) => setDraft({ ...draft, file: (e.currentTarget as HTMLInputElement).files?.[0] || null })} />
+                </label>
+              ) : (
+                <label className="field field-span-2">
+                  <span>{t('txt_text')}</span>
+                  <textarea className="input textarea" rows={8} value={draft.text} onInput={(e) => setDraft({ ...draft, text: (e.currentTarget as HTMLTextAreaElement).value })} />
+                </label>
+              )}
+              <label className="field">
+                <span>{t('txt_deletion_days')}</span>
+                <input className="input" type="number" min="1" max="31" value={draft.deletionDays} onInput={(e) => setDraft({ ...draft, deletionDays: (e.currentTarget as HTMLInputElement).value })} />
+              </label>
+              <label className="field">
+                <span>{t('txt_expiration_days_0_never')}</span>
+                <input className="input" type="number" min="0" max="3650" value={draft.expirationDays} onInput={(e) => setDraft({ ...draft, expirationDays: (e.currentTarget as HTMLInputElement).value })} />
+              </label>
+              <label className="field">
+                <span>{t('txt_max_access_count')}</span>
+                <input className="input" value={draft.maxAccessCount} onInput={(e) => setDraft({ ...draft, maxAccessCount: (e.currentTarget as HTMLInputElement).value })} />
+              </label>
+              <label className="field">
+                <span>{t('txt_password')}</span>
+                <div className="password-wrap">
+                  <input className="input" type={showPassword ? 'text' : 'password'} value={draft.password} onInput={(e) => setDraft({ ...draft, password: (e.currentTarget as HTMLInputElement).value })} />
+                  <button type="button" className="password-toggle" onClick={() => setShowPassword((v) => !v)}>
+                    {showPassword ? <EyeOff size={16} /> : <Eye size={16} />}
+                  </button>
+                </div>
+              </label>
+              <label className="field field-span-2">
+                <span>{t('txt_notes')}</span>
+                <textarea className="input textarea" rows={5} value={draft.notes} onInput={(e) => setDraft({ ...draft, notes: (e.currentTarget as HTMLTextAreaElement).value })} />
+              </label>
+              <label className="field field-span-2">
+                <span>{t('txt_options')}</span>
+                <div className="send-options">
+                  <label><input type="checkbox" checked={draft.disabled} onInput={(e) => setDraft({ ...draft, disabled: (e.currentTarget as HTMLInputElement).checked })} /> {t('txt_disable_this_send')}</label>
+                  <label><input type="checkbox" checked={autoCopyLink} onInput={(e) => setAutoCopyLink((e.currentTarget as HTMLInputElement).checked)} /> {t('txt_auto_copy_link_after_save')}</label>
+                </div>
+              </label>
+              </div>
+              <div className="detail-actions">
+              <button type="button" className="btn btn-primary small" disabled={busy} onClick={() => void saveDraft()}>
+                <Save size={14} className="btn-icon" /> {t('txt_save')}
+              </button>
+              <button
+                type="button"
+                className="btn btn-secondary small"
+                disabled={busy}
+                onClick={() => {
+                  setIsEditing(false);
+                  setIsCreating(false);
+                  setDraft(null);
+                  setShowPassword(false);
+                  if (isMobileLayout) setMobilePanel(selectedSend ? 'detail' : 'list');
+                }}
+              >
+                <X size={14} className="btn-icon" /> {t('txt_cancel')}
+              </button>
+              </div>
+            </div>
+          </div>
+        )}
+
+        {!isEditing && selectedSend && (
+          <div key={`send-detail-${selectedSend.id}`} className="detail-switch-stage">
+            <div className="card stagger-item" style={{ animationDelay: '36ms' }}>
+              <h3 className="detail-title">{selectedSend.decName || t('txt_no_name')}</h3>
+              <div className="detail-sub">{Number(selectedSend.type) === 1 ? t('txt_file_send') : t('txt_text_send')}</div>
+            </div>
+
+            <div className="card stagger-item" style={{ animationDelay: '72ms' }}>
+              <h4>{t('txt_send_details')}</h4>
+              <div className="kv-line"><span>{t('txt_access_count')}</span><strong>{selectedSend.accessCount || 0}</strong></div>
+              <div className="kv-line"><span>{t('txt_deletion_date')}</span><strong>{selectedSend.deletionDate || t('txt_dash')}</strong></div>
+              <div className="kv-line"><span>{t('txt_expiration_date')}</span><strong>{selectedSend.expirationDate || t('txt_dash')}</strong></div>
+            </div>
+
+            <div className="card">
+              {Number(selectedSend.type) === 1 ? (
+                <>
+                  <h4>{t('txt_file')}</h4>
+                  <div className="kv-line"><span>{t('txt_file_name')}</span><strong>{selectedSend.file?.fileName || t('txt_encrypted_file_2')}</strong></div>
+                  <div className="kv-line"><span>{t('txt_file_size')}</span><strong>{selectedSend.file?.sizeName || t('txt_dash')}</strong></div>
+                </>
+              ) : (
+                <>
+                  <h4>{t('txt_text')}</h4>
+                  <div className="notes">{selectedSend.decText || ''}</div>
+                </>
+              )}
+            </div>
+
+            {!!(selectedSend.decNotes || '').trim() && (
+              <div className="card stagger-item" style={{ animationDelay: '108ms' }}>
+                <h4>{t('txt_notes')}</h4>
+                <div className="notes">{selectedSend.decNotes || ''}</div>
+              </div>
+            )}
+
+            <div className="detail-actions">
+              <div className="actions">
+                <button type="button" className="btn btn-secondary small" onClick={() => copyAccessUrl(selectedSend)}>
+                  <Copy size={14} className="btn-icon" /> {t('txt_copy_link')}
+                </button>
+                <button type="button" className="btn btn-secondary small" onClick={() => { setDraft(draftFromSend(selectedSend)); setIsCreating(false); setIsEditing(true); }}>
+                  <Pencil size={14} className="btn-icon" /> {t('txt_edit')}
+                </button>
+              </div>
+              <button type="button" className="btn btn-danger small detail-delete-btn" disabled={busy} onClick={() => void removeSend(selectedSend)}>
+                <Trash2 size={14} className="btn-icon" /> {t('txt_delete')}
+              </button>
+            </div>
+          </div>
+        )}
+      </section>
+    </div>
+  );
+}
@@ -0,0 +1,233 @@
+import { useEffect, useMemo, useState } from 'preact/hooks';
+import { Clipboard, KeyRound, RefreshCw, ShieldCheck, ShieldOff } from 'lucide-preact';
+import { copyTextToClipboard } from '@/lib/clipboard';
+import qrcode from 'qrcode-generator';
+import type { Profile } from '@/lib/types';
+import { t } from '@/lib/i18n';
+
+interface SettingsPageProps {
+  profile: Profile;
+  totpEnabled: boolean;
+  onChangePassword: (currentPassword: string, nextPassword: string, nextPassword2: string) => Promise<void>;
+  onSavePasswordHint: (masterPasswordHint: string) => Promise<void>;
+  onEnableTotp: (secret: string, token: string) => Promise<void>;
+  onOpenDisableTotp: () => void;
+  onGetRecoveryCode: (masterPassword: string) => Promise<string>;
+  onNotify?: (type: 'success' | 'error', text: string) => void;
+}
+
+function randomBase32Secret(length: number): string {
+  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+  let out = '';
+  const maxUnbiasedByte = Math.floor(256 / alphabet.length) * alphabet.length;
+  while (out.length < length) {
+    const random = crypto.getRandomValues(new Uint8Array(length));
+    for (const x of random) {
+      if (x >= maxUnbiasedByte) continue;
+      out += alphabet[x % alphabet.length];
+      if (out.length >= length) break;
+    }
+  }
+  return out;
+}
+
+function buildOtpUri(email: string, secret: string): string {
+  const issuer = 'NodeWarden';
+  return `otpauth://totp/${encodeURIComponent(`${issuer}:${email}`)}?secret=${encodeURIComponent(secret)}&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=6&period=30`;
+}
+
+export default function SettingsPage(props: SettingsPageProps) {
+  const totpSecretStorageKey = `nodewarden.totp.secret.${props.profile.id}`;
+  const [currentPassword, setCurrentPassword] = useState('');
+  const [newPassword, setNewPassword] = useState('');
+  const [newPassword2, setNewPassword2] = useState('');
+  const [passwordHint, setPasswordHint] = useState(props.profile.masterPasswordHint || '');
+  const [secret, setSecret] = useState(() => localStorage.getItem(totpSecretStorageKey) || randomBase32Secret(32));
+  const [token, setToken] = useState('');
+  const [totpLocked, setTotpLocked] = useState(props.totpEnabled);
+  const [recoveryMasterPassword, setRecoveryMasterPassword] = useState('');
+  const [recoveryCode, setRecoveryCode] = useState('');
+
+  useEffect(() => {
+    if (!props.totpEnabled) {
+      setTotpLocked(false);
+      return;
+    }
+    setTotpLocked(true);
+  }, [props.totpEnabled]);
+
+  useEffect(() => {
+    setPasswordHint(props.profile.masterPasswordHint || '');
+  }, [props.profile.masterPasswordHint]);
+
+  const qrDataUrl = useMemo(() => {
+    const qr = qrcode(0, 'M');
+    qr.addData(buildOtpUri(props.profile.email, secret));
+    qr.make();
+    const svg = qr.createSvgTag({ scalable: true, margin: 0 });
+    return `data:image/svg+xml;charset=utf-8,${encodeURIComponent(svg)}`;
+  }, [props.profile.email, secret]);
+
+  async function enableTotp(): Promise<void> {
+    try {
+      await props.onEnableTotp(secret, token);
+      // Secret is now stored on the server; remove plaintext copy from localStorage.
+      localStorage.removeItem(totpSecretStorageKey);
+      setTotpLocked(true);
+    } catch {
+      // Keep inputs editable after a failed attempt.
+    }
+  }
+
+  async function loadRecoveryCode(): Promise<void> {
+    const code = await props.onGetRecoveryCode(recoveryMasterPassword);
+    setRecoveryCode(code);
+    props.onNotify?.('success', t('txt_recovery_code_loaded'));
+  }
+
+  return (
+    <div className="stack">
+      <section className="card">
+        <h3>{t('txt_profile')}</h3>
+        <label className="field">
+          <span>{t('txt_password_hint_optional')}</span>
+          <input
+            className="input"
+            maxLength={120}
+            value={passwordHint}
+            placeholder={t('txt_password_hint_placeholder')}
+            onInput={(e) => setPasswordHint((e.currentTarget as HTMLInputElement).value)}
+          />
+          <div className="field-help">{t('txt_password_hint_register_help')}</div>
+        </label>
+        <button
+          type="button"
+          className="btn btn-secondary"
+          onClick={() => void props.onSavePasswordHint(passwordHint)}
+        >
+          {t('txt_save_profile')}
+        </button>
+      </section>
+
+      <section className="card">
+        <h3>{t('txt_change_master_password')}</h3>
+        <label className="field">
+          <span>{t('txt_current_password')}</span>
+          <input
+            className="input"
+            type="password"
+            value={currentPassword}
+            onInput={(e) => setCurrentPassword((e.currentTarget as HTMLInputElement).value)}
+          />
+        </label>
+        <div className="field-grid">
+          <label className="field">
+            <span>{t('txt_new_password')}</span>
+            <input className="input" type="password" value={newPassword} onInput={(e) => setNewPassword((e.currentTarget as HTMLInputElement).value)} />
+          </label>
+          <label className="field">
+            <span>{t('txt_confirm_password')}</span>
+            <input className="input" type="password" value={newPassword2} onInput={(e) => setNewPassword2((e.currentTarget as HTMLInputElement).value)} />
+          </label>
+        </div>
+        <button
+          type="button"
+          className="btn btn-danger"
+          onClick={() => void props.onChangePassword(currentPassword, newPassword, newPassword2)}
+        >
+          <KeyRound size={14} className="btn-icon" />
+          {t('txt_change_password')}
+        </button>
+      </section>
+
+      <section className="card">
+        <div className="settings-twofactor-grid">
+          <div className="settings-subcard">
+            <h3>{t('txt_totp')}</h3>
+            {totpLocked && <div className="status-ok">{t('txt_totp_is_enabled_for_this_account')}</div>}
+            <div className="totp-grid">
+              <div className="totp-qr">
+                <img src={qrDataUrl} alt="TOTP QR" />
+              </div>
+              <div>
+                <div>
+                  <label className="field">
+                    <span>{t('txt_authenticator_key')}</span>
+                    <input className="input" value={secret} disabled={totpLocked} onInput={(e) => setSecret((e.currentTarget as HTMLInputElement).value.toUpperCase())} />
+                  </label>
+                  <label className="field">
+                    <span>{t('txt_verification_code')}</span>
+                    <input className="input" value={token} disabled={totpLocked} onInput={(e) => setToken((e.currentTarget as HTMLInputElement).value)} />
+                  </label>
+                  <div className="actions">
+                    <button type="button" className="btn btn-primary" disabled={totpLocked} onClick={() => void enableTotp()}>
+                      <ShieldCheck size={14} className="btn-icon" />
+                      {totpLocked ? t('txt_enabled') : t('txt_enable_totp')}
+                    </button>
+                    <button type="button" className="btn btn-secondary" disabled={totpLocked} onClick={() => setSecret(randomBase32Secret(32))}>
+                      <RefreshCw size={14} className="btn-icon" />
+                      {t('txt_regenerate')}
+                    </button>
+                    <button
+                      type="button"
+                      className="btn btn-secondary"
+                      disabled={totpLocked}
+                      onClick={() => {
+                        void copyTextToClipboard(secret, { successMessage: t('txt_secret_copied') });
+                      }}
+                    >
+                      <Clipboard size={14} className="btn-icon" />
+                      {t('txt_copy_secret')}
+                    </button>
+                  </div>
+                </div>
+              </div>
+            </div>
+            <button type="button" className="btn btn-danger" disabled={!totpLocked} onClick={props.onOpenDisableTotp}>
+              <ShieldOff size={14} className="btn-icon" />
+              {t('txt_disable_totp')}
+            </button>
+          </div>
+
+          <div className="settings-subcard">
+            <h3>{t('txt_recovery_code')}</h3>
+            <p className="muted-inline" style={{ marginBottom: 8 }}>
+              {t('txt_this_is_a_one_time_code_after_it_is_used_a_new_code_is_generated_automatically')}
+            </p>
+            <label className="field">
+              <span>{t('txt_master_password')}</span>
+              <input
+                className="input"
+                type="password"
+                value={recoveryMasterPassword}
+                onInput={(e) => setRecoveryMasterPassword((e.currentTarget as HTMLInputElement).value)}
+              />
+            </label>
+            <div className="actions">
+              <button type="button" className="btn btn-secondary" onClick={() => void loadRecoveryCode()}>
+                <ShieldCheck size={14} className="btn-icon" />
+                {t('txt_view_recovery_code')}
+              </button>
+              <button
+                type="button"
+                className="btn btn-secondary"
+                disabled={!recoveryCode}
+                onClick={() => {
+                  void copyTextToClipboard(recoveryCode, { successMessage: t('txt_recovery_code_copied') });
+                }}
+              >
+                <Clipboard size={14} className="btn-icon" />
+                {t('txt_copy_code')}
+              </button>
+            </div>
+            {recoveryCode && (
+              <div className="card" style={{ marginTop: 10, marginBottom: 0 }}>
+                <div style={{ fontWeight: 800, letterSpacing: '0.08em' }}>{recoveryCode}</div>
+              </div>
+            )}
+          </div>
+        </div>
+      </section>
+    </div>
+  );
+}
@@ -0,0 +1,33 @@
+import type { ComponentChildren } from 'preact';
+import { APP_VERSION } from '@shared/app-version';
+
+interface StandalonePageFrameProps {
+  title: string;
+  children: ComponentChildren;
+}
+
+export default function StandalonePageFrame(props: StandalonePageFrameProps) {
+  return (
+    <div className="standalone-shell">
+      <div className="standalone-brand standalone-brand-outside">
+        <img src="/logo-64.png" alt="NodeWarden logo" className="standalone-brand-logo" />
+        <div>
+          <div className="standalone-brand-title">NodeWarden</div>
+        </div>
+      </div>
+
+      <div className="auth-card">
+        <h1 className="standalone-title">{props.title}</h1>
+        {props.children}
+      </div>
+
+      <div className="standalone-footer">
+        <a href="https://github.com/shuaiplus/NodeWarden" target="_blank" rel="noreferrer">NodeWarden Repository</a>
+        <span> | </span>
+        <a href="https://github.com/shuaiplus" target="_blank" rel="noreferrer">Author: @shuaiplus</a>
+        <span> | </span>
+        <span className="standalone-version">v{APP_VERSION}</span>
+      </div>
+    </div>
+  );
+}
@@ -0,0 +1,29 @@
+interface ThemeSwitchProps {
+  checked: boolean;
+  title: string;
+  onToggle: () => void;
+}
+
+export default function ThemeSwitch(props: ThemeSwitchProps) {
+  return (
+    <div className="theme-switch-wrap" title={props.title}>
+      <label className="theme-switch" aria-label={props.title}>
+        <span className="sun" aria-hidden="true">
+          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
+            <g fill="#ffd43b">
+              <circle r={5} cy={12} cx={12} />
+              <path d="m21 13h-1a1 1 0 0 1 0-2h1a1 1 0 0 1 0 2zm-17 0h-1a1 1 0 0 1 0-2h1a1 1 0 0 1 0 2zm13.66-5.66a1 1 0 0 1 -.66-.29 1 1 0 0 1 0-1.41l.71-.71a1 1 0 1 1 1.41 1.41l-.71.71a1 1 0 0 1 -.75.29zm-12.02 12.02a1 1 0 0 1 -.71-.29 1 1 0 0 1 0-1.41l.71-.66a1 1 0 0 1 1.41 1.41l-.71.71a1 1 0 0 1 -.7.24zm6.36-14.36a1 1 0 0 1 -1-1v-1a1 1 0 0 1 2 0v1a1 1 0 0 1 -1 1zm0 17a1 1 0 0 1 -1-1v-1a1 1 0 0 1 2 0v1a1 1 0 0 1 -1 1zm-5.66-14.66a1 1 0 0 1 -.7-.29l-.71-.71a1 1 0 0 1 1.41-1.41l.71.71a1 1 0 0 1 0 1.41 1 1 0 0 1 -.71.29zm12.02 12.02a1 1 0 0 1 -.7-.29l-.66-.71a1 1 0 0 1 1.36-1.36l.71.71a1 1 0 0 1 0 1.41 1 1 0 0 1 -.71.24z" />
+            </g>
+          </svg>
+        </span>
+        <span className="moon" aria-hidden="true">
+          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512">
+            <path d="m223.5 32c-123.5 0-223.5 100.3-223.5 224s100 224 223.5 224c60.6 0 115.5-24.2 155.8-63.4 5-4.9 6.3-12.5 3.1-18.7s-10.1-9.7-17-8.5c-9.8 1.7-19.8 2.6-30.1 2.6-96.9 0-175.5-78.8-175.5-176 0-65.8 36-123.1 89.3-153.3 6.1-3.5 9.2-10.5 7.7-17.3s-7.3-11.9-14.3-12.5c-6.3-.5-12.6-.8-19-.8z" />
+          </svg>
+        </span>
+        <input type="checkbox" className="theme-switch-input" checked={props.checked} onInput={props.onToggle} />
+        <span className="theme-switch-slider" />
+      </label>
+    </div>
+  );
+}
@@ -0,0 +1,23 @@
+import type { ToastMessage } from '@/lib/types';
+
+interface ToastHostProps {
+  toasts: ToastMessage[];
+  onClose: (id: string) => void;
+}
+
+export default function ToastHost({ toasts, onClose }: ToastHostProps) {
+  if (!toasts.length) return null;
+  return (
+    <ul className="toast-stack">
+      {toasts.map((toast) => (
+        <li key={toast.id} className={`toast-item ${toast.type}`}>
+          <div className="toast-text">{toast.text}</div>
+          <button type="button" className="toast-close" onClick={() => onClose(toast.id)}>
+            x
+          </button>
+          <div className="toast-progress" />
+        </li>
+      ))}
+    </ul>
+  );
+}
@@ -0,0 +1,333 @@
+import { useEffect, useMemo, useRef, useState } from 'preact/hooks';
+import { Clipboard, Globe, GripVertical } from 'lucide-preact';
+import {
+  closestCenter,
+  DndContext,
+  type DragEndEvent,
+  PointerSensor,
+  TouchSensor,
+  useSensor,
+  useSensors,
+} from '@dnd-kit/core';
+import {
+  arrayMove,
+  rectSortingStrategy,
+  SortableContext,
+  useSortable,
+} from '@dnd-kit/sortable';
+import { CSS } from '@dnd-kit/utilities';
+import { copyTextToClipboard as copyTextWithFeedback } from '@/lib/clipboard';
+import { calcTotpNow } from '@/lib/crypto';
+import { t } from '@/lib/i18n';
+import type { Cipher } from '@/lib/types';
+import { isCipherVisibleInNormalVault, websiteIconUrl } from '@/components/vault/vault-page-helpers';
+
+interface TotpCodesPageProps {
+  ciphers: Cipher[];
+  loading: boolean;
+  onNotify: (type: 'success' | 'error', text: string) => void;
+}
+
+const TOTP_PERIOD_SECONDS = 30;
+const TOTP_RING_RADIUS = 14;
+const TOTP_RING_CIRCUMFERENCE = 2 * Math.PI * TOTP_RING_RADIUS;
+const TOTP_ORDER_STORAGE_KEY = 'nodewarden.totp-order';
+const failedIconHosts = new Set<string>();
+
+function formatTotp(code: string): string {
+  if (!code) return code;
+  if (code.length === 5) return `${code.slice(0, 2)} ${code.slice(2)}`;
+  if (code.length < 6) return code;
+  return `${code.slice(0, 3)} ${code.slice(3, 6)}`;
+}
+
+function firstCipherUri(cipher: Cipher): string {
+  const uris = cipher.login?.uris || [];
+  for (const uri of uris) {
+    const raw = uri.decUri || uri.uri || '';
+    if (raw.trim()) return raw.trim();
+  }
+  return '';
+}
+
+function hostFromUri(uri: string): string {
+  if (!uri.trim()) return '';
+  try {
+    const normalized = /^https?:\/\//i.test(uri) ? uri : `https://${uri}`;
+    return new URL(normalized).hostname || '';
+  } catch {
+    return '';
+  }
+}
+
+function TotpListIcon({ cipher }: { cipher: Cipher }) {
+  const uri = firstCipherUri(cipher);
+  const host = hostFromUri(uri);
+  const [errored, setErrored] = useState(() => (host ? failedIconHosts.has(host) : false));
+  if (host && !errored) {
+    return (
+      <img
+        className="list-icon"
+        src={websiteIconUrl(host)}
+        alt=""
+        loading="lazy"
+        referrerPolicy="no-referrer"
+        onError={() => {
+          failedIconHosts.add(host);
+          setErrored(true);
+        }}
+      />
+    );
+  }
+  return (
+    <span className="list-icon-fallback">
+      <Globe size={18} />
+    </span>
+  );
+}
+
+interface SortableTotpRowProps {
+  cipher: Cipher;
+  live: { code: string; remain: number } | null;
+  onCopy: (value: string) => void;
+}
+
+function SortableTotpRow(props: SortableTotpRowProps) {
+  const { attributes, listeners, setActivatorNodeRef, setNodeRef, transform, transition, isDragging } = useSortable({
+    id: props.cipher.id,
+  });
+
+  const style = {
+    transform: CSS.Transform.toString(transform),
+    transition,
+  };
+
+  const name = props.cipher.decName || props.cipher.name || t('txt_no_name');
+  const username = props.cipher.login?.decUsername || '';
+
+  return (
+    <div ref={setNodeRef} style={style} className={`totp-code-row${isDragging ? ' is-dragging' : ''}`}>
+      <button
+        type="button"
+        ref={setActivatorNodeRef}
+        className="btn btn-secondary small totp-drag-btn"
+        title={t('txt_drag_to_reorder')}
+        aria-label={t('txt_drag_to_reorder')}
+        {...attributes}
+        {...listeners}
+      >
+        <GripVertical size={14} className="btn-icon" />
+      </button>
+      <div className="totp-code-info">
+        <div className="list-icon-wrap">
+          <TotpListIcon cipher={props.cipher} />
+        </div>
+        <div className="totp-code-meta">
+          <div className="totp-code-name" title={name}>{name}</div>
+          <div className="totp-code-username" title={username}>{username || t('txt_no_username')}</div>
+        </div>
+      </div>
+      <div className="totp-code-main">
+        <strong>{props.live ? formatTotp(props.live.code) : t('txt_text_3')}</strong>
+        <div
+          className="totp-timer"
+          title={t('txt_refresh_in_seconds_s', { seconds: props.live ? props.live.remain : 0 })}
+          aria-label={t('txt_refresh_in_seconds_s', { seconds: props.live ? props.live.remain : 0 })}
+        >
+          <svg viewBox="0 0 36 36" className="totp-ring" role="presentation" aria-hidden="true">
+            <circle className="totp-ring-track" cx="18" cy="18" r={TOTP_RING_RADIUS} />
+            <circle
+              className="totp-ring-progress"
+              cx="18"
+              cy="18"
+              r={TOTP_RING_RADIUS}
+              style={{
+                strokeDasharray: `${TOTP_RING_CIRCUMFERENCE} ${TOTP_RING_CIRCUMFERENCE}`,
+                strokeDashoffset: String(
+                  TOTP_RING_CIRCUMFERENCE -
+                    TOTP_RING_CIRCUMFERENCE *
+                      (Math.max(0, Math.min(TOTP_PERIOD_SECONDS, props.live?.remain ?? 0)) / TOTP_PERIOD_SECONDS)
+                ),
+              }}
+            />
+          </svg>
+          <span className="totp-timer-value">{props.live ? props.live.remain : 0}</span>
+        </div>
+        <button type="button" className="btn btn-secondary small totp-copy-btn" onClick={() => props.onCopy(props.live?.code || '')} aria-label={t('txt_copy')}>
+          <Clipboard size={14} className="btn-icon" />
+        </button>
+      </div>
+    </div>
+  );
+}
+
+export default function TotpCodesPage(props: TotpCodesPageProps) {
+  const [totpMap, setTotpMap] = useState<Record<string, { code: string; remain: number } | null>>({});
+  const [columnCount, setColumnCount] = useState(1);
+  const [orderedIds, setOrderedIds] = useState<string[]>(() => {
+    if (typeof window === 'undefined') return [];
+    try {
+      const parsed = JSON.parse(String(window.localStorage.getItem(TOTP_ORDER_STORAGE_KEY) || '[]'));
+      return Array.isArray(parsed) ? parsed.map((id) => String(id || '').trim()).filter(Boolean) : [];
+    } catch {
+      return [];
+    }
+  });
+  const listRef = useRef<HTMLDivElement | null>(null);
+  const hasLoadedTotpItemsRef = useRef(false);
+  const sensors = useSensors(
+    useSensor(PointerSensor, {
+      activationConstraint: {
+        distance: 6,
+      },
+    }),
+    useSensor(TouchSensor, {
+      activationConstraint: {
+        delay: 120,
+        tolerance: 8,
+      },
+    }),
+  );
+
+  async function copyToClipboard(value: string): Promise<void> {
+    await copyTextWithFeedback(value, { successMessage: t('txt_code_copied') });
+  }
+
+  const baseTotpItems = useMemo(
+    () =>
+      props.ciphers
+        .filter((cipher) => isCipherVisibleInNormalVault(cipher) && !!cipher.login?.decTotp)
+        .sort((a, b) => {
+          const nameA = (a.decName || a.name || '').trim().toLowerCase();
+          const nameB = (b.decName || b.name || '').trim().toLowerCase();
+          return nameA.localeCompare(nameB);
+        }),
+    [props.ciphers]
+  );
+
+  const totpItems = useMemo(() => {
+    if (!baseTotpItems.length) return [];
+    const orderMap = new Map(orderedIds.map((id, index) => [id, index]));
+    return [...baseTotpItems].sort((a, b) => {
+      const orderA = orderMap.get(a.id);
+      const orderB = orderMap.get(b.id);
+      if (orderA != null && orderB != null) return orderA - orderB;
+      if (orderA != null) return -1;
+      if (orderB != null) return 1;
+      const nameA = (a.decName || a.name || '').trim().toLowerCase();
+      const nameB = (b.decName || b.name || '').trim().toLowerCase();
+      return nameA.localeCompare(nameB);
+    });
+  }, [baseTotpItems, orderedIds]);
+
+  useEffect(() => {
+    if (!baseTotpItems.length) return;
+    hasLoadedTotpItemsRef.current = true;
+    const validIds = new Set(baseTotpItems.map((cipher) => cipher.id));
+    setOrderedIds((prev) => {
+      const filtered = prev.filter((id) => validIds.has(id));
+      const missing = baseTotpItems.map((cipher) => cipher.id).filter((id) => !filtered.includes(id));
+      const next = [...filtered, ...missing];
+      if (next.length === prev.length && next.every((id, index) => id === prev[index])) return prev;
+      return next;
+    });
+  }, [baseTotpItems]);
+
+  useEffect(() => {
+    if (typeof window === 'undefined') return;
+    if (!hasLoadedTotpItemsRef.current) return;
+    try {
+      window.localStorage.setItem(TOTP_ORDER_STORAGE_KEY, JSON.stringify(orderedIds));
+    } catch {
+      // ignore storage write failures
+    }
+  }, [orderedIds]);
+
+  useEffect(() => {
+    if (!totpItems.length) {
+      setTotpMap({});
+      return;
+    }
+    let stopped = false;
+    let timer = 0;
+    const tick = async () => {
+      const entries = await Promise.all(
+        totpItems.map(async (cipher) => {
+          try {
+            const next = await calcTotpNow(cipher.login?.decTotp || '');
+            return [cipher.id, next] as const;
+          } catch {
+            return [cipher.id, null] as const;
+          }
+        })
+      );
+      if (!stopped) setTotpMap(Object.fromEntries(entries));
+    };
+    void tick();
+    timer = window.setInterval(() => void tick(), 1000);
+    return () => {
+      stopped = true;
+      window.clearInterval(timer);
+    };
+  }, [totpItems]);
+
+  useEffect(() => {
+    const element = listRef.current;
+    if (!element) return;
+
+    const gap = 10;
+    const minCardWidth = 320;
+    const maxColumns = 4;
+
+    const updateColumns = () => {
+      const width = element.clientWidth;
+      if (!width) return;
+      const next = Math.max(1, Math.min(maxColumns, Math.floor((width + gap) / (minCardWidth + gap))));
+      setColumnCount(next);
+    };
+
+    updateColumns();
+    const observer = new ResizeObserver(() => updateColumns());
+    observer.observe(element);
+    return () => observer.disconnect();
+  }, []);
+
+  const handleDragEnd = (event: DragEndEvent) => {
+    const activeId = String(event.active.id);
+    const overId = event.over ? String(event.over.id) : null;
+    if (!overId || activeId === overId) return;
+    const fromIndex = orderedIds.indexOf(activeId);
+    const toIndex = orderedIds.indexOf(overId);
+    if (fromIndex === -1 || toIndex === -1 || fromIndex === toIndex) return;
+    setOrderedIds((prev) => arrayMove(prev, fromIndex, toIndex));
+  };
+
+  return (
+    <div className="totp-codes-page">
+      <div className="card">
+        <div className="section-head">
+          <h3 className="detail-title">{t('txt_verification_code')}</h3>
+        </div>
+        <div
+          ref={listRef}
+          className="totp-codes-list"
+          style={{ '--totp-columns': String(columnCount) } as Record<string, string>}
+        >
+          {!totpItems.length && !props.loading && <div className="empty">{t('txt_no_verification_codes')}</div>}
+          <DndContext sensors={sensors} collisionDetection={closestCenter} onDragEnd={handleDragEnd}>
+            <SortableContext items={totpItems.map((cipher) => cipher.id)} strategy={rectSortingStrategy}>
+              {totpItems.map((cipher) => (
+                <SortableTotpRow
+                  key={cipher.id}
+                  cipher={cipher}
+                  live={totpMap[cipher.id] || null}
+                  onCopy={(value) => void copyToClipboard(value)}
+                />
+              ))}
+            </SortableContext>
+          </DndContext>
+        </div>
+      </div>
+    </div>
+  );
+}
@@ -0,0 +1,524 @@
+import { CloudUpload, Save, Trash2 } from 'lucide-preact';
+import type {
+  BackupDestinationRecord,
+  E3BackupDestination,
+  RemoteBackupBrowserResponse,
+  WebDavBackupDestination,
+} from '@/lib/api/backup';
+import { COMMON_TIME_ZONES, getDestinationTypeLabel } from '@/lib/backup-center';
+import type { RecommendedProvider } from '@/lib/backup-recommendations';
+import { RemoteBackupBrowser } from './RemoteBackupBrowser';
+import { t } from '@/lib/i18n';
+import { BackupIncludeAttachmentsField } from './BackupIncludeAttachmentsField';
+
+const INTERVAL_HOUR_PRESETS = [1, 6, 12, 24];
+
+interface BackupDestinationDetailProps {
+  selectedRecommendedProvider: RecommendedProvider | null;
+  selectedDestination: BackupDestinationRecord | null;
+  selectedDestinationIsSaved: boolean;
+  canRunSelectedDestination: boolean;
+  canBrowseSelectedDestination: boolean;
+  disableWhileBusy: boolean;
+  loadingSettings: boolean;
+  savingSettings: boolean;
+  runningRemoteBackup: boolean;
+  availableTimeZones: string[];
+  remoteBrowser: RemoteBackupBrowserResponse | null;
+  remoteBrowserVisibleItems: RemoteBackupBrowserResponse['items'];
+  remoteBrowserCurrentPage: number;
+  remoteBrowserTotalPages: number;
+  loadingRemoteBrowser: boolean;
+  downloadingRemotePath: string;
+  downloadingRemotePercent: number | null;
+  restoringRemotePath: string;
+  deletingRemotePath: string;
+  onSaveSettings: () => void;
+  onToggleSchedule: () => void;
+  onRunRemoteBackup: () => void;
+  onPromptDeleteDestination: () => void;
+  onUpdateDestination: (mutator: (destination: BackupDestinationRecord) => BackupDestinationRecord) => void;
+  onRefreshRemoteBrowser: () => void;
+  onShowRemoteBrowserPath: (path: string) => void;
+  onDownloadRemoteBackup: (path: string) => void;
+  onRestoreRemoteBackup: (path: string) => void;
+  onPromptDeleteRemoteBackup: (path: string) => void;
+  onChangeRemoteBrowserPage: (page: number) => void;
+}
+
+function renderRecommendedProviderDetails(provider: RecommendedProvider) {
+  switch (provider.id) {
+    case 'koofr':
+      return (
+        <>
+          <div className="backup-recommendation-steps">
+            <div className="backup-recommendation-step">
+              <strong>1.</strong> {t('txt_backup_recommend_koofr_step_1')}
+            </div>
+            <div className="backup-recommendation-step">
+              <strong>2.</strong> {t('txt_backup_recommend_koofr_step_2_prefix')}{' '}
+              <a href={provider.passwordUrl} target="_blank" rel="noreferrer">{t('txt_backup_recommend_koofr_password_link')}</a>
+              {t('txt_backup_recommend_koofr_step_2_suffix')}
+            </div>
+            <div className="backup-recommendation-step">
+              <strong>3.</strong> {t('txt_backup_recommend_koofr_step_3')}
+            </div>
+            <div className="backup-recommendation-step">
+              <strong>4.</strong> {t('txt_backup_recommend_koofr_step_4')}
+            </div>
+            <div className="backup-recommendation-step">
+              <strong>5.</strong> {t('txt_backup_recommend_koofr_step_5_prefix')}{' '}
+              <a href={provider.storageUrl} target="_blank" rel="noreferrer">{t('txt_backup_recommend_koofr_storage_link')}</a>
+              {t('txt_backup_recommend_koofr_step_5_suffix')}
+            </div>
+          </div>
+          <div className="backup-recommendation-inline-note">{t('txt_backup_recommend_koofr_dav_intro')}</div>
+          <div className="backup-recommendation-dav-list">
+            <div className="backup-recommendation-dav-item">
+              <strong>{t('txt_backup_recommend_koofr_dav_self')}</strong>
+              <code>https://app.koofr.net/dav/Koofr</code>
+            </div>
+            <div className="backup-recommendation-dav-item">
+              <strong>Google Drive</strong>
+              <code>https://app.koofr.net/dav/Google Drive</code>
+            </div>
+            <div className="backup-recommendation-dav-item">
+              <strong>OneDrive</strong>
+              <code>https://app.koofr.net/dav/OneDrive</code>
+            </div>
+            <div className="backup-recommendation-dav-item">
+              <strong>Dropbox</strong>
+              <code>https://app.koofr.net/dav/Dropbox</code>
+            </div>
+          </div>
+        </>
+      );
+    case 'pcloud':
+      return (
+        <div className="backup-recommendation-steps">
+          <div className="backup-recommendation-step">
+            <strong>1.</strong> {t('txt_backup_recommend_pcloud_step_1')}
+          </div>
+          <div className="backup-recommendation-step">
+            <strong>2.</strong> {t('txt_backup_recommend_pcloud_step_2')}
+          </div>
+          <div className="backup-recommendation-step">
+            <strong>3.</strong> {t('txt_backup_recommend_pcloud_step_3')}
+          </div>
+        </div>
+      );
+    case 'infinicloud':
+      return (
+        <div className="backup-recommendation-steps">
+          <div className="backup-recommendation-step">
+            <strong>1.</strong> {t('txt_backup_recommend_infinicloud_step_1')}
+          </div>
+          <div className="backup-recommendation-step">
+            <strong>2.</strong> {t('txt_backup_recommend_infinicloud_step_2_prefix')}{' '}
+            <a href="https://infini-cloud.net/en/modules/mypage/usage/" target="_blank" rel="noreferrer">My Page</a>
+            {t('txt_backup_recommend_infinicloud_step_2_suffix')}
+          </div>
+          <div className="backup-recommendation-step">
+            <strong>3.</strong> {t('txt_backup_recommend_infinicloud_step_3')}
+          </div>
+          <div className="backup-recommendation-step">
+            <strong>4.</strong> {t('txt_backup_recommend_infinicloud_step_4')}
+          </div>
+        </div>
+      );
+  }
+}
+
+export function BackupDestinationDetail(props: BackupDestinationDetailProps) {
+  const timeZones = Array.from(new Set([
+    ...COMMON_TIME_ZONES,
+    ...props.availableTimeZones,
+  ]));
+
+  if (props.selectedRecommendedProvider) {
+    return (
+      <section className="backup-detail-panel">
+        <div className="backup-recommendation-card">
+          <div className="backup-recommendation-header">
+            <div>
+              <strong>{props.selectedRecommendedProvider.name}</strong>
+              <div className="backup-inline-note">
+                {props.selectedRecommendedProvider.id === 'infinicloud' ? t('txt_backup_recommend_infinicloud_summary')
+                  : props.selectedRecommendedProvider.id === 'koofr' ? t('txt_backup_recommend_koofr_summary')
+                    : t('txt_backup_recommend_pcloud_summary')}
+              </div>
+            </div>
+            <span className="backup-destination-type">{props.selectedRecommendedProvider.capacity}</span>
+          </div>
+          <div className="backup-recommendation-actions">
+            <a className="btn btn-primary small" href={props.selectedRecommendedProvider.signupUrl} target="_blank" rel="noreferrer">
+              {props.selectedRecommendedProvider.hasAffiliateLink ? t('txt_backup_recommend_open_signup_aff') : t('txt_backup_recommend_open_signup')}
+            </a>
+          </div>
+          {renderRecommendedProviderDetails(props.selectedRecommendedProvider)}
+        </div>
+      </section>
+    );
+  }
+
+  return (
+    <section className="backup-detail-panel">
+      <div className="section-head">
+        <h3>{t('txt_backup_destination_detail_title')}</h3>
+        {props.selectedDestination ? (
+          <div className="actions">
+            <button type="button" className="btn btn-primary small" disabled={props.loadingSettings || props.disableWhileBusy} onClick={props.onSaveSettings}>
+              <Save size={14} className="btn-icon" />
+              {props.savingSettings ? t('txt_backup_saving') : t('txt_backup_save_settings')}
+            </button>
+            <button type="button" className="btn btn-secondary small" disabled={props.loadingSettings || props.disableWhileBusy} onClick={props.onToggleSchedule}>
+              {props.selectedDestination.schedule.enabled ? t('txt_backup_disable_action') : t('txt_backup_enable_action')}
+            </button>
+            <button type="button" className="btn btn-secondary small" disabled={props.disableWhileBusy || !props.canRunSelectedDestination} onClick={props.onRunRemoteBackup}>
+              <CloudUpload size={14} className="btn-icon" />
+              {props.runningRemoteBackup ? t('txt_backup_running_now') : t('txt_backup_run_manual')}
+            </button>
+            <button type="button" className="btn btn-danger small" disabled={props.loadingSettings || props.disableWhileBusy} onClick={props.onPromptDeleteDestination}>
+              <Trash2 size={14} className="btn-icon" />
+              {t('txt_backup_delete_destination')}
+            </button>
+          </div>
+        ) : null}
+      </div>
+
+      {!props.selectedDestination ? (
+        <div className="backup-browser-empty">{t('txt_backup_select_destination')}</div>
+      ) : (
+        <>
+          <div className="backup-name-row">
+            <label className="field backup-name-field">
+              <span>{t('txt_backup_destination_name')}</span>
+              <input
+                className="input"
+                value={props.selectedDestination.name}
+                disabled={props.loadingSettings || props.disableWhileBusy}
+                onInput={(event) => props.onUpdateDestination((destination) => ({ ...destination, name: (event.currentTarget as HTMLInputElement).value }))}
+              />
+            </label>
+            <label className="field backup-type-field">
+              <span>{t('txt_backup_type')}</span>
+              <input className="input" value={getDestinationTypeLabel(props.selectedDestination.type)} disabled />
+            </label>
+          </div>
+
+          <div className="field-grid backup-detail-schedule-grid">
+            <label className="field">
+              <span>{t('txt_backup_interval_hours')}</span>
+              <div className="backup-interval-row">
+                <div className="backup-inline-suffix-wrap">
+                  <input
+                    className="input backup-inline-suffix-input"
+                    type="text"
+                    inputMode="numeric"
+                    pattern="[0-9]*"
+                    value={String(props.selectedDestination.schedule.intervalHours || 24)}
+                    disabled={props.loadingSettings || props.disableWhileBusy}
+                    onInput={(event) => {
+                      const raw = (event.currentTarget as HTMLInputElement).value.replace(/[^\d]/g, '');
+                      const value = Math.min(99, Math.max(1, Number(raw || 1)));
+                      props.onUpdateDestination((destination) => ({
+                        ...destination,
+                        schedule: {
+                          ...destination.schedule,
+                          intervalHours: value,
+                        },
+                      }));
+                    }}
+                  />
+                  <span className="backup-inline-suffix">{t('txt_backup_interval_hours_suffix')}</span>
+                </div>
+                <div className="backup-interval-presets" aria-label={t('txt_backup_interval_hours_presets')}>
+                  {INTERVAL_HOUR_PRESETS.map((preset) => {
+                    const active = preset === props.selectedDestination.schedule.intervalHours;
+                    return (
+                      <button
+                        key={preset}
+                        type="button"
+                        className={`backup-interval-preset${active ? ' active' : ''}`}
+                        disabled={props.loadingSettings || props.disableWhileBusy}
+                        onClick={() => props.onUpdateDestination((destination) => ({
+                          ...destination,
+                          schedule: {
+                            ...destination.schedule,
+                            intervalHours: preset,
+                          },
+                        }))}
+                      >
+                        {preset}
+                      </button>
+                    );
+                  })}
+                </div>
+              </div>
+            </label>
+            <label className="field">
+              <span>{t('txt_backup_start_time')}</span>
+              <input
+                className="input"
+                type="time"
+                step={300}
+                value={props.selectedDestination.schedule.startTime || '03:00'}
+                disabled={props.loadingSettings || props.disableWhileBusy}
+                onInput={(event) => props.onUpdateDestination((destination) => ({
+                  ...destination,
+                  schedule: {
+                    ...destination.schedule,
+                    startTime: (event.currentTarget as HTMLInputElement).value || '03:00',
+                  },
+                }))}
+              />
+            </label>
+            <label className="field">
+              <span>{t('txt_backup_timezone')}</span>
+              <select
+                className="input"
+                value={props.selectedDestination.schedule.timezone}
+                disabled={props.loadingSettings || props.disableWhileBusy}
+                onChange={(event) => props.onUpdateDestination((destination) => ({
+                  ...destination,
+                  schedule: {
+                    ...destination.schedule,
+                    timezone: (event.currentTarget as HTMLSelectElement).value,
+                  },
+                }))}
+              >
+                {timeZones.map((timezone) => (
+                  <option key={timezone} value={timezone}>{timezone}</option>
+                ))}
+              </select>
+            </label>
+            <label className="field">
+              <span>{t('txt_backup_retention_count')}</span>
+              <div className="backup-inline-suffix-wrap">
+                <input
+                  className="input backup-inline-suffix-input"
+                  type="text"
+                  inputMode="numeric"
+                  pattern="[0-9]*"
+                  value={props.selectedDestination.schedule.retentionCount === null ? '' : String(props.selectedDestination.schedule.retentionCount)}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  placeholder="30"
+                  onInput={(event) => {
+                    const nextValue = (event.currentTarget as HTMLInputElement).value.replace(/[^\d]/g, '').trim();
+                    props.onUpdateDestination((destination) => ({
+                      ...destination,
+                      schedule: {
+                        ...destination.schedule,
+                        retentionCount: nextValue ? Number(nextValue) : null,
+                      },
+                    }));
+                  }}
+                />
+                <span className="backup-inline-suffix">{t('txt_backup_retention_count_suffix')}</span>
+              </div>
+            </label>
+          </div>
+
+          <div className="backup-schedule-attachments-row">
+            <BackupIncludeAttachmentsField
+              checked={props.selectedDestination.includeAttachments}
+              disabled={props.loadingSettings || props.disableWhileBusy}
+              onChange={(checked) => props.onUpdateDestination((destination) => ({
+                ...destination,
+                includeAttachments: checked,
+              }))}
+            />
+          </div>
+
+          {props.selectedDestination.type === 'webdav' ? (
+            <div className="field-grid">
+              <label className="field field-span-2">
+                <span>{t('txt_backup_webdav_url')}</span>
+                <input
+                  className="input"
+                  value={(props.selectedDestination.destination as WebDavBackupDestination).baseUrl}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  placeholder="https://dav.example.com/remote.php/dav/files/admin"
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as WebDavBackupDestination),
+                      baseUrl: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+              <label className="field">
+                <span>{t('txt_backup_webdav_username')}</span>
+                <input
+                  className="input"
+                  value={(props.selectedDestination.destination as WebDavBackupDestination).username}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as WebDavBackupDestination),
+                      username: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+              <label className="field">
+                <span>{t('txt_backup_webdav_password')}</span>
+                <input
+                  className="input"
+                  type="password"
+                  value={(props.selectedDestination.destination as WebDavBackupDestination).password}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as WebDavBackupDestination),
+                      password: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+              <label className="field field-span-2">
+                <span>{t('txt_backup_webdav_path')}</span>
+                <input
+                  className="input"
+                  value={(props.selectedDestination.destination as WebDavBackupDestination).remotePath}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  placeholder="nodewarden/backups"
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as WebDavBackupDestination),
+                      remotePath: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+            </div>
+          ) : null}
+
+          {props.selectedDestination.type === 'e3' ? (
+            <div className="field-grid">
+              <label className="field field-span-2">
+                <span>{t('txt_backup_e3_endpoint')}</span>
+                <input
+                  className="input"
+                  value={(props.selectedDestination.destination as E3BackupDestination).endpoint}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  placeholder="https://s3.example.com"
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as E3BackupDestination),
+                      endpoint: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+              <label className="field">
+                <span>{t('txt_backup_e3_bucket')}</span>
+                <input
+                  className="input"
+                  value={(props.selectedDestination.destination as E3BackupDestination).bucket}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as E3BackupDestination),
+                      bucket: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+              <label className="field">
+                <span>{t('txt_backup_e3_region')}</span>
+                <input
+                  className="input"
+                  value={(props.selectedDestination.destination as E3BackupDestination).region}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  placeholder="auto"
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as E3BackupDestination),
+                      region: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+              <label className="field">
+                <span>{t('txt_backup_e3_access_key')}</span>
+                <input
+                  className="input"
+                  value={(props.selectedDestination.destination as E3BackupDestination).accessKeyId}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as E3BackupDestination),
+                      accessKeyId: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+              <label className="field">
+                <span>{t('txt_backup_e3_secret_key')}</span>
+                <input
+                  className="input"
+                  type="password"
+                  value={(props.selectedDestination.destination as E3BackupDestination).secretAccessKey}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as E3BackupDestination),
+                      secretAccessKey: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+              <label className="field field-span-2">
+                <span>{t('txt_backup_e3_path')}</span>
+                <input
+                  className="input"
+                  value={(props.selectedDestination.destination as E3BackupDestination).rootPath}
+                  disabled={props.loadingSettings || props.disableWhileBusy}
+                  placeholder="nodewarden/backups"
+                  onInput={(event) => props.onUpdateDestination((destination) => ({
+                    ...destination,
+                    destination: {
+                      ...(destination.destination as E3BackupDestination),
+                      rootPath: (event.currentTarget as HTMLInputElement).value,
+                    },
+                  }))}
+                />
+              </label>
+            </div>
+          ) : null}
+
+          <RemoteBackupBrowser
+            canBrowse={props.canBrowseSelectedDestination}
+            destinationIsSaved={props.selectedDestinationIsSaved}
+            disableWhileBusy={props.disableWhileBusy}
+            loadingRemoteBrowser={props.loadingRemoteBrowser}
+            remoteBrowser={props.remoteBrowser}
+            visibleItems={props.remoteBrowserVisibleItems}
+            currentPage={props.remoteBrowserCurrentPage}
+            totalPages={props.remoteBrowserTotalPages}
+            downloadingRemotePath={props.downloadingRemotePath}
+            downloadingRemotePercent={props.downloadingRemotePercent}
+            restoringRemotePath={props.restoringRemotePath}
+            deletingRemotePath={props.deletingRemotePath}
+            onRefresh={props.onRefreshRemoteBrowser}
+            onShowPath={props.onShowRemoteBrowserPath}
+            onDownload={props.onDownloadRemoteBackup}
+            onRestore={props.onRestoreRemoteBackup}
+            onPromptDelete={props.onPromptDeleteRemoteBackup}
+            onChangePage={props.onChangeRemoteBrowserPage}
+          />
+        </>
+      )}
+    </section>
+  );
+}
@@ -0,0 +1,70 @@
+import { Plus } from 'lucide-preact';
+import type { BackupDestinationRecord, BackupDestinationType } from '@/lib/api/backup';
+import { formatDateTime, getDestinationTypeLabel } from '@/lib/backup-center';
+import { t } from '@/lib/i18n';
+
+interface BackupDestinationSidebarProps {
+  destinations: BackupDestinationRecord[];
+  selectedDestinationId: string | null;
+  disableWhileBusy: boolean;
+  showAddChooser: boolean;
+  onSelectDestination: (destinationId: string) => void;
+  onToggleAddChooser: () => void;
+  onAddDestination: (type: BackupDestinationType) => void;
+}
+
+export function BackupDestinationSidebar(props: BackupDestinationSidebarProps) {
+  return (
+    <aside className="backup-destination-sidebar">
+      <div className="section-head">
+        <h3>{t('txt_backup_destinations_title')}</h3>
+      </div>
+
+      <div className="backup-destination-list">
+        {props.destinations.map((destination) => {
+          const isSelected = destination.id === props.selectedDestinationId;
+          const isScheduled = destination.schedule.enabled;
+          return (
+            <button
+              key={destination.id}
+              type="button"
+              className={`backup-destination-item ${isSelected ? 'active' : ''}`}
+              onClick={() => props.onSelectDestination(destination.id)}
+            >
+              <span className="backup-destination-top">
+                <span className="backup-destination-name">{destination.name || getDestinationTypeLabel(destination.type)}</span>
+                <span className="backup-destination-type">{getDestinationTypeLabel(destination.type)}</span>
+              </span>
+              <span className="backup-destination-meta">
+                {isScheduled ? t('txt_backup_destination_active_badge') : t('txt_backup_destination_idle_badge')}
+              </span>
+              <span className="backup-destination-meta">
+                {destination.runtime.lastSuccessAt
+                  ? t('txt_backup_destination_last_success', { time: formatDateTime(destination.runtime.lastSuccessAt) })
+                  : t('txt_backup_destination_never_run')}
+              </span>
+            </button>
+          );
+        })}
+      </div>
+
+      <div className="actions backup-destination-addbar">
+        <button type="button" className="btn btn-secondary small" disabled={props.disableWhileBusy} onClick={props.onToggleAddChooser}>
+          <Plus size={14} className="btn-icon" />
+          {t('txt_backup_add_destination')}
+        </button>
+      </div>
+
+      {props.showAddChooser ? (
+        <div className="backup-add-chooser">
+          <button type="button" className="btn btn-secondary small" onClick={() => props.onAddDestination('webdav')}>
+            {t('txt_backup_protocol_webdav')}
+          </button>
+          <button type="button" className="btn btn-secondary small" onClick={() => props.onAddDestination('e3')}>
+            {t('txt_backup_protocol_e3')}
+          </button>
+        </div>
+      ) : null}
+    </aside>
+  );
+}
@@ -0,0 +1,58 @@
+import { useEffect, useRef, useState } from 'preact/hooks';
+import { t } from '@/lib/i18n';
+
+interface BackupIncludeAttachmentsFieldProps {
+  checked: boolean;
+  disabled?: boolean;
+  showHelp?: boolean;
+  showLabel?: boolean;
+  onChange: (checked: boolean) => void;
+}
+
+export function BackupIncludeAttachmentsField(props: BackupIncludeAttachmentsFieldProps) {
+  const [open, setOpen] = useState(false);
+  const wrapRef = useRef<HTMLDivElement | null>(null);
+
+  useEffect(() => {
+    if (!open) return;
+
+    function handlePointerDown(event: PointerEvent) {
+      if (!wrapRef.current?.contains(event.target as Node)) {
+        setOpen(false);
+      }
+    }
+
+    document.addEventListener('pointerdown', handlePointerDown);
+    return () => document.removeEventListener('pointerdown', handlePointerDown);
+  }, [open]);
+
+  return (
+    <div className="backup-option-field">
+      <label className="backup-option-label">
+        <input
+          type="checkbox"
+          checked={props.checked}
+          disabled={props.disabled}
+          onInput={(event) => props.onChange((event.currentTarget as HTMLInputElement).checked)}
+        />
+        {props.showLabel !== false ? <span>{t('txt_backup_include_attachments')}</span> : null}
+      </label>
+      {props.showHelp !== false ? (
+        <div ref={wrapRef} className={`backup-help-wrap ${open ? 'open' : ''}`}>
+          <button
+            type="button"
+            className="backup-help-trigger"
+            aria-label={t('txt_backup_include_attachments_help_button')}
+            aria-expanded={open ? 'true' : 'false'}
+            onClick={() => setOpen((current) => !current)}
+          >
+            ?
+          </button>
+          <div className="backup-help-bubble" role="tooltip">
+            {t('txt_backup_include_attachments_help')}
+          </div>
+        </div>
+      ) : null}
+    </div>
+  );
+}
@@ -0,0 +1,101 @@
+import { Download, FileUp } from 'lucide-preact';
+import type { RecommendedProvider } from '@/lib/backup-recommendations';
+import { hasLinkedStorages } from '@/lib/backup-recommendations';
+import { t } from '@/lib/i18n';
+import { BackupIncludeAttachmentsField } from './BackupIncludeAttachmentsField';
+
+interface BackupOperationsSidebarProps {
+  disableWhileBusy: boolean;
+  exporting: boolean;
+  importing: boolean;
+  exportIncludeAttachments: boolean;
+  selectedProviderId: string | null;
+  recommendedWebDavProviders: RecommendedProvider[];
+  recommendedS3Providers: RecommendedProvider[];
+  onExport: () => void;
+  onImport: () => void;
+  onExportIncludeAttachmentsChange: (checked: boolean) => void;
+  onSelectProvider: (providerId: string) => void;
+}
+
+export function BackupOperationsSidebar(props: BackupOperationsSidebarProps) {
+  return (
+    <aside className="backup-operations-sidebar">
+      <div className="section-head">
+        <h3>{t('txt_backup_manual')}</h3>
+      </div>
+      <div className="backup-actions-stack">
+        <button type="button" className="btn btn-primary" disabled={props.disableWhileBusy} onClick={props.onExport}>
+          <Download size={14} className="btn-icon" />
+          {props.exporting ? t('txt_backup_exporting') : t('txt_backup_export')}
+        </button>
+        <BackupIncludeAttachmentsField
+          checked={props.exportIncludeAttachments}
+          disabled={props.disableWhileBusy}
+          showHelp={false}
+          onChange={props.onExportIncludeAttachmentsChange}
+        />
+        <button type="button" className="btn btn-secondary" disabled={props.disableWhileBusy} onClick={props.onImport}>
+          <FileUp size={14} className="btn-icon" />
+          {props.importing ? t('txt_backup_restoring') : t('txt_backup_import')}
+        </button>
+      </div>
+
+      <div className="backup-divider" />
+
+      <div className="section-head">
+        <h3>{t('txt_backup_recommend_title')}</h3>
+      </div>
+      <div className="backup-recommendation-group">
+        <h4 className="backup-recommendation-group-title">{t('txt_backup_recommend_group_webdav')}</h4>
+        <div className="backup-recommendation-list">
+          {props.recommendedWebDavProviders.map((provider) => (
+            <button
+              key={provider.id}
+              type="button"
+              className={`backup-destination-item ${props.selectedProviderId === provider.id ? 'active' : ''}`}
+              onClick={() => props.onSelectProvider(provider.id)}
+            >
+              <span className="backup-recommendation-row">
+                <span className="backup-destination-name">{provider.name}</span>
+                <span className="backup-destination-meta">{provider.capacity}</span>
+              </span>
+              {hasLinkedStorages(provider) && provider.linkedStorages.length ? (
+                <span className="backup-recommendation-linked">
+                  {provider.linkedStorages.map((storage) => (
+                    <span key={`${provider.id}-${storage.name}`} className="backup-recommendation-linked-item">
+                      <span>{storage.name}</span>
+                      <span>{storage.capacity}</span>
+                    </span>
+                  ))}
+                </span>
+              ) : null}
+            </button>
+          ))}
+        </div>
+      </div>
+      <div className="backup-recommendation-group">
+        <h4 className="backup-recommendation-group-title">{t('txt_backup_recommend_group_s3')}</h4>
+        {props.recommendedS3Providers.length ? (
+          <div className="backup-recommendation-list">
+            {props.recommendedS3Providers.map((provider) => (
+              <button
+                key={provider.id}
+                type="button"
+                className={`backup-destination-item ${props.selectedProviderId === provider.id ? 'active' : ''}`}
+                onClick={() => props.onSelectProvider(provider.id)}
+              >
+                <span className="backup-recommendation-row">
+                  <span className="backup-destination-name">{provider.name}</span>
+                  <span className="backup-destination-meta">{provider.capacity}</span>
+                </span>
+              </button>
+            ))}
+          </div>
+        ) : (
+          <div className="backup-browser-empty">{t('txt_backup_recommend_empty')}</div>
+        )}
+      </div>
+    </aside>
+  );
+}
@@ -0,0 +1,146 @@
+import { Download, FileArchive, FolderOpen, RefreshCw, RotateCcw, Trash2 } from 'lucide-preact';
+import type { RemoteBackupBrowserResponse } from '@/lib/api/backup';
+import { formatBytes, formatDateTime, isZipCandidate } from '@/lib/backup-center';
+import { t } from '@/lib/i18n';
+
+interface RemoteBackupBrowserProps {
+  canBrowse: boolean;
+  destinationIsSaved: boolean;
+  disableWhileBusy: boolean;
+  loadingRemoteBrowser: boolean;
+  remoteBrowser: RemoteBackupBrowserResponse | null;
+  visibleItems: RemoteBackupBrowserResponse['items'];
+  currentPage: number;
+  totalPages: number;
+  downloadingRemotePath: string;
+  downloadingRemotePercent: number | null;
+  restoringRemotePath: string;
+  deletingRemotePath: string;
+  onRefresh: () => void;
+  onShowPath: (path: string) => void;
+  onDownload: (path: string) => void;
+  onRestore: (path: string) => void;
+  onPromptDelete: (path: string) => void;
+  onChangePage: (page: number) => void;
+}
+
+export function RemoteBackupBrowser(props: RemoteBackupBrowserProps) {
+  const getDownloadLabel = (path: string) => {
+    if (props.downloadingRemotePath !== path) return t('txt_backup_remote_download');
+    return props.downloadingRemotePercent == null
+      ? t('txt_downloading')
+      : t('txt_downloading_percent', { percent: props.downloadingRemotePercent });
+  };
+
+  return (
+    <>
+      <div className="backup-divider" />
+
+      <div className="section-head">
+        <h3>{t('txt_backup_remote_title')}</h3>
+        {props.canBrowse ? (
+          <div className="actions">
+            <button type="button" className="btn btn-secondary small" disabled={props.loadingRemoteBrowser || props.disableWhileBusy} onClick={props.onRefresh}>
+              <RefreshCw size={14} className="btn-icon" />
+              {t('txt_backup_remote_refresh')}
+            </button>
+          </div>
+        ) : null}
+      </div>
+
+      {!props.destinationIsSaved ? (
+        <div className="backup-browser-empty">{t('txt_backup_remote_save_first')}</div>
+      ) : !props.remoteBrowser ? (
+        <div className="backup-browser-empty">{t('txt_backup_remote_cached_empty')}</div>
+      ) : (
+        <>
+          <div className="backup-browser-path">
+            <strong>{t('txt_backup_remote_current_path')}</strong>
+            <span>{props.remoteBrowser.currentPath ? `/${props.remoteBrowser.currentPath}` : '/'}</span>
+          </div>
+
+          <div className="actions backup-browser-nav">
+            <button type="button" className="btn btn-secondary small" disabled={props.loadingRemoteBrowser || props.disableWhileBusy} onClick={() => props.onShowPath('')}>
+              <FolderOpen size={14} className="btn-icon" />
+              {t('txt_backup_remote_root')}
+            </button>
+            <button
+              type="button"
+              className="btn btn-secondary small"
+              disabled={props.loadingRemoteBrowser || props.disableWhileBusy || props.remoteBrowser.parentPath === null}
+              onClick={() => props.onShowPath(props.remoteBrowser?.parentPath || '')}
+            >
+              <RotateCcw size={14} className="btn-icon" />
+              {t('txt_backup_remote_up')}
+            </button>
+          </div>
+
+          {props.loadingRemoteBrowser ? (
+            <div className="backup-browser-empty">{t('txt_backup_remote_loading')}</div>
+          ) : props.remoteBrowser.items.length ? (
+            <>
+              <div className="backup-browser-list">
+                {props.visibleItems.map((item) => (
+                  <div key={`${item.isDirectory ? 'd' : 'f'}:${item.path}`} className="backup-browser-row">
+                    <button
+                      type="button"
+                      className={`backup-browser-entry ${item.isDirectory ? 'dir' : 'file'}`}
+                      onClick={() => {
+                        if (item.isDirectory) props.onShowPath(item.path);
+                      }}
+                    >
+                      {item.isDirectory ? <FolderOpen size={16} className="btn-icon" /> : <FileArchive size={16} className="btn-icon" />}
+                      <span className="backup-browser-name">{item.name}</span>
+                    </button>
+                    <div className="backup-browser-meta">
+                      <span>{item.modifiedAt ? formatDateTime(item.modifiedAt) : t('txt_backup_remote_unknown_time')}</span>
+                      <span>{item.isDirectory ? t('txt_backup_remote_folder') : formatBytes(item.size)}</span>
+                    </div>
+                    <div className="actions backup-browser-actions">
+                      {item.isDirectory ? (
+                        <button type="button" className="btn btn-secondary small" onClick={() => props.onShowPath(item.path)}>
+                          <FolderOpen size={14} className="btn-icon" />
+                          {t('txt_backup_remote_open')}
+                        </button>
+                      ) : isZipCandidate(item) ? (
+                        <>
+                          <button type="button" className="btn btn-secondary small" disabled={props.disableWhileBusy || props.downloadingRemotePath === item.path} onClick={() => props.onDownload(item.path)}>
+                            <Download size={14} className="btn-icon" />
+                            {getDownloadLabel(item.path)}
+                          </button>
+                          <button type="button" className="btn btn-primary small" disabled={props.disableWhileBusy || props.restoringRemotePath === item.path} onClick={() => props.onRestore(item.path)}>
+                            <RotateCcw size={14} className="btn-icon" />
+                            {props.restoringRemotePath === item.path ? t('txt_backup_restoring') : t('txt_backup_remote_restore')}
+                          </button>
+                          <button type="button" className="btn btn-danger small" disabled={props.disableWhileBusy || props.deletingRemotePath === item.path} onClick={() => props.onPromptDelete(item.path)}>
+                            <Trash2 size={14} className="btn-icon" />
+                            {props.deletingRemotePath === item.path ? t('txt_backup_remote_deleting') : t('txt_delete')}
+                          </button>
+                        </>
+                      ) : null}
+                    </div>
+                  </div>
+                ))}
+              </div>
+              {props.totalPages > 1 ? (
+                <div className="backup-browser-pagination">
+                  <button type="button" className="btn btn-secondary small" disabled={props.currentPage <= 1} onClick={() => props.onChangePage(props.currentPage - 1)}>
+                    {t('txt_prev')}
+                  </button>
+                  <span className="backup-browser-page-indicator">
+                    {props.currentPage} / {props.totalPages}
+                  </span>
+                  <button type="button" className="btn btn-secondary small" disabled={props.currentPage >= props.totalPages} onClick={() => props.onChangePage(props.currentPage + 1)}>
+                    {t('txt_next')}
+                  </button>
+                </div>
+              ) : null}
+            </>
+          ) : (
+            <div className="backup-browser-empty">{t('txt_backup_remote_empty')}</div>
+          )}
+        </>
+      )}
+    </>
+  );
+}
--- a/Show More
+++ b/Show More