From 01c601f62a3d9a481cfd7396b68d8ff23dc3a648 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Fri, 1 Aug 2025 19:13:49 +0200
Subject: [PATCH 01/62] first commit

---
 examples/encrypted_chat/README.md             |    0
 examples/encrypted_chat/rust/Cargo.lock       | 3064 +++++++++++++++++
 examples/encrypted_chat/rust/Cargo.toml       |    3 +
 .../encrypted_chat/rust/backend/Cargo.toml    |   31 +
 .../encrypted_chat/rust/backend/backend.did   |   32 +
 .../encrypted_chat/rust/backend/src/lib.rs    |  820 +++++
 .../encrypted_chat/rust/backend/src/types.rs  |  314 ++
 .../rust/backend/tests/direct_chat.rs         | 1160 +++++++
 .../rust/backend/tests/group_chat.rs          | 1427 ++++++++
 .../encrypted_chat/rust/backend/tests/misc.rs |   22 +
 examples/encrypted_chat/rust/dfx.json         |   48 +
 .../encrypted_chat/rust/rust-toolchain.toml   |    1 +
 12 files changed, 6922 insertions(+)
 create mode 100644 examples/encrypted_chat/README.md
 create mode 100644 examples/encrypted_chat/rust/Cargo.lock
 create mode 100644 examples/encrypted_chat/rust/Cargo.toml
 create mode 100644 examples/encrypted_chat/rust/backend/Cargo.toml
 create mode 100644 examples/encrypted_chat/rust/backend/backend.did
 create mode 100644 examples/encrypted_chat/rust/backend/src/lib.rs
 create mode 100644 examples/encrypted_chat/rust/backend/src/types.rs
 create mode 100644 examples/encrypted_chat/rust/backend/tests/direct_chat.rs
 create mode 100644 examples/encrypted_chat/rust/backend/tests/group_chat.rs
 create mode 100644 examples/encrypted_chat/rust/backend/tests/misc.rs
 create mode 100644 examples/encrypted_chat/rust/dfx.json
 create mode 120000 examples/encrypted_chat/rust/rust-toolchain.toml

diff --git a/examples/encrypted_chat/README.md b/examples/encrypted_chat/README.md
new file mode 100644
index 00000000..e69de29b
diff --git a/examples/encrypted_chat/rust/Cargo.lock b/examples/encrypted_chat/rust/Cargo.lock
new file mode 100644
index 00000000..1f815cea
--- /dev/null
+++ b/examples/encrypted_chat/rust/Cargo.lock
@@ -0,0 +1,3064 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "addr2line"
+version = "0.24.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "android-tzdata"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
+
+[[package]]
+name = "android_system_properties"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "anyhow"
+version = "1.0.98"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"
+
+[[package]]
+name = "arrayvec"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23b62fc65de8e4e7f52534fb52b0f3ed04746ae267519eef2a83941e8085068b"
+
+[[package]]
+name = "atomic-waker"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "backoff"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b62ddb9cb1ec0a098ad4bbf9344d0713fa193ae1a80af55febcff2627b6a00c1"
+dependencies = [
+ "getrandom 0.2.16",
+ "instant",
+ "rand 0.8.5",
+]
+
+[[package]]
+name = "backtrace"
+version = "0.3.75"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002"
+dependencies = [
+ "addr2line",
+ "cfg-if",
+ "libc",
+ "miniz_oxide",
+ "object",
+ "rustc-demangle",
+ "windows-targets",
+]
+
+[[package]]
+name = "base64"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
+[[package]]
+name = "binread"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16598dfc8e6578e9b597d9910ba2e73618385dc9f4b1d43dd92c349d6be6418f"
+dependencies = [
+ "binread_derive",
+ "lazy_static",
+ "rustversion",
+]
+
+[[package]]
+name = "binread_derive"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d9672209df1714ee804b1f4d4f68c8eb2a90b1f7a07acf472f88ce198ef1fed"
+dependencies = [
+ "either",
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "bitflags"
+version = "2.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b8e56985ec62d17e9c1001dc89c88ecd7dc08e47eba5ec7c29c7b5eeecde967"
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43"
+
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
+[[package]]
+name = "bytes"
+version = "1.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
+
+[[package]]
+name = "candid"
+version = "0.10.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f9d90f5a1426d0489283a0bd5da9ed406fb3e69597e0d823dcb88a1965bb58d2"
+dependencies = [
+ "anyhow",
+ "binread",
+ "byteorder",
+ "candid_derive",
+ "hex",
+ "ic_principal",
+ "leb128",
+ "num-bigint",
+ "num-traits",
+ "paste",
+ "pretty",
+ "serde",
+ "serde_bytes",
+ "stacker",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "candid_derive"
+version = "0.6.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3de398570c386726e7a59d9887b68763c481477f9a043fb998a2e09d428df1a9"
+dependencies = [
+ "lazy_static",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "cc"
+version = "1.2.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "deec109607ca693028562ed836a5f1c4b8bd77755c4e132fc5ce11b0b6211ae7"
+dependencies = [
+ "shlex",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9555578bc9e57714c812a1f84e4fc5b4d21fcb063490c624de019f7464c91268"
+
+[[package]]
+name = "cfg_aliases"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
+
+[[package]]
+name = "chrono"
+version = "0.4.41"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c469d952047f47f91b68d1cba3f10d63c11d73e4636f24f08daf0278abf01c4d"
+dependencies = [
+ "android-tzdata",
+ "iana-time-zone",
+ "num-traits",
+ "serde",
+ "windows-link",
+]
+
+[[package]]
+name = "core-foundation"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crc32fast"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "crossbeam-channel"
+version = "0.5.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
+
+[[package]]
+name = "crypto-common"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "darling"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee"
+dependencies = [
+ "darling_core",
+ "darling_macro",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.20.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead"
+dependencies = [
+ "darling_core",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "data-encoding"
+version = "2.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476"
+
+[[package]]
+name = "deranged"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e"
+dependencies = [
+ "powerfmt",
+ "serde",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "dyn-clone"
+version = "1.0.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1c7a8fb8a9fbf66c1f703fe16184d10ca0ee9d23be5b4436400408ba54a95005"
+
+[[package]]
+name = "either"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "erased-serde"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c138974f9d5e7fe373eb04df7cae98833802ae4b11c24ac7039a21d5af4b26c"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "errno"
+version = "0.3.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "778e2ac28f6c47af28e4907f13ffd1e1ddbd400980a9abd7c8df189bf578a5ad"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "fastrand"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
+
+[[package]]
+name = "ff"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
+dependencies = [
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "flate2"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a3d7db9596fecd151c5f638c0ee5d5bd487b6e0ea232e5dc96d5250f6f94b1d"
+dependencies = [
+ "crc32fast",
+ "miniz_oxide",
+]
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "futures"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-io",
+ "futures-sink",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-channel"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+
+[[package]]
+name = "futures-executor"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
+dependencies = [
+ "futures-core",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-io"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "futures-sink"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+
+[[package]]
+name = "futures-task"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+
+[[package]]
+name = "futures-util"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-macro",
+ "futures-sink",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "wasi 0.11.1+wasi-snapshot-preview1",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "libc",
+ "r-efi",
+ "wasi 0.14.2+wasi-0.2.4",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "gimli"
+version = "0.31.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
+
+[[package]]
+name = "group"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+dependencies = [
+ "ff",
+ "rand_core 0.6.4",
+ "subtle",
+]
+
+[[package]]
+name = "h2"
+version = "0.4.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17da50a276f1e01e0ba6c029e47b7100754904ee8a278f886546e98575380785"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "http",
+ "indexmap 2.10.0",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "half"
+version = "1.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b43ede17f21864e81be2fa654110bf1e793774238d86ef8555c37e6519c0403"
+
+[[package]]
+name = "hashbrown"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
+
+[[package]]
+name = "hashbrown"
+version = "0.15.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5971ac85611da7067dbfcabef3c70ebb5606018acd9e2a3903a0da507521e0d5"
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "hkdf"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
+dependencies = [
+ "hmac",
+]
+
+[[package]]
+name = "hmac"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "http"
+version = "1.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565"
+dependencies = [
+ "bytes",
+ "fnv",
+ "itoa",
+]
+
+[[package]]
+name = "http-body"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
+dependencies = [
+ "bytes",
+ "http",
+]
+
+[[package]]
+name = "http-body-util"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "http",
+ "http-body",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "httparse"
+version = "1.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
+
+[[package]]
+name = "hyper"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cc2b571658e38e0c01b1fdca3bbbe93c00d3d71693ff2770043f8c29bc7d6f80"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "httparse",
+ "itoa",
+ "pin-project-lite",
+ "smallvec",
+ "tokio",
+ "want",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.27.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58"
+dependencies = [
+ "http",
+ "hyper",
+ "hyper-util",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-pki-types",
+ "tokio",
+ "tokio-rustls",
+ "tower-service",
+ "webpki-roots",
+]
+
+[[package]]
+name = "hyper-util"
+version = "0.1.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d9b05277c7e8da2c93a568989bb6207bef0112e8d17df7a6eda4a3cf143bc5e"
+dependencies = [
+ "base64 0.22.1",
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "http",
+ "http-body",
+ "hyper",
+ "ipnet",
+ "libc",
+ "percent-encoding",
+ "pin-project-lite",
+ "socket2 0.6.0",
+ "tokio",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "iana-time-zone"
+version = "0.1.63"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8"
+dependencies = [
+ "android_system_properties",
+ "core-foundation-sys",
+ "iana-time-zone-haiku",
+ "js-sys",
+ "log",
+ "wasm-bindgen",
+ "windows-core",
+]
+
+[[package]]
+name = "iana-time-zone-haiku"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "ic-cdk"
+version = "0.18.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db9cc3e0e86ee12504c749fa33793014f1f4d6956a8a70e4db595169c5f6ac26"
+dependencies = [
+ "candid",
+ "ic-cdk-executor",
+ "ic-cdk-macros",
+ "ic-error-types",
+ "ic-management-canister-types",
+ "ic0",
+ "serde",
+ "serde_bytes",
+ "slotmap",
+ "thiserror 2.0.12",
+]
+
+[[package]]
+name = "ic-cdk-executor"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15948808e3e7b50749fe50838df77fccaf048c8af2c26884ff5c8f787c29787a"
+dependencies = [
+ "slotmap",
+]
+
+[[package]]
+name = "ic-cdk-macros"
+version = "0.18.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b190cace2b141a5801252115bdc27397d47f086c928af3e917ce1da81b17e3cd"
+dependencies = [
+ "candid",
+ "darling",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "ic-certification"
+version = "3.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ffb40d73f9f8273dc6569a68859003bbd467c9dc6d53c6fd7d174742f857209d"
+dependencies = [
+ "hex",
+ "serde",
+ "serde_bytes",
+ "sha2",
+]
+
+[[package]]
+name = "ic-dummy-getrandom-for-wasm"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e16d0dde1892f34bc07df75d68137abdecef8effb819c5b1003ee31654a81b9e"
+dependencies = [
+ "getrandom 0.2.16",
+]
+
+[[package]]
+name = "ic-error-types"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbeeb3d91aa179d6496d7293becdacedfc413c825cac79fd54ea1906f003ee55"
+dependencies = [
+ "serde",
+ "strum 0.26.3",
+ "strum_macros 0.26.4",
+]
+
+[[package]]
+name = "ic-management-canister-types"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "98554c2d8a30c00b6bfda18062fdcef21215cad07a52d8b8b1eb3130e51bfe71"
+dependencies = [
+ "candid",
+ "serde",
+ "serde_bytes",
+]
+
+[[package]]
+name = "ic-stable-structures"
+version = "0.6.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d30d4cf17aff1024e13133897048bcba580e063c9000571ab766ca37e2996f4"
+dependencies = [
+ "ic_principal",
+]
+
+[[package]]
+name = "ic-stable-structures"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e54aeb082293c69def5ab34c70593ba85ff000386f7d0eacdf73514daaeca031"
+dependencies = [
+ "ic_principal",
+]
+
+[[package]]
+name = "ic-transport-types"
+version = "0.40.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2e7706e55836e8104c98149ec0796d20d5213fef972ac01b544657d410f1883"
+dependencies = [
+ "candid",
+ "hex",
+ "ic-certification",
+ "leb128",
+ "serde",
+ "serde_bytes",
+ "serde_cbor",
+ "serde_repr",
+ "sha2",
+ "thiserror 2.0.12",
+]
+
+[[package]]
+name = "ic-vetkeys"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d0fe4e1f361dea9b93841e428c00c6934eb5256ee9d35890db2fced4ac1a3c9"
+dependencies = [
+ "anyhow",
+ "candid",
+ "futures",
+ "hex",
+ "hkdf",
+ "ic-cdk",
+ "ic-cdk-macros",
+ "ic-stable-structures 0.6.9",
+ "ic_bls12_381",
+ "lazy_static",
+ "pairing",
+ "rand 0.8.5",
+ "rand_chacha 0.3.1",
+ "serde",
+ "serde_bytes",
+ "serde_cbor",
+ "serde_with",
+ "sha2",
+ "sha3",
+ "strum 0.27.2",
+ "strum_macros 0.27.2",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "ic-vetkeys-example-encrypted-chat-backend"
+version = "0.1.0"
+dependencies = [
+ "candid",
+ "ic-cdk",
+ "ic-cdk-macros",
+ "ic-dummy-getrandom-for-wasm",
+ "ic-stable-structures 0.7.0",
+ "ic-vetkeys",
+ "pocket-ic",
+ "rand 0.9.2",
+ "rand_chacha 0.9.0",
+ "serde",
+ "serde_bytes",
+ "serde_cbor",
+ "serde_with",
+]
+
+[[package]]
+name = "ic0"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8877193e1921b5fd16accb0305eb46016868cd1935b05c05eca0ec007b943272"
+
+[[package]]
+name = "ic_bls12_381"
+version = "0.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1e828f9e804ccefe4b9b15b2195f474c60fd4f95ccd14fcb554eb6d7dfafde3"
+dependencies = [
+ "digest",
+ "ff",
+ "group",
+ "pairing",
+ "rand_core 0.6.4",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "ic_principal"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1762deb6f7c8d8c2bdee4b6c5a47b60195b74e9b5280faa5ba29692f8e17429c"
+dependencies = [
+ "crc32fast",
+ "data-encoding",
+ "serde",
+ "sha2",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "icu_collections"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
+dependencies = [
+ "displaydoc",
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
+
+[[package]]
+name = "icu_properties"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
+dependencies = [
+ "displaydoc",
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "potential_utf",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
+
+[[package]]
+name = "icu_provider"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "stable_deref_trait",
+ "tinystr",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
+[[package]]
+name = "idna"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "indexmap"
+version = "1.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99"
+dependencies = [
+ "autocfg",
+ "hashbrown 0.12.3",
+ "serde",
+]
+
+[[package]]
+name = "indexmap"
+version = "2.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe4cd85333e22411419a0bcae1297d25e58c9443848b11dc6a86fefe8c78a661"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.15.4",
+ "serde",
+]
+
+[[package]]
+name = "instant"
+version = "0.1.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0242819d153cba4b4b05a5a8f2a7e9bbf97b6055b2a002b395c96b5ff3c0222"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "io-uring"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "libc",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
+
+[[package]]
+name = "iri-string"
+version = "0.7.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbc5ebe9c3a1a7a5127f920a418f7585e9e758e911d0466ed004f393b0e380b2"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
+
+[[package]]
+name = "js-sys"
+version = "0.3.77"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "keccak"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc2af9a1119c51f12a14607e783cb977bde58bc069ff0c3da1095e635d70654"
+dependencies = [
+ "cpufeatures",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+
+[[package]]
+name = "leb128"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "884e2677b40cc8c339eaefcb701c32ef1fd2493d71118dc0ca4b6a736c93bd67"
+
+[[package]]
+name = "libc"
+version = "0.2.174"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd945864f07fe9f5371a27ad7b52a172b4b499999f1d97574c9fa68373937e12"
+
+[[package]]
+name = "litemap"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
+
+[[package]]
+name = "lock_api"
+version = "0.4.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "96936507f153605bddfcda068dd804796c84324ed2510809e5b2a624c81da765"
+dependencies = [
+ "autocfg",
+ "scopeguard",
+]
+
+[[package]]
+name = "log"
+version = "0.4.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"
+
+[[package]]
+name = "lru-slab"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
+
+[[package]]
+name = "matchers"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8263075bb86c5a1b1427b5ae862e8889656f126e9f77c484496e8b47cf5c5558"
+dependencies = [
+ "regex-automata 0.1.10",
+]
+
+[[package]]
+name = "memchr"
+version = "2.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0"
+
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
+[[package]]
+name = "mime_guess"
+version = "2.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
+dependencies = [
+ "mime",
+ "unicase",
+]
+
+[[package]]
+name = "miniz_oxide"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+dependencies = [
+ "adler2",
+]
+
+[[package]]
+name = "mio"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c"
+dependencies = [
+ "libc",
+ "wasi 0.11.1+wasi-snapshot-preview1",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "nu-ansi-term"
+version = "0.46.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77a8165726e8236064dbb45459242600304b42a5ea24ee2948e18e023bf7ba84"
+dependencies = [
+ "overload",
+ "winapi",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+ "serde",
+]
+
+[[package]]
+name = "num-conv"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "object"
+version = "0.36.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+
+[[package]]
+name = "openssl-probe"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
+
+[[package]]
+name = "overload"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
+
+[[package]]
+name = "pairing"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81fec4625e73cf41ef4bb6846cafa6d44736525f442ba45e407c4a000a13996f"
+dependencies = [
+ "group",
+]
+
+[[package]]
+name = "parking_lot"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70d58bf43669b5795d1576d0641cfb6fbb2057bf629506267a92807158584a13"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc838d2a56b5b1a6c25f55575dfc605fabb63bb2365f6c2353ef9159aa69e4a5"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-targets",
+]
+
+[[package]]
+name = "paste"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
+
+[[package]]
+name = "percent-encoding"
+version = "2.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pocket-ic"
+version = "9.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e523c23bda9dc26ae989aab647b8bd805b54c72a3f2f00d668830d8b490c9c8"
+dependencies = [
+ "backoff",
+ "base64 0.13.1",
+ "candid",
+ "flate2",
+ "hex",
+ "ic-certification",
+ "ic-management-canister-types",
+ "ic-transport-types",
+ "reqwest",
+ "schemars 0.8.22",
+ "serde",
+ "serde_bytes",
+ "serde_cbor",
+ "serde_json",
+ "sha2",
+ "slog",
+ "strum 0.26.3",
+ "strum_macros 0.26.4",
+ "tempfile",
+ "thiserror 2.0.12",
+ "tokio",
+ "tracing",
+ "tracing-appender",
+ "tracing-subscriber",
+ "wslpath",
+]
+
+[[package]]
+name = "potential_utf"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
+dependencies = [
+ "zerovec",
+]
+
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "pretty"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac98773b7109bc75f475ab5a134c9b64b87e59d776d31098d8f346922396a477"
+dependencies = [
+ "arrayvec",
+ "typed-arena",
+ "unicode-width",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.95"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "02b3e5e68a3a1a02aad3ec490a98007cbc13c37cbe84a3cd7b8e406d76e7f778"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "psm"
+version = "0.1.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e944464ec8536cd1beb0bbfd96987eb5e3b72f2ecdafdc5c769a37f1fa2ae1f"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "quinn"
+version = "0.11.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "626214629cda6781b6dc1d316ba307189c85ba657213ce642d9c77670f8202c8"
+dependencies = [
+ "bytes",
+ "cfg_aliases",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2 0.5.10",
+ "thiserror 2.0.12",
+ "tokio",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49df843a9161c85bb8aae55f101bc0bac8bcafd637a620d9122fd7e0b2f7422e"
+dependencies = [
+ "bytes",
+ "getrandom 0.3.3",
+ "lru-slab",
+ "rand 0.9.2",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "rustls-pki-types",
+ "slab",
+ "thiserror 2.0.12",
+ "tinyvec",
+ "tracing",
+ "web-time",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcebb1209ee276352ef14ff8732e24cc2b02bbac986cd74a4c81bcb2f9881970"
+dependencies = [
+ "cfg_aliases",
+ "libc",
+ "once_cell",
+ "socket2 0.5.10",
+ "tracing",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.40"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha 0.3.1",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand"
+version = "0.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+dependencies = [
+ "rand_chacha 0.9.0",
+ "rand_core 0.9.3",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.6.4",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
+dependencies = [
+ "ppv-lite86",
+ "rand_core 0.9.3",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom 0.2.16",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.9.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
+dependencies = [
+ "getrandom 0.3.3",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5407465600fb0548f1442edf71dd20683c6ed326200ace4b1ef0763521bb3b77"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "ref-cast"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a0ae411dbe946a674d89546582cea4ba2bb8defac896622d6496f14c23ba5cf"
+dependencies = [
+ "ref-cast-impl",
+]
+
+[[package]]
+name = "ref-cast-impl"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1165225c21bff1f3bbce98f5a1f889949bc902d3575308cc7b0de30b4f6d27c7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "regex"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata 0.4.9",
+ "regex-syntax 0.8.5",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+dependencies = [
+ "regex-syntax 0.6.29",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax 0.8.5",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.6.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
+
+[[package]]
+name = "reqwest"
+version = "0.12.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cbc931937e6ca3a06e3b6c0aa7841849b160a90351d6ab467a8b9b9959767531"
+dependencies = [
+ "base64 0.22.1",
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-rustls",
+ "hyper-util",
+ "js-sys",
+ "log",
+ "mime_guess",
+ "percent-encoding",
+ "pin-project-lite",
+ "quinn",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-pki-types",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "tokio",
+ "tokio-rustls",
+ "tokio-util",
+ "tower",
+ "tower-http",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "wasm-streams",
+ "web-sys",
+ "webpki-roots",
+]
+
+[[package]]
+name = "ring"
+version = "0.17.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom 0.2.16",
+ "libc",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "rustc-demangle"
+version = "0.1.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56f7d92ca342cea22a06f2121d944b4fd82af56988c270852495420f961d4ace"
+
+[[package]]
+name = "rustc-hash"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
+
+[[package]]
+name = "rustix"
+version = "1.0.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11181fbabf243db407ef8df94a6ce0b2f9a733bd8be4ad02b4eda9602296cac8"
+dependencies = [
+ "bitflags",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "rustls"
+version = "0.23.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0ebcbd2f03de0fc1122ad9bb24b127a5a6cd51d72604a3f3c50ac459762b6cc"
+dependencies = [
+ "once_cell",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-native-certs"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7fcff2dd52b58a8d98a70243663a0d234c4e2b79235637849d15913394a247d3"
+dependencies = [
+ "openssl-probe",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79"
+dependencies = [
+ "web-time",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-webpki"
+version = "0.103.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0a17884ae0c1b773f1ccd2bd4a8c72f16da897310a98b0e84bf349ad5ead92fc"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d"
+
+[[package]]
+name = "ryu"
+version = "1.0.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f"
+
+[[package]]
+name = "schannel"
+version = "0.1.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f29ebaa345f945cec9fbbc532eb307f0fdad8161f281b6369539c8d84876b3d"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "schemars"
+version = "0.8.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3fbf2ae1b8bc8e02df939598064d22402220cd5bbcca1c76f7d6a310974d5615"
+dependencies = [
+ "dyn-clone",
+ "schemars_derive",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4cd191f9397d57d581cddd31014772520aa448f65ef991055d7f61582c65165f"
+dependencies = [
+ "dyn-clone",
+ "ref-cast",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "82d20c4491bc164fa2f6c5d44565947a52ad80b9505d8e36f8d54c27c739fcd0"
+dependencies = [
+ "dyn-clone",
+ "ref-cast",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars_derive"
+version = "0.8.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32e265784ad618884abaea0600a9adf15393368d840e0222d101a072f3f7534d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde_derive_internals",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "security-framework"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "271720403f46ca04f7ba6f55d438f8bd878d6b8ca0a1046e8228c4145bcbb316"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49db231d56a190491cb4aeda9527f1ad45345af50b0851622a7adb8c03b01c32"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "serde"
+version = "1.0.219"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_bytes"
+version = "0.11.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8437fd221bde2d4ca316d61b90e337e9e702b3820b87d63caa9ba6c02bd06d96"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "serde_cbor"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2bef2ebfde456fb76bbcf9f59315333decc4fda0b2b44b420243c11e0f5ec1f5"
+dependencies = [
+ "half",
+ "serde",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.219"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "serde_derive_internals"
+version = "0.29.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.141"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30b9eff21ebe718216c6ec64e1d9ac57087aad11efc64e32002bce4a0d4c03d3"
+dependencies = [
+ "itoa",
+ "memchr",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_repr"
+version = "0.1.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "175ee3e80ae9982737ca543e96133087cbd9a485eecc3bc4de9c1a37b47ea59c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_with"
+version = "3.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2c45cd61fefa9db6f254525d46e392b852e0e61d9a1fd36e5bd183450a556d5"
+dependencies = [
+ "base64 0.22.1",
+ "chrono",
+ "hex",
+ "indexmap 1.9.3",
+ "indexmap 2.10.0",
+ "schemars 0.9.0",
+ "schemars 1.0.4",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "serde_with_macros",
+ "time",
+]
+
+[[package]]
+name = "serde_with_macros"
+version = "3.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "de90945e6565ce0d9a25098082ed4ee4002e047cb59892c318d66821e14bb30f"
+dependencies = [
+ "darling",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sha3"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60"
+dependencies = [
+ "digest",
+ "keccak",
+]
+
+[[package]]
+name = "sharded-slab"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "signal-hook-registry"
+version = "1.4.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9203b8055f63a2a00e2f593bb0510367fe707d7ff1e5c872de2f537b339e5410"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "slab"
+version = "0.4.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04dc19736151f35336d325007ac991178d504a119863a2fcb3758cdb5e52c50d"
+
+[[package]]
+name = "slog"
+version = "2.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8347046d4ebd943127157b94d63abb990fcf729dc4e9978927fdf4ac3c998d06"
+dependencies = [
+ "erased-serde",
+]
+
+[[package]]
+name = "slotmap"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbff4acf519f630b3a3ddcfaea6c06b42174d9a44bc70c620e9ed1649d58b82a"
+dependencies = [
+ "version_check",
+]
+
+[[package]]
+name = "smallvec"
+version = "1.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+
+[[package]]
+name = "socket2"
+version = "0.5.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
+dependencies = [
+ "libc",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "socket2"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
+
+[[package]]
+name = "stacker"
+version = "0.1.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cddb07e32ddb770749da91081d8d0ac3a16f1a569a18b20348cd371f5dead06b"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "libc",
+ "psm",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "strum"
+version = "0.26.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06"
+dependencies = [
+ "strum_macros 0.26.4",
+]
+
+[[package]]
+name = "strum"
+version = "0.27.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af23d6f6c1a224baef9d3f61e287d2761385a5b88fdab4eb4c6f11aeb54c4bcf"
+
+[[package]]
+name = "strum_macros"
+version = "0.26.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "rustversion",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "strum_macros"
+version = "0.27.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7695ce3845ea4b33927c055a39dc438a45b059f7c1b3d91d38d10355fb8cbca7"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.104"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17b6f705963418cdb9927482fa304bc562ece2fdd4f616084c50b7023b435a40"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "sync_wrapper"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+dependencies = [
+ "futures-core",
+]
+
+[[package]]
+name = "synstructure"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "tempfile"
+version = "3.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8a64e3985349f2441a1a9ef0b853f869006c3855f2cda6862a94d26ebb9d6a1"
+dependencies = [
+ "fastrand",
+ "getrandom 0.3.3",
+ "once_cell",
+ "rustix",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "567b8a2dae586314f7be2a752ec7474332959c6460e02bde30d702a66d488708"
+dependencies = [
+ "thiserror-impl 2.0.12",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f7cf42b4507d8ea322120659672cf1b9dbb93f8f2d4ecfd6e51350ff5b17a1d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "thread_local"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "time"
+version = "0.3.41"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40"
+dependencies = [
+ "deranged",
+ "itoa",
+ "num-conv",
+ "powerfmt",
+ "serde",
+ "time-core",
+ "time-macros",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c"
+
+[[package]]
+name = "time-macros"
+version = "0.2.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
+[[package]]
+name = "tinystr"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
+[[package]]
+name = "tinyvec"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09b3661f17e86524eccd4371ab0429194e0d7c008abb45f7a7495b1719463c71"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
+[[package]]
+name = "tokio"
+version = "1.47.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43864ed400b6043a4757a25c7a64a8efde741aed79a056a2fb348a406701bb35"
+dependencies = [
+ "backtrace",
+ "bytes",
+ "io-uring",
+ "libc",
+ "mio",
+ "parking_lot",
+ "pin-project-lite",
+ "signal-hook-registry",
+ "slab",
+ "socket2 0.6.0",
+ "tokio-macros",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "tokio-macros"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "tokio-rustls"
+version = "0.26.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b"
+dependencies = [
+ "rustls",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-util"
+version = "0.7.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "66a539a9ad6d5d281510d5bd368c973d636c02dbf8a67300bfb6b950696ad7df"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "pin-project-lite",
+ "tokio",
+]
+
+[[package]]
+name = "tower"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
+dependencies = [
+ "futures-core",
+ "futures-util",
+ "pin-project-lite",
+ "sync_wrapper",
+ "tokio",
+ "tower-layer",
+ "tower-service",
+]
+
+[[package]]
+name = "tower-http"
+version = "0.6.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
+dependencies = [
+ "bitflags",
+ "bytes",
+ "futures-util",
+ "http",
+ "http-body",
+ "iri-string",
+ "pin-project-lite",
+ "tower",
+ "tower-layer",
+ "tower-service",
+]
+
+[[package]]
+name = "tower-layer"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
+
+[[package]]
+name = "tower-service"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
+
+[[package]]
+name = "tracing"
+version = "0.1.41"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0"
+dependencies = [
+ "pin-project-lite",
+ "tracing-attributes",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-appender"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3566e8ce28cc0a3fe42519fc80e6b4c943cc4c8cef275620eb8dac2d3d4e06cf"
+dependencies = [
+ "crossbeam-channel",
+ "thiserror 1.0.69",
+ "time",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "tracing-attributes"
+version = "0.1.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81383ab64e72a7a8b8e13130c49e3dab29def6d0c7d76a03087b3cf71c5c6903"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.34"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678"
+dependencies = [
+ "once_cell",
+ "valuable",
+]
+
+[[package]]
+name = "tracing-log"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
+dependencies = [
+ "log",
+ "once_cell",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-serde"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "704b1aeb7be0d0a84fc9828cae51dab5970fee5088f83d1dd7ee6f6246fc6ff1"
+dependencies = [
+ "serde",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-subscriber"
+version = "0.3.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008"
+dependencies = [
+ "matchers",
+ "nu-ansi-term",
+ "once_cell",
+ "regex",
+ "serde",
+ "serde_json",
+ "sharded-slab",
+ "smallvec",
+ "thread_local",
+ "time",
+ "tracing",
+ "tracing-core",
+ "tracing-log",
+ "tracing-serde",
+]
+
+[[package]]
+name = "try-lock"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
+
+[[package]]
+name = "typed-arena"
+version = "2.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6af6ae20167a9ece4bcb41af5b80f8a1f1df981f6391189ce00fd257af04126a"
+
+[[package]]
+name = "typenum"
+version = "1.18.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f"
+
+[[package]]
+name = "unicase"
+version = "2.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512"
+
+[[package]]
+name = "unicode-width"
+version = "0.1.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af"
+
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
+[[package]]
+name = "url"
+version = "2.5.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+]
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
+[[package]]
+name = "valuable"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "want"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
+dependencies = [
+ "try-lock",
+]
+
+[[package]]
+name = "wasi"
+version = "0.11.1+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
+
+[[package]]
+name = "wasi"
+version = "0.14.2+wasi-0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9683f9a5a998d873c0d21fcbe3c083009670149a8fab228644b8bd36b2c48cb3"
+dependencies = [
+ "wit-bindgen-rt",
+]
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "rustversion",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6"
+dependencies = [
+ "bumpalo",
+ "log",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.50"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "555d470ec0bc3bb57890405e5d4322cc9ea83cebb085523ced7be4144dac1e61"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "once_cell",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "wasm-streams"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15053d8d85c7eccdbefef60f06769760a563c7f0a9d6902a13d35c7800b0ad65"
+dependencies = [
+ "futures-util",
+ "js-sys",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+]
+
+[[package]]
+name = "web-sys"
+version = "0.3.77"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33b6dd2ef9186f1f2072e409e99cd22a975331a6b3591b12c764e0e55c60d5d2"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "web-time"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e8983c3ab33d6fb807cfcdad2491c4ea8cbc8ed839181c7dfd9c67c83e261b2"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "windows-core"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3"
+dependencies = [
+ "windows-implement",
+ "windows-interface",
+ "windows-link",
+ "windows-result",
+ "windows-strings",
+]
+
+[[package]]
+name = "windows-implement"
+version = "0.60.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "windows-interface"
+version = "0.59.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "windows-link"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a"
+
+[[package]]
+name = "windows-result"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
+ "windows_i686_gnullvm",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
+[[package]]
+name = "wit-bindgen-rt"
+version = "0.39.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "writeable"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
+
+[[package]]
+name = "wslpath"
+version = "0.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04a2ecdf2cc4d33a6a93d71bcfbc00bb1f635cdb8029a2cc0709204a045ec7a3"
+
+[[package]]
+name = "yoke"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
+dependencies = [
+ "serde",
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+ "synstructure",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.8.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1039dd0d3c310cf05de012d8a39ff557cb0d23087fd44cad61df08fc31907a2f"
+dependencies = [
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ecf5b4cc5364572d7f4c329661bcc82724222973f2cab6f050a4e5c22f75181"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+ "synstructure",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+dependencies = [
+ "zeroize_derive",
+]
+
+[[package]]
+name = "zeroize_derive"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
+[[package]]
+name = "zerotrie"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
diff --git a/examples/encrypted_chat/rust/Cargo.toml b/examples/encrypted_chat/rust/Cargo.toml
new file mode 100644
index 00000000..d1e49e31
--- /dev/null
+++ b/examples/encrypted_chat/rust/Cargo.toml
@@ -0,0 +1,3 @@
+[workspace]
+members = ["backend"]
+resolver = "2"
diff --git a/examples/encrypted_chat/rust/backend/Cargo.toml b/examples/encrypted_chat/rust/backend/Cargo.toml
new file mode 100644
index 00000000..ce056b7d
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/Cargo.toml
@@ -0,0 +1,31 @@
+[package]
+name = "ic-vetkeys-example-encrypted-chat-backend"
+authors = ["DFINITY Stiftung"]
+version = "0.1.0"
+edition = "2021"
+license = "Apache-2.0"
+description = "Encrypted Chat using vetKeys"
+repository = "https://github.com/dfinity/vetkeys"
+rust-version = "1.85.0"
+
+[lib]
+path = "src/lib.rs"
+crate-type = ["cdylib", "lib"]
+
+[dependencies]
+candid = "0.10.2"
+ic-cdk = "0.18.3"
+ic-cdk-macros = "0.18.3"
+ic-dummy-getrandom-for-wasm = "0.1.0"
+ic-stable-structures = "0.7.0"
+ic-vetkeys = "0.3.0"
+serde = "1.0.217"
+serde_bytes = "0.11.15"
+serde_cbor = "0.11.2"
+serde_with = "3.11.0"
+
+[dev-dependencies]
+ic-vetkeys = "0.3.0"
+pocket-ic = "9.0.2"
+rand_chacha = "0.9.0"
+rand = "0.9.2"
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
new file mode 100644
index 00000000..be7044ea
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -0,0 +1,32 @@
+type ChatId = variant {
+  Group : nat64;
+  Direct : record { principal; principal };
+};
+type EncryptedMessageMetadata = record {
+  vetkey_epoch : nat64;
+  sender : principal;
+  symmetric_key_epoch : nat64;
+  timestamp : nat64;
+};
+type Result = variant { Ok; Err : text };
+type Result_1 = variant { Ok : blob; Err : text };
+type UserMessage = record {
+  vetkey_epoch : nat64;
+  content : blob;
+  symmetric_key_epoch : nat64;
+  message_id : nat64;
+};
+service : (text) -> {
+  create_direct_chat : (principal, nat64) -> (Result);
+  create_group_chat : (vec principal, nat64) -> (Result);
+  derive_vetkey : (ChatId, opt nat64, blob) -> (Result_1);
+  get_all_messages : () -> (vec UserMessage) query;
+  get_messages : (ChatId, nat64) -> (vec UserMessage) query;
+  get_my_chat_ids : () -> (vec ChatId) query;
+  get_unread_inboxes : () -> (vec ChatId) query;
+  get_unread_message_metadata : (ChatId) -> (
+      vec EncryptedMessageMetadata,
+    ) query;
+  send_direct_message : (UserMessage, principal) -> (Result);
+  send_group_message : (UserMessage, principal) -> (Result);
+}
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
new file mode 100644
index 00000000..3119fdd9
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -0,0 +1,820 @@
+// TODOs:
+// * cache vetKey API and eventually encrypted maps
+// * vetKey resharing (vetKey API + storage)
+// * removal of expired messages and cache: if a vetKey epoch expires, we need to remove all associated messages, cache, and resharings. This can be done by a timer job.
+
+use candid::Principal;
+use ic_cdk::management_canister::{VetKDCurve, VetKDDeriveKeyArgs, VetKDKeyId, VetKDPublicKeyArgs};
+use ic_stable_structures::memory_manager::{MemoryId, MemoryManager, VirtualMemory};
+use ic_stable_structures::{
+    BTreeMap as StableBTreeMap, Cell as StableCell, DefaultMemoryImpl, Storable,
+};
+use std::cell::RefCell;
+
+pub mod types;
+use types::*;
+
+type Memory = VirtualMemory<DefaultMemoryImpl>;
+
+const NANOSECONDS_IN_MINUTE: u64 = 60_000_000_000;
+
+thread_local! {
+    static MEMORY_MANAGER: RefCell<MemoryManager<DefaultMemoryImpl>> =
+        RefCell::new(MemoryManager::init(DefaultMemoryImpl::default()));
+
+    static DIRECT_CHAT_MESSAGES: RefCell<StableBTreeMap<(DirectChatId, ChatMessageId), EncryptedMessage, Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(0))),
+    ));
+
+    static GROUP_CHAT_MESSAGES: RefCell<StableBTreeMap<(GroupChatId, ChatMessageId), EncryptedMessage, Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(1))),
+    ));
+
+    static GROUP_CHATS: RefCell<StableBTreeMap<GroupChatId, GroupChatMetadata, Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(2))),
+    ));
+
+    static CHAT_TO_MESSAGE_COUNTERS: RefCell<StableBTreeMap<ChatId, ChatMessageId, Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(3))),
+    ));
+
+    static SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID: RefCell<StableBTreeMap<(ChatId, Sender, SenderMessageId), (), Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(4))),
+    ));
+
+    static CHAT_TO_VETKEYS_METADATA: RefCell<StableBTreeMap<(ChatId, Time), VetKeyEpochMetadata, Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(5))),
+    ));
+
+    static CHAT_TO_MESSAGE_EXPIRY_SETTING: RefCell<StableBTreeMap<ChatId, Time, Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(6))),
+    ));
+
+    static EXPIRING_MESSAGES: RefCell<StableBTreeMap<Time, (ChatId, ChatMessageId), Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(7))),
+    ));
+
+    static EXPIRING_VETKEY_EPOCHS_CACHES: RefCell<StableBTreeMap<Time, (ChatId, Principal, VetKeyEpochId), Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(8))),
+    ));
+
+    static USER_TO_CHAT_MAP: RefCell<StableBTreeMap<(Principal, ChatId, VetKeyEpochId), (), Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(9))),
+    ));
+
+    static USER_SYMMETRIC_KEY_CACHE: RefCell<StableBTreeMap<(ChatId, VetKeyEpochId, Principal), SymmetricKeyEpochCache, Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(10))),
+    ));
+
+    static RESHARED_VETKEYS: RefCell<StableBTreeMap<(ChatId, Principal,VetKeyEpochId), IbeEncryptedVetKey, Memory>> = RefCell::new(StableBTreeMap::init(
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(11))),
+    ));
+
+    static VETKD_KEY_NAME: RefCell<StableCell<String, Memory>> =
+        RefCell::new(StableCell::init(MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(12))), String::new()));
+}
+
+pub static DOMAIN_SEPARATOR_VETKEY_ROTATION: &str = "vetkeys-example-encrypted-chat-ratchet";
+
+#[ic_cdk::init]
+fn init(key_name: String) {
+    VETKD_KEY_NAME.with(|name| {
+        name.borrow_mut().set(key_name);
+    });
+}
+
+#[ic_cdk::update]
+fn create_direct_chat(
+    receiver: Principal,
+    symmetric_key_rotation_duration_minutes: Time,
+    message_expiry_time_minutes: Time,
+) -> Result<Time, String> {
+    let caller = ic_cdk::api::msg_caller();
+    let chat_id = ChatId::Direct(DirectChatId::new((caller, receiver)));
+
+    if latest_vetkey_epoch_id(chat_id).is_some() {
+        return Err(format!("Chat {chat_id:?} already exists"));
+    }
+
+    let now = Time(ic_cdk::api::time());
+    const NANOSECONDS_IN_MINUTE: u64 = 60_000_000_000;
+
+    let symmetric_key_rotation_duration = Time(
+        symmetric_key_rotation_duration_minutes
+            .0
+            .checked_mul(NANOSECONDS_IN_MINUTE)
+            .ok_or(format!("Overflow: too symmetric key rotation time"))?,
+    );
+
+    let todo_remove_1 = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
+        let vetkey_epoch_metadata = VetKeyEpochMetadata {
+            epoch_id: VetKeyEpochId(0),
+            participants: vec![caller, receiver],
+            creation_timestamp: now,
+            symmetric_key_rotation_duration,
+        };
+        metadata.insert((chat_id, now), vetkey_epoch_metadata.clone())
+    });
+    assert!(todo_remove_1.is_none());
+
+    let todo_remove_2 = CHAT_TO_MESSAGE_COUNTERS
+        .with_borrow_mut(|counters| counters.insert(chat_id, ChatMessageId(0)));
+    assert!(todo_remove_2.is_none());
+
+    USER_TO_CHAT_MAP.with_borrow_mut(|map| {
+        let todo_remove_3 = map.insert((caller, chat_id, VetKeyEpochId(0)), ());
+        assert!(todo_remove_3.is_none());
+        let todo_remove_4 = map.insert((receiver, chat_id, VetKeyEpochId(0)), ());
+        if caller != receiver {
+            assert!(todo_remove_4.is_none());
+        }
+    });
+
+    let expiry_time_nanos = Time(
+        message_expiry_time_minutes
+            .0
+            .checked_mul(NANOSECONDS_IN_MINUTE)
+            .ok_or(format!("Overflow: too large expiry time"))?,
+    );
+
+    let todo_remove = CHAT_TO_MESSAGE_EXPIRY_SETTING
+        .with_borrow_mut(|expiry_settings| expiry_settings.insert(chat_id, expiry_time_nanos));
+
+    assert!(todo_remove.is_none());
+
+    Ok(now)
+}
+
+#[ic_cdk::update]
+fn create_group_chat(
+    other_participants: Vec<Principal>,
+    symmetric_key_rotation_duration_minutes: Time,
+    message_expiry_time_minutes: Time,
+) -> Result<GroupChatMetadata, String> {
+    let caller = ic_cdk::api::msg_caller();
+    let now = Time(ic_cdk::api::time());
+
+    let chat_id_u64 =
+        GROUP_CHATS.with_borrow(|chats| chats.last_key_value().map(|kv| kv.0 .0 + 1).unwrap_or(0));
+    let group_chat_id = GroupChatId(chat_id_u64);
+
+    let group_chat_metadata = GroupChatMetadata {
+        chat_id: group_chat_id,
+        creation_timestamp: now,
+    };
+
+    GROUP_CHATS.with_borrow_mut(|chats| {
+        let todo_remove = chats.insert(group_chat_id, group_chat_metadata);
+        assert!(todo_remove.is_none());
+    });
+
+    let chat_id = ChatId::Group(group_chat_id);
+
+    let mut participants: Vec<_> = [caller]
+        .into_iter()
+        .chain(other_participants.into_iter())
+        .collect();
+
+    participants.sort();
+
+    // ignore duplicates
+    participants.dedup();
+
+    let symmetric_key_rotation_duration = Time(
+        symmetric_key_rotation_duration_minutes
+            .0
+            .checked_mul(NANOSECONDS_IN_MINUTE)
+            .ok_or(format!("Overflow: too symmetric key rotation time"))?,
+    );
+
+    let todo_remove_1 = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
+        let vetkey_epoch_metadata = VetKeyEpochMetadata {
+            epoch_id: VetKeyEpochId(0),
+            participants: participants.clone(),
+            creation_timestamp: now,
+            symmetric_key_rotation_duration,
+        };
+        metadata.insert((chat_id, now), vetkey_epoch_metadata.clone())
+    });
+    assert!(todo_remove_1.is_none());
+
+    let todo_remove_2 = CHAT_TO_MESSAGE_COUNTERS
+        .with_borrow_mut(|counters| counters.insert(chat_id, ChatMessageId(0)));
+    assert!(todo_remove_2.is_none());
+
+    USER_TO_CHAT_MAP.with_borrow_mut(|map| {
+        for participant in participants.iter().copied() {
+            let todo_remove_3 = map.insert((participant, chat_id, VetKeyEpochId(0)), ());
+            assert!(todo_remove_3.is_none());
+        }
+    });
+
+    let expiry_time_nanos = Time(
+        message_expiry_time_minutes
+            .0
+            .checked_mul(NANOSECONDS_IN_MINUTE)
+            .ok_or(format!("Overflow: too large expiry time"))?,
+    );
+
+    let todo_remove = CHAT_TO_MESSAGE_EXPIRY_SETTING
+        .with_borrow_mut(|expiry_settings| expiry_settings.insert(chat_id, expiry_time_nanos));
+
+    assert!(todo_remove.is_none());
+
+    Ok(group_chat_metadata)
+}
+
+#[ic_cdk::update]
+async fn public_key(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> serde_bytes::ByteBuf {
+    let request = VetKDPublicKeyArgs {
+        canister_id: None,
+        context: ratchet_context(chat_id, vetkey_epoch_id),
+        key_id: key_id(),
+    };
+
+    let result = ic_cdk::management_canister::vetkd_public_key(&request)
+        .await
+        .expect("call to vetkd_derive_key failed");
+
+    result.public_key.into()
+}
+
+/// Derives a vetKey for an existing chat or creates a new one if the chat does not exist.
+///
+/// # Arguments
+/// * `chat_id`: The chat to derive a vetKey for.
+/// * `opt_vetkey_epoch`: The vetKey epoch to derive a vetKey for. If `None`, a new epoch is created.
+/// * `transport_key`: The transport key to derive a vetKey for.
+///
+/// # Errors
+/// * If the vetKey epoch has expired.
+/// * If the user does not have access to the chat or vetKey epoch.
+/// * If the user has already cached the key.
+#[ic_cdk::update]
+async fn derive_vetkey(
+    chat_id: ChatId,
+    opt_vetkey_epoch_id: Option<VetKeyEpochId>,
+    transport_key: serde_bytes::ByteBuf,
+) -> Result<serde_bytes::ByteBuf, String> {
+    let caller = ic_cdk::api::msg_caller();
+
+    let vetkey_epoch_id = opt_vetkey_epoch_id
+        .or_else(|| latest_vetkey_epoch_id(chat_id))
+        .ok_or_else(|| format!("No chat {chat_id:?} found"))?;
+
+    ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
+    ensure_user_has_no_cached_key_for_vetkey_epoch(caller, chat_id, vetkey_epoch_id)?;
+
+    let request = VetKDDeriveKeyArgs {
+        input: vec![],
+        context: ratchet_context(chat_id, vetkey_epoch_id),
+        key_id: key_id(),
+        transport_public_key: transport_key.into_vec(),
+    };
+
+    let result = ic_cdk::management_canister::vetkd_derive_key(&request)
+        .await
+        .expect("call to vetkd_derive_key failed");
+
+    Ok(result.encrypted_key.into())
+}
+
+#[ic_cdk::query]
+fn get_latest_chat_vetkey_epoch_metadata(chat_id: ChatId) -> Result<VetKeyEpochMetadata, String> {
+    let caller = ic_cdk::api::msg_caller();
+
+    let latest_epoch_metadata =
+        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
+    ensure_chat_and_vetkey_epoch_exist(chat_id, latest_epoch_metadata.epoch_id)?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
+
+    Ok(latest_epoch_metadata)
+}
+
+#[ic_cdk::update]
+fn rotate_chat_vetkey(chat_id: ChatId) -> Result<VetKeyEpochId, String> {
+    let caller: Principal = ic_cdk::api::msg_caller();
+    let now = Time(ic_cdk::api::time());
+
+    let latest_epoch_metadata =
+        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
+
+    let new_vetkey_epoch_id = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
+        let new_vetkey_epoch_id = VetKeyEpochId(latest_epoch_metadata.epoch_id.0 + 1);
+        let new_vetkey_epoch_metadata = VetKeyEpochMetadata {
+            epoch_id: new_vetkey_epoch_id,
+            creation_timestamp: now,
+            ..latest_epoch_metadata
+        };
+
+        for participant in new_vetkey_epoch_metadata.participants.iter().copied() {
+            USER_TO_CHAT_MAP.with_borrow_mut(|map| {
+                let todo_remove = map.insert((participant, chat_id, new_vetkey_epoch_id), ());
+                assert!(todo_remove.is_none());
+            });
+        }
+
+        let todo_remove = metadata.insert((chat_id, now), new_vetkey_epoch_metadata);
+        assert!(todo_remove.is_none());
+
+        clean_up_expired_vetkey_epochs(metadata, chat_id, now);
+
+        new_vetkey_epoch_id
+    });
+
+    Ok(new_vetkey_epoch_id)
+}
+
+#[ic_cdk::update]
+fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result<Time, String> {
+    let caller = ic_cdk::api::msg_caller();
+    let direct_chat_id = DirectChatId::new((caller, receiver));
+    let chat_id = ChatId::Direct(direct_chat_id);
+
+    ensure_chat_and_vetkey_epoch_exist(chat_id, user_message.vetkey_epoch)?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, user_message.vetkey_epoch)?;
+    ensure_latest_and_correct_vetkey_and_symmetric_key_epoch(
+        chat_id,
+        user_message.vetkey_epoch,
+        user_message.symmetric_key_epoch,
+    )?;
+    ensure_message_id_is_unique(chat_id, user_message.message_id)?;
+
+    let now = Time(ic_cdk::api::time());
+
+    let chat_message_id = CHAT_TO_MESSAGE_COUNTERS.with_borrow_mut(|counters| {
+        let chat_message_id = counters
+            .get(&chat_id)
+            .expect("bug: uninitialized chat message counter");
+        counters.insert(chat_id, ChatMessageId(chat_message_id.0 + 1));
+        chat_message_id
+    });
+
+    let stored_message = EncryptedMessage {
+        content: user_message.content,
+        metadata: EncryptedMessageMetadata {
+            sender: caller,
+            timestamp: now,
+            vetkey_epoch: user_message.vetkey_epoch,
+            symmetric_key_epoch: user_message.symmetric_key_epoch,
+            chat_message_id,
+        },
+    };
+
+    SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID.with_borrow_mut(|message_times| {
+        message_times.insert((chat_id, Sender(caller), user_message.message_id), ());
+    });
+
+    DIRECT_CHAT_MESSAGES.with_borrow_mut(|messages| {
+        messages.insert((direct_chat_id, chat_message_id), stored_message);
+    });
+
+    Ok(now)
+}
+
+#[ic_cdk::update]
+fn send_group_message(
+    user_message: UserMessage,
+    group_chat_id: GroupChatId,
+) -> Result<Time, String> {
+    let caller = ic_cdk::api::msg_caller();
+    let chat_id = ChatId::Group(group_chat_id);
+
+    ensure_chat_and_vetkey_epoch_exist(chat_id, user_message.vetkey_epoch)?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, user_message.vetkey_epoch)?;
+    ensure_latest_and_correct_vetkey_and_symmetric_key_epoch(
+        chat_id,
+        user_message.vetkey_epoch,
+        user_message.symmetric_key_epoch,
+    )?;
+    ensure_message_id_is_unique(chat_id, user_message.message_id)?;
+
+    let now = Time(ic_cdk::api::time());
+
+    let chat_message_id = CHAT_TO_MESSAGE_COUNTERS.with_borrow_mut(|counters| {
+        let chat_message_id = counters
+            .get(&chat_id)
+            .expect("bug: uninitialized chat message counter");
+        counters.insert(chat_id, ChatMessageId(chat_message_id.0 + 1));
+        chat_message_id
+    });
+
+    let stored_message = EncryptedMessage {
+        content: user_message.content,
+        metadata: EncryptedMessageMetadata {
+            sender: caller,
+            timestamp: now,
+            vetkey_epoch: user_message.vetkey_epoch,
+            symmetric_key_epoch: user_message.symmetric_key_epoch,
+            chat_message_id,
+        },
+    };
+
+    SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID.with_borrow_mut(|message_times| {
+        message_times.insert((chat_id, Sender(caller), user_message.message_id), ());
+    });
+
+    GROUP_CHAT_MESSAGES.with_borrow_mut(|messages| {
+        messages.insert((group_chat_id, chat_message_id), stored_message);
+    });
+
+    Ok(now)
+}
+
+#[ic_cdk::query]
+fn get_my_chat_ids() -> Vec<ChatId> {
+    let caller = ic_cdk::api::msg_caller();
+    USER_TO_CHAT_MAP.with_borrow(|map| {
+        map.keys_range((caller, ChatId::MIN_VALUE, VetKeyEpochId(0))..)
+            .take_while(|(user, _, _)| user == &caller)
+            .map(|(_, chat_id, _)| chat_id)
+            .collect()
+    })
+}
+
+/// Returns messages for a chat starting from a given message id.
+///
+/// # Arguments
+/// * `chat_id`: The chat to get messages for.
+/// * `message_id`: The message id to start from.
+/// * `limit`: The maximum number of messages to return.
+///
+/// # Notes
+/// * Does not fail if the chat does not exist or the user has no access -- returns empty vector instead.
+#[ic_cdk::query]
+fn get_some_messages_for_chat_starting_from(
+    chat_id: ChatId,
+    message_id: ChatMessageId,
+    limit: Option<u32>,
+) -> Vec<EncryptedMessage> {
+    let caller = ic_cdk::api::msg_caller();
+
+    match chat_id {
+        ChatId::Direct(direct_chat) => DIRECT_CHAT_MESSAGES.with_borrow(|messages| {
+            if direct_chat.0 == caller || direct_chat.1 == caller {
+                messages
+                    .range(&(direct_chat, message_id)..)
+                    .take_while(|kv| kv.key().0 == direct_chat)
+                    .map(|kv| kv.value())
+                    .filter(|message| {
+                        ensure_user_has_access_to_chat_at_epoch(
+                            caller,
+                            chat_id,
+                            message.metadata.vetkey_epoch,
+                        )
+                        .is_ok()
+                    })
+                    .take(limit.unwrap_or(u32::MAX) as usize)
+                    .collect()
+            } else {
+                vec![]
+            }
+        }),
+        ChatId::Group(group_chat) => GROUP_CHAT_MESSAGES.with_borrow(|messages| {
+            messages
+                .range(&(group_chat, message_id)..)
+                .take_while(|kv| kv.key().0 == group_chat)
+                .map(|kv| kv.value())
+                .filter(|message| {
+                    ensure_user_has_access_to_chat_at_epoch(
+                        caller,
+                        chat_id,
+                        message.metadata.vetkey_epoch,
+                    )
+                    .is_ok()
+                })
+                .take(limit.unwrap_or(u32::MAX) as usize)
+                .collect()
+        }),
+    }
+}
+
+fn ensure_latest_and_correct_vetkey_and_symmetric_key_epoch(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+    symmetric_key_epoch_id: SymmetricKeyEpochId,
+) -> Result<(), String> {
+    let latest_vetkey_epoch_metadata = latest_vetkey_epoch_metadata(chat_id)
+        .ok_or(format!("No vetkey epoch found for chat {chat_id:?}"))?;
+
+    if vetkey_epoch_id != latest_vetkey_epoch_metadata.epoch_id {
+        return Err(format!(
+            "Wrong vetKey epoch: expected {:?} but got {:?}",
+            latest_vetkey_epoch_metadata.epoch_id, vetkey_epoch_id
+        ));
+    }
+
+    let now = ic_cdk::api::time();
+    let creation = latest_vetkey_epoch_metadata.creation_timestamp.0;
+    let rotation: u64 = latest_vetkey_epoch_metadata
+        .symmetric_key_rotation_duration
+        .0;
+    let epoch_offset = rotation
+        .checked_mul(symmetric_key_epoch_id.0)
+        .ok_or(format!(
+            "Overflow: too large epoch id ({}) or rotation duration ({rotation})",
+            symmetric_key_epoch_id.0
+        ))?;
+    let epoch_start = creation.checked_add(epoch_offset).ok_or(format!(
+        "Overflow: too large creation date ({creation}) or epoch offset ({epoch_offset})"
+    ))?;
+    let epoch_end = epoch_start.checked_add(rotation).ok_or(format!(
+        "Overflow: too large epoch start ({epoch_start}) or rotation duration ({rotation})"
+    ))?;
+
+    if now < epoch_start {
+        return Err(format!(
+            "Wrong symmetric key epoch {:?} is not yet active, current time is {now} and epoch start is {epoch_start}",
+            symmetric_key_epoch_id.0
+        ));
+    }
+
+    if epoch_end <= now {
+        return Err(format!(
+            "Wrong symmetric key epoch: epoch {:?} is expired, current time is {now} and epoch end is {epoch_end}",
+            symmetric_key_epoch_id.0
+        ));
+    }
+    Ok(())
+}
+
+#[ic_cdk::update]
+fn update_symmetric_key_cache(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+    user_cache: SymmetricKeyEpochCache,
+) -> Result<(), String> {
+    let caller = ic_cdk::api::msg_caller();
+    ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
+    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
+
+    USER_SYMMETRIC_KEY_CACHE.with_borrow_mut(|caches| {
+        caches.insert((chat_id, vetkey_epoch_id, caller), user_cache);
+    });
+
+    Ok(())
+}
+
+#[ic_cdk::update]
+fn get_my_symmetric_key_cache(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<Option<SymmetricKeyEpochCache>, String> {
+    let caller = ic_cdk::api::msg_caller();
+    ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
+    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
+
+    Ok(USER_SYMMETRIC_KEY_CACHE
+        .with_borrow(|caches| caches.get(&(chat_id, vetkey_epoch_id, caller))))
+}
+
+#[ic_cdk::update]
+fn modify_group_chat_participants(
+    group_chat_id: GroupChatId,
+    group_modification: GroupModification,
+) -> Result<VetKeyEpochId, String> {
+    let caller = ic_cdk::api::msg_caller();
+    let now = Time(ic_cdk::api::time());
+    let chat_id = ChatId::Group(group_chat_id);
+
+    if group_modification.add_participants.is_empty()
+        && group_modification.remove_participants.is_empty()
+    {
+        return Err("No modifications provided".to_string());
+    }
+
+    let latest_epoch_metadata =
+        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
+
+    let vetkey_epoch_id = latest_epoch_metadata.epoch_id;
+
+    if vetkey_epoch_id != latest_epoch_metadata.epoch_id {
+        return Err(format!(
+            "Wrong vetKey epoch: expected {:?} but got {:?}",
+            latest_epoch_metadata.epoch_id, vetkey_epoch_id
+        ));
+    }
+
+    for participant in group_modification.add_participants.iter().copied() {
+        if latest_epoch_metadata.participants.contains(&participant) {
+            return Err(format!(
+                "Participant {participant} is already a member of the group chat and cannot be added"
+            ));
+        }
+    }
+
+    for participant in group_modification.remove_participants.iter().copied() {
+        if !latest_epoch_metadata.participants.contains(&participant) {
+            return Err(format!(
+                "Participant {participant} is not a member of the group chat and cannot be removed"
+            ));
+        }
+    }
+
+    let mut new_participants = latest_epoch_metadata.participants.clone();
+    new_participants.extend(group_modification.add_participants);
+    new_participants
+        .retain(|participant| !group_modification.remove_participants.contains(participant));
+    new_participants.sort();
+
+    let new_vetkey_epoch_id = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
+        let new_vetkey_epoch_id = VetKeyEpochId(latest_epoch_metadata.epoch_id.0 + 1);
+        let new_vetkey_epoch_metadata = VetKeyEpochMetadata {
+            epoch_id: new_vetkey_epoch_id,
+            creation_timestamp: now,
+            participants: new_participants,
+            symmetric_key_rotation_duration: latest_epoch_metadata.symmetric_key_rotation_duration,
+        };
+
+        for participant in new_vetkey_epoch_metadata.participants.iter().copied() {
+            USER_TO_CHAT_MAP.with_borrow_mut(|map| {
+                let todo_remove = map.insert((participant, chat_id, new_vetkey_epoch_id), ());
+                assert!(todo_remove.is_none());
+            });
+        }
+
+        for participant in group_modification.remove_participants.iter().copied() {
+            USER_TO_CHAT_MAP.with_borrow_mut(|map| {
+                let todo_remove = map.remove(&(participant, chat_id, vetkey_epoch_id));
+                assert!(todo_remove.is_some());
+            });
+        }
+
+        let todo_remove = metadata.insert((chat_id, now), new_vetkey_epoch_metadata);
+        assert!(todo_remove.is_none());
+
+        clean_up_expired_vetkey_epochs(metadata, chat_id, now);
+
+        new_vetkey_epoch_id
+    });
+
+    Ok(new_vetkey_epoch_id)
+}
+
+fn clean_up_expired_vetkey_epochs(
+    metadata: &mut StableBTreeMap<(ChatId, Time), VetKeyEpochMetadata, Memory>,
+    chat_id: ChatId,
+    now: Time,
+) {
+    let message_expiry_setting = CHAT_TO_MESSAGE_EXPIRY_SETTING
+        .with_borrow(|expiry_settings| expiry_settings.get(&chat_id))
+        .expect("bug: expiry should always exist for existing chats");
+
+    let expired_epochs: Vec<_> = metadata
+        .range((chat_id, Time(0))..)
+        .take_while(|metadata| {
+            (metadata.key().1 .0 + message_expiry_setting.0) < now.0 && metadata.key().0 == chat_id
+        })
+        .map(|metadata| metadata.value())
+        .collect();
+
+    for epoch in expired_epochs {
+        let todo_remove = metadata.remove(&(chat_id, epoch.creation_timestamp));
+        assert!(todo_remove.is_some());
+    }
+}
+
+fn ensure_user_has_access_to_chat_at_epoch(
+    user: Principal,
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<(), String> {
+    let result = USER_TO_CHAT_MAP.with_borrow(|chats| chats.get(&(user, chat_id, vetkey_epoch_id)));
+
+    result.ok_or(format!(
+        "User {} does not have access to chat {:?} at epoch {:?}",
+        user, chat_id, vetkey_epoch_id
+    ))
+}
+
+fn ensure_user_has_no_cached_key_for_vetkey_epoch(
+    user: Principal,
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<(), String> {
+    let cache_exists = USER_SYMMETRIC_KEY_CACHE
+        .with_borrow_mut(|caches| caches.contains_key(&(chat_id, vetkey_epoch_id, user)));
+    if cache_exists {
+        Err(format!(
+            "User {} already has a cached key for chat {:?} at vetkey epoch {:?}",
+            user, chat_id, vetkey_epoch_id
+        ))
+    } else {
+        Ok(())
+    }
+}
+
+fn ensure_chat_and_vetkey_epoch_exist(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<(), String> {
+    let _ = latest_vetkey_epoch_id(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
+
+    CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
+        metadata
+            .range(&(chat_id, Time(0))..)
+            .take_while(|metadata| metadata.key().0 == chat_id)
+            .filter(|metadata| metadata.value().epoch_id == vetkey_epoch_id)
+            .next()
+            .map(|_| ())
+            .ok_or(format!(
+                "vetKey epoch {vetkey_epoch_id:?} not found for chat {chat_id:?}"
+            ))
+    })
+}
+
+fn ensure_message_id_is_unique(
+    chat_id: ChatId,
+    sender_message_id: SenderMessageId,
+) -> Result<(), String> {
+    let caller = ic_cdk::api::msg_caller();
+    let maybe_existing_id = SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID
+        .with_borrow(|message_ids| message_ids.get(&(chat_id, Sender(caller), sender_message_id)));
+
+    match maybe_existing_id {
+        Some(_) => Err(format!(
+            "Message {sender_message_id:?} already exists for sender {caller} chat {chat_id:?}"
+        )),
+        None => Ok(()),
+    }
+}
+
+fn ensure_vetkey_epoch_did_not_expire(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<(), String> {
+    let now = ic_cdk::api::time();
+
+    let chat_message_expiry_setting =
+        CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
+            expiry_settings
+                .get(&chat_id)
+                .expect("bug: expiry should always exist for existing chats")
+        });
+
+    let opt_creation_timestamp = CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
+        metadata
+            .range(&(chat_id, Time(0))..)
+            .take_while(|metadata| metadata.key().0 == chat_id)
+            .filter(|metadata| metadata.value().epoch_id == vetkey_epoch_id)
+            .next()
+            .map(|metadata| metadata.value().creation_timestamp)
+    });
+
+    match opt_creation_timestamp {
+        Some(creation_timestamp) if now < creation_timestamp.0 + chat_message_expiry_setting.0 => {
+            Ok(())
+        }
+        _ => Err(format!("vetKey epoch {vetkey_epoch_id:?} expired",)),
+    }
+}
+
+fn latest_vetkey_epoch_id(chat_id: ChatId) -> Option<VetKeyEpochId> {
+    CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
+        metadata
+            .range(&(chat_id, Time(0))..)
+            .take_while(|metadata| metadata.key().0 == chat_id)
+            .last()
+            .map(|metadata| metadata.value().epoch_id)
+    })
+}
+
+fn latest_vetkey_epoch_metadata(chat_id: ChatId) -> Option<VetKeyEpochMetadata> {
+    CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
+        metadata
+            .range(&(chat_id, Time(0))..)
+            .take_while(|metadata| metadata.key().0 == chat_id)
+            .last()
+            .map(|metadata| metadata.value())
+    })
+}
+
+fn key_id() -> VetKDKeyId {
+    let name = VETKD_KEY_NAME.with(|name| name.borrow().get().clone());
+    VetKDKeyId {
+        curve: VetKDCurve::Bls12_381_G2,
+        name,
+    }
+}
+
+pub fn ratchet_context(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> Vec<u8> {
+    let chat_id_bytes = chat_id.to_bytes();
+    let mut context = vec![];
+
+    context.extend_from_slice(&[DOMAIN_SEPARATOR_VETKEY_ROTATION.as_bytes().len() as u8]);
+    context.extend_from_slice(DOMAIN_SEPARATOR_VETKEY_ROTATION.as_bytes());
+
+    context.extend_from_slice(&[chat_id_bytes.len() as u8]);
+    context.extend_from_slice(&chat_id_bytes);
+
+    context.extend_from_slice(&vetkey_epoch_id.0.to_le_bytes());
+
+    context
+}
+
+ic_cdk::export_candid!();
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
new file mode 100644
index 00000000..70bef960
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -0,0 +1,314 @@
+use candid::{CandidType, Principal};
+use ic_stable_structures::storable::{Bound, Storable};
+use serde::{Deserialize, Serialize};
+use std::borrow::Cow;
+
+macro_rules! storable_unbounded {
+    ($name:ident) => {
+        impl Storable for $name {
+            fn into_bytes(self) -> Vec<u8> {
+                serde_cbor::to_vec(&self).expect("failed to serialize")
+            }
+
+            fn to_bytes(&self) -> Cow<[u8]> {
+                Cow::Owned(serde_cbor::to_vec(self).expect("failed to serialize"))
+            }
+
+            fn from_bytes(bytes: Cow<[u8]>) -> Self {
+                serde_cbor::from_slice(&bytes).expect("failed to deserialize")
+            }
+
+            const BOUND: Bound = Bound::Unbounded;
+        }
+    };
+}
+
+macro_rules! storable_delegate {
+    ($name:ident, $t:ident) => {
+        impl Storable for $name {
+            fn to_bytes(&self) -> Cow<'_, [u8]> {
+                self.0.to_bytes()
+            }
+
+            fn into_bytes(self) -> Vec<u8> {
+                self.0.into_bytes()
+            }
+
+            fn from_bytes(bytes: Cow<[u8]>) -> Self {
+                $name($t::from_bytes(bytes))
+            }
+
+            const BOUND: Bound = $t::BOUND;
+        }
+    };
+}
+
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct EncryptedMessage {
+    pub content: Vec<u8>,
+    pub metadata: EncryptedMessageMetadata,
+}
+
+storable_unbounded!(EncryptedMessage);
+
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct EncryptedMessageMetadata {
+    pub sender: Principal,
+    /// timestamp when the message was received by the canister - determines the symmetric key epoch
+    pub timestamp: Time,
+    pub vetkey_epoch: VetKeyEpochId,
+    pub symmetric_key_epoch: SymmetricKeyEpochId,
+    pub chat_message_id: ChatMessageId,
+}
+
+impl Storable for EncryptedMessageMetadata {
+    fn to_bytes(&self) -> Cow<'_, [u8]> {
+        let mut bytes = Vec::new();
+        bytes.extend_from_slice(self.sender.as_slice());
+        bytes.extend_from_slice(&self.timestamp.0.to_le_bytes());
+        bytes.extend_from_slice(&self.vetkey_epoch.0.to_le_bytes());
+        bytes.extend_from_slice(&self.symmetric_key_epoch.0.to_le_bytes());
+        bytes.extend_from_slice(&self.chat_message_id.0.to_le_bytes());
+        Cow::Owned(bytes)
+    }
+
+    fn into_bytes(self) -> Vec<u8> {
+        self.to_bytes().into_owned()
+    }
+
+    #[inline]
+    fn from_bytes(bytes: Cow<[u8]>) -> Self {
+        let (sender_bytes, rest) = bytes.as_ref().split_at(Principal::MAX_LENGTH_IN_BYTES);
+        let sender = Principal::from_slice(sender_bytes);
+
+        let (timestamp_bytes, rest) = rest.split_at(8);
+        let timestamp = Time(u64::from_le_bytes(timestamp_bytes.try_into().unwrap()));
+
+        let (vetkey_epoch_bytes, rest) = rest.split_at(8);
+        let vetkey_epoch =
+            VetKeyEpochId(u64::from_le_bytes(vetkey_epoch_bytes.try_into().unwrap()));
+
+        let (symmetric_key_epoch_bytes, chat_message_id_bytes) = rest.split_at(8);
+        let symmetric_key_epoch = SymmetricKeyEpochId(u64::from_le_bytes(
+            symmetric_key_epoch_bytes.try_into().unwrap(),
+        ));
+
+        let chat_message_id = ChatMessageId(u64::from_le_bytes(
+            chat_message_id_bytes.try_into().unwrap(),
+        ));
+
+        Self {
+            sender,
+            timestamp,
+            vetkey_epoch,
+            symmetric_key_epoch,
+            chat_message_id,
+        }
+    }
+
+    const BOUND: Bound = Bound::Bounded {
+        max_size: Principal::MAX_LENGTH_IN_BYTES as u32 + 3 * 8,
+        is_fixed_size: false,
+    };
+}
+
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct UserMessage {
+    pub content: Vec<u8>,
+    pub vetkey_epoch: VetKeyEpochId,
+    pub symmetric_key_epoch: SymmetricKeyEpochId,
+    pub message_id: SenderMessageId,
+}
+
+storable_unbounded!(UserMessage);
+
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct SymmetricKeyEpochId(pub u64);
+
+storable_delegate!(SymmetricKeyEpochId, u64);
+
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct DirectChatId(pub(crate) Principal, pub(crate) Principal);
+
+impl Storable for DirectChatId {
+    fn to_bytes(&self) -> Cow<'_, [u8]> {
+        Cow::Owned(
+            self.0
+                .as_slice()
+                .iter()
+                .chain(self.1.as_slice().iter())
+                .cloned()
+                .collect(),
+        )
+    }
+
+    fn into_bytes(self) -> Vec<u8> {
+        self.to_bytes().into_owned()
+    }
+
+    fn from_bytes(bytes: Cow<[u8]>) -> Self {
+        let (a_bytes, b_bytes) = bytes.as_ref().split_at(Principal::MAX_LENGTH_IN_BYTES);
+        let a = Principal::from_slice(a_bytes);
+        let b = Principal::from_slice(b_bytes);
+        Self(a, b)
+    }
+
+    const BOUND: Bound = Bound::Bounded {
+        max_size: 2 * Principal::MAX_LENGTH_IN_BYTES as u32,
+        is_fixed_size: false,
+    };
+}
+
+impl DirectChatId {
+    pub fn new(participants: (Principal, Principal)) -> Self {
+        let (a, b) = participants;
+        let (a, b) = if a < b { (a, b) } else { (b, a) };
+        Self(a, b)
+    }
+}
+
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct GroupChatMetadata {
+    pub chat_id: GroupChatId,
+    pub creation_timestamp: Time,
+}
+
+storable_unbounded!(GroupChatMetadata);
+
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct GroupChatId(pub u64);
+
+storable_delegate!(GroupChatId, u64);
+
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct SymmetricKeyEpochCache(pub Vec<u8>);
+
+storable_unbounded!(SymmetricKeyEpochCache);
+
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct Time(pub u64);
+
+storable_delegate!(Time, u64);
+
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct VetKeyEpochMetadata {
+    pub epoch_id: VetKeyEpochId,
+    pub participants: Vec<Principal>,
+    pub creation_timestamp: Time,
+    pub symmetric_key_rotation_duration: Time,
+}
+
+storable_unbounded!(VetKeyEpochMetadata);
+
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub enum ChatId {
+    Direct(DirectChatId),
+    Group(GroupChatId),
+}
+
+impl ChatId {
+    pub const MIN_VALUE: Self = Self::Direct(DirectChatId(
+        Principal::management_canister(),
+        Principal::management_canister(),
+    ));
+}
+
+impl Storable for ChatId {
+    fn to_bytes(&self) -> Cow<'_, [u8]> {
+        let result = match self {
+            ChatId::Direct(id) => [0].iter().chain(id.to_bytes().iter()).cloned().collect(),
+            ChatId::Group(id) => [1].iter().chain(id.to_bytes().iter()).cloned().collect(),
+        };
+
+        Cow::Owned(result)
+    }
+
+    fn into_bytes(self) -> Vec<u8> {
+        self.to_bytes().into_owned()
+    }
+
+    fn from_bytes(bytes: Cow<[u8]>) -> Self {
+        match bytes.as_ref() {
+            [0, ..] => ChatId::Direct(DirectChatId::from_bytes(Cow::Borrowed(
+                &bytes.as_ref()[1..],
+            ))),
+            [1, ..] => ChatId::Group(GroupChatId::from_bytes(Cow::Borrowed(&bytes.as_ref()[1..]))),
+            _ => panic!("invalid chat id"),
+        }
+    }
+
+    const BOUND: Bound = Bound::Bounded {
+        max_size: 1 + 2 * Principal::MAX_LENGTH_IN_BYTES as u32,
+        is_fixed_size: false,
+    };
+}
+
+/// Per-sender, user-assigned message id.
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct SenderMessageId(pub u64);
+
+storable_delegate!(SenderMessageId, u64);
+
+/// Chat message id is assigned to each message in the chat sequentially.
+/// The IDs are assigned from an incrementing counter for a chat for all users.
+/// This is useful because user's messages can arrive out of order (which makes user's IDs unreliable) or arrive many at the same consensus time.
+/// Therefore, it's important to be able to provide convenient pagination of chat messages, s.t. a user can retrieve a longer chat history iteratively.
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct ChatMessageId(pub u64);
+
+storable_delegate!(ChatMessageId, u64);
+
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct Sender(pub Principal);
+
+storable_delegate!(Sender, Principal);
+
+#[derive(
+    CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
+)]
+pub struct VetKeyEpochId(pub u64);
+
+storable_delegate!(VetKeyEpochId, u64);
+
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct IbeEncryptedVetKey(pub serde_bytes::ByteBuf);
+
+impl Storable for IbeEncryptedVetKey {
+    fn to_bytes(&self) -> Cow<'_, [u8]> {
+        Cow::Borrowed(self.0.as_slice())
+    }
+
+    fn into_bytes(self) -> Vec<u8> {
+        self.0.into_vec()
+    }
+
+    fn from_bytes(bytes: Cow<[u8]>) -> Self {
+        Self(serde_bytes::ByteBuf::from(bytes.into_owned()))
+    }
+
+    const BOUND: Bound = Bound::Unbounded;
+}
+
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct GroupModification {
+    pub add_participants: Vec<Principal>,
+    pub remove_participants: Vec<Principal>,
+}
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
new file mode 100644
index 00000000..2fdcd924
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -0,0 +1,1160 @@
+use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
+use ic_vetkeys_example_encrypted_chat_backend::types::{
+    ChatId, ChatMessageId, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
+    SenderMessageId, SymmetricKeyEpochCache, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
+};
+use pocket_ic::{PocketIc, PocketIcBuilder};
+use rand::{CryptoRng, Rng, SeedableRng};
+use rand_chacha::ChaCha20Rng;
+use serde_bytes::ByteBuf;
+use std::path::Path;
+
+const NANOSECONDS_IN_MINUTE: u64 = 60_000_000_000;
+
+#[test]
+fn can_create_chat() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let p0_self_chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_0)));
+    let p0_p1_chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    for p in [env.principal_0, env.principal_1] {
+        assert_eq!(
+            env.query::<Vec<ChatId>>(p, "get_my_chat_ids", encode_args(()).unwrap()),
+            vec![]
+        );
+    }
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_0, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_ids: Vec<ChatId> =
+        env.query(env.principal_0, "get_my_chat_ids", encode_args(()).unwrap());
+    assert_eq!(chat_ids, vec![p0_self_chat_id]);
+
+    assert_eq!(
+        env.query::<Vec<ChatId>>(env.principal_1, "get_my_chat_ids", encode_args(()).unwrap()),
+        vec![]
+    );
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    assert_eq!(
+        env.query::<Vec<ChatId>>(env.principal_1, "get_my_chat_ids", encode_args(()).unwrap()),
+        vec![p0_p1_chat_id]
+    );
+
+    let chat_ids: Vec<ChatId> =
+        env.query(env.principal_0, "get_my_chat_ids", encode_args(()).unwrap());
+    for chat_id in vec![p0_self_chat_id, p0_p1_chat_id] {
+        assert!(chat_ids.contains(&chat_id));
+    }
+    assert_eq!(chat_ids.len(), 2);
+}
+
+#[test]
+fn fails_to_create_chat_with_same_participants_more_than_once() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_0, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    for _ in 0..3 {
+        assert_eq!(
+            env.update::<Result<Time, String>>(
+                env.principal_0,
+                "create_direct_chat",
+                encode_args((env.principal_0, Time(1_000), Time(10_000))).unwrap(),
+            ),
+            Err(format!(
+                "Chat {:?} already exists",
+                ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_0)))
+            ))
+        );
+    }
+}
+
+#[test]
+fn can_send_and_get_messages() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let message_content = b"dummy encrypted message".to_vec();
+
+    let mut message_id_counters =
+        std::collections::BTreeMap::from([(env.principal_0, 0), (env.principal_1, 0)]);
+
+    let mut expected_chat_history = vec![];
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    for caller in [env.principal_0, env.principal_1].iter().copied() {
+        assert_eq!(
+            env.update::<Vec<EncryptedMessage>>(
+                caller,
+                "get_some_messages_for_chat_starting_from",
+                encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
+            ),
+            vec![]
+        );
+    }
+
+    for _ in 0..10 {
+        for sender in [env.principal_0, env.principal_1].iter().copied() {
+            let message_id_raw = *message_id_counters.get(&sender).unwrap();
+            message_id_counters.insert(sender, message_id_raw + 1);
+
+            let user_message = UserMessage {
+                content: message_content.clone(),
+                vetkey_epoch: VetKeyEpochId(0),
+                symmetric_key_epoch: SymmetricKeyEpochId(0),
+                message_id: SenderMessageId(message_id_raw),
+            };
+
+            // + 1 is because the update call calls `tick` internally
+            let expected_message_time = env.pic.get_time().as_nanos_since_unix_epoch() + 1;
+
+            let message_time = env
+                .update::<Result<Time, String>>(
+                    sender,
+                    "send_direct_message",
+                    encode_args((
+                        user_message,
+                        if sender == env.principal_0 {
+                            env.principal_1
+                        } else {
+                            env.principal_0
+                        },
+                    ))
+                    .unwrap(),
+                )
+                .unwrap();
+
+            let expected_added_chat_message = EncryptedMessage {
+                content: message_content.clone(),
+                metadata: EncryptedMessageMetadata {
+                    sender,
+                    timestamp: message_time,
+                    vetkey_epoch: VetKeyEpochId(0),
+                    symmetric_key_epoch: SymmetricKeyEpochId(0),
+                    chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
+                },
+            };
+
+            expected_chat_history.push(expected_added_chat_message);
+
+            for caller in [env.principal_0, env.principal_1].iter().copied() {
+                assert_eq!(
+                    env.update::<Vec<EncryptedMessage>>(
+                        caller,
+                        "get_some_messages_for_chat_starting_from",
+                        encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
+                    ),
+                    expected_chat_history
+                );
+            }
+
+            assert_eq!(message_time.0, expected_message_time);
+        }
+    }
+}
+
+#[test]
+fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let symmetric_key_rotation_minutes = Time(1_000);
+    let chat_message_expiration_minutes = Time(10_000);
+
+    let chat_creation_time = env
+        .update::<Result<Time, String>>(
+            env.principal_0,
+            "create_direct_chat",
+            encode_args((
+                env.principal_1,
+                symmetric_key_rotation_minutes,
+                chat_message_expiration_minutes,
+            ))
+            .unwrap(),
+        )
+        .unwrap();
+
+    let message_content = b"dummy encrypted message".to_vec();
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    // check that epoch 1 fails while we have epoch 0
+    for i in 0..2 {
+        for sender in [env.principal_0, env.principal_1].iter().copied() {
+            let symmetric_key_epoch = SymmetricKeyEpochId(1);
+            let user_message = UserMessage {
+                content: message_content.clone(),
+                vetkey_epoch: VetKeyEpochId(0),
+                symmetric_key_epoch,
+                message_id: SenderMessageId(0),
+            };
+
+            let result = env.update::<Result<Time, String>>(
+                sender,
+                "send_direct_message",
+                encode_args((
+                    user_message,
+                    if sender == env.principal_0 {
+                        env.principal_1
+                    } else {
+                        env.principal_0
+                    },
+                ))
+                .unwrap(),
+            );
+
+            assert_eq!(
+                result,
+                Err(
+                    format!(
+                        "Wrong symmetric key epoch {} is not yet active, current time is {} and epoch start is {}",
+                        symmetric_key_epoch.0,
+                        env.pic.get_time().as_nanos_since_unix_epoch(),
+                        chat_creation_time.0 + symmetric_key_epoch.0 * symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                    )
+                )
+            );
+        }
+
+        // set time to 2 ns before the change to epoch 1
+        if i == 0 {
+            env.pic
+                .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
+                    chat_creation_time.0 + symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                        - 2,
+                ));
+        }
+    }
+
+    // check that epoch 0 and 2 fails while we have epoch 1
+    for i in 0..2 {
+        for sender in [env.principal_0, env.principal_1].iter().copied() {
+            // use epoch 0
+            {
+                let symmetric_key_epoch = SymmetricKeyEpochId(0);
+                let user_message = UserMessage {
+                    content: message_content.clone(),
+                    vetkey_epoch: VetKeyEpochId(0),
+                    symmetric_key_epoch,
+                    message_id: SenderMessageId(0),
+                };
+
+                let result = env.update::<Result<Time, String>>(
+                    sender,
+                    "send_direct_message",
+                    encode_args((
+                        user_message,
+                        if sender == env.principal_0 {
+                            env.principal_1
+                        } else {
+                            env.principal_0
+                        },
+                    ))
+                    .unwrap(),
+                );
+
+                assert_eq!(
+                result,
+                Err(
+                    format!(
+                        "Wrong symmetric key epoch: epoch {} is expired, current time is {} and epoch end is {}",
+                        symmetric_key_epoch.0,
+                        env.pic.get_time().as_nanos_since_unix_epoch(),
+                        chat_creation_time.0 + symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                    )
+                )
+            );
+            }
+
+            // use epoch 2
+            {
+                let symmetric_key_epoch = SymmetricKeyEpochId(2);
+                let user_message = UserMessage {
+                    content: message_content.clone(),
+                    vetkey_epoch: VetKeyEpochId(0),
+                    symmetric_key_epoch,
+                    message_id: SenderMessageId(0),
+                };
+
+                let result = env.update::<Result<Time, String>>(
+                    sender,
+                    "send_direct_message",
+                    encode_args((
+                        user_message,
+                        if sender == env.principal_0 {
+                            env.principal_1
+                        } else {
+                            env.principal_0
+                        },
+                    ))
+                    .unwrap(),
+                );
+
+                assert_eq!(
+                result,
+                Err(
+                    format!(
+                        "Wrong symmetric key epoch {} is not yet active, current time is {} and epoch start is {}",
+                        symmetric_key_epoch.0,
+                        env.pic.get_time().as_nanos_since_unix_epoch(),
+                        chat_creation_time.0 + symmetric_key_epoch.0 * symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                    )
+                )
+            );
+            }
+        }
+
+        // set time to 4 ns before the change to epoch 2
+        if i == 0 {
+            env.pic
+                .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
+                    chat_creation_time.0
+                        + 2 * symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                        - 4,
+                ));
+        }
+    }
+
+    // sanity check that no messages were added
+    for caller in [env.principal_0, env.principal_1].iter().copied() {
+        assert_eq!(
+            env.update::<Vec<EncryptedMessage>>(
+                caller,
+                "get_some_messages_for_chat_starting_from",
+                encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
+            ),
+            vec![]
+        );
+    }
+}
+
+#[test]
+fn can_get_vetkey_for_chat() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    // DON'T REUSE THE SAME TRANSPORT KEYS IN PRODUCTION
+    let transport_key = ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
+
+    let mut raw_encrypted_vetkeys = std::collections::BTreeMap::new();
+
+    for latest_epoch in 0..3 {
+        for caller in [env.principal_0, env.principal_1] {
+            for epoch in 0..=latest_epoch {
+                for vetkey_epoch_id in [Option::<VetKeyEpochId>::None, Some(VetKeyEpochId(epoch))] {
+                    if vetkey_epoch_id.is_none() && epoch != latest_epoch {
+                        continue;
+                    }
+
+                    let raw_encrypted_vetkey = env
+                        .update::<Result<serde_bytes::ByteBuf, String>>(
+                            caller,
+                            "derive_vetkey",
+                            encode_args((
+                                chat_id,
+                                vetkey_epoch_id,
+                                ByteBuf::from(transport_key.public_key()),
+                            ))
+                            .unwrap(),
+                        )
+                        .unwrap()
+                        .into_vec();
+                    let opt_evicted =
+                        raw_encrypted_vetkeys.insert(epoch, raw_encrypted_vetkey.clone());
+                    if let Some(evicted) = opt_evicted {
+                        assert_eq!(evicted, raw_encrypted_vetkey, "epoch: {epoch}, latest_epoch: {latest_epoch}, vetkey_epoch_id: {vetkey_epoch_id:?}");
+                    }
+                }
+            }
+        }
+
+        let new_epoch = env
+            .update::<Result<VetKeyEpochId, String>>(
+                env.principal_0,
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(new_epoch, VetKeyEpochId(latest_epoch + 1));
+    }
+
+    for (epoch, raw_encrypted_vetkey) in raw_encrypted_vetkeys.into_iter() {
+        let raw_public_key = env
+            .update::<serde_bytes::ByteBuf>(
+                env.principal_0,
+                "public_key",
+                encode_args((chat_id, VetKeyEpochId(epoch))).unwrap(),
+            )
+            .into_vec();
+
+        let public_key =
+            ic_vetkeys::DerivedPublicKey::deserialize(raw_public_key.as_slice()).unwrap();
+
+        let _vetkey = ic_vetkeys::EncryptedVetKey::deserialize(&raw_encrypted_vetkey)
+            .unwrap()
+            .decrypt_and_verify(&transport_key, &public_key, &[])
+            .unwrap();
+    }
+}
+
+#[test]
+fn public_keys_for_different_chats_and_epochs_are_different() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let chat_id_0 = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+    let chat_id_1 = ChatId::Direct(DirectChatId::new((env.principal_1, env.principal_2)));
+
+    // we can get public key for any chats, also non-existing ones
+    let raw_public_key_00 = env
+        .update::<serde_bytes::ByteBuf>(
+            env.principal_0,
+            "public_key",
+            encode_args((chat_id_0, VetKeyEpochId(0))).unwrap(),
+        )
+        .into_vec();
+
+    let raw_public_key_01 = env
+        .update::<serde_bytes::ByteBuf>(
+            env.principal_0,
+            "public_key",
+            encode_args((chat_id_0, VetKeyEpochId(1))).unwrap(),
+        )
+        .into_vec();
+
+    let raw_public_key_10 = env
+        .update::<serde_bytes::ByteBuf>(
+            env.principal_0,
+            "public_key",
+            encode_args((chat_id_1, VetKeyEpochId(0))).unwrap(),
+        )
+        .into_vec();
+
+    assert_ne!(raw_public_key_00, raw_public_key_01);
+    assert_ne!(raw_public_key_00, raw_public_key_10);
+}
+
+#[test]
+fn fails_to_get_vetkey_for_chat_if_unauthorized() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let transport_key = ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
+        env.principal_2,
+        "derive_vetkey",
+        encode_args((
+            chat_id,
+            Option::<VetKeyEpochId>::None,
+            ByteBuf::from(transport_key.public_key()),
+        ))
+        .unwrap(),
+    );
+
+    assert_eq!(
+        result,
+        Err(format!(
+            "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+            env.principal_2,
+            VetKeyEpochId(0)
+        ))
+    );
+}
+
+#[test]
+fn fails_to_send_messages_with_wrong_vetkey_epoch() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let symmetric_key_rotation_minutes = Time(1_000);
+    let chat_message_expiration_minutes = Time(10_000);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((
+            env.principal_1,
+            symmetric_key_rotation_minutes,
+            chat_message_expiration_minutes,
+        ))
+        .unwrap(),
+    )
+    .unwrap();
+
+    let message_content = b"dummy encrypted message".to_vec();
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    // Start with using epoch 1 before it's been rotated to (should fail)
+    for latest_epoch in 0..3 {
+        for sender in [env.principal_0, env.principal_1].iter().copied() {
+            let user_message = UserMessage {
+                content: message_content.clone(),
+                vetkey_epoch: VetKeyEpochId(latest_epoch + 1),
+                symmetric_key_epoch: SymmetricKeyEpochId(0),
+                message_id: SenderMessageId(0),
+            };
+
+            let result = env.update::<Result<Time, String>>(
+                sender,
+                "send_direct_message",
+                encode_args((
+                    user_message,
+                    if sender == env.principal_0 {
+                        env.principal_1
+                    } else {
+                        env.principal_0
+                    },
+                ))
+                .unwrap(),
+            );
+
+            assert_eq!(
+                result,
+                Err(format!(
+                    "vetKey epoch {:?} not found for chat {chat_id:?}",
+                    VetKeyEpochId(latest_epoch + 1)
+                ))
+            );
+        }
+
+        // Rotate to next epoch
+        let new_epoch = env
+            .update::<Result<VetKeyEpochId, String>>(
+                env.principal_0,
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(new_epoch, VetKeyEpochId(latest_epoch + 1));
+    }
+
+    // sanity check that no messages were added
+    for caller in [env.principal_0, env.principal_1].iter().copied() {
+        assert_eq!(
+            env.update::<Vec<EncryptedMessage>>(
+                caller,
+                "get_some_messages_for_chat_starting_from",
+                encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
+            ),
+            vec![]
+        );
+    }
+}
+
+#[test]
+fn fails_to_derive_vetkey_with_wrong_vetkey_epoch() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let transport_key = ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    // Use epoch 1 before it's been rotated to
+    for latest_epoch in 0..3 {
+        for caller in [env.principal_0, env.principal_1] {
+            let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
+                caller,
+                "derive_vetkey",
+                encode_args((
+                    chat_id,
+                    Some(VetKeyEpochId(latest_epoch + 1)),
+                    ByteBuf::from(transport_key.public_key()),
+                ))
+                .unwrap(),
+            );
+
+            assert_eq!(
+                result,
+                Err(format!(
+                    "vetKey epoch {:?} not found for chat {chat_id:?}",
+                    VetKeyEpochId(latest_epoch + 1)
+                ))
+            );
+        }
+
+        // Rotate to next epoch
+        let new_epoch = env
+            .update::<Result<VetKeyEpochId, String>>(
+                env.principal_0,
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(new_epoch, VetKeyEpochId(latest_epoch + 1));
+    }
+}
+
+#[test]
+fn can_rotate_chat_vetkey() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    // Initially, epoch 0 should be the latest (we can verify this by trying to use epoch 1)
+    let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
+        env.principal_0,
+        "derive_vetkey",
+        encode_args((
+            chat_id,
+            Some(VetKeyEpochId(1)),
+            ByteBuf::from(vec![0u8; 32]), // dummy transport key
+        ))
+        .unwrap(),
+    );
+    assert!(result.is_err()); // Should fail because epoch 1 doesn't exist yet
+
+    // Rotate to epoch 1
+    let new_epoch = env
+        .update::<Result<VetKeyEpochId, String>>(
+            env.principal_0,
+            "rotate_chat_vetkey",
+            encode_args((chat_id,)).unwrap(),
+        )
+        .unwrap();
+    assert_eq!(new_epoch, VetKeyEpochId(1));
+
+    // Rotate to epoch 2
+    let new_epoch = env
+        .update::<Result<VetKeyEpochId, String>>(
+            env.principal_0,
+            "rotate_chat_vetkey",
+            encode_args((chat_id,)).unwrap(),
+        )
+        .unwrap();
+    assert_eq!(new_epoch, VetKeyEpochId(2));
+
+    // Both participants should be able to rotate
+    let new_epoch = env
+        .update::<Result<VetKeyEpochId, String>>(
+            env.principal_1,
+            "rotate_chat_vetkey",
+            encode_args((chat_id,)).unwrap(),
+        )
+        .unwrap();
+    assert_eq!(new_epoch, VetKeyEpochId(3));
+}
+
+#[test]
+fn unauthorized_user_cannot_rotate_chat_vetkey() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    let result = env.update::<Result<VetKeyEpochId, String>>(
+        env.principal_2,
+        "rotate_chat_vetkey",
+        encode_args((chat_id,)).unwrap(),
+    );
+
+    assert_eq!(
+        result,
+        Err(format!(
+            "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+            env.principal_2,
+            VetKeyEpochId(0)
+        ))
+    );
+}
+
+#[test]
+fn can_update_and_get_symmetric_key_cache() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+    let cache_data = b"dummy symmetric key cache".to_vec();
+    let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+
+    // Initially, cache should be empty for both participants
+    for caller in [env.principal_0, env.principal_1] {
+        assert_eq!(
+            env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                caller,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            ),
+            Ok(None)
+        );
+    }
+
+    // Authorized user can create cache
+    for caller in [env.principal_0, env.principal_1] {
+        let result = env.update::<Result<(), String>>(
+            caller,
+            "update_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+        );
+        assert_eq!(result, Ok(()));
+    }
+
+    // Authorized user can retrieve their cache
+    for caller in [env.principal_0, env.principal_1] {
+        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            caller,
+            "get_my_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+        assert_eq!(result, Ok(Some(user_cache.clone())));
+    }
+
+    // Authorized user can update their cache
+    let updated_cache_data = b"updated symmetric key cache".to_vec();
+    let updated_user_cache = SymmetricKeyEpochCache(updated_cache_data.clone());
+
+    for caller in [env.principal_0, env.principal_1] {
+        let result = env.update::<Result<(), String>>(
+            caller,
+            "update_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0), updated_user_cache.clone())).unwrap(),
+        );
+        assert_eq!(result, Ok(()));
+    }
+
+    // Verify the cache was updated
+    for caller in [env.principal_0, env.principal_1] {
+        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            caller,
+            "get_my_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+        assert_eq!(result, Ok(Some(updated_user_cache.clone())));
+    }
+}
+
+#[test]
+fn unauthorized_user_cannot_access_symmetric_key_cache() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+    let cache_data = b"dummy symmetric key cache".to_vec();
+    let user_cache = SymmetricKeyEpochCache(cache_data);
+
+    // Unauthorized user cannot update cache
+    let result = env.update::<Result<(), String>>(
+        env.principal_2,
+        "update_symmetric_key_cache",
+        encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+    );
+    assert_eq!(
+        result,
+        Err(format!(
+            "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+            env.principal_2,
+            VetKeyEpochId(0)
+        ))
+    );
+
+    // Unauthorized user cannot get cache
+    let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+        env.principal_2,
+        "get_my_symmetric_key_cache",
+        encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+    );
+    assert_eq!(
+        result,
+        Err(format!(
+            "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+            env.principal_2,
+            VetKeyEpochId(0)
+        ))
+    );
+}
+
+#[test]
+fn cannot_access_cache_after_vetkey_epoch_expires() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let expiry_setting_minutes = 10_000;
+
+    let chat_creation_time = env
+        .update::<Result<Time, String>>(
+            env.principal_0,
+            "create_direct_chat",
+            encode_args((env.principal_1, Time(1_000), Time(expiry_setting_minutes))).unwrap(),
+        )
+        .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+    let cache_data = b"dummy symmetric key cache".to_vec();
+    let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+
+    // Create cache for epoch 0
+    for caller in [env.principal_0, env.principal_1] {
+        env.update::<Result<(), String>>(
+            caller,
+            "update_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+        )
+        .unwrap();
+    }
+
+    let expiry_time = chat_creation_time.0 + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
+    // Fast forward time to expire epoch 0
+    env.pic
+        .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
+
+    // Neither authorized nor unauthorized users can access expired epoch cache
+    for caller in [env.principal_0, env.principal_1] {
+        // Cannot update cache for expired epoch
+        let result = env.update::<Result<(), String>>(
+            caller,
+            "update_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+        );
+        assert_eq!(
+            result,
+            Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(0),))
+        );
+
+        // Cannot get cache for expired epoch
+        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            caller,
+            "get_my_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+        assert_eq!(
+            result,
+            Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(0),))
+        );
+    }
+}
+
+#[test]
+fn cannot_derive_vetkey_after_cache_exists() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+    let cache_data = b"dummy symmetric key cache".to_vec();
+    let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+
+    // DON'T REUSE THE SAME TRANSPORT KEYS IN PRODUCTION
+    let transport_key = ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
+
+    for caller in [env.principal_0, env.principal_1] {
+        // Create cache
+        env.update::<Result<(), String>>(
+            caller,
+            "update_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+        )
+        .unwrap();
+
+        // Now derive_vetkey should fail
+        let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
+            caller,
+            "derive_vetkey",
+            encode_args((
+                chat_id,
+                Option::<VetKeyEpochId>::None,
+                ByteBuf::from(transport_key.public_key()),
+            ))
+            .unwrap(),
+        );
+        assert_eq!(
+            result,
+            Err(format!(
+                "User {} already has a cached key for chat {chat_id:?} at vetkey epoch {:?}",
+                caller,
+                VetKeyEpochId(0)
+            ))
+        );
+    }
+}
+
+#[test]
+fn cache_is_separate_for_different_epochs() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+    let user_cache_0 = SymmetricKeyEpochCache(b"cache for epoch 0".to_vec());
+    let user_cache_1 = SymmetricKeyEpochCache(b"cache for epoch 1".to_vec());
+
+    for caller in [env.principal_0, env.principal_1] {
+        // Create cache for epoch 0
+        env.update::<Result<(), String>>(
+            caller,
+            "update_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0), user_cache_0.clone())).unwrap(),
+        )
+        .unwrap();
+
+        // Verify cache exists for epoch 0
+        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            caller,
+            "get_my_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+        assert_eq!(result, Ok(Some(user_cache_0.clone())));
+
+        // Verify no cache exists for epoch 1
+        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            caller,
+            "get_my_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+        );
+        assert_eq!(
+            result,
+            Err(format!(
+                "vetKey epoch {:?} not found for chat {chat_id:?}",
+                VetKeyEpochId(1)
+            ))
+        );
+    }
+
+    // Rotate to epoch 1
+    let new_epoch = env
+        .update::<Result<VetKeyEpochId, String>>(
+            env.principal_0,
+            "rotate_chat_vetkey",
+            encode_args((chat_id,)).unwrap(),
+        )
+        .unwrap();
+    assert_eq!(new_epoch, VetKeyEpochId(1));
+
+    for caller in [env.principal_0, env.principal_1] {
+        // Create cache for epoch 1
+        env.update::<Result<(), String>>(
+            caller,
+            "update_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(1), user_cache_1.clone())).unwrap(),
+        )
+        .unwrap();
+
+        // Verify cache still exists for epoch 0
+        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            caller,
+            "get_my_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+        assert_eq!(result, Ok(Some(user_cache_0.clone())));
+
+        // Verify cache exists for epoch 1
+        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            caller,
+            "get_my_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+        );
+        assert_eq!(result, Ok(Some(user_cache_1.clone())));
+    }
+}
+
+fn reproducible_rng() -> ChaCha20Rng {
+    let mut seed = [0u8; 32];
+    rand::rng().fill(&mut seed);
+    let rng = ChaCha20Rng::from_seed(seed);
+    println!("{seed:?}");
+    rng
+}
+
+fn random_self_authenticating_principal<R: Rng + CryptoRng>(rng: &mut R) -> Principal {
+    let fake_pk = random_bytes(32, rng);
+    Principal::self_authenticating(&fake_pk)
+}
+
+fn random_bytes<R: Rng + CryptoRng>(size: usize, rng: &mut R) -> Vec<u8> {
+    let mut buf = vec![0; size];
+    rng.fill_bytes(&mut buf);
+    buf
+}
+
+struct TestEnvironment {
+    pic: PocketIc,
+    canister_id: Principal,
+    principal_0: Principal,
+    principal_1: Principal,
+    principal_2: Principal,
+}
+
+impl TestEnvironment {
+    fn new<R: Rng + CryptoRng>(rng: &mut R) -> Self {
+        let pic = PocketIcBuilder::new()
+            .with_application_subnet()
+            .with_ii_subnet()
+            .with_fiduciary_subnet()
+            .with_nonmainnet_features(true)
+            .build();
+
+        let canister_id = pic.create_canister();
+        pic.add_cycles(canister_id, 2_000_000_000_000);
+
+        let wasm_bytes = load_canister_wasm();
+        pic.install_canister(
+            canister_id,
+            wasm_bytes,
+            encode_one("dfx_test_key").unwrap(),
+            None,
+        );
+
+        // Make sure the canister is properly initialized
+        fast_forward(&pic, 5);
+
+        Self {
+            pic,
+            canister_id,
+            principal_0: random_self_authenticating_principal(rng),
+            principal_1: random_self_authenticating_principal(rng),
+            principal_2: random_self_authenticating_principal(rng),
+        }
+    }
+
+    fn update<T: CandidType + for<'de> candid::Deserialize<'de>>(
+        &self,
+        caller: Principal,
+        method_name: &str,
+        args: Vec<u8>,
+    ) -> T {
+        let reply = self
+            .pic
+            .update_call(self.canister_id, caller, method_name, args);
+        match reply {
+            Ok(data) => decode_one(&data).expect("failed to decode reply"),
+            Err(user_error) => panic!("canister returned a user error: {user_error}"),
+        }
+    }
+
+    fn query<T: CandidType + for<'de> candid::Deserialize<'de>>(
+        &self,
+        caller: Principal,
+        method_name: &str,
+        args: Vec<u8>,
+    ) -> T {
+        let reply = self
+            .pic
+            .query_call(self.canister_id, caller, method_name, args);
+        match reply {
+            Ok(data) => decode_one(&data).expect("failed to decode reply"),
+            Err(user_error) => panic!("canister returned a user error: {user_error}"),
+        }
+    }
+}
+
+fn fast_forward(ic: &PocketIc, ticks: u64) {
+    for _ in 0..ticks - 1 {
+        ic.tick();
+    }
+}
+
+fn load_canister_wasm() -> Vec<u8> {
+    let wasm_path_string = match std::env::var("CUSTOM_WASM_PATH") {
+        Ok(path) if !path.is_empty() => path,
+        _ => format!(
+            "{}/examples/encrypted_chat/rust/target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm",
+            git_root_dir()
+        ),
+    };
+    let wasm_path = Path::new(&wasm_path_string);
+    std::fs::read(wasm_path)
+        .expect("wasm does not exist - run `cargo build --release --target wasm32-unknown-unknown`")
+}
+
+pub fn git_root_dir() -> String {
+    let output = std::process::Command::new("git")
+        .args(["rev-parse", "--show-toplevel"])
+        .output()
+        .expect("Failed to execute git command");
+    assert!(output.status.success());
+    let root_dir_with_newline =
+        String::from_utf8(output.stdout).expect("Failed to convert stdout to string");
+    root_dir_with_newline.trim_end_matches('\n').to_string()
+}
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
new file mode 100644
index 00000000..71fb3f98
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -0,0 +1,1427 @@
+use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
+use ic_vetkeys_example_encrypted_chat_backend::types::{
+    ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata, GroupChatId,
+    GroupChatMetadata, GroupModification, SenderMessageId, SymmetricKeyEpochCache,
+    SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId, VetKeyEpochMetadata,
+};
+use pocket_ic::{PocketIc, PocketIcBuilder};
+use rand::{CryptoRng, Rng, SeedableRng};
+use rand_chacha::ChaCha20Rng;
+use serde_bytes::ByteBuf;
+use std::path::Path;
+
+const NANOSECONDS_IN_MINUTE: u64 = 60_000_000_000;
+
+#[test]
+fn can_create_chat() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let mut expected_chat_id = 0;
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let result = env.update::<Result<GroupChatMetadata, String>>(
+            env.principal_0,
+            "create_group_chat",
+            encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+        );
+
+        assert_eq!(
+            result,
+            Ok(GroupChatMetadata {
+                chat_id: GroupChatId(expected_chat_id),
+                creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
+            })
+        );
+
+        expected_chat_id += 1;
+    }
+}
+
+#[test]
+fn can_send_and_get_messages() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let all_participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let message_content = b"dummy encrypted message".to_vec();
+
+        let mut message_id_counters = std::collections::BTreeMap::from([
+            (env.principal_0, 0),
+            (env.principal_1, 0),
+            (env.principal_2, 0),
+        ]);
+
+        let mut expected_chat_history = vec![];
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+
+        for caller in all_participants.iter().copied() {
+            assert_eq!(
+                env.update::<Vec<EncryptedMessage>>(
+                    caller,
+                    "get_some_messages_for_chat_starting_from",
+                    encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
+                ),
+                vec![]
+            );
+        }
+
+        for _ in 0..10 {
+            for sender in all_participants.iter().copied() {
+                let message_id_raw = *message_id_counters.get(&sender).unwrap();
+                message_id_counters.insert(sender, message_id_raw + 1);
+
+                let user_message = UserMessage {
+                    content: message_content.clone(),
+                    vetkey_epoch: VetKeyEpochId(0),
+                    symmetric_key_epoch: SymmetricKeyEpochId(0),
+                    message_id: SenderMessageId(message_id_raw),
+                };
+
+                // + 1 is because the update call calls `tick` internally
+                let expected_message_time = env.pic.get_time().as_nanos_since_unix_epoch() + 1;
+
+                let message_time = env
+                    .update::<Result<Time, String>>(
+                        sender,
+                        "send_group_message",
+                        encode_args((user_message, group_chat_metadata.chat_id)).unwrap(),
+                    )
+                    .unwrap();
+
+                let expected_added_chat_message = EncryptedMessage {
+                    content: message_content.clone(),
+                    metadata: EncryptedMessageMetadata {
+                        sender,
+                        timestamp: message_time,
+                        vetkey_epoch: VetKeyEpochId(0),
+                        symmetric_key_epoch: SymmetricKeyEpochId(0),
+                        chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
+                    },
+                };
+
+                expected_chat_history.push(expected_added_chat_message);
+
+                for caller in all_participants.iter().copied() {
+                    assert_eq!(
+                        env.update::<Vec<EncryptedMessage>>(
+                            caller,
+                            "get_some_messages_for_chat_starting_from",
+                            encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
+                        ),
+                        expected_chat_history
+                    );
+                }
+
+                assert_eq!(message_time.0, expected_message_time);
+            }
+        }
+    }
+}
+
+#[test]
+fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let symmetric_key_rotation_minutes = Time(1_000);
+    let chat_message_expiration_minutes = Time(10_000);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let all_participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((
+                    other_participants,
+                    symmetric_key_rotation_minutes,
+                    chat_message_expiration_minutes,
+                ))
+                .unwrap(),
+            )
+            .unwrap();
+
+        let message_content = b"dummy encrypted message".to_vec();
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+
+        // check that epoch 1 fails while we have epoch 0
+        for i in 0..2 {
+            for sender in all_participants.iter().copied() {
+                let symmetric_key_epoch = SymmetricKeyEpochId(1);
+                let user_message = UserMessage {
+                    content: message_content.clone(),
+                    vetkey_epoch: VetKeyEpochId(0),
+                    symmetric_key_epoch,
+                    message_id: SenderMessageId(0),
+                };
+
+                let result = env.update::<Result<Time, String>>(
+                    sender,
+                    "send_group_message",
+                    encode_args((user_message, group_chat_metadata.chat_id)).unwrap(),
+                );
+
+                assert_eq!(
+                result,
+                Err(
+                    format!(
+                        "Wrong symmetric key epoch {} is not yet active, current time is {} and epoch start is {}",
+                        symmetric_key_epoch.0,
+                        env.pic.get_time().as_nanos_since_unix_epoch(),
+                        group_chat_metadata.creation_timestamp.0 + symmetric_key_epoch.0 * symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                    )
+                )
+            );
+            }
+
+            // set time to `all_participants.len()` ns before the change to epoch 1
+            if i == 0 {
+                env.pic
+                    .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
+                        group_chat_metadata.creation_timestamp.0
+                            + symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                            - all_participants.len() as u64,
+                    ));
+            }
+        }
+
+        // check that epoch 0 and 2 fails while we have epoch 1
+        for i in 0..2 {
+            for sender in all_participants.iter().copied() {
+                // use epoch 0
+                {
+                    let symmetric_key_epoch = SymmetricKeyEpochId(0);
+                    let user_message = UserMessage {
+                        content: message_content.clone(),
+                        vetkey_epoch: VetKeyEpochId(0),
+                        symmetric_key_epoch,
+                        message_id: SenderMessageId(0),
+                    };
+
+                    let result = env.update::<Result<Time, String>>(
+                        sender,
+                        "send_group_message",
+                        encode_args((user_message, group_chat_metadata.chat_id)).unwrap(),
+                    );
+
+                    assert_eq!(
+                result,
+                Err(
+                    format!(
+                        "Wrong symmetric key epoch: epoch {} is expired, current time is {} and epoch end is {}",
+                        symmetric_key_epoch.0,
+                        env.pic.get_time().as_nanos_since_unix_epoch(),
+                        group_chat_metadata.creation_timestamp.0 + symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                    )
+                )
+            );
+                }
+
+                // use epoch 2
+                {
+                    let symmetric_key_epoch = SymmetricKeyEpochId(2);
+                    let user_message = UserMessage {
+                        content: message_content.clone(),
+                        vetkey_epoch: VetKeyEpochId(0),
+                        symmetric_key_epoch,
+                        message_id: SenderMessageId(0),
+                    };
+
+                    let result = env.update::<Result<Time, String>>(
+                        sender,
+                        "send_group_message",
+                        encode_args((user_message, group_chat_metadata.chat_id)).unwrap(),
+                    );
+
+                    assert_eq!(
+                result,
+                Err(
+                    format!(
+                        "Wrong symmetric key epoch {} is not yet active, current time is {} and epoch start is {}",
+                        symmetric_key_epoch.0,
+                        env.pic.get_time().as_nanos_since_unix_epoch(),
+                        group_chat_metadata.creation_timestamp.0 + symmetric_key_epoch.0 * symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                    )
+                )
+            );
+                }
+            }
+
+            // set time to `2 * all_participants.len()` ns before the change to epoch 2
+            if i == 0 {
+                env.pic
+                    .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
+                        group_chat_metadata.creation_timestamp.0
+                            + 2 * symmetric_key_rotation_minutes.0 * NANOSECONDS_IN_MINUTE
+                            - 2 * all_participants.len() as u64,
+                    ));
+            }
+        }
+
+        // sanity check that no messages were added
+        for caller in all_participants.iter().copied() {
+            assert_eq!(
+                env.update::<Vec<EncryptedMessage>>(
+                    caller,
+                    "get_some_messages_for_chat_starting_from",
+                    encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
+                ),
+                vec![]
+            );
+        }
+    }
+}
+
+#[test]
+fn can_get_vetkey_for_chat() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        // DON'T REUSE THE SAME TRANSPORT KEYS IN PRODUCTION
+        let transport_key =
+            ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
+
+        let mut raw_encrypted_vetkeys = std::collections::BTreeMap::new();
+
+        for latest_epoch in 0..3 {
+            for caller in participants.iter().copied() {
+                for epoch in 0..=latest_epoch {
+                    for vetkey_epoch_id in
+                        [Option::<VetKeyEpochId>::None, Some(VetKeyEpochId(epoch))]
+                    {
+                        if vetkey_epoch_id.is_none() && epoch != latest_epoch {
+                            continue;
+                        }
+
+                        let raw_encrypted_vetkey = env
+                            .update::<Result<serde_bytes::ByteBuf, String>>(
+                                caller,
+                                "derive_vetkey",
+                                encode_args((
+                                    chat_id,
+                                    vetkey_epoch_id,
+                                    ByteBuf::from(transport_key.public_key()),
+                                ))
+                                .unwrap(),
+                            )
+                            .unwrap()
+                            .into_vec();
+                        let opt_evicted =
+                            raw_encrypted_vetkeys.insert(epoch, raw_encrypted_vetkey.clone());
+                        if let Some(evicted) = opt_evicted {
+                            assert_eq!(evicted, raw_encrypted_vetkey, "epoch: {epoch}, latest_epoch: {latest_epoch}, vetkey_epoch_id: {vetkey_epoch_id:?}");
+                        }
+                    }
+                }
+            }
+
+            let new_epoch = env
+                .update::<Result<VetKeyEpochId, String>>(
+                    env.principal_0,
+                    "rotate_chat_vetkey",
+                    encode_args((chat_id,)).unwrap(),
+                )
+                .unwrap();
+            assert_eq!(new_epoch, VetKeyEpochId(latest_epoch + 1));
+        }
+
+        for (epoch, raw_encrypted_vetkey) in raw_encrypted_vetkeys.into_iter() {
+            let raw_public_key = env
+                .update::<serde_bytes::ByteBuf>(
+                    env.principal_0,
+                    "public_key",
+                    encode_args((chat_id, VetKeyEpochId(epoch))).unwrap(),
+                )
+                .into_vec();
+
+            let public_key =
+                ic_vetkeys::DerivedPublicKey::deserialize(raw_public_key.as_slice()).unwrap();
+
+            let _vetkey = ic_vetkeys::EncryptedVetKey::deserialize(&raw_encrypted_vetkey)
+                .unwrap()
+                .decrypt_and_verify(&transport_key, &public_key, &[])
+                .unwrap();
+        }
+    }
+}
+
+#[test]
+fn public_keys_for_different_chats_and_epochs_are_different() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let chat_id_0 = ChatId::Group(GroupChatId(0));
+    let chat_id_1 = ChatId::Group(GroupChatId(1));
+
+    // we can get public key for any chats, also non-existing ones
+    let raw_public_key_00 = env
+        .update::<serde_bytes::ByteBuf>(
+            env.principal_0,
+            "public_key",
+            encode_args((chat_id_0, VetKeyEpochId(0))).unwrap(),
+        )
+        .into_vec();
+
+    let raw_public_key_01 = env
+        .update::<serde_bytes::ByteBuf>(
+            env.principal_0,
+            "public_key",
+            encode_args((chat_id_0, VetKeyEpochId(1))).unwrap(),
+        )
+        .into_vec();
+
+    let raw_public_key_10 = env
+        .update::<serde_bytes::ByteBuf>(
+            env.principal_0,
+            "public_key",
+            encode_args((chat_id_1, VetKeyEpochId(0))).unwrap(),
+        )
+        .into_vec();
+
+    assert_ne!(raw_public_key_00, raw_public_key_01);
+    assert_ne!(raw_public_key_00, raw_public_key_10);
+}
+
+#[test]
+fn fails_to_get_vetkey_for_chat_if_unauthorized() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let transport_key = ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
+
+    for (other_participants, unauthorized_participants) in [
+        (vec![], vec![env.principal_1, env.principal_2]),
+        (vec![env.principal_1], vec![env.principal_2]),
+    ] {
+        env.update::<Result<GroupChatMetadata, String>>(
+            env.principal_0,
+            "create_group_chat",
+            encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+        )
+        .unwrap();
+
+        let chat_id = ChatId::Group(GroupChatId(0));
+
+        for unauthorized_participant in unauthorized_participants {
+            let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
+                unauthorized_participant,
+                "derive_vetkey",
+                encode_args((
+                    chat_id,
+                    Option::<VetKeyEpochId>::None,
+                    ByteBuf::from(transport_key.public_key()),
+                ))
+                .unwrap(),
+            );
+
+            assert_eq!(
+                result,
+                Err(format!(
+                    "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+                    unauthorized_participant,
+                    VetKeyEpochId(0)
+                ))
+            );
+        }
+    }
+}
+
+#[test]
+fn fails_to_send_group_chat_message_with_wrong_vetkey_epoch() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+
+        let message_content = b"dummy encrypted message".to_vec();
+
+        // Start with using epoch 1 before it's been rotated to (should fail)
+        for latest_epoch in 0..3 {
+            for sender in participants.iter().copied() {
+                let user_message = UserMessage {
+                    content: message_content.clone(),
+                    vetkey_epoch: VetKeyEpochId(latest_epoch + 1),
+                    symmetric_key_epoch: SymmetricKeyEpochId(0),
+                    message_id: SenderMessageId(0),
+                };
+
+                let result = env.update::<Result<Time, String>>(
+                    sender,
+                    "send_group_message",
+                    encode_args((user_message, group_chat_metadata.chat_id)).unwrap(),
+                );
+
+                assert_eq!(
+                    result,
+                    Err(format!(
+                        "vetKey epoch {:?} not found for chat {chat_id:?}",
+                        VetKeyEpochId(latest_epoch + 1)
+                    ))
+                );
+            }
+
+            // Rotate to next epoch
+            let new_epoch = env
+                .update::<Result<VetKeyEpochId, String>>(
+                    env.principal_0,
+                    "rotate_chat_vetkey",
+                    encode_args((chat_id,)).unwrap(),
+                )
+                .unwrap();
+            assert_eq!(new_epoch, VetKeyEpochId(latest_epoch + 1));
+        }
+
+        // sanity check that no messages were added
+        for caller in participants.iter().copied() {
+            assert_eq!(
+                env.update::<Vec<EncryptedMessage>>(
+                    caller,
+                    "get_some_messages_for_chat_starting_from",
+                    encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
+                ),
+                vec![]
+            );
+        }
+    }
+}
+
+#[test]
+fn fails_to_derive_vetkey_with_wrong_vetkey_epoch() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let transport_key = ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+
+        // Use epoch 1 before it's been rotated to
+        for latest_epoch in 0..3 {
+            for caller in participants.iter().copied() {
+                let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
+                    caller,
+                    "derive_vetkey",
+                    encode_args((
+                        chat_id,
+                        Some(VetKeyEpochId(latest_epoch + 1)),
+                        ByteBuf::from(transport_key.public_key()),
+                    ))
+                    .unwrap(),
+                );
+
+                assert_eq!(
+                    result,
+                    Err(format!(
+                        "vetKey epoch {:?} not found for chat {chat_id:?}",
+                        VetKeyEpochId(latest_epoch + 1)
+                    ))
+                );
+            }
+
+            // Rotate to next epoch
+            let new_epoch = env
+                .update::<Result<VetKeyEpochId, String>>(
+                    env.principal_0,
+                    "rotate_chat_vetkey",
+                    encode_args((chat_id,)).unwrap(),
+                )
+                .unwrap();
+            assert_eq!(new_epoch, VetKeyEpochId(latest_epoch + 1));
+        }
+    }
+}
+
+#[test]
+fn can_rotate_chat_vetkey() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+
+        // Initially, epoch 0 should be the latest (we can verify this by trying to use epoch 1)
+        let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
+            env.principal_0,
+            "derive_vetkey",
+            encode_args((
+                chat_id,
+                Some(VetKeyEpochId(1)),
+                ByteBuf::from(vec![0u8; 32]), // dummy transport key
+            ))
+            .unwrap(),
+        );
+        assert!(result.is_err()); // Should fail because epoch 1 doesn't exist yet
+
+        // Rotate to epoch 1
+        let new_epoch = env
+            .update::<Result<VetKeyEpochId, String>>(
+                env.principal_0,
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(new_epoch, VetKeyEpochId(1));
+
+        // All participants should be able to rotate
+        for (i, participant) in participants.iter().copied().enumerate() {
+            let new_epoch = env
+                .update::<Result<VetKeyEpochId, String>>(
+                    participant,
+                    "rotate_chat_vetkey",
+                    encode_args((chat_id,)).unwrap(),
+                )
+                .unwrap();
+            // The epoch should increment for each rotation
+            assert_eq!(new_epoch, VetKeyEpochId(i as u64 + 2));
+        }
+    }
+}
+
+#[test]
+fn unauthorized_user_cannot_rotate_chat_vetkey() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for (other_participants, unauthorized_participants) in [
+        (vec![], vec![env.principal_1, env.principal_2]),
+        (vec![env.principal_1], vec![env.principal_2]),
+    ] {
+        env.update::<Result<GroupChatMetadata, String>>(
+            env.principal_0,
+            "create_group_chat",
+            encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+        )
+        .unwrap();
+
+        let chat_id = ChatId::Group(GroupChatId(0));
+
+        for unauthorized_participant in unauthorized_participants {
+            let result = env.update::<Result<VetKeyEpochId, String>>(
+                unauthorized_participant,
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            );
+
+            assert_eq!(
+                result,
+                Err(format!(
+                    "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+                    unauthorized_participant,
+                    VetKeyEpochId(0)
+                ))
+            );
+        }
+    }
+}
+
+#[test]
+fn can_update_and_get_symmetric_key_cache() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let cache_data = b"dummy symmetric key cache".to_vec();
+        let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+
+        // Initially, cache should be empty for all participants
+        for caller in participants.iter().copied() {
+            assert_eq!(
+                env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                    caller,
+                    "get_my_symmetric_key_cache",
+                    encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+                ),
+                Ok(None)
+            );
+        }
+
+        // Authorized user can create cache
+        for caller in participants.iter().copied() {
+            let result = env.update::<Result<(), String>>(
+                caller,
+                "update_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+            );
+            assert_eq!(result, Ok(()));
+        }
+
+        // Authorized user can retrieve their cache
+        for caller in participants.iter().copied() {
+            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                caller,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+            assert_eq!(result, Ok(Some(user_cache.clone())));
+        }
+
+        // Authorized user can update their cache
+        let updated_cache_data = b"updated symmetric key cache".to_vec();
+        let updated_user_cache = SymmetricKeyEpochCache(updated_cache_data.clone());
+
+        for caller in participants.iter().copied() {
+            let result = env.update::<Result<(), String>>(
+                caller,
+                "update_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0), updated_user_cache.clone())).unwrap(),
+            );
+            assert_eq!(result, Ok(()));
+        }
+
+        // Verify the cache was updated
+        for caller in participants.iter().copied() {
+            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                caller,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+            assert_eq!(result, Ok(Some(updated_user_cache.clone())));
+        }
+    }
+}
+
+#[test]
+fn unauthorized_user_cannot_access_symmetric_key_cache() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for (other_participants, unauthorized_participants) in [
+        (vec![], vec![env.principal_1, env.principal_2]),
+        (vec![env.principal_1], vec![env.principal_2]),
+    ] {
+        env.update::<Result<GroupChatMetadata, String>>(
+            env.principal_0,
+            "create_group_chat",
+            encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+        )
+        .unwrap();
+
+        let chat_id = ChatId::Group(GroupChatId(0));
+        let cache_data = b"dummy symmetric key cache".to_vec();
+        let user_cache = SymmetricKeyEpochCache(cache_data);
+
+        for unauthorized_participant in unauthorized_participants {
+            // Unauthorized user cannot update cache
+            let result = env.update::<Result<(), String>>(
+                unauthorized_participant,
+                "update_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+            );
+            assert_eq!(
+                result,
+                Err(format!(
+                    "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+                    unauthorized_participant,
+                    VetKeyEpochId(0)
+                ))
+            );
+
+            // Unauthorized user cannot get cache
+            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                unauthorized_participant,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+            assert_eq!(
+                result,
+                Err(format!(
+                    "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+                    unauthorized_participant,
+                    VetKeyEpochId(0)
+                ))
+            );
+        }
+    }
+}
+
+#[test]
+fn cannot_access_cache_after_vetkey_epoch_expires() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants.clone(), Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let cache_data = b"dummy symmetric key cache".to_vec();
+        let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+
+        // Create cache for epoch 0
+        for caller in participants.iter().copied() {
+            env.update::<Result<(), String>>(
+                caller,
+                "update_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+            )
+            .unwrap();
+        }
+
+        // Rotate to epoch 1
+        let new_epoch = env
+            .update::<Result<VetKeyEpochId, String>>(
+                env.principal_0,
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(new_epoch, VetKeyEpochId(1));
+
+        let expiry_setting_minutes = 10_000;
+        let expiry_time = group_chat_metadata.creation_timestamp.0
+            + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
+        // Fast forward time to expire epoch 0
+        env.pic
+            .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
+
+        // Neither authorized nor unauthorized users can access expired epoch cache
+        for caller in [env.principal_0, env.principal_1, env.principal_2]
+            .into_iter()
+            .filter(|p| *p == env.principal_0 || other_participants.contains(&p))
+        {
+            // Cannot update cache for expired epoch
+            let result = env.update::<Result<(), String>>(
+                caller,
+                "update_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+            );
+            assert_eq!(
+                result,
+                Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(0),))
+            );
+
+            // Cannot get cache for expired epoch
+            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                caller,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+            assert_eq!(
+                result,
+                Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(0),))
+            );
+        }
+    }
+}
+
+#[test]
+fn cannot_derive_vetkey_after_cache_exists() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let cache_data = b"dummy symmetric key cache".to_vec();
+        let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+
+        // DON'T REUSE THE SAME TRANSPORT KEYS IN PRODUCTION
+        let transport_key =
+            ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
+
+        for caller in participants.iter().copied() {
+            // Create cache
+            env.update::<Result<(), String>>(
+                caller,
+                "update_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+            )
+            .unwrap();
+
+            // Now derive_vetkey should fail
+            let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
+                caller,
+                "derive_vetkey",
+                encode_args((
+                    chat_id,
+                    Option::<VetKeyEpochId>::None,
+                    ByteBuf::from(transport_key.public_key()),
+                ))
+                .unwrap(),
+            );
+            assert_eq!(
+                result,
+                Err(format!(
+                    "User {} already has a cached key for chat {chat_id:?} at vetkey epoch {:?}",
+                    caller,
+                    VetKeyEpochId(0)
+                ))
+            );
+        }
+    }
+}
+
+#[test]
+fn cache_is_separate_for_different_epochs() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![],
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let user_cache_0 = SymmetricKeyEpochCache(b"cache for epoch 0".to_vec());
+        let user_cache_1 = SymmetricKeyEpochCache(b"cache for epoch 1".to_vec());
+
+        for caller in participants.iter().copied() {
+            // Create cache for epoch 0
+            env.update::<Result<(), String>>(
+                caller,
+                "update_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0), user_cache_0.clone())).unwrap(),
+            )
+            .unwrap();
+
+            // Verify cache exists for epoch 0
+            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                caller,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+            assert_eq!(result, Ok(Some(user_cache_0.clone())));
+
+            // Verify no cache exists for epoch 1
+            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                caller,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+            );
+            assert_eq!(
+                result,
+                Err(format!(
+                    "vetKey epoch {:?} not found for chat {chat_id:?}",
+                    VetKeyEpochId(1),
+                ))
+            );
+        }
+
+        // Rotate to epoch 1
+        let new_epoch = env
+            .update::<Result<VetKeyEpochId, String>>(
+                env.principal_0,
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(new_epoch, VetKeyEpochId(1));
+
+        for caller in participants.iter().copied() {
+            // Create cache for epoch 1
+            env.update::<Result<(), String>>(
+                caller,
+                "update_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(1), user_cache_1.clone())).unwrap(),
+            )
+            .unwrap();
+
+            // Verify cache still exists for epoch 0
+            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                caller,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+            assert_eq!(result, Ok(Some(user_cache_0.clone())));
+
+            // Verify cache exists for epoch 1
+            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                caller,
+                "get_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+            );
+            assert_eq!(result, Ok(Some(user_cache_1.clone())));
+        }
+    }
+}
+
+#[test]
+fn modify_chat_participants() {
+    let sorted_principals = |mut principals: Vec<Principal>| {
+        principals.sort();
+        principals
+    };
+
+    let mut rng = reproducible_rng();
+
+    let env = TestEnvironment::new(&mut rng);
+    let principal_0 = env.principal_0;
+    let principal_1 = env.principal_1;
+    let principal_2 = env.principal_2;
+    let principal_3 = random_self_authenticating_principal(&mut rng);
+    let principal_4 = random_self_authenticating_principal(&mut rng);
+
+    let symmetric_key_rotation_duration_minutes = Time(1_000);
+    let symmetric_key_rotation_duration =
+        Time(NANOSECONDS_IN_MINUTE * symmetric_key_rotation_duration_minutes.0);
+
+    let group_metadata = env
+        .update::<Result<GroupChatMetadata, String>>(
+            principal_0,
+            "create_group_chat",
+            encode_args((
+                vec![principal_1],
+                symmetric_key_rotation_duration_minutes,
+                Time(10_000),
+            ))
+            .unwrap(),
+        )
+        .unwrap();
+
+    let chat_id = ChatId::Group(group_metadata.chat_id);
+
+    {
+        let group_metadata = env
+            .query::<Result<VetKeyEpochMetadata, String>>(
+                principal_0,
+                "get_latest_chat_vetkey_epoch_metadata",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(
+            group_metadata,
+            VetKeyEpochMetadata {
+                epoch_id: VetKeyEpochId(0),
+                participants: sorted_principals(vec![principal_0, principal_1]),
+                creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
+                symmetric_key_rotation_duration,
+            }
+        );
+    }
+
+    let add_participants = vec![principal_2, principal_3];
+    let remove_participants: Vec<Principal> = vec![];
+    let result = env.update::<Result<VetKeyEpochId, String>>(
+        principal_0,
+        "modify_group_chat_participants",
+        encode_args((
+            group_metadata.chat_id,
+            GroupModification {
+                add_participants: add_participants.clone(),
+                remove_participants: remove_participants.clone(),
+            },
+        ))
+        .unwrap(),
+    );
+    assert_eq!(result, Ok(VetKeyEpochId(1)));
+    {
+        let group_metadata = env
+            .query::<Result<VetKeyEpochMetadata, String>>(
+                principal_0,
+                "get_latest_chat_vetkey_epoch_metadata",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(
+            group_metadata,
+            VetKeyEpochMetadata {
+                epoch_id: VetKeyEpochId(1),
+                participants: sorted_principals(vec![
+                    principal_0,
+                    principal_1,
+                    principal_2,
+                    principal_3
+                ]),
+                creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
+                symmetric_key_rotation_duration,
+            }
+        );
+    }
+
+    let add_participants: Vec<Principal> = vec![];
+    let remove_participants = vec![principal_1, principal_2];
+    let result = env.update::<Result<VetKeyEpochId, String>>(
+        principal_0,
+        "modify_group_chat_participants",
+        encode_args((
+            group_metadata.chat_id,
+            GroupModification {
+                add_participants: add_participants.clone(),
+                remove_participants: remove_participants.clone(),
+            },
+        ))
+        .unwrap(),
+    );
+    assert_eq!(result, Ok(VetKeyEpochId(2)));
+    {
+        let group_metadata = env
+            .query::<Result<VetKeyEpochMetadata, String>>(
+                principal_0,
+                "get_latest_chat_vetkey_epoch_metadata",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(
+            group_metadata,
+            VetKeyEpochMetadata {
+                epoch_id: VetKeyEpochId(2),
+                participants: sorted_principals(vec![principal_0, principal_3]),
+                creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
+                symmetric_key_rotation_duration,
+            }
+        );
+    }
+
+    let add_participants: Vec<Principal> = vec![principal_1, principal_2];
+    let remove_participants = vec![principal_3];
+    let result = env.update::<Result<VetKeyEpochId, String>>(
+        principal_0,
+        "modify_group_chat_participants",
+        encode_args((
+            group_metadata.chat_id,
+            GroupModification {
+                add_participants: add_participants.clone(),
+                remove_participants: remove_participants.clone(),
+            },
+        ))
+        .unwrap(),
+    );
+    assert_eq!(result, Ok(VetKeyEpochId(3)));
+    {
+        let group_metadata = env
+            .query::<Result<VetKeyEpochMetadata, String>>(
+                principal_0,
+                "get_latest_chat_vetkey_epoch_metadata",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(
+            group_metadata,
+            VetKeyEpochMetadata {
+                epoch_id: VetKeyEpochId(3),
+                participants: sorted_principals(vec![principal_0, principal_1, principal_2]),
+                creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
+                symmetric_key_rotation_duration,
+            }
+        );
+    }
+
+    // 2. Unauthorized user (principal_4, not a member) tries to add principal_4
+    let add_participants = vec![principal_4];
+    let remove_participants: Vec<Principal> = vec![];
+    let result = env.update::<Result<VetKeyEpochId, String>>(
+        principal_4,
+        "modify_group_chat_participants",
+        encode_args((
+            group_metadata.chat_id,
+            GroupModification {
+                add_participants: add_participants.clone(),
+                remove_participants: remove_participants.clone(),
+            },
+        ))
+        .unwrap(),
+    );
+    assert_eq!(
+        result,
+        Err(format!(
+            "User {principal_4} does not have access to chat {:?} at epoch {:?}",
+            chat_id,
+            VetKeyEpochId(3)
+        ))
+    );
+
+    // 2b. Unauthorized user (principal_4) tries to remove principal_0
+    let add_participants: Vec<Principal> = vec![];
+    let remove_participants = vec![principal_0];
+    let result = env.update::<Result<VetKeyEpochId, String>>(
+        principal_4,
+        "modify_group_chat_participants",
+        encode_args((
+            group_metadata.chat_id,
+            GroupModification {
+                add_participants,
+                remove_participants,
+            },
+        ))
+        .unwrap(),
+    );
+    assert_eq!(
+        result,
+        Err(format!(
+            "User {principal_4} does not have access to chat {:?} at epoch {:?}",
+            chat_id,
+            VetKeyEpochId(3)
+        ))
+    );
+}
+
+fn reproducible_rng() -> ChaCha20Rng {
+    let mut seed = [0u8; 32];
+    rand::rng().fill(&mut seed);
+    let rng = ChaCha20Rng::from_seed(seed);
+    println!("{seed:?}");
+    rng
+}
+
+fn random_self_authenticating_principal<R: Rng + CryptoRng>(rng: &mut R) -> Principal {
+    let fake_pk = random_bytes(32, rng);
+    Principal::self_authenticating(&fake_pk)
+}
+
+fn random_bytes<R: Rng + CryptoRng>(size: usize, rng: &mut R) -> Vec<u8> {
+    let mut buf = vec![0; size];
+    rng.fill_bytes(&mut buf);
+    buf
+}
+
+struct TestEnvironment {
+    pic: PocketIc,
+    canister_id: Principal,
+    principal_0: Principal,
+    principal_1: Principal,
+    principal_2: Principal,
+}
+
+impl TestEnvironment {
+    fn new<R: Rng + CryptoRng>(rng: &mut R) -> Self {
+        let pic = PocketIcBuilder::new()
+            .with_application_subnet()
+            .with_ii_subnet()
+            .with_fiduciary_subnet()
+            .with_nonmainnet_features(true)
+            .build();
+
+        let canister_id = pic.create_canister();
+        pic.add_cycles(canister_id, 2_000_000_000_000);
+
+        let wasm_bytes = load_canister_wasm();
+        pic.install_canister(
+            canister_id,
+            wasm_bytes,
+            encode_one("dfx_test_key").unwrap(),
+            None,
+        );
+
+        // Make sure the canister is properly initialized
+        fast_forward(&pic, 5);
+
+        Self {
+            pic,
+            canister_id,
+            principal_0: random_self_authenticating_principal(rng),
+            principal_1: random_self_authenticating_principal(rng),
+            principal_2: random_self_authenticating_principal(rng),
+        }
+    }
+
+    fn update<T: CandidType + for<'de> candid::Deserialize<'de>>(
+        &self,
+        caller: Principal,
+        method_name: &str,
+        args: Vec<u8>,
+    ) -> T {
+        let reply = self
+            .pic
+            .update_call(self.canister_id, caller, method_name, args);
+        match reply {
+            Ok(data) => decode_one(&data).expect("failed to decode reply"),
+            Err(user_error) => panic!("canister returned a user error: {user_error}"),
+        }
+    }
+
+    fn query<T: CandidType + for<'de> candid::Deserialize<'de>>(
+        &self,
+        caller: Principal,
+        method_name: &str,
+        args: Vec<u8>,
+    ) -> T {
+        let reply = self
+            .pic
+            .query_call(self.canister_id, caller, method_name, args);
+        match reply {
+            Ok(data) => decode_one(&data).expect("failed to decode reply"),
+            Err(user_error) => panic!("canister returned a user error: {user_error}"),
+        }
+    }
+}
+
+fn fast_forward(ic: &PocketIc, ticks: u64) {
+    for _ in 0..ticks - 1 {
+        ic.tick();
+    }
+}
+
+fn load_canister_wasm() -> Vec<u8> {
+    let wasm_path_string = match std::env::var("CUSTOM_WASM_PATH") {
+        Ok(path) if !path.is_empty() => path,
+        _ => format!(
+            "{}/examples/encrypted_chat/rust/target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm",
+            git_root_dir()
+        ),
+    };
+    let wasm_path = Path::new(&wasm_path_string);
+    std::fs::read(wasm_path)
+        .expect("wasm does not exist - run `cargo build --release --target wasm32-unknown-unknown`")
+}
+
+pub fn git_root_dir() -> String {
+    let output = std::process::Command::new("git")
+        .args(["rev-parse", "--show-toplevel"])
+        .output()
+        .expect("Failed to execute git command");
+    assert!(output.status.success());
+    let root_dir_with_newline =
+        String::from_utf8(output.stdout).expect("Failed to convert stdout to string");
+    root_dir_with_newline.trim_end_matches('\n').to_string()
+}
diff --git a/examples/encrypted_chat/rust/backend/tests/misc.rs b/examples/encrypted_chat/rust/backend/tests/misc.rs
new file mode 100644
index 00000000..8c8c9d7e
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/tests/misc.rs
@@ -0,0 +1,22 @@
+use candid::Principal;
+use ic_vetkeys_example_encrypted_chat_backend::types::*;
+
+/// This test ensures that the minimum value of the ChatId enum is the direct chat with the management canister as both participants.
+#[test]
+fn test_chat_id_min_value() {
+    assert_eq!(
+        ChatId::MIN_VALUE,
+        ChatId::Direct(DirectChatId::new((
+            Principal::management_canister(),
+            Principal::management_canister(),
+        )))
+    );
+
+    assert!(ChatId::MIN_VALUE < ChatId::Group(GroupChatId(0)));
+
+    // modify this test if more enum variants are added
+    match ChatId::MIN_VALUE {
+        ChatId::Direct(_) => {}
+        ChatId::Group(_) => {}
+    };
+}
diff --git a/examples/encrypted_chat/rust/dfx.json b/examples/encrypted_chat/rust/dfx.json
new file mode 100644
index 00000000..a0f5953e
--- /dev/null
+++ b/examples/encrypted_chat/rust/dfx.json
@@ -0,0 +1,48 @@
+{
+    "canisters": {
+      "encrypted_chat": {
+        "candid": "backend/backend.did",
+        "type": "custom",
+        "init_arg": "(\"test_key_1\")",
+        "gzip": true,
+        "wasm": "target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm",
+        "build": [
+          "cd backend && cargo build --release --target wasm32-unknown-unknown && candid-extractor ../target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm > backend.did"
+        ],
+        "metadata": [
+          {
+            "name": "candid:service",
+            "visibility": "public"
+          }
+        ]
+      },
+      "internet-identity": {
+        "candid": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity.did",
+        "type": "custom",
+        "specified_id": "rdmx6-jaaaa-aaaaa-aaadq-cai",
+        "remote": {
+        "id": {
+            "ic": "rdmx6-jaaaa-aaaaa-aaadq-cai"
+          }
+        },
+        "wasm": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz"
+      },
+      "www": {
+        "dependencies": ["encrypted_chat", "internet-identity"],
+        "build": ["cd frontend && npm i --include=dev && npm run build && cd - && rm -r dist > /dev/null 2>&1; mv frontend/dist ./"],
+        "frontend": {
+          "entrypoint": "dist/index.html"
+        },
+        "gzip": true,
+        "source": ["dist/"],
+        "type": "assets",
+        "output_env_file": "frontend/.env"
+      }
+    },
+    "networks": {
+      "local": {
+        "bind": "localhost:8000",
+        "type": "ephemeral"
+      }
+    }
+  }
\ No newline at end of file
diff --git a/examples/encrypted_chat/rust/rust-toolchain.toml b/examples/encrypted_chat/rust/rust-toolchain.toml
new file mode 120000
index 00000000..4e9e6489
--- /dev/null
+++ b/examples/encrypted_chat/rust/rust-toolchain.toml
@@ -0,0 +1 @@
+../../../rust-toolchain.toml
\ No newline at end of file

From b09bbfce262a9303e8876807af4ba0b9bbf60113 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Fri, 1 Aug 2025 19:21:13 +0200
Subject: [PATCH 02/62] add workflow

---
 .github/workflows/examples-encrypted-chat.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/examples-encrypted-chat.yml

diff --git a/.github/workflows/examples-encrypted-chat.yml b/.github/workflows/examples-encrypted-chat.yml
new file mode 100644
index 00000000..536f48bd
--- /dev/null
+++ b/.github/workflows/examples-encrypted-chat.yml
@@ -0,0 +1,38 @@
+name: examples-encrypted-chat
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - examples/encrypted_chat/**
+      - .github/workflows/provision-darwin.sh
+      - .github/workflows/provision-linux.sh
+      - .github/workflows/examples-encrypted-chat.yml
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  examples-encrypted-chat-rust-darwin:
+    runs-on: macos-15
+    steps:
+      - uses: actions/checkout@v4
+      - name: Provision Darwin
+        run: |
+          bash .github/workflows/provision-darwin.sh
+      - name: Backend Tests Encrypted Chat Rust Darwin
+        run: |
+          set -eExuo pipefail
+          cd examples/encrypted_chat/rust/backend
+          cargo build --release --target wasm32-unknown-unknown && cargo test
+  examples-encrypted-chat-rust-linux:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Provision Linux
+        run: bash .github/workflows/provision-linux.sh
+      - name: Backend Tests Encrypted Chat Rust Linux
+        run: |
+          set -eExuo pipefail
+          cd examples/encrypted_chat/rust/backend
+          cargo build --release --target wasm32-unknown-unknown && cargo test

From 7bd200fb41d8f22e2ee270861cc6830546011d85 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Fri, 1 Aug 2025 19:32:37 +0200
Subject: [PATCH 03/62] candid

---
 .../encrypted_chat/rust/backend/backend.did   | 45 ++++++++++++++-----
 1 file changed, 34 insertions(+), 11 deletions(-)

diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index be7044ea..b474a133 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -2,31 +2,54 @@ type ChatId = variant {
   Group : nat64;
   Direct : record { principal; principal };
 };
+type EncryptedMessage = record {
+  content : blob;
+  metadata : EncryptedMessageMetadata;
+};
 type EncryptedMessageMetadata = record {
   vetkey_epoch : nat64;
   sender : principal;
   symmetric_key_epoch : nat64;
+  chat_message_id : nat64;
   timestamp : nat64;
 };
-type Result = variant { Ok; Err : text };
-type Result_1 = variant { Ok : blob; Err : text };
+type GroupChatMetadata = record { creation_timestamp : nat64; chat_id : nat64 };
+type GroupModification = record {
+  remove_participants : vec principal;
+  add_participants : vec principal;
+};
+type Result = variant { Ok : nat64; Err : text };
+type Result_1 = variant { Ok : GroupChatMetadata; Err : text };
+type Result_2 = variant { Ok : blob; Err : text };
+type Result_3 = variant { Ok : VetKeyEpochMetadata; Err : text };
+type Result_4 = variant { Ok : opt blob; Err : text };
+type Result_5 = variant { Ok; Err : text };
 type UserMessage = record {
   vetkey_epoch : nat64;
   content : blob;
   symmetric_key_epoch : nat64;
   message_id : nat64;
 };
+type VetKeyEpochMetadata = record {
+  symmetric_key_rotation_duration : nat64;
+  participants : vec principal;
+  creation_timestamp : nat64;
+  epoch_id : nat64;
+};
 service : (text) -> {
-  create_direct_chat : (principal, nat64) -> (Result);
-  create_group_chat : (vec principal, nat64) -> (Result);
-  derive_vetkey : (ChatId, opt nat64, blob) -> (Result_1);
-  get_all_messages : () -> (vec UserMessage) query;
-  get_messages : (ChatId, nat64) -> (vec UserMessage) query;
+  create_direct_chat : (principal, nat64, nat64) -> (Result);
+  create_group_chat : (vec principal, nat64, nat64) -> (Result_1);
+  derive_vetkey : (ChatId, opt nat64, blob) -> (Result_2);
+  get_latest_chat_vetkey_epoch_metadata : (ChatId) -> (Result_3) query;
   get_my_chat_ids : () -> (vec ChatId) query;
-  get_unread_inboxes : () -> (vec ChatId) query;
-  get_unread_message_metadata : (ChatId) -> (
-      vec EncryptedMessageMetadata,
+  get_my_symmetric_key_cache : (ChatId, nat64) -> (Result_4);
+  get_some_messages_for_chat_starting_from : (ChatId, nat64, opt nat32) -> (
+      vec EncryptedMessage,
     ) query;
+  modify_group_chat_participants : (nat64, GroupModification) -> (Result);
+  public_key : (ChatId, nat64) -> (blob);
+  rotate_chat_vetkey : (ChatId) -> (Result);
   send_direct_message : (UserMessage, principal) -> (Result);
-  send_group_message : (UserMessage, principal) -> (Result);
+  send_group_message : (UserMessage, nat64) -> (Result);
+  update_symmetric_key_cache : (ChatId, nat64, blob) -> (Result_5);
 }

From 9907e94c7bfc354d907dba38f8ce026bd46bbc74 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 5 Aug 2025 16:47:50 +0200
Subject: [PATCH 04/62] finish first draft of backend (some tests to be added)

---
 examples/encrypted_chat/rust/Cargo.lock       |  51 ++-
 .../encrypted_chat/rust/backend/Cargo.toml    |   9 +-
 .../encrypted_chat/rust/backend/src/lib.rs    | 388 ++++++++++++++++--
 .../encrypted_chat/rust/backend/src/types.rs  |   8 +-
 4 files changed, 402 insertions(+), 54 deletions(-)

diff --git a/examples/encrypted_chat/rust/Cargo.lock b/examples/encrypted_chat/rust/Cargo.lock
index 1f815cea..d3f754f5 100644
--- a/examples/encrypted_chat/rust/Cargo.lock
+++ b/examples/encrypted_chat/rust/Cargo.lock
@@ -161,9 +161,9 @@ checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
 
 [[package]]
 name = "candid"
-version = "0.10.14"
+version = "0.10.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f9d90f5a1426d0489283a0bd5da9ed406fb3e69597e0d823dcb88a1965bb58d2"
+checksum = "eaac522d18020d5fbc8320ecb12a9b13b2137ae31133da2d42fa256a825507c4"
 dependencies = [
  "anyhow",
  "binread",
@@ -184,9 +184,9 @@ dependencies = [
 
 [[package]]
 name = "candid_derive"
-version = "0.6.6"
+version = "0.10.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3de398570c386726e7a59d9887b68763c481477f9a043fb998a2e09d428df1a9"
+checksum = "8a1b4fddbd462182050989068d53604a91a3d0f117c3c8316c6818023df00add"
 dependencies = [
  "lazy_static",
  "proc-macro2",
@@ -633,6 +633,12 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "hex-literal"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bcaaec4551594c969335c98c903c1397853d4198408ea609190f420500f6be71"
+
 [[package]]
 name = "hkdf"
 version = "0.12.4"
@@ -817,6 +823,21 @@ dependencies = [
  "syn 2.0.104",
 ]
 
+[[package]]
+name = "ic-cdk-timers"
+version = "0.12.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ea87cf31444de833db85bbd15e97bc135ee14529b13158ffdaf6530bf6d7e85"
+dependencies = [
+ "candid",
+ "futures",
+ "ic-cdk",
+ "ic0",
+ "serde",
+ "serde_bytes",
+ "slotmap",
+]
+
 [[package]]
 name = "ic-certification"
 version = "3.0.3"
@@ -860,15 +881,6 @@ dependencies = [
  "serde_bytes",
 ]
 
-[[package]]
-name = "ic-stable-structures"
-version = "0.6.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d30d4cf17aff1024e13133897048bcba580e063c9000571ab766ca37e2996f4"
-dependencies = [
- "ic_principal",
-]
-
 [[package]]
 name = "ic-stable-structures"
 version = "0.7.0"
@@ -898,18 +910,18 @@ dependencies = [
 
 [[package]]
 name = "ic-vetkeys"
-version = "0.3.0"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d0fe4e1f361dea9b93841e428c00c6934eb5256ee9d35890db2fced4ac1a3c9"
+checksum = "89db8e638924d9e07dd8fa33dc5cfcdc69b7331bed7fcc72e2586f3956b12e58"
 dependencies = [
  "anyhow",
  "candid",
  "futures",
- "hex",
+ "hex-literal",
  "hkdf",
  "ic-cdk",
  "ic-cdk-macros",
- "ic-stable-structures 0.6.9",
+ "ic-stable-structures",
  "ic_bls12_381",
  "lazy_static",
  "pairing",
@@ -918,7 +930,6 @@ dependencies = [
  "serde",
  "serde_bytes",
  "serde_cbor",
- "serde_with",
  "sha2",
  "sha3",
  "strum 0.27.2",
@@ -934,8 +945,9 @@ dependencies = [
  "candid",
  "ic-cdk",
  "ic-cdk-macros",
+ "ic-cdk-timers",
  "ic-dummy-getrandom-for-wasm",
- "ic-stable-structures 0.7.0",
+ "ic-stable-structures",
  "ic-vetkeys",
  "pocket-ic",
  "rand 0.9.2",
@@ -944,6 +956,7 @@ dependencies = [
  "serde_bytes",
  "serde_cbor",
  "serde_with",
+ "sha2",
 ]
 
 [[package]]
diff --git a/examples/encrypted_chat/rust/backend/Cargo.toml b/examples/encrypted_chat/rust/backend/Cargo.toml
index ce056b7d..10ceb23f 100644
--- a/examples/encrypted_chat/rust/backend/Cargo.toml
+++ b/examples/encrypted_chat/rust/backend/Cargo.toml
@@ -14,18 +14,19 @@ crate-type = ["cdylib", "lib"]
 
 [dependencies]
 candid = "0.10.2"
-ic-cdk = "0.18.3"
-ic-cdk-macros = "0.18.3"
+ic-cdk = "0.18.5"
+ic-cdk-macros = "0.18.5"
 ic-dummy-getrandom-for-wasm = "0.1.0"
 ic-stable-structures = "0.7.0"
-ic-vetkeys = "0.3.0"
+ic-cdk-timers = "0.12.2"
+ic-vetkeys = "0.4.0"
 serde = "1.0.217"
 serde_bytes = "0.11.15"
 serde_cbor = "0.11.2"
 serde_with = "3.11.0"
+sha2 = "0.10.7"
 
 [dev-dependencies]
-ic-vetkeys = "0.3.0"
 pocket-ic = "9.0.2"
 rand_chacha = "0.9.0"
 rand = "0.9.2"
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 3119fdd9..3dda4e74 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -1,14 +1,13 @@
-// TODOs:
-// * cache vetKey API and eventually encrypted maps
-// * vetKey resharing (vetKey API + storage)
-// * removal of expired messages and cache: if a vetKey epoch expires, we need to remove all associated messages, cache, and resharings. This can be done by a timer job.
-
 use candid::Principal;
 use ic_cdk::management_canister::{VetKDCurve, VetKDDeriveKeyArgs, VetKDKeyId, VetKDPublicKeyArgs};
 use ic_stable_structures::memory_manager::{MemoryId, MemoryManager, VirtualMemory};
 use ic_stable_structures::{
     BTreeMap as StableBTreeMap, Cell as StableCell, DefaultMemoryImpl, Storable,
 };
+use ic_vetkeys::encrypted_maps::EncryptedMaps;
+use ic_vetkeys::types::AccessRights;
+use sha2::Digest;
+use std::borrow::Cow;
 use std::cell::RefCell;
 
 pub mod types;
@@ -18,6 +17,11 @@ type Memory = VirtualMemory<DefaultMemoryImpl>;
 
 const NANOSECONDS_IN_MINUTE: u64 = 60_000_000_000;
 
+pub static DOMAIN_SEPARATOR_VETKEY_ROTATION: &str = "vetkeys-example-encrypted-chat-rotation";
+pub static DOMAIN_SEPARATOR_USER_CACHE: &str = "vetkeys-example-encrypted-chat-user-cache";
+pub static DOMAIN_SEPARATOR_VETKEY_RESHARING: &str =
+    "vetkeys-example-encrypted-chat-vetkey-resharing";
+
 thread_local! {
     static MEMORY_MANAGER: RefCell<MemoryManager<DefaultMemoryImpl>> =
         RefCell::new(MemoryManager::init(DefaultMemoryImpl::default()));
@@ -50,11 +54,11 @@ thread_local! {
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(6))),
     ));
 
-    static EXPIRING_MESSAGES: RefCell<StableBTreeMap<Time, (ChatId, ChatMessageId), Memory>> = RefCell::new(StableBTreeMap::init(
+    static EXPIRING_MESSAGES: RefCell<StableBTreeMap<(Time, ChatId, ChatMessageId), (), Memory>> = RefCell::new(StableBTreeMap::init(
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(7))),
     ));
 
-    static EXPIRING_VETKEY_EPOCHS_CACHES: RefCell<StableBTreeMap<Time, (ChatId, Principal, VetKeyEpochId), Memory>> = RefCell::new(StableBTreeMap::init(
+    static EXPIRING_VETKEY_EPOCHS_CACHES: RefCell<StableBTreeMap<(Time, ChatId, Principal),  VetKeyEpochId, Memory>> = RefCell::new(StableBTreeMap::init(
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(8))),
     ));
 
@@ -62,25 +66,44 @@ thread_local! {
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(9))),
     ));
 
-    static USER_SYMMETRIC_KEY_CACHE: RefCell<StableBTreeMap<(ChatId, VetKeyEpochId, Principal), SymmetricKeyEpochCache, Memory>> = RefCell::new(StableBTreeMap::init(
-        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(10))),
-    ));
-
-    static RESHARED_VETKEYS: RefCell<StableBTreeMap<(ChatId, Principal,VetKeyEpochId), IbeEncryptedVetKey, Memory>> = RefCell::new(StableBTreeMap::init(
+    static RESHARED_VETKEYS: RefCell<StableBTreeMap<(ChatId, VetKeyEpochId, Principal), IbeEncryptedVetKey, Memory>> = RefCell::new(StableBTreeMap::init(
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(11))),
     ));
 
+    // Store symmetric key cache in encrypted maps. On a high level, store the cache in:
+    //
+    // map = ENCRYPTED_MAPS[(caller, "encrypted_chat_cache")]
+    // map[SHA256(chat_id || vetkey_epoch_id)] = cache
+    static ENCRYPTED_MAPS: RefCell<Option<EncryptedMaps<AccessRights>>> = const { RefCell::new(None) };
+
     static VETKD_KEY_NAME: RefCell<StableCell<String, Memory>> =
         RefCell::new(StableCell::init(MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(12))), String::new()));
 }
 
-pub static DOMAIN_SEPARATOR_VETKEY_ROTATION: &str = "vetkeys-example-encrypted-chat-ratchet";
-
 #[ic_cdk::init]
 fn init(key_name: String) {
     VETKD_KEY_NAME.with(|name| {
         name.borrow_mut().set(key_name);
     });
+
+    ENCRYPTED_MAPS.with_borrow_mut(|maps| {
+        let x = EncryptedMaps::init(
+            DOMAIN_SEPARATOR_USER_CACHE,
+            key_id(),
+            MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(13))),
+            MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(14))),
+            MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(15))),
+            MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(16))),
+        );
+        *maps = Some(x);
+    });
+
+    start_expired_cleanup_timer_job_with_interval(24 * 3600);
+}
+
+#[ic_cdk::post_upgrade]
+fn post_upgrade(key_name: String) {
+    init(key_name);
 }
 
 #[ic_cdk::update]
@@ -264,7 +287,7 @@ async fn derive_vetkey(
 
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
-    ensure_user_has_no_cached_key_for_vetkey_epoch(caller, chat_id, vetkey_epoch_id)?;
+    ensure_user_has_no_cached_key_for_chat_and_vetkey_epoch(caller, chat_id, vetkey_epoch_id)?;
 
     let request = VetKDDeriveKeyArgs {
         input: vec![],
@@ -319,7 +342,7 @@ fn rotate_chat_vetkey(chat_id: ChatId) -> Result<VetKeyEpochId, String> {
         let todo_remove = metadata.insert((chat_id, now), new_vetkey_epoch_metadata);
         assert!(todo_remove.is_none());
 
-        clean_up_expired_vetkey_epochs(metadata, chat_id, now);
+        clean_up_expired_vetkey_epochs(metadata, chat_id);
 
         new_vetkey_epoch_id
     });
@@ -371,6 +394,18 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
         messages.insert((direct_chat_id, chat_message_id), stored_message);
     });
 
+    let expiry_time = CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
+        expiry_settings
+            .get(&chat_id)
+            .expect("bug: uninitialized expiry setting")
+    });
+
+    EXPIRING_MESSAGES.with_borrow_mut(|expiring_messages| {
+        let todo_insert =
+            expiring_messages.insert((Time(now.0 + expiry_time.0), chat_id, chat_message_id), ());
+        assert!(todo_insert.is_none());
+    });
+
     Ok(now)
 }
 
@@ -420,6 +455,18 @@ fn send_group_message(
         messages.insert((group_chat_id, chat_message_id), stored_message);
     });
 
+    let expiry_time = CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
+        expiry_settings
+            .get(&chat_id)
+            .expect("bug: uninitialized expiry setting")
+    });
+
+    EXPIRING_MESSAGES.with_borrow_mut(|expiring_messages| {
+        let todo_insert =
+            expiring_messages.insert((Time(now.0 + expiry_time.0), chat_id, chat_message_id), ());
+        assert!(todo_insert.is_none());
+    });
+
     Ok(now)
 }
 
@@ -541,18 +588,38 @@ fn ensure_latest_and_correct_vetkey_and_symmetric_key_epoch(
 }
 
 #[ic_cdk::update]
-fn update_symmetric_key_cache(
+fn update_my_symmetric_key_cache(
     chat_id: ChatId,
     vetkey_epoch_id: VetKeyEpochId,
-    user_cache: SymmetricKeyEpochCache,
+    user_cache: SymmetricKeyEpochCache, // TODO encrypted
 ) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
     ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
+    ensure_payload_has_reasonable_size_for_key(&user_cache.0)?;
+
+    ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
+        let maps = opt_maps
+            .as_mut()
+            .expect("bug: encrypted maps should be initialized after canister initialization");
+        let _ = maps
+            .insert_encrypted_value(
+                caller,
+                map_id(caller),
+                map_key_id(chat_id, vetkey_epoch_id),
+                ic_vetkeys::types::ByteBuf::from(user_cache.to_bytes().into_owned()),
+            )
+            .expect("bug: failed to insert encrypted value");
+    });
 
-    USER_SYMMETRIC_KEY_CACHE.with_borrow_mut(|caches| {
-        caches.insert((chat_id, vetkey_epoch_id, caller), user_cache);
+    let now = Time(ic_cdk::api::time());
+    EXPIRING_VETKEY_EPOCHS_CACHES.with_borrow_mut(|caches| {
+        caches.insert((now, chat_id, caller), vetkey_epoch_id);
+    });
+
+    RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
+        let _ = reshared_vetkeys.remove(&(chat_id, vetkey_epoch_id, caller));
     });
 
     Ok(())
@@ -568,8 +635,118 @@ fn get_my_symmetric_key_cache(
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
     ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
 
-    Ok(USER_SYMMETRIC_KEY_CACHE
-        .with_borrow(|caches| caches.get(&(chat_id, vetkey_epoch_id, caller))))
+    ENCRYPTED_MAPS.with_borrow(|opt_maps| {
+        let maps = opt_maps
+            .as_ref()
+            .expect("bug: encrypted maps should be initialized after canister initialization");
+
+        maps.get_encrypted_value(caller, map_id(caller), map_key_id(chat_id, vetkey_epoch_id))
+            .map(|opt_cache| opt_cache.map(|cache| SymmetricKeyEpochCache(cache.into_bytes())))
+    })
+}
+
+#[ic_cdk::update]
+async fn get_encrypted_vetkey_for_my_cache_storage(
+    transport_key: serde_bytes::ByteBuf,
+) -> serde_bytes::ByteBuf {
+    let caller: Principal = ic_cdk::api::msg_caller();
+    let transport_key = ic_vetkeys::types::ByteBuf::from(transport_key.into_vec());
+
+    let encrypted_vetkey = ENCRYPTED_MAPS
+        .with_borrow(|opt_maps| {
+            opt_maps
+                .as_ref()
+                .expect("bug: encrypted maps should be initialized after canister initialization")
+                .get_encrypted_vetkey(caller, map_id(caller), transport_key)
+                .expect("bug: failed to get user's vetkey")
+        })
+        .await;
+
+    serde_bytes::ByteBuf::from(encrypted_vetkey.into_bytes())
+}
+
+#[ic_cdk::update]
+async fn get_vetkey_verification_key_for_my_cache_storage() -> serde_bytes::ByteBuf {
+    let verification_key = ENCRYPTED_MAPS
+        .with_borrow(|opt_maps| {
+            opt_maps
+                .as_ref()
+                .expect("bug: encrypted maps should be initialized after canister initialization")
+                .get_vetkey_verification_key()
+        })
+        .await;
+
+    serde_bytes::ByteBuf::from(verification_key.into_bytes())
+}
+
+#[ic_cdk::update]
+fn reshare_ibe_encrypted_vetkeys(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+    users_and_encrypted_vetkeys: Vec<(Principal, serde_bytes::ByteBuf)>,
+) -> Result<(), String> {
+    let caller = ic_cdk::api::msg_caller();
+    ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
+    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
+
+    users_and_encrypted_vetkeys.iter().map(|(user, _encrypted_vetkey)| {
+        ensure_user_has_access_to_chat_at_epoch(*user, chat_id, vetkey_epoch_id)?;
+        ensure_user_has_no_cached_key_for_chat_and_vetkey_epoch(*user, chat_id, vetkey_epoch_id)?;
+
+        RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
+        let resharing_exists =  reshared_vetkeys.get(&(chat_id, vetkey_epoch_id, *user)).is_some();
+        if resharing_exists{
+            Err(format!("User {user} already has a cached key for chat {chat_id:?} at vetkey epoch {vetkey_epoch_id:?}"))
+        }
+        else {
+            Ok(())
+        }
+    })
+    }).collect::<Result<Vec<_>, String>>()?;
+
+    for (user, encrypted_vetkey) in users_and_encrypted_vetkeys.into_iter() {
+        RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
+            let todo_remove_ = reshared_vetkeys.insert(
+                (chat_id, vetkey_epoch_id, user),
+                IbeEncryptedVetKey(encrypted_vetkey),
+            );
+            assert!(todo_remove_.is_none());
+        });
+    }
+    Ok(())
+}
+
+#[ic_cdk::update]
+async fn get_vetkey_resharing_ibe_decryption_key(
+    transport_key: serde_bytes::ByteBuf,
+) -> serde_bytes::ByteBuf {
+    let caller = ic_cdk::api::msg_caller();
+    let args = ic_cdk::management_canister::VetKDDeriveKeyArgs {
+        input: vec![],
+        context: resharing_context(caller),
+        transport_public_key: transport_key.into_vec(),
+        key_id: key_id(),
+    };
+    let result = ic_cdk::management_canister::vetkd_derive_key(&args)
+        .await
+        .unwrap();
+    serde_bytes::ByteBuf::from(result.encrypted_key)
+}
+
+#[ic_cdk::update]
+async fn get_vetkey_resharing_ibe_encryption_key() -> serde_bytes::ByteBuf {
+    let caller = ic_cdk::api::msg_caller();
+    let args = ic_cdk::management_canister::VetKDPublicKeyArgs {
+        canister_id: None,
+        context: resharing_context(caller),
+        key_id: key_id(),
+    };
+    let result = ic_cdk::management_canister::vetkd_public_key(&args)
+        .await
+        .unwrap();
+
+    serde_bytes::ByteBuf::from(result.public_key)
 }
 
 #[ic_cdk::update]
@@ -648,7 +825,7 @@ fn modify_group_chat_participants(
         let todo_remove = metadata.insert((chat_id, now), new_vetkey_epoch_metadata);
         assert!(todo_remove.is_none());
 
-        clean_up_expired_vetkey_epochs(metadata, chat_id, now);
+        clean_up_expired_vetkey_epochs(metadata, chat_id);
 
         new_vetkey_epoch_id
     });
@@ -656,11 +833,107 @@ fn modify_group_chat_participants(
     Ok(new_vetkey_epoch_id)
 }
 
+fn start_expired_cleanup_timer_job_with_interval(secs: u64) {
+    let secs = std::time::Duration::from_secs(secs);
+    let _timer_id = ic_cdk_timers::set_timer_interval(secs, periodic_cleanup_of_expired_items);
+}
+
+fn periodic_cleanup_of_expired_items() {
+    let now = Time(ic_cdk::api::time());
+
+    let mut num_expired_direct_messages: usize = 0;
+    let mut num_expired_group_messages: usize = 0;
+    let mut num_expired_vetkey_epochs_caches: usize = 0;
+    let mut num_expired_reshared_vetkeys: usize = 0;
+
+    EXPIRING_MESSAGES.with_borrow_mut(|expiring_messages| {
+        let now = Time(ic_cdk::api::time());
+        let expired_messages: Vec<_> = expiring_messages
+            .iter()
+            .filter(|entry| entry.key().0 < now)
+            .map(|entry| *entry.key())
+            .collect();
+        for key in expired_messages {
+            let todo_remove = expiring_messages.remove(&key);
+            assert!(todo_remove.is_some());
+
+            match key.1 {
+                ChatId::Direct(chat_id) => {
+                    num_expired_direct_messages += 1;
+                    DIRECT_CHAT_MESSAGES.with_borrow_mut(|messages| {
+                        let todo_remove = messages.remove(&(chat_id, key.2));
+                        assert!(todo_remove.is_some());
+                    });
+                }
+                ChatId::Group(group_chat_id) => {
+                    num_expired_group_messages += 1;
+                    GROUP_CHAT_MESSAGES.with_borrow_mut(|messages| {
+                        let todo_remove = messages.remove(&(group_chat_id, key.2));
+                        assert!(todo_remove.is_some());
+                    });
+                }
+            }
+        }
+    });
+
+    EXPIRING_VETKEY_EPOCHS_CACHES.with_borrow_mut(|expiring_vetkey_epochs_caches| {
+        let mut expired_vetkey_epochs = std::collections::BTreeSet::new();
+        let expired_vetkey_epochs_caches: Vec<_> = expiring_vetkey_epochs_caches
+            .iter()
+            .filter(|entry| entry.key().0 < now)
+            .map(|entry| (*entry.key(), entry.value()))
+            .collect();
+        for ((time, chat_id, principal), vetkey_epoch_id) in expired_vetkey_epochs_caches {
+            expired_vetkey_epochs.insert((chat_id, vetkey_epoch_id));
+            let todo_remove_1 = expiring_vetkey_epochs_caches.remove(&(time, chat_id, principal));
+            assert!(todo_remove_1.is_some());
+
+            ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
+                let maps = opt_maps.as_mut().expect(
+                    "bug: encrypted maps should be initialized after canister initialization",
+                );
+                num_expired_vetkey_epochs_caches += 1;
+                let todo_remove_2 = maps
+                    .remove_encrypted_value(
+                        principal,
+                        map_id(principal),
+                        map_key_id(chat_id, vetkey_epoch_id),
+                    )
+                    .unwrap();
+                assert!(todo_remove_2.is_some());
+            });
+        }
+
+        for (chat_id, vetkey_epoch_id) in expired_vetkey_epochs {
+            RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
+                let reshared_vetkeys_to_remove: Vec<_> = reshared_vetkeys
+                    .range(&(chat_id, vetkey_epoch_id, Principal::management_canister())..)
+                    .filter(|entry| entry.key().0 == chat_id && entry.key().1 == vetkey_epoch_id)
+                    .map(|entry| *entry.key())
+                    .collect();
+                for key in reshared_vetkeys_to_remove {
+                    let todo_remove = reshared_vetkeys.remove(&key);
+                    assert!(todo_remove.is_some());
+                    num_expired_reshared_vetkeys += 1;
+                }
+            });
+        }
+    });
+
+    println!(
+        "Timer job: cleaned up {} expired direct messages, {} expired group messages, {} expired vetkey epochs caches, {} expired reshared vetkeys",
+        num_expired_direct_messages,
+        num_expired_group_messages,
+        num_expired_vetkey_epochs_caches,
+        num_expired_reshared_vetkeys
+    );
+}
+
 fn clean_up_expired_vetkey_epochs(
     metadata: &mut StableBTreeMap<(ChatId, Time), VetKeyEpochMetadata, Memory>,
     chat_id: ChatId,
-    now: Time,
 ) {
+    let now = Time(ic_cdk::api::time());
     let message_expiry_setting = CHAT_TO_MESSAGE_EXPIRY_SETTING
         .with_borrow(|expiry_settings| expiry_settings.get(&chat_id))
         .expect("bug: expiry should always exist for existing chats");
@@ -692,13 +965,26 @@ fn ensure_user_has_access_to_chat_at_epoch(
     ))
 }
 
-fn ensure_user_has_no_cached_key_for_vetkey_epoch(
+fn ensure_user_has_no_cached_key_for_chat_and_vetkey_epoch(
     user: Principal,
     chat_id: ChatId,
     vetkey_epoch_id: VetKeyEpochId,
 ) -> Result<(), String> {
-    let cache_exists = USER_SYMMETRIC_KEY_CACHE
-        .with_borrow_mut(|caches| caches.contains_key(&(chat_id, vetkey_epoch_id, user)));
+    let cache_exists = ENCRYPTED_MAPS.with_borrow(|opt_maps| {
+        let maps = opt_maps
+            .as_ref()
+            .expect("bug: encrypted maps should be initialized after canister initialization");
+        let map_id = (
+            user,
+            ic_stable_structures::storable::Blob::<32>::from_bytes(Cow::Borrowed(
+                b"encrypted_chat_cache",
+            )),
+        );
+        let map_key_id = map_key_id(chat_id, vetkey_epoch_id);
+        maps.get_encrypted_value(user, map_id, map_key_id)
+            .expect("bug: failed to get encrypted value")
+            .is_some()
+    });
     if cache_exists {
         Err(format!(
             "User {} already has a cached key for chat {:?} at vetkey epoch {:?}",
@@ -774,6 +1060,43 @@ fn ensure_vetkey_epoch_did_not_expire(
     }
 }
 
+fn ensure_payload_has_reasonable_size_for_key(payload: &[u8]) -> Result<(), String> {
+    if payload.len() > 200 {
+        Err(format!(
+            "Payload is way too large: expected <= 200 B, got {} B",
+            payload.len()
+        ))
+    } else {
+        Ok(())
+    }
+}
+
+fn map_id(caller: Principal) -> (Principal, ic_stable_structures::storable::Blob<32>) {
+    (
+        caller,
+        ic_stable_structures::storable::Blob::<32>::from_bytes(Cow::Borrowed(
+            b"encrypted_chat_cache",
+        )),
+    )
+}
+
+fn map_key_id(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> ic_stable_structures::storable::Blob<32> {
+    ic_stable_structures::storable::Blob::<32>::from_bytes(Cow::Owned(
+        sha2::Sha256::digest(
+            chat_id
+                .to_bytes()
+                .iter()
+                .cloned()
+                .chain(vetkey_epoch_id.to_bytes().iter().cloned())
+                .collect::<Vec<u8>>(),
+        )
+        .to_vec(),
+    ))
+}
+
 fn latest_vetkey_epoch_id(chat_id: ChatId) -> Option<VetKeyEpochId> {
     CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
         metadata
@@ -817,4 +1140,15 @@ pub fn ratchet_context(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> Vec<u
     context
 }
 
+pub fn resharing_context(caller: Principal) -> Vec<u8> {
+    let mut context = vec![];
+
+    context.extend_from_slice(&[DOMAIN_SEPARATOR_VETKEY_RESHARING.as_bytes().len() as u8]);
+    context.extend_from_slice(DOMAIN_SEPARATOR_VETKEY_ROTATION.as_bytes());
+
+    context.extend_from_slice(&caller.as_slice());
+
+    context
+}
+
 ic_cdk::export_candid!();
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index 70bef960..28538311 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -6,14 +6,14 @@ use std::borrow::Cow;
 macro_rules! storable_unbounded {
     ($name:ident) => {
         impl Storable for $name {
-            fn into_bytes(self) -> Vec<u8> {
-                serde_cbor::to_vec(&self).expect("failed to serialize")
-            }
-
             fn to_bytes(&self) -> Cow<[u8]> {
                 Cow::Owned(serde_cbor::to_vec(self).expect("failed to serialize"))
             }
 
+            fn into_bytes(self) -> Vec<u8> {
+                self.to_bytes().into_owned()
+            }
+
             fn from_bytes(bytes: Cow<[u8]>) -> Self {
                 serde_cbor::from_slice(&bytes).expect("failed to deserialize")
             }

From 53983cc6d761d6dcf7f46b60c08d346a02689885 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 5 Aug 2025 17:03:13 +0200
Subject: [PATCH 05/62] some test fixes

---
 .../encrypted_chat/rust/backend/src/lib.rs    | 10 +++---
 .../rust/backend/tests/direct_chat.rs         | 34 +++++++++----------
 .../rust/backend/tests/group_chat.rs          | 34 +++++++++----------
 3 files changed, 40 insertions(+), 38 deletions(-)

diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 3dda4e74..509d977e 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -74,6 +74,8 @@ thread_local! {
     //
     // map = ENCRYPTED_MAPS[(caller, "encrypted_chat_cache")]
     // map[SHA256(chat_id || vetkey_epoch_id)] = cache
+    //
+    // The reason for not storing that data directly is that in encrypted maps, the key is limited to 32 bytes, which is a conservative constant due to the fact that stable structures cannot currently store unbounded data in tuples.
     static ENCRYPTED_MAPS: RefCell<Option<EncryptedMaps<AccessRights>>> = const { RefCell::new(None) };
 
     static VETKD_KEY_NAME: RefCell<StableCell<String, Memory>> =
@@ -248,7 +250,7 @@ fn create_group_chat(
 }
 
 #[ic_cdk::update]
-async fn public_key(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> serde_bytes::ByteBuf {
+async fn chat_public_key(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> serde_bytes::ByteBuf {
     let request = VetKDPublicKeyArgs {
         canister_id: None,
         context: ratchet_context(chat_id, vetkey_epoch_id),
@@ -274,7 +276,7 @@ async fn public_key(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> serde_by
 /// * If the user does not have access to the chat or vetKey epoch.
 /// * If the user has already cached the key.
 #[ic_cdk::update]
-async fn derive_vetkey(
+async fn derive_chat_vetkey(
     chat_id: ChatId,
     opt_vetkey_epoch_id: Option<VetKeyEpochId>,
     transport_key: serde_bytes::ByteBuf,
@@ -608,7 +610,7 @@ fn update_my_symmetric_key_cache(
                 caller,
                 map_id(caller),
                 map_key_id(chat_id, vetkey_epoch_id),
-                ic_vetkeys::types::ByteBuf::from(user_cache.to_bytes().into_owned()),
+                ic_vetkeys::types::ByteBuf::from(user_cache.0),
             )
             .expect("bug: failed to insert encrypted value");
     });
@@ -641,7 +643,7 @@ fn get_my_symmetric_key_cache(
             .expect("bug: encrypted maps should be initialized after canister initialization");
 
         maps.get_encrypted_value(caller, map_id(caller), map_key_id(chat_id, vetkey_epoch_id))
-            .map(|opt_cache| opt_cache.map(|cache| SymmetricKeyEpochCache(cache.into_bytes())))
+            .map(|opt_cache| opt_cache.map(|cache| SymmetricKeyEpochCache(cache.into())))
     })
 }
 
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index 2fdcd924..257a7739 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -384,7 +384,7 @@ fn can_get_vetkey_for_chat() {
                     let raw_encrypted_vetkey = env
                         .update::<Result<serde_bytes::ByteBuf, String>>(
                             caller,
-                            "derive_vetkey",
+                            "derive_chat_vetkey",
                             encode_args((
                                 chat_id,
                                 vetkey_epoch_id,
@@ -417,7 +417,7 @@ fn can_get_vetkey_for_chat() {
         let raw_public_key = env
             .update::<serde_bytes::ByteBuf>(
                 env.principal_0,
-                "public_key",
+                "chat_public_key",
                 encode_args((chat_id, VetKeyEpochId(epoch))).unwrap(),
             )
             .into_vec();
@@ -444,7 +444,7 @@ fn public_keys_for_different_chats_and_epochs_are_different() {
     let raw_public_key_00 = env
         .update::<serde_bytes::ByteBuf>(
             env.principal_0,
-            "public_key",
+            "chat_public_key",
             encode_args((chat_id_0, VetKeyEpochId(0))).unwrap(),
         )
         .into_vec();
@@ -452,7 +452,7 @@ fn public_keys_for_different_chats_and_epochs_are_different() {
     let raw_public_key_01 = env
         .update::<serde_bytes::ByteBuf>(
             env.principal_0,
-            "public_key",
+            "chat_public_key",
             encode_args((chat_id_0, VetKeyEpochId(1))).unwrap(),
         )
         .into_vec();
@@ -460,7 +460,7 @@ fn public_keys_for_different_chats_and_epochs_are_different() {
     let raw_public_key_10 = env
         .update::<serde_bytes::ByteBuf>(
             env.principal_0,
-            "public_key",
+            "chat_public_key",
             encode_args((chat_id_1, VetKeyEpochId(0))).unwrap(),
         )
         .into_vec();
@@ -487,7 +487,7 @@ fn fails_to_get_vetkey_for_chat_if_unauthorized() {
 
     let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
         env.principal_2,
-        "derive_vetkey",
+        "derive_chat_vetkey",
         encode_args((
             chat_id,
             Option::<VetKeyEpochId>::None,
@@ -607,7 +607,7 @@ fn fails_to_derive_vetkey_with_wrong_vetkey_epoch() {
         for caller in [env.principal_0, env.principal_1] {
             let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
                 caller,
-                "derive_vetkey",
+                "derive_chat_vetkey",
                 encode_args((
                     chat_id,
                     Some(VetKeyEpochId(latest_epoch + 1)),
@@ -654,7 +654,7 @@ fn can_rotate_chat_vetkey() {
     // Initially, epoch 0 should be the latest (we can verify this by trying to use epoch 1)
     let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
         env.principal_0,
-        "derive_vetkey",
+        "derive_chat_vetkey",
         encode_args((
             chat_id,
             Some(VetKeyEpochId(1)),
@@ -757,7 +757,7 @@ fn can_update_and_get_symmetric_key_cache() {
     for caller in [env.principal_0, env.principal_1] {
         let result = env.update::<Result<(), String>>(
             caller,
-            "update_symmetric_key_cache",
+            "update_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
         );
         assert_eq!(result, Ok(()));
@@ -780,7 +780,7 @@ fn can_update_and_get_symmetric_key_cache() {
     for caller in [env.principal_0, env.principal_1] {
         let result = env.update::<Result<(), String>>(
             caller,
-            "update_symmetric_key_cache",
+            "update_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0), updated_user_cache.clone())).unwrap(),
         );
         assert_eq!(result, Ok(()));
@@ -816,7 +816,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
     // Unauthorized user cannot update cache
     let result = env.update::<Result<(), String>>(
         env.principal_2,
-        "update_symmetric_key_cache",
+        "update_my_symmetric_key_cache",
         encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
     );
     assert_eq!(
@@ -867,7 +867,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
     for caller in [env.principal_0, env.principal_1] {
         env.update::<Result<(), String>>(
             caller,
-            "update_symmetric_key_cache",
+            "update_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
         )
         .unwrap();
@@ -883,7 +883,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
         // Cannot update cache for expired epoch
         let result = env.update::<Result<(), String>>(
             caller,
-            "update_symmetric_key_cache",
+            "update_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
         );
         assert_eq!(
@@ -927,7 +927,7 @@ fn cannot_derive_vetkey_after_cache_exists() {
         // Create cache
         env.update::<Result<(), String>>(
             caller,
-            "update_symmetric_key_cache",
+            "update_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
         )
         .unwrap();
@@ -935,7 +935,7 @@ fn cannot_derive_vetkey_after_cache_exists() {
         // Now derive_vetkey should fail
         let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
             caller,
-            "derive_vetkey",
+            "derive_chat_vetkey",
             encode_args((
                 chat_id,
                 Option::<VetKeyEpochId>::None,
@@ -974,7 +974,7 @@ fn cache_is_separate_for_different_epochs() {
         // Create cache for epoch 0
         env.update::<Result<(), String>>(
             caller,
-            "update_symmetric_key_cache",
+            "update_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0), user_cache_0.clone())).unwrap(),
         )
         .unwrap();
@@ -1016,7 +1016,7 @@ fn cache_is_separate_for_different_epochs() {
         // Create cache for epoch 1
         env.update::<Result<(), String>>(
             caller,
-            "update_symmetric_key_cache",
+            "update_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(1), user_cache_1.clone())).unwrap(),
         )
         .unwrap();
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index 71fb3f98..7f4bfdd6 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -345,7 +345,7 @@ fn can_get_vetkey_for_chat() {
                         let raw_encrypted_vetkey = env
                             .update::<Result<serde_bytes::ByteBuf, String>>(
                                 caller,
-                                "derive_vetkey",
+                                "derive_chat_vetkey",
                                 encode_args((
                                     chat_id,
                                     vetkey_epoch_id,
@@ -378,7 +378,7 @@ fn can_get_vetkey_for_chat() {
             let raw_public_key = env
                 .update::<serde_bytes::ByteBuf>(
                     env.principal_0,
-                    "public_key",
+                    "chat_public_key",
                     encode_args((chat_id, VetKeyEpochId(epoch))).unwrap(),
                 )
                 .into_vec();
@@ -406,7 +406,7 @@ fn public_keys_for_different_chats_and_epochs_are_different() {
     let raw_public_key_00 = env
         .update::<serde_bytes::ByteBuf>(
             env.principal_0,
-            "public_key",
+            "chat_public_key",
             encode_args((chat_id_0, VetKeyEpochId(0))).unwrap(),
         )
         .into_vec();
@@ -414,7 +414,7 @@ fn public_keys_for_different_chats_and_epochs_are_different() {
     let raw_public_key_01 = env
         .update::<serde_bytes::ByteBuf>(
             env.principal_0,
-            "public_key",
+            "chat_public_key",
             encode_args((chat_id_0, VetKeyEpochId(1))).unwrap(),
         )
         .into_vec();
@@ -422,7 +422,7 @@ fn public_keys_for_different_chats_and_epochs_are_different() {
     let raw_public_key_10 = env
         .update::<serde_bytes::ByteBuf>(
             env.principal_0,
-            "public_key",
+            "chat_public_key",
             encode_args((chat_id_1, VetKeyEpochId(0))).unwrap(),
         )
         .into_vec();
@@ -454,7 +454,7 @@ fn fails_to_get_vetkey_for_chat_if_unauthorized() {
         for unauthorized_participant in unauthorized_participants {
             let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
                 unauthorized_participant,
-                "derive_vetkey",
+                "derive_chat_vetkey",
                 encode_args((
                     chat_id,
                     Option::<VetKeyEpochId>::None,
@@ -583,7 +583,7 @@ fn fails_to_derive_vetkey_with_wrong_vetkey_epoch() {
             for caller in participants.iter().copied() {
                 let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
                     caller,
-                    "derive_vetkey",
+                    "derive_chat_vetkey",
                     encode_args((
                         chat_id,
                         Some(VetKeyEpochId(latest_epoch + 1)),
@@ -642,7 +642,7 @@ fn can_rotate_chat_vetkey() {
         // Initially, epoch 0 should be the latest (we can verify this by trying to use epoch 1)
         let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
             env.principal_0,
-            "derive_vetkey",
+            "derive_chat_vetkey",
             encode_args((
                 chat_id,
                 Some(VetKeyEpochId(1)),
@@ -757,7 +757,7 @@ fn can_update_and_get_symmetric_key_cache() {
         for caller in participants.iter().copied() {
             let result = env.update::<Result<(), String>>(
                 caller,
-                "update_symmetric_key_cache",
+                "update_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
             );
             assert_eq!(result, Ok(()));
@@ -780,7 +780,7 @@ fn can_update_and_get_symmetric_key_cache() {
         for caller in participants.iter().copied() {
             let result = env.update::<Result<(), String>>(
                 caller,
-                "update_symmetric_key_cache",
+                "update_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0), updated_user_cache.clone())).unwrap(),
             );
             assert_eq!(result, Ok(()));
@@ -822,7 +822,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
             // Unauthorized user cannot update cache
             let result = env.update::<Result<(), String>>(
                 unauthorized_participant,
-                "update_symmetric_key_cache",
+                "update_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
             );
             assert_eq!(
@@ -883,7 +883,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
         for caller in participants.iter().copied() {
             env.update::<Result<(), String>>(
                 caller,
-                "update_symmetric_key_cache",
+                "update_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
             )
             .unwrap();
@@ -914,7 +914,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
             // Cannot update cache for expired epoch
             let result = env.update::<Result<(), String>>(
                 caller,
-                "update_symmetric_key_cache",
+                "update_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
             );
             assert_eq!(
@@ -971,7 +971,7 @@ fn cannot_derive_vetkey_after_cache_exists() {
             // Create cache
             env.update::<Result<(), String>>(
                 caller,
-                "update_symmetric_key_cache",
+                "update_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
             )
             .unwrap();
@@ -979,7 +979,7 @@ fn cannot_derive_vetkey_after_cache_exists() {
             // Now derive_vetkey should fail
             let result = env.update::<Result<serde_bytes::ByteBuf, String>>(
                 caller,
-                "derive_vetkey",
+                "derive_chat_vetkey",
                 encode_args((
                     chat_id,
                     Option::<VetKeyEpochId>::None,
@@ -1030,7 +1030,7 @@ fn cache_is_separate_for_different_epochs() {
             // Create cache for epoch 0
             env.update::<Result<(), String>>(
                 caller,
-                "update_symmetric_key_cache",
+                "update_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0), user_cache_0.clone())).unwrap(),
             )
             .unwrap();
@@ -1072,7 +1072,7 @@ fn cache_is_separate_for_different_epochs() {
             // Create cache for epoch 1
             env.update::<Result<(), String>>(
                 caller,
-                "update_symmetric_key_cache",
+                "update_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(1), user_cache_1.clone())).unwrap(),
             )
             .unwrap();

From aac6a87c4f51f1c85af0e9ebf746704c2e252310 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 5 Aug 2025 17:08:26 +0200
Subject: [PATCH 06/62] SymmetricKeyEpochCache ->
 EncryptedSymmetricKeyEpochCache

---
 .../encrypted_chat/rust/backend/src/lib.rs    |  6 +--
 .../encrypted_chat/rust/backend/src/types.rs  |  4 +-
 .../rust/backend/tests/direct_chat.rs         | 35 ++++++++---------
 .../rust/backend/tests/group_chat.rs          | 38 +++++++++----------
 4 files changed, 42 insertions(+), 41 deletions(-)

diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 509d977e..a9f808cf 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -593,7 +593,7 @@ fn ensure_latest_and_correct_vetkey_and_symmetric_key_epoch(
 fn update_my_symmetric_key_cache(
     chat_id: ChatId,
     vetkey_epoch_id: VetKeyEpochId,
-    user_cache: SymmetricKeyEpochCache, // TODO encrypted
+    user_cache: EncryptedSymmetricKeyEpochCache,
 ) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
@@ -631,7 +631,7 @@ fn update_my_symmetric_key_cache(
 fn get_my_symmetric_key_cache(
     chat_id: ChatId,
     vetkey_epoch_id: VetKeyEpochId,
-) -> Result<Option<SymmetricKeyEpochCache>, String> {
+) -> Result<Option<EncryptedSymmetricKeyEpochCache>, String> {
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
@@ -643,7 +643,7 @@ fn get_my_symmetric_key_cache(
             .expect("bug: encrypted maps should be initialized after canister initialization");
 
         maps.get_encrypted_value(caller, map_id(caller), map_key_id(chat_id, vetkey_epoch_id))
-            .map(|opt_cache| opt_cache.map(|cache| SymmetricKeyEpochCache(cache.into())))
+            .map(|opt_cache| opt_cache.map(|cache| EncryptedSymmetricKeyEpochCache(cache.into())))
     })
 }
 
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index 28538311..a8bf911c 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -189,9 +189,9 @@ pub struct GroupChatId(pub u64);
 storable_delegate!(GroupChatId, u64);
 
 #[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
-pub struct SymmetricKeyEpochCache(pub Vec<u8>);
+pub struct EncryptedSymmetricKeyEpochCache(pub Vec<u8>);
 
-storable_unbounded!(SymmetricKeyEpochCache);
+storable_unbounded!(EncryptedSymmetricKeyEpochCache);
 
 #[derive(
     CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index 257a7739..221370a4 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -1,7 +1,8 @@
 use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
-    SenderMessageId, SymmetricKeyEpochCache, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
+    EncryptedSymmetricKeyEpochCache, SenderMessageId, SymmetricKeyEpochId, Time, UserMessage,
+    VetKeyEpochId,
 };
 use pocket_ic::{PocketIc, PocketIcBuilder};
 use rand::{CryptoRng, Rng, SeedableRng};
@@ -739,12 +740,12 @@ fn can_update_and_get_symmetric_key_cache() {
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
     let cache_data = b"dummy symmetric key cache".to_vec();
-    let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+    let user_cache = EncryptedSymmetricKeyEpochCache(cache_data.clone());
 
     // Initially, cache should be empty for both participants
     for caller in [env.principal_0, env.principal_1] {
         assert_eq!(
-            env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 caller,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -765,7 +766,7 @@ fn can_update_and_get_symmetric_key_cache() {
 
     // Authorized user can retrieve their cache
     for caller in [env.principal_0, env.principal_1] {
-        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+        let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
             caller,
             "get_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -775,7 +776,7 @@ fn can_update_and_get_symmetric_key_cache() {
 
     // Authorized user can update their cache
     let updated_cache_data = b"updated symmetric key cache".to_vec();
-    let updated_user_cache = SymmetricKeyEpochCache(updated_cache_data.clone());
+    let updated_user_cache = EncryptedSymmetricKeyEpochCache(updated_cache_data.clone());
 
     for caller in [env.principal_0, env.principal_1] {
         let result = env.update::<Result<(), String>>(
@@ -788,7 +789,7 @@ fn can_update_and_get_symmetric_key_cache() {
 
     // Verify the cache was updated
     for caller in [env.principal_0, env.principal_1] {
-        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+        let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
             caller,
             "get_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -811,7 +812,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
     let cache_data = b"dummy symmetric key cache".to_vec();
-    let user_cache = SymmetricKeyEpochCache(cache_data);
+    let user_cache = EncryptedSymmetricKeyEpochCache(cache_data);
 
     // Unauthorized user cannot update cache
     let result = env.update::<Result<(), String>>(
@@ -829,7 +830,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
     );
 
     // Unauthorized user cannot get cache
-    let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+    let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
         env.principal_2,
         "get_my_symmetric_key_cache",
         encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -861,7 +862,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
     let cache_data = b"dummy symmetric key cache".to_vec();
-    let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+    let user_cache = EncryptedSymmetricKeyEpochCache(cache_data.clone());
 
     // Create cache for epoch 0
     for caller in [env.principal_0, env.principal_1] {
@@ -892,7 +893,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
         );
 
         // Cannot get cache for expired epoch
-        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+        let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
             caller,
             "get_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -918,7 +919,7 @@ fn cannot_derive_vetkey_after_cache_exists() {
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
     let cache_data = b"dummy symmetric key cache".to_vec();
-    let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+    let user_cache = EncryptedSymmetricKeyEpochCache(cache_data.clone());
 
     // DON'T REUSE THE SAME TRANSPORT KEYS IN PRODUCTION
     let transport_key = ic_vetkeys::TransportSecretKey::from_seed(random_bytes(32, rng)).unwrap();
@@ -967,8 +968,8 @@ fn cache_is_separate_for_different_epochs() {
     .unwrap();
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
-    let user_cache_0 = SymmetricKeyEpochCache(b"cache for epoch 0".to_vec());
-    let user_cache_1 = SymmetricKeyEpochCache(b"cache for epoch 1".to_vec());
+    let user_cache_0 = EncryptedSymmetricKeyEpochCache(b"cache for epoch 0".to_vec());
+    let user_cache_1 = EncryptedSymmetricKeyEpochCache(b"cache for epoch 1".to_vec());
 
     for caller in [env.principal_0, env.principal_1] {
         // Create cache for epoch 0
@@ -980,7 +981,7 @@ fn cache_is_separate_for_different_epochs() {
         .unwrap();
 
         // Verify cache exists for epoch 0
-        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+        let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
             caller,
             "get_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -988,7 +989,7 @@ fn cache_is_separate_for_different_epochs() {
         assert_eq!(result, Ok(Some(user_cache_0.clone())));
 
         // Verify no cache exists for epoch 1
-        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+        let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
             caller,
             "get_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
@@ -1022,7 +1023,7 @@ fn cache_is_separate_for_different_epochs() {
         .unwrap();
 
         // Verify cache still exists for epoch 0
-        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+        let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
             caller,
             "get_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -1030,7 +1031,7 @@ fn cache_is_separate_for_different_epochs() {
         assert_eq!(result, Ok(Some(user_cache_0.clone())));
 
         // Verify cache exists for epoch 1
-        let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+        let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
             caller,
             "get_my_symmetric_key_cache",
             encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index 7f4bfdd6..f8cf1d43 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -1,8 +1,8 @@
 use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
-    ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata, GroupChatId,
-    GroupChatMetadata, GroupModification, SenderMessageId, SymmetricKeyEpochCache,
-    SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId, VetKeyEpochMetadata,
+    ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata,
+    EncryptedSymmetricKeyEpochCache, GroupChatId, GroupChatMetadata, GroupModification,
+    SenderMessageId, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId, VetKeyEpochMetadata,
 };
 use pocket_ic::{PocketIc, PocketIcBuilder};
 use rand::{CryptoRng, Rng, SeedableRng};
@@ -739,12 +739,12 @@ fn can_update_and_get_symmetric_key_cache() {
 
         let chat_id = ChatId::Group(group_chat_metadata.chat_id);
         let cache_data = b"dummy symmetric key cache".to_vec();
-        let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+        let user_cache = EncryptedSymmetricKeyEpochCache(cache_data.clone());
 
         // Initially, cache should be empty for all participants
         for caller in participants.iter().copied() {
             assert_eq!(
-                env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+                env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                     caller,
                     "get_my_symmetric_key_cache",
                     encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -765,7 +765,7 @@ fn can_update_and_get_symmetric_key_cache() {
 
         // Authorized user can retrieve their cache
         for caller in participants.iter().copied() {
-            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 caller,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -775,7 +775,7 @@ fn can_update_and_get_symmetric_key_cache() {
 
         // Authorized user can update their cache
         let updated_cache_data = b"updated symmetric key cache".to_vec();
-        let updated_user_cache = SymmetricKeyEpochCache(updated_cache_data.clone());
+        let updated_user_cache = EncryptedSymmetricKeyEpochCache(updated_cache_data.clone());
 
         for caller in participants.iter().copied() {
             let result = env.update::<Result<(), String>>(
@@ -788,7 +788,7 @@ fn can_update_and_get_symmetric_key_cache() {
 
         // Verify the cache was updated
         for caller in participants.iter().copied() {
-            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 caller,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -816,7 +816,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
 
         let chat_id = ChatId::Group(GroupChatId(0));
         let cache_data = b"dummy symmetric key cache".to_vec();
-        let user_cache = SymmetricKeyEpochCache(cache_data);
+        let user_cache = EncryptedSymmetricKeyEpochCache(cache_data);
 
         for unauthorized_participant in unauthorized_participants {
             // Unauthorized user cannot update cache
@@ -835,7 +835,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
             );
 
             // Unauthorized user cannot get cache
-            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 unauthorized_participant,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -877,7 +877,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
 
         let chat_id = ChatId::Group(group_chat_metadata.chat_id);
         let cache_data = b"dummy symmetric key cache".to_vec();
-        let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+        let user_cache = EncryptedSymmetricKeyEpochCache(cache_data.clone());
 
         // Create cache for epoch 0
         for caller in participants.iter().copied() {
@@ -923,7 +923,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
             );
 
             // Cannot get cache for expired epoch
-            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 caller,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -961,7 +961,7 @@ fn cannot_derive_vetkey_after_cache_exists() {
 
         let chat_id = ChatId::Group(group_chat_metadata.chat_id);
         let cache_data = b"dummy symmetric key cache".to_vec();
-        let user_cache = SymmetricKeyEpochCache(cache_data.clone());
+        let user_cache = EncryptedSymmetricKeyEpochCache(cache_data.clone());
 
         // DON'T REUSE THE SAME TRANSPORT KEYS IN PRODUCTION
         let transport_key =
@@ -1023,8 +1023,8 @@ fn cache_is_separate_for_different_epochs() {
             .unwrap();
 
         let chat_id = ChatId::Group(group_chat_metadata.chat_id);
-        let user_cache_0 = SymmetricKeyEpochCache(b"cache for epoch 0".to_vec());
-        let user_cache_1 = SymmetricKeyEpochCache(b"cache for epoch 1".to_vec());
+        let user_cache_0 = EncryptedSymmetricKeyEpochCache(b"cache for epoch 0".to_vec());
+        let user_cache_1 = EncryptedSymmetricKeyEpochCache(b"cache for epoch 1".to_vec());
 
         for caller in participants.iter().copied() {
             // Create cache for epoch 0
@@ -1036,7 +1036,7 @@ fn cache_is_separate_for_different_epochs() {
             .unwrap();
 
             // Verify cache exists for epoch 0
-            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 caller,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -1044,7 +1044,7 @@ fn cache_is_separate_for_different_epochs() {
             assert_eq!(result, Ok(Some(user_cache_0.clone())));
 
             // Verify no cache exists for epoch 1
-            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 caller,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
@@ -1078,7 +1078,7 @@ fn cache_is_separate_for_different_epochs() {
             .unwrap();
 
             // Verify cache still exists for epoch 0
-            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 caller,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
@@ -1086,7 +1086,7 @@ fn cache_is_separate_for_different_epochs() {
             assert_eq!(result, Ok(Some(user_cache_0.clone())));
 
             // Verify cache exists for epoch 1
-            let result = env.update::<Result<Option<SymmetricKeyEpochCache>, String>>(
+            let result = env.update::<Result<Option<EncryptedSymmetricKeyEpochCache>, String>>(
                 caller,
                 "get_my_symmetric_key_cache",
                 encode_args((chat_id, VetKeyEpochId(1))).unwrap(),

From b2bc51572392a68055d42134def7ef50b6c6402e Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 5 Aug 2025 18:16:50 +0200
Subject: [PATCH 07/62] add vetKey resharing tests

---
 .../encrypted_chat/rust/backend/src/lib.rs    |  30 +-
 .../encrypted_chat/rust/backend/src/types.rs  |   8 +-
 .../rust/backend/tests/direct_chat.rs         | 402 ++++++++++++-
 .../rust/backend/tests/group_chat.rs          | 532 +++++++++++++++++-
 4 files changed, 958 insertions(+), 14 deletions(-)

diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index a9f808cf..6f7d2efb 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -685,7 +685,7 @@ async fn get_vetkey_verification_key_for_my_cache_storage() -> serde_bytes::Byte
 fn reshare_ibe_encrypted_vetkeys(
     chat_id: ChatId,
     vetkey_epoch_id: VetKeyEpochId,
-    users_and_encrypted_vetkeys: Vec<(Principal, serde_bytes::ByteBuf)>,
+    users_and_encrypted_vetkeys: Vec<(Principal, IbeEncryptedVetKey)>,
 ) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
@@ -696,10 +696,14 @@ fn reshare_ibe_encrypted_vetkeys(
         ensure_user_has_access_to_chat_at_epoch(*user, chat_id, vetkey_epoch_id)?;
         ensure_user_has_no_cached_key_for_chat_and_vetkey_epoch(*user, chat_id, vetkey_epoch_id)?;
 
+        if *user == caller {
+            return Err(format!("User {user} cannot reshare a vetkey with themselves"));
+        }
+
         RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
         let resharing_exists =  reshared_vetkeys.get(&(chat_id, vetkey_epoch_id, *user)).is_some();
-        if resharing_exists{
-            Err(format!("User {user} already has a cached key for chat {chat_id:?} at vetkey epoch {vetkey_epoch_id:?}"))
+        if resharing_exists {
+            Err(format!("User {user} already has a reshared key for chat {chat_id:?} at vetkey epoch {vetkey_epoch_id:?}"))
         }
         else {
             Ok(())
@@ -709,16 +713,28 @@ fn reshare_ibe_encrypted_vetkeys(
 
     for (user, encrypted_vetkey) in users_and_encrypted_vetkeys.into_iter() {
         RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
-            let todo_remove_ = reshared_vetkeys.insert(
-                (chat_id, vetkey_epoch_id, user),
-                IbeEncryptedVetKey(encrypted_vetkey),
-            );
+            let todo_remove_ =
+                reshared_vetkeys.insert((chat_id, vetkey_epoch_id, user), encrypted_vetkey);
             assert!(todo_remove_.is_none());
         });
     }
     Ok(())
 }
 
+#[ic_cdk::update]
+fn get_my_reshared_ibe_encrypted_vetkey(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<Option<IbeEncryptedVetKey>, String> {
+    let caller = ic_cdk::api::msg_caller();
+
+    ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
+    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
+
+    Ok(RESHARED_VETKEYS
+        .with_borrow(|reshared_vetkeys| reshared_vetkeys.get(&(chat_id, vetkey_epoch_id, caller))))
+}
+
 #[ic_cdk::update]
 async fn get_vetkey_resharing_ibe_decryption_key(
     transport_key: serde_bytes::ByteBuf,
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index a8bf911c..573e2eb1 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -189,7 +189,7 @@ pub struct GroupChatId(pub u64);
 storable_delegate!(GroupChatId, u64);
 
 #[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
-pub struct EncryptedSymmetricKeyEpochCache(pub Vec<u8>);
+pub struct EncryptedSymmetricKeyEpochCache(#[serde(with = "serde_bytes")] pub Vec<u8>);
 
 storable_unbounded!(EncryptedSymmetricKeyEpochCache);
 
@@ -289,7 +289,7 @@ pub struct VetKeyEpochId(pub u64);
 storable_delegate!(VetKeyEpochId, u64);
 
 #[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
-pub struct IbeEncryptedVetKey(pub serde_bytes::ByteBuf);
+pub struct IbeEncryptedVetKey(#[serde(with = "serde_bytes")] pub Vec<u8>);
 
 impl Storable for IbeEncryptedVetKey {
     fn to_bytes(&self) -> Cow<'_, [u8]> {
@@ -297,11 +297,11 @@ impl Storable for IbeEncryptedVetKey {
     }
 
     fn into_bytes(self) -> Vec<u8> {
-        self.0.into_vec()
+        self.0
     }
 
     fn from_bytes(bytes: Cow<[u8]>) -> Self {
-        Self(serde_bytes::ByteBuf::from(bytes.into_owned()))
+        Self(bytes.into_owned())
     }
 
     const BOUND: Bound = Bound::Unbounded;
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index 221370a4..b59d2e0f 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -1,8 +1,8 @@
 use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
-    EncryptedSymmetricKeyEpochCache, SenderMessageId, SymmetricKeyEpochId, Time, UserMessage,
-    VetKeyEpochId,
+    EncryptedSymmetricKeyEpochCache, IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId,
+    Time, UserMessage, VetKeyEpochId,
 };
 use pocket_ic::{PocketIc, PocketIcBuilder};
 use rand::{CryptoRng, Rng, SeedableRng};
@@ -1040,6 +1040,404 @@ fn cache_is_separate_for_different_epochs() {
     }
 }
 
+#[test]
+fn can_reshare_vetkey() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+    env.update::<Result<(), String>>(
+        env.principal_0,
+        "reshare_ibe_encrypted_vetkeys",
+        encode_args((
+            chat_id,
+            VetKeyEpochId(0),
+            vec![(env.principal_1, IbeEncryptedVetKey(reshared_vetkey.clone()))],
+        ))
+        .unwrap(),
+    )
+    .unwrap();
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+    );
+
+    assert_eq!(result, Ok(Some(IbeEncryptedVetKey(reshared_vetkey))));
+}
+
+#[test]
+fn reshared_vetkey_is_deleted_and_rejected_after_user_uploads_cache() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    env.update::<Result<(), String>>(
+        env.principal_0,
+        "reshare_ibe_encrypted_vetkeys",
+        encode_args((
+            chat_id,
+            VetKeyEpochId(0),
+            vec![(
+                env.principal_1,
+                IbeEncryptedVetKey(b"dummy_encrypted_vetkey".to_vec()),
+            )],
+        ))
+        .unwrap(),
+    )
+    .unwrap();
+
+    let user_cache = EncryptedSymmetricKeyEpochCache(b"dummy symmetric key cache".to_vec());
+    let result = env.update::<Result<(), String>>(
+        env.principal_1,
+        "update_my_symmetric_key_cache",
+        encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+    );
+    assert_eq!(result, Ok(()));
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+    );
+
+    assert_eq!(result, Ok(None));
+
+    let result = env.update::<Result<(), String>>(
+        env.principal_1,
+        "reshare_ibe_encrypted_vetkeys",
+        encode_args((
+            chat_id,
+            VetKeyEpochId(0),
+            vec![(
+                env.principal_1,
+                IbeEncryptedVetKey(b"dummy_encrypted_vetkey".to_vec()),
+            )],
+        ))
+        .unwrap(),
+    );
+    assert_eq!(
+        result,
+        Err(format!(
+            "User {} already has a cached key for chat {chat_id:?} at vetkey epoch {:?}",
+            env.principal_1,
+            VetKeyEpochId(0)
+        ))
+    );
+}
+
+#[test]
+fn cannot_reshare_vetkey_twice() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+    env.update::<Result<(), String>>(
+        env.principal_0,
+        "reshare_ibe_encrypted_vetkeys",
+        encode_args((
+            chat_id,
+            VetKeyEpochId(0),
+            vec![(env.principal_1, IbeEncryptedVetKey(reshared_vetkey.clone()))],
+        ))
+        .unwrap(),
+    )
+    .unwrap();
+
+    assert_eq!(
+        env.update::<Result<(), String>>(
+            env.principal_0,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(0),
+                vec![(
+                    env.principal_1,
+                    IbeEncryptedVetKey(b"dummy_encrypted_vetkey_2".to_vec())
+                )],
+            ))
+            .unwrap(),
+        ),
+        Err(format!(
+            "User {} already has a reshared key for chat {chat_id:?} at vetkey epoch {:?}",
+            env.principal_1,
+            VetKeyEpochId(0)
+        ))
+    );
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+    );
+
+    assert_eq!(result, Ok(Some(IbeEncryptedVetKey(reshared_vetkey))));
+}
+
+#[test]
+fn fails_to_reshare_vetkey_if_unauthorized() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+    assert_eq!(
+        env.update::<Result<(), String>>(
+            env.principal_2,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(0),
+                vec![(env.principal_1, IbeEncryptedVetKey(reshared_vetkey.clone()))],
+            ))
+            .unwrap(),
+        ),
+        Err(format!(
+            "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+            env.principal_2,
+            VetKeyEpochId(0)
+        ))
+    );
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_0,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+    );
+
+    assert_eq!(result, Ok(None));
+}
+
+#[test]
+fn fails_to_reshare_vetkey_with_oneself() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(10_000))).unwrap(),
+    )
+    .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+    assert_eq!(
+        env.update::<Result<(), String>>(
+            env.principal_0,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(0),
+                vec![(env.principal_0, IbeEncryptedVetKey(reshared_vetkey.clone()))],
+            ))
+            .unwrap(),
+        ),
+        Err(format!(
+            "User {} cannot reshare a vetkey with themselves",
+            env.principal_0
+        ))
+    );
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_0,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+    );
+
+    assert_eq!(result, Ok(None));
+}
+
+#[test]
+fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let message_expiry_time_minutes = Time(10_000);
+
+    let chat_creation_time = env
+        .update::<Result<Time, String>>(
+            env.principal_0,
+            "create_direct_chat",
+            encode_args((env.principal_1, Time(1_000), message_expiry_time_minutes)).unwrap(),
+        )
+        .unwrap();
+
+    let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+
+    let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+    assert_eq!(
+        env.update::<Result<(), String>>(
+            env.principal_0,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(1),
+                vec![(env.principal_1, IbeEncryptedVetKey(reshared_vetkey.clone()))],
+            ))
+            .unwrap(),
+        ),
+        Err(format!(
+            "vetKey epoch {:?} not found for chat {chat_id:?}",
+            VetKeyEpochId(1)
+        ))
+    );
+
+    env.update::<Result<(), String>>(
+        env.principal_0,
+        "reshare_ibe_encrypted_vetkeys",
+        encode_args((
+            chat_id,
+            VetKeyEpochId(0),
+            vec![(env.principal_1, IbeEncryptedVetKey(reshared_vetkey.clone()))],
+        ))
+        .unwrap(),
+    )
+    .unwrap();
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+    );
+
+    assert_eq!(
+        result,
+        Err(format!(
+            "vetKey epoch {:?} not found for chat {chat_id:?}",
+            VetKeyEpochId(1)
+        ))
+    );
+
+    let new_epoch = env
+        .update::<Result<VetKeyEpochId, String>>(
+            env.principal_0,
+            "rotate_chat_vetkey",
+            encode_args((chat_id,)).unwrap(),
+        )
+        .unwrap();
+    assert_eq!(new_epoch, VetKeyEpochId(1));
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+    );
+
+    assert_eq!(
+        result,
+        Ok(Some(IbeEncryptedVetKey(reshared_vetkey.clone())))
+    );
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(2))).unwrap(),
+    );
+
+    assert_eq!(
+        result,
+        Err(format!(
+            "vetKey epoch {:?} not found for chat {chat_id:?}",
+            VetKeyEpochId(2)
+        ))
+    );
+
+    env.pic
+        .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
+            chat_creation_time.0 + message_expiry_time_minutes.0 * NANOSECONDS_IN_MINUTE,
+        ));
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+    );
+
+    assert_eq!(
+        result,
+        Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(0)))
+    );
+
+    env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+    )
+    .unwrap();
+
+    env.pic.advance_time(std::time::Duration::from_nanos(10));
+
+    let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+        env.principal_1,
+        "get_my_reshared_ibe_encrypted_vetkey",
+        encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+    );
+
+    assert_eq!(
+        result,
+        Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(1)))
+    );
+
+    for i in 0..2 {
+        let result = env.update::<Result<(), String>>(
+            env.principal_0,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(i),
+                vec![(env.principal_1, IbeEncryptedVetKey(reshared_vetkey.clone()))],
+            ))
+            .unwrap(),
+        );
+
+        assert_eq!(
+            result,
+            Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(i)))
+        );
+    }
+}
+
 fn reproducible_rng() -> ChaCha20Rng {
     let mut seed = [0u8; 32];
     rand::rng().fill(&mut seed);
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index f8cf1d43..b38dcda1 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -2,7 +2,8 @@ use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata,
     EncryptedSymmetricKeyEpochCache, GroupChatId, GroupChatMetadata, GroupModification,
-    SenderMessageId, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId, VetKeyEpochMetadata,
+    IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
+    VetKeyEpochMetadata,
 };
 use pocket_ic::{PocketIc, PocketIcBuilder};
 use rand::{CryptoRng, Rng, SeedableRng};
@@ -1306,6 +1307,535 @@ fn modify_chat_participants() {
     );
 }
 
+#[test]
+fn can_reshare_vetkey() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                participants[0],
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+        // Reshare vetkey to all participants except the resharing user
+        let resharing_user = participants[0];
+        let target_users: Vec<_> = participants
+            .iter()
+            .copied()
+            .filter(|&p| p != resharing_user)
+            .collect();
+
+        env.update::<Result<(), String>>(
+            resharing_user,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(0),
+                target_users
+                    .iter()
+                    .map(|&user| (user, IbeEncryptedVetKey(reshared_vetkey.clone())))
+                    .collect::<Vec<_>>(),
+            ))
+            .unwrap(),
+        )
+        .unwrap();
+
+        // Verify all target users can retrieve their reshared vetkey
+        for target_user in target_users.iter().copied() {
+            let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+                target_user,
+                "get_my_reshared_ibe_encrypted_vetkey",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+
+            assert_eq!(
+                result,
+                Ok(Some(IbeEncryptedVetKey(reshared_vetkey.clone())))
+            );
+        }
+    }
+}
+
+#[test]
+fn reshared_vetkey_is_deleted_and_rejected_after_user_uploads_cache() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+
+        // Reshare vetkey to all participants except the resharing user
+        let resharing_user = env.principal_0;
+        let target_users: Vec<_> = participants
+            .iter()
+            .copied()
+            .filter(|&p| p != resharing_user)
+            .collect();
+
+        env.update::<Result<(), String>>(
+            resharing_user,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(0),
+                target_users
+                    .iter()
+                    .map(|&user| (user, IbeEncryptedVetKey(b"dummy_encrypted_vetkey".to_vec())))
+                    .collect::<Vec<_>>(),
+            ))
+            .unwrap(),
+        )
+        .unwrap();
+
+        // One of the target users uploads their cache
+        let target_user = target_users[0];
+        let user_cache = EncryptedSymmetricKeyEpochCache(b"dummy symmetric key cache".to_vec());
+        let result = env.update::<Result<(), String>>(
+            target_user,
+            "update_my_symmetric_key_cache",
+            encode_args((chat_id, VetKeyEpochId(0), user_cache.clone())).unwrap(),
+        );
+        assert_eq!(result, Ok(()));
+
+        // Verify the reshared vetkey is deleted for that user
+        let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+            target_user,
+            "get_my_reshared_ibe_encrypted_vetkey",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+
+        assert_eq!(result, Ok(None));
+
+        // Verify that user cannot receive reshared vetkey anymore
+        let result = env.update::<Result<(), String>>(
+            resharing_user,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(0),
+                vec![(
+                    target_user,
+                    IbeEncryptedVetKey(b"dummy_encrypted_vetkey".to_vec()),
+                )],
+            ))
+            .unwrap(),
+        );
+        assert_eq!(
+            result,
+            Err(format!(
+                "User {} already has a cached key for chat {chat_id:?} at vetkey epoch {:?}",
+                target_user,
+                VetKeyEpochId(0)
+            ))
+        );
+    }
+}
+
+#[test]
+fn cannot_reshare_vetkey_twice() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+        // Reshare vetkey to all participants except the resharing user
+        let resharing_user = env.principal_0;
+        let target_users: Vec<_> = participants
+            .iter()
+            .copied()
+            .filter(|&p| p != resharing_user)
+            .collect();
+
+        env.update::<Result<(), String>>(
+            resharing_user,
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(0),
+                target_users
+                    .iter()
+                    .map(|&user| (user, IbeEncryptedVetKey(reshared_vetkey.clone())))
+                    .collect::<Vec<_>>(),
+            ))
+            .unwrap(),
+        )
+        .unwrap();
+
+        // Try to reshare again to the same users
+        assert_eq!(
+            env.update::<Result<(), String>>(
+                resharing_user,
+                "reshare_ibe_encrypted_vetkeys",
+                encode_args((
+                    chat_id,
+                    VetKeyEpochId(0),
+                    target_users
+                        .iter()
+                        .map(|&user| (
+                            user,
+                            IbeEncryptedVetKey(b"dummy_encrypted_vetkey_2".to_vec())
+                        ))
+                        .collect::<Vec<_>>(),
+                ))
+                .unwrap(),
+            ),
+            Err(format!(
+                "User {} already has a reshared key for chat {chat_id:?} at vetkey epoch {:?}",
+                target_users[0],
+                VetKeyEpochId(0)
+            ))
+        );
+
+        // Verify the original reshared vetkey is still available
+        for target_user in target_users.iter().copied() {
+            let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+                target_user,
+                "get_my_reshared_ibe_encrypted_vetkey",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+
+            assert_eq!(
+                result,
+                Ok(Some(IbeEncryptedVetKey(reshared_vetkey.clone())))
+            );
+        }
+    }
+}
+
+#[test]
+fn fails_to_reshare_vetkey_if_unauthorized() {
+    let mut rng = reproducible_rng();
+    let env = TestEnvironment::new(&mut rng);
+
+    for other_participants in [
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+        // Create an unauthorized user
+        let mut unauthorized_user = random_self_authenticating_principal(&mut rng);
+        while participants.contains(&unauthorized_user) {
+            unauthorized_user = random_self_authenticating_principal(&mut rng);
+        }
+
+        assert_eq!(
+            env.update::<Result<(), String>>(
+                unauthorized_user,
+                "reshare_ibe_encrypted_vetkeys",
+                encode_args((
+                    chat_id,
+                    VetKeyEpochId(0),
+                    vec![(participants[0], IbeEncryptedVetKey(reshared_vetkey.clone()))],
+                ))
+                .unwrap(),
+            ),
+            Err(format!(
+                "User {} does not have access to chat {chat_id:?} at epoch {:?}",
+                unauthorized_user,
+                VetKeyEpochId(0)
+            ))
+        );
+
+        // Verify no reshared vetkey was created
+        let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+            participants[0],
+            "get_my_reshared_ibe_encrypted_vetkey",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+
+        assert_eq!(result, Ok(None));
+    }
+}
+
+#[test]
+fn fails_to_reshare_vetkey_with_oneself() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    for other_participants in [
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+        for resharing_user in participants.iter().copied() {
+            assert_eq!(
+                env.update::<Result<(), String>>(
+                    resharing_user,
+                    "reshare_ibe_encrypted_vetkeys",
+                    encode_args((
+                        chat_id,
+                        VetKeyEpochId(0),
+                        vec![(resharing_user, IbeEncryptedVetKey(reshared_vetkey.clone()))],
+                    ))
+                    .unwrap(),
+                ),
+                Err(format!(
+                    "User {} cannot reshare a vetkey with themselves",
+                    resharing_user
+                ))
+            );
+
+            // Verify no reshared vetkey was created
+            let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+                resharing_user,
+                "get_my_reshared_ibe_encrypted_vetkey",
+                encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+            );
+
+            assert_eq!(result, Ok(None));
+        }
+    }
+}
+
+#[test]
+fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+    let expiry_setting_minutes = Time(10_000);
+
+    for other_participants in [
+        vec![env.principal_1],
+        vec![env.principal_1, env.principal_2],
+    ] {
+        let participants: Vec<_> = [env.principal_0]
+            .into_iter()
+            .chain(other_participants.iter().copied())
+            .collect();
+
+        let group_chat_metadata = env
+            .update::<Result<GroupChatMetadata, String>>(
+                env.principal_0,
+                "create_group_chat",
+                encode_args((other_participants, Time(1_000), expiry_setting_minutes)).unwrap(),
+            )
+            .unwrap();
+
+        let chat_id = ChatId::Group(group_chat_metadata.chat_id);
+        let reshared_vetkey = b"dummy_encrypted_vetkey".to_vec();
+
+        // Try to reshare to epoch 1 before it exists
+        assert_eq!(
+            env.update::<Result<(), String>>(
+                participants[0],
+                "reshare_ibe_encrypted_vetkeys",
+                encode_args((
+                    chat_id,
+                    VetKeyEpochId(1),
+                    vec![(participants[1], IbeEncryptedVetKey(reshared_vetkey.clone()))],
+                ))
+                .unwrap(),
+            ),
+            Err(format!(
+                "vetKey epoch {:?} not found for chat {chat_id:?}",
+                VetKeyEpochId(1)
+            ))
+        );
+
+        // Reshare to epoch 0
+        env.update::<Result<(), String>>(
+            participants[0],
+            "reshare_ibe_encrypted_vetkeys",
+            encode_args((
+                chat_id,
+                VetKeyEpochId(0),
+                vec![(participants[1], IbeEncryptedVetKey(reshared_vetkey.clone()))],
+            ))
+            .unwrap(),
+        )
+        .unwrap();
+
+        // Try to get reshared vetkey for epoch 1 before it exists
+        let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+            participants[1],
+            "get_my_reshared_ibe_encrypted_vetkey",
+            encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+        );
+
+        assert_eq!(
+            result,
+            Err(format!(
+                "vetKey epoch {:?} not found for chat {chat_id:?}",
+                VetKeyEpochId(1)
+            ))
+        );
+
+        // Rotate to epoch 1
+        let new_epoch = env
+            .update::<Result<VetKeyEpochId, String>>(
+                participants[0],
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(new_epoch, VetKeyEpochId(1));
+
+        // Verify epoch 0 reshared vetkey is still available
+        let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+            participants[1],
+            "get_my_reshared_ibe_encrypted_vetkey",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+
+        assert_eq!(
+            result,
+            Ok(Some(IbeEncryptedVetKey(reshared_vetkey.clone())))
+        );
+
+        // Try to get reshared vetkey for epoch 2 before it exists
+        let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+            participants[1],
+            "get_my_reshared_ibe_encrypted_vetkey",
+            encode_args((chat_id, VetKeyEpochId(2))).unwrap(),
+        );
+
+        assert_eq!(
+            result,
+            Err(format!(
+                "vetKey epoch {:?} not found for chat {chat_id:?}",
+                VetKeyEpochId(2)
+            ))
+        );
+
+        // Fast forward time to expire epoch 0
+        let expiry_time = group_chat_metadata.creation_timestamp.0
+            + expiry_setting_minutes.0 * NANOSECONDS_IN_MINUTE;
+        env.pic
+            .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
+
+        // Verify epoch 0 reshared vetkey is expired
+        let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+            participants[1],
+            "get_my_reshared_ibe_encrypted_vetkey",
+            encode_args((chat_id, VetKeyEpochId(0))).unwrap(),
+        );
+
+        assert_eq!(
+            result,
+            Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(0)))
+        );
+
+        // Verify epoch 1 reshared vetkey is still available
+        env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+            participants[0],
+            "get_my_reshared_ibe_encrypted_vetkey",
+            encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+        )
+        .unwrap();
+
+        // Fast forward time to expire epoch 1
+        env.pic.advance_time(std::time::Duration::from_nanos(10));
+
+        let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
+            participants[1],
+            "get_my_reshared_ibe_encrypted_vetkey",
+            encode_args((chat_id, VetKeyEpochId(1))).unwrap(),
+        );
+
+        assert_eq!(
+            result,
+            Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(1)))
+        );
+
+        // Try to reshare to expired epochs
+        for i in 0..2 {
+            let result = env.update::<Result<(), String>>(
+                participants[0],
+                "reshare_ibe_encrypted_vetkeys",
+                encode_args((
+                    chat_id,
+                    VetKeyEpochId(i),
+                    vec![(participants[1], IbeEncryptedVetKey(reshared_vetkey.clone()))],
+                ))
+                .unwrap(),
+            );
+
+            assert_eq!(
+                result,
+                Err(format!("vetKey epoch {:?} expired", VetKeyEpochId(i)))
+            );
+        }
+    }
+}
+
 fn reproducible_rng() -> ChaCha20Rng {
     let mut seed = [0u8; 32];
     rand::rng().fill(&mut seed);

From 388934f6183fbb47edd1aee237a6a70039798e68 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 5 Aug 2025 19:01:15 +0200
Subject: [PATCH 08/62] add a timer test

---
 .../encrypted_chat/rust/backend/src/lib.rs    | 18 ++--
 .../rust/backend/tests/direct_chat.rs         | 94 ++++++++++++++++++
 .../rust/backend/tests/group_chat.rs          | 98 +++++++++++++++++++
 3 files changed, 202 insertions(+), 8 deletions(-)

diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 6f7d2efb..91cc9ebd 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -393,7 +393,7 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
     });
 
     DIRECT_CHAT_MESSAGES.with_borrow_mut(|messages| {
-        messages.insert((direct_chat_id, chat_message_id), stored_message);
+        messages.insert((direct_chat_id, chat_message_id), stored_message.clone());
     });
 
     let expiry_time = CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
@@ -868,7 +868,7 @@ fn periodic_cleanup_of_expired_items() {
         let now = Time(ic_cdk::api::time());
         let expired_messages: Vec<_> = expiring_messages
             .iter()
-            .filter(|entry| entry.key().0 < now)
+            .filter(|entry| entry.key().0 <= now)
             .map(|entry| *entry.key())
             .collect();
         for key in expired_messages {
@@ -898,7 +898,7 @@ fn periodic_cleanup_of_expired_items() {
         let mut expired_vetkey_epochs = std::collections::BTreeSet::new();
         let expired_vetkey_epochs_caches: Vec<_> = expiring_vetkey_epochs_caches
             .iter()
-            .filter(|entry| entry.key().0 < now)
+            .filter(|entry| entry.key().0 <= now)
             .map(|entry| (*entry.key(), entry.value()))
             .collect();
         for ((time, chat_id, principal), vetkey_epoch_id) in expired_vetkey_epochs_caches {
@@ -910,15 +910,17 @@ fn periodic_cleanup_of_expired_items() {
                 let maps = opt_maps.as_mut().expect(
                     "bug: encrypted maps should be initialized after canister initialization",
                 );
-                num_expired_vetkey_epochs_caches += 1;
-                let todo_remove_2 = maps
+                if maps
                     .remove_encrypted_value(
                         principal,
                         map_id(principal),
                         map_key_id(chat_id, vetkey_epoch_id),
                     )
-                    .unwrap();
-                assert!(todo_remove_2.is_some());
+                    .unwrap()
+                    .is_some()
+                {
+                    num_expired_vetkey_epochs_caches += 1
+                }
             });
         }
 
@@ -938,7 +940,7 @@ fn periodic_cleanup_of_expired_items() {
         }
     });
 
-    println!(
+    ic_cdk::println!(
         "Timer job: cleaned up {} expired direct messages, {} expired group messages, {} expired vetkey epochs caches, {} expired reshared vetkeys",
         num_expired_direct_messages,
         num_expired_group_messages,
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index b59d2e0f..bd9b6c21 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -1438,6 +1438,100 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
     }
 }
 
+#[test]
+fn time_job_reports_cleaned_up_expired_items() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let chat_id_01 = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
+    let chat_id_02 = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_2)));
+    let user_cache = EncryptedSymmetricKeyEpochCache(b"dummy_symmetric_key".to_vec());
+    let dummy_encrypted_vetkey = IbeEncryptedVetKey(b"dummy_encrypted_vetkey".to_vec());
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(30), Time(60))).unwrap(),
+    )
+    .unwrap();
+
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_2, Time(30), Time(60))).unwrap(),
+    )
+    .unwrap();
+
+    for i in 0..2 {
+        for j in 0..2 {
+            let user_message = UserMessage {
+                content: b"hello".to_vec(),
+                vetkey_epoch: VetKeyEpochId(i),
+                symmetric_key_epoch: SymmetricKeyEpochId(0),
+                message_id: SenderMessageId(i + 2 * j),
+            };
+            env.update::<Result<Time, String>>(
+                env.principal_0,
+                "send_direct_message",
+                encode_args((user_message.clone(), env.principal_1)).unwrap(),
+            )
+            .unwrap();
+            env.update::<Result<Time, String>>(
+                env.principal_0,
+                "send_direct_message",
+                encode_args((user_message.clone(), env.principal_2)).unwrap(),
+            )
+            .unwrap();
+        }
+
+        for (chat_id, receiver) in [(chat_id_01, env.principal_1), (chat_id_02, env.principal_2)] {
+            env.update::<Result<(), String>>(
+                env.principal_0,
+                "update_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(i), user_cache.clone())).unwrap(),
+            )
+            .unwrap();
+
+            env.update::<Result<(), String>>(
+                env.principal_0,
+                "reshare_ibe_encrypted_vetkeys",
+                encode_args((
+                    chat_id,
+                    VetKeyEpochId(i),
+                    vec![(receiver, dummy_encrypted_vetkey.clone())],
+                ))
+                .unwrap(),
+            )
+            .unwrap();
+
+            if i == 0 {
+                let new_epoch = env
+                    .update::<Result<VetKeyEpochId, String>>(
+                        env.principal_0,
+                        "rotate_chat_vetkey",
+                        encode_args((chat_id,)).unwrap(),
+                    )
+                    .unwrap();
+
+                assert_eq!(new_epoch, VetKeyEpochId(1));
+            }
+        }
+    }
+
+    env.pic
+        .advance_time(std::time::Duration::from_secs(24 * 3600));
+    env.pic.tick();
+
+    let logs = env
+        .pic
+        .fetch_canister_logs(env.canister_id, Principal::anonymous())
+        .unwrap();
+    let log_string = logs.iter().fold(String::new(), |acc, log| {
+        format!("{acc}{}", String::from_utf8(log.content.clone()).unwrap())
+    });
+    assert_eq!(log_string, "Timer job: cleaned up 8 expired direct messages, 0 expired group messages, 4 expired vetkey epochs caches, 4 expired reshared vetkeys");
+}
+
 fn reproducible_rng() -> ChaCha20Rng {
     let mut seed = [0u8; 32];
     rand::rng().fill(&mut seed);
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index b38dcda1..a8347821 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -1836,6 +1836,104 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
     }
 }
 
+#[test]
+fn time_job_reports_cleaned_up_expired_items() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let user_cache = EncryptedSymmetricKeyEpochCache(b"dummy_symmetric_key".to_vec());
+    let dummy_encrypted_vetkey = IbeEncryptedVetKey(b"dummy_encrypted_vetkey".to_vec());
+
+    // Create two group chats
+    let group_chat_metadata_1 = env
+        .update::<Result<GroupChatMetadata, String>>(
+            env.principal_0,
+            "create_group_chat",
+            encode_args((vec![env.principal_1], Time(30), Time(60))).unwrap(),
+        )
+        .unwrap();
+
+    let group_chat_metadata_2 = env
+        .update::<Result<GroupChatMetadata, String>>(
+            env.principal_0,
+            "create_group_chat",
+            encode_args((vec![env.principal_2], Time(30), Time(60))).unwrap(),
+        )
+        .unwrap();
+
+    let chat_id_1 = ChatId::Group(group_chat_metadata_1.chat_id);
+    let chat_id_2 = ChatId::Group(group_chat_metadata_2.chat_id);
+
+    for i in 0..2 {
+        for j in 0..2 {
+            let user_message = UserMessage {
+                content: b"hello".to_vec(),
+                vetkey_epoch: VetKeyEpochId(i),
+                symmetric_key_epoch: SymmetricKeyEpochId(0),
+                message_id: SenderMessageId(i + 2 * j),
+            };
+            env.update::<Result<Time, String>>(
+                env.principal_0,
+                "send_group_message",
+                encode_args((user_message.clone(), group_chat_metadata_1.chat_id)).unwrap(),
+            )
+            .unwrap();
+            env.update::<Result<Time, String>>(
+                env.principal_0,
+                "send_group_message",
+                encode_args((user_message.clone(), group_chat_metadata_2.chat_id)).unwrap(),
+            )
+            .unwrap();
+        }
+
+        for (chat_id, receiver) in [(chat_id_1, env.principal_1), (chat_id_2, env.principal_2)] {
+            env.update::<Result<(), String>>(
+                env.principal_0,
+                "update_my_symmetric_key_cache",
+                encode_args((chat_id, VetKeyEpochId(i), user_cache.clone())).unwrap(),
+            )
+            .unwrap();
+
+            env.update::<Result<(), String>>(
+                env.principal_0,
+                "reshare_ibe_encrypted_vetkeys",
+                encode_args((
+                    chat_id,
+                    VetKeyEpochId(i),
+                    vec![(receiver, dummy_encrypted_vetkey.clone())],
+                ))
+                .unwrap(),
+            )
+            .unwrap();
+
+            if i == 0 {
+                let new_epoch = env
+                    .update::<Result<VetKeyEpochId, String>>(
+                        env.principal_0,
+                        "rotate_chat_vetkey",
+                        encode_args((chat_id,)).unwrap(),
+                    )
+                    .unwrap();
+
+                assert_eq!(new_epoch, VetKeyEpochId(1));
+            }
+        }
+    }
+
+    env.pic
+        .advance_time(std::time::Duration::from_secs(24 * 3600));
+    env.pic.tick();
+
+    let logs = env
+        .pic
+        .fetch_canister_logs(env.canister_id, Principal::anonymous())
+        .unwrap();
+    let log_string = logs.iter().fold(String::new(), |acc, log| {
+        format!("{acc}{}", String::from_utf8(log.content.clone()).unwrap())
+    });
+    assert_eq!(log_string, "Timer job: cleaned up 0 expired direct messages, 8 expired group messages, 4 expired vetkey epochs caches, 4 expired reshared vetkeys");
+}
+
 fn reproducible_rng() -> ChaCha20Rng {
     let mut seed = [0u8; 32];
     rand::rng().fill(&mut seed);

From c70f73f65207afd2adf4b9a6dccec6b23dc15d07 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 6 Aug 2025 08:14:14 +0200
Subject: [PATCH 09/62] update candid

---
 .../encrypted_chat/rust/backend/backend.did   | 36 +++++++++++++++++--
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index b474a133..631c1e28 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -37,19 +37,49 @@ type VetKeyEpochMetadata = record {
   epoch_id : nat64;
 };
 service : (text) -> {
+  chat_public_key : (ChatId, nat64) -> (blob);
   create_direct_chat : (principal, nat64, nat64) -> (Result);
   create_group_chat : (vec principal, nat64, nat64) -> (Result_1);
-  derive_vetkey : (ChatId, opt nat64, blob) -> (Result_2);
+  // Derives a vetKey for an existing chat or creates a new one if the chat does not exist.
+  // 
+  // # Arguments
+  // * `chat_id`: The chat to derive a vetKey for.
+  // * `opt_vetkey_epoch`: The vetKey epoch to derive a vetKey for. If `None`, a new epoch is created.
+  // * `transport_key`: The transport key to derive a vetKey for.
+  // 
+  // # Errors
+  // * If the vetKey epoch has expired.
+  // * If the user does not have access to the chat or vetKey epoch.
+  // * If the user has already cached the key.
+  derive_chat_vetkey : (ChatId, opt nat64, blob) -> (Result_2);
+  get_encrypted_vetkey_for_my_cache_storage : (blob) -> (blob);
   get_latest_chat_vetkey_epoch_metadata : (ChatId) -> (Result_3) query;
   get_my_chat_ids : () -> (vec ChatId) query;
+  get_my_reshared_ibe_encrypted_vetkey : (ChatId, nat64) -> (Result_4);
   get_my_symmetric_key_cache : (ChatId, nat64) -> (Result_4);
+  // Returns messages for a chat starting from a given message id.
+  // 
+  // # Arguments
+  // * `chat_id`: The chat to get messages for.
+  // * `message_id`: The message id to start from.
+  // * `limit`: The maximum number of messages to return.
+  // 
+  // # Notes
+  // * Does not fail if the chat does not exist or the user has no access -- returns empty vector instead.
   get_some_messages_for_chat_starting_from : (ChatId, nat64, opt nat32) -> (
       vec EncryptedMessage,
     ) query;
+  get_vetkey_resharing_ibe_decryption_key : (blob) -> (blob);
+  get_vetkey_resharing_ibe_encryption_key : () -> (blob);
+  get_vetkey_verification_key_for_my_cache_storage : () -> (blob);
   modify_group_chat_participants : (nat64, GroupModification) -> (Result);
-  public_key : (ChatId, nat64) -> (blob);
+  reshare_ibe_encrypted_vetkeys : (
+      ChatId,
+      nat64,
+      vec record { principal; blob },
+    ) -> (Result_5);
   rotate_chat_vetkey : (ChatId) -> (Result);
   send_direct_message : (UserMessage, principal) -> (Result);
   send_group_message : (UserMessage, nat64) -> (Result);
-  update_symmetric_key_cache : (ChatId, nat64, blob) -> (Result_5);
+  update_my_symmetric_key_cache : (ChatId, nat64, blob) -> (Result_5);
 }

From 861abba4c3f440a1df89284170f971f85c4b9cee Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 6 Aug 2025 11:47:50 +0200
Subject: [PATCH 10/62] dummy frontend

---
 examples/encrypted_chat/frontend/.gitignore   |   24 +
 examples/encrypted_chat/frontend/.npmrc       |    1 +
 .../encrypted_chat/frontend/.prettierignore   |    9 +
 examples/encrypted_chat/frontend/.prettierrc  |   16 +
 examples/encrypted_chat/frontend/README.md    |   38 +
 .../encrypted_chat/frontend/e2e/demo.test.ts  |    6 +
 .../encrypted_chat/frontend/eslint.config.js  |   40 +
 .../encrypted_chat/frontend/package-lock.json | 4592 +++++++++++++++++
 examples/encrypted_chat/frontend/package.json |   50 +
 .../frontend/playwright.config.ts             |    9 +
 examples/encrypted_chat/frontend/src/app.css  |    7 +
 examples/encrypted_chat/frontend/src/app.d.ts |   13 +
 examples/encrypted_chat/frontend/src/app.html |   12 +
 .../frontend/src/lib/assets/favicon.svg       |    1 +
 .../src/lib/components/ChatHeader.svelte      |  309 ++
 .../src/lib/components/ChatInterface.svelte   |   95 +
 .../src/lib/components/ChatList.svelte        |   54 +
 .../src/lib/components/ChatListItem.svelte    |  166 +
 .../src/lib/components/EmojiPicker.svelte     |  228 +
 .../components/GroupManagementModal.svelte    |  258 +
 .../src/lib/components/MessageBubble.svelte   |  188 +
 .../src/lib/components/MessageHistory.svelte  |  237 +
 .../src/lib/components/MessageInput.svelte    |  223 +
 .../lib/components/NotificationBanner.svelte  |  120 +
 .../src/lib/components/UserProfile.svelte     |   87 +
 .../encrypted_chat/frontend/src/lib/index.ts  |    1 +
 .../frontend/src/lib/services/api.ts          |  323 ++
 .../frontend/src/lib/services/identity.ts     |   83 +
 .../frontend/src/lib/services/storage.ts      |  135 +
 .../frontend/src/lib/stores/chat.ts           |  265 +
 .../frontend/src/lib/types/index.ts           |  100 +
 .../frontend/src/routes/+layout.svelte        |   27 +
 .../frontend/src/routes/+layout.ts            |    1 +
 .../frontend/src/routes/+page.svelte          |  118 +
 .../encrypted_chat/frontend/static/robots.txt |    3 +
 .../encrypted_chat/frontend/svelte.config.js  |   11 +
 .../frontend/tailwind.config.js               |   24 +
 .../encrypted_chat/frontend/tsconfig.json     |   19 +
 .../encrypted_chat/frontend/vite.config.ts    |    7 +
 39 files changed, 7900 insertions(+)
 create mode 100644 examples/encrypted_chat/frontend/.gitignore
 create mode 100644 examples/encrypted_chat/frontend/.npmrc
 create mode 100644 examples/encrypted_chat/frontend/.prettierignore
 create mode 100644 examples/encrypted_chat/frontend/.prettierrc
 create mode 100644 examples/encrypted_chat/frontend/README.md
 create mode 100644 examples/encrypted_chat/frontend/e2e/demo.test.ts
 create mode 100644 examples/encrypted_chat/frontend/eslint.config.js
 create mode 100644 examples/encrypted_chat/frontend/package-lock.json
 create mode 100644 examples/encrypted_chat/frontend/package.json
 create mode 100644 examples/encrypted_chat/frontend/playwright.config.ts
 create mode 100644 examples/encrypted_chat/frontend/src/app.css
 create mode 100644 examples/encrypted_chat/frontend/src/app.d.ts
 create mode 100644 examples/encrypted_chat/frontend/src/app.html
 create mode 100644 examples/encrypted_chat/frontend/src/lib/assets/favicon.svg
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/index.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/api.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/identity.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/storage.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/stores/chat.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/types/index.ts
 create mode 100644 examples/encrypted_chat/frontend/src/routes/+layout.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/routes/+layout.ts
 create mode 100644 examples/encrypted_chat/frontend/src/routes/+page.svelte
 create mode 100644 examples/encrypted_chat/frontend/static/robots.txt
 create mode 100644 examples/encrypted_chat/frontend/svelte.config.js
 create mode 100644 examples/encrypted_chat/frontend/tailwind.config.js
 create mode 100644 examples/encrypted_chat/frontend/tsconfig.json
 create mode 100644 examples/encrypted_chat/frontend/vite.config.ts

diff --git a/examples/encrypted_chat/frontend/.gitignore b/examples/encrypted_chat/frontend/.gitignore
new file mode 100644
index 00000000..bff793d5
--- /dev/null
+++ b/examples/encrypted_chat/frontend/.gitignore
@@ -0,0 +1,24 @@
+test-results
+node_modules
+
+# Output
+.output
+.vercel
+.netlify
+.wrangler
+/.svelte-kit
+/build
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Env
+.env
+.env.*
+!.env.example
+!.env.test
+
+# Vite
+vite.config.js.timestamp-*
+vite.config.ts.timestamp-*
diff --git a/examples/encrypted_chat/frontend/.npmrc b/examples/encrypted_chat/frontend/.npmrc
new file mode 100644
index 00000000..b6f27f13
--- /dev/null
+++ b/examples/encrypted_chat/frontend/.npmrc
@@ -0,0 +1 @@
+engine-strict=true
diff --git a/examples/encrypted_chat/frontend/.prettierignore b/examples/encrypted_chat/frontend/.prettierignore
new file mode 100644
index 00000000..7d74fe24
--- /dev/null
+++ b/examples/encrypted_chat/frontend/.prettierignore
@@ -0,0 +1,9 @@
+# Package Managers
+package-lock.json
+pnpm-lock.yaml
+yarn.lock
+bun.lock
+bun.lockb
+
+# Miscellaneous
+/static/
diff --git a/examples/encrypted_chat/frontend/.prettierrc b/examples/encrypted_chat/frontend/.prettierrc
new file mode 100644
index 00000000..8103a0b5
--- /dev/null
+++ b/examples/encrypted_chat/frontend/.prettierrc
@@ -0,0 +1,16 @@
+{
+	"useTabs": true,
+	"singleQuote": true,
+	"trailingComma": "none",
+	"printWidth": 100,
+	"plugins": ["prettier-plugin-svelte", "prettier-plugin-tailwindcss"],
+	"overrides": [
+		{
+			"files": "*.svelte",
+			"options": {
+				"parser": "svelte"
+			}
+		}
+	],
+	"tailwindStylesheet": "./src/app.css"
+}
diff --git a/examples/encrypted_chat/frontend/README.md b/examples/encrypted_chat/frontend/README.md
new file mode 100644
index 00000000..75842c40
--- /dev/null
+++ b/examples/encrypted_chat/frontend/README.md
@@ -0,0 +1,38 @@
+# sv
+
+Everything you need to build a Svelte project, powered by [`sv`](https://github.com/sveltejs/cli).
+
+## Creating a project
+
+If you're seeing this, you've probably already done this step. Congrats!
+
+```sh
+# create a new project in the current directory
+npx sv create
+
+# create a new project in my-app
+npx sv create my-app
+```
+
+## Developing
+
+Once you've created a project and installed dependencies with `npm install` (or `pnpm install` or `yarn`), start a development server:
+
+```sh
+npm run dev
+
+# or start the server and open the app in a new browser tab
+npm run dev -- --open
+```
+
+## Building
+
+To create a production version of your app:
+
+```sh
+npm run build
+```
+
+You can preview the production build with `npm run preview`.
+
+> To deploy your app, you may need to install an [adapter](https://svelte.dev/docs/kit/adapters) for your target environment.
diff --git a/examples/encrypted_chat/frontend/e2e/demo.test.ts b/examples/encrypted_chat/frontend/e2e/demo.test.ts
new file mode 100644
index 00000000..9985ce11
--- /dev/null
+++ b/examples/encrypted_chat/frontend/e2e/demo.test.ts
@@ -0,0 +1,6 @@
+import { expect, test } from '@playwright/test';
+
+test('home page has expected h1', async ({ page }) => {
+	await page.goto('/');
+	await expect(page.locator('h1')).toBeVisible();
+});
diff --git a/examples/encrypted_chat/frontend/eslint.config.js b/examples/encrypted_chat/frontend/eslint.config.js
new file mode 100644
index 00000000..a9628784
--- /dev/null
+++ b/examples/encrypted_chat/frontend/eslint.config.js
@@ -0,0 +1,40 @@
+import prettier from 'eslint-config-prettier';
+import { includeIgnoreFile } from '@eslint/compat';
+import js from '@eslint/js';
+import svelte from 'eslint-plugin-svelte';
+import globals from 'globals';
+import { fileURLToPath } from 'node:url';
+import ts from 'typescript-eslint';
+import svelteConfig from './svelte.config.js';
+
+const gitignorePath = fileURLToPath(new URL('./.gitignore', import.meta.url));
+
+export default ts.config(
+	includeIgnoreFile(gitignorePath),
+	js.configs.recommended,
+	...ts.configs.recommended,
+	...svelte.configs.recommended,
+	prettier,
+	...svelte.configs.prettier,
+	{
+		languageOptions: {
+			globals: { ...globals.browser, ...globals.node }
+		},
+		rules: {
+			// typescript-eslint strongly recommend that you do not use the no-undef lint rule on TypeScript projects.
+			// see: https://typescript-eslint.io/troubleshooting/faqs/eslint/#i-get-errors-from-the-no-undef-rule-about-global-variables-not-being-defined-even-though-there-are-no-typescript-errors
+			'no-undef': 'off'
+		}
+	},
+	{
+		files: ['**/*.svelte', '**/*.svelte.ts', '**/*.svelte.js'],
+		languageOptions: {
+			parserOptions: {
+				projectService: true,
+				extraFileExtensions: ['.svelte'],
+				parser: ts.parser,
+				svelteConfig
+			}
+		}
+	}
+);
diff --git a/examples/encrypted_chat/frontend/package-lock.json b/examples/encrypted_chat/frontend/package-lock.json
new file mode 100644
index 00000000..79468e80
--- /dev/null
+++ b/examples/encrypted_chat/frontend/package-lock.json
@@ -0,0 +1,4592 @@
+{
+	"name": "svelte-latest",
+	"version": "0.0.1",
+	"lockfileVersion": 3,
+	"requires": true,
+	"packages": {
+		"": {
+			"name": "svelte-latest",
+			"version": "0.0.1",
+			"dependencies": {
+				"@dfinity/agent": "^3.1.0",
+				"@dfinity/auth-client": "^3.1.0",
+				"@skeletonlabs/skeleton": "^3.1.7",
+				"@skeletonlabs/tw-plugin": "^0.4.1",
+				"@sveltejs/adapter-static": "^3.0.8",
+				"idb-keyval": "^6.2.2",
+				"lucide-svelte": "^0.536.0",
+				"sass": "^1.90.0"
+			},
+			"devDependencies": {
+				"@eslint/compat": "^1.2.5",
+				"@eslint/js": "^9.18.0",
+				"@playwright/test": "^1.49.1",
+				"@sveltejs/adapter-auto": "^6.0.0",
+				"@sveltejs/kit": "^2.22.0",
+				"@sveltejs/vite-plugin-svelte": "^6.0.0",
+				"@tailwindcss/vite": "^4.0.0",
+				"eslint": "^9.18.0",
+				"eslint-config-prettier": "^10.0.1",
+				"eslint-plugin-svelte": "^3.0.0",
+				"globals": "^16.0.0",
+				"prettier": "^3.4.2",
+				"prettier-plugin-svelte": "^3.3.3",
+				"prettier-plugin-tailwindcss": "^0.6.11",
+				"svelte": "^5.0.0",
+				"svelte-check": "^4.0.0",
+				"tailwindcss": "^4.0.0",
+				"typescript": "^5.0.0",
+				"typescript-eslint": "^8.20.0",
+				"vite": "^7.0.4"
+			}
+		},
+		"node_modules/@ampproject/remapping": {
+			"version": "2.3.0",
+			"resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
+			"integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
+			"license": "Apache-2.0",
+			"dependencies": {
+				"@jridgewell/gen-mapping": "^0.3.5",
+				"@jridgewell/trace-mapping": "^0.3.24"
+			},
+			"engines": {
+				"node": ">=6.0.0"
+			}
+		},
+		"node_modules/@dfinity/agent": {
+			"version": "3.1.0",
+			"resolved": "https://registry.npmjs.org/@dfinity/agent/-/agent-3.1.0.tgz",
+			"integrity": "sha512-4ktWU9KoB+Y0y84i0c2up9xmek2WjwSsbh4zGUK+o3VwZyqH8Cck4Fh4eiTa5jOve/vtfSVDbUVNFXsaS3Gttw==",
+			"license": "Apache-2.0",
+			"dependencies": {
+				"@dfinity/cbor": "^0.2.2",
+				"@noble/curves": "^1.9.2"
+			},
+			"peerDependencies": {
+				"@dfinity/candid": "3.1.0",
+				"@dfinity/principal": "3.1.0",
+				"@noble/hashes": "^1.8.0"
+			}
+		},
+		"node_modules/@dfinity/auth-client": {
+			"version": "3.1.0",
+			"resolved": "https://registry.npmjs.org/@dfinity/auth-client/-/auth-client-3.1.0.tgz",
+			"integrity": "sha512-Ww92+pX6G1M5v3Dl30AalBjsro3KLkEyj5vecp2m+jh6sJWg/nxPexREvf4JlshowpMHkAIvg6GHEg+w4881Eg==",
+			"license": "Apache-2.0",
+			"dependencies": {
+				"idb": "^7.0.2"
+			},
+			"peerDependencies": {
+				"@dfinity/agent": "3.1.0",
+				"@dfinity/identity": "3.1.0",
+				"@dfinity/principal": "3.1.0"
+			}
+		},
+		"node_modules/@dfinity/candid": {
+			"version": "3.1.0",
+			"resolved": "https://registry.npmjs.org/@dfinity/candid/-/candid-3.1.0.tgz",
+			"integrity": "sha512-YwZJROFmzPa4GCJJyGCoOYJ2pKmp9rboixGQSbLPekX0n0oU0mcEbuVKJFu6HY6CnoDoI8YKc9x+jlqh4n0u5A==",
+			"license": "Apache-2.0",
+			"peer": true,
+			"peerDependencies": {
+				"@dfinity/principal": "3.1.0"
+			}
+		},
+		"node_modules/@dfinity/cbor": {
+			"version": "0.2.2",
+			"resolved": "https://registry.npmjs.org/@dfinity/cbor/-/cbor-0.2.2.tgz",
+			"integrity": "sha512-GPJpH73kDEKbUBdUjY80lz7cq9l0vm1h/7ppejPV6O0ZTqCLrYspssYvqjRmK4aNnJ/SKXsP0rg9LYX7zpegaA==",
+			"license": "Apache-2.0"
+		},
+		"node_modules/@dfinity/identity": {
+			"version": "3.1.0",
+			"resolved": "https://registry.npmjs.org/@dfinity/identity/-/identity-3.1.0.tgz",
+			"integrity": "sha512-XI4UuzBaPh7BNaZBsQthvtrVk2S3tS24BYjKO//9+AdkNcxH3iZlzYkn6RejVaisnmztM7L0BMK3ECmGqy+OSw==",
+			"license": "Apache-2.0",
+			"peer": true,
+			"peerDependencies": {
+				"@dfinity/agent": "3.1.0",
+				"@dfinity/candid": "3.1.0",
+				"@dfinity/principal": "3.1.0",
+				"@noble/curves": "^1.9.2",
+				"@noble/hashes": "^1.8.0"
+			}
+		},
+		"node_modules/@dfinity/principal": {
+			"version": "3.1.0",
+			"resolved": "https://registry.npmjs.org/@dfinity/principal/-/principal-3.1.0.tgz",
+			"integrity": "sha512-ef2JbgwQGtam0s19bH9CaR8ztpuoNx10eC6/kBjR/R8VC2eIBlaJHvD0lXDrBWGtOPZGzEy/XAugeBr3raxZ8A==",
+			"license": "Apache-2.0",
+			"peer": true,
+			"dependencies": {
+				"@noble/hashes": "^1.8.0"
+			}
+		},
+		"node_modules/@esbuild/aix-ppc64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.8.tgz",
+			"integrity": "sha512-urAvrUedIqEiFR3FYSLTWQgLu5tb+m0qZw0NBEasUeo6wuqatkMDaRT+1uABiGXEu5vqgPd7FGE1BhsAIy9QVA==",
+			"cpu": [
+				"ppc64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"aix"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/android-arm": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.25.8.tgz",
+			"integrity": "sha512-RONsAvGCz5oWyePVnLdZY/HHwA++nxYWIX1atInlaW6SEkwq6XkP3+cb825EUcRs5Vss/lGh/2YxAb5xqc07Uw==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/android-arm64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.25.8.tgz",
+			"integrity": "sha512-OD3p7LYzWpLhZEyATcTSJ67qB5D+20vbtr6vHlHWSQYhKtzUYrETuWThmzFpZtFsBIxRvhO07+UgVA9m0i/O1w==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/android-x64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.25.8.tgz",
+			"integrity": "sha512-yJAVPklM5+4+9dTeKwHOaA+LQkmrKFX96BM0A/2zQrbS6ENCmxc4OVoBs5dPkCCak2roAD+jKCdnmOqKszPkjA==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/darwin-arm64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.25.8.tgz",
+			"integrity": "sha512-Jw0mxgIaYX6R8ODrdkLLPwBqHTtYHJSmzzd+QeytSugzQ0Vg4c5rDky5VgkoowbZQahCbsv1rT1KW72MPIkevw==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/darwin-x64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.25.8.tgz",
+			"integrity": "sha512-Vh2gLxxHnuoQ+GjPNvDSDRpoBCUzY4Pu0kBqMBDlK4fuWbKgGtmDIeEC081xi26PPjn+1tct+Bh8FjyLlw1Zlg==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/freebsd-arm64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.8.tgz",
+			"integrity": "sha512-YPJ7hDQ9DnNe5vxOm6jaie9QsTwcKedPvizTVlqWG9GBSq+BuyWEDazlGaDTC5NGU4QJd666V0yqCBL2oWKPfA==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/freebsd-x64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.25.8.tgz",
+			"integrity": "sha512-MmaEXxQRdXNFsRN/KcIimLnSJrk2r5H8v+WVafRWz5xdSVmWLoITZQXcgehI2ZE6gioE6HirAEToM/RvFBeuhw==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-arm": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.25.8.tgz",
+			"integrity": "sha512-FuzEP9BixzZohl1kLf76KEVOsxtIBFwCaLupVuk4eFVnOZfU+Wsn+x5Ryam7nILV2pkq2TqQM9EZPsOBuMC+kg==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-arm64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.25.8.tgz",
+			"integrity": "sha512-WIgg00ARWv/uYLU7lsuDK00d/hHSfES5BzdWAdAig1ioV5kaFNrtK8EqGcUBJhYqotlUByUKz5Qo6u8tt7iD/w==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-ia32": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.25.8.tgz",
+			"integrity": "sha512-A1D9YzRX1i+1AJZuFFUMP1E9fMaYY+GnSQil9Tlw05utlE86EKTUA7RjwHDkEitmLYiFsRd9HwKBPEftNdBfjg==",
+			"cpu": [
+				"ia32"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-loong64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.25.8.tgz",
+			"integrity": "sha512-O7k1J/dwHkY1RMVvglFHl1HzutGEFFZ3kNiDMSOyUrB7WcoHGf96Sh+64nTRT26l3GMbCW01Ekh/ThKM5iI7hQ==",
+			"cpu": [
+				"loong64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-mips64el": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.25.8.tgz",
+			"integrity": "sha512-uv+dqfRazte3BzfMp8PAQXmdGHQt2oC/y2ovwpTteqrMx2lwaksiFZ/bdkXJC19ttTvNXBuWH53zy/aTj1FgGw==",
+			"cpu": [
+				"mips64el"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-ppc64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.25.8.tgz",
+			"integrity": "sha512-GyG0KcMi1GBavP5JgAkkstMGyMholMDybAf8wF5A70CALlDM2p/f7YFE7H92eDeH/VBtFJA5MT4nRPDGg4JuzQ==",
+			"cpu": [
+				"ppc64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-riscv64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.25.8.tgz",
+			"integrity": "sha512-rAqDYFv3yzMrq7GIcen3XP7TUEG/4LK86LUPMIz6RT8A6pRIDn0sDcvjudVZBiiTcZCY9y2SgYX2lgK3AF+1eg==",
+			"cpu": [
+				"riscv64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-s390x": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.25.8.tgz",
+			"integrity": "sha512-Xutvh6VjlbcHpsIIbwY8GVRbwoviWT19tFhgdA7DlenLGC/mbc3lBoVb7jxj9Z+eyGqvcnSyIltYUrkKzWqSvg==",
+			"cpu": [
+				"s390x"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/linux-x64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.25.8.tgz",
+			"integrity": "sha512-ASFQhgY4ElXh3nDcOMTkQero4b1lgubskNlhIfJrsH5OKZXDpUAKBlNS0Kx81jwOBp+HCeZqmoJuihTv57/jvQ==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/netbsd-arm64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.8.tgz",
+			"integrity": "sha512-d1KfruIeohqAi6SA+gENMuObDbEjn22olAR7egqnkCD9DGBG0wsEARotkLgXDu6c4ncgWTZJtN5vcgxzWRMzcw==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"netbsd"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/netbsd-x64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.25.8.tgz",
+			"integrity": "sha512-nVDCkrvx2ua+XQNyfrujIG38+YGyuy2Ru9kKVNyh5jAys6n+l44tTtToqHjino2My8VAY6Lw9H7RI73XFi66Cg==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"netbsd"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/openbsd-arm64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.8.tgz",
+			"integrity": "sha512-j8HgrDuSJFAujkivSMSfPQSAa5Fxbvk4rgNAS5i3K+r8s1X0p1uOO2Hl2xNsGFppOeHOLAVgYwDVlmxhq5h+SQ==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"openbsd"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/openbsd-x64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.25.8.tgz",
+			"integrity": "sha512-1h8MUAwa0VhNCDp6Af0HToI2TJFAn1uqT9Al6DJVzdIBAd21m/G0Yfc77KDM3uF3T/YaOgQq3qTJHPbTOInaIQ==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"openbsd"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/openharmony-arm64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.25.8.tgz",
+			"integrity": "sha512-r2nVa5SIK9tSWd0kJd9HCffnDHKchTGikb//9c7HX+r+wHYCpQrSgxhlY6KWV1nFo1l4KFbsMlHk+L6fekLsUg==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"openharmony"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/sunos-x64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.25.8.tgz",
+			"integrity": "sha512-zUlaP2S12YhQ2UzUfcCuMDHQFJyKABkAjvO5YSndMiIkMimPmxA+BYSBikWgsRpvyxuRnow4nS5NPnf9fpv41w==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"sunos"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/win32-arm64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.25.8.tgz",
+			"integrity": "sha512-YEGFFWESlPva8hGL+zvj2z/SaK+pH0SwOM0Nc/d+rVnW7GSTFlLBGzZkuSU9kFIGIo8q9X3ucpZhu8PDN5A2sQ==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/win32-ia32": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.25.8.tgz",
+			"integrity": "sha512-hiGgGC6KZ5LZz58OL/+qVVoZiuZlUYlYHNAmczOm7bs2oE1XriPFi5ZHHrS8ACpV5EjySrnoCKmcbQMN+ojnHg==",
+			"cpu": [
+				"ia32"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@esbuild/win32-x64": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.25.8.tgz",
+			"integrity": "sha512-cn3Yr7+OaaZq1c+2pe+8yxC8E144SReCQjN6/2ynubzYjvyqZjTXfQJpAcQpsdJq3My7XADANiYGHoFC69pLQw==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@eslint-community/eslint-utils": {
+			"version": "4.7.0",
+			"resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.7.0.tgz",
+			"integrity": "sha512-dyybb3AcajC7uha6CvhdVRJqaKyn7w2YKqKyAN37NKYgZT36w+iRb0Dymmc5qEJ549c/S31cMMSFd75bteCpCw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"eslint-visitor-keys": "^3.4.3"
+			},
+			"engines": {
+				"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/eslint"
+			},
+			"peerDependencies": {
+				"eslint": "^6.0.0 || ^7.0.0 || >=8.0.0"
+			}
+		},
+		"node_modules/@eslint-community/eslint-utils/node_modules/eslint-visitor-keys": {
+			"version": "3.4.3",
+			"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.4.3.tgz",
+			"integrity": "sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/eslint"
+			}
+		},
+		"node_modules/@eslint-community/regexpp": {
+			"version": "4.12.1",
+			"resolved": "https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.12.1.tgz",
+			"integrity": "sha512-CCZCDJuduB9OUkFkY2IgppNZMi2lBQgD2qzwXkEia16cge2pijY/aXi96CJMquDMn3nJdlPV1A5KrJEXwfLNzQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": "^12.0.0 || ^14.0.0 || >=16.0.0"
+			}
+		},
+		"node_modules/@eslint/compat": {
+			"version": "1.3.1",
+			"resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-1.3.1.tgz",
+			"integrity": "sha512-k8MHony59I5EPic6EQTCNOuPoVBnoYXkP+20xvwFjN7t0qI3ImyvyBgg+hIVPwC8JaxVjjUZld+cLfBLFDLucg==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"peerDependencies": {
+				"eslint": "^8.40 || 9"
+			},
+			"peerDependenciesMeta": {
+				"eslint": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@eslint/config-array": {
+			"version": "0.21.0",
+			"resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.21.0.tgz",
+			"integrity": "sha512-ENIdc4iLu0d93HeYirvKmrzshzofPw6VkZRKQGe9Nv46ZnWUzcF1xV01dcvEg/1wXUR61OmmlSfyeyO7EvjLxQ==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"dependencies": {
+				"@eslint/object-schema": "^2.1.6",
+				"debug": "^4.3.1",
+				"minimatch": "^3.1.2"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			}
+		},
+		"node_modules/@eslint/config-helpers": {
+			"version": "0.3.0",
+			"resolved": "https://registry.npmjs.org/@eslint/config-helpers/-/config-helpers-0.3.0.tgz",
+			"integrity": "sha512-ViuymvFmcJi04qdZeDc2whTHryouGcDlaxPqarTD0ZE10ISpxGUVZGZDx4w01upyIynL3iu6IXH2bS1NhclQMw==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			}
+		},
+		"node_modules/@eslint/core": {
+			"version": "0.15.1",
+			"resolved": "https://registry.npmjs.org/@eslint/core/-/core-0.15.1.tgz",
+			"integrity": "sha512-bkOp+iumZCCbt1K1CmWf0R9pM5yKpDv+ZXtvSyQpudrI9kuFLp+bM2WOPXImuD/ceQuaa8f5pj93Y7zyECIGNA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"dependencies": {
+				"@types/json-schema": "^7.0.15"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			}
+		},
+		"node_modules/@eslint/eslintrc": {
+			"version": "3.3.1",
+			"resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-3.3.1.tgz",
+			"integrity": "sha512-gtF186CXhIl1p4pJNGZw8Yc6RlshoePRvE0X91oPGb3vZ8pM3qOS9W9NGPat9LziaBV7XrJWGylNQXkGcnM3IQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"ajv": "^6.12.4",
+				"debug": "^4.3.2",
+				"espree": "^10.0.1",
+				"globals": "^14.0.0",
+				"ignore": "^5.2.0",
+				"import-fresh": "^3.2.1",
+				"js-yaml": "^4.1.0",
+				"minimatch": "^3.1.2",
+				"strip-json-comments": "^3.1.1"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/eslint"
+			}
+		},
+		"node_modules/@eslint/eslintrc/node_modules/globals": {
+			"version": "14.0.0",
+			"resolved": "https://registry.npmjs.org/globals/-/globals-14.0.0.tgz",
+			"integrity": "sha512-oahGvuMGQlPw/ivIYBjVSrWAfWLBeku5tpPE2fOPLi+WHffIWbuh2tCjhyQhTBPMf5E9jDEH4FOmTYgYwbKwtQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=18"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/@eslint/js": {
+			"version": "9.32.0",
+			"resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.32.0.tgz",
+			"integrity": "sha512-BBpRFZK3eX6uMLKz8WxFOBIFFcGFJ/g8XuwjTHCqHROSIsopI+ddn/d5Cfh36+7+e5edVS8dbSHnBNhrLEX0zg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"url": "https://eslint.org/donate"
+			}
+		},
+		"node_modules/@eslint/object-schema": {
+			"version": "2.1.6",
+			"resolved": "https://registry.npmjs.org/@eslint/object-schema/-/object-schema-2.1.6.tgz",
+			"integrity": "sha512-RBMg5FRL0I0gs51M/guSAj5/e14VQ4tpZnQNWwuDT66P14I43ItmPfIZRhO9fUVIPOAQXU47atlywZ/czoqFPA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			}
+		},
+		"node_modules/@eslint/plugin-kit": {
+			"version": "0.3.4",
+			"resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.3.4.tgz",
+			"integrity": "sha512-Ul5l+lHEcw3L5+k8POx6r74mxEYKG5kOb6Xpy2gCRW6zweT6TEhAf8vhxGgjhqrd/VO/Dirhsb+1hNpD1ue9hw==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"dependencies": {
+				"@eslint/core": "^0.15.1",
+				"levn": "^0.4.1"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			}
+		},
+		"node_modules/@humanfs/core": {
+			"version": "0.19.1",
+			"resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz",
+			"integrity": "sha512-5DyQ4+1JEUzejeK1JGICcideyfUbGixgS9jNgex5nqkW+cY7WZhxBigmieN5Qnw9ZosSNVC9KQKyb+GUaGyKUA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=18.18.0"
+			}
+		},
+		"node_modules/@humanfs/node": {
+			"version": "0.16.6",
+			"resolved": "https://registry.npmjs.org/@humanfs/node/-/node-0.16.6.tgz",
+			"integrity": "sha512-YuI2ZHQL78Q5HbhDiBA1X4LmYdXCKCMQIfw0pw7piHJwyREFebJUvrQN4cMssyES6x+vfUbx1CIpaQUKYdQZOw==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"dependencies": {
+				"@humanfs/core": "^0.19.1",
+				"@humanwhocodes/retry": "^0.3.0"
+			},
+			"engines": {
+				"node": ">=18.18.0"
+			}
+		},
+		"node_modules/@humanfs/node/node_modules/@humanwhocodes/retry": {
+			"version": "0.3.1",
+			"resolved": "https://registry.npmjs.org/@humanwhocodes/retry/-/retry-0.3.1.tgz",
+			"integrity": "sha512-JBxkERygn7Bv/GbN5Rv8Ul6LVknS+5Bp6RgDC/O8gEBU/yeH5Ui5C/OlWrTb6qct7LjjfT6Re2NxB0ln0yYybA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=18.18"
+			},
+			"funding": {
+				"type": "github",
+				"url": "https://github.com/sponsors/nzakas"
+			}
+		},
+		"node_modules/@humanwhocodes/module-importer": {
+			"version": "1.0.1",
+			"resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz",
+			"integrity": "sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=12.22"
+			},
+			"funding": {
+				"type": "github",
+				"url": "https://github.com/sponsors/nzakas"
+			}
+		},
+		"node_modules/@humanwhocodes/retry": {
+			"version": "0.4.3",
+			"resolved": "https://registry.npmjs.org/@humanwhocodes/retry/-/retry-0.4.3.tgz",
+			"integrity": "sha512-bV0Tgo9K4hfPCek+aMAn81RppFKv2ySDQeMoSZuvTASywNTnVJCArCZE2FWqpvIatKu7VMRLWlR1EazvVhDyhQ==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=18.18"
+			},
+			"funding": {
+				"type": "github",
+				"url": "https://github.com/sponsors/nzakas"
+			}
+		},
+		"node_modules/@isaacs/fs-minipass": {
+			"version": "4.0.1",
+			"resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz",
+			"integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"minipass": "^7.0.4"
+			},
+			"engines": {
+				"node": ">=18.0.0"
+			}
+		},
+		"node_modules/@jridgewell/gen-mapping": {
+			"version": "0.3.12",
+			"resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.12.tgz",
+			"integrity": "sha512-OuLGC46TjB5BbN1dH8JULVVZY4WTdkF7tV9Ys6wLL1rubZnCMstOhNHueU5bLCrnRuDhKPDM4g6sw4Bel5Gzqg==",
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/sourcemap-codec": "^1.5.0",
+				"@jridgewell/trace-mapping": "^0.3.24"
+			}
+		},
+		"node_modules/@jridgewell/resolve-uri": {
+			"version": "3.1.2",
+			"resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+			"integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=6.0.0"
+			}
+		},
+		"node_modules/@jridgewell/sourcemap-codec": {
+			"version": "1.5.4",
+			"resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.4.tgz",
+			"integrity": "sha512-VT2+G1VQs/9oz078bLrYbecdZKs912zQlkelYpuf+SXF+QvZDYJlbx/LSx+meSAwdDFnF8FVXW92AVjjkVmgFw==",
+			"license": "MIT"
+		},
+		"node_modules/@jridgewell/trace-mapping": {
+			"version": "0.3.29",
+			"resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.29.tgz",
+			"integrity": "sha512-uw6guiW/gcAGPDhLmd77/6lW8QLeiV5RUTsAX46Db6oLhGaVj4lhnPwb184s1bkc8kdVg/+h988dro8GRDpmYQ==",
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/resolve-uri": "^3.1.0",
+				"@jridgewell/sourcemap-codec": "^1.4.14"
+			}
+		},
+		"node_modules/@noble/curves": {
+			"version": "1.9.6",
+			"resolved": "https://registry.npmjs.org/@noble/curves/-/curves-1.9.6.tgz",
+			"integrity": "sha512-GIKz/j99FRthB8icyJQA51E8Uk5hXmdyThjgQXRKiv9h0zeRlzSCLIzFw6K1LotZ3XuB7yzlf76qk7uBmTdFqA==",
+			"license": "MIT",
+			"dependencies": {
+				"@noble/hashes": "1.8.0"
+			},
+			"engines": {
+				"node": "^14.21.3 || >=16"
+			},
+			"funding": {
+				"url": "https://paulmillr.com/funding/"
+			}
+		},
+		"node_modules/@noble/hashes": {
+			"version": "1.8.0",
+			"resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz",
+			"integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==",
+			"license": "MIT",
+			"engines": {
+				"node": "^14.21.3 || >=16"
+			},
+			"funding": {
+				"url": "https://paulmillr.com/funding/"
+			}
+		},
+		"node_modules/@nodelib/fs.scandir": {
+			"version": "2.1.5",
+			"resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
+			"integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@nodelib/fs.stat": "2.0.5",
+				"run-parallel": "^1.1.9"
+			},
+			"engines": {
+				"node": ">= 8"
+			}
+		},
+		"node_modules/@nodelib/fs.stat": {
+			"version": "2.0.5",
+			"resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
+			"integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 8"
+			}
+		},
+		"node_modules/@nodelib/fs.walk": {
+			"version": "1.2.8",
+			"resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
+			"integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@nodelib/fs.scandir": "2.1.5",
+				"fastq": "^1.6.0"
+			},
+			"engines": {
+				"node": ">= 8"
+			}
+		},
+		"node_modules/@parcel/watcher": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.1.tgz",
+			"integrity": "sha512-dfUnCxiN9H4ap84DvD2ubjw+3vUNpstxa0TneY/Paat8a3R4uQZDLSvWjmznAY/DoahqTHl9V46HF/Zs3F29pg==",
+			"hasInstallScript": true,
+			"license": "MIT",
+			"optional": true,
+			"dependencies": {
+				"detect-libc": "^1.0.3",
+				"is-glob": "^4.0.3",
+				"micromatch": "^4.0.5",
+				"node-addon-api": "^7.0.0"
+			},
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			},
+			"optionalDependencies": {
+				"@parcel/watcher-android-arm64": "2.5.1",
+				"@parcel/watcher-darwin-arm64": "2.5.1",
+				"@parcel/watcher-darwin-x64": "2.5.1",
+				"@parcel/watcher-freebsd-x64": "2.5.1",
+				"@parcel/watcher-linux-arm-glibc": "2.5.1",
+				"@parcel/watcher-linux-arm-musl": "2.5.1",
+				"@parcel/watcher-linux-arm64-glibc": "2.5.1",
+				"@parcel/watcher-linux-arm64-musl": "2.5.1",
+				"@parcel/watcher-linux-x64-glibc": "2.5.1",
+				"@parcel/watcher-linux-x64-musl": "2.5.1",
+				"@parcel/watcher-win32-arm64": "2.5.1",
+				"@parcel/watcher-win32-ia32": "2.5.1",
+				"@parcel/watcher-win32-x64": "2.5.1"
+			}
+		},
+		"node_modules/@parcel/watcher-android-arm64": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.1.tgz",
+			"integrity": "sha512-KF8+j9nNbUN8vzOFDpRMsaKBHZ/mcjEjMToVMJOhTozkDonQFFrRcfdLWn6yWKCmJKmdVxSgHiYvTCef4/qcBA==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-darwin-arm64": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.1.tgz",
+			"integrity": "sha512-eAzPv5osDmZyBhou8PoF4i6RQXAfeKL9tjb3QzYuccXFMQU0ruIc/POh30ePnaOyD1UXdlKguHBmsTs53tVoPw==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-darwin-x64": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.1.tgz",
+			"integrity": "sha512-1ZXDthrnNmwv10A0/3AJNZ9JGlzrF82i3gNQcWOzd7nJ8aj+ILyW1MTxVk35Db0u91oD5Nlk9MBiujMlwmeXZg==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-freebsd-x64": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.1.tgz",
+			"integrity": "sha512-SI4eljM7Flp9yPuKi8W0ird8TI/JK6CSxju3NojVI6BjHsTyK7zxA9urjVjEKJ5MBYC+bLmMcbAWlZ+rFkLpJQ==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-linux-arm-glibc": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.1.tgz",
+			"integrity": "sha512-RCdZlEyTs8geyBkkcnPWvtXLY44BCeZKmGYRtSgtwwnHR4dxfHRG3gR99XdMEdQ7KeiDdasJwwvNSF5jKtDwdA==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-linux-arm-musl": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.1.tgz",
+			"integrity": "sha512-6E+m/Mm1t1yhB8X412stiKFG3XykmgdIOqhjWj+VL8oHkKABfu/gjFj8DvLrYVHSBNC+/u5PeNrujiSQ1zwd1Q==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-linux-arm64-glibc": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.1.tgz",
+			"integrity": "sha512-LrGp+f02yU3BN9A+DGuY3v3bmnFUggAITBGriZHUREfNEzZh/GO06FF5u2kx8x+GBEUYfyTGamol4j3m9ANe8w==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-linux-arm64-musl": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.1.tgz",
+			"integrity": "sha512-cFOjABi92pMYRXS7AcQv9/M1YuKRw8SZniCDw0ssQb/noPkRzA+HBDkwmyOJYp5wXcsTrhxO0zq1U11cK9jsFg==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-linux-x64-glibc": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.1.tgz",
+			"integrity": "sha512-GcESn8NZySmfwlTsIur+49yDqSny2IhPeZfXunQi48DMugKeZ7uy1FX83pO0X22sHntJ4Ub+9k34XQCX+oHt2A==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-linux-x64-musl": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.5.1.tgz",
+			"integrity": "sha512-n0E2EQbatQ3bXhcH2D1XIAANAcTZkQICBPVaxMeaCVBtOpBZpWJuf7LwyWPSBDITb7In8mqQgJ7gH8CILCURXg==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-win32-arm64": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.1.tgz",
+			"integrity": "sha512-RFzklRvmc3PkjKjry3hLF9wD7ppR4AKcWNzH7kXR7GUe0Igb3Nz8fyPwtZCSquGrhU5HhUNDr/mKBqj7tqA2Vw==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-win32-ia32": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.1.tgz",
+			"integrity": "sha512-c2KkcVN+NJmuA7CGlaGD1qJh1cLfDnQsHjE89E60vUEMlqduHGCdCLJCID5geFVM0dOtA3ZiIO8BoEQmzQVfpQ==",
+			"cpu": [
+				"ia32"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher-win32-x64": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.1.tgz",
+			"integrity": "sha512-9lHBdJITeNR++EvSQVUcaZoWupyHfXe1jZvGZ06O/5MflPcuPLtEphScIBL+AiCWBO46tDSHzWyD0uDmmZqsgA==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">= 10.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/@parcel/watcher/node_modules/detect-libc": {
+			"version": "1.0.3",
+			"resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-1.0.3.tgz",
+			"integrity": "sha512-pGjwhsmsp4kL2RTz08wcOlGN83otlqHeD/Z5T8GXZB+/YcpQ/dgo+lbU8ZsGxV0HIvqqxo9l7mqYwyYMD9bKDg==",
+			"license": "Apache-2.0",
+			"optional": true,
+			"bin": {
+				"detect-libc": "bin/detect-libc.js"
+			},
+			"engines": {
+				"node": ">=0.10"
+			}
+		},
+		"node_modules/@playwright/test": {
+			"version": "1.54.2",
+			"resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.54.2.tgz",
+			"integrity": "sha512-A+znathYxPf+72riFd1r1ovOLqsIIB0jKIoPjyK2kqEIe30/6jF6BC7QNluHuwUmsD2tv1XZVugN8GqfTMOxsA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"dependencies": {
+				"playwright": "1.54.2"
+			},
+			"bin": {
+				"playwright": "cli.js"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@polka/url": {
+			"version": "1.0.0-next.29",
+			"resolved": "https://registry.npmjs.org/@polka/url/-/url-1.0.0-next.29.tgz",
+			"integrity": "sha512-wwQAWhWSuHaag8c4q/KN/vCoeOJYshAIvMQwD4GpSb3OiZklFfvAgmj0VCBBImRpuF/aFgIRzllXlVX93Jevww==",
+			"license": "MIT"
+		},
+		"node_modules/@rollup/rollup-android-arm-eabi": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.46.2.tgz",
+			"integrity": "sha512-Zj3Hl6sN34xJtMv7Anwb5Gu01yujyE/cLBDB2gnHTAHaWS1Z38L7kuSG+oAh0giZMqG060f/YBStXtMH6FvPMA==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			]
+		},
+		"node_modules/@rollup/rollup-android-arm64": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.46.2.tgz",
+			"integrity": "sha512-nTeCWY83kN64oQ5MGz3CgtPx8NSOhC5lWtsjTs+8JAJNLcP3QbLCtDDgUKQc/Ro/frpMq4SHUaHN6AMltcEoLQ==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			]
+		},
+		"node_modules/@rollup/rollup-darwin-arm64": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.46.2.tgz",
+			"integrity": "sha512-HV7bW2Fb/F5KPdM/9bApunQh68YVDU8sO8BvcW9OngQVN3HHHkw99wFupuUJfGR9pYLLAjcAOA6iO+evsbBaPQ==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			]
+		},
+		"node_modules/@rollup/rollup-darwin-x64": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.46.2.tgz",
+			"integrity": "sha512-SSj8TlYV5nJixSsm/y3QXfhspSiLYP11zpfwp6G/YDXctf3Xkdnk4woJIF5VQe0of2OjzTt8EsxnJDCdHd2xMA==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			]
+		},
+		"node_modules/@rollup/rollup-freebsd-arm64": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.46.2.tgz",
+			"integrity": "sha512-ZyrsG4TIT9xnOlLsSSi9w/X29tCbK1yegE49RYm3tu3wF1L/B6LVMqnEWyDB26d9Ecx9zrmXCiPmIabVuLmNSg==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			]
+		},
+		"node_modules/@rollup/rollup-freebsd-x64": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.46.2.tgz",
+			"integrity": "sha512-pCgHFoOECwVCJ5GFq8+gR8SBKnMO+xe5UEqbemxBpCKYQddRQMgomv1104RnLSg7nNvgKy05sLsY51+OVRyiVw==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-arm-gnueabihf": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.46.2.tgz",
+			"integrity": "sha512-EtP8aquZ0xQg0ETFcxUbU71MZlHaw9MChwrQzatiE8U/bvi5uv/oChExXC4mWhjiqK7azGJBqU0tt5H123SzVA==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-arm-musleabihf": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.46.2.tgz",
+			"integrity": "sha512-qO7F7U3u1nfxYRPM8HqFtLd+raev2K137dsV08q/LRKRLEc7RsiDWihUnrINdsWQxPR9jqZ8DIIZ1zJJAm5PjQ==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-arm64-gnu": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.46.2.tgz",
+			"integrity": "sha512-3dRaqLfcOXYsfvw5xMrxAk9Lb1f395gkoBYzSFcc/scgRFptRXL9DOaDpMiehf9CO8ZDRJW2z45b6fpU5nwjng==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-arm64-musl": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.46.2.tgz",
+			"integrity": "sha512-fhHFTutA7SM+IrR6lIfiHskxmpmPTJUXpWIsBXpeEwNgZzZZSg/q4i6FU4J8qOGyJ0TR+wXBwx/L7Ho9z0+uDg==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-loongarch64-gnu": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loongarch64-gnu/-/rollup-linux-loongarch64-gnu-4.46.2.tgz",
+			"integrity": "sha512-i7wfGFXu8x4+FRqPymzjD+Hyav8l95UIZ773j7J7zRYc3Xsxy2wIn4x+llpunexXe6laaO72iEjeeGyUFmjKeA==",
+			"cpu": [
+				"loong64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-ppc64-gnu": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.46.2.tgz",
+			"integrity": "sha512-B/l0dFcHVUnqcGZWKcWBSV2PF01YUt0Rvlurci5P+neqY/yMKchGU8ullZvIv5e8Y1C6wOn+U03mrDylP5q9Yw==",
+			"cpu": [
+				"ppc64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-riscv64-gnu": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.46.2.tgz",
+			"integrity": "sha512-32k4ENb5ygtkMwPMucAb8MtV8olkPT03oiTxJbgkJa7lJ7dZMr0GCFJlyvy+K8iq7F/iuOr41ZdUHaOiqyR3iQ==",
+			"cpu": [
+				"riscv64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-riscv64-musl": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.46.2.tgz",
+			"integrity": "sha512-t5B2loThlFEauloaQkZg9gxV05BYeITLvLkWOkRXogP4qHXLkWSbSHKM9S6H1schf/0YGP/qNKtiISlxvfmmZw==",
+			"cpu": [
+				"riscv64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-s390x-gnu": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.46.2.tgz",
+			"integrity": "sha512-YKjekwTEKgbB7n17gmODSmJVUIvj8CX7q5442/CK80L8nqOUbMtf8b01QkG3jOqyr1rotrAnW6B/qiHwfcuWQA==",
+			"cpu": [
+				"s390x"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-x64-gnu": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.46.2.tgz",
+			"integrity": "sha512-Jj5a9RUoe5ra+MEyERkDKLwTXVu6s3aACP51nkfnK9wJTraCC8IMe3snOfALkrjTYd2G1ViE1hICj0fZ7ALBPA==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-linux-x64-musl": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.46.2.tgz",
+			"integrity": "sha512-7kX69DIrBeD7yNp4A5b81izs8BqoZkCIaxQaOpumcJ1S/kmqNFjPhDu1LHeVXv0SexfHQv5cqHsxLOjETuqDuA==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@rollup/rollup-win32-arm64-msvc": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.46.2.tgz",
+			"integrity": "sha512-wiJWMIpeaak/jsbaq2HMh/rzZxHVW1rU6coyeNNpMwk5isiPjSTx0a4YLSlYDwBH/WBvLz+EtsNqQScZTLJy3g==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			]
+		},
+		"node_modules/@rollup/rollup-win32-ia32-msvc": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.46.2.tgz",
+			"integrity": "sha512-gBgaUDESVzMgWZhcyjfs9QFK16D8K6QZpwAaVNJxYDLHWayOta4ZMjGm/vsAEy3hvlS2GosVFlBlP9/Wb85DqQ==",
+			"cpu": [
+				"ia32"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			]
+		},
+		"node_modules/@rollup/rollup-win32-x64-msvc": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.46.2.tgz",
+			"integrity": "sha512-CvUo2ixeIQGtF6WvuB87XWqPQkoFAFqW+HUo/WzHwuHDvIwZCtjdWXoYCcr06iKGydiqTclC4jU/TNObC/xKZg==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			]
+		},
+		"node_modules/@skeletonlabs/skeleton": {
+			"version": "3.1.7",
+			"resolved": "https://registry.npmjs.org/@skeletonlabs/skeleton/-/skeleton-3.1.7.tgz",
+			"integrity": "sha512-ozq4aYjn6eslQTxh5DqexXrPMioWWNLLTlsYPV8iWAAao7BfS4HJDpd2RRGxi0Ux+kndm4Hig/jTlGsy9bFPSA==",
+			"license": "MIT",
+			"peerDependencies": {
+				"tailwindcss": "^4.0.0"
+			}
+		},
+		"node_modules/@skeletonlabs/tw-plugin": {
+			"version": "0.4.1",
+			"resolved": "https://registry.npmjs.org/@skeletonlabs/tw-plugin/-/tw-plugin-0.4.1.tgz",
+			"integrity": "sha512-crrC8BGKis0GNTp7V2HF6mk1ECLUvAxgTTV26LMgt/rV3U6Xd7N7dL5qIL8fE4MTHvpKa1SBsdqsnMbEvATeEg==",
+			"license": "MIT",
+			"peerDependencies": {
+				"tailwindcss": ">=3.0.0"
+			}
+		},
+		"node_modules/@standard-schema/spec": {
+			"version": "1.0.0",
+			"resolved": "https://registry.npmjs.org/@standard-schema/spec/-/spec-1.0.0.tgz",
+			"integrity": "sha512-m2bOd0f2RT9k8QJx1JN85cZYyH1RqFBdlwtkSlf4tBDYLCiiZnv1fIIwacK6cqwXavOydf0NPToMQgpKq+dVlA==",
+			"license": "MIT"
+		},
+		"node_modules/@sveltejs/acorn-typescript": {
+			"version": "1.0.5",
+			"resolved": "https://registry.npmjs.org/@sveltejs/acorn-typescript/-/acorn-typescript-1.0.5.tgz",
+			"integrity": "sha512-IwQk4yfwLdibDlrXVE04jTZYlLnwsTT2PIOQQGNLWfjavGifnk1JD1LcZjZaBTRcxZu2FfPfNLOE04DSu9lqtQ==",
+			"license": "MIT",
+			"peerDependencies": {
+				"acorn": "^8.9.0"
+			}
+		},
+		"node_modules/@sveltejs/adapter-auto": {
+			"version": "6.0.1",
+			"resolved": "https://registry.npmjs.org/@sveltejs/adapter-auto/-/adapter-auto-6.0.1.tgz",
+			"integrity": "sha512-mcWud3pYGPWM2Pphdj8G9Qiq24nZ8L4LB7coCUckUEy5Y7wOWGJ/enaZ4AtJTcSm5dNK1rIkBRoqt+ae4zlxcQ==",
+			"dev": true,
+			"license": "MIT",
+			"peerDependencies": {
+				"@sveltejs/kit": "^2.0.0"
+			}
+		},
+		"node_modules/@sveltejs/adapter-static": {
+			"version": "3.0.8",
+			"resolved": "https://registry.npmjs.org/@sveltejs/adapter-static/-/adapter-static-3.0.8.tgz",
+			"integrity": "sha512-YaDrquRpZwfcXbnlDsSrBQNCChVOT9MGuSg+dMAyfsAa1SmiAhrA5jUYUiIMC59G92kIbY/AaQOWcBdq+lh+zg==",
+			"license": "MIT",
+			"peerDependencies": {
+				"@sveltejs/kit": "^2.0.0"
+			}
+		},
+		"node_modules/@sveltejs/kit": {
+			"version": "2.27.1",
+			"resolved": "https://registry.npmjs.org/@sveltejs/kit/-/kit-2.27.1.tgz",
+			"integrity": "sha512-u5HbL9T4TgWZwXZM7hwdT0f5sDkGaNxsSrLYQoql+eiz2+9rcbbq4MiOAPoRtXG0dys5P5ixBmyQdqZedwZUlA==",
+			"license": "MIT",
+			"dependencies": {
+				"@standard-schema/spec": "^1.0.0",
+				"@sveltejs/acorn-typescript": "^1.0.5",
+				"@types/cookie": "^0.6.0",
+				"acorn": "^8.14.1",
+				"cookie": "^0.6.0",
+				"devalue": "^5.1.0",
+				"esm-env": "^1.2.2",
+				"kleur": "^4.1.5",
+				"magic-string": "^0.30.5",
+				"mrmime": "^2.0.0",
+				"sade": "^1.8.1",
+				"set-cookie-parser": "^2.6.0",
+				"sirv": "^3.0.0"
+			},
+			"bin": {
+				"svelte-kit": "svelte-kit.js"
+			},
+			"engines": {
+				"node": ">=18.13"
+			},
+			"peerDependencies": {
+				"@sveltejs/vite-plugin-svelte": "^3.0.0 || ^4.0.0-next.1 || ^5.0.0 || ^6.0.0-next.0",
+				"svelte": "^4.0.0 || ^5.0.0-next.0",
+				"vite": "^5.0.3 || ^6.0.0 || ^7.0.0-beta.0"
+			}
+		},
+		"node_modules/@sveltejs/vite-plugin-svelte": {
+			"version": "6.1.0",
+			"resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte/-/vite-plugin-svelte-6.1.0.tgz",
+			"integrity": "sha512-+U6lz1wvGEG/BvQyL4z/flyNdQ9xDNv5vrh+vWBWTHaebqT0c9RNggpZTo/XSPoHsSCWBlYaTlRX8pZ9GATXCw==",
+			"license": "MIT",
+			"dependencies": {
+				"@sveltejs/vite-plugin-svelte-inspector": "^5.0.0-next.1",
+				"debug": "^4.4.1",
+				"deepmerge": "^4.3.1",
+				"kleur": "^4.1.5",
+				"magic-string": "^0.30.17",
+				"vitefu": "^1.1.1"
+			},
+			"engines": {
+				"node": "^20.19 || ^22.12 || >=24"
+			},
+			"peerDependencies": {
+				"svelte": "^5.0.0",
+				"vite": "^6.3.0 || ^7.0.0"
+			}
+		},
+		"node_modules/@sveltejs/vite-plugin-svelte-inspector": {
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte-inspector/-/vite-plugin-svelte-inspector-5.0.0.tgz",
+			"integrity": "sha512-iwQ8Z4ET6ZFSt/gC+tVfcsSBHwsqc6RumSaiLUkAurW3BCpJam65cmHw0oOlDMTO0u+PZi9hilBRYN+LZNHTUQ==",
+			"license": "MIT",
+			"dependencies": {
+				"debug": "^4.4.1"
+			},
+			"engines": {
+				"node": "^20.19 || ^22.12 || >=24"
+			},
+			"peerDependencies": {
+				"@sveltejs/vite-plugin-svelte": "^6.0.0-next.0",
+				"svelte": "^5.0.0",
+				"vite": "^6.3.0 || ^7.0.0"
+			}
+		},
+		"node_modules/@tailwindcss/node": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.1.11.tgz",
+			"integrity": "sha512-yzhzuGRmv5QyU9qLNg4GTlYI6STedBWRE7NjxP45CsFYYq9taI0zJXZBMqIC/c8fViNLhmrbpSFS57EoxUmD6Q==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@ampproject/remapping": "^2.3.0",
+				"enhanced-resolve": "^5.18.1",
+				"jiti": "^2.4.2",
+				"lightningcss": "1.30.1",
+				"magic-string": "^0.30.17",
+				"source-map-js": "^1.2.1",
+				"tailwindcss": "4.1.11"
+			}
+		},
+		"node_modules/@tailwindcss/oxide": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.1.11.tgz",
+			"integrity": "sha512-Q69XzrtAhuyfHo+5/HMgr1lAiPP/G40OMFAnws7xcFEYqcypZmdW8eGXaOUIeOl1dzPJBPENXgbjsOyhg2nkrg==",
+			"dev": true,
+			"hasInstallScript": true,
+			"license": "MIT",
+			"dependencies": {
+				"detect-libc": "^2.0.4",
+				"tar": "^7.4.3"
+			},
+			"engines": {
+				"node": ">= 10"
+			},
+			"optionalDependencies": {
+				"@tailwindcss/oxide-android-arm64": "4.1.11",
+				"@tailwindcss/oxide-darwin-arm64": "4.1.11",
+				"@tailwindcss/oxide-darwin-x64": "4.1.11",
+				"@tailwindcss/oxide-freebsd-x64": "4.1.11",
+				"@tailwindcss/oxide-linux-arm-gnueabihf": "4.1.11",
+				"@tailwindcss/oxide-linux-arm64-gnu": "4.1.11",
+				"@tailwindcss/oxide-linux-arm64-musl": "4.1.11",
+				"@tailwindcss/oxide-linux-x64-gnu": "4.1.11",
+				"@tailwindcss/oxide-linux-x64-musl": "4.1.11",
+				"@tailwindcss/oxide-wasm32-wasi": "4.1.11",
+				"@tailwindcss/oxide-win32-arm64-msvc": "4.1.11",
+				"@tailwindcss/oxide-win32-x64-msvc": "4.1.11"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-android-arm64": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.1.11.tgz",
+			"integrity": "sha512-3IfFuATVRUMZZprEIx9OGDjG3Ou3jG4xQzNTvjDoKmU9JdmoCohQJ83MYd0GPnQIu89YoJqvMM0G3uqLRFtetg==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-darwin-arm64": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.1.11.tgz",
+			"integrity": "sha512-ESgStEOEsyg8J5YcMb1xl8WFOXfeBmrhAwGsFxxB2CxY9evy63+AtpbDLAyRkJnxLy2WsD1qF13E97uQyP1lfQ==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-darwin-x64": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.1.11.tgz",
+			"integrity": "sha512-EgnK8kRchgmgzG6jE10UQNaH9Mwi2n+yw1jWmof9Vyg2lpKNX2ioe7CJdf9M5f8V9uaQxInenZkOxnTVL3fhAw==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-freebsd-x64": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.1.11.tgz",
+			"integrity": "sha512-xdqKtbpHs7pQhIKmqVpxStnY1skuNh4CtbcyOHeX1YBE0hArj2romsFGb6yUmzkq/6M24nkxDqU8GYrKrz+UcA==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-linux-arm-gnueabihf": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.1.11.tgz",
+			"integrity": "sha512-ryHQK2eyDYYMwB5wZL46uoxz2zzDZsFBwfjssgB7pzytAeCCa6glsiJGjhTEddq/4OsIjsLNMAiMlHNYnkEEeg==",
+			"cpu": [
+				"arm"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-linux-arm64-gnu": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.1.11.tgz",
+			"integrity": "sha512-mYwqheq4BXF83j/w75ewkPJmPZIqqP1nhoghS9D57CLjsh3Nfq0m4ftTotRYtGnZd3eCztgbSPJ9QhfC91gDZQ==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-linux-arm64-musl": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.1.11.tgz",
+			"integrity": "sha512-m/NVRFNGlEHJrNVk3O6I9ggVuNjXHIPoD6bqay/pubtYC9QIdAMpS+cswZQPBLvVvEF6GtSNONbDkZrjWZXYNQ==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-linux-x64-gnu": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.1.11.tgz",
+			"integrity": "sha512-YW6sblI7xukSD2TdbbaeQVDysIm/UPJtObHJHKxDEcW2exAtY47j52f8jZXkqE1krdnkhCMGqP3dbniu1Te2Fg==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-linux-x64-musl": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.1.11.tgz",
+			"integrity": "sha512-e3C/RRhGunWYNC3aSF7exsQkdXzQ/M+aYuZHKnw4U7KQwTJotnWsGOIVih0s2qQzmEzOFIJ3+xt7iq67K/p56Q==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-wasm32-wasi": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.1.11.tgz",
+			"integrity": "sha512-Xo1+/GU0JEN/C/dvcammKHzeM6NqKovG+6921MR6oadee5XPBaKOumrJCXvopJ/Qb5TH7LX/UAywbqrP4lax0g==",
+			"bundleDependencies": [
+				"@napi-rs/wasm-runtime",
+				"@emnapi/core",
+				"@emnapi/runtime",
+				"@tybys/wasm-util",
+				"@emnapi/wasi-threads",
+				"tslib"
+			],
+			"cpu": [
+				"wasm32"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"dependencies": {
+				"@emnapi/core": "^1.4.3",
+				"@emnapi/runtime": "^1.4.3",
+				"@emnapi/wasi-threads": "^1.0.2",
+				"@napi-rs/wasm-runtime": "^0.2.11",
+				"@tybys/wasm-util": "^0.9.0",
+				"tslib": "^2.8.0"
+			},
+			"engines": {
+				"node": ">=14.0.0"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.1.11.tgz",
+			"integrity": "sha512-UgKYx5PwEKrac3GPNPf6HVMNhUIGuUh4wlDFR2jYYdkX6pL/rn73zTq/4pzUm8fOjAn5L8zDeHp9iXmUGOXZ+w==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/oxide-win32-x64-msvc": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.1.11.tgz",
+			"integrity": "sha512-YfHoggn1j0LK7wR82TOucWc5LDCguHnoS879idHekmmiR7g9HUtMw9MI0NHatS28u/Xlkfi9w5RJWgz2Dl+5Qg==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">= 10"
+			}
+		},
+		"node_modules/@tailwindcss/vite": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.1.11.tgz",
+			"integrity": "sha512-RHYhrR3hku0MJFRV+fN2gNbDNEh3dwKvY8XJvTxCSXeMOsCRSr+uKvDWQcbizrHgjML6ZmTE5OwMrl5wKcujCw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@tailwindcss/node": "4.1.11",
+				"@tailwindcss/oxide": "4.1.11",
+				"tailwindcss": "4.1.11"
+			},
+			"peerDependencies": {
+				"vite": "^5.2.0 || ^6 || ^7"
+			}
+		},
+		"node_modules/@types/cookie": {
+			"version": "0.6.0",
+			"resolved": "https://registry.npmjs.org/@types/cookie/-/cookie-0.6.0.tgz",
+			"integrity": "sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA==",
+			"license": "MIT"
+		},
+		"node_modules/@types/estree": {
+			"version": "1.0.8",
+			"resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
+			"integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
+			"license": "MIT"
+		},
+		"node_modules/@types/json-schema": {
+			"version": "7.0.15",
+			"resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz",
+			"integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/@typescript-eslint/eslint-plugin": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.39.0.tgz",
+			"integrity": "sha512-bhEz6OZeUR+O/6yx9Jk6ohX6H9JSFTaiY0v9/PuKT3oGK0rn0jNplLmyFUGV+a9gfYnVNwGDwS/UkLIuXNb2Rw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@eslint-community/regexpp": "^4.10.0",
+				"@typescript-eslint/scope-manager": "8.39.0",
+				"@typescript-eslint/type-utils": "8.39.0",
+				"@typescript-eslint/utils": "8.39.0",
+				"@typescript-eslint/visitor-keys": "8.39.0",
+				"graphemer": "^1.4.0",
+				"ignore": "^7.0.0",
+				"natural-compare": "^1.4.0",
+				"ts-api-utils": "^2.1.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			},
+			"peerDependencies": {
+				"@typescript-eslint/parser": "^8.39.0",
+				"eslint": "^8.57.0 || ^9.0.0",
+				"typescript": ">=4.8.4 <6.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/eslint-plugin/node_modules/ignore": {
+			"version": "7.0.5",
+			"resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
+			"integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 4"
+			}
+		},
+		"node_modules/@typescript-eslint/parser": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.39.0.tgz",
+			"integrity": "sha512-g3WpVQHngx0aLXn6kfIYCZxM6rRJlWzEkVpqEFLT3SgEDsp9cpCbxxgwnE504q4H+ruSDh/VGS6nqZIDynP+vg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@typescript-eslint/scope-manager": "8.39.0",
+				"@typescript-eslint/types": "8.39.0",
+				"@typescript-eslint/typescript-estree": "8.39.0",
+				"@typescript-eslint/visitor-keys": "8.39.0",
+				"debug": "^4.3.4"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			},
+			"peerDependencies": {
+				"eslint": "^8.57.0 || ^9.0.0",
+				"typescript": ">=4.8.4 <6.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/project-service": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.39.0.tgz",
+			"integrity": "sha512-CTzJqaSq30V/Z2Og9jogzZt8lJRR5TKlAdXmWgdu4hgcC9Kww5flQ+xFvMxIBWVNdxJO7OifgdOK4PokMIWPew==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@typescript-eslint/tsconfig-utils": "^8.39.0",
+				"@typescript-eslint/types": "^8.39.0",
+				"debug": "^4.3.4"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			},
+			"peerDependencies": {
+				"typescript": ">=4.8.4 <6.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/scope-manager": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.39.0.tgz",
+			"integrity": "sha512-8QOzff9UKxOh6npZQ/4FQu4mjdOCGSdO3p44ww0hk8Vu+IGbg0tB/H1LcTARRDzGCC8pDGbh2rissBuuoPgH8A==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@typescript-eslint/types": "8.39.0",
+				"@typescript-eslint/visitor-keys": "8.39.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			}
+		},
+		"node_modules/@typescript-eslint/tsconfig-utils": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.39.0.tgz",
+			"integrity": "sha512-Fd3/QjmFV2sKmvv3Mrj8r6N8CryYiCS8Wdb/6/rgOXAWGcFuc+VkQuG28uk/4kVNVZBQuuDHEDUpo/pQ32zsIQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			},
+			"peerDependencies": {
+				"typescript": ">=4.8.4 <6.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/type-utils": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.39.0.tgz",
+			"integrity": "sha512-6B3z0c1DXVT2vYA9+z9axjtc09rqKUPRmijD5m9iv8iQpHBRYRMBcgxSiKTZKm6FwWw1/cI4v6em35OsKCiN5Q==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@typescript-eslint/types": "8.39.0",
+				"@typescript-eslint/typescript-estree": "8.39.0",
+				"@typescript-eslint/utils": "8.39.0",
+				"debug": "^4.3.4",
+				"ts-api-utils": "^2.1.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			},
+			"peerDependencies": {
+				"eslint": "^8.57.0 || ^9.0.0",
+				"typescript": ">=4.8.4 <6.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/types": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.39.0.tgz",
+			"integrity": "sha512-ArDdaOllnCj3yn/lzKn9s0pBQYmmyme/v1HbGIGB0GB/knFI3fWMHloC+oYTJW46tVbYnGKTMDK4ah1sC2v0Kg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			}
+		},
+		"node_modules/@typescript-eslint/typescript-estree": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.39.0.tgz",
+			"integrity": "sha512-ndWdiflRMvfIgQRpckQQLiB5qAKQ7w++V4LlCHwp62eym1HLB/kw7D9f2e8ytONls/jt89TEasgvb+VwnRprsw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@typescript-eslint/project-service": "8.39.0",
+				"@typescript-eslint/tsconfig-utils": "8.39.0",
+				"@typescript-eslint/types": "8.39.0",
+				"@typescript-eslint/visitor-keys": "8.39.0",
+				"debug": "^4.3.4",
+				"fast-glob": "^3.3.2",
+				"is-glob": "^4.0.3",
+				"minimatch": "^9.0.4",
+				"semver": "^7.6.0",
+				"ts-api-utils": "^2.1.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			},
+			"peerDependencies": {
+				"typescript": ">=4.8.4 <6.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+			"integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"balanced-match": "^1.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
+			"version": "9.0.5",
+			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+			"integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"brace-expansion": "^2.0.1"
+			},
+			"engines": {
+				"node": ">=16 || 14 >=14.17"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/isaacs"
+			}
+		},
+		"node_modules/@typescript-eslint/utils": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.39.0.tgz",
+			"integrity": "sha512-4GVSvNA0Vx1Ktwvf4sFE+exxJ3QGUorQG1/A5mRfRNZtkBT2xrA/BCO2H0eALx/PnvCS6/vmYwRdDA41EoffkQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@eslint-community/eslint-utils": "^4.7.0",
+				"@typescript-eslint/scope-manager": "8.39.0",
+				"@typescript-eslint/types": "8.39.0",
+				"@typescript-eslint/typescript-estree": "8.39.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			},
+			"peerDependencies": {
+				"eslint": "^8.57.0 || ^9.0.0",
+				"typescript": ">=4.8.4 <6.0.0"
+			}
+		},
+		"node_modules/@typescript-eslint/visitor-keys": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.39.0.tgz",
+			"integrity": "sha512-ldgiJ+VAhQCfIjeOgu8Kj5nSxds0ktPOSO9p4+0VDH2R2pLvQraaM5Oen2d7NxzMCm+Sn/vJT+mv2H5u6b/3fA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@typescript-eslint/types": "8.39.0",
+				"eslint-visitor-keys": "^4.2.1"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			}
+		},
+		"node_modules/acorn": {
+			"version": "8.15.0",
+			"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
+			"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
+			"license": "MIT",
+			"bin": {
+				"acorn": "bin/acorn"
+			},
+			"engines": {
+				"node": ">=0.4.0"
+			}
+		},
+		"node_modules/acorn-jsx": {
+			"version": "5.3.2",
+			"resolved": "https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz",
+			"integrity": "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==",
+			"dev": true,
+			"license": "MIT",
+			"peerDependencies": {
+				"acorn": "^6.0.0 || ^7.0.0 || ^8.0.0"
+			}
+		},
+		"node_modules/ajv": {
+			"version": "6.12.6",
+			"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
+			"integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"fast-deep-equal": "^3.1.1",
+				"fast-json-stable-stringify": "^2.0.0",
+				"json-schema-traverse": "^0.4.1",
+				"uri-js": "^4.2.2"
+			},
+			"funding": {
+				"type": "github",
+				"url": "https://github.com/sponsors/epoberezkin"
+			}
+		},
+		"node_modules/ansi-styles": {
+			"version": "4.3.0",
+			"resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+			"integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"color-convert": "^2.0.1"
+			},
+			"engines": {
+				"node": ">=8"
+			},
+			"funding": {
+				"url": "https://github.com/chalk/ansi-styles?sponsor=1"
+			}
+		},
+		"node_modules/argparse": {
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+			"integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+			"dev": true,
+			"license": "Python-2.0"
+		},
+		"node_modules/aria-query": {
+			"version": "5.3.2",
+			"resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.3.2.tgz",
+			"integrity": "sha512-COROpnaoap1E2F000S62r6A60uHZnmlvomhfyT2DlTcrY1OrBKn2UhH7qn5wTC9zMvD0AY7csdPSNwKP+7WiQw==",
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">= 0.4"
+			}
+		},
+		"node_modules/axobject-query": {
+			"version": "4.1.0",
+			"resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-4.1.0.tgz",
+			"integrity": "sha512-qIj0G9wZbMGNLjLmg1PT6v2mE9AH2zlnADJD/2tC6E00hgmhUOfEB6greHPAfLRSufHqROIUTkw6E+M3lH0PTQ==",
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">= 0.4"
+			}
+		},
+		"node_modules/balanced-match": {
+			"version": "1.0.2",
+			"resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+			"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/brace-expansion": {
+			"version": "1.1.12",
+			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+			"integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"balanced-match": "^1.0.0",
+				"concat-map": "0.0.1"
+			}
+		},
+		"node_modules/braces": {
+			"version": "3.0.3",
+			"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+			"integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+			"devOptional": true,
+			"license": "MIT",
+			"dependencies": {
+				"fill-range": "^7.1.1"
+			},
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/callsites": {
+			"version": "3.1.0",
+			"resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
+			"integrity": "sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/chalk": {
+			"version": "4.1.2",
+			"resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
+			"integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"ansi-styles": "^4.1.0",
+				"supports-color": "^7.1.0"
+			},
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/chalk/chalk?sponsor=1"
+			}
+		},
+		"node_modules/chokidar": {
+			"version": "4.0.3",
+			"resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz",
+			"integrity": "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==",
+			"license": "MIT",
+			"dependencies": {
+				"readdirp": "^4.0.1"
+			},
+			"engines": {
+				"node": ">= 14.16.0"
+			},
+			"funding": {
+				"url": "https://paulmillr.com/funding/"
+			}
+		},
+		"node_modules/chownr": {
+			"version": "3.0.0",
+			"resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz",
+			"integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==",
+			"dev": true,
+			"license": "BlueOak-1.0.0",
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/clsx": {
+			"version": "2.1.1",
+			"resolved": "https://registry.npmjs.org/clsx/-/clsx-2.1.1.tgz",
+			"integrity": "sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/color-convert": {
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+			"integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"color-name": "~1.1.4"
+			},
+			"engines": {
+				"node": ">=7.0.0"
+			}
+		},
+		"node_modules/color-name": {
+			"version": "1.1.4",
+			"resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+			"integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/concat-map": {
+			"version": "0.0.1",
+			"resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+			"integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/cookie": {
+			"version": "0.6.0",
+			"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
+			"integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
+			"license": "MIT",
+			"engines": {
+				"node": ">= 0.6"
+			}
+		},
+		"node_modules/cross-spawn": {
+			"version": "7.0.6",
+			"resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+			"integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"path-key": "^3.1.0",
+				"shebang-command": "^2.0.0",
+				"which": "^2.0.1"
+			},
+			"engines": {
+				"node": ">= 8"
+			}
+		},
+		"node_modules/cssesc": {
+			"version": "3.0.0",
+			"resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz",
+			"integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==",
+			"dev": true,
+			"license": "MIT",
+			"bin": {
+				"cssesc": "bin/cssesc"
+			},
+			"engines": {
+				"node": ">=4"
+			}
+		},
+		"node_modules/debug": {
+			"version": "4.4.1",
+			"resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
+			"integrity": "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==",
+			"license": "MIT",
+			"dependencies": {
+				"ms": "^2.1.3"
+			},
+			"engines": {
+				"node": ">=6.0"
+			},
+			"peerDependenciesMeta": {
+				"supports-color": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/deep-is": {
+			"version": "0.1.4",
+			"resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
+			"integrity": "sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/deepmerge": {
+			"version": "4.3.1",
+			"resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.3.1.tgz",
+			"integrity": "sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/detect-libc": {
+			"version": "2.0.4",
+			"resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.4.tgz",
+			"integrity": "sha512-3UDv+G9CsCKO1WKMGw9fwq/SWJYbI0c5Y7LU1AXYoDdbhE2AHQ6N6Nb34sG8Fj7T5APy8qXDCKuuIHd1BR0tVA==",
+			"devOptional": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/devalue": {
+			"version": "5.1.1",
+			"resolved": "https://registry.npmjs.org/devalue/-/devalue-5.1.1.tgz",
+			"integrity": "sha512-maua5KUiapvEwiEAe+XnlZ3Rh0GD+qI1J/nb9vrJc3muPXvcF/8gXYTWF76+5DAqHyDUtOIImEuo0YKE9mshVw==",
+			"license": "MIT"
+		},
+		"node_modules/enhanced-resolve": {
+			"version": "5.18.2",
+			"resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.2.tgz",
+			"integrity": "sha512-6Jw4sE1maoRJo3q8MsSIn2onJFbLTOjY9hlx4DZXmOKvLRd1Ok2kXmAGXaafL2+ijsJZ1ClYbl/pmqr9+k4iUQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"graceful-fs": "^4.2.4",
+				"tapable": "^2.2.0"
+			},
+			"engines": {
+				"node": ">=10.13.0"
+			}
+		},
+		"node_modules/esbuild": {
+			"version": "0.25.8",
+			"resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.8.tgz",
+			"integrity": "sha512-vVC0USHGtMi8+R4Kz8rt6JhEWLxsv9Rnu/lGYbPR8u47B+DCBksq9JarW0zOO7bs37hyOK1l2/oqtbciutL5+Q==",
+			"hasInstallScript": true,
+			"license": "MIT",
+			"bin": {
+				"esbuild": "bin/esbuild"
+			},
+			"engines": {
+				"node": ">=18"
+			},
+			"optionalDependencies": {
+				"@esbuild/aix-ppc64": "0.25.8",
+				"@esbuild/android-arm": "0.25.8",
+				"@esbuild/android-arm64": "0.25.8",
+				"@esbuild/android-x64": "0.25.8",
+				"@esbuild/darwin-arm64": "0.25.8",
+				"@esbuild/darwin-x64": "0.25.8",
+				"@esbuild/freebsd-arm64": "0.25.8",
+				"@esbuild/freebsd-x64": "0.25.8",
+				"@esbuild/linux-arm": "0.25.8",
+				"@esbuild/linux-arm64": "0.25.8",
+				"@esbuild/linux-ia32": "0.25.8",
+				"@esbuild/linux-loong64": "0.25.8",
+				"@esbuild/linux-mips64el": "0.25.8",
+				"@esbuild/linux-ppc64": "0.25.8",
+				"@esbuild/linux-riscv64": "0.25.8",
+				"@esbuild/linux-s390x": "0.25.8",
+				"@esbuild/linux-x64": "0.25.8",
+				"@esbuild/netbsd-arm64": "0.25.8",
+				"@esbuild/netbsd-x64": "0.25.8",
+				"@esbuild/openbsd-arm64": "0.25.8",
+				"@esbuild/openbsd-x64": "0.25.8",
+				"@esbuild/openharmony-arm64": "0.25.8",
+				"@esbuild/sunos-x64": "0.25.8",
+				"@esbuild/win32-arm64": "0.25.8",
+				"@esbuild/win32-ia32": "0.25.8",
+				"@esbuild/win32-x64": "0.25.8"
+			}
+		},
+		"node_modules/escape-string-regexp": {
+			"version": "4.0.0",
+			"resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz",
+			"integrity": "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/eslint": {
+			"version": "9.32.0",
+			"resolved": "https://registry.npmjs.org/eslint/-/eslint-9.32.0.tgz",
+			"integrity": "sha512-LSehfdpgMeWcTZkWZVIJl+tkZ2nuSkyyB9C27MZqFWXuph7DvaowgcTvKqxvpLW1JZIk8PN7hFY3Rj9LQ7m7lg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@eslint-community/eslint-utils": "^4.2.0",
+				"@eslint-community/regexpp": "^4.12.1",
+				"@eslint/config-array": "^0.21.0",
+				"@eslint/config-helpers": "^0.3.0",
+				"@eslint/core": "^0.15.0",
+				"@eslint/eslintrc": "^3.3.1",
+				"@eslint/js": "9.32.0",
+				"@eslint/plugin-kit": "^0.3.4",
+				"@humanfs/node": "^0.16.6",
+				"@humanwhocodes/module-importer": "^1.0.1",
+				"@humanwhocodes/retry": "^0.4.2",
+				"@types/estree": "^1.0.6",
+				"@types/json-schema": "^7.0.15",
+				"ajv": "^6.12.4",
+				"chalk": "^4.0.0",
+				"cross-spawn": "^7.0.6",
+				"debug": "^4.3.2",
+				"escape-string-regexp": "^4.0.0",
+				"eslint-scope": "^8.4.0",
+				"eslint-visitor-keys": "^4.2.1",
+				"espree": "^10.4.0",
+				"esquery": "^1.5.0",
+				"esutils": "^2.0.2",
+				"fast-deep-equal": "^3.1.3",
+				"file-entry-cache": "^8.0.0",
+				"find-up": "^5.0.0",
+				"glob-parent": "^6.0.2",
+				"ignore": "^5.2.0",
+				"imurmurhash": "^0.1.4",
+				"is-glob": "^4.0.0",
+				"json-stable-stringify-without-jsonify": "^1.0.1",
+				"lodash.merge": "^4.6.2",
+				"minimatch": "^3.1.2",
+				"natural-compare": "^1.4.0",
+				"optionator": "^0.9.3"
+			},
+			"bin": {
+				"eslint": "bin/eslint.js"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"url": "https://eslint.org/donate"
+			},
+			"peerDependencies": {
+				"jiti": "*"
+			},
+			"peerDependenciesMeta": {
+				"jiti": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/eslint-config-prettier": {
+			"version": "10.1.8",
+			"resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-10.1.8.tgz",
+			"integrity": "sha512-82GZUjRS0p/jganf6q1rEO25VSoHH0hKPCTrgillPjdI/3bgBhAE1QzHrHTizjpRvy6pGAvKjDJtk2pF9NDq8w==",
+			"dev": true,
+			"license": "MIT",
+			"bin": {
+				"eslint-config-prettier": "bin/cli.js"
+			},
+			"funding": {
+				"url": "https://opencollective.com/eslint-config-prettier"
+			},
+			"peerDependencies": {
+				"eslint": ">=7.0.0"
+			}
+		},
+		"node_modules/eslint-plugin-svelte": {
+			"version": "3.11.0",
+			"resolved": "https://registry.npmjs.org/eslint-plugin-svelte/-/eslint-plugin-svelte-3.11.0.tgz",
+			"integrity": "sha512-KliWlkieHyEa65aQIkRwUFfHzT5Cn4u3BQQsu3KlkJOs7c1u7ryn84EWaOjEzilbKgttT4OfBURA8Uc4JBSQIw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@eslint-community/eslint-utils": "^4.6.1",
+				"@jridgewell/sourcemap-codec": "^1.5.0",
+				"esutils": "^2.0.3",
+				"globals": "^16.0.0",
+				"known-css-properties": "^0.37.0",
+				"postcss": "^8.4.49",
+				"postcss-load-config": "^3.1.4",
+				"postcss-safe-parser": "^7.0.0",
+				"semver": "^7.6.3",
+				"svelte-eslint-parser": "^1.3.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/ota-meshi"
+			},
+			"peerDependencies": {
+				"eslint": "^8.57.1 || ^9.0.0",
+				"svelte": "^3.37.0 || ^4.0.0 || ^5.0.0"
+			},
+			"peerDependenciesMeta": {
+				"svelte": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/eslint-scope": {
+			"version": "8.4.0",
+			"resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.4.0.tgz",
+			"integrity": "sha512-sNXOfKCn74rt8RICKMvJS7XKV/Xk9kA7DyJr8mJik3S7Cwgy3qlkkmyS2uQB3jiJg6VNdZd/pDBJu0nvG2NlTg==",
+			"dev": true,
+			"license": "BSD-2-Clause",
+			"dependencies": {
+				"esrecurse": "^4.3.0",
+				"estraverse": "^5.2.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/eslint"
+			}
+		},
+		"node_modules/eslint-visitor-keys": {
+			"version": "4.2.1",
+			"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
+			"integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/eslint"
+			}
+		},
+		"node_modules/esm-env": {
+			"version": "1.2.2",
+			"resolved": "https://registry.npmjs.org/esm-env/-/esm-env-1.2.2.tgz",
+			"integrity": "sha512-Epxrv+Nr/CaL4ZcFGPJIYLWFom+YeV1DqMLHJoEd9SYRxNbaFruBwfEX/kkHUJf55j2+TUbmDcmuilbP1TmXHA==",
+			"license": "MIT"
+		},
+		"node_modules/espree": {
+			"version": "10.4.0",
+			"resolved": "https://registry.npmjs.org/espree/-/espree-10.4.0.tgz",
+			"integrity": "sha512-j6PAQ2uUr79PZhBjP5C5fhl8e39FmRnOjsD5lGnWrFU8i2G776tBK7+nP8KuQUTTyAZUwfQqXAgrVH5MbH9CYQ==",
+			"dev": true,
+			"license": "BSD-2-Clause",
+			"dependencies": {
+				"acorn": "^8.15.0",
+				"acorn-jsx": "^5.3.2",
+				"eslint-visitor-keys": "^4.2.1"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/eslint"
+			}
+		},
+		"node_modules/esquery": {
+			"version": "1.6.0",
+			"resolved": "https://registry.npmjs.org/esquery/-/esquery-1.6.0.tgz",
+			"integrity": "sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==",
+			"dev": true,
+			"license": "BSD-3-Clause",
+			"dependencies": {
+				"estraverse": "^5.1.0"
+			},
+			"engines": {
+				"node": ">=0.10"
+			}
+		},
+		"node_modules/esrap": {
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/esrap/-/esrap-2.1.0.tgz",
+			"integrity": "sha512-yzmPNpl7TBbMRC5Lj2JlJZNPml0tzqoqP5B1JXycNUwtqma9AKCO0M2wHrdgsHcy1WRW7S9rJknAMtByg3usgA==",
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/sourcemap-codec": "^1.4.15"
+			}
+		},
+		"node_modules/esrecurse": {
+			"version": "4.3.0",
+			"resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.3.0.tgz",
+			"integrity": "sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==",
+			"dev": true,
+			"license": "BSD-2-Clause",
+			"dependencies": {
+				"estraverse": "^5.2.0"
+			},
+			"engines": {
+				"node": ">=4.0"
+			}
+		},
+		"node_modules/estraverse": {
+			"version": "5.3.0",
+			"resolved": "https://registry.npmjs.org/estraverse/-/estraverse-5.3.0.tgz",
+			"integrity": "sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==",
+			"dev": true,
+			"license": "BSD-2-Clause",
+			"engines": {
+				"node": ">=4.0"
+			}
+		},
+		"node_modules/esutils": {
+			"version": "2.0.3",
+			"resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
+			"integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==",
+			"dev": true,
+			"license": "BSD-2-Clause",
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/fast-deep-equal": {
+			"version": "3.1.3",
+			"resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
+			"integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/fast-glob": {
+			"version": "3.3.3",
+			"resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz",
+			"integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@nodelib/fs.stat": "^2.0.2",
+				"@nodelib/fs.walk": "^1.2.3",
+				"glob-parent": "^5.1.2",
+				"merge2": "^1.3.0",
+				"micromatch": "^4.0.8"
+			},
+			"engines": {
+				"node": ">=8.6.0"
+			}
+		},
+		"node_modules/fast-glob/node_modules/glob-parent": {
+			"version": "5.1.2",
+			"resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+			"integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"is-glob": "^4.0.1"
+			},
+			"engines": {
+				"node": ">= 6"
+			}
+		},
+		"node_modules/fast-json-stable-stringify": {
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
+			"integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/fast-levenshtein": {
+			"version": "2.0.6",
+			"resolved": "https://registry.npmjs.org/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz",
+			"integrity": "sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/fastq": {
+			"version": "1.19.1",
+			"resolved": "https://registry.npmjs.org/fastq/-/fastq-1.19.1.tgz",
+			"integrity": "sha512-GwLTyxkCXjXbxqIhTsMI2Nui8huMPtnxg7krajPJAjnEG/iiOS7i+zCtWGZR9G0NBKbXKh6X9m9UIsYX/N6vvQ==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"reusify": "^1.0.4"
+			}
+		},
+		"node_modules/fdir": {
+			"version": "6.4.6",
+			"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.6.tgz",
+			"integrity": "sha512-hiFoqpyZcfNm1yc4u8oWCf9A2c4D3QjCrks3zmoVKVxpQRzmPNar1hUJcBG2RQHvEVGDN+Jm81ZheVLAQMK6+w==",
+			"license": "MIT",
+			"peerDependencies": {
+				"picomatch": "^3 || ^4"
+			},
+			"peerDependenciesMeta": {
+				"picomatch": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/file-entry-cache": {
+			"version": "8.0.0",
+			"resolved": "https://registry.npmjs.org/file-entry-cache/-/file-entry-cache-8.0.0.tgz",
+			"integrity": "sha512-XXTUwCvisa5oacNGRP9SfNtYBNAMi+RPwBFmblZEF7N7swHYQS6/Zfk7SRwx4D5j3CH211YNRco1DEMNVfZCnQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"flat-cache": "^4.0.0"
+			},
+			"engines": {
+				"node": ">=16.0.0"
+			}
+		},
+		"node_modules/fill-range": {
+			"version": "7.1.1",
+			"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+			"integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+			"devOptional": true,
+			"license": "MIT",
+			"dependencies": {
+				"to-regex-range": "^5.0.1"
+			},
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/find-up": {
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz",
+			"integrity": "sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"locate-path": "^6.0.0",
+				"path-exists": "^4.0.0"
+			},
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/flat-cache": {
+			"version": "4.0.1",
+			"resolved": "https://registry.npmjs.org/flat-cache/-/flat-cache-4.0.1.tgz",
+			"integrity": "sha512-f7ccFPK3SXFHpx15UIGyRJ/FJQctuKZ0zVuN3frBo4HnK3cay9VEW0R6yPYFHC0AgqhukPzKjq22t5DmAyqGyw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"flatted": "^3.2.9",
+				"keyv": "^4.5.4"
+			},
+			"engines": {
+				"node": ">=16"
+			}
+		},
+		"node_modules/flatted": {
+			"version": "3.3.3",
+			"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
+			"integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+			"dev": true,
+			"license": "ISC"
+		},
+		"node_modules/fsevents": {
+			"version": "2.3.2",
+			"resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+			"integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+			"hasInstallScript": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+			}
+		},
+		"node_modules/glob-parent": {
+			"version": "6.0.2",
+			"resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz",
+			"integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"is-glob": "^4.0.3"
+			},
+			"engines": {
+				"node": ">=10.13.0"
+			}
+		},
+		"node_modules/globals": {
+			"version": "16.3.0",
+			"resolved": "https://registry.npmjs.org/globals/-/globals-16.3.0.tgz",
+			"integrity": "sha512-bqWEnJ1Nt3neqx2q5SFfGS8r/ahumIakg3HcwtNlrVlwXIeNumWn/c7Pn/wKzGhf6SaW6H6uWXLqC30STCMchQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=18"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/graceful-fs": {
+			"version": "4.2.11",
+			"resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
+			"integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==",
+			"dev": true,
+			"license": "ISC"
+		},
+		"node_modules/graphemer": {
+			"version": "1.4.0",
+			"resolved": "https://registry.npmjs.org/graphemer/-/graphemer-1.4.0.tgz",
+			"integrity": "sha512-EtKwoO6kxCL9WO5xipiHTZlSzBm7WLT627TqC/uVRd0HKmq8NXyebnNYxDoBi7wt8eTWrUrKXCOVaFq9x1kgag==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/has-flag": {
+			"version": "4.0.0",
+			"resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
+			"integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/idb": {
+			"version": "7.1.1",
+			"resolved": "https://registry.npmjs.org/idb/-/idb-7.1.1.tgz",
+			"integrity": "sha512-gchesWBzyvGHRO9W8tzUWFDycow5gwjvFKfyV9FF32Y7F50yZMp7mP+T2mJIWFx49zicqyC4uefHM17o6xKIVQ==",
+			"license": "ISC"
+		},
+		"node_modules/idb-keyval": {
+			"version": "6.2.2",
+			"resolved": "https://registry.npmjs.org/idb-keyval/-/idb-keyval-6.2.2.tgz",
+			"integrity": "sha512-yjD9nARJ/jb1g+CvD0tlhUHOrJ9Sy0P8T9MF3YaLlHnSRpwPfpTX0XIvpmw3gAJUmEu3FiICLBDPXVwyEvrleg==",
+			"license": "Apache-2.0"
+		},
+		"node_modules/ignore": {
+			"version": "5.3.2",
+			"resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
+			"integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 4"
+			}
+		},
+		"node_modules/immutable": {
+			"version": "5.1.3",
+			"resolved": "https://registry.npmjs.org/immutable/-/immutable-5.1.3.tgz",
+			"integrity": "sha512-+chQdDfvscSF1SJqv2gn4SRO2ZyS3xL3r7IW/wWEEzrzLisnOlKiQu5ytC/BVNcS15C39WT2Hg/bjKjDMcu+zg==",
+			"license": "MIT"
+		},
+		"node_modules/import-fresh": {
+			"version": "3.3.1",
+			"resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.1.tgz",
+			"integrity": "sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"parent-module": "^1.0.0",
+				"resolve-from": "^4.0.0"
+			},
+			"engines": {
+				"node": ">=6"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/imurmurhash": {
+			"version": "0.1.4",
+			"resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz",
+			"integrity": "sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.8.19"
+			}
+		},
+		"node_modules/is-extglob": {
+			"version": "2.1.1",
+			"resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+			"integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+			"devOptional": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/is-glob": {
+			"version": "4.0.3",
+			"resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
+			"integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+			"devOptional": true,
+			"license": "MIT",
+			"dependencies": {
+				"is-extglob": "^2.1.1"
+			},
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/is-number": {
+			"version": "7.0.0",
+			"resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+			"integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+			"devOptional": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.12.0"
+			}
+		},
+		"node_modules/is-reference": {
+			"version": "3.0.3",
+			"resolved": "https://registry.npmjs.org/is-reference/-/is-reference-3.0.3.tgz",
+			"integrity": "sha512-ixkJoqQvAP88E6wLydLGGqCJsrFUnqoH6HnaczB8XmDH1oaWU+xxdptvikTgaEhtZ53Ky6YXiBuUI2WXLMCwjw==",
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "^1.0.6"
+			}
+		},
+		"node_modules/isexe": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
+			"integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
+			"dev": true,
+			"license": "ISC"
+		},
+		"node_modules/jiti": {
+			"version": "2.5.1",
+			"resolved": "https://registry.npmjs.org/jiti/-/jiti-2.5.1.tgz",
+			"integrity": "sha512-twQoecYPiVA5K/h6SxtORw/Bs3ar+mLUtoPSc7iMXzQzK8d7eJ/R09wmTwAjiamETn1cXYPGfNnu7DMoHgu12w==",
+			"devOptional": true,
+			"license": "MIT",
+			"bin": {
+				"jiti": "lib/jiti-cli.mjs"
+			}
+		},
+		"node_modules/js-yaml": {
+			"version": "4.1.0",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
+			"integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"argparse": "^2.0.1"
+			},
+			"bin": {
+				"js-yaml": "bin/js-yaml.js"
+			}
+		},
+		"node_modules/json-buffer": {
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz",
+			"integrity": "sha512-4bV5BfR2mqfQTJm+V5tPPdf+ZpuhiIvTuAB5g8kcrXOZpTT/QwwVRWBywX1ozr6lEuPdbHxwaJlm9G6mI2sfSQ==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/json-schema-traverse": {
+			"version": "0.4.1",
+			"resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
+			"integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/json-stable-stringify-without-jsonify": {
+			"version": "1.0.1",
+			"resolved": "https://registry.npmjs.org/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz",
+			"integrity": "sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/keyv": {
+			"version": "4.5.4",
+			"resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz",
+			"integrity": "sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"json-buffer": "3.0.1"
+			}
+		},
+		"node_modules/kleur": {
+			"version": "4.1.5",
+			"resolved": "https://registry.npmjs.org/kleur/-/kleur-4.1.5.tgz",
+			"integrity": "sha512-o+NO+8WrRiQEE4/7nwRJhN1HWpVmJm511pBHUxPLtp0BUISzlBplORYSmTclCnJvQq2tKu/sgl3xVpkc7ZWuQQ==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/known-css-properties": {
+			"version": "0.37.0",
+			"resolved": "https://registry.npmjs.org/known-css-properties/-/known-css-properties-0.37.0.tgz",
+			"integrity": "sha512-JCDrsP4Z1Sb9JwG0aJ8Eo2r7k4Ou5MwmThS/6lcIe1ICyb7UBJKGRIUUdqc2ASdE/42lgz6zFUnzAIhtXnBVrQ==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/levn": {
+			"version": "0.4.1",
+			"resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz",
+			"integrity": "sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"prelude-ls": "^1.2.1",
+				"type-check": "~0.4.0"
+			},
+			"engines": {
+				"node": ">= 0.8.0"
+			}
+		},
+		"node_modules/lightningcss": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.30.1.tgz",
+			"integrity": "sha512-xi6IyHML+c9+Q3W0S4fCQJOym42pyurFiJUHEcEyHS0CeKzia4yZDEsLlqOFykxOdHpNy0NmvVO31vcSqAxJCg==",
+			"devOptional": true,
+			"license": "MPL-2.0",
+			"dependencies": {
+				"detect-libc": "^2.0.3"
+			},
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			},
+			"optionalDependencies": {
+				"lightningcss-darwin-arm64": "1.30.1",
+				"lightningcss-darwin-x64": "1.30.1",
+				"lightningcss-freebsd-x64": "1.30.1",
+				"lightningcss-linux-arm-gnueabihf": "1.30.1",
+				"lightningcss-linux-arm64-gnu": "1.30.1",
+				"lightningcss-linux-arm64-musl": "1.30.1",
+				"lightningcss-linux-x64-gnu": "1.30.1",
+				"lightningcss-linux-x64-musl": "1.30.1",
+				"lightningcss-win32-arm64-msvc": "1.30.1",
+				"lightningcss-win32-x64-msvc": "1.30.1"
+			}
+		},
+		"node_modules/lightningcss-darwin-arm64": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.30.1.tgz",
+			"integrity": "sha512-c8JK7hyE65X1MHMN+Viq9n11RRC7hgin3HhYKhrMyaXflk5GVplZ60IxyoVtzILeKr+xAJwg6zK6sjTBJ0FKYQ==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-darwin-x64": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.30.1.tgz",
+			"integrity": "sha512-k1EvjakfumAQoTfcXUcHQZhSpLlkAuEkdMBsI/ivWw9hL+7FtilQc0Cy3hrx0AAQrVtQAbMI7YjCgYgvn37PzA==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-freebsd-x64": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.30.1.tgz",
+			"integrity": "sha512-kmW6UGCGg2PcyUE59K5r0kWfKPAVy4SltVeut+umLCFoJ53RdCUWxcRDzO1eTaxf/7Q2H7LTquFHPL5R+Gjyig==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-linux-arm-gnueabihf": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.30.1.tgz",
+			"integrity": "sha512-MjxUShl1v8pit+6D/zSPq9S9dQ2NPFSQwGvxBCYaBYLPlCWuPh9/t1MRS8iUaR8i+a6w7aps+B4N0S1TYP/R+Q==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-linux-arm64-gnu": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.30.1.tgz",
+			"integrity": "sha512-gB72maP8rmrKsnKYy8XUuXi/4OctJiuQjcuqWNlJQ6jZiWqtPvqFziskH3hnajfvKB27ynbVCucKSm2rkQp4Bw==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-linux-arm64-musl": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.30.1.tgz",
+			"integrity": "sha512-jmUQVx4331m6LIX+0wUhBbmMX7TCfjF5FoOH6SD1CttzuYlGNVpA7QnrmLxrsub43ClTINfGSYyHe2HWeLl5CQ==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-linux-x64-gnu": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.30.1.tgz",
+			"integrity": "sha512-piWx3z4wN8J8z3+O5kO74+yr6ze/dKmPnI7vLqfSqI8bccaTGY5xiSGVIJBDd5K5BHlvVLpUB3S2YCfelyJ1bw==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-linux-x64-musl": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.30.1.tgz",
+			"integrity": "sha512-rRomAK7eIkL+tHY0YPxbc5Dra2gXlI63HL+v1Pdi1a3sC+tJTcFrHX+E86sulgAXeI7rSzDYhPSeHHjqFhqfeQ==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-win32-arm64-msvc": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.30.1.tgz",
+			"integrity": "sha512-mSL4rqPi4iXq5YVqzSsJgMVFENoa4nGTT/GjO2c0Yl9OuQfPsIfncvLrEW6RbbB24WtZ3xP/2CCmI3tNkNV4oA==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lightningcss-win32-x64-msvc": {
+			"version": "1.30.1",
+			"resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.30.1.tgz",
+			"integrity": "sha512-PVqXh48wh4T53F/1CCu8PIPCxLzWyCnn/9T5W1Jpmdy5h9Cwd+0YQS6/LwhHXSafuc61/xg9Lv5OrCby6a++jg==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MPL-2.0",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">= 12.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/parcel"
+			}
+		},
+		"node_modules/lilconfig": {
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-2.1.0.tgz",
+			"integrity": "sha512-utWOt/GHzuUxnLKxB6dk81RoOeoNeHgbrXiuGk4yyF5qlRz+iIVWu56E2fqGHFrXz0QNUhLB/8nKqvRH66JKGQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=10"
+			}
+		},
+		"node_modules/locate-character": {
+			"version": "3.0.0",
+			"resolved": "https://registry.npmjs.org/locate-character/-/locate-character-3.0.0.tgz",
+			"integrity": "sha512-SW13ws7BjaeJ6p7Q6CO2nchbYEc3X3J6WrmTTDto7yMPqVSZTUyY5Tjbid+Ab8gLnATtygYtiDIJGQRRn2ZOiA==",
+			"license": "MIT"
+		},
+		"node_modules/locate-path": {
+			"version": "6.0.0",
+			"resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz",
+			"integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"p-locate": "^5.0.0"
+			},
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/lodash.merge": {
+			"version": "4.6.2",
+			"resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz",
+			"integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/lucide-svelte": {
+			"version": "0.536.0",
+			"resolved": "https://registry.npmjs.org/lucide-svelte/-/lucide-svelte-0.536.0.tgz",
+			"integrity": "sha512-UIm/R2IYZMs4HW134ik7rDqEDXdvXb109Fznb8mG7OFQShnXkRpAaoyytJ8FzXR5W6GbfQ+r5jHBnIUs6uQp9w==",
+			"license": "ISC",
+			"peerDependencies": {
+				"svelte": "^3 || ^4 || ^5.0.0-next.42"
+			}
+		},
+		"node_modules/magic-string": {
+			"version": "0.30.17",
+			"resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.17.tgz",
+			"integrity": "sha512-sNPKHvyjVf7gyjwS4xGTaW/mCnF8wnjtifKBEhxfZ7E/S8tQ0rssrwGNn6q8JH/ohItJfSQp9mBtQYuTlH5QnA==",
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/sourcemap-codec": "^1.5.0"
+			}
+		},
+		"node_modules/merge2": {
+			"version": "1.4.1",
+			"resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
+			"integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 8"
+			}
+		},
+		"node_modules/micromatch": {
+			"version": "4.0.8",
+			"resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz",
+			"integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==",
+			"devOptional": true,
+			"license": "MIT",
+			"dependencies": {
+				"braces": "^3.0.3",
+				"picomatch": "^2.3.1"
+			},
+			"engines": {
+				"node": ">=8.6"
+			}
+		},
+		"node_modules/micromatch/node_modules/picomatch": {
+			"version": "2.3.1",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
+			"integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+			"devOptional": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=8.6"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/jonschlinkert"
+			}
+		},
+		"node_modules/minimatch": {
+			"version": "3.1.2",
+			"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+			"integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"brace-expansion": "^1.1.7"
+			},
+			"engines": {
+				"node": "*"
+			}
+		},
+		"node_modules/minipass": {
+			"version": "7.1.2",
+			"resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+			"integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
+			"dev": true,
+			"license": "ISC",
+			"engines": {
+				"node": ">=16 || 14 >=14.17"
+			}
+		},
+		"node_modules/minizlib": {
+			"version": "3.0.2",
+			"resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.0.2.tgz",
+			"integrity": "sha512-oG62iEk+CYt5Xj2YqI5Xi9xWUeZhDI8jjQmC5oThVH5JGCTgIjr7ciJDzC7MBzYd//WvR1OTmP5Q38Q8ShQtVA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"minipass": "^7.1.2"
+			},
+			"engines": {
+				"node": ">= 18"
+			}
+		},
+		"node_modules/mkdirp": {
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-3.0.1.tgz",
+			"integrity": "sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg==",
+			"dev": true,
+			"license": "MIT",
+			"bin": {
+				"mkdirp": "dist/cjs/src/bin.js"
+			},
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/isaacs"
+			}
+		},
+		"node_modules/mri": {
+			"version": "1.2.0",
+			"resolved": "https://registry.npmjs.org/mri/-/mri-1.2.0.tgz",
+			"integrity": "sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=4"
+			}
+		},
+		"node_modules/mrmime": {
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/mrmime/-/mrmime-2.0.1.tgz",
+			"integrity": "sha512-Y3wQdFg2Va6etvQ5I82yUhGdsKrcYox6p7FfL1LbK2J4V01F9TGlepTIhnK24t7koZibmg82KGglhA1XK5IsLQ==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=10"
+			}
+		},
+		"node_modules/ms": {
+			"version": "2.1.3",
+			"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+			"integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+			"license": "MIT"
+		},
+		"node_modules/nanoid": {
+			"version": "3.3.11",
+			"resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz",
+			"integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==",
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/ai"
+				}
+			],
+			"license": "MIT",
+			"bin": {
+				"nanoid": "bin/nanoid.cjs"
+			},
+			"engines": {
+				"node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
+			}
+		},
+		"node_modules/natural-compare": {
+			"version": "1.4.0",
+			"resolved": "https://registry.npmjs.org/natural-compare/-/natural-compare-1.4.0.tgz",
+			"integrity": "sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/node-addon-api": {
+			"version": "7.1.1",
+			"resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-7.1.1.tgz",
+			"integrity": "sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==",
+			"license": "MIT",
+			"optional": true
+		},
+		"node_modules/optionator": {
+			"version": "0.9.4",
+			"resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz",
+			"integrity": "sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"deep-is": "^0.1.3",
+				"fast-levenshtein": "^2.0.6",
+				"levn": "^0.4.1",
+				"prelude-ls": "^1.2.1",
+				"type-check": "^0.4.0",
+				"word-wrap": "^1.2.5"
+			},
+			"engines": {
+				"node": ">= 0.8.0"
+			}
+		},
+		"node_modules/p-limit": {
+			"version": "3.1.0",
+			"resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz",
+			"integrity": "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"yocto-queue": "^0.1.0"
+			},
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/p-locate": {
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/p-locate/-/p-locate-5.0.0.tgz",
+			"integrity": "sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"p-limit": "^3.0.2"
+			},
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/parent-module": {
+			"version": "1.0.1",
+			"resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
+			"integrity": "sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"callsites": "^3.0.0"
+			},
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/path-exists": {
+			"version": "4.0.0",
+			"resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+			"integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/path-key": {
+			"version": "3.1.1",
+			"resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
+			"integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/picocolors": {
+			"version": "1.1.1",
+			"resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+			"integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
+			"license": "ISC"
+		},
+		"node_modules/picomatch": {
+			"version": "4.0.3",
+			"resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+			"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=12"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/jonschlinkert"
+			}
+		},
+		"node_modules/playwright": {
+			"version": "1.54.2",
+			"resolved": "https://registry.npmjs.org/playwright/-/playwright-1.54.2.tgz",
+			"integrity": "sha512-Hu/BMoA1NAdRUuulyvQC0pEqZ4vQbGfn8f7wPXcnqQmM+zct9UliKxsIkLNmz/ku7LElUNqmaiv1TG/aL5ACsw==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"dependencies": {
+				"playwright-core": "1.54.2"
+			},
+			"bin": {
+				"playwright": "cli.js"
+			},
+			"engines": {
+				"node": ">=18"
+			},
+			"optionalDependencies": {
+				"fsevents": "2.3.2"
+			}
+		},
+		"node_modules/playwright-core": {
+			"version": "1.54.2",
+			"resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.54.2.tgz",
+			"integrity": "sha512-n5r4HFbMmWsB4twG7tJLDN9gmBUeSPcsBZiWSE4DnYz9mJMAFqr2ID7+eGC9kpEnxExJ1epttwR59LEWCk8mtA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"bin": {
+				"playwright-core": "cli.js"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/postcss": {
+			"version": "8.5.6",
+			"resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
+			"integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+			"funding": [
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/postcss/"
+				},
+				{
+					"type": "tidelift",
+					"url": "https://tidelift.com/funding/github/npm/postcss"
+				},
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/ai"
+				}
+			],
+			"license": "MIT",
+			"dependencies": {
+				"nanoid": "^3.3.11",
+				"picocolors": "^1.1.1",
+				"source-map-js": "^1.2.1"
+			},
+			"engines": {
+				"node": "^10 || ^12 || >=14"
+			}
+		},
+		"node_modules/postcss-load-config": {
+			"version": "3.1.4",
+			"resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.4.tgz",
+			"integrity": "sha512-6DiM4E7v4coTE4uzA8U//WhtPwyhiim3eyjEMFCnUpzbrkK9wJHgKDT2mR+HbtSrd/NubVaYTOpSpjUl8NQeRg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"lilconfig": "^2.0.5",
+				"yaml": "^1.10.2"
+			},
+			"engines": {
+				"node": ">= 10"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/postcss/"
+			},
+			"peerDependencies": {
+				"postcss": ">=8.0.9",
+				"ts-node": ">=9.0.0"
+			},
+			"peerDependenciesMeta": {
+				"postcss": {
+					"optional": true
+				},
+				"ts-node": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/postcss-load-config/node_modules/yaml": {
+			"version": "1.10.2",
+			"resolved": "https://registry.npmjs.org/yaml/-/yaml-1.10.2.tgz",
+			"integrity": "sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==",
+			"dev": true,
+			"license": "ISC",
+			"engines": {
+				"node": ">= 6"
+			}
+		},
+		"node_modules/postcss-safe-parser": {
+			"version": "7.0.1",
+			"resolved": "https://registry.npmjs.org/postcss-safe-parser/-/postcss-safe-parser-7.0.1.tgz",
+			"integrity": "sha512-0AioNCJZ2DPYz5ABT6bddIqlhgwhpHZ/l65YAYo0BCIn0xiDpsnTHz0gnoTGk0OXZW0JRs+cDwL8u/teRdz+8A==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/postcss/"
+				},
+				{
+					"type": "tidelift",
+					"url": "https://tidelift.com/funding/github/npm/postcss-safe-parser"
+				},
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/ai"
+				}
+			],
+			"license": "MIT",
+			"engines": {
+				"node": ">=18.0"
+			},
+			"peerDependencies": {
+				"postcss": "^8.4.31"
+			}
+		},
+		"node_modules/postcss-scss": {
+			"version": "4.0.9",
+			"resolved": "https://registry.npmjs.org/postcss-scss/-/postcss-scss-4.0.9.tgz",
+			"integrity": "sha512-AjKOeiwAitL/MXxQW2DliT28EKukvvbEWx3LBmJIRN8KfBGZbRTxNYW0kSqi1COiTZ57nZ9NW06S6ux//N1c9A==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/postcss/"
+				},
+				{
+					"type": "tidelift",
+					"url": "https://tidelift.com/funding/github/npm/postcss-scss"
+				},
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/ai"
+				}
+			],
+			"license": "MIT",
+			"engines": {
+				"node": ">=12.0"
+			},
+			"peerDependencies": {
+				"postcss": "^8.4.29"
+			}
+		},
+		"node_modules/postcss-selector-parser": {
+			"version": "7.1.0",
+			"resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz",
+			"integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"cssesc": "^3.0.0",
+				"util-deprecate": "^1.0.2"
+			},
+			"engines": {
+				"node": ">=4"
+			}
+		},
+		"node_modules/prelude-ls": {
+			"version": "1.2.1",
+			"resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
+			"integrity": "sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 0.8.0"
+			}
+		},
+		"node_modules/prettier": {
+			"version": "3.6.2",
+			"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.6.2.tgz",
+			"integrity": "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ==",
+			"dev": true,
+			"license": "MIT",
+			"bin": {
+				"prettier": "bin/prettier.cjs"
+			},
+			"engines": {
+				"node": ">=14"
+			},
+			"funding": {
+				"url": "https://github.com/prettier/prettier?sponsor=1"
+			}
+		},
+		"node_modules/prettier-plugin-svelte": {
+			"version": "3.4.0",
+			"resolved": "https://registry.npmjs.org/prettier-plugin-svelte/-/prettier-plugin-svelte-3.4.0.tgz",
+			"integrity": "sha512-pn1ra/0mPObzqoIQn/vUTR3ZZI6UuZ0sHqMK5x2jMLGrs53h0sXhkVuDcrlssHwIMk7FYrMjHBPoUSyyEEDlBQ==",
+			"dev": true,
+			"license": "MIT",
+			"peerDependencies": {
+				"prettier": "^3.0.0",
+				"svelte": "^3.2.0 || ^4.0.0-next.0 || ^5.0.0-next.0"
+			}
+		},
+		"node_modules/prettier-plugin-tailwindcss": {
+			"version": "0.6.14",
+			"resolved": "https://registry.npmjs.org/prettier-plugin-tailwindcss/-/prettier-plugin-tailwindcss-0.6.14.tgz",
+			"integrity": "sha512-pi2e/+ZygeIqntN+vC573BcW5Cve8zUB0SSAGxqpB4f96boZF4M3phPVoOFCeypwkpRYdi7+jQ5YJJUwrkGUAg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=14.21.3"
+			},
+			"peerDependencies": {
+				"@ianvs/prettier-plugin-sort-imports": "*",
+				"@prettier/plugin-hermes": "*",
+				"@prettier/plugin-oxc": "*",
+				"@prettier/plugin-pug": "*",
+				"@shopify/prettier-plugin-liquid": "*",
+				"@trivago/prettier-plugin-sort-imports": "*",
+				"@zackad/prettier-plugin-twig": "*",
+				"prettier": "^3.0",
+				"prettier-plugin-astro": "*",
+				"prettier-plugin-css-order": "*",
+				"prettier-plugin-import-sort": "*",
+				"prettier-plugin-jsdoc": "*",
+				"prettier-plugin-marko": "*",
+				"prettier-plugin-multiline-arrays": "*",
+				"prettier-plugin-organize-attributes": "*",
+				"prettier-plugin-organize-imports": "*",
+				"prettier-plugin-sort-imports": "*",
+				"prettier-plugin-style-order": "*",
+				"prettier-plugin-svelte": "*"
+			},
+			"peerDependenciesMeta": {
+				"@ianvs/prettier-plugin-sort-imports": {
+					"optional": true
+				},
+				"@prettier/plugin-hermes": {
+					"optional": true
+				},
+				"@prettier/plugin-oxc": {
+					"optional": true
+				},
+				"@prettier/plugin-pug": {
+					"optional": true
+				},
+				"@shopify/prettier-plugin-liquid": {
+					"optional": true
+				},
+				"@trivago/prettier-plugin-sort-imports": {
+					"optional": true
+				},
+				"@zackad/prettier-plugin-twig": {
+					"optional": true
+				},
+				"prettier-plugin-astro": {
+					"optional": true
+				},
+				"prettier-plugin-css-order": {
+					"optional": true
+				},
+				"prettier-plugin-import-sort": {
+					"optional": true
+				},
+				"prettier-plugin-jsdoc": {
+					"optional": true
+				},
+				"prettier-plugin-marko": {
+					"optional": true
+				},
+				"prettier-plugin-multiline-arrays": {
+					"optional": true
+				},
+				"prettier-plugin-organize-attributes": {
+					"optional": true
+				},
+				"prettier-plugin-organize-imports": {
+					"optional": true
+				},
+				"prettier-plugin-sort-imports": {
+					"optional": true
+				},
+				"prettier-plugin-style-order": {
+					"optional": true
+				},
+				"prettier-plugin-svelte": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/punycode": {
+			"version": "2.3.1",
+			"resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
+			"integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/queue-microtask": {
+			"version": "1.2.3",
+			"resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
+			"integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/feross"
+				},
+				{
+					"type": "patreon",
+					"url": "https://www.patreon.com/feross"
+				},
+				{
+					"type": "consulting",
+					"url": "https://feross.org/support"
+				}
+			],
+			"license": "MIT"
+		},
+		"node_modules/readdirp": {
+			"version": "4.1.2",
+			"resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.1.2.tgz",
+			"integrity": "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==",
+			"license": "MIT",
+			"engines": {
+				"node": ">= 14.18.0"
+			},
+			"funding": {
+				"type": "individual",
+				"url": "https://paulmillr.com/funding/"
+			}
+		},
+		"node_modules/resolve-from": {
+			"version": "4.0.0",
+			"resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
+			"integrity": "sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=4"
+			}
+		},
+		"node_modules/reusify": {
+			"version": "1.1.0",
+			"resolved": "https://registry.npmjs.org/reusify/-/reusify-1.1.0.tgz",
+			"integrity": "sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"iojs": ">=1.0.0",
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/rollup": {
+			"version": "4.46.2",
+			"resolved": "https://registry.npmjs.org/rollup/-/rollup-4.46.2.tgz",
+			"integrity": "sha512-WMmLFI+Boh6xbop+OAGo9cQ3OgX9MIg7xOQjn+pTCwOkk+FNDAeAemXkJ3HzDJrVXleLOFVa1ipuc1AmEx1Dwg==",
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "1.0.8"
+			},
+			"bin": {
+				"rollup": "dist/bin/rollup"
+			},
+			"engines": {
+				"node": ">=18.0.0",
+				"npm": ">=8.0.0"
+			},
+			"optionalDependencies": {
+				"@rollup/rollup-android-arm-eabi": "4.46.2",
+				"@rollup/rollup-android-arm64": "4.46.2",
+				"@rollup/rollup-darwin-arm64": "4.46.2",
+				"@rollup/rollup-darwin-x64": "4.46.2",
+				"@rollup/rollup-freebsd-arm64": "4.46.2",
+				"@rollup/rollup-freebsd-x64": "4.46.2",
+				"@rollup/rollup-linux-arm-gnueabihf": "4.46.2",
+				"@rollup/rollup-linux-arm-musleabihf": "4.46.2",
+				"@rollup/rollup-linux-arm64-gnu": "4.46.2",
+				"@rollup/rollup-linux-arm64-musl": "4.46.2",
+				"@rollup/rollup-linux-loongarch64-gnu": "4.46.2",
+				"@rollup/rollup-linux-ppc64-gnu": "4.46.2",
+				"@rollup/rollup-linux-riscv64-gnu": "4.46.2",
+				"@rollup/rollup-linux-riscv64-musl": "4.46.2",
+				"@rollup/rollup-linux-s390x-gnu": "4.46.2",
+				"@rollup/rollup-linux-x64-gnu": "4.46.2",
+				"@rollup/rollup-linux-x64-musl": "4.46.2",
+				"@rollup/rollup-win32-arm64-msvc": "4.46.2",
+				"@rollup/rollup-win32-ia32-msvc": "4.46.2",
+				"@rollup/rollup-win32-x64-msvc": "4.46.2",
+				"fsevents": "~2.3.2"
+			}
+		},
+		"node_modules/run-parallel": {
+			"version": "1.2.0",
+			"resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
+			"integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/feross"
+				},
+				{
+					"type": "patreon",
+					"url": "https://www.patreon.com/feross"
+				},
+				{
+					"type": "consulting",
+					"url": "https://feross.org/support"
+				}
+			],
+			"license": "MIT",
+			"dependencies": {
+				"queue-microtask": "^1.2.2"
+			}
+		},
+		"node_modules/sade": {
+			"version": "1.8.1",
+			"resolved": "https://registry.npmjs.org/sade/-/sade-1.8.1.tgz",
+			"integrity": "sha512-xal3CZX1Xlo/k4ApwCFrHVACi9fBqJ7V+mwhBsuf/1IOKbBy098Fex+Wa/5QMubw09pSZ/u8EY8PWgevJsXp1A==",
+			"license": "MIT",
+			"dependencies": {
+				"mri": "^1.1.0"
+			},
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/sass": {
+			"version": "1.90.0",
+			"resolved": "https://registry.npmjs.org/sass/-/sass-1.90.0.tgz",
+			"integrity": "sha512-9GUyuksjw70uNpb1MTYWsH9MQHOHY6kwfnkafC24+7aOMZn9+rVMBxRbLvw756mrBFbIsFg6Xw9IkR2Fnn3k+Q==",
+			"license": "MIT",
+			"dependencies": {
+				"chokidar": "^4.0.0",
+				"immutable": "^5.0.2",
+				"source-map-js": ">=0.6.2 <2.0.0"
+			},
+			"bin": {
+				"sass": "sass.js"
+			},
+			"engines": {
+				"node": ">=14.0.0"
+			},
+			"optionalDependencies": {
+				"@parcel/watcher": "^2.4.1"
+			}
+		},
+		"node_modules/semver": {
+			"version": "7.7.2",
+			"resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
+			"integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
+			"dev": true,
+			"license": "ISC",
+			"bin": {
+				"semver": "bin/semver.js"
+			},
+			"engines": {
+				"node": ">=10"
+			}
+		},
+		"node_modules/set-cookie-parser": {
+			"version": "2.7.1",
+			"resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-2.7.1.tgz",
+			"integrity": "sha512-IOc8uWeOZgnb3ptbCURJWNjWUPcO3ZnTTdzsurqERrP6nPyv+paC55vJM0LpOlT2ne+Ix+9+CRG1MNLlyZ4GjQ==",
+			"license": "MIT"
+		},
+		"node_modules/shebang-command": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
+			"integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"shebang-regex": "^3.0.0"
+			},
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/shebang-regex": {
+			"version": "3.0.0",
+			"resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
+			"integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/sirv": {
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/sirv/-/sirv-3.0.1.tgz",
+			"integrity": "sha512-FoqMu0NCGBLCcAkS1qA+XJIQTR6/JHfQXl+uGteNCQ76T91DMUjPa9xfmeqMY3z80nLSg9yQmNjK0Px6RWsH/A==",
+			"license": "MIT",
+			"dependencies": {
+				"@polka/url": "^1.0.0-next.24",
+				"mrmime": "^2.0.0",
+				"totalist": "^3.0.0"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/source-map-js": {
+			"version": "1.2.1",
+			"resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
+			"integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
+			"license": "BSD-3-Clause",
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/strip-json-comments": {
+			"version": "3.1.1",
+			"resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
+			"integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=8"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/supports-color": {
+			"version": "7.2.0",
+			"resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
+			"integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"has-flag": "^4.0.0"
+			},
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/svelte": {
+			"version": "5.37.3",
+			"resolved": "https://registry.npmjs.org/svelte/-/svelte-5.37.3.tgz",
+			"integrity": "sha512-7t/ejshehHd+95z3Z7ebS7wsqHDQxi/8nBTuTRwpMgNegfRBfuitCSKTUDKIBOExqfT2+DhQ2VLG8Xn+cBXoaQ==",
+			"license": "MIT",
+			"dependencies": {
+				"@ampproject/remapping": "^2.3.0",
+				"@jridgewell/sourcemap-codec": "^1.5.0",
+				"@sveltejs/acorn-typescript": "^1.0.5",
+				"@types/estree": "^1.0.5",
+				"acorn": "^8.12.1",
+				"aria-query": "^5.3.1",
+				"axobject-query": "^4.1.0",
+				"clsx": "^2.1.1",
+				"esm-env": "^1.2.1",
+				"esrap": "^2.1.0",
+				"is-reference": "^3.0.3",
+				"locate-character": "^3.0.0",
+				"magic-string": "^0.30.11",
+				"zimmerframe": "^1.1.2"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/svelte-check": {
+			"version": "4.3.1",
+			"resolved": "https://registry.npmjs.org/svelte-check/-/svelte-check-4.3.1.tgz",
+			"integrity": "sha512-lkh8gff5gpHLjxIV+IaApMxQhTGnir2pNUAqcNgeKkvK5bT/30Ey/nzBxNLDlkztCH4dP7PixkMt9SWEKFPBWg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@jridgewell/trace-mapping": "^0.3.25",
+				"chokidar": "^4.0.1",
+				"fdir": "^6.2.0",
+				"picocolors": "^1.0.0",
+				"sade": "^1.7.4"
+			},
+			"bin": {
+				"svelte-check": "bin/svelte-check"
+			},
+			"engines": {
+				"node": ">= 18.0.0"
+			},
+			"peerDependencies": {
+				"svelte": "^4.0.0 || ^5.0.0-next.0",
+				"typescript": ">=5.0.0"
+			}
+		},
+		"node_modules/svelte-eslint-parser": {
+			"version": "1.3.1",
+			"resolved": "https://registry.npmjs.org/svelte-eslint-parser/-/svelte-eslint-parser-1.3.1.tgz",
+			"integrity": "sha512-0Iztj5vcOVOVkhy1pbo5uA9r+d3yaVoE5XPc9eABIWDOSJZ2mOsZ4D+t45rphWCOr0uMw3jtSG2fh2e7GvKnPg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"eslint-scope": "^8.2.0",
+				"eslint-visitor-keys": "^4.0.0",
+				"espree": "^10.0.0",
+				"postcss": "^8.4.49",
+				"postcss-scss": "^4.0.9",
+				"postcss-selector-parser": "^7.0.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/ota-meshi"
+			},
+			"peerDependencies": {
+				"svelte": "^3.37.0 || ^4.0.0 || ^5.0.0"
+			},
+			"peerDependenciesMeta": {
+				"svelte": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/tailwindcss": {
+			"version": "4.1.11",
+			"resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.11.tgz",
+			"integrity": "sha512-2E9TBm6MDD/xKYe+dvJZAmg3yxIEDNRc0jwlNyDg/4Fil2QcSLjFKGVff0lAf1jjeaArlG/M75Ey/EYr/OJtBA==",
+			"license": "MIT"
+		},
+		"node_modules/tapable": {
+			"version": "2.2.2",
+			"resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.2.tgz",
+			"integrity": "sha512-Re10+NauLTMCudc7T5WLFLAwDhQ0JWdrMK+9B2M8zR5hRExKmsRDCBA7/aV/pNJFltmBFO5BAMlQFi/vq3nKOg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/tar": {
+			"version": "7.4.3",
+			"resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz",
+			"integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"@isaacs/fs-minipass": "^4.0.0",
+				"chownr": "^3.0.0",
+				"minipass": "^7.1.2",
+				"minizlib": "^3.0.1",
+				"mkdirp": "^3.0.1",
+				"yallist": "^5.0.0"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/tinyglobby": {
+			"version": "0.2.14",
+			"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.14.tgz",
+			"integrity": "sha512-tX5e7OM1HnYr2+a2C/4V0htOcSQcoSTH9KgJnVvNm5zm/cyEWKJ7j7YutsH9CxMdtOkkLFy2AHrMci9IM8IPZQ==",
+			"license": "MIT",
+			"dependencies": {
+				"fdir": "^6.4.4",
+				"picomatch": "^4.0.2"
+			},
+			"engines": {
+				"node": ">=12.0.0"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/SuperchupuDev"
+			}
+		},
+		"node_modules/to-regex-range": {
+			"version": "5.0.1",
+			"resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+			"integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+			"devOptional": true,
+			"license": "MIT",
+			"dependencies": {
+				"is-number": "^7.0.0"
+			},
+			"engines": {
+				"node": ">=8.0"
+			}
+		},
+		"node_modules/totalist": {
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/totalist/-/totalist-3.0.1.tgz",
+			"integrity": "sha512-sf4i37nQ2LBx4m3wB74y+ubopq6W/dIzXg0FDGjsYnZHVa1Da8FH853wlL2gtUhg+xJXjfk3kUZS3BRoQeoQBQ==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
+		"node_modules/ts-api-utils": {
+			"version": "2.1.0",
+			"resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.1.0.tgz",
+			"integrity": "sha512-CUgTZL1irw8u29bzrOD/nH85jqyc74D6SshFgujOIA7osm2Rz7dYH77agkx7H4FBNxDq7Cjf+IjaX/8zwFW+ZQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=18.12"
+			},
+			"peerDependencies": {
+				"typescript": ">=4.8.4"
+			}
+		},
+		"node_modules/type-check": {
+			"version": "0.4.0",
+			"resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
+			"integrity": "sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"prelude-ls": "^1.2.1"
+			},
+			"engines": {
+				"node": ">= 0.8.0"
+			}
+		},
+		"node_modules/typescript": {
+			"version": "5.9.2",
+			"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+			"integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"bin": {
+				"tsc": "bin/tsc",
+				"tsserver": "bin/tsserver"
+			},
+			"engines": {
+				"node": ">=14.17"
+			}
+		},
+		"node_modules/typescript-eslint": {
+			"version": "8.39.0",
+			"resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.39.0.tgz",
+			"integrity": "sha512-lH8FvtdtzcHJCkMOKnN73LIn6SLTpoojgJqDAxPm1jCR14eWSGPX8ul/gggBdPMk/d5+u9V854vTYQ8T5jF/1Q==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@typescript-eslint/eslint-plugin": "8.39.0",
+				"@typescript-eslint/parser": "8.39.0",
+				"@typescript-eslint/typescript-estree": "8.39.0",
+				"@typescript-eslint/utils": "8.39.0"
+			},
+			"engines": {
+				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/typescript-eslint"
+			},
+			"peerDependencies": {
+				"eslint": "^8.57.0 || ^9.0.0",
+				"typescript": ">=4.8.4 <6.0.0"
+			}
+		},
+		"node_modules/uri-js": {
+			"version": "4.4.1",
+			"resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
+			"integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==",
+			"dev": true,
+			"license": "BSD-2-Clause",
+			"dependencies": {
+				"punycode": "^2.1.0"
+			}
+		},
+		"node_modules/util-deprecate": {
+			"version": "1.0.2",
+			"resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+			"integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/vite": {
+			"version": "7.0.6",
+			"resolved": "https://registry.npmjs.org/vite/-/vite-7.0.6.tgz",
+			"integrity": "sha512-MHFiOENNBd+Bd9uvc8GEsIzdkn1JxMmEeYX35tI3fv0sJBUTfW5tQsoaOwuY4KhBI09A3dUJ/DXf2yxPVPUceg==",
+			"license": "MIT",
+			"dependencies": {
+				"esbuild": "^0.25.0",
+				"fdir": "^6.4.6",
+				"picomatch": "^4.0.3",
+				"postcss": "^8.5.6",
+				"rollup": "^4.40.0",
+				"tinyglobby": "^0.2.14"
+			},
+			"bin": {
+				"vite": "bin/vite.js"
+			},
+			"engines": {
+				"node": "^20.19.0 || >=22.12.0"
+			},
+			"funding": {
+				"url": "https://github.com/vitejs/vite?sponsor=1"
+			},
+			"optionalDependencies": {
+				"fsevents": "~2.3.3"
+			},
+			"peerDependencies": {
+				"@types/node": "^20.19.0 || >=22.12.0",
+				"jiti": ">=1.21.0",
+				"less": "^4.0.0",
+				"lightningcss": "^1.21.0",
+				"sass": "^1.70.0",
+				"sass-embedded": "^1.70.0",
+				"stylus": ">=0.54.8",
+				"sugarss": "^5.0.0",
+				"terser": "^5.16.0",
+				"tsx": "^4.8.1",
+				"yaml": "^2.4.2"
+			},
+			"peerDependenciesMeta": {
+				"@types/node": {
+					"optional": true
+				},
+				"jiti": {
+					"optional": true
+				},
+				"less": {
+					"optional": true
+				},
+				"lightningcss": {
+					"optional": true
+				},
+				"sass": {
+					"optional": true
+				},
+				"sass-embedded": {
+					"optional": true
+				},
+				"stylus": {
+					"optional": true
+				},
+				"sugarss": {
+					"optional": true
+				},
+				"terser": {
+					"optional": true
+				},
+				"tsx": {
+					"optional": true
+				},
+				"yaml": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/vite/node_modules/fsevents": {
+			"version": "2.3.3",
+			"resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+			"integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+			"hasInstallScript": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+			}
+		},
+		"node_modules/vitefu": {
+			"version": "1.1.1",
+			"resolved": "https://registry.npmjs.org/vitefu/-/vitefu-1.1.1.tgz",
+			"integrity": "sha512-B/Fegf3i8zh0yFbpzZ21amWzHmuNlLlmJT6n7bu5e+pCHUKQIfXSYokrqOBGEMMe9UG2sostKQF9mml/vYaWJQ==",
+			"license": "MIT",
+			"workspaces": [
+				"tests/deps/*",
+				"tests/projects/*",
+				"tests/projects/workspace/packages/*"
+			],
+			"peerDependencies": {
+				"vite": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0-beta.0"
+			},
+			"peerDependenciesMeta": {
+				"vite": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/which": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
+			"integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"isexe": "^2.0.0"
+			},
+			"bin": {
+				"node-which": "bin/node-which"
+			},
+			"engines": {
+				"node": ">= 8"
+			}
+		},
+		"node_modules/word-wrap": {
+			"version": "1.2.5",
+			"resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
+			"integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
+		"node_modules/yallist": {
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz",
+			"integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==",
+			"dev": true,
+			"license": "BlueOak-1.0.0",
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/yocto-queue": {
+			"version": "0.1.0",
+			"resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",
+			"integrity": "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/sindresorhus"
+			}
+		},
+		"node_modules/zimmerframe": {
+			"version": "1.1.2",
+			"resolved": "https://registry.npmjs.org/zimmerframe/-/zimmerframe-1.1.2.tgz",
+			"integrity": "sha512-rAbqEGa8ovJy4pyBxZM70hg4pE6gDgaQ0Sl9M3enG3I0d6H4XSAM3GeNGLKnsBpuijUow064sf7ww1nutC5/3w==",
+			"license": "MIT"
+		}
+	}
+}
diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
new file mode 100644
index 00000000..14815ab3
--- /dev/null
+++ b/examples/encrypted_chat/frontend/package.json
@@ -0,0 +1,50 @@
+{
+	"name": "svelte-latest",
+	"private": true,
+	"version": "0.0.1",
+	"type": "module",
+	"scripts": {
+		"dev": "vite dev",
+		"build": "vite build",
+		"preview": "vite preview",
+		"prepare": "svelte-kit sync || echo ''",
+		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
+		"lint": "eslint . && prettier --check .",
+		"format": "prettier --write .",
+		"test:e2e": "playwright test",
+		"test": "npm run test:e2e"
+	},
+	"devDependencies": {
+		"@eslint/compat": "^1.2.5",
+		"@eslint/js": "^9.18.0",
+		"@playwright/test": "^1.49.1",
+		"@sveltejs/adapter-auto": "^6.0.0",
+		"@sveltejs/kit": "^2.22.0",
+		"@sveltejs/vite-plugin-svelte": "^6.0.0",
+		"@tailwindcss/vite": "^4.0.0",
+		"eslint": "^9.18.0",
+		"eslint-config-prettier": "^10.0.1",
+		"eslint-plugin-svelte": "^3.0.0",
+		"globals": "^16.0.0",
+		"prettier": "^3.4.2",
+		"prettier-plugin-svelte": "^3.3.3",
+		"prettier-plugin-tailwindcss": "^0.6.11",
+		"svelte": "^5.0.0",
+		"svelte-check": "^4.0.0",
+		"tailwindcss": "^4.0.0",
+		"typescript": "^5.0.0",
+		"typescript-eslint": "^8.20.0",
+		"vite": "^7.0.4"
+	},
+	"dependencies": {
+		"@dfinity/agent": "^3.1.0",
+		"@dfinity/auth-client": "^3.1.0",
+		"@skeletonlabs/skeleton": "^3.1.7",
+		"@skeletonlabs/tw-plugin": "^0.4.1",
+		"@sveltejs/adapter-static": "^3.0.8",
+		"idb-keyval": "^6.2.2",
+		"lucide-svelte": "^0.536.0",
+		"sass": "^1.90.0"
+	}
+}
diff --git a/examples/encrypted_chat/frontend/playwright.config.ts b/examples/encrypted_chat/frontend/playwright.config.ts
new file mode 100644
index 00000000..f6c81af8
--- /dev/null
+++ b/examples/encrypted_chat/frontend/playwright.config.ts
@@ -0,0 +1,9 @@
+import { defineConfig } from '@playwright/test';
+
+export default defineConfig({
+	webServer: {
+		command: 'npm run build && npm run preview',
+		port: 4173
+	},
+	testDir: 'e2e'
+});
diff --git a/examples/encrypted_chat/frontend/src/app.css b/examples/encrypted_chat/frontend/src/app.css
new file mode 100644
index 00000000..a4d02052
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/app.css
@@ -0,0 +1,7 @@
+@import 'tailwindcss';
+
+@import '@skeletonlabs/skeleton';
+@import '@skeletonlabs/skeleton/optional/presets';
+@import '@skeletonlabs/skeleton/themes/modern';
+
+@source '../node_modules/@skeletonlabs/skeleton-svelte/dist';
diff --git a/examples/encrypted_chat/frontend/src/app.d.ts b/examples/encrypted_chat/frontend/src/app.d.ts
new file mode 100644
index 00000000..da08e6da
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/app.d.ts
@@ -0,0 +1,13 @@
+// See https://svelte.dev/docs/kit/types#app.d.ts
+// for information about these interfaces
+declare global {
+	namespace App {
+		// interface Error {}
+		// interface Locals {}
+		// interface PageData {}
+		// interface PageState {}
+		// interface Platform {}
+	}
+}
+
+export {};
diff --git a/examples/encrypted_chat/frontend/src/app.html b/examples/encrypted_chat/frontend/src/app.html
new file mode 100644
index 00000000..ba84abc9
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/app.html
@@ -0,0 +1,12 @@
+<!doctype html>
+<html lang="en">
+	<head>
+		<meta charset="utf-8" />
+		<meta name="viewport" content="width=device-width, initial-scale=1" />
+		<title>VetKeys Encrypted Chat</title>
+		%sveltekit.head%
+	</head>
+	<body data-sveltekit-preload-data="hover" data-theme="modern">
+		<div style="display: contents">%sveltekit.body%</div>
+	</body>
+</html>
diff --git a/examples/encrypted_chat/frontend/src/lib/assets/favicon.svg b/examples/encrypted_chat/frontend/src/lib/assets/favicon.svg
new file mode 100644
index 00000000..cc5dc66a
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/assets/favicon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="107" height="128" viewBox="0 0 107 128"><title>svelte-logo</title><path d="M94.157 22.819c-10.4-14.885-30.94-19.297-45.792-9.835L22.282 29.608A29.92 29.92 0 0 0 8.764 49.65a31.5 31.5 0 0 0 3.108 20.231 30 30 0 0 0-4.477 11.183 31.9 31.9 0 0 0 5.448 24.116c10.402 14.887 30.942 19.297 45.791 9.835l26.083-16.624A29.92 29.92 0 0 0 98.235 78.35a31.53 31.53 0 0 0-3.105-20.232 30 30 0 0 0 4.474-11.182 31.88 31.88 0 0 0-5.447-24.116" style="fill:#ff3e00"/><path d="M45.817 106.582a20.72 20.72 0 0 1-22.237-8.243 19.17 19.17 0 0 1-3.277-14.503 18 18 0 0 1 .624-2.435l.49-1.498 1.337.981a33.6 33.6 0 0 0 10.203 5.098l.97.294-.09.968a5.85 5.85 0 0 0 1.052 3.878 6.24 6.24 0 0 0 6.695 2.485 5.8 5.8 0 0 0 1.603-.704L69.27 76.28a5.43 5.43 0 0 0 2.45-3.631 5.8 5.8 0 0 0-.987-4.371 6.24 6.24 0 0 0-6.698-2.487 5.7 5.7 0 0 0-1.6.704l-9.953 6.345a19 19 0 0 1-5.296 2.326 20.72 20.72 0 0 1-22.237-8.243 19.17 19.17 0 0 1-3.277-14.502 17.99 17.99 0 0 1 8.13-12.052l26.081-16.623a19 19 0 0 1 5.3-2.329 20.72 20.72 0 0 1 22.237 8.243 19.17 19.17 0 0 1 3.277 14.503 18 18 0 0 1-.624 2.435l-.49 1.498-1.337-.98a33.6 33.6 0 0 0-10.203-5.1l-.97-.294.09-.968a5.86 5.86 0 0 0-1.052-3.878 6.24 6.24 0 0 0-6.696-2.485 5.8 5.8 0 0 0-1.602.704L37.73 51.72a5.42 5.42 0 0 0-2.449 3.63 5.79 5.79 0 0 0 .986 4.372 6.24 6.24 0 0 0 6.698 2.486 5.8 5.8 0 0 0 1.602-.704l9.952-6.342a19 19 0 0 1 5.295-2.328 20.72 20.72 0 0 1 22.237 8.242 19.17 19.17 0 0 1 3.277 14.503 18 18 0 0 1-8.13 12.053l-26.081 16.622a19 19 0 0 1-5.3 2.328" style="fill:#fff"/></svg>
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
new file mode 100644
index 00000000..e3320428
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -0,0 +1,309 @@
+<script lang="ts">
+	import { Settings, RotateCcw, Info, ArrowLeft } from 'lucide-svelte';
+	import type { Chat, RatchetStats } from '../types';
+	import { chatAPI } from '../services/api';
+	import { chatActions } from '../stores/chat';
+	import GroupManagementModal from './GroupManagementModal.svelte';
+
+	export let chat: Chat;
+	export let showMobileBackButton = false;
+	export let onMobileBack: (() => void) | undefined = undefined;
+
+	let showChatInfo = false;
+	let ratchetStats: RatchetStats | null = null;
+	let loadingRatchetStats = false;
+	let showGroupManagement = false;
+
+	async function handleChatInfoToggle() {
+		showChatInfo = !showChatInfo;
+		if (showChatInfo && !ratchetStats && !loadingRatchetStats) {
+			await loadRatchetStats();
+		}
+	}
+
+	async function loadRatchetStats() {
+		if (!chat) return;
+
+		loadingRatchetStats = true;
+		try {
+			ratchetStats = await chatAPI.getRatchetStats(chat.id);
+		} catch (error) {
+			console.error('Failed to load ratchet stats:', error);
+		} finally {
+			loadingRatchetStats = false;
+		}
+	}
+
+	function getDisplayName(): string {
+		if (chat.type === 'direct') {
+			return chat.participants.find((p) => p.id !== 'current-user')?.name || 'Unknown';
+		}
+		return chat.name;
+	}
+
+	function getDisplayAvatar(): string {
+		if (chat.type === 'direct') {
+			return chat.participants.find((p) => p.id !== 'current-user')?.avatar || '👤';
+		}
+		return chat.avatar || '👥';
+	}
+
+	function getOnlineStatus(): string {
+		if (chat.type === 'direct') {
+			const otherUser = chat.participants.find((p) => p.id !== 'current-user');
+			if (otherUser?.isOnline) return 'Online';
+			if (otherUser?.lastSeen) {
+				const lastSeen = new Date(otherUser.lastSeen);
+				const diff = Date.now() - lastSeen.getTime();
+				const hours = Math.floor(diff / (1000 * 60 * 60));
+				const days = Math.floor(diff / (1000 * 60 * 60 * 24));
+
+				if (hours < 1) return 'Last seen recently';
+				if (hours < 24) return `Last seen ${hours}h ago`;
+				return `Last seen ${days}d ago`;
+			}
+			return 'Offline';
+		}
+		const onlineCount = chat.participants.filter((p) => p.isOnline).length;
+		return `${onlineCount} of ${chat.participants.length} online`;
+	}
+
+	async function rotateKeys() {
+		await chatActions.rotateKeys(chat.id);
+		// Reload ratchet stats after rotation
+		ratchetStats = null;
+		await loadRatchetStats();
+	}
+
+	function formatDate(date: Date): string {
+		return date.toLocaleString();
+	}
+
+	async function handleGroupManagementSave(
+		event: CustomEvent<{ addUsers: string[]; removeUsers: string[]; allowHistoryForNew: boolean }>
+	) {
+		const { addUsers, removeUsers, allowHistoryForNew } = event.detail;
+
+		try {
+			await chatAPI.updateGroupMembers(chat.id, addUsers, removeUsers, allowHistoryForNew);
+
+			chatActions.addNotification({
+				type: 'success',
+				title: 'Group Updated',
+				message: `Successfully updated group membership.`,
+				isDismissible: true,
+				duration: 3000
+			});
+
+			// Here you would typically reload the chat data
+			// For now, we'll just show a success message
+		} catch (error) {
+			console.error('Failed to update group:', error);
+			chatActions.addNotification({
+				type: 'error',
+				title: 'Update Failed',
+				message: 'Failed to update group membership. Please try again.',
+				isDismissible: true
+			});
+		}
+	}
+</script>
+
+<div class="chat-header bg-surface-100-800-token border-surface-300-600-token border-b p-4">
+	<div class="flex items-center justify-between">
+		<!-- Chat info -->
+		<div class="flex items-center gap-3">
+			<!-- Mobile back button -->
+			{#if showMobileBackButton}
+				<button
+					class="variant-ghost-surface btn-icon md:hidden"
+					on:click={onMobileBack}
+					aria-label="Back to chat list"
+				>
+					<ArrowLeft class="h-5 w-5" />
+				</button>
+			{/if}
+			<div
+				class="avatar flex h-10 w-10 items-center justify-center rounded-full bg-primary-500 text-lg"
+			>
+				{getDisplayAvatar()}
+			</div>
+			<div>
+				<h2 class="text-lg font-semibold">{getDisplayName()}</h2>
+				<p class="text-surface-600-300-token text-sm">{getOnlineStatus()}</p>
+			</div>
+		</div>
+
+		<!-- Actions -->
+		<div class="flex items-center gap-2">
+			{#if chat.keyRotationStatus.isRotationNeeded}
+				<button
+					class="variant-filled-warning btn"
+					on:click={rotateKeys}
+					disabled={chat.isUpdating}
+					title="Rotate encryption keys"
+				>
+					<RotateCcw class="h-4 w-4 {chat.isUpdating ? 'animate-spin' : ''}" />
+					Rotate Keys
+				</button>
+			{/if}
+
+			<button
+				class="variant-ghost-surface btn-icon"
+				on:click={handleChatInfoToggle}
+				title="Chat information"
+			>
+				<Info class="h-5 w-5" />
+			</button>
+
+			{#if chat.type === 'group'}
+				<button
+					class="variant-ghost-surface btn-icon"
+					on:click={() => (showGroupManagement = true)}
+					title="Manage group"
+				>
+					<Settings class="h-5 w-5" />
+				</button>
+			{/if}
+		</div>
+	</div>
+
+	<!-- Chat info panel -->
+	{#if showChatInfo}
+		<div class="chat-info bg-surface-200-700-token mt-4 rounded-lg p-4">
+			<h3 class="mb-3 font-semibold">Chat Information</h3>
+
+			<div class="grid grid-cols-1 gap-4 md:grid-cols-2">
+				<!-- Basic info -->
+				<div>
+					<h4 class="mb-2 font-medium">Details</h4>
+					<div class="space-y-2 text-sm">
+						<div class="flex justify-between">
+							<span class="text-surface-600-300-token">Type:</span>
+							<span class="capitalize">{chat.type}</span>
+						</div>
+						<div class="flex justify-between">
+							<span class="text-surface-600-300-token">Participants:</span>
+							<span>{chat.participants.length}</span>
+						</div>
+						<div class="flex justify-between">
+							<span class="text-surface-600-300-token">Disappearing messages:</span>
+							<span
+								>{chat.disappearingMessagesDuration === 0
+									? 'Disabled'
+									: `${chat.disappearingMessagesDuration} days`}</span
+							>
+						</div>
+						<div class="flex justify-between">
+							<span class="text-surface-600-300-token">Status:</span>
+							<span class="flex items-center gap-1">
+								<div
+									class="h-2 w-2 rounded-full {chat.isReady ? 'bg-success-500' : 'bg-error-500'}"
+								></div>
+								{chat.isReady ? 'Ready' : 'Not ready'}
+							</span>
+						</div>
+					</div>
+				</div>
+
+				<!-- Encryption info -->
+				<div>
+					<h4 class="mb-2 font-medium">Encryption</h4>
+					<div class="space-y-2 text-sm">
+						<div class="flex justify-between">
+							<span class="text-surface-600-300-token">Ratchet epoch:</span>
+							<span>{chat.ratchetEpoch}</span>
+						</div>
+						<div class="flex justify-between">
+							<span class="text-surface-600-300-token">Last key rotation:</span>
+							<span>{formatDate(chat.keyRotationStatus.lastRotation)}</span>
+						</div>
+						<div class="flex justify-between">
+							<span class="text-surface-600-300-token">Next rotation:</span>
+							<span>{formatDate(chat.keyRotationStatus.nextRotation)}</span>
+						</div>
+						<div class="flex justify-between">
+							<span class="text-surface-600-300-token">Rotation needed:</span>
+							<span
+								class="text-{chat.keyRotationStatus.isRotationNeeded ? 'warning' : 'success'}-500"
+							>
+								{chat.keyRotationStatus.isRotationNeeded ? 'Yes' : 'No'}
+							</span>
+						</div>
+					</div>
+				</div>
+
+				<!-- Ratchet statistics -->
+				{#if ratchetStats}
+					<div class="col-span-full">
+						<h4 class="mb-2 font-medium">Ratchet Statistics</h4>
+						<div class="grid grid-cols-2 gap-4 text-sm">
+							<div class="flex justify-between">
+								<span class="text-surface-600-300-token">Current epoch:</span>
+								<span>{ratchetStats.currentEpoch}</span>
+							</div>
+							<div class="flex justify-between">
+								<span class="text-surface-600-300-token">Messages in epoch:</span>
+								<span>{ratchetStats.messagesInCurrentEpoch}</span>
+							</div>
+							<div class="flex justify-between">
+								<span class="text-surface-600-300-token">Last rotation:</span>
+								<span>{formatDate(ratchetStats.lastRotation)}</span>
+							</div>
+							<div class="flex justify-between">
+								<span class="text-surface-600-300-token">Next scheduled:</span>
+								<span>{formatDate(ratchetStats.nextScheduledRotation)}</span>
+							</div>
+						</div>
+					</div>
+				{:else if loadingRatchetStats}
+					<div class="col-span-full flex items-center justify-center py-4">
+						<div class="flex items-center gap-2">
+							<RotateCcw class="h-4 w-4 animate-spin" />
+							<span class="text-sm">Loading ratchet statistics...</span>
+						</div>
+					</div>
+				{/if}
+
+				<!-- Participants (for group chats) -->
+				{#if chat.type === 'group'}
+					<div class="col-span-full">
+						<h4 class="mb-2 font-medium">Participants</h4>
+						<div class="space-y-2">
+							{#each chat.participants as participant (participant.id)}
+								<div class="flex items-center gap-2 text-sm">
+									<div
+										class="avatar flex h-6 w-6 items-center justify-center rounded-full bg-primary-500 text-xs"
+									>
+										{participant.avatar || '👤'}
+									</div>
+									<span class="flex-1">{participant.name}</span>
+									<div class="flex items-center gap-1">
+										<div
+											class="h-2 w-2 rounded-full {participant.isOnline
+												? 'bg-success-500'
+												: 'bg-surface-400'}"
+										></div>
+										<span class="text-surface-600-300-token">
+											{participant.isOnline ? 'Online' : 'Offline'}
+										</span>
+									</div>
+								</div>
+							{/each}
+						</div>
+					</div>
+				{/if}
+			</div>
+		</div>
+	{/if}
+</div>
+
+<!-- Group Management Modal -->
+{#if chat.type === 'group'}
+	<GroupManagementModal
+		bind:show={showGroupManagement}
+		groupChat={chat}
+		on:save={handleGroupManagementSave}
+		on:close={() => (showGroupManagement = false)}
+	/>
+{/if}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
new file mode 100644
index 00000000..43ff877a
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
@@ -0,0 +1,95 @@
+<script lang="ts">
+	import { selectedChat, chatActions } from '../stores/chat';
+	import ChatHeader from './ChatHeader.svelte';
+	import MessageHistory from './MessageHistory.svelte';
+	import MessageInput from './MessageInput.svelte';
+	import type { FileUpload } from '../types';
+
+	export let isMobile = false;
+	export let onMobileBack: (() => void) | undefined = undefined;
+
+	async function handleSendMessage(event: CustomEvent<{ content: string; file?: FileUpload }>) {
+		if (!$selectedChat) return;
+
+		const { content, file } = event.detail;
+
+		let fileData;
+		if (file && file.isValid) {
+			// Convert file to array buffer for storage
+			const arrayBuffer = await file.file.arrayBuffer();
+			fileData = {
+				name: file.file.name,
+				size: file.file.size,
+				type: file.file.type,
+				data: arrayBuffer
+			};
+		}
+
+		await chatActions.sendMessage($selectedChat.id, content, fileData);
+	}
+</script>
+
+<div class="chat-interface flex h-full flex-col">
+	{#if $selectedChat}
+		<!-- Chat Header -->
+		<ChatHeader chat={$selectedChat} showMobileBackButton={isMobile} {onMobileBack} />
+
+		<!-- Message History -->
+		<MessageHistory />
+
+		<!-- Message Input -->
+		<MessageInput
+			disabled={!$selectedChat.isReady}
+			placeholder={$selectedChat.isReady ? 'Type a message...' : 'Chat is not ready...'}
+			on:send={handleSendMessage}
+		/>
+	{:else}
+		<!-- No chat selected state -->
+		<div class="no-chat-selected flex flex-1 items-center justify-center">
+			<div class="max-w-md p-8 text-center">
+				<div
+					class="bg-surface-200-700-token mx-auto mb-6 flex h-24 w-24 items-center justify-center rounded-full text-4xl"
+				>
+					💬
+				</div>
+				<h2 class="mb-2 text-xl font-bold">Welcome to VetKeys Chat</h2>
+				<p class="text-surface-600-300-token mb-6">
+					Select a conversation from the sidebar to start chatting securely with end-to-end
+					encryption.
+				</p>
+				<div class="text-surface-600-300-token space-y-2 text-sm">
+					<div class="flex items-center justify-center gap-2">
+						<span>🔒</span>
+						<span>End-to-end encrypted messages</span>
+					</div>
+					<div class="flex items-center justify-center gap-2">
+						<span>🔑</span>
+						<span>Automatic key rotation</span>
+					</div>
+					<div class="flex items-center justify-center gap-2">
+						<span>⏰</span>
+						<span>Disappearing messages support</span>
+					</div>
+				</div>
+			</div>
+		</div>
+	{/if}
+</div>
+
+<style>
+	.chat-interface {
+		background: var(--color-surface-50);
+	}
+
+	:global(.dark) .chat-interface {
+		background: var(--color-surface-900);
+	}
+
+	.no-chat-selected {
+		background: var(--color-surface-100);
+	}
+
+	:global(.dark) .no-chat-selected {
+		background: var(--color-surface-800);
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
new file mode 100644
index 00000000..5ce90088
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -0,0 +1,54 @@
+<script lang="ts">
+	import { chats, selectedChatId, chatActions } from '../stores/chat';
+	import ChatListItem from './ChatListItem.svelte';
+	import UserProfile from './UserProfile.svelte';
+
+	function handleChatSelect(event: CustomEvent<string>) {
+		const chatId = event.detail;
+		chatActions.selectChat(chatId);
+
+		// Load messages for the selected chat
+		chatActions.loadChatMessages(chatId);
+	}
+</script>
+
+<div
+	class="chat-list bg-surface-50-900-token border-surface-300-600-token flex h-full flex-col border-r"
+>
+	<!-- User Profile -->
+	<UserProfile />
+
+	<!-- Chat List Header -->
+	<div class="border-surface-300-600-token border-b p-4">
+		<h2 class="text-lg font-bold">Chats</h2>
+		<p class="text-surface-600-300-token text-sm">
+			{$chats.length} conversation{$chats.length !== 1 ? 's' : ''}
+		</p>
+	</div>
+
+	<!-- Chat List -->
+	<div class="scrollbar-thin flex-1 overflow-y-auto">
+		{#each $chats as chat (chat.id)}
+			<ChatListItem {chat} isSelected={$selectedChatId === chat.id} on:select={handleChatSelect} />
+		{:else}
+			<div class="p-8 text-center text-surface-600-300-token">
+				<p class="text-lg mb-2">No chats yet</p>
+				<p class="text-sm">Your conversations will appear here</p>
+			</div>
+		{/each}
+	</div>
+</div>
+
+<style>
+	.chat-list {
+		width: 320px;
+		min-width: 280px;
+	}
+
+	@media (max-width: 768px) {
+		.chat-list {
+			width: 100%;
+			min-width: 100%;
+		}
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
new file mode 100644
index 00000000..31519ee7
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -0,0 +1,166 @@
+<script lang="ts">
+	import { createEventDispatcher } from 'svelte';
+	import { Clock, Users, User, Loader2, AlertCircle, CheckCircle } from 'lucide-svelte';
+	import type { Chat } from '../types';
+
+	export let chat: Chat;
+	export let isSelected = false;
+
+	const dispatch = createEventDispatcher<{
+		select: string;
+	}>();
+
+	function handleClick() {
+		dispatch('select', chat.id);
+	}
+
+	function formatTime(date: Date): string {
+		const now = new Date();
+		const diff = now.getTime() - date.getTime();
+		const minutes = Math.floor(diff / (1000 * 60));
+		const hours = Math.floor(diff / (1000 * 60 * 60));
+		const days = Math.floor(diff / (1000 * 60 * 60 * 24));
+
+		if (minutes < 1) return 'now';
+		if (minutes < 60) return `${minutes}m`;
+		if (hours < 24) return `${hours}h`;
+		if (days < 7) return `${days}d`;
+		return date.toLocaleDateString();
+	}
+
+	function getDisplayName(): string {
+		if (chat.type === 'direct') {
+			return chat.participants.find((p) => p.id !== 'current-user')?.name || 'Unknown';
+		}
+		return chat.name;
+	}
+
+	function getDisplayAvatar(): string {
+		if (chat.type === 'direct') {
+			return chat.participants.find((p) => p.id !== 'current-user')?.avatar || '👤';
+		}
+		return chat.avatar || '👥';
+	}
+
+	function getStatusColor(): string {
+		if (!chat.isReady) return 'status-error';
+		if (chat.isUpdating) return 'status-updating';
+		return 'status-ready';
+	}
+
+	function getStatusIcon() {
+		if (!chat.isReady) return AlertCircle;
+		if (chat.isUpdating) return Loader2;
+		return CheckCircle;
+	}
+</script>
+
+<button
+	class="chat-item w-full p-3 text-left transition-colors duration-200 {isSelected
+		? 'selected'
+		: 'hover:bg-surface-100-800-token'}"
+	on:click={handleClick}
+>
+	<div class="flex items-center gap-3">
+		<!-- Avatar -->
+		<div class="relative">
+			<div
+				class="avatar flex h-12 w-12 items-center justify-center rounded-full bg-primary-500 text-lg"
+			>
+				{getDisplayAvatar()}
+			</div>
+			<!-- Status indicator -->
+			<div class="absolute -right-1 -bottom-1">
+				<div class="h-4 w-4 rounded-full {getStatusColor()} flex items-center justify-center">
+					<svelte:component this={getStatusIcon()} class="h-2.5 w-2.5 text-white" />
+				</div>
+			</div>
+		</div>
+
+		<!-- Chat info -->
+		<div class="min-w-0 flex-1">
+			<div class="mb-1 flex items-center justify-between">
+				<h3 class="truncate text-sm font-semibold">{getDisplayName()}</h3>
+				<div class="flex items-center gap-2">
+					{#if chat.type === 'group'}
+						<Users class="text-surface-600-300-token h-3 w-3" />
+					{:else}
+						<User class="text-surface-600-300-token h-3 w-3" />
+					{/if}
+					<span class="text-surface-600-300-token text-xs">
+						{formatTime(chat.lastActivity)}
+					</span>
+				</div>
+			</div>
+
+			<div class="flex items-center justify-between">
+				<p class="text-surface-600-300-token truncate text-sm">
+					{#if chat.lastMessage}
+						{chat.lastMessage.content}
+					{:else}
+						No messages yet
+					{/if}
+				</p>
+
+				{#if chat.unreadCount > 0}
+					<div
+						class="unread-badge flex h-5 min-w-[20px] items-center justify-center rounded-full bg-primary-500 px-2 py-1 text-xs text-white"
+					>
+						{chat.unreadCount > 99 ? '99+' : chat.unreadCount}
+					</div>
+				{/if}
+			</div>
+
+			<!-- Chat status info -->
+			<div class="mt-1 flex items-center gap-2">
+				{#if chat.disappearingMessagesDuration > 0}
+					<div
+						class="status-chip bg-surface-200-700-token flex items-center gap-1 rounded px-2 py-0.5 text-xs"
+					>
+						<Clock class="h-3 w-3" />
+						{chat.disappearingMessagesDuration}d
+					</div>
+				{/if}
+
+				{#if chat.keyRotationStatus.isRotationNeeded}
+					<div class="status-chip rounded bg-warning-500 px-2 py-0.5 text-xs text-white">
+						Key rotation needed
+					</div>
+				{/if}
+
+				<div class="status-chip bg-surface-200-700-token rounded px-2 py-0.5 text-xs">
+					Epoch {chat.ratchetEpoch}
+				</div>
+			</div>
+		</div>
+	</div>
+</button>
+
+<style>
+	.chat-item {
+		border-bottom: 1px solid var(--color-surface-300);
+	}
+
+	:global(.dark) .chat-item {
+		border-bottom-color: var(--color-surface-600);
+	}
+
+	.chat-item.selected {
+		background: var(--color-primary-100);
+		border-right: 3px solid var(--color-primary-500);
+	}
+
+	:global(.dark) .chat-item.selected {
+		background: var(--color-primary-900);
+	}
+
+	.unread-badge {
+		font-size: 10px;
+		line-height: 1;
+	}
+
+	.status-chip {
+		font-size: 10px;
+		line-height: 1;
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte b/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
new file mode 100644
index 00000000..95c0fda1
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
@@ -0,0 +1,228 @@
+<script lang="ts">
+	import { createEventDispatcher } from 'svelte';
+
+	export let show = false;
+
+	const dispatch = createEventDispatcher<{
+		select: string;
+		close: void;
+	}>();
+
+	const emojiCategories = {
+		Faces: [
+			'😀',
+			'😃',
+			'😄',
+			'😁',
+			'😆',
+			'😅',
+			'😂',
+			'🤣',
+			'😊',
+			'😇',
+			'🙂',
+			'🙃',
+			'😉',
+			'😌',
+			'😍',
+			'🥰',
+			'😘',
+			'😗',
+			'😙',
+			'😚',
+			'😋',
+			'😛',
+			'😝',
+			'😜',
+			'🤪',
+			'🤨',
+			'🧐',
+			'🤓',
+			'😎',
+			'🤩'
+		],
+		Hands: [
+			'👍',
+			'👎',
+			'👌',
+			'🤌',
+			'🤏',
+			'✌️',
+			'🤞',
+			'🤟',
+			'🤘',
+			'🤙',
+			'👈',
+			'👉',
+			'👆',
+			'🖕',
+			'👇',
+			'☝️',
+			'👋',
+			'🤚',
+			'🖐️',
+			'✋',
+			'🖖',
+			'👏',
+			'🙌',
+			'🤲',
+			'🤝',
+			'🙏'
+		],
+		Objects: [
+			'❤️',
+			'🧡',
+			'💛',
+			'💚',
+			'💙',
+			'💜',
+			'🖤',
+			'🤍',
+			'🤎',
+			'💔',
+			'❣️',
+			'💕',
+			'💞',
+			'💓',
+			'💗',
+			'💖',
+			'💘',
+			'💝',
+			'💟',
+			'⚡',
+			'💥',
+			'💫',
+			'⭐',
+			'🌟',
+			'✨',
+			'💎',
+			'🔥',
+			'💯'
+		],
+		Symbols: [
+			'✅',
+			'❌',
+			'⚠️',
+			'🚀',
+			'🔒',
+			'🔓',
+			'🔑',
+			'🛡️',
+			'⭐',
+			'💫',
+			'✨',
+			'🎯',
+			'🏆',
+			'🎉',
+			'🎊',
+			'💡',
+			'📢',
+			'📣',
+			'📯',
+			'🔔',
+			'🔕',
+			'🆕',
+			'🆓',
+			'🆒',
+			'🔥',
+			'💯',
+			'✔️',
+			'❗',
+			'❓',
+			'ℹ️'
+		]
+	};
+
+	function selectEmoji(emoji: string) {
+		dispatch('select', emoji);
+		show = false;
+	}
+
+	function closeModal() {
+		dispatch('close');
+		show = false;
+	}
+
+	// Close on outside click
+	function handleOutsideClick(event: MouseEvent) {
+		const target = event.target as Element;
+		if (target && !target.closest('.emoji-picker')) {
+			closeModal();
+		}
+	}
+</script>
+
+{#if show}
+	<!-- Backdrop -->
+	<div
+		class="bg-opacity-25 fixed inset-0 z-40 bg-black"
+		on:click={handleOutsideClick}
+		role="button"
+		tabindex="-1"
+		on:keydown={() => {}}
+	></div>
+
+	<!-- Emoji Picker -->
+	<div
+		class="emoji-picker bg-surface-100-800-token border-surface-300-600-token fixed right-4 bottom-20 z-50 max-w-sm rounded-lg border p-4 shadow-xl"
+	>
+		<div class="mb-4 flex items-center justify-between">
+			<h3 class="text-sm font-semibold">Add Emoji</h3>
+			<button
+				class="variant-ghost-surface btn-icon"
+				on:click={closeModal}
+				aria-label="Close emoji picker"
+			>
+				×
+			</button>
+		</div>
+
+		<div class="emoji-grid scrollbar-thin max-h-64 overflow-y-auto">
+			{#each Object.entries(emojiCategories) as [category, emojis] (category)}
+				<div class="emoji-category mb-4">
+					<h4 class="text-surface-600-300-token mb-2 text-xs font-medium">{category}</h4>
+					<div class="grid grid-cols-8 gap-1">
+						{#each emojis as emoji (emoji)}
+							<button
+								class="emoji-button hover:bg-surface-200-700-token flex h-8 w-8 items-center justify-center rounded text-lg transition-colors"
+								on:click={() => selectEmoji(emoji)}
+								title={emoji}
+							>
+								{emoji}
+							</button>
+						{/each}
+					</div>
+				</div>
+			{/each}
+		</div>
+
+		<div class="border-surface-300-600-token mt-4 border-t pt-3">
+			<p class="text-surface-600-300-token text-xs">
+				You can also type emoji shortcodes like <code>:smile:</code>, <code>:heart:</code>,
+				<code>:rocket:</code>
+			</p>
+		</div>
+	</div>
+{/if}
+
+<style>
+	.emoji-picker {
+		width: 320px;
+		max-height: 400px;
+	}
+
+	.emoji-button:hover {
+		transform: scale(1.1);
+	}
+
+	code {
+		background: var(--color-surface-200);
+		padding: 1px 4px;
+		border-radius: 3px;
+		font-size: 10px;
+	}
+
+	:global(.dark) code {
+		background: var(--color-surface-700);
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
new file mode 100644
index 00000000..86356ee5
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -0,0 +1,258 @@
+<script lang="ts">
+	import { createEventDispatcher } from 'svelte';
+	import { UserPlus, UserMinus, X, Save, Users } from 'lucide-svelte';
+	import type { GroupChat, User } from '../types';
+
+	export let show = false;
+	export let groupChat: GroupChat;
+
+	const dispatch = createEventDispatcher<{
+		close: void;
+		save: { addUsers: string[]; removeUsers: string[]; allowHistoryForNew: boolean };
+	}>();
+
+	// Dummy users that could be added to the group
+	const availableUsers: User[] = [
+		{ id: 'user-frank', name: 'Frank Miller', avatar: '👨‍🏫', isOnline: true },
+		{ id: 'user-grace', name: 'Grace Lee', avatar: '👩‍⚕️', isOnline: false },
+		{ id: 'user-henry', name: 'Henry Taylor', avatar: '👨‍🎤', isOnline: true },
+		{ id: 'user-ivy', name: 'Ivy Chen', avatar: '👩‍🎨', isOnline: false }
+	];
+
+	let selectedToAdd: string[] = [];
+	let selectedToRemove: string[] = [];
+	let allowHistoryForNew = false;
+
+	function toggleAddUser(userId: string) {
+		if (selectedToAdd.includes(userId)) {
+			selectedToAdd = selectedToAdd.filter((id) => id !== userId);
+		} else {
+			selectedToAdd = [...selectedToAdd, userId];
+		}
+	}
+
+	function toggleRemoveUser(userId: string) {
+		if (selectedToRemove.includes(userId)) {
+			selectedToRemove = selectedToRemove.filter((id) => id !== userId);
+		} else {
+			selectedToRemove = [...selectedToRemove, userId];
+		}
+	}
+
+	function handleSave() {
+		dispatch('save', {
+			addUsers: selectedToAdd,
+			removeUsers: selectedToRemove,
+			allowHistoryForNew
+		});
+		handleClose();
+	}
+
+	function handleClose() {
+		show = false;
+		selectedToAdd = [];
+		selectedToRemove = [];
+		allowHistoryForNew = false;
+		dispatch('close');
+	}
+
+	function canRemoveUser(userId: string): boolean {
+		// Can't remove current user or admin
+		return userId !== 'current-user' && userId !== groupChat.adminId;
+	}
+
+	// Filter available users to only show those not in the group
+	let usersToShow: User[] = [];
+	$: usersToShow = availableUsers.filter(
+		(user) => !groupChat.participants.some((p) => p.id === user.id)
+	);
+</script>
+
+{#if show}
+	<!-- Backdrop -->
+	<div class="bg-opacity-50 fixed inset-0 z-50 flex items-center justify-center bg-black p-4">
+		<!-- Modal -->
+		<div
+			class="bg-surface-100-800-token max-h-[80vh] w-full max-w-2xl overflow-hidden rounded-lg shadow-xl"
+		>
+			<!-- Header -->
+			<div class="border-surface-300-600-token flex items-center justify-between border-b p-6">
+				<div class="flex items-center gap-3">
+					<Users class="h-6 w-6" />
+					<h2 class="text-lg font-bold">Manage Group: {groupChat.name}</h2>
+				</div>
+				<button class="variant-ghost-surface btn-icon" on:click={handleClose} aria-label="Close">
+					<X class="h-5 w-5" />
+				</button>
+			</div>
+
+			<!-- Content -->
+			<div class="max-h-[60vh] space-y-6 overflow-y-auto p-6">
+				<!-- Current Members -->
+				<div>
+					<h3 class="mb-3 font-semibold">Current Members ({groupChat.participants.length})</h3>
+					<div class="space-y-2">
+						{#each groupChat.participants as member (member.id)}
+							<div
+								class="bg-surface-200-700-token flex items-center justify-between rounded-lg p-3"
+							>
+								<div class="flex items-center gap-3">
+									<div
+										class="avatar flex h-8 w-8 items-center justify-center rounded-full bg-primary-500 text-sm"
+									>
+										{member.avatar || '👤'}
+									</div>
+									<div>
+										<p class="text-sm font-medium">{member.name}</p>
+										<div class="text-surface-600-300-token flex items-center gap-2 text-xs">
+											<div
+												class="h-2 w-2 rounded-full {member.isOnline
+													? 'bg-success-500'
+													: 'bg-surface-400'}"
+											></div>
+											{member.isOnline ? 'Online' : 'Offline'}
+											{#if member.id === groupChat.adminId}
+												<span class="rounded bg-primary-500 px-2 py-0.5 text-xs text-white"
+													>Admin</span
+												>
+											{/if}
+											{#if member.id === 'current-user'}
+												<span class="rounded bg-surface-400 px-2 py-0.5 text-xs text-white"
+													>You</span
+												>
+											{/if}
+										</div>
+									</div>
+								</div>
+
+								{#if canRemoveUser(member.id)}
+									<button
+										class="variant-ghost-error btn-icon"
+										on:click={() => toggleRemoveUser(member.id)}
+										class:variant-filled-error={selectedToRemove.includes(member.id)}
+										title="Remove from group"
+									>
+										<UserMinus class="h-4 w-4" />
+									</button>
+								{/if}
+							</div>
+						{/each}
+					</div>
+				</div>
+
+				<!-- Add New Members -->
+				{#if usersToShow.length > 0}
+					<div>
+						<h3 class="mb-3 font-semibold">Add Members</h3>
+						<div class="space-y-2">
+							{#each usersToShow as user (user.id)}
+								<div
+									class="bg-surface-200-700-token flex items-center justify-between rounded-lg p-3"
+								>
+									<div class="flex items-center gap-3">
+										<div
+											class="avatar flex h-8 w-8 items-center justify-center rounded-full bg-primary-500 text-sm"
+										>
+											{user.avatar || '👤'}
+										</div>
+										<div>
+											<p class="text-sm font-medium">{user.name}</p>
+											<div class="text-surface-600-300-token flex items-center gap-2 text-xs">
+												<div
+													class="h-2 w-2 rounded-full {user.isOnline
+														? 'bg-success-500'
+														: 'bg-surface-400'}"
+												></div>
+												{user.isOnline ? 'Online' : 'Offline'}
+											</div>
+										</div>
+									</div>
+
+									<button
+										class="variant-ghost-success btn-icon"
+										on:click={() => toggleAddUser(user.id)}
+										class:variant-filled-success={selectedToAdd.includes(user.id)}
+										title="Add to group"
+									>
+										<UserPlus class="h-4 w-4" />
+									</button>
+								</div>
+							{/each}
+						</div>
+					</div>
+				{:else}
+					<div class="text-surface-600-300-token py-8 text-center">
+						<Users class="mx-auto mb-2 h-12 w-12 opacity-50" />
+						<p>No additional users available to add</p>
+					</div>
+				{/if}
+
+				<!-- Options -->
+				{#if selectedToAdd.length > 0}
+					<div>
+						<h3 class="mb-3 font-semibold">Options</h3>
+						<label
+							class="bg-surface-200-700-token flex cursor-pointer items-center gap-3 rounded-lg p-3"
+						>
+							<input type="checkbox" bind:checked={allowHistoryForNew} class="checkbox" />
+							<div>
+								<p class="text-sm font-medium">Allow new members to see chat history</p>
+								<p class="text-surface-600-300-token text-xs">
+									New members will be able to see messages sent before they joined
+								</p>
+							</div>
+						</label>
+					</div>
+				{/if}
+
+				<!-- Summary -->
+				{#if selectedToAdd.length > 0 || selectedToRemove.length > 0}
+					<div class="rounded-lg border border-primary-500/20 bg-primary-500/10 p-4">
+						<h4 class="mb-2 text-sm font-semibold">Changes Summary</h4>
+						<div class="space-y-1 text-sm">
+							{#if selectedToAdd.length > 0}
+								<p class="text-success-500">
+									+ {selectedToAdd.length} member{selectedToAdd.length !== 1 ? 's' : ''} to add
+								</p>
+							{/if}
+							{#if selectedToRemove.length > 0}
+								<p class="text-error-500">
+									- {selectedToRemove.length} member{selectedToRemove.length !== 1 ? 's' : ''} to remove
+								</p>
+							{/if}
+						</div>
+					</div>
+				{/if}
+			</div>
+
+			<!-- Footer -->
+			<div class="border-surface-300-600-token flex items-center justify-end gap-3 border-t p-6">
+				<button class="variant-ghost-surface btn" on:click={handleClose}> Cancel </button>
+				<button
+					class="variant-filled-primary btn"
+					on:click={handleSave}
+					disabled={selectedToAdd.length === 0 && selectedToRemove.length === 0}
+				>
+					<Save class="mr-2 h-4 w-4" />
+					Save Changes
+				</button>
+			</div>
+		</div>
+	</div>
+{/if}
+
+<style>
+	.checkbox {
+		width: 1rem;
+		height: 1rem;
+		border: 2px solid var(--color-surface-400);
+		border-radius: 0.25rem;
+		background: transparent;
+		cursor: pointer;
+	}
+
+	.checkbox:checked {
+		background: var(--color-primary-500);
+		border-color: var(--color-primary-500);
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
new file mode 100644
index 00000000..c0705901
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
@@ -0,0 +1,188 @@
+<script lang="ts">
+	import { Download, File } from 'lucide-svelte';
+	import type { Message, User } from '../types';
+
+	export let message: Message;
+	export let sender: User | null = null;
+	export let isOwnMessage: boolean = false;
+	export let showAvatar: boolean = true;
+	export let showTimestamp: boolean = true;
+
+	function formatTime(date: Date): string {
+		return date.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit' });
+	}
+
+	function formatFileSize(bytes: number): string {
+		if (bytes === 0) return '0 B';
+		const k = 1024;
+		const sizes = ['B', 'KB', 'MB', 'GB'];
+		const i = Math.floor(Math.log(bytes) / Math.log(k));
+		return parseFloat((bytes / Math.pow(k, i)).toFixed(1)) + ' ' + sizes[i];
+	}
+
+	function downloadFile() {
+		if (!message.fileData) return;
+
+		const blob = new Blob([message.fileData.data], { type: message.fileData.type });
+		const url = URL.createObjectURL(blob);
+		const a = document.createElement('a');
+		a.href = url;
+		a.download = message.fileData.name;
+		document.body.appendChild(a);
+		a.click();
+		document.body.removeChild(a);
+		URL.revokeObjectURL(url);
+	}
+
+	function isImageFile(type: string): boolean {
+		return type.startsWith('image/');
+	}
+
+	// Convert emoji shortcodes to actual emojis (simple implementation)
+	function parseEmojis(text: string): string {
+		const emojiMap: { [key: string]: string } = {
+			':smile:': '😊',
+			':heart:': '❤️',
+			':thumbs_up:': '👍',
+			':fire:': '🔥',
+			':rocket:': '🚀',
+			':check:': '✅',
+			':x:': '❌',
+			':warning:': '⚠️',
+			':info:': 'ℹ️',
+			':question:': '❓',
+			':exclamation:': '❗',
+			':lock:': '🔒',
+			':unlock:': '🔓',
+			':key:': '🔑'
+		};
+
+		let result = text;
+		for (const [shortcode, emoji] of Object.entries(emojiMap)) {
+			result = result.replace(new RegExp(shortcode, 'g'), emoji);
+		}
+		return result;
+	}
+</script>
+
+<div
+	class="message-container flex gap-3 px-4 py-2 {isOwnMessage ? 'flex-row-reverse' : 'flex-row'}"
+>
+	<!-- Avatar -->
+	{#if showAvatar && !isOwnMessage}
+		<div
+			class="avatar flex h-8 w-8 flex-shrink-0 items-center justify-center rounded-full bg-primary-500 text-sm"
+		>
+			{sender?.avatar || '👤'}
+		</div>
+	{:else if showAvatar && isOwnMessage}
+		<div class="w-8"></div>
+	{/if}
+
+	<!-- Message content -->
+	<div class="message-content max-w-[70%] {isOwnMessage ? 'text-right' : 'text-left'}">
+		<!-- Sender name (for group chats when not own message) -->
+		{#if !isOwnMessage && sender && showAvatar}
+			<div class="text-surface-600-300-token mb-1 text-xs font-medium">
+				{sender.name}
+			</div>
+		{/if}
+
+		<!-- Message bubble -->
+		<div
+			class="message-bubble {isOwnMessage
+				? 'own-message'
+				: 'other-message'} max-w-full rounded-2xl px-3 py-2 break-words"
+		>
+			{#if message.type === 'text'}
+				<!-- eslint-disable-next-line svelte/no-at-html-tags -->
+				<p class="text-sm whitespace-pre-wrap">{@html parseEmojis(message.content)}</p>
+			{:else if message.type === 'file' && message.fileData}
+				<div class="file-message">
+					{#if isImageFile(message.fileData.type)}
+						<div class="image-preview mb-2">
+							<img
+								src="data:{message.fileData.type};base64,{btoa(
+									String.fromCharCode(...new Uint8Array(message.fileData.data))
+								)}"
+								alt={message.fileData.name}
+								class="h-auto max-w-full rounded-lg"
+								style="max-height: 300px;"
+							/>
+						</div>
+					{:else}
+						<div class="file-icon mb-2">
+							<File class="text-surface-600-300-token mx-auto h-8 w-8" />
+						</div>
+					{/if}
+
+					<div class="file-info bg-surface-100-800-token rounded p-2">
+						<div class="flex items-center justify-between">
+							<div class="min-w-0 flex-1">
+								<p class="truncate text-sm font-medium">{message.fileData.name}</p>
+								<p class="text-surface-600-300-token text-xs">
+									{formatFileSize(message.fileData.size)}
+								</p>
+							</div>
+							<button
+								class="variant-ghost-surface ml-2 btn-icon"
+								on:click={downloadFile}
+								aria-label="Download file"
+							>
+								<Download class="h-4 w-4" />
+							</button>
+						</div>
+					</div>
+				</div>
+			{/if}
+		</div>
+
+		<!-- Timestamp and status -->
+		{#if showTimestamp}
+			<div
+				class="message-meta text-surface-600-300-token mt-1 text-xs {isOwnMessage
+					? 'text-right'
+					: 'text-left'}"
+			>
+				<span>{formatTime(message.timestamp)}</span>
+				{#if message.isEncrypted}
+					<span class="ml-1">🔒</span>
+				{/if}
+				<span class="ml-1 opacity-70">Epoch {message.ratchetEpoch}</span>
+			</div>
+		{/if}
+	</div>
+</div>
+
+<style>
+	.message-bubble.own-message {
+		background: var(--color-primary-500);
+		color: white;
+	}
+
+	.message-bubble.other-message {
+		background: var(--color-surface-200);
+		color: var(--color-surface-900);
+	}
+
+	:global(.dark) .message-bubble.other-message {
+		background: var(--color-surface-700);
+		color: var(--color-surface-100);
+	}
+
+	.file-message {
+		min-width: 200px;
+	}
+
+	.message-container {
+		transition: all 0.2s ease;
+	}
+
+	.message-container:hover {
+		background: var(--color-surface-100);
+	}
+
+	:global(.dark) .message-container:hover {
+		background: var(--color-surface-800);
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
new file mode 100644
index 00000000..c1ff2468
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
@@ -0,0 +1,237 @@
+<script lang="ts">
+	import { selectedChatMessages, selectedChat } from '../stores/chat';
+	import MessageBubble from './MessageBubble.svelte';
+	import type { Message, User } from '../types';
+	import { SvelteDate } from 'svelte/reactivity';
+
+	let messagesContainer: HTMLDivElement | undefined = $state(undefined);
+	let autoScroll = $state(true);
+
+	// Scroll to bottom when new messages arrive
+	$effect(() => {
+		if (autoScroll && messagesContainer && $selectedChatMessages) {
+			messagesContainer.scrollTop = messagesContainer.scrollHeight;
+		}
+	});
+
+	// Check if user has scrolled up (disable auto-scroll)
+	function handleScroll() {
+		if (!messagesContainer) return;
+
+		const { scrollTop, scrollHeight, clientHeight } = messagesContainer;
+		const isAtBottom = scrollTop + clientHeight >= scrollHeight - 50;
+		autoScroll = isAtBottom;
+	}
+
+	function scrollToBottom() {
+		if (messagesContainer) {
+			messagesContainer.scrollTop = messagesContainer.scrollHeight;
+			autoScroll = true;
+		}
+	}
+
+	function getSender(message: Message): User | null {
+		if (!$selectedChat) return null;
+
+		return $selectedChat.participants.find((p) => p.id === message.senderId) || null;
+	}
+
+	function isOwnMessage(message: Message): boolean {
+		return message.senderId === 'current-user';
+	}
+
+	function shouldShowAvatar(message: Message, index: number): boolean {
+		if (isOwnMessage(message)) return false;
+		if (index === 0) return true;
+
+		const prevMessage = $selectedChatMessages[index - 1];
+		return prevMessage.senderId !== message.senderId;
+	}
+
+	function shouldShowTimestamp(message: Message, index: number): boolean {
+		if (index === $selectedChatMessages.length - 1) return true;
+
+		const nextMessage = $selectedChatMessages[index + 1];
+		const timeDiff = nextMessage.timestamp.getTime() - message.timestamp.getTime();
+
+		// Show timestamp if next message is more than 5 minutes later
+		return timeDiff > 5 * 60 * 1000;
+	}
+
+	function formatDateSeparator(date: Date): string {
+		const today = new SvelteDate();
+		const yesterday = new SvelteDate(today);
+		yesterday.setDate(yesterday.getDate() - 1);
+
+		if (date.toDateString() === today.toDateString()) {
+			return 'Today';
+		} else if (date.toDateString() === yesterday.toDateString()) {
+			return 'Yesterday';
+		} else {
+			return date.toLocaleDateString();
+		}
+	}
+
+	function shouldShowDateSeparator(message: Message, index: number): boolean {
+		if (index === 0) return true;
+
+		const prevMessage = $selectedChatMessages[index - 1];
+		const messageDate = message.timestamp;
+		const prevDate = prevMessage.timestamp;
+
+		return messageDate.toDateString() !== prevDate.toDateString();
+	}
+
+	// Get participant info for display
+	function getParticipantInfo(): string {
+		if (!$selectedChat) return '';
+
+		if ($selectedChat.type === 'direct') {
+			const otherUser = $selectedChat.participants.find((p) => p.id !== 'current-user');
+			return otherUser ? `This is the beginning of your conversation with ${otherUser.name}` : '';
+		}
+
+		return `This is the beginning of the ${$selectedChat.name} group chat`;
+	}
+</script>
+
+<div class="message-history flex min-h-0 flex-1 flex-col">
+	{#if $selectedChat}
+		<div
+			bind:this={messagesContainer}
+			onscroll={handleScroll}
+			class="messages-container scrollbar-thin flex-1 overflow-y-auto"
+		>
+			{#if $selectedChatMessages.length === 0}
+				<!-- Empty state -->
+				<div class="empty-state flex h-full flex-col items-center justify-center p-8 text-center">
+					<div
+						class="avatar mb-4 flex h-16 w-16 items-center justify-center rounded-full bg-primary-500 text-2xl"
+					>
+						{#if $selectedChat.type === 'direct'}
+							{$selectedChat.participants.find((p) => p.id !== 'current-user')?.avatar || '👤'}
+						{:else}
+							{$selectedChat.avatar || '👥'}
+						{/if}
+					</div>
+					<h3 class="mb-2 text-lg font-semibold">
+						{#if $selectedChat.type === 'direct'}
+							{$selectedChat.participants.find((p) => p.id !== 'current-user')?.name || 'Unknown'}
+						{:else}
+							{$selectedChat.name}
+						{/if}
+					</h3>
+					<p class="text-surface-600-300-token mb-4 max-w-md">
+						{getParticipantInfo()}
+					</p>
+					{#if $selectedChat.disappearingMessagesDuration > 0}
+						<div class="alert variant-ghost-warning">
+							<span class="text-sm">
+								🕐 Messages disappear after {$selectedChat.disappearingMessagesDuration} day{$selectedChat.disappearingMessagesDuration !==
+								1
+									? 's'
+									: ''}
+							</span>
+						</div>
+					{/if}
+				</div>
+			{:else}
+				<!-- Messages -->
+				<div class="messages-list py-4">
+					{#each $selectedChatMessages as message, index (message.id)}
+						<!-- Date separator -->
+						{#if shouldShowDateSeparator(message, index)}
+							<div class="date-separator flex items-center justify-center py-4">
+								<div
+									class="bg-surface-200-700-token text-surface-600-300-token rounded-full px-3 py-1 text-xs"
+								>
+									{formatDateSeparator(message.timestamp)}
+								</div>
+							</div>
+						{/if}
+
+						<!-- Message -->
+						<div class="message-enter">
+							<MessageBubble
+								{message}
+								sender={getSender(message)}
+								isOwnMessage={isOwnMessage(message)}
+								showAvatar={shouldShowAvatar(message, index)}
+								showTimestamp={shouldShowTimestamp(message, index)}
+							/>
+						</div>
+					{/each}
+				</div>
+			{/if}
+		</div>
+
+		<!-- Scroll to bottom button -->
+		{#if !autoScroll}
+			<div class="scroll-to-bottom absolute right-4 bottom-20">
+				<button
+					class="variant-filled-primary btn rounded-full"
+					onclick={scrollToBottom}
+					title="Scroll to bottom"
+				>
+					↓
+				</button>
+			</div>
+		{/if}
+	{:else}
+		<!-- No chat selected -->
+		<div class="no-chat-selected flex h-full flex-col items-center justify-center p-8 text-center">
+			<div
+				class="bg-surface-200-700-token mb-6 flex h-24 w-24 items-center justify-center rounded-full text-4xl"
+			>
+				💬
+			</div>
+			<h2 class="mb-2 text-xl font-bold">Welcome to VetKeys Chat</h2>
+			<p class="text-surface-600-300-token mb-6 max-w-md">
+				Select a conversation from the sidebar to start chatting securely with end-to-end
+				encryption.
+			</p>
+			<div class="text-surface-600-300-token space-y-2 text-sm">
+				<div class="flex items-center gap-2">
+					<span>🔒</span>
+					<span>End-to-end encrypted messages</span>
+				</div>
+				<div class="flex items-center gap-2">
+					<span>🔑</span>
+					<span>Automatic key rotation</span>
+				</div>
+				<div class="flex items-center gap-2">
+					<span>⏰</span>
+					<span>Disappearing messages support</span>
+				</div>
+			</div>
+		</div>
+	{/if}
+</div>
+
+<style>
+	.message-history {
+		position: relative;
+	}
+
+	.messages-container {
+		scroll-behavior: smooth;
+	}
+
+	.scroll-to-bottom {
+		z-index: 10;
+	}
+
+	.date-separator {
+		margin: 8px 0;
+	}
+
+	.empty-state,
+	.no-chat-selected {
+		background: var(--color-surface-50);
+	}
+
+	:global(.dark) .empty-state,
+	:global(.dark) .no-chat-selected {
+		background: var(--color-surface-900);
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
new file mode 100644
index 00000000..4132f126
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
@@ -0,0 +1,223 @@
+<script lang="ts">
+	import { createEventDispatcher } from 'svelte';
+	import { Send, Paperclip, Smile, X } from 'lucide-svelte';
+	import EmojiPicker from './EmojiPicker.svelte';
+	import type { FileUpload } from '../types';
+
+	export let disabled = false;
+	export let placeholder = 'Type a message...';
+
+	const dispatch = createEventDispatcher<{
+		send: { content: string; file?: FileUpload };
+	}>();
+
+	let messageText = '';
+	let showEmojiPicker = false;
+	let fileInput: HTMLInputElement;
+	let selectedFile: FileUpload | null = null;
+
+	const MAX_FILE_SIZE = 100 * 1024; // 100KB
+
+	function handleSend() {
+		const content = messageText.trim();
+		if (!content && !selectedFile) return;
+
+		dispatch('send', {
+			content: content || (selectedFile ? `📎 ${selectedFile.file.name}` : ''),
+			file: selectedFile || undefined
+		});
+
+		messageText = '';
+		selectedFile = null;
+		showEmojiPicker = false;
+	}
+
+	function handleKeydown(event: KeyboardEvent) {
+		if (event.key === 'Enter' && !event.shiftKey) {
+			event.preventDefault();
+			handleSend();
+		}
+	}
+
+	function handleFileSelect() {
+		fileInput.click();
+	}
+
+	function handleFileChange(event: Event) {
+		const target = event.target as HTMLInputElement;
+		const file = target.files?.[0];
+
+		if (!file) return;
+
+		if (file.size > MAX_FILE_SIZE) {
+			selectedFile = {
+				file,
+				isValid: false,
+				error: `File too large. Maximum size is ${MAX_FILE_SIZE / 1024}KB.`
+			};
+			return;
+		}
+
+		selectedFile = {
+			file,
+			isValid: true
+		};
+
+		// Generate preview for images
+		if (file.type.startsWith('image/')) {
+			const reader = new FileReader();
+			reader.onload = (e) => {
+				if (selectedFile) {
+					selectedFile.preview = e.target?.result as string;
+				}
+			};
+			reader.readAsDataURL(file);
+		}
+	}
+
+	function removeFile() {
+		selectedFile = null;
+		if (fileInput) {
+			fileInput.value = '';
+		}
+	}
+
+	function handleEmojiSelect(event: CustomEvent<string>) {
+		const emoji = event.detail;
+		messageText = messageText + emoji;
+		showEmojiPicker = false;
+
+		// Focus back on input
+		const textarea = document.querySelector('.message-input') as HTMLTextAreaElement;
+		if (textarea) {
+			textarea.focus();
+		}
+	}
+
+	function formatFileSize(bytes: number): string {
+		if (bytes === 0) return '0 B';
+		const k = 1024;
+		const sizes = ['B', 'KB', 'MB', 'GB'];
+		const i = Math.floor(Math.log(bytes) / Math.log(k));
+		return parseFloat((bytes / Math.pow(k, i)).toFixed(1)) + ' ' + sizes[i];
+	}
+</script>
+
+<div
+	class="message-input-container bg-surface-100-800-token border-surface-300-600-token border-t p-4"
+>
+	<!-- File preview -->
+	{#if selectedFile}
+		<div class="file-preview bg-surface-200-700-token mb-3 rounded-lg p-3">
+			<div class="flex items-start gap-3">
+				{#if selectedFile.preview}
+					<img src={selectedFile.preview} alt="Preview" class="h-16 w-16 rounded object-cover" />
+				{:else}
+					<div class="bg-surface-300-600-token flex h-16 w-16 items-center justify-center rounded">
+						<Paperclip class="h-6 w-6" />
+					</div>
+				{/if}
+
+				<div class="min-w-0 flex-1">
+					<p class="truncate text-sm font-medium">{selectedFile.file.name}</p>
+					<p class="text-surface-600-300-token text-xs">{formatFileSize(selectedFile.file.size)}</p>
+					{#if !selectedFile.isValid && selectedFile.error}
+						<p class="mt-1 text-xs text-error-500">{selectedFile.error}</p>
+					{/if}
+				</div>
+
+				<button
+					class="variant-ghost-surface btn-icon"
+					on:click={removeFile}
+					aria-label="Remove file"
+				>
+					<X class="h-4 w-4" />
+				</button>
+			</div>
+		</div>
+	{/if}
+
+	<!-- Input area -->
+	<div class="flex items-end gap-2">
+		<!-- File input -->
+		<input
+			type="file"
+			bind:this={fileInput}
+			on:change={handleFileChange}
+			accept="image/*,.pdf,.doc,.docx,.txt,.zip"
+			style="display: none;"
+		/>
+
+		<!-- File button -->
+		<button
+			class="variant-ghost-surface btn-icon"
+			on:click={handleFileSelect}
+			{disabled}
+			aria-label="Attach file"
+		>
+			<Paperclip class="h-5 w-5" />
+		</button>
+
+		<!-- Message input -->
+		<div class="relative flex-1">
+			<textarea
+				bind:value={messageText}
+				on:keydown={handleKeydown}
+				{placeholder}
+				{disabled}
+				rows="1"
+				class="message-input bg-surface-200-700-token border-surface-300-600-token w-full resize-none rounded-lg border px-3 py-2 pr-10 text-sm focus:border-transparent focus:ring-2 focus:ring-primary-500 focus:outline-none"
+				style="min-height: 40px; max-height: 120px;"
+			></textarea>
+
+			<!-- Emoji button -->
+			<button
+				class="variant-ghost-surface absolute top-1/2 right-2 btn-icon -translate-y-1/2"
+				on:click={() => (showEmojiPicker = !showEmojiPicker)}
+				{disabled}
+				aria-label="Add emoji"
+			>
+				<Smile class="h-4 w-4" />
+			</button>
+		</div>
+
+		<!-- Send button -->
+		<button
+			class="variant-filled-primary btn"
+			on:click={handleSend}
+			disabled={disabled ||
+				(!messageText.trim() && !selectedFile) ||
+				(selectedFile && !selectedFile.isValid)}
+			aria-label="Send message"
+		>
+			<Send class="h-5 w-5" />
+		</button>
+	</div>
+
+	<!-- File size info -->
+	<div class="text-surface-600-300-token mt-2 text-xs">
+		Maximum file size: {MAX_FILE_SIZE / 1024}KB
+	</div>
+</div>
+
+<!-- Emoji Picker -->
+<EmojiPicker
+	bind:show={showEmojiPicker}
+	on:select={handleEmojiSelect}
+	on:close={() => (showEmojiPicker = false)}
+/>
+
+<style>
+	.message-input {
+		scrollbar-width: thin;
+	}
+
+	.message-input::-webkit-scrollbar {
+		width: 4px;
+	}
+
+	.message-input::-webkit-scrollbar-thumb {
+		background-color: var(--color-surface-400);
+		border-radius: 2px;
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
new file mode 100644
index 00000000..55a98086
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
@@ -0,0 +1,120 @@
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import { fly } from 'svelte/transition';
+	import { X, AlertTriangle, Info, CheckCircle, XCircle } from 'lucide-svelte';
+	import { notifications, chatActions } from '../stores/chat';
+	import { storageService } from '../services/storage';
+	import type { Notification } from '../types';
+
+	let showDisclaimer = false;
+
+	onMount(async () => {
+		const dismissed = await storageService.isDisclaimerDismissed();
+		showDisclaimer = !dismissed;
+	});
+
+	async function dismissDisclaimer() {
+		showDisclaimer = false;
+		await storageService.setDisclaimerDismissed();
+	}
+
+	function getNotificationIcon(type: Notification['type']) {
+		switch (type) {
+			case 'warning':
+				return AlertTriangle;
+			case 'error':
+				return XCircle;
+			case 'success':
+				return CheckCircle;
+			default:
+				return Info;
+		}
+	}
+
+	function getNotificationColor(type: Notification['type']) {
+		switch (type) {
+			case 'warning':
+				return 'variant-filled-warning';
+			case 'error':
+				return 'variant-filled-error';
+			case 'success':
+				return 'variant-filled-success';
+			default:
+				return 'variant-filled-primary';
+		}
+	}
+</script>
+
+<!-- Disclaimer Banner -->
+{#if showDisclaimer}
+	<div
+		class="alert variant-filled-warning fixed top-0 right-0 left-0 z-50 rounded-none border-0 border-b"
+		transition:fly={{ y: -100, duration: 300 }}
+	>
+		<AlertTriangle class="h-6 w-6" />
+		<div class="alert-message flex-1">
+			<h3 class="h4">Disclaimer</h3>
+			<p>
+				This sample dapp is intended exclusively for experimental purpose. You are advised not to
+				use this dapp for storing your critical data such as keys or passwords.
+			</p>
+		</div>
+		<div class="alert-actions">
+			<button
+				class="variant-filled btn-icon"
+				on:click={dismissDisclaimer}
+				aria-label="Dismiss disclaimer"
+			>
+				<X class="h-4 w-4" />
+			</button>
+		</div>
+	</div>
+{/if}
+
+<!-- Notification Stack -->
+<div class="fixed top-4 right-4 z-40 max-w-sm space-y-2">
+	{#each $notifications as notification (notification.id)}
+		<div
+			class="alert {getNotificationColor(notification.type)} shadow-lg"
+			transition:fly={{ x: 300, duration: 300 }}
+		>
+			<svelte:component this={getNotificationIcon(notification.type)} class="h-5 w-5" />
+			<div class="alert-message flex-1">
+				<h4 class="font-semibold">{notification.title}</h4>
+				<p class="text-sm opacity-90">{notification.message}</p>
+			</div>
+			{#if notification.isDismissible}
+				<div class="alert-actions">
+					<button
+						class="variant-soft btn-icon"
+						on:click={() => chatActions.dismissNotification(notification.id)}
+						aria-label="Dismiss notification"
+					>
+						<X class="h-4 w-4" />
+					</button>
+				</div>
+			{/if}
+		</div>
+	{/each}
+</div>
+
+<style>
+	.alert {
+		display: flex;
+		align-items: center;
+		gap: 0.75rem;
+		padding: 1rem;
+		border-radius: 0.5rem;
+	}
+
+	.alert-message {
+		flex: 1 1 0%;
+		min-width: 0;
+	}
+
+	.alert-actions {
+		display: flex;
+		align-items: center;
+		gap: 0.5rem;
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
new file mode 100644
index 00000000..ebf6875f
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -0,0 +1,87 @@
+<script lang="ts">
+	import { Settings } from 'lucide-svelte';
+	import { currentUser, userConfig, chatActions } from '../stores/chat';
+
+	let showConfig = false;
+	let configForm = {
+		cacheRetentionDays: 7
+	};
+
+	$: if ($userConfig) {
+		configForm.cacheRetentionDays = $userConfig.cacheRetentionDays;
+	}
+
+	function toggleConfig() {
+		showConfig = !showConfig;
+	}
+
+	async function saveConfig() {
+		await chatActions.updateUserConfig(configForm);
+		showConfig = false;
+	}
+</script>
+
+<div class="user-profile border-surface-300-600-token border-b p-4">
+	<div class="flex items-center justify-between">
+		<div class="flex items-center gap-3">
+			<div
+				class="avatar flex h-10 w-10 items-center justify-center rounded-full bg-primary-500 text-lg"
+			>
+				{$currentUser?.avatar || '👤'}
+			</div>
+			<div>
+				<h3 class="text-sm font-semibold">{$currentUser?.name || 'User'}</h3>
+				<div class="flex items-center gap-1">
+					<div class="h-2 w-2 rounded-full bg-success-500"></div>
+					<span class="text-surface-600-300-token text-xs">Online</span>
+				</div>
+			</div>
+		</div>
+		<button class="variant-ghost-surface btn-icon" on:click={toggleConfig} aria-label="Settings">
+			<Settings class="h-5 w-5" />
+		</button>
+	</div>
+
+	{#if showConfig}
+		<div class="config-panel bg-surface-200-700-token mt-4 rounded-lg p-3">
+			<h4 class="mb-3 text-sm font-semibold">Configuration</h4>
+
+			<div class="space-y-4">
+				<div>
+					<label for="cache-retention" class="mb-1 block text-sm font-medium">
+						Cache Retention (days)
+					</label>
+					<input
+						id="cache-retention"
+						type="number"
+						min="1"
+						max="365"
+						bind:value={configForm.cacheRetentionDays}
+						class="input w-full"
+						placeholder="7"
+					/>
+					<p class="text-surface-600-300-token mt-1 text-xs">
+						How often to remove user's cache data
+					</p>
+				</div>
+			</div>
+
+			<div class="mt-4 flex gap-2">
+				<button class="variant-filled-primary btn flex-1" on:click={saveConfig}> Save </button>
+				<button class="variant-ghost-surface btn flex-1" on:click={() => (showConfig = false)}>
+					Cancel
+				</button>
+			</div>
+		</div>
+	{/if}
+</div>
+
+<style>
+	.user-profile {
+		background: var(--color-surface-100);
+	}
+
+	:global(.dark) .user-profile {
+		background: var(--color-surface-800);
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/index.ts b/examples/encrypted_chat/frontend/src/lib/index.ts
new file mode 100644
index 00000000..856f2b6c
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/index.ts
@@ -0,0 +1 @@
+// place files you want to import through the `$lib` alias in this folder.
diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/api.ts
new file mode 100644
index 00000000..947e8054
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/services/api.ts
@@ -0,0 +1,323 @@
+import type { Chat, Message, KeyRotationStatus, RatchetStats } from '../types';
+
+// Dummy API service that simulates backend calls
+// In real implementation, these would make actual API calls to the backend
+
+export class ChatAPI {
+	// Simulate network delay
+	private async delay(ms: number = 300): Promise<void> {
+		return new Promise((resolve) => setTimeout(resolve, ms));
+	}
+
+	async getChats(): Promise<Chat[]> {
+		await this.delay();
+		return [
+			{
+				id: 'direct-1',
+				name: 'Alice Johnson',
+				type: 'direct',
+				participants: [
+					{
+						id: 'user-alice',
+						name: 'Alice Johnson',
+						isOnline: true,
+						avatar: '👩‍💼'
+					}
+				],
+				lastActivity: new Date(Date.now() - 1000 * 60 * 30), // 30 minutes ago
+				isReady: true,
+				isUpdating: false,
+				disappearingMessagesDuration: 7,
+				keyRotationStatus: {
+					lastRotation: new Date(Date.now() - 1000 * 60 * 60 * 12), // 12 hours ago
+					nextRotation: new Date(Date.now() + 1000 * 60 * 60 * 12), // 12 hours from now
+					isRotationNeeded: false,
+					currentEpoch: 15
+				},
+				ratchetEpoch: 15,
+				unreadCount: 2,
+				lastMessage: {
+					id: 'msg-1',
+					chatId: 'direct-1',
+					senderId: 'user-alice',
+					content: 'Hey! How are you doing?',
+					timestamp: new Date(Date.now() - 1000 * 60 * 30),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 15
+				}
+			},
+			{
+				id: 'direct-2',
+				name: 'Bob Smith',
+				type: 'direct',
+				participants: [
+					{
+						id: 'user-bob',
+						name: 'Bob Smith',
+						isOnline: false,
+						lastSeen: new Date(Date.now() - 1000 * 60 * 60 * 2), // 2 hours ago
+						avatar: '👨‍💻'
+					}
+				],
+				lastActivity: new Date(Date.now() - 1000 * 60 * 60 * 4), // 4 hours ago
+				isReady: true,
+				isUpdating: false,
+				disappearingMessagesDuration: 30,
+				keyRotationStatus: {
+					lastRotation: new Date(Date.now() - 1000 * 60 * 60 * 18),
+					nextRotation: new Date(Date.now() + 1000 * 60 * 60 * 6),
+					isRotationNeeded: true,
+					currentEpoch: 8
+				},
+				ratchetEpoch: 8,
+				unreadCount: 0,
+				lastMessage: {
+					id: 'msg-2',
+					chatId: 'direct-2',
+					senderId: 'current-user',
+					content: 'Thanks for the help earlier!',
+					timestamp: new Date(Date.now() - 1000 * 60 * 60 * 4),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 8
+				}
+			},
+			{
+				id: 'group-1',
+				name: 'Project Team',
+				type: 'group',
+				participants: [
+					{
+						id: 'user-alice',
+						name: 'Alice Johnson',
+						isOnline: true,
+						avatar: '👩‍💼'
+					},
+					{
+						id: 'user-charlie',
+						name: 'Charlie Davis',
+						isOnline: true,
+						avatar: '👨‍🎨'
+					},
+					{
+						id: 'user-diana',
+						name: 'Diana Wilson',
+						isOnline: false,
+						lastSeen: new Date(Date.now() - 1000 * 60 * 45),
+						avatar: '👩‍🔬'
+					}
+				],
+				lastActivity: new Date(Date.now() - 1000 * 60 * 15), // 15 minutes ago
+				isReady: true,
+				isUpdating: false,
+				disappearingMessagesDuration: 14,
+				keyRotationStatus: {
+					lastRotation: new Date(Date.now() - 1000 * 60 * 60 * 6),
+					nextRotation: new Date(Date.now() + 1000 * 60 * 60 * 18),
+					isRotationNeeded: false,
+					currentEpoch: 23
+				},
+				ratchetEpoch: 23,
+				unreadCount: 5,
+				avatar: '🏢',
+				lastMessage: {
+					id: 'msg-3',
+					chatId: 'group-1',
+					senderId: 'user-charlie',
+					content: 'Meeting at 3 PM today?',
+					timestamp: new Date(Date.now() - 1000 * 60 * 15),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 23
+				}
+			},
+			{
+				id: 'group-2',
+				name: 'Friends Chat',
+				type: 'group',
+				participants: [
+					{
+						id: 'user-bob',
+						name: 'Bob Smith',
+						isOnline: false,
+						lastSeen: new Date(Date.now() - 1000 * 60 * 60 * 2),
+						avatar: '👨‍💻'
+					},
+					{
+						id: 'user-eve',
+						name: 'Eve Martinez',
+						isOnline: true,
+						avatar: '👩‍🎭'
+					}
+				],
+				lastActivity: new Date(Date.now() - 1000 * 60 * 60 * 8), // 8 hours ago
+				isReady: false,
+				isUpdating: true,
+				disappearingMessagesDuration: 1,
+				keyRotationStatus: {
+					lastRotation: new Date(Date.now() - 1000 * 60 * 60 * 24),
+					nextRotation: new Date(Date.now() + 1000 * 60 * 60),
+					isRotationNeeded: true,
+					currentEpoch: 5
+				},
+				ratchetEpoch: 5,
+				unreadCount: 0,
+				avatar: '🎉'
+			}
+		];
+	}
+
+	async getChatMessages(chatId: string): Promise<Message[]> {
+		await this.delay();
+
+		// Return different message sets based on chat ID
+		if (chatId === 'direct-1') {
+			return [
+				{
+					id: 'msg-d1-1',
+					chatId: 'direct-1',
+					senderId: 'user-alice',
+					content: 'Hello! How are you today?',
+					timestamp: new Date(Date.now() - 1000 * 60 * 60 * 2),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 15
+				},
+				{
+					id: 'msg-d1-2',
+					chatId: 'direct-1',
+					senderId: 'current-user',
+					content: "Hey Alice! I'm doing great, thanks for asking. How about you?",
+					timestamp: new Date(Date.now() - 1000 * 60 * 45),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 15
+				},
+				{
+					id: 'msg-d1-3',
+					chatId: 'direct-1',
+					senderId: 'user-alice',
+					content: "I'm fantastic! Working on some exciting new features 🚀",
+					timestamp: new Date(Date.now() - 1000 * 60 * 30),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 15
+				}
+			];
+		}
+
+		if (chatId === 'group-1') {
+			return [
+				{
+					id: 'msg-g1-1',
+					chatId: 'group-1',
+					senderId: 'user-alice',
+					content: "Team, let's discuss the project timeline",
+					timestamp: new Date(Date.now() - 1000 * 60 * 60),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 23
+				},
+				{
+					id: 'msg-g1-2',
+					chatId: 'group-1',
+					senderId: 'user-charlie',
+					content: 'Sure! I think we can finish the UI by Friday',
+					timestamp: new Date(Date.now() - 1000 * 60 * 45),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 23
+				},
+				{
+					id: 'msg-g1-3',
+					chatId: 'group-1',
+					senderId: 'current-user',
+					content: "Great! I'll have the backend ready by then too",
+					timestamp: new Date(Date.now() - 1000 * 60 * 30),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 23
+				},
+				{
+					id: 'msg-g1-4',
+					chatId: 'group-1',
+					senderId: 'user-charlie',
+					content: 'Meeting at 3 PM today?',
+					timestamp: new Date(Date.now() - 1000 * 60 * 15),
+					type: 'text',
+					isEncrypted: true,
+					ratchetEpoch: 23
+				}
+			];
+		}
+
+		return [];
+	}
+
+	async sendMessage(
+		chatId: string,
+		content: string,
+		type: 'text' | 'file' = 'text',
+		fileData?: ArrayBuffer
+	): Promise<Message> {
+		await this.delay(500);
+
+		const message: Message = {
+			id: `msg-${Date.now()}`,
+			chatId,
+			senderId: 'current-user',
+			content,
+			timestamp: new Date(),
+			type,
+			fileData,
+			isEncrypted: true,
+			ratchetEpoch: Math.floor(Math.random() * 30) + 1
+		};
+
+		return message;
+	}
+
+	async checkKeyRotation(_chatId: string): Promise<boolean> {
+		await this.delay(200);
+		// Simulate some chats needing rotation
+		return _chatId === 'direct-2' || _chatId === 'group-2';
+	}
+
+	async rotateKeys(): Promise<KeyRotationStatus> {
+		await this.delay(1000);
+
+		return {
+			lastRotation: new Date(),
+			nextRotation: new Date(Date.now() + 1000 * 60 * 60 * 24), // 24 hours from now
+			isRotationNeeded: false,
+			currentEpoch: Math.floor(Math.random() * 50) + 1
+		};
+	}
+
+	async getRatchetStats(): Promise<RatchetStats> {
+		await this.delay(150);
+
+		return {
+			currentEpoch: Math.floor(Math.random() * 30) + 1,
+			messagesInCurrentEpoch: Math.floor(Math.random() * 50) + 1,
+			lastRotation: new Date(Date.now() - 1000 * 60 * 60 * Math.random() * 24),
+			nextScheduledRotation: new Date(Date.now() + 1000 * 60 * 60 * Math.random() * 24)
+		};
+	}
+
+	async updateGroupMembers(
+		chatId: string,
+		addUsers: string[],
+		removeUsers: string[],
+		allowHistoryForNew: boolean
+	): Promise<boolean> {
+		await this.delay(800);
+		console.log(
+			`Group ${chatId} updated: +${addUsers.length}, -${removeUsers.length}, history: ${allowHistoryForNew}`
+		);
+		return true;
+	}
+}
+
+export const chatAPI = new ChatAPI();
diff --git a/examples/encrypted_chat/frontend/src/lib/services/identity.ts b/examples/encrypted_chat/frontend/src/lib/services/identity.ts
new file mode 100644
index 00000000..a57e994a
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/services/identity.ts
@@ -0,0 +1,83 @@
+import { AuthClient } from '@dfinity/auth-client';
+import type { Identity } from '@dfinity/agent';
+import type { User } from '../types';
+
+// Identity service using @dfinity/agent
+export class IdentityService {
+	private authClient: AuthClient | null = null;
+	private currentUser: User | null = null;
+
+	async init(): Promise<void> {
+		this.authClient = await AuthClient.create();
+		await this.checkAuthentication();
+	}
+
+	async checkAuthentication(): Promise<boolean> {
+		if (!this.authClient) return false;
+
+		const isAuthenticated = await this.authClient.isAuthenticated();
+		if (isAuthenticated) {
+			const identity = this.authClient.getIdentity();
+			this.currentUser = await this.createUserFromIdentity(identity);
+			return true;
+		}
+		return false;
+	}
+
+	async login(): Promise<User | null> {
+		if (!this.authClient) return null;
+
+		return new Promise((resolve) => {
+			this.authClient!.login({
+				onSuccess: async () => {
+					const identity = this.authClient!.getIdentity();
+					this.currentUser = await this.createUserFromIdentity(identity);
+					resolve(this.currentUser);
+				},
+				onError: () => {
+					resolve(null);
+				}
+			});
+		});
+	}
+
+	async logout(): Promise<void> {
+		if (this.authClient) {
+			await this.authClient.logout();
+		}
+		this.currentUser = null;
+	}
+
+	getCurrentUser(): User | null {
+		return this.currentUser;
+	}
+
+	getIdentity(): Identity | null {
+		return this.authClient?.getIdentity() || null;
+	}
+
+	private async createUserFromIdentity(identity: Identity): Promise<User> {
+		// In a real implementation, you would extract user info from the identity
+		// For now, we'll create a dummy user with the principal as the ID
+		const principal = identity.getPrincipal();
+
+		return {
+			id: principal.toString(),
+			name: `User ${principal.toString().slice(0, 8)}...`,
+			avatar: '👤',
+			isOnline: true
+		};
+	}
+
+	// Dummy implementation for demo purposes
+	async getDummyCurrentUser(): Promise<User> {
+		return {
+			id: 'current-user',
+			name: 'You',
+			avatar: '👤',
+			isOnline: true
+		};
+	}
+}
+
+export const identityService = new IdentityService();
diff --git a/examples/encrypted_chat/frontend/src/lib/services/storage.ts b/examples/encrypted_chat/frontend/src/lib/services/storage.ts
new file mode 100644
index 00000000..e5a4f4a7
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/services/storage.ts
@@ -0,0 +1,135 @@
+import { get, set, del, clear, keys } from 'idb-keyval';
+import type { Message, Chat, UserConfig } from '../types';
+
+// IndexedDB storage service for persistent chat data
+export class StorageService {
+	private readonly MESSAGE_PREFIX = 'msg_';
+	private readonly CHAT_PREFIX = 'chat_';
+	private readonly CONFIG_KEY = 'user_config';
+	private readonly DISCLAIMER_KEY = 'disclaimer_dismissed';
+
+	// Message storage
+	async saveMessage(message: Message): Promise<void> {
+		const key = `${this.MESSAGE_PREFIX}${message.chatId}_${message.id}`;
+		await set(key, message);
+	}
+
+	async getMessages(chatId: string): Promise<Message[]> {
+		const allKeys = await keys();
+		const chatMessageKeys = allKeys.filter(
+			(key) => typeof key === 'string' && key.startsWith(`${this.MESSAGE_PREFIX}${chatId}_`)
+		);
+
+		const messages: Message[] = [];
+		for (const key of chatMessageKeys) {
+			const message = await get(key);
+			if (message) {
+				// Ensure timestamp is a Date object
+				if (typeof message.timestamp === 'string') {
+					message.timestamp = new Date(message.timestamp);
+				}
+				messages.push(message);
+			}
+		}
+
+		// Sort by timestamp
+		return messages.sort((a, b) => a.timestamp.getTime() - b.timestamp.getTime());
+	}
+
+	async deleteMessage(chatId: string, messageId: string): Promise<void> {
+		const key = `${this.MESSAGE_PREFIX}${chatId}_${messageId}`;
+		await del(key);
+	}
+
+	// Clean up old messages based on disappearing messages setting
+	async cleanupOldMessages(chatId: string, retentionDays: number): Promise<void> {
+		if (retentionDays === 0) return; // Never delete if 0
+
+		const cutoffDate = new Date(Date.now() - retentionDays * 24 * 60 * 60 * 1000);
+		const messages = await this.getMessages(chatId);
+
+		for (const message of messages) {
+			if (message.timestamp < cutoffDate) {
+				await this.deleteMessage(chatId, message.id);
+			}
+		}
+	}
+
+	// Chat metadata storage
+	async saveChat(chat: Chat): Promise<void> {
+		const key = `${this.CHAT_PREFIX}${chat.id}`;
+		await set(key, chat);
+	}
+
+	async getChat(chatId: string): Promise<Chat | null> {
+		const key = `${this.CHAT_PREFIX}${chatId}`;
+		return (await get(key)) || null;
+	}
+
+	async getAllChats(): Promise<Chat[]> {
+		const allKeys = await keys();
+		const chatKeys = allKeys.filter(
+			(key) => typeof key === 'string' && key.startsWith(this.CHAT_PREFIX)
+		);
+
+		const chats: Chat[] = [];
+		for (const key of chatKeys) {
+			const chat = await get(key);
+			if (chat) {
+				chats.push(chat);
+			}
+		}
+
+		return chats.sort((a, b) => b.lastActivity.getTime() - a.lastActivity.getTime());
+	}
+
+	// User configuration
+	async saveUserConfig(config: UserConfig): Promise<void> {
+		await set(this.CONFIG_KEY, config);
+	}
+
+	async getUserConfig(): Promise<UserConfig | null> {
+		return (await get(this.CONFIG_KEY)) || null;
+	}
+
+	async getDefaultUserConfig(): Promise<UserConfig> {
+		return {
+			cacheRetentionDays: 7,
+			userId: 'current-user',
+			userName: 'You',
+			userAvatar: '👤'
+		};
+	}
+
+	// Disclaimer
+	async setDisclaimerDismissed(): Promise<void> {
+		await set(this.DISCLAIMER_KEY, true);
+	}
+
+	async isDisclaimerDismissed(): Promise<boolean> {
+		return (await get(this.DISCLAIMER_KEY)) || false;
+	}
+
+	// Cache cleanup based on user config
+	async cleanupUserCache(retentionDays: number): Promise<void> {
+		const cutoffDate = new Date(Date.now() - retentionDays * 24 * 60 * 60 * 1000);
+		const allKeys = await keys();
+
+		// Clean up old message keys
+		for (const key of allKeys) {
+			if (typeof key === 'string' && key.startsWith(this.MESSAGE_PREFIX)) {
+				const message = await get(key);
+				if (message && new Date(message.timestamp) < cutoffDate) {
+					await del(key);
+				}
+			}
+		}
+	}
+
+	// Clear all data (for testing/reset)
+	async clearAllData(): Promise<void> {
+		await clear();
+	}
+}
+
+export const storageService = new StorageService();
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.ts
new file mode 100644
index 00000000..c44ca34f
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.ts
@@ -0,0 +1,265 @@
+import { writable, derived, get } from 'svelte/store';
+import type { Chat, Message, User, UserConfig, Notification } from '../types';
+import { chatAPI } from '../services/api';
+import { storageService } from '../services/storage';
+import { identityService } from '../services/identity';
+
+// Chat stores
+export const chats = writable<Chat[]>([]);
+export const selectedChatId = writable<string | null>(null);
+export const messages = writable<{ [chatId: string]: Message[] }>({});
+export const currentUser = writable<User | null>(null);
+export const userConfig = writable<UserConfig | null>(null);
+export const notifications = writable<Notification[]>([]);
+export const isLoading = writable(false);
+
+// Derived stores
+export const selectedChat = derived([chats, selectedChatId], ([$chats, $selectedChatId]) => {
+	if (!$selectedChatId) return null;
+	return $chats.find((chat) => chat.id === $selectedChatId) || null;
+});
+
+export const selectedChatMessages = derived(
+	[messages, selectedChatId],
+	([$messages, $selectedChatId]) => {
+		if (!$selectedChatId) return [];
+		return $messages[$selectedChatId] || [];
+	}
+);
+
+export const unreadMessageCount = derived(chats, ($chats) =>
+	$chats.reduce((total, chat) => total + chat.unreadCount, 0)
+);
+
+// Chat actions
+export const chatActions = {
+	async initialize() {
+		isLoading.set(true);
+		try {
+			// Initialize identity service
+			await identityService.init();
+
+			// Load user config
+			let config = await storageService.getUserConfig();
+			if (!config) {
+				config = await storageService.getDefaultUserConfig();
+				await storageService.saveUserConfig(config);
+			}
+			userConfig.set(config);
+
+			// Set current user (dummy for now)
+			const user = await identityService.getDummyCurrentUser();
+			currentUser.set(user);
+
+			// Load chats from API
+			const chatList = await chatAPI.getChats();
+			chats.set(chatList);
+
+			// Load messages for each chat from storage and merge with API data
+			const messageMap: { [chatId: string]: Message[] } = {};
+			for (const chat of chatList) {
+				// First load from storage
+				let chatMessages = await storageService.getMessages(chat.id);
+
+				// If no stored messages, load from API
+				if (chatMessages.length === 0) {
+					chatMessages = await chatAPI.getChatMessages(chat.id);
+					// Save to storage
+					for (const message of chatMessages) {
+						await storageService.saveMessage(message);
+					}
+				}
+
+				messageMap[chat.id] = chatMessages;
+			}
+			messages.set(messageMap);
+
+			// Set up periodic cleanup
+			setInterval(() => {
+				chatActions.cleanupDisappearingMessages();
+			}, 60000); // Check every minute
+		} catch (error) {
+			console.error('Failed to initialize chat:', error);
+			chatActions.addNotification({
+				type: 'error',
+				title: 'Initialization Error',
+				message: 'Failed to load chat data. Please refresh the page.',
+				isDismissible: true
+			});
+		} finally {
+			isLoading.set(false);
+		}
+	},
+
+	selectChat(chatId: string) {
+		selectedChatId.set(chatId);
+
+		// Mark as read
+		chats.update(($chats) =>
+			$chats.map((chat) => (chat.id === chatId ? { ...chat, unreadCount: 0 } : chat))
+		);
+	},
+
+	async loadChatMessages(chatId: string) {
+		try {
+			const chatMessages = await chatAPI.getChatMessages(chatId);
+
+			messages.update(($messages) => ({
+				...$messages,
+				[chatId]: chatMessages
+			}));
+
+			// Save to storage
+			for (const message of chatMessages) {
+				await storageService.saveMessage(message);
+			}
+		} catch (error) {
+			console.error('Failed to load messages:', error);
+			chatActions.addNotification({
+				type: 'error',
+				title: 'Load Error',
+				message: 'Failed to load messages for this chat.',
+				isDismissible: true
+			});
+		}
+	},
+
+	async sendMessage(
+		chatId: string,
+		content: string,
+		fileData?: { name: string; size: number; type: string; data: ArrayBuffer }
+	) {
+		try {
+			// Check if key rotation is needed
+			const needsRotation = await chatAPI.checkKeyRotation(chatId);
+			if (needsRotation) {
+				await chatActions.rotateKeys(chatId);
+			}
+
+			const message = await chatAPI.sendMessage(
+				chatId,
+				content,
+				fileData ? 'file' : 'text',
+				fileData
+			);
+
+			// Add to messages
+			messages.update(($messages) => ({
+				...$messages,
+				[chatId]: [...($messages[chatId] || []), message]
+			}));
+
+			// Update chat last activity
+			chats.update(($chats) =>
+				$chats.map((chat) =>
+					chat.id === chatId ? { ...chat, lastActivity: new Date(), lastMessage: message } : chat
+				)
+			);
+
+			// Save to storage
+			await storageService.saveMessage(message);
+		} catch (error) {
+			console.error('Failed to send message:', error);
+			chatActions.addNotification({
+				type: 'error',
+				title: 'Send Error',
+				message: 'Failed to send message. Please try again.',
+				isDismissible: true
+			});
+		}
+	},
+
+	async rotateKeys(chatId: string) {
+		try {
+			// Mark chat as updating
+			chats.update(($chats) =>
+				$chats.map((chat) => (chat.id === chatId ? { ...chat, isUpdating: true } : chat))
+			);
+
+			const newKeyStatus = await chatAPI.rotateKeys(chatId);
+
+			// Update chat with new key status
+			chats.update(($chats) =>
+				$chats.map((chat) =>
+					chat.id === chatId
+						? {
+								...chat,
+								isUpdating: false,
+								keyRotationStatus: newKeyStatus,
+								ratchetEpoch: newKeyStatus.currentEpoch
+							}
+						: chat
+				)
+			);
+
+			chatActions.addNotification({
+				type: 'success',
+				title: 'Keys Rotated',
+				message: 'Chat encryption keys have been successfully rotated.',
+				isDismissible: true,
+				duration: 3000
+			});
+		} catch (error) {
+			console.error('Failed to rotate keys:', error);
+
+			// Mark chat as not updating
+			chats.update(($chats) =>
+				$chats.map((chat) => (chat.id === chatId ? { ...chat, isUpdating: false } : chat))
+			);
+
+			chatActions.addNotification({
+				type: 'error',
+				title: 'Key Rotation Failed',
+				message: 'Failed to rotate encryption keys. Please try again.',
+				isDismissible: true
+			});
+		}
+	},
+
+	async updateUserConfig(config: Partial<UserConfig>) {
+		const currentConfig = get(userConfig);
+		if (!currentConfig) return;
+
+		const newConfig = { ...currentConfig, ...config };
+		userConfig.set(newConfig);
+		await storageService.saveUserConfig(newConfig);
+
+		// Trigger cache cleanup if retention days changed
+		if (config.cacheRetentionDays !== undefined) {
+			await storageService.cleanupUserCache(config.cacheRetentionDays);
+		}
+	},
+
+	addNotification(notification: Omit<Notification, 'id'>) {
+		const id = `notification-${Date.now()}-${Math.random()}`;
+		const newNotification: Notification = { ...notification, id };
+
+		notifications.update(($notifications) => [...$notifications, newNotification]);
+
+		// Auto-dismiss if duration is set
+		if (notification.duration) {
+			setTimeout(() => {
+				chatActions.dismissNotification(id);
+			}, notification.duration);
+		}
+	},
+
+	dismissNotification(id: string) {
+		notifications.update(($notifications) => $notifications.filter((n) => n.id !== id));
+	},
+
+	async cleanupDisappearingMessages() {
+		const $chats = get(chats);
+
+		for (const chat of $chats) {
+			if (chat.disappearingMessagesDuration > 0) {
+				await storageService.cleanupOldMessages(chat.id, chat.disappearingMessagesDuration);
+			}
+		}
+	}
+};
+
+// Initialize on module load
+if (typeof window !== 'undefined') {
+	chatActions.initialize();
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
new file mode 100644
index 00000000..3a14abed
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -0,0 +1,100 @@
+export interface User {
+	id: string;
+	name: string;
+	avatar?: string;
+	isOnline: boolean;
+	lastSeen?: Date;
+}
+
+export interface Message {
+	id: string;
+	chatId: string;
+	senderId: string;
+	content: string;
+	timestamp: Date;
+	type: 'text' | 'file' | 'image';
+	fileData?: {
+		name: string;
+		size: number;
+		type: string;
+		data: ArrayBuffer;
+	};
+	isEncrypted: boolean;
+	ratchetEpoch: number;
+}
+
+export interface Chat {
+	id: string;
+	name: string;
+	type: 'direct' | 'group';
+	participants: User[];
+	lastMessage?: Message;
+	lastActivity: Date;
+	isReady: boolean;
+	isUpdating: boolean;
+	disappearingMessagesDuration: number; // in days, 0 = never
+	keyRotationStatus: KeyRotationStatus;
+	ratchetEpoch: number;
+	unreadCount: number;
+	avatar?: string;
+}
+
+export interface DirectChat extends Chat {
+	type: 'direct';
+	otherParticipant: User;
+}
+
+export interface GroupChat extends Chat {
+	type: 'group';
+	adminId: string;
+	canModify: boolean;
+	allowHistoryForNewMembers: boolean;
+}
+
+export interface KeyRotationStatus {
+	lastRotation: Date;
+	nextRotation: Date;
+	isRotationNeeded: boolean;
+	currentEpoch: number;
+}
+
+export interface RatchetStats {
+	currentEpoch: number;
+	messagesInCurrentEpoch: number;
+	lastRotation: Date;
+	nextScheduledRotation: Date;
+}
+
+export interface UserConfig {
+	cacheRetentionDays: number;
+	userId: string;
+	userName: string;
+	userAvatar?: string;
+}
+
+export interface ChatStatus {
+	isReady: boolean;
+	isUpdating: boolean;
+	lastSync: Date;
+	additionalInfo?: string;
+}
+
+export interface FileUpload {
+	file: File;
+	preview?: string;
+	isValid: boolean;
+	error?: string;
+}
+
+export type ChatType = 'direct' | 'group';
+export type MessageType = 'text' | 'file' | 'image';
+export type NotificationType = 'info' | 'warning' | 'error' | 'success';
+
+export interface Notification {
+	id: string;
+	type: NotificationType;
+	title: string;
+	message: string;
+	isDismissible: boolean;
+	duration?: number; // auto-dismiss after ms, undefined = manual dismiss
+}
diff --git a/examples/encrypted_chat/frontend/src/routes/+layout.svelte b/examples/encrypted_chat/frontend/src/routes/+layout.svelte
new file mode 100644
index 00000000..8d1beaa8
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/routes/+layout.svelte
@@ -0,0 +1,27 @@
+<script lang="ts">
+    import '../app.css';
+	import favicon from '$lib/assets/favicon.svg';
+	import NotificationBanner from '$lib/components/NotificationBanner.svelte';
+
+	let { children } = $props();
+</script>
+
+<svelte:head>
+	<link rel="icon" href={favicon} />
+</svelte:head>
+
+<div class="app">
+	<!-- Global notifications -->
+	<NotificationBanner />
+
+	<!-- Main content -->
+	{@render children?.()}
+</div>
+
+<style>
+	.app {
+		height: 100vh;
+		height: 100dvh; /* For mobile browsers */
+		overflow: hidden;
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/src/routes/+layout.ts b/examples/encrypted_chat/frontend/src/routes/+layout.ts
new file mode 100644
index 00000000..c8cacf08
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/routes/+layout.ts
@@ -0,0 +1 @@
+export const prerender = true;
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
new file mode 100644
index 00000000..a9f22493
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -0,0 +1,118 @@
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import ChatList from '$lib/components/ChatList.svelte';
+	import ChatInterface from '$lib/components/ChatInterface.svelte';
+	import { isLoading, selectedChatId } from '$lib/stores/chat';
+
+	let showMobileChatList = false;
+	let isMobile = false;
+
+	onMount(() => {
+		// Check if mobile
+		const checkMobile = () => {
+			isMobile = window.innerWidth < 768;
+		};
+
+		checkMobile();
+		window.addEventListener('resize', checkMobile);
+
+		return () => {
+			window.removeEventListener('resize', checkMobile);
+		};
+	});
+
+	function handleMobileBackToChatList() {
+		showMobileChatList = true;
+	}
+
+	// Update mobile chat list visibility when chat is selected
+	$: if (isMobile && $selectedChatId) {
+		showMobileChatList = false;
+	}
+</script>
+
+<svelte:head>
+	<title>VetKeys Encrypted Chat</title>
+	<meta name="description" content="Secure encrypted chat application using VetKeys" />
+</svelte:head>
+
+{#if $isLoading}
+	<!-- Loading state -->
+	<div class="loading-screen bg-surface-100-800-token flex h-full items-center justify-center">
+		<div class="text-center">
+			<div
+				class="mx-auto mb-4 h-16 w-16 animate-spin rounded-full border-4 border-primary-500 border-t-transparent"
+			></div>
+			<h2 class="mb-2 text-lg font-semibold">Loading VetKeys Chat</h2>
+			<p class="text-surface-600-300-token">Initializing secure communication...</p>
+		</div>
+	</div>
+{:else}
+	<!-- Main chat interface -->
+	<div class="chat-container flex h-full">
+		<!-- Chat List Sidebar (Desktop) or Full Screen (Mobile) -->
+		<div class="chat-list-wrapper {isMobile ? (showMobileChatList ? 'block' : 'hidden') : 'block'}">
+			<ChatList />
+		</div>
+
+		<!-- Chat Interface (Desktop) or Full Screen when chat selected (Mobile) -->
+		<div
+			class="chat-interface-wrapper flex-1 {isMobile
+				? showMobileChatList
+					? 'hidden'
+					: 'block'
+				: 'block'}"
+		>
+			<ChatInterface {isMobile} onMobileBack={handleMobileBackToChatList} />
+		</div>
+	</div>
+{/if}
+
+<style>
+	.chat-container {
+		background: var(--color-surface-50);
+	}
+
+	:global(.dark) .chat-container {
+		background: var(--color-surface-900);
+	}
+
+	.chat-list-wrapper {
+		position: relative;
+		z-index: 10;
+	}
+
+	.chat-interface-wrapper {
+		position: relative;
+		z-index: 5;
+	}
+
+	@media (max-width: 767px) {
+		.chat-list-wrapper {
+			position: absolute;
+			top: 0;
+			left: 0;
+			right: 0;
+			bottom: 0;
+			z-index: 20;
+		}
+
+		.chat-interface-wrapper {
+			position: absolute;
+			top: 0;
+			left: 0;
+			right: 0;
+			bottom: 0;
+			z-index: 10;
+		}
+	}
+
+	.loading-screen {
+		position: fixed;
+		top: 0;
+		left: 0;
+		right: 0;
+		bottom: 0;
+		z-index: 50;
+	}
+</style>
diff --git a/examples/encrypted_chat/frontend/static/robots.txt b/examples/encrypted_chat/frontend/static/robots.txt
new file mode 100644
index 00000000..b6dd6670
--- /dev/null
+++ b/examples/encrypted_chat/frontend/static/robots.txt
@@ -0,0 +1,3 @@
+# allow crawling everything by default
+User-agent: *
+Disallow:
diff --git a/examples/encrypted_chat/frontend/svelte.config.js b/examples/encrypted_chat/frontend/svelte.config.js
new file mode 100644
index 00000000..ecf93682
--- /dev/null
+++ b/examples/encrypted_chat/frontend/svelte.config.js
@@ -0,0 +1,11 @@
+import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';
+import adapter from '@sveltejs/adapter-static';
+
+const config = {
+	preprocess: vitePreprocess(),
+	kit: {
+		adapter: adapter()
+	}
+};
+
+export default config;
diff --git a/examples/encrypted_chat/frontend/tailwind.config.js b/examples/encrypted_chat/frontend/tailwind.config.js
new file mode 100644
index 00000000..9978db24
--- /dev/null
+++ b/examples/encrypted_chat/frontend/tailwind.config.js
@@ -0,0 +1,24 @@
+import { skeleton } from '@skeletonlabs/tw-plugin';
+
+/** @type {import('tailwindcss').Config} */
+export default {
+	darkMode: 'selector',
+	content: [
+		'./src/**/*.{html,js,svelte,ts}',
+		'./node_modules/@skeletonlabs/skeleton/**/*.{html,js,svelte,ts}'
+	],
+	theme: {
+		extend: {
+			fontFamily: {
+				sans: ['Inter', 'system-ui', 'sans-serif']
+			}
+		}
+	},
+	plugins: [
+		skeleton({
+			themes: {
+				preset: ['modern']
+			}
+		})
+	]
+};
diff --git a/examples/encrypted_chat/frontend/tsconfig.json b/examples/encrypted_chat/frontend/tsconfig.json
new file mode 100644
index 00000000..0b2d8865
--- /dev/null
+++ b/examples/encrypted_chat/frontend/tsconfig.json
@@ -0,0 +1,19 @@
+{
+	"extends": "./.svelte-kit/tsconfig.json",
+	"compilerOptions": {
+		"allowJs": true,
+		"checkJs": true,
+		"esModuleInterop": true,
+		"forceConsistentCasingInFileNames": true,
+		"resolveJsonModule": true,
+		"skipLibCheck": true,
+		"sourceMap": true,
+		"strict": true,
+		"moduleResolution": "bundler"
+	}
+	// Path aliases are handled by https://svelte.dev/docs/kit/configuration#alias
+	// except $lib which is handled by https://svelte.dev/docs/kit/configuration#files
+	//
+	// If you want to overwrite includes/excludes, make sure to copy over the relevant includes/excludes
+	// from the referenced tsconfig.json - TypeScript does not merge them in
+}
diff --git a/examples/encrypted_chat/frontend/vite.config.ts b/examples/encrypted_chat/frontend/vite.config.ts
new file mode 100644
index 00000000..2f222dba
--- /dev/null
+++ b/examples/encrypted_chat/frontend/vite.config.ts
@@ -0,0 +1,7 @@
+import { sveltekit } from '@sveltejs/kit/vite';
+import { defineConfig } from 'vite';
+import tailwindcss from '@tailwindcss/vite';
+
+export default defineConfig({
+	plugins: [tailwindcss(), sveltekit()]
+});

From 095789582ec82796050d65009922d915510586ff Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 6 Aug 2025 11:54:44 +0200
Subject: [PATCH 11/62] postcss

---
 examples/encrypted_chat/frontend/src/routes/+page.svelte | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index a9f22493..13ece121 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -68,7 +68,9 @@
 	</div>
 {/if}
 
-<style>
+<style lang="postcss">
+    @reference "tailwindcss";
+
 	.chat-container {
 		background: var(--color-surface-50);
 	}
@@ -115,4 +117,4 @@
 		bottom: 0;
 		z-index: 50;
 	}
-</style>
+</style>
\ No newline at end of file

From 5d75b13de2f9c06b311d86b832475fed57a03814 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 6 Aug 2025 11:56:04 +0200
Subject: [PATCH 12/62] rm unused styles

---
 .../frontend/src/routes/+page.svelte          | 47 -------------------
 1 file changed, 47 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index 13ece121..11eb3e15 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -70,51 +70,4 @@
 
 <style lang="postcss">
     @reference "tailwindcss";
-
-	.chat-container {
-		background: var(--color-surface-50);
-	}
-
-	:global(.dark) .chat-container {
-		background: var(--color-surface-900);
-	}
-
-	.chat-list-wrapper {
-		position: relative;
-		z-index: 10;
-	}
-
-	.chat-interface-wrapper {
-		position: relative;
-		z-index: 5;
-	}
-
-	@media (max-width: 767px) {
-		.chat-list-wrapper {
-			position: absolute;
-			top: 0;
-			left: 0;
-			right: 0;
-			bottom: 0;
-			z-index: 20;
-		}
-
-		.chat-interface-wrapper {
-			position: absolute;
-			top: 0;
-			left: 0;
-			right: 0;
-			bottom: 0;
-			z-index: 10;
-		}
-	}
-
-	.loading-screen {
-		position: fixed;
-		top: 0;
-		left: 0;
-		right: 0;
-		bottom: 0;
-		z-index: 50;
-	}
 </style>
\ No newline at end of file

From 742e8594b2ae4d2bc7956ba496f95644bdba13ae Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 6 Aug 2025 15:48:11 +0200
Subject: [PATCH 13/62] single script output

---
 .../encrypted_chat/frontend/package-lock.json | 176 +++++++++++++++++-
 examples/encrypted_chat/frontend/package.json |   6 +-
 .../frontend/src/lib/services/api.ts          |   2 +-
 .../encrypted_chat/frontend/svelte.config.js  |   5 +-
 .../encrypted_chat/frontend/vite.config.ts    |  12 +-
 5 files changed, 195 insertions(+), 6 deletions(-)

diff --git a/examples/encrypted_chat/frontend/package-lock.json b/examples/encrypted_chat/frontend/package-lock.json
index 79468e80..850b1f6d 100644
--- a/examples/encrypted_chat/frontend/package-lock.json
+++ b/examples/encrypted_chat/frontend/package-lock.json
@@ -21,6 +21,7 @@
 				"@eslint/compat": "^1.2.5",
 				"@eslint/js": "^9.18.0",
 				"@playwright/test": "^1.49.1",
+				"@rollup/plugin-typescript": "^12.1.4",
 				"@sveltejs/adapter-auto": "^6.0.0",
 				"@sveltejs/kit": "^2.22.0",
 				"@sveltejs/vite-plugin-svelte": "^6.0.0",
@@ -32,12 +33,15 @@
 				"prettier": "^3.4.2",
 				"prettier-plugin-svelte": "^3.3.3",
 				"prettier-plugin-tailwindcss": "^0.6.11",
+				"rollup-plugin-css-only": "^4.5.2",
 				"svelte": "^5.0.0",
 				"svelte-check": "^4.0.0",
 				"tailwindcss": "^4.0.0",
+				"tslib": "^2.8.1",
 				"typescript": "^5.0.0",
 				"typescript-eslint": "^8.20.0",
-				"vite": "^7.0.4"
+				"vite": "^7.0.4",
+				"vite-plugin-environment": "^1.1.3"
 			}
 		},
 		"node_modules/@ampproject/remapping": {
@@ -1220,6 +1224,56 @@
 			"integrity": "sha512-wwQAWhWSuHaag8c4q/KN/vCoeOJYshAIvMQwD4GpSb3OiZklFfvAgmj0VCBBImRpuF/aFgIRzllXlVX93Jevww==",
 			"license": "MIT"
 		},
+		"node_modules/@rollup/plugin-typescript": {
+			"version": "12.1.4",
+			"resolved": "https://registry.npmjs.org/@rollup/plugin-typescript/-/plugin-typescript-12.1.4.tgz",
+			"integrity": "sha512-s5Hx+EtN60LMlDBvl5f04bEiFZmAepk27Q+mr85L/00zPDn1jtzlTV6FWn81MaIwqfWzKxmOJrBWHU6vtQyedQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@rollup/pluginutils": "^5.1.0",
+				"resolve": "^1.22.1"
+			},
+			"engines": {
+				"node": ">=14.0.0"
+			},
+			"peerDependencies": {
+				"rollup": "^2.14.0||^3.0.0||^4.0.0",
+				"tslib": "*",
+				"typescript": ">=3.7.0"
+			},
+			"peerDependenciesMeta": {
+				"rollup": {
+					"optional": true
+				},
+				"tslib": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@rollup/pluginutils": {
+			"version": "5.2.0",
+			"resolved": "https://registry.npmjs.org/@rollup/pluginutils/-/pluginutils-5.2.0.tgz",
+			"integrity": "sha512-qWJ2ZTbmumwiLFomfzTyt5Kng4hwPi9rwCYN4SHb6eaRU1KNO4ccxINHr/VhH4GgPlt1XfSTLX2LBTme8ne4Zw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "^1.0.0",
+				"estree-walker": "^2.0.2",
+				"picomatch": "^4.0.2"
+			},
+			"engines": {
+				"node": ">=14.0.0"
+			},
+			"peerDependencies": {
+				"rollup": "^1.20.0||^2.0.0||^3.0.0||^4.0.0"
+			},
+			"peerDependenciesMeta": {
+				"rollup": {
+					"optional": true
+				}
+			}
+		},
 		"node_modules/@rollup/rollup-android-arm-eabi": {
 			"version": "4.46.2",
 			"resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.46.2.tgz",
@@ -2719,6 +2773,13 @@
 				"node": ">=4.0"
 			}
 		},
+		"node_modules/estree-walker": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-2.0.2.tgz",
+			"integrity": "sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/esutils": {
 			"version": "2.0.3",
 			"resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
@@ -2882,6 +2943,16 @@
 				"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
 			}
 		},
+		"node_modules/function-bind": {
+			"version": "1.1.2",
+			"resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+			"integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+			"dev": true,
+			"license": "MIT",
+			"funding": {
+				"url": "https://github.com/sponsors/ljharb"
+			}
+		},
 		"node_modules/glob-parent": {
 			"version": "6.0.2",
 			"resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz",
@@ -2932,6 +3003,19 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/hasown": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+			"integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"function-bind": "^1.1.2"
+			},
+			"engines": {
+				"node": ">= 0.4"
+			}
+		},
 		"node_modules/idb": {
 			"version": "7.1.1",
 			"resolved": "https://registry.npmjs.org/idb/-/idb-7.1.1.tgz",
@@ -2987,6 +3071,22 @@
 				"node": ">=0.8.19"
 			}
 		},
+		"node_modules/is-core-module": {
+			"version": "2.16.1",
+			"resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz",
+			"integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"hasown": "^2.0.2"
+			},
+			"engines": {
+				"node": ">= 0.4"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/ljharb"
+			}
+		},
 		"node_modules/is-extglob": {
 			"version": "2.1.1",
 			"resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
@@ -3634,6 +3734,13 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/path-parse": {
+			"version": "1.0.7",
+			"resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz",
+			"integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/picocolors": {
 			"version": "1.1.1",
 			"resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
@@ -3988,6 +4095,27 @@
 				"url": "https://paulmillr.com/funding/"
 			}
 		},
+		"node_modules/resolve": {
+			"version": "1.22.10",
+			"resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.10.tgz",
+			"integrity": "sha512-NPRy+/ncIMeDlTAsuqwKIiferiawhefFJtkNSW0qZJEqMEb+qBt/77B/jGeeek+F0uOeN05CDa6HXbbIgtVX4w==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"is-core-module": "^2.16.0",
+				"path-parse": "^1.0.7",
+				"supports-preserve-symlinks-flag": "^1.0.0"
+			},
+			"bin": {
+				"resolve": "bin/resolve"
+			},
+			"engines": {
+				"node": ">= 0.4"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/ljharb"
+			}
+		},
 		"node_modules/resolve-from": {
 			"version": "4.0.0",
 			"resolved": "https://registry.npmjs.org/resolve-from/-/resolve-from-4.0.0.tgz",
@@ -4048,6 +4176,22 @@
 				"fsevents": "~2.3.2"
 			}
 		},
+		"node_modules/rollup-plugin-css-only": {
+			"version": "4.5.2",
+			"resolved": "https://registry.npmjs.org/rollup-plugin-css-only/-/rollup-plugin-css-only-4.5.2.tgz",
+			"integrity": "sha512-7rj9+jB17Pz8LNcPgtMUb16JcgD8lxQMK9HcGfAVhMK3na/WXes3oGIo5QsrQQVqtgAU6q6KnQNXJrYunaUIQQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@rollup/pluginutils": "5"
+			},
+			"engines": {
+				"node": ">=14"
+			},
+			"peerDependencies": {
+				"rollup": "<5"
+			}
+		},
 		"node_modules/run-parallel": {
 			"version": "1.2.0",
 			"resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
@@ -4195,6 +4339,19 @@
 				"node": ">=8"
 			}
 		},
+		"node_modules/supports-preserve-symlinks-flag": {
+			"version": "1.0.0",
+			"resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz",
+			"integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 0.4"
+			},
+			"funding": {
+				"url": "https://github.com/sponsors/ljharb"
+			}
+		},
 		"node_modules/svelte": {
 			"version": "5.37.3",
 			"resolved": "https://registry.npmjs.org/svelte/-/svelte-5.37.3.tgz",
@@ -4358,6 +4515,13 @@
 				"typescript": ">=4.8.4"
 			}
 		},
+		"node_modules/tslib": {
+			"version": "2.8.1",
+			"resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+			"integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+			"dev": true,
+			"license": "0BSD"
+		},
 		"node_modules/type-check": {
 			"version": "0.4.0",
 			"resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@@ -4500,6 +4664,16 @@
 				}
 			}
 		},
+		"node_modules/vite-plugin-environment": {
+			"version": "1.1.3",
+			"resolved": "https://registry.npmjs.org/vite-plugin-environment/-/vite-plugin-environment-1.1.3.tgz",
+			"integrity": "sha512-9LBhB0lx+2lXVBEWxFZC+WO7PKEyE/ykJ7EPWCq95NEcCpblxamTbs5Dm3DLBGzwODpJMEnzQywJU8fw6XGGGA==",
+			"dev": true,
+			"license": "MIT",
+			"peerDependencies": {
+				"vite": ">= 2.7"
+			}
+		},
 		"node_modules/vite/node_modules/fsevents": {
 			"version": "2.3.3",
 			"resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index 14815ab3..6552cd1a 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -19,6 +19,7 @@
 		"@eslint/compat": "^1.2.5",
 		"@eslint/js": "^9.18.0",
 		"@playwright/test": "^1.49.1",
+		"@rollup/plugin-typescript": "^12.1.4",
 		"@sveltejs/adapter-auto": "^6.0.0",
 		"@sveltejs/kit": "^2.22.0",
 		"@sveltejs/vite-plugin-svelte": "^6.0.0",
@@ -30,12 +31,15 @@
 		"prettier": "^3.4.2",
 		"prettier-plugin-svelte": "^3.3.3",
 		"prettier-plugin-tailwindcss": "^0.6.11",
+		"rollup-plugin-css-only": "^4.5.2",
 		"svelte": "^5.0.0",
 		"svelte-check": "^4.0.0",
 		"tailwindcss": "^4.0.0",
+		"tslib": "^2.8.1",
 		"typescript": "^5.0.0",
 		"typescript-eslint": "^8.20.0",
-		"vite": "^7.0.4"
+		"vite": "^7.0.4",
+		"vite-plugin-environment": "^1.1.3"
 	},
 	"dependencies": {
 		"@dfinity/agent": "^3.1.0",
diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/api.ts
index 947e8054..f5dc0d15 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/api.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/api.ts
@@ -284,7 +284,7 @@ export class ChatAPI {
 		return _chatId === 'direct-2' || _chatId === 'group-2';
 	}
 
-	async rotateKeys(): Promise<KeyRotationStatus> {
+	async rotateKeys(_chatId: string): Promise<KeyRotationStatus> {
 		await this.delay(1000);
 
 		return {
diff --git a/examples/encrypted_chat/frontend/svelte.config.js b/examples/encrypted_chat/frontend/svelte.config.js
index ecf93682..87124351 100644
--- a/examples/encrypted_chat/frontend/svelte.config.js
+++ b/examples/encrypted_chat/frontend/svelte.config.js
@@ -4,7 +4,10 @@ import adapter from '@sveltejs/adapter-static';
 const config = {
 	preprocess: vitePreprocess(),
 	kit: {
-		adapter: adapter()
+		adapter: adapter(),
+		output: {
+			bundleStrategy: 'single'
+		}
 	}
 };
 
diff --git a/examples/encrypted_chat/frontend/vite.config.ts b/examples/encrypted_chat/frontend/vite.config.ts
index 2f222dba..e774b1b2 100644
--- a/examples/encrypted_chat/frontend/vite.config.ts
+++ b/examples/encrypted_chat/frontend/vite.config.ts
@@ -1,7 +1,15 @@
 import { sveltekit } from '@sveltejs/kit/vite';
 import { defineConfig } from 'vite';
 import tailwindcss from '@tailwindcss/vite';
+import environment from 'vite-plugin-environment';
+import typescript from '@rollup/plugin-typescript';
 
 export default defineConfig({
-	plugins: [tailwindcss(), sveltekit()]
-});
+	plugins: [
+	  typescript(),
+      tailwindcss(),
+	  sveltekit(),
+	  environment("all", { prefix: "CANISTER_" }),
+	  environment("all", { prefix: "DFX_" }),
+	],
+})

From 6d41345be144c1e7585333e9aaeb57aceb4a2fd5 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 6 Aug 2025 15:50:40 +0200
Subject: [PATCH 14/62] lint

---
 .../frontend/src/lib/services/api.ts               |  6 +++++-
 .../frontend/src/routes/+layout.svelte             |  2 +-
 .../encrypted_chat/frontend/src/routes/+layout.ts  |  2 +-
 .../frontend/src/routes/+page.svelte               |  4 ++--
 examples/encrypted_chat/frontend/vite.config.ts    | 14 +++++++-------
 5 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/api.ts
index f5dc0d15..d2ea14b8 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/api.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/api.ts
@@ -284,7 +284,11 @@ export class ChatAPI {
 		return _chatId === 'direct-2' || _chatId === 'group-2';
 	}
 
-	async rotateKeys(_chatId: string): Promise<KeyRotationStatus> {
+	async rotateKeys(chatId: string): Promise<KeyRotationStatus> {
+		// TODO: Implement actual key rotation
+		if (chatId === 'direct-2') {
+			await this.delay(1000);
+		}
 		await this.delay(1000);
 
 		return {
diff --git a/examples/encrypted_chat/frontend/src/routes/+layout.svelte b/examples/encrypted_chat/frontend/src/routes/+layout.svelte
index 8d1beaa8..819d4b92 100644
--- a/examples/encrypted_chat/frontend/src/routes/+layout.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+layout.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
-    import '../app.css';
+	import '../app.css';
 	import favicon from '$lib/assets/favicon.svg';
 	import NotificationBanner from '$lib/components/NotificationBanner.svelte';
 
diff --git a/examples/encrypted_chat/frontend/src/routes/+layout.ts b/examples/encrypted_chat/frontend/src/routes/+layout.ts
index c8cacf08..189f71e2 100644
--- a/examples/encrypted_chat/frontend/src/routes/+layout.ts
+++ b/examples/encrypted_chat/frontend/src/routes/+layout.ts
@@ -1 +1 @@
-export const prerender = true;
\ No newline at end of file
+export const prerender = true;
diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index 11eb3e15..fe59b6be 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -69,5 +69,5 @@
 {/if}
 
 <style lang="postcss">
-    @reference "tailwindcss";
-</style>
\ No newline at end of file
+	@reference "tailwindcss";
+</style>
diff --git a/examples/encrypted_chat/frontend/vite.config.ts b/examples/encrypted_chat/frontend/vite.config.ts
index e774b1b2..1b0e2f7e 100644
--- a/examples/encrypted_chat/frontend/vite.config.ts
+++ b/examples/encrypted_chat/frontend/vite.config.ts
@@ -6,10 +6,10 @@ import typescript from '@rollup/plugin-typescript';
 
 export default defineConfig({
 	plugins: [
-	  typescript(),
-      tailwindcss(),
-	  sveltekit(),
-	  environment("all", { prefix: "CANISTER_" }),
-	  environment("all", { prefix: "DFX_" }),
-	],
-})
+		typescript(),
+		tailwindcss(),
+		sveltekit(),
+		environment('all', { prefix: 'CANISTER_' }),
+		environment('all', { prefix: 'DFX_' })
+	]
+});

From 3250c790ca230fcbe5573fffeecfe004e19bb943 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 6 Aug 2025 18:12:53 +0200
Subject: [PATCH 15/62] improve some UI stuff

---
 .../encrypted_chat/frontend/package-lock.json | 104 +++++++-
 examples/encrypted_chat/frontend/package.json |   1 +
 examples/encrypted_chat/frontend/src/app.css  | 238 +++++++++++++++++-
 .../src/lib/components/ChatHeader.svelte      |  90 +++----
 .../src/lib/components/ChatInterface.svelte   |  40 +--
 .../src/lib/components/ChatList.svelte        |  16 +-
 .../src/lib/components/ChatListItem.svelte    |  37 ++-
 .../src/lib/components/EmojiPicker.svelte     |   2 +-
 .../components/GroupManagementModal.svelte    |  18 +-
 .../src/lib/components/MessageBubble.svelte   |  95 ++++++-
 .../src/lib/components/MessageHistory.svelte  |   8 +-
 .../src/lib/components/MessageInput.svelte    |  91 ++++---
 .../lib/components/NotificationBanner.svelte  |  27 +-
 .../src/lib/components/UserProfile.svelte     |  84 +++++--
 .../frontend/src/routes/+page.svelte          |  25 +-
 15 files changed, 685 insertions(+), 191 deletions(-)

diff --git a/examples/encrypted_chat/frontend/package-lock.json b/examples/encrypted_chat/frontend/package-lock.json
index 850b1f6d..66280861 100644
--- a/examples/encrypted_chat/frontend/package-lock.json
+++ b/examples/encrypted_chat/frontend/package-lock.json
@@ -10,6 +10,7 @@
 			"dependencies": {
 				"@dfinity/agent": "^3.1.0",
 				"@dfinity/auth-client": "^3.1.0",
+				"@melt-ui/svelte": "^0.86.6",
 				"@skeletonlabs/skeleton": "^3.1.7",
 				"@skeletonlabs/tw-plugin": "^0.4.1",
 				"@sveltejs/adapter-static": "^3.0.8",
@@ -714,6 +715,31 @@
 				"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
 			}
 		},
+		"node_modules/@floating-ui/core": {
+			"version": "1.7.3",
+			"resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.3.tgz",
+			"integrity": "sha512-sGnvb5dmrJaKEZ+LDIpguvdX3bDlEllmv4/ClQ9awcmCZrlx5jQyyMWFM5kBI+EyNOCDDiKk8il0zeuX3Zlg/w==",
+			"license": "MIT",
+			"dependencies": {
+				"@floating-ui/utils": "^0.2.10"
+			}
+		},
+		"node_modules/@floating-ui/dom": {
+			"version": "1.7.3",
+			"resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.7.3.tgz",
+			"integrity": "sha512-uZA413QEpNuhtb3/iIKoYMSK07keHPYeXF02Zhd6e213j+d1NamLix/mCLxBUDW/Gx52sPH2m+chlUsyaBs/Ag==",
+			"license": "MIT",
+			"dependencies": {
+				"@floating-ui/core": "^1.7.3",
+				"@floating-ui/utils": "^0.2.10"
+			}
+		},
+		"node_modules/@floating-ui/utils": {
+			"version": "0.2.10",
+			"resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.10.tgz",
+			"integrity": "sha512-aGTxbpbg8/b5JfU1HXSrbH3wXZuLPJcNEcZQFMxLs3oSzgtVu6nFPkbbGGUvBcUjKV2YyB9Wxxabo+HEH9tcRQ==",
+			"license": "MIT"
+		},
 		"node_modules/@humanfs/core": {
 			"version": "0.19.1",
 			"resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz",
@@ -780,6 +806,15 @@
 				"url": "https://github.com/sponsors/nzakas"
 			}
 		},
+		"node_modules/@internationalized/date": {
+			"version": "3.8.2",
+			"resolved": "https://registry.npmjs.org/@internationalized/date/-/date-3.8.2.tgz",
+			"integrity": "sha512-/wENk7CbvLbkUvX1tu0mwq49CVkkWpkXubGel6birjRPyo6uQ4nQpnq5xZu823zRCwwn82zgHrvgF1vZyvmVgA==",
+			"license": "Apache-2.0",
+			"dependencies": {
+				"@swc/helpers": "^0.5.0"
+			}
+		},
 		"node_modules/@isaacs/fs-minipass": {
 			"version": "4.0.1",
 			"resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz",
@@ -828,6 +863,41 @@
 				"@jridgewell/sourcemap-codec": "^1.4.14"
 			}
 		},
+		"node_modules/@melt-ui/svelte": {
+			"version": "0.86.6",
+			"resolved": "https://registry.npmjs.org/@melt-ui/svelte/-/svelte-0.86.6.tgz",
+			"integrity": "sha512-Jer+M7DgIwT5IHfTayb4Iw/fkkxWNmC/mqn/nMh9JrbPbkxmyabfLQnhJ+JDn5HK77f84j34lubO3iqFtYAfMg==",
+			"license": "MIT",
+			"dependencies": {
+				"@floating-ui/core": "^1.3.1",
+				"@floating-ui/dom": "^1.4.5",
+				"@internationalized/date": "^3.5.0",
+				"dequal": "^2.0.3",
+				"focus-trap": "^7.5.2",
+				"nanoid": "^5.0.4"
+			},
+			"peerDependencies": {
+				"svelte": "^3.0.0 || ^4.0.0 || ^5.0.0-next.118"
+			}
+		},
+		"node_modules/@melt-ui/svelte/node_modules/nanoid": {
+			"version": "5.1.5",
+			"resolved": "https://registry.npmjs.org/nanoid/-/nanoid-5.1.5.tgz",
+			"integrity": "sha512-Ir/+ZpE9fDsNH0hQ3C68uyThDXzYcim2EqcZ8zn8Chtt1iylPT9xXJB0kPCnqzgcEGikO9RxSrh63MsmVCU7Fw==",
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/ai"
+				}
+			],
+			"license": "MIT",
+			"bin": {
+				"nanoid": "bin/nanoid.js"
+			},
+			"engines": {
+				"node": "^18 || >=20"
+			}
+		},
 		"node_modules/@noble/curves": {
 			"version": "1.9.6",
 			"resolved": "https://registry.npmjs.org/@noble/curves/-/curves-1.9.6.tgz",
@@ -1656,6 +1726,15 @@
 				"vite": "^6.3.0 || ^7.0.0"
 			}
 		},
+		"node_modules/@swc/helpers": {
+			"version": "0.5.17",
+			"resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.17.tgz",
+			"integrity": "sha512-5IKx/Y13RsYd+sauPb2x+U/xZikHjolzfuDgTAl/Tdf3Q8rslRvC19NKDLgAJQ6wsqADk10ntlv08nPFw/gO/A==",
+			"license": "Apache-2.0",
+			"dependencies": {
+				"tslib": "^2.8.0"
+			}
+		},
 		"node_modules/@tailwindcss/node": {
 			"version": "4.1.11",
 			"resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.1.11.tgz",
@@ -2479,6 +2558,15 @@
 				"node": ">=0.10.0"
 			}
 		},
+		"node_modules/dequal": {
+			"version": "2.0.3",
+			"resolved": "https://registry.npmjs.org/dequal/-/dequal-2.0.3.tgz",
+			"integrity": "sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
 		"node_modules/detect-libc": {
 			"version": "2.0.4",
 			"resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.4.tgz",
@@ -2929,6 +3017,15 @@
 			"dev": true,
 			"license": "ISC"
 		},
+		"node_modules/focus-trap": {
+			"version": "7.6.5",
+			"resolved": "https://registry.npmjs.org/focus-trap/-/focus-trap-7.6.5.tgz",
+			"integrity": "sha512-7Ke1jyybbbPZyZXFxEftUtxFGLMpE2n6A+z//m4CRDlj0hW+o3iYSmh8nFlYMurOiJVDmJRilUQtJr08KfIxlg==",
+			"license": "MIT",
+			"dependencies": {
+				"tabbable": "^6.2.0"
+			}
+		},
 		"node_modules/fsevents": {
 			"version": "2.3.2",
 			"resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
@@ -4430,6 +4527,12 @@
 				}
 			}
 		},
+		"node_modules/tabbable": {
+			"version": "6.2.0",
+			"resolved": "https://registry.npmjs.org/tabbable/-/tabbable-6.2.0.tgz",
+			"integrity": "sha512-Cat63mxsVJlzYvN51JmVXIgNoUokrIaT2zLclCXjRd8boZ0004U4KCs/sToJ75C6sdlByWxpYnb5Boif1VSFew==",
+			"license": "MIT"
+		},
 		"node_modules/tailwindcss": {
 			"version": "4.1.11",
 			"resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.11.tgz",
@@ -4519,7 +4622,6 @@
 			"version": "2.8.1",
 			"resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
 			"integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
-			"dev": true,
 			"license": "0BSD"
 		},
 		"node_modules/type-check": {
diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index 6552cd1a..c963dc04 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -44,6 +44,7 @@
 	"dependencies": {
 		"@dfinity/agent": "^3.1.0",
 		"@dfinity/auth-client": "^3.1.0",
+		"@melt-ui/svelte": "^0.86.6",
 		"@skeletonlabs/skeleton": "^3.1.7",
 		"@skeletonlabs/tw-plugin": "^0.4.1",
 		"@sveltejs/adapter-static": "^3.0.8",
diff --git a/examples/encrypted_chat/frontend/src/app.css b/examples/encrypted_chat/frontend/src/app.css
index a4d02052..2b8486f6 100644
--- a/examples/encrypted_chat/frontend/src/app.css
+++ b/examples/encrypted_chat/frontend/src/app.css
@@ -1,7 +1,237 @@
 @import 'tailwindcss';
 
-@import '@skeletonlabs/skeleton';
-@import '@skeletonlabs/skeleton/optional/presets';
-@import '@skeletonlabs/skeleton/themes/modern';
+/* Modern Professional Design System */
+:root {
+  /* Color Palette - Professional & Modern */
+  --primary-50: #eff6ff;
+  --primary-100: #dbeafe;
+  --primary-200: #bfdbfe;
+  --primary-300: #93c5fd;
+  --primary-400: #60a5fa;
+  --primary-500: #3b82f6;
+  --primary-600: #2563eb;
+  --primary-700: #1d4ed8;
+  --primary-800: #1e40af;
+  --primary-900: #1e3a8a;
 
-@source '../node_modules/@skeletonlabs/skeleton-svelte/dist';
+  /* CSS variable mappings for primary colors */
+  --color-primary-50: var(--primary-50);
+  --color-primary-100: var(--primary-100);
+  --color-primary-200: var(--primary-200);
+  --color-primary-300: var(--primary-300);
+  --color-primary-400: var(--primary-400);
+  --color-primary-500: var(--primary-500);
+  --color-primary-600: var(--primary-600);
+  --color-primary-700: var(--primary-700);
+  --color-primary-800: var(--primary-800);
+  --color-primary-900: var(--primary-900);
+
+  /* CSS variable mappings for surface colors */
+  --color-surface-50: var(--gray-50);
+  --color-surface-100: var(--gray-100);
+  --color-surface-200: var(--gray-200);
+  --color-surface-300: var(--gray-300);
+  --color-surface-400: var(--gray-400);
+  --color-surface-500: var(--gray-500);
+  --color-surface-600: var(--gray-600);
+  --color-surface-700: var(--gray-700);
+  --color-surface-800: var(--gray-800);
+  --color-surface-900: var(--gray-900);
+
+  --gray-50: #f9fafb;
+  --gray-100: #f3f4f6;
+  --gray-200: #e5e7eb;
+  --gray-300: #d1d5db;
+  --gray-400: #9ca3af;
+  --gray-500: #6b7280;
+  --gray-600: #4b5563;
+  --gray-700: #374151;
+  --gray-800: #1f2937;
+  --gray-900: #111827;
+
+  /* Modern shadows */
+  --shadow-xs: 0 1px 2px 0 rgb(0 0 0 / 0.05);
+  --shadow-sm: 0 1px 3px 0 rgb(0 0 0 / 0.1), 0 1px 2px -1px rgb(0 0 0 / 0.1);
+  --shadow-md: 0 4px 6px -1px rgb(0 0 0 / 0.1), 0 2px 4px -2px rgb(0 0 0 / 0.1);
+  --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1);
+  --shadow-xl: 0 20px 25px -5px rgb(0 0 0 / 0.1), 0 8px 10px -6px rgb(0 0 0 / 0.1);
+
+  /* Border radius */
+  --radius-sm: 0.375rem;
+  --radius: 0.5rem;
+  --radius-md: 0.75rem;
+  --radius-lg: 1rem;
+  --radius-xl: 1.5rem;
+}
+
+/* Dark mode */
+.dark {
+  --gray-50: #111827;
+  --gray-100: #1f2937;
+  --gray-200: #374151;
+  --gray-300: #4b5563;
+  --gray-400: #6b7280;
+  --gray-500: #9ca3af;
+  --gray-600: #d1d5db;
+  --gray-700: #e5e7eb;
+  --gray-800: #f3f4f6;
+  --gray-900: #f9fafb;
+}
+
+/* Professional Component Styles */
+.btn {
+  @apply inline-flex items-center justify-center whitespace-nowrap rounded-lg text-sm font-medium transition-all duration-200;
+  @apply focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-blue-500 focus-visible:ring-offset-2;
+  @apply disabled:pointer-events-none disabled:opacity-50;
+}
+
+.btn-sm {
+  @apply h-9 px-3;
+}
+
+.btn-md {
+  @apply h-10 px-4;
+}
+
+.btn-lg {
+  @apply h-11 px-8;
+}
+
+.variant-filled-primary {
+  @apply bg-blue-600 text-white hover:bg-blue-700 shadow-md hover:shadow-lg transform hover:-translate-y-0.5;
+}
+
+.variant-outline-primary {
+  @apply border border-blue-200 bg-white text-blue-700 hover:bg-blue-50 shadow-sm hover:shadow-md;
+  @apply dark:border-blue-800 dark:bg-gray-800 dark:text-blue-300 dark:hover:bg-gray-700;
+}
+
+.variant-ghost-primary {
+  @apply text-blue-700 hover:bg-blue-100 hover:text-blue-800;
+  @apply dark:text-blue-300 dark:hover:bg-gray-800 dark:hover:text-blue-200;
+}
+
+.card {
+  @apply rounded-xl border border-gray-200 bg-white shadow-lg dark:border-gray-700 dark:bg-gray-800;
+}
+
+.input {
+  @apply flex w-full rounded-lg border border-gray-200 bg-white px-3 py-2 text-sm transition-all;
+  @apply focus:border-blue-500 focus:outline-none focus:ring-2 focus:ring-blue-500/20;
+  @apply dark:border-gray-700 dark:bg-gray-800 dark:text-gray-100;
+}
+
+.badge {
+  @apply inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-medium;
+}
+
+.badge-secondary {
+  @apply bg-gray-100 text-gray-800 dark:bg-gray-700 dark:text-gray-300;
+}
+
+/* Modern Chat Interface Classes */
+.bg-surface-50-900 {
+  @apply bg-gray-50 dark:bg-gray-900;
+}
+
+.bg-surface-100-800 {
+  @apply bg-gray-100 dark:bg-gray-800;
+}
+
+.bg-surface-200-700 {
+  @apply bg-gray-200 dark:bg-gray-700;
+}
+
+.border-surface-200-700 {
+  @apply border-gray-200 dark:border-gray-700;
+}
+
+.text-surface-500-400 {
+  @apply text-gray-500 dark:text-gray-400;
+}
+
+/* Professional glass effect */
+.glass-effect {
+  backdrop-filter: blur(16px);
+  background: rgba(255, 255, 255, 0.9);
+  border: 1px solid rgba(255, 255, 255, 0.2);
+  box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 8px 10px -6px rgba(0, 0, 0, 0.1);
+}
+
+.dark .glass-effect {
+  background: rgba(17, 24, 39, 0.9);
+  border: 1px solid rgba(75, 85, 99, 0.2);
+}
+
+/* Message bubbles */
+.message-bubble-own {
+  @apply bg-blue-600 text-white rounded-2xl rounded-br-md shadow-lg;
+}
+
+.message-bubble-other {
+  @apply bg-white border border-gray-200 text-gray-900 rounded-2xl rounded-bl-md shadow-lg;
+  @apply dark:bg-gray-700 dark:border-gray-600 dark:text-gray-100;
+}
+
+/* Modern scrollbar */
+.modern-scrollbar {
+  scrollbar-width: thin;
+  scrollbar-color: rgb(156 163 175) transparent;
+}
+
+.modern-scrollbar::-webkit-scrollbar {
+  width: 6px;
+}
+
+.modern-scrollbar::-webkit-scrollbar-track {
+  background: transparent;
+}
+
+.modern-scrollbar::-webkit-scrollbar-thumb {
+  @apply bg-gray-300 hover:bg-gray-400 rounded-full;
+}
+
+.dark .modern-scrollbar::-webkit-scrollbar-thumb {
+  @apply bg-gray-600 hover:bg-gray-500;
+}
+
+/* Professional animations */
+@keyframes fade-in {
+  from { opacity: 0; transform: translateY(10px); }
+  to { opacity: 1; transform: translateY(0); }
+}
+
+@keyframes slide-in {
+  from { opacity: 0; transform: translateX(-20px); }
+  to { opacity: 1; transform: translateX(0); }
+}
+
+@keyframes pulse-glow {
+  0%, 100% { box-shadow: 0 0 0 0 rgba(59, 130, 246, 0.4); }
+  50% { box-shadow: 0 0 0 10px rgba(59, 130, 246, 0); }
+}
+
+.animate-fade-in {
+  animation: fade-in 0.3s ease-out;
+}
+
+.animate-slide-in {
+  animation: slide-in 0.3s ease-out;
+}
+
+.animate-pulse-glow {
+  animation: pulse-glow 2s infinite;
+}
+
+/* Professional gradients */
+.gradient-primary {
+  background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+}
+
+.gradient-secondary {
+  background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%);
+}
+
+.gradient-success {
+  background: linear-gradient(135deg, #4facfe 0%, #00f2fe 100%);
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index e3320428..5c689382 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -1,6 +1,8 @@
 <script lang="ts">
 	import { Settings, RotateCcw, Info, ArrowLeft } from 'lucide-svelte';
-	import type { Chat, RatchetStats } from '../types';
+	import Button from './ui/Button.svelte';
+	import Card from './ui/Card.svelte';
+	import type { Chat, RatchetStats, GroupChat } from '../types';
 	import { chatAPI } from '../services/api';
 	import { chatActions } from '../stores/chat';
 	import GroupManagementModal from './GroupManagementModal.svelte';
@@ -14,6 +16,14 @@
 	let loadingRatchetStats = false;
 	let showGroupManagement = false;
 
+	// Reset state when chat changes
+	$: if (chat) {
+		showChatInfo = false;
+		ratchetStats = null;
+		loadingRatchetStats = false;
+		showGroupManagement = false;
+	}
+
 	async function handleChatInfoToggle() {
 		showChatInfo = !showChatInfo;
 		if (showChatInfo && !ratchetStats && !loadingRatchetStats) {
@@ -26,7 +36,7 @@
 
 		loadingRatchetStats = true;
 		try {
-			ratchetStats = await chatAPI.getRatchetStats(chat.id);
+			ratchetStats = await chatAPI.getRatchetStats();
 		} catch (error) {
 			console.error('Failed to load ratchet stats:', error);
 		} finally {
@@ -109,68 +119,60 @@
 	}
 </script>
 
-<div class="chat-header bg-surface-100-800-token border-surface-300-600-token border-b p-4">
+<div class="chat-header glass-effect border-b border-white/10 p-6 backdrop-blur-xl">
 	<div class="flex items-center justify-between">
 		<!-- Chat info -->
 		<div class="flex items-center gap-3">
 			<!-- Mobile back button -->
 			{#if showMobileBackButton}
-				<button
-					class="variant-ghost-surface btn-icon md:hidden"
-					on:click={onMobileBack}
+				<Button
+					variant="ghost"
+					size="sm"
+					class="md:hidden"
+					on:click={onMobileBack || (() => {})}
 					aria-label="Back to chat list"
 				>
 					<ArrowLeft class="h-5 w-5" />
-				</button>
+				</Button>
 			{/if}
 			<div
-				class="avatar flex h-10 w-10 items-center justify-center rounded-full bg-primary-500 text-lg"
+				class="avatar flex h-12 w-12 items-center justify-center rounded-full bg-gradient-to-br from-blue-500 to-purple-600 text-white text-lg font-bold shadow-lg"
 			>
 				{getDisplayAvatar()}
 			</div>
 			<div>
-				<h2 class="text-lg font-semibold">{getDisplayName()}</h2>
-				<p class="text-surface-600-300-token text-sm">{getOnlineStatus()}</p>
+				<h2 class="text-xl font-bold bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-transparent dark:from-gray-100 dark:to-gray-300">{getDisplayName()}</h2>
+				<p class="text-gray-500 dark:text-gray-400 text-sm font-medium">{getOnlineStatus()}</p>
 			</div>
 		</div>
 
 		<!-- Actions -->
 		<div class="flex items-center gap-2">
-			{#if chat.keyRotationStatus.isRotationNeeded}
-				<button
-					class="variant-filled-warning btn"
-					on:click={rotateKeys}
-					disabled={chat.isUpdating}
-					title="Rotate encryption keys"
-				>
-					<RotateCcw class="h-4 w-4 {chat.isUpdating ? 'animate-spin' : ''}" />
-					Rotate Keys
-				</button>
-			{/if}
-
-			<button
-				class="variant-ghost-surface btn-icon"
+			<Button
+				variant="ghost"
+				size="sm"
 				on:click={handleChatInfoToggle}
 				title="Chat information"
 			>
 				<Info class="h-5 w-5" />
-			</button>
+			</Button>
 
 			{#if chat.type === 'group'}
-				<button
-					class="variant-ghost-surface btn-icon"
+				<Button
+					variant="ghost"
+					size="sm"
 					on:click={() => (showGroupManagement = true)}
 					title="Manage group"
 				>
 					<Settings class="h-5 w-5" />
-				</button>
+				</Button>
 			{/if}
 		</div>
 	</div>
 
 	<!-- Chat info panel -->
 	{#if showChatInfo}
-		<div class="chat-info bg-surface-200-700-token mt-4 rounded-lg p-4">
+		<Card class="mt-4">
 			<h3 class="mb-3 font-semibold">Chat Information</h3>
 
 			<div class="grid grid-cols-1 gap-4 md:grid-cols-2">
@@ -179,15 +181,15 @@
 					<h4 class="mb-2 font-medium">Details</h4>
 					<div class="space-y-2 text-sm">
 						<div class="flex justify-between">
-							<span class="text-surface-600-300-token">Type:</span>
+							<span class="text-surface-500-400">Type:</span>
 							<span class="capitalize">{chat.type}</span>
 						</div>
 						<div class="flex justify-between">
-							<span class="text-surface-600-300-token">Participants:</span>
+							<span class="text-surface-500-400">Participants:</span>
 							<span>{chat.participants.length}</span>
 						</div>
 						<div class="flex justify-between">
-							<span class="text-surface-600-300-token">Disappearing messages:</span>
+							<span class="text-surface-500-400">Disappearing messages:</span>
 							<span
 								>{chat.disappearingMessagesDuration === 0
 									? 'Disabled'
@@ -195,7 +197,7 @@
 							>
 						</div>
 						<div class="flex justify-between">
-							<span class="text-surface-600-300-token">Status:</span>
+							<span class="text-surface-500-400">Status:</span>
 							<span class="flex items-center gap-1">
 								<div
 									class="h-2 w-2 rounded-full {chat.isReady ? 'bg-success-500' : 'bg-error-500'}"
@@ -211,19 +213,19 @@
 					<h4 class="mb-2 font-medium">Encryption</h4>
 					<div class="space-y-2 text-sm">
 						<div class="flex justify-between">
-							<span class="text-surface-600-300-token">Ratchet epoch:</span>
+							<span class="text-surface-500-400">Ratchet epoch:</span>
 							<span>{chat.ratchetEpoch}</span>
 						</div>
 						<div class="flex justify-between">
-							<span class="text-surface-600-300-token">Last key rotation:</span>
+							<span class="text-surface-500-400">Last key rotation:</span>
 							<span>{formatDate(chat.keyRotationStatus.lastRotation)}</span>
 						</div>
 						<div class="flex justify-between">
-							<span class="text-surface-600-300-token">Next rotation:</span>
+							<span class="text-surface-500-400">Next rotation:</span>
 							<span>{formatDate(chat.keyRotationStatus.nextRotation)}</span>
 						</div>
 						<div class="flex justify-between">
-							<span class="text-surface-600-300-token">Rotation needed:</span>
+							<span class="text-surface-500-400">Rotation needed:</span>
 							<span
 								class="text-{chat.keyRotationStatus.isRotationNeeded ? 'warning' : 'success'}-500"
 							>
@@ -239,19 +241,19 @@
 						<h4 class="mb-2 font-medium">Ratchet Statistics</h4>
 						<div class="grid grid-cols-2 gap-4 text-sm">
 							<div class="flex justify-between">
-								<span class="text-surface-600-300-token">Current epoch:</span>
+								<span class="text-surface-500-400">Current epoch:</span>
 								<span>{ratchetStats.currentEpoch}</span>
 							</div>
 							<div class="flex justify-between">
-								<span class="text-surface-600-300-token">Messages in epoch:</span>
+								<span class="text-surface-500-400">Messages in epoch:</span>
 								<span>{ratchetStats.messagesInCurrentEpoch}</span>
 							</div>
 							<div class="flex justify-between">
-								<span class="text-surface-600-300-token">Last rotation:</span>
+								<span class="text-surface-500-400">Last rotation:</span>
 								<span>{formatDate(ratchetStats.lastRotation)}</span>
 							</div>
 							<div class="flex justify-between">
-								<span class="text-surface-600-300-token">Next scheduled:</span>
+								<span class="text-surface-500-400">Next scheduled:</span>
 								<span>{formatDate(ratchetStats.nextScheduledRotation)}</span>
 							</div>
 						</div>
@@ -284,7 +286,7 @@
 												? 'bg-success-500'
 												: 'bg-surface-400'}"
 										></div>
-										<span class="text-surface-600-300-token">
+										<span class="text-surface-500-400">
 											{participant.isOnline ? 'Online' : 'Offline'}
 										</span>
 									</div>
@@ -294,7 +296,7 @@
 					</div>
 				{/if}
 			</div>
-		</div>
+		</Card>
 	{/if}
 </div>
 
@@ -302,7 +304,7 @@
 {#if chat.type === 'group'}
 	<GroupManagementModal
 		bind:show={showGroupManagement}
-		groupChat={chat}
+		groupChat={chat as GroupChat}
 		on:save={handleGroupManagementSave}
 		on:close={() => (showGroupManagement = false)}
 	/>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
index 43ff877a..330df85e 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
@@ -31,21 +31,31 @@
 
 <div class="chat-interface flex h-full flex-col">
 	{#if $selectedChat}
-		<!-- Chat Header -->
-		<ChatHeader chat={$selectedChat} showMobileBackButton={isMobile} {onMobileBack} />
+		{#key $selectedChat.id}
+			<!-- Chat Header -->
+			<ChatHeader chat={$selectedChat} showMobileBackButton={isMobile} {onMobileBack} />
 
-		<!-- Message History -->
-		<MessageHistory />
+			<!-- Message History -->
+			<MessageHistory />
 
-		<!-- Message Input -->
-		<MessageInput
-			disabled={!$selectedChat.isReady}
-			placeholder={$selectedChat.isReady ? 'Type a message...' : 'Chat is not ready...'}
-			on:send={handleSendMessage}
-		/>
-	{:else}
+			<!-- Message Input -->
+			<MessageInput
+				disabled={!$selectedChat.isReady}
+				placeholder={$selectedChat.isReady ? 'Type a message...' : 'Chat is not ready...'}
+				on:send={handleSendMessage}
+			/>
+		{/key}
+{:else}
 		<!-- No chat selected state -->
-		<div class="no-chat-selected flex flex-1 items-center justify-center">
+		<!-- Empty Chat Header -->
+		<div class="glass-effect border-b border-white/10 p-6">
+			<div class="flex items-center justify-center">
+				<h2 class="text-xl font-bold bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-transparent dark:from-gray-100 dark:to-gray-300">VetKeys Chat</h2>
+			</div>
+		</div>
+		
+		<!-- Welcome content -->
+		<div class="flex flex-1 items-center justify-center">
 			<div class="max-w-md p-8 text-center">
 				<div
 					class="bg-surface-200-700-token mx-auto mb-6 flex h-24 w-24 items-center justify-center rounded-full text-4xl"
@@ -85,11 +95,5 @@
 		background: var(--color-surface-900);
 	}
 
-	.no-chat-selected {
-		background: var(--color-surface-100);
-	}
 
-	:global(.dark) .no-chat-selected {
-		background: var(--color-surface-800);
-	}
 </style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index 5ce90088..e879aa79 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -13,25 +13,25 @@
 </script>
 
 <div
-	class="chat-list bg-surface-50-900-token border-surface-300-600-token flex h-full flex-col border-r"
+	class="chat-list glass-effect flex h-full flex-col border-r border-white/20 backdrop-blur-xl"
 >
 	<!-- User Profile -->
 	<UserProfile />
 
 	<!-- Chat List Header -->
-	<div class="border-surface-300-600-token border-b p-4">
-		<h2 class="text-lg font-bold">Chats</h2>
-		<p class="text-surface-600-300-token text-sm">
+	<div class="border-b border-white/10 p-6">
+		<h2 class="text-xl font-bold bg-gradient-to-r from-blue-600 to-purple-600 bg-clip-text text-transparent">Chats</h2>
+		<p class="text-gray-500 dark:text-gray-400 text-sm font-medium mt-1">
 			{$chats.length} conversation{$chats.length !== 1 ? 's' : ''}
 		</p>
 	</div>
 
 	<!-- Chat List -->
-	<div class="scrollbar-thin flex-1 overflow-y-auto">
+	<div class="scrollbar-thin flex-1 overflow-y-auto p-2">
 		{#each $chats as chat (chat.id)}
 			<ChatListItem {chat} isSelected={$selectedChatId === chat.id} on:select={handleChatSelect} />
 		{:else}
-			<div class="p-8 text-center text-surface-600-300-token">
+			<div class="p-8 text-center text-surface-600-500">
 				<p class="text-lg mb-2">No chats yet</p>
 				<p class="text-sm">Your conversations will appear here</p>
 			</div>
@@ -47,8 +47,8 @@
 
 	@media (max-width: 768px) {
 		.chat-list {
-			width: 100%;
-			min-width: 100%;
+			width: 50%;
+			min-width: 50%;
 		}
 	}
 </style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
index 31519ee7..c14ff22c 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -56,7 +56,7 @@
 </script>
 
 <button
-	class="chat-item w-full p-3 text-left transition-colors duration-200 {isSelected
+	class="chat-item w-full p-3 text-left overflow-hidden transition-colors duration-200 {isSelected
 		? 'selected'
 		: 'hover:bg-surface-100-800-token'}"
 	on:click={handleClick}
@@ -78,7 +78,7 @@
 		</div>
 
 		<!-- Chat info -->
-		<div class="min-w-0 flex-1">
+		<div class="min-w-0 flex-1 overflow-hidden">
 			<div class="mb-1 flex items-center justify-between">
 				<h3 class="truncate text-sm font-semibold">{getDisplayName()}</h3>
 				<div class="flex items-center gap-2">
@@ -121,37 +121,50 @@
 						{chat.disappearingMessagesDuration}d
 					</div>
 				{/if}
-
-				{#if chat.keyRotationStatus.isRotationNeeded}
-					<div class="status-chip rounded bg-warning-500 px-2 py-0.5 text-xs text-white">
-						Key rotation needed
-					</div>
-				{/if}
-
-				<div class="status-chip bg-surface-200-700-token rounded px-2 py-0.5 text-xs">
-					Epoch {chat.ratchetEpoch}
-				</div>
 			</div>
 		</div>
 	</div>
 </button>
 
 <style>
+
 	.chat-item {
 		border-bottom: 1px solid var(--color-surface-300);
+		margin: 2px 0px;
+		padding: 5px 5px;
+		border-radius: 12px;
+		border: 1px solid var(--color-surface-200);
+		transition: all 0.2s ease;
+	}
+
+	.chat-item:hover {
+		background: var(--color-surface-100);
+		border-color: var(--color-surface-300);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.05);
 	}
 
 	:global(.dark) .chat-item {
 		border-bottom-color: var(--color-surface-600);
+		border-color: var(--color-surface-700);
+	}
+
+	:global(.dark) .chat-item:hover {
+		background: var(--color-surface-700);
+		border-color: var(--color-surface-600);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.2);
 	}
 
 	.chat-item.selected {
 		background: var(--color-primary-100);
+		border-color: var(--color-primary-300);
 		border-right: 3px solid var(--color-primary-500);
+		box-shadow: 0 2px 12px rgba(59, 130, 246, 0.15);
 	}
 
 	:global(.dark) .chat-item.selected {
 		background: var(--color-primary-900);
+		border-color: var(--color-primary-700);
+		box-shadow: 0 2px 12px rgba(59, 130, 246, 0.25);
 	}
 
 	.unread-badge {
diff --git a/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte b/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
index 95c0fda1..332c508a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
@@ -155,7 +155,7 @@
 {#if show}
 	<!-- Backdrop -->
 	<div
-		class="bg-opacity-25 fixed inset-0 z-40 bg-black"
+		class="fixed inset-0 z-40 bg-black/25"
 		on:click={handleOutsideClick}
 		role="button"
 		tabindex="-1"
diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index 86356ee5..56f1604a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -70,10 +70,10 @@
 
 {#if show}
 	<!-- Backdrop -->
-	<div class="bg-opacity-50 fixed inset-0 z-50 flex items-center justify-center bg-black p-4">
+	<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4">
 		<!-- Modal -->
 		<div
-			class="bg-surface-100-800-token max-h-[80vh] w-full max-w-2xl overflow-hidden rounded-lg shadow-xl"
+			class="card max-h-[80vh] w-full max-w-2xl overflow-hidden rounded-xl shadow-2xl backdrop-blur-xl"
 		>
 			<!-- Header -->
 			<div class="border-surface-300-600-token flex items-center justify-between border-b p-6">
@@ -227,14 +227,22 @@
 
 			<!-- Footer -->
 			<div class="border-surface-300-600-token flex items-center justify-end gap-3 border-t p-6">
-				<button class="variant-ghost-surface btn" on:click={handleClose}> Cancel </button>
+				<button 
+					class="variant-ghost-surface btn" 
+					on:click={handleClose}
+					title="Cancel"
+					aria-label="Cancel"
+				> 
+					<X class="h-4 w-4" />
+				</button>
 				<button
 					class="variant-filled-primary btn"
 					on:click={handleSave}
 					disabled={selectedToAdd.length === 0 && selectedToRemove.length === 0}
+					title="Save Changes"
+					aria-label="Save Changes"
 				>
-					<Save class="mr-2 h-4 w-4" />
-					Save Changes
+					<Save class="h-4 w-4" />
 				</button>
 			</div>
 		</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
index c0705901..5133c174 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
@@ -1,5 +1,6 @@
 <script lang="ts">
 	import { Download, File } from 'lucide-svelte';
+	import Button from './ui/Button.svelte';
 	import type { Message, User } from '../types';
 
 	export let message: Message;
@@ -7,6 +8,7 @@
 	export let isOwnMessage: boolean = false;
 	export let showAvatar: boolean = true;
 	export let showTimestamp: boolean = true;
+	export let isGroupChat: boolean = false;
 
 	function formatTime(date: Date): string {
 		return date.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit' });
@@ -63,6 +65,46 @@
 		}
 		return result;
 	}
+
+	// Generate a consistent color for a user based on their name
+	function getUserColor(userName: string): string {
+		if (!userName) return 'bg-gray-500';
+		
+		// Predefined color palette for better visual consistency
+		const colors = [
+			'bg-purple-500',
+			'bg-blue-500', 
+			'bg-green-500',
+			'bg-yellow-500',
+			'bg-red-500',
+			'bg-indigo-500',
+			'bg-pink-500',
+			'bg-teal-500',
+			'bg-orange-500',
+			'bg-cyan-500',
+			'bg-lime-500',
+			'bg-rose-500'
+		];
+
+		// Simple hash function for consistency
+		let hash = 0;
+		for (let i = 0; i < userName.length; i++) {
+			hash = userName.charCodeAt(i) + ((hash << 5) - hash);
+		}
+		const index = Math.abs(hash) % colors.length;
+		return colors[index];
+	}
+
+	// Get message bubble color classes
+	function getMessageBubbleClasses(): string {
+		if (isOwnMessage) {
+			return 'own-message';
+		} else if (isGroupChat && sender) {
+			return `other-message group-message ${getUserColor(sender.name)}`;
+		} else {
+			return 'other-message';
+		}
+	}
 </script>
 
 <div
@@ -90,9 +132,7 @@
 
 		<!-- Message bubble -->
 		<div
-			class="message-bubble {isOwnMessage
-				? 'own-message'
-				: 'other-message'} max-w-full rounded-2xl px-3 py-2 break-words"
+			class="message-bubble {getMessageBubbleClasses()} max-w-full rounded-2xl px-3 py-2 break-words inline-block"
 		>
 			{#if message.type === 'text'}
 				<!-- eslint-disable-next-line svelte/no-at-html-tags -->
@@ -120,17 +160,19 @@
 						<div class="flex items-center justify-between">
 							<div class="min-w-0 flex-1">
 								<p class="truncate text-sm font-medium">{message.fileData.name}</p>
-								<p class="text-surface-600-300-token text-xs">
+								<p class="text-xs text-surface-500-400">
 									{formatFileSize(message.fileData.size)}
 								</p>
 							</div>
-							<button
-								class="variant-ghost-surface ml-2 btn-icon"
+							<Button
+								variant="ghost"
+								size="sm"
+								class="ml-2"
 								on:click={downloadFile}
 								aria-label="Download file"
 							>
 								<Download class="h-4 w-4" />
-							</button>
+							</Button>
 						</div>
 					</div>
 				</div>
@@ -156,8 +198,9 @@
 
 <style>
 	.message-bubble.own-message {
-		background: var(--color-primary-500);
+		background: var(--color-primary-600);
 		color: white;
+		border: 1px solid var(--color-primary-700);
 	}
 
 	.message-bubble.other-message {
@@ -170,12 +213,48 @@
 		color: var(--color-surface-100);
 	}
 
+	/* Group chat message colors */
+	.message-bubble.group-message {
+		color: white !important;
+		border: 1px solid rgba(255, 255, 255, 0.2);
+	}
+
+	/* User-specific colors for group chats */
+	.message-bubble.bg-purple-500 { background: #8b5cf6; }
+	.message-bubble.bg-blue-500 { background: #3b82f6; }
+	.message-bubble.bg-green-500 { background: #10b981; }
+	.message-bubble.bg-yellow-500 { background: #f59e0b; }
+	.message-bubble.bg-red-500 { background: #ef4444; }
+	.message-bubble.bg-indigo-500 { background: #6366f1; }
+	.message-bubble.bg-pink-500 { background: #ec4899; }
+	.message-bubble.bg-teal-500 { background: #14b8a6; }
+	.message-bubble.bg-orange-500 { background: #f97316; }
+	.message-bubble.bg-cyan-500 { background: #06b6d4; }
+	.message-bubble.bg-lime-500 { background: #84cc16; }
+	.message-bubble.bg-rose-500 { background: #f43f5e; }
+
+	/* Dark mode variants */
+	:global(.dark) .message-bubble.bg-purple-500 { background: #7c3aed; }
+	:global(.dark) .message-bubble.bg-blue-500 { background: #2563eb; }
+	:global(.dark) .message-bubble.bg-green-500 { background: #059669; }
+	:global(.dark) .message-bubble.bg-yellow-500 { background: #d97706; }
+	:global(.dark) .message-bubble.bg-red-500 { background: #dc2626; }
+	:global(.dark) .message-bubble.bg-indigo-500 { background: #4f46e5; }
+	:global(.dark) .message-bubble.bg-pink-500 { background: #db2777; }
+	:global(.dark) .message-bubble.bg-teal-500 { background: #0d9488; }
+	:global(.dark) .message-bubble.bg-orange-500 { background: #ea580c; }
+	:global(.dark) .message-bubble.bg-cyan-500 { background: #0891b2; }
+	:global(.dark) .message-bubble.bg-lime-500 { background: #65a30d; }
+	:global(.dark) .message-bubble.bg-rose-500 { background: #e11d48; }
+
 	.file-message {
 		min-width: 200px;
 	}
 
 	.message-container {
 		transition: all 0.2s ease;
+		margin: 4px 0;
+		border-radius: 8px;
 	}
 
 	.message-container:hover {
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
index c1ff2468..b9892920 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
@@ -104,7 +104,7 @@
 		>
 			{#if $selectedChatMessages.length === 0}
 				<!-- Empty state -->
-				<div class="empty-state flex h-full flex-col items-center justify-center p-8 text-center">
+				<div class="empty-state flex h-full flex-col items-center justify-center p-8 pt-12 text-center">
 					<div
 						class="avatar mb-4 flex h-16 w-16 items-center justify-center rounded-full bg-primary-500 text-2xl"
 					>
@@ -158,6 +158,7 @@
 								isOwnMessage={isOwnMessage(message)}
 								showAvatar={shouldShowAvatar(message, index)}
 								showTimestamp={shouldShowTimestamp(message, index)}
+								isGroupChat={$selectedChat?.type === 'group'}
 							/>
 						</div>
 					{/each}
@@ -225,11 +226,6 @@
 		margin: 8px 0;
 	}
 
-	.empty-state,
-	.no-chat-selected {
-		background: var(--color-surface-50);
-	}
-
 	:global(.dark) .empty-state,
 	:global(.dark) .no-chat-selected {
 		background: var(--color-surface-900);
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
index 4132f126..35493184 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
@@ -2,6 +2,8 @@
 	import { createEventDispatcher } from 'svelte';
 	import { Send, Paperclip, Smile, X } from 'lucide-svelte';
 	import EmojiPicker from './EmojiPicker.svelte';
+	import Button from './ui/Button.svelte';
+	import Card from './ui/Card.svelte';
 	import type { FileUpload } from '../types';
 
 	export let disabled = false;
@@ -103,38 +105,32 @@
 	}
 </script>
 
-<div
-	class="message-input-container bg-surface-100-800-token border-surface-300-600-token border-t p-4"
->
+<div class="border-t border-white/10 glass-effect p-6 backdrop-blur-xl">
 	<!-- File preview -->
 	{#if selectedFile}
-		<div class="file-preview bg-surface-200-700-token mb-3 rounded-lg p-3">
+		<Card padding="sm" class="mb-3">
 			<div class="flex items-start gap-3">
 				{#if selectedFile.preview}
 					<img src={selectedFile.preview} alt="Preview" class="h-16 w-16 rounded object-cover" />
 				{:else}
-					<div class="bg-surface-300-600-token flex h-16 w-16 items-center justify-center rounded">
+					<div class="flex h-16 w-16 items-center justify-center rounded bg-surface-200-700">
 						<Paperclip class="h-6 w-6" />
 					</div>
 				{/if}
 
 				<div class="min-w-0 flex-1">
 					<p class="truncate text-sm font-medium">{selectedFile.file.name}</p>
-					<p class="text-surface-600-300-token text-xs">{formatFileSize(selectedFile.file.size)}</p>
+					<p class="text-xs text-surface-500-400">{formatFileSize(selectedFile.file.size)}</p>
 					{#if !selectedFile.isValid && selectedFile.error}
 						<p class="mt-1 text-xs text-error-500">{selectedFile.error}</p>
 					{/if}
 				</div>
 
-				<button
-					class="variant-ghost-surface btn-icon"
-					on:click={removeFile}
-					aria-label="Remove file"
-				>
+				<Button variant="ghost" size="sm" on:click={removeFile} aria-label="Remove file">
 					<X class="h-4 w-4" />
-				</button>
+				</Button>
 			</div>
-		</div>
+		</Card>
 	{/if}
 
 	<!-- Input area -->
@@ -148,16 +144,6 @@
 			style="display: none;"
 		/>
 
-		<!-- File button -->
-		<button
-			class="variant-ghost-surface btn-icon"
-			on:click={handleFileSelect}
-			{disabled}
-			aria-label="Attach file"
-		>
-			<Paperclip class="h-5 w-5" />
-		</button>
-
 		<!-- Message input -->
 		<div class="relative flex-1">
 			<textarea
@@ -166,37 +152,48 @@
 				{placeholder}
 				{disabled}
 				rows="1"
-				class="message-input bg-surface-200-700-token border-surface-300-600-token w-full resize-none rounded-lg border px-3 py-2 pr-10 text-sm focus:border-transparent focus:ring-2 focus:ring-primary-500 focus:outline-none"
-				style="min-height: 40px; max-height: 120px;"
+				class="message-input w-full resize-none rounded-xl border border-gray-200/50 bg-white/80 backdrop-blur-sm px-4 py-3 pr-20 text-sm shadow-lg focus:border-blue-500 focus:ring-2 focus:ring-blue-500/20 focus:outline-none dark:border-gray-700/50 dark:bg-gray-800/80"
+				style="min-height: 44px; max-height: 120px;"
 			></textarea>
 
-			<!-- Emoji button -->
-			<button
-				class="variant-ghost-surface absolute top-1/2 right-2 btn-icon -translate-y-1/2"
-				on:click={() => (showEmojiPicker = !showEmojiPicker)}
-				{disabled}
-				aria-label="Add emoji"
-			>
-				<Smile class="h-4 w-4" />
-			</button>
+			<!-- Attachment and Emoji buttons -->
+			<div class="absolute top-1/2 right-2 -translate-y-1/2 flex items-center gap-1">
+				<!-- Attachment button -->
+				<Button
+					variant="ghost"
+					size="sm"
+					on:click={handleFileSelect}
+					{disabled}
+					title="Attach file (max {MAX_FILE_SIZE / 1024}KB)"
+					aria-label="Attach file"
+				>
+					<Paperclip class="h-4 w-4" />
+				</Button>
+
+				<!-- Emoji button -->
+				<Button
+					variant="ghost"
+					size="sm"
+					on:click={() => (showEmojiPicker = !showEmojiPicker)}
+					{disabled}
+					aria-label="Add emoji"
+				>
+					<Smile class="h-4 w-4" />
+				</Button>
+			</div>
 		</div>
 
 		<!-- Send button -->
-		<button
-			class="variant-filled-primary btn"
+		<Button
+			variant="filled"
 			on:click={handleSend}
-			disabled={disabled ||
-				(!messageText.trim() && !selectedFile) ||
-				(selectedFile && !selectedFile.isValid)}
+			disabled={disabled || 
+				(!messageText.trim() && !selectedFile) || 
+				!!(selectedFile && selectedFile.isValid === false)}
 			aria-label="Send message"
 		>
 			<Send class="h-5 w-5" />
-		</button>
-	</div>
-
-	<!-- File size info -->
-	<div class="text-surface-600-300-token mt-2 text-xs">
-		Maximum file size: {MAX_FILE_SIZE / 1024}KB
+		</Button>
 	</div>
 </div>
 
@@ -208,6 +205,8 @@
 />
 
 <style>
+	@reference "tailwindcss";
+	
 	.message-input {
 		scrollbar-width: thin;
 	}
@@ -217,7 +216,7 @@
 	}
 
 	.message-input::-webkit-scrollbar-thumb {
-		background-color: var(--color-surface-400);
+		@apply bg-gray-400;
 		border-radius: 2px;
 	}
 </style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
index 55a98086..5bbdbc7e 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
@@ -45,23 +45,22 @@
 	}
 </script>
 
-<!-- Disclaimer Banner -->
+<!-- Disclaimer Banner - Bottom Overlay -->
 {#if showDisclaimer}
 	<div
-		class="alert variant-filled-warning fixed top-0 right-0 left-0 z-50 rounded-none border-0 border-b"
-		transition:fly={{ y: -100, duration: 300 }}
+		class="fixed bottom-0 right-0 left-0 z-50 bg-orange-100 border-t-2 border-orange-400 shadow-lg"
+		transition:fly={{ y: 100, duration: 300 }}
 	>
-		<AlertTriangle class="h-6 w-6" />
-		<div class="alert-message flex-1">
-			<h3 class="h4">Disclaimer</h3>
-			<p>
-				This sample dapp is intended exclusively for experimental purpose. You are advised not to
-				use this dapp for storing your critical data such as keys or passwords.
-			</p>
-		</div>
-		<div class="alert-actions">
+		<div class="flex items-center gap-3 p-3">
+			<AlertTriangle class="h-5 w-5 text-orange-600" />
+			<div class="flex-1">
+				<span class="text-sm text-orange-800">
+					<strong>Disclaimer:</strong> This sample dapp is intended exclusively for experimental purposes. 
+					You are advised not to use this dapp for storing your critical data such as keys or passwords.
+				</span>
+			</div>
 			<button
-				class="variant-filled btn-icon"
+				class="text-orange-600 hover:text-orange-800 p-1 rounded transition-colors"
 				on:click={dismissDisclaimer}
 				aria-label="Dismiss disclaimer"
 			>
@@ -117,4 +116,6 @@
 		align-items: center;
 		gap: 0.5rem;
 	}
+
+
 </style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index ebf6875f..2fd8dee7 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { Settings } from 'lucide-svelte';
+	import { Settings, X, Check } from 'lucide-svelte';
 	import { currentUser, userConfig, chatActions } from '../stores/chat';
 
 	let showConfig = false;
@@ -19,6 +19,12 @@
 		await chatActions.updateUserConfig(configForm);
 		showConfig = false;
 	}
+
+	function handleBackdropClick(event: MouseEvent) {
+		if (event.target === event.currentTarget) {
+			showConfig = false;
+		}
+	}
 </script>
 
 <div class="user-profile border-surface-300-600-token border-b p-4">
@@ -42,13 +48,38 @@
 		</button>
 	</div>
 
-	{#if showConfig}
-		<div class="config-panel bg-surface-200-700-token mt-4 rounded-lg p-3">
-			<h4 class="mb-3 text-sm font-semibold">Configuration</h4>
+</div>
+
+<!-- Settings Modal -->
+{#if showConfig}
+	<!-- Backdrop -->
+	<div
+		class="fixed inset-0 z-50 bg-black/50 backdrop-blur-sm"
+		on:click={handleBackdropClick}
+		role="button"
+		tabindex="-1"
+		on:keydown={() => {}}
+	></div>
+
+	<!-- Modal -->
+	<div class="fixed inset-0 z-50 flex items-center justify-center p-4">
+		<div class="config-modal bg-white dark:bg-gray-800 rounded-2xl shadow-2xl border border-gray-200 dark:border-gray-700 w-full max-w-md">
+			<!-- Header -->
+			<div class="flex items-center justify-between p-6 border-b border-gray-200 dark:border-gray-700">
+				<h3 class="text-lg font-semibold text-gray-900 dark:text-gray-100">Settings</h3>
+				<button
+					class="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300 p-1 rounded-lg hover:bg-gray-100 dark:hover:bg-gray-700 transition-colors"
+					on:click={() => (showConfig = false)}
+					aria-label="Close settings"
+				>
+					<X class="h-5 w-5" />
+				</button>
+			</div>
 
-			<div class="space-y-4">
+			<!-- Content -->
+			<div class="p-6 space-y-4">
 				<div>
-					<label for="cache-retention" class="mb-1 block text-sm font-medium">
+					<label for="cache-retention" class="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-2">
 						Cache Retention (days)
 					</label>
 					<input
@@ -57,24 +88,34 @@
 						min="1"
 						max="365"
 						bind:value={configForm.cacheRetentionDays}
-						class="input w-full"
+						class="w-full px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-lg bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 focus:ring-2 focus:ring-blue-500 focus:border-transparent outline-none transition-all"
 						placeholder="7"
 					/>
-					<p class="text-surface-600-300-token mt-1 text-xs">
-						How often to remove user's cache data
+					<p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+						How long to keep cached data before automatic cleanup
 					</p>
 				</div>
 			</div>
 
-			<div class="mt-4 flex gap-2">
-				<button class="variant-filled-primary btn flex-1" on:click={saveConfig}> Save </button>
-				<button class="variant-ghost-surface btn flex-1" on:click={() => (showConfig = false)}>
+			<!-- Footer -->
+			<div class="flex items-center justify-end gap-3 p-6 border-t border-gray-200 dark:border-gray-700">
+				<button
+					class="px-4 py-2 text-gray-700 dark:text-gray-300 hover:bg-gray-100 dark:hover:bg-gray-700 rounded-lg transition-colors"
+					on:click={() => (showConfig = false)}
+				>
 					Cancel
 				</button>
+				<button
+					class="px-4 py-2 bg-blue-600 hover:bg-blue-700 text-white rounded-lg transition-colors flex items-center gap-2"
+					on:click={saveConfig}
+				>
+					<Check class="h-4 w-4" />
+					Save
+				</button>
 			</div>
 		</div>
-	{/if}
-</div>
+	</div>
+{/if}
 
 <style>
 	.user-profile {
@@ -84,4 +125,19 @@
 	:global(.dark) .user-profile {
 		background: var(--color-surface-800);
 	}
+
+	.config-modal {
+		animation: modalSlideIn 0.2s ease-out;
+	}
+
+	@keyframes modalSlideIn {
+		from {
+			opacity: 0;
+			transform: scale(0.95);
+		}
+		to {
+			opacity: 1;
+			transform: scale(1);
+		}
+	}
 </style>
diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index fe59b6be..9586d374 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -38,20 +38,23 @@
 
 {#if $isLoading}
 	<!-- Loading state -->
-	<div class="loading-screen bg-surface-100-800-token flex h-full items-center justify-center">
-		<div class="text-center">
-			<div
-				class="mx-auto mb-4 h-16 w-16 animate-spin rounded-full border-4 border-primary-500 border-t-transparent"
-			></div>
-			<h2 class="mb-2 text-lg font-semibold">Loading VetKeys Chat</h2>
-			<p class="text-surface-600-300-token">Initializing secure communication...</p>
+	<div class="loading-screen bg-gradient-to-br from-blue-50 to-indigo-100 dark:from-gray-900 dark:to-gray-800 flex h-full items-center justify-center">
+		<div class="text-center animate-fade-in">
+			<div class="mx-auto mb-6 h-16 w-16 animate-spin rounded-full border-4 border-blue-500 border-t-transparent shadow-lg"></div>
+			<h2 class="mb-3 text-xl font-bold bg-gradient-to-r from-blue-600 to-purple-600 bg-clip-text text-transparent">Loading VetKeys Chat</h2>
+			<p class="text-gray-600 dark:text-gray-400 font-medium">Initializing secure communication...</p>
+			<div class="mt-4 flex justify-center space-x-1">
+				<div class="h-2 w-2 bg-blue-500 rounded-full animate-bounce"></div>
+				<div class="h-2 w-2 bg-blue-500 rounded-full animate-bounce" style="animation-delay: 0.1s"></div>
+				<div class="h-2 w-2 bg-blue-500 rounded-full animate-bounce" style="animation-delay: 0.2s"></div>
+			</div>
 		</div>
 	</div>
 {:else}
 	<!-- Main chat interface -->
-	<div class="chat-container flex h-full">
+	<div class="chat-container flex h-full bg-gradient-to-br from-gray-50 via-blue-50 to-indigo-50 dark:from-gray-900 dark:via-gray-800 dark:to-gray-900">
 		<!-- Chat List Sidebar (Desktop) or Full Screen (Mobile) -->
-		<div class="chat-list-wrapper {isMobile ? (showMobileChatList ? 'block' : 'hidden') : 'block'}">
+		<div class="chat-list-wrapper width-full {isMobile ? (showMobileChatList ? 'block' : 'hidden') : 'block'}">
 			<ChatList />
 		</div>
 
@@ -69,5 +72,5 @@
 {/if}
 
 <style lang="postcss">
-	@reference "tailwindcss";
-</style>
+    @reference "tailwindcss";
+</style>
\ No newline at end of file

From 8cec3a4a740da858daee8986da5cc29f53e31a86 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 6 Aug 2025 18:23:57 +0200
Subject: [PATCH 16/62] colors

---
 .../src/lib/components/ChatListItem.svelte    | 81 ++++++++++++++-----
 1 file changed, 60 insertions(+), 21 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
index c14ff22c..2cf006df 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -56,7 +56,7 @@
 </script>
 
 <button
-	class="chat-item w-full p-3 text-left overflow-hidden transition-colors duration-200 {isSelected
+	class="chat-item w-full p-3 text-left overflow-hidden transition-all duration-200 {isSelected
 		? 'selected'
 		: 'hover:bg-surface-100-800-token'}"
 	on:click={handleClick}
@@ -65,13 +65,13 @@
 		<!-- Avatar -->
 		<div class="relative">
 			<div
-				class="avatar flex h-12 w-12 items-center justify-center rounded-full bg-primary-500 text-lg"
+				class="avatar flex h-12 w-12 items-center justify-center rounded-full bg-gradient-to-br from-primary-500 to-primary-600 text-white text-lg shadow-sm"
 			>
 				{getDisplayAvatar()}
 			</div>
 			<!-- Status indicator -->
 			<div class="absolute -right-1 -bottom-1">
-				<div class="h-4 w-4 rounded-full {getStatusColor()} flex items-center justify-center">
+				<div class="h-4 w-4 rounded-full {getStatusColor()} flex items-center justify-center shadow-sm">
 					<svelte:component this={getStatusIcon()} class="h-2.5 w-2.5 text-white" />
 				</div>
 			</div>
@@ -80,14 +80,14 @@
 		<!-- Chat info -->
 		<div class="min-w-0 flex-1 overflow-hidden">
 			<div class="mb-1 flex items-center justify-between">
-				<h3 class="truncate text-sm font-semibold">{getDisplayName()}</h3>
+				<h3 class="truncate text-sm font-semibold text-surface-900-100-token">{getDisplayName()}</h3>
 				<div class="flex items-center gap-2">
 					{#if chat.type === 'group'}
-						<Users class="text-surface-600-300-token h-3 w-3" />
+						<Users class="text-surface-500-400-token h-3 w-3" />
 					{:else}
-						<User class="text-surface-600-300-token h-3 w-3" />
+						<User class="text-surface-500-400-token h-3 w-3" />
 					{/if}
-					<span class="text-surface-600-300-token text-xs">
+					<span class="text-surface-500-400-token text-xs">
 						{formatTime(chat.lastActivity)}
 					</span>
 				</div>
@@ -104,7 +104,7 @@
 
 				{#if chat.unreadCount > 0}
 					<div
-						class="unread-badge flex h-5 min-w-[20px] items-center justify-center rounded-full bg-primary-500 px-2 py-1 text-xs text-white"
+						class="unread-badge flex h-5 min-w-[20px] items-center justify-center rounded-full bg-gradient-to-r from-primary-500 to-primary-600 px-2 py-1 text-xs text-white shadow-sm"
 					>
 						{chat.unreadCount > 99 ? '99+' : chat.unreadCount}
 					</div>
@@ -115,7 +115,7 @@
 			<div class="mt-1 flex items-center gap-2">
 				{#if chat.disappearingMessagesDuration > 0}
 					<div
-						class="status-chip bg-surface-200-700-token flex items-center gap-1 rounded px-2 py-0.5 text-xs"
+						class="status-chip bg-gradient-to-r from-amber-100 to-amber-200 text-amber-800 flex items-center gap-1 rounded-full px-2 py-0.5 text-xs shadow-sm"
 					>
 						<Clock class="h-3 w-3" />
 						{chat.disappearingMessagesDuration}d
@@ -127,53 +127,92 @@
 </button>
 
 <style>
-
 	.chat-item {
-		border-bottom: 1px solid var(--color-surface-300);
 		margin: 2px 0px;
-		padding: 5px 5px;
+		padding: 12px 16px;
 		border-radius: 12px;
 		border: 1px solid var(--color-surface-200);
+		background: var(--color-surface-50);
 		transition: all 0.2s ease;
+		position: relative;
 	}
 
 	.chat-item:hover {
 		background: var(--color-surface-100);
 		border-color: var(--color-surface-300);
-		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.05);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.08);
+		transform: translateY(-1px);
 	}
 
 	:global(.dark) .chat-item {
-		border-bottom-color: var(--color-surface-600);
+		background: var(--color-surface-800);
 		border-color: var(--color-surface-700);
 	}
 
 	:global(.dark) .chat-item:hover {
 		background: var(--color-surface-700);
 		border-color: var(--color-surface-600);
-		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.2);
+		box-shadow: 0 2px 8px rgba(0, 0, 0, 0.3);
 	}
 
 	.chat-item.selected {
-		background: var(--color-primary-100);
-		border-color: var(--color-primary-300);
-		border-right: 3px solid var(--color-primary-500);
-		box-shadow: 0 2px 12px rgba(59, 130, 246, 0.15);
+		background: linear-gradient(135deg, var(--color-primary-50), var(--color-primary-100));
+		border-color: var(--color-primary-200);
+		border-left: 4px solid var(--color-primary-500);
+		box-shadow: 0 4px 16px rgba(59, 130, 246, 0.15);
+		transform: translateY(-1px);
 	}
 
 	:global(.dark) .chat-item.selected {
-		background: var(--color-primary-900);
+		background: linear-gradient(135deg, var(--color-primary-900), var(--color-primary-800));
 		border-color: var(--color-primary-700);
-		box-shadow: 0 2px 12px rgba(59, 130, 246, 0.25);
+		box-shadow: 0 4px 16px rgba(59, 130, 246, 0.25);
+	}
+
+	.status-ready {
+		background: linear-gradient(135deg, #10b981, #059669);
+	}
+
+	.status-updating {
+		background: linear-gradient(135deg, #f59e0b, #d97706);
+		animation: pulse 2s infinite;
+	}
+
+	.status-error {
+		background: linear-gradient(135deg, #ef4444, #dc2626);
+	}
+
+	@keyframes pulse {
+		0%, 100% {
+			opacity: 1;
+		}
+		50% {
+			opacity: 0.7;
+		}
 	}
 
 	.unread-badge {
 		font-size: 10px;
 		line-height: 1;
+		font-weight: 600;
 	}
 
 	.status-chip {
 		font-size: 10px;
 		line-height: 1;
+		font-weight: 500;
+	}
+
+	:global(.dark) .status-chip {
+		background: linear-gradient(135deg, #92400e, #78350f);
+		color: #fef3c7;
+	}
+
+	.avatar {
+		transition: transform 0.2s ease;
+	}
+
+	.chat-item:hover .avatar {
+		transform: scale(1.05);
 	}
 </style>

From 3ca1ea0c89ae179d668fbf3679b03b13818d4c06 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Thu, 7 Aug 2025 11:57:48 +0200
Subject: [PATCH 17/62] frontend...

---
 examples/encrypted_chat/frontend/package.json    |  5 +++--
 .../frontend/scripts/gen_bindings.sh             | 11 +++++++++++
 .../encrypted_chat/frontend/static/robots.txt    |  3 ---
 .../encrypted_chat/frontend/svelte.config.js     | 16 ++++++++++++++--
 examples/encrypted_chat/frontend/tsconfig.json   |  2 +-
 examples/encrypted_chat/rust/backend/Makefile    | 15 +++++++++++++++
 examples/encrypted_chat/rust/frontend            |  1 +
 7 files changed, 45 insertions(+), 8 deletions(-)
 create mode 100644 examples/encrypted_chat/frontend/scripts/gen_bindings.sh
 delete mode 100644 examples/encrypted_chat/frontend/static/robots.txt
 create mode 100644 examples/encrypted_chat/rust/backend/Makefile
 create mode 120000 examples/encrypted_chat/rust/frontend

diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index c963dc04..8d45b35a 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -4,8 +4,9 @@
 	"version": "0.0.1",
 	"type": "module",
 	"scripts": {
-		"dev": "vite dev",
-		"build": "vite build",
+        "build": "npm run build:bindings && vite build",
+        "dev": "npm run build:bindings && vite dev",
+        "build:bindings": "cd scripts && ./gen_bindings.sh",
 		"preview": "vite preview",
 		"prepare": "svelte-kit sync || echo ''",
 		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
diff --git a/examples/encrypted_chat/frontend/scripts/gen_bindings.sh b/examples/encrypted_chat/frontend/scripts/gen_bindings.sh
new file mode 100644
index 00000000..0ff62bd1
--- /dev/null
+++ b/examples/encrypted_chat/frontend/scripts/gen_bindings.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd ../../backend && make extract-candid
+
+cd .. && dfx generate encrypted_chat || exit 1
+
+rm -r frontend/src/declarations/encrypted_chat > /dev/null 2>&1 || true
+
+mkdir -p frontend/src/declarations/encrypted_chat
+mv src/declarations/encrypted_chat frontend/src/declarations
+rmdir -p src/declarations > /dev/null 2>&1 || true
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/static/robots.txt b/examples/encrypted_chat/frontend/static/robots.txt
deleted file mode 100644
index b6dd6670..00000000
--- a/examples/encrypted_chat/frontend/static/robots.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-# allow crawling everything by default
-User-agent: *
-Disallow:
diff --git a/examples/encrypted_chat/frontend/svelte.config.js b/examples/encrypted_chat/frontend/svelte.config.js
index 87124351..bb8bd6fc 100644
--- a/examples/encrypted_chat/frontend/svelte.config.js
+++ b/examples/encrypted_chat/frontend/svelte.config.js
@@ -4,11 +4,23 @@ import adapter from '@sveltejs/adapter-static';
 const config = {
 	preprocess: vitePreprocess(),
 	kit: {
-		adapter: adapter(),
+		adapter: adapter({
+			pages: 'dist',
+			assets: 'dist',
+			fallback: null,
+			precompress: true
+		}),
+		prerender: {
+			entries: ['*'] // ensures all routes are prerendered
+		},
 		output: {
 			bundleStrategy: 'single'
 		}
+	},
+	compilerOptions: {
+		experimental: {
+			async: true
+		}
 	}
 };
-
 export default config;
diff --git a/examples/encrypted_chat/frontend/tsconfig.json b/examples/encrypted_chat/frontend/tsconfig.json
index 0b2d8865..78ea2167 100644
--- a/examples/encrypted_chat/frontend/tsconfig.json
+++ b/examples/encrypted_chat/frontend/tsconfig.json
@@ -7,7 +7,7 @@
 		"forceConsistentCasingInFileNames": true,
 		"resolveJsonModule": true,
 		"skipLibCheck": true,
-		"sourceMap": true,
+		"sourceMap": false,
 		"strict": true,
 		"moduleResolution": "bundler"
 	}
diff --git a/examples/encrypted_chat/rust/backend/Makefile b/examples/encrypted_chat/rust/backend/Makefile
new file mode 100644
index 00000000..fa945cea
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/Makefile
@@ -0,0 +1,15 @@
+.PHONY: compile-wasm
+.SILENT: compile-wasm
+compile-wasm:
+	cargo build --release --target wasm32-unknown-unknown
+
+.PHONY: extract-candid
+.SILENT: extract-candid
+extract-candid: compile-wasm
+	candid-extractor ../target/wasm32-unknown-unknown/release/ic-vetkeys-example-encrypted-chat-backend.wasm > backend.did
+
+.PHONY: clean
+.SILENT: clean
+clean:
+	cargo clean
+	rm -rf ../.dfx
\ No newline at end of file
diff --git a/examples/encrypted_chat/rust/frontend b/examples/encrypted_chat/rust/frontend
new file mode 120000
index 00000000..af288785
--- /dev/null
+++ b/examples/encrypted_chat/rust/frontend
@@ -0,0 +1 @@
+../frontend
\ No newline at end of file

From cea44c393621dfda80d02b6477288b96e1dc1fff Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Thu, 7 Aug 2025 11:58:26 +0200
Subject: [PATCH 18/62] add files for UI component to git that I forgot to add
 before

---
 .../src/lib/components/ui/Badge.svelte        | 17 ++++
 .../src/lib/components/ui/Button.svelte       | 34 ++++++++
 .../src/lib/components/ui/Card.svelte         | 29 +++++++
 .../src/lib/components/ui/Dialog.svelte       | 80 +++++++++++++++++++
 .../src/lib/components/ui/Input.svelte        | 36 +++++++++
 5 files changed, 196 insertions(+)
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
new file mode 100644
index 00000000..a2919190
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
@@ -0,0 +1,17 @@
+<script lang="ts">
+	export let variant: 'filled' | 'outline' | 'soft' = 'filled';
+	export let color: 'primary' | 'secondary' | 'tertiary' | 'success' | 'warning' | 'error' = 'primary';
+	let className: string = '';
+	export { className as class };
+
+	$: classes = [
+		'badge',
+		`variant-${variant}-${color}`,
+		'transition-all duration-200',
+		className
+	].filter(Boolean).join(' ');
+</script>
+
+<span class={classes} {...$$restProps}>
+	<slot />
+</span>
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
new file mode 100644
index 00000000..21f15654
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
@@ -0,0 +1,34 @@
+<script lang="ts">
+	export let variant: 'filled' | 'outline' | 'ghost' | 'gradient' = 'filled';
+	export let size: 'sm' | 'md' | 'lg' = 'md';
+	export let disabled: boolean = false;
+	export let type: 'button' | 'submit' | 'reset' = 'button';
+	let className: string = '';
+	export { className as class };
+
+	// Define variant classes using Skeleton v3's design tokens
+	const variantClasses = {
+		filled: 'variant-filled-primary',
+		outline: 'variant-outline-primary',
+		ghost: 'variant-ghost-primary',
+		gradient: 'bg-gradient-to-r from-primary-500 to-secondary-500 text-on-primary-token hover:from-primary-600 hover:to-secondary-600'
+	};
+
+	const sizeClasses = {
+		sm: 'btn-sm',
+		md: 'btn-md',
+		lg: 'btn-lg'
+	};
+
+	$: classes = [
+		'btn',
+		variantClasses[variant],
+		sizeClasses[size],
+		'transition-all duration-200',
+		className
+	].filter(Boolean).join(' ');
+</script>
+
+<button class={classes} {disabled} {type} {...$$restProps} on:click>
+	<slot />
+</button>
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
new file mode 100644
index 00000000..1cc7260b
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
@@ -0,0 +1,29 @@
+<script lang="ts">
+	export let variant: 'filled' | 'glass' | 'outlined' = 'filled';
+	export let padding: 'none' | 'sm' | 'md' | 'lg' = 'md';
+	let className: string = '';
+	export { className as class };
+
+	const variantClasses = {
+		filled: 'card',
+		glass: 'card variant-glass',
+		outlined: 'card variant-outline'
+	};
+
+	const paddingClasses = {
+		none: '',
+		sm: 'p-4',
+		md: 'p-6',
+		lg: 'p-8'
+	};
+
+	$: classes = [
+		variantClasses[variant],
+		paddingClasses[padding],
+		className
+	].filter(Boolean).join(' ');
+</script>
+
+<div class={classes} {...$$restProps}>
+	<slot />
+</div>
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte
new file mode 100644
index 00000000..3838639e
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte
@@ -0,0 +1,80 @@
+<script lang="ts">
+	import { createDialog, melt } from '@melt-ui/svelte';
+	import { fade, fly } from 'svelte/transition';
+	import { X } from 'lucide-svelte';
+
+	export let open: boolean = false;
+	export let title: string = '';
+	let className: string = '';
+	export { className as class };
+
+	const {
+		elements: { trigger, overlay, content, title: titleEl, description, close },
+		states: { open: openState }
+	} = createDialog({
+		defaultOpen: open
+	});
+
+	// Sync the open state bidirectionally
+	$: openState.set(open);
+	$: open = $openState;
+</script>
+
+<!-- Trigger slot (optional) -->
+{#if $$slots.trigger}
+	<slot name="trigger" {trigger} />
+{/if}
+
+{#if $openState}
+	<!-- Overlay -->
+	<div
+		use:melt={$overlay}
+		class="fixed inset-0 z-50 bg-black/50 backdrop-blur-sm"
+		transition:fade={{ duration: 150 }}
+	></div>
+
+	<!-- Dialog Content -->
+	<div
+		use:melt={$content}
+		class="fixed left-1/2 top-1/2 z-50 max-h-[85vh] w-[90vw] max-w-md -translate-x-1/2 -translate-y-1/2 card p-6 shadow-lg {className}"
+		transition:fly={{ y: -50, duration: 200 }}
+	>
+		<!-- Close Button -->
+		<button
+			use:melt={$close}
+			class="absolute right-4 top-4 btn-icon btn-icon-sm variant-ghost-surface hover:variant-filled-surface"
+			aria-label="Close dialog"
+		>
+			<X size={16} />
+		</button>
+
+		<!-- Header -->
+		{#if title || $$slots.header}
+			<div class="mb-4">
+				{#if title}
+					<h2 use:melt={$titleEl} class="text-lg font-semibold text-on-surface-token">
+						{title}
+					</h2>
+				{/if}
+				<slot name="header" />
+			</div>
+		{/if}
+
+		<!-- Description (for accessibility) -->
+		<div use:melt={$description} class="sr-only">
+			<slot name="description" />
+		</div>
+
+		<!-- Content -->
+		<div class="dialog-content">
+			<slot />
+		</div>
+
+		<!-- Footer -->
+		{#if $$slots.footer}
+			<div class="mt-6 flex justify-end gap-2">
+				<slot name="footer" {close} />
+			</div>
+		{/if}
+	</div>
+{/if}
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte
new file mode 100644
index 00000000..1ab82f3f
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte
@@ -0,0 +1,36 @@
+<script lang="ts">
+	export let value: string | number = '';
+	export let type: string = 'text';
+	export let placeholder: string = '';
+	export let disabled: boolean = false;
+	export let required: boolean = false;
+	export let variant: 'default' | 'minimal' = 'default';
+	let className: string = '';
+	export { className as class };
+
+	const variantClasses = {
+		default: 'input',
+		minimal: 'input variant-form-material'
+	};
+
+	$: classes = [
+		variantClasses[variant],
+		'transition-all duration-200',
+		'focus:ring-2 focus:ring-primary-500 focus:ring-offset-2',
+		className
+	].filter(Boolean).join(' ');
+</script>
+
+<input
+	class={classes}
+	{type}
+	{placeholder}
+	{disabled}
+	{required}
+	bind:value
+	{...$$restProps}
+	on:input
+	on:change
+	on:blur
+	on:focus
+/>
\ No newline at end of file

From a0bb83233ab65494069e845b27fa72865cd4d64e Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Thu, 7 Aug 2025 12:02:09 +0200
Subject: [PATCH 19/62] typo

---
 examples/encrypted_chat/frontend/scripts/gen_bindings.sh | 0
 examples/encrypted_chat/rust/backend/Makefile            | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 examples/encrypted_chat/frontend/scripts/gen_bindings.sh

diff --git a/examples/encrypted_chat/frontend/scripts/gen_bindings.sh b/examples/encrypted_chat/frontend/scripts/gen_bindings.sh
old mode 100644
new mode 100755
diff --git a/examples/encrypted_chat/rust/backend/Makefile b/examples/encrypted_chat/rust/backend/Makefile
index fa945cea..a8ffe99b 100644
--- a/examples/encrypted_chat/rust/backend/Makefile
+++ b/examples/encrypted_chat/rust/backend/Makefile
@@ -6,7 +6,7 @@ compile-wasm:
 .PHONY: extract-candid
 .SILENT: extract-candid
 extract-candid: compile-wasm
-	candid-extractor ../target/wasm32-unknown-unknown/release/ic-vetkeys-example-encrypted-chat-backend.wasm > backend.did
+	candid-extractor ../target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm > backend.did
 
 .PHONY: clean
 .SILENT: clean

From 420b5e6673485f88b0d221d8ca514a889673183b Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Fri, 8 Aug 2025 18:16:07 +0200
Subject: [PATCH 20/62] frontend wip

---
 .../encrypted_chat/frontend/eslint.config.js  |  10 +
 .../encrypted_chat/frontend/package-lock.json |  77 ++++
 examples/encrypted_chat/frontend/package.json |   9 +-
 examples/encrypted_chat/frontend/src/app.css  | 257 ++++++------
 .../src/lib/components/ChatHeader.svelte      |  36 +-
 .../src/lib/components/ChatInterface.svelte   |  45 +-
 .../src/lib/components/ChatList.svelte        |  37 +-
 .../src/lib/components/ChatListItem.svelte    |  21 +-
 .../src/lib/components/DisclaimerCopy.svelte  |   4 +
 .../src/lib/components/EmojiPicker.svelte     |   8 +-
 .../components/GroupManagementModal.svelte    |  26 +-
 .../frontend/src/lib/components/Hero.svelte   |  35 ++
 .../src/lib/components/MessageBubble.svelte   | 118 ++++--
 .../src/lib/components/MessageHistory.svelte  |  64 +--
 .../src/lib/components/MessageInput.svelte    |  36 +-
 .../lib/components/NotificationBanner.svelte  |  16 +-
 .../src/lib/components/Spinner.svelte         |   5 +
 .../src/lib/components/UserProfile.svelte     |  88 ++--
 .../src/lib/components/ui/Badge.svelte        |  24 +-
 .../src/lib/components/ui/Button.svelte       |  40 +-
 .../src/lib/components/ui/Card.svelte         |  21 +-
 .../src/lib/components/ui/Dialog.svelte       |  80 ----
 .../src/lib/components/ui/Input.svelte        |  36 --
 .../frontend/src/lib/services/api.ts          | 384 +++++-------------
 .../frontend/src/lib/services/identity.ts     |  83 ----
 .../frontend/src/lib/stores/auth.svelte.ts    | 100 +++++
 .../lib/stores/{chat.ts => chat.svelte.ts}    | 176 ++++----
 .../frontend/src/lib/types/index.ts           |  18 +-
 .../frontend/src/routes/+page.svelte          |  67 ++-
 .../encrypted_chat/rust/backend/backend.did   |   3 +-
 .../encrypted_chat/rust/backend/src/lib.rs    |  20 +-
 .../encrypted_chat/rust/backend/src/types.rs  |   1 +
 .../rust/backend/tests/direct_chat.rs         |  31 +-
 .../rust/backend/tests/group_chat.rs          |   4 +
 34 files changed, 997 insertions(+), 983 deletions(-)
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/DisclaimerCopy.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/Spinner.svelte
 delete mode 100644 examples/encrypted_chat/frontend/src/lib/services/identity.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
 rename examples/encrypted_chat/frontend/src/lib/stores/{chat.ts => chat.svelte.ts} (55%)

diff --git a/examples/encrypted_chat/frontend/eslint.config.js b/examples/encrypted_chat/frontend/eslint.config.js
index a9628784..34f48500 100644
--- a/examples/encrypted_chat/frontend/eslint.config.js
+++ b/examples/encrypted_chat/frontend/eslint.config.js
@@ -36,5 +36,15 @@ export default ts.config(
 				svelteConfig
 			}
 		}
+	},
+	{
+		ignores: [
+			'dist/',
+			'src/declarations',
+			'*.config.js',
+			'*.config.cjs',
+			'*.config.mjs',
+			'.svelte-kit'
+		]
 	}
 );
diff --git a/examples/encrypted_chat/frontend/package-lock.json b/examples/encrypted_chat/frontend/package-lock.json
index 66280861..42e688be 100644
--- a/examples/encrypted_chat/frontend/package-lock.json
+++ b/examples/encrypted_chat/frontend/package-lock.json
@@ -14,7 +14,9 @@
 				"@skeletonlabs/skeleton": "^3.1.7",
 				"@skeletonlabs/tw-plugin": "^0.4.1",
 				"@sveltejs/adapter-static": "^3.0.8",
+				"fake-indexeddb": "^6.0.1",
 				"idb-keyval": "^6.2.2",
+				"isomorphic-fetch": "^3.0.0",
 				"lucide-svelte": "^0.536.0",
 				"sass": "^1.90.0"
 			},
@@ -27,6 +29,7 @@
 				"@sveltejs/kit": "^2.22.0",
 				"@sveltejs/vite-plugin-svelte": "^6.0.0",
 				"@tailwindcss/vite": "^4.0.0",
+				"@types/isomorphic-fetch": "^0.0.39",
 				"eslint": "^9.18.0",
 				"eslint-config-prettier": "^10.0.1",
 				"eslint-plugin-svelte": "^3.0.0",
@@ -2024,6 +2027,13 @@
 			"integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
 			"license": "MIT"
 		},
+		"node_modules/@types/isomorphic-fetch": {
+			"version": "0.0.39",
+			"resolved": "https://registry.npmjs.org/@types/isomorphic-fetch/-/isomorphic-fetch-0.0.39.tgz",
+			"integrity": "sha512-I0gou/ZdA1vMG7t7gMzL7VYu2xAKU78rW9U1l10MI0nn77pEHq3tQqHQ8hMmXdMpBlkxZOorjI4sO594Z3kKJw==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/@types/json-schema": {
 			"version": "7.0.15",
 			"resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz",
@@ -2878,6 +2888,15 @@
 				"node": ">=0.10.0"
 			}
 		},
+		"node_modules/fake-indexeddb": {
+			"version": "6.0.1",
+			"resolved": "https://registry.npmjs.org/fake-indexeddb/-/fake-indexeddb-6.0.1.tgz",
+			"integrity": "sha512-He2AjQGHe46svIFq5+L2Nx/eHDTI1oKgoevBP+TthnjymXiKkeJQ3+ITeWey99Y5+2OaPFbI1qEsx/5RsGtWnQ==",
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=18"
+			}
+		},
 		"node_modules/fast-deep-equal": {
 			"version": "3.1.3",
 			"resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -3233,6 +3252,16 @@
 			"dev": true,
 			"license": "ISC"
 		},
+		"node_modules/isomorphic-fetch": {
+			"version": "3.0.0",
+			"resolved": "https://registry.npmjs.org/isomorphic-fetch/-/isomorphic-fetch-3.0.0.tgz",
+			"integrity": "sha512-qvUtwJ3j6qwsF3jLxkZ72qCgjMysPzDfeV240JHiGZsANBYd+EEuu35v7dfrJ9Up0Ak07D7GGSkGhCHTqg/5wA==",
+			"license": "MIT",
+			"dependencies": {
+				"node-fetch": "^2.6.1",
+				"whatwg-fetch": "^3.4.1"
+			}
+		},
 		"node_modules/jiti": {
 			"version": "2.5.1",
 			"resolved": "https://registry.npmjs.org/jiti/-/jiti-2.5.1.tgz",
@@ -3748,6 +3777,26 @@
 			"license": "MIT",
 			"optional": true
 		},
+		"node_modules/node-fetch": {
+			"version": "2.7.0",
+			"resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz",
+			"integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==",
+			"license": "MIT",
+			"dependencies": {
+				"whatwg-url": "^5.0.0"
+			},
+			"engines": {
+				"node": "4.x || >=6.0.0"
+			},
+			"peerDependencies": {
+				"encoding": "^0.1.0"
+			},
+			"peerDependenciesMeta": {
+				"encoding": {
+					"optional": true
+				}
+			}
+		},
 		"node_modules/optionator": {
 			"version": "0.9.4",
 			"resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz",
@@ -4605,6 +4654,12 @@
 				"node": ">=6"
 			}
 		},
+		"node_modules/tr46": {
+			"version": "0.0.3",
+			"resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
+			"integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==",
+			"license": "MIT"
+		},
 		"node_modules/ts-api-utils": {
 			"version": "2.1.0",
 			"resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.1.0.tgz",
@@ -4809,6 +4864,28 @@
 				}
 			}
 		},
+		"node_modules/webidl-conversions": {
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
+			"integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==",
+			"license": "BSD-2-Clause"
+		},
+		"node_modules/whatwg-fetch": {
+			"version": "3.6.20",
+			"resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.6.20.tgz",
+			"integrity": "sha512-EqhiFU6daOA8kpjOWTL0olhVOF3i7OrFzSYiGsEMB8GcXS+RrzauAERX65xMeNWVqxA6HXH2m69Z9LaKKdisfg==",
+			"license": "MIT"
+		},
+		"node_modules/whatwg-url": {
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
+			"integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
+			"license": "MIT",
+			"dependencies": {
+				"tr46": "~0.0.3",
+				"webidl-conversions": "^3.0.0"
+			}
+		},
 		"node_modules/which": {
 			"version": "2.0.2",
 			"resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index 8d45b35a..73b876f9 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -4,9 +4,9 @@
 	"version": "0.0.1",
 	"type": "module",
 	"scripts": {
-        "build": "npm run build:bindings && vite build",
-        "dev": "npm run build:bindings && vite dev",
-        "build:bindings": "cd scripts && ./gen_bindings.sh",
+		"build": "npm run build:bindings && vite build",
+		"dev": "npm run build:bindings && vite dev",
+		"build:bindings": "cd scripts && ./gen_bindings.sh",
 		"preview": "vite preview",
 		"prepare": "svelte-kit sync || echo ''",
 		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
@@ -25,6 +25,7 @@
 		"@sveltejs/kit": "^2.22.0",
 		"@sveltejs/vite-plugin-svelte": "^6.0.0",
 		"@tailwindcss/vite": "^4.0.0",
+		"@types/isomorphic-fetch": "^0.0.39",
 		"eslint": "^9.18.0",
 		"eslint-config-prettier": "^10.0.1",
 		"eslint-plugin-svelte": "^3.0.0",
@@ -49,7 +50,9 @@
 		"@skeletonlabs/skeleton": "^3.1.7",
 		"@skeletonlabs/tw-plugin": "^0.4.1",
 		"@sveltejs/adapter-static": "^3.0.8",
+		"fake-indexeddb": "^6.0.1",
 		"idb-keyval": "^6.2.2",
+		"isomorphic-fetch": "^3.0.0",
 		"lucide-svelte": "^0.536.0",
 		"sass": "^1.90.0"
 	}
diff --git a/examples/encrypted_chat/frontend/src/app.css b/examples/encrypted_chat/frontend/src/app.css
index 2b8486f6..67adec49 100644
--- a/examples/encrypted_chat/frontend/src/app.css
+++ b/examples/encrypted_chat/frontend/src/app.css
@@ -2,236 +2,255 @@
 
 /* Modern Professional Design System */
 :root {
-  /* Color Palette - Professional & Modern */
-  --primary-50: #eff6ff;
-  --primary-100: #dbeafe;
-  --primary-200: #bfdbfe;
-  --primary-300: #93c5fd;
-  --primary-400: #60a5fa;
-  --primary-500: #3b82f6;
-  --primary-600: #2563eb;
-  --primary-700: #1d4ed8;
-  --primary-800: #1e40af;
-  --primary-900: #1e3a8a;
-
-  /* CSS variable mappings for primary colors */
-  --color-primary-50: var(--primary-50);
-  --color-primary-100: var(--primary-100);
-  --color-primary-200: var(--primary-200);
-  --color-primary-300: var(--primary-300);
-  --color-primary-400: var(--primary-400);
-  --color-primary-500: var(--primary-500);
-  --color-primary-600: var(--primary-600);
-  --color-primary-700: var(--primary-700);
-  --color-primary-800: var(--primary-800);
-  --color-primary-900: var(--primary-900);
-
-  /* CSS variable mappings for surface colors */
-  --color-surface-50: var(--gray-50);
-  --color-surface-100: var(--gray-100);
-  --color-surface-200: var(--gray-200);
-  --color-surface-300: var(--gray-300);
-  --color-surface-400: var(--gray-400);
-  --color-surface-500: var(--gray-500);
-  --color-surface-600: var(--gray-600);
-  --color-surface-700: var(--gray-700);
-  --color-surface-800: var(--gray-800);
-  --color-surface-900: var(--gray-900);
-
-  --gray-50: #f9fafb;
-  --gray-100: #f3f4f6;
-  --gray-200: #e5e7eb;
-  --gray-300: #d1d5db;
-  --gray-400: #9ca3af;
-  --gray-500: #6b7280;
-  --gray-600: #4b5563;
-  --gray-700: #374151;
-  --gray-800: #1f2937;
-  --gray-900: #111827;
-
-  /* Modern shadows */
-  --shadow-xs: 0 1px 2px 0 rgb(0 0 0 / 0.05);
-  --shadow-sm: 0 1px 3px 0 rgb(0 0 0 / 0.1), 0 1px 2px -1px rgb(0 0 0 / 0.1);
-  --shadow-md: 0 4px 6px -1px rgb(0 0 0 / 0.1), 0 2px 4px -2px rgb(0 0 0 / 0.1);
-  --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1);
-  --shadow-xl: 0 20px 25px -5px rgb(0 0 0 / 0.1), 0 8px 10px -6px rgb(0 0 0 / 0.1);
-
-  /* Border radius */
-  --radius-sm: 0.375rem;
-  --radius: 0.5rem;
-  --radius-md: 0.75rem;
-  --radius-lg: 1rem;
-  --radius-xl: 1.5rem;
+	/* Color Palette - Professional & Modern */
+	--primary-50: #eff6ff;
+	--primary-100: #dbeafe;
+	--primary-200: #bfdbfe;
+	--primary-300: #93c5fd;
+	--primary-400: #60a5fa;
+	--primary-500: #3b82f6;
+	--primary-600: #2563eb;
+	--primary-700: #1d4ed8;
+	--primary-800: #1e40af;
+	--primary-900: #1e3a8a;
+
+	/* CSS variable mappings for primary colors */
+	--color-primary-50: var(--primary-50);
+	--color-primary-100: var(--primary-100);
+	--color-primary-200: var(--primary-200);
+	--color-primary-300: var(--primary-300);
+	--color-primary-400: var(--primary-400);
+	--color-primary-500: var(--primary-500);
+	--color-primary-600: var(--primary-600);
+	--color-primary-700: var(--primary-700);
+	--color-primary-800: var(--primary-800);
+	--color-primary-900: var(--primary-900);
+
+	/* CSS variable mappings for surface colors */
+	--color-surface-50: var(--gray-50);
+	--color-surface-100: var(--gray-100);
+	--color-surface-200: var(--gray-200);
+	--color-surface-300: var(--gray-300);
+	--color-surface-400: var(--gray-400);
+	--color-surface-500: var(--gray-500);
+	--color-surface-600: var(--gray-600);
+	--color-surface-700: var(--gray-700);
+	--color-surface-800: var(--gray-800);
+	--color-surface-900: var(--gray-900);
+
+	--gray-50: #f9fafb;
+	--gray-100: #f3f4f6;
+	--gray-200: #e5e7eb;
+	--gray-300: #d1d5db;
+	--gray-400: #9ca3af;
+	--gray-500: #6b7280;
+	--gray-600: #4b5563;
+	--gray-700: #374151;
+	--gray-800: #1f2937;
+	--gray-900: #111827;
+
+	/* Modern shadows */
+	--shadow-xs: 0 1px 2px 0 rgb(0 0 0 / 0.05);
+	--shadow-sm: 0 1px 3px 0 rgb(0 0 0 / 0.1), 0 1px 2px -1px rgb(0 0 0 / 0.1);
+	--shadow-md: 0 4px 6px -1px rgb(0 0 0 / 0.1), 0 2px 4px -2px rgb(0 0 0 / 0.1);
+	--shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1);
+	--shadow-xl: 0 20px 25px -5px rgb(0 0 0 / 0.1), 0 8px 10px -6px rgb(0 0 0 / 0.1);
+
+	/* Border radius */
+	--radius-sm: 0.375rem;
+	--radius: 0.5rem;
+	--radius-md: 0.75rem;
+	--radius-lg: 1rem;
+	--radius-xl: 1.5rem;
 }
 
 /* Dark mode */
 .dark {
-  --gray-50: #111827;
-  --gray-100: #1f2937;
-  --gray-200: #374151;
-  --gray-300: #4b5563;
-  --gray-400: #6b7280;
-  --gray-500: #9ca3af;
-  --gray-600: #d1d5db;
-  --gray-700: #e5e7eb;
-  --gray-800: #f3f4f6;
-  --gray-900: #f9fafb;
+	--gray-50: #111827;
+	--gray-100: #1f2937;
+	--gray-200: #374151;
+	--gray-300: #4b5563;
+	--gray-400: #6b7280;
+	--gray-500: #9ca3af;
+	--gray-600: #d1d5db;
+	--gray-700: #e5e7eb;
+	--gray-800: #f3f4f6;
+	--gray-900: #f9fafb;
 }
 
 /* Professional Component Styles */
 .btn {
-  @apply inline-flex items-center justify-center whitespace-nowrap rounded-lg text-sm font-medium transition-all duration-200;
-  @apply focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-blue-500 focus-visible:ring-offset-2;
-  @apply disabled:pointer-events-none disabled:opacity-50;
+	@apply inline-flex items-center justify-center rounded-lg text-sm font-medium whitespace-nowrap transition-all duration-200;
+	@apply focus-visible:ring-2 focus-visible:ring-blue-500 focus-visible:ring-offset-2 focus-visible:outline-none;
+	@apply disabled:pointer-events-none disabled:opacity-50;
 }
 
 .btn-sm {
-  @apply h-9 px-3;
+	@apply h-9 px-3;
 }
 
 .btn-md {
-  @apply h-10 px-4;
+	@apply h-10 px-4;
 }
 
 .btn-lg {
-  @apply h-11 px-8;
+	@apply h-11 px-8;
 }
 
 .variant-filled-primary {
-  @apply bg-blue-600 text-white hover:bg-blue-700 shadow-md hover:shadow-lg transform hover:-translate-y-0.5;
+	@apply transform bg-blue-600 text-white shadow-md hover:-translate-y-0.5 hover:bg-blue-700 hover:shadow-lg;
 }
 
 .variant-outline-primary {
-  @apply border border-blue-200 bg-white text-blue-700 hover:bg-blue-50 shadow-sm hover:shadow-md;
-  @apply dark:border-blue-800 dark:bg-gray-800 dark:text-blue-300 dark:hover:bg-gray-700;
+	@apply border border-blue-200 bg-white text-blue-700 shadow-sm hover:bg-blue-50 hover:shadow-md;
+	@apply dark:border-blue-800 dark:bg-gray-800 dark:text-blue-300 dark:hover:bg-gray-700;
 }
 
 .variant-ghost-primary {
-  @apply text-blue-700 hover:bg-blue-100 hover:text-blue-800;
-  @apply dark:text-blue-300 dark:hover:bg-gray-800 dark:hover:text-blue-200;
+	@apply text-blue-700 hover:bg-blue-100 hover:text-blue-800;
+	@apply dark:text-blue-300 dark:hover:bg-gray-800 dark:hover:text-blue-200;
 }
 
 .card {
-  @apply rounded-xl border border-gray-200 bg-white shadow-lg dark:border-gray-700 dark:bg-gray-800;
+	@apply rounded-xl border border-gray-200 bg-white shadow-lg dark:border-gray-700 dark:bg-gray-800;
 }
 
 .input {
-  @apply flex w-full rounded-lg border border-gray-200 bg-white px-3 py-2 text-sm transition-all;
-  @apply focus:border-blue-500 focus:outline-none focus:ring-2 focus:ring-blue-500/20;
-  @apply dark:border-gray-700 dark:bg-gray-800 dark:text-gray-100;
+	@apply flex w-full rounded-lg border border-gray-200 bg-white px-3 py-2 text-sm transition-all;
+	@apply focus:border-blue-500 focus:ring-2 focus:ring-blue-500/20 focus:outline-none;
+	@apply dark:border-gray-700 dark:bg-gray-800 dark:text-gray-100;
 }
 
 .badge {
-  @apply inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-medium;
+	@apply inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-medium;
 }
 
 .badge-secondary {
-  @apply bg-gray-100 text-gray-800 dark:bg-gray-700 dark:text-gray-300;
+	@apply bg-gray-100 text-gray-800 dark:bg-gray-700 dark:text-gray-300;
 }
 
 /* Modern Chat Interface Classes */
 .bg-surface-50-900 {
-  @apply bg-gray-50 dark:bg-gray-900;
+	@apply bg-gray-50 dark:bg-gray-900;
 }
 
 .bg-surface-100-800 {
-  @apply bg-gray-100 dark:bg-gray-800;
+	@apply bg-gray-100 dark:bg-gray-800;
 }
 
 .bg-surface-200-700 {
-  @apply bg-gray-200 dark:bg-gray-700;
+	@apply bg-gray-200 dark:bg-gray-700;
 }
 
 .border-surface-200-700 {
-  @apply border-gray-200 dark:border-gray-700;
+	@apply border-gray-200 dark:border-gray-700;
 }
 
 .text-surface-500-400 {
-  @apply text-gray-500 dark:text-gray-400;
+	@apply text-gray-500 dark:text-gray-400;
 }
 
 /* Professional glass effect */
 .glass-effect {
-  backdrop-filter: blur(16px);
-  background: rgba(255, 255, 255, 0.9);
-  border: 1px solid rgba(255, 255, 255, 0.2);
-  box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 8px 10px -6px rgba(0, 0, 0, 0.1);
+	backdrop-filter: blur(16px);
+	background: rgba(255, 255, 255, 0.9);
+	border: 1px solid rgba(255, 255, 255, 0.2);
+	box-shadow:
+		0 20px 25px -5px rgba(0, 0, 0, 0.1),
+		0 8px 10px -6px rgba(0, 0, 0, 0.1);
 }
 
 .dark .glass-effect {
-  background: rgba(17, 24, 39, 0.9);
-  border: 1px solid rgba(75, 85, 99, 0.2);
+	background: rgba(17, 24, 39, 0.9);
+	border: 1px solid rgba(75, 85, 99, 0.2);
 }
 
 /* Message bubbles */
 .message-bubble-own {
-  @apply bg-blue-600 text-white rounded-2xl rounded-br-md shadow-lg;
+	@apply rounded-2xl rounded-br-md bg-blue-600 text-white shadow-lg;
 }
 
 .message-bubble-other {
-  @apply bg-white border border-gray-200 text-gray-900 rounded-2xl rounded-bl-md shadow-lg;
-  @apply dark:bg-gray-700 dark:border-gray-600 dark:text-gray-100;
+	@apply rounded-2xl rounded-bl-md border border-gray-200 bg-white text-gray-900 shadow-lg;
+	@apply dark:border-gray-600 dark:bg-gray-700 dark:text-gray-100;
 }
 
 /* Modern scrollbar */
 .modern-scrollbar {
-  scrollbar-width: thin;
-  scrollbar-color: rgb(156 163 175) transparent;
+	scrollbar-width: thin;
+	scrollbar-color: rgb(156 163 175) transparent;
 }
 
 .modern-scrollbar::-webkit-scrollbar {
-  width: 6px;
+	width: 6px;
 }
 
 .modern-scrollbar::-webkit-scrollbar-track {
-  background: transparent;
+	background: transparent;
 }
 
 .modern-scrollbar::-webkit-scrollbar-thumb {
-  @apply bg-gray-300 hover:bg-gray-400 rounded-full;
+	@apply rounded-full bg-gray-300 hover:bg-gray-400;
 }
 
 .dark .modern-scrollbar::-webkit-scrollbar-thumb {
-  @apply bg-gray-600 hover:bg-gray-500;
+	@apply bg-gray-600 hover:bg-gray-500;
 }
 
 /* Professional animations */
 @keyframes fade-in {
-  from { opacity: 0; transform: translateY(10px); }
-  to { opacity: 1; transform: translateY(0); }
+	from {
+		opacity: 0;
+		transform: translateY(10px);
+	}
+	to {
+		opacity: 1;
+		transform: translateY(0);
+	}
 }
 
 @keyframes slide-in {
-  from { opacity: 0; transform: translateX(-20px); }
-  to { opacity: 1; transform: translateX(0); }
+	from {
+		opacity: 0;
+		transform: translateX(-20px);
+	}
+	to {
+		opacity: 1;
+		transform: translateX(0);
+	}
 }
 
 @keyframes pulse-glow {
-  0%, 100% { box-shadow: 0 0 0 0 rgba(59, 130, 246, 0.4); }
-  50% { box-shadow: 0 0 0 10px rgba(59, 130, 246, 0); }
+	0%,
+	100% {
+		box-shadow: 0 0 0 0 rgba(59, 130, 246, 0.4);
+	}
+	50% {
+		box-shadow: 0 0 0 10px rgba(59, 130, 246, 0);
+	}
 }
 
 .animate-fade-in {
-  animation: fade-in 0.3s ease-out;
+	animation: fade-in 0.3s ease-out;
 }
 
 .animate-slide-in {
-  animation: slide-in 0.3s ease-out;
+	animation: slide-in 0.3s ease-out;
 }
 
 .animate-pulse-glow {
-  animation: pulse-glow 2s infinite;
+	animation: pulse-glow 2s infinite;
 }
 
 /* Professional gradients */
 .gradient-primary {
-  background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+	background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
 }
 
 .gradient-secondary {
-  background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%);
+	background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%);
 }
 
 .gradient-success {
-  background: linear-gradient(135deg, #4facfe 0%, #00f2fe 100%);
+	background: linear-gradient(135deg, #4facfe 0%, #00f2fe 100%);
 }
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index 5c689382..da326129 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -2,9 +2,9 @@
 	import { Settings, RotateCcw, Info, ArrowLeft } from 'lucide-svelte';
 	import Button from './ui/Button.svelte';
 	import Card from './ui/Card.svelte';
-	import type { Chat, RatchetStats, GroupChat } from '../types';
+	import type { Chat, SymmetricRatchetStats, GroupChat } from '../types';
 	import { chatAPI } from '../services/api';
-	import { chatActions } from '../stores/chat';
+	import { chatActions } from '../stores/chat.svelte';
 	import GroupManagementModal from './GroupManagementModal.svelte';
 
 	export let chat: Chat;
@@ -12,7 +12,7 @@
 	export let onMobileBack: (() => void) | undefined = undefined;
 
 	let showChatInfo = false;
-	let ratchetStats: RatchetStats | null = null;
+	let ratchetStats: SymmetricRatchetStats | null = null;
 	let loadingRatchetStats = false;
 	let showGroupManagement = false;
 
@@ -78,13 +78,6 @@
 		return `${onlineCount} of ${chat.participants.length} online`;
 	}
 
-	async function rotateKeys() {
-		await chatActions.rotateKeys(chat.id);
-		// Reload ratchet stats after rotation
-		ratchetStats = null;
-		await loadRatchetStats();
-	}
-
 	function formatDate(date: Date): string {
 		return date.toLocaleString();
 	}
@@ -129,31 +122,30 @@
 					variant="ghost"
 					size="sm"
 					class="md:hidden"
-					on:click={onMobileBack || (() => {})}
+					onclick={onMobileBack || (() => {})}
 					aria-label="Back to chat list"
 				>
 					<ArrowLeft class="h-5 w-5" />
 				</Button>
 			{/if}
 			<div
-				class="avatar flex h-12 w-12 items-center justify-center rounded-full bg-gradient-to-br from-blue-500 to-purple-600 text-white text-lg font-bold shadow-lg"
+				class="avatar flex h-12 w-12 items-center justify-center rounded-full bg-gradient-to-br from-blue-500 to-purple-600 text-lg font-bold text-white shadow-lg"
 			>
 				{getDisplayAvatar()}
 			</div>
 			<div>
-				<h2 class="text-xl font-bold bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-transparent dark:from-gray-100 dark:to-gray-300">{getDisplayName()}</h2>
-				<p class="text-gray-500 dark:text-gray-400 text-sm font-medium">{getOnlineStatus()}</p>
+				<h2
+					class="bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-xl font-bold text-transparent dark:from-gray-100 dark:to-gray-300"
+				>
+					{getDisplayName()}
+				</h2>
+				<p class="text-sm font-medium text-gray-500 dark:text-gray-400">{getOnlineStatus()}</p>
 			</div>
 		</div>
 
 		<!-- Actions -->
 		<div class="flex items-center gap-2">
-			<Button
-				variant="ghost"
-				size="sm"
-				on:click={handleChatInfoToggle}
-				title="Chat information"
-			>
+			<Button variant="ghost" size="sm" onclick={handleChatInfoToggle} title="Chat information">
 				<Info class="h-5 w-5" />
 			</Button>
 
@@ -161,7 +153,7 @@
 				<Button
 					variant="ghost"
 					size="sm"
-					on:click={() => (showGroupManagement = true)}
+					onclick={() => (showGroupManagement = true)}
 					title="Manage group"
 				>
 					<Settings class="h-5 w-5" />
@@ -275,7 +267,7 @@
 							{#each chat.participants as participant (participant.id)}
 								<div class="flex items-center gap-2 text-sm">
 									<div
-										class="avatar flex h-6 w-6 items-center justify-center rounded-full bg-primary-500 text-xs"
+										class="avatar bg-primary-500 flex h-6 w-6 items-center justify-center rounded-full text-xs"
 									>
 										{participant.avatar || '👤'}
 									</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
index 330df85e..00ab8293 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
@@ -1,15 +1,20 @@
 <script lang="ts">
-	import { selectedChat, chatActions } from '../stores/chat';
+	import { chatActions, chats, selectedChatId } from '../stores/chat.svelte';
 	import ChatHeader from './ChatHeader.svelte';
 	import MessageHistory from './MessageHistory.svelte';
 	import MessageInput from './MessageInput.svelte';
 	import type { FileUpload } from '../types';
 
-	export let isMobile = false;
-	export let onMobileBack: (() => void) | undefined = undefined;
+	let { isMobile, onMobileBack } = $props();
+
+	const selectedChat = $derived(
+		selectedChatId.state
+			? (chats.state.find((chat) => chat.id === selectedChatId.state) ?? null)
+			: null
+	);
 
 	async function handleSendMessage(event: CustomEvent<{ content: string; file?: FileUpload }>) {
-		if (!$selectedChat) return;
+		if (!selectedChat) return;
 
 		const { content, file } = event.detail;
 
@@ -25,35 +30,39 @@
 			};
 		}
 
-		await chatActions.sendMessage($selectedChat.id, content, fileData);
+		await chatActions.sendMessage(selectedChat.id, content, fileData);
 	}
 </script>
 
 <div class="chat-interface flex h-full flex-col">
-	{#if $selectedChat}
-		{#key $selectedChat.id}
-			<!-- Chat Header -->
-			<ChatHeader chat={$selectedChat} showMobileBackButton={isMobile} {onMobileBack} />
+	{#if selectedChat}
+		<!-- Chat Header -->
+		<ChatHeader chat={selectedChat} showMobileBackButton={isMobile} {onMobileBack} />
 
-			<!-- Message History -->
-			<MessageHistory />
+		<!-- Message History -->
+		<MessageHistory />
 
-			<!-- Message Input -->
+		<!-- Message Input (keyed to reset input state per chat without remounting the whole pane) -->
+		{#key selectedChat.id}
 			<MessageInput
-				disabled={!$selectedChat.isReady}
-				placeholder={$selectedChat.isReady ? 'Type a message...' : 'Chat is not ready...'}
+				disabled={!selectedChat.isReady}
+				placeholder={selectedChat.isReady ? 'Type a message...' : 'Chat is not ready...'}
 				on:send={handleSendMessage}
 			/>
 		{/key}
-{:else}
+	{:else}
 		<!-- No chat selected state -->
 		<!-- Empty Chat Header -->
 		<div class="glass-effect border-b border-white/10 p-6">
 			<div class="flex items-center justify-center">
-				<h2 class="text-xl font-bold bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-transparent dark:from-gray-100 dark:to-gray-300">VetKeys Chat</h2>
+				<h2
+					class="bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-xl font-bold text-transparent dark:from-gray-100 dark:to-gray-300"
+				>
+					VetKeys Chat
+				</h2>
 			</div>
 		</div>
-		
+
 		<!-- Welcome content -->
 		<div class="flex flex-1 items-center justify-center">
 			<div class="max-w-md p-8 text-center">
@@ -94,6 +103,4 @@
 	:global(.dark) .chat-interface {
 		background: var(--color-surface-900);
 	}
-
-
 </style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index e879aa79..f04bfcc4 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -1,35 +1,40 @@
 <script lang="ts">
-	import { chats, selectedChatId, chatActions } from '../stores/chat';
+	import { chats, selectedChatId, chatActions } from '../stores/chat.svelte';
+	import { auth } from '$lib/stores/auth.svelte';
 	import ChatListItem from './ChatListItem.svelte';
 	import UserProfile from './UserProfile.svelte';
 
-	function handleChatSelect(event: CustomEvent<string>) {
-		const chatId = event.detail;
-		chatActions.selectChat(chatId);
-
-		// Load messages for the selected chat
-		chatActions.loadChatMessages(chatId);
-	}
+	$effect(() => {
+		if (selectedChatId.$) {
+			chatActions.loadChatMessages(selectedChatId.state);
+		}
+	});
 </script>
 
-<div
-	class="chat-list glass-effect flex h-full flex-col border-r border-white/20 backdrop-blur-xl"
->
+<div class="chat-list glass-effect flex h-full flex-col border-r border-white/20 backdrop-blur-xl">
 	<!-- User Profile -->
 	<UserProfile />
 
 	<!-- Chat List Header -->
 	<div class="border-b border-white/10 p-6">
-		<h2 class="text-xl font-bold bg-gradient-to-r from-blue-600 to-purple-600 bg-clip-text text-transparent">Chats</h2>
-		<p class="text-gray-500 dark:text-gray-400 text-sm font-medium mt-1">
-			{$chats.length} conversation{$chats.length !== 1 ? 's' : ''}
+		<h2
+			class="bg-gradient-to-r from-blue-600 to-purple-600 bg-clip-text text-xl font-bold text-transparent"
+		>
+			Chats
+		</h2>
+		<p class="mt-1 text-sm font-medium text-gray-500 dark:text-gray-400">
+			{chats.state.length} conversation{chats.state.length !== 1 ? 's' : ''}
 		</p>
 	</div>
 
 	<!-- Chat List -->
 	<div class="scrollbar-thin flex-1 overflow-y-auto p-2">
-		{#each $chats as chat (chat.id)}
-			<ChatListItem {chat} isSelected={$selectedChatId === chat.id} on:select={handleChatSelect} />
+		{#each chats.state as chat (chat.id)}
+			<ChatListItem
+				{chat}
+				isSelected={selectedChatId.state === chat.id}
+				on:select={(e) => (selectedChatId.state = e.detail)}
+			/>
 		{:else}
 			<div class="p-8 text-center text-surface-600-500">
 				<p class="text-lg mb-2">No chats yet</p>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
index 2cf006df..abb7ea06 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -56,22 +56,24 @@
 </script>
 
 <button
-	class="chat-item w-full p-3 text-left overflow-hidden transition-all duration-200 {isSelected
+	class="chat-item w-full overflow-hidden p-3 text-left transition-all duration-200 {isSelected
 		? 'selected'
 		: 'hover:bg-surface-100-800-token'}"
-	on:click={handleClick}
+	onclick={handleClick}
 >
 	<div class="flex items-center gap-3">
 		<!-- Avatar -->
 		<div class="relative">
 			<div
-				class="avatar flex h-12 w-12 items-center justify-center rounded-full bg-gradient-to-br from-primary-500 to-primary-600 text-white text-lg shadow-sm"
+				class="avatar from-primary-500 to-primary-600 flex h-12 w-12 items-center justify-center rounded-full bg-gradient-to-br text-lg text-white shadow-sm"
 			>
 				{getDisplayAvatar()}
 			</div>
 			<!-- Status indicator -->
 			<div class="absolute -right-1 -bottom-1">
-				<div class="h-4 w-4 rounded-full {getStatusColor()} flex items-center justify-center shadow-sm">
+				<div
+					class="h-4 w-4 rounded-full {getStatusColor()} flex items-center justify-center shadow-sm"
+				>
 					<svelte:component this={getStatusIcon()} class="h-2.5 w-2.5 text-white" />
 				</div>
 			</div>
@@ -80,7 +82,9 @@
 		<!-- Chat info -->
 		<div class="min-w-0 flex-1 overflow-hidden">
 			<div class="mb-1 flex items-center justify-between">
-				<h3 class="truncate text-sm font-semibold text-surface-900-100-token">{getDisplayName()}</h3>
+				<h3 class="text-surface-900-100-token truncate text-sm font-semibold">
+					{getDisplayName()}
+				</h3>
 				<div class="flex items-center gap-2">
 					{#if chat.type === 'group'}
 						<Users class="text-surface-500-400-token h-3 w-3" />
@@ -104,7 +108,7 @@
 
 				{#if chat.unreadCount > 0}
 					<div
-						class="unread-badge flex h-5 min-w-[20px] items-center justify-center rounded-full bg-gradient-to-r from-primary-500 to-primary-600 px-2 py-1 text-xs text-white shadow-sm"
+						class="unread-badge from-primary-500 to-primary-600 flex h-5 min-w-[20px] items-center justify-center rounded-full bg-gradient-to-r px-2 py-1 text-xs text-white shadow-sm"
 					>
 						{chat.unreadCount > 99 ? '99+' : chat.unreadCount}
 					</div>
@@ -115,7 +119,7 @@
 			<div class="mt-1 flex items-center gap-2">
 				{#if chat.disappearingMessagesDuration > 0}
 					<div
-						class="status-chip bg-gradient-to-r from-amber-100 to-amber-200 text-amber-800 flex items-center gap-1 rounded-full px-2 py-0.5 text-xs shadow-sm"
+						class="status-chip flex items-center gap-1 rounded-full bg-gradient-to-r from-amber-100 to-amber-200 px-2 py-0.5 text-xs text-amber-800 shadow-sm"
 					>
 						<Clock class="h-3 w-3" />
 						{chat.disappearingMessagesDuration}d
@@ -183,7 +187,8 @@
 	}
 
 	@keyframes pulse {
-		0%, 100% {
+		0%,
+		100% {
 			opacity: 1;
 		}
 		50% {
diff --git a/examples/encrypted_chat/frontend/src/lib/components/DisclaimerCopy.svelte b/examples/encrypted_chat/frontend/src/lib/components/DisclaimerCopy.svelte
new file mode 100644
index 00000000..82446f72
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/DisclaimerCopy.svelte
@@ -0,0 +1,4 @@
+<script lang="ts"></script>
+
+<strong>Disclaimer:</strong> This sample dapp is intended exclusively for experimental purpose. You are
+advised not to use this dapp for storing your critical data such as keys or passwords.
diff --git a/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte b/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
index 332c508a..94607719 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
@@ -156,10 +156,10 @@
 	<!-- Backdrop -->
 	<div
 		class="fixed inset-0 z-40 bg-black/25"
-		on:click={handleOutsideClick}
+		onclick={handleOutsideClick}
 		role="button"
 		tabindex="-1"
-		on:keydown={() => {}}
+		onkeydown={() => {}}
 	></div>
 
 	<!-- Emoji Picker -->
@@ -170,7 +170,7 @@
 			<h3 class="text-sm font-semibold">Add Emoji</h3>
 			<button
 				class="variant-ghost-surface btn-icon"
-				on:click={closeModal}
+				onclick={closeModal}
 				aria-label="Close emoji picker"
 			>
 				×
@@ -185,7 +185,7 @@
 						{#each emojis as emoji (emoji)}
 							<button
 								class="emoji-button hover:bg-surface-200-700-token flex h-8 w-8 items-center justify-center rounded text-lg transition-colors"
-								on:click={() => selectEmoji(emoji)}
+								onclick={() => selectEmoji(emoji)}
 								title={emoji}
 							>
 								{emoji}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index 56f1604a..bf662f2f 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -81,7 +81,7 @@
 					<Users class="h-6 w-6" />
 					<h2 class="text-lg font-bold">Manage Group: {groupChat.name}</h2>
 				</div>
-				<button class="variant-ghost-surface btn-icon" on:click={handleClose} aria-label="Close">
+				<button class="variant-ghost-surface btn-icon" onclick={handleClose} aria-label="Close">
 					<X class="h-5 w-5" />
 				</button>
 			</div>
@@ -98,7 +98,7 @@
 							>
 								<div class="flex items-center gap-3">
 									<div
-										class="avatar flex h-8 w-8 items-center justify-center rounded-full bg-primary-500 text-sm"
+										class="avatar bg-primary-500 flex h-8 w-8 items-center justify-center rounded-full text-sm"
 									>
 										{member.avatar || '👤'}
 									</div>
@@ -112,12 +112,12 @@
 											></div>
 											{member.isOnline ? 'Online' : 'Offline'}
 											{#if member.id === groupChat.adminId}
-												<span class="rounded bg-primary-500 px-2 py-0.5 text-xs text-white"
+												<span class="bg-primary-500 rounded px-2 py-0.5 text-xs text-white"
 													>Admin</span
 												>
 											{/if}
 											{#if member.id === 'current-user'}
-												<span class="rounded bg-surface-400 px-2 py-0.5 text-xs text-white"
+												<span class="bg-surface-400 rounded px-2 py-0.5 text-xs text-white"
 													>You</span
 												>
 											{/if}
@@ -128,7 +128,7 @@
 								{#if canRemoveUser(member.id)}
 									<button
 										class="variant-ghost-error btn-icon"
-										on:click={() => toggleRemoveUser(member.id)}
+										onclick={() => toggleRemoveUser(member.id)}
 										class:variant-filled-error={selectedToRemove.includes(member.id)}
 										title="Remove from group"
 									>
@@ -151,7 +151,7 @@
 								>
 									<div class="flex items-center gap-3">
 										<div
-											class="avatar flex h-8 w-8 items-center justify-center rounded-full bg-primary-500 text-sm"
+											class="avatar bg-primary-500 flex h-8 w-8 items-center justify-center rounded-full text-sm"
 										>
 											{user.avatar || '👤'}
 										</div>
@@ -170,7 +170,7 @@
 
 									<button
 										class="variant-ghost-success btn-icon"
-										on:click={() => toggleAddUser(user.id)}
+										onclick={() => toggleAddUser(user.id)}
 										class:variant-filled-success={selectedToAdd.includes(user.id)}
 										title="Add to group"
 									>
@@ -207,7 +207,7 @@
 
 				<!-- Summary -->
 				{#if selectedToAdd.length > 0 || selectedToRemove.length > 0}
-					<div class="rounded-lg border border-primary-500/20 bg-primary-500/10 p-4">
+					<div class="border-primary-500/20 bg-primary-500/10 rounded-lg border p-4">
 						<h4 class="mb-2 text-sm font-semibold">Changes Summary</h4>
 						<div class="space-y-1 text-sm">
 							{#if selectedToAdd.length > 0}
@@ -227,17 +227,17 @@
 
 			<!-- Footer -->
 			<div class="border-surface-300-600-token flex items-center justify-end gap-3 border-t p-6">
-				<button 
-					class="variant-ghost-surface btn" 
-					on:click={handleClose}
+				<button
+					class="variant-ghost-surface btn"
+					onclick={handleClose}
 					title="Cancel"
 					aria-label="Cancel"
-				> 
+				>
 					<X class="h-4 w-4" />
 				</button>
 				<button
 					class="variant-filled-primary btn"
-					on:click={handleSave}
+					onclick={handleSave}
 					disabled={selectedToAdd.length === 0 && selectedToRemove.length === 0}
 					title="Save Changes"
 					aria-label="Save Changes"
diff --git a/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte b/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
new file mode 100644
index 00000000..af9cdb8f
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
@@ -0,0 +1,35 @@
+<script lang="ts">
+	import { login } from '$lib/stores/auth.svelte';
+	import DisclaimerCopy from './DisclaimerCopy.svelte';
+	import Spinner from './Spinner.svelte';
+	import { auth } from '$lib/stores/auth.svelte';
+</script>
+
+<div class="hero min-h-screen content-start pt-8 sm:content-center sm:pt-0">
+	<div class="hero-content text-center">
+		<div class="max-w-xl">
+			<h1 class="text-primary mb-5 text-4xl font-bold sm:text-5xl dark:text-white">
+				Encrypted Chat using vetKeys
+			</h1>
+			<p class="mb-5 text-xl font-semibold">Your private chat on the Internet Computer.</p>
+			<p class="mb-5">A safe place to store your personal messages and much more...</p>
+
+			{#if auth.state.label === 'initializing-auth'}
+				<div class="mt-8 text-lg font-semibold">
+					<Spinner />
+					Initializing...
+				</div>
+			{:else if auth.state.label === 'anonymous'}
+				<button onclick={() => login()} class="btn btn-lg variant-filled-primary animate-fade-in">
+					Please login to start chatting
+				</button>
+			{:else if auth.state.label === 'error'}
+				<div class="mt-8 text-lg font-semibold">An error occurred.</div>
+			{/if}
+
+			<div class="mt-8 mb-12 text-xs opacity-75 sm:mt-12 sm:mb-32">
+				<DisclaimerCopy />
+			</div>
+		</div>
+	</div>
+</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
index 5133c174..09772b2b 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
@@ -3,12 +3,10 @@
 	import Button from './ui/Button.svelte';
 	import type { Message, User } from '../types';
 
-	export let message: Message;
-	export let sender: User | null = null;
-	export let isOwnMessage: boolean = false;
-	export let showAvatar: boolean = true;
-	export let showTimestamp: boolean = true;
-	export let isGroupChat: boolean = false;
+	/** @type {{ message: Message }}
+	 *  @type {{ sender: User | null }}
+	 */
+	let { message, sender = null, isOwnMessage = false, showAvatar = true, showTimestamp = true, isGroupChat = false } = $props();
 
 	function formatTime(date: Date): string {
 		return date.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit' });
@@ -69,11 +67,11 @@
 	// Generate a consistent color for a user based on their name
 	function getUserColor(userName: string): string {
 		if (!userName) return 'bg-gray-500';
-		
+
 		// Predefined color palette for better visual consistency
 		const colors = [
 			'bg-purple-500',
-			'bg-blue-500', 
+			'bg-blue-500',
 			'bg-green-500',
 			'bg-yellow-500',
 			'bg-red-500',
@@ -113,7 +111,7 @@
 	<!-- Avatar -->
 	{#if showAvatar && !isOwnMessage}
 		<div
-			class="avatar flex h-8 w-8 flex-shrink-0 items-center justify-center rounded-full bg-primary-500 text-sm"
+			class="avatar bg-primary-500 flex h-8 w-8 flex-shrink-0 items-center justify-center rounded-full text-sm"
 		>
 			{sender?.avatar || '👤'}
 		</div>
@@ -132,7 +130,7 @@
 
 		<!-- Message bubble -->
 		<div
-			class="message-bubble {getMessageBubbleClasses()} max-w-full rounded-2xl px-3 py-2 break-words inline-block"
+			class="message-bubble {getMessageBubbleClasses()} inline-block max-w-full rounded-2xl px-3 py-2 break-words"
 		>
 			{#if message.type === 'text'}
 				<!-- eslint-disable-next-line svelte/no-at-html-tags -->
@@ -160,7 +158,7 @@
 						<div class="flex items-center justify-between">
 							<div class="min-w-0 flex-1">
 								<p class="truncate text-sm font-medium">{message.fileData.name}</p>
-								<p class="text-xs text-surface-500-400">
+								<p class="text-surface-500-400 text-xs">
 									{formatFileSize(message.fileData.size)}
 								</p>
 							</div>
@@ -168,7 +166,7 @@
 								variant="ghost"
 								size="sm"
 								class="ml-2"
-								on:click={downloadFile}
+								onclick={downloadFile}
 								aria-label="Download file"
 							>
 								<Download class="h-4 w-4" />
@@ -220,32 +218,80 @@
 	}
 
 	/* User-specific colors for group chats */
-	.message-bubble.bg-purple-500 { background: #8b5cf6; }
-	.message-bubble.bg-blue-500 { background: #3b82f6; }
-	.message-bubble.bg-green-500 { background: #10b981; }
-	.message-bubble.bg-yellow-500 { background: #f59e0b; }
-	.message-bubble.bg-red-500 { background: #ef4444; }
-	.message-bubble.bg-indigo-500 { background: #6366f1; }
-	.message-bubble.bg-pink-500 { background: #ec4899; }
-	.message-bubble.bg-teal-500 { background: #14b8a6; }
-	.message-bubble.bg-orange-500 { background: #f97316; }
-	.message-bubble.bg-cyan-500 { background: #06b6d4; }
-	.message-bubble.bg-lime-500 { background: #84cc16; }
-	.message-bubble.bg-rose-500 { background: #f43f5e; }
+	.message-bubble.bg-purple-500 {
+		background: #8b5cf6;
+	}
+	.message-bubble.bg-blue-500 {
+		background: #3b82f6;
+	}
+	.message-bubble.bg-green-500 {
+		background: #10b981;
+	}
+	.message-bubble.bg-yellow-500 {
+		background: #f59e0b;
+	}
+	.message-bubble.bg-red-500 {
+		background: #ef4444;
+	}
+	.message-bubble.bg-indigo-500 {
+		background: #6366f1;
+	}
+	.message-bubble.bg-pink-500 {
+		background: #ec4899;
+	}
+	.message-bubble.bg-teal-500 {
+		background: #14b8a6;
+	}
+	.message-bubble.bg-orange-500 {
+		background: #f97316;
+	}
+	.message-bubble.bg-cyan-500 {
+		background: #06b6d4;
+	}
+	.message-bubble.bg-lime-500 {
+		background: #84cc16;
+	}
+	.message-bubble.bg-rose-500 {
+		background: #f43f5e;
+	}
 
 	/* Dark mode variants */
-	:global(.dark) .message-bubble.bg-purple-500 { background: #7c3aed; }
-	:global(.dark) .message-bubble.bg-blue-500 { background: #2563eb; }
-	:global(.dark) .message-bubble.bg-green-500 { background: #059669; }
-	:global(.dark) .message-bubble.bg-yellow-500 { background: #d97706; }
-	:global(.dark) .message-bubble.bg-red-500 { background: #dc2626; }
-	:global(.dark) .message-bubble.bg-indigo-500 { background: #4f46e5; }
-	:global(.dark) .message-bubble.bg-pink-500 { background: #db2777; }
-	:global(.dark) .message-bubble.bg-teal-500 { background: #0d9488; }
-	:global(.dark) .message-bubble.bg-orange-500 { background: #ea580c; }
-	:global(.dark) .message-bubble.bg-cyan-500 { background: #0891b2; }
-	:global(.dark) .message-bubble.bg-lime-500 { background: #65a30d; }
-	:global(.dark) .message-bubble.bg-rose-500 { background: #e11d48; }
+	:global(.dark) .message-bubble.bg-purple-500 {
+		background: #7c3aed;
+	}
+	:global(.dark) .message-bubble.bg-blue-500 {
+		background: #2563eb;
+	}
+	:global(.dark) .message-bubble.bg-green-500 {
+		background: #059669;
+	}
+	:global(.dark) .message-bubble.bg-yellow-500 {
+		background: #d97706;
+	}
+	:global(.dark) .message-bubble.bg-red-500 {
+		background: #dc2626;
+	}
+	:global(.dark) .message-bubble.bg-indigo-500 {
+		background: #4f46e5;
+	}
+	:global(.dark) .message-bubble.bg-pink-500 {
+		background: #db2777;
+	}
+	:global(.dark) .message-bubble.bg-teal-500 {
+		background: #0d9488;
+	}
+	:global(.dark) .message-bubble.bg-orange-500 {
+		background: #ea580c;
+	}
+	:global(.dark) .message-bubble.bg-cyan-500 {
+		background: #0891b2;
+	}
+	:global(.dark) .message-bubble.bg-lime-500 {
+		background: #65a30d;
+	}
+	:global(.dark) .message-bubble.bg-rose-500 {
+		background: #e11d48;
+	}
 
 	.file-message {
 		min-width: 200px;
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
index b9892920..8f52fc76 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { selectedChatMessages, selectedChat } from '../stores/chat';
+	import { chats, selectedChatId, messages } from '../stores/chat.svelte';
 	import MessageBubble from './MessageBubble.svelte';
 	import type { Message, User } from '../types';
 	import { SvelteDate } from 'svelte/reactivity';
@@ -7,9 +7,19 @@
 	let messagesContainer: HTMLDivElement | undefined = $state(undefined);
 	let autoScroll = $state(true);
 
+	const selectedChat = $derived(
+		selectedChatId.state
+			? (chats.state.find((chat) => chat.id === selectedChatId.state) ?? null)
+			: null
+	);
+
+	const selectedChatMessages = $derived(
+		selectedChatId.state ? (messages.state[selectedChatId.state] ?? []) : []
+	);
+
 	// Scroll to bottom when new messages arrive
 	$effect(() => {
-		if (autoScroll && messagesContainer && $selectedChatMessages) {
+		if (autoScroll && messagesContainer && selectedChatMessages) {
 			messagesContainer.scrollTop = messagesContainer.scrollHeight;
 		}
 	});
@@ -31,9 +41,9 @@
 	}
 
 	function getSender(message: Message): User | null {
-		if (!$selectedChat) return null;
+		if (!selectedChat) return null;
 
-		return $selectedChat.participants.find((p) => p.id === message.senderId) || null;
+		return selectedChat.participants.find((p) => p.id === message.senderId) || null;
 	}
 
 	function isOwnMessage(message: Message): boolean {
@@ -44,14 +54,14 @@
 		if (isOwnMessage(message)) return false;
 		if (index === 0) return true;
 
-		const prevMessage = $selectedChatMessages[index - 1];
+		const prevMessage = selectedChatMessages[index - 1];
 		return prevMessage.senderId !== message.senderId;
 	}
 
 	function shouldShowTimestamp(message: Message, index: number): boolean {
-		if (index === $selectedChatMessages.length - 1) return true;
+		if (index === selectedChatMessages.length - 1) return true;
 
-		const nextMessage = $selectedChatMessages[index + 1];
+		const nextMessage = selectedChatMessages[index + 1];
 		const timeDiff = nextMessage.timestamp.getTime() - message.timestamp.getTime();
 
 		// Show timestamp if next message is more than 5 minutes later
@@ -75,7 +85,7 @@
 	function shouldShowDateSeparator(message: Message, index: number): boolean {
 		if (index === 0) return true;
 
-		const prevMessage = $selectedChatMessages[index - 1];
+		const prevMessage = selectedChatMessages[index - 1];
 		const messageDate = message.timestamp;
 		const prevDate = prevMessage.timestamp;
 
@@ -84,50 +94,52 @@
 
 	// Get participant info for display
 	function getParticipantInfo(): string {
-		if (!$selectedChat) return '';
+		if (!selectedChat) return '';
 
-		if ($selectedChat.type === 'direct') {
-			const otherUser = $selectedChat.participants.find((p) => p.id !== 'current-user');
+		if (selectedChat.type === 'direct') {
+			const otherUser = selectedChat.participants.find((p) => p.id !== 'current-user');
 			return otherUser ? `This is the beginning of your conversation with ${otherUser.name}` : '';
 		}
 
-		return `This is the beginning of the ${$selectedChat.name} group chat`;
+		return `This is the beginning of the ${selectedChat.name} group chat`;
 	}
 </script>
 
 <div class="message-history flex min-h-0 flex-1 flex-col">
-	{#if $selectedChat}
+	{#if selectedChat}
 		<div
 			bind:this={messagesContainer}
 			onscroll={handleScroll}
 			class="messages-container scrollbar-thin flex-1 overflow-y-auto"
 		>
-			{#if $selectedChatMessages.length === 0}
+			{#if selectedChatMessages.length === 0}
 				<!-- Empty state -->
-				<div class="empty-state flex h-full flex-col items-center justify-center p-8 pt-12 text-center">
+				<div
+					class="empty-state flex h-full flex-col items-center justify-center p-8 pt-12 text-center"
+				>
 					<div
-						class="avatar mb-4 flex h-16 w-16 items-center justify-center rounded-full bg-primary-500 text-2xl"
+						class="avatar bg-primary-500 mb-4 flex h-16 w-16 items-center justify-center rounded-full text-2xl"
 					>
-						{#if $selectedChat.type === 'direct'}
-							{$selectedChat.participants.find((p) => p.id !== 'current-user')?.avatar || '👤'}
+						{#if selectedChat.type === 'direct'}
+							{selectedChat.participants.find((p) => p.id !== 'current-user')?.avatar || '👤'}
 						{:else}
-							{$selectedChat.avatar || '👥'}
+							{selectedChat.avatar || '👥'}
 						{/if}
 					</div>
 					<h3 class="mb-2 text-lg font-semibold">
-						{#if $selectedChat.type === 'direct'}
-							{$selectedChat.participants.find((p) => p.id !== 'current-user')?.name || 'Unknown'}
+						{#if selectedChat.type === 'direct'}
+							{selectedChat.participants.find((p) => p.id !== 'current-user')?.name || 'Unknown'}
 						{:else}
-							{$selectedChat.name}
+							{selectedChat.name}
 						{/if}
 					</h3>
 					<p class="text-surface-600-300-token mb-4 max-w-md">
 						{getParticipantInfo()}
 					</p>
-					{#if $selectedChat.disappearingMessagesDuration > 0}
+					{#if selectedChat.disappearingMessagesDuration > 0}
 						<div class="alert variant-ghost-warning">
 							<span class="text-sm">
-								🕐 Messages disappear after {$selectedChat.disappearingMessagesDuration} day{$selectedChat.disappearingMessagesDuration !==
+								🕐 Messages disappear after {selectedChat.disappearingMessagesDuration} day{selectedChat.disappearingMessagesDuration !==
 								1
 									? 's'
 									: ''}
@@ -138,7 +150,7 @@
 			{:else}
 				<!-- Messages -->
 				<div class="messages-list py-4">
-					{#each $selectedChatMessages as message, index (message.id)}
+					{#each selectedChatMessages as message, index (message.id)}
 						<!-- Date separator -->
 						{#if shouldShowDateSeparator(message, index)}
 							<div class="date-separator flex items-center justify-center py-4">
@@ -158,7 +170,7 @@
 								isOwnMessage={isOwnMessage(message)}
 								showAvatar={shouldShowAvatar(message, index)}
 								showTimestamp={shouldShowTimestamp(message, index)}
-								isGroupChat={$selectedChat?.type === 'group'}
+								isGroupChat={selectedChat?.type === 'group'}
 							/>
 						</div>
 					{/each}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
index 35493184..b21af38b 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
@@ -105,7 +105,7 @@
 	}
 </script>
 
-<div class="border-t border-white/10 glass-effect p-6 backdrop-blur-xl">
+<div class="glass-effect border-t border-white/10 p-6 backdrop-blur-xl">
 	<!-- File preview -->
 	{#if selectedFile}
 		<Card padding="sm" class="mb-3">
@@ -113,20 +113,20 @@
 				{#if selectedFile.preview}
 					<img src={selectedFile.preview} alt="Preview" class="h-16 w-16 rounded object-cover" />
 				{:else}
-					<div class="flex h-16 w-16 items-center justify-center rounded bg-surface-200-700">
+					<div class="bg-surface-200-700 flex h-16 w-16 items-center justify-center rounded">
 						<Paperclip class="h-6 w-6" />
 					</div>
 				{/if}
 
 				<div class="min-w-0 flex-1">
 					<p class="truncate text-sm font-medium">{selectedFile.file.name}</p>
-					<p class="text-xs text-surface-500-400">{formatFileSize(selectedFile.file.size)}</p>
+					<p class="text-surface-500-400 text-xs">{formatFileSize(selectedFile.file.size)}</p>
 					{#if !selectedFile.isValid && selectedFile.error}
-						<p class="mt-1 text-xs text-error-500">{selectedFile.error}</p>
+						<p class="text-error-500 mt-1 text-xs">{selectedFile.error}</p>
 					{/if}
 				</div>
 
-				<Button variant="ghost" size="sm" on:click={removeFile} aria-label="Remove file">
+				<Button variant="ghost" size="sm" onclick={removeFile} aria-label="Remove file">
 					<X class="h-4 w-4" />
 				</Button>
 			</div>
@@ -139,7 +139,7 @@
 		<input
 			type="file"
 			bind:this={fileInput}
-			on:change={handleFileChange}
+			onchange={handleFileChange}
 			accept="image/*,.pdf,.doc,.docx,.txt,.zip"
 			style="display: none;"
 		/>
@@ -148,21 +148,21 @@
 		<div class="relative flex-1">
 			<textarea
 				bind:value={messageText}
-				on:keydown={handleKeydown}
+				onkeydown={handleKeydown}
 				{placeholder}
 				{disabled}
 				rows="1"
-				class="message-input w-full resize-none rounded-xl border border-gray-200/50 bg-white/80 backdrop-blur-sm px-4 py-3 pr-20 text-sm shadow-lg focus:border-blue-500 focus:ring-2 focus:ring-blue-500/20 focus:outline-none dark:border-gray-700/50 dark:bg-gray-800/80"
+				class="message-input w-full resize-none rounded-xl border border-gray-200/50 bg-white/80 px-4 py-3 pr-20 text-sm shadow-lg backdrop-blur-sm focus:border-blue-500 focus:ring-2 focus:ring-blue-500/20 focus:outline-none dark:border-gray-700/50 dark:bg-gray-800/80"
 				style="min-height: 44px; max-height: 120px;"
 			></textarea>
 
 			<!-- Attachment and Emoji buttons -->
-			<div class="absolute top-1/2 right-2 -translate-y-1/2 flex items-center gap-1">
+			<div class="absolute top-1/2 right-2 flex -translate-y-1/2 items-center gap-1">
 				<!-- Attachment button -->
 				<Button
 					variant="ghost"
 					size="sm"
-					on:click={handleFileSelect}
+					onclick={handleFileSelect}
 					{disabled}
 					title="Attach file (max {MAX_FILE_SIZE / 1024}KB)"
 					aria-label="Attach file"
@@ -174,7 +174,7 @@
 				<Button
 					variant="ghost"
 					size="sm"
-					on:click={() => (showEmojiPicker = !showEmojiPicker)}
+					onclick={() => (showEmojiPicker = !showEmojiPicker)}
 					{disabled}
 					aria-label="Add emoji"
 				>
@@ -184,16 +184,18 @@
 		</div>
 
 		<!-- Send button -->
+		<div class="pb-2">
 		<Button
 			variant="filled"
-			on:click={handleSend}
-			disabled={disabled || 
-				(!messageText.trim() && !selectedFile) || 
+			onclick={handleSend}
+			disabled={disabled ||
+				(!messageText.trim() && !selectedFile) ||
 				!!(selectedFile && selectedFile.isValid === false)}
 			aria-label="Send message"
 		>
-			<Send class="h-5 w-5" />
-		</Button>
+				<Send class="h-5 w-5" />
+			</Button>
+		</div>
 	</div>
 </div>
 
@@ -206,7 +208,7 @@
 
 <style>
 	@reference "tailwindcss";
-	
+
 	.message-input {
 		scrollbar-width: thin;
 	}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
index 5bbdbc7e..1fa0e495 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
@@ -2,7 +2,7 @@
 	import { onMount } from 'svelte';
 	import { fly } from 'svelte/transition';
 	import { X, AlertTriangle, Info, CheckCircle, XCircle } from 'lucide-svelte';
-	import { notifications, chatActions } from '../stores/chat';
+	import { notifications, chatActions } from '../stores/chat.svelte';
 	import { storageService } from '../services/storage';
 	import type { Notification } from '../types';
 
@@ -48,20 +48,20 @@
 <!-- Disclaimer Banner - Bottom Overlay -->
 {#if showDisclaimer}
 	<div
-		class="fixed bottom-0 right-0 left-0 z-50 bg-orange-100 border-t-2 border-orange-400 shadow-lg"
+		class="fixed right-0 bottom-0 left-0 z-50 border-t-2 border-orange-400 bg-orange-100 shadow-lg"
 		transition:fly={{ y: 100, duration: 300 }}
 	>
 		<div class="flex items-center gap-3 p-3">
 			<AlertTriangle class="h-5 w-5 text-orange-600" />
 			<div class="flex-1">
 				<span class="text-sm text-orange-800">
-					<strong>Disclaimer:</strong> This sample dapp is intended exclusively for experimental purposes. 
+					<strong>Disclaimer:</strong> This sample dapp is intended exclusively for experimental purposes.
 					You are advised not to use this dapp for storing your critical data such as keys or passwords.
 				</span>
 			</div>
 			<button
-				class="text-orange-600 hover:text-orange-800 p-1 rounded transition-colors"
-				on:click={dismissDisclaimer}
+				class="rounded p-1 text-orange-600 transition-colors hover:text-orange-800"
+				onclick={dismissDisclaimer}
 				aria-label="Dismiss disclaimer"
 			>
 				<X class="h-4 w-4" />
@@ -72,7 +72,7 @@
 
 <!-- Notification Stack -->
 <div class="fixed top-4 right-4 z-40 max-w-sm space-y-2">
-	{#each $notifications as notification (notification.id)}
+	{#each notifications.state as notification (notification.id)}
 		<div
 			class="alert {getNotificationColor(notification.type)} shadow-lg"
 			transition:fly={{ x: 300, duration: 300 }}
@@ -86,7 +86,7 @@
 				<div class="alert-actions">
 					<button
 						class="variant-soft btn-icon"
-						on:click={() => chatActions.dismissNotification(notification.id)}
+						onclick={() => chatActions.dismissNotification(notification.id)}
 						aria-label="Dismiss notification"
 					>
 						<X class="h-4 w-4" />
@@ -116,6 +116,4 @@
 		align-items: center;
 		gap: 0.5rem;
 	}
-
-
 </style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/Spinner.svelte b/examples/encrypted_chat/frontend/src/lib/components/Spinner.svelte
new file mode 100644
index 00000000..e421e791
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/Spinner.svelte
@@ -0,0 +1,5 @@
+<script lang="ts"></script>
+
+<span
+	class="mr-2 inline-block h-4 w-4 animate-spin rounded-full border-2 border-t-transparent border-r-current border-b-current border-l-transparent"
+></span>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index 2fd8dee7..0dde7c3f 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -1,15 +1,38 @@
 <script lang="ts">
 	import { Settings, X, Check } from 'lucide-svelte';
-	import { currentUser, userConfig, chatActions } from '../stores/chat';
+	import { userConfig, chatActions } from '../stores/chat.svelte';
+	import { auth } from '$lib/stores/auth.svelte';
+	import type { User } from '$lib/types';
+	
+	const currentUser = $derived<{ state: User | null }>({
+		state: {
+			...getDummyCurrentUser(),
+			name:
+				auth.state.label === 'initialized'
+					? auth.state.client.getIdentity().getPrincipal().toString()
+					: ''
+		}
+	});
+
+	function getDummyCurrentUser(): User {
+		return {
+			id: 'current-user',
+			name: 'You',
+			avatar: '👤',
+			isOnline: true
+		};
+	}
 
-	let showConfig = false;
-	let configForm = {
+	let showConfig = $state(false);
+	let configForm = $state({
 		cacheRetentionDays: 7
-	};
+	});
 
-	$: if ($userConfig) {
-		configForm.cacheRetentionDays = $userConfig.cacheRetentionDays;
-	}
+	$effect(() => {
+		if (userConfig.state) {
+			configForm.cacheRetentionDays = userConfig.state.cacheRetentionDays;
+		}
+	});
 
 	function toggleConfig() {
 		showConfig = !showConfig;
@@ -31,23 +54,19 @@
 	<div class="flex items-center justify-between">
 		<div class="flex items-center gap-3">
 			<div
-				class="avatar flex h-10 w-10 items-center justify-center rounded-full bg-primary-500 text-lg"
+				class="avatar bg-primary-500 flex h-10 w-10 items-center justify-center rounded-full text-lg"
 			>
-				{$currentUser?.avatar || '👤'}
+				{currentUser.state?.avatar || '👤'}
 			</div>
 			<div>
-				<h3 class="text-sm font-semibold">{$currentUser?.name || 'User'}</h3>
-				<div class="flex items-center gap-1">
-					<div class="h-2 w-2 rounded-full bg-success-500"></div>
-					<span class="text-surface-600-300-token text-xs">Online</span>
-				</div>
+				<h3 class="text-sm font-semibold">Name: ---<br /></h3>
+				<h4 class="text-xs font-semibold">{currentUser.state?.name}</h4>
 			</div>
 		</div>
-		<button class="variant-ghost-surface btn-icon" on:click={toggleConfig} aria-label="Settings">
+		<button class="variant-ghost-surface btn-icon" onclick={toggleConfig} aria-label="Settings">
 			<Settings class="h-5 w-5" />
 		</button>
 	</div>
-
 </div>
 
 <!-- Settings Modal -->
@@ -55,21 +74,25 @@
 	<!-- Backdrop -->
 	<div
 		class="fixed inset-0 z-50 bg-black/50 backdrop-blur-sm"
-		on:click={handleBackdropClick}
+		onclick={handleBackdropClick}
 		role="button"
 		tabindex="-1"
-		on:keydown={() => {}}
+		onkeydown={() => {}}
 	></div>
 
 	<!-- Modal -->
 	<div class="fixed inset-0 z-50 flex items-center justify-center p-4">
-		<div class="config-modal bg-white dark:bg-gray-800 rounded-2xl shadow-2xl border border-gray-200 dark:border-gray-700 w-full max-w-md">
+		<div
+			class="config-modal w-full max-w-md rounded-2xl border border-gray-200 bg-white shadow-2xl dark:border-gray-700 dark:bg-gray-800"
+		>
 			<!-- Header -->
-			<div class="flex items-center justify-between p-6 border-b border-gray-200 dark:border-gray-700">
+			<div
+				class="flex items-center justify-between border-b border-gray-200 p-6 dark:border-gray-700"
+			>
 				<h3 class="text-lg font-semibold text-gray-900 dark:text-gray-100">Settings</h3>
 				<button
-					class="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300 p-1 rounded-lg hover:bg-gray-100 dark:hover:bg-gray-700 transition-colors"
-					on:click={() => (showConfig = false)}
+					class="rounded-lg p-1 text-gray-400 transition-colors hover:bg-gray-100 hover:text-gray-600 dark:hover:bg-gray-700 dark:hover:text-gray-300"
+					onclick={() => (showConfig = false)}
 					aria-label="Close settings"
 				>
 					<X class="h-5 w-5" />
@@ -77,9 +100,12 @@
 			</div>
 
 			<!-- Content -->
-			<div class="p-6 space-y-4">
+			<div class="space-y-4 p-6">
 				<div>
-					<label for="cache-retention" class="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-2">
+					<label
+						for="cache-retention"
+						class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300"
+					>
 						Cache Retention (days)
 					</label>
 					<input
@@ -88,7 +114,7 @@
 						min="1"
 						max="365"
 						bind:value={configForm.cacheRetentionDays}
-						class="w-full px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-lg bg-white dark:bg-gray-800 text-gray-900 dark:text-gray-100 focus:ring-2 focus:ring-blue-500 focus:border-transparent outline-none transition-all"
+						class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-gray-900 transition-all outline-none focus:border-transparent focus:ring-2 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-800 dark:text-gray-100"
 						placeholder="7"
 					/>
 					<p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
@@ -98,16 +124,18 @@
 			</div>
 
 			<!-- Footer -->
-			<div class="flex items-center justify-end gap-3 p-6 border-t border-gray-200 dark:border-gray-700">
+			<div
+				class="flex items-center justify-end gap-3 border-t border-gray-200 p-6 dark:border-gray-700"
+			>
 				<button
-					class="px-4 py-2 text-gray-700 dark:text-gray-300 hover:bg-gray-100 dark:hover:bg-gray-700 rounded-lg transition-colors"
-					on:click={() => (showConfig = false)}
+					class="rounded-lg px-4 py-2 text-gray-700 transition-colors hover:bg-gray-100 dark:text-gray-300 dark:hover:bg-gray-700"
+					onclick={() => (showConfig = false)}
 				>
 					Cancel
 				</button>
 				<button
-					class="px-4 py-2 bg-blue-600 hover:bg-blue-700 text-white rounded-lg transition-colors flex items-center gap-2"
-					on:click={saveConfig}
+					class="flex items-center gap-2 rounded-lg bg-blue-600 px-4 py-2 text-white transition-colors hover:bg-blue-700"
+					onclick={saveConfig}
 				>
 					<Check class="h-4 w-4" />
 					Save
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
index a2919190..bbbb3f1a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
@@ -1,17 +1,17 @@
 <script lang="ts">
-	export let variant: 'filled' | 'outline' | 'soft' = 'filled';
-	export let color: 'primary' | 'secondary' | 'tertiary' | 'success' | 'warning' | 'error' = 'primary';
-	let className: string = '';
+	/** @type {{ variant: 'filled' | 'outline' | 'soft' }}
+	 *  @type {{ color: 'primary' | 'secondary' | 'tertiary' | 'success' | 'warning' | 'error' }}
+	 */
+	let { variant = 'filled', color = 'primary', children, className = '', ...rest } = $props();
 	export { className as class };
 
-	$: classes = [
-		'badge',
-		`variant-${variant}-${color}`,
-		'transition-all duration-200',
-		className
-	].filter(Boolean).join(' ');
+	let classes = $derived(
+		['badge', `variant-${variant}-${color}`, 'transition-all duration-200', className]
+			.filter(Boolean)
+			.join(' ')
+	);
 </script>
 
-<span class={classes} {...$$restProps}>
-	<slot />
-</span>
\ No newline at end of file
+<span class={classes} {...rest}>
+	{@render children?.()}
+</span>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
index 21f15654..4e00a324 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
@@ -1,9 +1,18 @@
 <script lang="ts">
-	export let variant: 'filled' | 'outline' | 'ghost' | 'gradient' = 'filled';
-	export let size: 'sm' | 'md' | 'lg' = 'md';
-	export let disabled: boolean = false;
-	export let type: 'button' | 'submit' | 'reset' = 'button';
-	let className: string = '';
+	/** @type {{ variant: 'filled' | 'outline' | 'ghost' | 'gradient' }}
+	 *  @type {{ size: 'sm' | 'md' | 'lg' }}
+	 *  @type {{ type: 'button' | 'submit' | 'reset' }}
+	 */
+	let {
+		onclick,
+		variant = 'filled',
+		size = 'md',
+		disabled = false,
+		type = 'button',
+		className = '',
+		children,
+		...rest
+	} = $props();
 	export { className as class };
 
 	// Define variant classes using Skeleton v3's design tokens
@@ -11,7 +20,8 @@
 		filled: 'variant-filled-primary',
 		outline: 'variant-outline-primary',
 		ghost: 'variant-ghost-primary',
-		gradient: 'bg-gradient-to-r from-primary-500 to-secondary-500 text-on-primary-token hover:from-primary-600 hover:to-secondary-600'
+		gradient:
+			'bg-gradient-to-r from-primary-500 to-secondary-500 text-on-primary-token hover:from-primary-600 hover:to-secondary-600'
 	};
 
 	const sizeClasses = {
@@ -20,15 +30,13 @@
 		lg: 'btn-lg'
 	};
 
-	$: classes = [
-		'btn',
-		variantClasses[variant],
-		sizeClasses[size],
-		'transition-all duration-200',
-		className
-	].filter(Boolean).join(' ');
+	let classes = $derived(
+		['btn', variantClasses[variant], sizeClasses[size], 'transition-all duration-200', className]
+			.filter(Boolean)
+			.join(' ')
+	);
 </script>
 
-<button class={classes} {disabled} {type} {...$$restProps} on:click>
-	<slot />
-</button>
\ No newline at end of file
+<button class={classes} {disabled} {type} {...rest} {onclick}>
+	{@render children?.()}
+</button>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
index 1cc7260b..43cb26dc 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
@@ -1,7 +1,8 @@
 <script lang="ts">
-	export let variant: 'filled' | 'glass' | 'outlined' = 'filled';
-	export let padding: 'none' | 'sm' | 'md' | 'lg' = 'md';
-	let className: string = '';
+	/** @type {{ variant: 'filled' | 'glass' | 'outlined' }}
+	 *  @type {{ padding: 'none' | 'sm' | 'md' | 'lg' }}
+	 */
+	let { variant = 'filled', padding = 'md', children, className = '', ...rest } = $props();
 	export { className as class };
 
 	const variantClasses = {
@@ -17,13 +18,11 @@
 		lg: 'p-8'
 	};
 
-	$: classes = [
-		variantClasses[variant],
-		paddingClasses[padding],
-		className
-	].filter(Boolean).join(' ');
+	let classes = $derived(
+		[variantClasses[variant], paddingClasses[padding], className].filter(Boolean).join(' ')
+	);
 </script>
 
-<div class={classes} {...$$restProps}>
-	<slot />
-</div>
\ No newline at end of file
+<div class={classes} {...rest}>
+	{@render children?.()}
+</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte
index 3838639e..e69de29b 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte
@@ -1,80 +0,0 @@
-<script lang="ts">
-	import { createDialog, melt } from '@melt-ui/svelte';
-	import { fade, fly } from 'svelte/transition';
-	import { X } from 'lucide-svelte';
-
-	export let open: boolean = false;
-	export let title: string = '';
-	let className: string = '';
-	export { className as class };
-
-	const {
-		elements: { trigger, overlay, content, title: titleEl, description, close },
-		states: { open: openState }
-	} = createDialog({
-		defaultOpen: open
-	});
-
-	// Sync the open state bidirectionally
-	$: openState.set(open);
-	$: open = $openState;
-</script>
-
-<!-- Trigger slot (optional) -->
-{#if $$slots.trigger}
-	<slot name="trigger" {trigger} />
-{/if}
-
-{#if $openState}
-	<!-- Overlay -->
-	<div
-		use:melt={$overlay}
-		class="fixed inset-0 z-50 bg-black/50 backdrop-blur-sm"
-		transition:fade={{ duration: 150 }}
-	></div>
-
-	<!-- Dialog Content -->
-	<div
-		use:melt={$content}
-		class="fixed left-1/2 top-1/2 z-50 max-h-[85vh] w-[90vw] max-w-md -translate-x-1/2 -translate-y-1/2 card p-6 shadow-lg {className}"
-		transition:fly={{ y: -50, duration: 200 }}
-	>
-		<!-- Close Button -->
-		<button
-			use:melt={$close}
-			class="absolute right-4 top-4 btn-icon btn-icon-sm variant-ghost-surface hover:variant-filled-surface"
-			aria-label="Close dialog"
-		>
-			<X size={16} />
-		</button>
-
-		<!-- Header -->
-		{#if title || $$slots.header}
-			<div class="mb-4">
-				{#if title}
-					<h2 use:melt={$titleEl} class="text-lg font-semibold text-on-surface-token">
-						{title}
-					</h2>
-				{/if}
-				<slot name="header" />
-			</div>
-		{/if}
-
-		<!-- Description (for accessibility) -->
-		<div use:melt={$description} class="sr-only">
-			<slot name="description" />
-		</div>
-
-		<!-- Content -->
-		<div class="dialog-content">
-			<slot />
-		</div>
-
-		<!-- Footer -->
-		{#if $$slots.footer}
-			<div class="mt-6 flex justify-end gap-2">
-				<slot name="footer" {close} />
-			</div>
-		{/if}
-	</div>
-{/if}
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte
index 1ab82f3f..e69de29b 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte
@@ -1,36 +0,0 @@
-<script lang="ts">
-	export let value: string | number = '';
-	export let type: string = 'text';
-	export let placeholder: string = '';
-	export let disabled: boolean = false;
-	export let required: boolean = false;
-	export let variant: 'default' | 'minimal' = 'default';
-	let className: string = '';
-	export { className as class };
-
-	const variantClasses = {
-		default: 'input',
-		minimal: 'input variant-form-material'
-	};
-
-	$: classes = [
-		variantClasses[variant],
-		'transition-all duration-200',
-		'focus:ring-2 focus:ring-primary-500 focus:ring-offset-2',
-		className
-	].filter(Boolean).join(' ');
-</script>
-
-<input
-	class={classes}
-	{type}
-	{placeholder}
-	{disabled}
-	{required}
-	bind:value
-	{...$$restProps}
-	on:input
-	on:change
-	on:blur
-	on:focus
-/>
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/api.ts
index d2ea14b8..d74bd780 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/api.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/api.ts
@@ -1,310 +1,106 @@
-import type { Chat, Message, KeyRotationStatus, RatchetStats } from '../types';
+import type { ActorSubclass } from '@dfinity/agent';
+import type { SymmetricRatchetStats } from '../types';
+import type {
+	_SERVICE,
+	ChatId,
+	EncryptedMessage,
+	GroupChatMetadata,
+	UserMessage,
+	VetKeyEpochMetadata
+} from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { Principal } from '@dfinity/principal';
 
 // Dummy API service that simulates backend calls
 // In real implementation, these would make actual API calls to the backend
 
 export class ChatAPI {
-	// Simulate network delay
-	private async delay(ms: number = 300): Promise<void> {
-		return new Promise((resolve) => setTimeout(resolve, ms));
-	}
-
-	async getChats(): Promise<Chat[]> {
-		await this.delay();
-		return [
-			{
-				id: 'direct-1',
-				name: 'Alice Johnson',
-				type: 'direct',
-				participants: [
-					{
-						id: 'user-alice',
-						name: 'Alice Johnson',
-						isOnline: true,
-						avatar: '👩‍💼'
-					}
-				],
-				lastActivity: new Date(Date.now() - 1000 * 60 * 30), // 30 minutes ago
-				isReady: true,
-				isUpdating: false,
-				disappearingMessagesDuration: 7,
-				keyRotationStatus: {
-					lastRotation: new Date(Date.now() - 1000 * 60 * 60 * 12), // 12 hours ago
-					nextRotation: new Date(Date.now() + 1000 * 60 * 60 * 12), // 12 hours from now
-					isRotationNeeded: false,
-					currentEpoch: 15
-				},
-				ratchetEpoch: 15,
-				unreadCount: 2,
-				lastMessage: {
-					id: 'msg-1',
-					chatId: 'direct-1',
-					senderId: 'user-alice',
-					content: 'Hey! How are you doing?',
-					timestamp: new Date(Date.now() - 1000 * 60 * 30),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 15
-				}
-			},
-			{
-				id: 'direct-2',
-				name: 'Bob Smith',
-				type: 'direct',
-				participants: [
-					{
-						id: 'user-bob',
-						name: 'Bob Smith',
-						isOnline: false,
-						lastSeen: new Date(Date.now() - 1000 * 60 * 60 * 2), // 2 hours ago
-						avatar: '👨‍💻'
-					}
-				],
-				lastActivity: new Date(Date.now() - 1000 * 60 * 60 * 4), // 4 hours ago
-				isReady: true,
-				isUpdating: false,
-				disappearingMessagesDuration: 30,
-				keyRotationStatus: {
-					lastRotation: new Date(Date.now() - 1000 * 60 * 60 * 18),
-					nextRotation: new Date(Date.now() + 1000 * 60 * 60 * 6),
-					isRotationNeeded: true,
-					currentEpoch: 8
-				},
-				ratchetEpoch: 8,
-				unreadCount: 0,
-				lastMessage: {
-					id: 'msg-2',
-					chatId: 'direct-2',
-					senderId: 'current-user',
-					content: 'Thanks for the help earlier!',
-					timestamp: new Date(Date.now() - 1000 * 60 * 60 * 4),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 8
-				}
-			},
-			{
-				id: 'group-1',
-				name: 'Project Team',
-				type: 'group',
-				participants: [
-					{
-						id: 'user-alice',
-						name: 'Alice Johnson',
-						isOnline: true,
-						avatar: '👩‍💼'
-					},
-					{
-						id: 'user-charlie',
-						name: 'Charlie Davis',
-						isOnline: true,
-						avatar: '👨‍🎨'
-					},
-					{
-						id: 'user-diana',
-						name: 'Diana Wilson',
-						isOnline: false,
-						lastSeen: new Date(Date.now() - 1000 * 60 * 45),
-						avatar: '👩‍🔬'
-					}
-				],
-				lastActivity: new Date(Date.now() - 1000 * 60 * 15), // 15 minutes ago
-				isReady: true,
-				isUpdating: false,
-				disappearingMessagesDuration: 14,
-				keyRotationStatus: {
-					lastRotation: new Date(Date.now() - 1000 * 60 * 60 * 6),
-					nextRotation: new Date(Date.now() + 1000 * 60 * 60 * 18),
-					isRotationNeeded: false,
-					currentEpoch: 23
-				},
-				ratchetEpoch: 23,
-				unreadCount: 5,
-				avatar: '🏢',
-				lastMessage: {
-					id: 'msg-3',
-					chatId: 'group-1',
-					senderId: 'user-charlie',
-					content: 'Meeting at 3 PM today?',
-					timestamp: new Date(Date.now() - 1000 * 60 * 15),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 23
-				}
-			},
-			{
-				id: 'group-2',
-				name: 'Friends Chat',
-				type: 'group',
-				participants: [
-					{
-						id: 'user-bob',
-						name: 'Bob Smith',
-						isOnline: false,
-						lastSeen: new Date(Date.now() - 1000 * 60 * 60 * 2),
-						avatar: '👨‍💻'
-					},
-					{
-						id: 'user-eve',
-						name: 'Eve Martinez',
-						isOnline: true,
-						avatar: '👩‍🎭'
-					}
-				],
-				lastActivity: new Date(Date.now() - 1000 * 60 * 60 * 8), // 8 hours ago
-				isReady: false,
-				isUpdating: true,
-				disappearingMessagesDuration: 1,
-				keyRotationStatus: {
-					lastRotation: new Date(Date.now() - 1000 * 60 * 60 * 24),
-					nextRotation: new Date(Date.now() + 1000 * 60 * 60),
-					isRotationNeeded: true,
-					currentEpoch: 5
-				},
-				ratchetEpoch: 5,
-				unreadCount: 0,
-				avatar: '🎉'
-			}
-		];
+	async createDirectChat(
+		actor: ActorSubclass<_SERVICE>,
+		receiver: Principal,
+		symmetricKeyRotationDurationMinutes: bigint,
+		messageExpirationDurationMinutes: bigint
+	): Promise<{ creationDate: Date }> {
+		const result = await actor.create_direct_chat(
+			receiver,
+			symmetricKeyRotationDurationMinutes,
+			messageExpirationDurationMinutes
+		);
+		if ('Ok' in result) {
+			return { creationDate: new Date(Number(result.Ok / BigInt(1_000_000))) };
+		} else {
+			throw new Error(result.Err);
+		}
 	}
 
-	async getChatMessages(chatId: string): Promise<Message[]> {
-		await this.delay();
-
-		// Return different message sets based on chat ID
-		if (chatId === 'direct-1') {
-			return [
-				{
-					id: 'msg-d1-1',
-					chatId: 'direct-1',
-					senderId: 'user-alice',
-					content: 'Hello! How are you today?',
-					timestamp: new Date(Date.now() - 1000 * 60 * 60 * 2),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 15
-				},
-				{
-					id: 'msg-d1-2',
-					chatId: 'direct-1',
-					senderId: 'current-user',
-					content: "Hey Alice! I'm doing great, thanks for asking. How about you?",
-					timestamp: new Date(Date.now() - 1000 * 60 * 45),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 15
-				},
-				{
-					id: 'msg-d1-3',
-					chatId: 'direct-1',
-					senderId: 'user-alice',
-					content: "I'm fantastic! Working on some exciting new features 🚀",
-					timestamp: new Date(Date.now() - 1000 * 60 * 30),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 15
-				}
-			];
+	async createGroupChat(
+		actor: ActorSubclass<_SERVICE>,
+		otherParticipants: Principal[],
+		symmetricKeyRotationDurationMinutes: bigint,
+		messageExpirationDurationMinutes: bigint
+	): Promise<GroupChatMetadata> {
+		const result = await actor.create_group_chat(
+			otherParticipants,
+			symmetricKeyRotationDurationMinutes,
+			messageExpirationDurationMinutes
+		);
+		if ('Ok' in result) {
+			return result.Ok;
+		} else {
+			throw new Error(result.Err);
 		}
+	}
 
-		if (chatId === 'group-1') {
-			return [
-				{
-					id: 'msg-g1-1',
-					chatId: 'group-1',
-					senderId: 'user-alice',
-					content: "Team, let's discuss the project timeline",
-					timestamp: new Date(Date.now() - 1000 * 60 * 60),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 23
-				},
-				{
-					id: 'msg-g1-2',
-					chatId: 'group-1',
-					senderId: 'user-charlie',
-					content: 'Sure! I think we can finish the UI by Friday',
-					timestamp: new Date(Date.now() - 1000 * 60 * 45),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 23
-				},
-				{
-					id: 'msg-g1-3',
-					chatId: 'group-1',
-					senderId: 'current-user',
-					content: "Great! I'll have the backend ready by then too",
-					timestamp: new Date(Date.now() - 1000 * 60 * 30),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 23
-				},
-				{
-					id: 'msg-g1-4',
-					chatId: 'group-1',
-					senderId: 'user-charlie',
-					content: 'Meeting at 3 PM today?',
-					timestamp: new Date(Date.now() - 1000 * 60 * 15),
-					type: 'text',
-					isEncrypted: true,
-					ratchetEpoch: 23
-				}
-			];
+	async sendDirectMessage(
+		actor: ActorSubclass<_SERVICE>,
+		receiver: Principal,
+		message: UserMessage
+	): Promise<{ chatMessageId: bigint }> {
+		const result = await actor.send_direct_message(message, receiver);
+		if ('Ok' in result) {
+			return { chatMessageId: result.Ok };
+		} else {
+			throw new Error(result.Err);
 		}
-
-		return [];
 	}
 
-	async sendMessage(
-		chatId: string,
-		content: string,
-		type: 'text' | 'file' = 'text',
-		fileData?: ArrayBuffer
-	): Promise<Message> {
-		await this.delay(500);
-
-		const message: Message = {
-			id: `msg-${Date.now()}`,
-			chatId,
-			senderId: 'current-user',
-			content,
-			timestamp: new Date(),
-			type,
-			fileData,
-			isEncrypted: true,
-			ratchetEpoch: Math.floor(Math.random() * 30) + 1
-		};
-
-		return message;
+	async sendGroupMessage(
+		actor: ActorSubclass<_SERVICE>,
+		groupChatId: bigint,
+		message: UserMessage
+	): Promise<{ chatMessageId: bigint }> {
+		const result = await actor.send_group_message(message, groupChatId);
+		if ('Ok' in result) {
+			return { chatMessageId: result.Ok };
+		} else {
+			throw new Error(result.Err);
+		}
 	}
 
-	async checkKeyRotation(_chatId: string): Promise<boolean> {
-		await this.delay(200);
-		// Simulate some chats needing rotation
-		return _chatId === 'direct-2' || _chatId === 'group-2';
+	async getChatIdsAndCurrentNumbersOfMessages(
+		actor: ActorSubclass<_SERVICE>
+	): Promise<{ chatId: ChatId; numMessages: bigint }[]> {
+		const chatIds = await actor.get_my_chat_ids();
+		return chatIds.map(([chatId, numMessages]) => {
+			return { chatId, numMessages };
+		});
 	}
 
-	async rotateKeys(chatId: string): Promise<KeyRotationStatus> {
-		// TODO: Implement actual key rotation
-		if (chatId === 'direct-2') {
-			await this.delay(1000);
+	async getAccessibleVetKeyEpochMetadata(
+		actor: ActorSubclass<_SERVICE>,
+		chatId: ChatId
+	): Promise<VetKeyEpochMetadata> {
+		const metadata = await actor.get_latest_chat_vetkey_epoch_metadata(chatId);
+		if ('Ok' in metadata) {
+			return metadata.Ok;
+		} else {
+			throw new Error(metadata.Err);
 		}
-		await this.delay(1000);
-
-		return {
-			lastRotation: new Date(),
-			nextRotation: new Date(Date.now() + 1000 * 60 * 60 * 24), // 24 hours from now
-			isRotationNeeded: false,
-			currentEpoch: Math.floor(Math.random() * 50) + 1
-		};
 	}
 
-	async getRatchetStats(): Promise<RatchetStats> {
-		await this.delay(150);
-
+	async getRatchetStats(): Promise<SymmetricRatchetStats> {
 		return {
-			currentEpoch: Math.floor(Math.random() * 30) + 1,
-			messagesInCurrentEpoch: Math.floor(Math.random() * 50) + 1,
+			vetKeyEpoch: Math.floor(Math.random() * 30) + 1,
+			rotationDurationNs: Math.floor(Math.random() * 50) + 1,
 			lastRotation: new Date(Date.now() - 1000 * 60 * 60 * Math.random() * 24),
 			nextScheduledRotation: new Date(Date.now() + 1000 * 60 * 60 * Math.random() * 24)
 		};
@@ -316,12 +112,24 @@ export class ChatAPI {
 		removeUsers: string[],
 		allowHistoryForNew: boolean
 	): Promise<boolean> {
-		await this.delay(800);
 		console.log(
 			`Group ${chatId} updated: +${addUsers.length}, -${removeUsers.length}, history: ${allowHistoryForNew}`
 		);
 		return true;
 	}
+
+	async fetchEncryptedMessages(
+		actor: ActorSubclass<_SERVICE>,
+		chatId: ChatId,
+		startId: bigint,
+		limit: bigint | undefined
+	): Promise<EncryptedMessage[]> {
+		return await actor.get_some_messages_for_chat_starting_from(
+			chatId,
+			startId,
+			limit ? [Number(limit)] : []
+		);
+	}
 }
 
 export const chatAPI = new ChatAPI();
diff --git a/examples/encrypted_chat/frontend/src/lib/services/identity.ts b/examples/encrypted_chat/frontend/src/lib/services/identity.ts
deleted file mode 100644
index a57e994a..00000000
--- a/examples/encrypted_chat/frontend/src/lib/services/identity.ts
+++ /dev/null
@@ -1,83 +0,0 @@
-import { AuthClient } from '@dfinity/auth-client';
-import type { Identity } from '@dfinity/agent';
-import type { User } from '../types';
-
-// Identity service using @dfinity/agent
-export class IdentityService {
-	private authClient: AuthClient | null = null;
-	private currentUser: User | null = null;
-
-	async init(): Promise<void> {
-		this.authClient = await AuthClient.create();
-		await this.checkAuthentication();
-	}
-
-	async checkAuthentication(): Promise<boolean> {
-		if (!this.authClient) return false;
-
-		const isAuthenticated = await this.authClient.isAuthenticated();
-		if (isAuthenticated) {
-			const identity = this.authClient.getIdentity();
-			this.currentUser = await this.createUserFromIdentity(identity);
-			return true;
-		}
-		return false;
-	}
-
-	async login(): Promise<User | null> {
-		if (!this.authClient) return null;
-
-		return new Promise((resolve) => {
-			this.authClient!.login({
-				onSuccess: async () => {
-					const identity = this.authClient!.getIdentity();
-					this.currentUser = await this.createUserFromIdentity(identity);
-					resolve(this.currentUser);
-				},
-				onError: () => {
-					resolve(null);
-				}
-			});
-		});
-	}
-
-	async logout(): Promise<void> {
-		if (this.authClient) {
-			await this.authClient.logout();
-		}
-		this.currentUser = null;
-	}
-
-	getCurrentUser(): User | null {
-		return this.currentUser;
-	}
-
-	getIdentity(): Identity | null {
-		return this.authClient?.getIdentity() || null;
-	}
-
-	private async createUserFromIdentity(identity: Identity): Promise<User> {
-		// In a real implementation, you would extract user info from the identity
-		// For now, we'll create a dummy user with the principal as the ID
-		const principal = identity.getPrincipal();
-
-		return {
-			id: principal.toString(),
-			name: `User ${principal.toString().slice(0, 8)}...`,
-			avatar: '👤',
-			isOnline: true
-		};
-	}
-
-	// Dummy implementation for demo purposes
-	async getDummyCurrentUser(): Promise<User> {
-		return {
-			id: 'current-user',
-			name: 'You',
-			avatar: '👤',
-			isOnline: true
-		};
-	}
-}
-
-export const identityService = new IdentityService();
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
new file mode 100644
index 00000000..26c4802b
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
@@ -0,0 +1,100 @@
+import { AuthClient } from '@dfinity/auth-client';
+
+if (import.meta.env.SSR || typeof window === 'undefined') {
+	const {
+		indexedDB,
+		IDBKeyRange,
+		IDBRequest,
+		IDBDatabase,
+		IDBTransaction,
+		IDBCursor,
+		IDBIndex,
+		IDBObjectStore,
+		IDBOpenDBRequest
+	} = await import('fake-indexeddb');
+	globalThis.indexedDB = indexedDB;
+	globalThis.IDBKeyRange = IDBKeyRange;
+	globalThis.IDBDatabase = IDBDatabase;
+	globalThis.IDBTransaction = IDBTransaction;
+	globalThis.IDBRequest = IDBRequest;
+	globalThis.IDBCursor = IDBCursor;
+	globalThis.IDBIndex = IDBIndex;
+	globalThis.IDBObjectStore = IDBObjectStore;
+	globalThis.IDBOpenDBRequest = IDBOpenDBRequest;
+}
+
+export type AuthState =
+	| {
+			label: 'initializing-auth';
+	  }
+	| {
+			label: 'anonymous';
+			client: AuthClient;
+	  }
+	| {
+			label: 'initialized';
+			client: AuthClient;
+	  }
+	| {
+			label: 'error';
+			error: string;
+	  };
+
+export type AuthStateWrapper = {
+	state: AuthState;
+};
+
+export const auth = $state<AuthStateWrapper>({
+	state: { label: 'initializing-auth' }
+});
+
+async function initAuth() {
+	const client = await AuthClient.create();
+	if (await client.isAuthenticated()) {
+		auth.state = {
+			label: 'initialized',
+			client
+		};
+	} else {
+		auth.state = {
+			label: 'anonymous',
+			client
+		};
+	}
+}
+
+void initAuth();
+
+export async function login() {
+	if (auth.state.label === 'anonymous') {
+		const client = $state.snapshot(auth.state.client) as AuthClient;
+		await client.login({
+			maxTimeToLive: BigInt(8 * 3600) * BigInt(1_000_000_000), // 8 hours
+			identityProvider:
+				globalThis.process.env.DFX_NETWORK === 'ic'
+					? 'https://identity.ic0.app/#authorize'
+					: `http://rdmx6-jaaaa-aaaaa-aaadq-cai.localhost:8000/#authorize`,
+			onSuccess: async () => {
+				authenticate(client);
+			},
+			onError: (e) => console.error('Failed to authenticate with internet identity: ' + e)
+		});
+	}
+}
+
+function authenticate(client: AuthClient) {
+	auth.state = {
+		label: 'initialized',
+		client
+	};
+}
+
+export async function logout() {
+	if (auth.state.label === 'initialized') {
+		await auth.state.client.logout();
+		auth.state = {
+			label: 'anonymous',
+			client: auth.state.client
+		};
+	}
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
similarity index 55%
rename from examples/encrypted_chat/frontend/src/lib/stores/chat.ts
rename to examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index c44ca34f..4a95f2f5 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -1,62 +1,44 @@
-import { writable, derived, get } from 'svelte/store';
-import type { Chat, Message, User, UserConfig, Notification } from '../types';
+import type { Chat, Message, UserConfig, Notification } from '../types';
 import { chatAPI } from '../services/api';
 import { storageService } from '../services/storage';
-import { identityService } from '../services/identity';
-
-// Chat stores
-export const chats = writable<Chat[]>([]);
-export const selectedChatId = writable<string | null>(null);
-export const messages = writable<{ [chatId: string]: Message[] }>({});
-export const currentUser = writable<User | null>(null);
-export const userConfig = writable<UserConfig | null>(null);
-export const notifications = writable<Notification[]>([]);
-export const isLoading = writable(false);
-
-// Derived stores
-export const selectedChat = derived([chats, selectedChatId], ([$chats, $selectedChatId]) => {
-	if (!$selectedChatId) return null;
-	return $chats.find((chat) => chat.id === $selectedChatId) || null;
-});
-
-export const selectedChatMessages = derived(
-	[messages, selectedChatId],
-	([$messages, $selectedChatId]) => {
-		if (!$selectedChatId) return [];
-		return $messages[$selectedChatId] || [];
-	}
-);
-
-export const unreadMessageCount = derived(chats, ($chats) =>
-	$chats.reduce((total, chat) => total + chat.unreadCount, 0)
-);
+import { SvelteDate } from 'svelte/reactivity';
+import { auth } from '$lib/stores/auth.svelte';
+import { createActor } from '../../declarations/encrypted_chat';
+import { HttpAgent, type ActorSubclass } from '@dfinity/agent';
+import fetch from 'isomorphic-fetch';
+import type { _SERVICE , ChatId, EncryptedMessage, } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { SvelteMap } from 'svelte/reactivity';
+
+export const chats = $state<{ state: Chat[] }>({ state: [] });
+export const selectedChatId = $state<{ state: string | null }>({ state: null });
+export const userConfig = $state<{ state: UserConfig | null }>({ state: null });
+export const notifications = $state<{ state: Notification[] }>({ state: [] });
+export const isLoading = $state({ state: false });
+export const isBlocked = $state({ state: false });
+export const availableChats = $state({ state: [] });
+export const messages = new SvelteMap<[ChatId, bigint], EncryptedMessage>(); 
 
-// Chat actions
 export const chatActions = {
 	async initialize() {
-		isLoading.set(true);
+		isLoading.state = true;
 		try {
-			// Initialize identity service
-			await identityService.init();
-
 			// Load user config
 			let config = await storageService.getUserConfig();
 			if (!config) {
 				config = await storageService.getDefaultUserConfig();
 				await storageService.saveUserConfig(config);
 			}
-			userConfig.set(config);
-
-			// Set current user (dummy for now)
-			const user = await identityService.getDummyCurrentUser();
-			currentUser.set(user);
+			userConfig.state = config;
 
 			// Load chats from API
-			const chatList = await chatAPI.getChats();
-			chats.set(chatList);
+			const actor = await getActor();
+			if (actor) {
+				const chatList = await chatAPI.getChatIdsAndCurrentNumbersOfMessages(actor);
+				chats.state = chatList;
+			}
 
 			// Load messages for each chat from storage and merge with API data
-			const messageMap: { [chatId: string]: Message[] } = {};
+			const messageMap: Record<string, Message[]> = {};
 			for (const chat of chatList) {
 				// First load from storage
 				let chatMessages = await storageService.getMessages(chat.id);
@@ -72,12 +54,12 @@ export const chatActions = {
 
 				messageMap[chat.id] = chatMessages;
 			}
-			messages.set(messageMap);
+			messages.state = messageMap;
 
 			// Set up periodic cleanup
 			setInterval(() => {
 				chatActions.cleanupDisappearingMessages();
-			}, 60000); // Check every minute
+			}, 60000);
 		} catch (error) {
 			console.error('Failed to initialize chat:', error);
 			chatActions.addNotification({
@@ -87,16 +69,24 @@ export const chatActions = {
 				isDismissible: true
 			});
 		} finally {
-			isLoading.set(false);
+			isLoading.state = false;
+		}
+	},
+
+	async refreshChats() {
+		const actor = await getActor();
+		if (actor) {
+			const chats = await actor.get_my_chat_ids();
+			console.log('fetched ' + (await chats).length + ' chats');
 		}
 	},
 
 	selectChat(chatId: string) {
-		selectedChatId.set(chatId);
+		selectedChatId.state = chatId;
 
 		// Mark as read
-		chats.update(($chats) =>
-			$chats.map((chat) => (chat.id === chatId ? { ...chat, unreadCount: 0 } : chat))
+		chats.state = chats.state.map((chat) =>
+			chat.id === chatId ? { ...chat, unreadCount: 0 } : chat
 		);
 	},
 
@@ -104,10 +94,7 @@ export const chatActions = {
 		try {
 			const chatMessages = await chatAPI.getChatMessages(chatId);
 
-			messages.update(($messages) => ({
-				...$messages,
-				[chatId]: chatMessages
-			}));
+			messages.state = { ...messages.state, [chatId]: chatMessages };
 
 			// Save to storage
 			for (const message of chatMessages) {
@@ -140,20 +127,20 @@ export const chatActions = {
 				chatId,
 				content,
 				fileData ? 'file' : 'text',
-				fileData
+				fileData ? fileData.data : undefined
 			);
 
 			// Add to messages
-			messages.update(($messages) => ({
-				...$messages,
-				[chatId]: [...($messages[chatId] || []), message]
-			}));
+			messages.state = {
+				...messages.state,
+				[chatId]: [...(messages.state[chatId] || []), message]
+			};
 
 			// Update chat last activity
-			chats.update(($chats) =>
-				$chats.map((chat) =>
-					chat.id === chatId ? { ...chat, lastActivity: new Date(), lastMessage: message } : chat
-				)
+			chats.state = chats.state.map((chat) =>
+				chat.id === chatId
+					? { ...chat, lastActivity: new SvelteDate(), lastMessage: message }
+					: chat
 			);
 
 			// Save to storage
@@ -172,24 +159,22 @@ export const chatActions = {
 	async rotateKeys(chatId: string) {
 		try {
 			// Mark chat as updating
-			chats.update(($chats) =>
-				$chats.map((chat) => (chat.id === chatId ? { ...chat, isUpdating: true } : chat))
+			chats.state = chats.state.map((chat) =>
+				chat.id === chatId ? { ...chat, isUpdating: true } : chat
 			);
 
 			const newKeyStatus = await chatAPI.rotateKeys(chatId);
 
 			// Update chat with new key status
-			chats.update(($chats) =>
-				$chats.map((chat) =>
-					chat.id === chatId
-						? {
-								...chat,
-								isUpdating: false,
-								keyRotationStatus: newKeyStatus,
-								ratchetEpoch: newKeyStatus.currentEpoch
-							}
-						: chat
-				)
+			chats.state = chats.state.map((chat) =>
+				chat.id === chatId
+					? {
+							...chat,
+							isUpdating: false,
+							keyRotationStatus: newKeyStatus,
+							ratchetEpoch: newKeyStatus.currentEpoch
+						}
+					: chat
 			);
 
 			chatActions.addNotification({
@@ -203,8 +188,8 @@ export const chatActions = {
 			console.error('Failed to rotate keys:', error);
 
 			// Mark chat as not updating
-			chats.update(($chats) =>
-				$chats.map((chat) => (chat.id === chatId ? { ...chat, isUpdating: false } : chat))
+			chats.state = chats.state.map((chat) =>
+				chat.id === chatId ? { ...chat, isUpdating: false } : chat
 			);
 
 			chatActions.addNotification({
@@ -217,11 +202,10 @@ export const chatActions = {
 	},
 
 	async updateUserConfig(config: Partial<UserConfig>) {
-		const currentConfig = get(userConfig);
-		if (!currentConfig) return;
+		if (!userConfig.state) return;
 
-		const newConfig = { ...currentConfig, ...config };
-		userConfig.set(newConfig);
+		const newConfig = { ...userConfig.state, ...config };
+		userConfig.state = newConfig;
 		await storageService.saveUserConfig(newConfig);
 
 		// Trigger cache cleanup if retention days changed
@@ -233,8 +217,7 @@ export const chatActions = {
 	addNotification(notification: Omit<Notification, 'id'>) {
 		const id = `notification-${Date.now()}-${Math.random()}`;
 		const newNotification: Notification = { ...notification, id };
-
-		notifications.update(($notifications) => [...$notifications, newNotification]);
+		notifications.state = [...notifications.state, newNotification];
 
 		// Auto-dismiss if duration is set
 		if (notification.duration) {
@@ -245,13 +228,11 @@ export const chatActions = {
 	},
 
 	dismissNotification(id: string) {
-		notifications.update(($notifications) => $notifications.filter((n) => n.id !== id));
+		notifications.state = notifications.state.filter((n) => n.id !== id);
 	},
 
 	async cleanupDisappearingMessages() {
-		const $chats = get(chats);
-
-		for (const chat of $chats) {
+		for (const chat of chats.state) {
 			if (chat.disappearingMessagesDuration > 0) {
 				await storageService.cleanupOldMessages(chat.id, chat.disappearingMessagesDuration);
 			}
@@ -259,7 +240,24 @@ export const chatActions = {
 	}
 };
 
-// Initialize on module load
+async function getActor(): Promise<ActorSubclass<_SERVICE> | undefined> {
+	if (auth.state.label === 'initialized') {
+		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp-api.io' : 'http://127.0.0.1:8000';
+		const agent = HttpAgent.createSync({
+			identity: auth.state.client.getIdentity(),
+			fetch,
+			host
+		});
+		if (!process.env.CANISTER_ID_ENCRYPTED_CHAT) {
+			throw new Error('CANISTER_ID_ENCRYPTED_CHAT is not set');
+		}
+		return createActor(process.env.CANISTER_ID_ENCRYPTED_CHAT, { agent });
+	} else {
+		return undefined;
+	}
+}
+
+// Initialize on module load (browser only)
 if (typeof window !== 'undefined') {
-	chatActions.initialize();
+	void chatActions.initialize();
 }
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index 3a14abed..ce69f065 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -27,14 +27,14 @@ export interface Chat {
 	id: string;
 	name: string;
 	type: 'direct' | 'group';
-	participants: User[];
 	lastMessage?: Message;
 	lastActivity: Date;
 	isReady: boolean;
 	isUpdating: boolean;
 	disappearingMessagesDuration: number; // in days, 0 = never
-	keyRotationStatus: KeyRotationStatus;
-	ratchetEpoch: number;
+	keyRotationStatus: VetKeyRotationStatus;
+	vetKeyEpoch: number;
+	symmetricRatchetEpoch: number;
 	unreadCount: number;
 	avatar?: string;
 }
@@ -46,21 +46,19 @@ export interface DirectChat extends Chat {
 
 export interface GroupChat extends Chat {
 	type: 'group';
-	adminId: string;
-	canModify: boolean;
-	allowHistoryForNewMembers: boolean;
+	otherParticipants: User[];
 }
 
-export interface KeyRotationStatus {
+export interface VetKeyRotationStatus {
 	lastRotation: Date;
 	nextRotation: Date;
 	isRotationNeeded: boolean;
 	currentEpoch: number;
 }
 
-export interface RatchetStats {
-	currentEpoch: number;
-	messagesInCurrentEpoch: number;
+export interface SymmetricRatchetStats {
+	vetKeyEpoch: number;
+	rotationDurationNs: number;
 	lastRotation: Date;
 	nextScheduledRotation: Date;
 }
diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index 9586d374..1d2397ad 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -2,10 +2,12 @@
 	import { onMount } from 'svelte';
 	import ChatList from '$lib/components/ChatList.svelte';
 	import ChatInterface from '$lib/components/ChatInterface.svelte';
-	import { isLoading, selectedChatId } from '$lib/stores/chat';
+	import { isLoading, selectedChatId } from '$lib/stores/chat.svelte';
+	import Hero from '$lib/components/Hero.svelte';
+	import { auth } from '$lib/stores/auth.svelte';
 
-	let showMobileChatList = false;
-	let isMobile = false;
+	let isMobile = $state(false);
+	let showMobileChatList = $derived(isMobile && selectedChatId);
 
 	onMount(() => {
 		// Check if mobile
@@ -24,37 +26,58 @@
 	function handleMobileBackToChatList() {
 		showMobileChatList = true;
 	}
-
-	// Update mobile chat list visibility when chat is selected
-	$: if (isMobile && $selectedChatId) {
-		showMobileChatList = false;
-	}
 </script>
 
 <svelte:head>
-	<title>VetKeys Encrypted Chat</title>
+	<title>Encrypted Chat using vetKeys</title>
 	<meta name="description" content="Secure encrypted chat application using VetKeys" />
 </svelte:head>
 
-{#if $isLoading}
+{#if auth.state.label !== 'initialized'}
+	<Hero/>
+{:else if isLoading.state}
 	<!-- Loading state -->
-	<div class="loading-screen bg-gradient-to-br from-blue-50 to-indigo-100 dark:from-gray-900 dark:to-gray-800 flex h-full items-center justify-center">
-		<div class="text-center animate-fade-in">
-			<div class="mx-auto mb-6 h-16 w-16 animate-spin rounded-full border-4 border-blue-500 border-t-transparent shadow-lg"></div>
-			<h2 class="mb-3 text-xl font-bold bg-gradient-to-r from-blue-600 to-purple-600 bg-clip-text text-transparent">Loading VetKeys Chat</h2>
-			<p class="text-gray-600 dark:text-gray-400 font-medium">Initializing secure communication...</p>
+	<div
+		class="loading-screen flex h-full items-center justify-center bg-gradient-to-br from-blue-50 to-indigo-100 dark:from-gray-900 dark:to-gray-800"
+	>
+		<div class="animate-fade-in text-center">
+			<div
+				class="mx-auto mb-6 h-16 w-16 animate-spin rounded-full border-4 border-blue-500 border-t-transparent shadow-lg"
+			></div>
+			<h2
+				class="mb-3 bg-gradient-to-r from-blue-600 to-purple-600 bg-clip-text text-xl font-bold text-transparent"
+			>
+				Loading vetKeys Chat
+			</h2>
+			<p class="font-medium text-gray-600 dark:text-gray-400">
+				Initializing secure communication...
+			</p>
 			<div class="mt-4 flex justify-center space-x-1">
-				<div class="h-2 w-2 bg-blue-500 rounded-full animate-bounce"></div>
-				<div class="h-2 w-2 bg-blue-500 rounded-full animate-bounce" style="animation-delay: 0.1s"></div>
-				<div class="h-2 w-2 bg-blue-500 rounded-full animate-bounce" style="animation-delay: 0.2s"></div>
+				<div class="h-2 w-2 animate-bounce rounded-full bg-blue-500"></div>
+				<div
+					class="h-2 w-2 animate-bounce rounded-full bg-blue-500"
+					style="animation-delay: 0.1s"
+				></div>
+				<div
+					class="h-2 w-2 animate-bounce rounded-full bg-blue-500"
+					style="animation-delay: 0.2s"
+				></div>
 			</div>
 		</div>
 	</div>
 {:else}
 	<!-- Main chat interface -->
-	<div class="chat-container flex h-full bg-gradient-to-br from-gray-50 via-blue-50 to-indigo-50 dark:from-gray-900 dark:via-gray-800 dark:to-gray-900">
+	<div
+		class="chat-container flex h-full bg-gradient-to-br from-gray-50 via-blue-50 to-indigo-50 dark:from-gray-900 dark:via-gray-800 dark:to-gray-900"
+	>
 		<!-- Chat List Sidebar (Desktop) or Full Screen (Mobile) -->
-		<div class="chat-list-wrapper width-full {isMobile ? (showMobileChatList ? 'block' : 'hidden') : 'block'}">
+		<div
+			class="chat-list-wrapper width-full {isMobile
+				? showMobileChatList
+					? 'block'
+					: 'hidden'
+				: 'block'}"
+		>
 			<ChatList />
 		</div>
 
@@ -72,5 +95,5 @@
 {/if}
 
 <style lang="postcss">
-    @reference "tailwindcss";
-</style>
\ No newline at end of file
+	@reference "tailwindcss";
+</style>
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index 631c1e28..495bca5d 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -33,6 +33,7 @@ type UserMessage = record {
 type VetKeyEpochMetadata = record {
   symmetric_key_rotation_duration : nat64;
   participants : vec principal;
+  messages_start_with_id : nat64;
   creation_timestamp : nat64;
   epoch_id : nat64;
 };
@@ -54,7 +55,7 @@ service : (text) -> {
   derive_chat_vetkey : (ChatId, opt nat64, blob) -> (Result_2);
   get_encrypted_vetkey_for_my_cache_storage : (blob) -> (blob);
   get_latest_chat_vetkey_epoch_metadata : (ChatId) -> (Result_3) query;
-  get_my_chat_ids : () -> (vec ChatId) query;
+  get_my_chat_ids : () -> (vec record { ChatId; nat64 }) query;
   get_my_reshared_ibe_encrypted_vetkey : (ChatId, nat64) -> (Result_4);
   get_my_symmetric_key_cache : (ChatId, nat64) -> (Result_4);
   // Returns messages for a chat starting from a given message id.
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 91cc9ebd..beca14f7 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -137,6 +137,7 @@ fn create_direct_chat(
             participants: vec![caller, receiver],
             creation_timestamp: now,
             symmetric_key_rotation_duration,
+            messages_start_with_id: ChatMessageId(0),
         };
         metadata.insert((chat_id, now), vetkey_epoch_metadata.clone())
     });
@@ -218,6 +219,7 @@ fn create_group_chat(
             participants: participants.clone(),
             creation_timestamp: now,
             symmetric_key_rotation_duration,
+            messages_start_with_id: ChatMessageId(0),
         };
         metadata.insert((chat_id, now), vetkey_epoch_metadata.clone())
     });
@@ -326,11 +328,16 @@ fn rotate_chat_vetkey(chat_id: ChatId) -> Result<VetKeyEpochId, String> {
         latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
 
+    let messages_start_with_id = CHAT_TO_MESSAGE_COUNTERS.with_borrow(|counters| {
+        counters.get(&chat_id).expect("bug: uninitialized chat message counter")
+    });
+
     let new_vetkey_epoch_id = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
         let new_vetkey_epoch_id = VetKeyEpochId(latest_epoch_metadata.epoch_id.0 + 1);
         let new_vetkey_epoch_metadata = VetKeyEpochMetadata {
             epoch_id: new_vetkey_epoch_id,
             creation_timestamp: now,
+            messages_start_with_id,
             ..latest_epoch_metadata
         };
 
@@ -473,13 +480,15 @@ fn send_group_message(
 }
 
 #[ic_cdk::query]
-fn get_my_chat_ids() -> Vec<ChatId> {
+fn get_my_chat_ids() -> Vec<(ChatId, ChatMessageId)> {
     let caller = ic_cdk::api::msg_caller();
     USER_TO_CHAT_MAP.with_borrow(|map| {
+        CHAT_TO_MESSAGE_COUNTERS.with_borrow(|counters| {
         map.keys_range((caller, ChatId::MIN_VALUE, VetKeyEpochId(0))..)
             .take_while(|(user, _, _)| user == &caller)
-            .map(|(_, chat_id, _)| chat_id)
-            .collect()
+                    .map(|(_, chat_id, _)| (chat_id, ChatMessageId(counters.get(&chat_id).expect("bug: uninitialized chat message counter").0)))
+                .collect()
+        })
     })
 }
 
@@ -817,6 +826,10 @@ fn modify_group_chat_participants(
         .retain(|participant| !group_modification.remove_participants.contains(participant));
     new_participants.sort();
 
+    let messages_start_with_id = CHAT_TO_MESSAGE_COUNTERS.with_borrow(|counters| {
+        counters.get(&chat_id).expect("bug: uninitialized chat message counter")
+    });
+
     let new_vetkey_epoch_id = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
         let new_vetkey_epoch_id = VetKeyEpochId(latest_epoch_metadata.epoch_id.0 + 1);
         let new_vetkey_epoch_metadata = VetKeyEpochMetadata {
@@ -824,6 +837,7 @@ fn modify_group_chat_participants(
             creation_timestamp: now,
             participants: new_participants,
             symmetric_key_rotation_duration: latest_epoch_metadata.symmetric_key_rotation_duration,
+            messages_start_with_id,
         };
 
         for participant in new_vetkey_epoch_metadata.participants.iter().copied() {
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index 573e2eb1..ae7799b5 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -206,6 +206,7 @@ pub struct VetKeyEpochMetadata {
     pub participants: Vec<Principal>,
     pub creation_timestamp: Time,
     pub symmetric_key_rotation_duration: Time,
+    pub messages_start_with_id: ChatMessageId,
 }
 
 storable_unbounded!(VetKeyEpochMetadata);
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index bd9b6c21..e3df0825 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -22,7 +22,11 @@ fn can_create_chat() {
 
     for p in [env.principal_0, env.principal_1] {
         assert_eq!(
-            env.query::<Vec<ChatId>>(p, "get_my_chat_ids", encode_args(()).unwrap()),
+            env.query::<Vec<(ChatId, ChatMessageId)>>(
+                p,
+                "get_my_chat_ids",
+                encode_args(()).unwrap()
+            ),
             vec![]
         );
     }
@@ -34,12 +38,16 @@ fn can_create_chat() {
     )
     .unwrap();
 
-    let chat_ids: Vec<ChatId> =
+    let chat_ids: Vec<(ChatId, ChatMessageId)> =
         env.query(env.principal_0, "get_my_chat_ids", encode_args(()).unwrap());
-    assert_eq!(chat_ids, vec![p0_self_chat_id]);
+    assert_eq!(chat_ids, vec![(p0_self_chat_id, ChatMessageId(0))]);
 
     assert_eq!(
-        env.query::<Vec<ChatId>>(env.principal_1, "get_my_chat_ids", encode_args(()).unwrap()),
+        env.query::<Vec<(ChatId, ChatMessageId)>>(
+            env.principal_1,
+            "get_my_chat_ids",
+            encode_args(()).unwrap()
+        ),
         vec![]
     );
 
@@ -51,15 +59,18 @@ fn can_create_chat() {
     .unwrap();
 
     assert_eq!(
-        env.query::<Vec<ChatId>>(env.principal_1, "get_my_chat_ids", encode_args(()).unwrap()),
-        vec![p0_p1_chat_id]
+        env.query::<Vec<(ChatId, ChatMessageId)>>(
+            env.principal_1,
+            "get_my_chat_ids",
+            encode_args(()).unwrap()
+        ),
+        vec![(p0_p1_chat_id, ChatMessageId(0))]
     );
 
-    let chat_ids: Vec<ChatId> =
+    let chat_ids: Vec<(ChatId, ChatMessageId)> =
         env.query(env.principal_0, "get_my_chat_ids", encode_args(()).unwrap());
-    for chat_id in vec![p0_self_chat_id, p0_p1_chat_id] {
-        assert!(chat_ids.contains(&chat_id));
-    }
+    assert!(chat_ids.contains(&(p0_self_chat_id, ChatMessageId(0))));
+    assert!(chat_ids.contains(&(p0_p1_chat_id, ChatMessageId(0))));
     assert_eq!(chat_ids.len(), 2);
 }
 
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index a8347821..b167eecd 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -1147,6 +1147,7 @@ fn modify_chat_participants() {
                 participants: sorted_principals(vec![principal_0, principal_1]),
                 creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
                 symmetric_key_rotation_duration,
+                messages_start_with_id: ChatMessageId(0),
             }
         );
     }
@@ -1186,6 +1187,7 @@ fn modify_chat_participants() {
                 ]),
                 creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
                 symmetric_key_rotation_duration,
+                messages_start_with_id: ChatMessageId(0),
             }
         );
     }
@@ -1220,6 +1222,7 @@ fn modify_chat_participants() {
                 participants: sorted_principals(vec![principal_0, principal_3]),
                 creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
                 symmetric_key_rotation_duration,
+                messages_start_with_id: ChatMessageId(0),
             }
         );
     }
@@ -1254,6 +1257,7 @@ fn modify_chat_participants() {
                 participants: sorted_principals(vec![principal_0, principal_1, principal_2]),
                 creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
                 symmetric_key_rotation_duration,
+                messages_start_with_id: ChatMessageId(0),
             }
         );
     }

From 8666fe8339b07e5f9f742560f8fe6c881035a696 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Fri, 8 Aug 2025 20:20:07 +0200
Subject: [PATCH 21/62] some more wip

---
 .../src/lib/components/ChatList.svelte        |  21 +-
 .../src/lib/components/ui/Button.svelte       |  20 +-
 .../src/lib/components/ui/Card.svelte         |  20 +-
 .../frontend/src/lib/services/api.ts          |  19 +-
 .../frontend/src/lib/stores/chat.svelte.ts    | 334 ++++++++++++++----
 .../frontend/src/lib/types/index.ts           |  13 +-
 .../frontend/src/routes/+page.svelte          |  14 +-
 7 files changed, 344 insertions(+), 97 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index f04bfcc4..137df3be 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -1,14 +1,18 @@
 <script lang="ts">
-	import { chats, selectedChatId, chatActions } from '../stores/chat.svelte';
+    import { chats, selectedChatId, chatActions } from '../stores/chat.svelte';
 	import { auth } from '$lib/stores/auth.svelte';
 	import ChatListItem from './ChatListItem.svelte';
 	import UserProfile from './UserProfile.svelte';
+    import Button from './ui/Button.svelte';
+    import NewChatModal from './NewChatModal.svelte';
 
-	$effect(() => {
-		if (selectedChatId.$) {
-			chatActions.loadChatMessages(selectedChatId.state);
-		}
-	});
+    $effect(() => {
+        if (selectedChatId.state) {
+            chatActions.loadChatMessages(selectedChatId.state);
+        }
+    });
+
+    let showNewChat = $state(false);
 </script>
 
 <div class="chat-list glass-effect flex h-full flex-col border-r border-white/20 backdrop-blur-xl">
@@ -25,6 +29,9 @@
 		<p class="mt-1 text-sm font-medium text-gray-500 dark:text-gray-400">
 			{chats.state.length} conversation{chats.state.length !== 1 ? 's' : ''}
 		</p>
+    <div class="mt-3 flex gap-2">
+      <Button size="sm" variant="filled" onclick={() => (showNewChat = true)}>New Chat</Button>
+    </div>
 	</div>
 
 	<!-- Chat List -->
@@ -44,6 +51,8 @@
 	</div>
 </div>
 
+<NewChatModal bind:show={showNewChat} />
+
 <style>
 	.chat-list {
 		width: 320px;
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
index 4e00a324..ce11b509 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
@@ -16,27 +16,33 @@
 	export { className as class };
 
 	// Define variant classes using Skeleton v3's design tokens
-	const variantClasses = {
+    const variantClasses = {
 		filled: 'variant-filled-primary',
 		outline: 'variant-outline-primary',
 		ghost: 'variant-ghost-primary',
 		gradient:
 			'bg-gradient-to-r from-primary-500 to-secondary-500 text-on-primary-token hover:from-primary-600 hover:to-secondary-600'
-	};
+    } as const;
 
-	const sizeClasses = {
+    const sizeClasses = {
 		sm: 'btn-sm',
 		md: 'btn-md',
 		lg: 'btn-lg'
-	};
+    } as const;
 
-	let classes = $derived(
-		['btn', variantClasses[variant], sizeClasses[size], 'transition-all duration-200', className]
+    let classes = $derived(
+        [
+            'btn',
+            variantClasses[variant as keyof typeof variantClasses],
+            sizeClasses[size as keyof typeof sizeClasses],
+            'transition-all duration-200',
+            className
+        ]
 			.filter(Boolean)
 			.join(' ')
 	);
 </script>
 
-<button class={classes} {disabled} {type} {...rest} {onclick}>
+<button class={classes} {disabled} type={type as 'button' | 'submit' | 'reset' | undefined} {...rest} {onclick}>
 	{@render children?.()}
 </button>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
index 43cb26dc..7d99c437 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
@@ -5,22 +5,28 @@
 	let { variant = 'filled', padding = 'md', children, className = '', ...rest } = $props();
 	export { className as class };
 
-	const variantClasses = {
+    const variantClasses = {
 		filled: 'card',
 		glass: 'card variant-glass',
 		outlined: 'card variant-outline'
-	};
+    } as const;
 
-	const paddingClasses = {
+    const paddingClasses = {
 		none: '',
 		sm: 'p-4',
 		md: 'p-6',
 		lg: 'p-8'
-	};
+    } as const;
 
-	let classes = $derived(
-		[variantClasses[variant], paddingClasses[padding], className].filter(Boolean).join(' ')
-	);
+    let classes = $derived(
+        [
+            variantClasses[variant as keyof typeof variantClasses],
+            paddingClasses[padding as keyof typeof paddingClasses],
+            className
+        ]
+            .filter(Boolean)
+            .join(' ')
+    );
 </script>
 
 <div class={classes} {...rest}>
diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/api.ts
index d74bd780..59c8c0ba 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/api.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/api.ts
@@ -97,14 +97,17 @@ export class ChatAPI {
 		}
 	}
 
-	async getRatchetStats(): Promise<SymmetricRatchetStats> {
-		return {
-			vetKeyEpoch: Math.floor(Math.random() * 30) + 1,
-			rotationDurationNs: Math.floor(Math.random() * 50) + 1,
-			lastRotation: new Date(Date.now() - 1000 * 60 * 60 * Math.random() * 24),
-			nextScheduledRotation: new Date(Date.now() + 1000 * 60 * 60 * Math.random() * 24)
-		};
-	}
+  async getRatchetStats(): Promise<SymmetricRatchetStats> {
+    const now = Date.now();
+    const last = new Date(now - 1000 * 60 * 60 * Math.random() * 24);
+    const next = new Date(now + 1000 * 60 * 60 * Math.random() * 24);
+    return {
+      currentEpoch: Math.floor(Math.random() * 30) + 1,
+      messagesInCurrentEpoch: Math.floor(Math.random() * 200),
+      lastRotation: last,
+      nextScheduledRotation: next
+    };
+  }
 
 	async updateGroupMembers(
 		chatId: string,
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 4a95f2f5..83d2a1d6 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -1,4 +1,4 @@
-import type { Chat, Message, UserConfig, Notification } from '../types';
+import type { Chat, Message, UserConfig, Notification, SymmetricRatchetStats } from '../types';
 import { chatAPI } from '../services/api';
 import { storageService } from '../services/storage';
 import { SvelteDate } from 'svelte/reactivity';
@@ -6,7 +6,13 @@ import { auth } from '$lib/stores/auth.svelte';
 import { createActor } from '../../declarations/encrypted_chat';
 import { HttpAgent, type ActorSubclass } from '@dfinity/agent';
 import fetch from 'isomorphic-fetch';
-import type { _SERVICE , ChatId, EncryptedMessage, } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import type {
+	_SERVICE,
+	ChatId,
+	EncryptedMessage,
+	VetKeyEpochMetadata
+} from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { Principal } from '@dfinity/principal';
 import { SvelteMap } from 'svelte/reactivity';
 
 export const chats = $state<{ state: Chat[] }>({ state: [] });
@@ -16,11 +22,15 @@ export const notifications = $state<{ state: Notification[] }>({ state: [] });
 export const isLoading = $state({ state: false });
 export const isBlocked = $state({ state: false });
 export const availableChats = $state({ state: [] });
-export const messages = new SvelteMap<[ChatId, bigint], EncryptedMessage>(); 
+export const messages = $state<{ state: Record<string, Message[]> }>({ state: {} });
+
+// Keep a mapping from string chat id to the actor ChatId
+const chatIdStringToVetKeyEpochMetadata = new SvelteMap<ChatId, VetKeyEpochMetadata>();
 
 export const chatActions = {
 	async initialize() {
 		isLoading.state = true;
+
 		try {
 			// Load user config
 			let config = await storageService.getUserConfig();
@@ -30,31 +40,7 @@ export const chatActions = {
 			}
 			userConfig.state = config;
 
-			// Load chats from API
-			const actor = await getActor();
-			if (actor) {
-				const chatList = await chatAPI.getChatIdsAndCurrentNumbersOfMessages(actor);
-				chats.state = chatList;
-			}
-
-			// Load messages for each chat from storage and merge with API data
-			const messageMap: Record<string, Message[]> = {};
-			for (const chat of chatList) {
-				// First load from storage
-				let chatMessages = await storageService.getMessages(chat.id);
-
-				// If no stored messages, load from API
-				if (chatMessages.length === 0) {
-					chatMessages = await chatAPI.getChatMessages(chat.id);
-					// Save to storage
-					for (const message of chatMessages) {
-						await storageService.saveMessage(message);
-					}
-				}
-
-				messageMap[chat.id] = chatMessages;
-			}
-			messages.state = messageMap;
+			await this.refreshChats();
 
 			// Set up periodic cleanup
 			setInterval(() => {
@@ -76,8 +62,78 @@ export const chatActions = {
 	async refreshChats() {
 		const actor = await getActor();
 		if (actor) {
-			const chats = await actor.get_my_chat_ids();
-			console.log('fetched ' + (await chats).length + ' chats');
+			const chatIds = await actor.get_my_chat_ids();
+			console.log('fetched ' + (await chatIds).length + ' chats');
+			for (const [chatId] of chatIds) {
+				if (!chatIdStringToVetKeyEpochMetadata.has(chatId)) {
+					const result = await actor.get_latest_chat_vetkey_epoch_metadata(chatId);
+					if ('Ok' in result) {
+						chatIdStringToVetKeyEpochMetadata.set(chatId, result.Ok);
+					} else {
+						console.error('Failed to get vetkey epoch metadata:', result.Err);
+					}
+				}
+			}
+
+			for (const [chatId, meta] of chatIdStringToVetKeyEpochMetadata.entries()) {
+				const chatIdStr = chatIdToString(chatId);
+
+				const participants = meta?.participants;
+				if (!participants) {
+					console.error('Failed to get participants for chat:', chatId);
+					continue;
+				}
+				const isGroup = 'Group' in chatId;
+				if (auth.state.label !== 'initialized') {
+					throw new Error('Unexpectedly not authenticated');
+				}
+				const myPrincipalText = auth.state.client.getIdentity().getPrincipal().toText();
+				const name = isGroup
+					? `Group: ${shortenId(String(meta?.epoch_id ?? 0n))}`
+					: `Direct: ${participants.find((p) => p.toString() !== myPrincipalText)?.toString()}`;
+				const now = new SvelteDate();
+
+				const chat: Chat = {
+					id: chatIdStr,
+					name,
+					type: isGroup ? 'group' : 'direct',
+					participants: participants.map((p) => ({
+						id: p.toText(),
+						name: myPrincipalText === p.toText() ? 'Note to Self' : 'Principal: ' + p.toText(),
+						avatar: '👤',
+						isOnline: true
+					})),
+					lastMessage: undefined,
+					lastActivity: now,
+					isReady: true,
+					isUpdating: false,
+					disappearingMessagesDuration: 0,
+					keyRotationStatus: buildDummyRotationStatus(),
+					vetKeyEpoch: Number(meta?.epoch_id ?? 0n),
+					symmetricRatchetEpoch: 0,
+					ratchetEpoch: 0,
+					unreadCount: 0,
+					avatar: isGroup ? '👥' : '👤'
+				};
+
+				if (!chats.state.find((c) => c.id === chatIdStr)) {
+					chats.state.push(chat);
+				} else if (
+					chats.state.find(
+						(c) => c.id === chatIdStr && c.vetKeyEpoch !== Number(meta?.epoch_id ?? 0n)
+					)
+				) {
+					const pos = chats.state.findIndex(
+						(c) => c.id === chatIdStr && c.vetKeyEpoch !== Number(meta?.epoch_id ?? 0n)
+					);
+					chats.state[pos] = chat;
+				} else {
+					continue;
+				}
+
+				// Initialize empty messages cache; we lazy-load on demand
+				if (!messages.state[chatIdStr]) messages.state[chatIdStr] = [];
+			}
 		}
 	},
 
@@ -90,16 +146,17 @@ export const chatActions = {
 		);
 	},
 
-	async loadChatMessages(chatId: string) {
+	async loadChatMessages(chatId: ChatId) {
 		try {
-			const chatMessages = await chatAPI.getChatMessages(chatId);
-
-			messages.state = { ...messages.state, [chatId]: chatMessages };
-
-			// Save to storage
-			for (const message of chatMessages) {
-				await storageService.saveMessage(message);
-			}
+			const actor = await getActor();
+			if (!actor) return;
+			const meta = chatIdStringToVetKeyEpochMetadata.get(chatId);
+			if (!meta) return;
+			const startId = meta.messages_start_with_id;
+			const enc = await chatAPI.fetchEncryptedMessages(actor, chatId, startId, undefined);
+			const mapped: Message[] = enc.map((m) => toUiMessage(chatIdToString(chatId), m));
+			messages.state = { ...messages.state, [chatIdToString(chatId)]: mapped };
+			for (const m of mapped) await storageService.saveMessage(m);
 		} catch (error) {
 			console.error('Failed to load messages:', error);
 			chatActions.addNotification({
@@ -112,39 +169,36 @@ export const chatActions = {
 	},
 
 	async sendMessage(
-		chatId: string,
+		chatIdStr: string,
 		content: string,
 		fileData?: { name: string; size: number; type: string; data: ArrayBuffer }
 	) {
 		try {
-			// Check if key rotation is needed
-			const needsRotation = await chatAPI.checkKeyRotation(chatId);
-			if (needsRotation) {
-				await chatActions.rotateKeys(chatId);
-			}
-
-			const message = await chatAPI.sendMessage(
-				chatId,
-				content,
-				fileData ? 'file' : 'text',
-				fileData ? fileData.data : undefined
-			);
-
-			// Add to messages
+			const newMessage: Message = {
+				id: `${Date.now()}`,
+				chatId: chatIdStr,
+				senderId: 'current-user',
+				content: content,
+				timestamp: new SvelteDate(),
+				type: fileData ? 'file' : 'text',
+				fileData,
+				isEncrypted: false,
+				ratchetEpoch: 0
+			};
 			messages.state = {
 				...messages.state,
-				[chatId]: [...(messages.state[chatId] || []), message]
+				[chatIdStr]: [...(messages.state[chatIdStr] || []), newMessage]
 			};
 
 			// Update chat last activity
 			chats.state = chats.state.map((chat) =>
-				chat.id === chatId
-					? { ...chat, lastActivity: new SvelteDate(), lastMessage: message }
+				chat.id === chatIdStr
+					? { ...chat, lastActivity: new SvelteDate(), lastMessage: newMessage }
 					: chat
 			);
 
 			// Save to storage
-			await storageService.saveMessage(message);
+			await storageService.saveMessage(newMessage);
 		} catch (error) {
 			console.error('Failed to send message:', error);
 			chatActions.addNotification({
@@ -163,16 +217,21 @@ export const chatActions = {
 				chat.id === chatId ? { ...chat, isUpdating: true } : chat
 			);
 
-			const newKeyStatus = await chatAPI.rotateKeys(chatId);
+			const stats: SymmetricRatchetStats = await chatAPI.getRatchetStats();
 
-			// Update chat with new key status
+			// Update chat with new key status (dummy update)
 			chats.state = chats.state.map((chat) =>
 				chat.id === chatId
 					? {
 							...chat,
 							isUpdating: false,
-							keyRotationStatus: newKeyStatus,
-							ratchetEpoch: newKeyStatus.currentEpoch
+							keyRotationStatus: {
+								lastRotation: stats.lastRotation,
+								nextRotation: stats.nextScheduledRotation,
+								isRotationNeeded: false,
+								currentEpoch: stats.currentEpoch
+							},
+							ratchetEpoch: stats.currentEpoch
 						}
 					: chat
 			);
@@ -237,12 +296,84 @@ export const chatActions = {
 				await storageService.cleanupOldMessages(chat.id, chat.disappearingMessagesDuration);
 			}
 		}
+	},
+
+	async createDirectChat(
+		receiverPrincipalText: string,
+		rotationMinutes: number,
+		expirationMinutes: number
+	) {
+		try {
+			const actor = await getActor();
+			if (!actor) throw new Error('Not authenticated');
+			const receiver = Principal.fromText(receiverPrincipalText.trim());
+			await chatAPI.createDirectChat(
+				actor,
+				receiver,
+				BigInt(Math.max(0, Math.trunc(rotationMinutes))),
+				BigInt(Math.max(0, Math.trunc(expirationMinutes)))
+			);
+			chatActions.addNotification({
+				type: 'success',
+				title: 'Chat Created',
+				message: 'Direct chat created successfully.',
+				isDismissible: true,
+				duration: 3000
+			});
+			await chatActions.refreshChats();
+		} catch (error) {
+			console.error('Failed to create direct chat:', error);
+			chatActions.addNotification({
+				type: 'error',
+				title: 'Create Chat Failed',
+				message: 'Failed to create direct chat. Check the Principal and try again.',
+				isDismissible: true
+			});
+		}
+	},
+
+	async createGroupChat(
+		participantPrincipalTexts: string[],
+		rotationMinutes: number,
+		expirationMinutes: number
+	) {
+		try {
+			const actor = await getActor();
+			if (!actor) throw new Error('Not authenticated');
+			const { Principal } = await import('@dfinity/principal');
+			const participants = participantPrincipalTexts
+				.map((t) => t.trim())
+				.filter(Boolean)
+				.map((t) => Principal.fromText(t));
+			const meta = await chatAPI.createGroupChat(
+				actor,
+				participants,
+				BigInt(Math.max(0, Math.trunc(rotationMinutes))),
+				BigInt(Math.max(0, Math.trunc(expirationMinutes)))
+			);
+			chatActions.addNotification({
+				type: 'success',
+				title: 'Group Created',
+				message: `Group chat #${meta.chat_id.toString()} created successfully.`,
+				isDismissible: true,
+				duration: 3000
+			});
+			await chatActions.refreshChats();
+		} catch (error) {
+			console.error('Failed to create group chat:', error);
+			chatActions.addNotification({
+				type: 'error',
+				title: 'Create Group Failed',
+				message: 'Failed to create group chat. Check the Principals and try again.',
+				isDismissible: true
+			});
+		}
 	}
 };
 
 async function getActor(): Promise<ActorSubclass<_SERVICE> | undefined> {
 	if (auth.state.label === 'initialized') {
-		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp-api.io' : 'http://127.0.0.1:8000';
+		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp-api.io' : 'http://localhost:8000';
 		const agent = HttpAgent.createSync({
 			identity: auth.state.client.getIdentity(),
 			fetch,
@@ -257,6 +388,83 @@ async function getActor(): Promise<ActorSubclass<_SERVICE> | undefined> {
 	}
 }
 
+function chatIdToString(chatId: ChatId): string {
+	if ('Group' in chatId) return `group-${chatId.Group.toString()}`;
+	const [a, b] = chatId.Direct;
+	return `direct-${a.toString()}-${b.toString()}`;
+}
+
+function shortenId(id: string): string {
+	return id.length > 8 ? `${id.slice(0, 6)}…${id.slice(-2)}` : id;
+}
+
+function buildDummyParticipants(principals: readonly Principal[] | undefined) {
+	const currentPrincipal =
+		auth.state.label === 'initialized'
+			? auth.state.client.getIdentity().getPrincipal().toString()
+			: undefined;
+	const defaultOther = {
+		id: 'other-user',
+		name: 'Friend',
+		avatar: '🧑',
+		isOnline: true
+	};
+	if (!principals || principals.length === 0) {
+		return [{ id: 'current-user', name: 'You', avatar: '👤', isOnline: true }, defaultOther];
+	}
+	return principals.map((p, idx) => {
+		const pid = p.toString();
+		const isSelf = currentPrincipal && pid === currentPrincipal;
+		return {
+			id: isSelf ? 'current-user' : pid,
+			name: isSelf ? 'You' : `User ${idx + 1}`,
+			avatar: isSelf ? '👤' : ['🧑', '👩', '👨', '🧔', '🧕'][idx % 5],
+			isOnline: isSelf ? true : Math.random() > 0.3
+		};
+	});
+}
+
+function buildDummyRotationStatus() {
+	return {
+		lastRotation: new SvelteDate(1000000000000000),
+		nextRotation: new SvelteDate(2000000000000000),
+		isRotationNeeded: false,
+		currentEpoch: 0
+	};
+}
+
+function toUiMessage(chatIdStr: string, m: EncryptedMessage): Message {
+	const senderPrincipal = (m.metadata.sender as unknown as Principal).toString?.() ?? 'unknown';
+	const currentPrincipal =
+		auth.state.label === 'initialized'
+			? auth.state.client.getIdentity().getPrincipal().toString()
+			: undefined;
+	const senderId =
+		currentPrincipal && senderPrincipal === currentPrincipal ? 'current-user' : senderPrincipal;
+	return {
+		id: m.metadata.chat_message_id.toString(),
+		chatId: chatIdStr,
+		senderId,
+		content: `[encrypted ${m.content.length} bytes]`,
+		timestamp: new SvelteDate(Number(m.metadata.timestamp / BigInt(1_000_000))),
+		type: 'text',
+		isEncrypted: true,
+		ratchetEpoch: Number(m.metadata.symmetric_key_epoch)
+	};
+}
+
+async function safeGetEpochMetadata(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId
+): Promise<VetKeyEpochMetadata | undefined> {
+	try {
+		const res = await chatAPI.getAccessibleVetKeyEpochMetadata(actor, chatId);
+		return res;
+	} catch {
+		return undefined;
+	}
+}
+
 // Initialize on module load (browser only)
 if (typeof window !== 'undefined') {
 	void chatActions.initialize();
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index ce69f065..d684e020 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -27,6 +27,8 @@ export interface Chat {
 	id: string;
 	name: string;
 	type: 'direct' | 'group';
+  // Participants are required by UI components like ChatHeader/ChatListItem
+  participants: User[];
 	lastMessage?: Message;
 	lastActivity: Date;
 	isReady: boolean;
@@ -35,6 +37,8 @@ export interface Chat {
 	keyRotationStatus: VetKeyRotationStatus;
 	vetKeyEpoch: number;
 	symmetricRatchetEpoch: number;
+  // Some components read ratchetEpoch directly
+  ratchetEpoch: number;
 	unreadCount: number;
 	avatar?: string;
 }
@@ -47,6 +51,7 @@ export interface DirectChat extends Chat {
 export interface GroupChat extends Chat {
 	type: 'group';
 	otherParticipants: User[];
+  adminId?: string;
 }
 
 export interface VetKeyRotationStatus {
@@ -57,10 +62,10 @@ export interface VetKeyRotationStatus {
 }
 
 export interface SymmetricRatchetStats {
-	vetKeyEpoch: number;
-	rotationDurationNs: number;
-	lastRotation: Date;
-	nextScheduledRotation: Date;
+  currentEpoch: number;
+  messagesInCurrentEpoch: number;
+  lastRotation: Date;
+  nextScheduledRotation: Date;
 }
 
 export interface UserConfig {
diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index 1d2397ad..f154b810 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -2,7 +2,7 @@
 	import { onMount } from 'svelte';
 	import ChatList from '$lib/components/ChatList.svelte';
 	import ChatInterface from '$lib/components/ChatInterface.svelte';
-	import { isLoading, selectedChatId } from '$lib/stores/chat.svelte';
+	import { isLoading, selectedChatId, chatActions } from '$lib/stores/chat.svelte';
 	import Hero from '$lib/components/Hero.svelte';
 	import { auth } from '$lib/stores/auth.svelte';
 
@@ -23,6 +23,16 @@
 		};
 	});
 
+	onMount(() => {
+		const interval = setInterval(async () => {
+			if (auth.state.label === 'initialized') {
+			    await chatActions.refreshChats();
+			}
+		}, 1000);
+
+		return () => clearInterval(interval);
+	});
+
 	function handleMobileBackToChatList() {
 		showMobileChatList = true;
 	}
@@ -34,7 +44,7 @@
 </svelte:head>
 
 {#if auth.state.label !== 'initialized'}
-	<Hero/>
+	<Hero />
 {:else if isLoading.state}
 	<!-- Loading state -->
 	<div

From 26c8ba1c1732f632d90816e4b82f7d11c7b5c3b3 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Fri, 8 Aug 2025 20:20:30 +0200
Subject: [PATCH 22/62] add file

---
 .../src/lib/components/NewChatModal.svelte    | 110 ++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte

diff --git a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
new file mode 100644
index 00000000..a6fa958d
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
@@ -0,0 +1,110 @@
+<script lang="ts">
+  import { X, Plus, Users, User } from 'lucide-svelte';
+  import Card from './ui/Card.svelte';
+  import Button from './ui/Button.svelte';
+  import { chatActions } from '$lib/stores/chat.svelte';
+
+  /** @type {{ show: boolean }} */
+  let { show = $bindable(false) } = $props();
+
+  let tab: 'direct' | 'group' = $state('direct');
+
+  // Direct chat form
+  let directPrincipal = $state('');
+  let directRotationMinutes = $state(60);
+  let directExpirationMinutes = $state(0);
+
+  // Group chat form
+  let groupPrincipalsText = $state('');
+  let groupRotationMinutes = $state(60);
+  let groupExpirationMinutes = $state(0);
+
+  function close() {
+    show = false;
+  }
+
+  async function createDirect() {
+    await chatActions.createDirectChat(directPrincipal, directRotationMinutes, directExpirationMinutes);
+    close();
+  }
+
+  async function createGroup() {
+    const principals = groupPrincipalsText.split(/[\s,]+/).filter(Boolean);
+    await chatActions.createGroupChat(principals, groupRotationMinutes, groupExpirationMinutes);
+    close();
+  }
+</script>
+
+{#if show}
+  <div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4" role="dialog" aria-modal="true">
+    <Card class="w-full max-w-lg">
+      <div class="mb-4 flex items-center justify-between">
+        <h3 class="text-lg font-semibold">Create Chat</h3>
+        <button class="variant-ghost-surface btn-icon" onclick={close} aria-label="Close">
+          <X class="h-5 w-5" />
+        </button>
+      </div>
+
+      <div class="mb-4 flex gap-2">
+        <button class="btn {tab === 'direct' ? 'variant-filled-primary' : 'variant-ghost-surface'}" onclick={() => (tab = 'direct')}>
+          <User class="h-4 w-4" />
+          <span class="ml-1">Direct</span>
+        </button>
+        <button class="btn {tab === 'group' ? 'variant-filled-primary' : 'variant-ghost-surface'}" onclick={() => (tab = 'group')}>
+          <Users class="h-4 w-4" />
+          <span class="ml-1">Group</span>
+        </button>
+      </div>
+
+      {#if tab === 'direct'}
+        <div class="space-y-3">
+          <label class="block text-sm">
+            <span class="mb-1 block font-medium">Receiver Principal</span>
+            <input class="w-full rounded border px-3 py-2" bind:value={directPrincipal} placeholder="aaaaa-aa" />
+          </label>
+          <div class="grid grid-cols-2 gap-3">
+            <label class="block text-sm">
+              <span class="mb-1 block font-medium">Rotation (min)</span>
+              <input type="number" min="0" class="w-full rounded border px-3 py-2" bind:value={directRotationMinutes} />
+            </label>
+            <label class="block text-sm">
+              <span class="mb-1 block font-medium">Expiration (min)</span>
+              <input type="number" min="0" class="w-full rounded border px-3 py-2" bind:value={directExpirationMinutes} />
+            </label>
+          </div>
+          <div class="flex justify-end gap-2">
+            <Button onclick={createDirect} disabled={!directPrincipal.trim()}>
+              <Plus class="h-4 w-4" />
+              <span class="ml-1">Create</span>
+            </Button>
+          </div>
+        </div>
+      {:else}
+        <div class="space-y-3">
+          <label class="block text-sm">
+            <span class="mb-1 block font-medium">Participant Principals</span>
+            <textarea rows="3" class="w-full rounded border px-3 py-2" bind:value={groupPrincipalsText} placeholder="comma or space separated principals"></textarea>
+          </label>
+          <div class="grid grid-cols-2 gap-3">
+            <label class="block text-sm">
+              <span class="mb-1 block font-medium">Rotation (min)</span>
+              <input type="number" min="0" class="w-full rounded border px-3 py-2" bind:value={groupRotationMinutes} />
+            </label>
+            <label class="block text-sm">
+              <span class="mb-1 block font-medium">Expiration (min)</span>
+              <input type="number" min="0" class="w-full rounded border px-3 py-2" bind:value={groupExpirationMinutes} />
+            </label>
+          </div>
+          <div class="flex justify-end gap-2">
+            <Button onclick={createGroup} disabled={!groupPrincipalsText.trim()}>
+              <Plus class="h-4 w-4" />
+              <span class="ml-1">Create Group</span>
+            </Button>
+          </div>
+        </div>
+      {/if}
+    </Card>
+  </div>
+{/if}
+
+

From 4d5ee1ea3c131f89a5befc8150a54b7baef601ac Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 13 Aug 2025 13:28:59 +0200
Subject: [PATCH 23/62] frontend wip

---
 .../encrypted_chat/frontend/eslint.config.js  |  22 +-
 examples/encrypted_chat/frontend/package.json |   2 +-
 .../src/lib/components/ChatHeader.svelte      |  53 +-
 .../src/lib/components/ChatInterface.svelte   |   9 +-
 .../src/lib/components/ChatList.svelte        |  54 +-
 .../src/lib/components/ChatListItem.svelte    |  18 +-
 .../frontend/src/lib/components/Hero.svelte   |   4 +-
 .../src/lib/components/MessageBubble.svelte   |  24 +-
 .../src/lib/components/MessageHistory.svelte  |  30 +-
 .../src/lib/components/MessageInput.svelte    |  24 +-
 .../src/lib/components/NewChatModal.svelte    | 233 +++---
 .../src/lib/components/UserProfile.svelte     |   6 +-
 .../src/lib/components/ui/Badge.svelte        |   1 +
 .../src/lib/components/ui/Button.svelte       |  33 +-
 .../src/lib/components/ui/Card.svelte         |  27 +-
 .../frontend/src/lib/services/api.ts          |  94 ++-
 .../frontend/src/lib/services/storage.ts      |  35 +-
 .../frontend/src/lib/stores/auth.svelte.ts    |   8 +-
 .../frontend/src/lib/stores/chat.svelte.ts    | 704 +++++++++++++++---
 .../frontend/src/lib/types/index.ts           |  28 +-
 .../frontend/src/routes/+layout.svelte        |   1 +
 .../frontend/src/routes/+page.svelte          |  21 +-
 .../encrypted_chat/rust/backend/backend.did   |   1 +
 .../encrypted_chat/rust/backend/src/lib.rs    |   2 +
 .../encrypted_chat/rust/backend/src/types.rs  |  12 +-
 .../rust/backend/tests/common/mod.rs          | 131 ++++
 .../rust/backend/tests/direct_chat.rs         | 130 +---
 .../rust/backend/tests/group_chat.rs          | 130 +---
 .../encrypted_chat/rust/backend/tests/misc.rs |  99 +++
 29 files changed, 1281 insertions(+), 655 deletions(-)
 create mode 100644 examples/encrypted_chat/rust/backend/tests/common/mod.rs

diff --git a/examples/encrypted_chat/frontend/eslint.config.js b/examples/encrypted_chat/frontend/eslint.config.js
index 34f48500..52621ab2 100644
--- a/examples/encrypted_chat/frontend/eslint.config.js
+++ b/examples/encrypted_chat/frontend/eslint.config.js
@@ -6,13 +6,14 @@ import globals from 'globals';
 import { fileURLToPath } from 'node:url';
 import ts from 'typescript-eslint';
 import svelteConfig from './svelte.config.js';
+import path from 'node:path';
 
 const gitignorePath = fileURLToPath(new URL('./.gitignore', import.meta.url));
 
 export default ts.config(
 	includeIgnoreFile(gitignorePath),
 	js.configs.recommended,
-	...ts.configs.recommended,
+	...ts.configs.recommendedTypeChecked,
 	...svelte.configs.recommended,
 	prettier,
 	...svelte.configs.prettier,
@@ -27,13 +28,24 @@ export default ts.config(
 		}
 	},
 	{
-		files: ['**/*.svelte', '**/*.svelte.ts', '**/*.svelte.js'],
+		files: ['**/*.ts'],
 		languageOptions: {
+			parser: ts.parser,
 			parserOptions: {
 				projectService: true,
+				tsconfigRootDir: import.meta.dirname
+			}
+		}
+	},
+	{
+		files: ['**/*.svelte', '**/*.svelte.ts', '**/*.svelte.js'],
+		languageOptions: {
+			parserOptions: {
 				extraFileExtensions: ['.svelte'],
 				parser: ts.parser,
-				svelteConfig
+				svelteConfig,
+				projectService: true,
+				tsconfigRootDir: import.meta.dirname
 			}
 		}
 	},
@@ -42,9 +54,11 @@ export default ts.config(
 			'dist/',
 			'src/declarations',
 			'*.config.js',
+			'*.config.ts',
 			'*.config.cjs',
 			'*.config.mjs',
-			'.svelte-kit'
+			'.svelte-kit',
+			'e2e/'
 		]
 	}
 );
diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index 73b876f9..7b2a2191 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -5,7 +5,7 @@
 	"type": "module",
 	"scripts": {
 		"build": "npm run build:bindings && vite build",
-		"dev": "npm run build:bindings && vite dev",
+		"dev": "npm run build:bindings && vite dev --host",
 		"build:bindings": "cd scripts && ./gen_bindings.sh",
 		"preview": "vite preview",
 		"prepare": "svelte-kit sync || echo ''",
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index da326129..91ec3ef0 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -6,6 +6,7 @@
 	import { chatAPI } from '../services/api';
 	import { chatActions } from '../stores/chat.svelte';
 	import GroupManagementModal from './GroupManagementModal.svelte';
+	import { Principal } from '@dfinity/principal';
 
 	export let chat: Chat;
 	export let showMobileBackButton = false;
@@ -24,19 +25,19 @@
 		showGroupManagement = false;
 	}
 
-	async function handleChatInfoToggle() {
+	function handleChatInfoToggle() {
 		showChatInfo = !showChatInfo;
 		if (showChatInfo && !ratchetStats && !loadingRatchetStats) {
-			await loadRatchetStats();
+			loadRatchetStats();
 		}
 	}
 
-	async function loadRatchetStats() {
+	function loadRatchetStats() {
 		if (!chat) return;
 
 		loadingRatchetStats = true;
 		try {
-			ratchetStats = await chatAPI.getRatchetStats();
+			ratchetStats = chatAPI.getRatchetStats();
 		} catch (error) {
 			console.error('Failed to load ratchet stats:', error);
 		} finally {
@@ -45,50 +46,39 @@
 	}
 
 	function getDisplayName(): string {
-		if (chat.type === 'direct') {
-			return chat.participants.find((p) => p.id !== 'current-user')?.name || 'Unknown';
-		}
 		return chat.name;
 	}
 
 	function getDisplayAvatar(): string {
 		if (chat.type === 'direct') {
-			return chat.participants.find((p) => p.id !== 'current-user')?.avatar || '👤';
+			return '👤';
 		}
 		return chat.avatar || '👥';
 	}
 
-	function getOnlineStatus(): string {
-		if (chat.type === 'direct') {
-			const otherUser = chat.participants.find((p) => p.id !== 'current-user');
-			if (otherUser?.isOnline) return 'Online';
-			if (otherUser?.lastSeen) {
-				const lastSeen = new Date(otherUser.lastSeen);
-				const diff = Date.now() - lastSeen.getTime();
-				const hours = Math.floor(diff / (1000 * 60 * 60));
-				const days = Math.floor(diff / (1000 * 60 * 60 * 24));
-
-				if (hours < 1) return 'Last seen recently';
-				if (hours < 24) return `Last seen ${hours}h ago`;
-				return `Last seen ${days}d ago`;
-			}
-			return 'Offline';
-		}
-		const onlineCount = chat.participants.filter((p) => p.isOnline).length;
-		return `${onlineCount} of ${chat.participants.length} online`;
-	}
-
 	function formatDate(date: Date): string {
 		return date.toLocaleString();
 	}
 
-	async function handleGroupManagementSave(
-		event: CustomEvent<{ addUsers: string[]; removeUsers: string[]; allowHistoryForNew: boolean }>
+	function handleGroupManagementSave(
+		event: CustomEvent<{
+			addUsers: string[];
+			removeUsers: string[];
+			allowHistoryForNew: boolean;
+		}>
 	) {
 		const { addUsers, removeUsers, allowHistoryForNew } = event.detail;
 
+		const addUsersPrincipal = addUsers.map((id) => Principal.fromText(id));
+		const removeUsersPrincipal = removeUsers.map((id) => Principal.fromText(id));
+
 		try {
-			await chatAPI.updateGroupMembers(chat.id, addUsers, removeUsers, allowHistoryForNew);
+			chatAPI.updateGroupMembers(
+				chat.id,
+				addUsersPrincipal,
+				removeUsersPrincipal,
+				allowHistoryForNew
+			);
 
 			chatActions.addNotification({
 				type: 'success',
@@ -139,7 +129,6 @@
 				>
 					{getDisplayName()}
 				</h2>
-				<p class="text-sm font-medium text-gray-500 dark:text-gray-400">{getOnlineStatus()}</p>
 			</div>
 		</div>
 
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
index 00ab8293..71eb0adf 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { chatActions, chats, selectedChatId } from '../stores/chat.svelte';
+	import { chatActions, chatIdToString, chats, selectedChatId } from '../stores/chat.svelte';
 	import ChatHeader from './ChatHeader.svelte';
 	import MessageHistory from './MessageHistory.svelte';
 	import MessageInput from './MessageInput.svelte';
@@ -9,7 +9,11 @@
 
 	const selectedChat = $derived(
 		selectedChatId.state
-			? (chats.state.find((chat) => chat.id === selectedChatId.state) ?? null)
+			? chats.state.find((chat) =>
+					selectedChatId.state
+						? chatIdToString(chat.id) === chatIdToString(selectedChatId.state)
+						: false
+				)
 			: null
 	);
 
@@ -29,7 +33,6 @@
 				data: arrayBuffer
 			};
 		}
-
 		await chatActions.sendMessage(selectedChat.id, content, fileData);
 	}
 </script>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index 137df3be..b5cf6f60 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -1,18 +1,40 @@
 <script lang="ts">
-    import { chats, selectedChatId, chatActions } from '../stores/chat.svelte';
-	import { auth } from '$lib/stores/auth.svelte';
+	import {
+		chats,
+		selectedChatId,
+		chatActions,
+		chatIdToString,
+		chatIdFromStr,
+		getNumberOfMessagesIs,
+		chatIdStringToNumberOfMessagesShould,
+		getChatIds
+	} from '../stores/chat.svelte';
 	import ChatListItem from './ChatListItem.svelte';
 	import UserProfile from './UserProfile.svelte';
-    import Button from './ui/Button.svelte';
-    import NewChatModal from './NewChatModal.svelte';
+	import Button from './ui/Button.svelte';
+	import NewChatModal from './NewChatModal.svelte';
 
-    $effect(() => {
-        if (selectedChatId.state) {
-            chatActions.loadChatMessages(selectedChatId.state);
-        }
-    });
+	$effect(() => {
+		console.log(`$effect loadChatMessages`);
+		const numMessagesShoulds = getChatIds().map((chatId) => {
+			const should = chatIdStringToNumberOfMessagesShould.get(chatIdToString(chatId)) ?? 0n;
+			const is = getNumberOfMessagesIs(chatId);
+			return { chatId, should, is };
+		});
+		(async () => {
+			for (const { chatId, should, is } of numMessagesShoulds) {
+				if (!is || is !== should) {
+					await chatActions.loadChatMessages(chatId, is);
+				} else {
+					console.log(
+						`SKIPPING $effect loadChatMessages for ${chatIdToString(chatId)}: is  ${is.toString()}, should ${should.toString()}`
+					);
+				}
+			}
+		})().catch(console.error);
+	});
 
-    let showNewChat = $state(false);
+	let showNewChat = $state(false);
 </script>
 
 <div class="chat-list glass-effect flex h-full flex-col border-r border-white/20 backdrop-blur-xl">
@@ -29,9 +51,9 @@
 		<p class="mt-1 text-sm font-medium text-gray-500 dark:text-gray-400">
 			{chats.state.length} conversation{chats.state.length !== 1 ? 's' : ''}
 		</p>
-    <div class="mt-3 flex gap-2">
-      <Button size="sm" variant="filled" onclick={() => (showNewChat = true)}>New Chat</Button>
-    </div>
+		<div class="mt-3 flex gap-2">
+			<Button size="sm" variant="filled" onclick={() => (showNewChat = true)}>New Chat</Button>
+		</div>
 	</div>
 
 	<!-- Chat List -->
@@ -39,8 +61,10 @@
 		{#each chats.state as chat (chat.id)}
 			<ChatListItem
 				{chat}
-				isSelected={selectedChatId.state === chat.id}
-				on:select={(e) => (selectedChatId.state = e.detail)}
+				isSelected={selectedChatId.state
+					? chatIdToString(selectedChatId.state) === chatIdToString(chat.id)
+					: false}
+				on:select={(e: CustomEvent<string>) => (selectedChatId.state = chatIdFromStr(e.detail))}
 			/>
 		{:else}
 			<div class="p-8 text-center text-surface-600-500">
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
index abb7ea06..0ab73543 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -2,6 +2,7 @@
 	import { createEventDispatcher } from 'svelte';
 	import { Clock, Users, User, Loader2, AlertCircle, CheckCircle } from 'lucide-svelte';
 	import type { Chat } from '../types';
+	import { chatIdToString } from '$lib/stores/chat.svelte';
 
 	export let chat: Chat;
 	export let isSelected = false;
@@ -11,7 +12,7 @@
 	}>();
 
 	function handleClick() {
-		dispatch('select', chat.id);
+		dispatch('select', chatIdToString(chat.id));
 	}
 
 	function formatTime(date: Date): string {
@@ -29,19 +30,9 @@
 	}
 
 	function getDisplayName(): string {
-		if (chat.type === 'direct') {
-			return chat.participants.find((p) => p.id !== 'current-user')?.name || 'Unknown';
-		}
 		return chat.name;
 	}
 
-	function getDisplayAvatar(): string {
-		if (chat.type === 'direct') {
-			return chat.participants.find((p) => p.id !== 'current-user')?.avatar || '👤';
-		}
-		return chat.avatar || '👥';
-	}
-
 	function getStatusColor(): string {
 		if (!chat.isReady) return 'status-error';
 		if (chat.isUpdating) return 'status-updating';
@@ -67,7 +58,7 @@
 			<div
 				class="avatar from-primary-500 to-primary-600 flex h-12 w-12 items-center justify-center rounded-full bg-gradient-to-br text-lg text-white shadow-sm"
 			>
-				{getDisplayAvatar()}
+				?????
 			</div>
 			<!-- Status indicator -->
 			<div class="absolute -right-1 -bottom-1">
@@ -91,9 +82,6 @@
 					{:else}
 						<User class="text-surface-500-400-token h-3 w-3" />
 					{/if}
-					<span class="text-surface-500-400-token text-xs">
-						{formatTime(chat.lastActivity)}
-					</span>
 				</div>
 			</div>
 
diff --git a/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte b/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
index af9cdb8f..0efb13d1 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
@@ -5,8 +5,8 @@
 	import { auth } from '$lib/stores/auth.svelte';
 </script>
 
-<div class="hero min-h-screen content-start pt-8 sm:content-center sm:pt-0">
-	<div class="hero-content text-center">
+<div class="flex min-h-screen flex-col items-center justify-start pt-8 sm:justify-center sm:pt-0">
+	<div class="flex max-w-xl flex-col items-center text-center">
 		<div class="max-w-xl">
 			<h1 class="text-primary mb-5 text-4xl font-bold sm:text-5xl dark:text-white">
 				Encrypted Chat using vetKeys
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
index 09772b2b..44b2847d 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
@@ -3,10 +3,21 @@
 	import Button from './ui/Button.svelte';
 	import type { Message, User } from '../types';
 
-	/** @type {{ message: Message }}
-	 *  @type {{ sender: User | null }}
-	 */
-	let { message, sender = null, isOwnMessage = false, showAvatar = true, showTimestamp = true, isGroupChat = false } = $props();
+	let {
+		message,
+		sender = null,
+		isOwnMessage = false,
+		showAvatar = true,
+		showTimestamp = true,
+		isGroupChat = false
+	}: {
+		message: Message;
+		sender: User | null;
+		isOwnMessage: boolean;
+		showAvatar: boolean;
+		showTimestamp: boolean;
+		isGroupChat: boolean;
+	} = $props();
 
 	function formatTime(date: Date): string {
 		return date.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit' });
@@ -188,7 +199,10 @@
 				{#if message.isEncrypted}
 					<span class="ml-1">🔒</span>
 				{/if}
-				<span class="ml-1 opacity-70">Epoch {message.ratchetEpoch}</span>
+				<span class="ml-1 opacity-70"
+					>vetKeyEpoch
+					{message.vetkeyEpoch} SymmRatchetEpoch {message.symmetricRatchetEpoch}</span
+				>
 			</div>
 		{/if}
 	</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
index 8f52fc76..f1b3eaef 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
@@ -1,25 +1,28 @@
 <script lang="ts">
-	import { chats, selectedChatId, messages } from '../stores/chat.svelte';
+	import { chats, selectedChatId, messages, chatIdToString } from '../stores/chat.svelte';
 	import MessageBubble from './MessageBubble.svelte';
 	import type { Message, User } from '../types';
 	import { SvelteDate } from 'svelte/reactivity';
+	import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
 
 	let messagesContainer: HTMLDivElement | undefined = $state(undefined);
 	let autoScroll = $state(true);
 
 	const selectedChat = $derived(
 		selectedChatId.state
-			? (chats.state.find((chat) => chat.id === selectedChatId.state) ?? null)
+			? (chats.state.find((chat) => selectedChatId.state && chatIdToString(chat.id) === chatIdToString(selectedChatId.state)) ??
+				null)
 			: null
 	);
 
 	const selectedChatMessages = $derived(
-		selectedChatId.state ? (messages.state[selectedChatId.state] ?? []) : []
+		selectedChatId.state ? (messages.state[chatIdToString(selectedChatId.state)] ?? []) : []
 	);
 
 	// Scroll to bottom when new messages arrive
 	$effect(() => {
 		if (autoScroll && messagesContainer && selectedChatMessages) {
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
 			messagesContainer.scrollTop = messagesContainer.scrollHeight;
 		}
 	});
@@ -43,11 +46,13 @@
 	function getSender(message: Message): User | null {
 		if (!selectedChat) return null;
 
-		return selectedChat.participants.find((p) => p.id === message.senderId) || null;
+		return selectedChat.participants.find((p) => p.id.toString() === message.senderId) || null;
 	}
 
 	function isOwnMessage(message: Message): boolean {
-		return message.senderId === 'current-user';
+		if (auth.state.label !== 'initialized') throw new Error('Unexpectedly not authenticated');
+		const myPrincipal = auth.state.client.getIdentity().getPrincipal();
+		return message.senderId === myPrincipal.toString();
 	}
 
 	function shouldShowAvatar(message: Message, index: number): boolean {
@@ -96,8 +101,13 @@
 	function getParticipantInfo(): string {
 		if (!selectedChat) return '';
 
+		if (auth.state.label !== 'initialized') throw new Error('Unexpectedly not authenticated');
+		const myPrincipal = auth.state.client.getIdentity().getPrincipal();
+
 		if (selectedChat.type === 'direct') {
-			const otherUser = selectedChat.participants.find((p) => p.id !== 'current-user');
+			const otherUser = selectedChat.participants.find(
+				(p) => p.id.toString() !== myPrincipal.toString()
+			);
 			return otherUser ? `This is the beginning of your conversation with ${otherUser.name}` : '';
 		}
 
@@ -121,14 +131,18 @@
 						class="avatar bg-primary-500 mb-4 flex h-16 w-16 items-center justify-center rounded-full text-2xl"
 					>
 						{#if selectedChat.type === 'direct'}
-							{selectedChat.participants.find((p) => p.id !== 'current-user')?.avatar || '👤'}
+							{selectedChat.participants.find(
+								(p) => p.id.toString() !== getMyPrincipal().toString()
+							)?.avatar || '👤'}
 						{:else}
 							{selectedChat.avatar || '👥'}
 						{/if}
 					</div>
 					<h3 class="mb-2 text-lg font-semibold">
 						{#if selectedChat.type === 'direct'}
-							{selectedChat.participants.find((p) => p.id !== 'current-user')?.name || 'Unknown'}
+							{selectedChat.participants.find(
+								(p) => p.id.toString() !== getMyPrincipal().toString()
+							)?.name || 'Me'}
 						{:else}
 							{selectedChat.name}
 						{/if}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
index b21af38b..f1fb9b51 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
@@ -18,7 +18,7 @@
 	let fileInput: HTMLInputElement;
 	let selectedFile: FileUpload | null = null;
 
-	const MAX_FILE_SIZE = 100 * 1024; // 100KB
+	const MAX_FILE_SIZE_1_MB = 1_000 * 1024; // 100KB
 
 	function handleSend() {
 		const content = messageText.trim();
@@ -51,11 +51,11 @@
 
 		if (!file) return;
 
-		if (file.size > MAX_FILE_SIZE) {
+		if (file.size > MAX_FILE_SIZE_1_MB) {
 			selectedFile = {
 				file,
 				isValid: false,
-				error: `File too large. Maximum size is ${MAX_FILE_SIZE / 1024}KB.`
+				error: `File too large. Maximum size is ${MAX_FILE_SIZE_1_MB / (1024 * 1024)}MB.`
 			};
 			return;
 		}
@@ -164,7 +164,7 @@
 					size="sm"
 					onclick={handleFileSelect}
 					{disabled}
-					title="Attach file (max {MAX_FILE_SIZE / 1024}KB)"
+					title="Attach file (max {MAX_FILE_SIZE_1_MB / (1024 * 1024)}MB)"
 					aria-label="Attach file"
 				>
 					<Paperclip class="h-4 w-4" />
@@ -185,14 +185,14 @@
 
 		<!-- Send button -->
 		<div class="pb-2">
-		<Button
-			variant="filled"
-			onclick={handleSend}
-			disabled={disabled ||
-				(!messageText.trim() && !selectedFile) ||
-				!!(selectedFile && selectedFile.isValid === false)}
-			aria-label="Send message"
-		>
+			<Button
+				variant="filled"
+				onclick={handleSend}
+				disabled={disabled ||
+					(!messageText.trim() && !selectedFile) ||
+					!!(selectedFile && selectedFile.isValid === false)}
+				aria-label="Send message"
+			>
 				<Send class="h-5 w-5" />
 			</Button>
 		</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
index a6fa958d..a9dee118 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
@@ -1,110 +1,151 @@
 <script lang="ts">
-  import { X, Plus, Users, User } from 'lucide-svelte';
-  import Card from './ui/Card.svelte';
-  import Button from './ui/Button.svelte';
-  import { chatActions } from '$lib/stores/chat.svelte';
+	import { X, Plus, Users, User } from 'lucide-svelte';
+	import Card from './ui/Card.svelte';
+	import Button from './ui/Button.svelte';
+	import { chatActions } from '$lib/stores/chat.svelte';
 
-  /** @type {{ show: boolean }} */
-  let { show = $bindable(false) } = $props();
+	/** @type {{ show: boolean }} */
+	let { show = $bindable(false) } = $props();
 
-  let tab: 'direct' | 'group' = $state('direct');
+	let tab: 'direct' | 'group' = $state('direct');
 
-  // Direct chat form
-  let directPrincipal = $state('');
-  let directRotationMinutes = $state(60);
-  let directExpirationMinutes = $state(0);
+	// Direct chat form
+	let directPrincipal = $state('');
+	let directRotationMinutes = $state(60);
+	let directExpirationMinutes = $state(0);
 
-  // Group chat form
-  let groupPrincipalsText = $state('');
-  let groupRotationMinutes = $state(60);
-  let groupExpirationMinutes = $state(0);
+	// Group chat form
+	let groupPrincipalsText = $state('');
+	let groupRotationMinutes = $state(60);
+	let groupExpirationMinutes = $state(0);
 
-  function close() {
-    show = false;
-  }
+	function close() {
+		show = false;
+	}
 
-  async function createDirect() {
-    await chatActions.createDirectChat(directPrincipal, directRotationMinutes, directExpirationMinutes);
-    close();
-  }
+	async function createDirect() {
+		await chatActions.createDirectChat(
+			directPrincipal,
+			directRotationMinutes,
+			directExpirationMinutes
+		);
+		close();
+	}
 
-  async function createGroup() {
-    const principals = groupPrincipalsText.split(/[\s,]+/).filter(Boolean);
-    await chatActions.createGroupChat(principals, groupRotationMinutes, groupExpirationMinutes);
-    close();
-  }
+	async function createGroup() {
+		const principals = groupPrincipalsText.split(/[\s,]+/).filter(Boolean);
+		await chatActions.createGroupChat(principals, groupRotationMinutes, groupExpirationMinutes);
+		close();
+	}
 </script>
 
 {#if show}
-  <div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4" role="dialog" aria-modal="true">
-    <Card class="w-full max-w-lg">
-      <div class="mb-4 flex items-center justify-between">
-        <h3 class="text-lg font-semibold">Create Chat</h3>
-        <button class="variant-ghost-surface btn-icon" onclick={close} aria-label="Close">
-          <X class="h-5 w-5" />
-        </button>
-      </div>
+	<div
+		class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4"
+		role="dialog"
+		aria-modal="true"
+	>
+		<Card class="w-full max-w-lg">
+			<div class="mb-4 flex items-center justify-between">
+				<h3 class="text-lg font-semibold">Create Chat</h3>
+				<button class="variant-ghost-surface btn-icon" onclick={close} aria-label="Close">
+					<X class="h-5 w-5" />
+				</button>
+			</div>
 
-      <div class="mb-4 flex gap-2">
-        <button class="btn {tab === 'direct' ? 'variant-filled-primary' : 'variant-ghost-surface'}" onclick={() => (tab = 'direct')}>
-          <User class="h-4 w-4" />
-          <span class="ml-1">Direct</span>
-        </button>
-        <button class="btn {tab === 'group' ? 'variant-filled-primary' : 'variant-ghost-surface'}" onclick={() => (tab = 'group')}>
-          <Users class="h-4 w-4" />
-          <span class="ml-1">Group</span>
-        </button>
-      </div>
+			<div class="mb-4 flex gap-2">
+				<button
+					class="btn {tab === 'direct' ? 'variant-filled-primary' : 'variant-ghost-surface'}"
+					onclick={() => (tab = 'direct')}
+				>
+					<User class="h-4 w-4" />
+					<span class="ml-1">Direct</span>
+				</button>
+				<button
+					class="btn {tab === 'group' ? 'variant-filled-primary' : 'variant-ghost-surface'}"
+					onclick={() => (tab = 'group')}
+				>
+					<Users class="h-4 w-4" />
+					<span class="ml-1">Group</span>
+				</button>
+			</div>
 
-      {#if tab === 'direct'}
-        <div class="space-y-3">
-          <label class="block text-sm">
-            <span class="mb-1 block font-medium">Receiver Principal</span>
-            <input class="w-full rounded border px-3 py-2" bind:value={directPrincipal} placeholder="aaaaa-aa" />
-          </label>
-          <div class="grid grid-cols-2 gap-3">
-            <label class="block text-sm">
-              <span class="mb-1 block font-medium">Rotation (min)</span>
-              <input type="number" min="0" class="w-full rounded border px-3 py-2" bind:value={directRotationMinutes} />
-            </label>
-            <label class="block text-sm">
-              <span class="mb-1 block font-medium">Expiration (min)</span>
-              <input type="number" min="0" class="w-full rounded border px-3 py-2" bind:value={directExpirationMinutes} />
-            </label>
-          </div>
-          <div class="flex justify-end gap-2">
-            <Button onclick={createDirect} disabled={!directPrincipal.trim()}>
-              <Plus class="h-4 w-4" />
-              <span class="ml-1">Create</span>
-            </Button>
-          </div>
-        </div>
-      {:else}
-        <div class="space-y-3">
-          <label class="block text-sm">
-            <span class="mb-1 block font-medium">Participant Principals</span>
-            <textarea rows="3" class="w-full rounded border px-3 py-2" bind:value={groupPrincipalsText} placeholder="comma or space separated principals"></textarea>
-          </label>
-          <div class="grid grid-cols-2 gap-3">
-            <label class="block text-sm">
-              <span class="mb-1 block font-medium">Rotation (min)</span>
-              <input type="number" min="0" class="w-full rounded border px-3 py-2" bind:value={groupRotationMinutes} />
-            </label>
-            <label class="block text-sm">
-              <span class="mb-1 block font-medium">Expiration (min)</span>
-              <input type="number" min="0" class="w-full rounded border px-3 py-2" bind:value={groupExpirationMinutes} />
-            </label>
-          </div>
-          <div class="flex justify-end gap-2">
-            <Button onclick={createGroup} disabled={!groupPrincipalsText.trim()}>
-              <Plus class="h-4 w-4" />
-              <span class="ml-1">Create Group</span>
-            </Button>
-          </div>
-        </div>
-      {/if}
-    </Card>
-  </div>
+			{#if tab === 'direct'}
+				<div class="space-y-3">
+					<label class="block text-sm">
+						<span class="mb-1 block font-medium">Receiver Principal</span>
+						<input
+							class="w-full rounded border px-3 py-2"
+							bind:value={directPrincipal}
+							placeholder="aaaaa-aa"
+						/>
+					</label>
+					<div class="grid grid-cols-2 gap-3">
+						<label class="block text-sm">
+							<span class="mb-1 block font-medium">Rotation (min)</span>
+							<input
+								type="number"
+								min="0"
+								class="w-full rounded border px-3 py-2"
+								bind:value={directRotationMinutes}
+							/>
+						</label>
+						<label class="block text-sm">
+							<span class="mb-1 block font-medium">Expiration (min)</span>
+							<input
+								type="number"
+								min="0"
+								class="w-full rounded border px-3 py-2"
+								bind:value={directExpirationMinutes}
+							/>
+						</label>
+					</div>
+					<div class="flex justify-end gap-2">
+						<Button onclick={createDirect} disabled={!directPrincipal.trim()}>
+							<Plus class="h-4 w-4" />
+							<span class="ml-1">Create</span>
+						</Button>
+					</div>
+				</div>
+			{:else}
+				<div class="space-y-3">
+					<label class="block text-sm">
+						<span class="mb-1 block font-medium">Participant Principals</span>
+						<textarea
+							rows="3"
+							class="w-full rounded border px-3 py-2"
+							bind:value={groupPrincipalsText}
+							placeholder="comma or space separated principals"
+						></textarea>
+					</label>
+					<div class="grid grid-cols-2 gap-3">
+						<label class="block text-sm">
+							<span class="mb-1 block font-medium">Rotation (min)</span>
+							<input
+								type="number"
+								min="0"
+								class="w-full rounded border px-3 py-2"
+								bind:value={groupRotationMinutes}
+							/>
+						</label>
+						<label class="block text-sm">
+							<span class="mb-1 block font-medium">Expiration (min)</span>
+							<input
+								type="number"
+								min="0"
+								class="w-full rounded border px-3 py-2"
+								bind:value={groupExpirationMinutes}
+							/>
+						</label>
+					</div>
+					<div class="flex justify-end gap-2">
+						<Button onclick={createGroup} disabled={!groupPrincipalsText.trim()}>
+							<Plus class="h-4 w-4" />
+							<span class="ml-1">Create Group</span>
+						</Button>
+					</div>
+				</div>
+			{/if}
+		</Card>
+	</div>
 {/if}
-
-
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index 0dde7c3f..d72cd9c7 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -1,9 +1,9 @@
 <script lang="ts">
 	import { Settings, X, Check } from 'lucide-svelte';
 	import { userConfig, chatActions } from '../stores/chat.svelte';
-	import { auth } from '$lib/stores/auth.svelte';
+	import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
 	import type { User } from '$lib/types';
-	
+
 	const currentUser = $derived<{ state: User | null }>({
 		state: {
 			...getDummyCurrentUser(),
@@ -16,7 +16,7 @@
 
 	function getDummyCurrentUser(): User {
 		return {
-			id: 'current-user',
+			id: getMyPrincipal(),
 			name: 'You',
 			avatar: '👤',
 			isOnline: true
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
index bbbb3f1a..88122377 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Badge.svelte
@@ -13,5 +13,6 @@
 </script>
 
 <span class={classes} {...rest}>
+	<!-- eslint-disable-next-line @typescript-eslint/no-unsafe-call -->
 	{@render children?.()}
 </span>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
index ce11b509..174cdfeb 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Button.svelte
@@ -16,33 +16,40 @@
 	export { className as class };
 
 	// Define variant classes using Skeleton v3's design tokens
-    const variantClasses = {
+	const variantClasses = {
 		filled: 'variant-filled-primary',
 		outline: 'variant-outline-primary',
 		ghost: 'variant-ghost-primary',
 		gradient:
 			'bg-gradient-to-r from-primary-500 to-secondary-500 text-on-primary-token hover:from-primary-600 hover:to-secondary-600'
-    } as const;
+	} as const;
 
-    const sizeClasses = {
+	const sizeClasses = {
 		sm: 'btn-sm',
 		md: 'btn-md',
 		lg: 'btn-lg'
-    } as const;
+	} as const;
 
-    let classes = $derived(
-        [
-            'btn',
-            variantClasses[variant as keyof typeof variantClasses],
-            sizeClasses[size as keyof typeof sizeClasses],
-            'transition-all duration-200',
-            className
-        ]
+	let classes = $derived(
+		[
+			'btn',
+			variantClasses[variant as keyof typeof variantClasses],
+			sizeClasses[size as keyof typeof sizeClasses],
+			'transition-all duration-200',
+			className
+		]
 			.filter(Boolean)
 			.join(' ')
 	);
 </script>
 
-<button class={classes} {disabled} type={type as 'button' | 'submit' | 'reset' | undefined} {...rest} {onclick}>
+<button
+	class={classes}
+	{disabled}
+	type={type as 'button' | 'submit' | 'reset' | undefined}
+	{...rest}
+	{onclick}
+>
+	<!-- eslint-disable-next-line @typescript-eslint/no-unsafe-call -->
 	{@render children?.()}
 </button>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
index 7d99c437..67462836 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ui/Card.svelte
@@ -5,30 +5,31 @@
 	let { variant = 'filled', padding = 'md', children, className = '', ...rest } = $props();
 	export { className as class };
 
-    const variantClasses = {
+	const variantClasses = {
 		filled: 'card',
 		glass: 'card variant-glass',
 		outlined: 'card variant-outline'
-    } as const;
+	} as const;
 
-    const paddingClasses = {
+	const paddingClasses = {
 		none: '',
 		sm: 'p-4',
 		md: 'p-6',
 		lg: 'p-8'
-    } as const;
+	} as const;
 
-    let classes = $derived(
-        [
-            variantClasses[variant as keyof typeof variantClasses],
-            paddingClasses[padding as keyof typeof paddingClasses],
-            className
-        ]
-            .filter(Boolean)
-            .join(' ')
-    );
+	let classes = $derived(
+		[
+			variantClasses[variant as keyof typeof variantClasses],
+			paddingClasses[padding as keyof typeof paddingClasses],
+			className
+		]
+			.filter(Boolean)
+			.join(' ')
+	);
 </script>
 
 <div class={classes} {...rest}>
+	<!-- eslint-disable-next-line @typescript-eslint/no-unsafe-call -->
 	{@render children?.()}
 </div>
diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/api.ts
index 59c8c0ba..f3012e49 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/api.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/api.ts
@@ -9,6 +9,8 @@ import type {
 	VetKeyEpochMetadata
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
+import { chatIdToString, stringifyBigInt } from '$lib/stores/chat.svelte';
+import { TransportSecretKey, EncryptedVetKey, DerivedPublicKey, VetKey } from '@dfinity/vetkeys';
 
 // Dummy API service that simulates backend calls
 // In real implementation, these would make actual API calls to the backend
@@ -25,10 +27,10 @@ export class ChatAPI {
 			symmetricKeyRotationDurationMinutes,
 			messageExpirationDurationMinutes
 		);
-		if ('Ok' in result) {
-			return { creationDate: new Date(Number(result.Ok / BigInt(1_000_000))) };
-		} else {
+		if ('Err' in result) {
 			throw new Error(result.Err);
+		} else {
+			return { creationDate: new Date(Number(result.Ok / BigInt(1_000_000))) };
 		}
 	}
 
@@ -56,6 +58,9 @@ export class ChatAPI {
 		message: UserMessage
 	): Promise<{ chatMessageId: bigint }> {
 		const result = await actor.send_direct_message(message, receiver);
+		console.log(
+			`sendDirectMessage: ${stringifyBigInt(message)} to ${receiver.toText()} with result ${stringifyBigInt(result)}`
+		);
 		if ('Ok' in result) {
 			return { chatMessageId: result.Ok };
 		} else {
@@ -69,6 +74,9 @@ export class ChatAPI {
 		message: UserMessage
 	): Promise<{ chatMessageId: bigint }> {
 		const result = await actor.send_group_message(message, groupChatId);
+		console.log(
+			`sendGroupMessage: ${stringifyBigInt(message)} to ${groupChatId} with result ${stringifyBigInt(result)}`
+		);
 		if ('Ok' in result) {
 			return { chatMessageId: result.Ok };
 		} else {
@@ -80,16 +88,23 @@ export class ChatAPI {
 		actor: ActorSubclass<_SERVICE>
 	): Promise<{ chatId: ChatId; numMessages: bigint }[]> {
 		const chatIds = await actor.get_my_chat_ids();
+		const summary: string = chatIds.reduce((acc, [chatId, numMessages]) => {
+			return acc + ' ' + chatIdToString(chatId) + ' ' + numMessages.toString();
+		}, '');
+		console.log('getChatIdsAndCurrentNumbersOfMessages: ' + summary);
 		return chatIds.map(([chatId, numMessages]) => {
 			return { chatId, numMessages };
 		});
 	}
 
-	async getAccessibleVetKeyEpochMetadata(
+	async getLatestVetKeyEpochMetadata(
 		actor: ActorSubclass<_SERVICE>,
 		chatId: ChatId
 	): Promise<VetKeyEpochMetadata> {
 		const metadata = await actor.get_latest_chat_vetkey_epoch_metadata(chatId);
+		console.log(
+			`getLatestVetKeyEpochMetadata: ${stringifyBigInt(chatId)} with result ${stringifyBigInt(metadata)}`
+		);
 		if ('Ok' in metadata) {
 			return metadata.Ok;
 		} else {
@@ -97,26 +112,57 @@ export class ChatAPI {
 		}
 	}
 
-  async getRatchetStats(): Promise<SymmetricRatchetStats> {
-    const now = Date.now();
-    const last = new Date(now - 1000 * 60 * 60 * Math.random() * 24);
-    const next = new Date(now + 1000 * 60 * 60 * Math.random() * 24);
-    return {
-      currentEpoch: Math.floor(Math.random() * 30) + 1,
-      messagesInCurrentEpoch: Math.floor(Math.random() * 200),
-      lastRotation: last,
-      nextScheduledRotation: next
-    };
-  }
+	async getDerivedPublicKey(
+		actor: ActorSubclass<_SERVICE>,
+		chatId: ChatId,
+		vetKeyEpoch: bigint,
+		transportKey: TransportSecretKey
+	): Promise<DerivedPublicKey> {
+		const bytes = await actor.chat_public_key(chatId, vetKeyEpoch);
+		console.log(
+			`getDerivedPublicKey: ${stringifyBigInt(chatId)} with result ${stringifyBigInt(bytes)}`
+		);
+		return DerivedPublicKey.deserialize(Uint8Array.from(bytes));
+	}
+
+	async getVetKey(
+		actor: ActorSubclass<_SERVICE>,
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<VetKey> {
+		const tsk = TransportSecretKey.random();
+		const result = await actor.derive_chat_vetkey(chatId, [vetKeyEpoch], tsk.publicKeyBytes());
+		console.log(`getVetKey: ${stringifyBigInt(chatId)} with result ${stringifyBigInt(result)}`);
+		if ('Ok' in result) {
+			const encryptedVetKey = EncryptedVetKey.deserialize(Uint8Array.from(result.Ok));
+			const derivedPublicKey = await this.getDerivedPublicKey(actor, chatId, vetKeyEpoch, tsk);
+			const vetKey = encryptedVetKey.decryptAndVerify(tsk, derivedPublicKey, new Uint8Array());
+			return vetKey;
+		} else {
+			throw new Error(result.Err);
+		}
+	}
+
+	getRatchetStats(): SymmetricRatchetStats {
+		const now = Date.now();
+		const last = new Date(now - 1000 * 60 * 60 * Math.random() * 24);
+		const next = new Date(now + 1000 * 60 * 60 * Math.random() * 24);
+		return {
+			currentEpoch: Math.floor(Math.random() * 30) + 1,
+			messagesInCurrentEpoch: Math.floor(Math.random() * 200),
+			lastRotation: last,
+			nextScheduledRotation: next
+		};
+	}
 
-	async updateGroupMembers(
-		chatId: string,
-		addUsers: string[],
-		removeUsers: string[],
+	updateGroupMembers(
+		chatId: ChatId,
+		addUsers: Principal[],
+		removeUsers: Principal[],
 		allowHistoryForNew: boolean
-	): Promise<boolean> {
+	): boolean {
 		console.log(
-			`Group ${chatId} updated: +${addUsers.length}, -${removeUsers.length}, history: ${allowHistoryForNew}`
+			`Group ${chatIdToString(chatId)} updated: +${addUsers.length}, -${removeUsers.length}, history: ${allowHistoryForNew}`
 		);
 		return true;
 	}
@@ -127,11 +173,15 @@ export class ChatAPI {
 		startId: bigint,
 		limit: bigint | undefined
 	): Promise<EncryptedMessage[]> {
-		return await actor.get_some_messages_for_chat_starting_from(
+		const result = await actor.get_some_messages_for_chat_starting_from(
 			chatId,
 			startId,
 			limit ? [Number(limit)] : []
 		);
+		console.log(
+			`fetchEncryptedMessages: ${stringifyBigInt(chatId)} from ${startId.toString()} with limit ${limit} with result ${stringifyBigInt(result)}`
+		);
+		return result;
 	}
 }
 
diff --git a/examples/encrypted_chat/frontend/src/lib/services/storage.ts b/examples/encrypted_chat/frontend/src/lib/services/storage.ts
index e5a4f4a7..8f8980d8 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/storage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/storage.ts
@@ -1,17 +1,18 @@
 import { get, set, del, clear, keys } from 'idb-keyval';
 import type { Message, Chat, UserConfig } from '../types';
+import { chatIdToString } from '$lib/stores/chat.svelte';
 
 // IndexedDB storage service for persistent chat data
 export class StorageService {
-	private readonly MESSAGE_PREFIX = 'msg_';
-	private readonly CHAT_PREFIX = 'chat_';
+	private readonly MESSAGE_PREFIX = 'messages';
+	private readonly VETKEY_EPOCH_KEY_PREFIX = 'vetkey_epoch_key';
 	private readonly CONFIG_KEY = 'user_config';
 	private readonly DISCLAIMER_KEY = 'disclaimer_dismissed';
+	private readonly CHAT_PREFIX = 'chat_';
 
 	// Message storage
 	async saveMessage(message: Message): Promise<void> {
-		const key = `${this.MESSAGE_PREFIX}${message.chatId}_${message.id}`;
-		await set(key, message);
+		await set([this.MESSAGE_PREFIX, message.chatId, message.id], message);
 	}
 
 	async getMessages(chatId: string): Promise<Message[]> {
@@ -22,7 +23,7 @@ export class StorageService {
 
 		const messages: Message[] = [];
 		for (const key of chatMessageKeys) {
-			const message = await get(key);
+			const message = (await get(key)) as Message;
 			if (message) {
 				// Ensure timestamp is a Date object
 				if (typeof message.timestamp === 'string') {
@@ -41,23 +42,9 @@ export class StorageService {
 		await del(key);
 	}
 
-	// Clean up old messages based on disappearing messages setting
-	async cleanupOldMessages(chatId: string, retentionDays: number): Promise<void> {
-		if (retentionDays === 0) return; // Never delete if 0
-
-		const cutoffDate = new Date(Date.now() - retentionDays * 24 * 60 * 60 * 1000);
-		const messages = await this.getMessages(chatId);
-
-		for (const message of messages) {
-			if (message.timestamp < cutoffDate) {
-				await this.deleteMessage(chatId, message.id);
-			}
-		}
-	}
-
 	// Chat metadata storage
 	async saveChat(chat: Chat): Promise<void> {
-		const key = `${this.CHAT_PREFIX}${chat.id}`;
+		const key = `${this.CHAT_PREFIX}${chatIdToString(chat.id)}`;
 		await set(key, chat);
 	}
 
@@ -74,7 +61,7 @@ export class StorageService {
 
 		const chats: Chat[] = [];
 		for (const key of chatKeys) {
-			const chat = await get(key);
+			const chat = (await get(key)) as Chat;
 			if (chat) {
 				chats.push(chat);
 			}
@@ -92,10 +79,10 @@ export class StorageService {
 		return (await get(this.CONFIG_KEY)) || null;
 	}
 
-	async getDefaultUserConfig(): Promise<UserConfig> {
+	getMyUserConfig(): UserConfig {
 		return {
 			cacheRetentionDays: 7,
-			userId: 'current-user',
+			userId: 'Me',
 			userName: 'You',
 			userAvatar: '👤'
 		};
@@ -118,7 +105,7 @@ export class StorageService {
 		// Clean up old message keys
 		for (const key of allKeys) {
 			if (typeof key === 'string' && key.startsWith(this.MESSAGE_PREFIX)) {
-				const message = await get(key);
+				const message = (await get(key)) as Message;
 				if (message && new Date(message.timestamp) < cutoffDate) {
 					await del(key);
 				}
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
index 26c4802b..eafbd5e3 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
@@ -1,4 +1,5 @@
 import { AuthClient } from '@dfinity/auth-client';
+import type { Principal } from '@dfinity/principal';
 
 if (import.meta.env.SSR || typeof window === 'undefined') {
 	const {
@@ -74,7 +75,7 @@ export async function login() {
 				globalThis.process.env.DFX_NETWORK === 'ic'
 					? 'https://identity.ic0.app/#authorize'
 					: `http://rdmx6-jaaaa-aaaaa-aaadq-cai.localhost:8000/#authorize`,
-			onSuccess: async () => {
+			onSuccess: () => {
 				authenticate(client);
 			},
 			onError: (e) => console.error('Failed to authenticate with internet identity: ' + e)
@@ -98,3 +99,8 @@ export async function logout() {
 		};
 	}
 }
+
+export function getMyPrincipal(): Principal {
+	if (auth.state.label !== 'initialized') throw new Error('Unexpectedly not authenticated');
+	return auth.state.client.getIdentity().getPrincipal();
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 83d2a1d6..9fb9bbe7 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -10,13 +10,22 @@ import type {
 	_SERVICE,
 	ChatId,
 	EncryptedMessage,
-	VetKeyEpochMetadata
+	VetKeyEpochMetadata,
+	UserMessage,
+	GroupChatMetadata
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
 import { SvelteMap } from 'svelte/reactivity';
+import { DerivedKeyMaterial, deriveSymmetricKey } from '@dfinity/vetkeys';
+
+const DOMAIN_RATCHET_INIT = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-init');
+const DOMAIN_RATCHET_STEP = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-step');
+const DOMAIN_MESSAGE_ENCRYPTION = sizePrefixedBytesFromString(
+	'ic-vetkeys-chat-example-message-encryption'
+);
 
 export const chats = $state<{ state: Chat[] }>({ state: [] });
-export const selectedChatId = $state<{ state: string | null }>({ state: null });
+export const selectedChatId = $state<{ state: ChatId | null }>({ state: null });
 export const userConfig = $state<{ state: UserConfig | null }>({ state: null });
 export const notifications = $state<{ state: Notification[] }>({ state: [] });
 export const isLoading = $state({ state: false });
@@ -24,8 +33,109 @@ export const isBlocked = $state({ state: false });
 export const availableChats = $state({ state: [] });
 export const messages = $state<{ state: Record<string, Message[]> }>({ state: {} });
 
+type VetKeyEpochMetadataState =
+	| { status: 'missing' }
+	| { status: 'loading'; promise: Promise<VetKeyEpochMetadata> }
+	| { status: 'ready'; metadata: VetKeyEpochMetadata }
+	| { status: 'error'; error: string };
+
 // Keep a mapping from string chat id to the actor ChatId
-const chatIdStringToVetKeyEpochMetadata = new SvelteMap<ChatId, VetKeyEpochMetadata>();
+const chatIdStringToVetKeyEpochMetadata = new SvelteMap<string, VetKeyEpochMetadataState>();
+
+type KeyState =
+	| { status: 'missing' }
+	| { status: 'loading'; promise: Promise<CryptoKey> }
+	| { status: 'ready'; symmetricKeyEpoch: bigint; key: CryptoKey }
+	| { status: 'error'; error: string };
+
+export const chatIdStringToEpochKeyState = new SvelteMap<string, KeyState>();
+
+const chatIdStringToNumberOfMessagesIs = new Map<string, bigint>();
+export const chatIdStringToNumberOfMessagesShould = new SvelteMap<string, bigint>();
+
+export function getNumberOfMessagesIs(chatId: ChatId): bigint | undefined {
+	const chatIdStr = chatIdToString(chatId);
+	return chatIdStringToNumberOfMessagesIs.get(chatIdStr);
+}
+
+export function getChatIds(): ChatId[] {
+	return chats.state.map((c) => c.id);
+}
+
+export function initVetKeyReactions() {
+	$effect.root(() => {
+		$effect(() => {
+			if (auth.state.label !== 'initialized') return;
+
+			for (const chat of chats.state) {
+				if (chatIdStringToVetKeyEpochMetadata.has(chatIdToString(chat.id))) {
+					console.log(
+						'chatIdStringToVetKeyEpochMetadata already has ',
+						chatIdToString(chat.id),
+						' -- skipping'
+					);
+					continue;
+				}
+				const actor = getActor();
+				if (!actor) throw new Error('Not authenticated');
+				chatIdStringToVetKeyEpochMetadata.set(chatIdToString(chat.id), {
+					status: 'loading',
+					promise: chatAPI.getLatestVetKeyEpochMetadata(actor, chat.id)
+				});
+				console.log('chatIdStringToVetKeyEpochMetadata loading ', chatIdToString(chat.id));
+				ensureVetKeyEpochMetadata(actor, chat.id).catch((error) => {
+					console.error(
+						`Failed to get vetkey epoch metadata for chat ${chatIdToString(chat.id)}: `,
+						error
+					);
+				});
+			}
+		});
+
+		$effect(() => {
+			if (auth.state.label !== 'initialized') return;
+
+			for (const [chatIdStr, meta] of chatIdStringToVetKeyEpochMetadata.entries()) {
+				if (meta.status !== 'ready') continue;
+				const key = `${chatIdStr}/${meta.metadata.epoch_id.toString()}`;
+				if (chatIdStringToEpochKeyState.has(key)) {
+					console.log(
+						'chatIdStringToEpochKeyState already has ',
+						key,
+						meta.metadata.epoch_id.toString(),
+						' -- skipping'
+					);
+					continue;
+				}
+				const actor = getActor();
+				if (!actor) throw new Error('Not authenticated');
+				const chatId = chatIdFromStr(chatIdStr);
+
+				const p1 = chatAPI.getVetKey(actor, chatId, meta.metadata.epoch_id);
+				const p2 = Promise.resolve(p1).then(async (vetKey) => {
+					const rootKey = deriveSymmetricKey(new Uint8Array(), DOMAIN_RATCHET_INIT, 32);
+					const exportable = false;
+					return await globalThis.crypto.subtle.importKey(
+						'raw',
+						new Uint8Array(rootKey),
+						'HKDF',
+						exportable,
+						['deriveKey', 'deriveBits']
+					);
+				});
+
+				chatIdStringToEpochKeyState.set(key, {
+					status: 'loading',
+					promise: p2
+				});
+				console.log('chatIdStringToEpochKeyState loading ', key, meta.metadata.epoch_id.toString());
+				ensureRootKey(actor, chatId, meta.metadata.epoch_id).catch((error) => {
+					console.error(`Failed to get vetkey epoch metadata for chat ${chatIdStr}: `, error);
+				});
+			}
+		});
+	});
+}
 
 export const chatActions = {
 	async initialize() {
@@ -35,7 +145,7 @@ export const chatActions = {
 			// Load user config
 			let config = await storageService.getUserConfig();
 			if (!config) {
-				config = await storageService.getDefaultUserConfig();
+				config = storageService.getMyUserConfig();
 				await storageService.saveUserConfig(config);
 			}
 			userConfig.state = config;
@@ -43,9 +153,9 @@ export const chatActions = {
 			await this.refreshChats();
 
 			// Set up periodic cleanup
-			setInterval(() => {
-				chatActions.cleanupDisappearingMessages();
-			}, 60000);
+			//setInterval(() => {
+			// TODO: cleanup disappearing messages
+			//	}, 60000);
 		} catch (error) {
 			console.error('Failed to initialize chat:', error);
 			chatActions.addNotification({
@@ -60,25 +170,52 @@ export const chatActions = {
 	},
 
 	async refreshChats() {
-		const actor = await getActor();
+		const actor = getActor();
 		if (actor) {
 			const chatIds = await actor.get_my_chat_ids();
-			console.log('fetched ' + (await chatIds).length + ' chats');
+			for (const [chatId, numMessages] of chatIds) {
+				const numMessagesShould = chatIdStringToNumberOfMessagesShould.get(chatIdToString(chatId));
+				if (!numMessagesShould || numMessagesShould !== numMessages) {
+					console.log(
+						`refreshChats: setting numberOfMessagesShould for chat ${chatIdToString(chatId)} from ${numMessagesShould} to ${numMessages}`
+					);
+					chatIdStringToNumberOfMessagesShould.set(chatIdToString(chatId), numMessages);
+				}
+			}
+			const summary: string = chatIds.reduce((acc, [chatId, numMessages]) => {
+				if ('Direct' in chatId) {
+					return (
+						acc +
+						' ' +
+						chatId.Direct[0].toText() +
+						' ' +
+						chatId.Direct[1].toText() +
+						' ' +
+						numMessages.toString()
+					);
+				} else {
+					return acc + ' ' + chatId.Group.toString() + ' ' + numMessages.toString();
+				}
+			}, '');
+			console.log('fetched ' + chatIds.length + ' chats: ' + summary);
 			for (const [chatId] of chatIds) {
-				if (!chatIdStringToVetKeyEpochMetadata.has(chatId)) {
+				if (!chatIdStringToVetKeyEpochMetadata.has(chatIdToString(chatId))) {
 					const result = await actor.get_latest_chat_vetkey_epoch_metadata(chatId);
 					if ('Ok' in result) {
-						chatIdStringToVetKeyEpochMetadata.set(chatId, result.Ok);
+						chatIdStringToVetKeyEpochMetadata.set(chatIdToString(chatId), {
+							status: 'ready',
+							metadata: result.Ok
+						});
 					} else {
 						console.error('Failed to get vetkey epoch metadata:', result.Err);
 					}
 				}
 			}
 
-			for (const [chatId, meta] of chatIdStringToVetKeyEpochMetadata.entries()) {
-				const chatIdStr = chatIdToString(chatId);
+			for (const [chatIdStr, meta] of chatIdStringToVetKeyEpochMetadata.entries()) {
+				const chatId = chatIdFromStr(chatIdStr);
 
-				const participants = meta?.participants;
+				const participants = meta.status === 'ready' ? meta.metadata.participants : [];
 				if (!participants) {
 					console.error('Failed to get participants for chat:', chatId);
 					continue;
@@ -89,17 +226,19 @@ export const chatActions = {
 				}
 				const myPrincipalText = auth.state.client.getIdentity().getPrincipal().toText();
 				const name = isGroup
-					? `Group: ${shortenId(String(meta?.epoch_id ?? 0n))}`
-					: `Direct: ${participants.find((p) => p.toString() !== myPrincipalText)?.toString()}`;
+					? `Group: ${shortenId(String(chatId.Group.toString()))}`
+					: participants[0].toString() === participants[1].toString()
+						? 'Note to Self'
+						: `Direct: ${participants.find((p) => p.toString() !== myPrincipalText)?.toString()}`;
 				const now = new SvelteDate();
 
 				const chat: Chat = {
-					id: chatIdStr,
+					id: chatId,
 					name,
 					type: isGroup ? 'group' : 'direct',
 					participants: participants.map((p) => ({
-						id: p.toText(),
-						name: myPrincipalText === p.toText() ? 'Note to Self' : 'Principal: ' + p.toText(),
+						id: p,
+						name: myPrincipalText === p.toText() ? 'Me' : p.toText(),
 						avatar: '👤',
 						isOnline: true
 					})),
@@ -109,22 +248,26 @@ export const chatActions = {
 					isUpdating: false,
 					disappearingMessagesDuration: 0,
 					keyRotationStatus: buildDummyRotationStatus(),
-					vetKeyEpoch: Number(meta?.epoch_id ?? 0n),
+					vetKeyEpoch: Number(meta.status === 'ready' ? meta.metadata.epoch_id : 0n),
 					symmetricRatchetEpoch: 0,
 					ratchetEpoch: 0,
 					unreadCount: 0,
 					avatar: isGroup ? '👥' : '👤'
 				};
 
-				if (!chats.state.find((c) => c.id === chatIdStr)) {
+				if (!chats.state.find((c) => chatIdToString(c.id) === chatIdStr)) {
 					chats.state.push(chat);
 				} else if (
 					chats.state.find(
-						(c) => c.id === chatIdStr && c.vetKeyEpoch !== Number(meta?.epoch_id ?? 0n)
+						(c) =>
+							chatIdToString(c.id) === chatIdStr &&
+							c.vetKeyEpoch !== Number(meta.status === 'ready' ? meta.metadata.epoch_id : 0n)
 					)
 				) {
 					const pos = chats.state.findIndex(
-						(c) => c.id === chatIdStr && c.vetKeyEpoch !== Number(meta?.epoch_id ?? 0n)
+						(c) =>
+							chatIdToString(c.id) === chatIdStr &&
+							c.vetKeyEpoch !== Number(meta.status === 'ready' ? meta.metadata.epoch_id : 0n)
 					);
 					chats.state[pos] = chat;
 				} else {
@@ -137,7 +280,7 @@ export const chatActions = {
 		}
 	},
 
-	selectChat(chatId: string) {
+	selectChat(chatId: ChatId) {
 		selectedChatId.state = chatId;
 
 		// Mark as read
@@ -146,16 +289,61 @@ export const chatActions = {
 		);
 	},
 
-	async loadChatMessages(chatId: ChatId) {
+	async loadChatMessages(chatId: ChatId, numMessagesIs: bigint | undefined) {
+		console.log('loadChatMessages:', chatIdToString(chatId));
 		try {
-			const actor = await getActor();
+			const chatIdStr = chatIdToString(chatId);
+			const chat = chats.state.find((c) => chatIdToString(c.id) === chatIdStr);
+			if (!chat) {
+				console.error('loadChatMessages: chat not found:', chatIdStr);
+				return;
+			}
+			const lastMessageId = numMessagesIs ? numMessagesIs : 0n;
+			const actor = getActor();
 			if (!actor) return;
-			const meta = chatIdStringToVetKeyEpochMetadata.get(chatId);
-			if (!meta) return;
-			const startId = meta.messages_start_with_id;
-			const enc = await chatAPI.fetchEncryptedMessages(actor, chatId, startId, undefined);
-			const mapped: Message[] = enc.map((m) => toUiMessage(chatIdToString(chatId), m));
-			messages.state = { ...messages.state, [chatIdToString(chatId)]: mapped };
+			const meta = chatIdStringToVetKeyEpochMetadata.get(chatIdStr);
+			if (!meta) {
+				console.error('loadChatMessages: Failed to get vetkey epoch metadata for chat:', chatIdStr);
+				return;
+			}
+			const enc = await chatAPI.fetchEncryptedMessages(actor, chatId, lastMessageId, undefined);
+			const mapped: Message[] = [];
+			for (const m of enc) {
+				const plaintextMessageContent = await decryptMessageContent(
+					chatId,
+					BigInt(m.metadata.vetkey_epoch),
+					BigInt(m.metadata.symmetric_key_epoch),
+					m.metadata.sender,
+					new Uint8Array(m.content),
+					m.metadata.sender_message_id
+				);
+				`/// decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${BigInt(m.metadata.vetkey_epoch).toString()} symmetricKeyEpoch: ${BigInt(m.metadata.symmetric_key_epoch).toString()} sender: ${m.metadata.sender.toText()} userMessageId: ${m.metadata.sender_message_id.toString()}`;
+				m.content = plaintextMessageContent;
+				mapped.push(toUiMessage(chatIdToString(chatId), m));
+			}
+			if (mapped.length !== 0) {
+				console.log('loadChatMessages: mapped:', stringifyBigInt(mapped));
+			} else {
+				console.log('loadChatMessages: no messages loaded for chat:', chatIdStr);
+			}
+			messages.state[chatIdStr].push(...mapped);
+			if (mapped.length !== 0) {
+				const pos = chats.state.findIndex((c) => chatIdToString(c.id) === chatIdStr);
+				const lastMessageBefore = chats.state[pos].lastMessage;
+				chats.state[pos].lastMessage = mapped[mapped.length - 1];
+				chatIdStringToNumberOfMessagesIs.set(
+					chatIdToString(chat.id),
+					BigInt(mapped[mapped.length - 1].id) + 1n
+				);
+				const lastMessageAfter = chats.state[pos].lastMessage;
+				if (lastMessageBefore && lastMessageAfter && lastMessageBefore.id === lastMessageAfter.id) {
+					console.log('loadChatMessages: last message is the same:', chatIdStr);
+				} else {
+					console.log(
+						`loadChatMessages: loaded ${mapped.length} messages for chat ${chatIdStr}. Old last message id: ${lastMessageBefore?.id.toString()}, new last message id: ${lastMessageAfter?.id.toString()}`
+					);
+				}
+			}
 			for (const m of mapped) await storageService.saveMessage(m);
 		} catch (error) {
 			console.error('Failed to load messages:', error);
@@ -169,36 +357,63 @@ export const chatActions = {
 	},
 
 	async sendMessage(
-		chatIdStr: string,
+		chatId: ChatId,
 		content: string,
 		fileData?: { name: string; size: number; type: string; data: ArrayBuffer }
 	) {
-		try {
-			const newMessage: Message = {
-				id: `${Date.now()}`,
-				chatId: chatIdStr,
-				senderId: 'current-user',
-				content: content,
-				timestamp: new SvelteDate(),
-				type: fileData ? 'file' : 'text',
-				fileData,
-				isEncrypted: false,
-				ratchetEpoch: 0
-			};
-			messages.state = {
-				...messages.state,
-				[chatIdStr]: [...(messages.state[chatIdStr] || []), newMessage]
-			};
+		const actor = getActor();
+		if (!actor) throw new Error('Not authenticated');
 
-			// Update chat last activity
-			chats.state = chats.state.map((chat) =>
-				chat.id === chatIdStr
-					? { ...chat, lastActivity: new SvelteDate(), lastMessage: newMessage }
-					: chat
+		const chatIdStr = chatIdToString(chatId);
+
+		if (auth.state.label !== 'initialized') {
+			throw new Error('Unexpectedly not authenticated');
+		}
+		const myPrincipal = auth.state.client.getIdentity().getPrincipal();
+
+		try {
+			const vetKeyEpochMeta = chatIdStringToVetKeyEpochMetadata.get(chatIdStr);
+			if (vetKeyEpochMeta?.status !== 'ready') {
+				console.error('Failed to get vetkey epoch metadata for chat:', chatId);
+				return;
+			}
+			const vetKeyEpochId = vetKeyEpochMeta.metadata.epoch_id;
+			const elapsedSinceVetKeyEpoch =
+				BigInt(Date.now()) * 1_000_000n - vetKeyEpochMeta.metadata.creation_timestamp;
+			const symmetricKeyEpoch =
+				elapsedSinceVetKeyEpoch / vetKeyEpochMeta.metadata.symmetric_key_rotation_duration;
+
+			const buf = new Uint8Array(8);
+			globalThis.crypto.getRandomValues(buf);
+			let message_id = 0n;
+			for (const b of buf) message_id = (message_id << 8n) | BigInt(b);
+
+			const messageContent = JSON.stringify({ content, fileData });
+			const encryptedMessageContent = await encryptMessageContent(
+				chatId,
+				vetKeyEpochId,
+				symmetricKeyEpoch,
+				myPrincipal,
+				new TextEncoder().encode(messageContent),
+				message_id
 			);
 
-			// Save to storage
-			await storageService.saveMessage(newMessage);
+			const message: UserMessage = {
+				vetkey_epoch: vetKeyEpochId,
+				content: encryptedMessageContent,
+				symmetric_key_epoch: symmetricKeyEpoch,
+				message_id
+			};
+
+			if ('Direct' in chatId) {
+				const receiver =
+					chatId.Direct[0].toString() === myPrincipal.toString()
+						? chatId.Direct[1]
+						: chatId.Direct[0];
+				await chatAPI.sendDirectMessage(actor, receiver, message);
+			} else {
+				await chatAPI.sendGroupMessage(actor, chatId.Group, message);
+			}
 		} catch (error) {
 			console.error('Failed to send message:', error);
 			chatActions.addNotification({
@@ -210,18 +425,18 @@ export const chatActions = {
 		}
 	},
 
-	async rotateKeys(chatId: string) {
+	rotateKeys(chatId: string) {
 		try {
 			// Mark chat as updating
 			chats.state = chats.state.map((chat) =>
-				chat.id === chatId ? { ...chat, isUpdating: true } : chat
+				chatIdToString(chat.id) === chatId ? { ...chat, isUpdating: true } : chat
 			);
 
-			const stats: SymmetricRatchetStats = await chatAPI.getRatchetStats();
+			const stats: SymmetricRatchetStats = chatAPI.getRatchetStats();
 
 			// Update chat with new key status (dummy update)
 			chats.state = chats.state.map((chat) =>
-				chat.id === chatId
+				chatIdToString(chat.id) === chatId
 					? {
 							...chat,
 							isUpdating: false,
@@ -248,7 +463,7 @@ export const chatActions = {
 
 			// Mark chat as not updating
 			chats.state = chats.state.map((chat) =>
-				chat.id === chatId ? { ...chat, isUpdating: false } : chat
+				chatIdToString(chat.id) === chatId ? { ...chat, isUpdating: false } : chat
 			);
 
 			chatActions.addNotification({
@@ -290,21 +505,13 @@ export const chatActions = {
 		notifications.state = notifications.state.filter((n) => n.id !== id);
 	},
 
-	async cleanupDisappearingMessages() {
-		for (const chat of chats.state) {
-			if (chat.disappearingMessagesDuration > 0) {
-				await storageService.cleanupOldMessages(chat.id, chat.disappearingMessagesDuration);
-			}
-		}
-	},
-
 	async createDirectChat(
 		receiverPrincipalText: string,
 		rotationMinutes: number,
 		expirationMinutes: number
 	) {
 		try {
-			const actor = await getActor();
+			const actor = getActor();
 			if (!actor) throw new Error('Not authenticated');
 			const receiver = Principal.fromText(receiverPrincipalText.trim());
 			await chatAPI.createDirectChat(
@@ -338,9 +545,8 @@ export const chatActions = {
 		expirationMinutes: number
 	) {
 		try {
-			const actor = await getActor();
+			const actor = getActor();
 			if (!actor) throw new Error('Not authenticated');
-			const { Principal } = await import('@dfinity/principal');
 			const participants = participantPrincipalTexts
 				.map((t) => t.trim())
 				.filter(Boolean)
@@ -371,13 +577,15 @@ export const chatActions = {
 	}
 };
 
-async function getActor(): Promise<ActorSubclass<_SERVICE> | undefined> {
+function getActor(): ActorSubclass<_SERVICE> | undefined {
 	if (auth.state.label === 'initialized') {
 		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp-api.io' : 'http://localhost:8000';
+		const shouldFetchRootKey = process.env.DFX_NETWORK !== 'ic';
 		const agent = HttpAgent.createSync({
 			identity: auth.state.client.getIdentity(),
 			fetch,
-			host
+			host,
+			shouldFetchRootKey
 		});
 		if (!process.env.CANISTER_ID_ENCRYPTED_CHAT) {
 			throw new Error('CANISTER_ID_ENCRYPTED_CHAT is not set');
@@ -388,40 +596,22 @@ async function getActor(): Promise<ActorSubclass<_SERVICE> | undefined> {
 	}
 }
 
-function chatIdToString(chatId: ChatId): string {
-	if ('Group' in chatId) return `group-${chatId.Group.toString()}`;
+export function chatIdToString(chatId: ChatId): string {
+	if ('Group' in chatId) return `group/${chatId.Group.toString()}`;
 	const [a, b] = chatId.Direct;
-	return `direct-${a.toString()}-${b.toString()}`;
+	return `direct/${a.toString()}/${b.toString()}`;
 }
 
-function shortenId(id: string): string {
-	return id.length > 8 ? `${id.slice(0, 6)}…${id.slice(-2)}` : id;
+export function chatIdFromStr(chatIdStr: string): ChatId {
+	if (typeof chatIdStr !== 'string')
+		throw new Error('chatIdStr is not a string but ' + typeof chatIdStr);
+	if (chatIdStr.startsWith('group/')) return { Group: BigInt(chatIdStr.slice(6)) };
+	const [a, b] = chatIdStr.split('/').slice(1);
+	return { Direct: [Principal.fromText(a), Principal.fromText(b)] };
 }
 
-function buildDummyParticipants(principals: readonly Principal[] | undefined) {
-	const currentPrincipal =
-		auth.state.label === 'initialized'
-			? auth.state.client.getIdentity().getPrincipal().toString()
-			: undefined;
-	const defaultOther = {
-		id: 'other-user',
-		name: 'Friend',
-		avatar: '🧑',
-		isOnline: true
-	};
-	if (!principals || principals.length === 0) {
-		return [{ id: 'current-user', name: 'You', avatar: '👤', isOnline: true }, defaultOther];
-	}
-	return principals.map((p, idx) => {
-		const pid = p.toString();
-		const isSelf = currentPrincipal && pid === currentPrincipal;
-		return {
-			id: isSelf ? 'current-user' : pid,
-			name: isSelf ? 'You' : `User ${idx + 1}`,
-			avatar: isSelf ? '👤' : ['🧑', '👩', '👨', '🧔', '🧕'][idx % 5],
-			isOnline: isSelf ? true : Math.random() > 0.3
-		};
-	});
+function shortenId(id: string): string {
+	return id.length > 8 ? `${id.slice(0, 6)}…${id.slice(-2)}` : id;
 }
 
 function buildDummyRotationStatus() {
@@ -434,38 +624,322 @@ function buildDummyRotationStatus() {
 }
 
 function toUiMessage(chatIdStr: string, m: EncryptedMessage): Message {
-	const senderPrincipal = (m.metadata.sender as unknown as Principal).toString?.() ?? 'unknown';
+	const senderPrincipal = m.metadata.sender.toText();
 	const currentPrincipal =
 		auth.state.label === 'initialized'
 			? auth.state.client.getIdentity().getPrincipal().toString()
 			: undefined;
 	const senderId =
 		currentPrincipal && senderPrincipal === currentPrincipal ? 'current-user' : senderPrincipal;
+	const contentStr = new TextDecoder().decode(new Uint8Array(m.content));
+	const contentTyped: {
+		content: string;
+		fileData?: { name: string; size: number; type: string; data: ArrayBuffer };
+	} = JSON.parse(contentStr);
 	return {
 		id: m.metadata.chat_message_id.toString(),
 		chatId: chatIdStr,
 		senderId,
-		content: `[encrypted ${m.content.length} bytes]`,
+		content: contentTyped.content,
 		timestamp: new SvelteDate(Number(m.metadata.timestamp / BigInt(1_000_000))),
 		type: 'text',
 		isEncrypted: true,
-		ratchetEpoch: Number(m.metadata.symmetric_key_epoch)
+		vetkeyEpoch: Number(m.metadata.vetkey_epoch),
+		symmetricRatchetEpoch: Number(m.metadata.symmetric_key_epoch)
 	};
 }
 
-async function safeGetEpochMetadata(
-	actor: ActorSubclass<_SERVICE>,
-	chatId: ChatId
-): Promise<VetKeyEpochMetadata | undefined> {
-	try {
-		const res = await chatAPI.getAccessibleVetKeyEpochMetadata(actor, chatId);
-		return res;
-	} catch {
-		return undefined;
+async function ensureVetKeyEpochMetadata(actor: ActorSubclass<_SERVICE>, chatId: ChatId) {
+	const chatIdStr = chatIdToString(chatId);
+	console.log('ensureVetKeyEpochMetadata', chatIdStr);
+	const cur = chatIdStringToVetKeyEpochMetadata.get(chatIdStr);
+
+	if (cur?.status === 'loading') {
+		if (!actor) throw new Error('Not authenticated');
+
+		await cur.promise
+			.then((metadata) => {
+				// transition to ready when it resolves
+				chatIdStringToVetKeyEpochMetadata.set(chatIdStr, { status: 'ready', metadata });
+				console.log('ensureVetKeyEpochMetadata ready', chatIdStr);
+				return metadata;
+			})
+			.catch((error) => {
+				// transition to error so UI can react
+				chatIdStringToVetKeyEpochMetadata.set(chatIdStr, { status: 'error', error });
+				console.log('ensureVetKeyEpochMetadata error', chatIdStr);
+				throw error;
+			});
+	}
+}
+
+async function fastForwardSymmetricRatchetWithoutSavingUntil(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint
+): Promise<DerivedKeyMaterial> {
+	const chatIdStr = chatIdToString(chatId);
+	const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+	const cur = chatIdStringToEpochKeyState.get(mapKey);
+	if (!cur) {
+		throw new Error('Bug: failed to get epoch key');
+	}
+	if (cur.status !== 'ready') {
+		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
+	}
+	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
+	if (currentSymmetricKeyEpoch >= symmetricKeyEpoch) {
+		return DerivedKeyMaterial.fromCryptoKey(key);
+	}
+
+	let derivedKeyState = { epochKey: key, symmetricKeyEpoch: currentSymmetricKeyEpoch };
+	while (derivedKeyState.symmetricKeyEpoch < symmetricKeyEpoch) {
+		derivedKeyState = {
+			epochKey: await deriveNextEpochKey(
+				derivedKeyState.epochKey,
+				derivedKeyState.symmetricKeyEpoch
+			),
+			symmetricKeyEpoch: derivedKeyState.symmetricKeyEpoch + 1n
+		};
+	}
+	return DerivedKeyMaterial.fromCryptoKey(derivedKeyState.epochKey);
+}
+
+async function ensureRootKey(actor: ActorSubclass<_SERVICE>, chatId: ChatId, epochId: bigint) {
+	const chatIdStr = chatIdToString(chatId);
+	const mapKey = `${chatIdStr}/${epochId.toString()}`;
+	const cur = chatIdStringToEpochKeyState.get(mapKey);
+
+	if (cur?.status === 'loading') {
+		await cur.promise
+			.then((key) => {
+				console.log('ensureRootKey ready', chatIdStr);
+				chatIdStringToEpochKeyState.set(mapKey, {
+					status: 'ready',
+					symmetricKeyEpoch: 0n,
+					key
+				});
+				return key;
+			})
+			.catch((error) => {
+				console.log('ensureRootKey error', chatIdStr);
+				chatIdStringToEpochKeyState.set(mapKey, {
+					status: 'error',
+					error
+				});
+				throw error;
+			});
+	}
+}
+
+async function symmetricRatchetUntil(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint
+) {
+	while ((await getCurrentSymmetricEpoch(chatId, vetkeyEpoch)) < symmetricKeyEpoch) {
+		try {
+			const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
+			const chatIdStr = chatIdToString(chatId);
+			const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+			chatIdStringToEpochKeyState.set(mapKey, {
+				status: 'ready',
+				symmetricKeyEpoch: currentSymmetricEpoch + 1n,
+				key: await symmetricRatchet(chatId, vetkeyEpoch, currentSymmetricEpoch)
+			});
+		} catch (error) {
+			console.warn('symmetricRatchetUntil: ', error);
+		}
 	}
 }
 
+async function symmetricRatchet(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	expectedSymmetricKeyEpoch: bigint
+) {
+	const chatIdStr = chatIdToString(chatId);
+	const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+	const cur = chatIdStringToEpochKeyState.get(mapKey);
+	console.log(
+		`symmetricRatchet: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} expectedSymmetricKeyEpoch: ${expectedSymmetricKeyEpoch.toString()}`
+	);
+	if (!cur) {
+		throw new Error('Bug: failed to get epoch key');
+	}
+	if (cur.status !== 'ready') {
+		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
+	}
+	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
+	if (currentSymmetricKeyEpoch !== expectedSymmetricKeyEpoch) {
+		throw new Error(
+			`Failed to send message: wrong symmetric key epoch in message: expected ${expectedSymmetricKeyEpoch} but got ${currentSymmetricKeyEpoch}`
+		);
+	}
+
+	return await deriveNextEpochKey(key, currentSymmetricKeyEpoch);
+}
+
+async function deriveNextEpochKey(
+	epochKey: CryptoKey,
+	currentSymmetricKeyEpoch: bigint
+): Promise<CryptoKey> {
+	console.log(`deriveNextEpochKey: ${currentSymmetricKeyEpoch.toString()}`);
+	const exportable = false;
+	const domainSeparator = new Uint8Array([
+		...DOMAIN_RATCHET_STEP,
+		...uBigIntTo8ByteUint8ArrayBigEndian(currentSymmetricKeyEpoch)
+	]);
+	const algorithm = {
+		name: 'HKDF',
+		hash: 'SHA-256',
+		length: 32 * 8,
+		info: domainSeparator,
+		salt: new Uint8Array()
+	};
+
+	const rawKey = await globalThis.crypto.subtle.deriveBits(algorithm, epochKey, 8 * 32);
+
+	return await globalThis.crypto.subtle.importKey('raw', rawKey, algorithm, exportable, [
+		'deriveKey',
+		'deriveBits'
+	]);
+}
+
 // Initialize on module load (browser only)
 if (typeof window !== 'undefined') {
 	void chatActions.initialize();
 }
+
+export function stringifyBigInt(value: any): string {
+	return JSON.stringify(value, (_key, value) => {
+		if (typeof value === 'bigint') {
+			return value.toString();
+		}
+		return value;
+	});
+}
+
+async function getCurrentSymmetricEpoch(chatId: ChatId, vetkeyEpoch: bigint): Promise<bigint> {
+	const chatIdStr = chatIdToString(chatId);
+	const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+	while (true) {
+		const cur = chatIdStringToEpochKeyState.get(mapKey);
+		if (cur?.status === 'ready') {
+			return cur.symmetricKeyEpoch;
+		}
+		await new Promise((resolve) => setTimeout(resolve, 100));
+	}
+}
+
+async function getSymmetricEpochKey(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint
+): Promise<DerivedKeyMaterial> {
+	const chatIdStr = chatIdToString(chatId);
+	const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+	let cur: KeyState | undefined = undefined; // wait in a loop with timeout till we get the key
+
+	console.log(
+		`getSymmetricEpochKey: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} symmetricKeyEpoch: ${symmetricKeyEpoch.toString()}`
+	);
+
+	const startTime = Date.now();
+	while (!cur || cur.status !== 'ready') {
+		cur = chatIdStringToEpochKeyState.get(mapKey);
+		if (cur && cur.status === 'error') {
+			throw new Error('Failed to get epoch key: ' + cur.error);
+		}
+		if (!cur || cur.status !== 'ready') {
+			if (Date.now() - startTime > 30000) {
+				chatActions.addNotification({
+					type: 'error',
+					title: 'Load Error',
+					message: 'Failed to load messages for this chat.',
+					isDismissible: true
+				});
+				throw new Error('Failed to send message: failed to get epoch key after 30 seconds');
+			}
+			await new Promise((resolve) => setTimeout(resolve, 100));
+		}
+	}
+	if (!cur) {
+		throw new Error('Bug: failed to get epoch key');
+	}
+
+	const { key, symmetricKeyEpoch: symmetricKeyEpochKeyState } = cur;
+
+	if (symmetricKeyEpochKeyState !== symmetricKeyEpoch) {
+		throw new Error(
+			`Failed to send message: wrong symmetric key epoch in message: expected ${symmetricKeyEpoch} but got ${symmetricKeyEpochKeyState}`
+		);
+	}
+
+	return DerivedKeyMaterial.fromCryptoKey(key);
+}
+
+async function encryptMessageContent(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint,
+	sender: Principal,
+	plaintextMessageContent: Uint8Array,
+	userMessageId: bigint
+): Promise<Uint8Array> {
+	const epochKey = await fastForwardSymmetricRatchetWithoutSavingUntil(
+		chatId,
+		vetkeyEpoch,
+		symmetricKeyEpoch
+	);
+	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
+	return await epochKey.encryptMessage(plaintextMessageContent, domainSeparator);
+}
+
+async function decryptMessageContent(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint,
+	sender: Principal,
+	encryptedMessageContent: Uint8Array,
+	userMessageId: bigint
+): Promise<Uint8Array> {
+	console.log(
+		`decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${vetkeyEpoch.toString()} symmetricKeyEpoch: ${symmetricKeyEpoch.toString()} sender: ${sender.toText()} userMessageId: ${userMessageId.toString()}`
+	);
+	const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
+	if (currentSymmetricEpoch < symmetricKeyEpoch) {
+		await symmetricRatchetUntil(chatId, vetkeyEpoch, symmetricKeyEpoch);
+	}
+	const epochKey = await getSymmetricEpochKey(chatId, vetkeyEpoch, symmetricKeyEpoch);
+	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
+	return await epochKey.decryptMessage(encryptedMessageContent, domainSeparator);
+}
+
+function messageEncryptionDomainSeparator(sender: Principal, messageId: bigint): Uint8Array {
+	return new Uint8Array([
+		...DOMAIN_MESSAGE_ENCRYPTION,
+		...sender.toUint8Array(),
+		...uBigIntTo8ByteUint8ArrayBigEndian(messageId)
+	]);
+}
+
+function uBigIntTo8ByteUint8ArrayBigEndian(value: bigint): Uint8Array {
+	if (value < 0n) throw new RangeError('Accpts only bigint n >= 0');
+
+	const bytes = new Uint8Array(8);
+	for (let i = 0; i < 8; i++) {
+		bytes[i] = Number((value >> BigInt(i * 8)) & 0xffn);
+	}
+	return bytes;
+}
+
+function sizePrefixedBytesFromString(text: string): Uint8Array {
+	const bytes = new TextEncoder().encode(text);
+	if (bytes.length > 255) {
+		throw new Error('Text is too long');
+	}
+	const size = new Uint8Array(1);
+	size[0] = bytes.length & 0xff;
+	return new Uint8Array([...size, ...bytes]);
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index d684e020..25f90a10 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -1,5 +1,8 @@
+import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import type { Principal } from '@dfinity/principal';
+
 export interface User {
-	id: string;
+	id: Principal;
 	name: string;
 	avatar?: string;
 	isOnline: boolean;
@@ -20,15 +23,16 @@ export interface Message {
 		data: ArrayBuffer;
 	};
 	isEncrypted: boolean;
-	ratchetEpoch: number;
+	vetkeyEpoch: number;
+	symmetricRatchetEpoch: number;
 }
 
 export interface Chat {
-	id: string;
+	id: ChatId;
 	name: string;
 	type: 'direct' | 'group';
-  // Participants are required by UI components like ChatHeader/ChatListItem
-  participants: User[];
+	// Participants are required by UI components like ChatHeader/ChatListItem
+	participants: User[];
 	lastMessage?: Message;
 	lastActivity: Date;
 	isReady: boolean;
@@ -37,8 +41,8 @@ export interface Chat {
 	keyRotationStatus: VetKeyRotationStatus;
 	vetKeyEpoch: number;
 	symmetricRatchetEpoch: number;
-  // Some components read ratchetEpoch directly
-  ratchetEpoch: number;
+	// Some components read ratchetEpoch directly
+	ratchetEpoch: number;
 	unreadCount: number;
 	avatar?: string;
 }
@@ -51,7 +55,7 @@ export interface DirectChat extends Chat {
 export interface GroupChat extends Chat {
 	type: 'group';
 	otherParticipants: User[];
-  adminId?: string;
+	adminId?: string;
 }
 
 export interface VetKeyRotationStatus {
@@ -62,10 +66,10 @@ export interface VetKeyRotationStatus {
 }
 
 export interface SymmetricRatchetStats {
-  currentEpoch: number;
-  messagesInCurrentEpoch: number;
-  lastRotation: Date;
-  nextScheduledRotation: Date;
+	currentEpoch: number;
+	messagesInCurrentEpoch: number;
+	lastRotation: Date;
+	nextScheduledRotation: Date;
 }
 
 export interface UserConfig {
diff --git a/examples/encrypted_chat/frontend/src/routes/+layout.svelte b/examples/encrypted_chat/frontend/src/routes/+layout.svelte
index 819d4b92..41856db6 100644
--- a/examples/encrypted_chat/frontend/src/routes/+layout.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+layout.svelte
@@ -15,6 +15,7 @@
 	<NotificationBanner />
 
 	<!-- Main content -->
+	<!-- eslint-disable-next-line @typescript-eslint/no-unsafe-call -->
 	{@render children?.()}
 </div>
 
diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index f154b810..0cc4c1af 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -2,7 +2,12 @@
 	import { onMount } from 'svelte';
 	import ChatList from '$lib/components/ChatList.svelte';
 	import ChatInterface from '$lib/components/ChatInterface.svelte';
-	import { isLoading, selectedChatId, chatActions } from '$lib/stores/chat.svelte';
+	import {
+		isLoading,
+		selectedChatId,
+		chatActions,
+		initVetKeyReactions
+	} from '$lib/stores/chat.svelte';
 	import Hero from '$lib/components/Hero.svelte';
 	import { auth } from '$lib/stores/auth.svelte';
 
@@ -24,15 +29,21 @@
 	});
 
 	onMount(() => {
-		const interval = setInterval(async () => {
-			if (auth.state.label === 'initialized') {
-			    await chatActions.refreshChats();
-			}
+		const interval = setInterval(() => {
+			(async () => {
+				if (auth.state.label === 'initialized') {
+					await chatActions.refreshChats();
+				}
+			})().catch(console.error);
 		}, 1000);
 
 		return () => clearInterval(interval);
 	});
 
+	onMount(() => {
+		initVetKeyReactions();
+	});
+
 	function handleMobileBackToChatList() {
 		showMobileChatList = true;
 	}
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index 495bca5d..fd8905bf 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -12,6 +12,7 @@ type EncryptedMessageMetadata = record {
   symmetric_key_epoch : nat64;
   chat_message_id : nat64;
   timestamp : nat64;
+  sender_message_id : nat64;
 };
 type GroupChatMetadata = record { creation_timestamp : nat64; chat_id : nat64 };
 type GroupModification = record {
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index beca14f7..f84a49cb 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -392,6 +392,7 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
+            sender_message_id: user_message.message_id,
         },
     };
 
@@ -453,6 +454,7 @@ fn send_group_message(
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
+            sender_message_id: user_message.message_id,
         },
     };
 
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index ae7799b5..4a277f4e 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -59,6 +59,7 @@ pub struct EncryptedMessageMetadata {
     pub vetkey_epoch: VetKeyEpochId,
     pub symmetric_key_epoch: SymmetricKeyEpochId,
     pub chat_message_id: ChatMessageId,
+    pub sender_message_id: SenderMessageId,
 }
 
 impl Storable for EncryptedMessageMetadata {
@@ -69,6 +70,7 @@ impl Storable for EncryptedMessageMetadata {
         bytes.extend_from_slice(&self.vetkey_epoch.0.to_le_bytes());
         bytes.extend_from_slice(&self.symmetric_key_epoch.0.to_le_bytes());
         bytes.extend_from_slice(&self.chat_message_id.0.to_le_bytes());
+        bytes.extend_from_slice(&self.sender_message_id.0.to_le_bytes());
         Cow::Owned(bytes)
     }
 
@@ -88,26 +90,32 @@ impl Storable for EncryptedMessageMetadata {
         let vetkey_epoch =
             VetKeyEpochId(u64::from_le_bytes(vetkey_epoch_bytes.try_into().unwrap()));
 
-        let (symmetric_key_epoch_bytes, chat_message_id_bytes) = rest.split_at(8);
+        let (symmetric_key_epoch_bytes, rest) = rest.split_at(8);
         let symmetric_key_epoch = SymmetricKeyEpochId(u64::from_le_bytes(
             symmetric_key_epoch_bytes.try_into().unwrap(),
         ));
 
+        let (chat_message_id_bytes, sender_message_id_bytes) = rest.split_at(8);
         let chat_message_id = ChatMessageId(u64::from_le_bytes(
             chat_message_id_bytes.try_into().unwrap(),
         ));
 
+        let sender_message_id = SenderMessageId(u64::from_le_bytes(
+            sender_message_id_bytes.try_into().unwrap(),
+        ));
+
         Self {
             sender,
             timestamp,
             vetkey_epoch,
             symmetric_key_epoch,
             chat_message_id,
+            sender_message_id,
         }
     }
 
     const BOUND: Bound = Bound::Bounded {
-        max_size: Principal::MAX_LENGTH_IN_BYTES as u32 + 3 * 8,
+        max_size: Principal::MAX_LENGTH_IN_BYTES as u32 + 4 * 8,
         is_fixed_size: false,
     };
 }
diff --git a/examples/encrypted_chat/rust/backend/tests/common/mod.rs b/examples/encrypted_chat/rust/backend/tests/common/mod.rs
new file mode 100644
index 00000000..3ae1e89f
--- /dev/null
+++ b/examples/encrypted_chat/rust/backend/tests/common/mod.rs
@@ -0,0 +1,131 @@
+use candid::{decode_one, encode_one, CandidType, Principal};
+use pocket_ic::{PocketIc, PocketIcBuilder};
+use rand::{CryptoRng, Rng, SeedableRng};
+use rand_chacha::ChaCha20Rng;
+use std::path::Path;
+
+#[allow(dead_code)]
+pub const NANOSECONDS_IN_MINUTE: u64 = 60_000_000_000;
+
+pub fn reproducible_rng() -> ChaCha20Rng {
+    let mut seed = [0u8; 32];
+    rand::rng().fill(&mut seed);
+    let rng = ChaCha20Rng::from_seed(seed);
+    println!("{seed:?}");
+    rng
+}
+
+pub fn random_self_authenticating_principal<R: Rng + CryptoRng>(rng: &mut R) -> Principal {
+    let fake_pk = random_bytes(32, rng);
+    Principal::self_authenticating(&fake_pk)
+}
+
+pub fn random_bytes<R: Rng + CryptoRng>(size: usize, rng: &mut R) -> Vec<u8> {
+    let mut buf = vec![0; size];
+    rng.fill_bytes(&mut buf);
+    buf
+}
+
+pub struct TestEnvironment {
+    pub pic: PocketIc,
+    pub canister_id: Principal,
+    #[allow(dead_code)]
+    pub principal_0: Principal,
+    #[allow(dead_code)]
+    pub principal_1: Principal,
+    #[allow(dead_code)]
+    pub principal_2: Principal,
+}
+
+impl TestEnvironment {
+    pub fn new<R: Rng + CryptoRng>(rng: &mut R) -> Self {
+        let pic = PocketIcBuilder::new()
+            .with_application_subnet()
+            .with_ii_subnet()
+            .with_fiduciary_subnet()
+            .with_nonmainnet_features(true)
+            .build();
+
+        let canister_id = pic.create_canister();
+        pic.add_cycles(canister_id, 2_000_000_000_000);
+
+        let wasm_bytes = load_canister_wasm();
+        pic.install_canister(
+            canister_id,
+            wasm_bytes,
+            encode_one("dfx_test_key").unwrap(),
+            None,
+        );
+
+        // Make sure the canister is properly initialized
+        fast_forward(&pic, 5);
+
+        Self {
+            pic,
+            canister_id,
+            principal_0: random_self_authenticating_principal(rng),
+            principal_1: random_self_authenticating_principal(rng),
+            principal_2: random_self_authenticating_principal(rng),
+        }
+    }
+
+    pub fn update<T: CandidType + for<'de> candid::Deserialize<'de>>(
+        &self,
+        caller: Principal,
+        method_name: &str,
+        args: Vec<u8>,
+    ) -> T {
+        let reply = self
+            .pic
+            .update_call(self.canister_id, caller, method_name, args);
+        match reply {
+            Ok(data) => decode_one(&data).expect("failed to decode reply"),
+            Err(user_error) => panic!("canister returned a user error: {user_error}"),
+        }
+    }
+
+    pub fn query<T: CandidType + for<'de> candid::Deserialize<'de>>(
+        &self,
+        caller: Principal,
+        method_name: &str,
+        args: Vec<u8>,
+    ) -> T {
+        let reply = self
+            .pic
+            .query_call(self.canister_id, caller, method_name, args);
+        match reply {
+            Ok(data) => decode_one(&data).expect("failed to decode reply"),
+            Err(user_error) => panic!("canister returned a user error: {user_error}"),
+        }
+    }
+}
+
+fn fast_forward(ic: &PocketIc, ticks: u64) {
+    for _ in 0..ticks - 1 {
+        ic.tick();
+    }
+}
+
+fn load_canister_wasm() -> Vec<u8> {
+    let wasm_path_string = match std::env::var("CUSTOM_WASM_PATH") {
+        Ok(path) if !path.is_empty() => path,
+        _ => format!(
+            "{}/examples/encrypted_chat/rust/target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm",
+            git_root_dir()
+        ),
+    };
+    let wasm_path = Path::new(&wasm_path_string);
+    std::fs::read(wasm_path)
+        .expect("wasm does not exist - run `cargo build --release --target wasm32-unknown-unknown`")
+}
+
+pub fn git_root_dir() -> String {
+    let output = std::process::Command::new("git")
+        .args(["rev-parse", "--show-toplevel"])
+        .output()
+        .expect("Failed to execute git command");
+    assert!(output.status.success());
+    let root_dir_with_newline =
+        String::from_utf8(output.stdout).expect("Failed to convert stdout to string");
+    root_dir_with_newline.trim_end_matches('\n').to_string()
+}
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index e3df0825..2a9fb836 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -1,16 +1,13 @@
-use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
+use candid::{encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
     EncryptedSymmetricKeyEpochCache, IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId,
     Time, UserMessage, VetKeyEpochId,
 };
-use pocket_ic::{PocketIc, PocketIcBuilder};
-use rand::{CryptoRng, Rng, SeedableRng};
-use rand_chacha::ChaCha20Rng;
 use serde_bytes::ByteBuf;
-use std::path::Path;
 
-const NANOSECONDS_IN_MINUTE: u64 = 60_000_000_000;
+mod common;
+use common::*;
 
 #[test]
 fn can_create_chat() {
@@ -172,6 +169,7 @@ fn can_send_and_get_messages() {
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
                     chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
+                    sender_message_id: SenderMessageId(message_id_raw),
                 },
             };
 
@@ -1542,123 +1540,3 @@ fn time_job_reports_cleaned_up_expired_items() {
     });
     assert_eq!(log_string, "Timer job: cleaned up 8 expired direct messages, 0 expired group messages, 4 expired vetkey epochs caches, 4 expired reshared vetkeys");
 }
-
-fn reproducible_rng() -> ChaCha20Rng {
-    let mut seed = [0u8; 32];
-    rand::rng().fill(&mut seed);
-    let rng = ChaCha20Rng::from_seed(seed);
-    println!("{seed:?}");
-    rng
-}
-
-fn random_self_authenticating_principal<R: Rng + CryptoRng>(rng: &mut R) -> Principal {
-    let fake_pk = random_bytes(32, rng);
-    Principal::self_authenticating(&fake_pk)
-}
-
-fn random_bytes<R: Rng + CryptoRng>(size: usize, rng: &mut R) -> Vec<u8> {
-    let mut buf = vec![0; size];
-    rng.fill_bytes(&mut buf);
-    buf
-}
-
-struct TestEnvironment {
-    pic: PocketIc,
-    canister_id: Principal,
-    principal_0: Principal,
-    principal_1: Principal,
-    principal_2: Principal,
-}
-
-impl TestEnvironment {
-    fn new<R: Rng + CryptoRng>(rng: &mut R) -> Self {
-        let pic = PocketIcBuilder::new()
-            .with_application_subnet()
-            .with_ii_subnet()
-            .with_fiduciary_subnet()
-            .with_nonmainnet_features(true)
-            .build();
-
-        let canister_id = pic.create_canister();
-        pic.add_cycles(canister_id, 2_000_000_000_000);
-
-        let wasm_bytes = load_canister_wasm();
-        pic.install_canister(
-            canister_id,
-            wasm_bytes,
-            encode_one("dfx_test_key").unwrap(),
-            None,
-        );
-
-        // Make sure the canister is properly initialized
-        fast_forward(&pic, 5);
-
-        Self {
-            pic,
-            canister_id,
-            principal_0: random_self_authenticating_principal(rng),
-            principal_1: random_self_authenticating_principal(rng),
-            principal_2: random_self_authenticating_principal(rng),
-        }
-    }
-
-    fn update<T: CandidType + for<'de> candid::Deserialize<'de>>(
-        &self,
-        caller: Principal,
-        method_name: &str,
-        args: Vec<u8>,
-    ) -> T {
-        let reply = self
-            .pic
-            .update_call(self.canister_id, caller, method_name, args);
-        match reply {
-            Ok(data) => decode_one(&data).expect("failed to decode reply"),
-            Err(user_error) => panic!("canister returned a user error: {user_error}"),
-        }
-    }
-
-    fn query<T: CandidType + for<'de> candid::Deserialize<'de>>(
-        &self,
-        caller: Principal,
-        method_name: &str,
-        args: Vec<u8>,
-    ) -> T {
-        let reply = self
-            .pic
-            .query_call(self.canister_id, caller, method_name, args);
-        match reply {
-            Ok(data) => decode_one(&data).expect("failed to decode reply"),
-            Err(user_error) => panic!("canister returned a user error: {user_error}"),
-        }
-    }
-}
-
-fn fast_forward(ic: &PocketIc, ticks: u64) {
-    for _ in 0..ticks - 1 {
-        ic.tick();
-    }
-}
-
-fn load_canister_wasm() -> Vec<u8> {
-    let wasm_path_string = match std::env::var("CUSTOM_WASM_PATH") {
-        Ok(path) if !path.is_empty() => path,
-        _ => format!(
-            "{}/examples/encrypted_chat/rust/target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm",
-            git_root_dir()
-        ),
-    };
-    let wasm_path = Path::new(&wasm_path_string);
-    std::fs::read(wasm_path)
-        .expect("wasm does not exist - run `cargo build --release --target wasm32-unknown-unknown`")
-}
-
-pub fn git_root_dir() -> String {
-    let output = std::process::Command::new("git")
-        .args(["rev-parse", "--show-toplevel"])
-        .output()
-        .expect("Failed to execute git command");
-    assert!(output.status.success());
-    let root_dir_with_newline =
-        String::from_utf8(output.stdout).expect("Failed to convert stdout to string");
-    root_dir_with_newline.trim_end_matches('\n').to_string()
-}
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index b167eecd..9f39ffc0 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -1,17 +1,14 @@
-use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
+use candid::{ encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata,
     EncryptedSymmetricKeyEpochCache, GroupChatId, GroupChatMetadata, GroupModification,
     IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
     VetKeyEpochMetadata,
 };
-use pocket_ic::{PocketIc, PocketIcBuilder};
-use rand::{CryptoRng, Rng, SeedableRng};
-use rand_chacha::ChaCha20Rng;
 use serde_bytes::ByteBuf;
-use std::path::Path;
 
-const NANOSECONDS_IN_MINUTE: u64 = 60_000_000_000;
+mod common;
+use common::*;
 
 #[test]
 fn can_create_chat() {
@@ -120,6 +117,7 @@ fn can_send_and_get_messages() {
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch: SymmetricKeyEpochId(0),
                         chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
+                        sender_message_id: SenderMessageId(message_id_raw),
                     },
                 };
 
@@ -1937,123 +1935,3 @@ fn time_job_reports_cleaned_up_expired_items() {
     });
     assert_eq!(log_string, "Timer job: cleaned up 0 expired direct messages, 8 expired group messages, 4 expired vetkey epochs caches, 4 expired reshared vetkeys");
 }
-
-fn reproducible_rng() -> ChaCha20Rng {
-    let mut seed = [0u8; 32];
-    rand::rng().fill(&mut seed);
-    let rng = ChaCha20Rng::from_seed(seed);
-    println!("{seed:?}");
-    rng
-}
-
-fn random_self_authenticating_principal<R: Rng + CryptoRng>(rng: &mut R) -> Principal {
-    let fake_pk = random_bytes(32, rng);
-    Principal::self_authenticating(&fake_pk)
-}
-
-fn random_bytes<R: Rng + CryptoRng>(size: usize, rng: &mut R) -> Vec<u8> {
-    let mut buf = vec![0; size];
-    rng.fill_bytes(&mut buf);
-    buf
-}
-
-struct TestEnvironment {
-    pic: PocketIc,
-    canister_id: Principal,
-    principal_0: Principal,
-    principal_1: Principal,
-    principal_2: Principal,
-}
-
-impl TestEnvironment {
-    fn new<R: Rng + CryptoRng>(rng: &mut R) -> Self {
-        let pic = PocketIcBuilder::new()
-            .with_application_subnet()
-            .with_ii_subnet()
-            .with_fiduciary_subnet()
-            .with_nonmainnet_features(true)
-            .build();
-
-        let canister_id = pic.create_canister();
-        pic.add_cycles(canister_id, 2_000_000_000_000);
-
-        let wasm_bytes = load_canister_wasm();
-        pic.install_canister(
-            canister_id,
-            wasm_bytes,
-            encode_one("dfx_test_key").unwrap(),
-            None,
-        );
-
-        // Make sure the canister is properly initialized
-        fast_forward(&pic, 5);
-
-        Self {
-            pic,
-            canister_id,
-            principal_0: random_self_authenticating_principal(rng),
-            principal_1: random_self_authenticating_principal(rng),
-            principal_2: random_self_authenticating_principal(rng),
-        }
-    }
-
-    fn update<T: CandidType + for<'de> candid::Deserialize<'de>>(
-        &self,
-        caller: Principal,
-        method_name: &str,
-        args: Vec<u8>,
-    ) -> T {
-        let reply = self
-            .pic
-            .update_call(self.canister_id, caller, method_name, args);
-        match reply {
-            Ok(data) => decode_one(&data).expect("failed to decode reply"),
-            Err(user_error) => panic!("canister returned a user error: {user_error}"),
-        }
-    }
-
-    fn query<T: CandidType + for<'de> candid::Deserialize<'de>>(
-        &self,
-        caller: Principal,
-        method_name: &str,
-        args: Vec<u8>,
-    ) -> T {
-        let reply = self
-            .pic
-            .query_call(self.canister_id, caller, method_name, args);
-        match reply {
-            Ok(data) => decode_one(&data).expect("failed to decode reply"),
-            Err(user_error) => panic!("canister returned a user error: {user_error}"),
-        }
-    }
-}
-
-fn fast_forward(ic: &PocketIc, ticks: u64) {
-    for _ in 0..ticks - 1 {
-        ic.tick();
-    }
-}
-
-fn load_canister_wasm() -> Vec<u8> {
-    let wasm_path_string = match std::env::var("CUSTOM_WASM_PATH") {
-        Ok(path) if !path.is_empty() => path,
-        _ => format!(
-            "{}/examples/encrypted_chat/rust/target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm",
-            git_root_dir()
-        ),
-    };
-    let wasm_path = Path::new(&wasm_path_string);
-    std::fs::read(wasm_path)
-        .expect("wasm does not exist - run `cargo build --release --target wasm32-unknown-unknown`")
-}
-
-pub fn git_root_dir() -> String {
-    let output = std::process::Command::new("git")
-        .args(["rev-parse", "--show-toplevel"])
-        .output()
-        .expect("Failed to execute git command");
-    assert!(output.status.success());
-    let root_dir_with_newline =
-        String::from_utf8(output.stdout).expect("Failed to convert stdout to string");
-    root_dir_with_newline.trim_end_matches('\n').to_string()
-}
diff --git a/examples/encrypted_chat/rust/backend/tests/misc.rs b/examples/encrypted_chat/rust/backend/tests/misc.rs
index 8c8c9d7e..de339a71 100644
--- a/examples/encrypted_chat/rust/backend/tests/misc.rs
+++ b/examples/encrypted_chat/rust/backend/tests/misc.rs
@@ -1,5 +1,11 @@
+use candid::encode_args;
 use candid::Principal;
 use ic_vetkeys_example_encrypted_chat_backend::types::*;
+use rand::seq::SliceRandom;
+use rand::Rng;
+
+mod common;
+use common::*;
 
 /// This test ensures that the minimum value of the ChatId enum is the direct chat with the management canister as both participants.
 #[test]
@@ -20,3 +26,96 @@ fn test_chat_id_min_value() {
         ChatId::Group(_) => {}
     };
 }
+
+#[test]
+fn can_create_many_chats() {
+    let rng = &mut reproducible_rng();
+    let env = TestEnvironment::new(rng);
+
+    let mut num_group_chats = 0;
+    let mut num_direct_chats = 0;
+
+    let participants = (0..10)
+        .map(|_| random_self_authenticating_principal(rng))
+        .collect::<Vec<_>>();
+
+    let mut expected_chat_ids = std::collections::BTreeMap::new();
+
+    while num_group_chats < 10 || num_direct_chats < 10 {
+        let direct = rng.random_bool(0.5);
+
+        if direct {
+            let p_0 = participants[0];
+            let p_1 = participants[rng.random_range(0..participants.len())];
+
+            let chat_id = ChatId::Direct(DirectChatId::new((p_0, p_1)));
+            if expected_chat_ids.insert((p_0, chat_id), ()).is_some() {
+                continue;
+            }
+            expected_chat_ids.insert((p_1, chat_id), ());
+
+            env.update::<Result<Time, String>>(
+                p_0,
+                "create_direct_chat",
+                encode_args((p_1, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+            num_direct_chats += 1;
+        } else {
+            let number_of_participants = rng.random_range(1..5);
+            let mut invited_participants = participants.clone();
+            invited_participants.shuffle(rng);
+            invited_participants.truncate(number_of_participants);
+            let group_creator = invited_participants.split_off(0);
+
+            if group_creator[0] != participants[0]
+                && !invited_participants.contains(&participants[0])
+            {
+                invited_participants.push(participants[0].clone());
+            }
+
+            let chat_id = ChatId::Group(GroupChatId(num_group_chats));
+
+            assert!(expected_chat_ids
+                .insert((group_creator[0], chat_id), ())
+                .is_none());
+            for p in invited_participants.clone() {
+                assert!(expected_chat_ids.insert((p, chat_id), ()).is_none());
+            }
+
+            env.update::<Result<GroupChatMetadata, String>>(
+                group_creator[0],
+                "create_group_chat",
+                encode_args((invited_participants, Time(1_000), Time(10_000))).unwrap(),
+            )
+            .unwrap();
+
+            num_group_chats += 1;
+        }
+
+        for p in participants.clone() {
+            let my_chat_ids = env.query::<Vec<(ChatId, ChatMessageId)>>(
+                p,
+                "get_my_chat_ids",
+                encode_args(()).unwrap(),
+            );
+
+            let expected_chat_ids = expected_chat_ids
+                .range((p, ChatId::MIN_VALUE)..)
+                .take_while(|(key, _)| key.0 == p)
+                .map(|(key, _value)| (key.1, ChatMessageId(0)))
+                .collect::<Vec<_>>();
+
+            assert_eq!(my_chat_ids, expected_chat_ids);
+        }
+
+        let p0_chat_ids = env.query::<Vec<(ChatId, ChatMessageId)>>(
+            participants[0],
+            "get_my_chat_ids",
+            encode_args(()).unwrap(),
+        );
+
+        assert_eq!(p0_chat_ids.len() as u64, num_group_chats + num_direct_chats);
+    }
+}

From 1060938c740e71f6a729af640dc77ae0dcce8daf Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 13 Aug 2025 13:40:40 +0200
Subject: [PATCH 24/62] message reencryption draft

---
 .../frontend/src/lib/stores/chat.svelte.ts    | 124 ++++++++++--------
 1 file changed, 72 insertions(+), 52 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 9fb9bbe7..1f004580 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -366,62 +366,82 @@ export const chatActions = {
 
 		const chatIdStr = chatIdToString(chatId);
 
-		if (auth.state.label !== 'initialized') {
-			throw new Error('Unexpectedly not authenticated');
-		}
-		const myPrincipal = auth.state.client.getIdentity().getPrincipal();
+		let repetitions = 0;
+		const MAX_REPETITIONS = 10;
 
-		try {
-			const vetKeyEpochMeta = chatIdStringToVetKeyEpochMetadata.get(chatIdStr);
-			if (vetKeyEpochMeta?.status !== 'ready') {
-				console.error('Failed to get vetkey epoch metadata for chat:', chatId);
-				return;
+		// reencrypt and resend the message if vetkey or symmetric key epoch has changed
+		while (repetitions < MAX_REPETITIONS) {
+			if (auth.state.label !== 'initialized') {
+				throw new Error('Unexpectedly not authenticated');
 			}
-			const vetKeyEpochId = vetKeyEpochMeta.metadata.epoch_id;
-			const elapsedSinceVetKeyEpoch =
-				BigInt(Date.now()) * 1_000_000n - vetKeyEpochMeta.metadata.creation_timestamp;
-			const symmetricKeyEpoch =
-				elapsedSinceVetKeyEpoch / vetKeyEpochMeta.metadata.symmetric_key_rotation_duration;
-
-			const buf = new Uint8Array(8);
-			globalThis.crypto.getRandomValues(buf);
-			let message_id = 0n;
-			for (const b of buf) message_id = (message_id << 8n) | BigInt(b);
-
-			const messageContent = JSON.stringify({ content, fileData });
-			const encryptedMessageContent = await encryptMessageContent(
-				chatId,
-				vetKeyEpochId,
-				symmetricKeyEpoch,
-				myPrincipal,
-				new TextEncoder().encode(messageContent),
-				message_id
-			);
+			const myPrincipal = auth.state.client.getIdentity().getPrincipal();
 
-			const message: UserMessage = {
-				vetkey_epoch: vetKeyEpochId,
-				content: encryptedMessageContent,
-				symmetric_key_epoch: symmetricKeyEpoch,
-				message_id
-			};
-
-			if ('Direct' in chatId) {
-				const receiver =
-					chatId.Direct[0].toString() === myPrincipal.toString()
-						? chatId.Direct[1]
-						: chatId.Direct[0];
-				await chatAPI.sendDirectMessage(actor, receiver, message);
-			} else {
-				await chatAPI.sendGroupMessage(actor, chatId.Group, message);
+			try {
+				const vetKeyEpochMeta = chatIdStringToVetKeyEpochMetadata.get(chatIdStr);
+				if (vetKeyEpochMeta?.status !== 'ready') {
+					console.error('Failed to get vetkey epoch metadata for chat:', chatId);
+					return;
+				}
+				const vetKeyEpochId = vetKeyEpochMeta.metadata.epoch_id;
+				const elapsedSinceVetKeyEpoch =
+					BigInt(Date.now()) * 1_000_000n - vetKeyEpochMeta.metadata.creation_timestamp;
+				const symmetricKeyEpoch =
+					elapsedSinceVetKeyEpoch / vetKeyEpochMeta.metadata.symmetric_key_rotation_duration;
+
+				const buf = new Uint8Array(8);
+				globalThis.crypto.getRandomValues(buf);
+				let messageId = 0n;
+				for (const b of buf) messageId = (messageId << 8n) | BigInt(b);
+
+				const messageContent = JSON.stringify({ content, fileData });
+				const encryptedMessageContent = await encryptMessageContent(
+					chatId,
+					vetKeyEpochId,
+					symmetricKeyEpoch,
+					myPrincipal,
+					new TextEncoder().encode(messageContent),
+					messageId
+				);
+
+				const message: UserMessage = {
+					vetkey_epoch: vetKeyEpochId,
+					content: encryptedMessageContent,
+					symmetric_key_epoch: symmetricKeyEpoch,
+					message_id: messageId
+				};
+
+				if ('Direct' in chatId) {
+					const receiver =
+						chatId.Direct[0].toString() === myPrincipal.toString()
+							? chatId.Direct[1]
+							: chatId.Direct[0];
+					await chatAPI.sendDirectMessage(actor, receiver, message);
+				} else {
+					await chatAPI.sendGroupMessage(actor, chatId.Group, message);
+				}
+				break;
+			} catch (error) {
+				if (
+					error instanceof Error &&
+					(error.message.startsWith('Wrong vetkey epoch') ||
+						error.message.startsWith('Wrong symmetric key epoch'))
+				) {
+					console.info(
+						`Failed to send message - wrong vetkey or symmetric key epoch in message: ${error.message}`
+					);
+					await new Promise((resolve) => setTimeout(resolve, 1000));
+					repetitions++;
+					continue;
+				} else {
+					console.error('Failed to send message:', error);
+					chatActions.addNotification({
+						type: 'error',
+						title: 'Send Error',
+						message: 'Failed to send message. Please try again.',
+						isDismissible: true
+					});
+				}
 			}
-		} catch (error) {
-			console.error('Failed to send message:', error);
-			chatActions.addNotification({
-				type: 'error',
-				title: 'Send Error',
-				message: 'Failed to send message. Please try again.',
-				isDismissible: true
-			});
 		}
 	},
 

From 48e4e4b093318c812c2f5d9c6dd051ee39cd9643 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 13 Aug 2025 15:31:27 +0200
Subject: [PATCH 25/62] group changes

---
 .../components/GroupManagementModal.svelte    | 158 ++++++++++--------
 .../src/lib/components/MessageHistory.svelte  |  22 ++-
 .../frontend/src/lib/stores/chat.svelte.ts    |  15 +-
 3 files changed, 112 insertions(+), 83 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index bf662f2f..bece5627 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -2,6 +2,9 @@
 	import { createEventDispatcher } from 'svelte';
 	import { UserPlus, UserMinus, X, Save, Users } from 'lucide-svelte';
 	import type { GroupChat, User } from '../types';
+	import { getMyPrincipal } from '$lib/stores/auth.svelte';
+	import { Principal } from '@dfinity/principal';
+	import type { Principal as PrincipalType } from '@dfinity/principal';
 
 	export let show = false;
 	export let groupChat: GroupChat;
@@ -11,17 +14,42 @@
 		save: { addUsers: string[]; removeUsers: string[]; allowHistoryForNew: boolean };
 	}>();
 
-	// Dummy users that could be added to the group
-	const availableUsers: User[] = [
-		{ id: 'user-frank', name: 'Frank Miller', avatar: '👨‍🏫', isOnline: true },
-		{ id: 'user-grace', name: 'Grace Lee', avatar: '👩‍⚕️', isOnline: false },
-		{ id: 'user-henry', name: 'Henry Taylor', avatar: '👨‍🎤', isOnline: true },
-		{ id: 'user-ivy', name: 'Ivy Chen', avatar: '👩‍🎨', isOnline: false }
-	];
-
 	let selectedToAdd: string[] = [];
 	let selectedToRemove: string[] = [];
-	let allowHistoryForNew = false;
+	let allowHistoryForNew = true;
+	let usersToShow: User[] = [];
+
+	// Text input for adding multiple principals
+	let principalsInput = '';
+	let validPrincipalStrings: string[] = [];
+	let invalidPrincipalTokens: string[] = [];
+
+	// Reactively parse and validate principals from text input
+	$: {
+		const rawTokens = principalsInput
+			.split(/[\s,;\n\r]+/)
+			.map((t) => t.trim())
+			.filter((t) => t.length > 0);
+		const uniqueTokens = Array.from(new Set(rawTokens));
+		const nextValid: string[] = [];
+		const nextInvalid: string[] = [];
+		for (const token of uniqueTokens) {
+			try {
+				// Validate deserialization. Keep original string for dispatching.
+				Principal.fromText(token);
+				nextValid.push(token);
+			} catch (_) {
+				nextInvalid.push(token);
+			}
+		}
+		validPrincipalStrings = nextValid;
+		invalidPrincipalTokens = nextInvalid;
+	}
+
+	// Total adds including typed principals
+	$: totalAddCount = selectedToAdd.length + validPrincipalStrings.length;
+	$: canSave =
+		(totalAddCount > 0 || selectedToRemove.length > 0) && invalidPrincipalTokens.length === 0;
 
 	function toggleAddUser(userId: string) {
 		if (selectedToAdd.includes(userId)) {
@@ -40,8 +68,13 @@
 	}
 
 	function handleSave() {
+		// Block saving if any invalid principals are present
+		if (invalidPrincipalTokens.length > 0) {
+			return;
+		}
+		const combinedAddUsers = Array.from(new Set([...selectedToAdd, ...validPrincipalStrings]));
 		dispatch('save', {
-			addUsers: selectedToAdd,
+			addUsers: combinedAddUsers,
 			removeUsers: selectedToRemove,
 			allowHistoryForNew
 		});
@@ -53,19 +86,18 @@
 		selectedToAdd = [];
 		selectedToRemove = [];
 		allowHistoryForNew = false;
+		principalsInput = '';
+		validPrincipalStrings = [];
+		invalidPrincipalTokens = [];
 		dispatch('close');
 	}
 
-	function canRemoveUser(userId: string): boolean {
+	function canRemoveUser(userId: PrincipalType): boolean {
 		// Can't remove current user or admin
-		return userId !== 'current-user' && userId !== groupChat.adminId;
+		return (
+			userId.toString() !== getMyPrincipal().toString() && userId.toString() !== groupChat.adminId
+		);
 	}
-
-	// Filter available users to only show those not in the group
-	let usersToShow: User[] = [];
-	$: usersToShow = availableUsers.filter(
-		(user) => !groupChat.participants.some((p) => p.id === user.id)
-	);
 </script>
 
 {#if show}
@@ -111,12 +143,12 @@
 													: 'bg-surface-400'}"
 											></div>
 											{member.isOnline ? 'Online' : 'Offline'}
-											{#if member.id === groupChat.adminId}
+											{#if member.id.toString() === groupChat.adminId}
 												<span class="bg-primary-500 rounded px-2 py-0.5 text-xs text-white"
 													>Admin</span
 												>
 											{/if}
-											{#if member.id === 'current-user'}
+											{#if member.id.toString() === getMyPrincipal().toString()}
 												<span class="bg-surface-400 rounded px-2 py-0.5 text-xs text-white"
 													>You</span
 												>
@@ -128,8 +160,8 @@
 								{#if canRemoveUser(member.id)}
 									<button
 										class="variant-ghost-error btn-icon"
-										onclick={() => toggleRemoveUser(member.id)}
-										class:variant-filled-error={selectedToRemove.includes(member.id)}
+										onclick={() => toggleRemoveUser(member.id.toString())}
+										class:variant-filled-error={selectedToRemove.includes(member.id.toString())}
 										title="Remove from group"
 									>
 										<UserMinus class="h-4 w-4" />
@@ -140,55 +172,37 @@
 					</div>
 				</div>
 
-				<!-- Add New Members -->
-				{#if usersToShow.length > 0}
-					<div>
-						<h3 class="mb-3 font-semibold">Add Members</h3>
-						<div class="space-y-2">
-							{#each usersToShow as user (user.id)}
-								<div
-									class="bg-surface-200-700-token flex items-center justify-between rounded-lg p-3"
-								>
-									<div class="flex items-center gap-3">
-										<div
-											class="avatar bg-primary-500 flex h-8 w-8 items-center justify-center rounded-full text-sm"
-										>
-											{user.avatar || '👤'}
-										</div>
-										<div>
-											<p class="text-sm font-medium">{user.name}</p>
-											<div class="text-surface-600-300-token flex items-center gap-2 text-xs">
-												<div
-													class="h-2 w-2 rounded-full {user.isOnline
-														? 'bg-success-500'
-														: 'bg-surface-400'}"
-												></div>
-												{user.isOnline ? 'Online' : 'Offline'}
-											</div>
-										</div>
-									</div>
+				<!-- Add by Principal Text Input -->
+				<div>
+					<h3 class="mb-3 font-semibold">Add by Principal</h3>
+					<div class="space-y-2">
+						<textarea
+							class="border-surface-300-600-token w-full rounded-lg border p-3 text-sm focus:outline-none"
+							class:border-error-500={invalidPrincipalTokens.length > 0}
+							rows="3"
+							bind:value={principalsInput}
+							placeholder="Enter one or more principals separated by commas or whitespace"
+						></textarea>
 
-									<button
-										class="variant-ghost-success btn-icon"
-										onclick={() => toggleAddUser(user.id)}
-										class:variant-filled-success={selectedToAdd.includes(user.id)}
-										title="Add to group"
-									>
-										<UserPlus class="h-4 w-4" />
-									</button>
+						{#if invalidPrincipalTokens.length > 0}
+							<div class="text-error-500 text-xs">
+								Invalid principals:
+								<div class="mt-1 flex flex-wrap gap-1">
+									{#each invalidPrincipalTokens as t}
+										<span class="bg-error-500/10 text-error-600 rounded px-2 py-0.5">{t}</span>
+									{/each}
 								</div>
-							{/each}
-						</div>
-					</div>
-				{:else}
-					<div class="text-surface-600-300-token py-8 text-center">
-						<Users class="mx-auto mb-2 h-12 w-12 opacity-50" />
-						<p>No additional users available to add</p>
+							</div>
+						{:else if validPrincipalStrings.length > 0}
+							<div class="text-surface-600-300-token text-xs">
+								Will add {validPrincipalStrings.length} principal{validPrincipalStrings.length !== 1 ? 's' : ''}
+							</div>
+						{/if}
 					</div>
-				{/if}
+				</div>
 
-				<!-- Options -->
-				{#if selectedToAdd.length > 0}
+			<!-- Options -->
+			{#if totalAddCount > 0}
 					<div>
 						<h3 class="mb-3 font-semibold">Options</h3>
 						<label
@@ -205,14 +219,14 @@
 					</div>
 				{/if}
 
-				<!-- Summary -->
-				{#if selectedToAdd.length > 0 || selectedToRemove.length > 0}
+			<!-- Summary -->
+			{#if totalAddCount > 0 || selectedToRemove.length > 0}
 					<div class="border-primary-500/20 bg-primary-500/10 rounded-lg border p-4">
 						<h4 class="mb-2 text-sm font-semibold">Changes Summary</h4>
 						<div class="space-y-1 text-sm">
-							{#if selectedToAdd.length > 0}
+						{#if totalAddCount > 0}
 								<p class="text-success-500">
-									+ {selectedToAdd.length} member{selectedToAdd.length !== 1 ? 's' : ''} to add
+								+ {totalAddCount} member{totalAddCount !== 1 ? 's' : ''} to add
 								</p>
 							{/if}
 							{#if selectedToRemove.length > 0}
@@ -238,7 +252,7 @@
 				<button
 					class="variant-filled-primary btn"
 					onclick={handleSave}
-					disabled={selectedToAdd.length === 0 && selectedToRemove.length === 0}
+					disabled={!canSave}
 					title="Save Changes"
 					aria-label="Save Changes"
 				>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
index f1b3eaef..aa341017 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
@@ -19,11 +19,14 @@
 		selectedChatId.state ? (messages.state[chatIdToString(selectedChatId.state)] ?? []) : []
 	);
 
-	// Scroll to bottom when new messages arrive
+	// Scroll to bottom when new messages arrive (after DOM updates)
 	$effect(() => {
-		if (autoScroll && messagesContainer && selectedChatMessages) {
-			// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
-			messagesContainer.scrollTop = messagesContainer.scrollHeight;
+		const messageCount = selectedChatMessages.length;
+		if (autoScroll && messagesContainer) {
+			requestAnimationFrame(() => {
+				if (!messagesContainer) return;
+				messagesContainer.scrollTop = messagesContainer.scrollHeight;
+			});
 		}
 	});
 
@@ -38,8 +41,11 @@
 
 	function scrollToBottom() {
 		if (messagesContainer) {
-			messagesContainer.scrollTop = messagesContainer.scrollHeight;
-			autoScroll = true;
+			requestAnimationFrame(() => {
+				if (!messagesContainer) return;
+				messagesContainer.scrollTop = messagesContainer.scrollHeight;
+				autoScroll = true;
+			});
 		}
 	}
 
@@ -51,8 +57,8 @@
 
 	function isOwnMessage(message: Message): boolean {
 		if (auth.state.label !== 'initialized') throw new Error('Unexpectedly not authenticated');
-		const myPrincipal = auth.state.client.getIdentity().getPrincipal();
-		return message.senderId === myPrincipal.toString();
+		console.log('isOwnMessage', message.senderId, getMyPrincipal().toString());
+		return message.senderId === getMyPrincipal().toString();
 	}
 
 	function shouldShowAvatar(message: Message, index: number): boolean {
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 1f004580..f36203d9 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -2,7 +2,7 @@ import type { Chat, Message, UserConfig, Notification, SymmetricRatchetStats } f
 import { chatAPI } from '../services/api';
 import { storageService } from '../services/storage';
 import { SvelteDate } from 'svelte/reactivity';
-import { auth } from '$lib/stores/auth.svelte';
+import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
 import { createActor } from '../../declarations/encrypted_chat';
 import { HttpAgent, type ActorSubclass } from '@dfinity/agent';
 import fetch from 'isomorphic-fetch';
@@ -326,7 +326,14 @@ export const chatActions = {
 			} else {
 				console.log('loadChatMessages: no messages loaded for chat:', chatIdStr);
 			}
-			messages.state[chatIdStr].push(...mapped);
+            // Reassign to trigger reactivity for consumers relying on identity changes
+            messages.state = {
+                ...messages.state,
+                [chatIdStr]: [
+                    ...((messages.state[chatIdStr] as Message[] | undefined) ?? []),
+                    ...mapped
+                ]
+            };
 			if (mapped.length !== 0) {
 				const pos = chats.state.findIndex((c) => chatIdToString(c.id) === chatIdStr);
 				const lastMessageBefore = chats.state[pos].lastMessage;
@@ -650,7 +657,9 @@ function toUiMessage(chatIdStr: string, m: EncryptedMessage): Message {
 			? auth.state.client.getIdentity().getPrincipal().toString()
 			: undefined;
 	const senderId =
-		currentPrincipal && senderPrincipal === currentPrincipal ? 'current-user' : senderPrincipal;
+		currentPrincipal && senderPrincipal === currentPrincipal
+			? getMyPrincipal().toString()
+			: senderPrincipal;
 	const contentStr = new TextDecoder().decode(new Uint8Array(m.content));
 	const contentTyped: {
 		content: string;

From 7620cdce9e0678d8e7c00c08e4a51ea30e636d4d Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 13 Aug 2025 16:07:07 +0200
Subject: [PATCH 26/62] new chat

---
 .../src/lib/components/NewChatModal.svelte    | 52 ++++++++++---------
 .../src/lib/components/UserProfile.svelte     |  2 +-
 2 files changed, 28 insertions(+), 26 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
index a9dee118..2ee6e2e5 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
@@ -41,19 +41,20 @@
 
 {#if show}
 	<div
-		class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4"
+		class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 backdrop-blur-sm p-4"
 		role="dialog"
 		aria-modal="true"
 	>
-		<Card class="w-full max-w-lg">
-			<div class="mb-4 flex items-center justify-between">
-				<h3 class="text-lg font-semibold">Create Chat</h3>
-				<button class="variant-ghost-surface btn-icon" onclick={close} aria-label="Close">
-					<X class="h-5 w-5" />
-				</button>
-			</div>
+		<Card class="w-full max-w-lg rounded-xl shadow-2xl ring-1 ring-black/10 dark:ring-white/10 bg-white dark:bg-neutral-900">
+			<div class="p-6 md:p-8">
+				<div class="mb-4 flex items-center justify-between border-b border-black/5 dark:border-white/10 pb-4">
+					<h3 class="text-lg font-semibold">Create Chat</h3>
+					<button class="variant-ghost-surface btn-icon" onclick={close} aria-label="Close">
+						<X class="h-5 w-5" />
+					</button>
+				</div>
 
-			<div class="mb-4 flex gap-2">
+				<div class="mb-4 flex gap-2">
 				<button
 					class="btn {tab === 'direct' ? 'variant-filled-primary' : 'variant-ghost-surface'}"
 					onclick={() => (tab = 'direct')}
@@ -68,34 +69,34 @@
 					<Users class="h-4 w-4" />
 					<span class="ml-1">Group</span>
 				</button>
-			</div>
+				</div>
 
-			{#if tab === 'direct'}
-				<div class="space-y-3">
+				{#if tab === 'direct'}
+					<div class="space-y-3">
 					<label class="block text-sm">
 						<span class="mb-1 block font-medium">Receiver Principal</span>
 						<input
-							class="w-full rounded border px-3 py-2"
+							class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
 							bind:value={directPrincipal}
 							placeholder="aaaaa-aa"
 						/>
 					</label>
 					<div class="grid grid-cols-2 gap-3">
 						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Rotation (min)</span>
+							<span class="mb-1 block font-medium">Symmetric Key Rotation (min)</span>
 							<input
 								type="number"
 								min="0"
-								class="w-full rounded border px-3 py-2"
+								class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
 								bind:value={directRotationMinutes}
 							/>
 						</label>
 						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Expiration (min)</span>
+							<span class="mb-1 block font-medium">Message Expiration (min)</span>
 							<input
 								type="number"
 								min="0"
-								class="w-full rounded border px-3 py-2"
+								class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
 								bind:value={directExpirationMinutes}
 							/>
 						</label>
@@ -106,14 +107,14 @@
 							<span class="ml-1">Create</span>
 						</Button>
 					</div>
-				</div>
-			{:else}
-				<div class="space-y-3">
+					</div>
+				{:else}
+					<div class="space-y-3">
 					<label class="block text-sm">
 						<span class="mb-1 block font-medium">Participant Principals</span>
 						<textarea
 							rows="3"
-							class="w-full rounded border px-3 py-2"
+							class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
 							bind:value={groupPrincipalsText}
 							placeholder="comma or space separated principals"
 						></textarea>
@@ -124,7 +125,7 @@
 							<input
 								type="number"
 								min="0"
-								class="w-full rounded border px-3 py-2"
+								class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
 								bind:value={groupRotationMinutes}
 							/>
 						</label>
@@ -133,7 +134,7 @@
 							<input
 								type="number"
 								min="0"
-								class="w-full rounded border px-3 py-2"
+								class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
 								bind:value={groupExpirationMinutes}
 							/>
 						</label>
@@ -144,8 +145,9 @@
 							<span class="ml-1">Create Group</span>
 						</Button>
 					</div>
-				</div>
-			{/if}
+					</div>
+				{/if}
+			</div>
 		</Card>
 	</div>
 {/if}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index d72cd9c7..5038a4bf 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -118,7 +118,7 @@
 						placeholder="7"
 					/>
 					<p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
-						How long to keep cached data before automatic cleanup
+						How long to keep symmetric key cache before automatic cleanup
 					</p>
 				</div>
 			</div>

From 65dfb8492356f77f32a1b102df9d7278623aecd1 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 13 Aug 2025 16:15:32 +0200
Subject: [PATCH 27/62] more consistent style

---
 .../components/GroupManagementModal.svelte    | 66 +++++++++----------
 1 file changed, 30 insertions(+), 36 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index bece5627..66a4608a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -5,6 +5,8 @@
 	import { getMyPrincipal } from '$lib/stores/auth.svelte';
 	import { Principal } from '@dfinity/principal';
 	import type { Principal as PrincipalType } from '@dfinity/principal';
+	import Card from './ui/Card.svelte';
+	import Button from './ui/Button.svelte';
 
 	export let show = false;
 	export let groupChat: GroupChat;
@@ -102,24 +104,24 @@
 
 {#if show}
 	<!-- Backdrop -->
-	<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4">
+	<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 backdrop-blur-sm p-4">
 		<!-- Modal -->
-		<div
-			class="card max-h-[80vh] w-full max-w-2xl overflow-hidden rounded-xl shadow-2xl backdrop-blur-xl"
-		>
-			<!-- Header -->
-			<div class="border-surface-300-600-token flex items-center justify-between border-b p-6">
-				<div class="flex items-center gap-3">
-					<Users class="h-6 w-6" />
-					<h2 class="text-lg font-bold">Manage Group: {groupChat.name}</h2>
+		<Card class="w-full max-w-2xl rounded-xl shadow-2xl ring-1 ring-black/10 dark:ring-white/10 bg-white dark:bg-neutral-900">
+			<div class="p-6 md:p-8">
+				<!-- Header -->
+				<div class="mb-4 flex items-center justify-between border-b border-black/5 dark:border-white/10 pb-4">
+					<div class="flex items-center gap-3">
+						<Users class="h-6 w-6" />
+						<h2 class="text-lg font-semibold">Manage Group</h2>
+						<span class="text-surface-600-300-token text-sm truncate">{groupChat.name}</span>
+					</div>
+					<button class="variant-ghost-surface btn-icon" onclick={handleClose} aria-label="Close">
+						<X class="h-5 w-5" />
+					</button>
 				</div>
-				<button class="variant-ghost-surface btn-icon" onclick={handleClose} aria-label="Close">
-					<X class="h-5 w-5" />
-				</button>
-			</div>
 
-			<!-- Content -->
-			<div class="max-h-[60vh] space-y-6 overflow-y-auto p-6">
+				<!-- Content -->
+				<div class="max-h-[60vh] space-y-6 overflow-y-auto">
 				<!-- Current Members -->
 				<div>
 					<h3 class="mb-3 font-semibold">Current Members ({groupChat.participants.length})</h3>
@@ -237,29 +239,21 @@
 						</div>
 					</div>
 				{/if}
-			</div>
+				</div>
 
-			<!-- Footer -->
-			<div class="border-surface-300-600-token flex items-center justify-end gap-3 border-t p-6">
-				<button
-					class="variant-ghost-surface btn"
-					onclick={handleClose}
-					title="Cancel"
-					aria-label="Cancel"
-				>
-					<X class="h-4 w-4" />
-				</button>
-				<button
-					class="variant-filled-primary btn"
-					onclick={handleSave}
-					disabled={!canSave}
-					title="Save Changes"
-					aria-label="Save Changes"
-				>
-					<Save class="h-4 w-4" />
-				</button>
+				<!-- Footer -->
+				<div class="mt-4 flex justify-end gap-2">
+					<Button variant="ghost" onclick={handleClose} aria-label="Cancel">
+						<X class="h-4 w-4" />
+						<span class="ml-1">Cancel</span>
+					</Button>
+					<Button onclick={handleSave} disabled={!canSave} aria-label="Save Changes">
+						<Save class="h-4 w-4" />
+						<span class="ml-1">Save Changes</span>
+					</Button>
+				</div>
 			</div>
-		</div>
+		</Card>
 	</div>
 {/if}
 

From 31a9bda07f588f850d3623ab6e3ed28565ba8b64 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 13 Aug 2025 16:26:42 +0200
Subject: [PATCH 28/62] logout

---
 .../src/lib/components/UserProfile.svelte         | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index 5038a4bf..5af2a047 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -1,7 +1,7 @@
 <script lang="ts">
-	import { Settings, X, Check } from 'lucide-svelte';
+	import { Settings, X, Check, LogOut } from 'lucide-svelte';
 	import { userConfig, chatActions } from '../stores/chat.svelte';
-	import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
+	import { auth, getMyPrincipal, logout } from '$lib/stores/auth.svelte';
 	import type { User } from '$lib/types';
 
 	const currentUser = $derived<{ state: User | null }>({
@@ -62,10 +62,15 @@
 				<h3 class="text-sm font-semibold">Name: ---<br /></h3>
 				<h4 class="text-xs font-semibold">{currentUser.state?.name}</h4>
 			</div>
+	</div>
+		<div class="flex items-center gap-2">
+			<button class="variant-ghost-surface btn-icon" onclick={logout} aria-label="Logout">
+				<LogOut class="h-5 w-5" />
+			</button>
+			<button class="variant-ghost-surface btn-icon" onclick={toggleConfig} aria-label="Settings">
+				<Settings class="h-5 w-5" />
+			</button>
 		</div>
-		<button class="variant-ghost-surface btn-icon" onclick={toggleConfig} aria-label="Settings">
-			<Settings class="h-5 w-5" />
-		</button>
 	</div>
 </div>
 

From 1f46f549684ab85691c1defbff113f003f782d59 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 13 Aug 2025 20:42:27 +0200
Subject: [PATCH 29/62] key cache

---
 .../encrypted_chat/frontend/package-lock.json |  15 +-
 examples/encrypted_chat/frontend/package.json |   1 +
 .../src/lib/components/ChatInterface.svelte   |   5 +-
 .../src/lib/components/ChatList.svelte        |   5 +-
 .../src/lib/components/ChatListItem.svelte    |   2 +-
 .../src/lib/components/MessageHistory.svelte  |   5 +-
 .../frontend/src/lib/services/api.ts          |   2 +-
 .../frontend/src/lib/services/storage.ts      |   2 +-
 .../frontend/src/lib/stores/chat.svelte.ts    | 152 +++++-----
 .../frontend/src/lib/types/index.ts           | 273 +++++++++++++++++-
 .../encrypted_chat/rust/backend/src/lib.rs    |  28 +-
 11 files changed, 389 insertions(+), 101 deletions(-)

diff --git a/examples/encrypted_chat/frontend/package-lock.json b/examples/encrypted_chat/frontend/package-lock.json
index 42e688be..5c0f606e 100644
--- a/examples/encrypted_chat/frontend/package-lock.json
+++ b/examples/encrypted_chat/frontend/package-lock.json
@@ -10,6 +10,7 @@
 			"dependencies": {
 				"@dfinity/agent": "^3.1.0",
 				"@dfinity/auth-client": "^3.1.0",
+				"@dfinity/vetkeys": "^0.4.0",
 				"@melt-ui/svelte": "^0.86.6",
 				"@skeletonlabs/skeleton": "^3.1.7",
 				"@skeletonlabs/tw-plugin": "^0.4.1",
@@ -95,7 +96,6 @@
 			"resolved": "https://registry.npmjs.org/@dfinity/candid/-/candid-3.1.0.tgz",
 			"integrity": "sha512-YwZJROFmzPa4GCJJyGCoOYJ2pKmp9rboixGQSbLPekX0n0oU0mcEbuVKJFu6HY6CnoDoI8YKc9x+jlqh4n0u5A==",
 			"license": "Apache-2.0",
-			"peer": true,
 			"peerDependencies": {
 				"@dfinity/principal": "3.1.0"
 			}
@@ -125,11 +125,22 @@
 			"resolved": "https://registry.npmjs.org/@dfinity/principal/-/principal-3.1.0.tgz",
 			"integrity": "sha512-ef2JbgwQGtam0s19bH9CaR8ztpuoNx10eC6/kBjR/R8VC2eIBlaJHvD0lXDrBWGtOPZGzEy/XAugeBr3raxZ8A==",
 			"license": "Apache-2.0",
-			"peer": true,
 			"dependencies": {
 				"@noble/hashes": "^1.8.0"
 			}
 		},
+		"node_modules/@dfinity/vetkeys": {
+			"version": "0.4.0",
+			"resolved": "https://registry.npmjs.org/@dfinity/vetkeys/-/vetkeys-0.4.0.tgz",
+			"integrity": "sha512-MLa5UvseEOVB6HgcKYtIDOZc6De0tdRm61dZlmAVKKqjnZuXoUJqypDbMe30EnofH0JMjvGQP2jGvxGRKC6nGQ==",
+			"license": "Apache-2.0",
+			"dependencies": {
+				"@dfinity/agent": "^3.1.0",
+				"@dfinity/candid": "^3.1.0",
+				"@dfinity/principal": "^3.1.0",
+				"idb-keyval": "^6.2.1"
+			}
+		},
 		"node_modules/@esbuild/aix-ppc64": {
 			"version": "0.25.8",
 			"resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.25.8.tgz",
diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index 7b2a2191..e2c381bf 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -46,6 +46,7 @@
 	"dependencies": {
 		"@dfinity/agent": "^3.1.0",
 		"@dfinity/auth-client": "^3.1.0",
+		"@dfinity/vetkeys": "^0.4.0",
 		"@melt-ui/svelte": "^0.86.6",
 		"@skeletonlabs/skeleton": "^3.1.7",
 		"@skeletonlabs/tw-plugin": "^0.4.1",
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
index 71eb0adf..6236b75b 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
@@ -1,10 +1,11 @@
 <script lang="ts">
-	import { chatActions, chatIdToString, chats, selectedChatId } from '../stores/chat.svelte';
+	import { chatActions, chats, selectedChatId } from '../stores/chat.svelte';
 	import ChatHeader from './ChatHeader.svelte';
 	import MessageHistory from './MessageHistory.svelte';
 	import MessageInput from './MessageInput.svelte';
 	import type { FileUpload } from '../types';
-
+	import { chatIdToString } from '$lib/utils';
+	
 	let { isMobile, onMobileBack } = $props();
 
 	const selectedChat = $derived(
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index b5cf6f60..54a97a13 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -3,8 +3,6 @@
 		chats,
 		selectedChatId,
 		chatActions,
-		chatIdToString,
-		chatIdFromStr,
 		getNumberOfMessagesIs,
 		chatIdStringToNumberOfMessagesShould,
 		getChatIds
@@ -13,6 +11,7 @@
 	import UserProfile from './UserProfile.svelte';
 	import Button from './ui/Button.svelte';
 	import NewChatModal from './NewChatModal.svelte';
+	import { chatIdToString, chatIdFromString } from '$lib/utils';
 
 	$effect(() => {
 		console.log(`$effect loadChatMessages`);
@@ -64,7 +63,7 @@
 				isSelected={selectedChatId.state
 					? chatIdToString(selectedChatId.state) === chatIdToString(chat.id)
 					: false}
-				on:select={(e: CustomEvent<string>) => (selectedChatId.state = chatIdFromStr(e.detail))}
+				on:select={(e: CustomEvent<string>) => (selectedChatId.state = chatIdFromString(e.detail))}
 			/>
 		{:else}
 			<div class="p-8 text-center text-surface-600-500">
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
index 0ab73543..76263c5d 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -2,7 +2,7 @@
 	import { createEventDispatcher } from 'svelte';
 	import { Clock, Users, User, Loader2, AlertCircle, CheckCircle } from 'lucide-svelte';
 	import type { Chat } from '../types';
-	import { chatIdToString } from '$lib/stores/chat.svelte';
+	import { chatIdToString } from '$lib/utils';
 
 	export let chat: Chat;
 	export let isSelected = false;
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
index aa341017..33a6939f 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
@@ -1,10 +1,11 @@
 <script lang="ts">
-	import { chats, selectedChatId, messages, chatIdToString } from '../stores/chat.svelte';
+	import { chats, selectedChatId, messages } from '../stores/chat.svelte';
 	import MessageBubble from './MessageBubble.svelte';
 	import type { Message, User } from '../types';
 	import { SvelteDate } from 'svelte/reactivity';
 	import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
-
+	import { chatIdToString } from '$lib/utils';
+	
 	let messagesContainer: HTMLDivElement | undefined = $state(undefined);
 	let autoScroll = $state(true);
 
diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/api.ts
index f3012e49..2b7f21a4 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/api.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/api.ts
@@ -9,7 +9,7 @@ import type {
 	VetKeyEpochMetadata
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
-import { chatIdToString, stringifyBigInt } from '$lib/stores/chat.svelte';
+import { chatIdToString, stringifyBigInt } from '$lib/utils';
 import { TransportSecretKey, EncryptedVetKey, DerivedPublicKey, VetKey } from '@dfinity/vetkeys';
 
 // Dummy API service that simulates backend calls
diff --git a/examples/encrypted_chat/frontend/src/lib/services/storage.ts b/examples/encrypted_chat/frontend/src/lib/services/storage.ts
index 8f8980d8..e59a02cf 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/storage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/storage.ts
@@ -1,6 +1,6 @@
 import { get, set, del, clear, keys } from 'idb-keyval';
 import type { Message, Chat, UserConfig } from '../types';
-import { chatIdToString } from '$lib/stores/chat.svelte';
+import { chatIdToString } from '$lib/utils';
 
 // IndexedDB storage service for persistent chat data
 export class StorageService {
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index f36203d9..76f86ef9 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -1,4 +1,11 @@
-import type { Chat, Message, UserConfig, Notification, SymmetricRatchetStats } from '../types';
+import {
+	type Chat,
+	type Message,
+	type UserConfig,
+	type Notification,
+	type SymmetricRatchetStats,
+	VetKeyEncryptedCache
+} from '../types';
 import { chatAPI } from '../services/api';
 import { storageService } from '../services/storage';
 import { SvelteDate } from 'svelte/reactivity';
@@ -11,12 +18,19 @@ import type {
 	ChatId,
 	EncryptedMessage,
 	VetKeyEpochMetadata,
-	UserMessage,
-	GroupChatMetadata
+	UserMessage
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
 import { SvelteMap } from 'svelte/reactivity';
 import { DerivedKeyMaterial, deriveSymmetricKey } from '@dfinity/vetkeys';
+import {
+	chatIdFromString,
+	chatIdToString,
+	chatIdVetKeyEpochToString,
+	sizePrefixedBytesFromString,
+	stringifyBigInt,
+	uBigIntTo8ByteUint8ArrayBigEndian
+} from '$lib/utils';
 
 const DOMAIN_RATCHET_INIT = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-init');
 const DOMAIN_RATCHET_STEP = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-step');
@@ -44,12 +58,13 @@ const chatIdStringToVetKeyEpochMetadata = new SvelteMap<string, VetKeyEpochMetad
 
 type KeyState =
 	| { status: 'missing' }
-	| { status: 'loading'; promise: Promise<CryptoKey> }
+	| { status: 'loading'; promise: Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> }
 	| { status: 'ready'; symmetricKeyEpoch: bigint; key: CryptoKey }
 	| { status: 'error'; error: string };
 
 export const chatIdStringToEpochKeyState = new SvelteMap<string, KeyState>();
 
+// eslint-disable-next-line svelte/prefer-svelte-reactivity
 const chatIdStringToNumberOfMessagesIs = new Map<string, bigint>();
 export const chatIdStringToNumberOfMessagesShould = new SvelteMap<string, bigint>();
 
@@ -109,19 +124,44 @@ export function initVetKeyReactions() {
 				}
 				const actor = getActor();
 				if (!actor) throw new Error('Not authenticated');
-				const chatId = chatIdFromStr(chatIdStr);
-
-				const p1 = chatAPI.getVetKey(actor, chatId, meta.metadata.epoch_id);
-				const p2 = Promise.resolve(p1).then(async (vetKey) => {
-					const rootKey = deriveSymmetricKey(new Uint8Array(), DOMAIN_RATCHET_INIT, 32);
+				const chatId = chatIdFromString(chatIdStr);
+
+				const vetKeyEncryptedCache = new VetKeyEncryptedCache(getMyPrincipal(), actor);
+				const rootKeyPromise = vetKeyEncryptedCache
+					.fetchAndDecryptFor(chatId, meta.metadata.epoch_id)
+
+					.catch((error) => {
+						console.info(`User doesn't have key cache for chat ${chatIdStr}: `, error);
+						return Promise.resolve(chatAPI.getVetKey(actor, chatId, meta.metadata.epoch_id)).then(
+							(vetKey) => {
+								const rootKey = deriveSymmetricKey(
+									vetKey.signatureBytes(),
+									DOMAIN_RATCHET_INIT,
+									32
+								);
+								console.log(
+									`Computed rootKey=${stringifyBigInt(rootKey)} from vetKey=${stringifyBigInt(vetKey.signatureBytes())}`
+								);
+								console.log('starting to store the root key in cache: ', rootKey);
+								const vetKeyEncryptedCache = new VetKeyEncryptedCache(getMyPrincipal(), actor);
+								const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
+								// await this future in background
+								vetKeyEncryptedCache.encryptAndStoreFor(chatId, meta.metadata.epoch_id, keyState);
+
+								return keyState;
+							}
+						);
+					});
+				const p2 = Promise.resolve(rootKeyPromise).then(async ({ keyBytes, symmetricKeyEpoch }) => {
 					const exportable = false;
-					return await globalThis.crypto.subtle.importKey(
+					const key = await globalThis.crypto.subtle.importKey(
 						'raw',
-						new Uint8Array(rootKey),
+						new Uint8Array(keyBytes),
 						'HKDF',
 						exportable,
 						['deriveKey', 'deriveBits']
 					);
+					return { key, symmetricKeyEpoch };
 				});
 
 				chatIdStringToEpochKeyState.set(key, {
@@ -213,7 +253,7 @@ export const chatActions = {
 			}
 
 			for (const [chatIdStr, meta] of chatIdStringToVetKeyEpochMetadata.entries()) {
-				const chatId = chatIdFromStr(chatIdStr);
+				const chatId = chatIdFromString(chatIdStr);
 
 				const participants = meta.status === 'ready' ? meta.metadata.participants : [];
 				if (!participants) {
@@ -317,7 +357,6 @@ export const chatActions = {
 					new Uint8Array(m.content),
 					m.metadata.sender_message_id
 				);
-				`/// decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${BigInt(m.metadata.vetkey_epoch).toString()} symmetricKeyEpoch: ${BigInt(m.metadata.symmetric_key_epoch).toString()} sender: ${m.metadata.sender.toText()} userMessageId: ${m.metadata.sender_message_id.toString()}`;
 				m.content = plaintextMessageContent;
 				mapped.push(toUiMessage(chatIdToString(chatId), m));
 			}
@@ -326,14 +365,11 @@ export const chatActions = {
 			} else {
 				console.log('loadChatMessages: no messages loaded for chat:', chatIdStr);
 			}
-            // Reassign to trigger reactivity for consumers relying on identity changes
-            messages.state = {
-                ...messages.state,
-                [chatIdStr]: [
-                    ...((messages.state[chatIdStr] as Message[] | undefined) ?? []),
-                    ...mapped
-                ]
-            };
+			// Reassign to trigger reactivity for consumers relying on identity changes
+			messages.state = {
+				...messages.state,
+				[chatIdStr]: [...((messages.state[chatIdStr] as Message[] | undefined) ?? []), ...mapped]
+			};
 			if (mapped.length !== 0) {
 				const pos = chats.state.findIndex((c) => chatIdToString(c.id) === chatIdStr);
 				const lastMessageBefore = chats.state[pos].lastMessage;
@@ -623,20 +659,6 @@ function getActor(): ActorSubclass<_SERVICE> | undefined {
 	}
 }
 
-export function chatIdToString(chatId: ChatId): string {
-	if ('Group' in chatId) return `group/${chatId.Group.toString()}`;
-	const [a, b] = chatId.Direct;
-	return `direct/${a.toString()}/${b.toString()}`;
-}
-
-export function chatIdFromStr(chatIdStr: string): ChatId {
-	if (typeof chatIdStr !== 'string')
-		throw new Error('chatIdStr is not a string but ' + typeof chatIdStr);
-	if (chatIdStr.startsWith('group/')) return { Group: BigInt(chatIdStr.slice(6)) };
-	const [a, b] = chatIdStr.split('/').slice(1);
-	return { Direct: [Principal.fromText(a), Principal.fromText(b)] };
-}
-
 function shortenId(id: string): string {
 	return id.length > 8 ? `${id.slice(0, 6)}…${id.slice(-2)}` : id;
 }
@@ -661,10 +683,10 @@ function toUiMessage(chatIdStr: string, m: EncryptedMessage): Message {
 			? getMyPrincipal().toString()
 			: senderPrincipal;
 	const contentStr = new TextDecoder().decode(new Uint8Array(m.content));
-	const contentTyped: {
+	const contentTyped = JSON.parse(contentStr) as {
 		content: string;
 		fileData?: { name: string; size: number; type: string; data: ArrayBuffer };
-	} = JSON.parse(contentStr);
+	};
 	return {
 		id: m.metadata.chat_message_id.toString(),
 		chatId: chatIdStr,
@@ -695,7 +717,10 @@ async function ensureVetKeyEpochMetadata(actor: ActorSubclass<_SERVICE>, chatId:
 			})
 			.catch((error) => {
 				// transition to error so UI can react
-				chatIdStringToVetKeyEpochMetadata.set(chatIdStr, { status: 'error', error });
+				chatIdStringToVetKeyEpochMetadata.set(chatIdStr, {
+					status: 'error',
+					error: error instanceof Error ? error.message : 'Unknown error'
+				});
 				console.log('ensureVetKeyEpochMetadata error', chatIdStr);
 				throw error;
 			});
@@ -707,8 +732,7 @@ async function fastForwardSymmetricRatchetWithoutSavingUntil(
 	vetkeyEpoch: bigint,
 	symmetricKeyEpoch: bigint
 ): Promise<DerivedKeyMaterial> {
-	const chatIdStr = chatIdToString(chatId);
-	const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
 	const cur = chatIdStringToEpochKeyState.get(mapKey);
 	if (!cur) {
 		throw new Error('Bug: failed to get epoch key');
@@ -741,20 +765,19 @@ async function ensureRootKey(actor: ActorSubclass<_SERVICE>, chatId: ChatId, epo
 
 	if (cur?.status === 'loading') {
 		await cur.promise
-			.then((key) => {
+			.then(({ key, symmetricKeyEpoch }) => {
 				console.log('ensureRootKey ready', chatIdStr);
 				chatIdStringToEpochKeyState.set(mapKey, {
 					status: 'ready',
-					symmetricKeyEpoch: 0n,
+					symmetricKeyEpoch,
 					key
 				});
-				return key;
 			})
 			.catch((error) => {
 				console.log('ensureRootKey error', chatIdStr);
 				chatIdStringToEpochKeyState.set(mapKey, {
 					status: 'error',
-					error
+					error: error instanceof Error ? error.message : 'Unknown error'
 				});
 				throw error;
 			});
@@ -769,8 +792,7 @@ async function symmetricRatchetUntil(
 	while ((await getCurrentSymmetricEpoch(chatId, vetkeyEpoch)) < symmetricKeyEpoch) {
 		try {
 			const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
-			const chatIdStr = chatIdToString(chatId);
-			const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+			const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
 			chatIdStringToEpochKeyState.set(mapKey, {
 				status: 'ready',
 				symmetricKeyEpoch: currentSymmetricEpoch + 1n,
@@ -788,7 +810,7 @@ async function symmetricRatchet(
 	expectedSymmetricKeyEpoch: bigint
 ) {
 	const chatIdStr = chatIdToString(chatId);
-	const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
 	const cur = chatIdStringToEpochKeyState.get(mapKey);
 	console.log(
 		`symmetricRatchet: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} expectedSymmetricKeyEpoch: ${expectedSymmetricKeyEpoch.toString()}`
@@ -840,18 +862,8 @@ if (typeof window !== 'undefined') {
 	void chatActions.initialize();
 }
 
-export function stringifyBigInt(value: any): string {
-	return JSON.stringify(value, (_key, value) => {
-		if (typeof value === 'bigint') {
-			return value.toString();
-		}
-		return value;
-	});
-}
-
 async function getCurrentSymmetricEpoch(chatId: ChatId, vetkeyEpoch: bigint): Promise<bigint> {
-	const chatIdStr = chatIdToString(chatId);
-	const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
 	while (true) {
 		const cur = chatIdStringToEpochKeyState.get(mapKey);
 		if (cur?.status === 'ready') {
@@ -867,7 +879,7 @@ async function getSymmetricEpochKey(
 	symmetricKeyEpoch: bigint
 ): Promise<DerivedKeyMaterial> {
 	const chatIdStr = chatIdToString(chatId);
-	const mapKey = `${chatIdStr}/${vetkeyEpoch.toString()}`;
+	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
 	let cur: KeyState | undefined = undefined; // wait in a loop with timeout till we get the key
 
 	console.log(
@@ -945,30 +957,10 @@ async function decryptMessageContent(
 	return await epochKey.decryptMessage(encryptedMessageContent, domainSeparator);
 }
 
-function messageEncryptionDomainSeparator(sender: Principal, messageId: bigint): Uint8Array {
+export function messageEncryptionDomainSeparator(sender: Principal, messageId: bigint): Uint8Array {
 	return new Uint8Array([
 		...DOMAIN_MESSAGE_ENCRYPTION,
 		...sender.toUint8Array(),
 		...uBigIntTo8ByteUint8ArrayBigEndian(messageId)
 	]);
 }
-
-function uBigIntTo8ByteUint8ArrayBigEndian(value: bigint): Uint8Array {
-	if (value < 0n) throw new RangeError('Accpts only bigint n >= 0');
-
-	const bytes = new Uint8Array(8);
-	for (let i = 0; i < 8; i++) {
-		bytes[i] = Number((value >> BigInt(i * 8)) & 0xffn);
-	}
-	return bytes;
-}
-
-function sizePrefixedBytesFromString(text: string): Uint8Array {
-	const bytes = new TextEncoder().encode(text);
-	if (bytes.length > 255) {
-		throw new Error('Text is too long');
-	}
-	const size = new Uint8Array(1);
-	size[0] = bytes.length & 0xff;
-	return new Uint8Array([...size, ...bytes]);
-}
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index 25f90a10..eb9d0bb2 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -1,5 +1,19 @@
-import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
-import type { Principal } from '@dfinity/principal';
+import type { ChatId, _SERVICE } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { Principal } from '@dfinity/principal';
+import {
+	EncryptedMaps,
+	type AccessRights,
+	type ByteBuf,
+	type EncryptedMapData,
+	type EncryptedMapsClient
+} from '@dfinity/vetkeys/encrypted_maps';
+import type { ActorSubclass } from '@dfinity/agent';
+import {
+	chatIdToString,
+	stringifyBigInt,
+	u8ByteUint8ArrayBigEndianToUBigInt,
+	uBigIntTo8ByteUint8ArrayBigEndian
+} from '$lib/utils';
 
 export interface User {
 	id: Principal;
@@ -105,3 +119,258 @@ export interface Notification {
 	isDismissible: boolean;
 	duration?: number; // auto-dismiss after ms, undefined = manual dismiss
 }
+
+class EncryptedMapsClientForEncryptedCache implements EncryptedMapsClient {
+	#actor: ActorSubclass<_SERVICE>;
+
+	constructor(actor: ActorSubclass<_SERVICE>) {
+		this.#actor = actor;
+	}
+
+	get_accessible_shared_map_names(): Promise<[Principal, ByteBuf][]> {
+		throw Error('unavailable EncryptedMaps function get_accessible_shared_map_names');
+	}
+
+	get_shared_user_access_for_map(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		owner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf
+	): Promise<{ Ok: Array<[Principal, AccessRights]> } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function get_shared_user_access_for_map');
+	}
+
+	get_owned_non_empty_map_names(): Promise<Array<ByteBuf>> {
+		throw Error('unavailable EncryptedMaps function get_owned_non_empty_map_names');
+	}
+
+	get_all_accessible_encrypted_values(): Promise<[[Principal, ByteBuf], [ByteBuf, ByteBuf][]][]> {
+		throw Error('unavailable EncryptedMaps function get_all_accessible_encrypted_values');
+	}
+
+	get_all_accessible_encrypted_maps(): Promise<Array<EncryptedMapData>> {
+		throw Error('unavailable EncryptedMaps function get_all_accessible_encrypted_maps');
+	}
+
+	get_encrypted_value(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapOwner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapKey: ByteBuf
+	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function get_encrypted_value');
+	}
+
+	get_encrypted_values_for_map(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapOwner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf
+	): Promise<{ Ok: Array<[ByteBuf, ByteBuf]> } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function get_encrypted_values_for_map');
+	}
+
+	async get_encrypted_vetkey(
+		mapOwner: Principal,
+		mapName: ByteBuf,
+		transportKey: ByteBuf
+	): Promise<{ Ok: ByteBuf } | { Err: string }> {
+		const data = new Uint8Array(
+			await this.#actor.get_encrypted_vetkey_for_my_cache_storage(transportKey.inner)
+		);
+		const result: { Ok: ByteBuf } | { Err: string } = {
+			Ok: { inner: data }
+		};
+		if (data.length !== 192) {
+			console.error(`get_encrypted_value: invalid data length: expected 192, got ${data.length}`);
+		}
+		if (result.Ok.inner.length !== 192) {
+			console.error(
+				`get_encrypted_value: invalid data length: expected 192, got ${result.Ok.inner.length}`
+			);
+		}
+		if ('Ok' in result) {
+			console.log(
+				`get_encrypted_vetkey: size=${result.Ok.inner.length}, value=${JSON.stringify(result.Ok.inner)}`
+			);
+		}
+		return Promise.resolve(result);
+	}
+
+	insert_encrypted_value(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapOwner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapKey: ByteBuf,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		data: ByteBuf
+	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function insert_encrypted_value');
+	}
+
+	remove_encrypted_value(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapOwner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapKey: ByteBuf
+	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function remove_encrypted_value');
+	}
+
+	remove_map_values(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapOwner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf
+	): Promise<{ Ok: Array<ByteBuf> } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function remove_map_values');
+	}
+
+	async get_vetkey_verification_key(): Promise<ByteBuf> {
+		return { inner: await this.#actor.get_vetkey_verification_key_for_my_cache_storage() };
+	}
+
+	set_user_rights(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		owner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		user: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		userRights: AccessRights
+	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function set_user_rights');
+	}
+
+	get_user_rights(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		owner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		user: Principal
+	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function get_user_rights');
+	}
+
+	remove_user(
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		owner: Principal,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		mapName: ByteBuf,
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		user: Principal
+	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function remove_user');
+	}
+}
+
+function mapName(): Uint8Array {
+	return new TextEncoder().encode('encrypted_chat_cache');
+}
+
+async function mapKeyId(chat_id: ChatId, vetkey_epoch_id: bigint): Promise<Uint8Array> {
+	const input = serializeChatId(chat_id);
+
+	const hashBuffer = await crypto.subtle.digest(
+		'SHA-256',
+		new Uint8Array([...input, ...uBigIntTo8ByteUint8ArrayBigEndian(vetkey_epoch_id)])
+	);
+	return new Uint8Array(hashBuffer);
+}
+
+function serializeChatId(chatId: ChatId): Uint8Array {
+	if ('Direct' in chatId) {
+		return new Uint8Array([
+			0,
+			...chatId.Direct[0].toUint8Array(),
+			...chatId.Direct[1].toUint8Array()
+		]);
+	} else {
+		return new Uint8Array([1, ...uBigIntTo8ByteUint8ArrayBigEndian(chatId.Group)]);
+	}
+}
+
+export class VetKeyEncryptedCache {
+	#encryptedMaps: EncryptedMaps;
+	#myPrincipal: Principal;
+	#actor: ActorSubclass<_SERVICE>;
+
+	constructor(myPrincipal: Principal, actor: ActorSubclass<_SERVICE>) {
+		this.#myPrincipal = myPrincipal;
+		this.#encryptedMaps = new EncryptedMaps(new EncryptedMapsClientForEncryptedCache(actor));
+		this.#actor = actor;
+	}
+
+	async fetchAndDecryptFor(
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<{ keyBytes: Uint8Array; symmetricKeyEpoch: bigint }> {
+		const keyCacheBytes = await this.#actor.get_my_symmetric_key_cache(chatId, vetKeyEpoch);
+		if ('Err' in keyCacheBytes) {
+			throw new Error('Failed to get key cache bytes: ' + keyCacheBytes.Err);
+		} else if (keyCacheBytes.Ok.length === 0) {
+			throw new Error('Failed to get key cache bytes: no key cache found');
+		}
+
+		const mapName_ = mapName();
+		const mapKey = await mapKeyId(chatId, vetKeyEpoch);
+		const decryptedBytes = await this.#encryptedMaps.decryptFor(
+			this.#myPrincipal,
+			mapName_,
+			mapKey,
+			new Uint8Array(keyCacheBytes.Ok[0])
+		);
+
+		console.log(
+			`VetKeyEncryptedCache: successfully fetched and decrypted key cache for chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}: ${stringifyBigInt(deserializeCache(decryptedBytes))}`
+		);
+		return deserializeCache(decryptedBytes);
+	}
+
+	async encryptAndStoreFor(
+		chatId: ChatId,
+		vetKeyEpoch: bigint,
+		cache: { keyBytes: Uint8Array; symmetricKeyEpoch: bigint }
+	): Promise<void> {
+		console.log('encryptAndStoreFor: starting to store the root key in cache: ', cache);
+		const mapName_ = mapName();
+		const mapKey = await mapKeyId(chatId, vetKeyEpoch);
+
+		const ciphertext = await this.#encryptedMaps.encryptFor(
+			this.#myPrincipal,
+			mapName_,
+			mapKey,
+			serializeCache(cache)
+		);
+		const result = await this.#actor.update_my_symmetric_key_cache(chatId, vetKeyEpoch, ciphertext);
+		if ('Err' in result) {
+			throw new Error('Failed to update key cache: ' + result.Err);
+		} else {
+			console.log(
+				`VetKeyEncryptedCache: successfully stored key cache for chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}: ${stringifyBigInt(serializeCache(cache))}`
+			);
+		}
+	}
+}
+
+function serializeCache(cache: { keyBytes: Uint8Array; symmetricKeyEpoch: bigint }): Uint8Array {
+	return new Uint8Array([
+		...cache.keyBytes,
+		...uBigIntTo8ByteUint8ArrayBigEndian(cache.symmetricKeyEpoch)
+	]);
+}
+
+function deserializeCache(data: Uint8Array): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
+	return {
+		keyBytes: data.slice(0, 32),
+		symmetricKeyEpoch: u8ByteUint8ArrayBigEndianToUBigInt(data.slice(32))
+	};
+}
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index f84a49cb..f0070f55 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -329,7 +329,9 @@ fn rotate_chat_vetkey(chat_id: ChatId) -> Result<VetKeyEpochId, String> {
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
 
     let messages_start_with_id = CHAT_TO_MESSAGE_COUNTERS.with_borrow(|counters| {
-        counters.get(&chat_id).expect("bug: uninitialized chat message counter")
+        counters
+            .get(&chat_id)
+            .expect("bug: uninitialized chat message counter")
     });
 
     let new_vetkey_epoch_id = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
@@ -486,9 +488,19 @@ fn get_my_chat_ids() -> Vec<(ChatId, ChatMessageId)> {
     let caller = ic_cdk::api::msg_caller();
     USER_TO_CHAT_MAP.with_borrow(|map| {
         CHAT_TO_MESSAGE_COUNTERS.with_borrow(|counters| {
-        map.keys_range((caller, ChatId::MIN_VALUE, VetKeyEpochId(0))..)
-            .take_while(|(user, _, _)| user == &caller)
-                    .map(|(_, chat_id, _)| (chat_id, ChatMessageId(counters.get(&chat_id).expect("bug: uninitialized chat message counter").0)))
+            map.keys_range((caller, ChatId::MIN_VALUE, VetKeyEpochId(0))..)
+                .take_while(|(user, _, _)| user == &caller)
+                .map(|(_, chat_id, _)| {
+                    (
+                        chat_id,
+                        ChatMessageId(
+                            counters
+                                .get(&chat_id)
+                                .expect("bug: uninitialized chat message counter")
+                                .0,
+                        ),
+                    )
+                })
                 .collect()
         })
     })
@@ -675,7 +687,7 @@ async fn get_encrypted_vetkey_for_my_cache_storage(
         })
         .await;
 
-    serde_bytes::ByteBuf::from(encrypted_vetkey.into_bytes())
+    serde_bytes::ByteBuf::from(encrypted_vetkey.as_ref().to_vec())
 }
 
 #[ic_cdk::update]
@@ -689,7 +701,7 @@ async fn get_vetkey_verification_key_for_my_cache_storage() -> serde_bytes::Byte
         })
         .await;
 
-    serde_bytes::ByteBuf::from(verification_key.into_bytes())
+    serde_bytes::ByteBuf::from(verification_key.as_ref().to_vec())
 }
 
 #[ic_cdk::update]
@@ -829,7 +841,9 @@ fn modify_group_chat_participants(
     new_participants.sort();
 
     let messages_start_with_id = CHAT_TO_MESSAGE_COUNTERS.with_borrow(|counters| {
-        counters.get(&chat_id).expect("bug: uninitialized chat message counter")
+        counters
+            .get(&chat_id)
+            .expect("bug: uninitialized chat message counter")
     });
 
     let new_vetkey_epoch_id = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {

From 453e91bcd01d632d9ba0446b31fab429a3da1aee Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Thu, 14 Aug 2025 10:24:11 +0200
Subject: [PATCH 30/62] key resharing

---
 .../frontend/src/lib/stores/chat.svelte.ts    | 242 +++++++++++++++---
 .../encrypted_chat/rust/backend/backend.did   |   2 +-
 .../encrypted_chat/rust/backend/src/lib.rs    |   5 +-
 3 files changed, 205 insertions(+), 44 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 76f86ef9..82ae2d6a 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -4,7 +4,7 @@ import {
 	type UserConfig,
 	type Notification,
 	type SymmetricRatchetStats,
-	VetKeyEncryptedCache
+	VetKeyEncryptedCache as VetKeyEncryptedCacheManager
 } from '../types';
 import { chatAPI } from '../services/api';
 import { storageService } from '../services/storage';
@@ -22,7 +22,16 @@ import type {
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
 import { SvelteMap } from 'svelte/reactivity';
-import { DerivedKeyMaterial, deriveSymmetricKey } from '@dfinity/vetkeys';
+import {
+	DerivedKeyMaterial,
+	deriveSymmetricKey,
+	DerivedPublicKey,
+	IbeCiphertext,
+	IbeIdentity,
+	IbeSeed,
+	TransportSecretKey,
+	EncryptedVetKey
+} from '@dfinity/vetkeys';
 import {
 	chatIdFromString,
 	chatIdToString,
@@ -126,47 +135,79 @@ export function initVetKeyReactions() {
 				if (!actor) throw new Error('Not authenticated');
 				const chatId = chatIdFromString(chatIdStr);
 
-				const vetKeyEncryptedCache = new VetKeyEncryptedCache(getMyPrincipal(), actor);
-				const rootKeyPromise = vetKeyEncryptedCache
+				const vetKeyEncryptedCacheManager = new VetKeyEncryptedCacheManager(
+					getMyPrincipal(),
+					actor
+				);
+				const rootKeyPromise = vetKeyEncryptedCacheManager
 					.fetchAndDecryptFor(chatId, meta.metadata.epoch_id)
 
 					.catch((error) => {
 						console.info(`User doesn't have key cache for chat ${chatIdStr}: `, error);
-						return Promise.resolve(chatAPI.getVetKey(actor, chatId, meta.metadata.epoch_id)).then(
-							(vetKey) => {
-								const rootKey = deriveSymmetricKey(
-									vetKey.signatureBytes(),
-									DOMAIN_RATCHET_INIT,
-									32
-								);
-								console.log(
-									`Computed rootKey=${stringifyBigInt(rootKey)} from vetKey=${stringifyBigInt(vetKey.signatureBytes())}`
+
+						return fetchResharedIbeEncryptedVetKeys(
+							actor,
+							chatId,
+							meta.metadata.epoch_id,
+							getMyPrincipal()
+						)
+							.then((resharedVetKey) => {
+								console.log('successfully fetched reshared IBE encrypted vetkey: ', resharedVetKey);
+								return deriveRootKeyAndDispatchCaching(
+									actor,
+									chatId,
+									meta.metadata.epoch_id,
+									resharedVetKey
 								);
-								console.log('starting to store the root key in cache: ', rootKey);
-								const vetKeyEncryptedCache = new VetKeyEncryptedCache(getMyPrincipal(), actor);
-								const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
-								// await this future in background
-								vetKeyEncryptedCache.encryptAndStoreFor(chatId, meta.metadata.epoch_id, keyState);
-
-								return keyState;
-							}
-						);
+							})
+							.catch((error) => {
+								console.error('Failed to fetch reshared IBE encrypted vetkey: ', error);
+								return Promise.resolve(
+									chatAPI.getVetKey(actor, chatId, meta.metadata.epoch_id)
+								).then((vetKey) => {
+									const otherParticipants = meta.metadata.participants.filter(
+										(p) => p.toString() !== getMyPrincipal().toString()
+									);
+
+									reshareIbeEncryptedVetKeys(
+										actor,
+										chatId,
+										meta.metadata.epoch_id,
+										otherParticipants,
+										vetKey.signatureBytes()
+									).catch((error) => {
+										console.error(
+											`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${meta.metadata.epoch_id.toString()}: `,
+											error
+										);
+									});
+
+									return deriveRootKeyAndDispatchCaching(
+										actor,
+										chatId,
+										meta.metadata.epoch_id,
+										vetKey.signatureBytes()
+									);
+								});
+							});
 					});
-				const p2 = Promise.resolve(rootKeyPromise).then(async ({ keyBytes, symmetricKeyEpoch }) => {
-					const exportable = false;
-					const key = await globalThis.crypto.subtle.importKey(
-						'raw',
-						new Uint8Array(keyBytes),
-						'HKDF',
-						exportable,
-						['deriveKey', 'deriveBits']
-					);
-					return { key, symmetricKeyEpoch };
-				});
+				const cryptoKeyPromise = Promise.resolve(rootKeyPromise).then(
+					async ({ keyBytes, symmetricKeyEpoch }) => {
+						const exportable = false;
+						const key = await globalThis.crypto.subtle.importKey(
+							'raw',
+							new Uint8Array(keyBytes),
+							'HKDF',
+							exportable,
+							['deriveKey', 'deriveBits']
+						);
+						return { key, symmetricKeyEpoch };
+					}
+				);
 
 				chatIdStringToEpochKeyState.set(key, {
 					status: 'loading',
-					promise: p2
+					promise: cryptoKeyPromise
 				});
 				console.log('chatIdStringToEpochKeyState loading ', key, meta.metadata.epoch_id.toString());
 				ensureRootKey(actor, chatId, meta.metadata.epoch_id).catch((error) => {
@@ -729,10 +770,10 @@ async function ensureVetKeyEpochMetadata(actor: ActorSubclass<_SERVICE>, chatId:
 
 async function fastForwardSymmetricRatchetWithoutSavingUntil(
 	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint
+	currentVetkeyEpoch: bigint,
+	neededSymmetricKeyEpoch: bigint
 ): Promise<DerivedKeyMaterial> {
-	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
+	const mapKey = chatIdVetKeyEpochToString(chatId, currentVetkeyEpoch);
 	const cur = chatIdStringToEpochKeyState.get(mapKey);
 	if (!cur) {
 		throw new Error('Bug: failed to get epoch key');
@@ -741,12 +782,12 @@ async function fastForwardSymmetricRatchetWithoutSavingUntil(
 		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
 	}
 	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
-	if (currentSymmetricKeyEpoch >= symmetricKeyEpoch) {
+	if (currentSymmetricKeyEpoch >= neededSymmetricKeyEpoch) {
 		return DerivedKeyMaterial.fromCryptoKey(key);
 	}
 
 	let derivedKeyState = { epochKey: key, symmetricKeyEpoch: currentSymmetricKeyEpoch };
-	while (derivedKeyState.symmetricKeyEpoch < symmetricKeyEpoch) {
+	while (derivedKeyState.symmetricKeyEpoch < neededSymmetricKeyEpoch) {
 		derivedKeyState = {
 			epochKey: await deriveNextEpochKey(
 				derivedKeyState.epochKey,
@@ -954,7 +995,13 @@ async function decryptMessageContent(
 	}
 	const epochKey = await getSymmetricEpochKey(chatId, vetkeyEpoch, symmetricKeyEpoch);
 	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
-	return await epochKey.decryptMessage(encryptedMessageContent, domainSeparator);
+	return await epochKey.decryptMessage(encryptedMessageContent, domainSeparator).catch((error) => {
+		console.error(
+			`decryptMessageContent: failed to decrypt message in chat ${chatIdToString(chatId)} for vetkeyEpoch ${vetkeyEpoch.toString()} and symmetricKeyEpoch: ${symmetricKeyEpoch.toString()} from sender ${sender.toText()} with userMessageId ${userMessageId.toString()}`,
+			error
+		);
+		return new TextEncoder().encode('<decryption failed>');
+	});
 }
 
 export function messageEncryptionDomainSeparator(sender: Principal, messageId: bigint): Uint8Array {
@@ -964,3 +1011,118 @@ export function messageEncryptionDomainSeparator(sender: Principal, messageId: b
 		...uBigIntTo8ByteUint8ArrayBigEndian(messageId)
 	]);
 }
+
+async function reshareIbeEncryptedVetKeys(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	otherParticipants: Principal[],
+	vetKeyBytes: Uint8Array
+): Promise<void> {
+	if (otherParticipants.length > 0) {
+		console.log(
+			'reshareIbeEncryptedVetkeys: ',
+			chatId,
+			vetkeyEpoch,
+			otherParticipants,
+			vetKeyBytes
+		);
+		// try to reshare with other participants
+		return await Promise.all(
+			otherParticipants.map(async (p) => {
+				const ibePublicKey = DerivedPublicKey.deserialize(
+					new Uint8Array(await actor.get_vetkey_resharing_ibe_encryption_key(p))
+				);
+				const ibeIdentity = IbeIdentity.fromBytes(new Uint8Array());
+				const ibeSeed = IbeSeed.random();
+				const ibeCiphertext = IbeCiphertext.encrypt(
+					ibePublicKey,
+					ibeIdentity,
+					vetKeyBytes,
+					ibeSeed
+				);
+				const ibeCiphertextBytes = ibeCiphertext.serialize();
+				const result: [Principal, Uint8Array<ArrayBufferLike>] = [p, ibeCiphertextBytes];
+				return result;
+			})
+		).then(async (ibeEncryptedVetKeysPromise) => {
+			await actor
+				.reshare_ibe_encrypted_vetkeys(chatId, vetkeyEpoch, ibeEncryptedVetKeysPromise)
+				.then((result) => {
+					if ('Ok' in result) {
+						console.log(
+							`Successfully resharded IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}`
+						);
+					} else {
+						console.info(
+							`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}: `,
+							result.Err
+						);
+					}
+				});
+		});
+	} else {
+		console.log('no other participants to reshare vetKey with');
+	}
+}
+
+async function fetchResharedIbeEncryptedVetKeys(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	myPrincipal: Principal
+): Promise<Uint8Array> {
+	console.log('fetchResharedIbeEncryptedVetKeys: ', chatId, vetkeyEpoch, myPrincipal);
+	const tsk = TransportSecretKey.random();
+	const myResharedIbeEncryptedVetkey = await actor.get_my_reshared_ibe_encrypted_vetkey(
+		chatId,
+		vetkeyEpoch
+	);
+	if ('Err' in myResharedIbeEncryptedVetkey) {
+		throw new Error(
+			'Failed to get my reshared IBE encrypted vetkey: ' + myResharedIbeEncryptedVetkey.Err
+		);
+	} else if (myResharedIbeEncryptedVetkey.Ok.length === 0) {
+		throw new Error('Failed to get my reshared IBE encrypted vetkey: no reshared vetkey');
+	}
+	const ibeCiphertext = IbeCiphertext.deserialize(
+		new Uint8Array(myResharedIbeEncryptedVetkey.Ok[0])
+	);
+
+	const publicIbeKeyBytes = await actor.get_vetkey_resharing_ibe_encryption_key(myPrincipal);
+	const publicIbeKey = DerivedPublicKey.deserialize(new Uint8Array(publicIbeKeyBytes));
+
+	// TODO:cache this key
+	const privateEncryptedIbeKeyBytes = await actor.get_vetkey_resharing_ibe_decryption_key(
+		tsk.publicKeyBytes()
+	);
+	const encryptedVetKey = EncryptedVetKey.deserialize(new Uint8Array(privateEncryptedIbeKeyBytes));
+	const privateIbeKey = encryptedVetKey.decryptAndVerify(tsk, publicIbeKey, new Uint8Array());
+
+	const ibePlaintext = ibeCiphertext.decrypt(privateIbeKey);
+	return ibePlaintext;
+}
+
+function deriveRootKeyAndDispatchCaching(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId,
+	vetKeyEpoch: bigint,
+	vetKeyBytes: Uint8Array
+): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
+	const rootKey = deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
+	console.log(
+		`Computed rootKey=${stringifyBigInt(rootKey)} from vetKey=${stringifyBigInt(vetKeyBytes)}`
+	);
+
+	console.log('starting to store the root key in cache: ', rootKey);
+	const vetKeyEncryptedCache = new VetKeyEncryptedCacheManager(getMyPrincipal(), actor);
+	const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
+	// await this future in background
+	vetKeyEncryptedCache.encryptAndStoreFor(chatId, vetKeyEpoch, keyState).catch((error) => {
+		console.error(
+			`Failed to store root key in cache for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
+			error
+		);
+	});
+	return keyState;
+}
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index fd8905bf..c84e120a 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -72,7 +72,7 @@ service : (text) -> {
       vec EncryptedMessage,
     ) query;
   get_vetkey_resharing_ibe_decryption_key : (blob) -> (blob);
-  get_vetkey_resharing_ibe_encryption_key : () -> (blob);
+  get_vetkey_resharing_ibe_encryption_key : (principal) -> (blob);
   get_vetkey_verification_key_for_my_cache_storage : () -> (blob);
   modify_group_chat_participants : (nat64, GroupModification) -> (Result);
   reshare_ibe_encrypted_vetkeys : (
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index f0070f55..634ccc5a 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -776,11 +776,10 @@ async fn get_vetkey_resharing_ibe_decryption_key(
 }
 
 #[ic_cdk::update]
-async fn get_vetkey_resharing_ibe_encryption_key() -> serde_bytes::ByteBuf {
-    let caller = ic_cdk::api::msg_caller();
+async fn get_vetkey_resharing_ibe_encryption_key(user: Principal) -> serde_bytes::ByteBuf {
     let args = ic_cdk::management_canister::VetKDPublicKeyArgs {
         canister_id: None,
-        context: resharing_context(caller),
+        context: resharing_context(user),
         key_id: key_id(),
     };
     let result = ic_cdk::management_canister::vetkd_public_key(&args)

From 09749e4b9368abbe8d7adb6dbfd224cd1c023706 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Thu, 14 Aug 2025 15:00:36 +0200
Subject: [PATCH 31/62] wip rotation

---
 .../src/lib/components/ChatHeader.svelte      |   4 +-
 .../components/GroupManagementModal.svelte    |  13 +-
 .../frontend/src/lib/services/api.ts          |  15 +-
 .../frontend/src/lib/stores/chat.svelte.ts    | 185 +++++++++++++-----
 4 files changed, 140 insertions(+), 77 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index 91ec3ef0..b384b8bf 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -60,7 +60,7 @@
 		return date.toLocaleString();
 	}
 
-	function handleGroupManagementSave(
+	async function handleGroupManagementSave(
 		event: CustomEvent<{
 			addUsers: string[];
 			removeUsers: string[];
@@ -73,7 +73,7 @@
 		const removeUsersPrincipal = removeUsers.map((id) => Principal.fromText(id));
 
 		try {
-			chatAPI.updateGroupMembers(
+			await chatActions.updateGroupMembers(
 				chat.id,
 				addUsersPrincipal,
 				removeUsersPrincipal,
diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index 66a4608a..3be5247a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { createEventDispatcher } from 'svelte';
-	import { UserPlus, UserMinus, X, Save, Users } from 'lucide-svelte';
+	import { UserMinus, X, Save, Users } from 'lucide-svelte';
 	import type { GroupChat, User } from '../types';
 	import { getMyPrincipal } from '$lib/stores/auth.svelte';
 	import { Principal } from '@dfinity/principal';
@@ -19,7 +19,6 @@
 	let selectedToAdd: string[] = [];
 	let selectedToRemove: string[] = [];
 	let allowHistoryForNew = true;
-	let usersToShow: User[] = [];
 
 	// Text input for adding multiple principals
 	let principalsInput = '';
@@ -40,7 +39,7 @@
 				// Validate deserialization. Keep original string for dispatching.
 				Principal.fromText(token);
 				nextValid.push(token);
-			} catch (_) {
+			} catch {
 				nextInvalid.push(token);
 			}
 		}
@@ -53,14 +52,6 @@
 	$: canSave =
 		(totalAddCount > 0 || selectedToRemove.length > 0) && invalidPrincipalTokens.length === 0;
 
-	function toggleAddUser(userId: string) {
-		if (selectedToAdd.includes(userId)) {
-			selectedToAdd = selectedToAdd.filter((id) => id !== userId);
-		} else {
-			selectedToAdd = [...selectedToAdd, userId];
-		}
-	}
-
 	function toggleRemoveUser(userId: string) {
 		if (selectedToRemove.includes(userId)) {
 			selectedToRemove = selectedToRemove.filter((id) => id !== userId);
diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/api.ts
index 2b7f21a4..49be8335 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/api.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/api.ts
@@ -116,7 +116,6 @@ export class ChatAPI {
 		actor: ActorSubclass<_SERVICE>,
 		chatId: ChatId,
 		vetKeyEpoch: bigint,
-		transportKey: TransportSecretKey
 	): Promise<DerivedPublicKey> {
 		const bytes = await actor.chat_public_key(chatId, vetKeyEpoch);
 		console.log(
@@ -135,7 +134,7 @@ export class ChatAPI {
 		console.log(`getVetKey: ${stringifyBigInt(chatId)} with result ${stringifyBigInt(result)}`);
 		if ('Ok' in result) {
 			const encryptedVetKey = EncryptedVetKey.deserialize(Uint8Array.from(result.Ok));
-			const derivedPublicKey = await this.getDerivedPublicKey(actor, chatId, vetKeyEpoch, tsk);
+			const derivedPublicKey = await this.getDerivedPublicKey(actor, chatId, vetKeyEpoch);
 			const vetKey = encryptedVetKey.decryptAndVerify(tsk, derivedPublicKey, new Uint8Array());
 			return vetKey;
 		} else {
@@ -155,18 +154,6 @@ export class ChatAPI {
 		};
 	}
 
-	updateGroupMembers(
-		chatId: ChatId,
-		addUsers: Principal[],
-		removeUsers: Principal[],
-		allowHistoryForNew: boolean
-	): boolean {
-		console.log(
-			`Group ${chatIdToString(chatId)} updated: +${addUsers.length}, -${removeUsers.length}, history: ${allowHistoryForNew}`
-		);
-		return true;
-	}
-
 	async fetchEncryptedMessages(
 		actor: ActorSubclass<_SERVICE>,
 		chatId: ChatId,
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 82ae2d6a..ed7aaa03 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -18,7 +18,8 @@ import type {
 	ChatId,
 	EncryptedMessage,
 	VetKeyEpochMetadata,
-	UserMessage
+	UserMessage,
+	GroupModification
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
 import { SvelteMap } from 'svelte/reactivity';
@@ -33,8 +34,8 @@ import {
 	EncryptedVetKey
 } from '@dfinity/vetkeys';
 import {
-	chatIdFromString,
 	chatIdToString,
+	chatIdVetKeyEpochFromString,
 	chatIdVetKeyEpochToString,
 	sizePrefixedBytesFromString,
 	stringifyBigInt,
@@ -63,7 +64,10 @@ type VetKeyEpochMetadataState =
 	| { status: 'error'; error: string };
 
 // Keep a mapping from string chat id to the actor ChatId
-const chatIdStringToVetKeyEpochMetadata = new SvelteMap<string, VetKeyEpochMetadataState>();
+const chatIdVetKeyEpochStringToVetKeyEpochMetadata = new SvelteMap<
+	string,
+	VetKeyEpochMetadataState
+>();
 
 type KeyState =
 	| { status: 'missing' }
@@ -92,24 +96,33 @@ export function initVetKeyReactions() {
 			if (auth.state.label !== 'initialized') return;
 
 			for (const chat of chats.state) {
-				if (chatIdStringToVetKeyEpochMetadata.has(chatIdToString(chat.id))) {
+				const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chat.id, BigInt(chat.vetKeyEpoch));
+				const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
+				if (meta?.status === 'ready' || meta?.status === 'loading') {
 					console.log(
-						'chatIdStringToVetKeyEpochMetadata already has ',
-						chatIdToString(chat.id),
+						'chatIdVetKeyEpochStringToVetKeyEpochMetadata already has or loading ',
+						chatIdVetKeyEpochStr,
 						' -- skipping'
 					);
 					continue;
 				}
 				const actor = getActor();
 				if (!actor) throw new Error('Not authenticated');
-				chatIdStringToVetKeyEpochMetadata.set(chatIdToString(chat.id), {
-					status: 'loading',
-					promise: chatAPI.getLatestVetKeyEpochMetadata(actor, chat.id)
-				});
-				console.log('chatIdStringToVetKeyEpochMetadata loading ', chatIdToString(chat.id));
-				ensureVetKeyEpochMetadata(actor, chat.id).catch((error) => {
+
+				if (meta?.status === 'missing') {
+					chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
+						status: 'loading',
+						promise: chatAPI.getLatestVetKeyEpochMetadata(actor, chat.id)
+					});
+				}
+
+				console.log(
+					'chatIdVetKeyEpochStringToVetKeyEpochMetadata loading ',
+					chatIdVetKeyEpochToString(chat.id, BigInt(chat.vetKeyEpoch))
+				);
+				ensureVetKeyEpochMetadata(actor, chat.id, BigInt(chat.vetKeyEpoch)).catch((error) => {
 					console.error(
-						`Failed to get vetkey epoch metadata for chat ${chatIdToString(chat.id)}: `,
+						`Failed to get vetkey epoch metadata for chat ${chatIdVetKeyEpochToString(chat.id, BigInt(chat.vetKeyEpoch))}: `,
 						error
 					);
 				});
@@ -119,13 +132,15 @@ export function initVetKeyReactions() {
 		$effect(() => {
 			if (auth.state.label !== 'initialized') return;
 
-			for (const [chatIdStr, meta] of chatIdStringToVetKeyEpochMetadata.entries()) {
+			for (const [
+				chatIdStrVetKeyEpoch,
+				meta
+			] of chatIdVetKeyEpochStringToVetKeyEpochMetadata.entries()) {
 				if (meta.status !== 'ready') continue;
-				const key = `${chatIdStr}/${meta.metadata.epoch_id.toString()}`;
-				if (chatIdStringToEpochKeyState.has(key)) {
+				if (chatIdStringToEpochKeyState.has(chatIdStrVetKeyEpoch)) {
 					console.log(
 						'chatIdStringToEpochKeyState already has ',
-						key,
+						chatIdStrVetKeyEpoch,
 						meta.metadata.epoch_id.toString(),
 						' -- skipping'
 					);
@@ -133,7 +148,7 @@ export function initVetKeyReactions() {
 				}
 				const actor = getActor();
 				if (!actor) throw new Error('Not authenticated');
-				const chatId = chatIdFromString(chatIdStr);
+				const { chatId, vetKeyEpoch } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
 
 				const vetKeyEncryptedCacheManager = new VetKeyEncryptedCacheManager(
 					getMyPrincipal(),
@@ -143,7 +158,10 @@ export function initVetKeyReactions() {
 					.fetchAndDecryptFor(chatId, meta.metadata.epoch_id)
 
 					.catch((error) => {
-						console.info(`User doesn't have key cache for chat ${chatIdStr}: `, error);
+						console.info(
+							`User doesn't have key cache for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
+							error
+						);
 
 						return fetchResharedIbeEncryptedVetKeys(
 							actor,
@@ -205,13 +223,20 @@ export function initVetKeyReactions() {
 					}
 				);
 
-				chatIdStringToEpochKeyState.set(key, {
+				chatIdStringToEpochKeyState.set(chatIdStrVetKeyEpoch, {
 					status: 'loading',
 					promise: cryptoKeyPromise
 				});
-				console.log('chatIdStringToEpochKeyState loading ', key, meta.metadata.epoch_id.toString());
+				console.log(
+					'chatIdStringToEpochKeyState loading ',
+					chatIdStrVetKeyEpoch,
+					meta.metadata.epoch_id.toString()
+				);
 				ensureRootKey(actor, chatId, meta.metadata.epoch_id).catch((error) => {
-					console.error(`Failed to get vetkey epoch metadata for chat ${chatIdStr}: `, error);
+					console.error(
+						`Failed to get root key for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
+						error
+					);
 				});
 			}
 		});
@@ -280,21 +305,29 @@ export const chatActions = {
 			}, '');
 			console.log('fetched ' + chatIds.length + ' chats: ' + summary);
 			for (const [chatId] of chatIds) {
-				if (!chatIdStringToVetKeyEpochMetadata.has(chatIdToString(chatId))) {
-					const result = await actor.get_latest_chat_vetkey_epoch_metadata(chatId);
-					if ('Ok' in result) {
-						chatIdStringToVetKeyEpochMetadata.set(chatIdToString(chatId), {
+				const chatIdStr = chatIdToString(chatId);
+				const vetKeyEpochStr = chatIdVetKeyEpochToString(
+					chatId,
+					BigInt(chats.state.find((c) => chatIdToString(c.id) === chatIdStr)?.vetKeyEpoch ?? 0n)
+				);
+				if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(vetKeyEpochStr)) {
+					const result = await chatAPI.getLatestVetKeyEpochMetadata(actor, chatId);
+					chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(
+						chatIdVetKeyEpochToString(chatId, result.epoch_id),
+						{
 							status: 'ready',
-							metadata: result.Ok
-						});
-					} else {
-						console.error('Failed to get vetkey epoch metadata:', result.Err);
-					}
+							metadata: result
+						}
+					);
 				}
 			}
 
-			for (const [chatIdStr, meta] of chatIdStringToVetKeyEpochMetadata.entries()) {
-				const chatId = chatIdFromString(chatIdStr);
+			for (const [
+				chatIdStrVetKeyEpoch,
+				meta
+			] of chatIdVetKeyEpochStringToVetKeyEpochMetadata.entries()) {
+				const { chatId } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
+				const chatIdStr = chatIdToString(chatId);
 
 				const participants = meta.status === 'ready' ? meta.metadata.participants : [];
 				if (!participants) {
@@ -382,7 +415,7 @@ export const chatActions = {
 			const lastMessageId = numMessagesIs ? numMessagesIs : 0n;
 			const actor = getActor();
 			if (!actor) return;
-			const meta = chatIdStringToVetKeyEpochMetadata.get(chatIdStr);
+			const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdStr);
 			if (!meta) {
 				console.error('loadChatMessages: Failed to get vetkey epoch metadata for chat:', chatIdStr);
 				return;
@@ -448,7 +481,11 @@ export const chatActions = {
 		const actor = getActor();
 		if (!actor) throw new Error('Not authenticated');
 
-		const chatIdStr = chatIdToString(chatId);
+		// get the latest vetkey epoch metadata from chats
+		const vetKeyEpoch =
+			chats.state.find((c) => chatIdToString(c.id) === chatIdToString(chatId))?.vetKeyEpoch ?? 0n;
+
+		const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(vetKeyEpoch));
 
 		let repetitions = 0;
 		const MAX_REPETITIONS = 10;
@@ -461,7 +498,8 @@ export const chatActions = {
 			const myPrincipal = auth.state.client.getIdentity().getPrincipal();
 
 			try {
-				const vetKeyEpochMeta = chatIdStringToVetKeyEpochMetadata.get(chatIdStr);
+				const vetKeyEpochMeta =
+					chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
 				if (vetKeyEpochMeta?.status !== 'ready') {
 					console.error('Failed to get vetkey epoch metadata for chat:', chatId);
 					return;
@@ -505,14 +543,25 @@ export const chatActions = {
 				}
 				break;
 			} catch (error) {
-				if (
-					error instanceof Error &&
-					(error.message.startsWith('Wrong vetkey epoch') ||
-						error.message.startsWith('Wrong symmetric key epoch'))
-				) {
+				if (error instanceof Error && error.message.startsWith('Wrong symmetric key epoch')) {
+					console.info(
+						`Failed to send message - wrong symmetric key epoch in message: ${error.message}`
+					);
+					await new Promise((resolve) => setTimeout(resolve, 1000));
+					repetitions++;
+					continue;
+				} else if (error instanceof Error && error.message.startsWith('Wrong vetKey epoch')) {
 					console.info(
-						`Failed to send message - wrong vetkey or symmetric key epoch in message: ${error.message}`
+						`Failed to send message - wrong symmetric key epoch in message: ${error.message}`
 					);
+
+					const result = await chatAPI.getLatestVetKeyEpochMetadata(actor, chatId);
+					const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(result.epoch_id));
+					if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(chatIdVetKeyEpochStr)) {
+						chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
+							status: 'missing'
+						});
+					}
 					await new Promise((resolve) => setTimeout(resolve, 1000));
 					repetitions++;
 					continue;
@@ -678,6 +727,33 @@ export const chatActions = {
 				isDismissible: true
 			});
 		}
+	},
+
+	async updateGroupMembers(
+		chatId: ChatId,
+		addUsers: Principal[],
+		removeUsers: Principal[],
+		// TODO: implement this
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
+		allowHistoryForNew: boolean
+	) {
+		if ('Direct' in chatId) {
+			throw new Error('updateGroupMembers: chatId is a direct chat');
+		}
+		const actor = getActor();
+		if (!actor) throw new Error('Not authenticated');
+		const modification: GroupModification = {
+			remove_participants: removeUsers,
+			add_participants: addUsers
+		};
+		const result = await actor.modify_group_chat_participants(chatId.Group, modification);
+		if ('Ok' in result) {
+			console.log(
+				`Group ${chatIdToString(chatId)} updated: +${addUsers.length}, -${removeUsers.length}, history: ${allowHistoryForNew}`
+			);
+		} else {
+			throw new Error(result.Err);
+		}
 	}
 };
 
@@ -741,10 +817,14 @@ function toUiMessage(chatIdStr: string, m: EncryptedMessage): Message {
 	};
 }
 
-async function ensureVetKeyEpochMetadata(actor: ActorSubclass<_SERVICE>, chatId: ChatId) {
-	const chatIdStr = chatIdToString(chatId);
-	console.log('ensureVetKeyEpochMetadata', chatIdStr);
-	const cur = chatIdStringToVetKeyEpochMetadata.get(chatIdStr);
+async function ensureVetKeyEpochMetadata(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId,
+	vetKeyEpoch: bigint
+) {
+	const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, vetKeyEpoch);
+	console.log('ensureVetKeyEpochMetadata', chatIdVetKeyEpochStr);
+	const cur = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
 
 	if (cur?.status === 'loading') {
 		if (!actor) throw new Error('Not authenticated');
@@ -752,19 +832,24 @@ async function ensureVetKeyEpochMetadata(actor: ActorSubclass<_SERVICE>, chatId:
 		await cur.promise
 			.then((metadata) => {
 				// transition to ready when it resolves
-				chatIdStringToVetKeyEpochMetadata.set(chatIdStr, { status: 'ready', metadata });
-				console.log('ensureVetKeyEpochMetadata ready', chatIdStr);
+				chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
+					status: 'ready',
+					metadata
+				});
+				console.log('ensureVetKeyEpochMetadata ready', chatIdVetKeyEpochStr);
 				return metadata;
 			})
 			.catch((error) => {
 				// transition to error so UI can react
-				chatIdStringToVetKeyEpochMetadata.set(chatIdStr, {
+				chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
 					status: 'error',
 					error: error instanceof Error ? error.message : 'Unknown error'
 				});
-				console.log('ensureVetKeyEpochMetadata error', chatIdStr);
+				console.log('ensureVetKeyEpochMetadata error', chatIdVetKeyEpochStr);
 				throw error;
 			});
+	} else {
+		console.error('Bug: vetkey epoch metadata is not loading or ready');
 	}
 }
 

From 304ad9fec83b69d4d1b9ac801bae65a04f1fda87 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Mon, 18 Aug 2025 09:26:27 +0200
Subject: [PATCH 32/62] group rotation works with some bugs -- sometimes needs
 page reloading

---
 .../lib/components/NotificationBanner.svelte  |   2 +-
 .../frontend/src/lib/services/keyStorage.ts   |   0
 .../{storage.ts => messageStorage.ts}         |   0
 .../frontend/src/lib/stores/chat.svelte.ts    | 681 +++++-------------
 .../frontend/src/lib/stores/crypto.svelte.ts  | 403 +++++++++++
 .../frontend/src/lib/types/index.ts           |   2 +-
 .../frontend/src/lib/utils/index.ts           |  65 ++
 .../encrypted_chat/rust/backend/src/lib.rs    |   2 +
 8 files changed, 663 insertions(+), 492 deletions(-)
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
 rename examples/encrypted_chat/frontend/src/lib/services/{storage.ts => messageStorage.ts} (100%)
 create mode 100644 examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/utils/index.ts

diff --git a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
index 1fa0e495..270bcf6b 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
@@ -3,7 +3,7 @@
 	import { fly } from 'svelte/transition';
 	import { X, AlertTriangle, Info, CheckCircle, XCircle } from 'lucide-svelte';
 	import { notifications, chatActions } from '../stores/chat.svelte';
-	import { storageService } from '../services/storage';
+	import { storageService } from '../services/messageStorage';
 	import type { Notification } from '../types';
 
 	let showDisclaimer = false;
diff --git a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
new file mode 100644
index 00000000..e69de29b
diff --git a/examples/encrypted_chat/frontend/src/lib/services/storage.ts b/examples/encrypted_chat/frontend/src/lib/services/messageStorage.ts
similarity index 100%
rename from examples/encrypted_chat/frontend/src/lib/services/storage.ts
rename to examples/encrypted_chat/frontend/src/lib/services/messageStorage.ts
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index ed7aaa03..88e3171d 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -4,10 +4,10 @@ import {
 	type UserConfig,
 	type Notification,
 	type SymmetricRatchetStats,
-	VetKeyEncryptedCache as VetKeyEncryptedCacheManager
+	EncryptedCacheManager as EncryptedCacheManager
 } from '../types';
 import { chatAPI } from '../services/api';
-import { storageService } from '../services/storage';
+import { storageService } from '../services/messageStorage';
 import { SvelteDate } from 'svelte/reactivity';
 import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
 import { createActor } from '../../declarations/encrypted_chat';
@@ -23,30 +23,21 @@ import type {
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
 import { SvelteMap } from 'svelte/reactivity';
-import {
-	DerivedKeyMaterial,
-	deriveSymmetricKey,
-	DerivedPublicKey,
-	IbeCiphertext,
-	IbeIdentity,
-	IbeSeed,
-	TransportSecretKey,
-	EncryptedVetKey
-} from '@dfinity/vetkeys';
 import {
 	chatIdToString,
 	chatIdVetKeyEpochFromString,
 	chatIdVetKeyEpochToString,
-	sizePrefixedBytesFromString,
-	stringifyBigInt,
-	uBigIntTo8ByteUint8ArrayBigEndian
+	stringifyBigInt
 } from '$lib/utils';
-
-const DOMAIN_RATCHET_INIT = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-init');
-const DOMAIN_RATCHET_STEP = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-step');
-const DOMAIN_MESSAGE_ENCRYPTION = sizePrefixedBytesFromString(
-	'ic-vetkeys-chat-example-message-encryption'
-);
+import {
+	encryptMessageContent,
+	decryptMessageContent,
+	fetchResharedIbeEncryptedVetKeys,
+	chatIdStringToEpochKeyState,
+	deriveRootKeyAndDispatchCaching,
+	ensureRootKey,
+	reshareIbeEncryptedVetKeys
+} from './crypto.svelte';
 
 export const chats = $state<{ state: Chat[] }>({ state: [] });
 export const selectedChatId = $state<{ state: ChatId | null }>({ state: null });
@@ -63,20 +54,11 @@ type VetKeyEpochMetadataState =
 	| { status: 'ready'; metadata: VetKeyEpochMetadata }
 	| { status: 'error'; error: string };
 
-// Keep a mapping from string chat id to the actor ChatId
 const chatIdVetKeyEpochStringToVetKeyEpochMetadata = new SvelteMap<
 	string,
 	VetKeyEpochMetadataState
 >();
 
-type KeyState =
-	| { status: 'missing' }
-	| { status: 'loading'; promise: Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> }
-	| { status: 'ready'; symmetricKeyEpoch: bigint; key: CryptoKey }
-	| { status: 'error'; error: string };
-
-export const chatIdStringToEpochKeyState = new SvelteMap<string, KeyState>();
-
 // eslint-disable-next-line svelte/prefer-svelte-reactivity
 const chatIdStringToNumberOfMessagesIs = new Map<string, bigint>();
 export const chatIdStringToNumberOfMessagesShould = new SvelteMap<string, bigint>();
@@ -93,6 +75,7 @@ export function getChatIds(): ChatId[] {
 export function initVetKeyReactions() {
 	$effect.root(() => {
 		$effect(() => {
+			console.log('Running vetKey loader $effect...');
 			if (auth.state.label !== 'initialized') return;
 
 			for (const chat of chats.state) {
@@ -110,6 +93,11 @@ export function initVetKeyReactions() {
 				if (!actor) throw new Error('Not authenticated');
 
 				if (meta?.status === 'missing') {
+					console.log(
+						'chatIdVetKeyEpochStringToVetKeyEpochMetadata missing ',
+						chatIdVetKeyEpochStr,
+						' -- adding a promise to fetch it'
+					);
 					chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
 						status: 'loading',
 						promise: chatAPI.getLatestVetKeyEpochMetadata(actor, chat.id)
@@ -122,7 +110,7 @@ export function initVetKeyReactions() {
 				);
 				ensureVetKeyEpochMetadata(actor, chat.id, BigInt(chat.vetKeyEpoch)).catch((error) => {
 					console.error(
-						`Failed to get vetkey epoch metadata for chat ${chatIdVetKeyEpochToString(chat.id, BigInt(chat.vetKeyEpoch))}: `,
+						`Failed to get vetkey epoch metadata for chat ${chatIdToString(chat.id)} and vetkey epoch ${chat.vetKeyEpoch}: `,
 						error
 					);
 				});
@@ -130,83 +118,103 @@ export function initVetKeyReactions() {
 		});
 
 		$effect(() => {
+			console.log('Running metadata to key state $effect...');
 			if (auth.state.label !== 'initialized') return;
 
-			for (const [
-				chatIdStrVetKeyEpoch,
-				meta
-			] of chatIdVetKeyEpochStringToVetKeyEpochMetadata.entries()) {
-				if (meta.status !== 'ready') continue;
+			for (const chatIdStrVetKeyEpoch of chatIdVetKeyEpochStringToVetKeyEpochMetadata.keys()) {
 				if (chatIdStringToEpochKeyState.has(chatIdStrVetKeyEpoch)) {
 					console.log(
 						'chatIdStringToEpochKeyState already has ',
 						chatIdStrVetKeyEpoch,
-						meta.metadata.epoch_id.toString(),
+						' -- skipping'
+					);
+				} else {
+					console.log(
+						'chatIdStringToEpochKeyState has no entry for ',
+						chatIdStrVetKeyEpoch,
+						' -- adding a missing entry'
+					);
+					chatIdStringToEpochKeyState.set(chatIdStrVetKeyEpoch, {
+						status: 'missing'
+					});
+				}
+			}
+		});
+
+		$effect(() => {
+			console.log('Running ensureEpochKey $effect...');
+			if (auth.state.label !== 'initialized') return;
+			const actor = getActor();
+			if (!actor) throw new Error('Not authenticated');
+
+			// eslint-disable-next-line @typescript-eslint/no-unused-vars
+			for (const [chatIdStrVetKeyEpoch, state] of chatIdStringToEpochKeyState.entries()) {
+				if (state.status !== 'missing') {
+					console.log(
+						'chatIdStringToEpochKeyState already has ',
+						chatIdStrVetKeyEpoch,
+						'with status',
+						state.status,
 						' -- skipping'
 					);
 					continue;
 				}
-				const actor = getActor();
-				if (!actor) throw new Error('Not authenticated');
+				console.log(
+					'Running ensureEpochKey $effect for chatIdStrVetKeyEpoch: ',
+					chatIdStrVetKeyEpoch
+				);
 				const { chatId, vetKeyEpoch } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
 
-				const vetKeyEncryptedCacheManager = new VetKeyEncryptedCacheManager(
-					getMyPrincipal(),
-					actor
-				);
+				const vetKeyEncryptedCacheManager = new EncryptedCacheManager(getMyPrincipal(), actor);
 				const rootKeyPromise = vetKeyEncryptedCacheManager
-					.fetchAndDecryptFor(chatId, meta.metadata.epoch_id)
-
+					.fetchAndDecryptFor(chatId, vetKeyEpoch)
 					.catch((error) => {
 						console.info(
 							`User doesn't have key cache for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
 							error
 						);
 
-						return fetchResharedIbeEncryptedVetKeys(
-							actor,
-							chatId,
-							meta.metadata.epoch_id,
-							getMyPrincipal()
-						)
+						return fetchResharedIbeEncryptedVetKeys(actor, chatId, vetKeyEpoch, getMyPrincipal())
 							.then((resharedVetKey) => {
 								console.log('successfully fetched reshared IBE encrypted vetkey: ', resharedVetKey);
-								return deriveRootKeyAndDispatchCaching(
-									actor,
-									chatId,
-									meta.metadata.epoch_id,
-									resharedVetKey
-								);
+								return deriveRootKeyAndDispatchCaching(actor, chatId, vetKeyEpoch, resharedVetKey);
 							})
 							.catch((error) => {
-								console.error('Failed to fetch reshared IBE encrypted vetkey: ', error);
-								return Promise.resolve(
-									chatAPI.getVetKey(actor, chatId, meta.metadata.epoch_id)
-								).then((vetKey) => {
-									const otherParticipants = meta.metadata.participants.filter(
-										(p) => p.toString() !== getMyPrincipal().toString()
-									);
-
-									reshareIbeEncryptedVetKeys(
-										actor,
-										chatId,
-										meta.metadata.epoch_id,
-										otherParticipants,
-										vetKey.signatureBytes()
-									).catch((error) => {
-										console.error(
-											`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${meta.metadata.epoch_id.toString()}: `,
-											error
+								console.info('Failed to fetch reshared IBE encrypted vetkey: ', error);
+								return Promise.resolve(chatAPI.getVetKey(actor, chatId, vetKeyEpoch)).then(
+									(vetKey) => {
+										const meta =
+											chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdStrVetKeyEpoch);
+										if (meta?.status !== 'ready') {
+											throw new Error(
+												`No vetKey epoch metadata for chat ${chatIdToString(chatId)} and vetkey epoch ${vetKeyEpoch.toString()}: metadata status ${meta?.status}`
+											);
+										}
+										const otherParticipants = meta.metadata.participants.filter(
+											(p) => p.toString() !== getMyPrincipal().toString()
 										);
-									});
-
-									return deriveRootKeyAndDispatchCaching(
-										actor,
-										chatId,
-										meta.metadata.epoch_id,
-										vetKey.signatureBytes()
-									);
-								});
+
+										reshareIbeEncryptedVetKeys(
+											actor,
+											chatId,
+											vetKeyEpoch,
+											otherParticipants,
+											vetKey.signatureBytes()
+										).catch((error) => {
+											console.error(
+												`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${meta.metadata.epoch_id.toString()}: `,
+												error
+											);
+										});
+
+										return deriveRootKeyAndDispatchCaching(
+											actor,
+											chatId,
+											vetKeyEpoch,
+											vetKey.signatureBytes()
+										);
+									}
+								);
 							});
 					});
 				const cryptoKeyPromise = Promise.resolve(rootKeyPromise).then(
@@ -227,12 +235,8 @@ export function initVetKeyReactions() {
 					status: 'loading',
 					promise: cryptoKeyPromise
 				});
-				console.log(
-					'chatIdStringToEpochKeyState loading ',
-					chatIdStrVetKeyEpoch,
-					meta.metadata.epoch_id.toString()
-				);
-				ensureRootKey(actor, chatId, meta.metadata.epoch_id).catch((error) => {
+				console.log('chatIdStringToEpochKeyState loading ', chatIdStrVetKeyEpoch, vetKeyEpoch);
+				ensureRootKey(chatId, vetKeyEpoch).catch((error) => {
 					console.error(
 						`Failed to get root key for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
 						error
@@ -279,8 +283,13 @@ export const chatActions = {
 		const actor = getActor();
 		if (actor) {
 			const chatIds = await actor.get_my_chat_ids();
+			// eslint-disable-next-line svelte/prefer-svelte-reactivity
+			const newChatIds = new Set<ChatId>();
 			for (const [chatId, numMessages] of chatIds) {
 				const numMessagesShould = chatIdStringToNumberOfMessagesShould.get(chatIdToString(chatId));
+				if (!numMessagesShould) {
+					newChatIds.add(chatId);
+				}
 				if (!numMessagesShould || numMessagesShould !== numMessages) {
 					console.log(
 						`refreshChats: setting numberOfMessagesShould for chat ${chatIdToString(chatId)} from ${numMessagesShould} to ${numMessages}`
@@ -292,33 +301,37 @@ export const chatActions = {
 				if ('Direct' in chatId) {
 					return (
 						acc +
-						' ' +
+						(acc.length > 0 ? ' | ' : '') +
 						chatId.Direct[0].toText() +
 						' ' +
 						chatId.Direct[1].toText() +
-						' ' +
+						' #' +
 						numMessages.toString()
 					);
 				} else {
-					return acc + ' ' + chatId.Group.toString() + ' ' + numMessages.toString();
+					return (
+						acc +
+						(acc.length > 0 ? ' | ' : '') +
+						chatId.Group.toString() +
+						' #' +
+						numMessages.toString()
+					);
 				}
 			}, '');
 			console.log('fetched ' + chatIds.length + ' chats: ' + summary);
 			for (const [chatId] of chatIds) {
-				const chatIdStr = chatIdToString(chatId);
-				const vetKeyEpochStr = chatIdVetKeyEpochToString(
-					chatId,
-					BigInt(chats.state.find((c) => chatIdToString(c.id) === chatIdStr)?.vetKeyEpoch ?? 0n)
-				);
-				if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(vetKeyEpochStr)) {
-					const result = await chatAPI.getLatestVetKeyEpochMetadata(actor, chatId);
-					chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(
-						chatIdVetKeyEpochToString(chatId, result.epoch_id),
-						{
-							status: 'ready',
-							metadata: result
-						}
-					);
+				if (newChatIds.has(chatId)) {
+					const metadata = await chatAPI.getLatestVetKeyEpochMetadata(actor, chatId);
+					const vetKeyEpochStr = chatIdVetKeyEpochToString(chatId, metadata.epoch_id);
+					if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(vetKeyEpochStr)) {
+						chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(
+							chatIdVetKeyEpochToString(chatId, metadata.epoch_id),
+							{
+								status: 'ready',
+								metadata
+							}
+						);
+					}
 				}
 			}
 
@@ -326,7 +339,7 @@ export const chatActions = {
 				chatIdStrVetKeyEpoch,
 				meta
 			] of chatIdVetKeyEpochStringToVetKeyEpochMetadata.entries()) {
-				const { chatId } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
+				const { chatId, vetKeyEpoch } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
 				const chatIdStr = chatIdToString(chatId);
 
 				const participants = meta.status === 'ready' ? meta.metadata.participants : [];
@@ -362,7 +375,7 @@ export const chatActions = {
 					isUpdating: false,
 					disappearingMessagesDuration: 0,
 					keyRotationStatus: buildDummyRotationStatus(),
-					vetKeyEpoch: Number(meta.status === 'ready' ? meta.metadata.epoch_id : 0n),
+					vetKeyEpoch: Number(vetKeyEpoch),
 					symmetricRatchetEpoch: 0,
 					ratchetEpoch: 0,
 					unreadCount: 0,
@@ -412,28 +425,59 @@ export const chatActions = {
 				console.error('loadChatMessages: chat not found:', chatIdStr);
 				return;
 			}
+			const vetKeyEpoch = BigInt(chat.vetKeyEpoch);
 			const lastMessageId = numMessagesIs ? numMessagesIs : 0n;
 			const actor = getActor();
 			if (!actor) return;
-			const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdStr);
+			const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, vetKeyEpoch);
+			const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
 			if (!meta) {
-				console.error('loadChatMessages: Failed to get vetkey epoch metadata for chat:', chatIdStr);
+				console.error(
+					'loadChatMessages: Failed to get vetkey epoch metadata for chat and vetkey epoch:',
+					chatIdVetKeyEpochStr
+				);
 				return;
 			}
 			const enc = await chatAPI.fetchEncryptedMessages(actor, chatId, lastMessageId, undefined);
 			const mapped: Message[] = [];
-			for (const m of enc) {
-				const plaintextMessageContent = await decryptMessageContent(
-					chatId,
-					BigInt(m.metadata.vetkey_epoch),
-					BigInt(m.metadata.symmetric_key_epoch),
-					m.metadata.sender,
-					new Uint8Array(m.content),
-					m.metadata.sender_message_id
-				);
-				m.content = plaintextMessageContent;
-				mapped.push(toUiMessage(chatIdToString(chatId), m));
+			for (let i = enc.length - 1; i >= 0; i--) {
+				try {
+					console.log(
+						`decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${enc[i].metadata.vetkey_epoch.toString()} symmetricKeyEpoch: ${enc[i].metadata.symmetric_key_epoch.toString()} sender: ${enc[i].metadata.sender.toText()} userMessageId: ${enc[i].metadata.sender_message_id.toString()} messageId: ${enc[i].metadata.chat_message_id.toString()}`
+					);
+					const plaintextMessageContent = await decryptMessageContent(
+						chatId,
+						BigInt(enc[i].metadata.vetkey_epoch),
+						BigInt(enc[i].metadata.symmetric_key_epoch),
+						enc[i].metadata.sender,
+						new Uint8Array(enc[i].content),
+						enc[i].metadata.sender_message_id
+					);
+					enc[i].content = plaintextMessageContent;
+					mapped.push(toUiMessage(chatIdToString(chatId), enc[i]));
+				} catch (error) {
+					if (error instanceof Error && error.message.startsWith('Wrong vetKey epoch')) {
+						console.info(
+							"Can't decrypt messages at or earlier than vetkey epoch ",
+							enc[i].metadata.vetkey_epoch,
+							' for chat ',
+							chatIdStr,
+							': ',
+							error
+						);
+					} else {
+						console.error(
+							'loadChatMessages: Failed to decrypt message ',
+							enc[i].metadata.sender_message_id,
+							' for chat ',
+							chatIdStr,
+							': ',
+							error
+						);
+					}
+				}
 			}
+			mapped.reverse();
 			if (mapped.length !== 0) {
 				console.log('loadChatMessages: mapped:', stringifyBigInt(mapped));
 			} else {
@@ -481,28 +525,28 @@ export const chatActions = {
 		const actor = getActor();
 		if (!actor) throw new Error('Not authenticated');
 
-		// get the latest vetkey epoch metadata from chats
-		const vetKeyEpoch =
-			chats.state.find((c) => chatIdToString(c.id) === chatIdToString(chatId))?.vetKeyEpoch ?? 0n;
-
-		const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(vetKeyEpoch));
-
 		let repetitions = 0;
-		const MAX_REPETITIONS = 10;
+		const MAX_RETRIES = 10;
 
 		// reencrypt and resend the message if vetkey or symmetric key epoch has changed
-		while (repetitions < MAX_REPETITIONS) {
+		while (repetitions < MAX_RETRIES) {
 			if (auth.state.label !== 'initialized') {
 				throw new Error('Unexpectedly not authenticated');
 			}
 			const myPrincipal = auth.state.client.getIdentity().getPrincipal();
 
 			try {
+				// get the latest vetkey epoch metadata from chats
+				const vetKeyEpoch =
+					chats.state.find((c) => chatIdToString(c.id) === chatIdToString(chatId))?.vetKeyEpoch ??
+					0n;
+
+				const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(vetKeyEpoch));
+
 				const vetKeyEpochMeta =
 					chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
 				if (vetKeyEpochMeta?.status !== 'ready') {
-					console.error('Failed to get vetkey epoch metadata for chat:', chatId);
-					return;
+					throw new Error('Failed to get vetkey epoch metadata for chat: ' + chatIdVetKeyEpochStr);
 				}
 				const vetKeyEpochId = vetKeyEpochMeta.metadata.epoch_id;
 				const elapsedSinceVetKeyEpoch =
@@ -545,19 +589,24 @@ export const chatActions = {
 			} catch (error) {
 				if (error instanceof Error && error.message.startsWith('Wrong symmetric key epoch')) {
 					console.info(
-						`Failed to send message - wrong symmetric key epoch in message: ${error.message}`
+						`Retrying failed to send message - wrong symmetric key epoch in message: ${error.message}`
 					);
 					await new Promise((resolve) => setTimeout(resolve, 1000));
 					repetitions++;
 					continue;
 				} else if (error instanceof Error && error.message.startsWith('Wrong vetKey epoch')) {
 					console.info(
-						`Failed to send message - wrong symmetric key epoch in message: ${error.message}`
+						`Retrying failed to send message - wrong vetKey key epoch in message: ${error.message}`
 					);
 
 					const result = await chatAPI.getLatestVetKeyEpochMetadata(actor, chatId);
 					const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(result.epoch_id));
 					if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(chatIdVetKeyEpochStr)) {
+						console.log(
+							'chatIdVetKeyEpochStringToVetKeyEpochMetadata missing ',
+							chatIdVetKeyEpochStr,
+							' -- adding a promise to fetch it'
+						);
 						chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
 							status: 'missing'
 						});
@@ -565,14 +614,20 @@ export const chatActions = {
 					await new Promise((resolve) => setTimeout(resolve, 1000));
 					repetitions++;
 					continue;
-				} else {
-					console.error('Failed to send message:', error);
+				} else if (repetitions >= MAX_RETRIES) {
+					console.error('Failed to send message after ', MAX_RETRIES, ' retries:', error);
 					chatActions.addNotification({
 						type: 'error',
 						title: 'Send Error',
 						message: 'Failed to send message. Please try again.',
 						isDismissible: true
 					});
+					break;
+				} else {
+					console.error('Retrying failed to send message: ', error);
+					await new Promise((resolve) => setTimeout(resolve, 1000));
+					repetitions++;
+					continue;
 				}
 			}
 		}
@@ -853,361 +908,7 @@ async function ensureVetKeyEpochMetadata(
 	}
 }
 
-async function fastForwardSymmetricRatchetWithoutSavingUntil(
-	chatId: ChatId,
-	currentVetkeyEpoch: bigint,
-	neededSymmetricKeyEpoch: bigint
-): Promise<DerivedKeyMaterial> {
-	const mapKey = chatIdVetKeyEpochToString(chatId, currentVetkeyEpoch);
-	const cur = chatIdStringToEpochKeyState.get(mapKey);
-	if (!cur) {
-		throw new Error('Bug: failed to get epoch key');
-	}
-	if (cur.status !== 'ready') {
-		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
-	}
-	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
-	if (currentSymmetricKeyEpoch >= neededSymmetricKeyEpoch) {
-		return DerivedKeyMaterial.fromCryptoKey(key);
-	}
-
-	let derivedKeyState = { epochKey: key, symmetricKeyEpoch: currentSymmetricKeyEpoch };
-	while (derivedKeyState.symmetricKeyEpoch < neededSymmetricKeyEpoch) {
-		derivedKeyState = {
-			epochKey: await deriveNextEpochKey(
-				derivedKeyState.epochKey,
-				derivedKeyState.symmetricKeyEpoch
-			),
-			symmetricKeyEpoch: derivedKeyState.symmetricKeyEpoch + 1n
-		};
-	}
-	return DerivedKeyMaterial.fromCryptoKey(derivedKeyState.epochKey);
-}
-
-async function ensureRootKey(actor: ActorSubclass<_SERVICE>, chatId: ChatId, epochId: bigint) {
-	const chatIdStr = chatIdToString(chatId);
-	const mapKey = `${chatIdStr}/${epochId.toString()}`;
-	const cur = chatIdStringToEpochKeyState.get(mapKey);
-
-	if (cur?.status === 'loading') {
-		await cur.promise
-			.then(({ key, symmetricKeyEpoch }) => {
-				console.log('ensureRootKey ready', chatIdStr);
-				chatIdStringToEpochKeyState.set(mapKey, {
-					status: 'ready',
-					symmetricKeyEpoch,
-					key
-				});
-			})
-			.catch((error) => {
-				console.log('ensureRootKey error', chatIdStr);
-				chatIdStringToEpochKeyState.set(mapKey, {
-					status: 'error',
-					error: error instanceof Error ? error.message : 'Unknown error'
-				});
-				throw error;
-			});
-	}
-}
-
-async function symmetricRatchetUntil(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint
-) {
-	while ((await getCurrentSymmetricEpoch(chatId, vetkeyEpoch)) < symmetricKeyEpoch) {
-		try {
-			const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
-			const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-			chatIdStringToEpochKeyState.set(mapKey, {
-				status: 'ready',
-				symmetricKeyEpoch: currentSymmetricEpoch + 1n,
-				key: await symmetricRatchet(chatId, vetkeyEpoch, currentSymmetricEpoch)
-			});
-		} catch (error) {
-			console.warn('symmetricRatchetUntil: ', error);
-		}
-	}
-}
-
-async function symmetricRatchet(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	expectedSymmetricKeyEpoch: bigint
-) {
-	const chatIdStr = chatIdToString(chatId);
-	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-	const cur = chatIdStringToEpochKeyState.get(mapKey);
-	console.log(
-		`symmetricRatchet: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} expectedSymmetricKeyEpoch: ${expectedSymmetricKeyEpoch.toString()}`
-	);
-	if (!cur) {
-		throw new Error('Bug: failed to get epoch key');
-	}
-	if (cur.status !== 'ready') {
-		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
-	}
-	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
-	if (currentSymmetricKeyEpoch !== expectedSymmetricKeyEpoch) {
-		throw new Error(
-			`Failed to send message: wrong symmetric key epoch in message: expected ${expectedSymmetricKeyEpoch} but got ${currentSymmetricKeyEpoch}`
-		);
-	}
-
-	return await deriveNextEpochKey(key, currentSymmetricKeyEpoch);
-}
-
-async function deriveNextEpochKey(
-	epochKey: CryptoKey,
-	currentSymmetricKeyEpoch: bigint
-): Promise<CryptoKey> {
-	console.log(`deriveNextEpochKey: ${currentSymmetricKeyEpoch.toString()}`);
-	const exportable = false;
-	const domainSeparator = new Uint8Array([
-		...DOMAIN_RATCHET_STEP,
-		...uBigIntTo8ByteUint8ArrayBigEndian(currentSymmetricKeyEpoch)
-	]);
-	const algorithm = {
-		name: 'HKDF',
-		hash: 'SHA-256',
-		length: 32 * 8,
-		info: domainSeparator,
-		salt: new Uint8Array()
-	};
-
-	const rawKey = await globalThis.crypto.subtle.deriveBits(algorithm, epochKey, 8 * 32);
-
-	return await globalThis.crypto.subtle.importKey('raw', rawKey, algorithm, exportable, [
-		'deriveKey',
-		'deriveBits'
-	]);
-}
-
 // Initialize on module load (browser only)
 if (typeof window !== 'undefined') {
 	void chatActions.initialize();
 }
-
-async function getCurrentSymmetricEpoch(chatId: ChatId, vetkeyEpoch: bigint): Promise<bigint> {
-	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-	while (true) {
-		const cur = chatIdStringToEpochKeyState.get(mapKey);
-		if (cur?.status === 'ready') {
-			return cur.symmetricKeyEpoch;
-		}
-		await new Promise((resolve) => setTimeout(resolve, 100));
-	}
-}
-
-async function getSymmetricEpochKey(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint
-): Promise<DerivedKeyMaterial> {
-	const chatIdStr = chatIdToString(chatId);
-	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-	let cur: KeyState | undefined = undefined; // wait in a loop with timeout till we get the key
-
-	console.log(
-		`getSymmetricEpochKey: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} symmetricKeyEpoch: ${symmetricKeyEpoch.toString()}`
-	);
-
-	const startTime = Date.now();
-	while (!cur || cur.status !== 'ready') {
-		cur = chatIdStringToEpochKeyState.get(mapKey);
-		if (cur && cur.status === 'error') {
-			throw new Error('Failed to get epoch key: ' + cur.error);
-		}
-		if (!cur || cur.status !== 'ready') {
-			if (Date.now() - startTime > 30000) {
-				chatActions.addNotification({
-					type: 'error',
-					title: 'Load Error',
-					message: 'Failed to load messages for this chat.',
-					isDismissible: true
-				});
-				throw new Error('Failed to send message: failed to get epoch key after 30 seconds');
-			}
-			await new Promise((resolve) => setTimeout(resolve, 100));
-		}
-	}
-	if (!cur) {
-		throw new Error('Bug: failed to get epoch key');
-	}
-
-	const { key, symmetricKeyEpoch: symmetricKeyEpochKeyState } = cur;
-
-	if (symmetricKeyEpochKeyState !== symmetricKeyEpoch) {
-		throw new Error(
-			`Failed to send message: wrong symmetric key epoch in message: expected ${symmetricKeyEpoch} but got ${symmetricKeyEpochKeyState}`
-		);
-	}
-
-	return DerivedKeyMaterial.fromCryptoKey(key);
-}
-
-async function encryptMessageContent(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint,
-	sender: Principal,
-	plaintextMessageContent: Uint8Array,
-	userMessageId: bigint
-): Promise<Uint8Array> {
-	const epochKey = await fastForwardSymmetricRatchetWithoutSavingUntil(
-		chatId,
-		vetkeyEpoch,
-		symmetricKeyEpoch
-	);
-	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
-	return await epochKey.encryptMessage(plaintextMessageContent, domainSeparator);
-}
-
-async function decryptMessageContent(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint,
-	sender: Principal,
-	encryptedMessageContent: Uint8Array,
-	userMessageId: bigint
-): Promise<Uint8Array> {
-	console.log(
-		`decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${vetkeyEpoch.toString()} symmetricKeyEpoch: ${symmetricKeyEpoch.toString()} sender: ${sender.toText()} userMessageId: ${userMessageId.toString()}`
-	);
-	const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
-	if (currentSymmetricEpoch < symmetricKeyEpoch) {
-		await symmetricRatchetUntil(chatId, vetkeyEpoch, symmetricKeyEpoch);
-	}
-	const epochKey = await getSymmetricEpochKey(chatId, vetkeyEpoch, symmetricKeyEpoch);
-	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
-	return await epochKey.decryptMessage(encryptedMessageContent, domainSeparator).catch((error) => {
-		console.error(
-			`decryptMessageContent: failed to decrypt message in chat ${chatIdToString(chatId)} for vetkeyEpoch ${vetkeyEpoch.toString()} and symmetricKeyEpoch: ${symmetricKeyEpoch.toString()} from sender ${sender.toText()} with userMessageId ${userMessageId.toString()}`,
-			error
-		);
-		return new TextEncoder().encode('<decryption failed>');
-	});
-}
-
-export function messageEncryptionDomainSeparator(sender: Principal, messageId: bigint): Uint8Array {
-	return new Uint8Array([
-		...DOMAIN_MESSAGE_ENCRYPTION,
-		...sender.toUint8Array(),
-		...uBigIntTo8ByteUint8ArrayBigEndian(messageId)
-	]);
-}
-
-async function reshareIbeEncryptedVetKeys(
-	actor: ActorSubclass<_SERVICE>,
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	otherParticipants: Principal[],
-	vetKeyBytes: Uint8Array
-): Promise<void> {
-	if (otherParticipants.length > 0) {
-		console.log(
-			'reshareIbeEncryptedVetkeys: ',
-			chatId,
-			vetkeyEpoch,
-			otherParticipants,
-			vetKeyBytes
-		);
-		// try to reshare with other participants
-		return await Promise.all(
-			otherParticipants.map(async (p) => {
-				const ibePublicKey = DerivedPublicKey.deserialize(
-					new Uint8Array(await actor.get_vetkey_resharing_ibe_encryption_key(p))
-				);
-				const ibeIdentity = IbeIdentity.fromBytes(new Uint8Array());
-				const ibeSeed = IbeSeed.random();
-				const ibeCiphertext = IbeCiphertext.encrypt(
-					ibePublicKey,
-					ibeIdentity,
-					vetKeyBytes,
-					ibeSeed
-				);
-				const ibeCiphertextBytes = ibeCiphertext.serialize();
-				const result: [Principal, Uint8Array<ArrayBufferLike>] = [p, ibeCiphertextBytes];
-				return result;
-			})
-		).then(async (ibeEncryptedVetKeysPromise) => {
-			await actor
-				.reshare_ibe_encrypted_vetkeys(chatId, vetkeyEpoch, ibeEncryptedVetKeysPromise)
-				.then((result) => {
-					if ('Ok' in result) {
-						console.log(
-							`Successfully resharded IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}`
-						);
-					} else {
-						console.info(
-							`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}: `,
-							result.Err
-						);
-					}
-				});
-		});
-	} else {
-		console.log('no other participants to reshare vetKey with');
-	}
-}
-
-async function fetchResharedIbeEncryptedVetKeys(
-	actor: ActorSubclass<_SERVICE>,
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	myPrincipal: Principal
-): Promise<Uint8Array> {
-	console.log('fetchResharedIbeEncryptedVetKeys: ', chatId, vetkeyEpoch, myPrincipal);
-	const tsk = TransportSecretKey.random();
-	const myResharedIbeEncryptedVetkey = await actor.get_my_reshared_ibe_encrypted_vetkey(
-		chatId,
-		vetkeyEpoch
-	);
-	if ('Err' in myResharedIbeEncryptedVetkey) {
-		throw new Error(
-			'Failed to get my reshared IBE encrypted vetkey: ' + myResharedIbeEncryptedVetkey.Err
-		);
-	} else if (myResharedIbeEncryptedVetkey.Ok.length === 0) {
-		throw new Error('Failed to get my reshared IBE encrypted vetkey: no reshared vetkey');
-	}
-	const ibeCiphertext = IbeCiphertext.deserialize(
-		new Uint8Array(myResharedIbeEncryptedVetkey.Ok[0])
-	);
-
-	const publicIbeKeyBytes = await actor.get_vetkey_resharing_ibe_encryption_key(myPrincipal);
-	const publicIbeKey = DerivedPublicKey.deserialize(new Uint8Array(publicIbeKeyBytes));
-
-	// TODO:cache this key
-	const privateEncryptedIbeKeyBytes = await actor.get_vetkey_resharing_ibe_decryption_key(
-		tsk.publicKeyBytes()
-	);
-	const encryptedVetKey = EncryptedVetKey.deserialize(new Uint8Array(privateEncryptedIbeKeyBytes));
-	const privateIbeKey = encryptedVetKey.decryptAndVerify(tsk, publicIbeKey, new Uint8Array());
-
-	const ibePlaintext = ibeCiphertext.decrypt(privateIbeKey);
-	return ibePlaintext;
-}
-
-function deriveRootKeyAndDispatchCaching(
-	actor: ActorSubclass<_SERVICE>,
-	chatId: ChatId,
-	vetKeyEpoch: bigint,
-	vetKeyBytes: Uint8Array
-): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
-	const rootKey = deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
-	console.log(
-		`Computed rootKey=${stringifyBigInt(rootKey)} from vetKey=${stringifyBigInt(vetKeyBytes)}`
-	);
-
-	console.log('starting to store the root key in cache: ', rootKey);
-	const vetKeyEncryptedCache = new VetKeyEncryptedCacheManager(getMyPrincipal(), actor);
-	const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
-	// await this future in background
-	vetKeyEncryptedCache.encryptAndStoreFor(chatId, vetKeyEpoch, keyState).catch((error) => {
-		console.error(
-			`Failed to store root key in cache for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
-			error
-		);
-	});
-	return keyState;
-}
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts
new file mode 100644
index 00000000..da52cce1
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts
@@ -0,0 +1,403 @@
+import {
+	chatIdToString,
+	chatIdVetKeyEpochToString,
+	sizePrefixedBytesFromString,
+	stringifyBigInt,
+	uBigIntTo8ByteUint8ArrayBigEndian
+} from '$lib/utils';
+import { Principal } from '@dfinity/principal';
+import {
+	DerivedKeyMaterial,
+	DerivedPublicKey,
+	deriveSymmetricKey,
+	EncryptedVetKey,
+	IbeCiphertext,
+	IbeIdentity,
+	IbeSeed,
+	TransportSecretKey
+} from '@dfinity/vetkeys';
+import type { _SERVICE, ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { SvelteMap } from 'svelte/reactivity';
+import type { ActorSubclass } from '@dfinity/agent';
+import { getMyPrincipal } from './auth.svelte';
+import { EncryptedCacheManager } from '../types';
+
+const DOMAIN_RATCHET_INIT = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-init');
+const DOMAIN_RATCHET_STEP = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-step');
+const DOMAIN_MESSAGE_ENCRYPTION = sizePrefixedBytesFromString(
+	'ic-vetkeys-chat-example-message-encryption'
+);
+
+type KeyState =
+	| { status: 'missing' }
+	| { status: 'loading'; promise: Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> }
+	| { status: 'ready'; symmetricKeyEpoch: bigint; key: CryptoKey }
+	| { status: 'error'; error: string };
+
+export const chatIdStringToEpochKeyState = new SvelteMap<string, KeyState>();
+
+export async function ensureRootKey(chatId: ChatId, epochId: bigint) {
+	const chatIdStr = chatIdToString(chatId);
+	const mapKey = `${chatIdStr}/${epochId.toString()}`;
+	const cur = chatIdStringToEpochKeyState.get(mapKey);
+
+	if (cur?.status === 'loading') {
+		await cur.promise
+			.then(({ key, symmetricKeyEpoch }) => {
+				console.log('ensureRootKey ready', chatIdStr);
+				chatIdStringToEpochKeyState.set(mapKey, {
+					status: 'ready',
+					symmetricKeyEpoch,
+					key
+				});
+			})
+			.catch((error) => {
+				console.log('ensureRootKey error', chatIdStr);
+				chatIdStringToEpochKeyState.set(mapKey, {
+					status: 'error',
+					error: error instanceof Error ? error.message : 'Unknown error'
+				});
+				throw error;
+			});
+	}
+}
+
+async function getCurrentSymmetricEpoch(chatId: ChatId, vetkeyEpoch: bigint): Promise<bigint> {
+	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
+	console.log(
+		`getCurrentSymmetricEpoch: ${chatIdToString(chatId)} vetkeyEpoch: ${vetkeyEpoch.toString()}`
+	);
+	while (true) {
+		const cur = chatIdStringToEpochKeyState.get(mapKey);
+		if (cur === undefined) {
+			console.log(
+				`getCurrentSymmetricEpoch: no vetKey state for ${vetkeyEpoch.toString()} for chat ${chatIdToString(chatId)} in  chatIdStringToEpochKeyState -- adding a missing entry`
+			);
+			chatIdStringToEpochKeyState.set(mapKey, {
+				status: 'missing'
+			});
+		} else if (cur.status === 'ready') {
+			return cur.symmetricKeyEpoch;
+		}
+		await new Promise((resolve) => setTimeout(resolve, 100));
+	}
+}
+
+async function getSymmetricEpochKey(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint
+): Promise<DerivedKeyMaterial> {
+	const chatIdStr = chatIdToString(chatId);
+	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
+	let cur: KeyState | undefined = undefined; // wait in a loop with timeout till we get the key
+
+	console.log(
+		`getSymmetricEpochKey: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} symmetricKeyEpoch: ${symmetricKeyEpoch.toString()}`
+	);
+
+	const startTime = Date.now();
+	while (!cur || cur.status !== 'ready') {
+		cur = chatIdStringToEpochKeyState.get(mapKey);
+		if (cur && cur.status === 'error') {
+			throw new Error('Failed to get epoch key: ' + cur.error);
+		}
+		if (!cur || cur.status !== 'ready') {
+			if (Date.now() - startTime > 30000) {
+				throw new Error('Failed to send message: failed to get epoch key after 30 seconds');
+			}
+			await new Promise((resolve) => setTimeout(resolve, 100));
+		}
+	}
+	if (!cur) {
+		throw new Error('Bug: failed to get epoch key');
+	}
+
+	const { key, symmetricKeyEpoch: symmetricKeyEpochKeyState } = cur;
+
+	if (symmetricKeyEpochKeyState !== symmetricKeyEpoch) {
+		throw new Error(
+			`Failed to send message: wrong symmetric key epoch in message: expected ${symmetricKeyEpoch} but got ${symmetricKeyEpochKeyState}`
+		);
+	}
+
+	return DerivedKeyMaterial.fromCryptoKey(key);
+}
+
+export async function reshareIbeEncryptedVetKeys(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	otherParticipants: Principal[],
+	vetKeyBytes: Uint8Array
+): Promise<void> {
+	if (otherParticipants.length > 0) {
+		console.log(
+			'reshareIbeEncryptedVetkeys: ',
+			chatId,
+			vetkeyEpoch,
+			otherParticipants,
+			vetKeyBytes
+		);
+		// try to reshare with other participants
+		return await Promise.all(
+			otherParticipants.map(async (p) => {
+				const ibePublicKey = DerivedPublicKey.deserialize(
+					new Uint8Array(await actor.get_vetkey_resharing_ibe_encryption_key(p))
+				);
+				const ibeIdentity = IbeIdentity.fromBytes(new Uint8Array());
+				const ibeSeed = IbeSeed.random();
+				const ibeCiphertext = IbeCiphertext.encrypt(
+					ibePublicKey,
+					ibeIdentity,
+					vetKeyBytes,
+					ibeSeed
+				);
+				const ibeCiphertextBytes = ibeCiphertext.serialize();
+				const result: [Principal, Uint8Array<ArrayBufferLike>] = [p, ibeCiphertextBytes];
+				return result;
+			})
+		).then(async (ibeEncryptedVetKeysPromise) => {
+			await actor
+				.reshare_ibe_encrypted_vetkeys(chatId, vetkeyEpoch, ibeEncryptedVetKeysPromise)
+				.then((result) => {
+					if ('Ok' in result) {
+						console.log(
+							`Successfully resharded IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}`
+						);
+					} else {
+						console.info(
+							`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}: `,
+							result.Err
+						);
+					}
+				});
+		});
+	} else {
+		console.log('no other participants to reshare vetKey with');
+	}
+}
+
+export async function fetchResharedIbeEncryptedVetKeys(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	myPrincipal: Principal
+): Promise<Uint8Array> {
+	console.log('fetchResharedIbeEncryptedVetKeys: ', chatId, vetkeyEpoch, myPrincipal);
+	const tsk = TransportSecretKey.random();
+	const myResharedIbeEncryptedVetkey = await actor.get_my_reshared_ibe_encrypted_vetkey(
+		chatId,
+		vetkeyEpoch
+	);
+	if ('Err' in myResharedIbeEncryptedVetkey) {
+		throw new Error(
+			'Failed to get my reshared IBE encrypted vetkey: ' + myResharedIbeEncryptedVetkey.Err
+		);
+	} else if (myResharedIbeEncryptedVetkey.Ok.length === 0) {
+		throw new Error('Failed to get my reshared IBE encrypted vetkey: no reshared vetkey');
+	}
+	const ibeCiphertext = IbeCiphertext.deserialize(
+		new Uint8Array(myResharedIbeEncryptedVetkey.Ok[0])
+	);
+
+	const publicIbeKeyBytes = await actor.get_vetkey_resharing_ibe_encryption_key(myPrincipal);
+	const publicIbeKey = DerivedPublicKey.deserialize(new Uint8Array(publicIbeKeyBytes));
+
+	// TODO:cache this key
+	const privateEncryptedIbeKeyBytes = await actor.get_vetkey_resharing_ibe_decryption_key(
+		tsk.publicKeyBytes()
+	);
+	const encryptedVetKey = EncryptedVetKey.deserialize(new Uint8Array(privateEncryptedIbeKeyBytes));
+	const privateIbeKey = encryptedVetKey.decryptAndVerify(tsk, publicIbeKey, new Uint8Array());
+
+	const ibePlaintext = ibeCiphertext.decrypt(privateIbeKey);
+	return ibePlaintext;
+}
+
+export function deriveRootKeyAndDispatchCaching(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId,
+	vetKeyEpoch: bigint,
+	vetKeyBytes: Uint8Array
+): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
+	const rootKey = deriveRootKeyBytes(vetKeyBytes);
+	console.log(
+		`Computed rootKey=${stringifyBigInt(rootKey)} from vetKey=${stringifyBigInt(vetKeyBytes)}`
+	);
+
+	console.log('starting to store the root key in cache: ', rootKey);
+	const vetKeyEncryptedCache = new EncryptedCacheManager(getMyPrincipal(), actor);
+	const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
+	// await this future in background
+	vetKeyEncryptedCache.encryptAndStoreFor(chatId, vetKeyEpoch, keyState).catch((error) => {
+		console.error(
+			`Failed to store root key in cache for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
+			error
+		);
+	});
+	return keyState;
+}
+
+export async function deriveNextEpochKey(
+	epochKey: CryptoKey,
+	currentSymmetricKeyEpoch: bigint
+): Promise<CryptoKey> {
+	console.log(`deriveNextEpochKey: ${currentSymmetricKeyEpoch.toString()}`);
+	const exportable = false;
+	const domainSeparator = new Uint8Array([
+		...DOMAIN_RATCHET_STEP,
+		...uBigIntTo8ByteUint8ArrayBigEndian(currentSymmetricKeyEpoch)
+	]);
+	const algorithm = {
+		name: 'HKDF',
+		hash: 'SHA-256',
+		length: 32 * 8,
+		info: domainSeparator,
+		salt: new Uint8Array()
+	};
+
+	const rawKey = await globalThis.crypto.subtle.deriveBits(algorithm, epochKey, 8 * 32);
+
+	return await globalThis.crypto.subtle.importKey('raw', rawKey, algorithm, exportable, [
+		'deriveKey',
+		'deriveBits'
+	]);
+}
+
+async function symmetricRatchet(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	expectedSymmetricKeyEpoch: bigint
+) {
+	const chatIdStr = chatIdToString(chatId);
+	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
+	const cur = chatIdStringToEpochKeyState.get(mapKey);
+	console.log(
+		`symmetricRatchet: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} expectedSymmetricKeyEpoch: ${expectedSymmetricKeyEpoch.toString()}`
+	);
+	if (!cur) {
+		throw new Error('Bug: failed to get epoch key');
+	}
+	if (cur.status !== 'ready') {
+		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
+	}
+	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
+	if (currentSymmetricKeyEpoch !== expectedSymmetricKeyEpoch) {
+		throw new Error(
+			`Failed to send message: wrong symmetric key epoch in message: expected ${expectedSymmetricKeyEpoch} but got ${currentSymmetricKeyEpoch}`
+		);
+	}
+
+	return await deriveNextEpochKey(key, currentSymmetricKeyEpoch);
+}
+
+async function symmetricRatchetUntil(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint
+) {
+	while ((await getCurrentSymmetricEpoch(chatId, vetkeyEpoch)) < symmetricKeyEpoch) {
+		try {
+			const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
+			const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
+			chatIdStringToEpochKeyState.set(mapKey, {
+				status: 'ready',
+				symmetricKeyEpoch: currentSymmetricEpoch + 1n,
+				key: await symmetricRatchet(chatId, vetkeyEpoch, currentSymmetricEpoch)
+			});
+		} catch (error) {
+			console.warn('symmetricRatchetUntil: ', error);
+		}
+	}
+}
+
+async function fastForwardSymmetricRatchetWithoutSavingUntil(
+	chatId: ChatId,
+	currentVetkeyEpoch: bigint,
+	neededSymmetricKeyEpoch: bigint
+): Promise<DerivedKeyMaterial> {
+	const mapKey = chatIdVetKeyEpochToString(chatId, currentVetkeyEpoch);
+	const cur = chatIdStringToEpochKeyState.get(mapKey);
+	if (!cur) {
+		throw new Error('Bug: failed to get epoch key');
+	}
+	if (cur.status !== 'ready') {
+		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
+	}
+	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
+	if (currentSymmetricKeyEpoch >= neededSymmetricKeyEpoch) {
+		return DerivedKeyMaterial.fromCryptoKey(key);
+	}
+
+	let derivedKeyState = { epochKey: key, symmetricKeyEpoch: currentSymmetricKeyEpoch };
+	while (derivedKeyState.symmetricKeyEpoch < neededSymmetricKeyEpoch) {
+		derivedKeyState = {
+			epochKey: await deriveNextEpochKey(
+				derivedKeyState.epochKey,
+				derivedKeyState.symmetricKeyEpoch
+			),
+			symmetricKeyEpoch: derivedKeyState.symmetricKeyEpoch + 1n
+		};
+	}
+	return DerivedKeyMaterial.fromCryptoKey(derivedKeyState.epochKey);
+}
+
+export async function encryptMessageContent(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint,
+	sender: Principal,
+	plaintextMessageContent: Uint8Array,
+	userMessageId: bigint
+): Promise<Uint8Array> {
+	const epochKey = await fastForwardSymmetricRatchetWithoutSavingUntil(
+		chatId,
+		vetkeyEpoch,
+		symmetricKeyEpoch
+	);
+	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
+	return await epochKey.encryptMessage(plaintextMessageContent, domainSeparator);
+}
+
+export async function decryptMessageContent(
+	chatId: ChatId,
+	vetkeyEpoch: bigint,
+	symmetricKeyEpoch: bigint,
+	sender: Principal,
+	encryptedMessageContent: Uint8Array,
+	userMessageId: bigint
+): Promise<Uint8Array> {
+	console.log(
+		`decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${vetkeyEpoch.toString()} symmetricKeyEpoch: ${symmetricKeyEpoch.toString()} sender: ${sender.toText()} userMessageId: ${userMessageId.toString()}`
+	);
+	const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
+	if (currentSymmetricEpoch < symmetricKeyEpoch) {
+		console.log(
+			'decryptMessageContent: advancing symmetric ratchet until symmetricKeyEpoch: ',
+			symmetricKeyEpoch
+		);
+		await symmetricRatchetUntil(chatId, vetkeyEpoch, symmetricKeyEpoch);
+	}
+	const epochKey = await getSymmetricEpochKey(chatId, vetkeyEpoch, symmetricKeyEpoch);
+	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
+	return await epochKey.decryptMessage(encryptedMessageContent, domainSeparator).catch((error) => {
+		console.error(
+			`decryptMessageContent: failed to decrypt message in chat ${chatIdToString(chatId)} for vetkeyEpoch ${vetkeyEpoch.toString()} and symmetricKeyEpoch: ${symmetricKeyEpoch.toString()} from sender ${sender.toText()} with userMessageId ${userMessageId.toString()}`,
+			error
+		);
+		return new TextEncoder().encode('<decryption failed>');
+	});
+}
+
+export function messageEncryptionDomainSeparator(sender: Principal, messageId: bigint): Uint8Array {
+	return new Uint8Array([
+		...DOMAIN_MESSAGE_ENCRYPTION,
+		...sender.toUint8Array(),
+		...uBigIntTo8ByteUint8ArrayBigEndian(messageId)
+	]);
+}
+
+export function deriveRootKeyBytes(vetKeyBytes: Uint8Array): Uint8Array {
+	return deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index eb9d0bb2..1e0e4dc8 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -298,7 +298,7 @@ function serializeChatId(chatId: ChatId): Uint8Array {
 	}
 }
 
-export class VetKeyEncryptedCache {
+export class EncryptedCacheManager {
 	#encryptedMaps: EncryptedMaps;
 	#myPrincipal: Principal;
 	#actor: ActorSubclass<_SERVICE>;
diff --git a/examples/encrypted_chat/frontend/src/lib/utils/index.ts b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
new file mode 100644
index 00000000..06b99a27
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
@@ -0,0 +1,65 @@
+import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { Principal } from '@dfinity/principal';
+
+export function chatIdToString(chatId: ChatId): string {
+	if ('Group' in chatId) return `group/${chatId.Group.toString()}`;
+	const [a, b] = chatId.Direct;
+	return `direct/${a.toString()}/${b.toString()}`;
+}
+
+export function chatIdFromString(str: string): ChatId {
+	if (typeof str !== 'string') throw new Error('chatIdStr is not a string but ' + typeof str);
+	if (str.startsWith('group/')) return { Group: BigInt(str.slice(6)) };
+	const [a, b] = str.split('/').slice(1);
+	return { Direct: [Principal.fromText(a), Principal.fromText(b)] };
+}
+
+export function chatIdVetKeyEpochToString(chatId: ChatId, vetKeyEpoch: bigint): string {
+	return chatIdToString(chatId) + '/' + vetKeyEpoch.toString();
+}
+
+export function chatIdVetKeyEpochFromString(str: string): { chatId: ChatId; vetKeyEpoch: bigint } {
+	const vetKeyEpochStr = str.split('/').pop()!;
+	const chatIdStr = str.slice(0, str.lastIndexOf(`/${vetKeyEpochStr}`));
+	return { chatId: chatIdFromString(chatIdStr), vetKeyEpoch: BigInt(vetKeyEpochStr) };
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export function stringifyBigInt(value: any): string {
+	return JSON.stringify(value, (_key, value) => {
+		if (typeof value === 'bigint') {
+			return value.toString();
+		}
+		// eslint-disable-next-line @typescript-eslint/no-unsafe-return
+		return value;
+	});
+}
+
+export function uBigIntTo8ByteUint8ArrayBigEndian(value: bigint): Uint8Array {
+	if (value < 0n) throw new RangeError('Accpts only bigint n >= 0');
+
+	const bytes = new Uint8Array(8);
+	for (let i = 0; i < 8; i++) {
+		bytes[i] = Number((value >> BigInt(i * 8)) & 0xffn);
+	}
+	return bytes;
+}
+
+export function u8ByteUint8ArrayBigEndianToUBigInt(bytes: Uint8Array): bigint {
+	if (bytes.length !== 8) throw new Error('Expected 8 bytes');
+	let value = 0n;
+	for (let i = 0; i < 8; i++) {
+		value += BigInt(bytes[i]) << BigInt(i * 8);
+	}
+	return value;
+}
+
+export function sizePrefixedBytesFromString(text: string): Uint8Array {
+	const bytes = new TextEncoder().encode(text);
+	if (bytes.length > 255) {
+		throw new Error('Text is too long');
+	}
+	const size = new Uint8Array(1);
+	size[0] = bytes.length & 0xff;
+	return new Uint8Array([...size, ...bytes]);
+}
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 634ccc5a..37469a07 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -501,6 +501,8 @@ fn get_my_chat_ids() -> Vec<(ChatId, ChatMessageId)> {
                         ),
                     )
                 })
+                .collect::<std::collections::BTreeSet<_>>()
+                .into_iter()
                 .collect()
         })
     })

From ae9d00f870d633e9a4eb03e4956956a5e66c265d Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Mon, 18 Aug 2025 14:25:28 +0200
Subject: [PATCH 33/62] typos

---
 .../frontend/src/lib/components/NewChatModal.svelte         | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
index 2ee6e2e5..ef0ce5aa 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
@@ -83,7 +83,7 @@
 					</label>
 					<div class="grid grid-cols-2 gap-3">
 						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Symmetric Key Rotation (min)</span>
+							<span class="mb-1 block font-medium">Symmetric Key Ratchet (min)</span>
 							<input
 								type="number"
 								min="0"
@@ -121,7 +121,7 @@
 					</label>
 					<div class="grid grid-cols-2 gap-3">
 						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Rotation (min)</span>
+							<span class="mb-1 block font-medium">Symmetric Key Ratchet (min)</span>
 							<input
 								type="number"
 								min="0"
@@ -130,7 +130,7 @@
 							/>
 						</label>
 						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Expiration (min)</span>
+							<span class="mb-1 block font-medium">Message Expiration (min)</span>
 							<input
 								type="number"
 								min="0"

From 16406be5acc347b717c7f4eb3d27cec750073c57 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Mon, 18 Aug 2025 14:25:59 +0200
Subject: [PATCH 34/62] rm obsolete debugging info

---
 .../encrypted_chat/frontend/src/lib/types/index.ts  | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index 1e0e4dc8..3d265e2c 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -183,19 +183,6 @@ class EncryptedMapsClientForEncryptedCache implements EncryptedMapsClient {
 		const result: { Ok: ByteBuf } | { Err: string } = {
 			Ok: { inner: data }
 		};
-		if (data.length !== 192) {
-			console.error(`get_encrypted_value: invalid data length: expected 192, got ${data.length}`);
-		}
-		if (result.Ok.inner.length !== 192) {
-			console.error(
-				`get_encrypted_value: invalid data length: expected 192, got ${result.Ok.inner.length}`
-			);
-		}
-		if ('Ok' in result) {
-			console.log(
-				`get_encrypted_vetkey: size=${result.Ok.inner.length}, value=${JSON.stringify(result.Ok.inner)}`
-			);
-		}
 		return Promise.resolve(result);
 	}
 

From 934dffc586b0b6eeeaaa44e56db1ea859eed0938 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 19 Aug 2025 19:33:14 +0200
Subject: [PATCH 35/62] wip

---
 .../src/lib/components/ChatHeader.svelte      |  57 +-
 .../src/lib/components/ChatInterface.svelte   |  16 +-
 .../src/lib/components/ChatList.svelte        |   4 +-
 .../src/lib/components/ChatListItem.svelte    |  19 +-
 .../components/GroupManagementModal.svelte    | 233 ++++----
 .../frontend/src/lib/components/Hero.svelte   |   2 +-
 .../src/lib/components/MessageHistory.svelte  |  29 +-
 .../lib/components/NotificationBanner.svelte  |   6 +-
 .../src/lib/components/UserProfile.svelte     |   2 +-
 .../lib/services/{api.ts => canisteApi.ts}    |  34 +-
 .../frontend/src/lib/services/chatStorage.ts  | 142 +++++
 .../frontend/src/lib/services/keyStorage.ts   |  47 ++
 .../src/lib/services/messageStorage.ts        | 122 ----
 .../frontend/src/lib/stores/auth.svelte.ts    |   2 +
 .../frontend/src/lib/stores/chat.svelte.ts    | 534 ++++++++++++------
 .../frontend/src/lib/stores/crypto.svelte.ts  | 103 +++-
 .../frontend/src/lib/types/index.ts           |  27 +-
 .../frontend/src/lib/utils/index.ts           |  32 ++
 .../encrypted_chat/rust/backend/backend.did   |   2 +
 .../encrypted_chat/rust/backend/src/lib.rs    |  77 +--
 .../rust/backend/tests/group_chat.rs          |   2 +-
 21 files changed, 923 insertions(+), 569 deletions(-)
 rename examples/encrypted_chat/frontend/src/lib/services/{api.ts => canisteApi.ts} (86%)
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
 delete mode 100644 examples/encrypted_chat/frontend/src/lib/services/messageStorage.ts

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index b384b8bf..20f66c5a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -3,27 +3,31 @@
 	import Button from './ui/Button.svelte';
 	import Card from './ui/Card.svelte';
 	import type { Chat, SymmetricRatchetStats, GroupChat } from '../types';
-	import { chatAPI } from '../services/api';
+	import { canisterAPI } from '../services/canisteApi';
 	import { chatActions } from '../stores/chat.svelte';
 	import GroupManagementModal from './GroupManagementModal.svelte';
 	import { Principal } from '@dfinity/principal';
+	import { chatIdFromString } from '$lib/utils';
 
-	export let chat: Chat;
-	export let showMobileBackButton = false;
-	export let onMobileBack: (() => void) | undefined = undefined;
+	const {
+		chat,
+		showMobileBackButton,
+		onMobileBack
+	}: { chat: Chat; showMobileBackButton: boolean; onMobileBack: (() => void) | undefined } =
+		$props();
 
-	let showChatInfo = false;
-	let ratchetStats: SymmetricRatchetStats | null = null;
-	let loadingRatchetStats = false;
-	let showGroupManagement = false;
+	let showChatInfo = $state(false);
+	let ratchetStats: SymmetricRatchetStats | null = $state(null);
+	let loadingRatchetStats = $state(false);
+	let showGroupManagement = $state(false);
 
 	// Reset state when chat changes
-	$: if (chat) {
+	$effect(() => {
 		showChatInfo = false;
 		ratchetStats = null;
 		loadingRatchetStats = false;
 		showGroupManagement = false;
-	}
+	});
 
 	function handleChatInfoToggle() {
 		showChatInfo = !showChatInfo;
@@ -37,7 +41,7 @@
 
 		loadingRatchetStats = true;
 		try {
-			ratchetStats = chatAPI.getRatchetStats();
+			ratchetStats = canisterAPI.getRatchetStats();
 		} catch (error) {
 			console.error('Failed to load ratchet stats:', error);
 		} finally {
@@ -68,13 +72,14 @@
 		}>
 	) {
 		const { addUsers, removeUsers, allowHistoryForNew } = event.detail;
+		console.log(`handleGroupManagementSave: ${JSON.stringify(event.detail)}`);
 
 		const addUsersPrincipal = addUsers.map((id) => Principal.fromText(id));
 		const removeUsersPrincipal = removeUsers.map((id) => Principal.fromText(id));
 
 		try {
 			await chatActions.updateGroupMembers(
-				chat.id,
+				chatIdFromString(chat.idStr),
 				addUsersPrincipal,
 				removeUsersPrincipal,
 				allowHistoryForNew
@@ -193,26 +198,10 @@
 				<div>
 					<h4 class="mb-2 font-medium">Encryption</h4>
 					<div class="space-y-2 text-sm">
-						<div class="flex justify-between">
-							<span class="text-surface-500-400">Ratchet epoch:</span>
-							<span>{chat.ratchetEpoch}</span>
-						</div>
 						<div class="flex justify-between">
 							<span class="text-surface-500-400">Last key rotation:</span>
 							<span>{formatDate(chat.keyRotationStatus.lastRotation)}</span>
 						</div>
-						<div class="flex justify-between">
-							<span class="text-surface-500-400">Next rotation:</span>
-							<span>{formatDate(chat.keyRotationStatus.nextRotation)}</span>
-						</div>
-						<div class="flex justify-between">
-							<span class="text-surface-500-400">Rotation needed:</span>
-							<span
-								class="text-{chat.keyRotationStatus.isRotationNeeded ? 'warning' : 'success'}-500"
-							>
-								{chat.keyRotationStatus.isRotationNeeded ? 'Yes' : 'No'}
-							</span>
-						</div>
 					</div>
 				</div>
 
@@ -253,7 +242,7 @@
 					<div class="col-span-full">
 						<h4 class="mb-2 font-medium">Participants</h4>
 						<div class="space-y-2">
-							{#each chat.participants as participant (participant.id)}
+							{#each chat.participants as participant (participant.principal)}
 								<div class="flex items-center gap-2 text-sm">
 									<div
 										class="avatar bg-primary-500 flex h-6 w-6 items-center justify-center rounded-full text-xs"
@@ -261,16 +250,6 @@
 										{participant.avatar || '👤'}
 									</div>
 									<span class="flex-1">{participant.name}</span>
-									<div class="flex items-center gap-1">
-										<div
-											class="h-2 w-2 rounded-full {participant.isOnline
-												? 'bg-success-500'
-												: 'bg-surface-400'}"
-										></div>
-										<span class="text-surface-500-400">
-											{participant.isOnline ? 'Online' : 'Offline'}
-										</span>
-									</div>
 								</div>
 							{/each}
 						</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
index 6236b75b..5bb750a3 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
@@ -4,16 +4,14 @@
 	import MessageHistory from './MessageHistory.svelte';
 	import MessageInput from './MessageInput.svelte';
 	import type { FileUpload } from '../types';
-	import { chatIdToString } from '$lib/utils';
-	
+	import { chatIdFromString, chatIdToString } from '$lib/utils';
+
 	let { isMobile, onMobileBack } = $props();
 
 	const selectedChat = $derived(
 		selectedChatId.state
 			? chats.state.find((chat) =>
-					selectedChatId.state
-						? chatIdToString(chat.id) === chatIdToString(selectedChatId.state)
-						: false
+					selectedChatId.state ? chat.idStr === chatIdToString(selectedChatId.state) : false
 				)
 			: null
 	);
@@ -34,7 +32,11 @@
 				data: arrayBuffer
 			};
 		}
-		await chatActions.sendMessage(selectedChat.id, content, fileData);
+		await chatActions.encryptAndSendMessage(
+			chatIdFromString(selectedChat.idStr),
+			content,
+			fileData
+		);
 	}
 </script>
 
@@ -47,7 +49,7 @@
 		<MessageHistory />
 
 		<!-- Message Input (keyed to reset input state per chat without remounting the whole pane) -->
-		{#key selectedChat.id}
+		{#key selectedChat.idStr}
 			<MessageInput
 				disabled={!selectedChat.isReady}
 				placeholder={selectedChat.isReady ? 'Type a message...' : 'Chat is not ready...'}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index 54a97a13..d3399959 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -57,11 +57,11 @@
 
 	<!-- Chat List -->
 	<div class="scrollbar-thin flex-1 overflow-y-auto p-2">
-		{#each chats.state as chat (chat.id)}
+		{#each chats.state as chat (chat.idStr)}
 			<ChatListItem
 				{chat}
 				isSelected={selectedChatId.state
-					? chatIdToString(selectedChatId.state) === chatIdToString(chat.id)
+					? chatIdToString(selectedChatId.state) === chat.idStr
 					: false}
 				on:select={(e: CustomEvent<string>) => (selectedChatId.state = chatIdFromString(e.detail))}
 			/>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
index 76263c5d..527a0b85 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -2,7 +2,6 @@
 	import { createEventDispatcher } from 'svelte';
 	import { Clock, Users, User, Loader2, AlertCircle, CheckCircle } from 'lucide-svelte';
 	import type { Chat } from '../types';
-	import { chatIdToString } from '$lib/utils';
 
 	export let chat: Chat;
 	export let isSelected = false;
@@ -12,21 +11,7 @@
 	}>();
 
 	function handleClick() {
-		dispatch('select', chatIdToString(chat.id));
-	}
-
-	function formatTime(date: Date): string {
-		const now = new Date();
-		const diff = now.getTime() - date.getTime();
-		const minutes = Math.floor(diff / (1000 * 60));
-		const hours = Math.floor(diff / (1000 * 60 * 60));
-		const days = Math.floor(diff / (1000 * 60 * 60 * 24));
-
-		if (minutes < 1) return 'now';
-		if (minutes < 60) return `${minutes}m`;
-		if (hours < 24) return `${hours}h`;
-		if (days < 7) return `${days}d`;
-		return date.toLocaleDateString();
+		dispatch('select', chat.idStr);
 	}
 
 	function getDisplayName(): string {
@@ -61,7 +46,7 @@
 				?????
 			</div>
 			<!-- Status indicator -->
-			<div class="absolute -right-1 -bottom-1">
+			<div class="absolute -bottom-1 -right-1">
 				<div
 					class="h-4 w-4 rounded-full {getStatusColor()} flex items-center justify-center shadow-sm"
 				>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index 3be5247a..eb5c3937 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -1,10 +1,9 @@
 <script lang="ts">
 	import { createEventDispatcher } from 'svelte';
 	import { UserMinus, X, Save, Users } from 'lucide-svelte';
-	import type { GroupChat, User } from '../types';
+	import type { GroupChat } from '../types';
 	import { getMyPrincipal } from '$lib/stores/auth.svelte';
 	import { Principal } from '@dfinity/principal';
-	import type { Principal as PrincipalType } from '@dfinity/principal';
 	import Card from './ui/Card.svelte';
 	import Button from './ui/Button.svelte';
 
@@ -53,6 +52,7 @@
 		(totalAddCount > 0 || selectedToRemove.length > 0) && invalidPrincipalTokens.length === 0;
 
 	function toggleRemoveUser(userId: string) {
+		console.log(`toggleRemoveUser: ${userId}`);
 		if (selectedToRemove.includes(userId)) {
 			selectedToRemove = selectedToRemove.filter((id) => id !== userId);
 		} else {
@@ -85,26 +85,28 @@
 		dispatch('close');
 	}
 
-	function canRemoveUser(userId: PrincipalType): boolean {
+	function canRemoveUser(userId: Principal): boolean {
 		// Can't remove current user or admin
-		return (
-			userId.toString() !== getMyPrincipal().toString() && userId.toString() !== groupChat.adminId
-		);
+		return userId.toText() !== getMyPrincipal().toText();
 	}
 </script>
 
 {#if show}
 	<!-- Backdrop -->
-	<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 backdrop-blur-sm p-4">
+	<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4 backdrop-blur-sm">
 		<!-- Modal -->
-		<Card class="w-full max-w-2xl rounded-xl shadow-2xl ring-1 ring-black/10 dark:ring-white/10 bg-white dark:bg-neutral-900">
+		<Card
+			class="w-full max-w-2xl rounded-xl bg-white shadow-2xl ring-1 ring-black/10 dark:bg-neutral-900 dark:ring-white/10"
+		>
 			<div class="p-6 md:p-8">
 				<!-- Header -->
-				<div class="mb-4 flex items-center justify-between border-b border-black/5 dark:border-white/10 pb-4">
+				<div
+					class="mb-4 flex items-center justify-between border-b border-black/5 pb-4 dark:border-white/10"
+				>
 					<div class="flex items-center gap-3">
 						<Users class="h-6 w-6" />
 						<h2 class="text-lg font-semibold">Manage Group</h2>
-						<span class="text-surface-600-300-token text-sm truncate">{groupChat.name}</span>
+						<span class="text-surface-600-300-token truncate text-sm">{groupChat.name}</span>
 					</div>
 					<button class="variant-ghost-surface btn-icon" onclick={handleClose} aria-label="Close">
 						<X class="h-5 w-5" />
@@ -113,123 +115,122 @@
 
 				<!-- Content -->
 				<div class="max-h-[60vh] space-y-6 overflow-y-auto">
-				<!-- Current Members -->
-				<div>
-					<h3 class="mb-3 font-semibold">Current Members ({groupChat.participants.length})</h3>
-					<div class="space-y-2">
-						{#each groupChat.participants as member (member.id)}
-							<div
-								class="bg-surface-200-700-token flex items-center justify-between rounded-lg p-3"
-							>
-								<div class="flex items-center gap-3">
-									<div
-										class="avatar bg-primary-500 flex h-8 w-8 items-center justify-center rounded-full text-sm"
-									>
-										{member.avatar || '👤'}
-									</div>
-									<div>
-										<p class="text-sm font-medium">{member.name}</p>
-										<div class="text-surface-600-300-token flex items-center gap-2 text-xs">
-											<div
-												class="h-2 w-2 rounded-full {member.isOnline
-													? 'bg-success-500'
-													: 'bg-surface-400'}"
-											></div>
-											{member.isOnline ? 'Online' : 'Offline'}
-											{#if member.id.toString() === groupChat.adminId}
-												<span class="bg-primary-500 rounded px-2 py-0.5 text-xs text-white"
-													>Admin</span
-												>
-											{/if}
-											{#if member.id.toString() === getMyPrincipal().toString()}
-												<span class="bg-surface-400 rounded px-2 py-0.5 text-xs text-white"
-													>You</span
-												>
-											{/if}
+					<!-- Current Members -->
+					<div>
+						<h3 class="mb-3 font-semibold">Current Members ({groupChat.participants.length})</h3>
+						<div class="space-y-2">
+							{#each groupChat.participants as member (member.principal)}
+								<div
+									class="bg-surface-200-700-token flex items-center justify-between rounded-lg p-3"
+								>
+									<div class="flex items-center gap-3">
+										<div
+											class="avatar bg-primary-500 flex h-8 w-8 items-center justify-center rounded-full text-sm"
+										>
+											{member.avatar || '👤'}
+										</div>
+										<div>
+											<p class="text-sm font-medium">{member.name}</p>
+											<div class="text-surface-600-300-token flex items-center gap-2 text-xs">
+												<div
+													class="h-2 w-2 rounded-full {member.isOnline
+														? 'bg-success-500'
+														: 'bg-surface-400'}"
+												></div>
+												{#if member.principal.toText() === getMyPrincipal().toText()}
+													<span class="bg-surface-400 rounded px-2 py-0.5 text-xs text-white"
+														>Me</span
+													>
+												{/if}
+											</div>
 										</div>
 									</div>
-								</div>
 
-								{#if canRemoveUser(member.id)}
-									<button
-										class="variant-ghost-error btn-icon"
-										onclick={() => toggleRemoveUser(member.id.toString())}
-										class:variant-filled-error={selectedToRemove.includes(member.id.toString())}
-										title="Remove from group"
-									>
-										<UserMinus class="h-4 w-4" />
-									</button>
-								{/if}
-							</div>
-						{/each}
-					</div>
-				</div>
-
-				<!-- Add by Principal Text Input -->
-				<div>
-					<h3 class="mb-3 font-semibold">Add by Principal</h3>
-					<div class="space-y-2">
-						<textarea
-							class="border-surface-300-600-token w-full rounded-lg border p-3 text-sm focus:outline-none"
-							class:border-error-500={invalidPrincipalTokens.length > 0}
-							rows="3"
-							bind:value={principalsInput}
-							placeholder="Enter one or more principals separated by commas or whitespace"
-						></textarea>
-
-						{#if invalidPrincipalTokens.length > 0}
-							<div class="text-error-500 text-xs">
-								Invalid principals:
-								<div class="mt-1 flex flex-wrap gap-1">
-									{#each invalidPrincipalTokens as t}
-										<span class="bg-error-500/10 text-error-600 rounded px-2 py-0.5">{t}</span>
-									{/each}
+									{#if canRemoveUser(member.principal)}
+										<button
+											class="variant-ghost-error btn-icon"
+											onclick={() => toggleRemoveUser(member.principal.toText())}
+											class:variant-filled-error={selectedToRemove.includes(
+												member.principal.toText()
+											)}
+											title="Remove from group"
+										>
+											<UserMinus class="h-4 w-4" />
+										</button>
+									{/if}
 								</div>
-							</div>
-						{:else if validPrincipalStrings.length > 0}
-							<div class="text-surface-600-300-token text-xs">
-								Will add {validPrincipalStrings.length} principal{validPrincipalStrings.length !== 1 ? 's' : ''}
-							</div>
-						{/if}
+							{/each}
+						</div>
 					</div>
-				</div>
 
-			<!-- Options -->
-			{#if totalAddCount > 0}
+					<!-- Add by Principal Text Input -->
 					<div>
-						<h3 class="mb-3 font-semibold">Options</h3>
-						<label
-							class="bg-surface-200-700-token flex cursor-pointer items-center gap-3 rounded-lg p-3"
-						>
-							<input type="checkbox" bind:checked={allowHistoryForNew} class="checkbox" />
-							<div>
-								<p class="text-sm font-medium">Allow new members to see chat history</p>
-								<p class="text-surface-600-300-token text-xs">
-									New members will be able to see messages sent before they joined
-								</p>
-							</div>
-						</label>
-					</div>
-				{/if}
+						<h3 class="mb-3 font-semibold">Add by Principal</h3>
+						<div class="space-y-2">
+							<textarea
+								class="border-surface-300-600-token w-full rounded-lg border p-3 text-sm focus:outline-none"
+								class:border-error-500={invalidPrincipalTokens.length > 0}
+								rows="3"
+								bind:value={principalsInput}
+								placeholder="Enter one or more principals separated by commas or whitespace"
+							></textarea>
 
-			<!-- Summary -->
-			{#if totalAddCount > 0 || selectedToRemove.length > 0}
-					<div class="border-primary-500/20 bg-primary-500/10 rounded-lg border p-4">
-						<h4 class="mb-2 text-sm font-semibold">Changes Summary</h4>
-						<div class="space-y-1 text-sm">
-						{#if totalAddCount > 0}
-								<p class="text-success-500">
-								+ {totalAddCount} member{totalAddCount !== 1 ? 's' : ''} to add
-								</p>
-							{/if}
-							{#if selectedToRemove.length > 0}
-								<p class="text-error-500">
-									- {selectedToRemove.length} member{selectedToRemove.length !== 1 ? 's' : ''} to remove
-								</p>
+							{#if invalidPrincipalTokens.length > 0}
+								<div class="text-error-500 text-xs">
+									Invalid principals:
+									<div class="mt-1 flex flex-wrap gap-1">
+										{#each invalidPrincipalTokens as t (t)}
+											<span class="bg-error-500/10 text-error-600 rounded px-2 py-0.5">{t}</span>
+										{/each}
+									</div>
+								</div>
+							{:else if validPrincipalStrings.length > 0}
+								<div class="text-surface-600-300-token text-xs">
+									Will add {validPrincipalStrings.length} principal{validPrincipalStrings.length !==
+									1
+										? 's'
+										: ''}
+								</div>
 							{/if}
 						</div>
 					</div>
-				{/if}
+
+					<!-- Options -->
+					{#if totalAddCount > 0}
+						<div>
+							<h3 class="mb-3 font-semibold">Options</h3>
+							<label
+								class="bg-surface-200-700-token flex cursor-pointer items-center gap-3 rounded-lg p-3"
+							>
+								<input type="checkbox" bind:checked={allowHistoryForNew} class="checkbox" />
+								<div>
+									<p class="text-sm font-medium">Allow new members to see chat history</p>
+									<p class="text-surface-600-300-token text-xs">
+										New members will be able to see messages sent before they joined
+									</p>
+								</div>
+							</label>
+						</div>
+					{/if}
+
+					<!-- Summary -->
+					{#if totalAddCount > 0 || selectedToRemove.length > 0}
+						<div class="border-primary-500/20 bg-primary-500/10 rounded-lg border p-4">
+							<h4 class="mb-2 text-sm font-semibold">Changes Summary</h4>
+							<div class="space-y-1 text-sm">
+								{#if totalAddCount > 0}
+									<p class="text-success-500">
+										+ {totalAddCount} member{totalAddCount !== 1 ? 's' : ''} to add
+									</p>
+								{/if}
+								{#if selectedToRemove.length > 0}
+									<p class="text-error-500">
+										- {selectedToRemove.length} member{selectedToRemove.length !== 1 ? 's' : ''} to remove
+									</p>
+								{/if}
+							</div>
+						</div>
+					{/if}
 				</div>
 
 				<!-- Footer -->
diff --git a/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte b/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
index 0efb13d1..03aa75ad 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
@@ -27,7 +27,7 @@
 				<div class="mt-8 text-lg font-semibold">An error occurred.</div>
 			{/if}
 
-			<div class="mt-8 mb-12 text-xs opacity-75 sm:mt-12 sm:mb-32">
+			<div class="mb-12 mt-8 text-xs opacity-75 sm:mb-32 sm:mt-12">
 				<DisclaimerCopy />
 			</div>
 		</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
index 33a6939f..fc8defff 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
@@ -5,14 +5,15 @@
 	import { SvelteDate } from 'svelte/reactivity';
 	import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
 	import { chatIdToString } from '$lib/utils';
-	
+
 	let messagesContainer: HTMLDivElement | undefined = $state(undefined);
 	let autoScroll = $state(true);
 
 	const selectedChat = $derived(
 		selectedChatId.state
-			? (chats.state.find((chat) => selectedChatId.state && chatIdToString(chat.id) === chatIdToString(selectedChatId.state)) ??
-				null)
+			? (chats.state.find(
+					(chat) => selectedChatId.state && chat.idStr === chatIdToString(selectedChatId.state)
+				) ?? null)
 			: null
 	);
 
@@ -22,7 +23,6 @@
 
 	// Scroll to bottom when new messages arrive (after DOM updates)
 	$effect(() => {
-		const messageCount = selectedChatMessages.length;
 		if (autoScroll && messagesContainer) {
 			requestAnimationFrame(() => {
 				if (!messagesContainer) return;
@@ -53,12 +53,19 @@
 	function getSender(message: Message): User | null {
 		if (!selectedChat) return null;
 
-		return selectedChat.participants.find((p) => p.id.toString() === message.senderId) || null;
+		console.log(
+			`getSender: message.senderId=${message.senderId} selectedChat.participants=${JSON.stringify(
+				selectedChat.participants
+			)}`
+		);
+
+		return (
+			selectedChat.participants.find((p) => p.principal.toString() === message.senderId) || null
+		);
 	}
 
 	function isOwnMessage(message: Message): boolean {
 		if (auth.state.label !== 'initialized') throw new Error('Unexpectedly not authenticated');
-		console.log('isOwnMessage', message.senderId, getMyPrincipal().toString());
 		return message.senderId === getMyPrincipal().toString();
 	}
 
@@ -113,7 +120,7 @@
 
 		if (selectedChat.type === 'direct') {
 			const otherUser = selectedChat.participants.find(
-				(p) => p.id.toString() !== myPrincipal.toString()
+				(p) => p.principal.toString() !== myPrincipal.toString()
 			);
 			return otherUser ? `This is the beginning of your conversation with ${otherUser.name}` : '';
 		}
@@ -139,7 +146,7 @@
 					>
 						{#if selectedChat.type === 'direct'}
 							{selectedChat.participants.find(
-								(p) => p.id.toString() !== getMyPrincipal().toString()
+								(p) => p.principal.toString() !== getMyPrincipal().toString()
 							)?.avatar || '👤'}
 						{:else}
 							{selectedChat.avatar || '👥'}
@@ -148,7 +155,7 @@
 					<h3 class="mb-2 text-lg font-semibold">
 						{#if selectedChat.type === 'direct'}
 							{selectedChat.participants.find(
-								(p) => p.id.toString() !== getMyPrincipal().toString()
+								(p) => p.principal.toString() !== getMyPrincipal().toString()
 							)?.name || 'Me'}
 						{:else}
 							{selectedChat.name}
@@ -171,7 +178,7 @@
 			{:else}
 				<!-- Messages -->
 				<div class="messages-list py-4">
-					{#each selectedChatMessages as message, index (message.id)}
+					{#each selectedChatMessages as message, index (message.chatMessageId)}
 						<!-- Date separator -->
 						{#if shouldShowDateSeparator(message, index)}
 							<div class="date-separator flex items-center justify-center py-4">
@@ -201,7 +208,7 @@
 
 		<!-- Scroll to bottom button -->
 		{#if !autoScroll}
-			<div class="scroll-to-bottom absolute right-4 bottom-20">
+			<div class="scroll-to-bottom absolute bottom-20 right-4">
 				<button
 					class="variant-filled-primary btn rounded-full"
 					onclick={scrollToBottom}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
index 270bcf6b..0e89daa6 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
@@ -3,19 +3,19 @@
 	import { fly } from 'svelte/transition';
 	import { X, AlertTriangle, Info, CheckCircle, XCircle } from 'lucide-svelte';
 	import { notifications, chatActions } from '../stores/chat.svelte';
-	import { storageService } from '../services/messageStorage';
+	import { chatStorageService } from '../services/chatStorage';
 	import type { Notification } from '../types';
 
 	let showDisclaimer = false;
 
 	onMount(async () => {
-		const dismissed = await storageService.isDisclaimerDismissed();
+		const dismissed = await chatStorageService.isDisclaimerDismissed();
 		showDisclaimer = !dismissed;
 	});
 
 	async function dismissDisclaimer() {
 		showDisclaimer = false;
-		await storageService.setDisclaimerDismissed();
+		await chatStorageService.setDisclaimerDismissed();
 	}
 
 	function getNotificationIcon(type: Notification['type']) {
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index 5af2a047..cd1a1873 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -16,7 +16,7 @@
 
 	function getDummyCurrentUser(): User {
 		return {
-			id: getMyPrincipal(),
+			principal: getMyPrincipal(),
 			name: 'You',
 			avatar: '👤',
 			isOnline: true
diff --git a/examples/encrypted_chat/frontend/src/lib/services/api.ts b/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
similarity index 86%
rename from examples/encrypted_chat/frontend/src/lib/services/api.ts
rename to examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
index 49be8335..a7e46396 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/api.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
@@ -15,7 +15,7 @@ import { TransportSecretKey, EncryptedVetKey, DerivedPublicKey, VetKey } from '@
 // Dummy API service that simulates backend calls
 // In real implementation, these would make actual API calls to the backend
 
-export class ChatAPI {
+export class CanisterAPI {
 	async createDirectChat(
 		actor: ActorSubclass<_SERVICE>,
 		receiver: Principal,
@@ -112,10 +112,26 @@ export class ChatAPI {
 		}
 	}
 
+	async getVetKeyEpochMetadata(
+		actor: ActorSubclass<_SERVICE>,
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<VetKeyEpochMetadata> {
+		const metadata = await actor.get_vetkey_epoch_metadata(chatId, vetKeyEpoch);
+		console.log(
+			`getLatestVetKeyEpochMetadata: ${stringifyBigInt(chatId)} with result ${stringifyBigInt(metadata)}`
+		);
+		if ('Ok' in metadata) {
+			return metadata.Ok;
+		} else {
+			throw new Error(metadata.Err);
+		}
+	}
+
 	async getDerivedPublicKey(
 		actor: ActorSubclass<_SERVICE>,
 		chatId: ChatId,
-		vetKeyEpoch: bigint,
+		vetKeyEpoch: bigint
 	): Promise<DerivedPublicKey> {
 		const bytes = await actor.chat_public_key(chatId, vetKeyEpoch);
 		console.log(
@@ -170,6 +186,18 @@ export class ChatAPI {
 		);
 		return result;
 	}
+
+	async firstAccessibleMessageId(
+		actor: ActorSubclass<_SERVICE>,
+		groupChatId: bigint
+	): Promise<bigint | undefined> {
+		const result = await actor.first_accessible_message_id(groupChatId);
+		if (result.length === 0) {
+			return undefined;
+		} else {
+			return result[0];
+		}
+	}
 }
 
-export const chatAPI = new ChatAPI();
+export const canisterAPI = new CanisterAPI();
diff --git a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
new file mode 100644
index 00000000..bbe37868
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
@@ -0,0 +1,142 @@
+import { get, set, del, clear, keys } from 'idb-keyval';
+import type { Message, Chat, UserConfig } from '../types';
+import { storagePrefixes } from '../types';
+
+// IndexedDB storage service for persistent chat data
+export class ChatStorageService {
+	async saveMessage(message: Message): Promise<void> {
+		console.log(
+			`ChatStorageService: Saving from chat ${message.chatId} message ${message.chatMessageId} to indexedDB`
+		);
+		await set([storagePrefixes.MESSAGE_PREFIX, message.chatId, message.chatMessageId], message);
+	}
+
+	async getMessages(chatId: string): Promise<Message[]> {
+		const allKeys = await keys();
+		const chatMessageKeys = allKeys.filter(
+			(key) => Array.isArray(key) && key[0] === storagePrefixes.MESSAGE_PREFIX
+		);
+		if (chatMessageKeys.length === 0) {
+			console.log(`ChatStorageService: No messages found in indexedDB for chat ${chatId}`);
+		} else {
+			console.log(
+				`ChatStorageService: Loaded ${chatMessageKeys.length} messages in indexedDB for chat ${chatId}`
+			);
+		}
+
+		const messages: Message[] = [];
+		for (const key of chatMessageKeys) {
+			const message = (await get(key)) as Message;
+			if (message) {
+				// Ensure timestamp is a Date object
+				if (typeof message.timestamp === 'string') {
+					message.timestamp = new Date(message.timestamp);
+				}
+				messages.push(message);
+			}
+		}
+
+		// Sort by timestamp
+		return messages.sort((a, b) => a.timestamp.getTime() - b.timestamp.getTime());
+	}
+
+	async deleteMessage(chatId: string, messageId: string): Promise<void> {
+		await del([storagePrefixes.MESSAGE_PREFIX, chatId, messageId]);
+	}
+
+	// Chat metadata storage
+	async saveChat(chat: Chat): Promise<void> {
+		console.log(`ChatStorageService: Saving chat ${chat.idStr} to indexedDB`);
+		const value = JSON.stringify(chat);
+		if (!value) {
+			throw new Error('ChatStorageService: Failed to stringify chat');
+		}
+		await set([storagePrefixes.CHAT_PREFIX, chat.idStr], value);
+	}
+
+	async getAllChats(): Promise<Chat[]> {
+		const allKeys = await keys();
+		const chatKeys = allKeys.filter((key) => {
+			console.log(
+				'getAllChats: key',
+				key,
+				Array.isArray(key) && key[0] === storagePrefixes.CHAT_PREFIX
+			);
+			return Array.isArray(key) && key[0] === storagePrefixes.CHAT_PREFIX;
+		});
+
+		console.log(`ChatStorageService: Getting ${chatKeys.length} chats from indexedDB`);
+
+		const chats: Chat[] = [];
+		for (const key of chatKeys) {
+			const chatStr = (await get(key)) as string;
+			if (chatStr) {
+				console.log('getAllChats: getting key', key, ' with value ', chatStr);
+				chats.push(JSON.parse(chatStr) as Chat);
+			}
+		}
+		return chats;
+	}
+
+	// User configuration
+	async saveUserConfig(config: UserConfig): Promise<void> {
+		console.log(`ChatStorageService: Saving user config to indexedDB`);
+		await set([storagePrefixes.CONFIG_KEY], config);
+	}
+
+	async getUserConfig(): Promise<UserConfig | null> {
+		console.log(`ChatStorageService: Getting user config from indexedDB`);
+		return (await get([storagePrefixes.CONFIG_KEY])) || null;
+	}
+
+	getMyUserConfig(): UserConfig {
+		console.log(`ChatStorageService: Getting my user config from indexedDB`);
+		return {
+			cacheRetentionDays: 7,
+			userId: 'Me',
+			userName: 'You',
+			userAvatar: '👤'
+		};
+	}
+
+	// Disclaimer
+	async setDisclaimerDismissed(): Promise<void> {
+		console.log(`ChatStorageService: Setting disclaimer dismissed to true in indexedDB`);
+		await set([storagePrefixes.DISCLAIMER_KEY], true);
+	}
+
+	async isDisclaimerDismissed(): Promise<boolean> {
+		console.log(`ChatStorageService: Getting disclaimer dismissed from indexedDB`);
+		return (await get([storagePrefixes.DISCLAIMER_KEY])) || false;
+	}
+
+	// Cache cleanup based on user config
+	async cleanupUserCache(retentionDays: number): Promise<void> {
+		console.log(`ChatStorageService: Cleaning up user cache for ${retentionDays} days`);
+		const cutoffDate = new Date(Date.now() - retentionDays * 24 * 60 * 60 * 1000);
+		const allKeys = await keys();
+
+		// Clean up old message keys
+		for (const key of allKeys) {
+			if (typeof key === 'string' && key.startsWith(storagePrefixes.MESSAGE_PREFIX)) {
+				const message = (await get(key)) as Message;
+				if (message && new Date(message.timestamp) < cutoffDate) {
+					await del(key);
+				}
+			}
+		}
+	}
+
+	async discardCacheCompletely(): Promise<void> {
+		console.log(`ChatStorageService: Discarding cache completely`);
+		await clear();
+	}
+
+	// Clear all data (for testing/reset)
+	async clearAllData(): Promise<void> {
+		console.log(`ChatStorageService: Clearing all data from indexedDB`);
+		await clear();
+	}
+}
+
+export const chatStorageService = new ChatStorageService();
diff --git a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
index e69de29b..d37d38cb 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
@@ -0,0 +1,47 @@
+import { chatIdToString } from '$lib/utils';
+import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { storagePrefixes } from '../types';
+import { get, set } from 'idb-keyval';
+
+// IndexedDB storage service for persistent key data
+export class KeyStorageService {
+	async getSymmetricKeyState(
+		chat: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint } | undefined> {
+		console.log(
+			`KeyStorageService: Getting key state for chat ${chatIdToString(chat)} vetkeyEpoch ${vetKeyEpoch.toString()}`
+		);
+		return await get([
+			storagePrefixes.CHAT_EPOCH_KEY_PREFIX,
+			chatIdToString(chat),
+			vetKeyEpoch.toString()
+		]);
+	}
+
+	async saveSymmetricKeyState(
+		chat: ChatId,
+		vetKeyEpoch: bigint,
+		keyState: { key: CryptoKey; symmetricKeyEpoch: bigint }
+	) {
+		console.log(
+			`KeyStorageService: Saving key state for chat ${chatIdToString(chat)} vetkeyEpoch ${vetKeyEpoch.toString()}`
+		);
+		await set(
+			[storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdToString(chat), vetKeyEpoch.toString()],
+			keyState
+		);
+	}
+
+	async saveIbeDecryptionKey(keyBytes: Uint8Array) {
+		console.log(`KeyStorageService: Saving IBE decryption key`);
+		await set([storagePrefixes.CHAT_IBE_DECRYPTION_KEY_PREFIX], keyBytes);
+	}
+
+	async getIbeDecryptionKey(): Promise<Uint8Array | undefined> {
+		console.log(`KeyStorageService: Getting IBE decryption key`);
+		return await get([storagePrefixes.CHAT_IBE_DECRYPTION_KEY_PREFIX]);
+	}
+}
+
+export const keyStorageService = new KeyStorageService();
diff --git a/examples/encrypted_chat/frontend/src/lib/services/messageStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/messageStorage.ts
deleted file mode 100644
index e59a02cf..00000000
--- a/examples/encrypted_chat/frontend/src/lib/services/messageStorage.ts
+++ /dev/null
@@ -1,122 +0,0 @@
-import { get, set, del, clear, keys } from 'idb-keyval';
-import type { Message, Chat, UserConfig } from '../types';
-import { chatIdToString } from '$lib/utils';
-
-// IndexedDB storage service for persistent chat data
-export class StorageService {
-	private readonly MESSAGE_PREFIX = 'messages';
-	private readonly VETKEY_EPOCH_KEY_PREFIX = 'vetkey_epoch_key';
-	private readonly CONFIG_KEY = 'user_config';
-	private readonly DISCLAIMER_KEY = 'disclaimer_dismissed';
-	private readonly CHAT_PREFIX = 'chat_';
-
-	// Message storage
-	async saveMessage(message: Message): Promise<void> {
-		await set([this.MESSAGE_PREFIX, message.chatId, message.id], message);
-	}
-
-	async getMessages(chatId: string): Promise<Message[]> {
-		const allKeys = await keys();
-		const chatMessageKeys = allKeys.filter(
-			(key) => typeof key === 'string' && key.startsWith(`${this.MESSAGE_PREFIX}${chatId}_`)
-		);
-
-		const messages: Message[] = [];
-		for (const key of chatMessageKeys) {
-			const message = (await get(key)) as Message;
-			if (message) {
-				// Ensure timestamp is a Date object
-				if (typeof message.timestamp === 'string') {
-					message.timestamp = new Date(message.timestamp);
-				}
-				messages.push(message);
-			}
-		}
-
-		// Sort by timestamp
-		return messages.sort((a, b) => a.timestamp.getTime() - b.timestamp.getTime());
-	}
-
-	async deleteMessage(chatId: string, messageId: string): Promise<void> {
-		const key = `${this.MESSAGE_PREFIX}${chatId}_${messageId}`;
-		await del(key);
-	}
-
-	// Chat metadata storage
-	async saveChat(chat: Chat): Promise<void> {
-		const key = `${this.CHAT_PREFIX}${chatIdToString(chat.id)}`;
-		await set(key, chat);
-	}
-
-	async getChat(chatId: string): Promise<Chat | null> {
-		const key = `${this.CHAT_PREFIX}${chatId}`;
-		return (await get(key)) || null;
-	}
-
-	async getAllChats(): Promise<Chat[]> {
-		const allKeys = await keys();
-		const chatKeys = allKeys.filter(
-			(key) => typeof key === 'string' && key.startsWith(this.CHAT_PREFIX)
-		);
-
-		const chats: Chat[] = [];
-		for (const key of chatKeys) {
-			const chat = (await get(key)) as Chat;
-			if (chat) {
-				chats.push(chat);
-			}
-		}
-
-		return chats.sort((a, b) => b.lastActivity.getTime() - a.lastActivity.getTime());
-	}
-
-	// User configuration
-	async saveUserConfig(config: UserConfig): Promise<void> {
-		await set(this.CONFIG_KEY, config);
-	}
-
-	async getUserConfig(): Promise<UserConfig | null> {
-		return (await get(this.CONFIG_KEY)) || null;
-	}
-
-	getMyUserConfig(): UserConfig {
-		return {
-			cacheRetentionDays: 7,
-			userId: 'Me',
-			userName: 'You',
-			userAvatar: '👤'
-		};
-	}
-
-	// Disclaimer
-	async setDisclaimerDismissed(): Promise<void> {
-		await set(this.DISCLAIMER_KEY, true);
-	}
-
-	async isDisclaimerDismissed(): Promise<boolean> {
-		return (await get(this.DISCLAIMER_KEY)) || false;
-	}
-
-	// Cache cleanup based on user config
-	async cleanupUserCache(retentionDays: number): Promise<void> {
-		const cutoffDate = new Date(Date.now() - retentionDays * 24 * 60 * 60 * 1000);
-		const allKeys = await keys();
-
-		// Clean up old message keys
-		for (const key of allKeys) {
-			if (typeof key === 'string' && key.startsWith(this.MESSAGE_PREFIX)) {
-				const message = (await get(key)) as Message;
-				if (message && new Date(message.timestamp) < cutoffDate) {
-					await del(key);
-				}
-			}
-		}
-	}
-
-	// Clear all data (for testing/reset)
-	async clearAllData(): Promise<void> {
-		await clear();
-	}
-}
-
-export const storageService = new StorageService();
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
index eafbd5e3..ac3e972d 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
@@ -1,3 +1,4 @@
+import { chatStorageService } from '$lib/services/chatStorage';
 import { AuthClient } from '@dfinity/auth-client';
 import type { Principal } from '@dfinity/principal';
 
@@ -97,6 +98,7 @@ export async function logout() {
 			label: 'anonymous',
 			client: auth.state.client
 		};
+		await chatStorageService.discardCacheCompletely();
 	}
 }
 
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 88e3171d..8399b1c7 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -6,8 +6,8 @@ import {
 	type SymmetricRatchetStats,
 	EncryptedCacheManager as EncryptedCacheManager
 } from '../types';
-import { chatAPI } from '../services/api';
-import { storageService } from '../services/messageStorage';
+import { canisterAPI } from '../services/canisteApi';
+import { chatStorageService } from '../services/chatStorage';
 import { SvelteDate } from 'svelte/reactivity';
 import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
 import { createActor } from '../../declarations/encrypted_chat';
@@ -24,9 +24,12 @@ import type {
 import { Principal } from '@dfinity/principal';
 import { SvelteMap } from 'svelte/reactivity';
 import {
+	chatIdFromString,
+	chatIdsNumMessagesToSummary,
 	chatIdToString,
 	chatIdVetKeyEpochFromString,
 	chatIdVetKeyEpochToString,
+	randomSenderMessageId,
 	stringifyBigInt
 } from '$lib/utils';
 import {
@@ -35,9 +38,11 @@ import {
 	fetchResharedIbeEncryptedVetKeys,
 	chatIdStringToEpochKeyState,
 	deriveRootKeyAndDispatchCaching,
-	ensureRootKey,
-	reshareIbeEncryptedVetKeys
+	ensureSymmetricKeyState,
+	reshareIbeEncryptedVetKeys,
+	importKeyFromBytes as importKeyStateFromBytes
 } from './crypto.svelte';
+import { keyStorageService } from '$lib/services/keyStorage';
 
 export const chats = $state<{ state: Chat[] }>({ state: [] });
 export const selectedChatId = $state<{ state: ChatId | null }>({ state: null });
@@ -69,17 +74,31 @@ export function getNumberOfMessagesIs(chatId: ChatId): bigint | undefined {
 }
 
 export function getChatIds(): ChatId[] {
-	return chats.state.map((c) => c.id);
+	return chats.state.map((c) => chatIdFromString(c.idStr));
 }
 
 export function initVetKeyReactions() {
 	$effect.root(() => {
+		$effect(() => {
+			console.log('Running chat saver $effect...');
+			if (auth.state.label !== 'initialized') return;
+
+			for (const chat of chats.state) {
+				chatStorageService.saveChat(chat).catch((error) => {
+					console.error('Failed to save chat:', error);
+				});
+			}
+		});
+
 		$effect(() => {
 			console.log('Running vetKey loader $effect...');
 			if (auth.state.label !== 'initialized') return;
 
 			for (const chat of chats.state) {
-				const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chat.id, BigInt(chat.vetKeyEpoch));
+				const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(
+					chatIdFromString(chat.idStr),
+					BigInt(chat.vetKeyEpoch)
+				);
 				const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
 				if (meta?.status === 'ready' || meta?.status === 'loading') {
 					console.log(
@@ -92,7 +111,7 @@ export function initVetKeyReactions() {
 				const actor = getActor();
 				if (!actor) throw new Error('Not authenticated');
 
-				if (meta?.status === 'missing') {
+				if (meta?.status !== 'error') {
 					console.log(
 						'chatIdVetKeyEpochStringToVetKeyEpochMetadata missing ',
 						chatIdVetKeyEpochStr,
@@ -100,20 +119,22 @@ export function initVetKeyReactions() {
 					);
 					chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
 						status: 'loading',
-						promise: chatAPI.getLatestVetKeyEpochMetadata(actor, chat.id)
+						promise: canisterAPI.getLatestVetKeyEpochMetadata(actor, chatIdFromString(chat.idStr))
 					});
 				}
 
 				console.log(
 					'chatIdVetKeyEpochStringToVetKeyEpochMetadata loading ',
-					chatIdVetKeyEpochToString(chat.id, BigInt(chat.vetKeyEpoch))
+					chatIdVetKeyEpochToString(chatIdFromString(chat.idStr), BigInt(chat.vetKeyEpoch))
+				);
+				ensureVetKeyEpochMetadata(chatIdFromString(chat.idStr), BigInt(chat.vetKeyEpoch)).catch(
+					(error) => {
+						console.error(
+							`Failed to get vetkey epoch metadata for chat ${chat.idStr} and vetkey epoch ${chat.vetKeyEpoch}: `,
+							error
+						);
+					}
 				);
-				ensureVetKeyEpochMetadata(actor, chat.id, BigInt(chat.vetKeyEpoch)).catch((error) => {
-					console.error(
-						`Failed to get vetkey epoch metadata for chat ${chatIdToString(chat.id)} and vetkey epoch ${chat.vetKeyEpoch}: `,
-						error
-					);
-				});
 			}
 		});
 
@@ -147,7 +168,6 @@ export function initVetKeyReactions() {
 			const actor = getActor();
 			if (!actor) throw new Error('Not authenticated');
 
-			// eslint-disable-next-line @typescript-eslint/no-unused-vars
 			for (const [chatIdStrVetKeyEpoch, state] of chatIdStringToEpochKeyState.entries()) {
 				if (state.status !== 'missing') {
 					console.log(
@@ -165,82 +185,23 @@ export function initVetKeyReactions() {
 				);
 				const { chatId, vetKeyEpoch } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
 
-				const vetKeyEncryptedCacheManager = new EncryptedCacheManager(getMyPrincipal(), actor);
-				const rootKeyPromise = vetKeyEncryptedCacheManager
-					.fetchAndDecryptFor(chatId, vetKeyEpoch)
-					.catch((error) => {
-						console.info(
-							`User doesn't have key cache for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
-							error
-						);
-
-						return fetchResharedIbeEncryptedVetKeys(actor, chatId, vetKeyEpoch, getMyPrincipal())
-							.then((resharedVetKey) => {
-								console.log('successfully fetched reshared IBE encrypted vetkey: ', resharedVetKey);
-								return deriveRootKeyAndDispatchCaching(actor, chatId, vetKeyEpoch, resharedVetKey);
-							})
-							.catch((error) => {
-								console.info('Failed to fetch reshared IBE encrypted vetkey: ', error);
-								return Promise.resolve(chatAPI.getVetKey(actor, chatId, vetKeyEpoch)).then(
-									(vetKey) => {
-										const meta =
-											chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdStrVetKeyEpoch);
-										if (meta?.status !== 'ready') {
-											throw new Error(
-												`No vetKey epoch metadata for chat ${chatIdToString(chatId)} and vetkey epoch ${vetKeyEpoch.toString()}: metadata status ${meta?.status}`
-											);
-										}
-										const otherParticipants = meta.metadata.participants.filter(
-											(p) => p.toString() !== getMyPrincipal().toString()
-										);
-
-										reshareIbeEncryptedVetKeys(
-											actor,
-											chatId,
-											vetKeyEpoch,
-											otherParticipants,
-											vetKey.signatureBytes()
-										).catch((error) => {
-											console.error(
-												`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${meta.metadata.epoch_id.toString()}: `,
-												error
-											);
-										});
-
-										return deriveRootKeyAndDispatchCaching(
-											actor,
-											chatId,
-											vetKeyEpoch,
-											vetKey.signatureBytes()
-										);
-									}
-								);
-							});
-					});
-				const cryptoKeyPromise = Promise.resolve(rootKeyPromise).then(
-					async ({ keyBytes, symmetricKeyEpoch }) => {
-						const exportable = false;
-						const key = await globalThis.crypto.subtle.importKey(
-							'raw',
-							new Uint8Array(keyBytes),
-							'HKDF',
-							exportable,
-							['deriveKey', 'deriveBits']
-						);
-						return { key, symmetricKeyEpoch };
-					}
+				const cryptoKeyStatePromise = getCryptoKeyStateAndIfNeededReshareAndCache(
+					chatId,
+					vetKeyEpoch
 				);
 
+				console.log('chatIdStringToEpochKeyState loading ', chatIdStrVetKeyEpoch, vetKeyEpoch);
 				chatIdStringToEpochKeyState.set(chatIdStrVetKeyEpoch, {
 					status: 'loading',
-					promise: cryptoKeyPromise
-				});
-				console.log('chatIdStringToEpochKeyState loading ', chatIdStrVetKeyEpoch, vetKeyEpoch);
-				ensureRootKey(chatId, vetKeyEpoch).catch((error) => {
-					console.error(
-						`Failed to get root key for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
-						error
-					);
+					promise: cryptoKeyStatePromise.then((keyState) => {
+						ensureSymmetricKeyState(chatId, vetKeyEpoch).catch((error) => {
+							console.error(
+								`Failed to get epoch key for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
+								error
+							);
+						});
+						return keyState;
+					})
 				});
 			}
 		});
@@ -253,13 +214,31 @@ export const chatActions = {
 
 		try {
 			// Load user config
-			let config = await storageService.getUserConfig();
+			let config = await chatStorageService.getUserConfig();
 			if (!config) {
-				config = storageService.getMyUserConfig();
-				await storageService.saveUserConfig(config);
+				config = chatStorageService.getMyUserConfig();
+				await chatStorageService.saveUserConfig(config);
 			}
 			userConfig.state = config;
 
+			// Load chats
+			const allChats = await chatStorageService.getAllChats();
+			chats.state = [...allChats];
+
+			// Load messages
+			for (const chat of allChats) {
+				const chatMessages = await chatStorageService.getMessages(chat.idStr);
+				console.log(
+					'initialize: adding ',
+					chatMessages.length,
+					' messages from indexedDB for chat ',
+					chat.idStr
+				);
+				chatIdStringToNumberOfMessagesIs.set(chat.idStr, BigInt(chatMessages.length));
+				chatIdStringToNumberOfMessagesShould.set(chat.idStr, BigInt(chatMessages.length));
+				messages.state[chat.idStr] = [...chatMessages];
+			}
+
 			await this.refreshChats();
 
 			// Set up periodic cleanup
@@ -297,31 +276,22 @@ export const chatActions = {
 					chatIdStringToNumberOfMessagesShould.set(chatIdToString(chatId), numMessages);
 				}
 			}
-			const summary: string = chatIds.reduce((acc, [chatId, numMessages]) => {
-				if ('Direct' in chatId) {
-					return (
-						acc +
-						(acc.length > 0 ? ' | ' : '') +
-						chatId.Direct[0].toText() +
-						' ' +
-						chatId.Direct[1].toText() +
-						' #' +
-						numMessages.toString()
-					);
-				} else {
-					return (
-						acc +
-						(acc.length > 0 ? ' | ' : '') +
-						chatId.Group.toString() +
-						' #' +
-						numMessages.toString()
-					);
-				}
-			}, '');
+			const summary = chatIdsNumMessagesToSummary(chatIds);
 			console.log('fetched ' + chatIds.length + ' chats: ' + summary);
+			// eslint-disable-next-line svelte/prefer-svelte-reactivity
+			const firstAccessibleMessageIds = new Map<ChatId, bigint>();
 			for (const [chatId] of chatIds) {
 				if (newChatIds.has(chatId)) {
-					const metadata = await chatAPI.getLatestVetKeyEpochMetadata(actor, chatId);
+					if ('Group' in chatId) {
+						const firstAccessibleMessageId = await canisterAPI.firstAccessibleMessageId(
+							actor,
+							chatId.Group
+						);
+						if (firstAccessibleMessageId) {
+							firstAccessibleMessageIds.set(chatId, firstAccessibleMessageId);
+						}
+					}
+					const metadata = await canisterAPI.getLatestVetKeyEpochMetadata(actor, chatId);
 					const vetKeyEpochStr = chatIdVetKeyEpochToString(chatId, metadata.epoch_id);
 					if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(vetKeyEpochStr)) {
 						chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(
@@ -342,16 +312,18 @@ export const chatActions = {
 				const { chatId, vetKeyEpoch } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
 				const chatIdStr = chatIdToString(chatId);
 
-				const participants = meta.status === 'ready' ? meta.metadata.participants : [];
+				if (chats.state.find((c) => c.idStr === chatIdStr)) {
+					console.log('refreshChats: chat already exists -- skipping:', chatIdStr);
+					continue;
+				}
+
+				const participants = meta.status === 'ready' ? meta.metadata.participants : undefined;
 				if (!participants) {
 					console.error('Failed to get participants for chat:', chatId);
 					continue;
 				}
+				const myPrincipalText = getMyPrincipal().toText();
 				const isGroup = 'Group' in chatId;
-				if (auth.state.label !== 'initialized') {
-					throw new Error('Unexpectedly not authenticated');
-				}
-				const myPrincipalText = auth.state.client.getIdentity().getPrincipal().toText();
 				const name = isGroup
 					? `Group: ${shortenId(String(chatId.Group.toString()))}`
 					: participants[0].toString() === participants[1].toString()
@@ -360,11 +332,11 @@ export const chatActions = {
 				const now = new SvelteDate();
 
 				const chat: Chat = {
-					id: chatId,
+					idStr: chatIdStr,
 					name,
 					type: isGroup ? 'group' : 'direct',
 					participants: participants.map((p) => ({
-						id: p,
+						principal: p,
 						name: myPrincipalText === p.toText() ? 'Me' : p.toText(),
 						avatar: '👤',
 						isOnline: true
@@ -377,23 +349,23 @@ export const chatActions = {
 					keyRotationStatus: buildDummyRotationStatus(),
 					vetKeyEpoch: Number(vetKeyEpoch),
 					symmetricRatchetEpoch: 0,
-					ratchetEpoch: 0,
 					unreadCount: 0,
-					avatar: isGroup ? '👥' : '👤'
+					avatar: isGroup ? '👥' : '👤',
+					firstAccessibleMessageId: Number(firstAccessibleMessageIds.get(chatId) ?? 0n)
 				};
 
-				if (!chats.state.find((c) => chatIdToString(c.id) === chatIdStr)) {
+				if (!chats.state.find((c) => c.idStr === chatIdStr)) {
 					chats.state.push(chat);
 				} else if (
 					chats.state.find(
 						(c) =>
-							chatIdToString(c.id) === chatIdStr &&
+							c.idStr === chatIdStr &&
 							c.vetKeyEpoch !== Number(meta.status === 'ready' ? meta.metadata.epoch_id : 0n)
 					)
 				) {
 					const pos = chats.state.findIndex(
 						(c) =>
-							chatIdToString(c.id) === chatIdStr &&
+							c.idStr === chatIdStr &&
 							c.vetKeyEpoch !== Number(meta.status === 'ready' ? meta.metadata.epoch_id : 0n)
 					);
 					chats.state[pos] = chat;
@@ -412,7 +384,7 @@ export const chatActions = {
 
 		// Mark as read
 		chats.state = chats.state.map((chat) =>
-			chat.id === chatId ? { ...chat, unreadCount: 0 } : chat
+			chat.idStr === chatIdToString(chatId) ? { ...chat, unreadCount: 0 } : chat
 		);
 	},
 
@@ -420,13 +392,14 @@ export const chatActions = {
 		console.log('loadChatMessages:', chatIdToString(chatId));
 		try {
 			const chatIdStr = chatIdToString(chatId);
-			const chat = chats.state.find((c) => chatIdToString(c.id) === chatIdStr);
+			const chat = chats.state.find((c) => c.idStr === chatIdStr);
 			if (!chat) {
 				console.error('loadChatMessages: chat not found:', chatIdStr);
 				return;
 			}
 			const vetKeyEpoch = BigInt(chat.vetKeyEpoch);
-			const lastMessageId = numMessagesIs ? numMessagesIs : 0n;
+			const lastMessageId =
+				BigInt(chat.firstAccessibleMessageId) + (numMessagesIs ? numMessagesIs : 0n);
 			const actor = getActor();
 			if (!actor) return;
 			const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, vetKeyEpoch);
@@ -438,9 +411,9 @@ export const chatActions = {
 				);
 				return;
 			}
-			const enc = await chatAPI.fetchEncryptedMessages(actor, chatId, lastMessageId, undefined);
+			const enc = await canisterAPI.fetchEncryptedMessages(actor, chatId, lastMessageId, undefined);
 			const mapped: Message[] = [];
-			for (let i = enc.length - 1; i >= 0; i--) {
+			for (let i = 0; i < enc.length; i++) {
 				try {
 					console.log(
 						`decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${enc[i].metadata.vetkey_epoch.toString()} symmetricKeyEpoch: ${enc[i].metadata.symmetric_key_epoch.toString()} sender: ${enc[i].metadata.sender.toText()} userMessageId: ${enc[i].metadata.sender_message_id.toString()} messageId: ${enc[i].metadata.chat_message_id.toString()}`
@@ -477,35 +450,82 @@ export const chatActions = {
 					}
 				}
 			}
-			mapped.reverse();
 			if (mapped.length !== 0) {
 				console.log('loadChatMessages: mapped:', stringifyBigInt(mapped));
 			} else {
 				console.log('loadChatMessages: no messages loaded for chat:', chatIdStr);
 			}
+			{
+				// eslint-disable-next-line svelte/prefer-svelte-reactivity
+				const ids = new Set<string>();
+				for (const m of messages.state[chatIdStr]) {
+					if (ids.has(m.chatMessageId.toString())) {
+						console.error(
+							'loadChatMessages: before adding messages, duplicate id for chat ',
+							chatIdStr,
+							' in messages:',
+							m.chatMessageId.toString(),
+							m.content
+						);
+					}
+					ids.add(m.chatMessageId.toString());
+				}
+			}
+
+			// Filter out messages that already exist in the state to prevent duplicates
+			const existingMessageIds = messages.state[chatIdStr].map((m) => m.chatMessageId);
+			const newMessages = mapped.filter((m) => !existingMessageIds.includes(m.chatMessageId));
+
 			// Reassign to trigger reactivity for consumers relying on identity changes
 			messages.state = {
 				...messages.state,
-				[chatIdStr]: [...((messages.state[chatIdStr] as Message[] | undefined) ?? []), ...mapped]
+				[chatIdStr]: [...messages.state[chatIdStr], ...newMessages]
 			};
-			if (mapped.length !== 0) {
-				const pos = chats.state.findIndex((c) => chatIdToString(c.id) === chatIdStr);
+			// check there are no duplicate ids in the messages
+
+			{
+				// eslint-disable-next-line svelte/prefer-svelte-reactivity
+				const ids = new Set<string>();
+				for (const m of messages.state[chatIdStr]) {
+					if (ids.has(m.chatMessageId.toString())) {
+						console.error(
+							'loadChatMessages: after adding messages, duplicate id for chat ',
+							chatIdStr,
+							' in messages:',
+							m.chatMessageId.toString(),
+							m.content
+						);
+					}
+					ids.add(m.chatMessageId.toString());
+				}
+			}
+
+			if (newMessages.length !== 0) {
+				const pos = chats.state.findIndex((c) => c.idStr === chatIdStr);
 				const lastMessageBefore = chats.state[pos].lastMessage;
-				chats.state[pos].lastMessage = mapped[mapped.length - 1];
+				chats.state[pos].lastMessage = newMessages[newMessages.length - 1];
 				chatIdStringToNumberOfMessagesIs.set(
-					chatIdToString(chat.id),
-					BigInt(mapped[mapped.length - 1].id) + 1n
+					chat.idStr,
+					BigInt(newMessages[newMessages.length - 1].chatMessageId) + 1n
 				);
 				const lastMessageAfter = chats.state[pos].lastMessage;
-				if (lastMessageBefore && lastMessageAfter && lastMessageBefore.id === lastMessageAfter.id) {
+				if (
+					lastMessageBefore &&
+					lastMessageAfter &&
+					lastMessageBefore.chatMessageId === lastMessageAfter.chatMessageId
+				) {
 					console.log('loadChatMessages: last message is the same:', chatIdStr);
 				} else {
 					console.log(
-						`loadChatMessages: loaded ${mapped.length} messages for chat ${chatIdStr}. Old last message id: ${lastMessageBefore?.id.toString()}, new last message id: ${lastMessageAfter?.id.toString()}`
+						`loadChatMessages: loaded ${newMessages.length} new messages for chat ${chatIdStr} (${mapped.length} total, ${mapped.length - newMessages.length} duplicates filtered). Old last message id: ${lastMessageBefore?.chatMessageId.toString()}, new last message id: ${lastMessageAfter?.chatMessageId.toString()}`
 					);
 				}
+			} else if (mapped.length !== 0) {
+				console.log(
+					`loadChatMessages: all ${mapped.length} messages for chat ${chatIdStr} were already present in state`
+				);
 			}
-			for (const m of mapped) await storageService.saveMessage(m);
+			for (const m of newMessages) await chatStorageService.saveMessage(m);
 		} catch (error) {
 			console.error('Failed to load messages:', error);
 			chatActions.addNotification({
@@ -517,7 +537,7 @@ export const chatActions = {
 		}
 	},
 
-	async sendMessage(
+	async encryptAndSendMessage(
 		chatId: ChatId,
 		content: string,
 		fileData?: { name: string; size: number; type: string; data: ArrayBuffer }
@@ -526,22 +546,21 @@ export const chatActions = {
 		if (!actor) throw new Error('Not authenticated');
 
 		let repetitions = 0;
-		const MAX_RETRIES = 10;
+		const MAX_RETRIES = 100;
+
+		const senderMessageId = randomSenderMessageId();
 
 		// reencrypt and resend the message if vetkey or symmetric key epoch has changed
 		while (repetitions < MAX_RETRIES) {
-			if (auth.state.label !== 'initialized') {
-				throw new Error('Unexpectedly not authenticated');
-			}
-			const myPrincipal = auth.state.client.getIdentity().getPrincipal();
+			const myPrincipal = getMyPrincipal();
 
 			try {
 				// get the latest vetkey epoch metadata from chats
-				const vetKeyEpoch =
-					chats.state.find((c) => chatIdToString(c.id) === chatIdToString(chatId))?.vetKeyEpoch ??
-					0n;
+				const currentVetKeyEpoch =
+					chats.state.find((c) => c.idStr === chatIdToString(chatId))?.vetKeyEpoch ?? 0n;
+				console.log('encryptAndSendMessage: currentVetKeyEpoch:', currentVetKeyEpoch);
 
-				const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(vetKeyEpoch));
+				const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(currentVetKeyEpoch));
 
 				const vetKeyEpochMeta =
 					chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
@@ -554,11 +573,6 @@ export const chatActions = {
 				const symmetricKeyEpoch =
 					elapsedSinceVetKeyEpoch / vetKeyEpochMeta.metadata.symmetric_key_rotation_duration;
 
-				const buf = new Uint8Array(8);
-				globalThis.crypto.getRandomValues(buf);
-				let messageId = 0n;
-				for (const b of buf) messageId = (messageId << 8n) | BigInt(b);
-
 				const messageContent = JSON.stringify({ content, fileData });
 				const encryptedMessageContent = await encryptMessageContent(
 					chatId,
@@ -566,14 +580,14 @@ export const chatActions = {
 					symmetricKeyEpoch,
 					myPrincipal,
 					new TextEncoder().encode(messageContent),
-					messageId
+					senderMessageId
 				);
 
 				const message: UserMessage = {
 					vetkey_epoch: vetKeyEpochId,
 					content: encryptedMessageContent,
 					symmetric_key_epoch: symmetricKeyEpoch,
-					message_id: messageId
+					message_id: senderMessageId
 				};
 
 				if ('Direct' in chatId) {
@@ -581,26 +595,32 @@ export const chatActions = {
 						chatId.Direct[0].toString() === myPrincipal.toString()
 							? chatId.Direct[1]
 							: chatId.Direct[0];
-					await chatAPI.sendDirectMessage(actor, receiver, message);
+					await canisterAPI.sendDirectMessage(actor, receiver, message);
 				} else {
-					await chatAPI.sendGroupMessage(actor, chatId.Group, message);
+					await canisterAPI.sendGroupMessage(actor, chatId.Group, message);
 				}
 				break;
 			} catch (error) {
-				if (error instanceof Error && error.message.startsWith('Wrong symmetric key epoch')) {
+				if (
+					error instanceof Error &&
+					error.message.toLowerCase().startsWith('Wrong symmetric key epoch')
+				) {
 					console.info(
 						`Retrying failed to send message - wrong symmetric key epoch in message: ${error.message}`
 					);
-					await new Promise((resolve) => setTimeout(resolve, 1000));
+					await new Promise((resolve) => setTimeout(resolve, 100));
 					repetitions++;
 					continue;
-				} else if (error instanceof Error && error.message.startsWith('Wrong vetKey epoch')) {
+				} else if (
+					error instanceof Error &&
+					error.message.toLowerCase().startsWith('wrong vetKey epoch')
+				) {
 					console.info(
 						`Retrying failed to send message - wrong vetKey key epoch in message: ${error.message}`
 					);
 
-					const result = await chatAPI.getLatestVetKeyEpochMetadata(actor, chatId);
-					const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(result.epoch_id));
+					const metadata = await canisterAPI.getLatestVetKeyEpochMetadata(actor, chatId);
+					const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(metadata.epoch_id));
 					if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(chatIdVetKeyEpochStr)) {
 						console.log(
 							'chatIdVetKeyEpochStringToVetKeyEpochMetadata missing ',
@@ -608,10 +628,21 @@ export const chatActions = {
 							' -- adding a promise to fetch it'
 						);
 						chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
-							status: 'missing'
+							status: 'ready',
+							metadata
 						});
 					}
-					await new Promise((resolve) => setTimeout(resolve, 1000));
+					const pos = chats.state.findIndex((c) => c.idStr === chatIdToString(chatId));
+					chats.state[pos].vetKeyEpoch = Number(metadata.epoch_id);
+					await new Promise((resolve) => setTimeout(resolve, 100));
+					repetitions++;
+					continue;
+				} else if (
+					error instanceof Error &&
+					error.message === 'Epoch key is not ready for symmetric ratchet'
+				) {
+					console.log('Waiting for epoch key to be ready for symmetric ratchet: ', error.message);
+					await new Promise((resolve) => setTimeout(resolve, 100));
 					repetitions++;
 					continue;
 				} else if (repetitions >= MAX_RETRIES) {
@@ -625,7 +656,7 @@ export const chatActions = {
 					break;
 				} else {
 					console.error('Retrying failed to send message: ', error);
-					await new Promise((resolve) => setTimeout(resolve, 1000));
+					await new Promise((resolve) => setTimeout(resolve, 100));
 					repetitions++;
 					continue;
 				}
@@ -637,14 +668,14 @@ export const chatActions = {
 		try {
 			// Mark chat as updating
 			chats.state = chats.state.map((chat) =>
-				chatIdToString(chat.id) === chatId ? { ...chat, isUpdating: true } : chat
+				chat.idStr === chatId ? { ...chat, isUpdating: true } : chat
 			);
 
-			const stats: SymmetricRatchetStats = chatAPI.getRatchetStats();
+			const stats: SymmetricRatchetStats = canisterAPI.getRatchetStats();
 
 			// Update chat with new key status (dummy update)
 			chats.state = chats.state.map((chat) =>
-				chatIdToString(chat.id) === chatId
+				chat.idStr === chatId
 					? {
 							...chat,
 							isUpdating: false,
@@ -671,7 +702,7 @@ export const chatActions = {
 
 			// Mark chat as not updating
 			chats.state = chats.state.map((chat) =>
-				chatIdToString(chat.id) === chatId ? { ...chat, isUpdating: false } : chat
+				chat.idStr === chatId ? { ...chat, isUpdating: false } : chat
 			);
 
 			chatActions.addNotification({
@@ -688,11 +719,11 @@ export const chatActions = {
 
 		const newConfig = { ...userConfig.state, ...config };
 		userConfig.state = newConfig;
-		await storageService.saveUserConfig(newConfig);
+		await chatStorageService.saveUserConfig(newConfig);
 
 		// Trigger cache cleanup if retention days changed
 		if (config.cacheRetentionDays !== undefined) {
-			await storageService.cleanupUserCache(config.cacheRetentionDays);
+			await chatStorageService.cleanupUserCache(config.cacheRetentionDays);
 		}
 	},
 
@@ -722,7 +753,7 @@ export const chatActions = {
 			const actor = getActor();
 			if (!actor) throw new Error('Not authenticated');
 			const receiver = Principal.fromText(receiverPrincipalText.trim());
-			await chatAPI.createDirectChat(
+			await canisterAPI.createDirectChat(
 				actor,
 				receiver,
 				BigInt(Math.max(0, Math.trunc(rotationMinutes))),
@@ -759,7 +790,7 @@ export const chatActions = {
 				.map((t) => t.trim())
 				.filter(Boolean)
 				.map((t) => Principal.fromText(t));
-			const meta = await chatAPI.createGroupChat(
+			const meta = await canisterAPI.createGroupChat(
 				actor,
 				participants,
 				BigInt(Math.max(0, Math.trunc(rotationMinutes))),
@@ -860,7 +891,7 @@ function toUiMessage(chatIdStr: string, m: EncryptedMessage): Message {
 		fileData?: { name: string; size: number; type: string; data: ArrayBuffer };
 	};
 	return {
-		id: m.metadata.chat_message_id.toString(),
+		chatMessageId: m.metadata.chat_message_id.toString(),
 		chatId: chatIdStr,
 		senderId,
 		content: contentTyped.content,
@@ -872,15 +903,14 @@ function toUiMessage(chatIdStr: string, m: EncryptedMessage): Message {
 	};
 }
 
-async function ensureVetKeyEpochMetadata(
-	actor: ActorSubclass<_SERVICE>,
-	chatId: ChatId,
-	vetKeyEpoch: bigint
-) {
+async function ensureVetKeyEpochMetadata(chatId: ChatId, vetKeyEpoch: bigint) {
 	const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, vetKeyEpoch);
 	console.log('ensureVetKeyEpochMetadata', chatIdVetKeyEpochStr);
 	const cur = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
 
+	const actor = getActor();
+	if (!actor) throw new Error('Not authenticated');
+
 	if (cur?.status === 'loading') {
 		if (!actor) throw new Error('Not authenticated');
 
@@ -908,6 +938,148 @@ async function ensureVetKeyEpochMetadata(
 	}
 }
 
+async function cryptoKeyStateFromLocalStorage(chatId: ChatId, vetKeyEpoch: bigint) {
+	return keyStorageService.getSymmetricKeyState(chatId, vetKeyEpoch).then((keyState) => {
+		if (keyState) {
+			console.log('Key state found in key storage: ', keyState);
+			return keyState;
+		} else {
+			console.log('Key state not found in key storage: ', chatId, vetKeyEpoch);
+			throw new Error('Key state not found in key storage');
+		}
+	});
+}
+
+async function cryptoKeyStateFromRemoteCache(chatId: ChatId, vetKeyEpoch: bigint) {
+	const actor = getActor();
+	if (!actor) throw new Error('Not authenticated');
+	const vetKeyEncryptedCacheManager = new EncryptedCacheManager(getMyPrincipal(), actor);
+	return vetKeyEncryptedCacheManager
+		.fetchAndDecryptFor(chatId, vetKeyEpoch)
+		.then((epochKeyState) => {
+			return importKeyStateFromBytes(epochKeyState);
+		});
+}
+
+async function cryptoKeyStateFromResharedVetKey(chatId: ChatId, vetKeyEpoch: bigint) {
+	const actor = getActor();
+	if (!actor) throw new Error('Not authenticated');
+	return fetchResharedIbeEncryptedVetKeys(actor, chatId, vetKeyEpoch, getMyPrincipal()).then(
+		(resharedVetKey) => {
+			console.log('successfully fetched reshared IBE encrypted vetkey: ', resharedVetKey);
+			return importKeyStateFromBytes(
+				deriveRootKeyAndDispatchCaching(actor, chatId, vetKeyEpoch, resharedVetKey)
+			);
+		}
+	);
+}
+
+function getCryptoKeyStateAndIfNeededReshareAndCache(chatId: ChatId, vetKeyEpoch: bigint) {
+	const actor = getActor();
+	if (!actor) throw new Error('Not authenticated');
+
+	const chatIdStrVetKeyEpoch = chatIdVetKeyEpochToString(chatId, vetKeyEpoch);
+
+	const keyFromStoragePromise = cryptoKeyStateFromLocalStorage(chatId, vetKeyEpoch);
+
+	const cryptoKeyStateFromRemoteCachePromise = Promise.resolve(keyFromStoragePromise).catch(
+		(error) => {
+			console.info(
+				`User doesn't have key in persistent storage for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
+				error
+			);
+			return cryptoKeyStateFromRemoteCache(chatId, vetKeyEpoch);
+		}
+	);
+
+	const cryptoKeyStateFromResharedVetKeyPromise = cryptoKeyStateFromRemoteCachePromise.catch(
+		(error) => {
+			console.info(
+				`User doesn't have key cache for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
+				error
+			);
+
+			return cryptoKeyStateFromResharedVetKey(chatId, vetKeyEpoch);
+		}
+	);
+
+	return cryptoKeyStateFromResharedVetKeyPromise.catch((error) => {
+		console.info('Failed to fetch reshared IBE encrypted vetkey: ', error);
+		return Promise.resolve(canisterAPI.getVetKey(actor, chatId, vetKeyEpoch)).then(
+			async (vetKey) => {
+				while (true) {
+					console.log('waiting for vetKey epoch metadata in a loop');
+					{
+						const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdStrVetKeyEpoch);
+						if (!meta) {
+							const actor = getActor();
+							if (!actor) throw new Error('Not authenticated');
+							const promise = canisterAPI.getVetKeyEpochMetadata(actor, chatId, vetKeyEpoch);
+							chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdStrVetKeyEpoch, {
+								status: 'loading',
+								promise: promise.then((metadata) => {
+									chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdStrVetKeyEpoch, {
+										status: 'ready',
+										metadata
+									});
+									return metadata;
+								})
+							});
+							console.log(
+								'added missing vetkey epoch metadata to chatIdVetKeyEpochStringToVetKeyEpochMetadata loading ',
+								chatIdStrVetKeyEpoch
+							);
+							continue;
+						}
+					}
+
+					const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdStrVetKeyEpoch);
+					if (!meta || meta.status === 'error') {
+						throw new Error(
+							`No vetKey epoch metadata for chat ${chatIdToString(chatId)} and vetkey epoch ${vetKeyEpoch.toString()}: metadata status ${meta?.status}`
+						);
+					} else if (meta.status !== 'ready') {
+						await new Promise((resolve) => setTimeout(resolve, 100));
+						continue;
+					}
+					const otherParticipants = meta.metadata.participants.filter(
+						(p) => p.toString() !== getMyPrincipal().toString()
+					);
+
+					reshareIbeEncryptedVetKeys(
+						actor,
+						chatId,
+						vetKeyEpoch,
+						otherParticipants,
+						vetKey.signatureBytes()
+					).catch((error) => {
+						console.error(
+							`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${meta.metadata.epoch_id.toString()}: `,
+							error
+						);
+					});
+
+					const freshCryptoKeyState = importKeyStateFromBytes(
+						deriveRootKeyAndDispatchCaching(actor, chatId, vetKeyEpoch, vetKey.signatureBytes())
+					).then((freshCryptoKeyState) => {
+						keyStorageService
+							.saveSymmetricKeyState(chatId, vetKeyEpoch, freshCryptoKeyState)
+							.catch((error) => {
+								console.error(
+									`Failed to save key state for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
+									error
+								);
+							});
+						return freshCryptoKeyState;
+					});
+
+					return freshCryptoKeyState;
+				}
+			}
+		);
+	});
+}
+
 // Initialize on module load (browser only)
 if (typeof window !== 'undefined') {
 	void chatActions.initialize();
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts
index da52cce1..2154f0bd 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts
@@ -21,6 +21,7 @@ import { SvelteMap } from 'svelte/reactivity';
 import type { ActorSubclass } from '@dfinity/agent';
 import { getMyPrincipal } from './auth.svelte';
 import { EncryptedCacheManager } from '../types';
+import { keyStorageService } from '$lib/services/keyStorage';
 
 const DOMAIN_RATCHET_INIT = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-init');
 const DOMAIN_RATCHET_STEP = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-step');
@@ -36,7 +37,7 @@ type KeyState =
 
 export const chatIdStringToEpochKeyState = new SvelteMap<string, KeyState>();
 
-export async function ensureRootKey(chatId: ChatId, epochId: bigint) {
+export async function ensureSymmetricKeyState(chatId: ChatId, epochId: bigint) {
 	const chatIdStr = chatIdToString(chatId);
 	const mapKey = `${chatIdStr}/${epochId.toString()}`;
 	const cur = chatIdStringToEpochKeyState.get(mapKey);
@@ -59,6 +60,13 @@ export async function ensureRootKey(chatId: ChatId, epochId: bigint) {
 				});
 				throw error;
 			});
+	} else {
+		console.error(
+			'Bug: ensureSymmetricKeyState: chatIdStrVetKeyEpoch: ',
+			chatIdStr,
+			' should be loading but instead is ',
+			cur?.status
+		);
 	}
 }
 
@@ -68,6 +76,7 @@ async function getCurrentSymmetricEpoch(chatId: ChatId, vetkeyEpoch: bigint): Pr
 		`getCurrentSymmetricEpoch: ${chatIdToString(chatId)} vetkeyEpoch: ${vetkeyEpoch.toString()}`
 	);
 	while (true) {
+		console.log('getCurrentSymmetricEpoch: waiting for vetKey state in a loop');
 		const cur = chatIdStringToEpochKeyState.get(mapKey);
 		if (cur === undefined) {
 			console.log(
@@ -110,7 +119,7 @@ async function getSymmetricEpochKey(
 		}
 	}
 	if (!cur) {
-		throw new Error('Bug: failed to get epoch key');
+		throw new Error('getSymmetricEpochKey: bug: failed to get epoch key: ' + mapKey);
 	}
 
 	const { key, symmetricKeyEpoch: symmetricKeyEpochKeyState } = cur;
@@ -204,10 +213,25 @@ export async function fetchResharedIbeEncryptedVetKeys(
 	const publicIbeKeyBytes = await actor.get_vetkey_resharing_ibe_encryption_key(myPrincipal);
 	const publicIbeKey = DerivedPublicKey.deserialize(new Uint8Array(publicIbeKeyBytes));
 
+	const maybeIbeDecryptionKeyFromStorage = await keyStorageService.getIbeDecryptionKey();
 	// TODO:cache this key
-	const privateEncryptedIbeKeyBytes = await actor.get_vetkey_resharing_ibe_decryption_key(
-		tsk.publicKeyBytes()
-	);
+	const privateEncryptedIbeKeyBytes =
+		maybeIbeDecryptionKeyFromStorage ??
+		new Uint8Array(await actor.get_vetkey_resharing_ibe_decryption_key(tsk.publicKeyBytes()));
+	if (!maybeIbeDecryptionKeyFromStorage) {
+		console.log(
+			`Saving IBE decryption key for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}`
+		);
+		keyStorageService
+			.saveIbeDecryptionKey(new Uint8Array(privateEncryptedIbeKeyBytes))
+			.catch((error) => {
+				console.error(
+					`Failed to save IBE decryption key for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}: `,
+					error
+				);
+			});
+	}
+
 	const encryptedVetKey = EncryptedVetKey.deserialize(new Uint8Array(privateEncryptedIbeKeyBytes));
 	const privateIbeKey = encryptedVetKey.decryptAndVerify(tsk, publicIbeKey, new Uint8Array());
 
@@ -239,7 +263,7 @@ export function deriveRootKeyAndDispatchCaching(
 	return keyState;
 }
 
-export async function deriveNextEpochKey(
+export async function deriveNextSymmetricRatchetEpochCryptoKey(
 	epochKey: CryptoKey,
 	currentSymmetricKeyEpoch: bigint
 ): Promise<CryptoKey> {
@@ -272,24 +296,32 @@ async function symmetricRatchet(
 ) {
 	const chatIdStr = chatIdToString(chatId);
 	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-	const cur = chatIdStringToEpochKeyState.get(mapKey);
 	console.log(
 		`symmetricRatchet: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} expectedSymmetricKeyEpoch: ${expectedSymmetricKeyEpoch.toString()}`
 	);
-	if (!cur) {
-		throw new Error('Bug: failed to get epoch key');
-	}
-	if (cur.status !== 'ready') {
-		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
-	}
-	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
-	if (currentSymmetricKeyEpoch !== expectedSymmetricKeyEpoch) {
-		throw new Error(
-			`Failed to send message: wrong symmetric key epoch in message: expected ${expectedSymmetricKeyEpoch} but got ${currentSymmetricKeyEpoch}`
-		);
-	}
+	while (true) {
+		console.log('symmetricRatchet: waiting for vetKey state in a loop');
+		const cur = chatIdStringToEpochKeyState.get(mapKey);
+		if (!cur) {
+			throw new Error('Bug: failed to get epoch key');
+		}
+		if (cur.status === 'error') {
+			throw new Error('Failed to get epoch key: ' + cur.error);
+		}
+		if (cur.status !== 'ready') {
+			await new Promise((resolve) => setTimeout(resolve, 100));
+			continue;
+		}
+
+		const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
+		if (currentSymmetricKeyEpoch !== expectedSymmetricKeyEpoch) {
+			throw new Error(
+				`Failed to send message: wrong symmetric key epoch in message: expected ${expectedSymmetricKeyEpoch} but got ${currentSymmetricKeyEpoch}`
+			);
+		}
 
-	return await deriveNextEpochKey(key, currentSymmetricKeyEpoch);
+		return await deriveNextSymmetricRatchetEpochCryptoKey(key, currentSymmetricKeyEpoch);
+	}
 }
 
 async function symmetricRatchetUntil(
@@ -320,10 +352,20 @@ async function fastForwardSymmetricRatchetWithoutSavingUntil(
 	const mapKey = chatIdVetKeyEpochToString(chatId, currentVetkeyEpoch);
 	const cur = chatIdStringToEpochKeyState.get(mapKey);
 	if (!cur) {
-		throw new Error('Bug: failed to get epoch key');
+		chatIdStringToEpochKeyState.set(mapKey, {
+			status: 'missing'
+		});
+		return await fastForwardSymmetricRatchetWithoutSavingUntil(
+			chatId,
+			currentVetkeyEpoch,
+			neededSymmetricKeyEpoch
+		);
+	}
+	if (cur.status === 'error') {
+		throw new Error('Failed to get epoch key: ' + cur.error);
 	}
 	if (cur.status !== 'ready') {
-		throw new Error('Bug: epoch key is not ready for symmetric ratchet');
+		throw new Error('Epoch key is not ready for symmetric ratchet');
 	}
 	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
 	if (currentSymmetricKeyEpoch >= neededSymmetricKeyEpoch) {
@@ -333,7 +375,7 @@ async function fastForwardSymmetricRatchetWithoutSavingUntil(
 	let derivedKeyState = { epochKey: key, symmetricKeyEpoch: currentSymmetricKeyEpoch };
 	while (derivedKeyState.symmetricKeyEpoch < neededSymmetricKeyEpoch) {
 		derivedKeyState = {
-			epochKey: await deriveNextEpochKey(
+			epochKey: await deriveNextSymmetricRatchetEpochCryptoKey(
 				derivedKeyState.epochKey,
 				derivedKeyState.symmetricKeyEpoch
 			),
@@ -401,3 +443,18 @@ export function messageEncryptionDomainSeparator(sender: Principal, messageId: b
 export function deriveRootKeyBytes(vetKeyBytes: Uint8Array): Uint8Array {
 	return deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
 }
+
+export async function importKeyFromBytes(params: {
+	keyBytes: Uint8Array;
+	symmetricKeyEpoch: bigint;
+}): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
+	const exportable = false;
+	const key = await globalThis.crypto.subtle.importKey(
+		'raw',
+		new Uint8Array(params.keyBytes),
+		'HKDF',
+		exportable,
+		['deriveKey', 'deriveBits']
+	);
+	return { key, symmetricKeyEpoch: params.symmetricKeyEpoch };
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index 3d265e2c..94ca40d9 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -16,7 +16,7 @@ import {
 } from '$lib/utils';
 
 export interface User {
-	id: Principal;
+	principal: Principal;
 	name: string;
 	avatar?: string;
 	isOnline: boolean;
@@ -24,7 +24,7 @@ export interface User {
 }
 
 export interface Message {
-	id: string;
+	chatMessageId: string;
 	chatId: string;
 	senderId: string;
 	content: string;
@@ -42,7 +42,7 @@ export interface Message {
 }
 
 export interface Chat {
-	id: ChatId;
+	idStr: string;
 	name: string;
 	type: 'direct' | 'group';
 	// Participants are required by UI components like ChatHeader/ChatListItem
@@ -55,10 +55,9 @@ export interface Chat {
 	keyRotationStatus: VetKeyRotationStatus;
 	vetKeyEpoch: number;
 	symmetricRatchetEpoch: number;
-	// Some components read ratchetEpoch directly
-	ratchetEpoch: number;
 	unreadCount: number;
 	avatar?: string;
+	firstAccessibleMessageId: number;
 }
 
 export interface DirectChat extends Chat {
@@ -69,13 +68,10 @@ export interface DirectChat extends Chat {
 export interface GroupChat extends Chat {
 	type: 'group';
 	otherParticipants: User[];
-	adminId?: string;
 }
 
 export interface VetKeyRotationStatus {
 	lastRotation: Date;
-	nextRotation: Date;
-	isRotationNeeded: boolean;
 	currentEpoch: number;
 }
 
@@ -300,6 +296,9 @@ export class EncryptedCacheManager {
 		chatId: ChatId,
 		vetKeyEpoch: bigint
 	): Promise<{ keyBytes: Uint8Array; symmetricKeyEpoch: bigint }> {
+		console.log(
+			`get_my_symmetric_key_cache: chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}`
+		);
 		const keyCacheBytes = await this.#actor.get_my_symmetric_key_cache(chatId, vetKeyEpoch);
 		if ('Err' in keyCacheBytes) {
 			throw new Error('Failed to get key cache bytes: ' + keyCacheBytes.Err);
@@ -361,3 +360,15 @@ function deserializeCache(data: Uint8Array): { keyBytes: Uint8Array; symmetricKe
 		symmetricKeyEpoch: u8ByteUint8ArrayBigEndianToUBigInt(data.slice(32))
 	};
 }
+
+export class StoragePrefixesClass {
+	public readonly MESSAGE_PREFIX: string = 'messages';
+	public readonly CONFIG_KEY: string = 'user_config';
+	public readonly DISCLAIMER_KEY: string = 'disclaimer_dismissed';
+	public readonly CHAT_PREFIX: string = 'chat';
+
+	public readonly CHAT_EPOCH_KEY_PREFIX: string = 'chat_epoch_keys';
+	public readonly CHAT_IBE_DECRYPTION_KEY_PREFIX: string = 'chat_ibe_decryption_key';
+}
+
+export const storagePrefixes = new StoragePrefixesClass();
diff --git a/examples/encrypted_chat/frontend/src/lib/utils/index.ts b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
index 06b99a27..468d5b62 100644
--- a/examples/encrypted_chat/frontend/src/lib/utils/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
@@ -63,3 +63,35 @@ export function sizePrefixedBytesFromString(text: string): Uint8Array {
 	size[0] = bytes.length & 0xff;
 	return new Uint8Array([...size, ...bytes]);
 }
+
+export function chatIdsNumMessagesToSummary(chatIdsNumMessages: [ChatId, bigint][]): string {
+	return chatIdsNumMessages.reduce((acc, [chatId, numMessages]) => {
+		if ('Direct' in chatId) {
+			return (
+				acc +
+				(acc.length > 0 ? ' | ' : '') +
+				chatId.Direct[0].toText() +
+				' ' +
+				chatId.Direct[1].toText() +
+				' #' +
+				numMessages.toString()
+			);
+		} else {
+			return (
+				acc +
+				(acc.length > 0 ? ' | ' : '') +
+				chatId.Group.toString() +
+				' #' +
+				numMessages.toString()
+			);
+		}
+	}, '');
+}
+
+export function randomSenderMessageId(): bigint {
+	const buf = new Uint8Array(8);
+	globalThis.crypto.getRandomValues(buf);
+	let senderMessageId = 0n;
+	for (const b of buf) senderMessageId = (senderMessageId << 8n) | BigInt(b);
+	return senderMessageId;
+}
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index c84e120a..a206978d 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -54,6 +54,7 @@ service : (text) -> {
   // * If the user does not have access to the chat or vetKey epoch.
   // * If the user has already cached the key.
   derive_chat_vetkey : (ChatId, opt nat64, blob) -> (Result_2);
+  first_accessible_message_id : (nat64) -> (opt nat64) query;
   get_encrypted_vetkey_for_my_cache_storage : (blob) -> (blob);
   get_latest_chat_vetkey_epoch_metadata : (ChatId) -> (Result_3) query;
   get_my_chat_ids : () -> (vec record { ChatId; nat64 }) query;
@@ -71,6 +72,7 @@ service : (text) -> {
   get_some_messages_for_chat_starting_from : (ChatId, nat64, opt nat32) -> (
       vec EncryptedMessage,
     ) query;
+  get_vetkey_epoch_metadata : (ChatId, nat64) -> (Result_3) query;
   get_vetkey_resharing_ibe_decryption_key : (blob) -> (blob);
   get_vetkey_resharing_ibe_encryption_key : (principal) -> (blob);
   get_vetkey_verification_key_for_my_cache_storage : () -> (blob);
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 37469a07..43aa3c81 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -251,6 +251,21 @@ fn create_group_chat(
     Ok(group_chat_metadata)
 }
 
+#[ic_cdk::query]
+async fn first_accessible_message_id(group_chat_id: GroupChatId) -> Option<ChatMessageId> {
+    let caller = ic_cdk::api::msg_caller();
+    let chat_id = ChatId::Group(group_chat_id);
+
+    CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
+        metadata
+            .range(&(chat_id, Time(0))..)
+            .take_while(|metadata| metadata.key().0 == chat_id)
+            .filter(|metadata| metadata.value().participants.contains(&caller))
+            .next()
+            .map(|metadata| metadata.value().messages_start_with_id)
+    })
+}
+
 #[ic_cdk::update]
 async fn chat_public_key(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> serde_bytes::ByteBuf {
     let request = VetKDPublicKeyArgs {
@@ -319,6 +334,32 @@ fn get_latest_chat_vetkey_epoch_metadata(chat_id: ChatId) -> Result<VetKeyEpochM
     Ok(latest_epoch_metadata)
 }
 
+#[ic_cdk::query]
+fn get_vetkey_epoch_metadata(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<VetKeyEpochMetadata, String> {
+    let caller = ic_cdk::api::msg_caller();
+
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
+
+    let epoch_metadata = CHAT_TO_VETKEYS_METADATA
+        .with_borrow(|metadata| {
+            metadata
+                .range(&(chat_id, Time(0))..)
+                .take_while(|metadata| {
+                    metadata.key().0 == chat_id && metadata.value().epoch_id == vetkey_epoch_id
+                })
+                .last()
+                .map(|metadata| metadata.value())
+        })
+        .ok_or(format!(
+            "No vetkey epoch {vetkey_epoch_id:?} found for chat {chat_id:?}"
+        ))?;
+
+    Ok(epoch_metadata)
+}
+
 #[ic_cdk::update]
 fn rotate_chat_vetkey(chat_id: ChatId) -> Result<VetKeyEpochId, String> {
     let caller: Principal = ic_cdk::api::msg_caller();
@@ -623,7 +664,6 @@ fn update_my_symmetric_key_cache(
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
-    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
     ensure_payload_has_reasonable_size_for_key(&user_cache.0)?;
 
     ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
@@ -660,7 +700,8 @@ fn get_my_symmetric_key_cache(
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
-    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
+
+    ic_cdk::println!("get_my_symmetric_key_cache: chat_id={:?}, vetkey_epoch_id={:?}", chat_id, vetkey_epoch_id);
 
     ENCRYPTED_MAPS.with_borrow(|opt_maps| {
         let maps = opt_maps
@@ -715,7 +756,6 @@ fn reshare_ibe_encrypted_vetkeys(
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
-    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
 
     users_and_encrypted_vetkeys.iter().map(|(user, _encrypted_vetkey)| {
         ensure_user_has_access_to_chat_at_epoch(*user, chat_id, vetkey_epoch_id)?;
@@ -754,7 +794,6 @@ fn get_my_reshared_ibe_encrypted_vetkey(
     let caller = ic_cdk::api::msg_caller();
 
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
-    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
 
     Ok(RESHARED_VETKEYS
         .with_borrow(|reshared_vetkeys| reshared_vetkeys.get(&(chat_id, vetkey_epoch_id, caller))))
@@ -1081,36 +1120,6 @@ fn ensure_message_id_is_unique(
     }
 }
 
-fn ensure_vetkey_epoch_did_not_expire(
-    chat_id: ChatId,
-    vetkey_epoch_id: VetKeyEpochId,
-) -> Result<(), String> {
-    let now = ic_cdk::api::time();
-
-    let chat_message_expiry_setting =
-        CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
-            expiry_settings
-                .get(&chat_id)
-                .expect("bug: expiry should always exist for existing chats")
-        });
-
-    let opt_creation_timestamp = CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
-        metadata
-            .range(&(chat_id, Time(0))..)
-            .take_while(|metadata| metadata.key().0 == chat_id)
-            .filter(|metadata| metadata.value().epoch_id == vetkey_epoch_id)
-            .next()
-            .map(|metadata| metadata.value().creation_timestamp)
-    });
-
-    match opt_creation_timestamp {
-        Some(creation_timestamp) if now < creation_timestamp.0 + chat_message_expiry_setting.0 => {
-            Ok(())
-        }
-        _ => Err(format!("vetKey epoch {vetkey_epoch_id:?} expired",)),
-    }
-}
-
 fn ensure_payload_has_reasonable_size_for_key(payload: &[u8]) -> Result<(), String> {
     if payload.len() > 200 {
         Err(format!(
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index 9f39ffc0..28e10b80 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -1,4 +1,4 @@
-use candid::{ encode_args, Principal};
+use candid::{encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata,
     EncryptedSymmetricKeyEpochCache, GroupChatId, GroupChatMetadata, GroupModification,

From 829cf440f4b70ca7652faa818a9cfd51241b6ccd Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 26 Aug 2025 09:23:34 +0200
Subject: [PATCH 36/62] add abstractions

---
 .../src/lib/components/ChatHeader.svelte      |   9 +-
 .../src/lib/components/ChatInterface.svelte   |   4 +-
 .../src/lib/components/ChatList.svelte        |  29 +-
 .../src/lib/components/NewChatModal.svelte    | 171 ++--
 .../lib/components/NotificationBanner.svelte  |   8 +-
 .../src/lib/components/UserProfile.svelte     |   8 +-
 .../frontend/src/lib/crypto/keyManager.ts     |  95 ++
 .../src/lib/crypto/symmetricRatchet.ts        | 414 ++++++++
 .../services/RatchetInitializationService.ts  | 194 ++++
 .../frontend/src/lib/services/canisteApi.ts   |   6 +-
 .../frontend/src/lib/services/chatStorage.ts  |   4 +
 .../services/encryptedCanisterCacheService.ts | 230 +++++
 .../lib/services/encryptedMessagingService.ts | 467 +++++++++
 .../frontend/src/lib/services/keyStorage.ts   |  25 +-
 .../lib/services/vetKeyResharingService.ts    | 122 +++
 .../frontend/src/lib/stores/auth.svelte.ts    |  28 +-
 .../frontend/src/lib/stores/chat.svelte.ts    | 910 +++---------------
 .../frontend/src/lib/stores/crypto.svelte.ts  | 460 ---------
 .../frontend/src/lib/types/index.ts           | 280 +-----
 .../frontend/src/lib/utils/index.ts           |   5 +-
 .../frontend/src/routes/+page.svelte          |   7 +-
 .../encrypted_chat/rust/backend/src/lib.rs    |  52 +-
 22 files changed, 1828 insertions(+), 1700 deletions(-)
 create mode 100644 examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/RatchetInitializationService.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
 create mode 100644 examples/encrypted_chat/frontend/src/lib/services/vetKeyResharingService.ts
 delete mode 100644 examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index 20f66c5a..bfe2493a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -4,7 +4,7 @@
 	import Card from './ui/Card.svelte';
 	import type { Chat, SymmetricRatchetStats, GroupChat } from '../types';
 	import { canisterAPI } from '../services/canisteApi';
-	import { chatActions } from '../stores/chat.svelte';
+	import { chatUIActions } from '../stores/chat.svelte';
 	import GroupManagementModal from './GroupManagementModal.svelte';
 	import { Principal } from '@dfinity/principal';
 	import { chatIdFromString } from '$lib/utils';
@@ -78,26 +78,25 @@
 		const removeUsersPrincipal = removeUsers.map((id) => Principal.fromText(id));
 
 		try {
-			await chatActions.updateGroupMembers(
+			await chatUIActions.updateGroupMembers(
 				chatIdFromString(chat.idStr),
 				addUsersPrincipal,
 				removeUsersPrincipal,
 				allowHistoryForNew
 			);
 
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'success',
 				title: 'Group Updated',
 				message: `Successfully updated group membership.`,
 				isDismissible: true,
 				duration: 3000
 			});
-
 			// Here you would typically reload the chat data
 			// For now, we'll just show a success message
 		} catch (error) {
 			console.error('Failed to update group:', error);
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'error',
 				title: 'Update Failed',
 				message: 'Failed to update group membership. Please try again.',
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
index 5bb750a3..e9da2a3e 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { chatActions, chats, selectedChatId } from '../stores/chat.svelte';
+	import { chatUIActions, chats, selectedChatId } from '../stores/chat.svelte';
 	import ChatHeader from './ChatHeader.svelte';
 	import MessageHistory from './MessageHistory.svelte';
 	import MessageInput from './MessageInput.svelte';
@@ -32,7 +32,7 @@
 				data: arrayBuffer
 			};
 		}
-		await chatActions.encryptAndSendMessage(
+		await chatUIActions.enqueueEncryptAndSendMessage(
 			chatIdFromString(selectedChat.idStr),
 			content,
 			fileData
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index d3399959..ff61ff03 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -1,38 +1,11 @@
 <script lang="ts">
-	import {
-		chats,
-		selectedChatId,
-		chatActions,
-		getNumberOfMessagesIs,
-		chatIdStringToNumberOfMessagesShould,
-		getChatIds
-	} from '../stores/chat.svelte';
+	import { chats, selectedChatId } from '../stores/chat.svelte';
 	import ChatListItem from './ChatListItem.svelte';
 	import UserProfile from './UserProfile.svelte';
 	import Button from './ui/Button.svelte';
 	import NewChatModal from './NewChatModal.svelte';
 	import { chatIdToString, chatIdFromString } from '$lib/utils';
 
-	$effect(() => {
-		console.log(`$effect loadChatMessages`);
-		const numMessagesShoulds = getChatIds().map((chatId) => {
-			const should = chatIdStringToNumberOfMessagesShould.get(chatIdToString(chatId)) ?? 0n;
-			const is = getNumberOfMessagesIs(chatId);
-			return { chatId, should, is };
-		});
-		(async () => {
-			for (const { chatId, should, is } of numMessagesShoulds) {
-				if (!is || is !== should) {
-					await chatActions.loadChatMessages(chatId, is);
-				} else {
-					console.log(
-						`SKIPPING $effect loadChatMessages for ${chatIdToString(chatId)}: is  ${is.toString()}, should ${should.toString()}`
-					);
-				}
-			}
-		})().catch(console.error);
-	});
-
 	let showNewChat = $state(false);
 </script>
 
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
index ef0ce5aa..33209e08 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
@@ -2,8 +2,7 @@
 	import { X, Plus, Users, User } from 'lucide-svelte';
 	import Card from './ui/Card.svelte';
 	import Button from './ui/Button.svelte';
-	import { chatActions } from '$lib/stores/chat.svelte';
-
+	import { chatUIActions } from '$lib/stores/chat.svelte';
 	/** @type {{ show: boolean }} */
 	let { show = $bindable(false) } = $props();
 
@@ -24,7 +23,7 @@
 	}
 
 	async function createDirect() {
-		await chatActions.createDirectChat(
+		await chatUIActions.createDirectChat(
 			directPrincipal,
 			directRotationMinutes,
 			directExpirationMinutes
@@ -34,20 +33,24 @@
 
 	async function createGroup() {
 		const principals = groupPrincipalsText.split(/[\s,]+/).filter(Boolean);
-		await chatActions.createGroupChat(principals, groupRotationMinutes, groupExpirationMinutes);
+		await chatUIActions.createGroupChat(principals, groupRotationMinutes, groupExpirationMinutes);
 		close();
 	}
 </script>
 
 {#if show}
 	<div
-		class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 backdrop-blur-sm p-4"
+		class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4 backdrop-blur-sm"
 		role="dialog"
 		aria-modal="true"
 	>
-		<Card class="w-full max-w-lg rounded-xl shadow-2xl ring-1 ring-black/10 dark:ring-white/10 bg-white dark:bg-neutral-900">
+		<Card
+			class="w-full max-w-lg rounded-xl bg-white shadow-2xl ring-1 ring-black/10 dark:bg-neutral-900 dark:ring-white/10"
+		>
 			<div class="p-6 md:p-8">
-				<div class="mb-4 flex items-center justify-between border-b border-black/5 dark:border-white/10 pb-4">
+				<div
+					class="mb-4 flex items-center justify-between border-b border-black/5 pb-4 dark:border-white/10"
+				>
 					<h3 class="text-lg font-semibold">Create Chat</h3>
 					<button class="variant-ghost-surface btn-icon" onclick={close} aria-label="Close">
 						<X class="h-5 w-5" />
@@ -55,96 +58,96 @@
 				</div>
 
 				<div class="mb-4 flex gap-2">
-				<button
-					class="btn {tab === 'direct' ? 'variant-filled-primary' : 'variant-ghost-surface'}"
-					onclick={() => (tab = 'direct')}
-				>
-					<User class="h-4 w-4" />
-					<span class="ml-1">Direct</span>
-				</button>
-				<button
-					class="btn {tab === 'group' ? 'variant-filled-primary' : 'variant-ghost-surface'}"
-					onclick={() => (tab = 'group')}
-				>
-					<Users class="h-4 w-4" />
-					<span class="ml-1">Group</span>
-				</button>
+					<button
+						class="btn {tab === 'direct' ? 'variant-filled-primary' : 'variant-ghost-surface'}"
+						onclick={() => (tab = 'direct')}
+					>
+						<User class="h-4 w-4" />
+						<span class="ml-1">Direct</span>
+					</button>
+					<button
+						class="btn {tab === 'group' ? 'variant-filled-primary' : 'variant-ghost-surface'}"
+						onclick={() => (tab = 'group')}
+					>
+						<Users class="h-4 w-4" />
+						<span class="ml-1">Group</span>
+					</button>
 				</div>
 
 				{#if tab === 'direct'}
 					<div class="space-y-3">
-					<label class="block text-sm">
-						<span class="mb-1 block font-medium">Receiver Principal</span>
-						<input
-							class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
-							bind:value={directPrincipal}
-							placeholder="aaaaa-aa"
-						/>
-					</label>
-					<div class="grid grid-cols-2 gap-3">
-						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Symmetric Key Ratchet (min)</span>
-							<input
-								type="number"
-								min="0"
-								class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
-								bind:value={directRotationMinutes}
-							/>
-						</label>
 						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Message Expiration (min)</span>
+							<span class="mb-1 block font-medium">Receiver Principal</span>
 							<input
-								type="number"
-								min="0"
-								class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
-								bind:value={directExpirationMinutes}
+								class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+								bind:value={directPrincipal}
+								placeholder="aaaaa-aa"
 							/>
 						</label>
-					</div>
-					<div class="flex justify-end gap-2">
-						<Button onclick={createDirect} disabled={!directPrincipal.trim()}>
-							<Plus class="h-4 w-4" />
-							<span class="ml-1">Create</span>
-						</Button>
-					</div>
+						<div class="grid grid-cols-2 gap-3">
+							<label class="block text-sm">
+								<span class="mb-1 block font-medium">Symmetric Key Ratchet (min)</span>
+								<input
+									type="number"
+									min="0"
+									class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+									bind:value={directRotationMinutes}
+								/>
+							</label>
+							<label class="block text-sm">
+								<span class="mb-1 block font-medium">Message Expiration (min)</span>
+								<input
+									type="number"
+									min="0"
+									class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+									bind:value={directExpirationMinutes}
+								/>
+							</label>
+						</div>
+						<div class="flex justify-end gap-2">
+							<Button onclick={createDirect} disabled={!directPrincipal.trim()}>
+								<Plus class="h-4 w-4" />
+								<span class="ml-1">Create</span>
+							</Button>
+						</div>
 					</div>
 				{:else}
 					<div class="space-y-3">
-					<label class="block text-sm">
-						<span class="mb-1 block font-medium">Participant Principals</span>
-						<textarea
-							rows="3"
-							class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
-							bind:value={groupPrincipalsText}
-							placeholder="comma or space separated principals"
-						></textarea>
-					</label>
-					<div class="grid grid-cols-2 gap-3">
-						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Symmetric Key Ratchet (min)</span>
-							<input
-								type="number"
-								min="0"
-								class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
-								bind:value={groupRotationMinutes}
-							/>
-						</label>
 						<label class="block text-sm">
-							<span class="mb-1 block font-medium">Message Expiration (min)</span>
-							<input
-								type="number"
-								min="0"
-								class="w-full rounded-md border px-3 py-2 bg-white dark:bg-neutral-800"
-								bind:value={groupExpirationMinutes}
-							/>
+							<span class="mb-1 block font-medium">Participant Principals</span>
+							<textarea
+								rows="3"
+								class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+								bind:value={groupPrincipalsText}
+								placeholder="comma or space separated principals"
+							></textarea>
 						</label>
-					</div>
-					<div class="flex justify-end gap-2">
-						<Button onclick={createGroup} disabled={!groupPrincipalsText.trim()}>
-							<Plus class="h-4 w-4" />
-							<span class="ml-1">Create Group</span>
-						</Button>
-					</div>
+						<div class="grid grid-cols-2 gap-3">
+							<label class="block text-sm">
+								<span class="mb-1 block font-medium">Symmetric Key Ratchet (min)</span>
+								<input
+									type="number"
+									min="0"
+									class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+									bind:value={groupRotationMinutes}
+								/>
+							</label>
+							<label class="block text-sm">
+								<span class="mb-1 block font-medium">Message Expiration (min)</span>
+								<input
+									type="number"
+									min="0"
+									class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+									bind:value={groupExpirationMinutes}
+								/>
+							</label>
+						</div>
+						<div class="flex justify-end gap-2">
+							<Button onclick={createGroup} disabled={!groupPrincipalsText.trim()}>
+								<Plus class="h-4 w-4" />
+								<span class="ml-1">Create Group</span>
+							</Button>
+						</div>
 					</div>
 				{/if}
 			</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
index 0e89daa6..d766b189 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
@@ -2,7 +2,7 @@
 	import { onMount } from 'svelte';
 	import { fly } from 'svelte/transition';
 	import { X, AlertTriangle, Info, CheckCircle, XCircle } from 'lucide-svelte';
-	import { notifications, chatActions } from '../stores/chat.svelte';
+	import { notifications, chatUIActions } from '../stores/chat.svelte';
 	import { chatStorageService } from '../services/chatStorage';
 	import type { Notification } from '../types';
 
@@ -48,7 +48,7 @@
 <!-- Disclaimer Banner - Bottom Overlay -->
 {#if showDisclaimer}
 	<div
-		class="fixed right-0 bottom-0 left-0 z-50 border-t-2 border-orange-400 bg-orange-100 shadow-lg"
+		class="fixed bottom-0 left-0 right-0 z-50 border-t-2 border-orange-400 bg-orange-100 shadow-lg"
 		transition:fly={{ y: 100, duration: 300 }}
 	>
 		<div class="flex items-center gap-3 p-3">
@@ -71,7 +71,7 @@
 {/if}
 
 <!-- Notification Stack -->
-<div class="fixed top-4 right-4 z-40 max-w-sm space-y-2">
+<div class="fixed right-4 top-4 z-40 max-w-sm space-y-2">
 	{#each notifications.state as notification (notification.id)}
 		<div
 			class="alert {getNotificationColor(notification.type)} shadow-lg"
@@ -86,7 +86,7 @@
 				<div class="alert-actions">
 					<button
 						class="variant-soft btn-icon"
-						onclick={() => chatActions.dismissNotification(notification.id)}
+						onclick={() => chatUIActions.dismissNotification(notification.id)}
 						aria-label="Dismiss notification"
 					>
 						<X class="h-4 w-4" />
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index cd1a1873..8d96623f 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
 	import { Settings, X, Check, LogOut } from 'lucide-svelte';
-	import { userConfig, chatActions } from '../stores/chat.svelte';
+	import { userConfig, chatUIActions } from '../stores/chat.svelte';
 	import { auth, getMyPrincipal, logout } from '$lib/stores/auth.svelte';
 	import type { User } from '$lib/types';
 
@@ -39,7 +39,7 @@
 	}
 
 	async function saveConfig() {
-		await chatActions.updateUserConfig(configForm);
+		await chatUIActions.updateUserConfig(configForm);
 		showConfig = false;
 	}
 
@@ -62,7 +62,7 @@
 				<h3 class="text-sm font-semibold">Name: ---<br /></h3>
 				<h4 class="text-xs font-semibold">{currentUser.state?.name}</h4>
 			</div>
-	</div>
+		</div>
 		<div class="flex items-center gap-2">
 			<button class="variant-ghost-surface btn-icon" onclick={logout} aria-label="Logout">
 				<LogOut class="h-5 w-5" />
@@ -119,7 +119,7 @@
 						min="1"
 						max="365"
 						bind:value={configForm.cacheRetentionDays}
-						class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-gray-900 transition-all outline-none focus:border-transparent focus:ring-2 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-800 dark:text-gray-100"
+						class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-gray-900 outline-none transition-all focus:border-transparent focus:ring-2 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-800 dark:text-gray-100"
 						placeholder="7"
 					/>
 					<p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts b/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
new file mode 100644
index 00000000..73066f29
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
@@ -0,0 +1,95 @@
+import { SymmetricRatchetState } from './symmetricRatchet';
+import { Principal } from '@dfinity/principal';
+
+export class KeyManager {
+	#symmetricRatchetStates: Map<string, Map<bigint, SymmetricRatchetState>> = new Map();
+
+	constructor() {}
+
+	getCurrentChatIdStrs(): string[] {
+		return Array.from(this.#symmetricRatchetStates.keys());
+	}
+
+	inductSymmetricRatchetState(chatId: string, vetKeyEpoch: bigint, state: SymmetricRatchetState) {
+		if (this.#symmetricRatchetStates.get(chatId)?.has(vetKeyEpoch)) {
+			throw new Error(
+				`KeyManager.inductState: Symmetric ratchet state for chatId ${chatId} and vetKeyEpoch ${vetKeyEpoch} already exists`
+			);
+		}
+		console.log(
+			`KeyManager.inductState: Inducting state for chatId ${chatId} and vetKeyEpoch ${vetKeyEpoch}`
+		);
+		this.#symmetricRatchetStates.set(chatId, new Map([[vetKeyEpoch, state]]));
+	}
+
+	async encryptNow(
+		chatId: string,
+		sender: Principal,
+		senderMessageId: bigint,
+		message: Uint8Array
+	): Promise<{ encryptedBytes: Uint8Array; vetKeyEpoch: bigint; symmetricRatchetEpoch: bigint }> {
+		const { vetKeyEpoch, symmetricRatchetState } = this.lastVetKeyEpoch(chatId);
+		const { encryptedBytes, symmetricRatchetEpoch } = await symmetricRatchetState.encryptNow(
+			sender,
+			senderMessageId,
+			message
+		);
+
+		return { encryptedBytes, vetKeyEpoch, symmetricRatchetEpoch };
+	}
+
+	async decryptAtTimeAndEvolveIfNeeded(
+		chatId: string,
+		sender: Principal,
+		senderMessageId: bigint,
+		vetKeyEpoch: bigint,
+		encryptedBytes: Uint8Array,
+		time: Date
+	): Promise<Uint8Array> {
+		const symmetricRatchetState = this.#symmetricRatchetStates.get(chatId)?.get(vetKeyEpoch);
+		if (!symmetricRatchetState) {
+			throw new Error(
+				`KeyManager.decryptAtTimeAndEvolveIfNeeded: No symmetric ratchet states found for chatId ${chatId} and vetKeyEpoch ${vetKeyEpoch}`
+			);
+		}
+		return await symmetricRatchetState.decryptAtTimeAndEvolveIfNeeded(
+			sender,
+			senderMessageId,
+			encryptedBytes,
+			time
+		);
+	}
+
+	doesChatHaveKeys(chatId: string): boolean {
+		return this.#symmetricRatchetStates.has(chatId);
+	}
+
+	doesChatHaveRatchetStateForEpoch(chatId: string, vetKeyEpoch: bigint): boolean {
+		return this.#symmetricRatchetStates.get(chatId)?.has(vetKeyEpoch) ?? false;
+	}
+
+	private lastVetKeyEpoch(chatId: string): {
+		vetKeyEpoch: bigint;
+		symmetricRatchetState: SymmetricRatchetState;
+	} {
+		const chatIdEpochStates = this.#symmetricRatchetStates.get(chatId);
+		if (!chatIdEpochStates) {
+			throw new Error(
+				`KeyManager.lastVetKeyEpoch: No symmetric ratchet states found for chatId ${chatId}`
+			);
+		}
+		let last = null;
+
+		for (const [vetKeyEpoch, state] of chatIdEpochStates.entries()) {
+			if (last === null || vetKeyEpoch > last.vetKeyEpoch) {
+				last = { vetKeyEpoch, symmetricRatchetState: state };
+			}
+		}
+		if (last === null) {
+			throw new Error(
+				`Bug: KeyManager.lastVetKeyEpoch: chatIdEpochStates.size === 0 for chatId ${chatId}`
+			);
+		}
+		return last;
+	}
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
new file mode 100644
index 00000000..132e9ab4
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
@@ -0,0 +1,414 @@
+import { DerivedKeyMaterial, deriveSymmetricKey, type VetKey } from '@dfinity/vetkeys';
+import {
+	sizePrefixedBytesFromString,
+	u8ByteUint8ArrayBigEndianToUBigInt,
+	uBigIntTo8ByteUint8ArrayBigEndian
+} from '../utils';
+import { Principal } from '@dfinity/principal';
+
+const DOMAIN_RATCHET_INIT = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-init');
+const DOMAIN_RATCHET_STEP = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-step');
+const DOMAIN_MESSAGE_ENCRYPTION = sizePrefixedBytesFromString(
+	'ic-vetkeys-chat-example-message-encryption'
+);
+
+// Notes
+//
+// We need the following functionalities here:
+// - Raw key
+//   - Derive the root epoch key from a vetKey as bytes. Those bytes can be cached in a canister in encrypted form.
+//   - Import bytes from a canister's decrypted cache.
+//   - Eventually evolve the state to the needed epoch.
+// - CryptoKey
+//   - Store the epoch key in CryptoKey form in RAM and indexedDB.
+//   - Evolve the crypto key.
+//   - Peek at a future key without evolving the state, e.g., we encrypt our message with a key in the next epoch
+//     but we are not sure if the canister holds a message that we will need to decrypt using the current key.
+//   - Encrypt/decrypt messages using the crypto key.
+//
+// In summary, the raw key state allows to cache the key and the CryptoKey state allows to encrypt/decrypt messages.
+
+export class SymmetricRatchetState {
+	#cryptoKey: CryptoKey;
+	#symmetricRatchetEpoch: bigint;
+	readonly #creationTime: Date;
+	readonly #rotationDuration: Date;
+
+	constructor(
+		key: CryptoKey,
+		symmetricRatchetEpoch: bigint,
+		creationTime: Date,
+		rotationDuration: Date
+	) {
+		this.#cryptoKey = key;
+		this.#symmetricRatchetEpoch = symmetricRatchetEpoch;
+		this.#creationTime = creationTime;
+		this.#rotationDuration = rotationDuration;
+	}
+
+	static async fromRawKeyState(
+		rawKeyState: CacheableSymmetricRatchetState
+	): Promise<SymmetricRatchetState> {
+		const { key, symmetricKeyEpoch } = await importKeyFromBytes(
+			rawKeyState.rawKey,
+			rawKeyState.symmetricRatchetEpoch
+		);
+		return new SymmetricRatchetState(
+			key,
+			symmetricKeyEpoch,
+			rawKeyState.creationTime,
+			rawKeyState.rotationDuration
+		);
+	}
+
+	async decryptAtTimeAndEvolveIfNeeded(
+		sender: Principal,
+		senderMessageId: bigint,
+		message: Uint8Array,
+		time: Date
+	): Promise<Uint8Array> {
+		if (time < this.#creationTime) {
+			throw new Error('Cannot decrypt message before the state was created');
+		}
+		const expectedEpoch = this.getExpectedEpochAtTime(time);
+		await this.evolveTo(expectedEpoch);
+		const domainSeparator = messageEncryptionDomainSeparator(sender, senderMessageId);
+		const derivedKeyMaterial = DerivedKeyMaterial.fromCryptoKey(this.#cryptoKey);
+		return await derivedKeyMaterial.decryptMessage(message, domainSeparator);
+	}
+
+	async encryptNow(
+		sender: Principal,
+		senderMessageId: bigint,
+		message: Uint8Array
+	): Promise<{ encryptedBytes: Uint8Array; symmetricRatchetEpoch: bigint }> {
+		const now = new Date(Date.now());
+		if (now < this.#creationTime) {
+			throw new Error('Cannot decrypt message before the state was created');
+		}
+		const expectedEpoch = this.getExpectedEpochAtTime(now);
+		const neededSymmetricRatchetState = await this.peekAtEpoch(expectedEpoch);
+		const domainSeparator = messageEncryptionDomainSeparator(sender, senderMessageId);
+		const derivedKeyMaterial = DerivedKeyMaterial.fromCryptoKey(
+			neededSymmetricRatchetState.#cryptoKey
+		);
+		const encryptedBytes = await derivedKeyMaterial.encryptMessage(message, domainSeparator);
+		console.log(
+			`SymmetricRatchetState.encryptNow: encrypted message symmetric ratchet epoch ${neededSymmetricRatchetState.#symmetricRatchetEpoch.toString()}`
+		);
+		return {
+			encryptedBytes,
+			symmetricRatchetEpoch: neededSymmetricRatchetState.#symmetricRatchetEpoch
+		};
+	}
+
+	/// Evolve the state to the next epoch.
+	async evolve() {
+		const newCryptoKey = await deriveNextSymmetricRatchetEpochCryptoKey(
+			this.#cryptoKey,
+			this.#symmetricRatchetEpoch
+		);
+
+		this.#cryptoKey = newCryptoKey;
+		this.#symmetricRatchetEpoch += 1n;
+	}
+
+	async evolveTo(symmetricKeyEpoch: bigint) {
+		if (symmetricKeyEpoch < this.#symmetricRatchetEpoch) {
+			throw new Error(
+				`SymmetricRatchetState.evolveTo: symmetricKeyEpoch ${symmetricKeyEpoch.toString()} is less than the current epoch ${this.#symmetricRatchetEpoch.toString()}`
+			);
+		}
+		if (symmetricKeyEpoch === this.#symmetricRatchetEpoch) {
+			return;
+		}
+		while (symmetricKeyEpoch < this.#symmetricRatchetEpoch) {
+			console.log(
+				`SymmetricRatchetState.evolveTo: evolving from epoch ${this.#symmetricRatchetEpoch.toString()} to epoch ${symmetricKeyEpoch.toString()}`
+			);
+			await this.evolve();
+		}
+	}
+
+	/// Peek at a future epoch without evolving the state.
+	///
+	/// Returns an error if symmetricKeyEpoch is less than the current epoch.
+	async peekAtEpoch(symmetricKeyEpoch: bigint): Promise<SymmetricRatchetState> {
+		if (symmetricKeyEpoch < this.#symmetricRatchetEpoch) {
+			throw new Error(
+				`Cannot peek at epoch ${symmetricKeyEpoch} because the current epoch is ${this.#symmetricRatchetEpoch}`
+			);
+		} else if (symmetricKeyEpoch === this.#symmetricRatchetEpoch) {
+			return this;
+		}
+		const newSymmetricRatchetState = new SymmetricRatchetState(
+			this.#cryptoKey,
+			symmetricKeyEpoch,
+			this.#creationTime,
+			this.#rotationDuration
+		);
+		await newSymmetricRatchetState.evolveTo(symmetricKeyEpoch);
+		return newSymmetricRatchetState;
+	}
+
+	getExpectedEpochAtTime(time: Date): bigint {
+		if (time < this.#creationTime) {
+			throw new Error('Cannot get expected epoch before the state was created');
+		}
+
+		const elapsedSinceCreation = time.getTime() - this.#creationTime.getTime();
+		const result = BigInt(Math.floor(elapsedSinceCreation / this.#rotationDuration.getTime()));
+		console.log(
+			`SymmetricRatchetState.getExpectedEpochAtTime: now ${time.toUTCString()} creationTime ${this.#creationTime.toUTCString()} elapsedSinceCreation ${elapsedSinceCreation.toString()}ms expectedEpoch ${result.toString()}`
+		);
+		return result;
+	}
+}
+
+/// Contains a raw key and the symmetric ratchet epoch.
+///
+/// The raw key can be exported e.g. to a canister's encrypted cache.
+export class CacheableSymmetricRatchetState {
+	rawKey: Uint8Array;
+	symmetricRatchetEpoch: bigint;
+	creationTime: Date;
+	rotationDuration: Date;
+
+	private constructor(
+		rawKey: Uint8Array,
+		symmetricRatchetEpoch: bigint,
+		creationTime: Date,
+		rotationDuration: Date
+	) {
+		this.rawKey = rawKey;
+		this.symmetricRatchetEpoch = symmetricRatchetEpoch;
+		this.creationTime = creationTime;
+		this.rotationDuration = rotationDuration;
+	}
+
+	/// Evolve the state to the next epoch.
+	evolve() {
+		this.symmetricRatchetEpoch += 1n;
+		const domainSeparator = new Uint8Array([
+			...DOMAIN_RATCHET_STEP,
+			...uBigIntTo8ByteUint8ArrayBigEndian(this.symmetricRatchetEpoch)
+		]);
+		const newRawKey = deriveSymmetricKey(this.rawKey, domainSeparator, 32);
+		this.rawKey = newRawKey;
+		this.symmetricRatchetEpoch += 1n;
+	}
+
+	evolveTo(symmetricKeyEpoch: bigint) {
+		if (symmetricKeyEpoch < this.symmetricRatchetEpoch) {
+			throw new Error(
+				`Cannot evolve to epoch ${symmetricKeyEpoch} because the current epoch is ${this.symmetricRatchetEpoch}`
+			);
+		}
+		while (symmetricKeyEpoch > this.symmetricRatchetEpoch) {
+			this.evolve();
+		}
+	}
+
+	/// Peek at a future epoch without evolving the state.
+	///
+	/// Returns an error if symmetricKeyEpoch is less than the current epoch.
+	peekAtEpoch(symmetricKeyEpoch: bigint): CacheableSymmetricRatchetState {
+		const clonedRawKey = structuredClone(this.rawKey);
+		const newEpoch = this.symmetricRatchetEpoch + 1n;
+		const newState = new CacheableSymmetricRatchetState(
+			clonedRawKey,
+			newEpoch,
+			this.creationTime,
+			this.rotationDuration
+		);
+		newState.evolveTo(symmetricKeyEpoch);
+		return newState;
+	}
+
+	toSymmetricRatchetState(): Promise<SymmetricRatchetState> {
+		return SymmetricRatchetState.fromRawKeyState(this);
+	}
+
+	static initializeFromVetKey(
+		vetKey: VetKey,
+		creationTime: Date,
+		rotationDuration: Date
+	): CacheableSymmetricRatchetState {
+		const vetKeyBytes = vetKey.signatureBytes();
+		const rawKey = deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
+		return new CacheableSymmetricRatchetState(rawKey, 0n, creationTime, rotationDuration);
+	}
+
+	serialize(): Uint8Array {
+		return new Uint8Array([
+			...this.rawKey,
+			...uBigIntTo8ByteUint8ArrayBigEndian(this.symmetricRatchetEpoch),
+			...uBigIntTo8ByteUint8ArrayBigEndian(BigInt(this.creationTime.getMilliseconds())),
+			...uBigIntTo8ByteUint8ArrayBigEndian(BigInt(this.rotationDuration.getMilliseconds()))
+		]);
+	}
+
+	static deserialize(bytes: Uint8Array): CacheableSymmetricRatchetState {
+		if (bytes.length !== 32 + 3 * 8) {
+			throw new Error('Invalid serialized state');
+		}
+		const rawKey = bytes.slice(0, 32);
+		const symmetricRatchetEpoch = u8ByteUint8ArrayBigEndianToUBigInt(bytes.slice(32));
+		const creationTime = new Date(Number(u8ByteUint8ArrayBigEndianToUBigInt(bytes.slice(32 + 8))));
+		const rotationDuration = new Date(
+			Number(u8ByteUint8ArrayBigEndianToUBigInt(bytes.slice(32 + 8 + 8)))
+		);
+		return new CacheableSymmetricRatchetState(
+			rawKey,
+			symmetricRatchetEpoch,
+			creationTime,
+			rotationDuration
+		);
+	}
+}
+
+export function vetKeyToSymmetricRatchetStateBytes(vetKey: VetKey): Uint8Array {
+	const vetKeyBytes = vetKey.signatureBytes();
+	return deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
+}
+
+async function deriveNextSymmetricRatchetEpochCryptoKey(
+	epochKey: CryptoKey,
+	currentSymmetricKeyEpoch: bigint
+): Promise<CryptoKey> {
+	console.log(`deriveNextEpochKey: ${currentSymmetricKeyEpoch.toString()}`);
+	const exportable = false;
+	const domainSeparator = new Uint8Array([
+		...DOMAIN_RATCHET_STEP,
+		...uBigIntTo8ByteUint8ArrayBigEndian(currentSymmetricKeyEpoch)
+	]);
+	const algorithm = {
+		name: 'HKDF',
+		hash: 'SHA-256',
+		length: 32 * 8,
+		info: domainSeparator,
+		salt: new Uint8Array()
+	};
+
+	const rawKey = await globalThis.crypto.subtle.deriveBits(algorithm, epochKey, 8 * 32);
+
+	return await globalThis.crypto.subtle.importKey('raw', rawKey, algorithm, exportable, [
+		'deriveKey',
+		'deriveBits'
+	]);
+}
+
+async function importKeyFromBytes(
+	keyBytes: Uint8Array,
+	symmetricKeyEpoch: bigint
+): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
+	const exportable = false;
+	const key = await globalThis.crypto.subtle.importKey(
+		'raw',
+		new Uint8Array(keyBytes),
+		'HKDF',
+		exportable,
+		['deriveKey', 'deriveBits']
+	);
+	return { key, symmetricKeyEpoch: symmetricKeyEpoch };
+}
+
+export function messageEncryptionDomainSeparator(
+	sender: Principal,
+	senderMessageId: bigint
+): Uint8Array {
+	return new Uint8Array([
+		...DOMAIN_MESSAGE_ENCRYPTION,
+		...sender.toUint8Array(),
+		...uBigIntTo8ByteUint8ArrayBigEndian(senderMessageId)
+	]);
+}
+
+export function deriveRootKeyBytes(vetKeyBytes: Uint8Array): Uint8Array {
+	return deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
+}
+
+// function deriveSymmetricRatchetRootKey(
+// 	actor: ActorSubclass<_SERVICE>,
+// 	chatId: ChatId,
+// 	vetKeyEpoch: bigint,
+// 	vetKeyBytes: Uint8Array
+// ): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
+// 	const rootKey = deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
+// 	console.log(
+// 		`Computed rootKey=${stringifyBigInt(rootKey)} from vetKey=${stringifyBigInt(vetKeyBytes)}`
+// 	);
+
+// 	console.log('starting to store the root key in cache: ', rootKey);
+// 	const vetKeyEncryptedCache = new EncryptedCacheManager(getMyPrincipal(), actor);
+// 	const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
+// 	// await this future in background
+// 	vetKeyEncryptedCache.encryptAndStoreFor(chatId, vetKeyEpoch, keyState).catch((error) => {
+// 		console.error(
+// 			`Failed to store root key in cache for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
+// 			error
+// 		);
+// 	});
+// 	return keyState;
+// }
+
+// async function symmetricRatchetUntil(
+// 	chatId: ChatId,
+// 	vetkeyEpoch: bigint,
+// 	symmetricKeyEpoch: bigint
+// ) {
+// 	while ((await getCurrentSymmetricEpoch(chatId, vetkeyEpoch)) < symmetricKeyEpoch) {
+// 		try {
+// 			const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
+// 			const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
+// 			chatIdStringToEpochKeyState.set(mapKey, {
+// 				status: 'ready',
+// 				symmetricKeyEpoch: currentSymmetricEpoch + 1n,
+// 				key: await symmetricRatchet(chatId, vetkeyEpoch, currentSymmetricEpoch)
+// 			});
+// 		} catch (error) {
+// 			console.warn('symmetricRatchetUntil: ', error);
+// 		}
+// 	}
+// }
+
+// async function fastForwardSymmetricRatchetWithoutSavingUntil(
+// 	chatId: ChatId,
+// 	currentVetkeyEpoch: bigint,
+// 	neededSymmetricKeyEpoch: bigint
+// ): Promise<DerivedKeyMaterial> {
+// 	const mapKey = chatIdVetKeyEpochToString(chatId, currentVetkeyEpoch);
+// 	const cur = chatIdStringToEpochKeyState.get(mapKey);
+// 	if (!cur) {
+// 		chatIdStringToEpochKeyState.set(mapKey, {
+// 			status: 'missing'
+// 		});
+// 		return await fastForwardSymmetricRatchetWithoutSavingUntil(
+// 			chatId,
+// 			currentVetkeyEpoch,
+// 			neededSymmetricKeyEpoch
+// 		);
+// 	}
+// 	if (cur.status === 'error') {
+// 		throw new Error('Failed to get epoch key: ' + cur.error);
+// 	}
+// 	if (cur.status !== 'ready') {
+// 		throw new Error('Epoch key is not ready for symmetric ratchet');
+// 	}
+// 	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
+// 	if (currentSymmetricKeyEpoch >= neededSymmetricKeyEpoch) {
+// 		return DerivedKeyMaterial.fromCryptoKey(key);
+// 	}
+
+// 	let derivedKeyState = { epochKey: key, symmetricKeyEpoch: currentSymmetricKeyEpoch };
+// 	while (derivedKeyState.symmetricKeyEpoch < neededSymmetricKeyEpoch) {
+// 		derivedKeyState = {
+// 			epochKey: await deriveNextSymmetricRatchetEpochCryptoKey(
+// 				derivedKeyState.epochKey,
+// 				derivedKeyState.symmetricKeyEpoch
+// 			),
+// 			symmetricKeyEpoch: derivedKeyState.symmetricKeyEpoch + 1n
+// 		};
+// 	}
+// 	return DerivedKeyMaterial.fromCryptoKey(derivedKeyState.epochKey);
+// }
diff --git a/examples/encrypted_chat/frontend/src/lib/services/RatchetInitializationService.ts b/examples/encrypted_chat/frontend/src/lib/services/RatchetInitializationService.ts
new file mode 100644
index 00000000..63d8fa0f
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/services/RatchetInitializationService.ts
@@ -0,0 +1,194 @@
+import { deriveRootKeyBytes, SymmetricRatchetState } from '$lib/crypto/symmetricRatchet';
+import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
+import { stringifyBigInt, chatIdToString } from '$lib/utils';
+import { canisterAPI } from './canisteApi';
+import { keyStorageService } from './keyStorage';
+import { EncryptedCanisterCacheService } from './encryptedCanisterCacheService';
+import { VetKeyResharingService } from './vetKeyResharingService';
+
+export class RatchetInitializationService {
+	#vetKeyResharingService: VetKeyResharingService;
+	#encryptedCanisterCacheService: EncryptedCanisterCacheService;
+
+	constructor() {
+		this.#vetKeyResharingService = new VetKeyResharingService();
+		this.#encryptedCanisterCacheService = new EncryptedCanisterCacheService();
+	}
+
+	async initializeRatchetStateAndReshareAndCacheIfNeeded(
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<SymmetricRatchetState> {
+		const metadata = await canisterAPI.getVetKeyEpochMetadata(getActor(), chatId, vetKeyEpoch);
+		const creationTime = new Date(Number(metadata.creation_timestamp / 1_000_000n));
+		const rotationDuration = new Date(
+			Number(metadata.symmetric_key_rotation_duration / 1_000_000n)
+		);
+
+		try {
+			const keyState = await this.cryptoKeyStateFromLocalStorage(chatId, vetKeyEpoch);
+			return new SymmetricRatchetState(keyState.key, vetKeyEpoch, creationTime, rotationDuration);
+		} catch (error) {
+			console.info(
+				`User doesn't have key in persistent storage for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
+				error
+			);
+		}
+
+		try {
+			const keyState = await this.cryptoKeyStateFromRemoteCache(chatId, vetKeyEpoch);
+			return new SymmetricRatchetState(keyState.key, vetKeyEpoch, creationTime, rotationDuration);
+		} catch (error) {
+			console.info(
+				`User doesn't have key in remote cache for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
+				error
+			);
+		}
+
+		try {
+			const keyState = await this.cryptoKeyStateFromResharedVetKey(chatId, vetKeyEpoch);
+			return new SymmetricRatchetState(keyState.key, vetKeyEpoch, creationTime, rotationDuration);
+		} catch (error) {
+			console.info('Failed to fetch reshared IBE encrypted vetkey: ', error);
+		}
+
+		try {
+			const keyState = await this.fetchAndReshareAndCacheVetKey(chatId, vetKeyEpoch);
+			return new SymmetricRatchetState(keyState.key, vetKeyEpoch, creationTime, rotationDuration);
+		} catch (error) {
+			console.info('Failed to fetch vetkey: ', error);
+		}
+
+		throw new Error('Failed to initialize ratchet state');
+	}
+
+	async cryptoKeyStateFromLocalStorage(
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
+		return keyStorageService
+			.getSymmetricKeyState(chatIdToString(chatId), vetKeyEpoch.toString())
+			.then((keyState) => {
+				if (keyState) {
+					console.log('Key state found in key storage: ', keyState);
+					return keyState;
+				} else {
+					console.log(
+						'Key state not found in key storage: ',
+						chatIdToString(chatId),
+						vetKeyEpoch.toString()
+					);
+					throw new Error('Key state not found in key storage');
+				}
+			});
+	}
+
+	cryptoKeyStateFromRemoteCache(
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
+		return this.#encryptedCanisterCacheService
+			.fetchAndDecryptFor(chatId, vetKeyEpoch)
+			.then((epochKeyState) => {
+				return importKeyStateFromBytes(epochKeyState);
+			});
+	}
+
+	cryptoKeyStateFromResharedVetKey(
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
+		return this.#vetKeyResharingService
+			.fetchResharedIbeEncryptedVetKey(chatId, vetKeyEpoch)
+			.then((resharedVetKey) => {
+				console.log('successfully fetched reshared IBE encrypted vetkey: ', resharedVetKey);
+				return importKeyStateFromBytes(
+					deriveRootKeyAndDispatchCaching(chatId, vetKeyEpoch, resharedVetKey)
+				);
+			});
+	}
+
+	async fetchAndReshareAndCacheVetKey(
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
+		const vetKey = await canisterAPI.getVetKey(getActor(), chatId, vetKeyEpoch);
+		while (true) {
+			console.log('waiting for vetKey epoch metadata in a loop');
+
+			const meta = await canisterAPI.getVetKeyEpochMetadata(getActor(), chatId, vetKeyEpoch);
+
+			const otherParticipants = meta.participants.filter(
+				(p) => p.toString() !== getMyPrincipal().toString()
+			);
+
+			this.#vetKeyResharingService
+				.reshareIbeEncryptedVetKeys(chatId, vetKeyEpoch, otherParticipants, vetKey.signatureBytes())
+				.catch((error) => {
+					console.error(
+						`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${meta.epoch_id.toString()}: `,
+						error
+					);
+				});
+
+			const freshCryptoKeyState = importKeyStateFromBytes(
+				deriveRootKeyAndDispatchCaching(chatId, vetKeyEpoch, vetKey.signatureBytes())
+			).then((freshCryptoKeyState) => {
+				keyStorageService
+					.saveSymmetricKeyState(
+						chatIdToString(chatId),
+						vetKeyEpoch.toString(),
+						freshCryptoKeyState
+					)
+					.catch((error) => {
+						console.error(
+							`Failed to save key state for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
+							error
+						);
+					});
+				return freshCryptoKeyState;
+			});
+
+			return freshCryptoKeyState;
+		}
+	}
+}
+
+function deriveRootKeyAndDispatchCaching(
+	chatId: ChatId,
+	vetKeyEpoch: bigint,
+	vetKeyBytes: Uint8Array
+): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
+	const rootKey = deriveRootKeyBytes(vetKeyBytes);
+	console.log(
+		`Computed rootKey=${stringifyBigInt(rootKey)} from vetKey=${stringifyBigInt(vetKeyBytes)}`
+	);
+
+	console.log('starting to store the root key in cache: ', rootKey);
+	const vetKeyEncryptedCache = new EncryptedCanisterCacheService();
+	const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
+	// await this future in background
+	vetKeyEncryptedCache.encryptAndStoreFor(chatId, vetKeyEpoch, keyState).catch((error) => {
+		console.error(
+			`Failed to store root key in cache for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
+			error
+		);
+	});
+	return keyState;
+}
+
+export async function importKeyStateFromBytes(params: {
+	keyBytes: Uint8Array;
+	symmetricKeyEpoch: bigint;
+}): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
+	const exportable = false;
+	const key = await globalThis.crypto.subtle.importKey(
+		'raw',
+		new Uint8Array(params.keyBytes),
+		'HKDF',
+		exportable,
+		['deriveKey', 'deriveBits']
+	);
+	return { key, symmetricKeyEpoch: params.symmetricKeyEpoch };
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts b/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
index a7e46396..34009bb0 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
@@ -9,7 +9,7 @@ import type {
 	VetKeyEpochMetadata
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
-import { chatIdToString, stringifyBigInt } from '$lib/utils';
+import { stringifyBigInt } from '$lib/utils';
 import { TransportSecretKey, EncryptedVetKey, DerivedPublicKey, VetKey } from '@dfinity/vetkeys';
 
 // Dummy API service that simulates backend calls
@@ -88,10 +88,6 @@ export class CanisterAPI {
 		actor: ActorSubclass<_SERVICE>
 	): Promise<{ chatId: ChatId; numMessages: bigint }[]> {
 		const chatIds = await actor.get_my_chat_ids();
-		const summary: string = chatIds.reduce((acc, [chatId, numMessages]) => {
-			return acc + ' ' + chatIdToString(chatId) + ' ' + numMessages.toString();
-		}, '');
-		console.log('getChatIdsAndCurrentNumbersOfMessages: ' + summary);
 		return chatIds.map(([chatId, numMessages]) => {
 			return { chatId, numMessages };
 		});
diff --git a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
index bbe37868..a6e8dfc5 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
@@ -54,6 +54,10 @@ export class ChatStorageService {
 		await set([storagePrefixes.CHAT_PREFIX, chat.idStr], value);
 	}
 
+	async deleteChat(chatId: string): Promise<void> {
+		await del([storagePrefixes.CHAT_PREFIX, chatId]);
+	}
+
 	async getAllChats(): Promise<Chat[]> {
 		const allKeys = await keys();
 		const chatKeys = allKeys.filter((key) => {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts
new file mode 100644
index 00000000..a46b21e1
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts
@@ -0,0 +1,230 @@
+import {
+	chatIdToString,
+	stringifyBigInt,
+	uBigIntTo8ByteUint8ArrayBigEndian,
+	u8ByteUint8ArrayBigEndianToUBigInt
+} from '$lib/utils';
+import {
+	EncryptedMaps,
+	type AccessRights,
+	type ByteBuf,
+	type EncryptedMapData,
+	type EncryptedMapsClient
+} from '@dfinity/vetkeys/encrypted_maps';
+import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import type { Principal } from '@dfinity/principal';
+import { getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
+
+export class EncryptedCanisterCacheService {
+	#encryptedMaps: EncryptedMaps;
+
+	constructor() {
+		this.#encryptedMaps = new EncryptedMaps(new EncryptedMapsClientForEncryptedCache());
+	}
+
+	async fetchAndDecryptFor(
+		chatId: ChatId,
+		vetKeyEpoch: bigint
+	): Promise<{ keyBytes: Uint8Array; symmetricKeyEpoch: bigint }> {
+		console.log(
+			`get_my_symmetric_key_cache: chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}`
+		);
+		const keyCacheBytes = await getActor().get_my_symmetric_key_cache(chatId, vetKeyEpoch);
+		if ('Err' in keyCacheBytes) {
+			throw new Error('Failed to get key cache bytes: ' + keyCacheBytes.Err);
+		} else if (keyCacheBytes.Ok.length === 0) {
+			throw new Error('Failed to get key cache bytes: no key cache found');
+		}
+
+		const mapName_ = mapName();
+		const mapKey = await mapKeyId(chatId, vetKeyEpoch);
+		const decryptedBytes = await this.#encryptedMaps.decryptFor(
+			getMyPrincipal(),
+			mapName_,
+			mapKey,
+			new Uint8Array(keyCacheBytes.Ok[0])
+		);
+
+		console.log(
+			`VetKeyEncryptedCache: successfully fetched and decrypted key cache for chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}: ${stringifyBigInt(deserializeCache(decryptedBytes))}`
+		);
+		return deserializeCache(decryptedBytes);
+	}
+
+	async encryptAndStoreFor(
+		chatId: ChatId,
+		vetKeyEpoch: bigint,
+		cache: { keyBytes: Uint8Array; symmetricKeyEpoch: bigint }
+	): Promise<void> {
+		console.log('encryptAndStoreFor: starting to store the root key in cache: ', cache);
+		const mapName_ = mapName();
+		const mapKey = await mapKeyId(chatId, vetKeyEpoch);
+
+		const ciphertext = await this.#encryptedMaps.encryptFor(
+			getMyPrincipal(),
+			mapName_,
+			mapKey,
+			serializeCache(cache)
+		);
+		const result = await getActor().update_my_symmetric_key_cache(chatId, vetKeyEpoch, ciphertext);
+		if ('Err' in result) {
+			throw new Error('Failed to update key cache: ' + result.Err);
+		} else {
+			console.log(
+				`VetKeyEncryptedCache: successfully stored key cache for chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}: ${stringifyBigInt(serializeCache(cache))}`
+			);
+		}
+	}
+}
+
+function serializeCache(cache: { keyBytes: Uint8Array; symmetricKeyEpoch: bigint }): Uint8Array {
+	return new Uint8Array([
+		...cache.keyBytes,
+		...uBigIntTo8ByteUint8ArrayBigEndian(cache.symmetricKeyEpoch)
+	]);
+}
+
+function deserializeCache(data: Uint8Array): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
+	return {
+		keyBytes: data.slice(0, 32),
+		symmetricKeyEpoch: u8ByteUint8ArrayBigEndianToUBigInt(data.slice(32))
+	};
+}
+
+/* eslint-disable @typescript-eslint/no-unused-vars */
+class EncryptedMapsClientForEncryptedCache implements EncryptedMapsClient {
+	constructor() {}
+
+	get_accessible_shared_map_names(): Promise<[Principal, ByteBuf][]> {
+		throw Error('unavailable EncryptedMaps function get_accessible_shared_map_names');
+	}
+
+	get_shared_user_access_for_map(
+		owner: Principal,
+		mapName: ByteBuf
+	): Promise<{ Ok: Array<[Principal, AccessRights]> } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function get_shared_user_access_for_map');
+	}
+
+	get_owned_non_empty_map_names(): Promise<Array<ByteBuf>> {
+		throw Error('unavailable EncryptedMaps function get_owned_non_empty_map_names');
+	}
+
+	get_all_accessible_encrypted_values(): Promise<[[Principal, ByteBuf], [ByteBuf, ByteBuf][]][]> {
+		throw Error('unavailable EncryptedMaps function get_all_accessible_encrypted_values');
+	}
+
+	get_all_accessible_encrypted_maps(): Promise<Array<EncryptedMapData>> {
+		throw Error('unavailable EncryptedMaps function get_all_accessible_encrypted_maps');
+	}
+
+	get_encrypted_value(
+		mapOwner: Principal,
+		mapName: ByteBuf,
+
+		mapKey: ByteBuf
+	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function get_encrypted_value');
+	}
+
+	get_encrypted_values_for_map(
+		mapOwner: Principal,
+		mapName: ByteBuf
+	): Promise<{ Ok: Array<[ByteBuf, ByteBuf]> } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function get_encrypted_values_for_map');
+	}
+
+	async get_encrypted_vetkey(
+		mapOwner: Principal,
+		mapName: ByteBuf,
+		transportKey: ByteBuf
+	): Promise<{ Ok: ByteBuf } | { Err: string }> {
+		const data = new Uint8Array(
+			await getActor().get_encrypted_vetkey_for_my_cache_storage(transportKey.inner)
+		);
+		const result: { Ok: ByteBuf } | { Err: string } = {
+			Ok: { inner: data }
+		};
+		return Promise.resolve(result);
+	}
+
+	insert_encrypted_value(
+		mapOwner: Principal,
+		mapName: ByteBuf,
+		mapKey: ByteBuf,
+		data: ByteBuf
+	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function insert_encrypted_value');
+	}
+
+	remove_encrypted_value(
+		mapOwner: Principal,
+		mapName: ByteBuf,
+		mapKey: ByteBuf
+	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function remove_encrypted_value');
+	}
+
+	remove_map_values(
+		mapOwner: Principal,
+		mapName: ByteBuf
+	): Promise<{ Ok: Array<ByteBuf> } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function remove_map_values');
+	}
+
+	async get_vetkey_verification_key(): Promise<ByteBuf> {
+		return { inner: await getActor().get_vetkey_verification_key_for_my_cache_storage() };
+	}
+
+	set_user_rights(
+		owner: Principal,
+		mapName: ByteBuf,
+		user: Principal,
+		userRights: AccessRights
+	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function set_user_rights');
+	}
+
+	get_user_rights(
+		owner: Principal,
+		mapName: ByteBuf,
+		user: Principal
+	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function get_user_rights');
+	}
+
+	remove_user(
+		owner: Principal,
+		mapName: ByteBuf,
+		user: Principal
+	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
+		throw Error('unavailable EncryptedMaps function remove_user');
+	}
+}
+/* eslint-enable @typescript-eslint/no-unused-vars */
+
+function mapName(): Uint8Array {
+	return new TextEncoder().encode('encrypted_chat_cache');
+}
+
+async function mapKeyId(chat_id: ChatId, vetkey_epoch_id: bigint): Promise<Uint8Array> {
+	const input = serializeChatId(chat_id);
+
+	const hashBuffer = await crypto.subtle.digest(
+		'SHA-256',
+		new Uint8Array([...input, ...uBigIntTo8ByteUint8ArrayBigEndian(vetkey_epoch_id)])
+	);
+	return new Uint8Array(hashBuffer);
+}
+
+function serializeChatId(chatId: ChatId): Uint8Array {
+	if ('Direct' in chatId) {
+		return new Uint8Array([
+			0,
+			...chatId.Direct[0].toUint8Array(),
+			...chatId.Direct[1].toUint8Array()
+		]);
+	} else {
+		return new Uint8Array([1, ...uBigIntTo8ByteUint8ArrayBigEndian(chatId.Group)]);
+	}
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
new file mode 100644
index 00000000..7acaf001
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -0,0 +1,467 @@
+import { auth, getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
+import type { ActorSubclass } from '@dfinity/agent';
+import type {
+	_SERVICE,
+	ChatId,
+	EncryptedMessage,
+	EncryptedMessageMetadata
+} from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { KeyManager } from '$lib/crypto/keyManager';
+import { RatchetInitializationService } from './RatchetInitializationService';
+import { SymmetricRatchetEpochError, VetKeyEpochError, type Message } from '$lib/types';
+import { canisterAPI } from './canisteApi';
+import {
+	chatIdFromString,
+	chatIdsNumMessagesToSummary,
+	chatIdToString,
+	randomSenderMessageId
+} from '$lib/utils';
+
+type MessageContent = {
+	textContent: string;
+	fileData?: { name: string; size: number; type: string; data: ArrayBuffer };
+};
+
+export class EncryptedMessagingService {
+	#ratchetInitializationService: RatchetInitializationService;
+	#keyManager: KeyManager;
+
+	#sendingQueue: Map<string, string[]>;
+
+	#receivingQueue: Map<string, Message[]>;
+	#receivingQueueToDecrypt: Map<string, EncryptedMessage[]>;
+	#firstAccessibleMessageId: Map<string, bigint>;
+	#chatIdToCurrentNumberOfRemoteMessages: Map<string, bigint>;
+	#chatIdToCurrentNumberOfFetchedMessages: Map<string, bigint>;
+
+	#backgroundWorker: BackgroundWorker;
+
+	constructor() {
+		this.#ratchetInitializationService = new RatchetInitializationService();
+		this.#keyManager = new KeyManager();
+
+		// Initialize sending and receiving queues
+		this.#sendingQueue = new Map();
+		this.#receivingQueue = new Map();
+		this.#receivingQueueToDecrypt = new Map();
+
+		this.#firstAccessibleMessageId = new Map();
+		this.#chatIdToCurrentNumberOfRemoteMessages = new Map();
+		this.#chatIdToCurrentNumberOfFetchedMessages = new Map();
+
+		// Start the background worker to handle encryption, sending, polling, and decryption
+		this.#backgroundWorker = new BackgroundWorker();
+	}
+
+	start() {
+		// Start the worker loop
+		// The worker will periodically:
+		// 1. Take outgoing messages from the sending queue, encrypt using RatchetInitializationService, and send via the actor.
+		// 2. Poll for new encrypted messages from the canister, queue them for decryption.
+		// 3. Decrypt received messages using RatchetInitializationService and put them into the receiving queue.
+		void this.#backgroundWorker.start(
+			async () => {
+				await this.#pollForNewMessages();
+				await this.#decryptReceivedMessages();
+			},
+			async () => this.#handleOutgoingMessages()
+		);
+	}
+
+	skipMessagesAvailableLocally(chatId: ChatId, numMessages: bigint) {
+		console.log(
+			'skipMessagesAvailableLocally: chatId',
+			chatIdToString(chatId),
+			'numMessages',
+			numMessages.toString()
+		);
+		this.#chatIdToCurrentNumberOfFetchedMessages.set(chatIdToString(chatId), numMessages);
+	}
+
+	getCurrentChatIds(): ChatId[] {
+		return this.#keyManager.getCurrentChatIdStrs().map(chatIdFromString);
+	}
+
+	enqueueSendMessage(chatId: ChatId, content: string) {
+		this.#sendingQueue.set(chatIdToString(chatId), [
+			...(this.#sendingQueue.get(chatIdToString(chatId)) || []),
+			content
+		]);
+	}
+
+	takeReceivedMessages(): Map<string, Message[]> {
+		const messages = this.#receivingQueue;
+		this.#receivingQueue = new Map();
+		return messages;
+	}
+
+	signalStopWorker() {
+		this.#backgroundWorker.abortController.abort();
+	}
+
+	/**
+	 * Handle outgoing messages: encrypt and send
+	 */
+	async #handleOutgoingMessages(): Promise<void> {
+		for (const [chatId, contents] of this.#sendingQueue.entries()) {
+			while (true) {
+				const content = contents.shift();
+				if (!content) {
+					break;
+				}
+				await this.#handleOutgoingMessage(chatId, content);
+			}
+			this.#sendingQueue.delete(chatId);
+		}
+	}
+
+	async #handleOutgoingMessage(chatIdStr: string, content: string) {
+		const MAX_RETRIES = 50;
+		const TIMEOUT_MS = 1000;
+
+		const senderMessageId = randomSenderMessageId();
+		for (let i = 0; i < MAX_RETRIES; i++) {
+			try {
+				const encrypted = await this.#keyManager.encryptNow(
+					chatIdStr,
+					getMyPrincipal(),
+					senderMessageId,
+					new TextEncoder().encode(content)
+				);
+				await sendMessage(
+					getActor(),
+					chatIdFromString(chatIdStr),
+					encrypted.vetKeyEpoch,
+					encrypted.symmetricRatchetEpoch,
+					senderMessageId,
+					encrypted.encryptedBytes
+				);
+				break;
+			} catch (e) {
+				console.info('#handleOutgoingMessage: VetKeyEpochError', e);
+				if (e instanceof VetKeyEpochError) {
+					const ratchetState =
+						await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
+							chatIdFromString(chatIdStr),
+							e.requiredVetKeyEpoch
+						);
+					this.#keyManager.inductSymmetricRatchetState(
+						chatIdStr,
+						e.requiredVetKeyEpoch,
+						ratchetState
+					);
+				} else if (e instanceof SymmetricRatchetEpochError) {
+					console.log('#handleOutgoingMessage: Symmetric ratchet epoch error', e);
+				} else {
+					// Errors in sending are non-fatal.
+					console.error('#handleOutgoingMessage: Unknown error', e);
+				}
+				await new Promise((resolve) => setTimeout(resolve, TIMEOUT_MS));
+			}
+		}
+	}
+
+	/**
+	 * Poll for new messages from canister
+	 */
+	async #pollForNewMessages(): Promise<void> {
+		if (auth.state.label !== 'initialized') return;
+
+		// Get chat IDs and check for new messages
+		const chatIds = await canisterAPI.getChatIdsAndCurrentNumbersOfMessages(getActor());
+
+		const summary = chatIdsNumMessagesToSummary(chatIds);
+		console.log('fetched ' + chatIds.length + ' chats: ' + summary);
+
+		for (const { chatId, numMessages } of chatIds) {
+			if (!this.#keyManager.doesChatHaveKeys(chatIdToString(chatId))) {
+				console.log(
+					'#pollForNewMessages: chatId',
+					chatIdToString(chatId),
+					'does not have keys, initializing'
+				);
+				const latestVetKeyEpoch = (
+					await canisterAPI.getLatestVetKeyEpochMetadata(getActor(), chatId)
+				).epoch_id;
+				const ratchetState =
+					await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
+						chatId,
+						latestVetKeyEpoch
+					);
+				this.#keyManager.inductSymmetricRatchetState(
+					chatIdToString(chatId),
+					latestVetKeyEpoch,
+					ratchetState
+				);
+			}
+
+			const currentNumberOfFetchedMessages =
+				this.#chatIdToCurrentNumberOfFetchedMessages.get(chatIdToString(chatId)) ?? 0n;
+			this.#chatIdToCurrentNumberOfRemoteMessages.set(chatIdToString(chatId), numMessages);
+
+			if (
+				(this.#firstAccessibleMessageId.get(chatIdToString(chatId)) ?? 0n) +
+					currentNumberOfFetchedMessages >=
+				numMessages
+			) {
+				continue;
+			}
+
+			console.log(
+				`#pollForNewMessages: new messages for chatId: ${chatIdToString(chatId)}, currentNumberOfFetchedMessages: ${currentNumberOfFetchedMessages}, numMessages: ${numMessages}, firstAccessibleMessageId: ${this.#firstAccessibleMessageId.get(chatIdToString(chatId)) ?? 0n}`
+			);
+
+			// Get messages starting from the last known message ID
+			const startId =
+				(await this.#getFirstAccessibleMessageId(chatIdToString(chatId))) +
+				currentNumberOfFetchedMessages;
+
+			try {
+				const messages = await canisterAPI.fetchEncryptedMessages(
+					getActor(),
+					chatId,
+					startId,
+					undefined
+				);
+
+				console.log(
+					`#pollForNewMessages: fetched ${messages.length} messages for chatId ${chatIdToString(
+						chatId
+					)}, currentNumberOfFetchedMessages: ${currentNumberOfFetchedMessages}, numMessages: ${numMessages}, firstAccessibleMessageId: ${this.#firstAccessibleMessageId.get(chatIdToString(chatId)) ?? 0n} new fetched messages count: ${currentNumberOfFetchedMessages + BigInt(messages.length)}`
+				);
+
+				console.log(
+					'#pollForNewMessages: old map this.#chatIdToCurrentNumberOfFetchedMessages ',
+					this.#chatIdToCurrentNumberOfFetchedMessages
+				);
+
+				this.#chatIdToCurrentNumberOfFetchedMessages.set(
+					chatIdToString(chatId),
+					currentNumberOfFetchedMessages + BigInt(messages.length)
+				);
+
+				console.log(
+					'#pollForNewMessages: new map this.#chatIdToCurrentNumberOfFetchedMessages ',
+					this.#chatIdToCurrentNumberOfFetchedMessages
+				);
+
+				this.#receivingQueueToDecrypt.set(chatIdToString(chatId), [
+					...(this.#receivingQueueToDecrypt.get(chatIdToString(chatId)) || []),
+					...messages
+				]);
+			} catch (error) {
+				// Polling errors are non-fatal if some messages are too big to receive several at once,
+				// and polling just one message works
+				console.info(
+					'Failed to poll for new messages, trying again to pull just one message...',
+					error
+				);
+				const messages = await canisterAPI.fetchEncryptedMessages(getActor(), chatId, startId, 1n);
+
+				this.#chatIdToCurrentNumberOfFetchedMessages.set(
+					chatIdToString(chatId),
+					currentNumberOfFetchedMessages + BigInt(messages.length)
+				);
+
+				this.#receivingQueueToDecrypt.set(chatIdToString(chatId), [
+					...(this.#receivingQueueToDecrypt.get(chatIdToString(chatId)) || []),
+					...messages
+				]);
+			}
+		}
+	}
+
+	/**
+	 * Decrypt received messages and put into receiving queue
+	 */
+	async #decryptReceivedMessages(): Promise<void> {
+		if (this.#receivingQueueToDecrypt.size !== 0) {
+			console.log(
+				'#decryptReceivedMessages: decrypting',
+				this.#receivingQueueToDecrypt.size,
+				'messages'
+			);
+		}
+		for (const [chatIdStr, encryptedMessages] of this.#receivingQueueToDecrypt.entries()) {
+			for (const encryptedMessage of encryptedMessages) {
+				const decrypted = await this.#decryptMessage(chatIdStr, encryptedMessage);
+				this.#receivingQueueToDecrypt.get(chatIdStr)?.shift();
+				this.#receivingQueue.set(chatIdStr, [
+					...(this.#receivingQueue.get(chatIdStr) || []),
+					decrypted
+				]);
+			}
+			this.#receivingQueueToDecrypt.delete(chatIdStr);
+		}
+	}
+
+	async #decryptMessage(chatIdStr: string, encryptedMessage: EncryptedMessage): Promise<Message> {
+		console.log(
+			'#decryptMessage: decrypting',
+			encryptedMessage.metadata.chat_message_id.toString(),
+			'for chatId',
+			chatIdStr
+		);
+		for (let i = 0; i < 2; i++) {
+			try {
+				const decrypted = await this.#keyManager.decryptAtTimeAndEvolveIfNeeded(
+					chatIdStr,
+					encryptedMessage.metadata.sender,
+					encryptedMessage.metadata.sender_message_id,
+					encryptedMessage.metadata.vetkey_epoch,
+					new Uint8Array(encryptedMessage.content),
+					new Date(Number(encryptedMessage.metadata.timestamp / 1_000_000n))
+				);
+
+				return this.#parseMessage(chatIdStr, encryptedMessage.metadata, decrypted);
+			} catch (error) {
+				if (
+					i === 0 &&
+					!this.#keyManager.doesChatHaveRatchetStateForEpoch(
+						chatIdStr,
+						encryptedMessage.metadata.vetkey_epoch
+					)
+				) {
+					console.info(
+						`#decryptMessage: Failed to decrypt message ${encryptedMessage.metadata.chat_message_id.toString()}, trying again... Caught error: ${error instanceof Error ? error.message : 'Unknown error'}`
+					);
+					const ratchetState =
+						await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
+							chatIdFromString(chatIdStr),
+							encryptedMessage.metadata.vetkey_epoch
+						);
+					this.#keyManager.inductSymmetricRatchetState(
+						chatIdStr,
+						encryptedMessage.metadata.vetkey_epoch,
+						ratchetState
+					);
+				} else {
+					throw error;
+				}
+			}
+		}
+
+		throw Error('unreachable code');
+	}
+
+	#parseMessage(
+		chatIdStr: string,
+		metadata: EncryptedMessageMetadata,
+		decrypted: Uint8Array
+	): Message {
+		const json = JSON.parse(new TextDecoder().decode(decrypted)) as MessageContent;
+
+		return {
+			chatMessageId: metadata.chat_message_id.toString(),
+			chatId: chatIdStr,
+			senderId: metadata.sender.toText(),
+			content: json.textContent,
+			timestamp: new Date(Number(metadata.timestamp / 1_000_000n)),
+			type: 'text',
+			fileData: json.fileData,
+			vetkeyEpoch: Number(metadata.vetkey_epoch),
+			symmetricRatchetEpoch: Number(metadata.symmetric_key_epoch)
+		};
+	}
+
+	async #getFirstAccessibleMessageId(chatIdStr: string) {
+		const chatId = chatIdFromString(chatIdStr);
+		if ('Direct' in chatId) {
+			return 0n;
+		}
+
+		if (this.#firstAccessibleMessageId.has(chatIdStr)) {
+			return this.#firstAccessibleMessageId.get(chatIdStr)!;
+		}
+
+		const id = (await canisterAPI.firstAccessibleMessageId(getActor(), chatId.Group)) ?? 0n;
+		this.#firstAccessibleMessageId.set(chatIdStr, id);
+
+		return id;
+	}
+}
+
+class BackgroundWorker {
+	abortController: AbortController;
+
+	constructor() {
+		this.abortController = new AbortController();
+	}
+
+	async start(
+		receiverFunction: () => Promise<void>,
+		senderFunction: () => Promise<void>
+	): Promise<void> {
+		const sleep = (ms: number) => new Promise<void>((r) => setTimeout(r, ms));
+
+		const run = async (fn: () => Promise<void>) => {
+			while (!this.abortController.signal.aborted) {
+				try {
+					await fn();
+				} catch (error) {
+					console.error('Background worker error:', error);
+				}
+				if (this.abortController.signal.aborted) break;
+				await sleep(100);
+			}
+		};
+
+		const tasks = [run(receiverFunction), run(senderFunction)];
+
+		if (this.abortController.signal.aborted) {
+			await Promise.all(tasks);
+			return;
+		}
+
+		// Resolve after an abort signal and after both loops finish
+		await new Promise<void>((resolve) => {
+			this.abortController.signal.addEventListener('abort', () => resolve(), { once: true });
+		});
+
+		await Promise.all(tasks);
+	}
+}
+
+async function sendMessage(
+	actor: ActorSubclass<_SERVICE>,
+	chatId: ChatId,
+	vetKeyEpoch: bigint,
+	symmetricRatchetEpoch: bigint,
+	senderMessageId: bigint,
+	encryptedBytes: Uint8Array
+) {
+	// Create UserMessage for the canister
+	const userMessage = {
+		vetkey_epoch: vetKeyEpoch,
+		content: encryptedBytes,
+		symmetric_key_epoch: symmetricRatchetEpoch,
+		message_id: senderMessageId
+	};
+
+	// Send to canister using the appropriate method based on chat type
+	try {
+		if ('Direct' in chatId) {
+			const receiver =
+				getMyPrincipal().toText() === chatId.Direct[0].toText()
+					? chatId.Direct[1]
+					: chatId.Direct[0];
+			await canisterAPI.sendDirectMessage(actor, receiver, userMessage);
+		} else {
+			await canisterAPI.sendGroupMessage(actor, chatId.Group, userMessage);
+		}
+	} catch (e) {
+		if (e instanceof Error && e.message.toLowerCase().includes('wrong vetkey epoch')) {
+			throw new VetKeyEpochError(
+				e.message,
+				(await canisterAPI.getLatestVetKeyEpochMetadata(actor, chatId)).epoch_id
+			);
+		} else if (
+			e instanceof Error &&
+			e.message.toLowerCase().includes('wrong symmetric ratchet epoch')
+		) {
+			throw new SymmetricRatchetEpochError(e.message);
+		} else {
+			throw e;
+		}
+	}
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
index d37d38cb..30a1747a 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
@@ -1,36 +1,27 @@
-import { chatIdToString } from '$lib/utils';
-import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { storagePrefixes } from '../types';
 import { get, set } from 'idb-keyval';
 
 // IndexedDB storage service for persistent key data
 export class KeyStorageService {
 	async getSymmetricKeyState(
-		chat: ChatId,
-		vetKeyEpoch: bigint
+		chatIdStr: string,
+		vetKeyEpochStr: string
 	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint } | undefined> {
 		console.log(
-			`KeyStorageService: Getting key state for chat ${chatIdToString(chat)} vetkeyEpoch ${vetKeyEpoch.toString()}`
+			`KeyStorageService: Getting key state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}`
 		);
-		return await get([
-			storagePrefixes.CHAT_EPOCH_KEY_PREFIX,
-			chatIdToString(chat),
-			vetKeyEpoch.toString()
-		]);
+		return await get([storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdStr, vetKeyEpochStr]);
 	}
 
 	async saveSymmetricKeyState(
-		chat: ChatId,
-		vetKeyEpoch: bigint,
+		chatIdStr: string,
+		vetKeyEpochStr: string,
 		keyState: { key: CryptoKey; symmetricKeyEpoch: bigint }
 	) {
 		console.log(
-			`KeyStorageService: Saving key state for chat ${chatIdToString(chat)} vetkeyEpoch ${vetKeyEpoch.toString()}`
-		);
-		await set(
-			[storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdToString(chat), vetKeyEpoch.toString()],
-			keyState
+			`KeyStorageService: Saving key state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}`
 		);
+		await set([storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdStr, vetKeyEpochStr], keyState);
 	}
 
 	async saveIbeDecryptionKey(keyBytes: Uint8Array) {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/vetKeyResharingService.ts b/examples/encrypted_chat/frontend/src/lib/services/vetKeyResharingService.ts
new file mode 100644
index 00000000..5e486b5a
--- /dev/null
+++ b/examples/encrypted_chat/frontend/src/lib/services/vetKeyResharingService.ts
@@ -0,0 +1,122 @@
+import { chatIdToString } from '$lib/utils';
+import {
+	DerivedPublicKey,
+	IbeIdentity,
+	IbeSeed,
+	IbeCiphertext,
+	TransportSecretKey,
+	EncryptedVetKey
+} from '@dfinity/vetkeys';
+import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { keyStorageService } from './keyStorage';
+import type { Principal } from '@dfinity/principal';
+import { getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
+
+export class VetKeyResharingService {
+	constructor() {}
+
+	async reshareIbeEncryptedVetKeys(
+		chatId: ChatId,
+		vetkeyEpoch: bigint,
+		otherParticipants: Principal[],
+		vetKeyBytes: Uint8Array
+	): Promise<void> {
+		if (otherParticipants.length > 0) {
+			console.log(
+				'reshareIbeEncryptedVetkeys: ',
+				chatId,
+				vetkeyEpoch,
+				otherParticipants,
+				vetKeyBytes
+			);
+			// try to reshare with other participants
+			return await Promise.all(
+				otherParticipants.map(async (p) => {
+					const ibePublicKey = DerivedPublicKey.deserialize(
+						new Uint8Array(await getActor().get_vetkey_resharing_ibe_encryption_key(p))
+					);
+					const ibeIdentity = IbeIdentity.fromBytes(new Uint8Array());
+					const ibeSeed = IbeSeed.random();
+					const ibeCiphertext = IbeCiphertext.encrypt(
+						ibePublicKey,
+						ibeIdentity,
+						vetKeyBytes,
+						ibeSeed
+					);
+					const ibeCiphertextBytes = ibeCiphertext.serialize();
+					const result: [Principal, Uint8Array<ArrayBufferLike>] = [p, ibeCiphertextBytes];
+					return result;
+				})
+			).then(async (ibeEncryptedVetKeysPromise) => {
+				await getActor()
+					.reshare_ibe_encrypted_vetkeys(chatId, vetkeyEpoch, ibeEncryptedVetKeysPromise)
+					.then((result) => {
+						if ('Ok' in result) {
+							console.log(
+								`Successfully resharded IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}`
+							);
+						} else {
+							console.info(
+								`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}: `,
+								result.Err
+							);
+						}
+					});
+			});
+		} else {
+			console.log('no other participants to reshare vetKey with');
+		}
+	}
+
+	async fetchResharedIbeEncryptedVetKey(chatId: ChatId, vetkeyEpoch: bigint): Promise<Uint8Array> {
+		console.log('fetchResharedIbeEncryptedVetKeys: ', chatId, vetkeyEpoch, getMyPrincipal());
+		const tsk = TransportSecretKey.random();
+		const myResharedIbeEncryptedVetkey = await getActor().get_my_reshared_ibe_encrypted_vetkey(
+			chatId,
+			vetkeyEpoch
+		);
+		if ('Err' in myResharedIbeEncryptedVetkey) {
+			throw new Error(
+				'Failed to get my reshared IBE encrypted vetkey: ' + myResharedIbeEncryptedVetkey.Err
+			);
+		} else if (myResharedIbeEncryptedVetkey.Ok.length === 0) {
+			throw new Error('Failed to get my reshared IBE encrypted vetkey: no reshared vetkey');
+		}
+		const ibeCiphertext = IbeCiphertext.deserialize(
+			new Uint8Array(myResharedIbeEncryptedVetkey.Ok[0])
+		);
+
+		const publicIbeKeyBytes =
+			await getActor().get_vetkey_resharing_ibe_encryption_key(getMyPrincipal());
+		const publicIbeKey = DerivedPublicKey.deserialize(new Uint8Array(publicIbeKeyBytes));
+
+		const maybeIbeDecryptionKeyFromStorage = await keyStorageService.getIbeDecryptionKey();
+		// TODO:cache this key
+		const privateEncryptedIbeKeyBytes =
+			maybeIbeDecryptionKeyFromStorage ??
+			new Uint8Array(
+				await getActor().get_vetkey_resharing_ibe_decryption_key(tsk.publicKeyBytes())
+			);
+		if (!maybeIbeDecryptionKeyFromStorage) {
+			console.log(
+				`Saving IBE decryption key for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}`
+			);
+			keyStorageService
+				.saveIbeDecryptionKey(new Uint8Array(privateEncryptedIbeKeyBytes))
+				.catch((error) => {
+					console.error(
+						`Failed to save IBE decryption key for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}: `,
+						error
+					);
+				});
+		}
+
+		const encryptedVetKey = EncryptedVetKey.deserialize(
+			new Uint8Array(privateEncryptedIbeKeyBytes)
+		);
+		const privateIbeKey = encryptedVetKey.decryptAndVerify(tsk, publicIbeKey, new Uint8Array());
+
+		const ibePlaintext = ibeCiphertext.decrypt(privateIbeKey);
+		return ibePlaintext;
+	}
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
index ac3e972d..2b2334d0 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
@@ -1,6 +1,9 @@
 import { chatStorageService } from '$lib/services/chatStorage';
+import { HttpAgent, type ActorSubclass } from '@dfinity/agent';
 import { AuthClient } from '@dfinity/auth-client';
 import type { Principal } from '@dfinity/principal';
+import type { _SERVICE } from '../../declarations/encrypted_chat/encrypted_chat.did';
+import { createActor } from '../../declarations/encrypted_chat';
 
 if (import.meta.env.SSR || typeof window === 'undefined') {
 	const {
@@ -42,11 +45,7 @@ export type AuthState =
 			error: string;
 	  };
 
-export type AuthStateWrapper = {
-	state: AuthState;
-};
-
-export const auth = $state<AuthStateWrapper>({
+export const auth = $state<{ state: AuthState }>({
 	state: { label: 'initializing-auth' }
 });
 
@@ -106,3 +105,22 @@ export function getMyPrincipal(): Principal {
 	if (auth.state.label !== 'initialized') throw new Error('Unexpectedly not authenticated');
 	return auth.state.client.getIdentity().getPrincipal();
 }
+
+export function getActor(): ActorSubclass<_SERVICE> {
+	if (auth.state.label === 'initialized') {
+		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp-api.io' : 'http://localhost:8000';
+		const shouldFetchRootKey = process.env.DFX_NETWORK !== 'ic';
+		const agent = HttpAgent.createSync({
+			identity: auth.state.client.getIdentity(),
+			fetch,
+			host,
+			shouldFetchRootKey
+		});
+		if (!process.env.CANISTER_ID_ENCRYPTED_CHAT) {
+			throw new Error('CANISTER_ID_ENCRYPTED_CHAT is not set');
+		}
+		return createActor(process.env.CANISTER_ID_ENCRYPTED_CHAT, { agent });
+	} else {
+		throw new Error('Not authenticated');
+	}
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 8399b1c7..58761072 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -3,46 +3,19 @@ import {
 	type Message,
 	type UserConfig,
 	type Notification,
-	type SymmetricRatchetStats,
-	EncryptedCacheManager as EncryptedCacheManager
+	type SymmetricRatchetStats
 } from '../types';
 import { canisterAPI } from '../services/canisteApi';
 import { chatStorageService } from '../services/chatStorage';
 import { SvelteDate } from 'svelte/reactivity';
-import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
-import { createActor } from '../../declarations/encrypted_chat';
-import { HttpAgent, type ActorSubclass } from '@dfinity/agent';
-import fetch from 'isomorphic-fetch';
+import { auth, getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
 import type {
-	_SERVICE,
 	ChatId,
-	EncryptedMessage,
-	VetKeyEpochMetadata,
-	UserMessage,
 	GroupModification
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
-import { SvelteMap } from 'svelte/reactivity';
-import {
-	chatIdFromString,
-	chatIdsNumMessagesToSummary,
-	chatIdToString,
-	chatIdVetKeyEpochFromString,
-	chatIdVetKeyEpochToString,
-	randomSenderMessageId,
-	stringifyBigInt
-} from '$lib/utils';
-import {
-	encryptMessageContent,
-	decryptMessageContent,
-	fetchResharedIbeEncryptedVetKeys,
-	chatIdStringToEpochKeyState,
-	deriveRootKeyAndDispatchCaching,
-	ensureSymmetricKeyState,
-	reshareIbeEncryptedVetKeys,
-	importKeyFromBytes as importKeyStateFromBytes
-} from './crypto.svelte';
-import { keyStorageService } from '$lib/services/keyStorage';
+import { chatIdFromString, chatIdToString } from '$lib/utils';
+import { EncryptedMessagingService } from '$lib/services/encryptedMessagingService';
 
 export const chats = $state<{ state: Chat[] }>({ state: [] });
 export const selectedChatId = $state<{ state: ChatId | null }>({ state: null });
@@ -53,29 +26,7 @@ export const isBlocked = $state({ state: false });
 export const availableChats = $state({ state: [] });
 export const messages = $state<{ state: Record<string, Message[]> }>({ state: {} });
 
-type VetKeyEpochMetadataState =
-	| { status: 'missing' }
-	| { status: 'loading'; promise: Promise<VetKeyEpochMetadata> }
-	| { status: 'ready'; metadata: VetKeyEpochMetadata }
-	| { status: 'error'; error: string };
-
-const chatIdVetKeyEpochStringToVetKeyEpochMetadata = new SvelteMap<
-	string,
-	VetKeyEpochMetadataState
->();
-
-// eslint-disable-next-line svelte/prefer-svelte-reactivity
-const chatIdStringToNumberOfMessagesIs = new Map<string, bigint>();
-export const chatIdStringToNumberOfMessagesShould = new SvelteMap<string, bigint>();
-
-export function getNumberOfMessagesIs(chatId: ChatId): bigint | undefined {
-	const chatIdStr = chatIdToString(chatId);
-	return chatIdStringToNumberOfMessagesIs.get(chatIdStr);
-}
-
-export function getChatIds(): ChatId[] {
-	return chats.state.map((c) => chatIdFromString(c.idStr));
-}
+const encryptedMessagingService = new EncryptedMessagingService();
 
 export function initVetKeyReactions() {
 	$effect.root(() => {
@@ -88,128 +39,21 @@ export function initVetKeyReactions() {
 					console.error('Failed to save chat:', error);
 				});
 			}
-		});
-
-		$effect(() => {
-			console.log('Running vetKey loader $effect...');
-			if (auth.state.label !== 'initialized') return;
-
-			for (const chat of chats.state) {
-				const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(
-					chatIdFromString(chat.idStr),
-					BigInt(chat.vetKeyEpoch)
-				);
-				const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
-				if (meta?.status === 'ready' || meta?.status === 'loading') {
-					console.log(
-						'chatIdVetKeyEpochStringToVetKeyEpochMetadata already has or loading ',
-						chatIdVetKeyEpochStr,
-						' -- skipping'
-					);
-					continue;
-				}
-				const actor = getActor();
-				if (!actor) throw new Error('Not authenticated');
 
-				if (meta?.status !== 'error') {
-					console.log(
-						'chatIdVetKeyEpochStringToVetKeyEpochMetadata missing ',
-						chatIdVetKeyEpochStr,
-						' -- adding a promise to fetch it'
-					);
-					chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
-						status: 'loading',
-						promise: canisterAPI.getLatestVetKeyEpochMetadata(actor, chatIdFromString(chat.idStr))
-					});
-				}
-
-				console.log(
-					'chatIdVetKeyEpochStringToVetKeyEpochMetadata loading ',
-					chatIdVetKeyEpochToString(chatIdFromString(chat.idStr), BigInt(chat.vetKeyEpoch))
-				);
-				ensureVetKeyEpochMetadata(chatIdFromString(chat.idStr), BigInt(chat.vetKeyEpoch)).catch(
-					(error) => {
-						console.error(
-							`Failed to get vetkey epoch metadata for chat ${chat.idStr} and vetkey epoch ${chat.vetKeyEpoch}: `,
-							error
-						);
-					}
-				);
-			}
-		});
-
-		$effect(() => {
-			console.log('Running metadata to key state $effect...');
-			if (auth.state.label !== 'initialized') return;
-
-			for (const chatIdStrVetKeyEpoch of chatIdVetKeyEpochStringToVetKeyEpochMetadata.keys()) {
-				if (chatIdStringToEpochKeyState.has(chatIdStrVetKeyEpoch)) {
-					console.log(
-						'chatIdStringToEpochKeyState already has ',
-						chatIdStrVetKeyEpoch,
-						' -- skipping'
-					);
-				} else {
-					console.log(
-						'chatIdStringToEpochKeyState has no entry for ',
-						chatIdStrVetKeyEpoch,
-						' -- adding a missing entry'
-					);
-					chatIdStringToEpochKeyState.set(chatIdStrVetKeyEpoch, {
-						status: 'missing'
-					});
-				}
-			}
-		});
-
-		$effect(() => {
-			console.log('Running ensureEpochKey $effect...');
-			if (auth.state.label !== 'initialized') return;
-			const actor = getActor();
-			if (!actor) throw new Error('Not authenticated');
-
-			for (const [chatIdStrVetKeyEpoch, state] of chatIdStringToEpochKeyState.entries()) {
-				if (state.status !== 'missing') {
-					console.log(
-						'chatIdStringToEpochKeyState already has ',
-						chatIdStrVetKeyEpoch,
-						'with status',
-						state.status,
-						' -- skipping'
-					);
-					continue;
-				}
-				console.log(
-					'Running ensureEpochKey $effect for chatIdStrVetKeyEpoch: ',
-					chatIdStrVetKeyEpoch
-				);
-				const { chatId, vetKeyEpoch } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
-
-				const cryptoKeyStatePromise = getCryptoKeyStateAndIfNeededReshareAndCache(
-					chatId,
-					vetKeyEpoch
-				);
-
-				console.log('chatIdStringToEpochKeyState loading ', chatIdStrVetKeyEpoch, vetKeyEpoch);
-				chatIdStringToEpochKeyState.set(chatIdStrVetKeyEpoch, {
-					status: 'loading',
-					promise: cryptoKeyStatePromise.then((keyState) => {
-						ensureSymmetricKeyState(chatId, vetKeyEpoch).catch((error) => {
-							console.error(
-								`Failed to get epoch key for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
-								error
-							);
-						});
-						return keyState;
-					})
-				});
-			}
+			// for (const [_chatIdStr, messagesArray] of messages.state.entries() {
+			// 	for (const message of messagesArray) {
+			// 		chatStorageService.saveMessage(message).catch((error) => {
+			// 			console.error('Failed to save message:', error);
+			// 		});
+			// 	}
+			// }
 		});
 	});
 }
 
-export const chatActions = {
+export const chatUIActions = {
 	async initialize() {
+		console.log('chatActions.initialize');
 		isLoading.state = true;
 
 		try {
@@ -234,11 +78,17 @@ export const chatActions = {
 					' messages from indexedDB for chat ',
 					chat.idStr
 				);
-				chatIdStringToNumberOfMessagesIs.set(chat.idStr, BigInt(chatMessages.length));
-				chatIdStringToNumberOfMessagesShould.set(chat.idStr, BigInt(chatMessages.length));
+				if (chatMessages.length !== 0) {
+					encryptedMessagingService.skipMessagesAvailableLocally(
+						chatIdFromString(chat.idStr),
+						BigInt(chatMessages[chatMessages.length - 1].chatMessageId) + 1n
+					);
+				}
 				messages.state[chat.idStr] = [...chatMessages];
 			}
 
+			encryptedMessagingService.start();
+
 			await this.refreshChats();
 
 			// Set up periodic cleanup
@@ -247,7 +97,7 @@ export const chatActions = {
 			//	}, 60000);
 		} catch (error) {
 			console.error('Failed to initialize chat:', error);
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'error',
 				title: 'Initialization Error',
 				message: 'Failed to load chat data. Please refresh the page.',
@@ -259,123 +109,87 @@ export const chatActions = {
 	},
 
 	async refreshChats() {
-		const actor = getActor();
-		if (actor) {
-			const chatIds = await actor.get_my_chat_ids();
-			// eslint-disable-next-line svelte/prefer-svelte-reactivity
-			const newChatIds = new Set<ChatId>();
-			for (const [chatId, numMessages] of chatIds) {
-				const numMessagesShould = chatIdStringToNumberOfMessagesShould.get(chatIdToString(chatId));
-				if (!numMessagesShould) {
-					newChatIds.add(chatId);
-				}
-				if (!numMessagesShould || numMessagesShould !== numMessages) {
-					console.log(
-						`refreshChats: setting numberOfMessagesShould for chat ${chatIdToString(chatId)} from ${numMessagesShould} to ${numMessages}`
-					);
-					chatIdStringToNumberOfMessagesShould.set(chatIdToString(chatId), numMessages);
-				}
-			}
-			const summary = chatIdsNumMessagesToSummary(chatIds);
-			console.log('fetched ' + chatIds.length + ' chats: ' + summary);
-			// eslint-disable-next-line svelte/prefer-svelte-reactivity
-			const firstAccessibleMessageIds = new Map<ChatId, bigint>();
-			for (const [chatId] of chatIds) {
-				if (newChatIds.has(chatId)) {
-					if ('Group' in chatId) {
-						const firstAccessibleMessageId = await canisterAPI.firstAccessibleMessageId(
-							actor,
-							chatId.Group
-						);
-						if (firstAccessibleMessageId) {
-							firstAccessibleMessageIds.set(chatId, firstAccessibleMessageId);
-						}
-					}
-					const metadata = await canisterAPI.getLatestVetKeyEpochMetadata(actor, chatId);
-					const vetKeyEpochStr = chatIdVetKeyEpochToString(chatId, metadata.epoch_id);
-					if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(vetKeyEpochStr)) {
-						chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(
-							chatIdVetKeyEpochToString(chatId, metadata.epoch_id),
-							{
-								status: 'ready',
-								metadata
-							}
-						);
-					}
-				}
-			}
+		console.log('refreshChats');
+		const currentChatIds = encryptedMessagingService.getCurrentChatIds();
 
-			for (const [
-				chatIdStrVetKeyEpoch,
-				meta
-			] of chatIdVetKeyEpochStringToVetKeyEpochMetadata.entries()) {
-				const { chatId, vetKeyEpoch } = chatIdVetKeyEpochFromString(chatIdStrVetKeyEpoch);
-				const chatIdStr = chatIdToString(chatId);
+		const chatsToRemoveFromUi = chats.state.filter(
+			(c) => !currentChatIds.find((chatId) => chatIdToString(chatId) === c.idStr)
+		);
+		if (chatsToRemoveFromUi.length > 0) {
+			for (const chat of chatsToRemoveFromUi) {
+				await chatStorageService.deleteChat(chat.idStr);
+			}
+			console.log(
+				'refreshChats: removing chats ',
+				chatsToRemoveFromUi.map((c) => c.idStr),
+				' from chats.state ',
+				chats.state.map((c) => c.idStr),
+				' because in currentChatIds from encryptedMessagingService we have ',
+				currentChatIds.map((c) => chatIdToString(c))
+			);
+			chats.state = chats.state.filter((c) => currentChatIds.includes(chatIdFromString(c.idStr)));
+		}
+		const chatsToAddToUi = currentChatIds.filter(
+			(chatId) => !chats.state.find((chat) => chat.idStr === chatIdToString(chatId))
+		);
 
-				if (chats.state.find((c) => c.idStr === chatIdStr)) {
-					console.log('refreshChats: chat already exists -- skipping:', chatIdStr);
-					continue;
-				}
+		for (const chatId of chatsToAddToUi) {
+			const chatIdStr = chatIdToString(chatId);
+			console.log('refreshChats: adding chat ', chatIdStr);
 
-				const participants = meta.status === 'ready' ? meta.metadata.participants : undefined;
-				if (!participants) {
-					console.error('Failed to get participants for chat:', chatId);
-					continue;
-				}
-				const myPrincipalText = getMyPrincipal().toText();
-				const isGroup = 'Group' in chatId;
-				const name = isGroup
-					? `Group: ${shortenId(String(chatId.Group.toString()))}`
-					: participants[0].toString() === participants[1].toString()
-						? 'Note to Self'
-						: `Direct: ${participants.find((p) => p.toString() !== myPrincipalText)?.toString()}`;
-				const now = new SvelteDate();
+			if (chats.state.find((c) => c.idStr === chatIdStr)) {
+				continue;
+			}
 
-				const chat: Chat = {
-					idStr: chatIdStr,
-					name,
-					type: isGroup ? 'group' : 'direct',
-					participants: participants.map((p) => ({
-						principal: p,
-						name: myPrincipalText === p.toText() ? 'Me' : p.toText(),
-						avatar: '👤',
-						isOnline: true
-					})),
-					lastMessage: undefined,
-					lastActivity: now,
-					isReady: true,
-					isUpdating: false,
-					disappearingMessagesDuration: 0,
-					keyRotationStatus: buildDummyRotationStatus(),
-					vetKeyEpoch: Number(vetKeyEpoch),
-					symmetricRatchetEpoch: 0,
-					unreadCount: 0,
-					avatar: isGroup ? '👥' : '👤',
-					firstAccessibleMessageId: Number(firstAccessibleMessageIds.get(chatId) ?? 0n)
-				};
+			const vetKeyEpochMetadata = await canisterAPI.getLatestVetKeyEpochMetadata(
+				getActor(),
+				chatId
+			);
 
-				if (!chats.state.find((c) => c.idStr === chatIdStr)) {
-					chats.state.push(chat);
-				} else if (
-					chats.state.find(
-						(c) =>
-							c.idStr === chatIdStr &&
-							c.vetKeyEpoch !== Number(meta.status === 'ready' ? meta.metadata.epoch_id : 0n)
-					)
-				) {
-					const pos = chats.state.findIndex(
-						(c) =>
-							c.idStr === chatIdStr &&
-							c.vetKeyEpoch !== Number(meta.status === 'ready' ? meta.metadata.epoch_id : 0n)
-					);
-					chats.state[pos] = chat;
-				} else {
-					continue;
-				}
+			const isGroup = 'Group' in chatId;
+			const firstAccessibleMessageId = isGroup
+				? await canisterAPI.firstAccessibleMessageId(getActor(), chatId.Group)
+				: 0n;
 
-				// Initialize empty messages cache; we lazy-load on demand
-				if (!messages.state[chatIdStr]) messages.state[chatIdStr] = [];
+			const participants = vetKeyEpochMetadata.participants;
+			if (!participants) {
+				console.error('Failed to get participants for chat:', chatId);
+				continue;
 			}
+			const myPrincipalText = getMyPrincipal().toText();
+			const name = isGroup
+				? `Group: ${shortenId(String(chatId.Group.toString()))}`
+				: participants[0].toString() === participants[1].toString()
+					? 'Note to Self'
+					: `Direct: ${participants.find((p) => p.toString() !== myPrincipalText)?.toString()}`;
+			const now = new SvelteDate();
+
+			const chat: Chat = {
+				idStr: chatIdStr,
+				name,
+				type: isGroup ? 'group' : 'direct',
+				participants: participants.map((p) => ({
+					principal: p,
+					name: myPrincipalText === p.toText() ? 'Me' : p.toText(),
+					avatar: '👤',
+					isOnline: true
+				})),
+				lastMessage: undefined,
+				lastActivity: now,
+				isReady: true,
+				isUpdating: false,
+				disappearingMessagesDuration: 0,
+				keyRotationStatus: buildDummyRotationStatus(),
+				vetKeyEpoch: Number(vetKeyEpochMetadata.epoch_id),
+				symmetricRatchetEpoch: 0,
+				unreadCount: 0,
+				avatar: isGroup ? '👥' : '👤',
+				firstAccessibleMessageId: Number(firstAccessibleMessageId)
+			};
+			chats.state.push(chat);
+
+			// Initialize empty messages cache; we lazy-load on demand
+			if (!messages.state[chatIdStr]) messages.state[chatIdStr] = [];
 		}
 	},
 
@@ -388,280 +202,36 @@ export const chatActions = {
 		);
 	},
 
-	async loadChatMessages(chatId: ChatId, numMessagesIs: bigint | undefined) {
-		console.log('loadChatMessages:', chatIdToString(chatId));
-		try {
-			const chatIdStr = chatIdToString(chatId);
+	async loadChatMessages() {
+		const newMessages = encryptedMessagingService.takeReceivedMessages();
+		console.log(
+			'loadChatMessages: encryptedMessagingService.takeReceivedMessages() ',
+			newMessages.size,
+			'messages'
+		);
+		for (const [chatIdStr, messagesArray] of newMessages.entries()) {
 			const chat = chats.state.find((c) => c.idStr === chatIdStr);
 			if (!chat) {
-				console.error('loadChatMessages: chat not found:', chatIdStr);
+				console.error('Bug in loadChatMessages: chat not found for a new message: ', chatIdStr);
 				return;
 			}
-			const vetKeyEpoch = BigInt(chat.vetKeyEpoch);
-			const lastMessageId =
-				BigInt(chat.firstAccessibleMessageId) + (numMessagesIs ? numMessagesIs : 0n);
-			const actor = getActor();
-			if (!actor) return;
-			const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, vetKeyEpoch);
-			const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
-			if (!meta) {
-				console.error(
-					'loadChatMessages: Failed to get vetkey epoch metadata for chat and vetkey epoch:',
-					chatIdVetKeyEpochStr
-				);
-				return;
-			}
-			const enc = await canisterAPI.fetchEncryptedMessages(actor, chatId, lastMessageId, undefined);
-			const mapped: Message[] = [];
-			for (let i = 0; i < enc.length; i++) {
-				try {
-					console.log(
-						`decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${enc[i].metadata.vetkey_epoch.toString()} symmetricKeyEpoch: ${enc[i].metadata.symmetric_key_epoch.toString()} sender: ${enc[i].metadata.sender.toText()} userMessageId: ${enc[i].metadata.sender_message_id.toString()} messageId: ${enc[i].metadata.chat_message_id.toString()}`
-					);
-					const plaintextMessageContent = await decryptMessageContent(
-						chatId,
-						BigInt(enc[i].metadata.vetkey_epoch),
-						BigInt(enc[i].metadata.symmetric_key_epoch),
-						enc[i].metadata.sender,
-						new Uint8Array(enc[i].content),
-						enc[i].metadata.sender_message_id
-					);
-					enc[i].content = plaintextMessageContent;
-					mapped.push(toUiMessage(chatIdToString(chatId), enc[i]));
-				} catch (error) {
-					if (error instanceof Error && error.message.startsWith('Wrong vetKey epoch')) {
-						console.info(
-							"Can't decrypt messages at or earlier than vetkey epoch ",
-							enc[i].metadata.vetkey_epoch,
-							' for chat ',
-							chatIdStr,
-							': ',
-							error
-						);
-					} else {
-						console.error(
-							'loadChatMessages: Failed to decrypt message ',
-							enc[i].metadata.sender_message_id,
-							' for chat ',
-							chatIdStr,
-							': ',
-							error
-						);
-					}
-				}
-			}
-			if (mapped.length !== 0) {
-				console.log('loadChatMessages: mapped:', stringifyBigInt(mapped));
-			} else {
-				console.log('loadChatMessages: no messages loaded for chat:', chatIdStr);
-			}
-			{
-				// eslint-disable-next-line svelte/prefer-svelte-reactivity
-				const ids = new Set<string>();
-				for (const m of messages.state[chatIdStr]) {
-					if (ids.has(m.chatMessageId.toString())) {
-						console.error(
-							'loadChatMessages: before adding messages, duplicate id for chat ',
-							chatIdStr,
-							' in messages:',
-							m.chatMessageId.toString(),
-							m.content
-						);
-					}
-					ids.add(m.chatMessageId.toString());
-				}
-			}
 
-			// Filter out messages that already exist in the state to prevent duplicates
-			const existingMessageIds = messages.state[chatIdStr].map((m) => m.chatMessageId);
-			const newMessages = mapped.filter((m) => !existingMessageIds.includes(m.chatMessageId));
+			for (const m of messagesArray) await chatStorageService.saveMessage(m);
 
-			// Reassign to trigger reactivity for consumers relying on identity changes
 			messages.state = {
 				...messages.state,
-				[chatIdStr]: [...messages.state[chatIdStr], ...newMessages]
+				[chatIdStr]: [...messages.state[chatIdStr], ...messagesArray]
 			};
-			// check there are no duplicate ids in the messages
-
-			{
-				// eslint-disable-next-line svelte/prefer-svelte-reactivity
-				const ids = new Set<string>();
-				for (const m of messages.state[chatIdStr]) {
-					if (ids.has(m.chatMessageId.toString())) {
-						console.error(
-							'loadChatMessages: after adding messages, duplicate id for chat ',
-							chatIdStr,
-							' in messages:',
-							m.chatMessageId.toString(),
-							m.content
-						);
-					}
-					ids.add(m.chatMessageId.toString());
-				}
-			}
-
-			if (newMessages.length !== 0) {
-				const pos = chats.state.findIndex((c) => c.idStr === chatIdStr);
-				const lastMessageBefore = chats.state[pos].lastMessage;
-				chats.state[pos].lastMessage = newMessages[newMessages.length - 1];
-				chatIdStringToNumberOfMessagesIs.set(
-					chat.idStr,
-					BigInt(newMessages[newMessages.length - 1].chatMessageId) + 1n
-				);
-				const lastMessageAfter = chats.state[pos].lastMessage;
-				if (
-					lastMessageBefore &&
-					lastMessageAfter &&
-					lastMessageBefore.chatMessageId === lastMessageAfter.chatMessageId
-				) {
-					console.log('loadChatMessages: last message is the same:', chatIdStr);
-				} else {
-					console.log(
-						`loadChatMessages: loaded ${newMessages.length} new messages for chat ${chatIdStr} (${mapped.length} total, ${mapped.length - newMessages.length} duplicates filtered). Old last message id: ${lastMessageBefore?.chatMessageId.toString()}, new last message id: ${lastMessageAfter?.chatMessageId.toString()}`
-					);
-				}
-			} else if (mapped.length !== 0) {
-				console.log(
-					`loadChatMessages: all ${mapped.length} messages for chat ${chatIdStr} were already present in state`
-				);
-			}
-			for (const m of newMessages) await chatStorageService.saveMessage(m);
-		} catch (error) {
-			console.error('Failed to load messages:', error);
-			chatActions.addNotification({
-				type: 'error',
-				title: 'Load Error',
-				message: 'Failed to load messages for this chat.',
-				isDismissible: true
-			});
 		}
 	},
 
-	async encryptAndSendMessage(
+	enqueueEncryptAndSendMessage(
 		chatId: ChatId,
-		content: string,
+		textContent: string,
 		fileData?: { name: string; size: number; type: string; data: ArrayBuffer }
 	) {
-		const actor = getActor();
-		if (!actor) throw new Error('Not authenticated');
-
-		let repetitions = 0;
-		const MAX_RETRIES = 100;
-
-		const senderMessageId = randomSenderMessageId();
-
-		// reencrypt and resend the message if vetkey or symmetric key epoch has changed
-		while (repetitions < MAX_RETRIES) {
-			const myPrincipal = getMyPrincipal();
-
-			try {
-				// get the latest vetkey epoch metadata from chats
-				const currentVetKeyEpoch =
-					chats.state.find((c) => c.idStr === chatIdToString(chatId))?.vetKeyEpoch ?? 0n;
-				console.log('encryptAndSendMessage: currentVetKeyEpoch:', currentVetKeyEpoch);
-
-				const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(currentVetKeyEpoch));
-
-				const vetKeyEpochMeta =
-					chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
-				if (vetKeyEpochMeta?.status !== 'ready') {
-					throw new Error('Failed to get vetkey epoch metadata for chat: ' + chatIdVetKeyEpochStr);
-				}
-				const vetKeyEpochId = vetKeyEpochMeta.metadata.epoch_id;
-				const elapsedSinceVetKeyEpoch =
-					BigInt(Date.now()) * 1_000_000n - vetKeyEpochMeta.metadata.creation_timestamp;
-				const symmetricKeyEpoch =
-					elapsedSinceVetKeyEpoch / vetKeyEpochMeta.metadata.symmetric_key_rotation_duration;
-
-				const messageContent = JSON.stringify({ content, fileData });
-				const encryptedMessageContent = await encryptMessageContent(
-					chatId,
-					vetKeyEpochId,
-					symmetricKeyEpoch,
-					myPrincipal,
-					new TextEncoder().encode(messageContent),
-					senderMessageId
-				);
-
-				const message: UserMessage = {
-					vetkey_epoch: vetKeyEpochId,
-					content: encryptedMessageContent,
-					symmetric_key_epoch: symmetricKeyEpoch,
-					message_id: senderMessageId
-				};
-
-				if ('Direct' in chatId) {
-					const receiver =
-						chatId.Direct[0].toString() === myPrincipal.toString()
-							? chatId.Direct[1]
-							: chatId.Direct[0];
-					await canisterAPI.sendDirectMessage(actor, receiver, message);
-				} else {
-					await canisterAPI.sendGroupMessage(actor, chatId.Group, message);
-				}
-				break;
-			} catch (error) {
-				if (
-					error instanceof Error &&
-					error.message.toLowerCase().startsWith('Wrong symmetric key epoch')
-				) {
-					console.info(
-						`Retrying failed to send message - wrong symmetric key epoch in message: ${error.message}`
-					);
-					await new Promise((resolve) => setTimeout(resolve, 100));
-					repetitions++;
-					continue;
-				} else if (
-					error instanceof Error &&
-					error.message.toLowerCase().startsWith('wrong vetKey epoch')
-				) {
-					console.info(
-						`Retrying failed to send message - wrong vetKey key epoch in message: ${error.message}`
-					);
-
-					const metadata = await canisterAPI.getLatestVetKeyEpochMetadata(actor, chatId);
-					const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, BigInt(metadata.epoch_id));
-					if (!chatIdVetKeyEpochStringToVetKeyEpochMetadata.has(chatIdVetKeyEpochStr)) {
-						console.log(
-							'chatIdVetKeyEpochStringToVetKeyEpochMetadata missing ',
-							chatIdVetKeyEpochStr,
-							' -- adding a promise to fetch it'
-						);
-						chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
-							status: 'ready',
-							metadata
-						});
-					}
-					const pos = chats.state.findIndex((c) => c.idStr === chatIdToString(chatId));
-					chats.state[pos].vetKeyEpoch = Number(metadata.epoch_id);
-					await new Promise((resolve) => setTimeout(resolve, 100));
-					repetitions++;
-					continue;
-				} else if (
-					error instanceof Error &&
-					error.message === 'Epoch key is not ready for symmetric ratchet'
-				) {
-					console.log('Waiting for epoch key to be ready for symmetric ratchet: ', error.message);
-					await new Promise((resolve) => setTimeout(resolve, 100));
-					repetitions++;
-					continue;
-				} else if (repetitions >= MAX_RETRIES) {
-					console.error('Failed to send message after ', MAX_RETRIES, ' retries:', error);
-					chatActions.addNotification({
-						type: 'error',
-						title: 'Send Error',
-						message: 'Failed to send message. Please try again.',
-						isDismissible: true
-					});
-					break;
-				} else {
-					console.error('Retrying failed to send message: ', error);
-					await new Promise((resolve) => setTimeout(resolve, 100));
-					repetitions++;
-					continue;
-				}
-			}
-		}
+		const messageContent = JSON.stringify({ textContent, fileData });
+		encryptedMessagingService.enqueueSendMessage(chatId, messageContent);
 	},
 
 	rotateKeys(chatId: string) {
@@ -690,7 +260,7 @@ export const chatActions = {
 					: chat
 			);
 
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'success',
 				title: 'Keys Rotated',
 				message: 'Chat encryption keys have been successfully rotated.',
@@ -705,7 +275,7 @@ export const chatActions = {
 				chat.idStr === chatId ? { ...chat, isUpdating: false } : chat
 			);
 
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'error',
 				title: 'Key Rotation Failed',
 				message: 'Failed to rotate encryption keys. Please try again.',
@@ -735,7 +305,7 @@ export const chatActions = {
 		// Auto-dismiss if duration is set
 		if (notification.duration) {
 			setTimeout(() => {
-				chatActions.dismissNotification(id);
+				chatUIActions.dismissNotification(id);
 			}, notification.duration);
 		}
 	},
@@ -750,26 +320,24 @@ export const chatActions = {
 		expirationMinutes: number
 	) {
 		try {
-			const actor = getActor();
-			if (!actor) throw new Error('Not authenticated');
 			const receiver = Principal.fromText(receiverPrincipalText.trim());
 			await canisterAPI.createDirectChat(
-				actor,
+				getActor(),
 				receiver,
 				BigInt(Math.max(0, Math.trunc(rotationMinutes))),
 				BigInt(Math.max(0, Math.trunc(expirationMinutes)))
 			);
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'success',
 				title: 'Chat Created',
 				message: 'Direct chat created successfully.',
 				isDismissible: true,
 				duration: 3000
 			});
-			await chatActions.refreshChats();
+			await chatUIActions.refreshChats();
 		} catch (error) {
 			console.error('Failed to create direct chat:', error);
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'error',
 				title: 'Create Chat Failed',
 				message: 'Failed to create direct chat. Check the Principal and try again.',
@@ -784,29 +352,27 @@ export const chatActions = {
 		expirationMinutes: number
 	) {
 		try {
-			const actor = getActor();
-			if (!actor) throw new Error('Not authenticated');
 			const participants = participantPrincipalTexts
 				.map((t) => t.trim())
 				.filter(Boolean)
 				.map((t) => Principal.fromText(t));
 			const meta = await canisterAPI.createGroupChat(
-				actor,
+				getActor(),
 				participants,
 				BigInt(Math.max(0, Math.trunc(rotationMinutes))),
 				BigInt(Math.max(0, Math.trunc(expirationMinutes)))
 			);
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'success',
 				title: 'Group Created',
 				message: `Group chat #${meta.chat_id.toString()} created successfully.`,
 				isDismissible: true,
 				duration: 3000
 			});
-			await chatActions.refreshChats();
+			await chatUIActions.refreshChats();
 		} catch (error) {
 			console.error('Failed to create group chat:', error);
-			chatActions.addNotification({
+			chatUIActions.addNotification({
 				type: 'error',
 				title: 'Create Group Failed',
 				message: 'Failed to create group chat. Check the Principals and try again.',
@@ -826,13 +392,11 @@ export const chatActions = {
 		if ('Direct' in chatId) {
 			throw new Error('updateGroupMembers: chatId is a direct chat');
 		}
-		const actor = getActor();
-		if (!actor) throw new Error('Not authenticated');
 		const modification: GroupModification = {
 			remove_participants: removeUsers,
 			add_participants: addUsers
 		};
-		const result = await actor.modify_group_chat_participants(chatId.Group, modification);
+		const result = await getActor().modify_group_chat_participants(chatId.Group, modification);
 		if ('Ok' in result) {
 			console.log(
 				`Group ${chatIdToString(chatId)} updated: +${addUsers.length}, -${removeUsers.length}, history: ${allowHistoryForNew}`
@@ -843,25 +407,6 @@ export const chatActions = {
 	}
 };
 
-function getActor(): ActorSubclass<_SERVICE> | undefined {
-	if (auth.state.label === 'initialized') {
-		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp-api.io' : 'http://localhost:8000';
-		const shouldFetchRootKey = process.env.DFX_NETWORK !== 'ic';
-		const agent = HttpAgent.createSync({
-			identity: auth.state.client.getIdentity(),
-			fetch,
-			host,
-			shouldFetchRootKey
-		});
-		if (!process.env.CANISTER_ID_ENCRYPTED_CHAT) {
-			throw new Error('CANISTER_ID_ENCRYPTED_CHAT is not set');
-		}
-		return createActor(process.env.CANISTER_ID_ENCRYPTED_CHAT, { agent });
-	} else {
-		return undefined;
-	}
-}
-
 function shortenId(id: string): string {
 	return id.length > 8 ? `${id.slice(0, 6)}…${id.slice(-2)}` : id;
 }
@@ -875,212 +420,7 @@ function buildDummyRotationStatus() {
 	};
 }
 
-function toUiMessage(chatIdStr: string, m: EncryptedMessage): Message {
-	const senderPrincipal = m.metadata.sender.toText();
-	const currentPrincipal =
-		auth.state.label === 'initialized'
-			? auth.state.client.getIdentity().getPrincipal().toString()
-			: undefined;
-	const senderId =
-		currentPrincipal && senderPrincipal === currentPrincipal
-			? getMyPrincipal().toString()
-			: senderPrincipal;
-	const contentStr = new TextDecoder().decode(new Uint8Array(m.content));
-	const contentTyped = JSON.parse(contentStr) as {
-		content: string;
-		fileData?: { name: string; size: number; type: string; data: ArrayBuffer };
-	};
-	return {
-		chatMessageId: m.metadata.chat_message_id.toString(),
-		chatId: chatIdStr,
-		senderId,
-		content: contentTyped.content,
-		timestamp: new SvelteDate(Number(m.metadata.timestamp / BigInt(1_000_000))),
-		type: 'text',
-		isEncrypted: true,
-		vetkeyEpoch: Number(m.metadata.vetkey_epoch),
-		symmetricRatchetEpoch: Number(m.metadata.symmetric_key_epoch)
-	};
-}
-
-async function ensureVetKeyEpochMetadata(chatId: ChatId, vetKeyEpoch: bigint) {
-	const chatIdVetKeyEpochStr = chatIdVetKeyEpochToString(chatId, vetKeyEpoch);
-	console.log('ensureVetKeyEpochMetadata', chatIdVetKeyEpochStr);
-	const cur = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdVetKeyEpochStr);
-
-	const actor = getActor();
-	if (!actor) throw new Error('Not authenticated');
-
-	if (cur?.status === 'loading') {
-		if (!actor) throw new Error('Not authenticated');
-
-		await cur.promise
-			.then((metadata) => {
-				// transition to ready when it resolves
-				chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
-					status: 'ready',
-					metadata
-				});
-				console.log('ensureVetKeyEpochMetadata ready', chatIdVetKeyEpochStr);
-				return metadata;
-			})
-			.catch((error) => {
-				// transition to error so UI can react
-				chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdVetKeyEpochStr, {
-					status: 'error',
-					error: error instanceof Error ? error.message : 'Unknown error'
-				});
-				console.log('ensureVetKeyEpochMetadata error', chatIdVetKeyEpochStr);
-				throw error;
-			});
-	} else {
-		console.error('Bug: vetkey epoch metadata is not loading or ready');
-	}
-}
-
-async function cryptoKeyStateFromLocalStorage(chatId: ChatId, vetKeyEpoch: bigint) {
-	return keyStorageService.getSymmetricKeyState(chatId, vetKeyEpoch).then((keyState) => {
-		if (keyState) {
-			console.log('Key state found in key storage: ', keyState);
-			return keyState;
-		} else {
-			console.log('Key state not found in key storage: ', chatId, vetKeyEpoch);
-			throw new Error('Key state not found in key storage');
-		}
-	});
-}
-
-async function cryptoKeyStateFromRemoteCache(chatId: ChatId, vetKeyEpoch: bigint) {
-	const actor = getActor();
-	if (!actor) throw new Error('Not authenticated');
-	const vetKeyEncryptedCacheManager = new EncryptedCacheManager(getMyPrincipal(), actor);
-	return vetKeyEncryptedCacheManager
-		.fetchAndDecryptFor(chatId, vetKeyEpoch)
-		.then((epochKeyState) => {
-			return importKeyStateFromBytes(epochKeyState);
-		});
-}
-
-async function cryptoKeyStateFromResharedVetKey(chatId: ChatId, vetKeyEpoch: bigint) {
-	const actor = getActor();
-	if (!actor) throw new Error('Not authenticated');
-	return fetchResharedIbeEncryptedVetKeys(actor, chatId, vetKeyEpoch, getMyPrincipal()).then(
-		(resharedVetKey) => {
-			console.log('successfully fetched reshared IBE encrypted vetkey: ', resharedVetKey);
-			return importKeyStateFromBytes(
-				deriveRootKeyAndDispatchCaching(actor, chatId, vetKeyEpoch, resharedVetKey)
-			);
-		}
-	);
-}
-
-function getCryptoKeyStateAndIfNeededReshareAndCache(chatId: ChatId, vetKeyEpoch: bigint) {
-	const actor = getActor();
-	if (!actor) throw new Error('Not authenticated');
-
-	const chatIdStrVetKeyEpoch = chatIdVetKeyEpochToString(chatId, vetKeyEpoch);
-
-	const keyFromStoragePromise = cryptoKeyStateFromLocalStorage(chatId, vetKeyEpoch);
-
-	const cryptoKeyStateFromRemoteCachePromise = Promise.resolve(keyFromStoragePromise).catch(
-		(error) => {
-			console.info(
-				`User doesn't have key in persistent storage for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
-				error
-			);
-			return cryptoKeyStateFromRemoteCache(chatId, vetKeyEpoch);
-		}
-	);
-
-	const cryptoKeyStateFromResharedVetKeyPromise = cryptoKeyStateFromRemoteCachePromise.catch(
-		(error) => {
-			console.info(
-				`User doesn't have key cache for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
-				error
-			);
-
-			return cryptoKeyStateFromResharedVetKey(chatId, vetKeyEpoch);
-		}
-	);
-
-	return cryptoKeyStateFromResharedVetKeyPromise.catch((error) => {
-		console.info('Failed to fetch reshared IBE encrypted vetkey: ', error);
-		return Promise.resolve(canisterAPI.getVetKey(actor, chatId, vetKeyEpoch)).then(
-			async (vetKey) => {
-				while (true) {
-					console.log('waiting for vetKey epoch metadata in a loop');
-					{
-						const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdStrVetKeyEpoch);
-						if (!meta) {
-							const actor = getActor();
-							if (!actor) throw new Error('Not authenticated');
-							const promise = canisterAPI.getVetKeyEpochMetadata(actor, chatId, vetKeyEpoch);
-							chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdStrVetKeyEpoch, {
-								status: 'loading',
-								promise: promise.then((metadata) => {
-									chatIdVetKeyEpochStringToVetKeyEpochMetadata.set(chatIdStrVetKeyEpoch, {
-										status: 'ready',
-										metadata
-									});
-									return metadata;
-								})
-							});
-							console.log(
-								'added missing vetkey epoch metadata to chatIdVetKeyEpochStringToVetKeyEpochMetadata loading ',
-								chatIdStrVetKeyEpoch
-							);
-							continue;
-						}
-					}
-
-					const meta = chatIdVetKeyEpochStringToVetKeyEpochMetadata.get(chatIdStrVetKeyEpoch);
-					if (!meta || meta.status === 'error') {
-						throw new Error(
-							`No vetKey epoch metadata for chat ${chatIdToString(chatId)} and vetkey epoch ${vetKeyEpoch.toString()}: metadata status ${meta?.status}`
-						);
-					} else if (meta.status !== 'ready') {
-						await new Promise((resolve) => setTimeout(resolve, 100));
-						continue;
-					}
-					const otherParticipants = meta.metadata.participants.filter(
-						(p) => p.toString() !== getMyPrincipal().toString()
-					);
-
-					reshareIbeEncryptedVetKeys(
-						actor,
-						chatId,
-						vetKeyEpoch,
-						otherParticipants,
-						vetKey.signatureBytes()
-					).catch((error) => {
-						console.error(
-							`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${meta.metadata.epoch_id.toString()}: `,
-							error
-						);
-					});
-
-					const freshCryptoKeyState = importKeyStateFromBytes(
-						deriveRootKeyAndDispatchCaching(actor, chatId, vetKeyEpoch, vetKey.signatureBytes())
-					).then((freshCryptoKeyState) => {
-						keyStorageService
-							.saveSymmetricKeyState(chatId, vetKeyEpoch, freshCryptoKeyState)
-							.catch((error) => {
-								console.error(
-									`Failed to save key state for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
-									error
-								);
-							});
-						return freshCryptoKeyState;
-					});
-
-					return freshCryptoKeyState;
-				}
-			}
-		);
-	});
-}
-
 // Initialize on module load (browser only)
 if (typeof window !== 'undefined') {
-	void chatActions.initialize();
+	void chatUIActions.initialize();
 }
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts
deleted file mode 100644
index 2154f0bd..00000000
--- a/examples/encrypted_chat/frontend/src/lib/stores/crypto.svelte.ts
+++ /dev/null
@@ -1,460 +0,0 @@
-import {
-	chatIdToString,
-	chatIdVetKeyEpochToString,
-	sizePrefixedBytesFromString,
-	stringifyBigInt,
-	uBigIntTo8ByteUint8ArrayBigEndian
-} from '$lib/utils';
-import { Principal } from '@dfinity/principal';
-import {
-	DerivedKeyMaterial,
-	DerivedPublicKey,
-	deriveSymmetricKey,
-	EncryptedVetKey,
-	IbeCiphertext,
-	IbeIdentity,
-	IbeSeed,
-	TransportSecretKey
-} from '@dfinity/vetkeys';
-import type { _SERVICE, ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
-import { SvelteMap } from 'svelte/reactivity';
-import type { ActorSubclass } from '@dfinity/agent';
-import { getMyPrincipal } from './auth.svelte';
-import { EncryptedCacheManager } from '../types';
-import { keyStorageService } from '$lib/services/keyStorage';
-
-const DOMAIN_RATCHET_INIT = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-init');
-const DOMAIN_RATCHET_STEP = sizePrefixedBytesFromString('ic-vetkeys-chat-example-ratchet-step');
-const DOMAIN_MESSAGE_ENCRYPTION = sizePrefixedBytesFromString(
-	'ic-vetkeys-chat-example-message-encryption'
-);
-
-type KeyState =
-	| { status: 'missing' }
-	| { status: 'loading'; promise: Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> }
-	| { status: 'ready'; symmetricKeyEpoch: bigint; key: CryptoKey }
-	| { status: 'error'; error: string };
-
-export const chatIdStringToEpochKeyState = new SvelteMap<string, KeyState>();
-
-export async function ensureSymmetricKeyState(chatId: ChatId, epochId: bigint) {
-	const chatIdStr = chatIdToString(chatId);
-	const mapKey = `${chatIdStr}/${epochId.toString()}`;
-	const cur = chatIdStringToEpochKeyState.get(mapKey);
-
-	if (cur?.status === 'loading') {
-		await cur.promise
-			.then(({ key, symmetricKeyEpoch }) => {
-				console.log('ensureRootKey ready', chatIdStr);
-				chatIdStringToEpochKeyState.set(mapKey, {
-					status: 'ready',
-					symmetricKeyEpoch,
-					key
-				});
-			})
-			.catch((error) => {
-				console.log('ensureRootKey error', chatIdStr);
-				chatIdStringToEpochKeyState.set(mapKey, {
-					status: 'error',
-					error: error instanceof Error ? error.message : 'Unknown error'
-				});
-				throw error;
-			});
-	} else {
-		console.error(
-			'Bug: ensureSymmetricKeyState: chatIdStrVetKeyEpoch: ',
-			chatIdStr,
-			' should be loading but instead is ',
-			cur?.status
-		);
-	}
-}
-
-async function getCurrentSymmetricEpoch(chatId: ChatId, vetkeyEpoch: bigint): Promise<bigint> {
-	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-	console.log(
-		`getCurrentSymmetricEpoch: ${chatIdToString(chatId)} vetkeyEpoch: ${vetkeyEpoch.toString()}`
-	);
-	while (true) {
-		console.log('getCurrentSymmetricEpoch: waiting for vetKey state in a loop');
-		const cur = chatIdStringToEpochKeyState.get(mapKey);
-		if (cur === undefined) {
-			console.log(
-				`getCurrentSymmetricEpoch: no vetKey state for ${vetkeyEpoch.toString()} for chat ${chatIdToString(chatId)} in  chatIdStringToEpochKeyState -- adding a missing entry`
-			);
-			chatIdStringToEpochKeyState.set(mapKey, {
-				status: 'missing'
-			});
-		} else if (cur.status === 'ready') {
-			return cur.symmetricKeyEpoch;
-		}
-		await new Promise((resolve) => setTimeout(resolve, 100));
-	}
-}
-
-async function getSymmetricEpochKey(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint
-): Promise<DerivedKeyMaterial> {
-	const chatIdStr = chatIdToString(chatId);
-	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-	let cur: KeyState | undefined = undefined; // wait in a loop with timeout till we get the key
-
-	console.log(
-		`getSymmetricEpochKey: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} symmetricKeyEpoch: ${symmetricKeyEpoch.toString()}`
-	);
-
-	const startTime = Date.now();
-	while (!cur || cur.status !== 'ready') {
-		cur = chatIdStringToEpochKeyState.get(mapKey);
-		if (cur && cur.status === 'error') {
-			throw new Error('Failed to get epoch key: ' + cur.error);
-		}
-		if (!cur || cur.status !== 'ready') {
-			if (Date.now() - startTime > 30000) {
-				throw new Error('Failed to send message: failed to get epoch key after 30 seconds');
-			}
-			await new Promise((resolve) => setTimeout(resolve, 100));
-		}
-	}
-	if (!cur) {
-		throw new Error('getSymmetricEpochKey: bug: failed to get epoch key: ' + mapKey);
-	}
-
-	const { key, symmetricKeyEpoch: symmetricKeyEpochKeyState } = cur;
-
-	if (symmetricKeyEpochKeyState !== symmetricKeyEpoch) {
-		throw new Error(
-			`Failed to send message: wrong symmetric key epoch in message: expected ${symmetricKeyEpoch} but got ${symmetricKeyEpochKeyState}`
-		);
-	}
-
-	return DerivedKeyMaterial.fromCryptoKey(key);
-}
-
-export async function reshareIbeEncryptedVetKeys(
-	actor: ActorSubclass<_SERVICE>,
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	otherParticipants: Principal[],
-	vetKeyBytes: Uint8Array
-): Promise<void> {
-	if (otherParticipants.length > 0) {
-		console.log(
-			'reshareIbeEncryptedVetkeys: ',
-			chatId,
-			vetkeyEpoch,
-			otherParticipants,
-			vetKeyBytes
-		);
-		// try to reshare with other participants
-		return await Promise.all(
-			otherParticipants.map(async (p) => {
-				const ibePublicKey = DerivedPublicKey.deserialize(
-					new Uint8Array(await actor.get_vetkey_resharing_ibe_encryption_key(p))
-				);
-				const ibeIdentity = IbeIdentity.fromBytes(new Uint8Array());
-				const ibeSeed = IbeSeed.random();
-				const ibeCiphertext = IbeCiphertext.encrypt(
-					ibePublicKey,
-					ibeIdentity,
-					vetKeyBytes,
-					ibeSeed
-				);
-				const ibeCiphertextBytes = ibeCiphertext.serialize();
-				const result: [Principal, Uint8Array<ArrayBufferLike>] = [p, ibeCiphertextBytes];
-				return result;
-			})
-		).then(async (ibeEncryptedVetKeysPromise) => {
-			await actor
-				.reshare_ibe_encrypted_vetkeys(chatId, vetkeyEpoch, ibeEncryptedVetKeysPromise)
-				.then((result) => {
-					if ('Ok' in result) {
-						console.log(
-							`Successfully resharded IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}`
-						);
-					} else {
-						console.info(
-							`Failed to reshare IBE encrypted vetkeys for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}: `,
-							result.Err
-						);
-					}
-				});
-		});
-	} else {
-		console.log('no other participants to reshare vetKey with');
-	}
-}
-
-export async function fetchResharedIbeEncryptedVetKeys(
-	actor: ActorSubclass<_SERVICE>,
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	myPrincipal: Principal
-): Promise<Uint8Array> {
-	console.log('fetchResharedIbeEncryptedVetKeys: ', chatId, vetkeyEpoch, myPrincipal);
-	const tsk = TransportSecretKey.random();
-	const myResharedIbeEncryptedVetkey = await actor.get_my_reshared_ibe_encrypted_vetkey(
-		chatId,
-		vetkeyEpoch
-	);
-	if ('Err' in myResharedIbeEncryptedVetkey) {
-		throw new Error(
-			'Failed to get my reshared IBE encrypted vetkey: ' + myResharedIbeEncryptedVetkey.Err
-		);
-	} else if (myResharedIbeEncryptedVetkey.Ok.length === 0) {
-		throw new Error('Failed to get my reshared IBE encrypted vetkey: no reshared vetkey');
-	}
-	const ibeCiphertext = IbeCiphertext.deserialize(
-		new Uint8Array(myResharedIbeEncryptedVetkey.Ok[0])
-	);
-
-	const publicIbeKeyBytes = await actor.get_vetkey_resharing_ibe_encryption_key(myPrincipal);
-	const publicIbeKey = DerivedPublicKey.deserialize(new Uint8Array(publicIbeKeyBytes));
-
-	const maybeIbeDecryptionKeyFromStorage = await keyStorageService.getIbeDecryptionKey();
-	// TODO:cache this key
-	const privateEncryptedIbeKeyBytes =
-		maybeIbeDecryptionKeyFromStorage ??
-		new Uint8Array(await actor.get_vetkey_resharing_ibe_decryption_key(tsk.publicKeyBytes()));
-	if (!maybeIbeDecryptionKeyFromStorage) {
-		console.log(
-			`Saving IBE decryption key for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}`
-		);
-		keyStorageService
-			.saveIbeDecryptionKey(new Uint8Array(privateEncryptedIbeKeyBytes))
-			.catch((error) => {
-				console.error(
-					`Failed to save IBE decryption key for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetkeyEpoch.toString()}: `,
-					error
-				);
-			});
-	}
-
-	const encryptedVetKey = EncryptedVetKey.deserialize(new Uint8Array(privateEncryptedIbeKeyBytes));
-	const privateIbeKey = encryptedVetKey.decryptAndVerify(tsk, publicIbeKey, new Uint8Array());
-
-	const ibePlaintext = ibeCiphertext.decrypt(privateIbeKey);
-	return ibePlaintext;
-}
-
-export function deriveRootKeyAndDispatchCaching(
-	actor: ActorSubclass<_SERVICE>,
-	chatId: ChatId,
-	vetKeyEpoch: bigint,
-	vetKeyBytes: Uint8Array
-): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
-	const rootKey = deriveRootKeyBytes(vetKeyBytes);
-	console.log(
-		`Computed rootKey=${stringifyBigInt(rootKey)} from vetKey=${stringifyBigInt(vetKeyBytes)}`
-	);
-
-	console.log('starting to store the root key in cache: ', rootKey);
-	const vetKeyEncryptedCache = new EncryptedCacheManager(getMyPrincipal(), actor);
-	const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
-	// await this future in background
-	vetKeyEncryptedCache.encryptAndStoreFor(chatId, vetKeyEpoch, keyState).catch((error) => {
-		console.error(
-			`Failed to store root key in cache for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
-			error
-		);
-	});
-	return keyState;
-}
-
-export async function deriveNextSymmetricRatchetEpochCryptoKey(
-	epochKey: CryptoKey,
-	currentSymmetricKeyEpoch: bigint
-): Promise<CryptoKey> {
-	console.log(`deriveNextEpochKey: ${currentSymmetricKeyEpoch.toString()}`);
-	const exportable = false;
-	const domainSeparator = new Uint8Array([
-		...DOMAIN_RATCHET_STEP,
-		...uBigIntTo8ByteUint8ArrayBigEndian(currentSymmetricKeyEpoch)
-	]);
-	const algorithm = {
-		name: 'HKDF',
-		hash: 'SHA-256',
-		length: 32 * 8,
-		info: domainSeparator,
-		salt: new Uint8Array()
-	};
-
-	const rawKey = await globalThis.crypto.subtle.deriveBits(algorithm, epochKey, 8 * 32);
-
-	return await globalThis.crypto.subtle.importKey('raw', rawKey, algorithm, exportable, [
-		'deriveKey',
-		'deriveBits'
-	]);
-}
-
-async function symmetricRatchet(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	expectedSymmetricKeyEpoch: bigint
-) {
-	const chatIdStr = chatIdToString(chatId);
-	const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-	console.log(
-		`symmetricRatchet: ${chatIdStr} vetkeyEpoch: ${vetkeyEpoch.toString()} expectedSymmetricKeyEpoch: ${expectedSymmetricKeyEpoch.toString()}`
-	);
-	while (true) {
-		console.log('symmetricRatchet: waiting for vetKey state in a loop');
-		const cur = chatIdStringToEpochKeyState.get(mapKey);
-		if (!cur) {
-			throw new Error('Bug: failed to get epoch key');
-		}
-		if (cur.status === 'error') {
-			throw new Error('Failed to get epoch key: ' + cur.error);
-		}
-		if (cur.status !== 'ready') {
-			await new Promise((resolve) => setTimeout(resolve, 100));
-			continue;
-		}
-
-		const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
-		if (currentSymmetricKeyEpoch !== expectedSymmetricKeyEpoch) {
-			throw new Error(
-				`Failed to send message: wrong symmetric key epoch in message: expected ${expectedSymmetricKeyEpoch} but got ${currentSymmetricKeyEpoch}`
-			);
-		}
-
-		return await deriveNextSymmetricRatchetEpochCryptoKey(key, currentSymmetricKeyEpoch);
-	}
-}
-
-async function symmetricRatchetUntil(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint
-) {
-	while ((await getCurrentSymmetricEpoch(chatId, vetkeyEpoch)) < symmetricKeyEpoch) {
-		try {
-			const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
-			const mapKey = chatIdVetKeyEpochToString(chatId, vetkeyEpoch);
-			chatIdStringToEpochKeyState.set(mapKey, {
-				status: 'ready',
-				symmetricKeyEpoch: currentSymmetricEpoch + 1n,
-				key: await symmetricRatchet(chatId, vetkeyEpoch, currentSymmetricEpoch)
-			});
-		} catch (error) {
-			console.warn('symmetricRatchetUntil: ', error);
-		}
-	}
-}
-
-async function fastForwardSymmetricRatchetWithoutSavingUntil(
-	chatId: ChatId,
-	currentVetkeyEpoch: bigint,
-	neededSymmetricKeyEpoch: bigint
-): Promise<DerivedKeyMaterial> {
-	const mapKey = chatIdVetKeyEpochToString(chatId, currentVetkeyEpoch);
-	const cur = chatIdStringToEpochKeyState.get(mapKey);
-	if (!cur) {
-		chatIdStringToEpochKeyState.set(mapKey, {
-			status: 'missing'
-		});
-		return await fastForwardSymmetricRatchetWithoutSavingUntil(
-			chatId,
-			currentVetkeyEpoch,
-			neededSymmetricKeyEpoch
-		);
-	}
-	if (cur.status === 'error') {
-		throw new Error('Failed to get epoch key: ' + cur.error);
-	}
-	if (cur.status !== 'ready') {
-		throw new Error('Epoch key is not ready for symmetric ratchet');
-	}
-	const { key, symmetricKeyEpoch: currentSymmetricKeyEpoch } = cur;
-	if (currentSymmetricKeyEpoch >= neededSymmetricKeyEpoch) {
-		return DerivedKeyMaterial.fromCryptoKey(key);
-	}
-
-	let derivedKeyState = { epochKey: key, symmetricKeyEpoch: currentSymmetricKeyEpoch };
-	while (derivedKeyState.symmetricKeyEpoch < neededSymmetricKeyEpoch) {
-		derivedKeyState = {
-			epochKey: await deriveNextSymmetricRatchetEpochCryptoKey(
-				derivedKeyState.epochKey,
-				derivedKeyState.symmetricKeyEpoch
-			),
-			symmetricKeyEpoch: derivedKeyState.symmetricKeyEpoch + 1n
-		};
-	}
-	return DerivedKeyMaterial.fromCryptoKey(derivedKeyState.epochKey);
-}
-
-export async function encryptMessageContent(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint,
-	sender: Principal,
-	plaintextMessageContent: Uint8Array,
-	userMessageId: bigint
-): Promise<Uint8Array> {
-	const epochKey = await fastForwardSymmetricRatchetWithoutSavingUntil(
-		chatId,
-		vetkeyEpoch,
-		symmetricKeyEpoch
-	);
-	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
-	return await epochKey.encryptMessage(plaintextMessageContent, domainSeparator);
-}
-
-export async function decryptMessageContent(
-	chatId: ChatId,
-	vetkeyEpoch: bigint,
-	symmetricKeyEpoch: bigint,
-	sender: Principal,
-	encryptedMessageContent: Uint8Array,
-	userMessageId: bigint
-): Promise<Uint8Array> {
-	console.log(
-		`decryptMessageContent: ${chatIdToString(chatId)} vetkeyEpoch: ${vetkeyEpoch.toString()} symmetricKeyEpoch: ${symmetricKeyEpoch.toString()} sender: ${sender.toText()} userMessageId: ${userMessageId.toString()}`
-	);
-	const currentSymmetricEpoch = await getCurrentSymmetricEpoch(chatId, vetkeyEpoch);
-	if (currentSymmetricEpoch < symmetricKeyEpoch) {
-		console.log(
-			'decryptMessageContent: advancing symmetric ratchet until symmetricKeyEpoch: ',
-			symmetricKeyEpoch
-		);
-		await symmetricRatchetUntil(chatId, vetkeyEpoch, symmetricKeyEpoch);
-	}
-	const epochKey = await getSymmetricEpochKey(chatId, vetkeyEpoch, symmetricKeyEpoch);
-	const domainSeparator = messageEncryptionDomainSeparator(sender, userMessageId);
-	return await epochKey.decryptMessage(encryptedMessageContent, domainSeparator).catch((error) => {
-		console.error(
-			`decryptMessageContent: failed to decrypt message in chat ${chatIdToString(chatId)} for vetkeyEpoch ${vetkeyEpoch.toString()} and symmetricKeyEpoch: ${symmetricKeyEpoch.toString()} from sender ${sender.toText()} with userMessageId ${userMessageId.toString()}`,
-			error
-		);
-		return new TextEncoder().encode('<decryption failed>');
-	});
-}
-
-export function messageEncryptionDomainSeparator(sender: Principal, messageId: bigint): Uint8Array {
-	return new Uint8Array([
-		...DOMAIN_MESSAGE_ENCRYPTION,
-		...sender.toUint8Array(),
-		...uBigIntTo8ByteUint8ArrayBigEndian(messageId)
-	]);
-}
-
-export function deriveRootKeyBytes(vetKeyBytes: Uint8Array): Uint8Array {
-	return deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
-}
-
-export async function importKeyFromBytes(params: {
-	keyBytes: Uint8Array;
-	symmetricKeyEpoch: bigint;
-}): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
-	const exportable = false;
-	const key = await globalThis.crypto.subtle.importKey(
-		'raw',
-		new Uint8Array(params.keyBytes),
-		'HKDF',
-		exportable,
-		['deriveKey', 'deriveBits']
-	);
-	return { key, symmetricKeyEpoch: params.symmetricKeyEpoch };
-}
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index 94ca40d9..1aa4c978 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -1,19 +1,4 @@
-import type { ChatId, _SERVICE } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { Principal } from '@dfinity/principal';
-import {
-	EncryptedMaps,
-	type AccessRights,
-	type ByteBuf,
-	type EncryptedMapData,
-	type EncryptedMapsClient
-} from '@dfinity/vetkeys/encrypted_maps';
-import type { ActorSubclass } from '@dfinity/agent';
-import {
-	chatIdToString,
-	stringifyBigInt,
-	u8ByteUint8ArrayBigEndianToUBigInt,
-	uBigIntTo8ByteUint8ArrayBigEndian
-} from '$lib/utils';
 
 export interface User {
 	principal: Principal;
@@ -36,7 +21,6 @@ export interface Message {
 		type: string;
 		data: ArrayBuffer;
 	};
-	isEncrypted: boolean;
 	vetkeyEpoch: number;
 	symmetricRatchetEpoch: number;
 }
@@ -116,251 +100,6 @@ export interface Notification {
 	duration?: number; // auto-dismiss after ms, undefined = manual dismiss
 }
 
-class EncryptedMapsClientForEncryptedCache implements EncryptedMapsClient {
-	#actor: ActorSubclass<_SERVICE>;
-
-	constructor(actor: ActorSubclass<_SERVICE>) {
-		this.#actor = actor;
-	}
-
-	get_accessible_shared_map_names(): Promise<[Principal, ByteBuf][]> {
-		throw Error('unavailable EncryptedMaps function get_accessible_shared_map_names');
-	}
-
-	get_shared_user_access_for_map(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		owner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf
-	): Promise<{ Ok: Array<[Principal, AccessRights]> } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function get_shared_user_access_for_map');
-	}
-
-	get_owned_non_empty_map_names(): Promise<Array<ByteBuf>> {
-		throw Error('unavailable EncryptedMaps function get_owned_non_empty_map_names');
-	}
-
-	get_all_accessible_encrypted_values(): Promise<[[Principal, ByteBuf], [ByteBuf, ByteBuf][]][]> {
-		throw Error('unavailable EncryptedMaps function get_all_accessible_encrypted_values');
-	}
-
-	get_all_accessible_encrypted_maps(): Promise<Array<EncryptedMapData>> {
-		throw Error('unavailable EncryptedMaps function get_all_accessible_encrypted_maps');
-	}
-
-	get_encrypted_value(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapOwner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapKey: ByteBuf
-	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function get_encrypted_value');
-	}
-
-	get_encrypted_values_for_map(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapOwner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf
-	): Promise<{ Ok: Array<[ByteBuf, ByteBuf]> } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function get_encrypted_values_for_map');
-	}
-
-	async get_encrypted_vetkey(
-		mapOwner: Principal,
-		mapName: ByteBuf,
-		transportKey: ByteBuf
-	): Promise<{ Ok: ByteBuf } | { Err: string }> {
-		const data = new Uint8Array(
-			await this.#actor.get_encrypted_vetkey_for_my_cache_storage(transportKey.inner)
-		);
-		const result: { Ok: ByteBuf } | { Err: string } = {
-			Ok: { inner: data }
-		};
-		return Promise.resolve(result);
-	}
-
-	insert_encrypted_value(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapOwner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapKey: ByteBuf,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		data: ByteBuf
-	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function insert_encrypted_value');
-	}
-
-	remove_encrypted_value(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapOwner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapKey: ByteBuf
-	): Promise<{ Ok: [] | [ByteBuf] } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function remove_encrypted_value');
-	}
-
-	remove_map_values(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapOwner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf
-	): Promise<{ Ok: Array<ByteBuf> } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function remove_map_values');
-	}
-
-	async get_vetkey_verification_key(): Promise<ByteBuf> {
-		return { inner: await this.#actor.get_vetkey_verification_key_for_my_cache_storage() };
-	}
-
-	set_user_rights(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		owner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		user: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		userRights: AccessRights
-	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function set_user_rights');
-	}
-
-	get_user_rights(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		owner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		user: Principal
-	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function get_user_rights');
-	}
-
-	remove_user(
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		owner: Principal,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		mapName: ByteBuf,
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		user: Principal
-	): Promise<{ Ok: [] | [AccessRights] } | { Err: string }> {
-		throw Error('unavailable EncryptedMaps function remove_user');
-	}
-}
-
-function mapName(): Uint8Array {
-	return new TextEncoder().encode('encrypted_chat_cache');
-}
-
-async function mapKeyId(chat_id: ChatId, vetkey_epoch_id: bigint): Promise<Uint8Array> {
-	const input = serializeChatId(chat_id);
-
-	const hashBuffer = await crypto.subtle.digest(
-		'SHA-256',
-		new Uint8Array([...input, ...uBigIntTo8ByteUint8ArrayBigEndian(vetkey_epoch_id)])
-	);
-	return new Uint8Array(hashBuffer);
-}
-
-function serializeChatId(chatId: ChatId): Uint8Array {
-	if ('Direct' in chatId) {
-		return new Uint8Array([
-			0,
-			...chatId.Direct[0].toUint8Array(),
-			...chatId.Direct[1].toUint8Array()
-		]);
-	} else {
-		return new Uint8Array([1, ...uBigIntTo8ByteUint8ArrayBigEndian(chatId.Group)]);
-	}
-}
-
-export class EncryptedCacheManager {
-	#encryptedMaps: EncryptedMaps;
-	#myPrincipal: Principal;
-	#actor: ActorSubclass<_SERVICE>;
-
-	constructor(myPrincipal: Principal, actor: ActorSubclass<_SERVICE>) {
-		this.#myPrincipal = myPrincipal;
-		this.#encryptedMaps = new EncryptedMaps(new EncryptedMapsClientForEncryptedCache(actor));
-		this.#actor = actor;
-	}
-
-	async fetchAndDecryptFor(
-		chatId: ChatId,
-		vetKeyEpoch: bigint
-	): Promise<{ keyBytes: Uint8Array; symmetricKeyEpoch: bigint }> {
-		console.log(
-			`get_my_symmetric_key_cache: chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}`
-		);
-		const keyCacheBytes = await this.#actor.get_my_symmetric_key_cache(chatId, vetKeyEpoch);
-		if ('Err' in keyCacheBytes) {
-			throw new Error('Failed to get key cache bytes: ' + keyCacheBytes.Err);
-		} else if (keyCacheBytes.Ok.length === 0) {
-			throw new Error('Failed to get key cache bytes: no key cache found');
-		}
-
-		const mapName_ = mapName();
-		const mapKey = await mapKeyId(chatId, vetKeyEpoch);
-		const decryptedBytes = await this.#encryptedMaps.decryptFor(
-			this.#myPrincipal,
-			mapName_,
-			mapKey,
-			new Uint8Array(keyCacheBytes.Ok[0])
-		);
-
-		console.log(
-			`VetKeyEncryptedCache: successfully fetched and decrypted key cache for chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}: ${stringifyBigInt(deserializeCache(decryptedBytes))}`
-		);
-		return deserializeCache(decryptedBytes);
-	}
-
-	async encryptAndStoreFor(
-		chatId: ChatId,
-		vetKeyEpoch: bigint,
-		cache: { keyBytes: Uint8Array; symmetricKeyEpoch: bigint }
-	): Promise<void> {
-		console.log('encryptAndStoreFor: starting to store the root key in cache: ', cache);
-		const mapName_ = mapName();
-		const mapKey = await mapKeyId(chatId, vetKeyEpoch);
-
-		const ciphertext = await this.#encryptedMaps.encryptFor(
-			this.#myPrincipal,
-			mapName_,
-			mapKey,
-			serializeCache(cache)
-		);
-		const result = await this.#actor.update_my_symmetric_key_cache(chatId, vetKeyEpoch, ciphertext);
-		if ('Err' in result) {
-			throw new Error('Failed to update key cache: ' + result.Err);
-		} else {
-			console.log(
-				`VetKeyEncryptedCache: successfully stored key cache for chatId=${chatIdToString(chatId)} vetKeyEpoch=${vetKeyEpoch.toString()}: ${stringifyBigInt(serializeCache(cache))}`
-			);
-		}
-	}
-}
-
-function serializeCache(cache: { keyBytes: Uint8Array; symmetricKeyEpoch: bigint }): Uint8Array {
-	return new Uint8Array([
-		...cache.keyBytes,
-		...uBigIntTo8ByteUint8ArrayBigEndian(cache.symmetricKeyEpoch)
-	]);
-}
-
-function deserializeCache(data: Uint8Array): { keyBytes: Uint8Array; symmetricKeyEpoch: bigint } {
-	return {
-		keyBytes: data.slice(0, 32),
-		symmetricKeyEpoch: u8ByteUint8ArrayBigEndianToUBigInt(data.slice(32))
-	};
-}
-
 export class StoragePrefixesClass {
 	public readonly MESSAGE_PREFIX: string = 'messages';
 	public readonly CONFIG_KEY: string = 'user_config';
@@ -372,3 +111,22 @@ export class StoragePrefixesClass {
 }
 
 export const storagePrefixes = new StoragePrefixesClass();
+
+export class VetKeyEpochError extends Error {
+	requiredVetKeyEpoch: bigint;
+
+	constructor(message: string, requiredVetKeyEpoch: bigint) {
+		super(message);
+		this.name = 'VetKeyEpochError';
+		this.requiredVetKeyEpoch = requiredVetKeyEpoch;
+		Object.setPrototypeOf(this, VetKeyEpochError.prototype);
+	}
+}
+
+export class SymmetricRatchetEpochError extends Error {
+	constructor(message: string) {
+		super(message);
+		this.name = 'SymmetricRatchetEpochError';
+		Object.setPrototypeOf(this, SymmetricRatchetEpochError.prototype);
+	}
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/utils/index.ts b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
index 468d5b62..8555e1f7 100644
--- a/examples/encrypted_chat/frontend/src/lib/utils/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
@@ -64,12 +64,11 @@ export function sizePrefixedBytesFromString(text: string): Uint8Array {
 	return new Uint8Array([...size, ...bytes]);
 }
 
-export function chatIdsNumMessagesToSummary(chatIdsNumMessages: [ChatId, bigint][]): string {
-	return chatIdsNumMessages.reduce((acc, [chatId, numMessages]) => {
+export function chatIdsNumMessagesToSummary(args: { chatId: ChatId; numMessages: bigint }[]): string {
+	return args.reduce((acc, { chatId, numMessages }) => {
 		if ('Direct' in chatId) {
 			return (
 				acc +
-				(acc.length > 0 ? ' | ' : '') +
 				chatId.Direct[0].toText() +
 				' ' +
 				chatId.Direct[1].toText() +
diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index 0cc4c1af..e98e3c23 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -5,7 +5,7 @@
 	import {
 		isLoading,
 		selectedChatId,
-		chatActions,
+		chatUIActions,
 		initVetKeyReactions
 	} from '$lib/stores/chat.svelte';
 	import Hero from '$lib/components/Hero.svelte';
@@ -32,10 +32,11 @@
 		const interval = setInterval(() => {
 			(async () => {
 				if (auth.state.label === 'initialized') {
-					await chatActions.refreshChats();
+					await chatUIActions.refreshChats();
+					await chatUIActions.loadChatMessages();
 				}
 			})().catch(console.error);
-		}, 1000);
+		}, 500);
 
 		return () => clearInterval(interval);
 	});
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 43aa3c81..fa665195 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -128,7 +128,7 @@ fn create_direct_chat(
         symmetric_key_rotation_duration_minutes
             .0
             .checked_mul(NANOSECONDS_IN_MINUTE)
-            .ok_or(format!("Overflow: too symmetric key rotation time"))?,
+            .ok_or("Overflow: too symmetric key rotation time".to_string())?,
     );
 
     let todo_remove_1 = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
@@ -160,7 +160,7 @@ fn create_direct_chat(
         message_expiry_time_minutes
             .0
             .checked_mul(NANOSECONDS_IN_MINUTE)
-            .ok_or(format!("Overflow: too large expiry time"))?,
+            .ok_or("Overflow: too large expiry time".to_string())?,
     );
 
     let todo_remove = CHAT_TO_MESSAGE_EXPIRY_SETTING
@@ -196,10 +196,7 @@ fn create_group_chat(
 
     let chat_id = ChatId::Group(group_chat_id);
 
-    let mut participants: Vec<_> = [caller]
-        .into_iter()
-        .chain(other_participants.into_iter())
-        .collect();
+    let mut participants: Vec<_> = [caller].into_iter().chain(other_participants).collect();
 
     participants.sort();
 
@@ -210,7 +207,7 @@ fn create_group_chat(
         symmetric_key_rotation_duration_minutes
             .0
             .checked_mul(NANOSECONDS_IN_MINUTE)
-            .ok_or(format!("Overflow: too symmetric key rotation time"))?,
+            .ok_or("Overflow: too symmetric key rotation time".to_string())?,
     );
 
     let todo_remove_1 = CHAT_TO_VETKEYS_METADATA.with_borrow_mut(|metadata| {
@@ -240,7 +237,7 @@ fn create_group_chat(
         message_expiry_time_minutes
             .0
             .checked_mul(NANOSECONDS_IN_MINUTE)
-            .ok_or(format!("Overflow: too large expiry time"))?,
+            .ok_or("Overflow: too large expiry time".to_string())?,
     );
 
     let todo_remove = CHAT_TO_MESSAGE_EXPIRY_SETTING
@@ -260,8 +257,7 @@ async fn first_accessible_message_id(group_chat_id: GroupChatId) -> Option<ChatM
         metadata
             .range(&(chat_id, Time(0))..)
             .take_while(|metadata| metadata.key().0 == chat_id)
-            .filter(|metadata| metadata.value().participants.contains(&caller))
-            .next()
+            .find(|metadata| metadata.value().participants.contains(&caller))
             .map(|metadata| metadata.value().messages_start_with_id)
     })
 }
@@ -347,9 +343,8 @@ fn get_vetkey_epoch_metadata(
         .with_borrow(|metadata| {
             metadata
                 .range(&(chat_id, Time(0))..)
-                .take_while(|metadata| {
-                    metadata.key().0 == chat_id && metadata.value().epoch_id == vetkey_epoch_id
-                })
+                .take_while(|metadata| metadata.key().0 == chat_id)
+                .filter(|metadata| metadata.value().epoch_id == vetkey_epoch_id)
                 .last()
                 .map(|metadata| metadata.value())
         })
@@ -701,8 +696,6 @@ fn get_my_symmetric_key_cache(
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
 
-    ic_cdk::println!("get_my_symmetric_key_cache: chat_id={:?}, vetkey_epoch_id={:?}", chat_id, vetkey_epoch_id);
-
     ENCRYPTED_MAPS.with_borrow(|opt_maps| {
         let maps = opt_maps
             .as_ref()
@@ -849,25 +842,16 @@ fn modify_group_chat_participants(
         latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
 
-    let vetkey_epoch_id = latest_epoch_metadata.epoch_id;
-
-    if vetkey_epoch_id != latest_epoch_metadata.epoch_id {
-        return Err(format!(
-            "Wrong vetKey epoch: expected {:?} but got {:?}",
-            latest_epoch_metadata.epoch_id, vetkey_epoch_id
-        ));
-    }
-
-    for participant in group_modification.add_participants.iter().copied() {
-        if latest_epoch_metadata.participants.contains(&participant) {
+    for participant in group_modification.add_participants.iter() {
+        if latest_epoch_metadata.participants.contains(participant) {
             return Err(format!(
                 "Participant {participant} is already a member of the group chat and cannot be added"
             ));
         }
     }
 
-    for participant in group_modification.remove_participants.iter().copied() {
-        if !latest_epoch_metadata.participants.contains(&participant) {
+    for participant in group_modification.remove_participants.iter() {
+        if !latest_epoch_metadata.participants.contains(participant) {
             return Err(format!(
                 "Participant {participant} is not a member of the group chat and cannot be removed"
             ));
@@ -905,7 +889,8 @@ fn modify_group_chat_participants(
 
         for participant in group_modification.remove_participants.iter().copied() {
             USER_TO_CHAT_MAP.with_borrow_mut(|map| {
-                let todo_remove = map.remove(&(participant, chat_id, vetkey_epoch_id));
+                let todo_remove =
+                    map.remove(&(participant, chat_id, latest_epoch_metadata.epoch_id));
                 assert!(todo_remove.is_some());
             });
         }
@@ -1095,8 +1080,7 @@ fn ensure_chat_and_vetkey_epoch_exist(
         metadata
             .range(&(chat_id, Time(0))..)
             .take_while(|metadata| metadata.key().0 == chat_id)
-            .filter(|metadata| metadata.value().epoch_id == vetkey_epoch_id)
-            .next()
+            .find(|metadata| metadata.value().epoch_id == vetkey_epoch_id)
             .map(|_| ())
             .ok_or(format!(
                 "vetKey epoch {vetkey_epoch_id:?} not found for chat {chat_id:?}"
@@ -1189,7 +1173,7 @@ pub fn ratchet_context(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> Vec<u
     let chat_id_bytes = chat_id.to_bytes();
     let mut context = vec![];
 
-    context.extend_from_slice(&[DOMAIN_SEPARATOR_VETKEY_ROTATION.as_bytes().len() as u8]);
+    context.extend_from_slice(&[DOMAIN_SEPARATOR_VETKEY_ROTATION.len() as u8]);
     context.extend_from_slice(DOMAIN_SEPARATOR_VETKEY_ROTATION.as_bytes());
 
     context.extend_from_slice(&[chat_id_bytes.len() as u8]);
@@ -1203,10 +1187,10 @@ pub fn ratchet_context(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> Vec<u
 pub fn resharing_context(caller: Principal) -> Vec<u8> {
     let mut context = vec![];
 
-    context.extend_from_slice(&[DOMAIN_SEPARATOR_VETKEY_RESHARING.as_bytes().len() as u8]);
+    context.extend_from_slice(&[DOMAIN_SEPARATOR_VETKEY_RESHARING.len() as u8]);
     context.extend_from_slice(DOMAIN_SEPARATOR_VETKEY_ROTATION.as_bytes());
 
-    context.extend_from_slice(&caller.as_slice());
+    context.extend_from_slice(caller.as_slice());
 
     context
 }

From 83fcf2dbdf0e6bd5d03097db9e08003e0461b3b7 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 26 Aug 2025 09:57:30 +0200
Subject: [PATCH 37/62] small improvements

---
 .../frontend/src/lib/stores/chat.svelte.ts        | 11 +++++++++++
 examples/encrypted_chat/rust/backend/src/lib.rs   | 15 +++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 58761072..01279fbb 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -195,6 +195,7 @@ export const chatUIActions = {
 
 	selectChat(chatId: ChatId) {
 		selectedChatId.state = chatId;
+		console.log('selectChat: selected chat ', chatIdToString(chatId));
 
 		// Mark as read
 		chats.state = chats.state.map((chat) =>
@@ -222,6 +223,16 @@ export const chatUIActions = {
 				...messages.state,
 				[chatIdStr]: [...messages.state[chatIdStr], ...messagesArray]
 			};
+
+			chats.state = chats.state.map((c) =>
+				c.idStr === chatIdStr
+					? {
+							...c,
+							unreadCount: c.unreadCount + messagesArray.length,
+							lastMessage: messagesArray[messagesArray.length - 1]
+						}
+					: c
+			);
 		}
 	},
 
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index fa665195..e18f4361 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -887,11 +887,18 @@ fn modify_group_chat_participants(
             });
         }
 
-        for participant in group_modification.remove_participants.iter().copied() {
+        for participant in group_modification.remove_participants.iter() {
             USER_TO_CHAT_MAP.with_borrow_mut(|map| {
-                let todo_remove =
-                    map.remove(&(participant, chat_id, latest_epoch_metadata.epoch_id));
-                assert!(todo_remove.is_some());
+                let keys_to_remove = map
+                    .keys_range((caller, chat_id, VetKeyEpochId(0))..)
+                    .take_while(|(user, this_chat_id, _)| {
+                        user == participant && *this_chat_id == chat_id
+                    })
+                    .collect::<Vec<_>>();
+                for key_to_remove in keys_to_remove {
+                    let todo_remove = map.remove(&key_to_remove);
+                    assert!(todo_remove.is_some());
+                }
             });
         }
 

From 00ea77bf8af58af5e200310524d792d7cc636321 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 27 Aug 2025 13:59:50 +0200
Subject: [PATCH 38/62] fix npm run dev

---
 .../frontend/src/lib/stores/auth.svelte.ts    |  7 +-
 .../encrypted_chat/frontend/vite.config.ts    | 10 ++-
 examples/encrypted_chat/rust/dfx.json         | 88 ++++++++++---------
 3 files changed, 58 insertions(+), 47 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
index 2b2334d0..2fd7fae9 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
@@ -4,6 +4,7 @@ import { AuthClient } from '@dfinity/auth-client';
 import type { Principal } from '@dfinity/principal';
 import type { _SERVICE } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { createActor } from '../../declarations/encrypted_chat';
+import fetch from 'isomorphic-fetch';
 
 if (import.meta.env.SSR || typeof window === 'undefined') {
 	const {
@@ -74,7 +75,7 @@ export async function login() {
 			identityProvider:
 				globalThis.process.env.DFX_NETWORK === 'ic'
 					? 'https://identity.ic0.app/#authorize'
-					: `http://rdmx6-jaaaa-aaaaa-aaadq-cai.localhost:8000/#authorize`,
+					: `http://rdmx6-jaaaa-aaaaa-aaadq-cai.localhost:4943/#authorize`,
 			onSuccess: () => {
 				authenticate(client);
 			},
@@ -108,11 +109,11 @@ export function getMyPrincipal(): Principal {
 
 export function getActor(): ActorSubclass<_SERVICE> {
 	if (auth.state.label === 'initialized') {
-		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp-api.io' : 'http://localhost:8000';
+		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp0.app' : 'http://localhost:4943';
 		const shouldFetchRootKey = process.env.DFX_NETWORK !== 'ic';
 		const agent = HttpAgent.createSync({
 			identity: auth.state.client.getIdentity(),
-			fetch,
+			fetch: fetch,
 			host,
 			shouldFetchRootKey
 		});
diff --git a/examples/encrypted_chat/frontend/vite.config.ts b/examples/encrypted_chat/frontend/vite.config.ts
index 1b0e2f7e..eedf0d83 100644
--- a/examples/encrypted_chat/frontend/vite.config.ts
+++ b/examples/encrypted_chat/frontend/vite.config.ts
@@ -11,5 +11,13 @@ export default defineConfig({
 		sveltekit(),
 		environment('all', { prefix: 'CANISTER_' }),
 		environment('all', { prefix: 'DFX_' })
-	]
+	],
+	server: {
+		proxy: {
+			'/api': {
+				target: 'http://localhost:4943',
+				changeOrigin: true
+			}
+		}
+	}
 });
diff --git a/examples/encrypted_chat/rust/dfx.json b/examples/encrypted_chat/rust/dfx.json
index a0f5953e..1bfb7dae 100644
--- a/examples/encrypted_chat/rust/dfx.json
+++ b/examples/encrypted_chat/rust/dfx.json
@@ -1,48 +1,50 @@
 {
-    "canisters": {
-      "encrypted_chat": {
-        "candid": "backend/backend.did",
-        "type": "custom",
-        "init_arg": "(\"test_key_1\")",
-        "gzip": true,
-        "wasm": "target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm",
-        "build": [
-          "cd backend && cargo build --release --target wasm32-unknown-unknown && candid-extractor ../target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm > backend.did"
-        ],
-        "metadata": [
-          {
-            "name": "candid:service",
-            "visibility": "public"
-          }
-        ]
-      },
-      "internet-identity": {
-        "candid": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity.did",
-        "type": "custom",
-        "specified_id": "rdmx6-jaaaa-aaaaa-aaadq-cai",
-        "remote": {
+  "canisters": {
+    "encrypted_chat": {
+      "candid": "backend/backend.did",
+      "type": "custom",
+      "init_arg": "(\"test_key_1\")",
+      "gzip": true,
+      "wasm": "target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm",
+      "build": [
+        "cd backend && cargo build --release --target wasm32-unknown-unknown && candid-extractor ../target/wasm32-unknown-unknown/release/ic_vetkeys_example_encrypted_chat_backend.wasm > backend.did"
+      ],
+      "metadata": [
+        {
+          "name": "candid:service",
+          "visibility": "public"
+        }
+      ]
+    },
+    "internet-identity": {
+      "candid": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity.did",
+      "type": "custom",
+      "specified_id": "rdmx6-jaaaa-aaaaa-aaadq-cai",
+      "remote": {
         "id": {
-            "ic": "rdmx6-jaaaa-aaaaa-aaadq-cai"
-          }
-        },
-        "wasm": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz"
+          "ic": "rdmx6-jaaaa-aaaaa-aaadq-cai"
+        }
       },
-      "www": {
-        "dependencies": ["encrypted_chat", "internet-identity"],
-        "build": ["cd frontend && npm i --include=dev && npm run build && cd - && rm -r dist > /dev/null 2>&1; mv frontend/dist ./"],
-        "frontend": {
-          "entrypoint": "dist/index.html"
-        },
-        "gzip": true,
-        "source": ["dist/"],
-        "type": "assets",
-        "output_env_file": "frontend/.env"
-      }
+      "wasm": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz"
     },
-    "networks": {
-      "local": {
-        "bind": "localhost:8000",
-        "type": "ephemeral"
-      }
+    "www": {
+      "dependencies": ["encrypted_chat", "internet-identity"],
+      "build": [
+        "cp .env frontend/.env && cd frontend && npm i --include=dev && npm run build && cd - && rm -r dist > /dev/null 2>&1; mv frontend/dist ./"
+      ],
+      "frontend": {
+        "entrypoint": "dist/index.html"
+      },
+      "gzip": true,
+      "source": ["dist/"],
+      "type": "assets"
+    }
+  },
+  "output_env_file": ".env",
+  "networks": {
+    "local": {
+      "bind": "localhost:4943",
+      "type": "ephemeral"
     }
-  }
\ No newline at end of file
+  }
+}

From 4061a6279f760fef897abf8f6cade2b2a9c4a79c Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 27 Aug 2025 14:00:48 +0200
Subject: [PATCH 39/62] mv file

---
 .../frontend/src/lib/services/encryptedMessagingService.ts      | 2 +-
 ...InitializationService.ts => ratchetInitializationService.ts} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename examples/encrypted_chat/frontend/src/lib/services/{RatchetInitializationService.ts => ratchetInitializationService.ts} (100%)

diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index 7acaf001..0c992683 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -7,7 +7,7 @@ import type {
 	EncryptedMessageMetadata
 } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { KeyManager } from '$lib/crypto/keyManager';
-import { RatchetInitializationService } from './RatchetInitializationService';
+import { RatchetInitializationService } from './ratchetInitializationService';
 import { SymmetricRatchetEpochError, VetKeyEpochError, type Message } from '$lib/types';
 import { canisterAPI } from './canisteApi';
 import {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/RatchetInitializationService.ts b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
similarity index 100%
rename from examples/encrypted_chat/frontend/src/lib/services/RatchetInitializationService.ts
rename to examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts

From 19d7e13bca1c209f658c3046e70f6b75c69e8554 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 7 Oct 2025 10:26:02 +0200
Subject: [PATCH 40/62] wip

---
 examples/encrypted_chat/README.md             |  1 +
 .../encrypted_chat/frontend/package-lock.json | 91 +++++++++++++------
 .../src/lib/components/ChatList.svelte        | 10 +-
 .../src/lib/components/MessageBubble.svelte   |  8 +-
 .../src/lib/components/MessageHistory.svelte  | 20 +++-
 .../src/lib/components/NewChatModal.svelte    |  4 +-
 .../frontend/src/lib/crypto/keyManager.ts     |  6 +-
 .../src/lib/crypto/symmetricRatchet.ts        |  8 ++
 .../frontend/src/lib/services/canisteApi.ts   |  6 +-
 .../frontend/src/lib/services/chatStorage.ts  |  4 +-
 .../lib/services/encryptedMessagingService.ts |  5 +-
 .../services/ratchetInitializationService.ts  | 26 +++++-
 .../frontend/src/lib/stores/auth.svelte.ts    | 15 +--
 .../frontend/src/lib/stores/chat.svelte.ts    | 10 +-
 .../frontend/src/lib/types/index.ts           |  3 +-
 .../encrypted_chat/frontend/svelte.config.js  |  3 +
 .../encrypted_chat/rust/backend/backend.did   | 12 +--
 .../encrypted_chat/rust/backend/src/lib.rs    | 12 +--
 .../encrypted_chat/rust/backend/src/types.rs  | 16 ++--
 19 files changed, 168 insertions(+), 92 deletions(-)

diff --git a/examples/encrypted_chat/README.md b/examples/encrypted_chat/README.md
index e69de29b..6af52c58 100644
--- a/examples/encrypted_chat/README.md
+++ b/examples/encrypted_chat/README.md
@@ -0,0 +1 @@
+https://icp.ninja/editor?g=https://github.com/dfinity/vetkeys/tree/alex/encrypted-chat/examples/encrypted_chat/rust
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/package-lock.json b/examples/encrypted_chat/frontend/package-lock.json
index 5c0f606e..227bc364 100644
--- a/examples/encrypted_chat/frontend/package-lock.json
+++ b/examples/encrypted_chat/frontend/package-lock.json
@@ -67,6 +67,7 @@
 			"resolved": "https://registry.npmjs.org/@dfinity/agent/-/agent-3.1.0.tgz",
 			"integrity": "sha512-4ktWU9KoB+Y0y84i0c2up9xmek2WjwSsbh4zGUK+o3VwZyqH8Cck4Fh4eiTa5jOve/vtfSVDbUVNFXsaS3Gttw==",
 			"license": "Apache-2.0",
+			"peer": true,
 			"dependencies": {
 				"@dfinity/cbor": "^0.2.2",
 				"@noble/curves": "^1.9.2"
@@ -96,6 +97,7 @@
 			"resolved": "https://registry.npmjs.org/@dfinity/candid/-/candid-3.1.0.tgz",
 			"integrity": "sha512-YwZJROFmzPa4GCJJyGCoOYJ2pKmp9rboixGQSbLPekX0n0oU0mcEbuVKJFu6HY6CnoDoI8YKc9x+jlqh4n0u5A==",
 			"license": "Apache-2.0",
+			"peer": true,
 			"peerDependencies": {
 				"@dfinity/principal": "3.1.0"
 			}
@@ -125,6 +127,7 @@
 			"resolved": "https://registry.npmjs.org/@dfinity/principal/-/principal-3.1.0.tgz",
 			"integrity": "sha512-ef2JbgwQGtam0s19bH9CaR8ztpuoNx10eC6/kBjR/R8VC2eIBlaJHvD0lXDrBWGtOPZGzEy/XAugeBr3raxZ8A==",
 			"license": "Apache-2.0",
+			"peer": true,
 			"dependencies": {
 				"@noble/hashes": "^1.8.0"
 			}
@@ -917,6 +920,7 @@
 			"resolved": "https://registry.npmjs.org/@noble/curves/-/curves-1.9.6.tgz",
 			"integrity": "sha512-GIKz/j99FRthB8icyJQA51E8Uk5hXmdyThjgQXRKiv9h0zeRlzSCLIzFw6K1LotZ3XuB7yzlf76qk7uBmTdFqA==",
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"@noble/hashes": "1.8.0"
 			},
@@ -932,6 +936,7 @@
 			"resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz",
 			"integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==",
 			"license": "MIT",
+			"peer": true,
 			"engines": {
 				"node": "^14.21.3 || >=16"
 			},
@@ -1652,9 +1657,9 @@
 			}
 		},
 		"node_modules/@sveltejs/adapter-auto": {
-			"version": "6.0.1",
-			"resolved": "https://registry.npmjs.org/@sveltejs/adapter-auto/-/adapter-auto-6.0.1.tgz",
-			"integrity": "sha512-mcWud3pYGPWM2Pphdj8G9Qiq24nZ8L4LB7coCUckUEy5Y7wOWGJ/enaZ4AtJTcSm5dNK1rIkBRoqt+ae4zlxcQ==",
+			"version": "6.1.1",
+			"resolved": "https://registry.npmjs.org/@sveltejs/adapter-auto/-/adapter-auto-6.1.1.tgz",
+			"integrity": "sha512-cBNt4jgH4KuaNO5gRSB2CZKkGtz+OCZ8lPjRQGjhvVUD4akotnj2weUia6imLl2v07K3IgsQRyM36909miSwoQ==",
 			"dev": true,
 			"license": "MIT",
 			"peerDependencies": {
@@ -1662,26 +1667,27 @@
 			}
 		},
 		"node_modules/@sveltejs/adapter-static": {
-			"version": "3.0.8",
-			"resolved": "https://registry.npmjs.org/@sveltejs/adapter-static/-/adapter-static-3.0.8.tgz",
-			"integrity": "sha512-YaDrquRpZwfcXbnlDsSrBQNCChVOT9MGuSg+dMAyfsAa1SmiAhrA5jUYUiIMC59G92kIbY/AaQOWcBdq+lh+zg==",
+			"version": "3.0.10",
+			"resolved": "https://registry.npmjs.org/@sveltejs/adapter-static/-/adapter-static-3.0.10.tgz",
+			"integrity": "sha512-7D9lYFWJmB7zxZyTE/qxjksvMqzMuYrrsyh1f4AlZqeZeACPRySjbC3aFiY55wb1tWUaKOQG9PVbm74JcN2Iew==",
 			"license": "MIT",
 			"peerDependencies": {
 				"@sveltejs/kit": "^2.0.0"
 			}
 		},
 		"node_modules/@sveltejs/kit": {
-			"version": "2.27.1",
-			"resolved": "https://registry.npmjs.org/@sveltejs/kit/-/kit-2.27.1.tgz",
-			"integrity": "sha512-u5HbL9T4TgWZwXZM7hwdT0f5sDkGaNxsSrLYQoql+eiz2+9rcbbq4MiOAPoRtXG0dys5P5ixBmyQdqZedwZUlA==",
+			"version": "2.44.0",
+			"resolved": "https://registry.npmjs.org/@sveltejs/kit/-/kit-2.44.0.tgz",
+			"integrity": "sha512-xU5qP7PiYmrSH70Whm/I+nf0j4xBnHyRQNkC1SEfaBOwCCkkeuL6WNxSb8q4Ib7+Z+sZ4JUTDYHfoyVm02EXVQ==",
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"@standard-schema/spec": "^1.0.0",
 				"@sveltejs/acorn-typescript": "^1.0.5",
 				"@types/cookie": "^0.6.0",
 				"acorn": "^8.14.1",
 				"cookie": "^0.6.0",
-				"devalue": "^5.1.0",
+				"devalue": "^5.3.2",
 				"esm-env": "^1.2.2",
 				"kleur": "^4.1.5",
 				"magic-string": "^0.30.5",
@@ -1697,9 +1703,15 @@
 				"node": ">=18.13"
 			},
 			"peerDependencies": {
+				"@opentelemetry/api": "^1.0.0",
 				"@sveltejs/vite-plugin-svelte": "^3.0.0 || ^4.0.0-next.1 || ^5.0.0 || ^6.0.0-next.0",
 				"svelte": "^4.0.0 || ^5.0.0-next.0",
 				"vite": "^5.0.3 || ^6.0.0 || ^7.0.0-beta.0"
+			},
+			"peerDependenciesMeta": {
+				"@opentelemetry/api": {
+					"optional": true
+				}
 			}
 		},
 		"node_modules/@sveltejs/vite-plugin-svelte": {
@@ -1707,6 +1719,7 @@
 			"resolved": "https://registry.npmjs.org/@sveltejs/vite-plugin-svelte/-/vite-plugin-svelte-6.1.0.tgz",
 			"integrity": "sha512-+U6lz1wvGEG/BvQyL4z/flyNdQ9xDNv5vrh+vWBWTHaebqT0c9RNggpZTo/XSPoHsSCWBlYaTlRX8pZ9GATXCw==",
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"@sveltejs/vite-plugin-svelte-inspector": "^5.0.0-next.1",
 				"debug": "^4.4.1",
@@ -2098,6 +2111,7 @@
 			"integrity": "sha512-g3WpVQHngx0aLXn6kfIYCZxM6rRJlWzEkVpqEFLT3SgEDsp9cpCbxxgwnE504q4H+ruSDh/VGS6nqZIDynP+vg==",
 			"dev": true,
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"@typescript-eslint/scope-manager": "8.39.0",
 				"@typescript-eslint/types": "8.39.0",
@@ -2315,6 +2329,7 @@
 			"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
 			"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
 			"license": "MIT",
+			"peer": true,
 			"bin": {
 				"acorn": "bin/acorn"
 			},
@@ -2599,9 +2614,9 @@
 			}
 		},
 		"node_modules/devalue": {
-			"version": "5.1.1",
-			"resolved": "https://registry.npmjs.org/devalue/-/devalue-5.1.1.tgz",
-			"integrity": "sha512-maua5KUiapvEwiEAe+XnlZ3Rh0GD+qI1J/nb9vrJc3muPXvcF/8gXYTWF76+5DAqHyDUtOIImEuo0YKE9mshVw==",
+			"version": "5.3.2",
+			"resolved": "https://registry.npmjs.org/devalue/-/devalue-5.3.2.tgz",
+			"integrity": "sha512-UDsjUbpQn9kvm68slnrs+mfxwFkIflOhkanmyabZ8zOYk8SMEIbJ3TK+88g70hSIeytu4y18f0z/hYHMTrXIWw==",
 			"license": "MIT"
 		},
 		"node_modules/enhanced-resolve": {
@@ -2678,6 +2693,7 @@
 			"integrity": "sha512-LSehfdpgMeWcTZkWZVIJl+tkZ2nuSkyyB9C27MZqFWXuph7DvaowgcTvKqxvpLW1JZIk8PN7hFY3Rj9LQ7m7lg==",
 			"dev": true,
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"@eslint-community/eslint-utils": "^4.2.0",
 				"@eslint-community/regexpp": "^4.12.1",
@@ -2970,10 +2986,13 @@
 			}
 		},
 		"node_modules/fdir": {
-			"version": "6.4.6",
-			"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.6.tgz",
-			"integrity": "sha512-hiFoqpyZcfNm1yc4u8oWCf9A2c4D3QjCrks3zmoVKVxpQRzmPNar1hUJcBG2RQHvEVGDN+Jm81ZheVLAQMK6+w==",
+			"version": "6.5.0",
+			"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
+			"integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
 			"license": "MIT",
+			"engines": {
+				"node": ">=12.0.0"
+			},
 			"peerDependencies": {
 				"picomatch": "^3 || ^4"
 			},
@@ -3967,6 +3986,7 @@
 				}
 			],
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"nanoid": "^3.3.11",
 				"picocolors": "^1.1.1",
@@ -4100,6 +4120,7 @@
 			"integrity": "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ==",
 			"dev": true,
 			"license": "MIT",
+			"peer": true,
 			"bin": {
 				"prettier": "bin/prettier.cjs"
 			},
@@ -4116,6 +4137,7 @@
 			"integrity": "sha512-pn1ra/0mPObzqoIQn/vUTR3ZZI6UuZ0sHqMK5x2jMLGrs53h0sXhkVuDcrlssHwIMk7FYrMjHBPoUSyyEEDlBQ==",
 			"dev": true,
 			"license": "MIT",
+			"peer": true,
 			"peerDependencies": {
 				"prettier": "^3.0.0",
 				"svelte": "^3.2.0 || ^4.0.0-next.0 || ^5.0.0-next.0"
@@ -4299,6 +4321,7 @@
 			"resolved": "https://registry.npmjs.org/rollup/-/rollup-4.46.2.tgz",
 			"integrity": "sha512-WMmLFI+Boh6xbop+OAGo9cQ3OgX9MIg7xOQjn+pTCwOkk+FNDAeAemXkJ3HzDJrVXleLOFVa1ipuc1AmEx1Dwg==",
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"@types/estree": "1.0.8"
 			},
@@ -4390,6 +4413,7 @@
 			"resolved": "https://registry.npmjs.org/sass/-/sass-1.90.0.tgz",
 			"integrity": "sha512-9GUyuksjw70uNpb1MTYWsH9MQHOHY6kwfnkafC24+7aOMZn9+rVMBxRbLvw756mrBFbIsFg6Xw9IkR2Fnn3k+Q==",
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"chokidar": "^4.0.0",
 				"immutable": "^5.0.2",
@@ -4514,6 +4538,7 @@
 			"resolved": "https://registry.npmjs.org/svelte/-/svelte-5.37.3.tgz",
 			"integrity": "sha512-7t/ejshehHd+95z3Z7ebS7wsqHDQxi/8nBTuTRwpMgNegfRBfuitCSKTUDKIBOExqfT2+DhQ2VLG8Xn+cBXoaQ==",
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"@ampproject/remapping": "^2.3.0",
 				"@jridgewell/sourcemap-codec": "^1.5.0",
@@ -4597,7 +4622,8 @@
 			"version": "4.1.11",
 			"resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.11.tgz",
 			"integrity": "sha512-2E9TBm6MDD/xKYe+dvJZAmg3yxIEDNRc0jwlNyDg/4Fil2QcSLjFKGVff0lAf1jjeaArlG/M75Ey/EYr/OJtBA==",
-			"license": "MIT"
+			"license": "MIT",
+			"peer": true
 		},
 		"node_modules/tapable": {
 			"version": "2.2.2",
@@ -4628,13 +4654,13 @@
 			}
 		},
 		"node_modules/tinyglobby": {
-			"version": "0.2.14",
-			"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.14.tgz",
-			"integrity": "sha512-tX5e7OM1HnYr2+a2C/4V0htOcSQcoSTH9KgJnVvNm5zm/cyEWKJ7j7YutsH9CxMdtOkkLFy2AHrMci9IM8IPZQ==",
+			"version": "0.2.15",
+			"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
+			"integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==",
 			"license": "MIT",
 			"dependencies": {
-				"fdir": "^6.4.4",
-				"picomatch": "^4.0.2"
+				"fdir": "^6.5.0",
+				"picomatch": "^4.0.3"
 			},
 			"engines": {
 				"node": ">=12.0.0"
@@ -4709,6 +4735,7 @@
 			"integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
 			"dev": true,
 			"license": "Apache-2.0",
+			"peer": true,
 			"bin": {
 				"tsc": "bin/tsc",
 				"tsserver": "bin/tsserver"
@@ -4741,6 +4768,13 @@
 				"typescript": ">=4.8.4 <6.0.0"
 			}
 		},
+		"node_modules/undici-types": {
+			"version": "7.14.0",
+			"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.14.0.tgz",
+			"integrity": "sha512-QQiYxHuyZ9gQUIrmPo3IA+hUl4KYk8uSA7cHrcKd/l3p1OTpZcM0Tbp9x7FAtXdAYhlasd60ncPpgu6ihG6TOA==",
+			"license": "MIT",
+			"optional": true
+		},
 		"node_modules/uri-js": {
 			"version": "4.4.1",
 			"resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
@@ -4759,17 +4793,18 @@
 			"license": "MIT"
 		},
 		"node_modules/vite": {
-			"version": "7.0.6",
-			"resolved": "https://registry.npmjs.org/vite/-/vite-7.0.6.tgz",
-			"integrity": "sha512-MHFiOENNBd+Bd9uvc8GEsIzdkn1JxMmEeYX35tI3fv0sJBUTfW5tQsoaOwuY4KhBI09A3dUJ/DXf2yxPVPUceg==",
+			"version": "7.1.9",
+			"resolved": "https://registry.npmjs.org/vite/-/vite-7.1.9.tgz",
+			"integrity": "sha512-4nVGliEpxmhCL8DslSAUdxlB6+SMrhB0a1v5ijlh1xB1nEPuy1mxaHxysVucLHuWryAxLWg6a5ei+U4TLn/rFg==",
 			"license": "MIT",
+			"peer": true,
 			"dependencies": {
 				"esbuild": "^0.25.0",
-				"fdir": "^6.4.6",
+				"fdir": "^6.5.0",
 				"picomatch": "^4.0.3",
 				"postcss": "^8.5.6",
-				"rollup": "^4.40.0",
-				"tinyglobby": "^0.2.14"
+				"rollup": "^4.43.0",
+				"tinyglobby": "^0.2.15"
 			},
 			"bin": {
 				"vite": "bin/vite.js"
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index ff61ff03..74373b27 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -7,6 +7,11 @@
 	import { chatIdToString, chatIdFromString } from '$lib/utils';
 
 	let showNewChat = $state(false);
+
+	function handleSelect(e: CustomEvent<string>) {
+		const chatId = e.detail;
+		selectedChatId.state = chatIdFromString(chatId);
+	}
 </script>
 
 <div class="chat-list glass-effect flex h-full flex-col border-r border-white/20 backdrop-blur-xl">
@@ -33,10 +38,11 @@
 		{#each chats.state as chat (chat.idStr)}
 			<ChatListItem
 				{chat}
-				isSelected={selectedChatId.state
+				isSelected={
+				selectedChatId.state
 					? chatIdToString(selectedChatId.state) === chat.idStr
 					: false}
-				on:select={(e: CustomEvent<string>) => (selectedChatId.state = chatIdFromString(e.detail))}
+				on:select={handleSelect}
 			/>
 		{:else}
 			<div class="p-8 text-center text-surface-600-500">
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
index 44b2847d..c551e8eb 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
@@ -143,10 +143,10 @@
 		<div
 			class="message-bubble {getMessageBubbleClasses()} inline-block max-w-full rounded-2xl px-3 py-2 break-words"
 		>
-			{#if message.type === 'text'}
+			{#if message.fileData === undefined}
 				<!-- eslint-disable-next-line svelte/no-at-html-tags -->
 				<p class="text-sm whitespace-pre-wrap">{@html parseEmojis(message.content)}</p>
-			{:else if message.type === 'file' && message.fileData}
+			{:else if message.fileData !== undefined}
 				<div class="file-message">
 					{#if isImageFile(message.fileData.type)}
 						<div class="image-preview mb-2">
@@ -196,9 +196,7 @@
 					: 'text-left'}"
 			>
 				<span>{formatTime(message.timestamp)}</span>
-				{#if message.isEncrypted}
-					<span class="ml-1">🔒</span>
-				{/if}
+				<span class="ml-1">🔒</span>
 				<span class="ml-1 opacity-70"
 					>vetKeyEpoch
 					{message.vetkeyEpoch} SymmRatchetEpoch {message.symmetricRatchetEpoch}</span
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
index fc8defff..67f7473d 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageHistory.svelte
@@ -5,6 +5,7 @@
 	import { SvelteDate } from 'svelte/reactivity';
 	import { auth, getMyPrincipal } from '$lib/stores/auth.svelte';
 	import { chatIdToString } from '$lib/utils';
+	import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
 
 	let messagesContainer: HTMLDivElement | undefined = $state(undefined);
 	let autoScroll = $state(true);
@@ -17,9 +18,7 @@
 			: null
 	);
 
-	const selectedChatMessages = $derived(
-		selectedChatId.state ? (messages.state[chatIdToString(selectedChatId.state)] ?? []) : []
-	);
+	const selectedChatMessages = $derived(setSelectedChatMessages());
 
 	// Scroll to bottom when new messages arrive (after DOM updates)
 	$effect(() => {
@@ -31,6 +30,19 @@
 		}
 	});
 
+	$effect(() => {
+		console.log(
+			'selectedChatMessages',
+			selectedChatMessages.map((m) => m.messageId)
+		);
+	});
+
+	function setSelectedChatMessages(): Message[] {
+		if (!selectedChatId.state) return [];
+		const selectedChatIdStr = chatIdToString(selectedChatId.state);
+		return messages.state[selectedChatIdStr] ?? [];
+	}
+
 	// Check if user has scrolled up (disable auto-scroll)
 	function handleScroll() {
 		if (!messagesContainer) return;
@@ -178,7 +190,7 @@
 			{:else}
 				<!-- Messages -->
 				<div class="messages-list py-4">
-					{#each selectedChatMessages as message, index (message.chatMessageId)}
+					{#each selectedChatMessages as message, index (message.messageId)}
 						<!-- Date separator -->
 						{#if shouldShowDateSeparator(message, index)}
 							<div class="date-separator flex items-center justify-center py-4">
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
index 33209e08..28c227f2 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
@@ -11,12 +11,12 @@
 	// Direct chat form
 	let directPrincipal = $state('');
 	let directRotationMinutes = $state(60);
-	let directExpirationMinutes = $state(0);
+	let directExpirationMinutes = $state(1440);
 
 	// Group chat form
 	let groupPrincipalsText = $state('');
 	let groupRotationMinutes = $state(60);
-	let groupExpirationMinutes = $state(0);
+	let groupExpirationMinutes = $state(1440);
 
 	function close() {
 		show = false;
diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts b/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
index 73066f29..69c7394a 100644
--- a/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
@@ -17,7 +17,7 @@ export class KeyManager {
 			);
 		}
 		console.log(
-			`KeyManager.inductState: Inducting state for chatId ${chatId} and vetKeyEpoch ${vetKeyEpoch}`
+			`KeyManager.inductState: Inducting state for chatId ${chatId} and vetKeyEpoch ${vetKeyEpoch} with creation time ${state.getCreationTime().toUTCString()} and ratchet epoch ${state.getCurrentEpoch().toString()}`
 		);
 		this.#symmetricRatchetStates.set(chatId, new Map([[vetKeyEpoch, state]]));
 	}
@@ -80,9 +80,9 @@ export class KeyManager {
 		}
 		let last = null;
 
-		for (const [vetKeyEpoch, state] of chatIdEpochStates.entries()) {
+		for (const [vetKeyEpoch, symmetricRatchetState] of chatIdEpochStates.entries()) {
 			if (last === null || vetKeyEpoch > last.vetKeyEpoch) {
-				last = { vetKeyEpoch, symmetricRatchetState: state };
+				last = { vetKeyEpoch, symmetricRatchetState };
 			}
 		}
 		if (last === null) {
diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
index 132e9ab4..cbe028b1 100644
--- a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
@@ -163,6 +163,14 @@ export class SymmetricRatchetState {
 		);
 		return result;
 	}
+
+	getCurrentEpoch(): bigint {
+		return this.#symmetricRatchetEpoch;
+	}
+
+	getCreationTime(): Date {
+		return this.#creationTime;
+	}
 }
 
 /// Contains a raw key and the symmetric ratchet epoch.
diff --git a/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts b/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
index 34009bb0..7eea0e8d 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
@@ -172,11 +172,7 @@ export class CanisterAPI {
 		startId: bigint,
 		limit: bigint | undefined
 	): Promise<EncryptedMessage[]> {
-		const result = await actor.get_some_messages_for_chat_starting_from(
-			chatId,
-			startId,
-			limit ? [Number(limit)] : []
-		);
+		const result = await actor.get_messages(chatId, startId, limit ? [Number(limit)] : []);
 		console.log(
 			`fetchEncryptedMessages: ${stringifyBigInt(chatId)} from ${startId.toString()} with limit ${limit} with result ${stringifyBigInt(result)}`
 		);
diff --git a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
index a6e8dfc5..e3c1d26c 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
@@ -6,9 +6,9 @@ import { storagePrefixes } from '../types';
 export class ChatStorageService {
 	async saveMessage(message: Message): Promise<void> {
 		console.log(
-			`ChatStorageService: Saving from chat ${message.chatId} message ${message.chatMessageId} to indexedDB`
+			`ChatStorageService: Saving from chat ${message.chatId} message ${message.messageId} to indexedDB`
 		);
-		await set([storagePrefixes.MESSAGE_PREFIX, message.chatId, message.chatMessageId], message);
+		await set([storagePrefixes.MESSAGE_PREFIX, message.chatId, message.messageId], message);
 	}
 
 	async getMessages(chatId: string): Promise<Message[]> {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index 0c992683..ce980ce8 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -307,7 +307,7 @@ export class EncryptedMessagingService {
 				const decrypted = await this.#keyManager.decryptAtTimeAndEvolveIfNeeded(
 					chatIdStr,
 					encryptedMessage.metadata.sender,
-					encryptedMessage.metadata.sender_message_id,
+					encryptedMessage.metadata.nonce,
 					encryptedMessage.metadata.vetkey_epoch,
 					new Uint8Array(encryptedMessage.content),
 					new Date(Number(encryptedMessage.metadata.timestamp / 1_000_000n))
@@ -352,12 +352,11 @@ export class EncryptedMessagingService {
 		const json = JSON.parse(new TextDecoder().decode(decrypted)) as MessageContent;
 
 		return {
-			chatMessageId: metadata.chat_message_id.toString(),
+			messageId: metadata.chat_message_id.toString(),
 			chatId: chatIdStr,
 			senderId: metadata.sender.toText(),
 			content: json.textContent,
 			timestamp: new Date(Number(metadata.timestamp / 1_000_000n)),
-			type: 'text',
 			fileData: json.fileData,
 			vetkeyEpoch: Number(metadata.vetkey_epoch),
 			symmetricRatchetEpoch: Number(metadata.symmetric_key_epoch)
diff --git a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
index 63d8fa0f..9431743e 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
@@ -25,10 +25,13 @@ export class RatchetInitializationService {
 		const rotationDuration = new Date(
 			Number(metadata.symmetric_key_rotation_duration / 1_000_000n)
 		);
+		console.log(
+			`RatchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded: Initializing ratchet state for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()} with creation time ${creationTime.toUTCString()} and rotation duration ${rotationDuration.toUTCString()}`
+		);
 
 		try {
 			const keyState = await this.cryptoKeyStateFromLocalStorage(chatId, vetKeyEpoch);
-			return new SymmetricRatchetState(keyState.key, vetKeyEpoch, creationTime, rotationDuration);
+			return new SymmetricRatchetState(keyState.key, 0n, creationTime, rotationDuration);
 		} catch (error) {
 			console.info(
 				`User doesn't have key in persistent storage for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
@@ -38,7 +41,12 @@ export class RatchetInitializationService {
 
 		try {
 			const keyState = await this.cryptoKeyStateFromRemoteCache(chatId, vetKeyEpoch);
-			return new SymmetricRatchetState(keyState.key, vetKeyEpoch, creationTime, rotationDuration);
+			return new SymmetricRatchetState(
+				keyState.key,
+				keyState.symmetricKeyEpoch,
+				creationTime,
+				rotationDuration
+			);
 		} catch (error) {
 			console.info(
 				`User doesn't have key in remote cache for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
@@ -48,14 +56,24 @@ export class RatchetInitializationService {
 
 		try {
 			const keyState = await this.cryptoKeyStateFromResharedVetKey(chatId, vetKeyEpoch);
-			return new SymmetricRatchetState(keyState.key, vetKeyEpoch, creationTime, rotationDuration);
+			return new SymmetricRatchetState(
+				keyState.key,
+				keyState.symmetricKeyEpoch,
+				creationTime,
+				rotationDuration
+			);
 		} catch (error) {
 			console.info('Failed to fetch reshared IBE encrypted vetkey: ', error);
 		}
 
 		try {
 			const keyState = await this.fetchAndReshareAndCacheVetKey(chatId, vetKeyEpoch);
-			return new SymmetricRatchetState(keyState.key, vetKeyEpoch, creationTime, rotationDuration);
+			return new SymmetricRatchetState(
+				keyState.key,
+				keyState.symmetricKeyEpoch,
+				creationTime,
+				rotationDuration
+			);
 		} catch (error) {
 			console.info('Failed to fetch vetkey: ', error);
 		}
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
index 2fd7fae9..a176a736 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
@@ -5,6 +5,7 @@ import type { Principal } from '@dfinity/principal';
 import type { _SERVICE } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { createActor } from '../../declarations/encrypted_chat';
 import fetch from 'isomorphic-fetch';
+import { DFX_NETWORK, CANISTER_ID_ENCRYPTED_CHAT } from '$env/static/public';
 
 if (import.meta.env.SSR || typeof window === 'undefined') {
 	const {
@@ -69,11 +70,11 @@ void initAuth();
 
 export async function login() {
 	if (auth.state.label === 'anonymous') {
-		const client = $state.snapshot(auth.state.client) as AuthClient;
+		const client = auth.state.client;
 		await client.login({
 			maxTimeToLive: BigInt(8 * 3600) * BigInt(1_000_000_000), // 8 hours
 			identityProvider:
-				globalThis.process.env.DFX_NETWORK === 'ic'
+				DFX_NETWORK === 'ic'
 					? 'https://identity.ic0.app/#authorize'
 					: `http://rdmx6-jaaaa-aaaaa-aaadq-cai.localhost:4943/#authorize`,
 			onSuccess: () => {
@@ -109,18 +110,18 @@ export function getMyPrincipal(): Principal {
 
 export function getActor(): ActorSubclass<_SERVICE> {
 	if (auth.state.label === 'initialized') {
-		const host = process.env.DFX_NETWORK === 'ic' ? 'https://icp0.app' : 'http://localhost:4943';
-		const shouldFetchRootKey = process.env.DFX_NETWORK !== 'ic';
+		const host = DFX_NETWORK === 'ic' ? 'https://icp0.app' : 'http://localhost:4943';
+		const shouldFetchRootKey = DFX_NETWORK !== 'ic';
 		const agent = HttpAgent.createSync({
 			identity: auth.state.client.getIdentity(),
 			fetch: fetch,
 			host,
 			shouldFetchRootKey
 		});
-		if (!process.env.CANISTER_ID_ENCRYPTED_CHAT) {
+		if (!CANISTER_ID_ENCRYPTED_CHAT) {
 			throw new Error('CANISTER_ID_ENCRYPTED_CHAT is not set');
-		}
-		return createActor(process.env.CANISTER_ID_ENCRYPTED_CHAT, { agent });
+		} 
+		return createActor(CANISTER_ID_ENCRYPTED_CHAT, { agent });
 	} else {
 		throw new Error('Not authenticated');
 	}
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 01279fbb..25429713 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -81,7 +81,7 @@ export const chatUIActions = {
 				if (chatMessages.length !== 0) {
 					encryptedMessagingService.skipMessagesAvailableLocally(
 						chatIdFromString(chat.idStr),
-						BigInt(chatMessages[chatMessages.length - 1].chatMessageId) + 1n
+						BigInt(chatMessages[chatMessages.length - 1].messageId) + 1n
 					);
 				}
 				messages.state[chat.idStr] = [...chatMessages];
@@ -219,11 +219,15 @@ export const chatUIActions = {
 
 			for (const m of messagesArray) await chatStorageService.saveMessage(m);
 
-			messages.state = {
+			const chatMessages = [...messages.state[chatIdStr], ...messagesArray];
+
+			const newMessagesState = {
 				...messages.state,
-				[chatIdStr]: [...messages.state[chatIdStr], ...messagesArray]
+				[chatIdStr]: chatMessages
 			};
 
+			messages.state = newMessagesState;
+
 			chats.state = chats.state.map((c) =>
 				c.idStr === chatIdStr
 					? {
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index 1aa4c978..34b541d3 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -9,12 +9,11 @@ export interface User {
 }
 
 export interface Message {
-	chatMessageId: string;
+	messageId: string;
 	chatId: string;
 	senderId: string;
 	content: string;
 	timestamp: Date;
-	type: 'text' | 'file' | 'image';
 	fileData?: {
 		name: string;
 		size: number;
diff --git a/examples/encrypted_chat/frontend/svelte.config.js b/examples/encrypted_chat/frontend/svelte.config.js
index bb8bd6fc..0cf8ed3f 100644
--- a/examples/encrypted_chat/frontend/svelte.config.js
+++ b/examples/encrypted_chat/frontend/svelte.config.js
@@ -15,6 +15,9 @@ const config = {
 		},
 		output: {
 			bundleStrategy: 'single'
+		},
+		env: {
+			publicPrefix: ''
 		}
 	},
 	compilerOptions: {
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index a206978d..758402d4 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -11,8 +11,8 @@ type EncryptedMessageMetadata = record {
   sender : principal;
   symmetric_key_epoch : nat64;
   chat_message_id : nat64;
+  nonce : nat64;
   timestamp : nat64;
-  sender_message_id : nat64;
 };
 type GroupChatMetadata = record { creation_timestamp : nat64; chat_id : nat64 };
 type GroupModification = record {
@@ -57,9 +57,6 @@ service : (text) -> {
   first_accessible_message_id : (nat64) -> (opt nat64) query;
   get_encrypted_vetkey_for_my_cache_storage : (blob) -> (blob);
   get_latest_chat_vetkey_epoch_metadata : (ChatId) -> (Result_3) query;
-  get_my_chat_ids : () -> (vec record { ChatId; nat64 }) query;
-  get_my_reshared_ibe_encrypted_vetkey : (ChatId, nat64) -> (Result_4);
-  get_my_symmetric_key_cache : (ChatId, nat64) -> (Result_4);
   // Returns messages for a chat starting from a given message id.
   // 
   // # Arguments
@@ -69,9 +66,10 @@ service : (text) -> {
   // 
   // # Notes
   // * Does not fail if the chat does not exist or the user has no access -- returns empty vector instead.
-  get_some_messages_for_chat_starting_from : (ChatId, nat64, opt nat32) -> (
-      vec EncryptedMessage,
-    ) query;
+  get_messages : (ChatId, nat64, opt nat32) -> (vec EncryptedMessage) query;
+  get_my_chat_ids : () -> (vec record { ChatId; nat64 }) query;
+  get_my_reshared_ibe_encrypted_vetkey : (ChatId, nat64) -> (Result_4);
+  get_my_symmetric_key_cache : (ChatId, nat64) -> (Result_4);
   get_vetkey_epoch_metadata : (ChatId, nat64) -> (Result_3) query;
   get_vetkey_resharing_ibe_decryption_key : (blob) -> (blob);
   get_vetkey_resharing_ibe_encryption_key : (principal) -> (blob);
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index e18f4361..4c9d0392 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -430,7 +430,7 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
-            sender_message_id: user_message.message_id,
+            nonce: user_message.message_id,
         },
     };
 
@@ -492,7 +492,7 @@ fn send_group_message(
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
-            sender_message_id: user_message.message_id,
+            nonce: user_message.message_id,
         },
     };
 
@@ -554,7 +554,7 @@ fn get_my_chat_ids() -> Vec<(ChatId, ChatMessageId)> {
 /// # Notes
 /// * Does not fail if the chat does not exist or the user has no access -- returns empty vector instead.
 #[ic_cdk::query]
-fn get_some_messages_for_chat_starting_from(
+fn get_messages(
     chat_id: ChatId,
     message_id: ChatMessageId,
     limit: Option<u32>,
@@ -1097,15 +1097,15 @@ fn ensure_chat_and_vetkey_epoch_exist(
 
 fn ensure_message_id_is_unique(
     chat_id: ChatId,
-    sender_message_id: SenderMessageId,
+    nonce: SenderMessageId,
 ) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     let maybe_existing_id = SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID
-        .with_borrow(|message_ids| message_ids.get(&(chat_id, Sender(caller), sender_message_id)));
+        .with_borrow(|message_ids| message_ids.get(&(chat_id, Sender(caller), nonce)));
 
     match maybe_existing_id {
         Some(_) => Err(format!(
-            "Message {sender_message_id:?} already exists for sender {caller} chat {chat_id:?}"
+            "Message {nonce:?} already exists for sender {caller} chat {chat_id:?}"
         )),
         None => Ok(()),
     }
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index 4a277f4e..81c6897c 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -59,7 +59,7 @@ pub struct EncryptedMessageMetadata {
     pub vetkey_epoch: VetKeyEpochId,
     pub symmetric_key_epoch: SymmetricKeyEpochId,
     pub chat_message_id: ChatMessageId,
-    pub sender_message_id: SenderMessageId,
+    pub nonce: SenderMessageId,
 }
 
 impl Storable for EncryptedMessageMetadata {
@@ -70,7 +70,7 @@ impl Storable for EncryptedMessageMetadata {
         bytes.extend_from_slice(&self.vetkey_epoch.0.to_le_bytes());
         bytes.extend_from_slice(&self.symmetric_key_epoch.0.to_le_bytes());
         bytes.extend_from_slice(&self.chat_message_id.0.to_le_bytes());
-        bytes.extend_from_slice(&self.sender_message_id.0.to_le_bytes());
+        bytes.extend_from_slice(&self.nonce.0.to_le_bytes());
         Cow::Owned(bytes)
     }
 
@@ -95,13 +95,11 @@ impl Storable for EncryptedMessageMetadata {
             symmetric_key_epoch_bytes.try_into().unwrap(),
         ));
 
-        let (chat_message_id_bytes, sender_message_id_bytes) = rest.split_at(8);
-        let chat_message_id = ChatMessageId(u64::from_le_bytes(
-            chat_message_id_bytes.try_into().unwrap(),
-        ));
+        let (chat_message_id_bytes, nonce_bytes) = rest.split_at(8);
+        let chat_message_id = ChatMessageId(u64::from_le_bytes(chat_message_id_bytes.try_into().unwrap()));
 
-        let sender_message_id = SenderMessageId(u64::from_le_bytes(
-            sender_message_id_bytes.try_into().unwrap(),
+        let nonce = SenderMessageId(u64::from_le_bytes(
+            nonce_bytes.try_into().unwrap(),
         ));
 
         Self {
@@ -110,7 +108,7 @@ impl Storable for EncryptedMessageMetadata {
             vetkey_epoch,
             symmetric_key_epoch,
             chat_message_id,
-            sender_message_id,
+            nonce,
         }
     }
 

From 6a6d8961ec05b59a14918c86af9db6561ff593d1 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Tue, 7 Oct 2025 17:53:21 +0200
Subject: [PATCH 41/62] wip

---
 .../encrypted_chat/frontend/package-lock.json | 153 +++++++++++++++++-
 examples/encrypted_chat/frontend/package.json |   2 +
 examples/encrypted_chat/frontend/src/app.css  |  13 ++
 .../src/lib/components/MessageBubble.svelte   |  13 +-
 .../src/lib/components/MessageInput.svelte    |  17 --
 .../src/lib/components/ui/Dialog.svelte       |   0
 .../src/lib/components/ui/Input.svelte        |   0
 .../lib/services/encryptedMessagingService.ts |  17 +-
 .../frontend/src/lib/stores/chat.svelte.ts    |   3 +-
 .../frontend/src/lib/types/index.ts           |   2 +-
 10 files changed, 179 insertions(+), 41 deletions(-)
 delete mode 100644 examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte
 delete mode 100644 examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte

diff --git a/examples/encrypted_chat/frontend/package-lock.json b/examples/encrypted_chat/frontend/package-lock.json
index 227bc364..e7f44624 100644
--- a/examples/encrypted_chat/frontend/package-lock.json
+++ b/examples/encrypted_chat/frontend/package-lock.json
@@ -15,6 +15,8 @@
 				"@skeletonlabs/skeleton": "^3.1.7",
 				"@skeletonlabs/tw-plugin": "^0.4.1",
 				"@sveltejs/adapter-static": "^3.0.8",
+				"base64-js": "^1.5.1",
+				"cbor-x": "^1.6.0",
 				"fake-indexeddb": "^6.0.1",
 				"idb-keyval": "^6.2.2",
 				"isomorphic-fetch": "^3.0.0",
@@ -62,6 +64,84 @@
 				"node": ">=6.0.0"
 			}
 		},
+		"node_modules/@cbor-extract/cbor-extract-darwin-arm64": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/@cbor-extract/cbor-extract-darwin-arm64/-/cbor-extract-darwin-arm64-2.2.0.tgz",
+			"integrity": "sha512-P7swiOAdF7aSi0H+tHtHtr6zrpF3aAq/W9FXx5HektRvLTM2O89xCyXF3pk7pLc7QpaY7AoaE8UowVf9QBdh3w==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			]
+		},
+		"node_modules/@cbor-extract/cbor-extract-darwin-x64": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/@cbor-extract/cbor-extract-darwin-x64/-/cbor-extract-darwin-x64-2.2.0.tgz",
+			"integrity": "sha512-1liF6fgowph0JxBbYnAS7ZlqNYLf000Qnj4KjqPNW4GViKrEql2MgZnAsExhY9LSy8dnvA4C0qHEBgPrll0z0w==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			]
+		},
+		"node_modules/@cbor-extract/cbor-extract-linux-arm": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/@cbor-extract/cbor-extract-linux-arm/-/cbor-extract-linux-arm-2.2.0.tgz",
+			"integrity": "sha512-QeBcBXk964zOytiedMPQNZr7sg0TNavZeuUCD6ON4vEOU/25+pLhNN6EDIKJ9VLTKaZ7K7EaAriyYQ1NQ05s/Q==",
+			"cpu": [
+				"arm"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@cbor-extract/cbor-extract-linux-arm64": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/@cbor-extract/cbor-extract-linux-arm64/-/cbor-extract-linux-arm64-2.2.0.tgz",
+			"integrity": "sha512-rQvhNmDuhjTVXSPFLolmQ47/ydGOFXtbR7+wgkSY0bdOxCFept1hvg59uiLPT2fVDuJFuEy16EImo5tE2x3RsQ==",
+			"cpu": [
+				"arm64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@cbor-extract/cbor-extract-linux-x64": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/@cbor-extract/cbor-extract-linux-x64/-/cbor-extract-linux-x64-2.2.0.tgz",
+			"integrity": "sha512-cWLAWtT3kNLHSvP4RKDzSTX9o0wvQEEAj4SKvhWuOVZxiDAeQazr9A+PSiRILK1VYMLeDml89ohxCnUNQNQNCw==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			]
+		},
+		"node_modules/@cbor-extract/cbor-extract-win32-x64": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/@cbor-extract/cbor-extract-win32-x64/-/cbor-extract-win32-x64-2.2.0.tgz",
+			"integrity": "sha512-l2M+Z8DO2vbvADOBNLbbh9y5ST1RY5sqkWOg/58GkUPBYou/cuNZ68SGQ644f1CvZ8kcOxyZtw06+dxWHIoN/w==",
+			"cpu": [
+				"x64"
+			],
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			]
+		},
 		"node_modules/@dfinity/agent": {
 			"version": "3.1.0",
 			"resolved": "https://registry.npmjs.org/@dfinity/agent/-/agent-3.1.0.tgz",
@@ -2412,6 +2492,26 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/base64-js": {
+			"version": "1.5.1",
+			"resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
+			"integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==",
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/feross"
+				},
+				{
+					"type": "patreon",
+					"url": "https://www.patreon.com/feross"
+				},
+				{
+					"type": "consulting",
+					"url": "https://feross.org/support"
+				}
+			],
+			"license": "MIT"
+		},
 		"node_modules/brace-expansion": {
 			"version": "1.1.12",
 			"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
@@ -2446,6 +2546,37 @@
 				"node": ">=6"
 			}
 		},
+		"node_modules/cbor-extract": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/cbor-extract/-/cbor-extract-2.2.0.tgz",
+			"integrity": "sha512-Ig1zM66BjLfTXpNgKpvBePq271BPOvu8MR0Jl080yG7Jsl+wAZunfrwiwA+9ruzm/WEdIV5QF/bjDZTqyAIVHA==",
+			"hasInstallScript": true,
+			"license": "MIT",
+			"optional": true,
+			"dependencies": {
+				"node-gyp-build-optional-packages": "5.1.1"
+			},
+			"bin": {
+				"download-cbor-prebuilds": "bin/download-prebuilds.js"
+			},
+			"optionalDependencies": {
+				"@cbor-extract/cbor-extract-darwin-arm64": "2.2.0",
+				"@cbor-extract/cbor-extract-darwin-x64": "2.2.0",
+				"@cbor-extract/cbor-extract-linux-arm": "2.2.0",
+				"@cbor-extract/cbor-extract-linux-arm64": "2.2.0",
+				"@cbor-extract/cbor-extract-linux-x64": "2.2.0",
+				"@cbor-extract/cbor-extract-win32-x64": "2.2.0"
+			}
+		},
+		"node_modules/cbor-x": {
+			"version": "1.6.0",
+			"resolved": "https://registry.npmjs.org/cbor-x/-/cbor-x-1.6.0.tgz",
+			"integrity": "sha512-0kareyRwHSkL6ws5VXHEf8uY1liitysCVJjlmhaLG+IXLqhSaOO+t63coaso7yjwEzWZzLy8fJo06gZDVQM9Qg==",
+			"license": "MIT",
+			"optionalDependencies": {
+				"cbor-extract": "^2.2.0"
+			}
+		},
 		"node_modules/chalk": {
 			"version": "4.1.2",
 			"resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
@@ -3827,6 +3958,21 @@
 				}
 			}
 		},
+		"node_modules/node-gyp-build-optional-packages": {
+			"version": "5.1.1",
+			"resolved": "https://registry.npmjs.org/node-gyp-build-optional-packages/-/node-gyp-build-optional-packages-5.1.1.tgz",
+			"integrity": "sha512-+P72GAjVAbTxjjwUmwjVrqrdZROD4nf8KgpBoDxqXXTiYZZt/ud60dE5yvCSr9lRO8e8yv6kgJIC0K0PfZFVQw==",
+			"license": "MIT",
+			"optional": true,
+			"dependencies": {
+				"detect-libc": "^2.0.1"
+			},
+			"bin": {
+				"node-gyp-build-optional-packages": "bin.js",
+				"node-gyp-build-optional-packages-optional": "optional.js",
+				"node-gyp-build-optional-packages-test": "build-test.js"
+			}
+		},
 		"node_modules/optionator": {
 			"version": "0.9.4",
 			"resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz",
@@ -4768,13 +4914,6 @@
 				"typescript": ">=4.8.4 <6.0.0"
 			}
 		},
-		"node_modules/undici-types": {
-			"version": "7.14.0",
-			"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.14.0.tgz",
-			"integrity": "sha512-QQiYxHuyZ9gQUIrmPo3IA+hUl4KYk8uSA7cHrcKd/l3p1OTpZcM0Tbp9x7FAtXdAYhlasd60ncPpgu6ihG6TOA==",
-			"license": "MIT",
-			"optional": true
-		},
 		"node_modules/uri-js": {
 			"version": "4.4.1",
 			"resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index e2c381bf..8f3a6058 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -51,6 +51,8 @@
 		"@skeletonlabs/skeleton": "^3.1.7",
 		"@skeletonlabs/tw-plugin": "^0.4.1",
 		"@sveltejs/adapter-static": "^3.0.8",
+		"base64-js": "^1.5.1",
+		"cbor-x": "^1.6.0",
 		"fake-indexeddb": "^6.0.1",
 		"idb-keyval": "^6.2.2",
 		"isomorphic-fetch": "^3.0.0",
diff --git a/examples/encrypted_chat/frontend/src/app.css b/examples/encrypted_chat/frontend/src/app.css
index 67adec49..9e88b82f 100644
--- a/examples/encrypted_chat/frontend/src/app.css
+++ b/examples/encrypted_chat/frontend/src/app.css
@@ -254,3 +254,16 @@
 .gradient-success {
 	background: linear-gradient(135deg, #4facfe 0%, #00f2fe 100%);
 }
+
+.message-input {
+	scrollbar-width: thin;
+}
+
+.message-input::-webkit-scrollbar {
+	width: 4px;
+}
+
+.message-input::-webkit-scrollbar-thumb {
+	@apply bg-gray-400;
+	border-radius: 2px;
+}
\ No newline at end of file
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
index c551e8eb..e4478877 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageBubble.svelte
@@ -2,6 +2,7 @@
 	import { Download, File } from 'lucide-svelte';
 	import Button from './ui/Button.svelte';
 	import type { Message, User } from '../types';
+	import * as base64 from 'base64-js';
 
 	let {
 		message,
@@ -34,7 +35,7 @@
 	function downloadFile() {
 		if (!message.fileData) return;
 
-		const blob = new Blob([message.fileData.data], { type: message.fileData.type });
+		const blob = new Blob([new Uint8Array(message.fileData.data)], { type: message.fileData.type });
 		const url = URL.createObjectURL(blob);
 		const a = document.createElement('a');
 		a.href = url;
@@ -141,19 +142,17 @@
 
 		<!-- Message bubble -->
 		<div
-			class="message-bubble {getMessageBubbleClasses()} inline-block max-w-full rounded-2xl px-3 py-2 break-words"
+			class="message-bubble {getMessageBubbleClasses()} inline-block max-w-full break-words rounded-2xl px-3 py-2"
 		>
 			{#if message.fileData === undefined}
 				<!-- eslint-disable-next-line svelte/no-at-html-tags -->
-				<p class="text-sm whitespace-pre-wrap">{@html parseEmojis(message.content)}</p>
+				<p class="whitespace-pre-wrap text-sm">{@html parseEmojis(message.content)}</p>
 			{:else if message.fileData !== undefined}
 				<div class="file-message">
 					{#if isImageFile(message.fileData.type)}
 						<div class="image-preview mb-2">
 							<img
-								src="data:{message.fileData.type};base64,{btoa(
-									String.fromCharCode(...new Uint8Array(message.fileData.data))
-								)}"
+								src="data:{message.fileData.type};base64,{base64.fromByteArray(message.fileData.data)}"
 								alt={message.fileData.name}
 								class="h-auto max-w-full rounded-lg"
 								style="max-height: 300px;"
@@ -169,7 +168,7 @@
 						<div class="flex items-center justify-between">
 							<div class="min-w-0 flex-1">
 								<p class="truncate text-sm font-medium">{message.fileData.name}</p>
-								<p class="text-surface-500-400 text-xs">
+								<p class="text-xs">
 									{formatFileSize(message.fileData.size)}
 								</p>
 							</div>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
index f1fb9b51..063eadd7 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
@@ -205,20 +205,3 @@
 	on:select={handleEmojiSelect}
 	on:close={() => (showEmojiPicker = false)}
 />
-
-<style>
-	@reference "tailwindcss";
-
-	.message-input {
-		scrollbar-width: thin;
-	}
-
-	.message-input::-webkit-scrollbar {
-		width: 4px;
-	}
-
-	.message-input::-webkit-scrollbar-thumb {
-		@apply bg-gray-400;
-		border-radius: 2px;
-	}
-</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Dialog.svelte
deleted file mode 100644
index e69de29b..00000000
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte b/examples/encrypted_chat/frontend/src/lib/components/ui/Input.svelte
deleted file mode 100644
index e69de29b..00000000
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index ce980ce8..2ec61265 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -16,17 +16,18 @@ import {
 	chatIdToString,
 	randomSenderMessageId
 } from '$lib/utils';
+import * as cbor from 'cbor-x';
 
 type MessageContent = {
 	textContent: string;
-	fileData?: { name: string; size: number; type: string; data: ArrayBuffer };
+	fileData?: { name: string; size: number; type: string; data: Uint8Array };
 };
 
 export class EncryptedMessagingService {
 	#ratchetInitializationService: RatchetInitializationService;
 	#keyManager: KeyManager;
 
-	#sendingQueue: Map<string, string[]>;
+	#sendingQueue: Map<string, Uint8Array[]>;
 
 	#receivingQueue: Map<string, Message[]>;
 	#receivingQueueToDecrypt: Map<string, EncryptedMessage[]>;
@@ -82,7 +83,7 @@ export class EncryptedMessagingService {
 		return this.#keyManager.getCurrentChatIdStrs().map(chatIdFromString);
 	}
 
-	enqueueSendMessage(chatId: ChatId, content: string) {
+	enqueueSendMessage(chatId: ChatId, content: Uint8Array) {
 		this.#sendingQueue.set(chatIdToString(chatId), [
 			...(this.#sendingQueue.get(chatIdToString(chatId)) || []),
 			content
@@ -115,7 +116,7 @@ export class EncryptedMessagingService {
 		}
 	}
 
-	async #handleOutgoingMessage(chatIdStr: string, content: string) {
+	async #handleOutgoingMessage(chatIdStr: string, content: Uint8Array) {
 		const MAX_RETRIES = 50;
 		const TIMEOUT_MS = 1000;
 
@@ -126,7 +127,7 @@ export class EncryptedMessagingService {
 					chatIdStr,
 					getMyPrincipal(),
 					senderMessageId,
-					new TextEncoder().encode(content)
+					content
 				);
 				await sendMessage(
 					getActor(),
@@ -349,15 +350,15 @@ export class EncryptedMessagingService {
 		metadata: EncryptedMessageMetadata,
 		decrypted: Uint8Array
 	): Message {
-		const json = JSON.parse(new TextDecoder().decode(decrypted)) as MessageContent;
+		const messageContent = cbor.decode(decrypted) as MessageContent;
 
 		return {
 			messageId: metadata.chat_message_id.toString(),
 			chatId: chatIdStr,
 			senderId: metadata.sender.toText(),
-			content: json.textContent,
+			content: messageContent.textContent,
 			timestamp: new Date(Number(metadata.timestamp / 1_000_000n)),
-			fileData: json.fileData,
+			fileData: messageContent.fileData,
 			vetkeyEpoch: Number(metadata.vetkey_epoch),
 			symmetricRatchetEpoch: Number(metadata.symmetric_key_epoch)
 		};
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 25429713..390c78df 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -16,6 +16,7 @@ import type {
 import { Principal } from '@dfinity/principal';
 import { chatIdFromString, chatIdToString } from '$lib/utils';
 import { EncryptedMessagingService } from '$lib/services/encryptedMessagingService';
+import * as cbor from 'cbor-x';
 
 export const chats = $state<{ state: Chat[] }>({ state: [] });
 export const selectedChatId = $state<{ state: ChatId | null }>({ state: null });
@@ -245,7 +246,7 @@ export const chatUIActions = {
 		textContent: string,
 		fileData?: { name: string; size: number; type: string; data: ArrayBuffer }
 	) {
-		const messageContent = JSON.stringify({ textContent, fileData });
+		const messageContent = cbor.encode({ textContent, fileData }) as Uint8Array;
 		encryptedMessagingService.enqueueSendMessage(chatId, messageContent);
 	},
 
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index 34b541d3..abf4d4b0 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -18,7 +18,7 @@ export interface Message {
 		name: string;
 		size: number;
 		type: string;
-		data: ArrayBuffer;
+		data: Uint8Array;
 	};
 	vetkeyEpoch: number;
 	symmetricRatchetEpoch: number;

From bb02b2bfa665bac351faf5bbf5782cc1f77a6eec Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 10:29:34 +0200
Subject: [PATCH 42/62] wip

---
 .../src/lib/components/ChatList.svelte        |  4 +-
 .../src/lib/components/ChatListItem.svelte    | 39 +++++++++++++++----
 .../src/lib/components/UserProfile.svelte     |  3 --
 .../frontend/src/lib/stores/chat.svelte.ts    |  7 +++-
 4 files changed, 39 insertions(+), 14 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index 74373b27..993d5709 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { chats, selectedChatId } from '../stores/chat.svelte';
+	import { chats, selectedChatId, chatUIActions } from '../stores/chat.svelte';
 	import ChatListItem from './ChatListItem.svelte';
 	import UserProfile from './UserProfile.svelte';
 	import Button from './ui/Button.svelte';
@@ -10,7 +10,7 @@
 
 	function handleSelect(e: CustomEvent<string>) {
 		const chatId = e.detail;
-		selectedChatId.state = chatIdFromString(chatId);
+		chatUIActions.selectChat(chatIdFromString(chatId));
 	}
 </script>
 
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
index 527a0b85..8c813bef 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -79,13 +79,13 @@
 					{/if}
 				</p>
 
-				{#if chat.unreadCount > 0}
-					<div
-						class="unread-badge from-primary-500 to-primary-600 flex h-5 min-w-[20px] items-center justify-center rounded-full bg-gradient-to-r px-2 py-1 text-xs text-white shadow-sm"
-					>
-						{chat.unreadCount > 99 ? '99+' : chat.unreadCount}
-					</div>
-				{/if}
+			{#if chat.unreadCount > 0}
+				<div
+					class="unread-badge flex h-5 min-w-[20px] items-center justify-center rounded-full px-2 py-1 text-xs text-white"
+				>
+					{chat.unreadCount > 99 ? '99+' : chat.unreadCount}
+				</div>
+			{/if}
 			</div>
 
 			<!-- Chat status info -->
@@ -172,7 +172,30 @@
 	.unread-badge {
 		font-size: 10px;
 		line-height: 1;
-		font-weight: 600;
+		font-weight: 700;
+		background: linear-gradient(135deg, #3b82f6, #2563eb);
+		box-shadow:
+			0 2px 8px rgba(59, 130, 246, 0.4),
+			0 0 0 2px rgba(255, 255, 255, 0.9);
+		animation: badge-pulse 2s ease-in-out infinite;
+	}
+
+	:global(.dark) .unread-badge {
+		background: linear-gradient(135deg, #60a5fa, #3b82f6);
+		box-shadow:
+			0 2px 8px rgba(59, 130, 246, 0.6),
+			0 0 0 2px rgba(0, 0, 0, 0.3);
+	}
+
+	@keyframes badge-pulse {
+		0%,
+		100% {
+			transform: scale(1);
+		}
+		50% {
+			transform: scale(1.05);
+			filter: brightness(1.1);
+		}
 	}
 
 	.status-chip {
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index 8d96623f..21e164e9 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -67,9 +67,6 @@
 			<button class="variant-ghost-surface btn-icon" onclick={logout} aria-label="Logout">
 				<LogOut class="h-5 w-5" />
 			</button>
-			<button class="variant-ghost-surface btn-icon" onclick={toggleConfig} aria-label="Settings">
-				<Settings class="h-5 w-5" />
-			</button>
 		</div>
 	</div>
 </div>
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 390c78df..d7dac93b 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -229,11 +229,16 @@ export const chatUIActions = {
 
 			messages.state = newMessagesState;
 
+			// Check if this chat is currently selected
+			const isCurrentlySelected =
+				selectedChatId.state && chatIdToString(selectedChatId.state) === chatIdStr;
+
 			chats.state = chats.state.map((c) =>
 				c.idStr === chatIdStr
 					? {
 							...c,
-							unreadCount: c.unreadCount + messagesArray.length,
+							// Don't increment unread count if chat is currently selected
+							unreadCount: isCurrentlySelected ? 0 : c.unreadCount + messagesArray.length,
 							lastMessage: messagesArray[messagesArray.length - 1]
 						}
 					: c

From f928fea3356476d631d70e48ec0cdef14ddce6c7 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 10:37:55 +0200
Subject: [PATCH 43/62] remove obsolete setting

---
 .../src/lib/components/ChatHeader.svelte      |  4 +--
 .../components/GroupManagementModal.svelte    | 25 ++-----------------
 .../frontend/src/lib/stores/chat.svelte.ts    |  5 +---
 3 files changed, 4 insertions(+), 30 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index bfe2493a..8a08340a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -68,10 +68,9 @@
 		event: CustomEvent<{
 			addUsers: string[];
 			removeUsers: string[];
-			allowHistoryForNew: boolean;
 		}>
 	) {
-		const { addUsers, removeUsers, allowHistoryForNew } = event.detail;
+		const { addUsers, removeUsers } = event.detail;
 		console.log(`handleGroupManagementSave: ${JSON.stringify(event.detail)}`);
 
 		const addUsersPrincipal = addUsers.map((id) => Principal.fromText(id));
@@ -82,7 +81,6 @@
 				chatIdFromString(chat.idStr),
 				addUsersPrincipal,
 				removeUsersPrincipal,
-				allowHistoryForNew
 			);
 
 			chatUIActions.addNotification({
diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index eb5c3937..835821bc 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -12,12 +12,11 @@
 
 	const dispatch = createEventDispatcher<{
 		close: void;
-		save: { addUsers: string[]; removeUsers: string[]; allowHistoryForNew: boolean };
+		save: { addUsers: string[]; removeUsers: string[] };
 	}>();
 
 	let selectedToAdd: string[] = [];
 	let selectedToRemove: string[] = [];
-	let allowHistoryForNew = true;
 
 	// Text input for adding multiple principals
 	let principalsInput = '';
@@ -68,8 +67,7 @@
 		const combinedAddUsers = Array.from(new Set([...selectedToAdd, ...validPrincipalStrings]));
 		dispatch('save', {
 			addUsers: combinedAddUsers,
-			removeUsers: selectedToRemove,
-			allowHistoryForNew
+			removeUsers: selectedToRemove
 		});
 		handleClose();
 	}
@@ -78,7 +76,6 @@
 		show = false;
 		selectedToAdd = [];
 		selectedToRemove = [];
-		allowHistoryForNew = false;
 		principalsInput = '';
 		validPrincipalStrings = [];
 		invalidPrincipalTokens = [];
@@ -195,24 +192,6 @@
 						</div>
 					</div>
 
-					<!-- Options -->
-					{#if totalAddCount > 0}
-						<div>
-							<h3 class="mb-3 font-semibold">Options</h3>
-							<label
-								class="bg-surface-200-700-token flex cursor-pointer items-center gap-3 rounded-lg p-3"
-							>
-								<input type="checkbox" bind:checked={allowHistoryForNew} class="checkbox" />
-								<div>
-									<p class="text-sm font-medium">Allow new members to see chat history</p>
-									<p class="text-surface-600-300-token text-xs">
-										New members will be able to see messages sent before they joined
-									</p>
-								</div>
-							</label>
-						</div>
-					{/if}
-
 					<!-- Summary -->
 					{#if totalAddCount > 0 || selectedToRemove.length > 0}
 						<div class="border-primary-500/20 bg-primary-500/10 rounded-lg border p-4">
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index d7dac93b..a750f2e8 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -406,9 +406,6 @@ export const chatUIActions = {
 		chatId: ChatId,
 		addUsers: Principal[],
 		removeUsers: Principal[],
-		// TODO: implement this
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars
-		allowHistoryForNew: boolean
 	) {
 		if ('Direct' in chatId) {
 			throw new Error('updateGroupMembers: chatId is a direct chat');
@@ -420,7 +417,7 @@ export const chatUIActions = {
 		const result = await getActor().modify_group_chat_participants(chatId.Group, modification);
 		if ('Ok' in result) {
 			console.log(
-				`Group ${chatIdToString(chatId)} updated: +${addUsers.length}, -${removeUsers.length}, history: ${allowHistoryForNew}`
+				`Group ${chatIdToString(chatId)} updated: +${addUsers.length}, -${removeUsers.length}`
 			);
 		} else {
 			throw new Error(result.Err);

From 354824654cf743e43aec60acf9154ae037f86978 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 10:41:49 +0200
Subject: [PATCH 44/62] allow for empty other users list in group chat creation

---
 .../frontend/src/lib/components/NewChatModal.svelte             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
index 28c227f2..b4b80c73 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
@@ -143,7 +143,7 @@
 							</label>
 						</div>
 						<div class="flex justify-end gap-2">
-							<Button onclick={createGroup} disabled={!groupPrincipalsText.trim()}>
+							<Button onclick={createGroup}>
 								<Plus class="h-4 w-4" />
 								<span class="ml-1">Create Group</span>
 							</Button>

From b9b01785f8ece7b84d6798bcd28bf89eb7ac993a Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 10:46:41 +0200
Subject: [PATCH 45/62] opaque notifications

---
 examples/encrypted_chat/frontend/src/app.css  | 55 ++++++++++++++++++-
 .../lib/components/NotificationBanner.svelte  | 21 -------
 2 files changed, 54 insertions(+), 22 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/app.css b/examples/encrypted_chat/frontend/src/app.css
index 9e88b82f..3decd0b0 100644
--- a/examples/encrypted_chat/frontend/src/app.css
+++ b/examples/encrypted_chat/frontend/src/app.css
@@ -266,4 +266,57 @@
 .message-input::-webkit-scrollbar-thumb {
 	@apply bg-gray-400;
 	border-radius: 2px;
-}
\ No newline at end of file
+}
+
+.alert {
+	display: flex;
+	align-items: center;
+	gap: 0.75rem;
+	padding: 1rem;
+	border-radius: 0.5rem;
+}
+
+.alert-message {
+	flex: 1 1 0%;
+	min-width: 0;
+}
+
+.alert-actions {
+	display: flex;
+	align-items: center;
+	gap: 0.5rem;
+}
+
+/* Alert/Notification variants with softer, muted colors */
+.variant-filled-primary.alert {
+	@apply bg-blue-50 text-blue-900 border border-blue-200;
+}
+
+.variant-filled-success.alert {
+	@apply bg-green-50 text-green-900 border border-green-200;
+}
+
+.variant-filled-warning.alert {
+	@apply bg-orange-50 text-orange-900 border border-orange-200;
+}
+
+.variant-filled-error.alert {
+	@apply bg-red-50 text-red-900 border border-red-200;
+}
+
+/* Dark mode adjustments for alerts */
+.dark .variant-filled-primary.alert {
+	@apply bg-blue-950 text-blue-100 border-blue-800;
+}
+
+.dark .variant-filled-success.alert {
+	@apply bg-green-950 text-green-100 border-green-800;
+}
+
+.dark .variant-filled-warning.alert {
+	@apply bg-orange-950 text-orange-100 border-orange-800;
+}
+
+.dark .variant-filled-error.alert {
+	@apply bg-red-950 text-red-100 border-red-800;
+}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
index d766b189..5ce7cbe5 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NotificationBanner.svelte
@@ -96,24 +96,3 @@
 		</div>
 	{/each}
 </div>
-
-<style>
-	.alert {
-		display: flex;
-		align-items: center;
-		gap: 0.75rem;
-		padding: 1rem;
-		border-radius: 0.5rem;
-	}
-
-	.alert-message {
-		flex: 1 1 0%;
-		min-width: 0;
-	}
-
-	.alert-actions {
-		display: flex;
-		align-items: center;
-		gap: 0.5rem;
-	}
-</style>

From 8c576f63cf02b22458caa09b165a1786697bc646 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 10:53:59 +0200
Subject: [PATCH 46/62] rm dark mode

---
 examples/encrypted_chat/frontend/src/app.css  | 57 +++----------------
 .../src/lib/components/ChatHeader.svelte      |  2 +-
 .../src/lib/components/ChatInterface.svelte   |  6 +-
 .../src/lib/components/ChatList.svelte        |  2 +-
 .../components/GroupManagementModal.svelte    |  4 +-
 .../frontend/src/lib/components/Hero.svelte   |  2 +-
 .../src/lib/components/MessageInput.svelte    |  2 +-
 .../src/lib/components/NewChatModal.svelte    | 16 +++---
 .../src/lib/components/UserProfile.svelte     | 24 ++++----
 .../frontend/src/routes/+page.svelte          |  6 +-
 .../frontend/tailwind.config.js               |  1 -
 11 files changed, 35 insertions(+), 87 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/app.css b/examples/encrypted_chat/frontend/src/app.css
index 3decd0b0..bda1fcb2 100644
--- a/examples/encrypted_chat/frontend/src/app.css
+++ b/examples/encrypted_chat/frontend/src/app.css
@@ -64,19 +64,6 @@
 	--radius-xl: 1.5rem;
 }
 
-/* Dark mode */
-.dark {
-	--gray-50: #111827;
-	--gray-100: #1f2937;
-	--gray-200: #374151;
-	--gray-300: #4b5563;
-	--gray-400: #6b7280;
-	--gray-500: #9ca3af;
-	--gray-600: #d1d5db;
-	--gray-700: #e5e7eb;
-	--gray-800: #f3f4f6;
-	--gray-900: #f9fafb;
-}
 
 /* Professional Component Styles */
 .btn {
@@ -103,22 +90,19 @@
 
 .variant-outline-primary {
 	@apply border border-blue-200 bg-white text-blue-700 shadow-sm hover:bg-blue-50 hover:shadow-md;
-	@apply dark:border-blue-800 dark:bg-gray-800 dark:text-blue-300 dark:hover:bg-gray-700;
 }
 
 .variant-ghost-primary {
 	@apply text-blue-700 hover:bg-blue-100 hover:text-blue-800;
-	@apply dark:text-blue-300 dark:hover:bg-gray-800 dark:hover:text-blue-200;
 }
 
 .card {
-	@apply rounded-xl border border-gray-200 bg-white shadow-lg dark:border-gray-700 dark:bg-gray-800;
+	@apply rounded-xl border border-gray-200 bg-white shadow-lg;
 }
 
 .input {
 	@apply flex w-full rounded-lg border border-gray-200 bg-white px-3 py-2 text-sm transition-all;
 	@apply focus:border-blue-500 focus:ring-2 focus:ring-blue-500/20 focus:outline-none;
-	@apply dark:border-gray-700 dark:bg-gray-800 dark:text-gray-100;
 }
 
 .badge {
@@ -126,28 +110,28 @@
 }
 
 .badge-secondary {
-	@apply bg-gray-100 text-gray-800 dark:bg-gray-700 dark:text-gray-300;
+	@apply bg-gray-100 text-gray-800;
 }
 
 /* Modern Chat Interface Classes */
 .bg-surface-50-900 {
-	@apply bg-gray-50 dark:bg-gray-900;
+	@apply bg-gray-50;
 }
 
 .bg-surface-100-800 {
-	@apply bg-gray-100 dark:bg-gray-800;
+	@apply bg-gray-100;
 }
 
 .bg-surface-200-700 {
-	@apply bg-gray-200 dark:bg-gray-700;
+	@apply bg-gray-200;
 }
 
 .border-surface-200-700 {
-	@apply border-gray-200 dark:border-gray-700;
+	@apply border-gray-200;
 }
 
 .text-surface-500-400 {
-	@apply text-gray-500 dark:text-gray-400;
+	@apply text-gray-500;
 }
 
 /* Professional glass effect */
@@ -160,11 +144,6 @@
 		0 8px 10px -6px rgba(0, 0, 0, 0.1);
 }
 
-.dark .glass-effect {
-	background: rgba(17, 24, 39, 0.9);
-	border: 1px solid rgba(75, 85, 99, 0.2);
-}
-
 /* Message bubbles */
 .message-bubble-own {
 	@apply rounded-2xl rounded-br-md bg-blue-600 text-white shadow-lg;
@@ -172,7 +151,6 @@
 
 .message-bubble-other {
 	@apply rounded-2xl rounded-bl-md border border-gray-200 bg-white text-gray-900 shadow-lg;
-	@apply dark:border-gray-600 dark:bg-gray-700 dark:text-gray-100;
 }
 
 /* Modern scrollbar */
@@ -193,10 +171,6 @@
 	@apply rounded-full bg-gray-300 hover:bg-gray-400;
 }
 
-.dark .modern-scrollbar::-webkit-scrollbar-thumb {
-	@apply bg-gray-600 hover:bg-gray-500;
-}
-
 /* Professional animations */
 @keyframes fade-in {
 	from {
@@ -303,20 +277,3 @@
 .variant-filled-error.alert {
 	@apply bg-red-50 text-red-900 border border-red-200;
 }
-
-/* Dark mode adjustments for alerts */
-.dark .variant-filled-primary.alert {
-	@apply bg-blue-950 text-blue-100 border-blue-800;
-}
-
-.dark .variant-filled-success.alert {
-	@apply bg-green-950 text-green-100 border-green-800;
-}
-
-.dark .variant-filled-warning.alert {
-	@apply bg-orange-950 text-orange-100 border-orange-800;
-}
-
-.dark .variant-filled-error.alert {
-	@apply bg-red-950 text-red-100 border-red-800;
-}
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index 8a08340a..55824db8 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -127,7 +127,7 @@
 			</div>
 			<div>
 				<h2
-					class="bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-xl font-bold text-transparent dark:from-gray-100 dark:to-gray-300"
+					class="bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-xl font-bold text-transparent"
 				>
 					{getDisplayName()}
 				</h2>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
index e9da2a3e..5c7342f0 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatInterface.svelte
@@ -62,7 +62,7 @@
 		<div class="glass-effect border-b border-white/10 p-6">
 			<div class="flex items-center justify-center">
 				<h2
-					class="bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-xl font-bold text-transparent dark:from-gray-100 dark:to-gray-300"
+					class="bg-gradient-to-r from-gray-800 to-gray-600 bg-clip-text text-xl font-bold text-transparent"
 				>
 					VetKeys Chat
 				</h2>
@@ -105,8 +105,4 @@
 	.chat-interface {
 		background: var(--color-surface-50);
 	}
-
-	:global(.dark) .chat-interface {
-		background: var(--color-surface-900);
-	}
 </style>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
index 993d5709..fb63924a 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatList.svelte
@@ -25,7 +25,7 @@
 		>
 			Chats
 		</h2>
-		<p class="mt-1 text-sm font-medium text-gray-500 dark:text-gray-400">
+		<p class="mt-1 text-sm font-medium text-gray-500">
 			{chats.state.length} conversation{chats.state.length !== 1 ? 's' : ''}
 		</p>
 		<div class="mt-3 flex gap-2">
diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index 835821bc..190af63d 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -93,12 +93,12 @@
 	<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4 backdrop-blur-sm">
 		<!-- Modal -->
 		<Card
-			class="w-full max-w-2xl rounded-xl bg-white shadow-2xl ring-1 ring-black/10 dark:bg-neutral-900 dark:ring-white/10"
+			class="w-full max-w-2xl rounded-xl bg-white shadow-2xl ring-1 ring-black/10"
 		>
 			<div class="p-6 md:p-8">
 				<!-- Header -->
 				<div
-					class="mb-4 flex items-center justify-between border-b border-black/5 pb-4 dark:border-white/10"
+					class="mb-4 flex items-center justify-between border-b border-black/5 pb-4"
 				>
 					<div class="flex items-center gap-3">
 						<Users class="h-6 w-6" />
diff --git a/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte b/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
index 03aa75ad..5a52e4d5 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/Hero.svelte
@@ -8,7 +8,7 @@
 <div class="flex min-h-screen flex-col items-center justify-start pt-8 sm:justify-center sm:pt-0">
 	<div class="flex max-w-xl flex-col items-center text-center">
 		<div class="max-w-xl">
-			<h1 class="text-primary mb-5 text-4xl font-bold sm:text-5xl dark:text-white">
+			<h1 class="text-primary mb-5 text-4xl font-bold sm:text-5xl">
 				Encrypted Chat using vetKeys
 			</h1>
 			<p class="mb-5 text-xl font-semibold">Your private chat on the Internet Computer.</p>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
index 063eadd7..f5add7e4 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/MessageInput.svelte
@@ -152,7 +152,7 @@
 				{placeholder}
 				{disabled}
 				rows="1"
-				class="message-input w-full resize-none rounded-xl border border-gray-200/50 bg-white/80 px-4 py-3 pr-20 text-sm shadow-lg backdrop-blur-sm focus:border-blue-500 focus:ring-2 focus:ring-blue-500/20 focus:outline-none dark:border-gray-700/50 dark:bg-gray-800/80"
+				class="message-input w-full resize-none rounded-xl border border-gray-200/50 bg-white/80 px-4 py-3 pr-20 text-sm shadow-lg backdrop-blur-sm focus:border-blue-500 focus:ring-2 focus:ring-blue-500/20 focus:outline-none"
 				style="min-height: 44px; max-height: 120px;"
 			></textarea>
 
diff --git a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
index b4b80c73..0d7803a3 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/NewChatModal.svelte
@@ -45,11 +45,11 @@
 		aria-modal="true"
 	>
 		<Card
-			class="w-full max-w-lg rounded-xl bg-white shadow-2xl ring-1 ring-black/10 dark:bg-neutral-900 dark:ring-white/10"
+			class="w-full max-w-lg rounded-xl bg-white shadow-2xl ring-1 ring-black/10"
 		>
 			<div class="p-6 md:p-8">
 				<div
-					class="mb-4 flex items-center justify-between border-b border-black/5 pb-4 dark:border-white/10"
+					class="mb-4 flex items-center justify-between border-b border-black/5 pb-4"
 				>
 					<h3 class="text-lg font-semibold">Create Chat</h3>
 					<button class="variant-ghost-surface btn-icon" onclick={close} aria-label="Close">
@@ -79,7 +79,7 @@
 						<label class="block text-sm">
 							<span class="mb-1 block font-medium">Receiver Principal</span>
 							<input
-								class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+								class="w-full rounded-md border bg-white px-3 py-2"
 								bind:value={directPrincipal}
 								placeholder="aaaaa-aa"
 							/>
@@ -90,7 +90,7 @@
 								<input
 									type="number"
 									min="0"
-									class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+									class="w-full rounded-md border bg-white px-3 py-2"
 									bind:value={directRotationMinutes}
 								/>
 							</label>
@@ -99,7 +99,7 @@
 								<input
 									type="number"
 									min="0"
-									class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+									class="w-full rounded-md border bg-white px-3 py-2"
 									bind:value={directExpirationMinutes}
 								/>
 							</label>
@@ -117,7 +117,7 @@
 							<span class="mb-1 block font-medium">Participant Principals</span>
 							<textarea
 								rows="3"
-								class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+								class="w-full rounded-md border bg-white px-3 py-2"
 								bind:value={groupPrincipalsText}
 								placeholder="comma or space separated principals"
 							></textarea>
@@ -128,7 +128,7 @@
 								<input
 									type="number"
 									min="0"
-									class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+									class="w-full rounded-md border bg-white px-3 py-2"
 									bind:value={groupRotationMinutes}
 								/>
 							</label>
@@ -137,7 +137,7 @@
 								<input
 									type="number"
 									min="0"
-									class="w-full rounded-md border bg-white px-3 py-2 dark:bg-neutral-800"
+									class="w-full rounded-md border bg-white px-3 py-2"
 									bind:value={groupExpirationMinutes}
 								/>
 							</label>
diff --git a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
index 21e164e9..1a738757 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/UserProfile.svelte
@@ -65,7 +65,7 @@
 		</div>
 		<div class="flex items-center gap-2">
 			<button class="variant-ghost-surface btn-icon" onclick={logout} aria-label="Logout">
-				<LogOut class="h-5 w-5" />
+				<LogOut class="h-5 w-6" />
 			</button>
 		</div>
 	</div>
@@ -85,15 +85,15 @@
 	<!-- Modal -->
 	<div class="fixed inset-0 z-50 flex items-center justify-center p-4">
 		<div
-			class="config-modal w-full max-w-md rounded-2xl border border-gray-200 bg-white shadow-2xl dark:border-gray-700 dark:bg-gray-800"
+			class="config-modal w-full max-w-md rounded-2xl border border-gray-200 bg-white shadow-2xl"
 		>
 			<!-- Header -->
 			<div
-				class="flex items-center justify-between border-b border-gray-200 p-6 dark:border-gray-700"
+				class="flex items-center justify-between border-b border-gray-200 p-6"
 			>
-				<h3 class="text-lg font-semibold text-gray-900 dark:text-gray-100">Settings</h3>
+				<h3 class="text-lg font-semibold text-gray-900">Settings</h3>
 				<button
-					class="rounded-lg p-1 text-gray-400 transition-colors hover:bg-gray-100 hover:text-gray-600 dark:hover:bg-gray-700 dark:hover:text-gray-300"
+					class="rounded-lg p-1 text-gray-400 transition-colors hover:bg-gray-100 hover:text-gray-600"
 					onclick={() => (showConfig = false)}
 					aria-label="Close settings"
 				>
@@ -106,7 +106,7 @@
 				<div>
 					<label
 						for="cache-retention"
-						class="mb-2 block text-sm font-medium text-gray-700 dark:text-gray-300"
+						class="mb-2 block text-sm font-medium text-gray-700"
 					>
 						Cache Retention (days)
 					</label>
@@ -116,10 +116,10 @@
 						min="1"
 						max="365"
 						bind:value={configForm.cacheRetentionDays}
-						class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-gray-900 outline-none transition-all focus:border-transparent focus:ring-2 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-800 dark:text-gray-100"
+						class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-gray-900 outline-none transition-all focus:border-transparent focus:ring-2 focus:ring-blue-500"
 						placeholder="7"
 					/>
-					<p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+					<p class="mt-1 text-xs text-gray-500">
 						How long to keep symmetric key cache before automatic cleanup
 					</p>
 				</div>
@@ -127,10 +127,10 @@
 
 			<!-- Footer -->
 			<div
-				class="flex items-center justify-end gap-3 border-t border-gray-200 p-6 dark:border-gray-700"
+				class="flex items-center justify-end gap-3 border-t border-gray-200 p-6"
 			>
 				<button
-					class="rounded-lg px-4 py-2 text-gray-700 transition-colors hover:bg-gray-100 dark:text-gray-300 dark:hover:bg-gray-700"
+					class="rounded-lg px-4 py-2 text-gray-700 transition-colors hover:bg-gray-100"
 					onclick={() => (showConfig = false)}
 				>
 					Cancel
@@ -152,10 +152,6 @@
 		background: var(--color-surface-100);
 	}
 
-	:global(.dark) .user-profile {
-		background: var(--color-surface-800);
-	}
-
 	.config-modal {
 		animation: modalSlideIn 0.2s ease-out;
 	}
diff --git a/examples/encrypted_chat/frontend/src/routes/+page.svelte b/examples/encrypted_chat/frontend/src/routes/+page.svelte
index e98e3c23..de7c5733 100644
--- a/examples/encrypted_chat/frontend/src/routes/+page.svelte
+++ b/examples/encrypted_chat/frontend/src/routes/+page.svelte
@@ -60,7 +60,7 @@
 {:else if isLoading.state}
 	<!-- Loading state -->
 	<div
-		class="loading-screen flex h-full items-center justify-center bg-gradient-to-br from-blue-50 to-indigo-100 dark:from-gray-900 dark:to-gray-800"
+		class="loading-screen flex h-full items-center justify-center bg-gradient-to-br from-blue-50 to-indigo-100"
 	>
 		<div class="animate-fade-in text-center">
 			<div
@@ -71,7 +71,7 @@
 			>
 				Loading vetKeys Chat
 			</h2>
-			<p class="font-medium text-gray-600 dark:text-gray-400">
+			<p class="font-medium text-gray-600">
 				Initializing secure communication...
 			</p>
 			<div class="mt-4 flex justify-center space-x-1">
@@ -90,7 +90,7 @@
 {:else}
 	<!-- Main chat interface -->
 	<div
-		class="chat-container flex h-full bg-gradient-to-br from-gray-50 via-blue-50 to-indigo-50 dark:from-gray-900 dark:via-gray-800 dark:to-gray-900"
+		class="chat-container flex h-full bg-gradient-to-br from-gray-50 via-blue-50 to-indigo-50"
 	>
 		<!-- Chat List Sidebar (Desktop) or Full Screen (Mobile) -->
 		<div
diff --git a/examples/encrypted_chat/frontend/tailwind.config.js b/examples/encrypted_chat/frontend/tailwind.config.js
index 9978db24..30966375 100644
--- a/examples/encrypted_chat/frontend/tailwind.config.js
+++ b/examples/encrypted_chat/frontend/tailwind.config.js
@@ -2,7 +2,6 @@ import { skeleton } from '@skeletonlabs/tw-plugin';
 
 /** @type {import('tailwindcss').Config} */
 export default {
-	darkMode: 'selector',
 	content: [
 		'./src/**/*.{html,js,svelte,ts}',
 		'./node_modules/@skeletonlabs/skeleton/**/*.{html,js,svelte,ts}'

From 3f44643d653e3b7bc0b9c3a8f70878d4ba1825bc Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 11:10:23 +0200
Subject: [PATCH 47/62] less frequent queries

---
 .../frontend/src/lib/services/encryptedMessagingService.ts      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index 2ec61265..985d3b92 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -402,7 +402,7 @@ class BackgroundWorker {
 					console.error('Background worker error:', error);
 				}
 				if (this.abortController.signal.aborted) break;
-				await sleep(100);
+				await sleep(250);
 			}
 		};
 

From f8bd7a2a68e1265b85c4f5d8b28bce4cb4799392 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 11:16:33 +0200
Subject: [PATCH 48/62] nicer emojipicker

---
 .../src/lib/components/EmojiPicker.svelte     | 31 +++++++++++--------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte b/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
index 94607719..9502d5bb 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/EmojiPicker.svelte
@@ -164,12 +164,12 @@
 
 	<!-- Emoji Picker -->
 	<div
-		class="emoji-picker bg-surface-100-800-token border-surface-300-600-token fixed right-4 bottom-20 z-50 max-w-sm rounded-lg border p-4 shadow-xl"
+		class="emoji-picker fixed right-4 bottom-20 z-50 max-w-sm rounded-lg border border-gray-300 bg-white p-4 shadow-xl"
 	>
 		<div class="mb-4 flex items-center justify-between">
-			<h3 class="text-sm font-semibold">Add Emoji</h3>
+			<h3 class="text-sm font-semibold text-gray-800">Add Emoji</h3>
 			<button
-				class="variant-ghost-surface btn-icon"
+				class="flex h-8 w-8 items-center justify-center rounded text-xl text-gray-600 hover:bg-gray-100"
 				onclick={closeModal}
 				aria-label="Close emoji picker"
 			>
@@ -177,14 +177,14 @@
 			</button>
 		</div>
 
-		<div class="emoji-grid scrollbar-thin max-h-64 overflow-y-auto">
+		<div class="emoji-grid max-h-64 overflow-y-auto scrollbar-hide">
 			{#each Object.entries(emojiCategories) as [category, emojis] (category)}
 				<div class="emoji-category mb-4">
-					<h4 class="text-surface-600-300-token mb-2 text-xs font-medium">{category}</h4>
+					<h4 class="mb-2 text-xs font-medium text-gray-600">{category}</h4>
 					<div class="grid grid-cols-8 gap-1">
 						{#each emojis as emoji (emoji)}
 							<button
-								class="emoji-button hover:bg-surface-200-700-token flex h-8 w-8 items-center justify-center rounded text-lg transition-colors"
+								class="emoji-button flex h-8 w-8 items-center justify-center rounded text-lg transition-colors hover:bg-gray-100"
 								onclick={() => selectEmoji(emoji)}
 								title={emoji}
 							>
@@ -196,8 +196,8 @@
 			{/each}
 		</div>
 
-		<div class="border-surface-300-600-token mt-4 border-t pt-3">
-			<p class="text-surface-600-300-token text-xs">
+		<div class="mt-4 border-t border-gray-200 pt-3">
+			<p class="text-xs text-gray-600">
 				You can also type emoji shortcodes like <code>:smile:</code>, <code>:heart:</code>,
 				<code>:rocket:</code>
 			</p>
@@ -211,18 +211,23 @@
 		max-height: 400px;
 	}
 
+	.emoji-grid {
+		scrollbar-width: none; /* Firefox */
+		-ms-overflow-style: none; /* IE and Edge */
+	}
+
+	.emoji-grid::-webkit-scrollbar {
+		display: none; /* Chrome, Safari, Opera */
+	}
+
 	.emoji-button:hover {
 		transform: scale(1.1);
 	}
 
 	code {
-		background: var(--color-surface-200);
+		background: #f3f4f6;
 		padding: 1px 4px;
 		border-radius: 3px;
 		font-size: 10px;
 	}
-
-	:global(.dark) code {
-		background: var(--color-surface-700);
-	}
 </style>

From 619395e0bd66d928ad9520a3162a21757f3657ad Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 16:27:58 +0200
Subject: [PATCH 49/62] fix typo

---
 examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
index a176a736..b18db0d8 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
@@ -110,7 +110,7 @@ export function getMyPrincipal(): Principal {
 
 export function getActor(): ActorSubclass<_SERVICE> {
 	if (auth.state.label === 'initialized') {
-		const host = DFX_NETWORK === 'ic' ? 'https://icp0.app' : 'http://localhost:4943';
+		const host = DFX_NETWORK === 'ic' ? 'https://ic0.app' : 'http://localhost:4943';
 		const shouldFetchRootKey = DFX_NETWORK !== 'ic';
 		const agent = HttpAgent.createSync({
 			identity: auth.state.client.getIdentity(),

From 45e4bb833768ec5d4308875326efe339524602be Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 16:56:57 +0200
Subject: [PATCH 50/62] replace placeholder '??????' with a todo comment

---
 .../frontend/src/lib/components/ChatListItem.svelte             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
index 8c813bef..585f7c8e 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatListItem.svelte
@@ -43,7 +43,7 @@
 			<div
 				class="avatar from-primary-500 to-primary-600 flex h-12 w-12 items-center justify-center rounded-full bg-gradient-to-br text-lg text-white shadow-sm"
 			>
-				?????
+		<!-- TODO -->
 			</div>
 			<!-- Status indicator -->
 			<div class="absolute -bottom-1 -right-1">

From b55453d582698c714757843d9141be754b0330fe Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Wed, 8 Oct 2025 17:04:40 +0200
Subject: [PATCH 51/62] fix a few bugs

---
 .../encrypted_chat/frontend/src/lib/stores/chat.svelte.ts | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index a750f2e8..357407c1 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -128,7 +128,9 @@ export const chatUIActions = {
 				' because in currentChatIds from encryptedMessagingService we have ',
 				currentChatIds.map((c) => chatIdToString(c))
 			);
-			chats.state = chats.state.filter((c) => currentChatIds.includes(chatIdFromString(c.idStr)));
+			chats.state = chats.state.filter((c) =>
+				currentChatIds.find((chatId) => chatIdToString(chatId) === c.idStr)
+			);
 		}
 		const chatsToAddToUi = currentChatIds.filter(
 			(chatId) => !chats.state.find((chat) => chat.idStr === chatIdToString(chatId))
@@ -187,7 +189,7 @@ export const chatUIActions = {
 				avatar: isGroup ? '👥' : '👤',
 				firstAccessibleMessageId: Number(firstAccessibleMessageId)
 			};
-			chats.state.push(chat);
+			chats.state = [...chats.state, chat];
 
 			// Initialize empty messages cache; we lazy-load on demand
 			if (!messages.state[chatIdStr]) messages.state[chatIdStr] = [];
@@ -215,7 +217,7 @@ export const chatUIActions = {
 			const chat = chats.state.find((c) => c.idStr === chatIdStr);
 			if (!chat) {
 				console.error('Bug in loadChatMessages: chat not found for a new message: ', chatIdStr);
-				return;
+				continue;
 			}
 
 			for (const m of messagesArray) await chatStorageService.saveMessage(m);

From e271cafb6ff9059b9013772bf684890a1510ec51 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Thu, 16 Oct 2025 08:37:18 +0200
Subject: [PATCH 52/62] small fixes

---
 examples/encrypted_chat/frontend/package.json |  2 +-
 .../src/lib/components/ChatHeader.svelte      |  2 +-
 .../components/GroupManagementModal.svelte    | 16 ----
 .../{canisteApi.ts => canisterApi.ts}         |  0
 .../lib/services/encryptedMessagingService.ts |  4 +-
 .../services/ratchetInitializationService.ts  |  2 +-
 .../frontend/src/lib/stores/chat.svelte.ts    | 78 ++++++++++++-------
 .../encrypted_chat/frontend/tsconfig.json     |  1 -
 .../encrypted_chat/frontend/vite.config.ts    |  3 +
 9 files changed, 56 insertions(+), 52 deletions(-)
 rename examples/encrypted_chat/frontend/src/lib/services/{canisteApi.ts => canisterApi.ts} (100%)

diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index 8f3a6058..acc0fe1c 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -5,7 +5,7 @@
 	"type": "module",
 	"scripts": {
 		"build": "npm run build:bindings && vite build",
-		"dev": "npm run build:bindings && vite dev --host",
+		"dev": "npm run build:bindings && vite build --mode development && vite dev --host",
 		"build:bindings": "cd scripts && ./gen_bindings.sh",
 		"preview": "vite preview",
 		"prepare": "svelte-kit sync || echo ''",
diff --git a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
index 55824db8..5b2ddd3f 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/ChatHeader.svelte
@@ -3,7 +3,7 @@
 	import Button from './ui/Button.svelte';
 	import Card from './ui/Card.svelte';
 	import type { Chat, SymmetricRatchetStats, GroupChat } from '../types';
-	import { canisterAPI } from '../services/canisteApi';
+	import { canisterAPI } from '../services/canisterApi';
 	import { chatUIActions } from '../stores/chat.svelte';
 	import GroupManagementModal from './GroupManagementModal.svelte';
 	import { Principal } from '@dfinity/principal';
diff --git a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
index 190af63d..e8846c44 100644
--- a/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
+++ b/examples/encrypted_chat/frontend/src/lib/components/GroupManagementModal.svelte
@@ -227,19 +227,3 @@
 		</Card>
 	</div>
 {/if}
-
-<style>
-	.checkbox {
-		width: 1rem;
-		height: 1rem;
-		border: 2px solid var(--color-surface-400);
-		border-radius: 0.25rem;
-		background: transparent;
-		cursor: pointer;
-	}
-
-	.checkbox:checked {
-		background: var(--color-primary-500);
-		border-color: var(--color-primary-500);
-	}
-</style>
diff --git a/examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts b/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
similarity index 100%
rename from examples/encrypted_chat/frontend/src/lib/services/canisteApi.ts
rename to examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index 985d3b92..f8a5e77b 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -9,7 +9,7 @@ import type {
 import { KeyManager } from '$lib/crypto/keyManager';
 import { RatchetInitializationService } from './ratchetInitializationService';
 import { SymmetricRatchetEpochError, VetKeyEpochError, type Message } from '$lib/types';
-import { canisterAPI } from './canisteApi';
+import { canisterAPI } from './canisterApi';
 import {
 	chatIdFromString,
 	chatIdsNumMessagesToSummary,
@@ -402,7 +402,7 @@ class BackgroundWorker {
 					console.error('Background worker error:', error);
 				}
 				if (this.abortController.signal.aborted) break;
-				await sleep(250);
+				await sleep(500);
 			}
 		};
 
diff --git a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
index 9431743e..b354374d 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
@@ -2,7 +2,7 @@ import { deriveRootKeyBytes, SymmetricRatchetState } from '$lib/crypto/symmetric
 import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.did';
 import { getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
 import { stringifyBigInt, chatIdToString } from '$lib/utils';
-import { canisterAPI } from './canisteApi';
+import { canisterAPI } from './canisterApi';
 import { keyStorageService } from './keyStorage';
 import { EncryptedCanisterCacheService } from './encryptedCanisterCacheService';
 import { VetKeyResharingService } from './vetKeyResharingService';
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 357407c1..1a24622c 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -5,7 +5,7 @@ import {
 	type Notification,
 	type SymmetricRatchetStats
 } from '../types';
-import { canisterAPI } from '../services/canisteApi';
+import { canisterAPI } from '../services/canisterApi';
 import { chatStorageService } from '../services/chatStorage';
 import { SvelteDate } from 'svelte/reactivity';
 import { auth, getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
@@ -85,7 +85,7 @@ export const chatUIActions = {
 						BigInt(chatMessages[chatMessages.length - 1].messageId) + 1n
 					);
 				}
-				messages.state[chat.idStr] = [...chatMessages];
+				messages.state[chat.idStr] = [...(messages.state[chat.idStr] ?? []), ...chatMessages];
 			}
 
 			encryptedMessagingService.start();
@@ -117,9 +117,6 @@ export const chatUIActions = {
 			(c) => !currentChatIds.find((chatId) => chatIdToString(chatId) === c.idStr)
 		);
 		if (chatsToRemoveFromUi.length > 0) {
-			for (const chat of chatsToRemoveFromUi) {
-				await chatStorageService.deleteChat(chat.idStr);
-			}
 			console.log(
 				'refreshChats: removing chats ',
 				chatsToRemoveFromUi.map((c) => c.idStr),
@@ -128,33 +125,40 @@ export const chatUIActions = {
 				' because in currentChatIds from encryptedMessagingService we have ',
 				currentChatIds.map((c) => chatIdToString(c))
 			);
-			chats.state = chats.state.filter((c) =>
-				currentChatIds.find((chatId) => chatIdToString(chatId) === c.idStr)
-			);
 		}
+
 		const chatsToAddToUi = currentChatIds.filter(
 			(chatId) => !chats.state.find((chat) => chat.idStr === chatIdToString(chatId))
 		);
 
+		const vetKeyEpochMetaData = [];
+		const firstAccessibleMessageIds = [];
+
 		for (const chatId of chatsToAddToUi) {
 			const chatIdStr = chatIdToString(chatId);
 			console.log('refreshChats: adding chat ', chatIdStr);
 
+			vetKeyEpochMetaData.push(await canisterAPI.getLatestVetKeyEpochMetadata(getActor(), chatId));
+			const isGroup = 'Group' in chatId;
+			firstAccessibleMessageIds.push(
+				isGroup ? await canisterAPI.firstAccessibleMessageId(getActor(), chatId.Group) : 0n
+			);
+		}
+
+		const newChats: Chat[] = [];
+
+		for (let i = 0; i < chatsToAddToUi.length; i++) {
+			const chatId = chatsToAddToUi[i];
+			const chatIdStr = chatIdToString(chatId);
+			console.log('refreshChats: adding chat ', chatIdStr);
+
 			if (chats.state.find((c) => c.idStr === chatIdStr)) {
 				continue;
 			}
 
-			const vetKeyEpochMetadata = await canisterAPI.getLatestVetKeyEpochMetadata(
-				getActor(),
-				chatId
-			);
-
 			const isGroup = 'Group' in chatId;
-			const firstAccessibleMessageId = isGroup
-				? await canisterAPI.firstAccessibleMessageId(getActor(), chatId.Group)
-				: 0n;
 
-			const participants = vetKeyEpochMetadata.participants;
+			const participants = vetKeyEpochMetaData[i].participants;
 			if (!participants) {
 				console.error('Failed to get participants for chat:', chatId);
 				continue;
@@ -183,16 +187,31 @@ export const chatUIActions = {
 				isUpdating: false,
 				disappearingMessagesDuration: 0,
 				keyRotationStatus: buildDummyRotationStatus(),
-				vetKeyEpoch: Number(vetKeyEpochMetadata.epoch_id),
+				vetKeyEpoch: Number(vetKeyEpochMetaData[i].epoch_id),
 				symmetricRatchetEpoch: 0,
 				unreadCount: 0,
 				avatar: isGroup ? '👥' : '👤',
-				firstAccessibleMessageId: Number(firstAccessibleMessageId)
+				firstAccessibleMessageId: Number(firstAccessibleMessageIds[i])
 			};
-			chats.state = [...chats.state, chat];
+			newChats.push(chat);
+		}
+
+		chats.state = [
+			...chats.state.filter((c) =>
+				currentChatIds.find((chatId) => chatIdToString(chatId) === c.idStr)
+			),
+			...newChats.filter((c) => !chats.state.find((c2) => c2.idStr === c.idStr))
+		];
+
+		// Initialize empty messages cache; we lazy-load on demand
+		for (const chat of newChats) {
+			if (!messages.state[chat.idStr]) messages.state[chat.idStr] = [];
+		}
 
-			// Initialize empty messages cache; we lazy-load on demand
-			if (!messages.state[chatIdStr]) messages.state[chatIdStr] = [];
+		if (chatsToRemoveFromUi.length > 0) {
+			for (const chat of chatsToRemoveFromUi) {
+				await chatStorageService.deleteChat(chat.idStr);
+			}
 		}
 	},
 
@@ -201,9 +220,12 @@ export const chatUIActions = {
 		console.log('selectChat: selected chat ', chatIdToString(chatId));
 
 		// Mark as read
-		chats.state = chats.state.map((chat) =>
-			chat.idStr === chatIdToString(chatId) ? { ...chat, unreadCount: 0 } : chat
-		);
+		const index = chats.state.findIndex((c) => c.idStr === chatIdToString(chatId)); 
+		if (index >= 0) {
+			chats.state[index].unreadCount = 0;
+		} else {
+			console.error('selectChat: chat not found: ', chatIdToString(chatId));
+		}
 	},
 
 	async loadChatMessages() {
@@ -404,11 +426,7 @@ export const chatUIActions = {
 		}
 	},
 
-	async updateGroupMembers(
-		chatId: ChatId,
-		addUsers: Principal[],
-		removeUsers: Principal[],
-	) {
+	async updateGroupMembers(chatId: ChatId, addUsers: Principal[], removeUsers: Principal[]) {
 		if ('Direct' in chatId) {
 			throw new Error('updateGroupMembers: chatId is a direct chat');
 		}
diff --git a/examples/encrypted_chat/frontend/tsconfig.json b/examples/encrypted_chat/frontend/tsconfig.json
index 78ea2167..95faaf66 100644
--- a/examples/encrypted_chat/frontend/tsconfig.json
+++ b/examples/encrypted_chat/frontend/tsconfig.json
@@ -7,7 +7,6 @@
 		"forceConsistentCasingInFileNames": true,
 		"resolveJsonModule": true,
 		"skipLibCheck": true,
-		"sourceMap": false,
 		"strict": true,
 		"moduleResolution": "bundler"
 	}
diff --git a/examples/encrypted_chat/frontend/vite.config.ts b/examples/encrypted_chat/frontend/vite.config.ts
index eedf0d83..24886d00 100644
--- a/examples/encrypted_chat/frontend/vite.config.ts
+++ b/examples/encrypted_chat/frontend/vite.config.ts
@@ -19,5 +19,8 @@ export default defineConfig({
 				changeOrigin: true
 			}
 		}
+	},
+	build: {
+		sourcemap: true,
 	}
 });

From 6839cc49c6b591e7430f13384bb774fcf26d2a63 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Fri, 17 Oct 2025 09:49:25 +0200
Subject: [PATCH 53/62] fix indexedDB

---
 .../encrypted_chat/frontend/package-lock.json |  7 ++
 examples/encrypted_chat/frontend/package.json |  1 +
 .../src/lib/crypto/symmetricRatchet.ts        | 16 +++++
 .../frontend/src/lib/services/chatStorage.ts  | 26 +++++++-
 .../lib/services/encryptedMessagingService.ts |  5 ++
 .../frontend/src/lib/services/keyStorage.ts   | 66 ++++++++++++++++---
 .../services/ratchetInitializationService.ts  | 58 +++++++++-------
 .../frontend/src/lib/stores/chat.svelte.ts    | 49 +++++++++++---
 .../frontend/src/lib/utils/index.ts           | 23 ++++++-
 9 files changed, 205 insertions(+), 46 deletions(-)

diff --git a/examples/encrypted_chat/frontend/package-lock.json b/examples/encrypted_chat/frontend/package-lock.json
index e7f44624..c1290d5a 100644
--- a/examples/encrypted_chat/frontend/package-lock.json
+++ b/examples/encrypted_chat/frontend/package-lock.json
@@ -20,6 +20,7 @@
 				"fake-indexeddb": "^6.0.1",
 				"idb-keyval": "^6.2.2",
 				"isomorphic-fetch": "^3.0.0",
+				"js-base64": "^3.7.8",
 				"lucide-svelte": "^0.536.0",
 				"sass": "^1.90.0"
 			},
@@ -3433,6 +3434,12 @@
 				"jiti": "lib/jiti-cli.mjs"
 			}
 		},
+		"node_modules/js-base64": {
+			"version": "3.7.8",
+			"resolved": "https://registry.npmjs.org/js-base64/-/js-base64-3.7.8.tgz",
+			"integrity": "sha512-hNngCeKxIUQiEUN3GPJOkz4wF/YvdUdbNL9hsBcMQTkKzboD7T/q3OYOuuPZLUE6dBxSGpwhk5mwuDud7JVAow==",
+			"license": "BSD-3-Clause"
+		},
 		"node_modules/js-yaml": {
 			"version": "4.1.0",
 			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
diff --git a/examples/encrypted_chat/frontend/package.json b/examples/encrypted_chat/frontend/package.json
index acc0fe1c..c4d01e61 100644
--- a/examples/encrypted_chat/frontend/package.json
+++ b/examples/encrypted_chat/frontend/package.json
@@ -56,6 +56,7 @@
 		"fake-indexeddb": "^6.0.1",
 		"idb-keyval": "^6.2.2",
 		"isomorphic-fetch": "^3.0.0",
+		"js-base64": "^3.7.8",
 		"lucide-svelte": "^0.536.0",
 		"sass": "^1.90.0"
 	}
diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
index cbe028b1..c044f0e6 100644
--- a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
@@ -28,6 +28,13 @@ const DOMAIN_MESSAGE_ENCRYPTION = sizePrefixedBytesFromString(
 //
 // In summary, the raw key state allows to cache the key and the CryptoKey state allows to encrypt/decrypt messages.
 
+export type StorableSymmetricRatchetState = {
+	cryptoKey: CryptoKey;
+	symmetricRatchetEpoch: bigint;
+	creationTime: Date;
+	rotationDuration: Date;
+};
+
 export class SymmetricRatchetState {
 	#cryptoKey: CryptoKey;
 	#symmetricRatchetEpoch: bigint;
@@ -46,6 +53,15 @@ export class SymmetricRatchetState {
 		this.#rotationDuration = rotationDuration;
 	}
 
+	toStorable(): StorableSymmetricRatchetState {
+		return {
+			cryptoKey: this.#cryptoKey,
+			symmetricRatchetEpoch: this.#symmetricRatchetEpoch,
+			creationTime: this.#creationTime,
+			rotationDuration: this.#rotationDuration
+		};
+	}
+
 	static async fromRawKeyState(
 		rawKeyState: CacheableSymmetricRatchetState
 	): Promise<SymmetricRatchetState> {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
index e3c1d26c..d42d3ff8 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
@@ -1,6 +1,8 @@
 import { get, set, del, clear, keys } from 'idb-keyval';
 import type { Message, Chat, UserConfig } from '../types';
 import { storagePrefixes } from '../types';
+import * as cbor from 'cbor-x';
+import { fromHex, toHex } from '$lib/utils';
 
 // IndexedDB storage service for persistent chat data
 export class ChatStorageService {
@@ -8,13 +10,16 @@ export class ChatStorageService {
 		console.log(
 			`ChatStorageService: Saving from chat ${message.chatId} message ${message.messageId} to indexedDB`
 		);
-		await set([storagePrefixes.MESSAGE_PREFIX, message.chatId, message.messageId], message);
+
+		const encodedMessage = toHex(cbor.encode(message) as Uint8Array);
+
+		await set([storagePrefixes.MESSAGE_PREFIX, message.chatId, message.messageId], encodedMessage);
 	}
 
 	async getMessages(chatId: string): Promise<Message[]> {
 		const allKeys = await keys();
 		const chatMessageKeys = allKeys.filter(
-			(key) => Array.isArray(key) && key[0] === storagePrefixes.MESSAGE_PREFIX
+			(key) => Array.isArray(key) && key[0] === storagePrefixes.MESSAGE_PREFIX && key[1] === chatId
 		);
 		if (chatMessageKeys.length === 0) {
 			console.log(`ChatStorageService: No messages found in indexedDB for chat ${chatId}`);
@@ -26,7 +31,12 @@ export class ChatStorageService {
 
 		const messages: Message[] = [];
 		for (const key of chatMessageKeys) {
-			const message = (await get(key)) as Message;
+			const encodedMessage = await get(key) as string;
+			if (!encodedMessage) {
+				console.error("ChatStorageService: Failed to get encoded message from indexedDB");
+				continue;
+			}
+			const message = cbor.decode(fromHex(encodedMessage)) as Message;
 			if (message) {
 				// Ensure timestamp is a Date object
 				if (typeof message.timestamp === 'string') {
@@ -44,6 +54,16 @@ export class ChatStorageService {
 		await del([storagePrefixes.MESSAGE_PREFIX, chatId, messageId]);
 	}
 
+	async containsMessage(chatId: string, messageId: string): Promise<boolean> {
+		return (await keys()).some(
+			(key) =>
+				Array.isArray(key) &&
+				key[0] === storagePrefixes.MESSAGE_PREFIX &&
+				key[1] === chatId &&
+				key[2] === messageId
+		);
+	}
+
 	// Chat metadata storage
 	async saveChat(chat: Chat): Promise<void> {
 		console.log(`ChatStorageService: Saving chat ${chat.idStr} to indexedDB`);
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index f8a5e77b..9c48a070 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -17,6 +17,7 @@ import {
 	randomSenderMessageId
 } from '$lib/utils';
 import * as cbor from 'cbor-x';
+import type { SymmetricRatchetState } from '$lib/crypto/symmetricRatchet';
 
 type MessageContent = {
 	textContent: string;
@@ -69,6 +70,10 @@ export class EncryptedMessagingService {
 		);
 	}
 
+	inductSymmetricRatchetState(chatIdStr: string, vetKeyEpoch: bigint, symmetricRatchetState: SymmetricRatchetState) {
+		this.#keyManager.inductSymmetricRatchetState(chatIdStr, vetKeyEpoch, symmetricRatchetState);
+	}
+
 	skipMessagesAvailableLocally(chatId: ChatId, numMessages: bigint) {
 		console.log(
 			'skipMessagesAvailableLocally: chatId',
diff --git a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
index 30a1747a..bf55d57d 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
@@ -1,27 +1,77 @@
+import {
+	SymmetricRatchetState,
+	type StorableSymmetricRatchetState as StorableSymmetricRatchetState
+} from '$lib/crypto/symmetricRatchet';
 import { storagePrefixes } from '../types';
-import { get, set } from 'idb-keyval';
+import { get, keys, set } from 'idb-keyval';
 
 // IndexedDB storage service for persistent key data
 export class KeyStorageService {
-	async getSymmetricKeyState(
+	async getSymmetricRatchetState(
 		chatIdStr: string,
 		vetKeyEpochStr: string
-	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint } | undefined> {
+	): Promise<SymmetricRatchetState | undefined> {
 		console.log(
 			`KeyStorageService: Getting key state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}`
 		);
-		return await get([storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdStr, vetKeyEpochStr]);
+		const stateRecord = (await get([
+			storagePrefixes.CHAT_EPOCH_KEY_PREFIX,
+			chatIdStr,
+			vetKeyEpochStr
+		])) as StorableSymmetricRatchetState;
+		if (!stateRecord) {
+			throw new Error(
+				`KeyStorageService: No symmetric ratchet state found for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}`
+			);
+		}
+		console.log(
+			`KeyStorageService.getSymmetricRatchetState: Got symmetric ratchet state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}: state`,
+			stateRecord
+		);
+		return new SymmetricRatchetState(
+			stateRecord.cryptoKey,
+			stateRecord.symmetricRatchetEpoch,
+			stateRecord.creationTime,
+			stateRecord.rotationDuration
+		);
 	}
 
-	async saveSymmetricKeyState(
+	async saveSymmetricRatchetState(
 		chatIdStr: string,
 		vetKeyEpochStr: string,
-		keyState: { key: CryptoKey; symmetricKeyEpoch: bigint }
+		state: SymmetricRatchetState
 	) {
 		console.log(
-			`KeyStorageService: Saving key state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}`
+			`KeyStorageService: Saving key state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}: state`,
+			state
 		);
-		await set([storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdStr, vetKeyEpochStr], keyState);
+		await set([storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdStr, vetKeyEpochStr], state.toStorable());
+	}
+
+	async getAllSymmetricRatchetStates(): Promise<
+		{ chatIdStr: string; vetKeyEpoch: bigint; state: SymmetricRatchetState }[]
+	> {
+		console.log(`KeyStorageService: Getting all symmetric key states`);
+		const allKeys = await keys();
+		const symmetricKeyStates: {
+			chatIdStr: string;
+			vetKeyEpoch: bigint;
+			state: SymmetricRatchetState;
+		}[] = [];
+		for (const key of allKeys) {
+			console.log(`KeyStorageService: getAllSymmetricRatchetStates key`, key);
+			if (Array.isArray(key) && key[0] === storagePrefixes.CHAT_EPOCH_KEY_PREFIX) {
+				const state = await this.getSymmetricRatchetState(key[1] as string, key[2] as string);
+				if (state) {
+					symmetricKeyStates.push({
+						chatIdStr: key[1] as string,
+						vetKeyEpoch: BigInt(key[2] as string),
+						state
+					});
+				}
+			}
+		}
+		return symmetricKeyStates;
 	}
 
 	async saveIbeDecryptionKey(keyBytes: Uint8Array) {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
index b354374d..14c31e12 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
@@ -30,8 +30,7 @@ export class RatchetInitializationService {
 		);
 
 		try {
-			const keyState = await this.cryptoKeyStateFromLocalStorage(chatId, vetKeyEpoch);
-			return new SymmetricRatchetState(keyState.key, 0n, creationTime, rotationDuration);
+			return await this.cryptoKeyStateFromLocalStorage(chatId, vetKeyEpoch);
 		} catch (error) {
 			console.info(
 				`User doesn't have key in persistent storage for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
@@ -41,12 +40,26 @@ export class RatchetInitializationService {
 
 		try {
 			const keyState = await this.cryptoKeyStateFromRemoteCache(chatId, vetKeyEpoch);
-			return new SymmetricRatchetState(
+			const symmetricRatchetState = new SymmetricRatchetState(
 				keyState.key,
 				keyState.symmetricKeyEpoch,
 				creationTime,
 				rotationDuration
 			);
+
+			keyStorageService
+				.saveSymmetricRatchetState(
+					chatIdToString(chatId),
+					vetKeyEpoch.toString(),
+					symmetricRatchetState
+				)
+				.catch((error) => {
+					console.error(
+						`Failed to save key state for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
+						error
+					);
+				});
+			return symmetricRatchetState;
 		} catch (error) {
 			console.info(
 				`User doesn't have key in remote cache for chat ${chatIdToString(chatId)} and vetKey epoch ${vetKeyEpoch.toString()}: `,
@@ -68,12 +81,25 @@ export class RatchetInitializationService {
 
 		try {
 			const keyState = await this.fetchAndReshareAndCacheVetKey(chatId, vetKeyEpoch);
-			return new SymmetricRatchetState(
+			const symmetricRatchetState = new SymmetricRatchetState(
 				keyState.key,
 				keyState.symmetricKeyEpoch,
 				creationTime,
 				rotationDuration
 			);
+			keyStorageService
+				.saveSymmetricRatchetState(
+					chatIdToString(chatId),
+					vetKeyEpoch.toString(),
+					symmetricRatchetState
+				)
+				.catch((error) => {
+					console.error(
+						`Failed to save key state for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
+						error
+					);
+				});
+			return symmetricRatchetState;
 		} catch (error) {
 			console.info('Failed to fetch vetkey: ', error);
 		}
@@ -84,9 +110,9 @@ export class RatchetInitializationService {
 	async cryptoKeyStateFromLocalStorage(
 		chatId: ChatId,
 		vetKeyEpoch: bigint
-	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
+	): Promise<SymmetricRatchetState> {
 		return keyStorageService
-			.getSymmetricKeyState(chatIdToString(chatId), vetKeyEpoch.toString())
+			.getSymmetricRatchetState(chatIdToString(chatId), vetKeyEpoch.toString())
 			.then((keyState) => {
 				if (keyState) {
 					console.log('Key state found in key storage: ', keyState);
@@ -150,25 +176,9 @@ export class RatchetInitializationService {
 					);
 				});
 
-			const freshCryptoKeyState = importKeyStateFromBytes(
+			return await importKeyStateFromBytes(
 				deriveRootKeyAndDispatchCaching(chatId, vetKeyEpoch, vetKey.signatureBytes())
-			).then((freshCryptoKeyState) => {
-				keyStorageService
-					.saveSymmetricKeyState(
-						chatIdToString(chatId),
-						vetKeyEpoch.toString(),
-						freshCryptoKeyState
-					)
-					.catch((error) => {
-						console.error(
-							`Failed to save key state for chat ${chatIdToString(chatId)} vetkeyEpoch ${vetKeyEpoch.toString()}: `,
-							error
-						);
-					});
-				return freshCryptoKeyState;
-			});
-
-			return freshCryptoKeyState;
+			);
 		}
 	}
 }
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 1a24622c..0452a203 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -17,6 +17,7 @@ import { Principal } from '@dfinity/principal';
 import { chatIdFromString, chatIdToString } from '$lib/utils';
 import { EncryptedMessagingService } from '$lib/services/encryptedMessagingService';
 import * as cbor from 'cbor-x';
+import { KeyStorageService } from '$lib/services/keyStorage';
 
 export const chats = $state<{ state: Chat[] }>({ state: [] });
 export const selectedChatId = $state<{ state: ChatId | null }>({ state: null });
@@ -41,13 +42,17 @@ export function initVetKeyReactions() {
 				});
 			}
 
-			// for (const [_chatIdStr, messagesArray] of messages.state.entries() {
-			// 	for (const message of messagesArray) {
-			// 		chatStorageService.saveMessage(message).catch((error) => {
-			// 			console.error('Failed to save message:', error);
-			// 		});
-			// 	}
-			// }
+			for (const [chatIdStr, messagesArray] of Object.entries(messages.state)) {
+				for (const message of messagesArray) {
+					void chatStorageService.containsMessage(chatIdStr, message.messageId).then((exists) => {
+						if (!exists) {
+							chatStorageService.saveMessage(message).catch((error) => {
+								console.error('Failed to save message:', error);
+							});
+						}
+					});
+				}
+			}
 		});
 	});
 }
@@ -68,8 +73,10 @@ export const chatUIActions = {
 
 			// Load chats
 			const allChats = await chatStorageService.getAllChats();
-			chats.state = [...allChats];
 
+			console.log('initialize: allChats', allChats);
+
+			const allMessages: Record<string, Message[]> = {};
 			// Load messages
 			for (const chat of allChats) {
 				const chatMessages = await chatStorageService.getMessages(chat.idStr);
@@ -85,7 +92,29 @@ export const chatUIActions = {
 						BigInt(chatMessages[chatMessages.length - 1].messageId) + 1n
 					);
 				}
-				messages.state[chat.idStr] = [...(messages.state[chat.idStr] ?? []), ...chatMessages];
+				allMessages[chat.idStr] = [...(allMessages[chat.idStr] ?? []), ...chatMessages];
+			}
+
+			// set the last message for each chat
+			allChats.forEach((chat) => {
+				const lastMessage = allMessages[chat.idStr][allMessages[chat.idStr].length - 1];
+				chat.lastMessage = lastMessage;
+			});
+			console.log('initialize: allMessages', allMessages);
+			console.log('initialize: allChats', allChats);
+			chats.state = allChats;
+			messages.state = allMessages;
+			const symmetricRatchetStates = await new KeyStorageService().getAllSymmetricRatchetStates();
+			for (const { chatIdStr, vetKeyEpoch, state } of symmetricRatchetStates) {
+				console.log(
+					'initialize: inducting symmetric ratchet state for chatId',
+					chatIdStr,
+					'vetKeyEpoch',
+					vetKeyEpoch,
+					'symmetricRatchetState',
+					state
+				);
+				encryptedMessagingService.inductSymmetricRatchetState(chatIdStr, vetKeyEpoch, state);
 			}
 
 			encryptedMessagingService.start();
@@ -220,7 +249,7 @@ export const chatUIActions = {
 		console.log('selectChat: selected chat ', chatIdToString(chatId));
 
 		// Mark as read
-		const index = chats.state.findIndex((c) => c.idStr === chatIdToString(chatId)); 
+		const index = chats.state.findIndex((c) => c.idStr === chatIdToString(chatId));
 		if (index >= 0) {
 			chats.state[index].unreadCount = 0;
 		} else {
diff --git a/examples/encrypted_chat/frontend/src/lib/utils/index.ts b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
index 8555e1f7..55ae88ba 100644
--- a/examples/encrypted_chat/frontend/src/lib/utils/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
@@ -64,7 +64,9 @@ export function sizePrefixedBytesFromString(text: string): Uint8Array {
 	return new Uint8Array([...size, ...bytes]);
 }
 
-export function chatIdsNumMessagesToSummary(args: { chatId: ChatId; numMessages: bigint }[]): string {
+export function chatIdsNumMessagesToSummary(
+	args: { chatId: ChatId; numMessages: bigint }[]
+): string {
 	return args.reduce((acc, { chatId, numMessages }) => {
 		if ('Direct' in chatId) {
 			return (
@@ -94,3 +96,22 @@ export function randomSenderMessageId(): bigint {
 	for (const b of buf) senderMessageId = (senderMessageId << 8n) | BigInt(b);
 	return senderMessageId;
 }
+
+export function toHex(bytes: Uint8Array): string {
+	const hex: string[] = [];
+	for (let i = 0; i < bytes.length; i++) {
+		const v = bytes[i].toString(16);
+		hex[i] = v.length === 1 ? '0' + v : v;
+	}
+	return hex.join('');
+}
+
+export function fromHex(hex: string): Uint8Array {
+	if (hex.length % 2 !== 0) throw new Error('Invalid hex string');
+	const len = hex.length / 2;
+	const bytes = new Uint8Array(len);
+	for (let i = 0; i < len; i++) {
+		bytes[i] = parseInt(hex.substr(i * 2, 2), 16);
+	}
+	return bytes;
+}

From 6885d79631d22d7a10576d1e32249dbe94f6b97c Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Fri, 17 Oct 2025 13:31:52 +0200
Subject: [PATCH 54/62] rm first accessible message id and fix JSON.stringify
 for principals

---
 .../frontend/src/lib/services/canisterApi.ts  | 12 ------
 .../frontend/src/lib/services/chatStorage.ts  | 28 +++++++++++--
 .../lib/services/encryptedMessagingService.ts | 40 ++++---------------
 .../frontend/src/lib/services/keyStorage.ts   |  9 +++--
 .../frontend/src/lib/stores/auth.svelte.ts    |  3 ++
 .../frontend/src/lib/stores/chat.svelte.ts    |  9 +----
 .../frontend/src/lib/types/index.ts           |  1 -
 .../encrypted_chat/rust/backend/backend.did   |  1 -
 .../encrypted_chat/rust/backend/src/lib.rs    | 14 -------
 9 files changed, 41 insertions(+), 76 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts b/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
index 7eea0e8d..77983d1a 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
@@ -178,18 +178,6 @@ export class CanisterAPI {
 		);
 		return result;
 	}
-
-	async firstAccessibleMessageId(
-		actor: ActorSubclass<_SERVICE>,
-		groupChatId: bigint
-	): Promise<bigint | undefined> {
-		const result = await actor.first_accessible_message_id(groupChatId);
-		if (result.length === 0) {
-			return undefined;
-		} else {
-			return result[0];
-		}
-	}
 }
 
 export const canisterAPI = new CanisterAPI();
diff --git a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
index d42d3ff8..e2d6564b 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/chatStorage.ts
@@ -3,6 +3,7 @@ import type { Message, Chat, UserConfig } from '../types';
 import { storagePrefixes } from '../types';
 import * as cbor from 'cbor-x';
 import { fromHex, toHex } from '$lib/utils';
+import { Principal } from '@dfinity/principal';
 
 // IndexedDB storage service for persistent chat data
 export class ChatStorageService {
@@ -31,9 +32,9 @@ export class ChatStorageService {
 
 		const messages: Message[] = [];
 		for (const key of chatMessageKeys) {
-			const encodedMessage = await get(key) as string;
+			const encodedMessage = (await get(key)) as string;
 			if (!encodedMessage) {
-				console.error("ChatStorageService: Failed to get encoded message from indexedDB");
+				console.error('ChatStorageService: Failed to get encoded message from indexedDB');
 				continue;
 			}
 			const message = cbor.decode(fromHex(encodedMessage)) as Message;
@@ -67,7 +68,17 @@ export class ChatStorageService {
 	// Chat metadata storage
 	async saveChat(chat: Chat): Promise<void> {
 		console.log(`ChatStorageService: Saving chat ${chat.idStr} to indexedDB`);
-		const value = JSON.stringify(chat);
+		// example of the JSON encoding is
+		const value = JSON.stringify(chat, (key, value) => {
+			if (value instanceof Principal) {
+				const principal = {
+					__principal__: true,
+					value: value.toText()
+				};
+				return principal;
+			}
+			return value as unknown;
+		});
 		if (!value) {
 			throw new Error('ChatStorageService: Failed to stringify chat');
 		}
@@ -96,7 +107,16 @@ export class ChatStorageService {
 			const chatStr = (await get(key)) as string;
 			if (chatStr) {
 				console.log('getAllChats: getting key', key, ' with value ', chatStr);
-				chats.push(JSON.parse(chatStr) as Chat);
+				chats.push(
+					JSON.parse(chatStr, (key, value) => {
+						if (typeof value === 'object' && value !== null && '__principal__' in value) {
+							// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+							const principal = Principal.fromText(value.__principal__ as string);
+							return principal;
+						}
+						return value as unknown;
+					}) as Chat
+				);
 			}
 		}
 		return chats;
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index 9c48a070..5ead32a3 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -32,7 +32,6 @@ export class EncryptedMessagingService {
 
 	#receivingQueue: Map<string, Message[]>;
 	#receivingQueueToDecrypt: Map<string, EncryptedMessage[]>;
-	#firstAccessibleMessageId: Map<string, bigint>;
 	#chatIdToCurrentNumberOfRemoteMessages: Map<string, bigint>;
 	#chatIdToCurrentNumberOfFetchedMessages: Map<string, bigint>;
 
@@ -47,7 +46,6 @@ export class EncryptedMessagingService {
 		this.#receivingQueue = new Map();
 		this.#receivingQueueToDecrypt = new Map();
 
-		this.#firstAccessibleMessageId = new Map();
 		this.#chatIdToCurrentNumberOfRemoteMessages = new Map();
 		this.#chatIdToCurrentNumberOfFetchedMessages = new Map();
 
@@ -70,7 +68,11 @@ export class EncryptedMessagingService {
 		);
 	}
 
-	inductSymmetricRatchetState(chatIdStr: string, vetKeyEpoch: bigint, symmetricRatchetState: SymmetricRatchetState) {
+	inductSymmetricRatchetState(
+		chatIdStr: string,
+		vetKeyEpoch: bigint,
+		symmetricRatchetState: SymmetricRatchetState
+	) {
 		this.#keyManager.inductSymmetricRatchetState(chatIdStr, vetKeyEpoch, symmetricRatchetState);
 	}
 
@@ -205,22 +207,12 @@ export class EncryptedMessagingService {
 				this.#chatIdToCurrentNumberOfFetchedMessages.get(chatIdToString(chatId)) ?? 0n;
 			this.#chatIdToCurrentNumberOfRemoteMessages.set(chatIdToString(chatId), numMessages);
 
-			if (
-				(this.#firstAccessibleMessageId.get(chatIdToString(chatId)) ?? 0n) +
-					currentNumberOfFetchedMessages >=
-				numMessages
-			) {
-				continue;
-			}
-
 			console.log(
-				`#pollForNewMessages: new messages for chatId: ${chatIdToString(chatId)}, currentNumberOfFetchedMessages: ${currentNumberOfFetchedMessages}, numMessages: ${numMessages}, firstAccessibleMessageId: ${this.#firstAccessibleMessageId.get(chatIdToString(chatId)) ?? 0n}`
+				`#pollForNewMessages: new messages for chatId: ${chatIdToString(chatId)}, currentNumberOfFetchedMessages: ${currentNumberOfFetchedMessages}, numMessages: ${numMessages}`
 			);
 
 			// Get messages starting from the last known message ID
-			const startId =
-				(await this.#getFirstAccessibleMessageId(chatIdToString(chatId))) +
-				currentNumberOfFetchedMessages;
+			const startId = 0n + currentNumberOfFetchedMessages;
 
 			try {
 				const messages = await canisterAPI.fetchEncryptedMessages(
@@ -233,7 +225,7 @@ export class EncryptedMessagingService {
 				console.log(
 					`#pollForNewMessages: fetched ${messages.length} messages for chatId ${chatIdToString(
 						chatId
-					)}, currentNumberOfFetchedMessages: ${currentNumberOfFetchedMessages}, numMessages: ${numMessages}, firstAccessibleMessageId: ${this.#firstAccessibleMessageId.get(chatIdToString(chatId)) ?? 0n} new fetched messages count: ${currentNumberOfFetchedMessages + BigInt(messages.length)}`
+					)}, currentNumberOfFetchedMessages: ${currentNumberOfFetchedMessages}, numMessages: ${numMessages}, new fetched messages count: ${currentNumberOfFetchedMessages + BigInt(messages.length)}`
 				);
 
 				console.log(
@@ -368,22 +360,6 @@ export class EncryptedMessagingService {
 			symmetricRatchetEpoch: Number(metadata.symmetric_key_epoch)
 		};
 	}
-
-	async #getFirstAccessibleMessageId(chatIdStr: string) {
-		const chatId = chatIdFromString(chatIdStr);
-		if ('Direct' in chatId) {
-			return 0n;
-		}
-
-		if (this.#firstAccessibleMessageId.has(chatIdStr)) {
-			return this.#firstAccessibleMessageId.get(chatIdStr)!;
-		}
-
-		const id = (await canisterAPI.firstAccessibleMessageId(getActor(), chatId.Group)) ?? 0n;
-		this.#firstAccessibleMessageId.set(chatIdStr, id);
-
-		return id;
-	}
 }
 
 class BackgroundWorker {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
index bf55d57d..06ee28f4 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
@@ -20,9 +20,7 @@ export class KeyStorageService {
 			vetKeyEpochStr
 		])) as StorableSymmetricRatchetState;
 		if (!stateRecord) {
-			throw new Error(
-				`KeyStorageService: No symmetric ratchet state found for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}`
-			);
+			return undefined;
 		}
 		console.log(
 			`KeyStorageService.getSymmetricRatchetState: Got symmetric ratchet state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}: state`,
@@ -45,7 +43,10 @@ export class KeyStorageService {
 			`KeyStorageService: Saving key state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}: state`,
 			state
 		);
-		await set([storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdStr, vetKeyEpochStr], state.toStorable());
+		await set(
+			[storagePrefixes.CHAT_EPOCH_KEY_PREFIX, chatIdStr, vetKeyEpochStr],
+			state.toStorable()
+		);
 	}
 
 	async getAllSymmetricRatchetStates(): Promise<
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
index b18db0d8..82062093 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/auth.svelte.ts
@@ -105,6 +105,9 @@ export async function logout() {
 
 export function getMyPrincipal(): Principal {
 	if (auth.state.label !== 'initialized') throw new Error('Unexpectedly not authenticated');
+	if (!auth.state.client.getIdentity().getPrincipal()) {
+		console.error('Unexpectedly not authenticated: undefined principal', auth.state.client.getIdentity().getPrincipal());
+	}
 	return auth.state.client.getIdentity().getPrincipal();
 }
 
diff --git a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
index 0452a203..acaa7f74 100644
--- a/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
+++ b/examples/encrypted_chat/frontend/src/lib/stores/chat.svelte.ts
@@ -161,17 +161,11 @@ export const chatUIActions = {
 		);
 
 		const vetKeyEpochMetaData = [];
-		const firstAccessibleMessageIds = [];
 
 		for (const chatId of chatsToAddToUi) {
 			const chatIdStr = chatIdToString(chatId);
 			console.log('refreshChats: adding chat ', chatIdStr);
-
 			vetKeyEpochMetaData.push(await canisterAPI.getLatestVetKeyEpochMetadata(getActor(), chatId));
-			const isGroup = 'Group' in chatId;
-			firstAccessibleMessageIds.push(
-				isGroup ? await canisterAPI.firstAccessibleMessageId(getActor(), chatId.Group) : 0n
-			);
 		}
 
 		const newChats: Chat[] = [];
@@ -219,8 +213,7 @@ export const chatUIActions = {
 				vetKeyEpoch: Number(vetKeyEpochMetaData[i].epoch_id),
 				symmetricRatchetEpoch: 0,
 				unreadCount: 0,
-				avatar: isGroup ? '👥' : '👤',
-				firstAccessibleMessageId: Number(firstAccessibleMessageIds[i])
+				avatar: isGroup ? '👥' : '👤'
 			};
 			newChats.push(chat);
 		}
diff --git a/examples/encrypted_chat/frontend/src/lib/types/index.ts b/examples/encrypted_chat/frontend/src/lib/types/index.ts
index abf4d4b0..618be057 100644
--- a/examples/encrypted_chat/frontend/src/lib/types/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/types/index.ts
@@ -40,7 +40,6 @@ export interface Chat {
 	symmetricRatchetEpoch: number;
 	unreadCount: number;
 	avatar?: string;
-	firstAccessibleMessageId: number;
 }
 
 export interface DirectChat extends Chat {
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index 758402d4..ae392965 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -54,7 +54,6 @@ service : (text) -> {
   // * If the user does not have access to the chat or vetKey epoch.
   // * If the user has already cached the key.
   derive_chat_vetkey : (ChatId, opt nat64, blob) -> (Result_2);
-  first_accessible_message_id : (nat64) -> (opt nat64) query;
   get_encrypted_vetkey_for_my_cache_storage : (blob) -> (blob);
   get_latest_chat_vetkey_epoch_metadata : (ChatId) -> (Result_3) query;
   // Returns messages for a chat starting from a given message id.
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 4c9d0392..c9113c21 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -248,20 +248,6 @@ fn create_group_chat(
     Ok(group_chat_metadata)
 }
 
-#[ic_cdk::query]
-async fn first_accessible_message_id(group_chat_id: GroupChatId) -> Option<ChatMessageId> {
-    let caller = ic_cdk::api::msg_caller();
-    let chat_id = ChatId::Group(group_chat_id);
-
-    CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
-        metadata
-            .range(&(chat_id, Time(0))..)
-            .take_while(|metadata| metadata.key().0 == chat_id)
-            .find(|metadata| metadata.value().participants.contains(&caller))
-            .map(|metadata| metadata.value().messages_start_with_id)
-    })
-}
-
 #[ic_cdk::update]
 async fn chat_public_key(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) -> serde_bytes::ByteBuf {
     let request = VetKDPublicKeyArgs {

From cb028d3fabc82f22f547f4b69911d03fdd5dc7cb Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <oleksandr.tkachenko@dfinity.org>
Date: Thu, 30 Oct 2025 13:38:47 +0100
Subject: [PATCH 55/62] wip

---
 .../frontend/src/lib/crypto/keyManager.ts     | 109 ++++-
 .../src/lib/crypto/symmetricRatchet.ts        |  69 +++-
 .../frontend/src/lib/services/canisterApi.ts  |  24 +-
 .../lib/services/encryptedMessagingService.ts |  62 ++-
 ...s => encryptedRatchetStateCacheService.ts} |   2 +-
 .../frontend/src/lib/services/keyStorage.ts   |   7 +-
 .../services/ratchetInitializationService.ts  |  22 +-
 .../encrypted_chat/rust/backend/backend.did   |  19 +-
 .../encrypted_chat/rust/backend/src/lib.rs    | 371 +++++++++++++-----
 .../encrypted_chat/rust/backend/src/types.rs  |  32 +-
 .../rust/backend/tests/direct_chat.rs         | 172 +++++---
 .../rust/backend/tests/group_chat.rs          |  80 ++--
 .../encrypted_chat/rust/backend/tests/misc.rs |  26 +-
 13 files changed, 741 insertions(+), 254 deletions(-)
 rename examples/encrypted_chat/frontend/src/lib/services/{encryptedCanisterCacheService.ts => encryptedRatchetStateCacheService.ts} (99%)

diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts b/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
index 69c7394a..318345c0 100644
--- a/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
@@ -2,10 +2,110 @@ import { SymmetricRatchetState } from './symmetricRatchet';
 import { Principal } from '@dfinity/principal';
 
 export class KeyManager {
-	#symmetricRatchetStates: Map<string, Map<bigint, SymmetricRatchetState>> = new Map();
+	#symmetricRatchetStates: Map<
+		string,
+		{ states: Map<bigint, SymmetricRatchetState>; stateRecoveryDuration: Date }
+	> = new Map();
+	#consensusTime: Date | null = null;
 
 	constructor() {}
 
+	ratchetVersions(): {
+		chatIdStr: string;
+		vetKeyEpochId: bigint;
+		oldestSymmetricRatchetEpochId: bigint;
+	}[] {
+		const versions: {
+			chatIdStr: string;
+			vetKeyEpochId: bigint;
+			oldestSymmetricRatchetEpochId: bigint;
+		}[] = [];
+		for (const [chatIdStr, { states }] of this.#symmetricRatchetStates.entries()) {
+			for (const [vetKeyEpochId, symmetricRatchetState] of states.entries()) {
+				versions.push({
+					chatIdStr,
+					vetKeyEpochId,
+					oldestSymmetricRatchetEpochId: symmetricRatchetState.getCurrentEpoch()
+				});
+			}
+		}
+		return versions;
+	}
+
+	async setExpiry(chatIdStr: string, expiry: Date) {
+		const map = this.#symmetricRatchetStates.get(chatIdStr);
+		if (!map) {
+			throw new Error(`KeyManager.setExpiry: No ratchet states found for chatId ${chatIdStr}`);
+		}
+		const oldExpiry = map.stateRecoveryDuration;
+		map.stateRecoveryDuration = expiry;
+		if (expiry > oldExpiry) {
+			await this.evolveAndCleanupExpiredStates(chatIdStr);
+		}
+	}
+
+	async evolveAndCleanupExpiredStates(chatIdStr: string) {
+		const map = this.#symmetricRatchetStates.get(chatIdStr);
+		if (!map) {
+			return;
+		}
+		if (map.states.size === 0) {
+			return;
+		}
+		if (this.#consensusTime === null) {
+			console.warn('KeyManager.evolveAndCleanupExpiredStates: Consensus time is not set');
+			return;
+		}
+
+		const recovery = map.stateRecoveryDuration;
+
+		const keys = map.states.keys().toArray();
+		for (let i = 1; i < keys.length; i++) {
+			const value = map.states.get(keys[i]);
+			if (!value) {
+				console.error('Bug in KeyManager.evolveAndCleanupExpiredStates: Inconsistent map');
+				continue;
+			}
+
+			if (value.getCreationTime().getTime() + recovery.getTime() < this.#consensusTime.getTime()) {
+				map.states.delete(keys[i]);
+			}
+		}
+
+		for (const [vetKeyEpochId, state] of states.entries()) {
+			await state.evolveIfNeeded(new Date(consensusTime.getTime() - expiry.getTime()));
+		}
+
+		states.forEach(
+			async (state) =>
+				await state.evolveIfNeeded(new Date(consensusTime.getTime() - expiry.getTime()))
+		);
+	}
+
+	async setConsensusTimeAndEvolveStates(time: Date) {
+		if (this.#consensusTime && time < this.#consensusTime) {
+			throw new Error(
+				`KeyManager.setConsensusTimestamp: Timestamp ${time.toISOString()} is before the current consensus timestamp ${this.#consensusTime.toISOString()}`
+			);
+		}
+		this.#consensusTime = time;
+		await this.#evolveRatchetStatesIfNeeded();
+	}
+
+	async #evolveRatchetStatesIfNeeded() {
+		if (!this.#consensusTime) {
+			return;
+		}
+		for (const chatStates of this.#symmetricRatchetStates.values()) {
+			for (const [, state] of chatStates) {
+				await state.evolveIfNeeded(this.#consensusTime);
+			}
+		}
+		// TODO: Implement
+		// This should be called when consensus timestamp changes. Not necessarily on every change though, although it generally makes sense to do so.
+		// We need to update the symmetric ratchet states if they are too old.
+	}
+
 	getCurrentChatIdStrs(): string[] {
 		return Array.from(this.#symmetricRatchetStates.keys());
 	}
@@ -52,12 +152,7 @@ export class KeyManager {
 				`KeyManager.decryptAtTimeAndEvolveIfNeeded: No symmetric ratchet states found for chatId ${chatId} and vetKeyEpoch ${vetKeyEpoch}`
 			);
 		}
-		return await symmetricRatchetState.decryptAtTimeAndEvolveIfNeeded(
-			sender,
-			senderMessageId,
-			encryptedBytes,
-			time
-		);
+		return await symmetricRatchetState.decryptAtTime(sender, senderMessageId, encryptedBytes, time);
 	}
 
 	doesChatHaveKeys(chatId: string): boolean {
diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
index c044f0e6..7b62d26e 100644
--- a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
@@ -33,6 +33,7 @@ export type StorableSymmetricRatchetState = {
 	symmetricRatchetEpoch: bigint;
 	creationTime: Date;
 	rotationDuration: Date;
+	stateRecoveryDuration: Date;
 };
 
 export class SymmetricRatchetState {
@@ -45,12 +46,19 @@ export class SymmetricRatchetState {
 		key: CryptoKey,
 		symmetricRatchetEpoch: bigint,
 		creationTime: Date,
-		rotationDuration: Date
+		rotationDuration: Date,
+		stateRecoveryDuration: Date
 	) {
 		this.#cryptoKey = key;
 		this.#symmetricRatchetEpoch = symmetricRatchetEpoch;
 		this.#creationTime = creationTime;
 		this.#rotationDuration = rotationDuration;
+		this.#stateRecoveryDuration = stateRecoveryDuration;
+	}
+
+	updateStateRecoveryDurationAndEvolve(stateRecoveryDuration: Date) {
+		this.#stateRecoveryDuration = stateRecoveryDuration;
+		// TODO: Implement
 	}
 
 	toStorable(): StorableSymmetricRatchetState {
@@ -58,7 +66,8 @@ export class SymmetricRatchetState {
 			cryptoKey: this.#cryptoKey,
 			symmetricRatchetEpoch: this.#symmetricRatchetEpoch,
 			creationTime: this.#creationTime,
-			rotationDuration: this.#rotationDuration
+			rotationDuration: this.#rotationDuration,
+			stateRecoveryDuration: this.#stateRecoveryDuration
 		};
 	}
 
@@ -73,11 +82,12 @@ export class SymmetricRatchetState {
 			key,
 			symmetricKeyEpoch,
 			rawKeyState.creationTime,
-			rawKeyState.rotationDuration
+			rawKeyState.rotationDuration,
+			rawKeyState.stateRecoveryDuration
 		);
 	}
 
-	async decryptAtTimeAndEvolveIfNeeded(
+	async decryptAtTime(
 		sender: Principal,
 		senderMessageId: bigint,
 		message: Uint8Array,
@@ -87,9 +97,11 @@ export class SymmetricRatchetState {
 			throw new Error('Cannot decrypt message before the state was created');
 		}
 		const expectedEpoch = this.getExpectedEpochAtTime(time);
-		await this.evolveTo(expectedEpoch);
+		const neededSymmetricRatchetState = await this.peekAtEpoch(expectedEpoch);
 		const domainSeparator = messageEncryptionDomainSeparator(sender, senderMessageId);
-		const derivedKeyMaterial = DerivedKeyMaterial.fromCryptoKey(this.#cryptoKey);
+		const derivedKeyMaterial = DerivedKeyMaterial.fromCryptoKey(
+			neededSymmetricRatchetState.#cryptoKey
+		);
 		return await derivedKeyMaterial.decryptMessage(message, domainSeparator);
 	}
 
@@ -118,6 +130,22 @@ export class SymmetricRatchetState {
 		};
 	}
 
+	async evolveIfNeeded(consensusTime: Date) {
+		while (true) {
+			const epoch = Number(this.#symmetricRatchetEpoch);
+			const creationMs = this.#creationTime.getMilliseconds();
+			const rotationMs = this.#rotationDuration.getMilliseconds();
+			const recoveryMs = this.#stateRecoveryDuration.getMilliseconds();
+			const consensusMs = consensusTime.getMilliseconds();
+
+			if (creationMs + epoch * rotationMs + recoveryMs < consensusMs) {
+				await this.evolve();
+			} else {
+				return;
+			}
+		}
+	}
+
 	/// Evolve the state to the next epoch.
 	async evolve() {
 		const newCryptoKey = await deriveNextSymmetricRatchetEpochCryptoKey(
@@ -161,7 +189,8 @@ export class SymmetricRatchetState {
 			this.#cryptoKey,
 			symmetricKeyEpoch,
 			this.#creationTime,
-			this.#rotationDuration
+			this.#rotationDuration,
+			this.#stateRecoveryDuration
 		);
 		await newSymmetricRatchetState.evolveTo(symmetricKeyEpoch);
 		return newSymmetricRatchetState;
@@ -197,17 +226,20 @@ export class CacheableSymmetricRatchetState {
 	symmetricRatchetEpoch: bigint;
 	creationTime: Date;
 	rotationDuration: Date;
+	stateRecoveryDuration: Date;
 
 	private constructor(
 		rawKey: Uint8Array,
 		symmetricRatchetEpoch: bigint,
 		creationTime: Date,
-		rotationDuration: Date
+		rotationDuration: Date,
+		stateRecoveryDuration: Date
 	) {
 		this.rawKey = rawKey;
 		this.symmetricRatchetEpoch = symmetricRatchetEpoch;
 		this.creationTime = creationTime;
 		this.rotationDuration = rotationDuration;
+		this.stateRecoveryDuration = stateRecoveryDuration;
 	}
 
 	/// Evolve the state to the next epoch.
@@ -243,7 +275,8 @@ export class CacheableSymmetricRatchetState {
 			clonedRawKey,
 			newEpoch,
 			this.creationTime,
-			this.rotationDuration
+			this.rotationDuration,
+			this.stateRecoveryDuration
 		);
 		newState.evolveTo(symmetricKeyEpoch);
 		return newState;
@@ -256,11 +289,18 @@ export class CacheableSymmetricRatchetState {
 	static initializeFromVetKey(
 		vetKey: VetKey,
 		creationTime: Date,
-		rotationDuration: Date
+		rotationDuration: Date,
+		stateRecoveryDuration: Date
 	): CacheableSymmetricRatchetState {
 		const vetKeyBytes = vetKey.signatureBytes();
 		const rawKey = deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
-		return new CacheableSymmetricRatchetState(rawKey, 0n, creationTime, rotationDuration);
+		return new CacheableSymmetricRatchetState(
+			rawKey,
+			0n,
+			creationTime,
+			rotationDuration,
+			stateRecoveryDuration
+		);
 	}
 
 	serialize(): Uint8Array {
@@ -282,11 +322,16 @@ export class CacheableSymmetricRatchetState {
 		const rotationDuration = new Date(
 			Number(u8ByteUint8ArrayBigEndianToUBigInt(bytes.slice(32 + 8 + 8)))
 		);
+		const stateRecoveryDuration = new Date(
+			Number(u8ByteUint8ArrayBigEndianToUBigInt(bytes.slice(32 + 8 + 8 + 8)))
+		);
+
 		return new CacheableSymmetricRatchetState(
 			rawKey,
 			symmetricRatchetEpoch,
 			creationTime,
-			rotationDuration
+			rotationDuration,
+			stateRecoveryDuration
 		);
 	}
 }
diff --git a/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts b/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
index 77983d1a..fadd0ce0 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
@@ -3,6 +3,7 @@ import type { SymmetricRatchetStats } from '../types';
 import type {
 	_SERVICE,
 	ChatId,
+	ChatMetadata,
 	EncryptedMessage,
 	GroupChatMetadata,
 	UserMessage,
@@ -84,13 +85,24 @@ export class CanisterAPI {
 		}
 	}
 
-	async getChatIdsAndCurrentNumbersOfMessages(
+	async getChatsAndTime(
 		actor: ActorSubclass<_SERVICE>
-	): Promise<{ chatId: ChatId; numMessages: bigint }[]> {
-		const chatIds = await actor.get_my_chat_ids();
-		return chatIds.map(([chatId, numMessages]) => {
-			return { chatId, numMessages };
-		});
+	): Promise<{ chats: ChatMetadata[]; currentConsensusTime: Date }> {
+		const chatsAndTime = await actor.get_my_chats_and_time();
+		return {
+			chats: chatsAndTime.chats_metadata,
+			currentConsensusTime: new Date(Number(chatsAndTime.current_consensus_time / 1_000_000n))
+		};
+	}
+
+	async getExpiry(actor: ActorSubclass<_SERVICE>, chatId: ChatId): Promise<Date> {
+		const result = await actor.get_expiry(chatId);
+		if ('Ok' in result) {
+			const MILLISECONDS_IN_MINUTE = 60000n;
+			return new Date(Number(result.Ok * MILLISECONDS_IN_MINUTE));
+		} else {
+			throw new Error(result.Err);
+		}
 	}
 
 	async getLatestVetKeyEpochMetadata(
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index 5ead32a3..12805b97 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -35,6 +35,8 @@ export class EncryptedMessagingService {
 	#chatIdToCurrentNumberOfRemoteMessages: Map<string, bigint>;
 	#chatIdToCurrentNumberOfFetchedMessages: Map<string, bigint>;
 
+	#currentConsensusTime: Date;
+
 	#backgroundWorker: BackgroundWorker;
 
 	constructor() {
@@ -49,10 +51,20 @@ export class EncryptedMessagingService {
 		this.#chatIdToCurrentNumberOfRemoteMessages = new Map();
 		this.#chatIdToCurrentNumberOfFetchedMessages = new Map();
 
+		this.#currentConsensusTime = new Date(0);
+
 		// Start the background worker to handle encryption, sending, polling, and decryption
 		this.#backgroundWorker = new BackgroundWorker();
 	}
 
+	ratchetVersion(): {
+		chatIdStr: string;
+		vetKeyEpochId: bigint;
+		oldestSymmetricRatchetEpochId: bigint;
+	}[] {
+		return this.#keyManager.ratchetVersions();
+	}
+
 	start() {
 		// Start the worker loop
 		// The worker will periodically:
@@ -68,6 +80,10 @@ export class EncryptedMessagingService {
 		);
 	}
 
+	getConsensusTime(): Date {
+		return this.#currentConsensusTime;
+	}
+
 	inductSymmetricRatchetState(
 		chatIdStr: string,
 		vetKeyEpoch: bigint,
@@ -148,16 +164,22 @@ export class EncryptedMessagingService {
 			} catch (e) {
 				console.info('#handleOutgoingMessage: VetKeyEpochError', e);
 				if (e instanceof VetKeyEpochError) {
+					const messageExpiry = await canisterAPI.getExpiry(
+						getActor(),
+						chatIdFromString(chatIdStr)
+					);
 					const ratchetState =
 						await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
 							chatIdFromString(chatIdStr),
-							e.requiredVetKeyEpoch
+							e.requiredVetKeyEpoch,
+							messageExpiry
 						);
 					this.#keyManager.inductSymmetricRatchetState(
 						chatIdStr,
 						e.requiredVetKeyEpoch,
 						ratchetState
 					);
+					this.#keyManager.setExpiry(chatIdStr, messageExpiry);
 				} else if (e instanceof SymmetricRatchetEpochError) {
 					console.log('#handleOutgoingMessage: Symmetric ratchet epoch error', e);
 				} else {
@@ -176,12 +198,23 @@ export class EncryptedMessagingService {
 		if (auth.state.label !== 'initialized') return;
 
 		// Get chat IDs and check for new messages
-		const chatIds = await canisterAPI.getChatIdsAndCurrentNumbersOfMessages(getActor());
-
-		const summary = chatIdsNumMessagesToSummary(chatIds);
-		console.log('fetched ' + chatIds.length + ' chats: ' + summary);
+		const { chats, currentConsensusTime } = await canisterAPI.getChatsAndTime(getActor());
+
+		this.#currentConsensusTime = currentConsensusTime;
+
+		const summary = chatIdsNumMessagesToSummary(
+			Array.from(
+				chats.values().map((chat) => {
+					return {
+						chatId: chat.chat_id,
+						numMessages: chat.number_of_messages
+					};
+				})
+			)
+		);
+		console.log('fetched ' + chats.length + ' chats: ' + summary);
 
-		for (const { chatId, numMessages } of chatIds) {
+		for (const { chat_id: chatId, number_of_messages: numMessages } of chats) {
 			if (!this.#keyManager.doesChatHaveKeys(chatIdToString(chatId))) {
 				console.log(
 					'#pollForNewMessages: chatId',
@@ -191,10 +224,12 @@ export class EncryptedMessagingService {
 				const latestVetKeyEpoch = (
 					await canisterAPI.getLatestVetKeyEpochMetadata(getActor(), chatId)
 				).epoch_id;
+				const messageExpiry = await canisterAPI.getExpiry(getActor(), chatId);
 				const ratchetState =
 					await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
 						chatId,
-						latestVetKeyEpoch
+						latestVetKeyEpoch,
+						messageExpiry
 					);
 				this.#keyManager.inductSymmetricRatchetState(
 					chatIdToString(chatId),
@@ -323,10 +358,15 @@ export class EncryptedMessagingService {
 					console.info(
 						`#decryptMessage: Failed to decrypt message ${encryptedMessage.metadata.chat_message_id.toString()}, trying again... Caught error: ${error instanceof Error ? error.message : 'Unknown error'}`
 					);
+					const messageExpiry = await canisterAPI.getExpiry(
+						getActor(),
+						chatIdFromString(chatIdStr)
+					);
 					const ratchetState =
 						await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
 							chatIdFromString(chatIdStr),
-							encryptedMessage.metadata.vetkey_epoch
+							encryptedMessage.metadata.vetkey_epoch,
+							messageExpiry
 						);
 					this.#keyManager.inductSymmetricRatchetState(
 						chatIdStr,
@@ -408,7 +448,7 @@ async function sendMessage(
 	chatId: ChatId,
 	vetKeyEpoch: bigint,
 	symmetricRatchetEpoch: bigint,
-	senderMessageId: bigint,
+	nonce: bigint,
 	encryptedBytes: Uint8Array
 ) {
 	// Create UserMessage for the canister
@@ -416,7 +456,7 @@ async function sendMessage(
 		vetkey_epoch: vetKeyEpoch,
 		content: encryptedBytes,
 		symmetric_key_epoch: symmetricRatchetEpoch,
-		message_id: senderMessageId
+		nonce
 	};
 
 	// Send to canister using the appropriate method based on chat type
@@ -446,3 +486,5 @@ async function sendMessage(
 		}
 	}
 }
+
+// TODO: handling of expiry time changes doesn't work yet.
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedRatchetStateCacheService.ts
similarity index 99%
rename from examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts
rename to examples/encrypted_chat/frontend/src/lib/services/encryptedRatchetStateCacheService.ts
index a46b21e1..d3e56cd9 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedRatchetStateCacheService.ts
@@ -15,7 +15,7 @@ import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.di
 import type { Principal } from '@dfinity/principal';
 import { getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
 
-export class EncryptedCanisterCacheService {
+export class EncryptedRatchetStateCacheService {
 	#encryptedMaps: EncryptedMaps;
 
 	constructor() {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
index 06ee28f4..ce661aea 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
@@ -20,6 +20,10 @@ export class KeyStorageService {
 			vetKeyEpochStr
 		])) as StorableSymmetricRatchetState;
 		if (!stateRecord) {
+			console.warn(
+				`KeyStorageService.getSymmetricRatchetState: failed to load symmetric ratchet state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}: state`,
+				stateRecord
+			);
 			return undefined;
 		}
 		console.log(
@@ -30,7 +34,8 @@ export class KeyStorageService {
 			stateRecord.cryptoKey,
 			stateRecord.symmetricRatchetEpoch,
 			stateRecord.creationTime,
-			stateRecord.rotationDuration
+			stateRecord.rotationDuration,
+			stateRecord.stateRecoveryDuration
 		);
 	}
 
diff --git a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
index 14c31e12..87d4d594 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
@@ -4,21 +4,22 @@ import { getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
 import { stringifyBigInt, chatIdToString } from '$lib/utils';
 import { canisterAPI } from './canisterApi';
 import { keyStorageService } from './keyStorage';
-import { EncryptedCanisterCacheService } from './encryptedCanisterCacheService';
+import { EncryptedRatchetStateCacheService } from './encryptedRatchetStateCacheService';
 import { VetKeyResharingService } from './vetKeyResharingService';
 
 export class RatchetInitializationService {
 	#vetKeyResharingService: VetKeyResharingService;
-	#encryptedCanisterCacheService: EncryptedCanisterCacheService;
+	#encryptedRatchetStateCacheService: EncryptedRatchetStateCacheService;
 
 	constructor() {
 		this.#vetKeyResharingService = new VetKeyResharingService();
-		this.#encryptedCanisterCacheService = new EncryptedCanisterCacheService();
+		this.#encryptedRatchetStateCacheService = new EncryptedRatchetStateCacheService();
 	}
 
 	async initializeRatchetStateAndReshareAndCacheIfNeeded(
 		chatId: ChatId,
-		vetKeyEpoch: bigint
+		vetKeyEpoch: bigint,
+		stateRecoveryDuration: Date
 	): Promise<SymmetricRatchetState> {
 		const metadata = await canisterAPI.getVetKeyEpochMetadata(getActor(), chatId, vetKeyEpoch);
 		const creationTime = new Date(Number(metadata.creation_timestamp / 1_000_000n));
@@ -44,7 +45,8 @@ export class RatchetInitializationService {
 				keyState.key,
 				keyState.symmetricKeyEpoch,
 				creationTime,
-				rotationDuration
+				rotationDuration,
+				stateRecoveryDuration
 			);
 
 			keyStorageService
@@ -73,7 +75,8 @@ export class RatchetInitializationService {
 				keyState.key,
 				keyState.symmetricKeyEpoch,
 				creationTime,
-				rotationDuration
+				rotationDuration,
+				stateRecoveryDuration
 			);
 		} catch (error) {
 			console.info('Failed to fetch reshared IBE encrypted vetkey: ', error);
@@ -85,7 +88,8 @@ export class RatchetInitializationService {
 				keyState.key,
 				keyState.symmetricKeyEpoch,
 				creationTime,
-				rotationDuration
+				rotationDuration,
+				stateRecoveryDuration
 			);
 			keyStorageService
 				.saveSymmetricRatchetState(
@@ -132,7 +136,7 @@ export class RatchetInitializationService {
 		chatId: ChatId,
 		vetKeyEpoch: bigint
 	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
-		return this.#encryptedCanisterCacheService
+		return this.#encryptedRatchetStateCacheService
 			.fetchAndDecryptFor(chatId, vetKeyEpoch)
 			.then((epochKeyState) => {
 				return importKeyStateFromBytes(epochKeyState);
@@ -194,7 +198,7 @@ function deriveRootKeyAndDispatchCaching(
 	);
 
 	console.log('starting to store the root key in cache: ', rootKey);
-	const vetKeyEncryptedCache = new EncryptedCanisterCacheService();
+	const vetKeyEncryptedCache = new EncryptedRatchetStateCacheService();
 	const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
 	// await this future in background
 	vetKeyEncryptedCache.encryptAndStoreFor(chatId, vetKeyEpoch, keyState).catch((error) => {
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index ae392965..1b1a64c7 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -2,6 +2,14 @@ type ChatId = variant {
   Group : nat64;
   Direct : record { principal; principal };
 };
+type ChatMetadata = record {
+  first_non_expired_message_id : opt nat64;
+  disappearing_messages_duration : nat64;
+  latest_vetkey_epoch_id : nat64;
+  first_non_expired_vetkey_epoch_id : nat64;
+  chat_id : ChatId;
+  number_of_messages : nat64;
+};
 type EncryptedMessage = record {
   content : blob;
   metadata : EncryptedMessageMetadata;
@@ -14,6 +22,10 @@ type EncryptedMessageMetadata = record {
   nonce : nat64;
   timestamp : nat64;
 };
+type GetMyChatsAndTimeResponse = record {
+  chats_metadata : vec ChatMetadata;
+  current_consensus_time : nat64;
+};
 type GroupChatMetadata = record { creation_timestamp : nat64; chat_id : nat64 };
 type GroupModification = record {
   remove_participants : vec principal;
@@ -25,11 +37,12 @@ type Result_2 = variant { Ok : blob; Err : text };
 type Result_3 = variant { Ok : VetKeyEpochMetadata; Err : text };
 type Result_4 = variant { Ok : opt blob; Err : text };
 type Result_5 = variant { Ok; Err : text };
+type Result_6 = variant { Ok : opt nat64; Err : text };
 type UserMessage = record {
   vetkey_epoch : nat64;
   content : blob;
   symmetric_key_epoch : nat64;
-  message_id : nat64;
+  nonce : nat64;
 };
 type VetKeyEpochMetadata = record {
   symmetric_key_rotation_duration : nat64;
@@ -55,6 +68,7 @@ service : (text) -> {
   // * If the user has already cached the key.
   derive_chat_vetkey : (ChatId, opt nat64, blob) -> (Result_2);
   get_encrypted_vetkey_for_my_cache_storage : (blob) -> (blob);
+  get_expiry : (ChatId) -> (Result) query;
   get_latest_chat_vetkey_epoch_metadata : (ChatId) -> (Result_3) query;
   // Returns messages for a chat starting from a given message id.
   // 
@@ -66,7 +80,7 @@ service : (text) -> {
   // # Notes
   // * Does not fail if the chat does not exist or the user has no access -- returns empty vector instead.
   get_messages : (ChatId, nat64, opt nat32) -> (vec EncryptedMessage) query;
-  get_my_chat_ids : () -> (vec record { ChatId; nat64 }) query;
+  get_my_chats_and_time : () -> (GetMyChatsAndTimeResponse) query;
   get_my_reshared_ibe_encrypted_vetkey : (ChatId, nat64) -> (Result_4);
   get_my_symmetric_key_cache : (ChatId, nat64) -> (Result_4);
   get_vetkey_epoch_metadata : (ChatId, nat64) -> (Result_3) query;
@@ -82,5 +96,6 @@ service : (text) -> {
   rotate_chat_vetkey : (ChatId) -> (Result);
   send_direct_message : (UserMessage, principal) -> (Result);
   send_group_message : (UserMessage, nat64) -> (Result);
+  set_expiry : (ChatId, nat64) -> (Result_6) query;
   update_my_symmetric_key_cache : (ChatId, nat64, blob) -> (Result_5);
 }
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index c9113c21..82140fff 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -42,7 +42,7 @@ thread_local! {
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(3))),
     ));
 
-    static SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID: RefCell<StableBTreeMap<(ChatId, Sender, SenderMessageId), (), Memory>> = RefCell::new(StableBTreeMap::init(
+    static SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID: RefCell<StableBTreeMap<(ChatId, Sender, Nonce), (), Memory>> = RefCell::new(StableBTreeMap::init(
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(4))),
     ));
 
@@ -58,7 +58,7 @@ thread_local! {
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(7))),
     ));
 
-    static EXPIRING_VETKEY_EPOCHS_CACHES: RefCell<StableBTreeMap<(Time, ChatId, Principal),  VetKeyEpochId, Memory>> = RefCell::new(StableBTreeMap::init(
+    static EXPIRING_VETKEY_EPOCHS: RefCell<StableBTreeMap<(Time, ChatId, VetKeyEpochId), (), Memory>> = RefCell::new(StableBTreeMap::init(
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(8))),
     ));
 
@@ -67,7 +67,7 @@ thread_local! {
     ));
 
     static RESHARED_VETKEYS: RefCell<StableBTreeMap<(ChatId, VetKeyEpochId, Principal), IbeEncryptedVetKey, Memory>> = RefCell::new(StableBTreeMap::init(
-        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(11))),
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(10))),
     ));
 
     // Store symmetric key cache in encrypted maps. On a high level, store the cache in:
@@ -325,7 +325,14 @@ fn get_vetkey_epoch_metadata(
 
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
 
-    let epoch_metadata = CHAT_TO_VETKEYS_METADATA
+    get_vetkey_epoch_metadata_access_unchecked(chat_id, vetkey_epoch_id)
+}
+
+fn get_vetkey_epoch_metadata_access_unchecked(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<VetKeyEpochMetadata, String> {
+    CHAT_TO_VETKEYS_METADATA
         .with_borrow(|metadata| {
             metadata
                 .range(&(chat_id, Time(0))..)
@@ -336,9 +343,7 @@ fn get_vetkey_epoch_metadata(
         })
         .ok_or(format!(
             "No vetkey epoch {vetkey_epoch_id:?} found for chat {chat_id:?}"
-        ))?;
-
-    Ok(epoch_metadata)
+        ))
 }
 
 #[ic_cdk::update]
@@ -375,11 +380,14 @@ fn rotate_chat_vetkey(chat_id: ChatId) -> Result<VetKeyEpochId, String> {
         let todo_remove = metadata.insert((chat_id, now), new_vetkey_epoch_metadata);
         assert!(todo_remove.is_none());
 
-        clean_up_expired_vetkey_epochs(metadata, chat_id);
-
         new_vetkey_epoch_id
     });
 
+    mark_vetkey_epoch_as_expiring(chat_id, latest_epoch_metadata.epoch_id);
+    let (num_expired_vetkey_epochs, num_expired_vetkey_epochs_caches, num_expired_reshared_vetkeys) =
+        remove_expired_vetkey_epochs_and_caches()?;
+    ic_cdk::println!("removed {num_expired_vetkey_epochs} expired vetkey epochs, {num_expired_vetkey_epochs_caches} expired vetkey epochs caches, {num_expired_reshared_vetkeys} expired reshared vetkeys");
+
     Ok(new_vetkey_epoch_id)
 }
 
@@ -396,7 +404,7 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
         user_message.vetkey_epoch,
         user_message.symmetric_key_epoch,
     )?;
-    ensure_message_id_is_unique(chat_id, user_message.message_id)?;
+    ensure_nonce_is_unique(chat_id, user_message.nonce)?;
 
     let now = Time(ic_cdk::api::time());
 
@@ -416,12 +424,12 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
-            nonce: user_message.message_id,
+            nonce: user_message.nonce,
         },
     };
 
     SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID.with_borrow_mut(|message_times| {
-        message_times.insert((chat_id, Sender(caller), user_message.message_id), ());
+        message_times.insert((chat_id, Sender(caller), user_message.nonce), ());
     });
 
     DIRECT_CHAT_MESSAGES.with_borrow_mut(|messages| {
@@ -458,7 +466,7 @@ fn send_group_message(
         user_message.vetkey_epoch,
         user_message.symmetric_key_epoch,
     )?;
-    ensure_message_id_is_unique(chat_id, user_message.message_id)?;
+    ensure_nonce_is_unique(chat_id, user_message.nonce)?;
 
     let now = Time(ic_cdk::api::time());
 
@@ -478,12 +486,12 @@ fn send_group_message(
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
-            nonce: user_message.message_id,
+            nonce: user_message.nonce,
         },
     };
 
     SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID.with_borrow_mut(|message_times| {
-        message_times.insert((chat_id, Sender(caller), user_message.message_id), ());
+        message_times.insert((chat_id, Sender(caller), user_message.nonce), ());
     });
 
     GROUP_CHAT_MESSAGES.with_borrow_mut(|messages| {
@@ -506,27 +514,113 @@ fn send_group_message(
 }
 
 #[ic_cdk::query]
-fn get_my_chat_ids() -> Vec<(ChatId, ChatMessageId)> {
+fn get_my_chats_and_time() -> GetMyChatsAndTimeResponse {
     let caller = ic_cdk::api::msg_caller();
-    USER_TO_CHAT_MAP.with_borrow(|map| {
+    let chats_metadata = USER_TO_CHAT_MAP.with_borrow(|map| {
         CHAT_TO_MESSAGE_COUNTERS.with_borrow(|counters| {
-            map.keys_range((caller, ChatId::MIN_VALUE, VetKeyEpochId(0))..)
-                .take_while(|(user, _, _)| user == &caller)
-                .map(|(_, chat_id, _)| {
-                    (
+            CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
+                map.keys_range((caller, ChatId::MIN_VALUE, VetKeyEpochId(0))..)
+                    .take_while(|(user, _, _)| user == &caller)
+                    .map(|(_, chat_id, _)| ChatMetadata {
                         chat_id,
-                        ChatMessageId(
+                        number_of_messages: ChatMessageId(
                             counters
                                 .get(&chat_id)
                                 .expect("bug: uninitialized chat message counter")
                                 .0,
                         ),
-                    )
-                })
-                .collect::<std::collections::BTreeSet<_>>()
-                .into_iter()
-                .collect()
+                        latest_vetkey_epoch_id: latest_vetkey_epoch_id(chat_id).unwrap(),
+                        disappearing_messages_duration: expiry_settings
+                            .get(&chat_id)
+                            .expect("bug: uninitialized expiry setting"),
+                        first_non_expired_message_id: get_first_non_expired_message_id(chat_id),
+                        first_non_expired_vetkey_epoch_id: get_first_non_expired_vetkey_epoch_id(
+                            chat_id,
+                        ),
+                    })
+                    .collect::<std::collections::BTreeSet<_>>()
+                    .into_iter()
+                    .collect()
+            })
         })
+    });
+
+    GetMyChatsAndTimeResponse {
+        chats_metadata,
+        current_consensus_time: ic_cdk::api::time(),
+    }
+}
+
+#[ic_cdk::query]
+fn get_expiry(chat_id: ChatId) -> Result<Time, String> {
+    let caller = ic_cdk::api::msg_caller();
+    let latest_epoch_metadata =
+        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
+
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
+
+    let expiry_time_minutes = Time(
+        CHAT_TO_MESSAGE_EXPIRY_SETTING
+            .with_borrow(|expiry_settings| {
+                expiry_settings
+                    .get(&chat_id)
+                    .expect("bug: uninitialized expiry setting")
+            })
+            .0
+            / NANOSECONDS_IN_MINUTE,
+    );
+
+    Ok(expiry_time_minutes)
+}
+
+#[ic_cdk::query]
+fn set_expiry(chat_id: ChatId, new_expiry_time_minutes: Time) -> Result<Option<Time>, String> {
+    let caller = ic_cdk::api::msg_caller();
+    let latest_epoch_metadata =
+        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
+    let new_expiry_time_nanos = Time(
+        new_expiry_time_minutes
+            .0
+            .checked_mul(NANOSECONDS_IN_MINUTE)
+            .ok_or("Overflow: too large expiry time".to_string())?,
+    );
+
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
+
+    let old_expiry_time_minutes = CHAT_TO_MESSAGE_EXPIRY_SETTING
+        .with_borrow_mut(|expiry_settings| expiry_settings.insert(chat_id, new_expiry_time_nanos))
+        .map(|old_expiry_time_nanos| Time(old_expiry_time_nanos.0 / NANOSECONDS_IN_MINUTE));
+
+    ic_cdk::println!("set_expiry: {}", cleanup_of_expired_items());
+
+    Ok(old_expiry_time_minutes)
+}
+
+fn get_first_non_expired_message_id(chat_id: ChatId) -> Option<ChatMessageId> {
+    match chat_id {
+        ChatId::Direct(direct_chat) => DIRECT_CHAT_MESSAGES.with_borrow(|messages| {
+            messages
+                .range(&(direct_chat, ChatMessageId(0))..)
+                .map(|kv| kv.key().1)
+                .next()
+        }),
+        ChatId::Group(group_chat) => GROUP_CHAT_MESSAGES.with_borrow(|messages| {
+            messages
+                .range(&(group_chat, ChatMessageId(0))..)
+                .map(|kv| kv.key().1)
+                .next()
+        }),
+    }
+}
+
+fn get_first_non_expired_vetkey_epoch_id(chat_id: ChatId) -> VetKeyEpochId {
+    CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
+        metadata
+            .range(&(chat_id, Time(0))..)
+            .take_while(|metadata| metadata.key().0 == chat_id)
+            .map(|metadata| metadata.value().epoch_id)
+            .next()
+            .expect("bug: no non-expired vetkey epoch found")
     })
 }
 
@@ -643,8 +737,10 @@ fn update_my_symmetric_key_cache(
     user_cache: EncryptedSymmetricKeyEpochCache,
 ) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
+
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
+    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
     ensure_payload_has_reasonable_size_for_key(&user_cache.0)?;
 
     ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
@@ -661,11 +757,6 @@ fn update_my_symmetric_key_cache(
             .expect("bug: failed to insert encrypted value");
     });
 
-    let now = Time(ic_cdk::api::time());
-    EXPIRING_VETKEY_EPOCHS_CACHES.with_borrow_mut(|caches| {
-        caches.insert((now, chat_id, caller), vetkey_epoch_id);
-    });
-
     RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
         let _ = reshared_vetkeys.remove(&(chat_id, vetkey_epoch_id, caller));
     });
@@ -681,6 +772,7 @@ fn get_my_symmetric_key_cache(
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
+    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
 
     ENCRYPTED_MAPS.with_borrow(|opt_maps| {
         let maps = opt_maps
@@ -734,6 +826,7 @@ fn reshare_ibe_encrypted_vetkeys(
 ) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
+    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
 
     users_and_encrypted_vetkeys.iter().map(|(user, _encrypted_vetkey)| {
@@ -773,6 +866,8 @@ fn get_my_reshared_ibe_encrypted_vetkey(
     let caller = ic_cdk::api::msg_caller();
 
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
+    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
+    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
 
     Ok(RESHARED_VETKEYS
         .with_borrow(|reshared_vetkeys| reshared_vetkeys.get(&(chat_id, vetkey_epoch_id, caller))))
@@ -891,26 +986,59 @@ fn modify_group_chat_participants(
         let todo_remove = metadata.insert((chat_id, now), new_vetkey_epoch_metadata);
         assert!(todo_remove.is_none());
 
-        clean_up_expired_vetkey_epochs(metadata, chat_id);
-
         new_vetkey_epoch_id
     });
 
+    mark_vetkey_epoch_as_expiring(chat_id, latest_epoch_metadata.epoch_id);
+
+    let (num_expired_vetkey_epochs, num_expired_vetkey_epochs_caches, num_expired_reshared_vetkeys) =
+        remove_expired_vetkey_epochs_and_caches()?;
+    ic_cdk::println!("removed {num_expired_vetkey_epochs} expired vetkey epochs, {num_expired_vetkey_epochs_caches} expired vetkey epochs caches, {num_expired_reshared_vetkeys} expired reshared vetkeys");
+
     Ok(new_vetkey_epoch_id)
 }
 
+fn mark_vetkey_epoch_as_expiring(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) {
+    let expiry_time = CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
+        expiry_settings
+            .get(&chat_id)
+            .expect("bug: uninitialized expiry setting")
+    });
+
+    EXPIRING_VETKEY_EPOCHS.with_borrow_mut(|expiring_vetkey_epochs| {
+        let todo_insert = expiring_vetkey_epochs.insert(
+            (
+                Time(ic_cdk::api::time() + expiry_time.0),
+                chat_id,
+                vetkey_epoch_id,
+            ),
+            (),
+        );
+        assert!(todo_insert.is_none());
+    });
+}
+
 fn start_expired_cleanup_timer_job_with_interval(secs: u64) {
     let secs = std::time::Duration::from_secs(secs);
     let _timer_id = ic_cdk_timers::set_timer_interval(secs, periodic_cleanup_of_expired_items);
 }
 
 fn periodic_cleanup_of_expired_items() {
-    let now = Time(ic_cdk::api::time());
+    ic_cdk::println!("Timer job: {}", cleanup_of_expired_items());
+}
 
+fn cleanup_of_expired_items() -> String {
+    let (num_expired_direct_messages, num_expired_group_messages) = remove_expired_messages();
+    let (num_expired_vetkey_epochs, num_expired_vetkey_epochs_caches, num_expired_reshared_vetkeys) =
+        remove_expired_vetkey_epochs_and_caches()
+            .expect("bug: expected to always remove expired vetkey epochs");
+
+    format!("cleaned up {num_expired_direct_messages} expired direct messages, {num_expired_group_messages} expired group messages, {num_expired_vetkey_epochs} expired vetkey epochs ({num_expired_vetkey_epochs_caches} caches), {num_expired_reshared_vetkeys} expired reshared vetkeys")
+}
+
+fn remove_expired_messages() -> (usize, usize) {
     let mut num_expired_direct_messages: usize = 0;
     let mut num_expired_group_messages: usize = 0;
-    let mut num_expired_vetkey_epochs_caches: usize = 0;
-    let mut num_expired_reshared_vetkeys: usize = 0;
 
     EXPIRING_MESSAGES.with_borrow_mut(|expiring_messages| {
         let now = Time(ic_cdk::api::time());
@@ -942,82 +1070,74 @@ fn periodic_cleanup_of_expired_items() {
         }
     });
 
-    EXPIRING_VETKEY_EPOCHS_CACHES.with_borrow_mut(|expiring_vetkey_epochs_caches| {
-        let mut expired_vetkey_epochs = std::collections::BTreeSet::new();
-        let expired_vetkey_epochs_caches: Vec<_> = expiring_vetkey_epochs_caches
+    (num_expired_direct_messages, num_expired_group_messages)
+}
+
+fn remove_expired_vetkey_epochs_and_caches() -> Result<(usize, usize, usize), String> {
+    let mut num_expired_vetkey_epochs: usize = 0;
+    let mut num_expired_vetkey_epochs_caches: usize = 0;
+    let mut num_expired_reshared_vetkeys: usize = 0;
+
+    let now = Time(ic_cdk::api::time());
+
+    let expired_vetkey_epochs = EXPIRING_VETKEY_EPOCHS.with_borrow_mut(|expiring_vetkey_epochs| {
+        let expired_vetkey_epochs: Vec<_> = expiring_vetkey_epochs
             .iter()
             .filter(|entry| entry.key().0 <= now)
-            .map(|entry| (*entry.key(), entry.value()))
+            .map(|entry| *entry.key())
             .collect();
-        for ((time, chat_id, principal), vetkey_epoch_id) in expired_vetkey_epochs_caches {
-            expired_vetkey_epochs.insert((chat_id, vetkey_epoch_id));
-            let todo_remove_1 = expiring_vetkey_epochs_caches.remove(&(time, chat_id, principal));
-            assert!(todo_remove_1.is_some());
-
-            ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
-                let maps = opt_maps.as_mut().expect(
-                    "bug: encrypted maps should be initialized after canister initialization",
-                );
-                if maps
-                    .remove_encrypted_value(
-                        principal,
-                        map_id(principal),
-                        map_key_id(chat_id, vetkey_epoch_id),
-                    )
-                    .unwrap()
-                    .is_some()
-                {
-                    num_expired_vetkey_epochs_caches += 1
-                }
-            });
+        for (time, chat_id, vetkey_epoch_id) in expired_vetkey_epochs.iter().copied() {
+            let todo_remove = expiring_vetkey_epochs.remove(&(time, chat_id, vetkey_epoch_id));
+            assert!(todo_remove.is_some());
+            num_expired_vetkey_epochs += 1;
         }
+        expired_vetkey_epochs
+    });
 
-        for (chat_id, vetkey_epoch_id) in expired_vetkey_epochs {
+    let vetkey_epochs_metadata = expired_vetkey_epochs
+        .iter()
+        .map(|(_time, chat_id, vetkey_epoch_id)| {
+            get_vetkey_epoch_metadata_access_unchecked(*chat_id, *vetkey_epoch_id)
+        })
+        .collect::<Result<Vec<_>, String>>()?;
+    for ((_time, chat_id, vetkey_epoch_id), metadata) in expired_vetkey_epochs
+        .into_iter()
+        .zip(vetkey_epochs_metadata.into_iter())
+    {
+        ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
             RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
-                let reshared_vetkeys_to_remove: Vec<_> = reshared_vetkeys
-                    .range(&(chat_id, vetkey_epoch_id, Principal::management_canister())..)
-                    .filter(|entry| entry.key().0 == chat_id && entry.key().1 == vetkey_epoch_id)
-                    .map(|entry| *entry.key())
-                    .collect();
-                for key in reshared_vetkeys_to_remove {
-                    let todo_remove = reshared_vetkeys.remove(&key);
-                    assert!(todo_remove.is_some());
-                    num_expired_reshared_vetkeys += 1;
+                for principal in metadata.participants.iter().copied() {
+                    let maps = opt_maps.as_mut().expect(
+                        "bug: encrypted maps should be initialized after canister initialization",
+                    );
+                    if maps
+                        .remove_encrypted_value(
+                            principal,
+                            map_id(principal),
+                            map_key_id(chat_id, vetkey_epoch_id),
+                        )
+                        .unwrap()
+                        .is_some()
+                    {
+                        num_expired_vetkey_epochs_caches += 1
+                    }
+
+                    if reshared_vetkeys
+                        .remove(&(chat_id, vetkey_epoch_id, principal))
+                        .is_some()
+                    {
+                        num_expired_reshared_vetkeys += 1;
+                    }
                 }
             });
-        }
-    });
+        });
+    }
 
-    ic_cdk::println!(
-        "Timer job: cleaned up {} expired direct messages, {} expired group messages, {} expired vetkey epochs caches, {} expired reshared vetkeys",
-        num_expired_direct_messages,
-        num_expired_group_messages,
+    Ok((
+        num_expired_vetkey_epochs,
         num_expired_vetkey_epochs_caches,
-        num_expired_reshared_vetkeys
-    );
-}
-
-fn clean_up_expired_vetkey_epochs(
-    metadata: &mut StableBTreeMap<(ChatId, Time), VetKeyEpochMetadata, Memory>,
-    chat_id: ChatId,
-) {
-    let now = Time(ic_cdk::api::time());
-    let message_expiry_setting = CHAT_TO_MESSAGE_EXPIRY_SETTING
-        .with_borrow(|expiry_settings| expiry_settings.get(&chat_id))
-        .expect("bug: expiry should always exist for existing chats");
-
-    let expired_epochs: Vec<_> = metadata
-        .range((chat_id, Time(0))..)
-        .take_while(|metadata| {
-            (metadata.key().1 .0 + message_expiry_setting.0) < now.0 && metadata.key().0 == chat_id
-        })
-        .map(|metadata| metadata.value())
-        .collect();
-
-    for epoch in expired_epochs {
-        let todo_remove = metadata.remove(&(chat_id, epoch.creation_timestamp));
-        assert!(todo_remove.is_some());
-    }
+        num_expired_reshared_vetkeys,
+    ))
 }
 
 fn ensure_user_has_access_to_chat_at_epoch(
@@ -1081,10 +1201,7 @@ fn ensure_chat_and_vetkey_epoch_exist(
     })
 }
 
-fn ensure_message_id_is_unique(
-    chat_id: ChatId,
-    nonce: SenderMessageId,
-) -> Result<(), String> {
+fn ensure_nonce_is_unique(chat_id: ChatId, nonce: Nonce) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     let maybe_existing_id = SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID
         .with_borrow(|message_ids| message_ids.get(&(chat_id, Sender(caller), nonce)));
@@ -1188,4 +1305,44 @@ pub fn resharing_context(caller: Principal) -> Vec<u8> {
     context
 }
 
+fn ensure_vetkey_epoch_did_not_expire(
+    chat_id: ChatId,
+    vetkey_epoch_id: VetKeyEpochId,
+) -> Result<(), String> {
+    let latest_epoch_metadata =
+        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
+
+    if vetkey_epoch_id == latest_epoch_metadata.epoch_id {
+        return Ok(());
+    } else if vetkey_epoch_id.0 > latest_epoch_metadata.epoch_id.0 {
+        return Err(format!(
+            "Vetkey epoch {vetkey_epoch_id:?} is greater than the latest vetkey epoch {:?}",
+            latest_epoch_metadata.epoch_id
+        ));
+    }
+
+    let next_epoch_metadata = if vetkey_epoch_id.0 + 1 == latest_epoch_metadata.epoch_id.0 {
+        latest_epoch_metadata
+    } else {
+        get_vetkey_epoch_metadata(chat_id, VetKeyEpochId(vetkey_epoch_id.0 + 1))?
+    };
+
+    let now = ic_cdk::api::time();
+    let creation = next_epoch_metadata.creation_timestamp.0;
+
+    let expiry_time: u64 = CHAT_TO_MESSAGE_EXPIRY_SETTING
+        .with_borrow(|expiry_settings| {
+            expiry_settings
+                .get(&chat_id)
+                .expect("bug: expiry should always exist for existing chats")
+        })
+        .0;
+
+    if now >= creation.checked_add(expiry_time).expect("bug: overflow") {
+        Err(format!("vetKey epoch {vetkey_epoch_id:?} expired"))
+    } else {
+        Ok(())
+    }
+}
+
 ic_cdk::export_candid!();
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index 81c6897c..d9dc5749 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -43,6 +43,22 @@ macro_rules! storable_delegate {
     };
 }
 
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct GetMyChatsAndTimeResponse {
+    pub chats_metadata: Vec<ChatMetadata>,
+    pub current_consensus_time: u64,
+}
+
+#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
+pub struct ChatMetadata {
+    pub chat_id: ChatId,
+    pub number_of_messages: ChatMessageId,
+    pub latest_vetkey_epoch_id: VetKeyEpochId,
+    pub disappearing_messages_duration: Time,
+    pub first_non_expired_message_id: Option<ChatMessageId>,
+    pub first_non_expired_vetkey_epoch_id: VetKeyEpochId,
+}
+
 #[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
 pub struct EncryptedMessage {
     pub content: Vec<u8>,
@@ -59,7 +75,7 @@ pub struct EncryptedMessageMetadata {
     pub vetkey_epoch: VetKeyEpochId,
     pub symmetric_key_epoch: SymmetricKeyEpochId,
     pub chat_message_id: ChatMessageId,
-    pub nonce: SenderMessageId,
+    pub nonce: Nonce,
 }
 
 impl Storable for EncryptedMessageMetadata {
@@ -96,12 +112,12 @@ impl Storable for EncryptedMessageMetadata {
         ));
 
         let (chat_message_id_bytes, nonce_bytes) = rest.split_at(8);
-        let chat_message_id = ChatMessageId(u64::from_le_bytes(chat_message_id_bytes.try_into().unwrap()));
-
-        let nonce = SenderMessageId(u64::from_le_bytes(
-            nonce_bytes.try_into().unwrap(),
+        let chat_message_id = ChatMessageId(u64::from_le_bytes(
+            chat_message_id_bytes.try_into().unwrap(),
         ));
 
+        let nonce = Nonce(u64::from_le_bytes(nonce_bytes.try_into().unwrap()));
+
         Self {
             sender,
             timestamp,
@@ -123,7 +139,7 @@ pub struct UserMessage {
     pub content: Vec<u8>,
     pub vetkey_epoch: VetKeyEpochId,
     pub symmetric_key_epoch: SymmetricKeyEpochId,
-    pub message_id: SenderMessageId,
+    pub nonce: Nonce,
 }
 
 storable_unbounded!(UserMessage);
@@ -266,9 +282,9 @@ impl Storable for ChatId {
 #[derive(
     CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
 )]
-pub struct SenderMessageId(pub u64);
+pub struct Nonce(pub u64);
 
-storable_delegate!(SenderMessageId, u64);
+storable_delegate!(Nonce, u64);
 
 /// Chat message id is assigned to each message in the chat sequentially.
 /// The IDs are assigned from an incrementing counter for a chat for all users.
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index 2a9fb836..d5cc57f9 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -1,8 +1,8 @@
 use candid::{encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
-    ChatId, ChatMessageId, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
-    EncryptedSymmetricKeyEpochCache, IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId,
-    Time, UserMessage, VetKeyEpochId,
+    ChatId, ChatMessageId, ChatMetadata, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
+    EncryptedSymmetricKeyEpochCache, GetMyChatsAndTimeResponse, IbeEncryptedVetKey, Nonce,
+    SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
 };
 use serde_bytes::ByteBuf;
 
@@ -19,11 +19,12 @@ fn can_create_chat() {
 
     for p in [env.principal_0, env.principal_1] {
         assert_eq!(
-            env.query::<Vec<(ChatId, ChatMessageId)>>(
+            env.query::<GetMyChatsAndTimeResponse>(
                 p,
-                "get_my_chat_ids",
+                "get_my_chats_and_time",
                 encode_args(()).unwrap()
-            ),
+            )
+            .chats_metadata,
             vec![]
         );
     }
@@ -35,16 +36,30 @@ fn can_create_chat() {
     )
     .unwrap();
 
-    let chat_ids: Vec<(ChatId, ChatMessageId)> =
-        env.query(env.principal_0, "get_my_chat_ids", encode_args(()).unwrap());
-    assert_eq!(chat_ids, vec![(p0_self_chat_id, ChatMessageId(0))]);
+    let chat_ids: GetMyChatsAndTimeResponse = env.query(
+        env.principal_0,
+        "get_my_chats_and_time",
+        encode_args(()).unwrap(),
+    );
+    assert_eq!(
+        chat_ids.chats_metadata,
+        vec![ChatMetadata {
+            chat_id: p0_self_chat_id,
+            number_of_messages: ChatMessageId(0),
+            latest_vetkey_epoch_id: VetKeyEpochId(0),
+            disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
+            first_non_expired_message_id: None,
+            first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
+        }]
+    );
 
     assert_eq!(
-        env.query::<Vec<(ChatId, ChatMessageId)>>(
+        env.query::<GetMyChatsAndTimeResponse>(
             env.principal_1,
-            "get_my_chat_ids",
+            "get_my_chats_and_time",
             encode_args(()).unwrap()
-        ),
+        )
+        .chats_metadata,
         vec![]
     );
 
@@ -56,19 +71,44 @@ fn can_create_chat() {
     .unwrap();
 
     assert_eq!(
-        env.query::<Vec<(ChatId, ChatMessageId)>>(
+        env.query::<GetMyChatsAndTimeResponse>(
             env.principal_1,
-            "get_my_chat_ids",
+            "get_my_chats_and_time",
             encode_args(()).unwrap()
-        ),
-        vec![(p0_p1_chat_id, ChatMessageId(0))]
+        )
+        .chats_metadata,
+        vec![ChatMetadata {
+            chat_id: p0_p1_chat_id,
+            number_of_messages: ChatMessageId(0),
+            latest_vetkey_epoch_id: VetKeyEpochId(0),
+            disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
+            first_non_expired_message_id: None,
+            first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
+        }]
     );
 
-    let chat_ids: Vec<(ChatId, ChatMessageId)> =
-        env.query(env.principal_0, "get_my_chat_ids", encode_args(()).unwrap());
-    assert!(chat_ids.contains(&(p0_self_chat_id, ChatMessageId(0))));
-    assert!(chat_ids.contains(&(p0_p1_chat_id, ChatMessageId(0))));
-    assert_eq!(chat_ids.len(), 2);
+    let chat_ids: GetMyChatsAndTimeResponse = env.query(
+        env.principal_0,
+        "get_my_chats_and_time",
+        encode_args(()).unwrap(),
+    );
+    assert!(chat_ids.chats_metadata.contains(&ChatMetadata {
+        chat_id: p0_self_chat_id,
+        number_of_messages: ChatMessageId(0),
+        latest_vetkey_epoch_id: VetKeyEpochId(0),
+        disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
+        first_non_expired_message_id: None,
+        first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
+    }));
+    assert!(chat_ids.chats_metadata.contains(&ChatMetadata {
+        chat_id: p0_p1_chat_id,
+        number_of_messages: ChatMessageId(0),
+        latest_vetkey_epoch_id: VetKeyEpochId(0),
+        disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
+        first_non_expired_message_id: None,
+        first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
+    }));
+    assert_eq!(chat_ids.chats_metadata.len(), 2);
 }
 
 #[test]
@@ -123,7 +163,7 @@ fn can_send_and_get_messages() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_some_messages_for_chat_starting_from",
+                "get_messages",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
@@ -132,14 +172,14 @@ fn can_send_and_get_messages() {
 
     for _ in 0..10 {
         for sender in [env.principal_0, env.principal_1].iter().copied() {
-            let message_id_raw = *message_id_counters.get(&sender).unwrap();
-            message_id_counters.insert(sender, message_id_raw + 1);
+            let nonce_raw = *message_id_counters.get(&sender).unwrap();
+            message_id_counters.insert(sender, nonce_raw + 1);
 
             let user_message = UserMessage {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(0),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                message_id: SenderMessageId(message_id_raw),
+                nonce: Nonce(nonce_raw),
             };
 
             // + 1 is because the update call calls `tick` internally
@@ -169,7 +209,7 @@ fn can_send_and_get_messages() {
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
                     chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
-                    sender_message_id: SenderMessageId(message_id_raw),
+                    nonce: Nonce(nonce_raw),
                 },
             };
 
@@ -179,7 +219,7 @@ fn can_send_and_get_messages() {
                 assert_eq!(
                     env.update::<Vec<EncryptedMessage>>(
                         caller,
-                        "get_some_messages_for_chat_starting_from",
+                        "get_messages",
                         encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                     ),
                     expected_chat_history
@@ -223,7 +263,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(0),
                 symmetric_key_epoch,
-                message_id: SenderMessageId(0),
+                nonce: Nonce(0),
             };
 
             let result = env.update::<Result<Time, String>>(
@@ -273,7 +313,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    message_id: SenderMessageId(0),
+                    nonce: Nonce(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -310,7 +350,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    message_id: SenderMessageId(0),
+                    nonce: Nonce(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -357,7 +397,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_some_messages_for_chat_starting_from",
+                "get_messages",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
@@ -546,7 +586,7 @@ fn fails_to_send_messages_with_wrong_vetkey_epoch() {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(latest_epoch + 1),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                message_id: SenderMessageId(0),
+                nonce: Nonce(0),
             };
 
             let result = env.update::<Result<Time, String>>(
@@ -588,7 +628,7 @@ fn fails_to_send_messages_with_wrong_vetkey_epoch() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_some_messages_for_chat_starting_from",
+                "get_messages",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
@@ -861,13 +901,12 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
 
     let expiry_setting_minutes = 10_000;
 
-    let chat_creation_time = env
-        .update::<Result<Time, String>>(
-            env.principal_0,
-            "create_direct_chat",
-            encode_args((env.principal_1, Time(1_000), Time(expiry_setting_minutes))).unwrap(),
-        )
-        .unwrap();
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(1_000), Time(expiry_setting_minutes))).unwrap(),
+    )
+    .unwrap();
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
     let cache_data = b"dummy symmetric key cache".to_vec();
@@ -883,7 +922,18 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
         .unwrap();
     }
 
-    let expiry_time = chat_creation_time.0 + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
+    let new_epoch = env
+        .update::<Result<VetKeyEpochId, String>>(
+            env.principal_0,
+            "rotate_chat_vetkey",
+            encode_args((chat_id,)).unwrap(),
+        )
+        .unwrap();
+    assert_eq!(new_epoch, VetKeyEpochId(1));
+
+    let rotation_time = env.pic.get_time().as_nanos_since_unix_epoch();
+
+    let expiry_time = rotation_time + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
     // Fast forward time to expire epoch 0
     env.pic
         .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
@@ -1301,15 +1351,14 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
 
-    let message_expiry_time_minutes = Time(10_000);
+    let message_expiry_time_minutes = Time(100);
 
-    let chat_creation_time = env
-        .update::<Result<Time, String>>(
-            env.principal_0,
-            "create_direct_chat",
-            encode_args((env.principal_1, Time(1_000), message_expiry_time_minutes)).unwrap(),
-        )
-        .unwrap();
+    env.update::<Result<Time, String>>(
+        env.principal_0,
+        "create_direct_chat",
+        encode_args((env.principal_1, Time(10), message_expiry_time_minutes)).unwrap(),
+    )
+    .unwrap();
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
 
@@ -1367,6 +1416,8 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
         .unwrap();
     assert_eq!(new_epoch, VetKeyEpochId(1));
 
+    let rotation_time_0 = env.pic.get_time().as_nanos_since_unix_epoch();
+
     let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
         env.principal_1,
         "get_my_reshared_ibe_encrypted_vetkey",
@@ -1394,7 +1445,7 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
 
     env.pic
         .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
-            chat_creation_time.0 + message_expiry_time_minutes.0 * NANOSECONDS_IN_MINUTE,
+            rotation_time_0 + message_expiry_time_minutes.0 * NANOSECONDS_IN_MINUTE,
         ));
 
     let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
@@ -1415,7 +1466,21 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
     )
     .unwrap();
 
-    env.pic.advance_time(std::time::Duration::from_nanos(10));
+    let new_epoch = env
+        .update::<Result<VetKeyEpochId, String>>(
+            env.principal_0,
+            "rotate_chat_vetkey",
+            encode_args((chat_id,)).unwrap(),
+        )
+        .unwrap();
+    assert_eq!(new_epoch, VetKeyEpochId(2));
+
+    let rotation_time_1 = env.pic.get_time().as_nanos_since_unix_epoch();
+
+    env.pic
+        .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
+            rotation_time_1 + message_expiry_time_minutes.0 * NANOSECONDS_IN_MINUTE,
+        ));
 
     let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
         env.principal_1,
@@ -1477,7 +1542,7 @@ fn time_job_reports_cleaned_up_expired_items() {
                 content: b"hello".to_vec(),
                 vetkey_epoch: VetKeyEpochId(i),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                message_id: SenderMessageId(i + 2 * j),
+                nonce: Nonce(i + 2 * j),
             };
             env.update::<Result<Time, String>>(
                 env.principal_0,
@@ -1538,5 +1603,6 @@ fn time_job_reports_cleaned_up_expired_items() {
     let log_string = logs.iter().fold(String::new(), |acc, log| {
         format!("{acc}{}", String::from_utf8(log.content.clone()).unwrap())
     });
-    assert_eq!(log_string, "Timer job: cleaned up 8 expired direct messages, 0 expired group messages, 4 expired vetkey epochs caches, 4 expired reshared vetkeys");
+    let index = log_string.find("Timer job").expect("no timer job found");
+    assert_eq!(&log_string[index..], "Timer job: cleaned up 8 expired direct messages, 0 expired group messages, 2 expired vetkey epochs (2 caches), 2 expired reshared vetkeys");
 }
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index 28e10b80..45f2ab9e 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -2,7 +2,7 @@ use candid::{encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata,
     EncryptedSymmetricKeyEpochCache, GroupChatId, GroupChatMetadata, GroupModification,
-    IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
+    IbeEncryptedVetKey, Nonce, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
     VetKeyEpochMetadata,
 };
 use serde_bytes::ByteBuf;
@@ -15,13 +15,14 @@ fn can_create_chat() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
 
-    let mut expected_chat_id = 0;
-
-    for other_participants in [
+    for (expected_chat_id, other_participants) in [
         vec![],
         vec![env.principal_1],
         vec![env.principal_1, env.principal_2],
-    ] {
+    ]
+    .into_iter()
+    .enumerate()
+    {
         let result = env.update::<Result<GroupChatMetadata, String>>(
             env.principal_0,
             "create_group_chat",
@@ -31,12 +32,10 @@ fn can_create_chat() {
         assert_eq!(
             result,
             Ok(GroupChatMetadata {
-                chat_id: GroupChatId(expected_chat_id),
+                chat_id: GroupChatId(expected_chat_id as u64),
                 creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
             })
         );
-
-        expected_chat_id += 1;
     }
 }
 
@@ -79,7 +78,7 @@ fn can_send_and_get_messages() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_some_messages_for_chat_starting_from",
+                    "get_messages",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]
@@ -88,14 +87,14 @@ fn can_send_and_get_messages() {
 
         for _ in 0..10 {
             for sender in all_participants.iter().copied() {
-                let message_id_raw = *message_id_counters.get(&sender).unwrap();
-                message_id_counters.insert(sender, message_id_raw + 1);
+                let nonce_raw = *message_id_counters.get(&sender).unwrap();
+                message_id_counters.insert(sender, nonce_raw + 1);
 
                 let user_message = UserMessage {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
-                    message_id: SenderMessageId(message_id_raw),
+                    nonce: Nonce(nonce_raw),
                 };
 
                 // + 1 is because the update call calls `tick` internally
@@ -117,7 +116,7 @@ fn can_send_and_get_messages() {
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch: SymmetricKeyEpochId(0),
                         chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
-                        sender_message_id: SenderMessageId(message_id_raw),
+                        nonce: Nonce(nonce_raw),
                     },
                 };
 
@@ -127,7 +126,7 @@ fn can_send_and_get_messages() {
                     assert_eq!(
                         env.update::<Vec<EncryptedMessage>>(
                             caller,
-                            "get_some_messages_for_chat_starting_from",
+                            "get_messages",
                             encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                         ),
                         expected_chat_history
@@ -182,7 +181,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    message_id: SenderMessageId(0),
+                    nonce: Nonce(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -225,7 +224,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                         content: message_content.clone(),
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch,
-                        message_id: SenderMessageId(0),
+                        nonce: Nonce(0),
                     };
 
                     let result = env.update::<Result<Time, String>>(
@@ -254,7 +253,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                         content: message_content.clone(),
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch,
-                        message_id: SenderMessageId(0),
+                        nonce: Nonce(0),
                     };
 
                     let result = env.update::<Result<Time, String>>(
@@ -293,7 +292,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_some_messages_for_chat_starting_from",
+                    "get_messages",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]
@@ -507,7 +506,7 @@ fn fails_to_send_group_chat_message_with_wrong_vetkey_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(latest_epoch + 1),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
-                    message_id: SenderMessageId(0),
+                    nonce: Nonce(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -541,7 +540,7 @@ fn fails_to_send_group_chat_message_with_wrong_vetkey_epoch() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_some_messages_for_chat_starting_from",
+                    "get_messages",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]
@@ -855,6 +854,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
 fn cannot_access_cache_after_vetkey_epoch_expires() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
+    let expiry_setting_minutes = 10_000;
 
     for other_participants in [
         vec![],
@@ -870,7 +870,12 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
             .update::<Result<GroupChatMetadata, String>>(
                 env.principal_0,
                 "create_group_chat",
-                encode_args((other_participants.clone(), Time(1_000), Time(10_000))).unwrap(),
+                encode_args((
+                    other_participants.clone(),
+                    Time(1_000),
+                    Time(expiry_setting_minutes),
+                ))
+                .unwrap(),
             )
             .unwrap();
 
@@ -898,9 +903,9 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
             .unwrap();
         assert_eq!(new_epoch, VetKeyEpochId(1));
 
-        let expiry_setting_minutes = 10_000;
-        let expiry_time = group_chat_metadata.creation_timestamp.0
-            + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
+        let rotation_time = env.pic.get_time().as_nanos_since_unix_epoch();
+
+        let expiry_time = rotation_time + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
         // Fast forward time to expire epoch 0
         env.pic
             .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
@@ -908,7 +913,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
         // Neither authorized nor unauthorized users can access expired epoch cache
         for caller in [env.principal_0, env.principal_1, env.principal_2]
             .into_iter()
-            .filter(|p| *p == env.principal_0 || other_participants.contains(&p))
+            .filter(|p| *p == env.principal_0 || other_participants.contains(p))
         {
             // Cannot update cache for expired epoch
             let result = env.update::<Result<(), String>>(
@@ -1750,6 +1755,8 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
             .unwrap();
         assert_eq!(new_epoch, VetKeyEpochId(1));
 
+        let rotation_time_1 = env.pic.get_time().as_nanos_since_unix_epoch();
+
         // Verify epoch 0 reshared vetkey is still available
         let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
             participants[1],
@@ -1778,8 +1785,7 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
         );
 
         // Fast forward time to expire epoch 0
-        let expiry_time = group_chat_metadata.creation_timestamp.0
-            + expiry_setting_minutes.0 * NANOSECONDS_IN_MINUTE;
+        let expiry_time = rotation_time_1 + expiry_setting_minutes.0 * NANOSECONDS_IN_MINUTE;
         env.pic
             .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
 
@@ -1803,8 +1809,20 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
         )
         .unwrap();
 
+        // Rotate to epoch 1
+        let new_epoch = env
+            .update::<Result<VetKeyEpochId, String>>(
+                participants[0],
+                "rotate_chat_vetkey",
+                encode_args((chat_id,)).unwrap(),
+            )
+            .unwrap();
+        assert_eq!(new_epoch, VetKeyEpochId(2));
+
         // Fast forward time to expire epoch 1
-        env.pic.advance_time(std::time::Duration::from_nanos(10));
+        env.pic.advance_time(std::time::Duration::from_nanos(
+            expiry_setting_minutes.0 * NANOSECONDS_IN_MINUTE,
+        ));
 
         let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
             participants[1],
@@ -1872,7 +1890,7 @@ fn time_job_reports_cleaned_up_expired_items() {
                 content: b"hello".to_vec(),
                 vetkey_epoch: VetKeyEpochId(i),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                message_id: SenderMessageId(i + 2 * j),
+                nonce: Nonce(i + 2 * j),
             };
             env.update::<Result<Time, String>>(
                 env.principal_0,
@@ -1933,5 +1951,7 @@ fn time_job_reports_cleaned_up_expired_items() {
     let log_string = logs.iter().fold(String::new(), |acc, log| {
         format!("{acc}{}", String::from_utf8(log.content.clone()).unwrap())
     });
-    assert_eq!(log_string, "Timer job: cleaned up 0 expired direct messages, 8 expired group messages, 4 expired vetkey epochs caches, 4 expired reshared vetkeys");
+
+    let index = log_string.find("Timer job").expect("no timer job found");
+    assert_eq!(&log_string[index..], "Timer job: cleaned up 0 expired direct messages, 8 expired group messages, 2 expired vetkey epochs (2 caches), 2 expired reshared vetkeys");
 }
diff --git a/examples/encrypted_chat/rust/backend/tests/misc.rs b/examples/encrypted_chat/rust/backend/tests/misc.rs
index de339a71..cd4516da 100644
--- a/examples/encrypted_chat/rust/backend/tests/misc.rs
+++ b/examples/encrypted_chat/rust/backend/tests/misc.rs
@@ -72,7 +72,7 @@ fn can_create_many_chats() {
             if group_creator[0] != participants[0]
                 && !invited_participants.contains(&participants[0])
             {
-                invited_participants.push(participants[0].clone());
+                invited_participants.push(participants[0]);
             }
 
             let chat_id = ChatId::Group(GroupChatId(num_group_chats));
@@ -95,27 +95,37 @@ fn can_create_many_chats() {
         }
 
         for p in participants.clone() {
-            let my_chat_ids = env.query::<Vec<(ChatId, ChatMessageId)>>(
+            let my_chat_ids = env.query::<GetMyChatsAndTimeResponse>(
                 p,
-                "get_my_chat_ids",
+                "get_my_chats_and_time",
                 encode_args(()).unwrap(),
             );
 
             let expected_chat_ids = expected_chat_ids
                 .range((p, ChatId::MIN_VALUE)..)
                 .take_while(|(key, _)| key.0 == p)
-                .map(|(key, _value)| (key.1, ChatMessageId(0)))
+                .map(|(key, _value)| ChatMetadata {
+                    chat_id: key.1,
+                    number_of_messages: ChatMessageId(0),
+                    latest_vetkey_epoch_id: VetKeyEpochId(0),
+                    disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
+                    first_non_expired_message_id: None,
+                    first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
+                })
                 .collect::<Vec<_>>();
 
-            assert_eq!(my_chat_ids, expected_chat_ids);
+            assert_eq!(my_chat_ids.chats_metadata, expected_chat_ids);
         }
 
-        let p0_chat_ids = env.query::<Vec<(ChatId, ChatMessageId)>>(
+        let p0_chat_ids = env.query::<GetMyChatsAndTimeResponse>(
             participants[0],
-            "get_my_chat_ids",
+            "get_my_chats_and_time",
             encode_args(()).unwrap(),
         );
 
-        assert_eq!(p0_chat_ids.len() as u64, num_group_chats + num_direct_chats);
+        assert_eq!(
+            p0_chat_ids.chats_metadata.len() as u64,
+            num_group_chats + num_direct_chats
+        );
     }
 }

From d18413a6fe315c16e53a804a1b647790252c7f15 Mon Sep 17 00:00:00 2001
From: Franz-Stefan Preiss <franzstefan@dfinity.org>
Date: Mon, 12 Jan 2026 14:04:04 +0100
Subject: [PATCH 56/62] Revert "wip"

This reverts commit cb028d3fabc82f22f547f4b69911d03fdd5dc7cb.
---
 .../frontend/src/lib/crypto/keyManager.ts     | 109 +----
 .../src/lib/crypto/symmetricRatchet.ts        |  69 +---
 .../frontend/src/lib/services/canisterApi.ts  |  24 +-
 ...ce.ts => encryptedCanisterCacheService.ts} |   2 +-
 .../lib/services/encryptedMessagingService.ts |  62 +--
 .../frontend/src/lib/services/keyStorage.ts   |   7 +-
 .../services/ratchetInitializationService.ts  |  22 +-
 .../encrypted_chat/rust/backend/backend.did   |  19 +-
 .../encrypted_chat/rust/backend/src/lib.rs    | 371 +++++-------------
 .../encrypted_chat/rust/backend/src/types.rs  |  32 +-
 .../rust/backend/tests/direct_chat.rs         | 172 +++-----
 .../rust/backend/tests/group_chat.rs          |  80 ++--
 .../encrypted_chat/rust/backend/tests/misc.rs |  26 +-
 13 files changed, 254 insertions(+), 741 deletions(-)
 rename examples/encrypted_chat/frontend/src/lib/services/{encryptedRatchetStateCacheService.ts => encryptedCanisterCacheService.ts} (99%)

diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts b/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
index 318345c0..69c7394a 100644
--- a/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/keyManager.ts
@@ -2,110 +2,10 @@ import { SymmetricRatchetState } from './symmetricRatchet';
 import { Principal } from '@dfinity/principal';
 
 export class KeyManager {
-	#symmetricRatchetStates: Map<
-		string,
-		{ states: Map<bigint, SymmetricRatchetState>; stateRecoveryDuration: Date }
-	> = new Map();
-	#consensusTime: Date | null = null;
+	#symmetricRatchetStates: Map<string, Map<bigint, SymmetricRatchetState>> = new Map();
 
 	constructor() {}
 
-	ratchetVersions(): {
-		chatIdStr: string;
-		vetKeyEpochId: bigint;
-		oldestSymmetricRatchetEpochId: bigint;
-	}[] {
-		const versions: {
-			chatIdStr: string;
-			vetKeyEpochId: bigint;
-			oldestSymmetricRatchetEpochId: bigint;
-		}[] = [];
-		for (const [chatIdStr, { states }] of this.#symmetricRatchetStates.entries()) {
-			for (const [vetKeyEpochId, symmetricRatchetState] of states.entries()) {
-				versions.push({
-					chatIdStr,
-					vetKeyEpochId,
-					oldestSymmetricRatchetEpochId: symmetricRatchetState.getCurrentEpoch()
-				});
-			}
-		}
-		return versions;
-	}
-
-	async setExpiry(chatIdStr: string, expiry: Date) {
-		const map = this.#symmetricRatchetStates.get(chatIdStr);
-		if (!map) {
-			throw new Error(`KeyManager.setExpiry: No ratchet states found for chatId ${chatIdStr}`);
-		}
-		const oldExpiry = map.stateRecoveryDuration;
-		map.stateRecoveryDuration = expiry;
-		if (expiry > oldExpiry) {
-			await this.evolveAndCleanupExpiredStates(chatIdStr);
-		}
-	}
-
-	async evolveAndCleanupExpiredStates(chatIdStr: string) {
-		const map = this.#symmetricRatchetStates.get(chatIdStr);
-		if (!map) {
-			return;
-		}
-		if (map.states.size === 0) {
-			return;
-		}
-		if (this.#consensusTime === null) {
-			console.warn('KeyManager.evolveAndCleanupExpiredStates: Consensus time is not set');
-			return;
-		}
-
-		const recovery = map.stateRecoveryDuration;
-
-		const keys = map.states.keys().toArray();
-		for (let i = 1; i < keys.length; i++) {
-			const value = map.states.get(keys[i]);
-			if (!value) {
-				console.error('Bug in KeyManager.evolveAndCleanupExpiredStates: Inconsistent map');
-				continue;
-			}
-
-			if (value.getCreationTime().getTime() + recovery.getTime() < this.#consensusTime.getTime()) {
-				map.states.delete(keys[i]);
-			}
-		}
-
-		for (const [vetKeyEpochId, state] of states.entries()) {
-			await state.evolveIfNeeded(new Date(consensusTime.getTime() - expiry.getTime()));
-		}
-
-		states.forEach(
-			async (state) =>
-				await state.evolveIfNeeded(new Date(consensusTime.getTime() - expiry.getTime()))
-		);
-	}
-
-	async setConsensusTimeAndEvolveStates(time: Date) {
-		if (this.#consensusTime && time < this.#consensusTime) {
-			throw new Error(
-				`KeyManager.setConsensusTimestamp: Timestamp ${time.toISOString()} is before the current consensus timestamp ${this.#consensusTime.toISOString()}`
-			);
-		}
-		this.#consensusTime = time;
-		await this.#evolveRatchetStatesIfNeeded();
-	}
-
-	async #evolveRatchetStatesIfNeeded() {
-		if (!this.#consensusTime) {
-			return;
-		}
-		for (const chatStates of this.#symmetricRatchetStates.values()) {
-			for (const [, state] of chatStates) {
-				await state.evolveIfNeeded(this.#consensusTime);
-			}
-		}
-		// TODO: Implement
-		// This should be called when consensus timestamp changes. Not necessarily on every change though, although it generally makes sense to do so.
-		// We need to update the symmetric ratchet states if they are too old.
-	}
-
 	getCurrentChatIdStrs(): string[] {
 		return Array.from(this.#symmetricRatchetStates.keys());
 	}
@@ -152,7 +52,12 @@ export class KeyManager {
 				`KeyManager.decryptAtTimeAndEvolveIfNeeded: No symmetric ratchet states found for chatId ${chatId} and vetKeyEpoch ${vetKeyEpoch}`
 			);
 		}
-		return await symmetricRatchetState.decryptAtTime(sender, senderMessageId, encryptedBytes, time);
+		return await symmetricRatchetState.decryptAtTimeAndEvolveIfNeeded(
+			sender,
+			senderMessageId,
+			encryptedBytes,
+			time
+		);
 	}
 
 	doesChatHaveKeys(chatId: string): boolean {
diff --git a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
index 7b62d26e..c044f0e6 100644
--- a/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
+++ b/examples/encrypted_chat/frontend/src/lib/crypto/symmetricRatchet.ts
@@ -33,7 +33,6 @@ export type StorableSymmetricRatchetState = {
 	symmetricRatchetEpoch: bigint;
 	creationTime: Date;
 	rotationDuration: Date;
-	stateRecoveryDuration: Date;
 };
 
 export class SymmetricRatchetState {
@@ -46,19 +45,12 @@ export class SymmetricRatchetState {
 		key: CryptoKey,
 		symmetricRatchetEpoch: bigint,
 		creationTime: Date,
-		rotationDuration: Date,
-		stateRecoveryDuration: Date
+		rotationDuration: Date
 	) {
 		this.#cryptoKey = key;
 		this.#symmetricRatchetEpoch = symmetricRatchetEpoch;
 		this.#creationTime = creationTime;
 		this.#rotationDuration = rotationDuration;
-		this.#stateRecoveryDuration = stateRecoveryDuration;
-	}
-
-	updateStateRecoveryDurationAndEvolve(stateRecoveryDuration: Date) {
-		this.#stateRecoveryDuration = stateRecoveryDuration;
-		// TODO: Implement
 	}
 
 	toStorable(): StorableSymmetricRatchetState {
@@ -66,8 +58,7 @@ export class SymmetricRatchetState {
 			cryptoKey: this.#cryptoKey,
 			symmetricRatchetEpoch: this.#symmetricRatchetEpoch,
 			creationTime: this.#creationTime,
-			rotationDuration: this.#rotationDuration,
-			stateRecoveryDuration: this.#stateRecoveryDuration
+			rotationDuration: this.#rotationDuration
 		};
 	}
 
@@ -82,12 +73,11 @@ export class SymmetricRatchetState {
 			key,
 			symmetricKeyEpoch,
 			rawKeyState.creationTime,
-			rawKeyState.rotationDuration,
-			rawKeyState.stateRecoveryDuration
+			rawKeyState.rotationDuration
 		);
 	}
 
-	async decryptAtTime(
+	async decryptAtTimeAndEvolveIfNeeded(
 		sender: Principal,
 		senderMessageId: bigint,
 		message: Uint8Array,
@@ -97,11 +87,9 @@ export class SymmetricRatchetState {
 			throw new Error('Cannot decrypt message before the state was created');
 		}
 		const expectedEpoch = this.getExpectedEpochAtTime(time);
-		const neededSymmetricRatchetState = await this.peekAtEpoch(expectedEpoch);
+		await this.evolveTo(expectedEpoch);
 		const domainSeparator = messageEncryptionDomainSeparator(sender, senderMessageId);
-		const derivedKeyMaterial = DerivedKeyMaterial.fromCryptoKey(
-			neededSymmetricRatchetState.#cryptoKey
-		);
+		const derivedKeyMaterial = DerivedKeyMaterial.fromCryptoKey(this.#cryptoKey);
 		return await derivedKeyMaterial.decryptMessage(message, domainSeparator);
 	}
 
@@ -130,22 +118,6 @@ export class SymmetricRatchetState {
 		};
 	}
 
-	async evolveIfNeeded(consensusTime: Date) {
-		while (true) {
-			const epoch = Number(this.#symmetricRatchetEpoch);
-			const creationMs = this.#creationTime.getMilliseconds();
-			const rotationMs = this.#rotationDuration.getMilliseconds();
-			const recoveryMs = this.#stateRecoveryDuration.getMilliseconds();
-			const consensusMs = consensusTime.getMilliseconds();
-
-			if (creationMs + epoch * rotationMs + recoveryMs < consensusMs) {
-				await this.evolve();
-			} else {
-				return;
-			}
-		}
-	}
-
 	/// Evolve the state to the next epoch.
 	async evolve() {
 		const newCryptoKey = await deriveNextSymmetricRatchetEpochCryptoKey(
@@ -189,8 +161,7 @@ export class SymmetricRatchetState {
 			this.#cryptoKey,
 			symmetricKeyEpoch,
 			this.#creationTime,
-			this.#rotationDuration,
-			this.#stateRecoveryDuration
+			this.#rotationDuration
 		);
 		await newSymmetricRatchetState.evolveTo(symmetricKeyEpoch);
 		return newSymmetricRatchetState;
@@ -226,20 +197,17 @@ export class CacheableSymmetricRatchetState {
 	symmetricRatchetEpoch: bigint;
 	creationTime: Date;
 	rotationDuration: Date;
-	stateRecoveryDuration: Date;
 
 	private constructor(
 		rawKey: Uint8Array,
 		symmetricRatchetEpoch: bigint,
 		creationTime: Date,
-		rotationDuration: Date,
-		stateRecoveryDuration: Date
+		rotationDuration: Date
 	) {
 		this.rawKey = rawKey;
 		this.symmetricRatchetEpoch = symmetricRatchetEpoch;
 		this.creationTime = creationTime;
 		this.rotationDuration = rotationDuration;
-		this.stateRecoveryDuration = stateRecoveryDuration;
 	}
 
 	/// Evolve the state to the next epoch.
@@ -275,8 +243,7 @@ export class CacheableSymmetricRatchetState {
 			clonedRawKey,
 			newEpoch,
 			this.creationTime,
-			this.rotationDuration,
-			this.stateRecoveryDuration
+			this.rotationDuration
 		);
 		newState.evolveTo(symmetricKeyEpoch);
 		return newState;
@@ -289,18 +256,11 @@ export class CacheableSymmetricRatchetState {
 	static initializeFromVetKey(
 		vetKey: VetKey,
 		creationTime: Date,
-		rotationDuration: Date,
-		stateRecoveryDuration: Date
+		rotationDuration: Date
 	): CacheableSymmetricRatchetState {
 		const vetKeyBytes = vetKey.signatureBytes();
 		const rawKey = deriveSymmetricKey(vetKeyBytes, DOMAIN_RATCHET_INIT, 32);
-		return new CacheableSymmetricRatchetState(
-			rawKey,
-			0n,
-			creationTime,
-			rotationDuration,
-			stateRecoveryDuration
-		);
+		return new CacheableSymmetricRatchetState(rawKey, 0n, creationTime, rotationDuration);
 	}
 
 	serialize(): Uint8Array {
@@ -322,16 +282,11 @@ export class CacheableSymmetricRatchetState {
 		const rotationDuration = new Date(
 			Number(u8ByteUint8ArrayBigEndianToUBigInt(bytes.slice(32 + 8 + 8)))
 		);
-		const stateRecoveryDuration = new Date(
-			Number(u8ByteUint8ArrayBigEndianToUBigInt(bytes.slice(32 + 8 + 8 + 8)))
-		);
-
 		return new CacheableSymmetricRatchetState(
 			rawKey,
 			symmetricRatchetEpoch,
 			creationTime,
-			rotationDuration,
-			stateRecoveryDuration
+			rotationDuration
 		);
 	}
 }
diff --git a/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts b/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
index fadd0ce0..77983d1a 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/canisterApi.ts
@@ -3,7 +3,6 @@ import type { SymmetricRatchetStats } from '../types';
 import type {
 	_SERVICE,
 	ChatId,
-	ChatMetadata,
 	EncryptedMessage,
 	GroupChatMetadata,
 	UserMessage,
@@ -85,24 +84,13 @@ export class CanisterAPI {
 		}
 	}
 
-	async getChatsAndTime(
+	async getChatIdsAndCurrentNumbersOfMessages(
 		actor: ActorSubclass<_SERVICE>
-	): Promise<{ chats: ChatMetadata[]; currentConsensusTime: Date }> {
-		const chatsAndTime = await actor.get_my_chats_and_time();
-		return {
-			chats: chatsAndTime.chats_metadata,
-			currentConsensusTime: new Date(Number(chatsAndTime.current_consensus_time / 1_000_000n))
-		};
-	}
-
-	async getExpiry(actor: ActorSubclass<_SERVICE>, chatId: ChatId): Promise<Date> {
-		const result = await actor.get_expiry(chatId);
-		if ('Ok' in result) {
-			const MILLISECONDS_IN_MINUTE = 60000n;
-			return new Date(Number(result.Ok * MILLISECONDS_IN_MINUTE));
-		} else {
-			throw new Error(result.Err);
-		}
+	): Promise<{ chatId: ChatId; numMessages: bigint }[]> {
+		const chatIds = await actor.get_my_chat_ids();
+		return chatIds.map(([chatId, numMessages]) => {
+			return { chatId, numMessages };
+		});
 	}
 
 	async getLatestVetKeyEpochMetadata(
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedRatchetStateCacheService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts
similarity index 99%
rename from examples/encrypted_chat/frontend/src/lib/services/encryptedRatchetStateCacheService.ts
rename to examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts
index d3e56cd9..a46b21e1 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedRatchetStateCacheService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedCanisterCacheService.ts
@@ -15,7 +15,7 @@ import type { ChatId } from '../../declarations/encrypted_chat/encrypted_chat.di
 import type { Principal } from '@dfinity/principal';
 import { getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
 
-export class EncryptedRatchetStateCacheService {
+export class EncryptedCanisterCacheService {
 	#encryptedMaps: EncryptedMaps;
 
 	constructor() {
diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index 12805b97..5ead32a3 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -35,8 +35,6 @@ export class EncryptedMessagingService {
 	#chatIdToCurrentNumberOfRemoteMessages: Map<string, bigint>;
 	#chatIdToCurrentNumberOfFetchedMessages: Map<string, bigint>;
 
-	#currentConsensusTime: Date;
-
 	#backgroundWorker: BackgroundWorker;
 
 	constructor() {
@@ -51,20 +49,10 @@ export class EncryptedMessagingService {
 		this.#chatIdToCurrentNumberOfRemoteMessages = new Map();
 		this.#chatIdToCurrentNumberOfFetchedMessages = new Map();
 
-		this.#currentConsensusTime = new Date(0);
-
 		// Start the background worker to handle encryption, sending, polling, and decryption
 		this.#backgroundWorker = new BackgroundWorker();
 	}
 
-	ratchetVersion(): {
-		chatIdStr: string;
-		vetKeyEpochId: bigint;
-		oldestSymmetricRatchetEpochId: bigint;
-	}[] {
-		return this.#keyManager.ratchetVersions();
-	}
-
 	start() {
 		// Start the worker loop
 		// The worker will periodically:
@@ -80,10 +68,6 @@ export class EncryptedMessagingService {
 		);
 	}
 
-	getConsensusTime(): Date {
-		return this.#currentConsensusTime;
-	}
-
 	inductSymmetricRatchetState(
 		chatIdStr: string,
 		vetKeyEpoch: bigint,
@@ -164,22 +148,16 @@ export class EncryptedMessagingService {
 			} catch (e) {
 				console.info('#handleOutgoingMessage: VetKeyEpochError', e);
 				if (e instanceof VetKeyEpochError) {
-					const messageExpiry = await canisterAPI.getExpiry(
-						getActor(),
-						chatIdFromString(chatIdStr)
-					);
 					const ratchetState =
 						await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
 							chatIdFromString(chatIdStr),
-							e.requiredVetKeyEpoch,
-							messageExpiry
+							e.requiredVetKeyEpoch
 						);
 					this.#keyManager.inductSymmetricRatchetState(
 						chatIdStr,
 						e.requiredVetKeyEpoch,
 						ratchetState
 					);
-					this.#keyManager.setExpiry(chatIdStr, messageExpiry);
 				} else if (e instanceof SymmetricRatchetEpochError) {
 					console.log('#handleOutgoingMessage: Symmetric ratchet epoch error', e);
 				} else {
@@ -198,23 +176,12 @@ export class EncryptedMessagingService {
 		if (auth.state.label !== 'initialized') return;
 
 		// Get chat IDs and check for new messages
-		const { chats, currentConsensusTime } = await canisterAPI.getChatsAndTime(getActor());
-
-		this.#currentConsensusTime = currentConsensusTime;
-
-		const summary = chatIdsNumMessagesToSummary(
-			Array.from(
-				chats.values().map((chat) => {
-					return {
-						chatId: chat.chat_id,
-						numMessages: chat.number_of_messages
-					};
-				})
-			)
-		);
-		console.log('fetched ' + chats.length + ' chats: ' + summary);
+		const chatIds = await canisterAPI.getChatIdsAndCurrentNumbersOfMessages(getActor());
+
+		const summary = chatIdsNumMessagesToSummary(chatIds);
+		console.log('fetched ' + chatIds.length + ' chats: ' + summary);
 
-		for (const { chat_id: chatId, number_of_messages: numMessages } of chats) {
+		for (const { chatId, numMessages } of chatIds) {
 			if (!this.#keyManager.doesChatHaveKeys(chatIdToString(chatId))) {
 				console.log(
 					'#pollForNewMessages: chatId',
@@ -224,12 +191,10 @@ export class EncryptedMessagingService {
 				const latestVetKeyEpoch = (
 					await canisterAPI.getLatestVetKeyEpochMetadata(getActor(), chatId)
 				).epoch_id;
-				const messageExpiry = await canisterAPI.getExpiry(getActor(), chatId);
 				const ratchetState =
 					await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
 						chatId,
-						latestVetKeyEpoch,
-						messageExpiry
+						latestVetKeyEpoch
 					);
 				this.#keyManager.inductSymmetricRatchetState(
 					chatIdToString(chatId),
@@ -358,15 +323,10 @@ export class EncryptedMessagingService {
 					console.info(
 						`#decryptMessage: Failed to decrypt message ${encryptedMessage.metadata.chat_message_id.toString()}, trying again... Caught error: ${error instanceof Error ? error.message : 'Unknown error'}`
 					);
-					const messageExpiry = await canisterAPI.getExpiry(
-						getActor(),
-						chatIdFromString(chatIdStr)
-					);
 					const ratchetState =
 						await this.#ratchetInitializationService.initializeRatchetStateAndReshareAndCacheIfNeeded(
 							chatIdFromString(chatIdStr),
-							encryptedMessage.metadata.vetkey_epoch,
-							messageExpiry
+							encryptedMessage.metadata.vetkey_epoch
 						);
 					this.#keyManager.inductSymmetricRatchetState(
 						chatIdStr,
@@ -448,7 +408,7 @@ async function sendMessage(
 	chatId: ChatId,
 	vetKeyEpoch: bigint,
 	symmetricRatchetEpoch: bigint,
-	nonce: bigint,
+	senderMessageId: bigint,
 	encryptedBytes: Uint8Array
 ) {
 	// Create UserMessage for the canister
@@ -456,7 +416,7 @@ async function sendMessage(
 		vetkey_epoch: vetKeyEpoch,
 		content: encryptedBytes,
 		symmetric_key_epoch: symmetricRatchetEpoch,
-		nonce
+		message_id: senderMessageId
 	};
 
 	// Send to canister using the appropriate method based on chat type
@@ -486,5 +446,3 @@ async function sendMessage(
 		}
 	}
 }
-
-// TODO: handling of expiry time changes doesn't work yet.
diff --git a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
index ce661aea..06ee28f4 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/keyStorage.ts
@@ -20,10 +20,6 @@ export class KeyStorageService {
 			vetKeyEpochStr
 		])) as StorableSymmetricRatchetState;
 		if (!stateRecord) {
-			console.warn(
-				`KeyStorageService.getSymmetricRatchetState: failed to load symmetric ratchet state for chat ${chatIdStr} vetkeyEpoch ${vetKeyEpochStr}: state`,
-				stateRecord
-			);
 			return undefined;
 		}
 		console.log(
@@ -34,8 +30,7 @@ export class KeyStorageService {
 			stateRecord.cryptoKey,
 			stateRecord.symmetricRatchetEpoch,
 			stateRecord.creationTime,
-			stateRecord.rotationDuration,
-			stateRecord.stateRecoveryDuration
+			stateRecord.rotationDuration
 		);
 	}
 
diff --git a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
index 87d4d594..14c31e12 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/ratchetInitializationService.ts
@@ -4,22 +4,21 @@ import { getActor, getMyPrincipal } from '$lib/stores/auth.svelte';
 import { stringifyBigInt, chatIdToString } from '$lib/utils';
 import { canisterAPI } from './canisterApi';
 import { keyStorageService } from './keyStorage';
-import { EncryptedRatchetStateCacheService } from './encryptedRatchetStateCacheService';
+import { EncryptedCanisterCacheService } from './encryptedCanisterCacheService';
 import { VetKeyResharingService } from './vetKeyResharingService';
 
 export class RatchetInitializationService {
 	#vetKeyResharingService: VetKeyResharingService;
-	#encryptedRatchetStateCacheService: EncryptedRatchetStateCacheService;
+	#encryptedCanisterCacheService: EncryptedCanisterCacheService;
 
 	constructor() {
 		this.#vetKeyResharingService = new VetKeyResharingService();
-		this.#encryptedRatchetStateCacheService = new EncryptedRatchetStateCacheService();
+		this.#encryptedCanisterCacheService = new EncryptedCanisterCacheService();
 	}
 
 	async initializeRatchetStateAndReshareAndCacheIfNeeded(
 		chatId: ChatId,
-		vetKeyEpoch: bigint,
-		stateRecoveryDuration: Date
+		vetKeyEpoch: bigint
 	): Promise<SymmetricRatchetState> {
 		const metadata = await canisterAPI.getVetKeyEpochMetadata(getActor(), chatId, vetKeyEpoch);
 		const creationTime = new Date(Number(metadata.creation_timestamp / 1_000_000n));
@@ -45,8 +44,7 @@ export class RatchetInitializationService {
 				keyState.key,
 				keyState.symmetricKeyEpoch,
 				creationTime,
-				rotationDuration,
-				stateRecoveryDuration
+				rotationDuration
 			);
 
 			keyStorageService
@@ -75,8 +73,7 @@ export class RatchetInitializationService {
 				keyState.key,
 				keyState.symmetricKeyEpoch,
 				creationTime,
-				rotationDuration,
-				stateRecoveryDuration
+				rotationDuration
 			);
 		} catch (error) {
 			console.info('Failed to fetch reshared IBE encrypted vetkey: ', error);
@@ -88,8 +85,7 @@ export class RatchetInitializationService {
 				keyState.key,
 				keyState.symmetricKeyEpoch,
 				creationTime,
-				rotationDuration,
-				stateRecoveryDuration
+				rotationDuration
 			);
 			keyStorageService
 				.saveSymmetricRatchetState(
@@ -136,7 +132,7 @@ export class RatchetInitializationService {
 		chatId: ChatId,
 		vetKeyEpoch: bigint
 	): Promise<{ key: CryptoKey; symmetricKeyEpoch: bigint }> {
-		return this.#encryptedRatchetStateCacheService
+		return this.#encryptedCanisterCacheService
 			.fetchAndDecryptFor(chatId, vetKeyEpoch)
 			.then((epochKeyState) => {
 				return importKeyStateFromBytes(epochKeyState);
@@ -198,7 +194,7 @@ function deriveRootKeyAndDispatchCaching(
 	);
 
 	console.log('starting to store the root key in cache: ', rootKey);
-	const vetKeyEncryptedCache = new EncryptedRatchetStateCacheService();
+	const vetKeyEncryptedCache = new EncryptedCanisterCacheService();
 	const keyState = { keyBytes: rootKey, symmetricKeyEpoch: 0n };
 	// await this future in background
 	vetKeyEncryptedCache.encryptAndStoreFor(chatId, vetKeyEpoch, keyState).catch((error) => {
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index 1b1a64c7..ae392965 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -2,14 +2,6 @@ type ChatId = variant {
   Group : nat64;
   Direct : record { principal; principal };
 };
-type ChatMetadata = record {
-  first_non_expired_message_id : opt nat64;
-  disappearing_messages_duration : nat64;
-  latest_vetkey_epoch_id : nat64;
-  first_non_expired_vetkey_epoch_id : nat64;
-  chat_id : ChatId;
-  number_of_messages : nat64;
-};
 type EncryptedMessage = record {
   content : blob;
   metadata : EncryptedMessageMetadata;
@@ -22,10 +14,6 @@ type EncryptedMessageMetadata = record {
   nonce : nat64;
   timestamp : nat64;
 };
-type GetMyChatsAndTimeResponse = record {
-  chats_metadata : vec ChatMetadata;
-  current_consensus_time : nat64;
-};
 type GroupChatMetadata = record { creation_timestamp : nat64; chat_id : nat64 };
 type GroupModification = record {
   remove_participants : vec principal;
@@ -37,12 +25,11 @@ type Result_2 = variant { Ok : blob; Err : text };
 type Result_3 = variant { Ok : VetKeyEpochMetadata; Err : text };
 type Result_4 = variant { Ok : opt blob; Err : text };
 type Result_5 = variant { Ok; Err : text };
-type Result_6 = variant { Ok : opt nat64; Err : text };
 type UserMessage = record {
   vetkey_epoch : nat64;
   content : blob;
   symmetric_key_epoch : nat64;
-  nonce : nat64;
+  message_id : nat64;
 };
 type VetKeyEpochMetadata = record {
   symmetric_key_rotation_duration : nat64;
@@ -68,7 +55,6 @@ service : (text) -> {
   // * If the user has already cached the key.
   derive_chat_vetkey : (ChatId, opt nat64, blob) -> (Result_2);
   get_encrypted_vetkey_for_my_cache_storage : (blob) -> (blob);
-  get_expiry : (ChatId) -> (Result) query;
   get_latest_chat_vetkey_epoch_metadata : (ChatId) -> (Result_3) query;
   // Returns messages for a chat starting from a given message id.
   // 
@@ -80,7 +66,7 @@ service : (text) -> {
   // # Notes
   // * Does not fail if the chat does not exist or the user has no access -- returns empty vector instead.
   get_messages : (ChatId, nat64, opt nat32) -> (vec EncryptedMessage) query;
-  get_my_chats_and_time : () -> (GetMyChatsAndTimeResponse) query;
+  get_my_chat_ids : () -> (vec record { ChatId; nat64 }) query;
   get_my_reshared_ibe_encrypted_vetkey : (ChatId, nat64) -> (Result_4);
   get_my_symmetric_key_cache : (ChatId, nat64) -> (Result_4);
   get_vetkey_epoch_metadata : (ChatId, nat64) -> (Result_3) query;
@@ -96,6 +82,5 @@ service : (text) -> {
   rotate_chat_vetkey : (ChatId) -> (Result);
   send_direct_message : (UserMessage, principal) -> (Result);
   send_group_message : (UserMessage, nat64) -> (Result);
-  set_expiry : (ChatId, nat64) -> (Result_6) query;
   update_my_symmetric_key_cache : (ChatId, nat64, blob) -> (Result_5);
 }
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index 82140fff..c9113c21 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -42,7 +42,7 @@ thread_local! {
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(3))),
     ));
 
-    static SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID: RefCell<StableBTreeMap<(ChatId, Sender, Nonce), (), Memory>> = RefCell::new(StableBTreeMap::init(
+    static SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID: RefCell<StableBTreeMap<(ChatId, Sender, SenderMessageId), (), Memory>> = RefCell::new(StableBTreeMap::init(
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(4))),
     ));
 
@@ -58,7 +58,7 @@ thread_local! {
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(7))),
     ));
 
-    static EXPIRING_VETKEY_EPOCHS: RefCell<StableBTreeMap<(Time, ChatId, VetKeyEpochId), (), Memory>> = RefCell::new(StableBTreeMap::init(
+    static EXPIRING_VETKEY_EPOCHS_CACHES: RefCell<StableBTreeMap<(Time, ChatId, Principal),  VetKeyEpochId, Memory>> = RefCell::new(StableBTreeMap::init(
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(8))),
     ));
 
@@ -67,7 +67,7 @@ thread_local! {
     ));
 
     static RESHARED_VETKEYS: RefCell<StableBTreeMap<(ChatId, VetKeyEpochId, Principal), IbeEncryptedVetKey, Memory>> = RefCell::new(StableBTreeMap::init(
-        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(10))),
+        MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(11))),
     ));
 
     // Store symmetric key cache in encrypted maps. On a high level, store the cache in:
@@ -325,14 +325,7 @@ fn get_vetkey_epoch_metadata(
 
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
 
-    get_vetkey_epoch_metadata_access_unchecked(chat_id, vetkey_epoch_id)
-}
-
-fn get_vetkey_epoch_metadata_access_unchecked(
-    chat_id: ChatId,
-    vetkey_epoch_id: VetKeyEpochId,
-) -> Result<VetKeyEpochMetadata, String> {
-    CHAT_TO_VETKEYS_METADATA
+    let epoch_metadata = CHAT_TO_VETKEYS_METADATA
         .with_borrow(|metadata| {
             metadata
                 .range(&(chat_id, Time(0))..)
@@ -343,7 +336,9 @@ fn get_vetkey_epoch_metadata_access_unchecked(
         })
         .ok_or(format!(
             "No vetkey epoch {vetkey_epoch_id:?} found for chat {chat_id:?}"
-        ))
+        ))?;
+
+    Ok(epoch_metadata)
 }
 
 #[ic_cdk::update]
@@ -380,14 +375,11 @@ fn rotate_chat_vetkey(chat_id: ChatId) -> Result<VetKeyEpochId, String> {
         let todo_remove = metadata.insert((chat_id, now), new_vetkey_epoch_metadata);
         assert!(todo_remove.is_none());
 
+        clean_up_expired_vetkey_epochs(metadata, chat_id);
+
         new_vetkey_epoch_id
     });
 
-    mark_vetkey_epoch_as_expiring(chat_id, latest_epoch_metadata.epoch_id);
-    let (num_expired_vetkey_epochs, num_expired_vetkey_epochs_caches, num_expired_reshared_vetkeys) =
-        remove_expired_vetkey_epochs_and_caches()?;
-    ic_cdk::println!("removed {num_expired_vetkey_epochs} expired vetkey epochs, {num_expired_vetkey_epochs_caches} expired vetkey epochs caches, {num_expired_reshared_vetkeys} expired reshared vetkeys");
-
     Ok(new_vetkey_epoch_id)
 }
 
@@ -404,7 +396,7 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
         user_message.vetkey_epoch,
         user_message.symmetric_key_epoch,
     )?;
-    ensure_nonce_is_unique(chat_id, user_message.nonce)?;
+    ensure_message_id_is_unique(chat_id, user_message.message_id)?;
 
     let now = Time(ic_cdk::api::time());
 
@@ -424,12 +416,12 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
-            nonce: user_message.nonce,
+            nonce: user_message.message_id,
         },
     };
 
     SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID.with_borrow_mut(|message_times| {
-        message_times.insert((chat_id, Sender(caller), user_message.nonce), ());
+        message_times.insert((chat_id, Sender(caller), user_message.message_id), ());
     });
 
     DIRECT_CHAT_MESSAGES.with_borrow_mut(|messages| {
@@ -466,7 +458,7 @@ fn send_group_message(
         user_message.vetkey_epoch,
         user_message.symmetric_key_epoch,
     )?;
-    ensure_nonce_is_unique(chat_id, user_message.nonce)?;
+    ensure_message_id_is_unique(chat_id, user_message.message_id)?;
 
     let now = Time(ic_cdk::api::time());
 
@@ -486,12 +478,12 @@ fn send_group_message(
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
-            nonce: user_message.nonce,
+            nonce: user_message.message_id,
         },
     };
 
     SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID.with_borrow_mut(|message_times| {
-        message_times.insert((chat_id, Sender(caller), user_message.nonce), ());
+        message_times.insert((chat_id, Sender(caller), user_message.message_id), ());
     });
 
     GROUP_CHAT_MESSAGES.with_borrow_mut(|messages| {
@@ -514,113 +506,27 @@ fn send_group_message(
 }
 
 #[ic_cdk::query]
-fn get_my_chats_and_time() -> GetMyChatsAndTimeResponse {
+fn get_my_chat_ids() -> Vec<(ChatId, ChatMessageId)> {
     let caller = ic_cdk::api::msg_caller();
-    let chats_metadata = USER_TO_CHAT_MAP.with_borrow(|map| {
+    USER_TO_CHAT_MAP.with_borrow(|map| {
         CHAT_TO_MESSAGE_COUNTERS.with_borrow(|counters| {
-            CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
-                map.keys_range((caller, ChatId::MIN_VALUE, VetKeyEpochId(0))..)
-                    .take_while(|(user, _, _)| user == &caller)
-                    .map(|(_, chat_id, _)| ChatMetadata {
+            map.keys_range((caller, ChatId::MIN_VALUE, VetKeyEpochId(0))..)
+                .take_while(|(user, _, _)| user == &caller)
+                .map(|(_, chat_id, _)| {
+                    (
                         chat_id,
-                        number_of_messages: ChatMessageId(
+                        ChatMessageId(
                             counters
                                 .get(&chat_id)
                                 .expect("bug: uninitialized chat message counter")
                                 .0,
                         ),
-                        latest_vetkey_epoch_id: latest_vetkey_epoch_id(chat_id).unwrap(),
-                        disappearing_messages_duration: expiry_settings
-                            .get(&chat_id)
-                            .expect("bug: uninitialized expiry setting"),
-                        first_non_expired_message_id: get_first_non_expired_message_id(chat_id),
-                        first_non_expired_vetkey_epoch_id: get_first_non_expired_vetkey_epoch_id(
-                            chat_id,
-                        ),
-                    })
-                    .collect::<std::collections::BTreeSet<_>>()
-                    .into_iter()
-                    .collect()
-            })
+                    )
+                })
+                .collect::<std::collections::BTreeSet<_>>()
+                .into_iter()
+                .collect()
         })
-    });
-
-    GetMyChatsAndTimeResponse {
-        chats_metadata,
-        current_consensus_time: ic_cdk::api::time(),
-    }
-}
-
-#[ic_cdk::query]
-fn get_expiry(chat_id: ChatId) -> Result<Time, String> {
-    let caller = ic_cdk::api::msg_caller();
-    let latest_epoch_metadata =
-        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
-
-    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
-
-    let expiry_time_minutes = Time(
-        CHAT_TO_MESSAGE_EXPIRY_SETTING
-            .with_borrow(|expiry_settings| {
-                expiry_settings
-                    .get(&chat_id)
-                    .expect("bug: uninitialized expiry setting")
-            })
-            .0
-            / NANOSECONDS_IN_MINUTE,
-    );
-
-    Ok(expiry_time_minutes)
-}
-
-#[ic_cdk::query]
-fn set_expiry(chat_id: ChatId, new_expiry_time_minutes: Time) -> Result<Option<Time>, String> {
-    let caller = ic_cdk::api::msg_caller();
-    let latest_epoch_metadata =
-        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
-    let new_expiry_time_nanos = Time(
-        new_expiry_time_minutes
-            .0
-            .checked_mul(NANOSECONDS_IN_MINUTE)
-            .ok_or("Overflow: too large expiry time".to_string())?,
-    );
-
-    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, latest_epoch_metadata.epoch_id)?;
-
-    let old_expiry_time_minutes = CHAT_TO_MESSAGE_EXPIRY_SETTING
-        .with_borrow_mut(|expiry_settings| expiry_settings.insert(chat_id, new_expiry_time_nanos))
-        .map(|old_expiry_time_nanos| Time(old_expiry_time_nanos.0 / NANOSECONDS_IN_MINUTE));
-
-    ic_cdk::println!("set_expiry: {}", cleanup_of_expired_items());
-
-    Ok(old_expiry_time_minutes)
-}
-
-fn get_first_non_expired_message_id(chat_id: ChatId) -> Option<ChatMessageId> {
-    match chat_id {
-        ChatId::Direct(direct_chat) => DIRECT_CHAT_MESSAGES.with_borrow(|messages| {
-            messages
-                .range(&(direct_chat, ChatMessageId(0))..)
-                .map(|kv| kv.key().1)
-                .next()
-        }),
-        ChatId::Group(group_chat) => GROUP_CHAT_MESSAGES.with_borrow(|messages| {
-            messages
-                .range(&(group_chat, ChatMessageId(0))..)
-                .map(|kv| kv.key().1)
-                .next()
-        }),
-    }
-}
-
-fn get_first_non_expired_vetkey_epoch_id(chat_id: ChatId) -> VetKeyEpochId {
-    CHAT_TO_VETKEYS_METADATA.with_borrow(|metadata| {
-        metadata
-            .range(&(chat_id, Time(0))..)
-            .take_while(|metadata| metadata.key().0 == chat_id)
-            .map(|metadata| metadata.value().epoch_id)
-            .next()
-            .expect("bug: no non-expired vetkey epoch found")
     })
 }
 
@@ -737,10 +643,8 @@ fn update_my_symmetric_key_cache(
     user_cache: EncryptedSymmetricKeyEpochCache,
 ) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
-
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
-    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
     ensure_payload_has_reasonable_size_for_key(&user_cache.0)?;
 
     ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
@@ -757,6 +661,11 @@ fn update_my_symmetric_key_cache(
             .expect("bug: failed to insert encrypted value");
     });
 
+    let now = Time(ic_cdk::api::time());
+    EXPIRING_VETKEY_EPOCHS_CACHES.with_borrow_mut(|caches| {
+        caches.insert((now, chat_id, caller), vetkey_epoch_id);
+    });
+
     RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
         let _ = reshared_vetkeys.remove(&(chat_id, vetkey_epoch_id, caller));
     });
@@ -772,7 +681,6 @@ fn get_my_symmetric_key_cache(
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
-    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
 
     ENCRYPTED_MAPS.with_borrow(|opt_maps| {
         let maps = opt_maps
@@ -826,7 +734,6 @@ fn reshare_ibe_encrypted_vetkeys(
 ) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
-    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
     ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
 
     users_and_encrypted_vetkeys.iter().map(|(user, _encrypted_vetkey)| {
@@ -866,8 +773,6 @@ fn get_my_reshared_ibe_encrypted_vetkey(
     let caller = ic_cdk::api::msg_caller();
 
     ensure_chat_and_vetkey_epoch_exist(chat_id, vetkey_epoch_id)?;
-    ensure_vetkey_epoch_did_not_expire(chat_id, vetkey_epoch_id)?;
-    ensure_user_has_access_to_chat_at_epoch(caller, chat_id, vetkey_epoch_id)?;
 
     Ok(RESHARED_VETKEYS
         .with_borrow(|reshared_vetkeys| reshared_vetkeys.get(&(chat_id, vetkey_epoch_id, caller))))
@@ -986,59 +891,26 @@ fn modify_group_chat_participants(
         let todo_remove = metadata.insert((chat_id, now), new_vetkey_epoch_metadata);
         assert!(todo_remove.is_none());
 
+        clean_up_expired_vetkey_epochs(metadata, chat_id);
+
         new_vetkey_epoch_id
     });
 
-    mark_vetkey_epoch_as_expiring(chat_id, latest_epoch_metadata.epoch_id);
-
-    let (num_expired_vetkey_epochs, num_expired_vetkey_epochs_caches, num_expired_reshared_vetkeys) =
-        remove_expired_vetkey_epochs_and_caches()?;
-    ic_cdk::println!("removed {num_expired_vetkey_epochs} expired vetkey epochs, {num_expired_vetkey_epochs_caches} expired vetkey epochs caches, {num_expired_reshared_vetkeys} expired reshared vetkeys");
-
     Ok(new_vetkey_epoch_id)
 }
 
-fn mark_vetkey_epoch_as_expiring(chat_id: ChatId, vetkey_epoch_id: VetKeyEpochId) {
-    let expiry_time = CHAT_TO_MESSAGE_EXPIRY_SETTING.with_borrow(|expiry_settings| {
-        expiry_settings
-            .get(&chat_id)
-            .expect("bug: uninitialized expiry setting")
-    });
-
-    EXPIRING_VETKEY_EPOCHS.with_borrow_mut(|expiring_vetkey_epochs| {
-        let todo_insert = expiring_vetkey_epochs.insert(
-            (
-                Time(ic_cdk::api::time() + expiry_time.0),
-                chat_id,
-                vetkey_epoch_id,
-            ),
-            (),
-        );
-        assert!(todo_insert.is_none());
-    });
-}
-
 fn start_expired_cleanup_timer_job_with_interval(secs: u64) {
     let secs = std::time::Duration::from_secs(secs);
     let _timer_id = ic_cdk_timers::set_timer_interval(secs, periodic_cleanup_of_expired_items);
 }
 
 fn periodic_cleanup_of_expired_items() {
-    ic_cdk::println!("Timer job: {}", cleanup_of_expired_items());
-}
-
-fn cleanup_of_expired_items() -> String {
-    let (num_expired_direct_messages, num_expired_group_messages) = remove_expired_messages();
-    let (num_expired_vetkey_epochs, num_expired_vetkey_epochs_caches, num_expired_reshared_vetkeys) =
-        remove_expired_vetkey_epochs_and_caches()
-            .expect("bug: expected to always remove expired vetkey epochs");
-
-    format!("cleaned up {num_expired_direct_messages} expired direct messages, {num_expired_group_messages} expired group messages, {num_expired_vetkey_epochs} expired vetkey epochs ({num_expired_vetkey_epochs_caches} caches), {num_expired_reshared_vetkeys} expired reshared vetkeys")
-}
+    let now = Time(ic_cdk::api::time());
 
-fn remove_expired_messages() -> (usize, usize) {
     let mut num_expired_direct_messages: usize = 0;
     let mut num_expired_group_messages: usize = 0;
+    let mut num_expired_vetkey_epochs_caches: usize = 0;
+    let mut num_expired_reshared_vetkeys: usize = 0;
 
     EXPIRING_MESSAGES.with_borrow_mut(|expiring_messages| {
         let now = Time(ic_cdk::api::time());
@@ -1070,74 +942,82 @@ fn remove_expired_messages() -> (usize, usize) {
         }
     });
 
-    (num_expired_direct_messages, num_expired_group_messages)
-}
-
-fn remove_expired_vetkey_epochs_and_caches() -> Result<(usize, usize, usize), String> {
-    let mut num_expired_vetkey_epochs: usize = 0;
-    let mut num_expired_vetkey_epochs_caches: usize = 0;
-    let mut num_expired_reshared_vetkeys: usize = 0;
-
-    let now = Time(ic_cdk::api::time());
-
-    let expired_vetkey_epochs = EXPIRING_VETKEY_EPOCHS.with_borrow_mut(|expiring_vetkey_epochs| {
-        let expired_vetkey_epochs: Vec<_> = expiring_vetkey_epochs
+    EXPIRING_VETKEY_EPOCHS_CACHES.with_borrow_mut(|expiring_vetkey_epochs_caches| {
+        let mut expired_vetkey_epochs = std::collections::BTreeSet::new();
+        let expired_vetkey_epochs_caches: Vec<_> = expiring_vetkey_epochs_caches
             .iter()
             .filter(|entry| entry.key().0 <= now)
-            .map(|entry| *entry.key())
+            .map(|entry| (*entry.key(), entry.value()))
             .collect();
-        for (time, chat_id, vetkey_epoch_id) in expired_vetkey_epochs.iter().copied() {
-            let todo_remove = expiring_vetkey_epochs.remove(&(time, chat_id, vetkey_epoch_id));
-            assert!(todo_remove.is_some());
-            num_expired_vetkey_epochs += 1;
+        for ((time, chat_id, principal), vetkey_epoch_id) in expired_vetkey_epochs_caches {
+            expired_vetkey_epochs.insert((chat_id, vetkey_epoch_id));
+            let todo_remove_1 = expiring_vetkey_epochs_caches.remove(&(time, chat_id, principal));
+            assert!(todo_remove_1.is_some());
+
+            ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
+                let maps = opt_maps.as_mut().expect(
+                    "bug: encrypted maps should be initialized after canister initialization",
+                );
+                if maps
+                    .remove_encrypted_value(
+                        principal,
+                        map_id(principal),
+                        map_key_id(chat_id, vetkey_epoch_id),
+                    )
+                    .unwrap()
+                    .is_some()
+                {
+                    num_expired_vetkey_epochs_caches += 1
+                }
+            });
         }
-        expired_vetkey_epochs
-    });
 
-    let vetkey_epochs_metadata = expired_vetkey_epochs
-        .iter()
-        .map(|(_time, chat_id, vetkey_epoch_id)| {
-            get_vetkey_epoch_metadata_access_unchecked(*chat_id, *vetkey_epoch_id)
-        })
-        .collect::<Result<Vec<_>, String>>()?;
-    for ((_time, chat_id, vetkey_epoch_id), metadata) in expired_vetkey_epochs
-        .into_iter()
-        .zip(vetkey_epochs_metadata.into_iter())
-    {
-        ENCRYPTED_MAPS.with_borrow_mut(|opt_maps| {
+        for (chat_id, vetkey_epoch_id) in expired_vetkey_epochs {
             RESHARED_VETKEYS.with_borrow_mut(|reshared_vetkeys| {
-                for principal in metadata.participants.iter().copied() {
-                    let maps = opt_maps.as_mut().expect(
-                        "bug: encrypted maps should be initialized after canister initialization",
-                    );
-                    if maps
-                        .remove_encrypted_value(
-                            principal,
-                            map_id(principal),
-                            map_key_id(chat_id, vetkey_epoch_id),
-                        )
-                        .unwrap()
-                        .is_some()
-                    {
-                        num_expired_vetkey_epochs_caches += 1
-                    }
-
-                    if reshared_vetkeys
-                        .remove(&(chat_id, vetkey_epoch_id, principal))
-                        .is_some()
-                    {
-                        num_expired_reshared_vetkeys += 1;
-                    }
+                let reshared_vetkeys_to_remove: Vec<_> = reshared_vetkeys
+                    .range(&(chat_id, vetkey_epoch_id, Principal::management_canister())..)
+                    .filter(|entry| entry.key().0 == chat_id && entry.key().1 == vetkey_epoch_id)
+                    .map(|entry| *entry.key())
+                    .collect();
+                for key in reshared_vetkeys_to_remove {
+                    let todo_remove = reshared_vetkeys.remove(&key);
+                    assert!(todo_remove.is_some());
+                    num_expired_reshared_vetkeys += 1;
                 }
             });
-        });
-    }
+        }
+    });
 
-    Ok((
-        num_expired_vetkey_epochs,
+    ic_cdk::println!(
+        "Timer job: cleaned up {} expired direct messages, {} expired group messages, {} expired vetkey epochs caches, {} expired reshared vetkeys",
+        num_expired_direct_messages,
+        num_expired_group_messages,
         num_expired_vetkey_epochs_caches,
-        num_expired_reshared_vetkeys,
-    ))
+        num_expired_reshared_vetkeys
+    );
+}
+
+fn clean_up_expired_vetkey_epochs(
+    metadata: &mut StableBTreeMap<(ChatId, Time), VetKeyEpochMetadata, Memory>,
+    chat_id: ChatId,
+) {
+    let now = Time(ic_cdk::api::time());
+    let message_expiry_setting = CHAT_TO_MESSAGE_EXPIRY_SETTING
+        .with_borrow(|expiry_settings| expiry_settings.get(&chat_id))
+        .expect("bug: expiry should always exist for existing chats");
+
+    let expired_epochs: Vec<_> = metadata
+        .range((chat_id, Time(0))..)
+        .take_while(|metadata| {
+            (metadata.key().1 .0 + message_expiry_setting.0) < now.0 && metadata.key().0 == chat_id
+        })
+        .map(|metadata| metadata.value())
+        .collect();
+
+    for epoch in expired_epochs {
+        let todo_remove = metadata.remove(&(chat_id, epoch.creation_timestamp));
+        assert!(todo_remove.is_some());
+    }
 }
 
 fn ensure_user_has_access_to_chat_at_epoch(
@@ -1201,7 +1081,10 @@ fn ensure_chat_and_vetkey_epoch_exist(
     })
 }
 
-fn ensure_nonce_is_unique(chat_id: ChatId, nonce: Nonce) -> Result<(), String> {
+fn ensure_message_id_is_unique(
+    chat_id: ChatId,
+    nonce: SenderMessageId,
+) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     let maybe_existing_id = SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID
         .with_borrow(|message_ids| message_ids.get(&(chat_id, Sender(caller), nonce)));
@@ -1305,44 +1188,4 @@ pub fn resharing_context(caller: Principal) -> Vec<u8> {
     context
 }
 
-fn ensure_vetkey_epoch_did_not_expire(
-    chat_id: ChatId,
-    vetkey_epoch_id: VetKeyEpochId,
-) -> Result<(), String> {
-    let latest_epoch_metadata =
-        latest_vetkey_epoch_metadata(chat_id).ok_or(format!("No chat {chat_id:?} found"))?;
-
-    if vetkey_epoch_id == latest_epoch_metadata.epoch_id {
-        return Ok(());
-    } else if vetkey_epoch_id.0 > latest_epoch_metadata.epoch_id.0 {
-        return Err(format!(
-            "Vetkey epoch {vetkey_epoch_id:?} is greater than the latest vetkey epoch {:?}",
-            latest_epoch_metadata.epoch_id
-        ));
-    }
-
-    let next_epoch_metadata = if vetkey_epoch_id.0 + 1 == latest_epoch_metadata.epoch_id.0 {
-        latest_epoch_metadata
-    } else {
-        get_vetkey_epoch_metadata(chat_id, VetKeyEpochId(vetkey_epoch_id.0 + 1))?
-    };
-
-    let now = ic_cdk::api::time();
-    let creation = next_epoch_metadata.creation_timestamp.0;
-
-    let expiry_time: u64 = CHAT_TO_MESSAGE_EXPIRY_SETTING
-        .with_borrow(|expiry_settings| {
-            expiry_settings
-                .get(&chat_id)
-                .expect("bug: expiry should always exist for existing chats")
-        })
-        .0;
-
-    if now >= creation.checked_add(expiry_time).expect("bug: overflow") {
-        Err(format!("vetKey epoch {vetkey_epoch_id:?} expired"))
-    } else {
-        Ok(())
-    }
-}
-
 ic_cdk::export_candid!();
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index d9dc5749..81c6897c 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -43,22 +43,6 @@ macro_rules! storable_delegate {
     };
 }
 
-#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
-pub struct GetMyChatsAndTimeResponse {
-    pub chats_metadata: Vec<ChatMetadata>,
-    pub current_consensus_time: u64,
-}
-
-#[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
-pub struct ChatMetadata {
-    pub chat_id: ChatId,
-    pub number_of_messages: ChatMessageId,
-    pub latest_vetkey_epoch_id: VetKeyEpochId,
-    pub disappearing_messages_duration: Time,
-    pub first_non_expired_message_id: Option<ChatMessageId>,
-    pub first_non_expired_vetkey_epoch_id: VetKeyEpochId,
-}
-
 #[derive(CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug)]
 pub struct EncryptedMessage {
     pub content: Vec<u8>,
@@ -75,7 +59,7 @@ pub struct EncryptedMessageMetadata {
     pub vetkey_epoch: VetKeyEpochId,
     pub symmetric_key_epoch: SymmetricKeyEpochId,
     pub chat_message_id: ChatMessageId,
-    pub nonce: Nonce,
+    pub nonce: SenderMessageId,
 }
 
 impl Storable for EncryptedMessageMetadata {
@@ -112,11 +96,11 @@ impl Storable for EncryptedMessageMetadata {
         ));
 
         let (chat_message_id_bytes, nonce_bytes) = rest.split_at(8);
-        let chat_message_id = ChatMessageId(u64::from_le_bytes(
-            chat_message_id_bytes.try_into().unwrap(),
-        ));
+        let chat_message_id = ChatMessageId(u64::from_le_bytes(chat_message_id_bytes.try_into().unwrap()));
 
-        let nonce = Nonce(u64::from_le_bytes(nonce_bytes.try_into().unwrap()));
+        let nonce = SenderMessageId(u64::from_le_bytes(
+            nonce_bytes.try_into().unwrap(),
+        ));
 
         Self {
             sender,
@@ -139,7 +123,7 @@ pub struct UserMessage {
     pub content: Vec<u8>,
     pub vetkey_epoch: VetKeyEpochId,
     pub symmetric_key_epoch: SymmetricKeyEpochId,
-    pub nonce: Nonce,
+    pub message_id: SenderMessageId,
 }
 
 storable_unbounded!(UserMessage);
@@ -282,9 +266,9 @@ impl Storable for ChatId {
 #[derive(
     CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
 )]
-pub struct Nonce(pub u64);
+pub struct SenderMessageId(pub u64);
 
-storable_delegate!(Nonce, u64);
+storable_delegate!(SenderMessageId, u64);
 
 /// Chat message id is assigned to each message in the chat sequentially.
 /// The IDs are assigned from an incrementing counter for a chat for all users.
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index d5cc57f9..2a9fb836 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -1,8 +1,8 @@
 use candid::{encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
-    ChatId, ChatMessageId, ChatMetadata, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
-    EncryptedSymmetricKeyEpochCache, GetMyChatsAndTimeResponse, IbeEncryptedVetKey, Nonce,
-    SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
+    ChatId, ChatMessageId, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
+    EncryptedSymmetricKeyEpochCache, IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId,
+    Time, UserMessage, VetKeyEpochId,
 };
 use serde_bytes::ByteBuf;
 
@@ -19,12 +19,11 @@ fn can_create_chat() {
 
     for p in [env.principal_0, env.principal_1] {
         assert_eq!(
-            env.query::<GetMyChatsAndTimeResponse>(
+            env.query::<Vec<(ChatId, ChatMessageId)>>(
                 p,
-                "get_my_chats_and_time",
+                "get_my_chat_ids",
                 encode_args(()).unwrap()
-            )
-            .chats_metadata,
+            ),
             vec![]
         );
     }
@@ -36,30 +35,16 @@ fn can_create_chat() {
     )
     .unwrap();
 
-    let chat_ids: GetMyChatsAndTimeResponse = env.query(
-        env.principal_0,
-        "get_my_chats_and_time",
-        encode_args(()).unwrap(),
-    );
-    assert_eq!(
-        chat_ids.chats_metadata,
-        vec![ChatMetadata {
-            chat_id: p0_self_chat_id,
-            number_of_messages: ChatMessageId(0),
-            latest_vetkey_epoch_id: VetKeyEpochId(0),
-            disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
-            first_non_expired_message_id: None,
-            first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
-        }]
-    );
+    let chat_ids: Vec<(ChatId, ChatMessageId)> =
+        env.query(env.principal_0, "get_my_chat_ids", encode_args(()).unwrap());
+    assert_eq!(chat_ids, vec![(p0_self_chat_id, ChatMessageId(0))]);
 
     assert_eq!(
-        env.query::<GetMyChatsAndTimeResponse>(
+        env.query::<Vec<(ChatId, ChatMessageId)>>(
             env.principal_1,
-            "get_my_chats_and_time",
+            "get_my_chat_ids",
             encode_args(()).unwrap()
-        )
-        .chats_metadata,
+        ),
         vec![]
     );
 
@@ -71,44 +56,19 @@ fn can_create_chat() {
     .unwrap();
 
     assert_eq!(
-        env.query::<GetMyChatsAndTimeResponse>(
+        env.query::<Vec<(ChatId, ChatMessageId)>>(
             env.principal_1,
-            "get_my_chats_and_time",
+            "get_my_chat_ids",
             encode_args(()).unwrap()
-        )
-        .chats_metadata,
-        vec![ChatMetadata {
-            chat_id: p0_p1_chat_id,
-            number_of_messages: ChatMessageId(0),
-            latest_vetkey_epoch_id: VetKeyEpochId(0),
-            disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
-            first_non_expired_message_id: None,
-            first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
-        }]
+        ),
+        vec![(p0_p1_chat_id, ChatMessageId(0))]
     );
 
-    let chat_ids: GetMyChatsAndTimeResponse = env.query(
-        env.principal_0,
-        "get_my_chats_and_time",
-        encode_args(()).unwrap(),
-    );
-    assert!(chat_ids.chats_metadata.contains(&ChatMetadata {
-        chat_id: p0_self_chat_id,
-        number_of_messages: ChatMessageId(0),
-        latest_vetkey_epoch_id: VetKeyEpochId(0),
-        disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
-        first_non_expired_message_id: None,
-        first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
-    }));
-    assert!(chat_ids.chats_metadata.contains(&ChatMetadata {
-        chat_id: p0_p1_chat_id,
-        number_of_messages: ChatMessageId(0),
-        latest_vetkey_epoch_id: VetKeyEpochId(0),
-        disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
-        first_non_expired_message_id: None,
-        first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
-    }));
-    assert_eq!(chat_ids.chats_metadata.len(), 2);
+    let chat_ids: Vec<(ChatId, ChatMessageId)> =
+        env.query(env.principal_0, "get_my_chat_ids", encode_args(()).unwrap());
+    assert!(chat_ids.contains(&(p0_self_chat_id, ChatMessageId(0))));
+    assert!(chat_ids.contains(&(p0_p1_chat_id, ChatMessageId(0))));
+    assert_eq!(chat_ids.len(), 2);
 }
 
 #[test]
@@ -163,7 +123,7 @@ fn can_send_and_get_messages() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_messages",
+                "get_some_messages_for_chat_starting_from",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
@@ -172,14 +132,14 @@ fn can_send_and_get_messages() {
 
     for _ in 0..10 {
         for sender in [env.principal_0, env.principal_1].iter().copied() {
-            let nonce_raw = *message_id_counters.get(&sender).unwrap();
-            message_id_counters.insert(sender, nonce_raw + 1);
+            let message_id_raw = *message_id_counters.get(&sender).unwrap();
+            message_id_counters.insert(sender, message_id_raw + 1);
 
             let user_message = UserMessage {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(0),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                nonce: Nonce(nonce_raw),
+                message_id: SenderMessageId(message_id_raw),
             };
 
             // + 1 is because the update call calls `tick` internally
@@ -209,7 +169,7 @@ fn can_send_and_get_messages() {
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
                     chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
-                    nonce: Nonce(nonce_raw),
+                    sender_message_id: SenderMessageId(message_id_raw),
                 },
             };
 
@@ -219,7 +179,7 @@ fn can_send_and_get_messages() {
                 assert_eq!(
                     env.update::<Vec<EncryptedMessage>>(
                         caller,
-                        "get_messages",
+                        "get_some_messages_for_chat_starting_from",
                         encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                     ),
                     expected_chat_history
@@ -263,7 +223,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(0),
                 symmetric_key_epoch,
-                nonce: Nonce(0),
+                message_id: SenderMessageId(0),
             };
 
             let result = env.update::<Result<Time, String>>(
@@ -313,7 +273,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    nonce: Nonce(0),
+                    message_id: SenderMessageId(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -350,7 +310,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    nonce: Nonce(0),
+                    message_id: SenderMessageId(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -397,7 +357,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_messages",
+                "get_some_messages_for_chat_starting_from",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
@@ -586,7 +546,7 @@ fn fails_to_send_messages_with_wrong_vetkey_epoch() {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(latest_epoch + 1),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                nonce: Nonce(0),
+                message_id: SenderMessageId(0),
             };
 
             let result = env.update::<Result<Time, String>>(
@@ -628,7 +588,7 @@ fn fails_to_send_messages_with_wrong_vetkey_epoch() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_messages",
+                "get_some_messages_for_chat_starting_from",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
@@ -901,12 +861,13 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
 
     let expiry_setting_minutes = 10_000;
 
-    env.update::<Result<Time, String>>(
-        env.principal_0,
-        "create_direct_chat",
-        encode_args((env.principal_1, Time(1_000), Time(expiry_setting_minutes))).unwrap(),
-    )
-    .unwrap();
+    let chat_creation_time = env
+        .update::<Result<Time, String>>(
+            env.principal_0,
+            "create_direct_chat",
+            encode_args((env.principal_1, Time(1_000), Time(expiry_setting_minutes))).unwrap(),
+        )
+        .unwrap();
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
     let cache_data = b"dummy symmetric key cache".to_vec();
@@ -922,18 +883,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
         .unwrap();
     }
 
-    let new_epoch = env
-        .update::<Result<VetKeyEpochId, String>>(
-            env.principal_0,
-            "rotate_chat_vetkey",
-            encode_args((chat_id,)).unwrap(),
-        )
-        .unwrap();
-    assert_eq!(new_epoch, VetKeyEpochId(1));
-
-    let rotation_time = env.pic.get_time().as_nanos_since_unix_epoch();
-
-    let expiry_time = rotation_time + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
+    let expiry_time = chat_creation_time.0 + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
     // Fast forward time to expire epoch 0
     env.pic
         .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
@@ -1351,14 +1301,15 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
 
-    let message_expiry_time_minutes = Time(100);
+    let message_expiry_time_minutes = Time(10_000);
 
-    env.update::<Result<Time, String>>(
-        env.principal_0,
-        "create_direct_chat",
-        encode_args((env.principal_1, Time(10), message_expiry_time_minutes)).unwrap(),
-    )
-    .unwrap();
+    let chat_creation_time = env
+        .update::<Result<Time, String>>(
+            env.principal_0,
+            "create_direct_chat",
+            encode_args((env.principal_1, Time(1_000), message_expiry_time_minutes)).unwrap(),
+        )
+        .unwrap();
 
     let chat_id = ChatId::Direct(DirectChatId::new((env.principal_0, env.principal_1)));
 
@@ -1416,8 +1367,6 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
         .unwrap();
     assert_eq!(new_epoch, VetKeyEpochId(1));
 
-    let rotation_time_0 = env.pic.get_time().as_nanos_since_unix_epoch();
-
     let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
         env.principal_1,
         "get_my_reshared_ibe_encrypted_vetkey",
@@ -1445,7 +1394,7 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
 
     env.pic
         .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
-            rotation_time_0 + message_expiry_time_minutes.0 * NANOSECONDS_IN_MINUTE,
+            chat_creation_time.0 + message_expiry_time_minutes.0 * NANOSECONDS_IN_MINUTE,
         ));
 
     let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
@@ -1466,21 +1415,7 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
     )
     .unwrap();
 
-    let new_epoch = env
-        .update::<Result<VetKeyEpochId, String>>(
-            env.principal_0,
-            "rotate_chat_vetkey",
-            encode_args((chat_id,)).unwrap(),
-        )
-        .unwrap();
-    assert_eq!(new_epoch, VetKeyEpochId(2));
-
-    let rotation_time_1 = env.pic.get_time().as_nanos_since_unix_epoch();
-
-    env.pic
-        .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(
-            rotation_time_1 + message_expiry_time_minutes.0 * NANOSECONDS_IN_MINUTE,
-        ));
+    env.pic.advance_time(std::time::Duration::from_nanos(10));
 
     let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
         env.principal_1,
@@ -1542,7 +1477,7 @@ fn time_job_reports_cleaned_up_expired_items() {
                 content: b"hello".to_vec(),
                 vetkey_epoch: VetKeyEpochId(i),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                nonce: Nonce(i + 2 * j),
+                message_id: SenderMessageId(i + 2 * j),
             };
             env.update::<Result<Time, String>>(
                 env.principal_0,
@@ -1603,6 +1538,5 @@ fn time_job_reports_cleaned_up_expired_items() {
     let log_string = logs.iter().fold(String::new(), |acc, log| {
         format!("{acc}{}", String::from_utf8(log.content.clone()).unwrap())
     });
-    let index = log_string.find("Timer job").expect("no timer job found");
-    assert_eq!(&log_string[index..], "Timer job: cleaned up 8 expired direct messages, 0 expired group messages, 2 expired vetkey epochs (2 caches), 2 expired reshared vetkeys");
+    assert_eq!(log_string, "Timer job: cleaned up 8 expired direct messages, 0 expired group messages, 4 expired vetkey epochs caches, 4 expired reshared vetkeys");
 }
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index 45f2ab9e..28e10b80 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -2,7 +2,7 @@ use candid::{encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata,
     EncryptedSymmetricKeyEpochCache, GroupChatId, GroupChatMetadata, GroupModification,
-    IbeEncryptedVetKey, Nonce, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
+    IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
     VetKeyEpochMetadata,
 };
 use serde_bytes::ByteBuf;
@@ -15,14 +15,13 @@ fn can_create_chat() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
 
-    for (expected_chat_id, other_participants) in [
+    let mut expected_chat_id = 0;
+
+    for other_participants in [
         vec![],
         vec![env.principal_1],
         vec![env.principal_1, env.principal_2],
-    ]
-    .into_iter()
-    .enumerate()
-    {
+    ] {
         let result = env.update::<Result<GroupChatMetadata, String>>(
             env.principal_0,
             "create_group_chat",
@@ -32,10 +31,12 @@ fn can_create_chat() {
         assert_eq!(
             result,
             Ok(GroupChatMetadata {
-                chat_id: GroupChatId(expected_chat_id as u64),
+                chat_id: GroupChatId(expected_chat_id),
                 creation_timestamp: Time(env.pic.get_time().as_nanos_since_unix_epoch()),
             })
         );
+
+        expected_chat_id += 1;
     }
 }
 
@@ -78,7 +79,7 @@ fn can_send_and_get_messages() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_messages",
+                    "get_some_messages_for_chat_starting_from",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]
@@ -87,14 +88,14 @@ fn can_send_and_get_messages() {
 
         for _ in 0..10 {
             for sender in all_participants.iter().copied() {
-                let nonce_raw = *message_id_counters.get(&sender).unwrap();
-                message_id_counters.insert(sender, nonce_raw + 1);
+                let message_id_raw = *message_id_counters.get(&sender).unwrap();
+                message_id_counters.insert(sender, message_id_raw + 1);
 
                 let user_message = UserMessage {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
-                    nonce: Nonce(nonce_raw),
+                    message_id: SenderMessageId(message_id_raw),
                 };
 
                 // + 1 is because the update call calls `tick` internally
@@ -116,7 +117,7 @@ fn can_send_and_get_messages() {
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch: SymmetricKeyEpochId(0),
                         chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
-                        nonce: Nonce(nonce_raw),
+                        sender_message_id: SenderMessageId(message_id_raw),
                     },
                 };
 
@@ -126,7 +127,7 @@ fn can_send_and_get_messages() {
                     assert_eq!(
                         env.update::<Vec<EncryptedMessage>>(
                             caller,
-                            "get_messages",
+                            "get_some_messages_for_chat_starting_from",
                             encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                         ),
                         expected_chat_history
@@ -181,7 +182,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    nonce: Nonce(0),
+                    message_id: SenderMessageId(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -224,7 +225,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                         content: message_content.clone(),
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch,
-                        nonce: Nonce(0),
+                        message_id: SenderMessageId(0),
                     };
 
                     let result = env.update::<Result<Time, String>>(
@@ -253,7 +254,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                         content: message_content.clone(),
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch,
-                        nonce: Nonce(0),
+                        message_id: SenderMessageId(0),
                     };
 
                     let result = env.update::<Result<Time, String>>(
@@ -292,7 +293,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_messages",
+                    "get_some_messages_for_chat_starting_from",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]
@@ -506,7 +507,7 @@ fn fails_to_send_group_chat_message_with_wrong_vetkey_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(latest_epoch + 1),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
-                    nonce: Nonce(0),
+                    message_id: SenderMessageId(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -540,7 +541,7 @@ fn fails_to_send_group_chat_message_with_wrong_vetkey_epoch() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_messages",
+                    "get_some_messages_for_chat_starting_from",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]
@@ -854,7 +855,6 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
 fn cannot_access_cache_after_vetkey_epoch_expires() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
-    let expiry_setting_minutes = 10_000;
 
     for other_participants in [
         vec![],
@@ -870,12 +870,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
             .update::<Result<GroupChatMetadata, String>>(
                 env.principal_0,
                 "create_group_chat",
-                encode_args((
-                    other_participants.clone(),
-                    Time(1_000),
-                    Time(expiry_setting_minutes),
-                ))
-                .unwrap(),
+                encode_args((other_participants.clone(), Time(1_000), Time(10_000))).unwrap(),
             )
             .unwrap();
 
@@ -903,9 +898,9 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
             .unwrap();
         assert_eq!(new_epoch, VetKeyEpochId(1));
 
-        let rotation_time = env.pic.get_time().as_nanos_since_unix_epoch();
-
-        let expiry_time = rotation_time + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
+        let expiry_setting_minutes = 10_000;
+        let expiry_time = group_chat_metadata.creation_timestamp.0
+            + expiry_setting_minutes * NANOSECONDS_IN_MINUTE;
         // Fast forward time to expire epoch 0
         env.pic
             .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
@@ -913,7 +908,7 @@ fn cannot_access_cache_after_vetkey_epoch_expires() {
         // Neither authorized nor unauthorized users can access expired epoch cache
         for caller in [env.principal_0, env.principal_1, env.principal_2]
             .into_iter()
-            .filter(|p| *p == env.principal_0 || other_participants.contains(p))
+            .filter(|p| *p == env.principal_0 || other_participants.contains(&p))
         {
             // Cannot update cache for expired epoch
             let result = env.update::<Result<(), String>>(
@@ -1755,8 +1750,6 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
             .unwrap();
         assert_eq!(new_epoch, VetKeyEpochId(1));
 
-        let rotation_time_1 = env.pic.get_time().as_nanos_since_unix_epoch();
-
         // Verify epoch 0 reshared vetkey is still available
         let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
             participants[1],
@@ -1785,7 +1778,8 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
         );
 
         // Fast forward time to expire epoch 0
-        let expiry_time = rotation_time_1 + expiry_setting_minutes.0 * NANOSECONDS_IN_MINUTE;
+        let expiry_time = group_chat_metadata.creation_timestamp.0
+            + expiry_setting_minutes.0 * NANOSECONDS_IN_MINUTE;
         env.pic
             .set_time(pocket_ic::Time::from_nanos_since_unix_epoch(expiry_time));
 
@@ -1809,20 +1803,8 @@ fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
         )
         .unwrap();
 
-        // Rotate to epoch 1
-        let new_epoch = env
-            .update::<Result<VetKeyEpochId, String>>(
-                participants[0],
-                "rotate_chat_vetkey",
-                encode_args((chat_id,)).unwrap(),
-            )
-            .unwrap();
-        assert_eq!(new_epoch, VetKeyEpochId(2));
-
         // Fast forward time to expire epoch 1
-        env.pic.advance_time(std::time::Duration::from_nanos(
-            expiry_setting_minutes.0 * NANOSECONDS_IN_MINUTE,
-        ));
+        env.pic.advance_time(std::time::Duration::from_nanos(10));
 
         let result = env.update::<Result<Option<IbeEncryptedVetKey>, String>>(
             participants[1],
@@ -1890,7 +1872,7 @@ fn time_job_reports_cleaned_up_expired_items() {
                 content: b"hello".to_vec(),
                 vetkey_epoch: VetKeyEpochId(i),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                nonce: Nonce(i + 2 * j),
+                message_id: SenderMessageId(i + 2 * j),
             };
             env.update::<Result<Time, String>>(
                 env.principal_0,
@@ -1951,7 +1933,5 @@ fn time_job_reports_cleaned_up_expired_items() {
     let log_string = logs.iter().fold(String::new(), |acc, log| {
         format!("{acc}{}", String::from_utf8(log.content.clone()).unwrap())
     });
-
-    let index = log_string.find("Timer job").expect("no timer job found");
-    assert_eq!(&log_string[index..], "Timer job: cleaned up 0 expired direct messages, 8 expired group messages, 2 expired vetkey epochs (2 caches), 2 expired reshared vetkeys");
+    assert_eq!(log_string, "Timer job: cleaned up 0 expired direct messages, 8 expired group messages, 4 expired vetkey epochs caches, 4 expired reshared vetkeys");
 }
diff --git a/examples/encrypted_chat/rust/backend/tests/misc.rs b/examples/encrypted_chat/rust/backend/tests/misc.rs
index cd4516da..de339a71 100644
--- a/examples/encrypted_chat/rust/backend/tests/misc.rs
+++ b/examples/encrypted_chat/rust/backend/tests/misc.rs
@@ -72,7 +72,7 @@ fn can_create_many_chats() {
             if group_creator[0] != participants[0]
                 && !invited_participants.contains(&participants[0])
             {
-                invited_participants.push(participants[0]);
+                invited_participants.push(participants[0].clone());
             }
 
             let chat_id = ChatId::Group(GroupChatId(num_group_chats));
@@ -95,37 +95,27 @@ fn can_create_many_chats() {
         }
 
         for p in participants.clone() {
-            let my_chat_ids = env.query::<GetMyChatsAndTimeResponse>(
+            let my_chat_ids = env.query::<Vec<(ChatId, ChatMessageId)>>(
                 p,
-                "get_my_chats_and_time",
+                "get_my_chat_ids",
                 encode_args(()).unwrap(),
             );
 
             let expected_chat_ids = expected_chat_ids
                 .range((p, ChatId::MIN_VALUE)..)
                 .take_while(|(key, _)| key.0 == p)
-                .map(|(key, _value)| ChatMetadata {
-                    chat_id: key.1,
-                    number_of_messages: ChatMessageId(0),
-                    latest_vetkey_epoch_id: VetKeyEpochId(0),
-                    disappearing_messages_duration: Time(NANOSECONDS_IN_MINUTE * 10_000),
-                    first_non_expired_message_id: None,
-                    first_non_expired_vetkey_epoch_id: VetKeyEpochId(0),
-                })
+                .map(|(key, _value)| (key.1, ChatMessageId(0)))
                 .collect::<Vec<_>>();
 
-            assert_eq!(my_chat_ids.chats_metadata, expected_chat_ids);
+            assert_eq!(my_chat_ids, expected_chat_ids);
         }
 
-        let p0_chat_ids = env.query::<GetMyChatsAndTimeResponse>(
+        let p0_chat_ids = env.query::<Vec<(ChatId, ChatMessageId)>>(
             participants[0],
-            "get_my_chats_and_time",
+            "get_my_chat_ids",
             encode_args(()).unwrap(),
         );
 
-        assert_eq!(
-            p0_chat_ids.chats_metadata.len() as u64,
-            num_group_chats + num_direct_chats
-        );
+        assert_eq!(p0_chat_ids.len() as u64, num_group_chats + num_direct_chats);
     }
 }

From 03fa32b97298000b193abf42825571f719fb958e Mon Sep 17 00:00:00 2001
From: Franz-Stefan Preiss <franzstefan@dfinity.org>
Date: Mon, 12 Jan 2026 14:10:08 +0100
Subject: [PATCH 57/62] dfx.json: bin to 127.0.0.1 instead of localhost

---
 examples/encrypted_chat/rust/dfx.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/encrypted_chat/rust/dfx.json b/examples/encrypted_chat/rust/dfx.json
index 1bfb7dae..55826bfd 100644
--- a/examples/encrypted_chat/rust/dfx.json
+++ b/examples/encrypted_chat/rust/dfx.json
@@ -43,7 +43,7 @@
   "output_env_file": ".env",
   "networks": {
     "local": {
-      "bind": "localhost:4943",
+      "bind": "127.0.0.1:4943",
       "type": "ephemeral"
     }
   }

From adc96a15e1e83e61054cc63abab30764f2a13849 Mon Sep 17 00:00:00 2001
From: Franz-Stefan Preiss <franzstefan@dfinity.org>
Date: Mon, 12 Jan 2026 15:44:15 +0100
Subject: [PATCH 58/62] Rename message ID to nonce

---
 .../lib/services/encryptedMessagingService.ts | 12 +++++-----
 .../frontend/src/lib/utils/index.ts           |  8 +++----
 .../encrypted_chat/rust/backend/backend.did   |  2 +-
 .../encrypted_chat/rust/backend/src/lib.rs    | 19 +++++++---------
 .../encrypted_chat/rust/backend/src/types.rs  | 18 +++++++--------
 .../rust/backend/tests/direct_chat.rs         | 22 +++++++++----------
 .../rust/backend/tests/group_chat.rs          | 16 +++++++-------
 7 files changed, 47 insertions(+), 50 deletions(-)

diff --git a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
index 5ead32a3..c3fa4689 100644
--- a/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
+++ b/examples/encrypted_chat/frontend/src/lib/services/encryptedMessagingService.ts
@@ -14,7 +14,7 @@ import {
 	chatIdFromString,
 	chatIdsNumMessagesToSummary,
 	chatIdToString,
-	randomSenderMessageId
+	randomNonce
 } from '$lib/utils';
 import * as cbor from 'cbor-x';
 import type { SymmetricRatchetState } from '$lib/crypto/symmetricRatchet';
@@ -127,13 +127,13 @@ export class EncryptedMessagingService {
 		const MAX_RETRIES = 50;
 		const TIMEOUT_MS = 1000;
 
-		const senderMessageId = randomSenderMessageId();
+		const nonce = randomNonce();
 		for (let i = 0; i < MAX_RETRIES; i++) {
 			try {
 				const encrypted = await this.#keyManager.encryptNow(
 					chatIdStr,
 					getMyPrincipal(),
-					senderMessageId,
+					nonce,
 					content
 				);
 				await sendMessage(
@@ -141,7 +141,7 @@ export class EncryptedMessagingService {
 					chatIdFromString(chatIdStr),
 					encrypted.vetKeyEpoch,
 					encrypted.symmetricRatchetEpoch,
-					senderMessageId,
+					nonce,
 					encrypted.encryptedBytes
 				);
 				break;
@@ -408,7 +408,7 @@ async function sendMessage(
 	chatId: ChatId,
 	vetKeyEpoch: bigint,
 	symmetricRatchetEpoch: bigint,
-	senderMessageId: bigint,
+	nonce: bigint,
 	encryptedBytes: Uint8Array
 ) {
 	// Create UserMessage for the canister
@@ -416,7 +416,7 @@ async function sendMessage(
 		vetkey_epoch: vetKeyEpoch,
 		content: encryptedBytes,
 		symmetric_key_epoch: symmetricRatchetEpoch,
-		message_id: senderMessageId
+		nonce: nonce
 	};
 
 	// Send to canister using the appropriate method based on chat type
diff --git a/examples/encrypted_chat/frontend/src/lib/utils/index.ts b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
index 55ae88ba..b2281684 100644
--- a/examples/encrypted_chat/frontend/src/lib/utils/index.ts
+++ b/examples/encrypted_chat/frontend/src/lib/utils/index.ts
@@ -89,12 +89,12 @@ export function chatIdsNumMessagesToSummary(
 	}, '');
 }
 
-export function randomSenderMessageId(): bigint {
+export function randomNonce(): bigint {
 	const buf = new Uint8Array(8);
 	globalThis.crypto.getRandomValues(buf);
-	let senderMessageId = 0n;
-	for (const b of buf) senderMessageId = (senderMessageId << 8n) | BigInt(b);
-	return senderMessageId;
+	let nonce = 0n;
+	for (const b of buf) nonce = (nonce << 8n) | BigInt(b);
+	return nonce;
 }
 
 export function toHex(bytes: Uint8Array): string {
diff --git a/examples/encrypted_chat/rust/backend/backend.did b/examples/encrypted_chat/rust/backend/backend.did
index ae392965..968830f2 100644
--- a/examples/encrypted_chat/rust/backend/backend.did
+++ b/examples/encrypted_chat/rust/backend/backend.did
@@ -29,7 +29,7 @@ type UserMessage = record {
   vetkey_epoch : nat64;
   content : blob;
   symmetric_key_epoch : nat64;
-  message_id : nat64;
+  nonce : nat64;
 };
 type VetKeyEpochMetadata = record {
   symmetric_key_rotation_duration : nat64;
diff --git a/examples/encrypted_chat/rust/backend/src/lib.rs b/examples/encrypted_chat/rust/backend/src/lib.rs
index c9113c21..3009b382 100644
--- a/examples/encrypted_chat/rust/backend/src/lib.rs
+++ b/examples/encrypted_chat/rust/backend/src/lib.rs
@@ -42,7 +42,7 @@ thread_local! {
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(3))),
     ));
 
-    static SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID: RefCell<StableBTreeMap<(ChatId, Sender, SenderMessageId), (), Memory>> = RefCell::new(StableBTreeMap::init(
+    static SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID: RefCell<StableBTreeMap<(ChatId, Sender, Nonce), (), Memory>> = RefCell::new(StableBTreeMap::init(
         MEMORY_MANAGER.with(|m| m.borrow().get(MemoryId::new(4))),
     ));
 
@@ -396,7 +396,7 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
         user_message.vetkey_epoch,
         user_message.symmetric_key_epoch,
     )?;
-    ensure_message_id_is_unique(chat_id, user_message.message_id)?;
+    ensure_nonce_is_unique(chat_id, user_message.nonce)?;
 
     let now = Time(ic_cdk::api::time());
 
@@ -416,12 +416,12 @@ fn send_direct_message(user_message: UserMessage, receiver: Principal) -> Result
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
-            nonce: user_message.message_id,
+            nonce: user_message.nonce,
         },
     };
 
     SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID.with_borrow_mut(|message_times| {
-        message_times.insert((chat_id, Sender(caller), user_message.message_id), ());
+        message_times.insert((chat_id, Sender(caller), user_message.nonce), ());
     });
 
     DIRECT_CHAT_MESSAGES.with_borrow_mut(|messages| {
@@ -458,7 +458,7 @@ fn send_group_message(
         user_message.vetkey_epoch,
         user_message.symmetric_key_epoch,
     )?;
-    ensure_message_id_is_unique(chat_id, user_message.message_id)?;
+    ensure_nonce_is_unique(chat_id, user_message.nonce)?;
 
     let now = Time(ic_cdk::api::time());
 
@@ -478,12 +478,12 @@ fn send_group_message(
             vetkey_epoch: user_message.vetkey_epoch,
             symmetric_key_epoch: user_message.symmetric_key_epoch,
             chat_message_id,
-            nonce: user_message.message_id,
+            nonce: user_message.nonce,
         },
     };
 
     SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID.with_borrow_mut(|message_times| {
-        message_times.insert((chat_id, Sender(caller), user_message.message_id), ());
+        message_times.insert((chat_id, Sender(caller), user_message.nonce), ());
     });
 
     GROUP_CHAT_MESSAGES.with_borrow_mut(|messages| {
@@ -1081,10 +1081,7 @@ fn ensure_chat_and_vetkey_epoch_exist(
     })
 }
 
-fn ensure_message_id_is_unique(
-    chat_id: ChatId,
-    nonce: SenderMessageId,
-) -> Result<(), String> {
+fn ensure_nonce_is_unique(chat_id: ChatId, nonce: Nonce) -> Result<(), String> {
     let caller = ic_cdk::api::msg_caller();
     let maybe_existing_id = SET_CHAT_AND_SENDER_AND_USER_MESSAGE_ID
         .with_borrow(|message_ids| message_ids.get(&(chat_id, Sender(caller), nonce)));
diff --git a/examples/encrypted_chat/rust/backend/src/types.rs b/examples/encrypted_chat/rust/backend/src/types.rs
index 81c6897c..fe5dd998 100644
--- a/examples/encrypted_chat/rust/backend/src/types.rs
+++ b/examples/encrypted_chat/rust/backend/src/types.rs
@@ -59,7 +59,7 @@ pub struct EncryptedMessageMetadata {
     pub vetkey_epoch: VetKeyEpochId,
     pub symmetric_key_epoch: SymmetricKeyEpochId,
     pub chat_message_id: ChatMessageId,
-    pub nonce: SenderMessageId,
+    pub nonce: Nonce,
 }
 
 impl Storable for EncryptedMessageMetadata {
@@ -96,12 +96,12 @@ impl Storable for EncryptedMessageMetadata {
         ));
 
         let (chat_message_id_bytes, nonce_bytes) = rest.split_at(8);
-        let chat_message_id = ChatMessageId(u64::from_le_bytes(chat_message_id_bytes.try_into().unwrap()));
-
-        let nonce = SenderMessageId(u64::from_le_bytes(
-            nonce_bytes.try_into().unwrap(),
+        let chat_message_id = ChatMessageId(u64::from_le_bytes(
+            chat_message_id_bytes.try_into().unwrap(),
         ));
 
+        let nonce = Nonce(u64::from_le_bytes(nonce_bytes.try_into().unwrap()));
+
         Self {
             sender,
             timestamp,
@@ -123,7 +123,7 @@ pub struct UserMessage {
     pub content: Vec<u8>,
     pub vetkey_epoch: VetKeyEpochId,
     pub symmetric_key_epoch: SymmetricKeyEpochId,
-    pub message_id: SenderMessageId,
+    pub nonce: Nonce,
 }
 
 storable_unbounded!(UserMessage);
@@ -262,13 +262,13 @@ impl Storable for ChatId {
     };
 }
 
-/// Per-sender, user-assigned message id.
+/// User-assigned nonce used for message encryption.
 #[derive(
     CandidType, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Copy,
 )]
-pub struct SenderMessageId(pub u64);
+pub struct Nonce(pub u64);
 
-storable_delegate!(SenderMessageId, u64);
+storable_delegate!(Nonce, u64);
 
 /// Chat message id is assigned to each message in the chat sequentially.
 /// The IDs are assigned from an incrementing counter for a chat for all users.
diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index 2a9fb836..34114622 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -1,8 +1,8 @@
 use candid::{encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, DirectChatId, EncryptedMessage, EncryptedMessageMetadata,
-    EncryptedSymmetricKeyEpochCache, IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId,
-    Time, UserMessage, VetKeyEpochId,
+    EncryptedSymmetricKeyEpochCache, IbeEncryptedVetKey, Nonce, SymmetricKeyEpochId, Time,
+    UserMessage, VetKeyEpochId,
 };
 use serde_bytes::ByteBuf;
 
@@ -132,14 +132,14 @@ fn can_send_and_get_messages() {
 
     for _ in 0..10 {
         for sender in [env.principal_0, env.principal_1].iter().copied() {
-            let message_id_raw = *message_id_counters.get(&sender).unwrap();
-            message_id_counters.insert(sender, message_id_raw + 1);
+            let nonce_raw = *message_id_counters.get(&sender).unwrap();
+            message_id_counters.insert(sender, nonce_raw + 1);
 
             let user_message = UserMessage {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(0),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                message_id: SenderMessageId(message_id_raw),
+                nonce: Nonce(nonce_raw),
             };
 
             // + 1 is because the update call calls `tick` internally
@@ -169,7 +169,7 @@ fn can_send_and_get_messages() {
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
                     chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
-                    sender_message_id: SenderMessageId(message_id_raw),
+                    nonce: Nonce(nonce_raw),
                 },
             };
 
@@ -223,7 +223,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(0),
                 symmetric_key_epoch,
-                message_id: SenderMessageId(0),
+                nonce: Nonce(0),
             };
 
             let result = env.update::<Result<Time, String>>(
@@ -273,7 +273,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    message_id: SenderMessageId(0),
+                    nonce: Nonce(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -310,7 +310,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    message_id: SenderMessageId(0),
+                    nonce: Nonce(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -546,7 +546,7 @@ fn fails_to_send_messages_with_wrong_vetkey_epoch() {
                 content: message_content.clone(),
                 vetkey_epoch: VetKeyEpochId(latest_epoch + 1),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                message_id: SenderMessageId(0),
+                nonce: Nonce(0),
             };
 
             let result = env.update::<Result<Time, String>>(
@@ -1477,7 +1477,7 @@ fn time_job_reports_cleaned_up_expired_items() {
                 content: b"hello".to_vec(),
                 vetkey_epoch: VetKeyEpochId(i),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                message_id: SenderMessageId(i + 2 * j),
+                nonce: Nonce(i + 2 * j),
             };
             env.update::<Result<Time, String>>(
                 env.principal_0,
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index 28e10b80..b193d011 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -2,7 +2,7 @@ use candid::{encode_args, Principal};
 use ic_vetkeys_example_encrypted_chat_backend::types::{
     ChatId, ChatMessageId, EncryptedMessage, EncryptedMessageMetadata,
     EncryptedSymmetricKeyEpochCache, GroupChatId, GroupChatMetadata, GroupModification,
-    IbeEncryptedVetKey, SenderMessageId, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
+    IbeEncryptedVetKey, Nonce, SymmetricKeyEpochId, Time, UserMessage, VetKeyEpochId,
     VetKeyEpochMetadata,
 };
 use serde_bytes::ByteBuf;
@@ -95,7 +95,7 @@ fn can_send_and_get_messages() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
-                    message_id: SenderMessageId(message_id_raw),
+                    nonce: Nonce(message_id_raw),
                 };
 
                 // + 1 is because the update call calls `tick` internally
@@ -117,7 +117,7 @@ fn can_send_and_get_messages() {
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch: SymmetricKeyEpochId(0),
                         chat_message_id: ChatMessageId(expected_chat_history.len() as u64),
-                        sender_message_id: SenderMessageId(message_id_raw),
+                        nonce: Nonce(message_id_raw),
                     },
                 };
 
@@ -182,7 +182,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(0),
                     symmetric_key_epoch,
-                    message_id: SenderMessageId(0),
+                    nonce: Nonce(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -225,7 +225,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                         content: message_content.clone(),
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch,
-                        message_id: SenderMessageId(0),
+                        nonce: Nonce(0),
                     };
 
                     let result = env.update::<Result<Time, String>>(
@@ -254,7 +254,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
                         content: message_content.clone(),
                         vetkey_epoch: VetKeyEpochId(0),
                         symmetric_key_epoch,
-                        message_id: SenderMessageId(0),
+                        nonce: Nonce(0),
                     };
 
                     let result = env.update::<Result<Time, String>>(
@@ -507,7 +507,7 @@ fn fails_to_send_group_chat_message_with_wrong_vetkey_epoch() {
                     content: message_content.clone(),
                     vetkey_epoch: VetKeyEpochId(latest_epoch + 1),
                     symmetric_key_epoch: SymmetricKeyEpochId(0),
-                    message_id: SenderMessageId(0),
+                    nonce: Nonce(0),
                 };
 
                 let result = env.update::<Result<Time, String>>(
@@ -1872,7 +1872,7 @@ fn time_job_reports_cleaned_up_expired_items() {
                 content: b"hello".to_vec(),
                 vetkey_epoch: VetKeyEpochId(i),
                 symmetric_key_epoch: SymmetricKeyEpochId(0),
-                message_id: SenderMessageId(i + 2 * j),
+                nonce: Nonce(i + 2 * j),
             };
             env.update::<Result<Time, String>>(
                 env.principal_0,

From e8d2fcf788c6250103fc445ebf8a2c90af2bade6 Mon Sep 17 00:00:00 2001
From: Franz-Stefan Preiss <franzstefan@dfinity.org>
Date: Mon, 12 Jan 2026 15:52:36 +0100
Subject: [PATCH 59/62] get_some_messages_for_chat_starting_from ->
 get_messages

---
 examples/encrypted_chat/rust/backend/tests/direct_chat.rs | 8 ++++----
 examples/encrypted_chat/rust/backend/tests/group_chat.rs  | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index 34114622..977340bf 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -123,7 +123,7 @@ fn can_send_and_get_messages() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_some_messages_for_chat_starting_from",
+                "get_messages",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
@@ -179,7 +179,7 @@ fn can_send_and_get_messages() {
                 assert_eq!(
                     env.update::<Vec<EncryptedMessage>>(
                         caller,
-                        "get_some_messages_for_chat_starting_from",
+                        "get_messages",
                         encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                     ),
                     expected_chat_history
@@ -357,7 +357,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_some_messages_for_chat_starting_from",
+                "get_messages",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
@@ -588,7 +588,7 @@ fn fails_to_send_messages_with_wrong_vetkey_epoch() {
         assert_eq!(
             env.update::<Vec<EncryptedMessage>>(
                 caller,
-                "get_some_messages_for_chat_starting_from",
+                "get_messages",
                 encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
             ),
             vec![]
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index b193d011..2f298581 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -79,7 +79,7 @@ fn can_send_and_get_messages() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_some_messages_for_chat_starting_from",
+                    "get_messages",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]
@@ -127,7 +127,7 @@ fn can_send_and_get_messages() {
                     assert_eq!(
                         env.update::<Vec<EncryptedMessage>>(
                             caller,
-                            "get_some_messages_for_chat_starting_from",
+                            "get_messages",
                             encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                         ),
                         expected_chat_history
@@ -293,7 +293,7 @@ fn fails_to_send_messages_with_wrong_symmetric_key_epoch() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_some_messages_for_chat_starting_from",
+                    "get_messages",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]
@@ -541,7 +541,7 @@ fn fails_to_send_group_chat_message_with_wrong_vetkey_epoch() {
             assert_eq!(
                 env.update::<Vec<EncryptedMessage>>(
                     caller,
-                    "get_some_messages_for_chat_starting_from",
+                    "get_messages",
                     encode_args((chat_id, ChatMessageId(0), Option::<u32>::None)).unwrap(),
                 ),
                 vec![]

From 6ca43ce436889a49e46aa9c30be85de3a1f83234 Mon Sep 17 00:00:00 2001
From: Franz-Stefan Preiss <franzstefan@dfinity.org>
Date: Tue, 13 Jan 2026 03:27:29 +0100
Subject: [PATCH 60/62] ignore failing tests related to vetkey epoch expiry

---
 examples/encrypted_chat/rust/backend/tests/direct_chat.rs | 2 ++
 examples/encrypted_chat/rust/backend/tests/group_chat.rs  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
index 977340bf..cea335cf 100644
--- a/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/direct_chat.rs
@@ -855,6 +855,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
 }
 
 #[test]
+#[ignore = "vetkey epoch expiry not fully implemented yet"]
 fn cannot_access_cache_after_vetkey_epoch_expires() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
@@ -1297,6 +1298,7 @@ fn fails_to_reshare_vetkey_with_oneself() {
 }
 
 #[test]
+#[ignore = "vetkey epoch expiry not fully implemented yet"]
 fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
diff --git a/examples/encrypted_chat/rust/backend/tests/group_chat.rs b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
index 2f298581..d727fa63 100644
--- a/examples/encrypted_chat/rust/backend/tests/group_chat.rs
+++ b/examples/encrypted_chat/rust/backend/tests/group_chat.rs
@@ -852,6 +852,7 @@ fn unauthorized_user_cannot_access_symmetric_key_cache() {
 }
 
 #[test]
+#[ignore = "vetkey epoch expiry not fully implemented yet"]
 fn cannot_access_cache_after_vetkey_epoch_expires() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);
@@ -1669,6 +1670,7 @@ fn fails_to_reshare_vetkey_with_oneself() {
 }
 
 #[test]
+#[ignore = "vetkey epoch expiry not fully implemented yet"]
 fn fails_to_reshare_or_get_reshared_vetkeys_for_invalid_vetkey_epochs() {
     let rng = &mut reproducible_rng();
     let env = TestEnvironment::new(rng);

From fe0871076bba790e38160751dd37a7e3a35e749b Mon Sep 17 00:00:00 2001
From: Franz-Stefan Preiss <franzstefan@dfinity.org>
Date: Tue, 13 Jan 2026 03:42:57 +0100
Subject: [PATCH 61/62] Add disclaimer to encrypted chat README

---
 examples/encrypted_chat/README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/examples/encrypted_chat/README.md b/examples/encrypted_chat/README.md
index 6af52c58..8c9f70ef 100644
--- a/examples/encrypted_chat/README.md
+++ b/examples/encrypted_chat/README.md
@@ -1 +1,5 @@
-https://icp.ninja/editor?g=https://github.com/dfinity/vetkeys/tree/alex/encrypted-chat/examples/encrypted_chat/rust
\ No newline at end of file
+> **Disclaimer**: This example is an *unfinished* prototype for a vetKeys-based encrypted chat app according to the [SPEC.md](./SPEC.md).
+> 
+> DO NOT USE IN PRODUCTION!!
+
+[![](https://icp.ninja/assets/open.svg)](https://icp.ninja/editor?g=https://github.com/dfinity/vetkeys/tree/alex/encrypted-chat/examples/encrypted_chat/rust)
\ No newline at end of file

From 94a7ca6486298e15ee961d64b5a4beb1ddfe7bcf Mon Sep 17 00:00:00 2001
From: Franz-Stefan Preiss <franzstefan@dfinity.org>
Date: Tue, 13 Jan 2026 03:43:35 +0100
Subject: [PATCH 62/62] List encryted chat as example app in vetKeys repo
 README

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index b0c8ae39..05344df2 100644
--- a/README.md
+++ b/README.md
@@ -49,3 +49,4 @@ Tools for frontend developers to interact with VetKD enabled canisters.
 - **[Password Manager](examples/password_manager)** - A secure, decentralized password manager using Encrypted Maps for vault-based password storage and sharing.
 - **[Password Manager with Metadata](examples/password_manager_with_metadata)** - Extends the basic password manager to support unencrypted metadata alongside encrypted passwords.
 - **[Encrypted Notes](examples/encrypted_notes_dapp_vetkd)** - A secure note-taking application that uses vetKeys for encryption and enables sharing notes between users without device management.
+- **[Encrypted Chat](examples/encrypted_chat)** - An *unfinished prototype* for an end-to-end encrypted messaging application based on vetKeys.