Merge pull request #854 from PR0M3TH3AN/codex/reduce-log-verbosity-in-tui

Refine console logging
2025-09-08 07:18:47 +00:00 · 2025-08-23 13:33:21 -04:00 · 2025-08-23 13:19:27 -04:00 · 2025-08-23 13:02:41 -04:00 · 2025-08-23 12:46:52 -04:00 · 2025-08-23 12:30:05 -04:00
348 changed files with 38542 additions and 5418 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
--- a/.github/workflows/briefcase.yml
+++ b/.github/workflows/briefcase.yml
@@ -0,0 +1,29 @@
+name: Build GUI
+
+on:
+  push:
+    tags:
+      - 'seedpass-gui*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pip-tools briefcase
+          pip-compile --generate-hashes --output-file=requirements.lock src/requirements.txt
+          git diff --exit-code requirements.lock
+          pip install --require-hashes -r requirements.lock
+      - name: Build with Briefcase
+        run: briefcase build
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: seedpass-gui
+          path: dist/**
--- a/.github/workflows/dependency-audit.yml
+++ b/.github/workflows/dependency-audit.yml
@@ -0,0 +1,27 @@
+name: Dependency Audit
+
+on:
+  schedule:
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pip-tools pip-audit
+          pip-compile --generate-hashes --output-file=requirements.lock src/requirements.txt
+          git diff --exit-code requirements.lock
+          pip install --require-hashes -r requirements.lock
+      - name: Run pip-audit
+        run: pip-audit -r requirements.lock --ignore-vuln GHSA-wj6h-64fc-37mp
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -9,6 +9,20 @@ on:
    - cron: '0 3 * * *'

 jobs:
+  secret-scan:
+    name: Secret Scan
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request' || github.event_name == 'schedule'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_CONFIG: .gitleaks.toml
+
  build:
    strategy:
      matrix:
@@ -59,18 +73,18 @@ jobs:
        uses: actions/cache@v3
        with:
          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('src/requirements.txt') }}
+          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.lock') }}
          restore-keys: |
            ${{ runner.os }}-pip-
-      - name: Set up Python dependencies
-        id: deps
+      - name: Verify lockfile and install dependencies
        run: |
          python -m pip install --upgrade pip
-          pip install -r src/requirements.txt
-      - name: Run pip-audit
-        run: |
-          pip install pip-audit
-          pip-audit -r requirements.lock
+          pip install pip-tools
+          pip-compile --generate-hashes --output-file=requirements.lock src/requirements.txt
+          git diff --exit-code requirements.lock
+          pip install --require-hashes -r requirements.lock
+      - name: Run dependency scan
+        run: scripts/dependency_scan.sh --ignore-vuln GHSA-wj6h-64fc-37mp
      - name: Determine stress args
        shell: bash
        run: |
@@ -81,10 +95,27 @@ jobs:
        if: github.ref == 'refs/heads/main' || github.event_name == 'schedule'
        run: echo "NOSTR_E2E=1" >> $GITHUB_ENV
      - name: Run tests with coverage
+        timeout-minutes: 16
        shell: bash
-        run: |
-          pytest ${STRESS_ARGS} --cov=src --cov-report=xml --cov-report=term-missing \
-            --cov-fail-under=20 src/tests
+        run: scripts/run_ci_tests.sh
+      - name: Run desktop tests
+        timeout-minutes: 10
+        shell: bash
+        env:
+          TOGA_BACKEND: toga_dummy
+        run: scripts/run_gui_tests.sh
+      - name: Upload pytest log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: pytest-log-${{ matrix.os }}
+          path: pytest.log
+      - name: Upload GUI pytest log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: gui-pytest-log-${{ matrix.os }}
+          path: pytest_gui.log
      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,40 @@
+name: Tests
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ["3.10", "3.11", "3.12"]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install Poetry
+        run: pipx install poetry
+      - name: Install dependencies
+        run: poetry install
+      - name: Check formatting
+        run: poetry run black --check .
+      - name: Run security audit
+        run: |
+          poetry run pip-audit || echo "::warning::pip-audit found vulnerabilities"
+        shell: bash
+      - name: Run tests with coverage
+        run: |
+          poetry run coverage run -m pytest
+          poetry run coverage xml
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ matrix.os }}-py${{ matrix.python-version }}
+          path: coverage.xml
+
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,14 @@ coverage.xml
 # Other
 .hypothesis
 totp_export.json.enc
+
+# src
+
+src/seedpass.egg-info/PKG-INFO
+src/seedpass.egg-info/SOURCES.txt
+src/seedpass.egg-info/dependency_links.txt
+src/seedpass.egg-info/entry_points.txt
+src/seedpass.egg-info/top_level.txt
+
+# Allow vendored dependencies to be committed
+!src/vendor/
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,8 @@
+title = "SeedPass gitleaks config"
+
+[allowlist]
+  description = "Paths and patterns to ignore when scanning for secrets"
+  # Add file paths that contain test data or other non-sensitive strings
+  paths = []
+  # Add regular expressions that match false positive secrets
+  regexes = []
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,6 +2,60 @@

 This project is written in **Python**. Follow these instructions when working with the code base.

+## Installation Quickstart for AI Agents
+
+### Prerequisites
+
+Ensure the system has the required build tools and Python headers. Examples:
+
+```bash
+# Ubuntu/Debian
+sudo apt update && sudo apt install -y \
+    build-essential \
+    libffi-dev \
+    pkg-config \
+    python3.11-dev \
+    curl \
+    git
+
+# CentOS/RHEL
+sudo yum install -y gcc gcc-c++ libffi-devel pkgconfig python3-devel curl git
+
+# macOS
+brew install python@3.11 libffi pkg-config git
+```
+
+### Installation
+
+Run the installer script to fetch the latest release:
+
+```bash
+# Stable release
+bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.sh)"
+
+# Beta branch
+bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.sh)" _ -b beta
+```
+
+### Environment Layout
+
+- Virtual environment: `~/.seedpass/app/venv/`
+- Entry point: `~/.seedpass/app/src/main.py`
+
+### Verification
+
+```bash
+cd ~/.seedpass/app && source venv/bin/activate
+cd src && python main.py --version  # Expected: SeedPass v[version]
+```
+
+### Running SeedPass
+
+```bash
+cd ~/.seedpass/app && source venv/bin/activate
+cd src && python main.py
+```
+
 ## Running Tests

 1. Set up a virtual environment and install dependencies:
@@ -9,7 +63,7 @@ This project is written in **Python**. Follow these instructions when working wi
   ```bash
   python3 -m venv venv
   source venv/bin/activate
-   pip install -r src/requirements.txt
+   pip install --require-hashes -r requirements.lock
   ```

 2. Run the test suite using **pytest**:
@@ -39,6 +93,19 @@ This project is written in **Python**. Follow these instructions when working wi

 Following these practices helps keep the code base consistent and secure.

+## Deterministic Artifact Generation
+
+- All generated artifacts (passwords, keys, TOTP secrets, etc.) must be fully deterministic across runs and platforms.
+- Randomness is only permitted for security primitives (e.g., encryption nonces, in-memory keys) and must never influence derived artifacts.
+
+## Legacy Index Migration
+
+- Always provide a migration path for index archives and import/export routines.
+- Support older SeedPass versions whose indexes lacked salts or password-based encryption by detecting legacy formats and upgrading them to the current schema.
+- Ensure migrations unlock older account indexes and allow Nostr synchronization.
+- Add regression tests covering these migrations whenever the index format or encryption changes.
+
+
 ## Integrating New Entry Types

 SeedPass supports multiple `kind` values in its JSON entry files. When adding a
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 ![SeedPass Logo](https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/refs/heads/main/logo/png/SeedPass-Logo-03.png)

-**SeedPass** is a secure password generator and manager built on **Bitcoin's BIP-85 standard**. It uses deterministic key derivation to generate **passwords that are never stored**, but can be easily regenerated when needed. By integrating with the **Nostr network**, SeedPass compresses your encrypted vault and splits it into 50 KB chunks. Each chunk is published as a parameterised replaceable event (`kind 30071`), with a manifest (`kind 30070`) describing the snapshot and deltas (`kind 30072`) capturing changes between snapshots. This allows secure password recovery across devices without exposing your data.
+**SeedPass** is a secure password generator and manager built on **Bitcoin's BIP-85 standard**. It uses deterministic key derivation to generate **passwords that are never stored**, but can be easily regenerated when needed. By integrating with the **Nostr network**, SeedPass compresses your encrypted vault and splits it into 50 KB chunks. Each chunk is published as a parameterised replaceable event (`kind 30071`), with a manifest (`kind 30070`) describing the snapshot and deltas (`kind 30072`) capturing changes between snapshots. This allows secure password recovery across devices without exposing your data.

 [Tip Jar](https://nostrtipjar.netlify.app/?n=npub16y70nhp56rwzljmr8jhrrzalsx5x495l4whlf8n8zsxww204k8eqrvamnp)

@@ -10,7 +10,15 @@

 **⚠️ Disclaimer**

-This software was not developed by an experienced security expert and should be used with caution. There may be bugs and missing features. Each vault chunk is limited to 50 KB and SeedPass periodically publishes a new snapshot to keep accumulated deltas small. The security of the program's memory management and logs has not been evaluated and may leak sensitive information. Loss or exposure of the parent seed places all derived passwords, accounts, and other artifacts at risk.
+This software was not developed by an experienced security expert and should be used with caution. There may be bugs and missing features. Each vault chunk is limited to 50 KB and SeedPass periodically publishes a new snapshot to keep accumulated deltas small. The security of the program's memory management and logs has not been evaluated and may leak sensitive information. Loss or exposure of the parent seed places all derived passwords, accounts, and other artifacts at risk.
+
+**🚨 Breaking Change**
+
+Recent releases derive passwords and other artifacts using a fully deterministic algorithm that behaves consistently across Python versions. This improvement means artifacts generated with earlier versions of SeedPass will not match those produced now. Regenerate any previously derived data or retain the old version if you need to reproduce older passwords or keys.
+
+**⚠️ First Run Warning**
+
+Use a dedicated BIP-39 seed phrase exclusively for SeedPass. Offline Mode is **ON by default**, keeping all Nostr syncing disabled until you explicitly opt in. To synchronize with Nostr, disable offline mode through the Settings menu or by running `seedpass config toggle-offline` and choosing to turn syncing on.

 ---
 ### Supported OS
@@ -18,21 +26,26 @@ This software was not developed by an experienced security expert and should be
 ✔ Windows 10/11 • macOS 12+ • Any modern Linux  
 SeedPass now uses the `portalocker` library for cross-platform file locking. No WSL or Cygwin required.

-
 ## Table of Contents

 - [Features](#features)
+- [Architecture Overview](#architecture-overview)
 - [Prerequisites](#prerequisites)
 - [Installation](#installation)
  - [1. Clone the Repository](#1-clone-the-repository)
  - [2. Create a Virtual Environment](#2-create-a-virtual-environment)
  - [3. Activate the Virtual Environment](#3-activate-the-virtual-environment)
  - [4. Install Dependencies](#4-install-dependencies)
+  - [Optional GUI](#optional-gui)
 - [Usage](#usage)
  - [Running the Application](#running-the-application)
  - [Managing Multiple Seeds](#managing-multiple-seeds)
    - [Additional Entry Types](#additional-entry-types)
+  - [Recovery](#recovery)
+- [Building a standalone executable](#building-a-standalone-executable)
+- [Packaging with Briefcase](#packaging-with-briefcase)
 - [Security Considerations](#security-considerations)
+- [Dependency Updates](#dependency-updates)
 - [Contributing](#contributing)
 - [License](#license)
 - [Contact](#contact)
@@ -41,8 +54,8 @@ SeedPass now uses the `portalocker` library for cross-platform file locking. No

 - **Deterministic Password Generation:** Utilize BIP-85 for generating deterministic and secure passwords.
 - **Encrypted Storage:** All seeds, login passwords, and sensitive index data are encrypted locally.
- **Nostr Integration:** Post and retrieve your encrypted password index to/from the Nostr network.
- **Chunked Snapshots:** Encrypted vaults are compressed and split into 50 KB chunks published as `kind 30071` events with a `kind 30070` manifest and `kind 30072` deltas.
+- **Nostr Integration:** Post and retrieve your encrypted password index to/from the Nostr network. See [Nostr Setup](docs/nostr_setup.md) for relay configuration and event details.
+- **Chunked Snapshots:** Encrypted vaults are compressed and split into 50 KB chunks published as `kind 30071` events with a `kind 30070` manifest and `kind 30072` deltas. The manifest's `delta_since` field stores the UNIX timestamp of the latest delta event.
 - **Automatic Checksum Generation:** The script generates and verifies a SHA-256 checksum to detect tampering.
 - **Multiple Seed Profiles:** Manage separate seed profiles and switch between them seamlessly.
 - **Nested Managed Account Seeds:** SeedPass can derive nested managed account seeds.
@@ -52,130 +65,247 @@ SeedPass now uses the `portalocker` library for cross-platform file locking. No
 - **Export 2FA Codes:** Save all stored TOTP entries to an encrypted JSON file for use with other apps.
 - **Display TOTP Codes:** Show all active 2FA codes with a countdown timer.
 - **Optional External Backup Location:** Configure a second directory where backups are automatically copied.
- **Auto‑Lock on Inactivity:** Vault locks after a configurable timeout for additional security.
- **Secret Mode:** Copy retrieved passwords directly to your clipboard and automatically clear it after a delay.
+- **Auto-Lock on Inactivity:** Vault locks after a configurable timeout for additional security.
+- **Quick Unlock:** Optionally skip the password prompt after verifying once.
+- **Secret Mode:** When enabled, newly generated and retrieved passwords are copied to your clipboard and automatically cleared after a delay.
 - **Tagging Support:** Organize entries with optional tags and find them quickly via search.
+- **Typed Search Results:** Results now display each entry's type for quicker identification.
+- **Manual Vault Export/Import:** Create encrypted backups or restore them using the CLI or API.
+- **Parent Seed Backup:** Securely save an encrypted copy of the master seed.
+- **Manual Vault Locking:** Instantly clear keys from memory when needed.
+- **Vault Statistics:** View counts for entries and other profile metrics.
+- **Change Master Password:** Rotate your encryption password at any time.
+- **Checksum Verification Utilities:** Verify or regenerate the script checksum.
+- **Relay Management:** List, add, remove or reset configured Nostr relays.
+- **Offline Mode:** Disable all Nostr communication for local-only operation.
+
+
+A small on-screen notification area now shows queued messages for 10 seconds
+before fading.
+
+## Architecture Overview
+
+SeedPass follows a layered design. The **`seedpass.core`** package exposes the
+`PasswordManager` along with service classes (e.g. `VaultService` and
+`EntryService`) that implement the main API used across interfaces. Both the
+command line tool in **`seedpass.cli`** and the FastAPI server in
+**`seedpass.api`** delegate operations to this core. The BeeWare desktop
+interface (`seedpass_gui.app`) and an optional browser extension reuse these
+services, with the extension communicating through the API layer.
+
+Nostr synchronisation lives in the **`nostr`** modules. The core services call
+into these modules to publish or retrieve encrypted snapshots and deltas from
+configured relays.
+
+```mermaid
+graph TD
+    cli["CLI"]
+    api["FastAPI server"]
+    core["seedpass.core"]
+    nostr["Nostr client"]
+    relays["Nostr relays"]
+
+    cli --> core
+    api --> core
+    core --> nostr
+    nostr --> relays
+```
+
+See `docs/ARCHITECTURE.md` and [Nostr Setup](docs/nostr_setup.md) for details.

 ## Prerequisites

- **Python 3.8+** (3.11 or 3.12 recommended): Install Python from [python.org](https://www.python.org/downloads/) and be sure to check **"Add Python to PATH"** during setup. Using Python 3.13 is currently discouraged because some dependencies do not ship wheels for it yet, which can cause build failures on Windows unless you install the Visual C++ Build Tools.
-*Windows only:* Install the [Visual Studio Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) and select the **C++ build tools** workload.
+- **Python 3.8+** (3.11 or 3.12 recommended): Install Python from [python.org](https://www.python.org/downloads/) and be sure to check **"Add Python to PATH"** during setup. Using Python 3.13 is currently discouraged because some dependencies do not ship wheels for it yet, which can cause build failures on Windows unless you install the Visual C++ Build Tools.  
+  *Windows only:* Install the [Visual Studio Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) and select the **C++ build tools** workload.

 ## Installation

-
 ### Quick Installer

 Use the automated installer to download SeedPass and its dependencies in one step.
+The default `tui` mode installs only the text interface, so it runs headlessly and works well in CI or other automation. GUI backends are optional and must be explicitly requested (`--mode gui` or `--mode both` on Linux/macOS, `-IncludeGui` on Windows). If the GTK `gi` bindings are missing, the installer attempts to install the
+necessary system packages using `apt`, `yum`, `pacman`, or Homebrew. When no display server is detected, GUI components are skipped automatically.

 **Linux and macOS:**
 ```bash
-bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.sh)"
+# TUI-only/agent install (headless default)
+bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.sh)" _ --mode tui
 ```
 *Install the beta branch:*
 ```bash
 bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.sh)" _ -b beta
 ```
+Make sure the command ends right after `-b beta` with **no trailing parenthesis**.
+*Install with GUI support:*
+```bash
+bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.sh)" _ --mode gui
+```

 **Windows (PowerShell):**
 ```powershell
+# TUI-only/agent install (default)
 Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $scriptContent = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.ps1'); & ([scriptblock]::create($scriptContent))
 ```
-Before running the script, install **Python 3.11** or **3.12** from [python.org](https://www.python.org/downloads/windows/) and tick **"Add Python to PATH"**. You should also install the [Visual Studio Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) with the **C++ build tools** workload so dependencies compile correctly.
-The Windows installer will attempt to install Git automatically if it is not already available. It also tries to
-install Python 3 using `winget`, `choco`, or `scoop` when Python is missing and recognizes the `py` launcher if `python`
-isn't on your PATH. If these tools are unavailable you'll see a link to download Python directly from
-<https://www.python.org/downloads/windows/>. When Python 3.13 or newer is detected without the Microsoft C++ build tools,
-the installer now attempts to download Python 3.12 automatically so you don't have to compile packages from source.
+*Install with the optional GUI:*
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $scriptContent = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.ps1'); & ([scriptblock]::create($scriptContent)) -IncludeGui
+```
+Before running the script, install **Python 3.11** or **3.12** from [python.org](https://www.python.org/downloads/windows/) and tick **"Add Python to PATH"**. You should also install the [Visual Studio Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) with the **C++ build tools** workload so dependencies compile correctly.  
+The Windows installer will attempt to install Git automatically if it is not already available. It also tries to install Python 3 using `winget`, `choco`, or `scoop` when Python is missing and recognizes the `py` launcher if `python` isn't on your PATH. If these tools are unavailable you'll see a link to download Python directly from <https://www.python.org/downloads/windows/>. When Python 3.13 or newer is detected without the Microsoft C++ build tools, the installer now attempts to download Python 3.12 automatically so you don't have to compile packages from source.

 **Note:** If this fallback fails, install Python 3.12 manually or install the [Microsoft Visual C++ Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) and rerun the installer.
-*Install the beta branch:*
+
+#### Installer Dependency Checks
+
+The installer verifies that core build tooling—C/C++ build tools, Rust, CMake, and the imaging/GTK libraries—are available before completing. Use `--mode gui` to install only the graphical interface or `--mode both` to install both interfaces (default: `tui`). On Linux, ensure `xclip` or `wl-clipboard` is installed for clipboard support.
+
+#### Windows Nostr Sync Troubleshooting
+
+When backing up or restoring from Nostr on Windows, a few issues are common:
+
+* **Event loop errors** – Messages like `RuntimeError: Event loop is closed` usually mean the async runtime failed to initialize. Running SeedPass with `--verbose` provides more detail about which coroutine failed.
+* **Permission problems** – If you see `Access is denied` when writing to `~/.seedpass`, launch your terminal with "Run as administrator" so the app can create files in your profile directory.
+* **Missing dependencies** – Ensure `websockets` and other requirements are installed inside your virtual environment:
+
+  ```bash
+  pip install websockets
+  ```
+
+Using increased log verbosity helps diagnose sync issues and confirm that the WebSocket connections to your configured relays succeed.
+### Uninstall
+
+Run the matching uninstaller if you need to remove a previous installation or clean up an old `seedpass` command:
+
+**Linux and macOS:**
+```bash
+bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/uninstall.sh)"
+```
+If you see a warning that an old executable couldn't be removed, delete the file manually.
+
+**Windows (PowerShell):**
 ```powershell
-Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $scriptContent = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.ps1'); & ([scriptblock]::create($scriptContent)) -Branch beta
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $scriptContent = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/uninstall.ps1'); & ([scriptblock]::create($scriptContent))
 ```

 ### Manual Setup
+
 Follow these steps to set up SeedPass on your local machine.

-### 1. Clone the Repository
+1. **Clone the Repository**

-First, clone the SeedPass repository from GitHub:
+   ```bash
+   git clone https://github.com/PR0M3TH3AN/SeedPass.git
+   cd SeedPass
+   ```

-```bash
-git clone https://github.com/PR0M3TH3AN/SeedPass.git
-```
+2. **Create a Virtual Environment**

-Navigate to the project directory:
+   ```bash
+   python3 -m venv venv
+   ```

-```bash
-cd SeedPass
-```
+3. **Activate the Virtual Environment**

-### 2. Create a Virtual Environment
+   - **Linux/macOS:**
+     ```bash
+     source venv/bin/activate
+     ```
+   - **Windows:**
+     ```bash
+     venv\Scripts\activate
+     ```

-It's recommended to use a virtual environment to manage your project's dependencies. Create a virtual environment named `venv`:
+4. **Install Dependencies**

-```bash
-python3 -m venv venv
-```
-
-### 3. Activate the Virtual Environment
-
-Activate the virtual environment using the appropriate command for your operating system.
-
- **On Linux and macOS:**
-
-  ```bash
-  source venv/bin/activate
-  ```
-
- **On Windows:**
-
-  ```bash
-  venv\Scripts\activate
-  ```
-
-Once activated, your terminal prompt should be prefixed with `(venv)` indicating that the virtual environment is active.
-
-### 4. Install Dependencies
-
-Install the required Python packages and build dependencies using `pip`.
-When upgrading pip, use `python -m pip` inside the virtual environment so that pip can update itself cleanly:
-
-```bash
-python -m pip install --upgrade pip
-python -m pip install -r src/requirements.txt
-```
+   ```bash
+   python -m pip install --upgrade pip
+   python -m pip install --require-hashes -r requirements.lock
+   python -m pip install -e .
+   ```
+// 🔧 merged conflicting changes from codex/locate-command-usage-issue-in-seedpass vs beta
+After reinstalling, run `which seedpass` on Linux/macOS or `where seedpass` on Windows to confirm the command resolves to your virtual environment's `seedpass` executable.

 #### Linux Clipboard Support

-On Linux, `pyperclip` relies on external utilities like `xclip` or `xsel`.
-SeedPass will attempt to install **xclip** automatically if neither tool is
-available. If the automatic installation fails, you can install it manually:
+On Linux, `pyperclip` relies on external utilities like `xclip` or `xsel`. SeedPass no longer installs these tools automatically. To enable clipboard features such as secret mode, install **xclip** manually:

 ```bash
-sudo apt-get install xclip
+sudo apt install xclip
+```
+
+After installing `xclip`, restart SeedPass to enable clipboard support.
+
+### Optional GUI
+
+SeedPass ships with a GTK-based desktop interface that is still in development
+and not currently functional. GUI backends are optional—run the installer with
+`--mode gui` or install the Python extras below to add them. Install the packages
+for your platform before adding the Python GUI dependencies.
+
+- **Debian/Ubuntu**
+  ```bash
+  sudo apt install libgirepository1.0-dev libcairo2-dev libpango1.0-dev libwebkit2gtk-4.0-dev
+  ```
+- **Fedora**
+  ```bash
+  sudo dnf install gobject-introspection-devel cairo-devel pango-devel webkit2gtk4.0-devel
+  ```
+- **Arch Linux**
+  ```bash
+  sudo pacman -S gobject-introspection cairo pango webkit2gtk
+  ```
+- **macOS (Homebrew)**
+  ```bash
+  brew install pygobject3 gtk+3 adwaita-icon-theme librsvg webkitgtk
+  ```
+
+With the system requirements in place, install the Python GUI extras for your
+platform:
+
+```bash
+# Linux
+pip install .[gui-gtk]
+
+# Windows
+pip install .[gui-win]
+
+# macOS
+pip install .[gui-mac]
+```
+
+CLI-only users can skip these steps and install just the core package for a
+lightweight, headless setup compatible with CI/automation:
+
+```bash
+pip install .
 ```

 ## Quick Start

-After installing dependencies and activating your virtual environment, launch
-SeedPass and create a backup:
+After installing dependencies and activating your virtual environment, install the package in editable mode so the `seedpass` command is available:

 ```bash
-# Start the application
-python src/main.py
+python -m pip install -e .
+```
+
+
+You can then launch SeedPass and create a backup:
+
+```bash
+# Start the application (interactive TUI)
+seedpass

 # Export your index
-seedpass export --file "~/seedpass_backup.json"
+seedpass vault export --file "~/seedpass_backup.json"

 # Later you can restore it
-seedpass import --file "~/seedpass_backup.json"
+seedpass vault import --file "~/seedpass_backup.json"

 # Quickly find or retrieve entries
 seedpass search "github"
 seedpass search --tags "work,personal"
 seedpass get "github"
+# Search results show the entry type, e.g. "1: Password - GitHub"
 # Retrieve a TOTP entry
 seedpass entry get "email"
 # The code is printed and copied to your clipboard
@@ -183,13 +313,67 @@ seedpass entry get "email"
 # Sort or filter the list view
 seedpass list --sort label
 seedpass list --filter totp
+# Generate a password with the safe character set defined by `SAFE_SPECIAL_CHARS`
+seedpass util generate-password --length 20 --special-mode safe --exclude-ambiguous

 # Use the **Settings** menu to configure an extra backup directory
 # on an external drive.
 ```

-For additional command examples, see [docs/advanced_cli.md](docs/advanced_cli.md).
-Details on the REST API can be found in [docs/api_reference.md](docs/api_reference.md).
+For additional command examples, see [docs/advanced_cli.md](docs/advanced_cli.md). Details on the REST API can be found in [docs/api_reference.md](docs/api_reference.md).
+
+### Getting Started with the GUI
+
+SeedPass also ships with a simple BeeWare desktop interface. Launch it from
+your virtual environment using any of the following commands:
+
+```bash
+seedpass gui
+python -m seedpass_gui
+seedpass-gui
+```
+
+GUI dependencies are optional. Install them alongside SeedPass with the
+extra for your platform:
+
+```bash
+# Linux
+pip install "seedpass[gui-gtk]"
+
+# Windows
+pip install "seedpass[gui-win]"
+
+# macOS
+pip install "seedpass[gui-mac]"
+
+# or when working from a local checkout
+pip install -e ".[gui-gtk]"  # Linux
+pip install -e ".[gui-win]"  # Windows
+pip install -e ".[gui-mac]"  # macOS
+```
+
+If you see build errors about "cairo" on Linux, install the cairo development
+headers using your package manager, e.g.:
+
+```bash
+sudo apt-get install libcairo2 libcairo2-dev
+```
+
+The GUI works with the same vault and configuration files as the CLI.
+
+```mermaid
+graph TD
+    core["seedpass.core"]
+    cli["CLI"]
+    api["FastAPI server"]
+    gui["BeeWare GUI"]
+    ext["Browser Extension"]
+
+    cli --> core
+    gui --> core
+    api --> core
+    ext --> api
+```

 ### Vault JSON Layout

@@ -209,28 +393,74 @@ The encrypted index file `seedpass_entries_db.json.enc` begins with `schema_vers
 }
 ```

+> **Note**
+>
+> Opening a vault created by older versions automatically converts the legacy
+> `seedpass_passwords_db.json.enc` (Fernet) to AES-GCM as
+> `seedpass_entries_db.json.enc`. The original file is kept with a `.fernet`
+> extension.
+> The same migration occurs for a legacy `parent_seed.enc` encrypted with
+> Fernet: it is transparently decrypted, re-encrypted with AES-GCM and the old
+> file saved as `parent_seed.enc.fernet`.

 ## Usage

-After successfully installing the dependencies, you can run SeedPass using the following command:
+After successfully installing the dependencies, install the package with:
+
+```bash
+python -m pip install -e .
+```
+
+Once installed, launch the interactive TUI with:
+
+```bash
+seedpass
+```
+
+You can also run directly from the repository with:

 ```bash
 python src/main.py
 ```

-You can also use the new Typer-based CLI:
+You can explore other CLI commands using:
+
 ```bash
 seedpass --help
 ```
+
+If this command displays `usage: main.py` instead of the Typer help output, an old `seedpass` executable is still on your `PATH`. Remove it with `pip uninstall seedpass` or delete the stale launcher and rerun:
+
+```bash
+python -m pip install -e .
+```
+// 🔧 merged conflicting changes from codex/locate-command-usage-issue-in-seedpass vs beta
+You can confirm which executable will run with:
+
+```bash
+which seedpass  # or 'where seedpass' on Windows
+```
+
 For a full list of commands see [docs/advanced_cli.md](docs/advanced_cli.md). The REST API is described in [docs/api_reference.md](docs/api_reference.md).

 ### Running the Application

 1. **Start the Application:**

-    ```bash
-    python src/main.py
-    ```
+   ```bash
+   seedpass
+   ```
+   *(or `python src/main.py` when running directly from the repository)*
+
+   To restore a previously backed up index at launch, provide the backup path
+   and fingerprint:
+
+   ```bash
+   seedpass --restore-backup /path/to/backup.json.enc --fingerprint <fp>
+   ```
+
+   Without the flag, the startup prompt offers a **Restore from backup** option
+   before the vault is initialized.

 2. **Follow the Prompts:**

@@ -240,18 +470,18 @@ For a full list of commands see [docs/advanced_cli.md](docs/advanced_cli.md). Th

   Example menu:

-    ```bash
-    Select an option:
-    1. Add Entry
-    2. Retrieve Entry
-    3. Search Entries
-    4. List Entries
-    5. Modify an Existing Entry
-    6. 2FA Codes
-    7. Settings
+   ```bash
+   Select an option:
+   1. Add Entry
+   2. Retrieve Entry
+   3. Search Entries
+   4. List Entries
+   5. Modify an Existing Entry
+   6. 2FA Codes
+   7. Settings

-    Enter your choice (1-7) or press Enter to exit:
-    ```
+   Enter your choice (1-7) or press Enter to exit:
+   ```

 When choosing **Add Entry**, you can now select from:

@@ -264,6 +494,15 @@ When choosing **Add Entry**, you can now select from:
 - **Key/Value**
 - **Managed Account**

+### Adding a Password Entry
+
+After selecting **Password**, SeedPass asks you to pick a mode:
+
+1. **Quick** – prompts only for a label, username, URL, desired length, and whether to include special characters. Default values are used for notes, tags, and policy settings.
+2. **Advanced** – walks through the full set of prompts for notes, tags, custom fields, and detailed password policy options.
+
+Both modes generate the password, display it (or copy it to the clipboard in Secret Mode), and save the entry to your encrypted vault.
+
 ### Adding a 2FA Entry

 1. From the main menu choose **Add Entry** and select **2FA (TOTP)**.
@@ -285,11 +524,20 @@ When choosing **Add Entry**, you can now select from:

 ### Using Secret Mode

-When **Secret Mode** is enabled, SeedPass copies retrieved passwords directly to your clipboard instead of displaying them on screen. The clipboard clears automatically after the delay you choose.
+When **Secret Mode** is enabled, SeedPass copies newly generated and retrieved passwords directly to your clipboard instead of displaying them on screen. The clipboard clears automatically after the delay you choose.

 1. From the main menu open **Settings** and select **Toggle Secret Mode**.
 2. Choose how many seconds to keep passwords on the clipboard.
-3. Retrieve an entry and SeedPass will confirm the password was copied.
+3. Generate or retrieve an entry and SeedPass will confirm the password was copied.
+
+### Viewing Entry Details
+
+Selecting an item from **List Entries** or **Search Entries** first displays the
+entry's metadata such as the label, username, tags and notes. Passwords, seed
+phrases and other sensitive fields remain hidden until you choose to reveal
+them. When you opt to show the secret, the details view presents the same action
+menu as **Retrieve Entry** so you can edit, archive or display QR codes for the
+entry.

 ### Additional Entry Types

@@ -297,45 +545,45 @@ SeedPass supports storing more than just passwords and 2FA secrets. You can also
 - **SSH Key** – deterministically derive an Ed25519 key pair for servers or git hosting platforms.
 - **Seed Phrase** – store only the BIP-85 index and word count. The mnemonic is regenerated on demand.
 - **PGP Key** – derive an OpenPGP key pair from your master seed.
- **Nostr Key Pair** – store the index used to derive an `npub`/`nsec` pair for Nostr clients.
-  When you retrieve one of these entries, SeedPass can display QR codes for the
-  keys. The `npub` is wrapped in the `nostr:` URI scheme so any client can scan
-  it, while the `nsec` QR is shown only after a security warning.
+- **Nostr Key Pair** – store the index used to derive an `npub`/`nsec` pair for Nostr clients. When you retrieve one of these entries, SeedPass can display QR codes for the keys. The `npub` is wrapped in the `nostr:` URI scheme so any client can scan it, while the `nsec` QR is shown only after a security warning.
 - **Key/Value** – store a simple key and value for miscellaneous secrets or configuration data.
 - **Managed Account** – derive a child seed under the current profile. Loading a managed account switches to a nested profile and the header shows `<parent_fp> > Managed Account > <child_fp>`. Press Enter on the main menu to return to the parent profile.

-The table below summarizes the extra fields stored for each entry type. Every
-entry includes a `label`, while only password entries track a `url`.
-
-| Entry Type    | Extra Fields |
-|---------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| Password      | `username`, `url`, `length`, `archived`, optional `notes`, optional `custom_fields` (may include hidden fields), optional `tags` |
-| 2FA (TOTP)    | `index` or `secret`, `period`, `digits`, `archived`, optional `notes`, optional `tags` |
-| SSH Key       | `index`, `archived`, optional `notes`, optional `tags` |
-| Seed Phrase   | `index`, `word_count` *(mnemonic regenerated; never stored)*, `archived`, optional `notes`, optional `tags` |
-| PGP Key       | `index`, `key_type`, `archived`, optional `user_id`, optional `notes`, optional `tags` |
-| Nostr Key Pair| `index`, `archived`, optional `notes`, optional `tags` |
-| Key/Value     | `value`, `archived`, optional `notes`, optional `custom_fields`, optional `tags` |
-| Managed Account | `index`, `word_count`, `fingerprint`, `archived`, optional `notes`, optional `tags` |
+The table below summarizes the extra fields stored for each entry type. Every entry includes a `label`, while only password entries track a `url`.

+| Entry Type      | Extra Fields                                                                                                                                         |
+|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Password        | `username`, `url`, `length`, `archived`, optional `notes`, optional `custom_fields` (may include hidden fields), optional `tags`                       |
+| 2FA (TOTP)      | `index` or `secret`, `period`, `digits`, `archived`, optional `notes`, optional `tags`                                                                 |
+| SSH Key         | `index`, `archived`, optional `notes`, optional `tags`                                                                                                |
+| Seed Phrase     | `index`, `word_count` *(mnemonic regenerated; never stored)*, `archived`, optional `notes`, optional `tags`                                            |
+| PGP Key         | `index`, `key_type`, `archived`, optional `user_id`, optional `notes`, optional `tags`                                                                 |
+| Nostr Key Pair  | `index`, `archived`, optional `notes`, optional `tags`                                                                                                |
+| Key/Value       | `key`, `value`, `archived`, optional `notes`, optional `custom_fields`, optional `tags`                                                                       |
+| Managed Account | `index`, `word_count`, `fingerprint`, `archived`, optional `notes`, optional `tags`                                                                   |

 ### Managing Multiple Seeds

 SeedPass allows you to manage multiple seed profiles (previously referred to as "fingerprints"). Each seed profile has its own parent seed and associated data, enabling you to compartmentalize your passwords.

 - **Add a New Seed Profile:**
-  - From the main menu, select **Settings** then **Profiles** and choose "Add a New Seed Profile".
-  - Choose to enter an existing seed or generate a new one.
-  - If generating a new seed, you'll be provided with a 12-word BIP-85 seed phrase. **Ensure you write this down and store it securely.**
+  1. From the main menu, select **Settings** then **Profiles** and choose "Add a New Seed Profile".
+  2. Choose to paste in a full seed, enter one word at a time, or generate a new seed.
+  3. If you enter the seed word by word, each word is hidden with `*` and the screen refreshes after every entry for clarity. SeedPass then shows the completed phrase for confirmation so you can fix any mistakes before it is stored.
+  4. If generating a new seed, you'll be provided with a 12-word BIP-85 seed phrase. **Ensure you write this down and store it securely.**

 - **Switch Between Seed Profiles:**
-  - From the **Profiles** menu, select "Switch Seed Profile".
-  - You'll see a list of available seed profiles.
-  - Enter the number corresponding to the seed profile you wish to switch to.
-  - Enter the master password associated with that seed profile.
+  1. From the **Profiles** menu, select "Switch Seed Profile".
+  2. You'll see a list of available seed profiles.
+  3. Enter the number corresponding to the seed profile you wish to switch to.
+  4. Enter the master password associated with that seed profile.

 - **List All Seed Profiles:**
-  - In the **Profiles** menu, choose "List All Seed Profiles" to view all existing profiles.
+  In the **Profiles** menu, choose "List All Seed Profiles" to view all existing profiles.
+- **Set Seed Profile Name:**
+  In the **Profiles** menu, choose "Set Seed Profile Name" to assign an optional
+  label to the currently selected profile. The name is stored locally and shown
+  alongside the fingerprint in menus.

 **Note:** The term "seed profile" is used to represent different sets of seeds you can manage within SeedPass. This provides an intuitive way to handle multiple identities or sets of passwords.

@@ -364,40 +612,65 @@ You can manage your relays and sync with Nostr from the **Settings** menu:

 Back in the Settings menu you can:

-* Select `3` to change your master password.
-* Choose `4` to verify the script checksum.
-* Select `5` to generate a new script checksum.
-* Choose `6` to back up the parent seed.
-* Select `7` to export the database to an encrypted file.
-* Choose `8` to import a database from a backup file.
-* Select `9` to export all 2FA codes.
-* Choose `10` to set an additional backup location. A backup is created
-  immediately after the directory is configured.
-* Select `11` to change the inactivity timeout.
-* Choose `12` to lock the vault and require re-entry of your password.
-* Select `13` to view seed profile stats. The summary lists counts for
-  passwords, TOTP codes, SSH keys, seed phrases, and PGP keys. It also shows
-  whether both the encrypted database and the script itself pass checksum
-  validation.
-* Choose `14` to toggle Secret Mode and set the clipboard clear delay.
-* Select `15` to return to the main menu.
+- Select `3` to change your master password.
+- Choose `4` to verify the script checksum.
+- Select `5` to generate a new script checksum.
+- Choose `6` to back up the parent seed.
+- Select `7` to export the database to an encrypted file.
+- Choose `8` to import a database from a backup file.
+- Select `9` to export all 2FA codes.
+- Choose `10` to set an additional backup location. A backup is created immediately after the directory is configured.
+- Select `11` to set the PBKDF2 iteration count used for encryption.
+- Choose `12` to change the inactivity timeout.
+- Select `13` to lock the vault and require re-entry of your password.
+- Select `14` to view seed profile stats. The summary lists counts for passwords, TOTP codes, SSH keys, seed phrases, and PGP keys. It also shows whether both the encrypted database and the script itself pass checksum validation.
+- Choose `15` to toggle Secret Mode and set the clipboard clear delay.
+- Select `16` to toggle Offline Mode and disable Nostr synchronization.
+- Choose `17` to toggle Quick Unlock for skipping the password prompt after the first unlock.
+Press **Enter** at any time to return to the main menu.
+You can adjust these settings directly from the command line:
+
+```bash
+seedpass config set kdf_iterations 200000
+seedpass config set backup_interval 3600
+seedpass config set quick_unlock true
+seedpass config set nostr_max_retries 2
+seedpass config set nostr_retry_delay 1
+```
+
+The default configuration uses **50,000** PBKDF2 iterations. Increase this value for stronger password hashing or lower it for faster startup (not recommended). Offline Mode skips all Nostr communication, keeping your data local until you re-enable syncing. Quick Unlock stores a hashed copy of your password in the encrypted config so that after the initial unlock, subsequent operations won't prompt for the password until you exit the program. Avoid enabling Quick Unlock on shared machines.
+
+### Recovery
+
+If you previously backed up your vault to Nostr you can restore it during the
+initial setup. You must provide both your 12‑word master seed and the master
+password that encrypted the vault; without the correct password the retrieved
+data cannot be decrypted.
+
+Alternatively, a local backup file can be loaded at startup. Launch the
+application with `--restore-backup <file> --fingerprint <fp>` or choose the
+**Restore from backup** option presented before the vault initializes.
+
+1. Start SeedPass and choose option **4** when prompted to set up a seed.
+2. Paste your BIP‑85 seed phrase when asked.
+3. Enter the master password associated with that seed.
+4. SeedPass initializes the profile and attempts to download the encrypted
+   vault from the configured relays.
+5. A success message confirms the vault was restored. If no data is found a
+   failure message is shown and a new empty vault is created.

 ## Running Tests

-SeedPass includes a small suite of unit tests located under `src/tests`. **Before running `pytest`, be sure to install the test requirements.** Activate your virtual environment and run `pip install -r src/requirements.txt` to ensure all testing dependencies are available. Then run the tests with **pytest**. Use `-vv` to see INFO-level log messages from each passing test:
-
+SeedPass includes a small suite of unit tests located under `src/tests`. **Before running `pytest`, be sure to install the test requirements.** Activate your virtual environment and run `pip install --require-hashes -r requirements.lock` to ensure all testing dependencies are available. Then run the tests with **pytest**. Use `-vv` to see INFO-level log messages from each passing test:

 ```bash
-pip install -r src/requirements.txt
+pip install --require-hashes -r requirements.lock
 pytest -vv
 ```

 ### Exploring Nostr Index Size Limits

-`test_nostr_index_size.py` demonstrates how SeedPass rotates snapshots after too many delta events.
-Each chunk is limited to 50 KB, so the test gradually grows the vault to observe
-when a new snapshot is triggered. Use the `NOSTR_TEST_DELAY` environment
-variable to control the delay between publishes when experimenting with large vaults.
+`test_nostr_index_size.py` demonstrates how SeedPass rotates snapshots after too many delta events. Each chunk is limited to 50 KB, so the test gradually grows the vault to observe when a new snapshot is triggered. Use the `NOSTR_TEST_DELAY` environment variable to control the delay between publishes when experimenting with large vaults.

 ```bash
 pytest -vv -s -n 0 src/tests/test_nostr_index_size.py --desktop --max-entries=1000
@@ -411,23 +684,26 @@ Use the helper script below to populate a profile with sample entries for testin
 python scripts/generate_test_profile.py --profile demo_profile --count 100
 ```

-The script now determines the fingerprint from the generated seed and stores the
-vault under `~/.seedpass/<fingerprint>`. It also prints the fingerprint after
-creation and publishes the encrypted index to Nostr. Use that same seed phrase
-to load SeedPass. The app checks Nostr on startup and pulls any newer snapshot
-so your vault stays in sync across machines.
+The script determines the fingerprint from the generated seed and stores the
+vault under `~/.seedpass/tests/<fingerprint>`. SeedPass only looks for profiles
+in `~/.seedpass/`, so move or copy the fingerprint directory out of the `tests`
+subfolder (or adjust `APP_DIR` in `constants.py`) if you want to load it with
+the main application. The fingerprint is printed after creation and the
+encrypted index is published to Nostr. Use that same seed phrase to load
+SeedPass. The app checks Nostr on startup and pulls any newer snapshot so your
+vault stays in sync across machines. If no snapshot exists or the download
+cannot be decrypted (for example when using a brand-new seed), SeedPass
+automatically initializes an empty index instead of exiting.

 ### Automatically Updating the Script Checksum

-SeedPass stores a SHA-256 checksum for the main program in `~/.seedpass/seedpass_script_checksum.txt`.
-To keep this value in sync with the source code, install the pre‑push git hook:
+SeedPass stores a SHA-256 checksum for the main program in `~/.seedpass/seedpass_script_checksum.txt`. To keep this value in sync with the source code, install the pre-push git hook:

 ```bash
 pre-commit install -t pre-push
 ```

-After running this command, every `git push` will execute `scripts/update_checksum.py`,
-updating the checksum file automatically.
+After running this command, every `git push` will execute `scripts/update_checksum.py`, updating the checksum file automatically.

 If the checksum file is missing, generate it manually:

@@ -435,6 +711,10 @@ If the checksum file is missing, generate it manually:
 python scripts/update_checksum.py
 ```

+If SeedPass prints a "script checksum mismatch" warning on startup, regenerate
+the checksum with `seedpass util update-checksum` or select "Generate Script
+Checksum" from the Settings menu.
+
 To run mutation tests locally, generate coverage data first and then execute `mutmut`:

 ```bash
@@ -444,6 +724,72 @@ python -m mutmut results
 ```

 Mutation testing is disabled in the GitHub workflow due to reliability issues and should be run on a desktop environment instead.
+## Development Workflow
+
+1. Install all development dependencies:
+```bash
+pip install --require-hashes -r requirements.lock
+```
+
+2. When `src/runtime_requirements.txt` changes, rerun:
+```bash
+scripts/vendor_dependencies.sh
+```
+Commit the updated `src/vendor/` directory. The application automatically adds this folder to `sys.path` so the bundled packages are found.
+
+3. Before committing, format and test the code:
+```bash
+black .
+pytest
+```
+
+
+## Building a standalone executable
+
+1. Run the vendoring script to bundle runtime dependencies:
+
+```bash
+scripts/vendor_dependencies.sh
+```
+
+2. Build the binary with PyInstaller:
+
+```bash
+pyinstaller SeedPass.spec
+```
+
+You can also produce packaged installers for the GUI with BeeWare's Briefcase:
+
+```bash
+briefcase build
+```
+
+Pre-built installers are published for each `seedpass-gui` tag. Visit the
+project's **Actions** or **Releases** page on GitHub to download the latest
+package for your platform.
+
+The standalone executable will appear in the `dist/` directory. This process works on Windows, macOS and Linux but you must build on each platform for a native binary.
+
+## Packaging with Briefcase
+
+For step-by-step instructions see [docs/docs/content/01-getting-started/05-briefcase.md](docs/docs/content/01-getting-started/05-briefcase.md).
+
+Install Briefcase and create a platform-specific scaffold:
+
+```bash
+python -m pip install briefcase
+briefcase create
+```
+
+Build and run the packaged GUI:
+
+```bash
+briefcase build
+briefcase run
+```
+
+You can also launch the GUI directly with `seedpass gui` or `seedpass-gui`.
+

 ## Security Considerations

@@ -452,38 +798,80 @@ Mutation testing is disabled in the GitHub workflow due to reliability issues an
 - **Backup Your Data:** Regularly back up your encrypted data and checksum files to prevent data loss.
 - **Backup the Settings PIN:** Your settings PIN is stored in the encrypted configuration file. Keep a copy of this file or remember the PIN, as losing it will require deleting the file and reconfiguring your relays.
 - **Protect Your Passwords:** Do not share your master password or seed phrases with anyone and ensure they are strong and unique.
- **Revealing the Parent Seed:** The `vault reveal-parent-seed` command and `/api/v1/parent-seed` endpoint print your seed in plain text. Run them only in a secure environment.
+- **Backing Up the Parent Seed:** Use the CLI `vault reveal-parent-seed` command or the `/api/v1/vault/backup-parent-seed` endpoint with explicit confirmation to create an encrypted backup. The API does not return the seed directly.
 - **No PBKDF2 Salt Needed:** SeedPass deliberately omits an explicit PBKDF2 salt. Every password is derived from a unique 512-bit BIP-85 child seed, which already provides stronger per-password uniqueness than a conventional 128-bit salt.
 - **Checksum Verification:** Always verify the script's checksum to ensure its integrity and protect against unauthorized modifications.
- **Potential Bugs and Limitations:** Be aware that the software may contain bugs and lacks certain features. Snapshot chunks are capped at 50 KB and the client rotates snapshots after enough delta events accumulate. The security of memory management and logs has not been thoroughly evaluated and may pose risks of leaking sensitive information.
+- **Potential Bugs and Limitations:** Be aware that the software may contain bugs and lacks certain features. Snapshot chunks are capped at 50 KB and the client rotates snapshots after enough delta events accumulate. The security of memory management and logs has not been thoroughly evaluated and may pose risks of leaking sensitive information.
+- **Best-Effort Memory Zeroization:** Sensitive data is wiped from memory when possible, but Python may retain copies of decrypted values.
 - **Multiple Seeds Management:** While managing multiple seeds adds flexibility, it also increases the responsibility to secure each seed and its associated password.
 - **No PBKDF2 Salt Required:** SeedPass deliberately omits an explicit PBKDF2 salt. Every password is derived from a unique 512-bit BIP-85 child seed, which already provides stronger per-password uniqueness than a conventional 128-bit salt.
+- **Default KDF Iterations:** New profiles start with 50,000 PBKDF2 iterations. Adjust this with `seedpass config set kdf_iterations`.
+- **KDF Iteration Caution:** Lowering `kdf_iterations` makes password cracking easier, while a high `backup_interval` leaves fewer recent backups.
+- **Offline Mode:** When enabled, SeedPass skips all Nostr operations so your vault stays local until syncing is turned back on.
+- **Quick Unlock:** Stores a hashed copy of your password in the encrypted config so you only need to enter it once per session. Avoid this on shared computers.
+- **Prompt Rate Limiting:** Seed and password prompts enforce a configurable attempt limit with exponential backoff to slow brute-force attacks. Adjust or disable the limit for testing via the `--max-prompt-attempts` CLI option or the `SEEDPASS_MAX_PROMPT_ATTEMPTS` environment variable.
+
+### Secure Deployment
+
+Always deploy SeedPass behind HTTPS. Place a TLS‑terminating reverse proxy such as Nginx in front of the FastAPI server or configure Uvicorn with certificate files. Example Nginx snippet:
+
+```
+server {
+    listen 443 ssl;
+    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}
+```
+
+For local testing, Uvicorn can run with TLS directly:
+
+```
+uvicorn seedpass.api:app --ssl-certfile=cert.pem --ssl-keyfile=key.pem
+```
+
+## Dependency Updates
+
+Automated dependency updates are handled by [Dependabot](https://docs.github.com/en/code-security/dependabot).
+Every week, Dependabot checks Python packages and GitHub Actions used by this repository and opens pull requests when updates are available.
+
+To review and merge these updates:
+
+1. Review the changelog and release notes in the Dependabot pull request.
+2. Run the test suite locally:
+   ```bash
+   python3 -m venv venv
+   source venv/bin/activate
+   pip install --require-hashes -r requirements.lock
+   pytest
+   ```
+3. Merge the pull request once all checks pass.
+
+A scheduled **Dependency Audit** workflow also runs [`pip-audit`](https://github.com/pypa/pip-audit) weekly to detect vulnerable packages. Address any reported issues promptly to keep dependencies secure.

 ## Contributing

 Contributions are welcome! If you have suggestions for improvements, bug fixes, or new features, please follow these steps:

 1. **Fork the Repository:** Click the "Fork" button on the top right of the repository page.
-
-2. **Create a Branch:** Create a new branch for your feature or bugfix.
-
+1. **Create a Branch:** Create a new branch for your feature or bugfix.
   ```bash
   git checkout -b feature/YourFeatureName
   ```
-
-3. **Commit Your Changes:** Make your changes and commit them with clear messages.
-
+1. **Commit Your Changes:** Make your changes and commit them with clear messages.
   ```bash
   git commit -m "Add feature X"
   ```
-
-4. **Push to GitHub:** Push your changes to your forked repository.
-
+1. **Push to GitHub:** Push your changes to your forked repository.
   ```bash
   git push origin feature/YourFeatureName
   ```
-
-5. **Create a Pull Request:** Navigate to the original repository and create a pull request describing your changes.
+1. **Create a Pull Request:** Navigate to the original repository and create a pull request describing your changes.

 ## License

@@ -496,5 +884,3 @@ For any questions, suggestions, or support, please open an issue on the [GitHub
 ---

 *Stay secure and keep your passwords safe with SeedPass!*
-
---
--- a/SeedPass.spec
+++ b/SeedPass.spec
@@ -0,0 +1,38 @@
+# -*- mode: python ; coding: utf-8 -*-
+
+
+a = Analysis(
+    ['src/main.py'],
+    pathex=['src', 'src/vendor'],
+    binaries=[],
+    datas=[],
+    hiddenimports=[],
+    hookspath=[],
+    hooksconfig={},
+    runtime_hooks=[],
+    excludes=[],
+    noarchive=False,
+    optimize=0,
+)
+pyz = PYZ(a.pure)
+
+exe = EXE(
+    pyz,
+    a.scripts,
+    a.binaries,
+    a.datas,
+    [],
+    name='SeedPass',
+    debug=False,
+    bootloader_ignore_signals=False,
+    strip=False,
+    upx=True,
+    upx_exclude=[],
+    runtime_tmpdir=None,
+    console=True,
+    disable_windowed_traceback=False,
+    argv_emulation=False,
+    target_arch=None,
+    codesign_identity=None,
+    entitlements_file=None,
+)
--- a/dev-plan.md
+++ b/dev-plan.md
@@ -1,93 +0,0 @@
-### SeedPass Road-to-1.0 — Detailed Development Plan
-
-*(Assumes today = 1 July 2025, team of 1-3 devs, weekly release cadence)*
-
-| Phase                                | Goal                                                                      | Key Deliverables                                                                                                                                                                                                                                                                                                                                                                      | Target Window             |
-| ------------------------------------ | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
-| **0 – Vision Lock-in**               | Be explicit about where you’re going so every later trade-off is easy.    | • 2-page “north-star” doc covering product scope, security promises, platforms, and **“CLI is source of truth”** principle. <br>• Public roadmap Kanban board.                                                                                                                                                                                                                        | **Week 0**                |
-| **1 – Package-ready Codebase**       | Turn loose `src/` tree into a pip-installable library + console script.   | • `pyproject.toml` with PEP-621 metadata, `setuptools-scm` dynamic version. <br>• Restructure to `seedpass/` (or keep `src/` but list `packages = ["seedpass"]`). <br>• Entry-point: `seedpass = "seedpass.main:cli"`. <br>• Dev extras: `pytest-cov`, `ruff`, `mypy`, `pre-commit`. <br>• Split pure business logic from I/O (e.g., encryption, BIP-85, vault ops) so GUI can reuse. | **Weeks 0-2**             |
-| **2 – Local Quality Net**            | Fail fast before CI runs.                                                 | • `make test` / `tox` quick matrix (3.10–3.12). <br>• 90 % line coverage gate. <br>• Static checks in pre-commit (black, ruff, mypy).                                                                                                                                                                                                                                                 | **Weeks 1-3**             |
-| **3 – CI / Release Automation**      | One Git tag → everything ships.                                           | • GitHub Actions matrix (Ubuntu, macOS, Windows). <br>• Steps: install → unit tests →  build wheels (`python -m build`) → PyInstaller one-file artefacts → upload to Release. <br>• Secrets for PyPI / code-signing left empty until 1.0.                                                                                                                                             | **Weeks 2-4**             |
-| **4 – OS-Native Packages**           | Users can “apt install / brew install / flatpak install / download .exe”. | **Linux** • `stdeb` → `.deb`, `reprepro` mini-APT repo.  <br>**Flatpak** • YAML manifest + GitHub Action to build & push to Flathub beta repo. <br>**Windows** • PyInstaller `--onefile` → NSIS installer. <br>**macOS** • Briefcase → notarised `.pkg` or `.dmg` (signing cert later).                                                                                               | **Weeks 4-8**             |
-| **5 – Experimental GUI Track**       | Ship a GUI **without** slowing CLI velocity.                              | • Decide stack (recommend **Textual** first; upgrade later to Toga or PySide). <br>• Create `seedpass.gui` package calling existing APIs; flag with `--gui`. <br>• Feature flag via env var `SEEDPASS_GUI=1` or CLI switch. <br>• Separate workflow that builds GUI artefacts, but does **not** block CLI releases.                                                                   | **Weeks 6-12** (parallel) |
-| **6 – Plugin / Extensibility Layer** | Keep core slim while allowing future features.                            | • Define `entry_points={"seedpass.plugins": …}`. <br>• Document simple example plugin (e.g., custom password rule). <br>• Load plugins lazily to avoid startup cost.                                                                                                                                                                                                                  | **Weeks 10-14**           |
-| **7 – Security & Hardening**         | Turn security assumptions into guarantees before 1.0                      | • SAST scan (Bandit, Semgrep). <br>• Threat-model doc: key-storage, BIP-85 determinism, Nostr backup flow. <br>• Repro-build check for PyInstaller artefacts. <br>• Signed releases (Sigstore, minisign).                                                                                                                                                                             | **Weeks 12-16**           |
-| **8 – 1.0 Launch Prep**              | Final polish + docs.                                                      | • User manual (MkDocs, `docs.seedpass.org`). <br>• In-app `--check-update` hitting GitHub API. <br>• Blog post & template release notes.                                                                                                                                                                                                                                              | **Weeks 16-18**           |
-
---
-
-### Ongoing Practices to Keep Development Nimble
-
-| Practice                | What to do                                                                                  |
-| ----------------------- | ------------------------------------------------------------------------------------------- |
-| **Dynamic versioning**  | Keep `version` dynamic via `setuptools-scm` / `hatch-vcs`; tag and push – nothing else.     |
-| **Trunk-based dev**     | Short-lived branches, PRs < 300 LOC; merge when tests pass.                                 |
-| **Feature flags**       | `seedpass.config.is_enabled("X")` so unfinished work can ship dark.                         |
-| **Fast feedback loops** | Local editable install; `invoke run --watch` (or `uvicorn --reload` for GUI) to hot-reload. |
-| **Weekly beta release** | Even during heavy GUI work, cut “beta” tags weekly; real users shake out regressions early. |
-
---
-
-### First 2-Week Sprint (Concrete To-Dos)
-
-1. **Bootstrap packaging**
-
-   ```bash
-   pip install --upgrade pip build setuptools_scm
-   poetry init   # if you prefer Poetry, else stick with setuptools
-   ```
-
-   Add `pyproject.toml`, move code to `seedpass/`.
-
-2. **Console entry-point**
-   In `seedpass/__main__.py` add `from .main import cli; cli()`.
-
-3. **Editable dev install**
-   `pip install -e .[dev]` → run `seedpass --help`.
-
-4. **Set up pre-commit**
-   `pre-commit install` with ruff + black + mypy hooks.
-
-5. **GitHub Action skeleton** (`.github/workflows/ci.yml`)
-
-   ```yaml
-   jobs:
-     test:
-       strategy:
-         matrix: os: [ubuntu-latest, windows-latest, macos-latest]
-         python-version: ['3.12', '3.11']
-       steps:
-         - uses: actions/checkout@v4
-         - uses: actions/setup-python@v5
-           with: {python-version: ${{ matrix.python-version }}}
-         - run: pip install --upgrade pip
-         - run: pip install -e .[dev]
-         - run: pytest -n auto
-   ```
-
-6. **Smoke PyInstaller locally**
-   `pyinstaller --onefile seedpass/main.py` – fix missing data/hooks; check binary runs.
-
-When that’s green, cut tag `v0.1.0-beta` and let CI build artefacts automatically.
-
---
-
-### Choosing the GUI Path (decision by Week 6)
-
-| If you value…                      | Choose                       |
-| ---------------------------------- | ---------------------------- |
-| Terminal-first UX, live coding     | **Textual (Rich-TUI)**       |
-| Native look, single code base      | **Toga / Briefcase**         |
-| Advanced widgets, designer tooling | **PySide-6 / Qt for Python** |
-
-Prototype one screen (vault list + “Add” dialog) and benchmark bundle size + startup time with PyInstaller before committing.
-
---
-
-## Recap
-
-* **Packaging & CI first** – lets every future feature ride an established release train.
-* **GUI lives in its own layer** – CLI stays stable; dev cycles remain quick.
-* **Security & signing** land after functionality is stable, before v1.0 marketing push.
-
-Follow the phase table, keep weekly betas flowing, and you’ll reach a polished, installer-ready, GUI-enhanced 1.0 in roughly four months without sacrificing day-to-day agility.
--- a/docs/.gitattributes
+++ b/docs/.gitattributes
@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto
--- a/docs/.github/workflows/ci.yml
+++ b/docs/.github/workflows/ci.yml
@@ -0,0 +1,17 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - run: npm install
+      - run: npm test
--- a/docs/.gitignore
+++ b/docs/.gitignore
@@ -0,0 +1,2 @@
+_site/
+node_modules/
--- a/docs/ARCHITECTURE.md
+++ b/docs/ARCHITECTURE.md
@@ -0,0 +1,41 @@
+# SeedPass Architecture
+
+SeedPass follows a layered design that keeps the security-critical logic isolated in a reusable core package. Interfaces like the command line tool, REST API and graphical client act as thin adapters around this core.
+
+## Core Components
+
+- **`seedpass.core`** – houses all encryption, key derivation and vault management code.
+- **`VaultService`** and **`EntryService`** – thread-safe wrappers exposing the main API.
+- **`PasswordManager`** – orchestrates vault operations, migrations and Nostr sync.
+
+## Adapters
+
+- **CLI/TUI** – implemented in [`seedpass.cli`](src/seedpass/cli.py). The [Advanced CLI](docs/docs/content/01-getting-started/01-advanced_cli.md) guide details all commands.
+- **FastAPI server** – defined in [`seedpass.api`](src/seedpass/api.py). See the [API Reference](docs/docs/content/01-getting-started/02-api_reference.md) for endpoints.
+- **BeeWare GUI** – located in [`seedpass_gui`](src/seedpass_gui/app.py) and explained in the [GUI Adapter](docs/docs/content/01-getting-started/06-gui_adapter.md) page.
+
+## Planned Extensions
+
+SeedPass is built to support additional adapters. Planned or experimental options include:
+
+- A browser extension communicating with the API
+- Automation scripts using the CLI
+- Additional vault import/export helpers described in [JSON Entries](docs/docs/content/01-getting-started/03-json_entries.md)
+
+## Overview Diagram
+
+```mermaid
+graph TD
+    core["seedpass.core"]
+    cli["CLI / TUI"]
+    api["FastAPI server"]
+    gui["BeeWare GUI"]
+    ext["Browser extension"]
+
+    cli --> core
+    api --> core
+    gui --> core
+    ext --> api
+```
+
+All adapters depend on the same core, allowing features to evolve without duplicating logic across interfaces.
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,25 +1,55 @@
-# SeedPass Documentation
+# Archivox

-This directory contains supplementary guides for using SeedPass.
+Archivox is a lightweight static site generator aimed at producing documentation sites similar to "Read the Docs". Write your content in Markdown, run the generator, and deploy the static files anywhere.

-## Quick Example: Get a TOTP Code
+[![Build Status](https://github.com/PR0M3TH3AN/Archivox/actions/workflows/ci.yml/badge.svg)](https://github.com/PR0M3TH3AN/Archivox/actions/workflows/ci.yml)

-Run `seedpass entry get <query>` to retrieve a time-based one-time password (TOTP).
-The `<query>` can be a label, title, or index. A progress bar shows the remaining
-seconds in the current period.
+## Features
+- Markdown based pages with automatic navigation
+- Responsive layout with sidebar and search powered by Lunr.js
+- Simple configuration through `config.yaml`
+- Extensible via plugins and custom templates
+
+## Getting Started
+Install the dependencies and start the development server:

 ```bash
-$ seedpass entry get "email"
-[##########----------] 15s
-Code: 123456
+npm install
+npm run dev
 ```

-To show all stored TOTP codes with their countdown timers, run:
+The site will be available at `http://localhost:8080`. Edit files inside the `content/` directory to update pages.
+
+To create a new project from the starter template you can run:

 ```bash
-$ seedpass entry totp-codes
+npx create-archivox my-docs --install
 ```

-## CLI and API Reference
+## Building
+When you are ready to publish your documentation run:

-See [advanced_cli.md](advanced_cli.md) for a list of command examples. Detailed information about the REST API is available in [api_reference.md](api_reference.md). When starting the API, set `SEEDPASS_CORS_ORIGINS` if you need to allow requests from specific web origins.
+```bash
+npm run build
+```
+
+The generated site is placed in the `_site/` folder.
+
+## Customization
+- **`config.yaml`** – change the site title, theme options and other settings.
+- **`plugins/`** – add JavaScript files exporting hook functions such as `onPageRendered` to extend the build process.
+- **`templates/`** – modify or replace the Nunjucks templates for full control over the HTML.
+
+## Hosting
+Upload the contents of `_site/` to any static host. For Netlify you can use the provided `netlify.toml`:
+
+```toml
+[build]
+  command = "npm run build"
+  publish = "_site"
+```
+
+## Documentation
+See the files under the `docs/` directory for a full guide to Archivox including an integration tutorial for existing projects.
+
+Archivox is released under the MIT License.
--- a/docs/SPEC.md
+++ b/docs/SPEC.md
@@ -0,0 +1,44 @@
+# SeedPass Specification
+
+## Key Hierarchy
+
+SeedPass derives a hierarchy of keys from a single BIP-39 parent seed using HKDF:
+
+- **Master Key** – `HKDF(seed, "seedpass:v1:master")`
+- **KEY_STORAGE** – used to encrypt vault data.
+- **KEY_INDEX** – protects the metadata index.
+- **KEY_PW_DERIVE** – deterministic password generation.
+- **KEY_TOTP_DET** – deterministic TOTP secrets.
+
+Each context string keeps derived keys domain separated.
+
+## KDF Parameters
+
+Passwords are protected with **PBKDF2-HMAC-SHA256**. The default work factor is
+**50,000 iterations** but may be adjusted via the settings slider. The config
+stores a `KdfConfig` structure with the chosen iteration count, algorithm name,
+and the current spec version (`CURRENT_KDF_VERSION = 1`). Argon2 is available
+with a default `time_cost` of 2 when selected.
+
+## Message Formats
+
+SeedPass synchronizes profiles over Nostr using three event kinds:
+
+- **Manifest (`30070`)** – high level snapshot description and current version.
+- **Snapshot Chunk (`30071`)** – compressed, encrypted portions of the vault.
+- **Delta (`30072`)** – incremental changes since the last snapshot.
+
+Events encode JSON and include tags for checksums, fingerprints, and timestamps.
+
+## Versioning
+
+Configuration and KDF schemas are versioned so clients can migrate older
+profiles. Nostr events carry a version field in the manifest, and the software
+follows semantic versioning for releases.
+
+## Memory Protection
+
+SeedPass encrypts sensitive values in memory and attempts to wipe them when no
+longer needed. This zeroization is best-effort only; Python's memory management
+may retain copies of decrypted data. Critical cryptographic operations may move
+to a Rust/WASM module in the future to provide stronger guarantees.
--- a/docs/tests/buildNav.test.js
+++ b/docs/tests/buildNav.test.js
@@ -0,0 +1,34 @@
+const { buildNav } = require('../src/generator');
+
+test('generates navigation tree', () => {
+  const pages = [
+    { file: 'guide/install.md', data: { title: 'Install', order: 1 } },
+    { file: 'guide/usage.md', data: { title: 'Usage', order: 2 } },
+    { file: 'guide/nested/info.md', data: { title: 'Info', order: 1 } }
+  ];
+  const tree = buildNav(pages);
+  const guide = tree.find(n => n.name === 'guide');
+  expect(guide).toBeDefined();
+  expect(guide.children.length).toBe(3);
+  const install = guide.children.find(c => c.name === 'install.md');
+  expect(install.path).toBe('/guide/install.html');
+});
+
+test('adds display names and section flags', () => {
+  const pages = [
+    { file: '02-api.md', data: { title: 'API', order: 2 } },
+    { file: '01-guide/index.md', data: { title: 'Guide', order: 1 } },
+    { file: '01-guide/setup.md', data: { title: 'Setup', order: 2 } },
+    { file: 'index.md', data: { title: 'Home', order: 10 } }
+  ];
+  const nav = buildNav(pages);
+  expect(nav[0].name).toBe('index.md');
+  const guide = nav.find(n => n.name === '01-guide');
+  expect(guide.displayName).toBe('Guide');
+  expect(guide.isSection).toBe(true);
+  const api = nav.find(n => n.name === '02-api.md');
+  expect(api.displayName).toBe('API');
+  // alphabetical within same order
+  expect(nav[1].name).toBe('01-guide');
+  expect(nav[2].name).toBe('02-api.md');
+});
--- a/docs/tests/loadConfig.test.js
+++ b/docs/tests/loadConfig.test.js
@@ -0,0 +1,13 @@
+const fs = require('fs');
+const path = require('path');
+const loadConfig = require('../src/config/loadConfig');
+
+test('loads configuration and merges defaults', () => {
+  const dir = fs.mkdtempSync(path.join(__dirname, 'cfg-'));
+  const file = path.join(dir, 'config.yaml');
+  fs.writeFileSync(file, 'site:\n  title: Test Site\n');
+  const cfg = loadConfig(file);
+  expect(cfg.site.title).toBe('Test Site');
+  expect(cfg.navigation.search).toBe(true);
+  fs.rmSync(dir, { recursive: true, force: true });
+});
--- a/docs/tests/pluginHooks.test.js
+++ b/docs/tests/pluginHooks.test.js
@@ -0,0 +1,23 @@
+const fs = require('fs');
+const path = require('path');
+const loadPlugins = require('../src/config/loadPlugins');
+
+test('plugin hook modifies data', async () => {
+  const dir = fs.mkdtempSync(path.join(require('os').tmpdir(), 'plugins-'));
+  const pluginFile = path.join(dir, 'test.plugin.js');
+  fs.writeFileSync(
+    pluginFile,
+    "module.exports = { onParseMarkdown: ({ content }) => ({ content: content + '!!' }) };\n"
+  );
+
+  const plugins = loadPlugins({ pluginsDir: dir, plugins: ['test.plugin'] });
+  let data = { content: 'hello' };
+  for (const plugin of plugins) {
+    if (typeof plugin.onParseMarkdown === 'function') {
+      const res = await plugin.onParseMarkdown(data);
+      if (res !== undefined) data = res;
+    }
+  }
+  expect(data.content).toBe('hello!!');
+  fs.rmSync(dir, { recursive: true, force: true });
+});
--- a/docs/tests/renderMarkdown.test.js
+++ b/docs/tests/renderMarkdown.test.js
@@ -0,0 +1,77 @@
+jest.mock('@11ty/eleventy', () => {
+  const fs = require('fs');
+  const path = require('path');
+  return class Eleventy {
+    constructor(input, output) {
+      this.input = input;
+      this.output = output;
+    }
+    setConfig() {}
+    async write() {
+      const walk = d => {
+        const entries = fs.readdirSync(d, { withFileTypes: true });
+        let files = [];
+        for (const e of entries) {
+          const p = path.join(d, e.name);
+          if (e.isDirectory()) files = files.concat(walk(p));
+          else if (p.endsWith('.md')) files.push(p);
+        }
+        return files;
+      };
+      for (const file of walk(this.input)) {
+        const rel = path.relative(this.input, file).replace(/\.md$/, '.html');
+        const dest = path.join(this.output, rel);
+        fs.mkdirSync(path.dirname(dest), { recursive: true });
+        fs.writeFileSync(dest, '<header></header><aside class="sidebar"></aside>');
+      }
+    }
+  };
+});
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { generate } = require('../src/generator');
+
+function getPaths(tree) {
+  const paths = [];
+  for (const node of tree) {
+    if (node.path) paths.push(node.path);
+    if (node.children) paths.push(...getPaths(node.children));
+  }
+  return paths;
+}
+
+test('markdown files render with layout and appear in nav/search', async () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'df-test-'));
+  const contentDir = path.join(tmp, 'content');
+  const outputDir = path.join(tmp, '_site');
+  fs.mkdirSync(path.join(contentDir, 'guide'), { recursive: true });
+  fs.writeFileSync(path.join(contentDir, 'index.md'), '# Home\nWelcome');
+  fs.writeFileSync(path.join(contentDir, 'guide', 'install.md'), '# Install\nSteps');
+  const configPath = path.join(tmp, 'config.yaml');
+  fs.writeFileSync(configPath, 'site:\n  title: Test\n');
+
+  await generate({ contentDir, outputDir, configPath });
+
+  const indexHtml = fs.readFileSync(path.join(outputDir, 'index.html'), 'utf8');
+  const installHtml = fs.readFileSync(path.join(outputDir, 'guide', 'install.html'), 'utf8');
+  expect(indexHtml).toContain('<header');
+  expect(indexHtml).toContain('<aside class="sidebar"');
+  expect(installHtml).toContain('<header');
+  expect(installHtml).toContain('<aside class="sidebar"');
+
+  const nav = JSON.parse(fs.readFileSync(path.join(outputDir, 'navigation.json'), 'utf8'));
+  const navPaths = getPaths(nav);
+  expect(navPaths).toContain('/index.html');
+  expect(navPaths).toContain('/guide/install.html');
+
+  const search = JSON.parse(fs.readFileSync(path.join(outputDir, 'search-index.json'), 'utf8'));
+  const docs = search.docs.map(d => d.id);
+  expect(docs).toContain('index.html');
+  expect(docs).toContain('guide/install.html');
+  const installDoc = search.docs.find(d => d.id === 'guide/install.html');
+  expect(installDoc.body).toContain('Steps');
+
+  fs.rmSync(tmp, { recursive: true, force: true });
+});
--- a/docs/tests/responsive.test.js
+++ b/docs/tests/responsive.test.js
@@ -0,0 +1,128 @@
+jest.mock('@11ty/eleventy', () => {
+  const fs = require('fs');
+  const path = require('path');
+  return class Eleventy {
+    constructor(input, output) {
+      this.input = input;
+      this.output = output;
+    }
+    setConfig() {}
+    async write() {
+      const walk = d => {
+        const entries = fs.readdirSync(d, { withFileTypes: true });
+        let files = [];
+        for (const e of entries) {
+          const p = path.join(d, e.name);
+          if (e.isDirectory()) files = files.concat(walk(p));
+          else if (p.endsWith('.md')) files.push(p);
+        }
+        return files;
+      };
+      for (const file of walk(this.input)) {
+        const rel = path.relative(this.input, file).replace(/\.md$/, '.html');
+        const dest = path.join(this.output, rel);
+        fs.mkdirSync(path.dirname(dest), { recursive: true });
+        fs.writeFileSync(
+          dest,
+          `<!DOCTYPE html><html><head><link rel="stylesheet" href="/assets/theme.css"></head><body><header><button id="sidebar-toggle" class="sidebar-toggle">☰</button></header><div class="container"><aside class="sidebar"></aside><main></main></div><script src="/assets/theme.js"></script></body></html>`
+        );
+      }
+    }
+  };
+});
+
+const fs = require('fs');
+const path = require('path');
+const http = require('http');
+const os = require('os');
+const puppeteer = require('puppeteer');
+const { generate } = require('../src/generator');
+
+jest.setTimeout(30000);
+
+let server;
+let browser;
+let port;
+let tmp;
+
+beforeAll(async () => {
+  tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'df-responsive-'));
+  const contentDir = path.join(tmp, 'content');
+  const outputDir = path.join(tmp, '_site');
+  fs.mkdirSync(contentDir, { recursive: true });
+  fs.writeFileSync(path.join(contentDir, 'index.md'), '# Home\n');
+  await generate({ contentDir, outputDir });
+  fs.cpSync(path.join(__dirname, '../assets'), path.join(outputDir, 'assets'), { recursive: true });
+
+  server = http.createServer((req, res) => {
+    let filePath = path.join(outputDir, req.url === '/' ? 'index.html' : req.url);
+    if (req.url.startsWith('/assets')) {
+      filePath = path.join(outputDir, req.url);
+    }
+    fs.readFile(filePath, (err, data) => {
+      if (err) {
+        res.writeHead(404);
+        res.end('Not found');
+        return;
+      }
+      const ext = path.extname(filePath).slice(1);
+      const type = { html: 'text/html', js: 'text/javascript', css: 'text/css' }[ext] || 'application/octet-stream';
+      res.writeHead(200, { 'Content-Type': type });
+      res.end(data);
+    });
+  });
+  await new Promise(resolve => {
+    server.listen(0, () => {
+      port = server.address().port;
+      resolve();
+    });
+  });
+
+  browser = await puppeteer.launch({ args: ['--no-sandbox', '--disable-setuid-sandbox'] });
+});
+
+afterAll(async () => {
+  if (browser) await browser.close();
+  if (server) server.close();
+  fs.rmSync(tmp, { recursive: true, force: true });
+});
+
+test('sidebar opens on small screens', async () => {
+  const page = await browser.newPage();
+  await page.setViewport({ width: 500, height: 800 });
+  await page.goto(`http://localhost:${port}/`);
+  await page.waitForSelector('#sidebar-toggle');
+  await page.click('#sidebar-toggle');
+  await new Promise(r => setTimeout(r, 300));
+  const bodyClass = await page.evaluate(() => document.body.classList.contains('sidebar-open'));
+  const sidebarLeft = await page.evaluate(() => getComputedStyle(document.querySelector('.sidebar')).left);
+  expect(bodyClass).toBe(true);
+  expect(sidebarLeft).toBe('0px');
+});
+
+test('clicking outside closes sidebar on small screens', async () => {
+  const page = await browser.newPage();
+  await page.setViewport({ width: 500, height: 800 });
+  await page.goto(`http://localhost:${port}/`);
+  await page.waitForSelector('#sidebar-toggle');
+  await page.click('#sidebar-toggle');
+  await new Promise(r => setTimeout(r, 300));
+  await page.click('main');
+  await new Promise(r => setTimeout(r, 300));
+  const bodyClass = await page.evaluate(() => document.body.classList.contains('sidebar-open'));
+  expect(bodyClass).toBe(false);
+});
+
+test('sidebar toggles on large screens', async () => {
+  const page = await browser.newPage();
+  await page.setViewport({ width: 1024, height: 800 });
+  await page.goto(`http://localhost:${port}/`);
+  await page.waitForSelector('#sidebar-toggle');
+  await new Promise(r => setTimeout(r, 300));
+  let sidebarWidth = await page.evaluate(() => getComputedStyle(document.querySelector('.sidebar')).width);
+  expect(sidebarWidth).toBe('240px');
+  await page.click('#sidebar-toggle');
+  await new Promise(r => setTimeout(r, 300));
+  sidebarWidth = await page.evaluate(() => getComputedStyle(document.querySelector('.sidebar')).width);
+  expect(sidebarWidth).toBe('0px');
+});
--- a/docs/api_reference.md
+++ b/docs/api_reference.md
@@ -1,137 +0,0 @@
-# SeedPass REST API Reference
-
-This guide covers how to start the SeedPass API, authenticate requests, and interact with the available endpoints.
-
-## Starting the API
-
-Run `seedpass api start` from your terminal. The command prints a one‑time token used for authentication:
-
-```bash
-$ seedpass api start
-API token: abcdef1234567890
-```
-
-Keep this token secret. Every request must include it in the `Authorization` header using the `Bearer` scheme.
-
-## Endpoints
-
- `GET /api/v1/entry?query=<text>` – Search entries matching a query.
- `GET /api/v1/entry/{id}` – Retrieve a single entry by its index.
- `POST /api/v1/entry` – Create a new entry of any supported type.
- `PUT /api/v1/entry/{id}` – Modify an existing entry.
- `PUT /api/v1/config/{key}` – Update a configuration value.
- `POST /api/v1/secret-mode` – Enable or disable Secret Mode and set the clipboard delay.
- `POST /api/v1/entry/{id}/archive` – Archive an entry.
- `POST /api/v1/entry/{id}/unarchive` – Unarchive an entry.
- `GET /api/v1/config/{key}` – Return the value for a configuration key.
- `GET /api/v1/fingerprint` – List available seed fingerprints.
- `POST /api/v1/fingerprint` – Add a new seed fingerprint.
- `DELETE /api/v1/fingerprint/{fp}` – Remove a fingerprint.
- `POST /api/v1/fingerprint/select` – Switch the active fingerprint.
- `GET /api/v1/totp/export` – Export all TOTP entries as JSON.
- `GET /api/v1/totp` – Return current TOTP codes and remaining time.
- `GET /api/v1/stats` – Return statistics about the active seed profile.
- `GET /api/v1/parent-seed` – Reveal the parent seed or save it with `?file=`.
- `GET /api/v1/nostr/pubkey` – Fetch the Nostr public key for the active seed.
- `POST /api/v1/checksum/verify` – Verify the checksum of the running script.
- `POST /api/v1/checksum/update` – Update the stored script checksum.
- `POST /api/v1/change-password` – Change the master password for the active profile.
- `POST /api/v1/vault/import` – Import a vault backup from a file or path.
- `POST /api/v1/vault/lock` – Lock the vault and clear sensitive data from memory.
- `POST /api/v1/shutdown` – Stop the server gracefully.
-
-**Security Warning:** Accessing `/api/v1/parent-seed` exposes your master seed in plain text. Use it only from a trusted environment.
-
-## Example Requests
-
-Send requests with the token in the header:
-
-```bash
-curl -H "Authorization: Bearer <token>" \
-     "http://127.0.0.1:8000/api/v1/entry?query=email"
-```
-
-### Creating an Entry
-
-`POST /api/v1/entry` accepts a JSON body with at least a `label` field. Set
-`type` (or `kind`) to choose the entry variant (`password`, `totp`, `ssh`, `pgp`,
-`nostr`, `seed`, `key_value`, or `managed_account`). Additional fields vary by
-type:
-
- **password** – `length`, optional `username`, `url` and `notes`
- **totp** – `secret` or `index`, optional `period`, `digits`, `notes`, `archived`
- **ssh/nostr/seed/managed_account** – `index`, optional `notes`, `archived`
- **pgp** – `index`, `key_type`, `user_id`, optional `notes`, `archived`
- **key_value** – `value`, optional `notes`
-
-Example creating a TOTP entry:
-
-```bash
-curl -X POST http://127.0.0.1:8000/api/v1/entry \
-     -H "Authorization: Bearer <token>" \
-     -H "Content-Type: application/json" \
-     -d '{"type": "totp", "label": "Email", "secret": "JBSW..."}'
-```
-
-### Updating an Entry
-
-Use `PUT /api/v1/entry/{id}` to change fields such as `label`, `username`,
-`url`, `notes`, `period`, `digits` or `value` depending on the entry type.
-
-```bash
-curl -X PUT http://127.0.0.1:8000/api/v1/entry/1 \
-     -H "Authorization: Bearer <token>" \
-     -H "Content-Type: application/json" \
-     -d '{"username": "alice"}'
-```
-
-### Updating Configuration
-
-Send a JSON body containing a `value` field to `PUT /api/v1/config/{key}`:
-
-```bash
-curl -X PUT http://127.0.0.1:8000/api/v1/config/inactivity_timeout \
-     -H "Authorization: Bearer <token>" \
-     -H "Content-Type: application/json" \
-     -d '{"value": 300}'
-```
-
-### Toggling Secret Mode
-
-Send both `enabled` and `delay` values to `/api/v1/secret-mode`:
-
-```bash
-curl -X POST http://127.0.0.1:8000/api/v1/secret-mode \
-     -H "Authorization: Bearer <token>" \
-     -H "Content-Type: application/json" \
-     -d '{"enabled": true, "delay": 20}'
-```
-
-### Switching Fingerprints
-
-Change the active seed profile via `POST /api/v1/fingerprint/select`:
-
-```bash
-curl -X POST http://127.0.0.1:8000/api/v1/fingerprint/select \
-     -H "Authorization: Bearer <token>" \
-     -H "Content-Type: application/json" \
-     -d '{"fingerprint": "abc123"}'
-```
-
-### Enabling CORS
-
-Cross‑origin requests are disabled by default. Set `SEEDPASS_CORS_ORIGINS` to a comma‑separated list of allowed origins before starting the API:
-
-```bash
-SEEDPASS_CORS_ORIGINS=http://localhost:3000 seedpass api start
-```
-
-Browsers can then call the API from the specified origins, for example using JavaScript:
-
-```javascript
-fetch('http://127.0.0.1:8000/api/v1/entry?query=email', {
-  headers: { Authorization: 'Bearer <token>' }
-});
-```
-
-Without CORS enabled, only same‑origin or command‑line tools like `curl` can access the API.
--- a/docs/assets/lunr.js
+++ b/docs/assets/lunr.js
--- a/docs/assets/theme.css
+++ b/docs/assets/theme.css
@@ -0,0 +1,160 @@
+:root {
+  --bg-color: #ffffff;
+  --text-color: #333333;
+  --sidebar-bg: #f3f3f3;
+  --sidebar-width: 240px;
+}
+[data-theme="dark"] {
+  --bg-color: #222222;
+  --text-color: #eeeeee;
+  --sidebar-bg: #333333;
+}
+body {
+  margin: 0;
+  background: var(--bg-color);
+  color: var(--text-color);
+  font-family: Arial, sans-serif;
+  display: flex;
+  flex-direction: column;
+  min-height: 100vh;
+}
+.header {
+  display: flex;
+  align-items: center;
+  padding: 0.5rem 1rem;
+  background: var(--sidebar-bg);
+  position: sticky;
+  top: 0;
+  z-index: 1100;
+}
+.search-input {
+  margin-left: auto;
+  padding: 0.25rem;
+}
+.search-results {
+  display: none;
+  position: absolute;
+  right: 1rem;
+  top: 100%;
+  background: var(--bg-color);
+  border: 1px solid #ccc;
+  width: 250px;
+  max-height: 200px;
+  overflow-y: auto;
+  z-index: 100;
+}
+.search-results a {
+  display: block;
+  padding: 0.25rem;
+  color: var(--text-color);
+  text-decoration: none;
+}
+.search-results a:hover {
+  background: var(--sidebar-bg);
+}
+.search-results .no-results {
+  padding: 0.25rem;
+}
+.logo { text-decoration: none; color: var(--text-color); font-weight: bold; }
+.sidebar-toggle,
+.theme-toggle { background: none; border: none; font-size: 1.2rem; margin-right: 1rem; cursor: pointer; }
+.container { display: flex; flex: 1; }
+.sidebar {
+  width: var(--sidebar-width);
+  background: var(--sidebar-bg);
+  padding: 1rem;
+  box-sizing: border-box;
+}
+.sidebar ul { list-style: none; padding: 0; margin: 0; }
+.sidebar li { margin: 0.25rem 0; }
+.sidebar a { text-decoration: none; color: var(--text-color); display: block; padding: 0.25rem 0; }
+.sidebar nav { font-size: 0.9rem; }
+.nav-link:hover { text-decoration: underline; }
+.nav-link.active { font-weight: bold; }
+.nav-section summary {
+  list-style: none;
+  cursor: pointer;
+  position: relative;
+  display: flex;
+  align-items: center;
+}
+.nav-section summary::-webkit-details-marker { display: none; }
+.nav-section summary::before {
+  content: '▸';
+  display: inline-block;
+  margin-right: 0.25rem;
+  transition: transform 0.2s ease;
+}
+.nav-section[open] > summary::before { transform: rotate(90deg); }
+.nav-level { padding-left: 1rem; margin-left: 0.5rem; border-left: 2px solid #ccc; }
+.sidebar ul ul { padding-left: 1rem; margin-left: 0.5rem; border-left: 2px solid #ccc; }
+main {
+  flex: 1;
+  padding: 2rem;
+}
+.breadcrumbs a { color: var(--text-color); text-decoration: none; }
+.footer {
+  text-align: center;
+  padding: 1rem;
+  background: var(--sidebar-bg);
+  position: relative;
+}
+.footer-links {
+  margin-bottom: 0.5rem;
+}
+.footer-links a {
+  margin: 0 0.5rem;
+  text-decoration: none;
+  color: var(--text-color);
+}
+.footer-permanent-links {
+  position: absolute;
+  right: 0.5rem;
+  bottom: 0.25rem;
+  font-size: 0.8rem;
+  opacity: 0.7;
+}
+.footer-permanent-links a {
+  margin-left: 0.5rem;
+  text-decoration: none;
+  color: var(--text-color);
+}
+
+.sidebar-overlay {
+  display: none;
+}
+@media (max-width: 768px) {
+  body.sidebar-open .sidebar-overlay {
+    display: block;
+    position: fixed;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    background: rgba(0, 0, 0, 0.3);
+    z-index: 999;
+  }
+}
+@media (max-width: 768px) {
+  .sidebar {
+    position: fixed;
+    left: -100%;
+    top: 0;
+    height: 100%;
+    overflow-y: auto;
+    transition: none;
+    z-index: 1000;
+  }
+  body.sidebar-open .sidebar { left: 0; }
+}
+
+@media (min-width: 769px) {
+  .sidebar {
+    transition: width 0.2s ease;
+  }
+  body:not(.sidebar-open) .sidebar {
+    width: 0;
+    padding: 0;
+    overflow: hidden;
+  }
+}
--- a/docs/assets/theme.js
+++ b/docs/assets/theme.js
@@ -0,0 +1,107 @@
+document.addEventListener('DOMContentLoaded', () => {
+  const sidebarToggle = document.getElementById('sidebar-toggle');
+  const themeToggle = document.getElementById('theme-toggle');
+  const searchInput = document.getElementById('search-input');
+  const searchResults = document.getElementById('search-results');
+  const sidebar = document.getElementById('sidebar');
+  const sidebarOverlay = document.getElementById('sidebar-overlay');
+  const root = document.documentElement;
+
+  function setTheme(theme) {
+    root.dataset.theme = theme;
+    localStorage.setItem('theme', theme);
+  }
+  const stored = localStorage.getItem('theme');
+  if (stored) setTheme(stored);
+
+  if (window.innerWidth > 768) {
+    document.body.classList.add('sidebar-open');
+  }
+
+  sidebarToggle?.addEventListener('click', () => {
+    document.body.classList.toggle('sidebar-open');
+  });
+
+  sidebarOverlay?.addEventListener('click', () => {
+    document.body.classList.remove('sidebar-open');
+  });
+
+  themeToggle?.addEventListener('click', () => {
+    const next = root.dataset.theme === 'dark' ? 'light' : 'dark';
+    setTheme(next);
+  });
+
+  // search
+  let lunrIndex;
+  let docs = [];
+  async function loadIndex() {
+    if (lunrIndex) return;
+    try {
+      const res = await fetch('/search-index.json');
+      const data = await res.json();
+      lunrIndex = lunr.Index.load(data.index);
+      docs = data.docs;
+    } catch (e) {
+      console.error('Search index failed to load', e);
+    }
+  }
+
+  function highlight(text, q) {
+    const re = new RegExp('(' + q.replace(/[.*+?^${}()|[\\]\\]/g, '\\$&') + ')', 'gi');
+    return text.replace(re, '<mark>$1</mark>');
+  }
+
+  searchInput?.addEventListener('input', async e => {
+    const q = e.target.value.trim();
+    await loadIndex();
+    if (!lunrIndex || !q) {
+      searchResults.style.display = 'none';
+      searchResults.innerHTML = '';
+      return;
+    }
+    const matches = lunrIndex.search(q);
+    searchResults.innerHTML = '';
+    if (!matches.length) {
+      searchResults.innerHTML = '<div class="no-results">No matches found</div>';
+      searchResults.style.display = 'block';
+      return;
+    }
+    matches.forEach(m => {
+      const doc = docs.find(d => d.id === m.ref);
+      if (!doc) return;
+      const a = document.createElement('a');
+      a.href = doc.url;
+      const snippet = doc.body ? doc.body.slice(0, 160) + (doc.body.length > 160 ? '...' : '') : '';
+      a.innerHTML = '<strong>' + highlight(doc.title, q) + '</strong><br><small>' + highlight(snippet, q) + '</small>';
+      searchResults.appendChild(a);
+    });
+    searchResults.style.display = 'block';
+  });
+
+  document.addEventListener('click', e => {
+    if (!searchResults.contains(e.target) && e.target !== searchInput) {
+      searchResults.style.display = 'none';
+    }
+    if (
+      window.innerWidth <= 768 &&
+      document.body.classList.contains('sidebar-open') &&
+      sidebar &&
+      !sidebar.contains(e.target) &&
+      e.target !== sidebarToggle
+    ) {
+      document.body.classList.remove('sidebar-open');
+    }
+  });
+
+  // breadcrumbs
+  const bc = document.getElementById('breadcrumbs');
+  if (bc) {
+    const parts = location.pathname.split('/').filter(Boolean);
+    let path = '';
+    bc.innerHTML = '<a href="/">Home</a>';
+    parts.forEach((p) => {
+      path += '/' + p;
+      bc.innerHTML += ' / <a href="' + path + '">' + p.replace(/-/g, ' ') + '</a>';
+    });
+  }
+});
--- a/docs/bin/create-archivox.js
+++ b/docs/bin/create-archivox.js
@@ -0,0 +1,45 @@
+#!/usr/bin/env node
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+function copyDir(src, dest) {
+  fs.mkdirSync(dest, { recursive: true });
+  for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+    if (entry.isDirectory()) {
+      copyDir(srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+
+function main() {
+  const args = process.argv.slice(2);
+  const install = args.includes('--install');
+  const targetArg = args.find(a => !a.startsWith('-')) || '.';
+  const targetDir = path.resolve(process.cwd(), targetArg);
+
+  const templateDir = path.join(__dirname, '..', 'starter');
+  copyDir(templateDir, targetDir);
+
+  const pkgPath = path.join(targetDir, 'package.json');
+  if (fs.existsSync(pkgPath)) {
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+    const version = require('../package.json').version;
+    if (pkg.dependencies && pkg.dependencies.archivox)
+      pkg.dependencies.archivox = `^${version}`;
+    pkg.name = path.basename(targetDir);
+    fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2));
+  }
+
+  if (install) {
+    execSync('npm install', { cwd: targetDir, stdio: 'inherit' });
+  }
+
+  console.log(`Archivox starter created at ${targetDir}`);
+}
+
+main();
--- a/docs/build-docs.js
+++ b/docs/build-docs.js
@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+const path = require('path');
+const { generate } = require('./src/generator');
+
+(async () => {
+  try {
+    const contentDir = path.join(__dirname, 'docs', 'content');
+    const configPath = path.join(__dirname, 'docs', 'config.yaml');
+    const outputDir = path.join(__dirname, '_site');
+    await generate({ contentDir, outputDir, configPath });
+  } catch (err) {
+    console.error(err);
+    process.exit(1);
+  }
+})();
--- a/docs/docs/config.yaml
+++ b/docs/docs/config.yaml
@@ -0,0 +1,12 @@
+site:
+  title: "SeedPass Docs"
+  description: "One seed to rule them all."
+
+navigation:
+  search: true
+
+footer:
+  links:
+    - text: "SeedPass"
+      url: "https://seedpass.me/"
+
--- a/docs/docs/content/01-getting-started/01-advanced_cli.md
+++ b/docs/docs/content/01-getting-started/01-advanced_cli.md
@@ -49,15 +49,15 @@ Manage individual entries within a vault.
 | List entries | `entry list` | `seedpass entry list --sort label` |
 | Search for entries | `entry search` | `seedpass entry search "GitHub"` |
 | Retrieve an entry's secret (password or TOTP code) | `entry get` | `seedpass entry get "GitHub"` |
-| Add a password entry | `entry add` | `seedpass entry add Example --length 16` |
+| Add a password entry | `entry add` | `seedpass entry add Example --length 16 --no-special --exclude-ambiguous` |
 | Add a TOTP entry | `entry add-totp` | `seedpass entry add-totp Email --secret JBSW...` |
 | Add an SSH key entry | `entry add-ssh` | `seedpass entry add-ssh Server --index 0` |
 | Add a PGP key entry | `entry add-pgp` | `seedpass entry add-pgp Personal --user-id me@example.com` |
 | Add a Nostr key entry | `entry add-nostr` | `seedpass entry add-nostr Chat` |
 | Add a seed phrase entry | `entry add-seed` | `seedpass entry add-seed Backup --words 24` |
-| Add a key/value entry | `entry add-key-value` | `seedpass entry add-key-value "API Token" --value abc123` |
+| Add a key/value entry | `entry add-key-value` | `seedpass entry add-key-value "API Token" --key api --value abc123` |
 | Add a managed account entry | `entry add-managed-account` | `seedpass entry add-managed-account Trading` |
-| Modify an entry | `entry modify` | `seedpass entry modify 1 --username alice` |
+| Modify an entry | `entry modify` | `seedpass entry modify 1 --key new --value updated` |
 | Archive an entry | `entry archive` | `seedpass entry archive 1` |
 | Unarchive an entry | `entry unarchive` | `seedpass entry unarchive 1` |
 | Export all TOTP secrets | `entry export-totp` | `seedpass entry export-totp --file totp.json` |
@@ -70,14 +70,15 @@ Manage the entire vault for a profile.
 | Action | Command | Examples |
 | :--- | :--- | :--- |
 | Export the vault | `vault export` | `seedpass vault export --file backup.json` |
-| Import a vault | `vault import` | `seedpass vault import --file backup.json` |
+| Import a vault | `vault import` | `seedpass vault import --file backup.json` *(also syncs with Nostr)* |
 | Change the master password | `vault change-password` | `seedpass vault change-password` |
 | Lock the vault | `vault lock` | `seedpass vault lock` |
 | Show profile statistics | `vault stats` | `seedpass vault stats` |
+| Reveal or back up the parent seed | `vault reveal-parent-seed` | `seedpass vault reveal-parent-seed --file backup.enc` |

 ### Nostr Commands

-Interact with the Nostr network for backup and synchronization.
+Interact with the Nostr network for backup and synchronization. Offline mode is enabled by default, so disable it with `seedpass config toggle-offline` before using these commands.

 | Action | Command | Examples |
 | :--- | :--- | :--- |
@@ -90,8 +91,9 @@ Manage profile‑specific settings.

 | Action | Command | Examples |
 | :--- | :--- | :--- |
-| Get a setting value | `config get` | `seedpass config get inactivity_timeout` |
-| Set a setting value | `config set` | `seedpass config set inactivity_timeout 300` |
+| Get a setting value | `config get` | `seedpass config get kdf_iterations` |
+| Set a setting value | `config set` | `seedpass config set backup_interval 3600` |
+| Toggle offline mode | `config toggle-offline` | `seedpass config toggle-offline` |

 ### Fingerprint Commands

@@ -110,10 +112,14 @@ Miscellaneous helper commands.

 | Action | Command | Examples |
 | :--- | :--- | :--- |
-| Generate a password | `util generate-password` | `seedpass util generate-password --length 24` |
+| Generate a password | `util generate-password` | `seedpass util generate-password --length 24 --special-mode safe --exclude-ambiguous` |
 | Verify script checksum | `util verify-checksum` | `seedpass util verify-checksum` |
 | Update script checksum | `util update-checksum` | `seedpass util update-checksum` |

+If you see a startup warning about a script checksum mismatch,
+run `seedpass util update-checksum` or choose "Generate Script Checksum"
+from the Settings menu to update the stored value.
+
 ### API Commands

 Run or stop the local HTTP API.
@@ -121,7 +127,7 @@ Run or stop the local HTTP API.
 | Action | Command | Examples |
 | :--- | :--- | :--- |
 | Start the API | `api start` | `seedpass api start --host 0.0.0.0 --port 8000` |
-| Stop the API | `api stop` | `seedpass api stop` |
+| Stop the API | `api stop --token TOKEN` | `seedpass api stop --token <token>` |

 ---

@@ -130,17 +136,17 @@ Run or stop the local HTTP API.
 ### `entry` Commands

 - **`seedpass entry list`** – List entries in the vault, optionally sorted or filtered.
- **`seedpass entry search <query>`** – Search across labels, usernames, URLs and notes.
+- **`seedpass entry search <query>`** – Search across labels, usernames, URLs and notes. Results show the entry type before each label.
 - **`seedpass entry get <query>`** – Retrieve the password or TOTP code for one matching entry, depending on the entry's type.
- **`seedpass entry add <label>`** – Create a new password entry. Use `--length` to set the password length and optional `--username`/`--url` values.
+- **`seedpass entry add <label>`** – Create a new password entry. Use `--length` and flags like `--no-special`, `--special-mode safe`, or `--exclude-ambiguous` to override the global policy.
 - **`seedpass entry add-totp <label>`** – Create a TOTP entry. Use `--secret` to import an existing secret or `--index` to derive from the seed.
 - **`seedpass entry add-ssh <label>`** – Create an SSH key entry derived from the seed.
 - **`seedpass entry add-pgp <label>`** – Create a PGP key entry. Provide `--user-id` and `--key-type` as needed.
 - **`seedpass entry add-nostr <label>`** – Create a Nostr key entry for decentralised chat.
 - **`seedpass entry add-seed <label>`** – Store a derived seed phrase. Use `--words` to set the word count.
- **`seedpass entry add-key-value <label>`** – Store arbitrary data with `--value`.
+ - **`seedpass entry add-key-value <label>`** – Store arbitrary data with `--key` and `--value`.
 - **`seedpass entry add-managed-account <label>`** – Store a BIP‑85 derived account seed.
- **`seedpass entry modify <id>`** – Update an entry's label, username, URL or notes.
+- **`seedpass entry modify <id>`** – Update an entry's fields. For key/value entries you can change the label, key and value.
 - **`seedpass entry archive <id>`** – Mark an entry as archived so it is hidden from normal lists.
 - **`seedpass entry unarchive <id>`** – Restore an archived entry.
 - **`seedpass entry export-totp --file <path>`** – Export all stored TOTP secrets to a JSON file.
@@ -154,13 +160,22 @@ $ seedpass entry get "email"
 Code: 123456
 ```

+### Viewing Entry Details
+
+Picking an entry from `entry list` or `entry search` displays its metadata first
+so you can review the label, username and notes. Sensitive fields are hidden
+until you confirm you want to reveal them. After showing the secret, the details
+view offers the same actions as `entry get`—edit the entry, archive it or show
+QR codes for supported types.
+
 ### `vault` Commands

 - **`seedpass vault export`** – Export the entire vault to an encrypted JSON file.
- **`seedpass vault import`** – Import a vault from an encrypted JSON file.
+- **`seedpass vault import`** – Import a vault from an encrypted JSON file and automatically sync via Nostr.
 - **`seedpass vault change-password`** – Change the master password used for encryption.
 - **`seedpass vault lock`** – Clear sensitive data from memory and require reauthentication.
 - **`seedpass vault stats`** – Display statistics about the active seed profile.
+- **`seedpass vault reveal-parent-seed`** – Print the parent seed or write an encrypted backup with `--file`.

 ### `nostr` Commands

@@ -169,9 +184,10 @@ Code: 123456

 ### `config` Commands

- **`seedpass config get <key>`** – Retrieve a configuration value such as `inactivity_timeout`, `secret_mode`, or `auto_sync`.
- **`seedpass config set <key> <value>`** – Update a configuration option. Example: `seedpass config set inactivity_timeout 300`.
+- **`seedpass config get <key>`** – Retrieve a configuration value such as `kdf_iterations`, `backup_interval`, `inactivity_timeout`, `secret_mode_enabled`, `clipboard_clear_delay`, `additional_backup_path`, `relays`, `quick_unlock`, `nostr_max_retries`, `nostr_retry_delay`, or password policy fields like `min_uppercase`.
+- **`seedpass config set <key> <value>`** – Update a configuration option. Example: `seedpass config set kdf_iterations 200000`. Use keys like `min_uppercase`, `min_lowercase`, `min_digits`, `min_special`, `include_special_chars`, `allowed_special_chars`, `special_mode`, `exclude_ambiguous`, `nostr_max_retries`, `nostr_retry_delay`, or `quick_unlock` to adjust settings.
 - **`seedpass config toggle-secret-mode`** – Interactively enable or disable Secret Mode and set the clipboard delay.
+- **`seedpass config toggle-offline`** – Enable or disable offline mode to skip Nostr operations.

 ### `fingerprint` Commands

@@ -198,7 +214,7 @@ Set the `SEEDPASS_CORS_ORIGINS` environment variable to a comma‑separated list
 SEEDPASS_CORS_ORIGINS=http://localhost:3000 seedpass api start
 ```

-Shut down the server with `seedpass api stop`.
+Shut down the server with `seedpass api stop --token <token>`.

 ---

@@ -206,5 +222,6 @@ Shut down the server with `seedpass api stop`.

 - Use the `--help` flag for details on any command.
 - Set a strong master password and regularly export encrypted backups.
- Adjust configuration values like `inactivity_timeout` or `secret_mode` through the `config` commands.
+- Adjust configuration values like `kdf_iterations`, `backup_interval`, `inactivity_timeout`, `secret_mode_enabled`, `nostr_max_retries`, `nostr_retry_delay`, or `quick_unlock` through the `config` commands.
+- Customize the global password policy with commands like `config set min_uppercase 3` or `config set special_mode safe`. When adding a password interactively you can override these values, choose a safe special-character set, and exclude ambiguous characters.
 - `entry get` is script‑friendly and can be piped into other commands.
--- a/docs/docs/content/01-getting-started/02-api_reference.md
+++ b/docs/docs/content/01-getting-started/02-api_reference.md
@@ -0,0 +1,299 @@
+# SeedPass REST API Reference
+
+This guide covers how to start the SeedPass API, authenticate requests, and interact with the available endpoints.
+
+**Note:** All UI layers, including the CLI, BeeWare GUI, and future adapters, consume this REST API through service classes in `seedpass.core`. See [docs/gui_adapter.md](docs/gui_adapter.md) for more details on the GUI integration.
+
+
+## Starting the API
+
+Run `seedpass api start` from your terminal. The command prints a short‑lived JWT token used for authentication:
+
+```bash
+$ seedpass api start
+API token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...
+```
+
+Keep this token secret and avoid logging it. Tokens expire after a few minutes and every request must include one in the `Authorization` header using the `Bearer` scheme.
+
+## Endpoints
+
+- `GET /api/v1/entry?query=<text>` – Search entries matching a query.
+- `GET /api/v1/entry/{id}` – Retrieve a single entry by its index. Requires an `X-SeedPass-Password` header.
+- `POST /api/v1/entry` – Create a new entry of any supported type.
+- `PUT /api/v1/entry/{id}` – Modify an existing entry.
+- `PUT /api/v1/config/{key}` – Update a configuration value.
+- `POST /api/v1/secret-mode` – Enable or disable Secret Mode and set the clipboard delay.
+- `POST /api/v1/entry/{id}/archive` – Archive an entry.
+- `POST /api/v1/entry/{id}/unarchive` – Unarchive an entry.
+- `GET /api/v1/config/{key}` – Return the value for a configuration key.
+- `GET /api/v1/fingerprint` – List available seed fingerprints.
+- `POST /api/v1/fingerprint` – Add a new seed fingerprint.
+- `DELETE /api/v1/fingerprint/{fp}` – Remove a fingerprint.
+- `POST /api/v1/fingerprint/select` – Switch the active fingerprint.
+- `GET /api/v1/totp/export` – Export all TOTP entries as JSON. Requires an `X-SeedPass-Password` header.
+- `GET /api/v1/totp` – Return current TOTP codes and remaining time. Requires an `X-SeedPass-Password` header.
+- `GET /api/v1/stats` – Return statistics about the active seed profile.
+- `GET /api/v1/notifications` – Retrieve and clear queued notifications. Messages appear in the persistent notification box but remain queued until fetched.
+- `GET /api/v1/nostr/pubkey` – Fetch the Nostr public key for the active seed.
+- `POST /api/v1/checksum/verify` – Verify the checksum of the running script.
+- `POST /api/v1/checksum/update` – Update the stored script checksum.
+- `POST /api/v1/change-password` – Change the master password for the active profile.
+- `POST /api/v1/vault/import` – Import a vault backup from a file or path.
+- `POST /api/v1/vault/export` – Export the vault and download the encrypted file. Requires an additional `X-SeedPass-Password` header.
+- `POST /api/v1/vault/backup-parent-seed` – Save an encrypted backup of the parent seed. Requires a `confirm` flag in the request body and an `X-SeedPass-Password` header.
+- `POST /api/v1/vault/lock` – Lock the vault and clear sensitive data from memory.
+- `GET /api/v1/relays` – List configured Nostr relays.
+- `POST /api/v1/relays` – Add a relay URL.
+- `DELETE /api/v1/relays/{idx}` – Remove the relay at the given index (1‑based).
+- `POST /api/v1/relays/reset` – Reset the relay list to defaults.
+- `POST /api/v1/shutdown` – Stop the server gracefully.
+
+
+## Secure Deployment
+
+Always run the API behind HTTPS. Use a reverse proxy such as Nginx or Caddy to terminate TLS and forward requests to SeedPass. Example Nginx configuration:
+
+```
+server {
+    listen 443 ssl;
+    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+}
+```
+
+For local testing, Uvicorn can serve TLS directly:
+
+```
+uvicorn seedpass.api:app --ssl-certfile=cert.pem --ssl-keyfile=key.pem
+```
+
+## Example Requests
+
+Send requests with the token in the header:
+
+```bash
+curl -H "Authorization: Bearer <token>" \
+     "https://127.0.0.1:8000/api/v1/entry?query=email"
+```
+
+### Creating an Entry
+
+`POST /api/v1/entry` accepts a JSON body with at least a `label` field. Set
+`type` (or `kind`) to choose the entry variant (`password`, `totp`, `ssh`, `pgp`,
+`nostr`, `seed`, `key_value`, or `managed_account`). Additional fields vary by
+type:
+
+- **password** – `length`, optional `username`, `url` and `notes`
+- **totp** – `secret` or `index`, optional `period`, `digits`, `notes`, `archived`
+- **ssh/nostr/seed/managed_account** – `index`, optional `notes`, `archived`
+- **pgp** – `index`, `key_type`, `user_id`, optional `notes`, `archived`
+- **key_value** – `value`, optional `notes`
+
+Example creating a TOTP entry:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/entry \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+     -d '{"type": "totp", "label": "Email", "secret": "JBSW..."}'
+```
+
+### Updating an Entry
+
+Use `PUT /api/v1/entry/{id}` to change fields such as `label`, `username`,
+`url`, `notes`, `period`, `digits` or `value` depending on the entry type.
+
+```bash
+curl -X PUT http://127.0.0.1:8000/api/v1/entry/1 \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+     -d '{"username": "alice"}'
+```
+
+### Updating Configuration
+
+Send a JSON body containing a `value` field to `PUT /api/v1/config/{key}`:
+
+```bash
+curl -X PUT http://127.0.0.1:8000/api/v1/config/inactivity_timeout \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+     -d '{"value": 300}'
+```
+
+To raise the PBKDF2 work factor or change how often backups are written:
+
+```bash
+curl -X PUT http://127.0.0.1:8000/api/v1/config/kdf_iterations \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+     -d '{"value": 200000}'
+
+curl -X PUT http://127.0.0.1:8000/api/v1/config/backup_interval \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+     -d '{"value": 3600}'
+```
+
+Using fewer iterations or a long interval reduces security, so adjust these values carefully.
+
+### Toggling Secret Mode
+
+Send both `enabled` and `delay` values to `/api/v1/secret-mode`:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/secret-mode \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+     -d '{"enabled": true, "delay": 20}'
+```
+
+### Switching Fingerprints
+
+Change the active seed profile via `POST /api/v1/fingerprint/select`:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/fingerprint/select \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+    -d '{"fingerprint": "abc123"}'
+```
+
+### Exporting the Vault
+
+Download an encrypted vault backup via `POST /api/v1/vault/export`:
+
+```bash
+curl -X POST https://127.0.0.1:8000/api/v1/vault/export \
+     -H "Authorization: Bearer <token>" \
+     -H "X-SeedPass-Password: <master-password>" \
+     -o backup.json
+```
+
+### Importing a Vault
+
+Restore a backup with `POST /api/v1/vault/import`. Use `-F` to upload a file:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/vault/import \
+     -H "Authorization: Bearer <token>" \
+     -F file=@backup.json
+```
+
+### Locking the Vault
+
+Clear sensitive data from memory using `/api/v1/vault/lock`:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/vault/lock \
+     -H "Authorization: Bearer <token>"
+```
+
+### Backing Up the Parent Seed
+
+Trigger an encrypted seed backup with `/api/v1/vault/backup-parent-seed`:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/vault/backup-parent-seed \
+     -H "Authorization: Bearer <token>" \
+     -H "X-SeedPass-Password: <master password>" \
+     -H "Content-Type: application/json" \
+     -d '{"path": "seed_backup.enc", "confirm": true}'
+```
+
+### Retrieving Vault Statistics
+
+Get profile stats such as entry counts with `GET /api/v1/stats`:
+
+```bash
+curl -H "Authorization: Bearer <token>" \
+    http://127.0.0.1:8000/api/v1/stats
+```
+
+### Checking Notifications
+
+Get queued messages with `GET /api/v1/notifications`:
+
+```bash
+curl -H "Authorization: Bearer <token>" \
+     http://127.0.0.1:8000/api/v1/notifications
+```
+
+The TUI displays these alerts in a persistent notification box for 10 seconds,
+but the endpoint returns all queued messages even if they have already
+disappeared from the screen.
+
+### Changing the Master Password
+
+Update the vault password via `POST /api/v1/change-password`:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/change-password \
+     -H "Authorization: Bearer <token>"
+```
+
+### Verifying the Script Checksum
+
+Check that the running script matches the stored checksum:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/checksum/verify \
+     -H "Authorization: Bearer <token>"
+```
+
+### Updating the Script Checksum
+
+Regenerate the stored checksum using `/api/v1/checksum/update`:
+
+```bash
+curl -X POST http://127.0.0.1:8000/api/v1/checksum/update \
+     -H "Authorization: Bearer <token>"
+```
+
+### Managing Relays
+
+List, add, or remove Nostr relays:
+
+```bash
+# list
+curl -H "Authorization: Bearer <token>" http://127.0.0.1:8000/api/v1/relays
+
+# add
+curl -X POST http://127.0.0.1:8000/api/v1/relays \
+     -H "Authorization: Bearer <token>" \
+     -H "Content-Type: application/json" \
+     -d '{"url": "wss://relay.example.com"}'
+
+# remove first relay
+curl -X DELETE http://127.0.0.1:8000/api/v1/relays/1 \
+     -H "Authorization: Bearer <token>"
+
+# reset to defaults
+curl -X POST http://127.0.0.1:8000/api/v1/relays/reset \
+     -H "Authorization: Bearer <token>"
+```
+
+### Enabling CORS
+
+Cross‑origin requests are disabled by default. Set `SEEDPASS_CORS_ORIGINS` to a comma‑separated list of allowed origins before starting the API:
+
+```bash
+SEEDPASS_CORS_ORIGINS=http://localhost:3000 seedpass api start
+```
+
+Browsers can then call the API from the specified origins, for example using JavaScript:
+
+```javascript
+fetch('http://127.0.0.1:8000/api/v1/entry?query=email', {
+  headers: { Authorization: 'Bearer <token>' }
+});
+```
+
+Without CORS enabled, only same‑origin or command‑line tools like `curl` can access the API.
--- a/docs/docs/content/01-getting-started/03-json_entries.md
+++ b/docs/docs/content/01-getting-started/03-json_entries.md
@@ -95,10 +95,22 @@ Each entry is stored within `seedpass_entries_db.json.enc` under the `entries` d
 - **custom_fields** (`array`, optional): Additional user-defined fields.
 - **origin** (`string`, optional): Source identifier for imported data.
 - **value** (`string`, optional): For `key_value` entries, stores the secret value.
+- **key** (`string`, optional): Name of the key for `key_value` entries.
 - **index** (`integer`, optional): BIP-85 derivation index for entries that derive material from a seed.
 - **word_count** (`integer`, managed_account only): Number of words in the child seed. Managed accounts always use `12`.
 - **fingerprint** (`string`, managed_account only): Identifier of the child profile, used for its directory name.
 - **tags** (`array`, optional): Category labels to aid in organization and search.
+
+#### Password Policy Fields
+
+- **min_uppercase** (`integer`, default `2`): Minimum required uppercase letters.
+- **min_lowercase** (`integer`, default `2`): Minimum required lowercase letters.
+- **min_digits** (`integer`, default `2`): Minimum required digits.
+- **min_special** (`integer`, default `2`): Minimum required special characters.
+- **include_special_chars** (`boolean`, default `true`): Enable or disable any punctuation in generated passwords.
+- **allowed_special_chars** (`string`, optional): Restrict punctuation to this exact set.
+- **special_mode** (`string`, default `"standard"`): Choose `"safe"` for the `SAFE_SPECIAL_CHARS` set (`!@#$%^*-_+=?`), otherwise the full `string.punctuation` is used.
+- **exclude_ambiguous** (`boolean`, default `false`): Omit confusing characters like `O0Il1`.
  Example:

  ```json
@@ -160,6 +172,17 @@ Each entry is stored within `seedpass_entries_db.json.enc` under the `entries` d
 }
 ```

+#### Password Entry with Policy Overrides
+
+```json
+{
+  "label": "Custom Policy",
+  "length": 16,
+  "include_special_chars": false,
+  "exclude_ambiguous": true
+}
+```
+
 #### 3. Managed User

 ```json
--- a/docs/docs/content/01-getting-started/04-migrations.md
+++ b/docs/docs/content/01-getting-started/04-migrations.md
@@ -0,0 +1,49 @@
+# Index Migrations
+
+SeedPass stores its password index in an encrypted JSON file. Each index contains
+a `schema_version` field so the application knows how to upgrade older files.
+
+> **Note:** Recent releases derive passwords and other artifacts using a new deterministic algorithm that works consistently across Python versions. Artifacts produced with older versions will not match outputs from this release and must be regenerated.
+
+## How migrations work
+
+When the vault loads the index, `Vault.load_index()` checks the version and
+applies migrations defined in `password_manager/migrations.py`. The
+`apply_migrations()` function iterates through registered migrations until the
+file reaches `LATEST_VERSION`.
+
+If an old file lacks `schema_version`, it is treated as version 0 and upgraded
+to the latest format. Attempting to load an index from a future version will
+raise an error.
+
+## Upgrading an index
+
+1. The JSON is decrypted and parsed.
+2. `apply_migrations()` applies any necessary steps, such as injecting the
+   `schema_version` field on first upgrade.
+3. After migration, the updated index is saved back to disk.
+
+This process happens automatically; users only need to open their vault to
+upgrade older indices.
+
+### Legacy Fernet migration
+
+Older versions stored the vault index in a file named
+`seedpass_passwords_db.json.enc` encrypted with Fernet.  When opening such a
+vault, SeedPass now automatically decrypts the legacy file, re‑encrypts it using
+AES‑GCM, and saves it under the new name `seedpass_entries_db.json.enc`.
+The original Fernet file is preserved as
+`seedpass_entries_db.json.enc.fernet` and the legacy checksum file, if present,
+is renamed to `seedpass_entries_db_checksum.txt.fernet`.
+
+No additional command is required – simply open your existing vault and the
+conversion happens transparently.
+
+### Parent seed backup migration
+
+If your vault contains a `parent_seed.enc` file that was encrypted with Fernet,
+SeedPass performs a similar upgrade. Upon loading the vault, the application
+decrypts the old file, re‑encrypts it with AES‑GCM, and writes the result back to
+`parent_seed.enc`. The legacy Fernet file is preserved as
+`parent_seed.enc.fernet` so you can revert if needed. No manual steps are
+required – simply unlock your vault and the conversion runs automatically.
--- a/docs/docs/content/01-getting-started/05-briefcase.md
+++ b/docs/docs/content/01-getting-started/05-briefcase.md
@@ -0,0 +1,29 @@
+# Packaging the GUI with Briefcase
+
+This project uses [BeeWare's Briefcase](https://beeware.org) to generate
+platform‑native installers. Once your development environment is set up,
+package the GUI by running the following commands from the repository root:
+
+```bash
+# Create the application scaffold for your platform
+briefcase create
+
+# Compile dependencies and produce a distributable bundle
+briefcase build
+
+# Run the packaged application
+briefcase run
+```
+
+## Command Overview
+
+- **`briefcase create`** — generates the project scaffold for your
+  operating system. Run this once per platform.
+- **`briefcase build`** — compiles dependencies and produces the
+  distributable bundle.
+- **`briefcase run`** — launches the packaged application so you can test
+  it locally.
+
+After the initial creation step you can repeatedly run `briefcase build`
+followed by `briefcase run` to test your packaged application on Windows,
+macOS or Linux.
--- a/docs/docs/content/01-getting-started/06-gui_adapter.md
+++ b/docs/docs/content/01-getting-started/06-gui_adapter.md
@@ -0,0 +1,165 @@
+# BeeWare GUI Adapter
+
+SeedPass ships with a proof-of-concept graphical interface built using [BeeWare](https://beeware.org). The GUI interacts with the same core services as the CLI by instantiating wrappers around `PasswordManager`.
+
+
+## Getting Started with the GUI
+
+After installing the project dependencies, launch the desktop interface with one
+of the following commands:
+
+```bash
+seedpass gui
+python -m seedpass_gui
+seedpass-gui
+```
+
+GUI dependencies are optional. Install them alongside SeedPass with:
+
+```bash
+pip install "seedpass[gui]"
+
+# or when working from a local checkout
+pip install -e .[gui]
+```
+
+After installing the optional GUI extras, add the BeeWare backend for your
+platform:
+
+```bash
+# Linux
+pip install toga-gtk
+
+# If installation fails with cairo errors, install libcairo2-dev or the
+# cairo development package using your distro's package manager.
+
+# Windows
+pip install toga-winforms
+
+# macOS
+pip install toga-cocoa
+```
+
+The GUI shares the same encrypted vault and configuration as the command line tool.
+
+To generate a packaged binary, run `briefcase build` (after the initial `briefcase create`).
+
+```mermaid
+graph TD
+    core["seedpass.core"]
+    cli["CLI"]
+    api["FastAPI server"]
+    gui["BeeWare GUI"]
+    ext["Browser Extension"]
+
+    cli --> core
+    gui --> core
+    api --> core
+    ext --> api
+```
+
+## VaultService and EntryService
+
+`VaultService` provides thread-safe access to vault operations like exporting, importing, unlocking and locking the vault. `EntryService` exposes methods for listing, searching and modifying entries. Both classes live in `seedpass.core.api` and hold a `PasswordManager` instance protected by a `threading.Lock` to ensure safe concurrent access.
+
+```python
+class VaultService:
+    """Thread-safe wrapper around vault operations."""
+    def __init__(self, manager: PasswordManager) -> None:
+        self._manager = manager
+        self._lock = Lock()
+```
+
+```python
+class EntryService:
+    """Thread-safe wrapper around entry operations."""
+    def __init__(self, manager: PasswordManager) -> None:
+        self._manager = manager
+        self._lock = Lock()
+```
+
+## BeeWare Windows
+
+The GUI defines two main windows in `src/seedpass_gui/app.py`. `LockScreenWindow` prompts for the master password and then opens `MainWindow` to display the vault entries.
+
+```python
+class LockScreenWindow(toga.Window):
+    """Window prompting for the master password."""
+    def __init__(self, app: SeedPassApp, vault: VaultService, entries: EntryService) -> None:
+        super().__init__("Unlock Vault")
+        self.app = app
+        self.vault = vault
+        self.entries = entries
+        ...
+```
+
+```python
+class MainWindow(toga.Window):
+    """Main application window showing vault entries."""
+    def __init__(self, app: SeedPassApp, vault: VaultService, entries: EntryService) -> None:
+        super().__init__("SeedPass")
+        self.app = app
+        self.vault = vault
+        self.entries = entries
+        ...
+```
+
+Each window receives the service instances and calls methods such as `vault.unlock()` or `entries.add_entry()` when buttons are pressed. This keeps the UI thin while reusing the core logic.
+
+## Asynchronous Synchronization
+
+`PasswordManager` performs network synchronization with Nostr using `asyncio`. Methods like `start_background_vault_sync()` create a coroutine that calls `sync_vault_async()` in a background thread or task without blocking the UI.
+
+```python
+async def sync_vault_async(self, alt_summary: str | None = None) -> dict[str, list[str] | str] | None:
+    """Publish the current vault contents to Nostr and return event IDs."""
+    ...
+```
+
+```python
+def start_background_vault_sync(self, alt_summary: str | None = None) -> None:
+    if getattr(self, "offline_mode", False):
+        return
+    def _worker() -> None:
+        asyncio.run(self.sync_vault_async(alt_summary=alt_summary))
+    try:
+        loop = asyncio.get_running_loop()
+    except RuntimeError:
+        threading.Thread(target=_worker, daemon=True).start()
+    else:
+        asyncio.create_task(self.sync_vault_async(alt_summary=alt_summary))
+```
+
+This approach ensures synchronization happens asynchronously whether the GUI is running inside or outside an existing event loop.
+
+## Relay Manager and Status Bar
+
+The *Relays* button opens a dialog for adding or removing Nostr relay URLs. The
+status bar at the bottom of the main window shows when the last synchronization
+completed. It updates automatically when `sync_started` and `sync_finished`
+events are published on the internal pubsub bus.
+
+When a ``vault_locked`` event is emitted, the GUI automatically returns to the
+lock screen so the session can be reopened with the master password.
+
+
+## Event Handling
+
+The GUI subscribes to a few core events so the interface reacts automatically when the vault changes state. When `MainWindow` is created it registers callbacks for `sync_started`, `sync_finished` and `vault_locked` on the global pubsub `bus`:
+
+```python
+bus.subscribe("sync_started", self.sync_started)
+bus.subscribe("sync_finished", self.sync_finished)
+bus.subscribe("vault_locked", self.vault_locked)
+```
+
+Each handler updates the status bar or returns to the lock screen. The `cleanup` method removes these hooks when the window closes:
+
+```python
+def cleanup(self, *args: object, **kwargs: object) -> None:
+    bus.unsubscribe("sync_started", self.sync_started)
+    bus.unsubscribe("sync_finished", self.sync_finished)
+    bus.unsubscribe("vault_locked", self.vault_locked)
+```
+
+The [TOTP window](../../02-api_reference.md#totp) demonstrates how such events keep the UI fresh: it shows live two-factor codes that reflect the latest vault data after synchronization.
--- a/docs/docs/content/index.md
+++ b/docs/docs/content/index.md
@@ -0,0 +1,610 @@
+# SeedPass
+
+**SeedPass** is a secure password generator and manager built on **Bitcoin's BIP-85 standard**. It uses deterministic key derivation to generate **passwords that are never stored**, but can be easily regenerated when needed. By integrating with the **Nostr network**, SeedPass compresses your encrypted vault and splits it into 50 KB chunks. Each chunk is published as a parameterised replaceable event (`kind 30071`), with a manifest (`kind 30070`) describing the snapshot and deltas (`kind 30072`) capturing changes between snapshots. This allows secure password recovery across devices without exposing your data.
+
+[Tip Jar](https://nostrtipjar.netlify.app/?n=npub16y70nhp56rwzljmr8jhrrzalsx5x495l4whlf8n8zsxww204k8eqrvamnp)
+
+---
+
+**⚠️ Disclaimer**
+
+This software was not developed by an experienced security expert and should be used with caution. There may be bugs and missing features. Each vault chunk is limited to 50 KB and SeedPass periodically publishes a new snapshot to keep accumulated deltas small. The security of the program's memory management and logs has not been evaluated and may leak sensitive information. Loss or exposure of the parent seed places all derived passwords, accounts, and other artifacts at risk.
+
+**🚨 Breaking Change**
+
+Recent releases derive passwords and other artifacts using a fully deterministic algorithm that behaves consistently across Python versions. This improvement means artifacts generated with earlier versions of SeedPass will not match those produced now. Regenerate any previously derived data or retain the old version if you need to reproduce older passwords or keys.
+
+---
+### Supported OS
+
+✔ Windows 10/11 • macOS 12+ • Any modern Linux  
+SeedPass now uses the `portalocker` library for cross-platform file locking. No WSL or Cygwin required.
+
+```mermaid
+graph TD
+    core(seedpass.core)
+    cli(CLI/TUI)
+    gui(BeeWare GUI)
+    ext(Browser extension)
+    cli --> core
+    gui --> core
+    ext --> core
+```
+
+SeedPass uses a modular design with a single core library that handles all
+security-critical logic. The current CLI/TUI adapter communicates with
+`seedpass.core`, and future interfaces like a BeeWare GUI and a browser
+extension can hook into the same layer. This architecture keeps the codebase
+maintainable while enabling a consistent experience on multiple platforms.
+
+## Table of Contents
+
+- [Features](#features)
+- [Prerequisites](#prerequisites)
+- [Installation](#installation)
+  - [1. Clone the Repository](#1-clone-the-repository)
+  - [2. Create a Virtual Environment](#2-create-a-virtual-environment)
+  - [3. Activate the Virtual Environment](#3-activate-the-virtual-environment)
+  - [4. Install Dependencies](#4-install-dependencies)
+- [Usage](#usage)
+  - [Running the Application](#running-the-application)
+  - [Managing Multiple Seeds](#managing-multiple-seeds)
+    - [Additional Entry Types](#additional-entry-types)
+  - [Recovery](#recovery)
+- [Security Considerations](#security-considerations)
+- [Contributing](#contributing)
+- [License](#license)
+- [Contact](#contact)
+
+## Features
+
+- **Deterministic Password Generation:** Utilize BIP-85 for generating deterministic and secure passwords.
+- **Encrypted Storage:** All seeds, login passwords, and sensitive index data are encrypted locally.
+- **Nostr Integration:** Post and retrieve your encrypted password index to/from the Nostr network.
+- **Chunked Snapshots:** Encrypted vaults are compressed and split into 50 KB chunks published as `kind 30071` events with a `kind 30070` manifest and `kind 30072` deltas. The manifest's `delta_since` field stores the UNIX timestamp of the latest delta event.
+- **Automatic Checksum Generation:** The script generates and verifies a SHA-256 checksum to detect tampering.
+- **Multiple Seed Profiles:** Manage separate seed profiles and switch between them seamlessly.
+- **Nested Managed Account Seeds:** SeedPass can derive nested managed account seeds.
+- **Interactive TUI:** Navigate through menus to add, retrieve, and modify entries as well as configure Nostr settings.
+- **SeedPass 2FA:** Generate TOTP codes with a real-time countdown progress bar.
+- **2FA Secret Issuance & Import:** Derive new TOTP secrets from your seed or import existing `otpauth://` URIs.
+- **Export 2FA Codes:** Save all stored TOTP entries to an encrypted JSON file for use with other apps.
+- **Display TOTP Codes:** Show all active 2FA codes with a countdown timer.
+- **Optional External Backup Location:** Configure a second directory where backups are automatically copied.
+- **Auto‑Lock on Inactivity:** Vault locks after a configurable timeout for additional security.
+- **Quick Unlock:** Optionally skip the password prompt after verifying once. Startup delay is unaffected.
+- **Secret Mode:** Copy retrieved passwords directly to your clipboard and automatically clear it after a delay.
+- **Tagging Support:** Organize entries with optional tags and find them quickly via search.
+- **Typed Search Results:** Searches display each entry's type for easier scanning.
+- **Manual Vault Export/Import:** Create encrypted backups or restore them using the CLI or API.
+- **Parent Seed Backup:** Securely save an encrypted copy of the master seed.
+- **Manual Vault Locking:** Instantly clear keys from memory when needed.
+- **Vault Statistics:** View counts for entries and other profile metrics.
+- **Change Master Password:** Rotate your encryption password at any time.
+- **Checksum Verification Utilities:** Verify or regenerate the script checksum.
+- **Relay Management:** List, add, remove or reset configured Nostr relays.
+- **Offline Mode (default):** SeedPass runs without network sync until you explicitly enable it.
+
+## Prerequisites
+
+- **Python 3.8+** (3.11 or 3.12 recommended): Install Python from [python.org](https://www.python.org/downloads/) and be sure to check **"Add Python to PATH"** during setup. Using Python 3.13 is currently discouraged because some dependencies do not ship wheels for it yet, which can cause build failures on Windows unless you install the Visual C++ Build Tools.
+*Windows only:* Install the [Visual Studio Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) and select the **C++ build tools** workload.
+
+## Installation
+
+
+### Quick Installer
+
+Use the automated installer to download SeedPass and its dependencies in one step.
+If GTK packages are missing, the installer will try to install them using your
+system's package manager (`apt`, `yum`, `pacman`, or Homebrew).
+
+**Linux and macOS:**
+```bash
+bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.sh)"
+```
+*Install the beta branch:*
+```bash
+bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.sh)" _ -b beta
+```
+
+**Windows (PowerShell):**
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $scriptContent = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.ps1'); & ([scriptblock]::create($scriptContent))
+```
+Before running the script, install **Python 3.11** or **3.12** from [python.org](https://www.python.org/downloads/windows/) and tick **"Add Python to PATH"**. You should also install the [Visual Studio Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) with the **C++ build tools** workload so dependencies compile correctly.
+The Windows installer will attempt to install Git automatically if it is not already available. It also tries to
+install Python 3 using `winget`, `choco`, or `scoop` when Python is missing and recognizes the `py` launcher if `python`
+isn't on your PATH. If these tools are unavailable you'll see a link to download Python directly from
+<https://www.python.org/downloads/windows/>. When Python 3.13 or newer is detected without the Microsoft C++ build tools,
+the installer now attempts to download Python 3.12 automatically so you don't have to compile packages from source.
+
+**Note:** If this fallback fails, install Python 3.12 manually or install the [Microsoft Visual C++ Build Tools](https://visualstudio.microsoft.com/visual-cpp-build-tools/) and rerun the installer.
+
+#### Installer Dependency Checks
+
+The installer verifies that core build tooling—C/C++ build tools, Rust, CMake, and the imaging/GTK libraries—are available before completing. Pass `--no-gui` to skip installing GUI packages. On Linux, ensure `xclip` or `wl-clipboard` is installed for clipboard support.
+
+### Uninstall
+
+Run the matching uninstaller if you need to remove a previous installation or clean up an old `seedpass` command:
+
+**Linux and macOS:**
+```bash
+bash -c "$(curl -sSL https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/uninstall.sh)"
+```
+If the script warns that it couldn't remove an executable, delete that file manually.
+
+**Windows (PowerShell):**
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $scriptContent = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/uninstall.ps1'); & ([scriptblock]::create($scriptContent))
+```
+
+*Install the beta branch:*
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; $scriptContent = (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/PR0M3TH3AN/SeedPass/main/scripts/install.ps1'); & ([scriptblock]::create($scriptContent)) -Branch beta
+```
+
+### Manual Setup
+Follow these steps to set up SeedPass on your local machine.
+
+### 1. Clone the Repository
+
+First, clone the SeedPass repository from GitHub:
+
+```bash
+git clone https://github.com/PR0M3TH3AN/SeedPass.git
+```
+
+Navigate to the project directory:
+
+```bash
+cd SeedPass
+```
+
+### 2. Create a Virtual Environment
+
+It's recommended to use a virtual environment to manage your project's dependencies. Create a virtual environment named `venv`:
+
+```bash
+python3 -m venv venv
+```
+
+### 3. Activate the Virtual Environment
+
+Activate the virtual environment using the appropriate command for your operating system.
+
+- **On Linux and macOS:**
+
+  ```bash
+  source venv/bin/activate
+  ```
+
+- **On Windows:**
+
+  ```bash
+  venv\Scripts\activate
+  ```
+
+Once activated, your terminal prompt should be prefixed with `(venv)` indicating that the virtual environment is active.
+
+### 4. Install Dependencies
+
+Install the required Python packages and build dependencies using `pip`.
+When upgrading pip, use `python -m pip` inside the virtual environment so that pip can update itself cleanly:
+
+```bash
+python -m pip install --upgrade pip
+python -m pip install --require-hashes -r requirements.lock
+python -m pip install -e .
+```
+
+#### Linux Clipboard Support
+
+On Linux, `pyperclip` relies on external utilities like `xclip` or `xsel`.
+SeedPass does not install these tools automatically. To use clipboard features
+such as secret mode, install **xclip** manually:
+
+```bash
+sudo apt install xclip
+```
+
+After installing `xclip`, restart SeedPass to enable clipboard support.
+
+## Quick Start
+
+After installing dependencies, activate your virtual environment and install
+the package so the `seedpass` command is available, then launch SeedPass and
+create a backup:
+
+```bash
+# Start the application
+seedpass
+
+# Export your index
+seedpass vault export --file "~/seedpass_backup.json"
+
+# Later you can restore it
+seedpass vault import --file "~/seedpass_backup.json"
+# Import also performs a Nostr sync to pull any changes
+
+# Quickly find or retrieve entries
+seedpass search "github"
+seedpass search --tags "work,personal"
+seedpass get "github"
+# Search results show the entry type, e.g. "1: Password - GitHub"
+# Retrieve a TOTP entry
+seedpass entry get "email"
+# The code is printed and copied to your clipboard
+
+# Sort or filter the list view
+seedpass list --sort label
+seedpass list --filter totp
+
+# Use the **Settings** menu to configure an extra backup directory
+# on an external drive.
+```
+
+For additional command examples, see [docs/advanced_cli.md](docs/advanced_cli.md).
+Details on the REST API can be found in [docs/api_reference.md](docs/api_reference.md).
+
+### Vault JSON Layout
+
+The encrypted index file `seedpass_entries_db.json.enc` begins with `schema_version` `2` and stores an `entries` map keyed by entry numbers.
+
+```json
+{
+  "schema_version": 2,
+  "entries": {
+    "0": {
+      "label": "example.com",
+      "length": 8,
+      "type": "password",
+      "notes": ""
+    }
+  }
+}
+```
+
+
+## Usage
+
+After successfully installing the dependencies, launch the interactive TUI with:
+
+```bash
+seedpass
+```
+
+You can also run directly from the repository using:
+
+```bash
+python src/main.py
+```
+
+You can explore other CLI commands using:
+```bash
+seedpass --help
+```
+For a full list of commands see [docs/advanced_cli.md](docs/advanced_cli.md). The REST API is described in [docs/api_reference.md](docs/api_reference.md).
+
+### Running the Application
+
+1. **Start the Application:**
+
+    ```bash
+    seedpass
+    ```
+    *(or `python src/main.py` if running directly from the repository)*
+
+2. **Follow the Prompts:**
+
+   - **Seed Profile Selection:** If you have existing seed profiles, you'll be prompted to select one or add a new one.
+   - **Enter Your Password:** This password is crucial as it is used to encrypt and decrypt your parent seed and seed index data.
+   - **Select an Option:** Navigate through the menu by entering the number corresponding to your desired action.
+
+   Example menu:
+
+    ```bash
+    Select an option:
+    1. Add Entry
+    2. Retrieve Entry
+    3. Search Entries
+    4. List Entries
+    5. Modify an Existing Entry
+    6. 2FA Codes
+    7. Settings
+
+    Enter your choice (1-7) or press Enter to exit:
+    ```
+
+When choosing **Add Entry**, you can now select from:
+
+- **Password**
+- **2FA (TOTP)**
+- **SSH Key**
+- **Seed Phrase**
+- **Nostr Key Pair**
+- **PGP Key**
+- **Key/Value**
+- **Managed Account**
+
+### Adding a Password Entry
+
+After selecting **Password**, SeedPass asks you to choose a mode:
+
+1. **Quick** – enter only a label, username, URL, desired length, and whether to include special characters. All other fields use defaults.
+2. **Advanced** – continue through prompts for notes, tags, custom fields, and detailed password policy settings.
+
+Both modes generate the password, display it (or copy it to the clipboard in Secret Mode), and save the entry to your encrypted vault.
+
+### Adding a 2FA Entry
+
+1. From the main menu choose **Add Entry** and select **2FA (TOTP)**.
+2. Pick **Make 2FA** to derive a new secret from your seed or **Import 2FA** to paste an existing `otpauth://` URI or secret.
+3. Provide a label for the account (for example, `GitHub`).
+4. SeedPass automatically chooses the next available derivation index when deriving.
+5. Optionally specify the TOTP period and digit count.
+6. SeedPass displays the URI and secret, along with a QR code you can scan to import it into your authenticator app.
+
+### Modifying a 2FA Entry
+
+1. From the main menu choose **Modify an Existing Entry** and enter the index of the 2FA code you want to edit.
+2. SeedPass will show the current label, period, digit count, and archived status.
+3. Enter new values or press **Enter** to keep the existing settings.
+4. When retrieving a 2FA entry you can press **E** to edit the label, period or digit count, or **A** to archive/unarchive it.
+5. The updated entry is saved back to your encrypted vault.
+6. Archived entries are hidden from lists but can be viewed or restored from the **List Archived** menu.
+7. When editing an archived entry you'll be prompted to restore it after saving your changes.
+
+### Using Secret Mode
+
+When **Secret Mode** is enabled, SeedPass copies retrieved passwords directly to your clipboard instead of displaying them on screen. The clipboard clears automatically after the delay you choose.
+
+1. From the main menu open **Settings** and select **Toggle Secret Mode**.
+2. Choose how many seconds to keep passwords on the clipboard.
+3. Retrieve an entry and SeedPass will confirm the password was copied.
+
+### Additional Entry Types
+
+SeedPass supports storing more than just passwords and 2FA secrets. You can also create entries for:
+- **SSH Key** – deterministically derive an Ed25519 key pair for servers or git hosting platforms.
+- **Seed Phrase** – store only the BIP-85 index and word count. The mnemonic is regenerated on demand.
+- **PGP Key** – derive an OpenPGP key pair from your master seed.
+- **Nostr Key Pair** – store the index used to derive an `npub`/`nsec` pair for Nostr clients.
+  When you retrieve one of these entries, SeedPass can display QR codes for the
+  keys. The `npub` is wrapped in the `nostr:` URI scheme so any client can scan
+  it, while the `nsec` QR is shown only after a security warning.
+- **Key/Value** – store a simple key and value for miscellaneous secrets or configuration data.
+- **Managed Account** – derive a child seed under the current profile. Loading a managed account switches to a nested profile and the header shows `<parent_fp> > Managed Account > <child_fp>`. Press Enter on the main menu to return to the parent profile.
+
+The table below summarizes the extra fields stored for each entry type. Every
+entry includes a `label`, while only password entries track a `url`.
+
+| Entry Type    | Extra Fields |
+|---------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| Password      | `username`, `url`, `length`, `archived`, optional `notes`, optional `custom_fields` (may include hidden fields), optional `tags` |
+| 2FA (TOTP)    | `index` or `secret`, `period`, `digits`, `archived`, optional `notes`, optional `tags` |
+| SSH Key       | `index`, `archived`, optional `notes`, optional `tags` |
+| Seed Phrase   | `index`, `word_count` *(mnemonic regenerated; never stored)*, `archived`, optional `notes`, optional `tags` |
+| PGP Key       | `index`, `key_type`, `archived`, optional `user_id`, optional `notes`, optional `tags` |
+| Nostr Key Pair| `index`, `archived`, optional `notes`, optional `tags` |
+| Key/Value     | `key`, `value`, `archived`, optional `notes`, optional `custom_fields`, optional `tags` |
+| Managed Account | `index`, `word_count`, `fingerprint`, `archived`, optional `notes`, optional `tags` |
+
+
+### Managing Multiple Seeds
+
+SeedPass allows you to manage multiple seed profiles (previously referred to as "fingerprints"). Each seed profile has its own parent seed and associated data, enabling you to compartmentalize your passwords.
+
+- **Add a New Seed Profile:**
+  - From the main menu, select **Settings** then **Profiles** and choose "Add a New Seed Profile".
+  - Choose to paste in a full seed, enter one word at a time, or generate a new seed.
+  - When entering a seed word by word, each word is hidden with `*` and the screen refreshes after every entry for clarity. You'll review the completed phrase after the last word and can correct mistakes before it is saved.
+  - If generating a new seed, you'll be provided with a 12-word BIP-85 seed phrase. **Ensure you write this down and store it securely.**
+
+- **Switch Between Seed Profiles:**
+  - From the **Profiles** menu, select "Switch Seed Profile".
+  - You'll see a list of available seed profiles.
+  - Enter the number corresponding to the seed profile you wish to switch to.
+  - Enter the master password associated with that seed profile.
+
+- **List All Seed Profiles:**
+  - In the **Profiles** menu, choose "List All Seed Profiles" to view all existing profiles.
+- **Set Seed Profile Name:**
+  - In the **Profiles** menu, choose "Set Seed Profile Name" to assign a label to the current profile. The name is stored locally and shown next to the fingerprint.
+
+**Note:** The term "seed profile" is used to represent different sets of seeds you can manage within SeedPass. This provides an intuitive way to handle multiple identities or sets of passwords.
+
+
+### Recovery
+
+If you previously backed up your vault to Nostr you can restore it during the
+initial setup. You must provide both your 12 -word master seed and the master
+password that encrypted the vault; without the correct password the retrieved
+data cannot be decrypted.
+
+1. Start SeedPass and choose option **4** when prompted to set up a seed.
+2. Paste your BIP‑85 seed phrase when asked.
+3. Enter the master password associated with that seed.
+4. SeedPass initializes the profile and attempts to download the encrypted
+   vault from the configured relays.
+5. A success message confirms the vault was restored. If no data is found a
+   failure message is shown and a new empty vault is created.
+
+### Configuration File and Settings
+
+SeedPass keeps per-profile settings in an encrypted file named `seedpass_config.json.enc` inside each profile directory under `~/.seedpass/`. This file stores your chosen Nostr relays and the optional settings PIN. New profiles start with the following default relays:
+
+```
+wss://relay.snort.social
+wss://nostr.oxtr.dev
+wss://relay.primal.net
+```
+
+You can manage your relays and sync with Nostr from the **Settings** menu:
+
+1. From the main menu choose `6` (**Settings**).
+2. Select `2` (**Nostr**) to open the Nostr submenu.
+3. Choose `1` to back up your encrypted index to Nostr.
+4. Select `2` to restore the index from Nostr.
+5. Choose `3` to view your current relays.
+6. Select `4` to add a new relay URL.
+7. Choose `5` to remove a relay by number.
+8. Select `6` to reset to the default relay list.
+9. Choose `7` to display your Nostr public key.
+10. Select `8` to return to the Settings menu.
+
+Back in the Settings menu you can:
+
+* Select `3` to change your master password.
+* Choose `4` to verify the script checksum.
+* Select `5` to generate a new script checksum.
+* Choose `6` to back up the parent seed.
+* Select `7` to export the database to an encrypted file.
+* Choose `8` to import a database from a backup file. This also performs a Nostr sync automatically.
+* Select `9` to export all 2FA codes.
+* Choose `10` to set an additional backup location. A backup is created
+  immediately after the directory is configured.
+* Select `11` to change the inactivity timeout.
+* Choose `12` to lock the vault and require re-entry of your password.
+* Select `13` to view seed profile stats. The summary lists counts for
+  passwords, TOTP codes, SSH keys, seed phrases, and PGP keys. It also shows
+  whether both the encrypted database and the script itself pass checksum
+  validation.
+* Choose `14` to toggle Secret Mode and set the clipboard clear delay.
+* Select `15` to toggle Offline Mode. SeedPass starts offline; disable it here to enable Nostr syncing.
+* Choose `16` to toggle Quick Unlock so subsequent actions skip the password prompt. Startup delay is unchanged.
+* Select `17` to return to the main menu.
+
+## Running Tests
+
+SeedPass includes a small suite of unit tests located under `src/tests`. **Before running `pytest`, be sure to install the test requirements.** Activate your virtual environment and run `pip install --require-hashes -r requirements.lock` to ensure all testing dependencies are available. Then run the tests with **pytest**. Use `-vv` to see INFO-level log messages from each passing test:
+
+
+```bash
+pip install --require-hashes -r requirements.lock
+pytest -vv
+```
+
+`test_fuzz_key_derivation.py` uses Hypothesis to generate random passwords,
+seeds and configuration data. It performs round-trip encryption tests with the
+`EncryptionManager` to catch edge cases automatically. These fuzz tests run in
+CI alongside the rest of the suite.
+
+### Exploring Nostr Index Size Limits
+
+`test_nostr_index_size.py` demonstrates how SeedPass rotates snapshots after too many delta events.
+Each chunk is limited to 50 KB, so the test gradually grows the vault to observe
+when a new snapshot is triggered. Use the `NOSTR_TEST_DELAY` environment
+variable to control the delay between publishes when experimenting with large vaults.
+
+```bash
+pytest -vv -s -n 0 src/tests/test_nostr_index_size.py --desktop --max-entries=1000
+```
+
+### Generating a Test Profile
+
+Use the helper script below to populate a profile with sample entries for testing:
+
+```bash
+python scripts/generate_test_profile.py --profile demo_profile --count 100
+```
+
+The script determines the fingerprint from the generated seed and stores the
+vault under `~/.seedpass/tests/<fingerprint>`. SeedPass only discovers profiles
+inside `~/.seedpass/`, so copy the fingerprint directory out of the `tests`
+subfolder (or adjust `APP_DIR` in `constants.py`) if you want to use the
+generated seed with the main application. The fingerprint is printed after
+creation and the encrypted index is published to Nostr. Use that same seed
+phrase to load SeedPass. The app checks Nostr on startup and pulls any newer
+snapshot so your vault stays in sync across machines. Synchronization also runs
+in the background after unlocking or when switching profiles.
+
+### Automatically Updating the Script Checksum
+
+SeedPass stores a SHA-256 checksum for the main program in `~/.seedpass/seedpass_script_checksum.txt`.
+To keep this value in sync with the source code, install the pre‑push git hook:
+
+```bash
+pre-commit install -t pre-push
+```
+
+After running this command, every `git push` will execute `scripts/update_checksum.py`,
+updating the checksum file automatically.
+
+If the checksum file is missing, generate it manually:
+
+```bash
+python scripts/update_checksum.py
+```
+
+If SeedPass reports a "script checksum mismatch" warning on startup,
+regenerate the checksum with `seedpass util update-checksum` or select
+"Generate Script Checksum" from the Settings menu.
+
+To run mutation tests locally, generate coverage data first and then execute `mutmut`:
+
+```bash
+pytest --cov=src src/tests
+python -m mutmut run --paths-to-mutate src --tests-dir src/tests --runner "python -m pytest -q" --use-coverage --no-progress
+python -m mutmut results
+```
+
+Mutation testing is disabled in the GitHub workflow due to reliability issues and should be run on a desktop environment instead.
+
+## Security Considerations
+
+**Important:** The password you use to encrypt your parent seed is also required to decrypt the seed index data retrieved from Nostr. **It is imperative to remember this password** and be sure to use it with the same seed, as losing it means you won't be able to access your stored index. Secure your 12-word seed **and** your master password.
+
+- **Backup Your Data:** Regularly back up your encrypted data and checksum files to prevent data loss.
+- **Backup the Settings PIN:** Your settings PIN is stored in the encrypted configuration file. Keep a copy of this file or remember the PIN, as losing it will require deleting the file and reconfiguring your relays.
+- **Protect Your Passwords:** Do not share your master password or seed phrases with anyone and ensure they are strong and unique.
+- **Backing Up the Parent Seed:** Use the CLI `vault reveal-parent-seed` command or the `/api/v1/vault/backup-parent-seed` endpoint with explicit confirmation to create an encrypted backup. The API does not return the seed directly.
+- **No PBKDF2 Salt Needed:** SeedPass deliberately omits an explicit PBKDF2 salt. Every password is derived from a unique 512-bit BIP-85 child seed, which already provides stronger per-password uniqueness than a conventional 128-bit salt.
+- **Checksum Verification:** Always verify the script's checksum to ensure its integrity and protect against unauthorized modifications.
+- **Potential Bugs and Limitations:** Be aware that the software may contain bugs and lacks certain features. Snapshot chunks are capped at 50 KB and the client rotates snapshots after enough delta events accumulate. The security of memory management and logs has not been thoroughly evaluated and may pose risks of leaking sensitive information.
+- **Multiple Seeds Management:** While managing multiple seeds adds flexibility, it also increases the responsibility to secure each seed and its associated password.
+- **No PBKDF2 Salt Required:** SeedPass deliberately omits an explicit PBKDF2 salt. Every password is derived from a unique 512-bit BIP-85 child seed, which already provides stronger per-password uniqueness than a conventional 128-bit salt.
+- **Default KDF Iterations:** New profiles start with 50,000 PBKDF2 iterations. Use `seedpass config set kdf_iterations` to change this.
+- **Offline Mode (default):** Nostr sync is disabled until you explicitly enable it via the Settings menu or `seedpass config toggle-offline`.
+  - **Quick Unlock:** Store a hashed copy of your password so future actions skip the prompt. Startup delay no longer changes. Use with caution on shared systems.
+
+## Contributing
+
+Contributions are welcome! If you have suggestions for improvements, bug fixes, or new features, please follow these steps:
+
+1. **Fork the Repository:** Click the "Fork" button on the top right of the repository page.
+
+2. **Create a Branch:** Create a new branch for your feature or bugfix.
+
+   ```bash
+   git checkout -b feature/YourFeatureName
+   ```
+
+3. **Commit Your Changes:** Make your changes and commit them with clear messages.
+
+   ```bash
+   git commit -m "Add feature X"
+   ```
+
+4. **Push to GitHub:** Push your changes to your forked repository.
+
+   ```bash
+   git push origin feature/YourFeatureName
+   ```
+
+5. **Create a Pull Request:** Navigate to the original repository and create a pull request describing your changes.
+
+## License
+
+This project is licensed under the [MIT License](LICENSE). See the [LICENSE](LICENSE) file for details.
+
+## Contact
+
+For any questions, suggestions, or support, please open an issue on the [GitHub repository](https://github.com/PR0M3TH3AN/SeedPass/issues) or contact the maintainer directly on [Nostr](https://primal.net/p/npub15jnttpymeytm80hatjqcvhhqhzrhx6gxp8pq0wn93rhnu8s9h9dsha32lx).
+
+---
+
+*Stay secure and keep your passwords safe with SeedPass!*
+
+---
--- a/docs/docs/package.json
+++ b/docs/docs/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "docs",
+  "private": true,
+  "scripts": {
+    "dev": "eleventy --serve",
+    "build": "node node_modules/archivox/src/generator/index.js"
+  },
+  "dependencies": {
+    "archivox": "^1.0.0"
+  }
+}
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -1,25 +0,0 @@
-# Index Migrations
-
-SeedPass stores its password index in an encrypted JSON file. Each index contains
-a `schema_version` field so the application knows how to upgrade older files.
-
-## How migrations work
-
-When the vault loads the index, `Vault.load_index()` checks the version and
-applies migrations defined in `password_manager/migrations.py`. The
-`apply_migrations()` function iterates through registered migrations until the
-file reaches `LATEST_VERSION`.
-
-If an old file lacks `schema_version`, it is treated as version 0 and upgraded
-to the latest format. Attempting to load an index from a future version will
-raise an error.
-
-## Upgrading an index
-
-1. The JSON is decrypted and parsed.
-2. `apply_migrations()` applies any necessary steps, such as injecting the
-   `schema_version` field on first upgrade.
-3. After migration, the updated index is saved back to disk.
-
-This process happens automatically; users only need to open their vault to
-upgrade older indices.
--- a/docs/netlify.toml
+++ b/docs/netlify.toml
@@ -0,0 +1,3 @@
+[build]
+  command = "node build-docs.js"
+  publish = "_site"
--- a/docs/nostr_setup.md
+++ b/docs/nostr_setup.md
@@ -0,0 +1,33 @@
+# Nostr Setup
+
+This guide explains how SeedPass uses the Nostr protocol for encrypted vault backups and how to configure relays. SeedPass starts in offline mode, so you must explicitly disable it before any network synchronization. Run `seedpass config toggle-offline` or use the Settings menu to enable online syncing.
+
+## Relay Configuration
+
+SeedPass communicates with the Nostr network through a list of relays. You can manage these relays from the CLI:
+
+```bash
+seedpass nostr list-relays      # show configured relays
+seedpass nostr add-relay <url>  # add a relay URL
+seedpass nostr remove-relay <n> # remove relay by index
+```
+
+At least one relay is required for publishing and retrieving backups. Choose relays you trust to remain online and avoid those that charge high fees or aggressively rate‑limit connections.
+
+## Manifest and Delta Events
+
+Backups are published as parameterised replaceable events:
+
+- **Kind 30070 – Manifest:** describes the snapshot and lists chunk IDs. The optional `delta_since` field stores the UNIX timestamp of the latest delta event.
+- **Kind 30071 – Snapshot Chunk:** each 50 KB fragment of the compressed, encrypted vault.
+- **Kind 30072 – Delta:** captures changes since the last snapshot.
+
+When restoring, SeedPass downloads the most recent manifest and applies any newer delta events.
+
+## Troubleshooting
+
+- **No events found:** ensure the relays are reachable and that the correct fingerprint is selected.
+- **Connection failures:** some relays only support WebSocket over TLS; verify you are using `wss://` URLs where required.
+- **Stale data:** if deltas accumulate without a fresh snapshot, run `seedpass nostr sync` to publish an updated snapshot.
+
+Increasing log verbosity with `--verbose` can also help diagnose relay or network issues.
--- a/docs/package-lock.json
+++ b/docs/package-lock.json
--- a/docs/package.json
+++ b/docs/package.json
@@ -0,0 +1,25 @@
+{
+  "name": "archivox",
+  "version": "1.0.0",
+  "description": "Archivox static site generator",
+  "scripts": {
+    "dev": "eleventy --serve",
+    "build": "node src/generator/index.js",
+    "test": "jest"
+  },
+  "dependencies": {
+    "@11ty/eleventy": "^2.0.1",
+    "gray-matter": "^4.0.3",
+    "marked": "^11.1.1",
+    "lunr": "^2.3.9",
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "jest": "^29.6.1",
+    "puppeteer": "^24.12.1"
+  },
+  "license": "MIT",
+  "bin": {
+    "create-archivox": "./bin/create-archivox.js"
+  }
+}
--- a/docs/packaging.md
+++ b/docs/packaging.md
@@ -0,0 +1,38 @@
+# Packaging SeedPass
+
+This guide describes how to build platform-native packages for SeedPass using [BeeWare Briefcase](https://briefcase.readthedocs.io/).
+
+## Prerequisites
+
+* Python 3.12 with development headers (`python3-dev` on Debian/Ubuntu).
+* Briefcase installed in your virtual environment:
+
+```bash
+pip install briefcase
+```
+
+## Linux
+
+The helper script in `packaging/build-linux.sh` performs `briefcase create`, `build`, and `package` for the current project.
+
+```bash
+./packaging/build-linux.sh
+```
+
+Briefcase outputs its build artifacts in `build/seedpass-gui/ubuntu/noble/`. These files can be bundled in container formats such as Flatpak or Snap. Example manifests are included:
+
+* `packaging/flatpak/seedpass.yml` targets the `org.gnome.Platform` runtime and copies the Briefcase build into the Flatpak bundle.
+* `packaging/snapcraft.yaml` stages the Briefcase build and lists GTK libraries in `stage-packages` so the Snap includes its GUI dependencies.
+
+## macOS and Windows
+
+Scripts are provided to document the commands expected on each platform. They must be run on their respective operating systems:
+
+* `packaging/build-macos.sh`
+* `packaging/build-windows.ps1`
+
+Each script runs Briefcase's `create`, `build`, and `package` steps with `--no-input`.
+
+## Reproducible Releases
+
+The `packaging/` directory contains the scripts and manifests needed to regenerate desktop packages. Invoke the appropriate script on the target OS, then use the supplied Flatpak or Snap manifest to bundle additional dependencies for Linux.
--- a/docs/plugins/analytics.js
+++ b/docs/plugins/analytics.js
@@ -0,0 +1,7 @@
+module.exports = {
+  onPageRendered: async ({ html, file }) => {
+    // Example: inject analytics script into each page
+    const snippet = '\n<script>console.log("Page viewed: ' + file + '")</script>';
+    return { html: html.replace('</body>', `${snippet}</body>`) };
+  }
+};
--- a/docs/secret-scanning.md
+++ b/docs/secret-scanning.md
@@ -0,0 +1,17 @@
+# Secret Scanning
+
+SeedPass uses [Gitleaks](https://github.com/gitleaks/gitleaks) to scan the repository for accidentally committed secrets. The scan runs automatically for pull requests and on a nightly schedule. Any findings will cause the build to fail.
+
+## Suppressing False Positives
+
+If a file or string triggers the scanner but does not contain a real secret, add it to the allowlist in `.gitleaks.toml`.
+
+```toml
+[allowlist]
+# Ignore specific files
+paths = ["path/to/file.txt"]
+# Ignore strings that match a regular expression
+regexes = ["""dummy_api_key"""]
+```
+
+Commit the updated `.gitleaks.toml` to stop future alerts for the allowed items.
--- a/docs/security.md
+++ b/docs/security.md
@@ -0,0 +1,30 @@
+# Security Testing and Calibration
+
+This project includes fuzz tests and a calibration routine to tune Argon2 parameters for your hardware.
+
+## Running Fuzz Tests
+
+The fuzz tests exercise encryption and decryption with random data using [Hypothesis](https://hypothesis.readthedocs.io/).
+Activate the project's virtual environment and run:
+
+```bash
+pytest src/tests/test_encryption_fuzz.py
+```
+
+Running the entire test suite will also execute these fuzz tests.
+
+## Calibrating Argon2 Time Cost
+
+Argon2 performance varies by device.  To calibrate the `time_cost` parameter, run the helper function:
+
+```bash
+python - <<'PY'
+from seedpass.core.config_manager import ConfigManager
+from utils.key_derivation import calibrate_argon2_time_cost
+
+# assuming ``cfg`` is a ConfigManager for your profile
+calibrate_argon2_time_cost(cfg)
+PY
+```
+
+The selected `time_cost` is stored in the profile's configuration and used for subsequent key derivations.
--- a/docs/src/config/loadConfig.js
+++ b/docs/src/config/loadConfig.js
@@ -0,0 +1,70 @@
+const fs = require('fs');
+const path = require('path');
+const yaml = require('js-yaml');
+
+function deepMerge(target, source) {
+  for (const key of Object.keys(source)) {
+    if (
+      source[key] &&
+      typeof source[key] === 'object' &&
+      !Array.isArray(source[key])
+    ) {
+      target[key] = deepMerge(target[key] || {}, source[key]);
+    } else if (source[key] !== undefined) {
+      target[key] = source[key];
+    }
+  }
+  return target;
+}
+
+function loadConfig(configPath = path.join(process.cwd(), 'config.yaml')) {
+  let raw = {};
+  if (fs.existsSync(configPath)) {
+    try {
+      raw = yaml.load(fs.readFileSync(configPath, 'utf8')) || {};
+    } catch (e) {
+      console.error(`Failed to parse ${configPath}: ${e.message}`);
+      process.exit(1);
+    }
+  }
+
+  const defaults = {
+    site: {
+      title: 'Archivox',
+      description: '',
+      logo: '',
+      favicon: ''
+    },
+    navigation: {
+      search: true
+    },
+    footer: {},
+    theme: {
+      name: 'minimal',
+      darkMode: false
+    },
+    features: {},
+    pluginsDir: 'plugins',
+    plugins: []
+  };
+
+  const config = deepMerge(defaults, raw);
+
+  const errors = [];
+  if (
+    !config.site ||
+    typeof config.site.title !== 'string' ||
+    !config.site.title.trim()
+  ) {
+    errors.push('site.title is required in config.yaml');
+  }
+
+  if (errors.length) {
+    errors.forEach(err => console.error(`Config error: ${err}`));
+    process.exit(1);
+  }
+
+  return config;
+}
+
+module.exports = loadConfig;
--- a/docs/src/config/loadPlugins.js
+++ b/docs/src/config/loadPlugins.js
@@ -0,0 +1,24 @@
+const path = require('path');
+const fs = require('fs');
+
+function loadPlugins(config) {
+  const dir = path.resolve(process.cwd(), config.pluginsDir || 'plugins');
+  const names = Array.isArray(config.plugins) ? config.plugins : [];
+  const plugins = [];
+  for (const name of names) {
+    const file = path.join(dir, name.endsWith('.js') ? name : `${name}.js`);
+    if (fs.existsSync(file)) {
+      try {
+        const mod = require(file);
+        plugins.push(mod);
+      } catch (e) {
+        console.error(`Failed to load plugin ${name}:`, e);
+      }
+    } else {
+      console.warn(`Plugin not found: ${file}`);
+    }
+  }
+  return plugins;
+}
+
+module.exports = loadPlugins;
--- a/docs/src/generator/index.js
+++ b/docs/src/generator/index.js
@@ -0,0 +1,235 @@
+// Generator entry point for Archivox
+const fs = require('fs');
+const path = require('path');
+const matter = require('gray-matter');
+const lunr = require('lunr');
+const marked = require('marked');
+const { lexer } = marked;
+const loadConfig = require('../config/loadConfig');
+const loadPlugins = require('../config/loadPlugins');
+
+function formatName(name) {
+  return name
+    .replace(/^\d+[-_]?/, '')
+    .replace(/\.md$/, '');
+}
+
+async function readDirRecursive(dir) {
+  const entries = await fs.promises.readdir(dir, { withFileTypes: true });
+  const files = [];
+  for (const entry of entries) {
+    const res = path.resolve(dir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...await readDirRecursive(res));
+    } else {
+      files.push(res);
+    }
+  }
+  return files;
+}
+
+function buildNav(pages) {
+  const tree = {};
+  for (const page of pages) {
+    const rel = page.file.replace(/\\/g, '/');
+    if (rel === 'index.md') {
+      if (!tree.children) tree.children = [];
+      tree.children.push({
+        name: 'index.md',
+        children: [],
+        page: page.data,
+        path: `/${rel.replace(/\.md$/, '.html')}`,
+        order: page.data.order || 0
+      });
+      continue;
+    }
+    const parts = rel.split('/');
+    let node = tree;
+    for (let i = 0; i < parts.length; i++) {
+      const part = parts[i];
+      const isLast = i === parts.length - 1;
+      const isIndex = isLast && part === 'index.md';
+      if (isIndex) {
+        node.page = page.data;
+        node.path = `/${rel.replace(/\.md$/, '.html')}`;
+        node.order = page.data.order || 0;
+        break;
+      }
+      if (!node.children) node.children = [];
+      let child = node.children.find(c => c.name === part);
+      if (!child) {
+        child = { name: part, children: [] };
+        node.children.push(child);
+      }
+      node = child;
+      if (isLast) {
+        node.page = page.data;
+        node.path = `/${rel.replace(/\.md$/, '.html')}`;
+        node.order = page.data.order || 0;
+      }
+    }
+  }
+
+  function finalize(node, isRoot = false) {
+    if (node.page && node.page.title) {
+      node.displayName = node.page.title;
+    } else if (node.name) {
+      node.displayName = formatName(node.name);
+    }
+    if (node.children) {
+      node.children.forEach(c => finalize(c));
+      node.children.sort((a, b) => {
+        const orderDiff = (a.order || 0) - (b.order || 0);
+        if (orderDiff !== 0) return orderDiff;
+        return (a.displayName || '').localeCompare(b.displayName || '');
+      });
+      node.isSection = node.children.length > 0;
+    } else {
+      node.isSection = false;
+    }
+    if (isRoot && node.children) {
+      const idx = node.children.findIndex(c => c.name === 'index.md');
+      if (idx > 0) {
+        const [first] = node.children.splice(idx, 1);
+        node.children.unshift(first);
+      }
+    }
+  }
+
+  finalize(tree, true);
+  return tree.children || [];
+}
+
+async function generate({ contentDir = 'content', outputDir = '_site', configPath } = {}) {
+  const config = loadConfig(configPath);
+  const plugins = loadPlugins(config);
+
+  async function runHook(name, data) {
+    for (const plugin of plugins) {
+      if (typeof plugin[name] === 'function') {
+        const res = await plugin[name](data);
+        if (res !== undefined) data = res;
+      }
+    }
+    return data;
+  }
+  if (!fs.existsSync(contentDir)) {
+    console.error(`Content directory not found: ${contentDir}`);
+    return;
+  }
+
+  const files = await readDirRecursive(contentDir);
+  const pages = [];
+  const assets = [];
+  const searchDocs = [];
+
+  for (const file of files) {
+    const rel = path.relative(contentDir, file);
+    if (file.endsWith('.md')) {
+      const srcStat = await fs.promises.stat(file);
+      const outPath = path.join(outputDir, rel.replace(/\.md$/, '.html'));
+      if (fs.existsSync(outPath)) {
+        const outStat = await fs.promises.stat(outPath);
+        if (srcStat.mtimeMs <= outStat.mtimeMs) {
+          continue; // skip unchanged
+        }
+      }
+      let raw = await fs.promises.readFile(file, 'utf8');
+      const mdObj = await runHook('onParseMarkdown', { file: rel, content: raw });
+      if (mdObj && mdObj.content) raw = mdObj.content;
+      const parsed = matter(raw);
+      const tokens = lexer(parsed.content || '');
+      const firstHeading = tokens.find(t => t.type === 'heading');
+      const title = parsed.data.title || (firstHeading ? firstHeading.text : path.basename(rel, '.md'));
+      const headings = tokens.filter(t => t.type === 'heading').map(t => t.text).join(' ');
+      const htmlBody = require('marked').parse(parsed.content || '');
+      const bodyText = htmlBody.replace(/<[^>]+>/g, ' ');
+      pages.push({ file: rel, data: { ...parsed.data, title } });
+      searchDocs.push({ id: rel.replace(/\.md$/, '.html'), url: '/' + rel.replace(/\.md$/, '.html'), title, headings, body: bodyText });
+    } else {
+      assets.push(rel);
+    }
+  }
+
+  const nav = buildNav(pages);
+  await fs.promises.mkdir(outputDir, { recursive: true });
+  await fs.promises.writeFile(path.join(outputDir, 'navigation.json'), JSON.stringify(nav, null, 2));
+  await fs.promises.writeFile(path.join(outputDir, 'config.json'), JSON.stringify(config, null, 2));
+
+  const searchIndex = lunr(function() {
+    this.ref('id');
+    this.field('title');
+    this.field('headings');
+    this.field('body');
+    searchDocs.forEach(d => this.add(d));
+  });
+  await fs.promises.writeFile(
+    path.join(outputDir, 'search-index.json'),
+    JSON.stringify({ index: searchIndex.toJSON(), docs: searchDocs }, null, 2)
+  );
+
+  const nunjucks = require('nunjucks');
+  const env = new nunjucks.Environment(
+    new nunjucks.FileSystemLoader('templates')
+  );
+  env.addGlobal('navigation', nav);
+  env.addGlobal('config', config);
+
+  for (const page of pages) {
+    const outPath = path.join(outputDir, page.file.replace(/\.md$/, '.html'));
+    await fs.promises.mkdir(path.dirname(outPath), { recursive: true });
+    const srcPath = path.join(contentDir, page.file);
+    const raw = await fs.promises.readFile(srcPath, 'utf8');
+    const { content, data } = matter(raw);
+    const body = require('marked').parse(content);
+
+    const pageContext = {
+      title: data.title || page.data.title,
+      content: body,
+      page: { url: '/' + page.file.replace(/\.md$/, '.html') }
+    };
+
+    let html = env.render('layout.njk', pageContext);
+    const result = await runHook('onPageRendered', { file: page.file, html });
+    if (result && result.html) html = result.html;
+    await fs.promises.writeFile(outPath, html);
+  }
+
+
+  for (const asset of assets) {
+    const srcPath = path.join(contentDir, asset);
+    const destPath = path.join(outputDir, asset);
+    await fs.promises.mkdir(path.dirname(destPath), { recursive: true });
+    try {
+      const sharp = require('sharp');
+      if (/(png|jpg|jpeg)/i.test(path.extname(asset))) {
+        await sharp(srcPath).toFile(destPath);
+        continue;
+      }
+    } catch (e) {
+      // sharp not installed, fallback
+    }
+    await fs.promises.copyFile(srcPath, destPath);
+  }
+
+  // Copy the main assets directory (theme, js, etc.)
+  // Always resolve assets relative to the Archivox package so it works
+  // regardless of the current working directory or config location.
+  const mainAssetsSrc = path.resolve(__dirname, '../../assets');
+  const mainAssetsDest = path.join(outputDir, 'assets');
+
+  if (fs.existsSync(mainAssetsSrc)) {
+    console.log(`Copying main assets from ${mainAssetsSrc} to ${mainAssetsDest}`);
+    // Use fs.promises.cp for modern Node.js, it's like `cp -R`
+    await fs.promises.cp(mainAssetsSrc, mainAssetsDest, { recursive: true });
+  }
+}
+
+module.exports = { generate, buildNav };
+
+if (require.main === module) {
+  generate().catch(err => {
+    console.error(err);
+    process.exit(1);
+  });
+}
--- a/docs/starter/config.yaml
+++ b/docs/starter/config.yaml
@@ -0,0 +1,6 @@
+site:
+  title: "Archivox Docs"
+  description: "Simple static docs."
+
+navigation:
+  search: true
--- a/docs/starter/content/01-getting-started/01-install.md
+++ b/docs/starter/content/01-getting-started/01-install.md
@@ -0,0 +1,3 @@
+# Install
+
+Run `npm install` then `npm run build` to generate your site.
--- a/docs/starter/content/01-getting-started/index.md
+++ b/docs/starter/content/01-getting-started/index.md
@@ -0,0 +1,3 @@
+# Getting Started
+
+This section helps you begin with Archivox.
--- a/docs/starter/content/index.md
+++ b/docs/starter/content/index.md
@@ -0,0 +1,3 @@
+# Welcome to Archivox
+
+This is your new documentation site. Start editing files in the `content/` folder.
--- a/docs/starter/package.json
+++ b/docs/starter/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "my-archivox-site",
+  "private": true,
+  "scripts": {
+    "dev": "eleventy --serve",
+    "build": "node node_modules/archivox/src/generator/index.js"
+  },
+  "dependencies": {
+    "archivox": "*"
+  }
+}
--- a/docs/templates/layout.njk
+++ b/docs/templates/layout.njk
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang="en" data-theme="{% if config.theme.darkMode %}dark{% else %}light{% endif %}">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>{{ title | default(config.site.title) }}</title>
+  <link rel="stylesheet" href="/assets/theme.css" />
+</head>
+<body>
+  {% include "partials/header.njk" %}
+  <div id="sidebar-overlay" class="sidebar-overlay"></div>
+  <div class="container">
+    {% include "partials/sidebar.njk" %}
+    <main id="content">
+      <nav id="breadcrumbs" class="breadcrumbs"></nav>
+      {{ content | safe }}
+    </main>
+  </div>
+  {% include "partials/footer.njk" %}
+  <script src="/assets/lunr.js"></script>
+  <script src="/assets/theme.js"></script>
+</body>
+</html>
--- a/docs/templates/partials/footer.njk
+++ b/docs/templates/partials/footer.njk
@@ -0,0 +1,14 @@
+<footer class="footer">
+  {% if config.footer.links %}
+    <nav class="footer-links">
+      {% for link in config.footer.links %}
+        <a href="{{ link.url }}">{{ link.text }}</a>
+      {% endfor %}
+    </nav>
+  {% endif %}
+  <p>&copy; {{ config.site.title }}</p>
+  <div class="footer-permanent-links">
+    <a href="https://github.com/PR0M3TH3AN/Archivox">GitHub</a>
+    <a href="https://nostrtipjar.netlify.app/?n=npub15jnttpymeytm80hatjqcvhhqhzrhx6gxp8pq0wn93rhnu8s9h9dsha32lx">Tip Jar</a>
+  </div>
+</footer>
--- a/docs/templates/partials/header.njk
+++ b/docs/templates/partials/header.njk
@@ -0,0 +1,7 @@
+<header class="header">
+  <button id="sidebar-toggle" class="sidebar-toggle" aria-label="Toggle navigation">☰</button>
+  <a href="/" class="logo">{{ config.site.title }}</a>
+  <input id="search-input" class="search-input" type="search" placeholder="Search..." aria-label="Search" />
+  <button id="theme-toggle" class="theme-toggle" aria-label="Toggle dark mode">🌓</button>
+  <div id="search-results" class="search-results"></div>
+</header>
--- a/docs/templates/partials/sidebar.njk
+++ b/docs/templates/partials/sidebar.njk
@@ -0,0 +1,29 @@
+{% macro renderNav(items, pageUrl) %}
+  <ul>
+  {% for item in items %}
+    <li>
+      {% if item.children and item.children.length %}
+        {% set sectionPath = item.path | replace('index.html', '') %}
+        <details class="nav-section" {% if pageUrl.startsWith(sectionPath) %}open{% endif %}>
+          <summary>
+            <a href="{{ item.path }}" class="nav-link{% if item.path === pageUrl %} active{% endif %}">
+              {{ item.displayName or item.page.title }}
+            </a>
+          </summary>
+          {{ renderNav(item.children, pageUrl) }}
+        </details>
+      {% else %}
+        <a href="{{ item.path }}" class="nav-link{% if item.path === pageUrl %} active{% endif %}">
+          {{ item.displayName or item.page.title }}
+        </a>
+      {% endif %}
+    </li>
+  {% endfor %}
+  </ul>
+{% endmacro %}
+
+<aside class="sidebar" id="sidebar">
+  <nav>
+    {{ renderNav(navigation, page.url) }}
+  </nav>
+</aside>
--- a/examples/entry_management_demo.py
+++ b/examples/entry_management_demo.py
@@ -1,31 +0,0 @@
-from pathlib import Path
-from cryptography.fernet import Fernet
-
-from password_manager.encryption import EncryptionManager
-from password_manager.vault import Vault
-from password_manager.entry_management import EntryManager
-from password_manager.backup import BackupManager
-from constants import initialize_app
-
-
-def main() -> None:
-    """Demonstrate basic EntryManager usage."""
-    initialize_app()
-    key = Fernet.generate_key()
-    enc = EncryptionManager(key, Path("."))
-    vault = Vault(enc, Path("."))
-    backup_mgr = BackupManager(Path("."))
-    manager = EntryManager(vault, backup_mgr)
-
-    index = manager.add_entry(
-        "Example Website",
-        16,
-        username="user123",
-        url="https://example.com",
-    )
-    print(manager.retrieve_entry(index))
-    manager.list_all_entries()
-
-
-if __name__ == "__main__":
-    main()
--- a/examples/password_manager_demo.py
+++ b/examples/password_manager_demo.py
@@ -1,15 +0,0 @@
-from password_manager.manager import PasswordManager
-from nostr.client import NostrClient
-from constants import initialize_app
-
-
-def main() -> None:
-    """Show how to initialise PasswordManager with Nostr support."""
-    initialize_app()
-    manager = PasswordManager()
-    manager.nostr_client = NostrClient(encryption_manager=manager.encryption_manager)
-    # Sample actions could be called on ``manager`` here.
-
-
-if __name__ == "__main__":
-    main()
--- a/landing/index.html
+++ b/landing/index.html
@@ -40,6 +40,8 @@
                        </li>
                        <li role="none"><a href="#disclaimer" role="menuitem">Disclaimer</a>
                        </li>
+                        <li role="none"><a href="https://docs.seedpass.me/" role="menuitem">Docs</a>
+                        </li>
                    </ul>
                </div>
            </nav>
@@ -82,6 +84,26 @@ flowchart TB
                <h2 class="section-title" id="architecture-heading">Architecture Overview</h2>
                <pre class="mermaid">
 ---
+config:
+  layout: fixed
+  theme: base
+  themeVariables:
+    primaryColor: '#e94a39'
+    primaryBorderColor: '#e94a39'
+    lineColor: '#e94a39'
+  look: classic
+---
+graph TD
+    core(seedpass.core)
+    cli(CLI/TUI)
+    gui(BeeWare GUI)
+    ext(Browser extension)
+    cli --> core
+    gui --> core
+    ext --> core
+                </pre>
+                <pre class="mermaid">
+---
 config:
  layout: fixed
  theme: base
@@ -180,6 +202,8 @@ flowchart TD
                    <p>SeedPass allows you to manage multiple seed profiles (fingerprints). You can switch between different seeds to compartmentalize your passwords.</p>
                    <h3 class="subsection-title">Nostr Relay Integration</h3>
                    <p>SeedPass publishes your encrypted vault to Nostr in 50&#8201;KB chunks using parameterised replaceable events. A manifest describes each snapshot while deltas record updates. When too many deltas accumulate, a new snapshot is rotated in automatically.</p>
+                    <h3 class="subsection-title">Recovery from Nostr</h3>
+                    <p>Restoring a vault on a new device requires both your 12&#8201;word master seed and the master password that encrypted the vault. Without the correct password the downloaded archive cannot be decrypted.</p>
                    <h3 class="subsection-title">Checksum Verification</h3>
                    <p>Built-in checksum verification ensures your SeedPass installation hasn't been tampered with.</p>
                    <h3 class="subsection-title">Interactive TUI</h3>
--- a/packaging/build-linux.sh
+++ b/packaging/build-linux.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+briefcase create linux --no-input
+briefcase build linux --no-input
+briefcase package linux --no-input
--- a/packaging/build-macos.sh
+++ b/packaging/build-macos.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+briefcase create macos --no-input
+briefcase build macos --no-input
+briefcase package macos --no-input
--- a/packaging/build-windows.ps1
+++ b/packaging/build-windows.ps1
@@ -0,0 +1,3 @@
+briefcase create windows --no-input
+briefcase build windows --no-input
+briefcase package windows --no-input
--- a/packaging/flatpak/seedpass.yml
+++ b/packaging/flatpak/seedpass.yml
@@ -0,0 +1,18 @@
+app-id: io.seedpass.SeedPass
+runtime: org.gnome.Platform
+runtime-version: '46'
+sdk: org.gnome.Sdk
+command: seedpass-gui
+modules:
+  - name: seedpass
+    buildsystem: simple
+    build-commands:
+      - mkdir -p /app/bin
+      - cp -r ../../build/seedpass-gui/ubuntu/noble/* /app/bin/
+    sources:
+      - type: dir
+        path: ../../
+finish-args:
+  - --share=network
+  - --socket=fallback-x11
+  - --socket=wayland
--- a/packaging/snapcraft.yaml
+++ b/packaging/snapcraft.yaml
@@ -0,0 +1,22 @@
+name: seedpass
+base: core22
+version: '0.1.0'
+summary: Deterministic password manager
+description: |
+  SeedPass deterministically generates passwords using BIP-39 seeds.
+grade: devel
+confinement: strict
+apps:
+  seedpass-gui:
+    command: bin/seedpass-gui
+    plugs:
+      - network
+      - x11
+parts:
+  seedpass:
+    plugin: dump
+    source: build/seedpass-gui/ubuntu/noble/app
+    stage-packages:
+      - libgtk-3-0
+      - libglib2.0-0
+      - libgdk-pixbuf2.0-0
--- a/poetry.lock
+++ b/poetry.lock
--- a/post-refactor-to-do.md
+++ b/post-refactor-to-do.md
@@ -1,78 +0,0 @@
---
-
-# SeedPass Feature Back‑Log (v2)
-
-> **Encryption invariant**   Everything at rest **and** in export remains cipher‑text that ultimately derives from the **profile master‑password + parent seed**. No unencrypted payload leaves the vault.
->
-> **Surface rule**   UI layers (CLI, GUI, future mobile) may *display* decrypted data **after** user unlock, but must never write plaintext to disk or network.
-
---
-
-## Track vocabulary
-
-| Label        | Meaning                                                                        |
-| ------------ | ------------------------------------------------------------------------------ |
-| **Core API** | `seedpass.api`  – headless services consumed by CLI / GUI                      |
-| **Profile**  | A fingerprint‑scoped vault:   parent‑seed + hashed pw + entries                |
-| **Entry**    | One encrypted JSON blob on disk plus Nostr snapshot chunks and delta events |
-| **GUI MVP**  | Desktop app built with PySide 6 announced in the v2 roadmap                    |
-
---
-
-## Phase A  •  Core‑level enhancements (blockers for GUI)
-
-|  Prio  | Feature                            | Notes                                                                                                                                                                              |
-| ------ | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-|  🔥    | **Encrypted Search API**           | • `VaultService.search(query:str, *, kinds=None) -> List[EntryMeta]`  <br>• Decrypt *only* whitelisted meta‑fields per `kind` (title, username, url, tags) for in‑memory matching. |
-|  🔥    | **Rich Listing / Sort / Filter**   | • `list_entries(sort_by="updated", kind="note")`  <br>• Sorting by `title` must decrypt that field on‑the‑fly.                                                                     |
-|  🔥    | **Custom Relay Set (per profile)** | • `StateManager.state["relays"]: List[str]`  <br>• CRUD CLI commands & GUI dialog.  <br>• `NostrClient` reads from state at instantiation.                                         |
-|  ⚡     | **Session Lock & Idle Timeout**    | • Config `SESSION_TIMEOUT` (default 15 min).  <br>• `AuthGuard` clears in‑memory keys & seeds.  <br>• CLI `seedpass lock` + GUI menu “Lock vault”.                                 |
-
-**Exit‑criteria** : All functions green in CI, consumed by both CLI (Typer) *and* a minimal Qt test harness.
-
---
-
-## Phase B  •  Data Portability (encrypted only)
-
-|  Prio  | Feature                              | Notes                                                                                                                                                                                        |                                                                                                                     |
-| ------ | ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
-|  ⭐     | **Encrypted Profile Export**         | • CLI `seedpass export --out myprofile.enc`  <br>• Serialise *encrypted* entry files → single JSON wrapper → `EncryptionManager.encrypt_data()`  <br>• Always require active profile unlock. |                                                                                                                     |
-|  ⭐     | **Encrypted Profile Import / Merge** | • CLI \`seedpass import myprofile.enc \[--strategy skip                                                                                                                                      | overwrite-newer]`  <br>• Verify fingerprint match before ingest.  <br>• Conflict policy pluggable; default `skip\`. |
-
---
-
-## Phase C  •  Advanced secrets & sync
-
-|  Prio  | Feature                      | Notes                                                                                                                                          |
-| ------ | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
-|  ◇     | **TOTP entry kind**          | • `kind="totp_secret"`  fields: title, issuer, username, secret\_key  <br>• `secret_key` encrypted; handler uses `pyotp` to show current code. |
-|  ◇     | **Manual Conflict Resolver** | • When `checksum` mismatch *and* both sides newer than last sync → prompt user (CLI) or modal (GUI).                                           |
-
---
-
-## Phase D  •  Desktop GUI MVP (Qt 6)
-
-*Features here ride on the Core API; keep UI totally stateless.*
-
-|  Prio  | Feature                  | Notes                                                                                                                                            |
-| ------ | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ |
-|  🔥    | **Login Window**         | • Unlock profile with master pw.  <br>• Profile switcher drop‑down.                                                                              |
-|  🔥    | **Vault Window**         | • Sidebar (Entries, Search, Backups, Settings).  <br>• `QTableView` bound to `VaultService.list_entries()`  <br>• Sort & basic filters built‑in. |
-|  🔥    | **Entry Editor Dialog**  | • Dynamic form driven by `kinds.py`.  <br>• Add / Edit.                                                                                          |
-|  ⭐     | **Sync Status Bar**      | • Pulsing icon + last sync timestamp; hooks into `SyncService` bus.                                                                              |
-|  ◇     | **Relay Manager Dialog** | • CRUD & ping test per relay.                                                                                                                    |
-
-*Binary packaging (PyInstaller matrix build) is already tracked in the roadmap and is not duplicated here.*
-
---
-
-## Phase E  •  Later / Research
-
-• Hardware‑wallet unlock (SLIP‑39 share)
-• Background daemon (`seedpassd` + gRPC)
-• Mobile companion (Flutter FFI)
-• Federated search across multiple profiles
-
---
-
-**Reminder:**  *No plaintext exports, no on‑disk temp files, and no writing decrypted data to Nostr.*  Everything funnels through the encryption stack or stays in memory for the current unlocked session only.
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,11 +1,113 @@
-[project]
+[tool.poetry]
 name = "seedpass"
 version = "0.1.0"
+description = "Deterministic password manager with a BeeWare GUI"
+authors = []

-[project.scripts]
+[tool.poetry.dependencies]
+python = ">=3.10,<3.13"
+colorama = ">=0.4.6"
+termcolor = ">=1.1.0"
+cryptography = ">=40.0.2"
+bip-utils = ">=2.5.0"
+bech32 = "1.2.0"
+coincurve = ">=18.0.0"
+mnemonic = "*"
+aiohttp = ">=3.12.15"
+bcrypt = "*"
+portalocker = ">=2.8"
+nostr-sdk = ">=0.43"
+websocket-client = "1.7.0"
+websockets = ">=15.0.0"
+tomli = "*"
+pgpy = "0.6.0"
+pyotp = ">=2.8.0"
+pyperclip = "*"
+qrcode = ">=8.2"
+typer = ">=0.12.3"
+fastapi = ">=0.116.0"
+uvicorn = ">=0.35.0"
+httpx = ">=0.28.1"
+requests = ">=2.32"
+python-multipart = ">=0.0.20"
+orjson = "*"
+argon2-cffi = "*"
+PyJWT = ">=2.8.0"
+slowapi = "^0.1.9"
+toga-core = { version = ">=0.5.2", optional = true }
+pillow = { version = "*", optional = true }
+toga-gtk = { version = ">=0.5.2", optional = true }
+toga-winforms = { version = ">=0.5.2", optional = true }
+toga-cocoa = { version = ">=0.5.2", optional = true }
+
+[tool.poetry.extras]
+gui = ["toga-core", "pillow"]
+gui-gtk = ["toga-gtk"]
+gui-win = ["toga-winforms"]
+gui-mac = ["toga-cocoa"]
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^8.2"
+coverage = "^7.5"
+black = "^24.3"
+pip-audit = "^2.7"
+pytest-xdist = "^3.5"
+hypothesis = "^6.98"
+freezegun = "^1.5"
+toga-dummy = ">=0.5.2"
+Pillow = "^10.4"
+
+[tool.poetry.scripts]
 seedpass = "seedpass.cli:app"
+seedpass-gui = "seedpass_gui.app:main"

 [tool.mypy]
 python_version = "3.11"
 strict = true
 mypy_path = "src"
+
+[tool.briefcase]
+project_name = "SeedPass"
+bundle = "io.seedpass"
+version = "0.1.0"
+
+[tool.briefcase.app.seedpass-gui]
+formal-name = "SeedPass"
+description = "Deterministic password manager with a BeeWare GUI"
+sources = ["src/seedpass_gui"]
+requires = [
+    "toga-core>=0.5.2",
+    "colorama>=0.4.6",
+    "termcolor>=1.1.0",
+    "cryptography>=40.0.2",
+    "bip-utils>=2.5.0",
+    "bech32==1.2.0",
+    "coincurve>=18.0.0",
+    "mnemonic",
+    "aiohttp>=3.12.15",
+    "bcrypt",
+    "portalocker>=2.8",
+    "nostr-sdk>=0.43",
+    "websocket-client==1.7.0",
+    "websockets>=15.0.0",
+    "tomli",
+    "pgpy==0.6.0",
+    "pyotp>=2.8.0",
+    "pyperclip",
+    "qrcode>=8.2",
+    "typer>=0.12.3",
+    "fastapi>=0.116.0",
+    "uvicorn>=0.35.0",
+    "httpx>=0.28.1",
+    "requests>=2.32",
+    "python-multipart>=0.0.20",
+    "orjson",
+    "argon2-cffi",
+]
+icon = "logo/png/SeedPass-Logo-24.png"
+license = { file = "LICENSE" }
+
+[build-system]
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"
+
--- a/pytest.ini
+++ b/pytest.ini
@@ -3,7 +3,7 @@ addopts = -n auto
 log_cli = true
 log_cli_level = WARNING
 log_level = WARNING
-testpaths = src/tests
+testpaths = src/tests tests
 markers =
    network: tests that require network connectivity
    stress: long running stress tests
--- a/refactor.md
+++ b/refactor.md
@@ -1,113 +0,0 @@
-# SeedPass v2 Roadmap — CLI → Desktop GUI
-
-> **Guiding principles**
->
-> 1. **Core-first** – a headless, testable Python package (`seedpass.core`) that is 100 % GUI-agnostic.
-> 2. **Thin adapters** – CLI, GUI, and future mobile layers merely call the core API.
-> 3. **Stateless UI** – all persistence lives in core services; UI never touches vault files directly.
-> 4. **Parity at every step** – CLI must keep working while GUI evolves.
-
---
-
-## Phase 0 • Tooling Baseline
-
-| #   | Task                                                                                           | Rationale                         |
-| --- | ---------------------------------------------------------------------------------------------- | --------------------------------- |
-| 0.1 | ✅ **Adopt `poetry`** (or `hatch`) for builds & dependency pins.                                | Single-source version + lockfile. |
-| 0.2 | ✅ **GitHub Actions**: lint (ruff), type-check (mypy), tests (pytest -q), coverage gate ≥ 85 %. | Prevent regressions.              |
-| 0.3 | ✅ Pre-commit hooks: ruff –fix, black, isort.                                                   | Uniform style.                    |
-
---
-
-## Phase 1 • Finalize Core Refactor (CLI still primary)
-
-> *Most of this is already drafted – here’s what must ship before GUI work starts.*
-
-| #   | Component                                                                     | Must-have work                                                             |
-| --- | ----------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
-| 1.1 | **`kinds.py` registry + per-kind handler modules**                            | import-safe; handler signature `(data,fingerprint,**svc)`                  |
-| 1.2 | **`StateManager`**                                                            | JSON file w/ fcntl lock<br>keys: `last_bip85_idx`, `last_sync_ts`          |
-| 1.3 | **Checksum inside entry metadata**                                            | `sha256(json.dumps(data,sort_keys=True))`                                  |
-| 1.4 | **Replaceable Nostr events** (kind 31111, `d` tag = `"{kindtag}{entry_num}"`) | publish/update/delete tombstone                                            |
-| 1.5 | **Per-entry `EntryManager` / `BackupManager`**                                | Save / load / backup / restore individual encrypted files                  |
-| 1.6 | **CLI rewritten with Typer**                                                  | Typer commands map 1-to-1 with core service methods; preserves colours.    |
-| 1.7 | **Legacy index migration command**                                            | `seedpass migrate-legacy` – idempotent, uses `add_entry()` under the hood. |
-| 1.8 | **bcrypt + NFKD master password hash**                                        | Stored per fingerprint.                                                    |
-
-> **Exit-criteria:** end-to-end flow (`add → list → sync → restore`) green in CI and covered by tests.
-
---
-
-## Phase 2 • Core API Hardening (prep for GUI)
-
-| #   | Task                                      | Deliverable                                                                                                 |
-| --- | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
-| 2.1 | **Public Service Layer** (`seedpass.api`) | Facade classes:<br>`VaultService`, `ProfileService`, `SyncService` – *no* CLI / UI imports.                 |
-| 2.2 | **Thread-safe gate**                      | Re-entrancy locks so GUI threads can call core safely.                                                      |
-| 2.3 | **Fast in-process event bus**             | Simple `pubsub.py` (observer pattern) for GUI to receive progress callbacks (e.g. sync progress, long ops). |
-| 2.4 | **Docstrings + pydantic models**          | Typed request/response objects → eases RPC later (e.g. REST, gRPC).                                         |
-| 2.5 | **Library packaging**                     | `python -m pip install .` gives importable `seedpass`.                                                      |
-
---
-
-## Phase 3 • Desktop GUI MVP
-
-| #   | Decision                                  | Notes                                                                                                                |
-| --- | ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
-| 3.0 | **Framework: PySide 6 (Qt 6)**            | ✓ LGPL, ✓ native look, ✓ Python-first, ✓ WebEngine if needed.                                                        |
-| 3.1 | **Process model**                         | *Same* process; GUI thread ↔ core API via signals/slots.<br>(If we outgrow this, swap to a local gRPC server later.) |
-| 3.2 | **UI Skeleton (milestone “Hello Vault”)** |                                                                                                                      |
-| –   | `LoginWindow`                             | master-password prompt → opens default profile                                                                       |
-| –   | `VaultWindow`                             | sidebar (Profiles, Entries, Backups) + stacked views                                                                 |
-| –   | `EntryTableView`                          | QTableView bound to `VaultService.list_entries()`                                                                    |
-| –   | `EntryEditorDialog`                       | Add / Edit forms – field set driven by `kinds.py`                                                                    |
-| –   | `SyncStatusBar`                           | pulse animation + last-sync timestamp                                                                                |
-| 3.3 | **Icons / theming**                       | Start with Qt-built-in icons; later swap to SVG set.                                                                 |
-| 3.4 | **Packaging**                             | `PyInstaller --onefile` for Win / macOS / Linux AppImage; GitHub Actions matrix build.                               |
-| 3.5 | **GUI E2E tests**                         | PyTest + pytest-qt (QtBot) smoke flows; run headless in CI (Xvfb).                                                   |
-
-> **Stretch option:** wrap the same UI in **Tauri** later for a lighter binary (\~5 MB), reusing the core API through a local websocket RPC.
-
---
-
-## Phase 4 • Unified Workflows & Coverage
-
-| #   | Task                                                                                    |
-| --- | --------------------------------------------------------------------------------------- |
-| 4.1 | Extend GitHub Actions to build GUI artifacts on every tag.                              |
-| 4.2 | Add synthetic coverage for GUI code paths (QtBot).                                      |
-| 4.3 | Nightly job: spin up headless GUI, run `sync` against test relay, assert no exceptions. |
-
---
-
-## Phase 5 • Future-Proofing (post-GUI v1)
-
-| Idea                       | Sketch                                                                                    |
-| -------------------------- | ----------------------------------------------------------------------------------------- |
-| **Background daemon**      | Optional `seedpassd` exposing Unix socket + JSON-RPC; both CLI & GUI become thin clients. |
-| **Hardware-wallet unlock** | Replace master password with HWW + SLIP-39 share; requires PyUSB bridge.                  |
-| **Mobile companion app**   | Reuse core via BeeWare or Flutter FFI; sync over Nostr only (no local vault).             |
-| **End-to-end test farm**   | dedicated relay docker-compose + pytest-subprocess to fake flaky relays.                  |
-
---
-
-## Deliverables Checklist
-
-* [ ] Core refactor merged, tests ≥ 85 % coverage
-* [ ] `seedpass` installs and passes `python -m seedpass.cli --help`
-* [ ] `seedpass-gui` binary opens vault, lists entries, adds & edits, syncs
-* [ ] GitHub Actions builds binaries for Win/macOS/Linux on tag
-* [ ] `docs/ARCHITECTURE.md` diagrams core ↔ CLI ↔ GUI layers
-
-When the above are ✅ we can ship `v2.0.0-beta.1` and invite early desktop testers.
-
---
-
-### 🔑 Key Takeaways
-
-1. **Keep all state & crypto in the core package.**
-2. **Expose a clean Python API first – GUI is “just another client.”**
-3. **Checksum + replaceable Nostr events give rock-solid sync & conflict handling.**
-4. **Lock files and StateManager prevent index reuse and vault corruption.**
-5. **The GUI sprint starts only after Phase 1 + 2 are fully green in CI.**
-
--- a/requirements.lock
+++ b/requirements.lock
--- a/scripts/dependency_scan.sh
+++ b/scripts/dependency_scan.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Run pip-audit against the pinned requirements
+if ! command -v pip-audit >/dev/null 2>&1; then
+  python -m pip install --quiet pip-audit
+fi
+
+pip-audit -r requirements.lock "$@"
--- a/scripts/generate_test_profile.py
+++ b/scripts/generate_test_profile.py
@@ -1,10 +1,17 @@
 #!/usr/bin/env python3
 """Generate a SeedPass test profile with realistic entries.

-This script populates a profile directory with a variety of entry types.
+This script populates a profile directory with a variety of entry types,
+including key/value pairs and managed accounts.
 If the profile does not exist, a new BIP-39 seed phrase is generated and
 stored encrypted. A clear text copy is written to ``seed_phrase.txt`` so
 it can be reused across devices.
+
+Profiles are saved under ``~/.seedpass/tests/`` by default. SeedPass
+only detects a profile automatically when it resides directly under
+``~/.seedpass/``. Copy the generated fingerprint directory from the
+``tests`` subfolder to ``~/.seedpass`` (or adjust ``APP_DIR`` in
+``constants.py``) to use the test seed with the main application.
 """

 from __future__ import annotations
@@ -31,11 +38,12 @@ consts.SCRIPT_CHECKSUM_FILE = consts.APP_DIR / "seedpass_script_checksum.txt"

 from constants import APP_DIR, initialize_app
 from utils.key_derivation import derive_key_from_password, derive_index_key
-from password_manager.encryption import EncryptionManager
-from password_manager.vault import Vault
-from password_manager.config_manager import ConfigManager
-from password_manager.backup import BackupManager
-from password_manager.entry_management import EntryManager
+from seedpass.core.encryption import EncryptionManager
+from seedpass.core.vault import Vault
+from seedpass.core.config_manager import ConfigManager
+from seedpass.core.backup import BackupManager
+from seedpass.core.entry_management import EntryManager
+from seedpass.core.state_manager import StateManager
 from nostr.client import NostrClient
 from utils.fingerprint import generate_fingerprint
 from utils.fingerprint_manager import FingerprintManager
@@ -46,7 +54,9 @@ import gzip
 DEFAULT_PASSWORD = "testpassword"


-def initialize_profile(profile_name: str) -> tuple[str, EntryManager, Path, str]:
+def initialize_profile(
+    profile_name: str,
+) -> tuple[str, EntryManager, Path, str, ConfigManager]:
    """Create or load a profile and return the seed phrase, manager, directory and fingerprint."""
    initialize_app()
    seed_txt = APP_DIR / f"{profile_name}_seed.txt"
@@ -70,7 +80,7 @@ def initialize_profile(profile_name: str) -> tuple[str, EntryManager, Path, str]
    profile_dir = APP_DIR / fingerprint
    profile_dir.mkdir(parents=True, exist_ok=True)

-    seed_key = derive_key_from_password(DEFAULT_PASSWORD)
+    seed_key = derive_key_from_password(DEFAULT_PASSWORD, fingerprint)
    seed_mgr = EncryptionManager(seed_key, profile_dir)
    seed_file = profile_dir / "parent_seed.enc"
    clear_path = profile_dir / "seed_phrase.txt"
@@ -96,9 +106,11 @@ def initialize_profile(profile_name: str) -> tuple[str, EntryManager, Path, str]
    # Store the default password hash so the profile can be opened
    hashed = bcrypt.hashpw(DEFAULT_PASSWORD.encode(), bcrypt.gensalt()).decode()
    cfg_mgr.set_password_hash(hashed)
+    # Ensure stored iterations match the PBKDF2 work factor used above
+    cfg_mgr.set_kdf_iterations(100_000)
    backup_mgr = BackupManager(profile_dir, cfg_mgr)
    entry_mgr = EntryManager(vault, backup_mgr)
-    return seed_phrase, entry_mgr, profile_dir, fingerprint
+    return seed_phrase, entry_mgr, profile_dir, fingerprint, cfg_mgr


 def random_secret(length: int = 16) -> str:
@@ -111,7 +123,7 @@ def populate(entry_mgr: EntryManager, seed: str, count: int) -> None:
    start_index = entry_mgr.get_next_index()
    for i in range(count):
        idx = start_index + i
-        kind = idx % 7
+        kind = idx % 9
        if kind == 0:
            entry_mgr.add_entry(
                label=f"site-{idx}.example.com",
@@ -133,18 +145,33 @@ def populate(entry_mgr: EntryManager, seed: str, count: int) -> None:
            )
        elif kind == 5:
            entry_mgr.add_nostr_key(f"nostr-{idx}", notes=f"Nostr key {idx}")
-        else:
+        elif kind == 6:
            entry_mgr.add_pgp_key(
                f"pgp-{idx}",
                seed,
                user_id=f"user{idx}@example.com",
                notes=f"PGP key {idx}",
            )
+        elif kind == 7:
+            entry_mgr.add_key_value(
+                f"kv-{idx}",
+                random_secret(20),
+                notes=f"Key/Value {idx}",
+            )
+        else:
+            entry_mgr.add_managed_account(
+                f"acct-{idx}",
+                seed,
+                notes=f"Managed account {idx}",
+            )


 def main() -> None:
    parser = argparse.ArgumentParser(
-        description="Create or extend a SeedPass test profile"
+        description=(
+            "Create or extend a SeedPass test profile (default PBKDF2 iterations:"
+            " 100,000)"
+        )
    )
    parser.add_argument(
        "--profile",
@@ -159,7 +186,7 @@ def main() -> None:
    )
    args = parser.parse_args()

-    seed, entry_mgr, dir_path, fingerprint = initialize_profile(args.profile)
+    seed, entry_mgr, dir_path, fingerprint, cfg_mgr = initialize_profile(args.profile)
    print(f"Using profile directory: {dir_path}")
    print(f"Parent seed: {seed}")
    if fingerprint:
@@ -169,10 +196,13 @@ def main() -> None:

    encrypted = entry_mgr.vault.get_encrypted_index()
    if encrypted:
+        idx = StateManager(dir_path).state.get("nostr_account_idx", 0)
        client = NostrClient(
            entry_mgr.vault.encryption_manager,
            fingerprint or dir_path.name,
            parent_seed=seed,
+            config_manager=cfg_mgr,
+            account_index=idx,
        )
        asyncio.run(client.publish_snapshot(encrypted))
        print("[+] Data synchronized to Nostr.")
--- a/scripts/install.ps1
+++ b/scripts/install.ps1
@@ -2,10 +2,12 @@
 # SeedPass Universal Installer for Windows
 #
 # Supports installing from a specific branch using the -Branch parameter.
-# Example: .\install.ps1 -Branch beta
+# Use -IncludeGui to install the optional BeeWare GUI backend.
+# Example: .\install.ps1 -Branch beta -IncludeGui

 param(
-    [string]$Branch = "main" # The git branch to install from
+    [string]$Branch = "main", # The git branch to install from
+    [switch]$IncludeGui # Install BeeWare GUI components
 )

 # --- Configuration ---
@@ -249,12 +251,31 @@ if ($LASTEXITCODE -ne 0) {
    Write-Error "Failed to upgrade pip"
 }

-& "$VenvDir\Scripts\python.exe" -m pip install -r "src\requirements.txt"
+& "$VenvDir\Scripts\python.exe" -m pip install --require-hashes -r "requirements.lock"
 if ($LASTEXITCODE -ne 0) {
    Write-Warning "Failed to install Python dependencies. If errors mention C++, install Microsoft C++ Build Tools: https://visualstudio.microsoft.com/visual-cpp-build-tools/"
    Write-Error "Dependency installation failed."
 }

+if ($IncludeGui) {
+    & "$VenvDir\Scripts\python.exe" -m pip install -e .[gui]
+} else {
+    & "$VenvDir\Scripts\python.exe" -m pip install -e .
+}
+if ($LASTEXITCODE -ne 0) {
+    Write-Error "Failed to install SeedPass package"
+}
+
+if ($IncludeGui) {
+    Write-Info "Installing BeeWare GUI backend..."
+    try {
+        & "$VenvDir\Scripts\python.exe" -m pip install toga-winforms
+        if ($LASTEXITCODE -ne 0) { throw "toga-winforms installation failed" }
+    } catch {
+        Write-Warning "Failed to install GUI backend. Install Microsoft C++ Build Tools from https://visualstudio.microsoft.com/visual-cpp-build-tools/ and rerun the installer."
+    }
+}
+
 # 5. Create launcher script
 Write-Info "Creating launcher script..."
 if (-not (Test-Path $LauncherDir)) { New-Item -ItemType Directory -Path $LauncherDir | Out-Null }
@@ -263,11 +284,29 @@ $LauncherContent = @"
@echo off
 setlocal
 call "%~dp0..\venv\Scripts\activate.bat"
-python "%~dp0..\src\main.py" %*
+"%~dp0..\venv\Scripts\python.exe" -m seedpass.cli %*
 endlocal
 "@
 Set-Content -Path $LauncherPath -Value $LauncherContent -Force

+$existingSeedpass = Get-Command seedpass -ErrorAction SilentlyContinue
+if ($existingSeedpass -and $existingSeedpass.Source -ne $LauncherPath) {
+    Write-Warning "Another 'seedpass' command was found at $($existingSeedpass.Source)."
+    Write-Warning "Ensure '$LauncherDir' comes first in your PATH or remove the old installation."
+}
+
+# Detect additional seedpass executables on PATH that are not our launcher
+$allSeedpass = Get-Command seedpass -All -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Source
+$stale = @()
+foreach ($cmd in $allSeedpass) {
+    if ($cmd -ne $LauncherPath) { $stale += $cmd }
+}
+if ($stale.Count -gt 0) {
+    Write-Warning "Stale 'seedpass' executables detected:" 
+    foreach ($cmd in $stale) { Write-Warning "  - $cmd" }
+    Write-Warning "Remove or rename these to avoid launching outdated code."
+}
+
 # 6. Add launcher directory to User's PATH if needed
 Write-Info "Checking if '$LauncherDir' is in your PATH..."
 $UserPath = [System.Environment]::GetEnvironmentVariable("Path", "User")
@@ -281,4 +320,5 @@ if (($UserPath -split ';') -notcontains $LauncherDir) {
 }

 Write-Success "Installation/update complete!"
-Write-Info "To run the application, please open a NEW terminal window and type: seedpass"
+Write-Info "To launch the interactive TUI, open a NEW terminal window and run: seedpass"
+Write-Info "'seedpass' resolves to: $(Get-Command seedpass | Select-Object -ExpandProperty Source)"
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -5,7 +5,9 @@
 # Supports installing from a specific branch using the -b or --branch flag.
 # Example: ./install.sh -b beta

-set -e
+set -euo pipefail
+IFS=$'\n\t'
+trap 'echo "[ERROR] Line $LINENO failed"; exit 1' ERR

 # --- Configuration ---
 REPO_URL="https://github.com/PR0M3TH3AN/SeedPass.git"
@@ -15,15 +17,52 @@ VENV_DIR="$INSTALL_DIR/venv"
 LAUNCHER_DIR="$HOME/.local/bin"
 LAUNCHER_PATH="$LAUNCHER_DIR/seedpass"
 BRANCH="main" # Default branch
+MODE="tui"
+INSTALL_GUI=false

 # --- Helper Functions ---
-print_info() { echo -e "\033[1;34m[INFO]\033[0m $1"; }
-print_success() { echo -e "\033[1;32m[SUCCESS]\033[0m $1"; }
-print_warning() { echo -e "\033[1;33m[WARNING]\033[0m $1"; }
-print_error() { echo -e "\033[1;31m[ERROR]\033[0m $1" >&2; exit 1; }
+print_info() { echo -e "\033[1;34m[INFO]\033[0m" "$1"; }
+print_success() { echo -e "\033[1;32m[SUCCESS]\033[0m" "$1"; }
+print_warning() { echo -e "\033[1;33m[WARNING]\033[0m" "$1"; }
+print_error() { echo -e "\033[1;31m[ERROR]\033[0m" "$1" >&2; exit 1; }
+
+# Install build dependencies for Gtk/GObject if available via the system package manager
+install_dependencies() {
+    print_info "Installing system packages required for Gtk bindings..."
+    if command -v apt-get &>/dev/null; then
+        sudo apt-get update && sudo apt-get install -y \\
+            build-essential pkg-config libcairo2 libcairo2-dev \\
+            libgirepository1.0-dev gobject-introspection \\
+            gir1.2-gtk-3.0 libgtk-3-dev python3-dev libffi-dev libssl-dev \\
+            cmake rustc cargo zlib1g-dev libjpeg-dev libpng-dev \\
+            libfreetype6-dev xclip wl-clipboard
+    elif command -v yum &>/dev/null; then
+        sudo yum install -y @'Development Tools' cairo cairo-devel \\
+            gobject-introspection-devel gtk3-devel python3-devel \\
+            libffi-devel openssl-devel cmake rust cargo zlib-devel \\
+            libjpeg-turbo-devel libpng-devel freetype-devel xclip \\
+            wl-clipboard
+    elif command -v dnf &>/dev/null; then
+        sudo dnf groupinstall -y "Development Tools" && sudo dnf install -y \\
+            cairo cairo-devel gobject-introspection-devel gtk3-devel \\
+            python3-devel libffi-devel openssl-devel cmake rust cargo \\
+            zlib-devel libjpeg-turbo-devel libpng-devel freetype-devel \\
+            xclip wl-clipboard
+    elif command -v pacman &>/dev/null; then
+        sudo pacman -Syu --noconfirm base-devel pkgconf cmake rustup \\
+            gtk3 gobject-introspection cairo libjpeg-turbo zlib \\
+            libpng freetype xclip wl-clipboard && rustup default stable
+    elif command -v brew &>/dev/null; then
+        brew install pkg-config cairo gobject-introspection gtk+3 cmake rustup-init && \\
+            rustup-init -y
+    else
+        print_warning "Unsupported package manager. Please install Gtk/GObject dependencies manually."
+    fi
+}
 usage() {
-    echo "Usage: $0 [-b | --branch <branch_name>] [-h | --help]"
+    echo "Usage: $0 [-b | --branch <branch_name>] [-m | --mode <tui|gui|both>] [-h | --help]"
    echo "  -b, --branch   Specify the git branch to install (default: main)"
+    echo "  -m, --mode     Installation mode: tui, gui, both (default: tui)"
    echo "  -h, --help     Display this help message"
    exit 0
 }
@@ -44,12 +83,40 @@ main() {
            -h|--help)
                usage
                ;;
+            -m|--mode)
+                if [ -n "$2" ]; then
+                    MODE="$2"
+                    shift 2
+                else
+                    print_error "Error: --mode requires an argument (tui|gui|both)."
+                fi
+                ;;
            *)
                print_error "Unknown parameter passed: $1"; usage
                ;;
        esac
    done

+    case "$MODE" in
+        tui|gui|both) ;;
+        *)
+            print_error "Invalid mode: $MODE. Use 'tui', 'gui', or 'both'."
+            ;;
+    esac
+
+    DISPLAY_DETECTED=false
+    if [ -n "${DISPLAY:-}" ] || [ -n "${WAYLAND_DISPLAY:-}" ]; then
+        DISPLAY_DETECTED=true
+    fi
+
+    if [[ "$MODE" == "gui" || "$MODE" == "both" ]]; then
+        if [ "$DISPLAY_DETECTED" = true ]; then
+            INSTALL_GUI=true
+        else
+            print_warning "No display detected. Skipping GUI installation."
+        fi
+    fi
+
    # 1. Detect OS
    OS_NAME=$(uname -s)
    print_info "Installing SeedPass from branch: '$BRANCH'"
@@ -84,15 +151,14 @@ main() {
    fi

    # 3. Install OS-specific dependencies
-    print_info "Checking for build dependencies..."
-    if [ "$OS_NAME" = "Linux" ]; then
-        if command -v apt-get &> /dev/null; then sudo apt-get update && sudo apt-get install -y build-essential pkg-config xclip;
-        elif command -v dnf &> /dev/null; then sudo dnf groupinstall -y "Development Tools" && sudo dnf install -y pkg-config xclip;
-        elif command -v pacman &> /dev/null; then sudo pacman -Syu --noconfirm base-devel pkg-config xclip;
-        else print_warning "Could not detect package manager. Ensure build tools and pkg-config are installed."; fi
-    elif [ "$OS_NAME" = "Darwin" ]; then
-        if ! command -v brew &> /dev/null; then print_error "Homebrew not installed. See https://brew.sh/"; fi
-        brew install pkg-config
+    if [ "$INSTALL_GUI" = true ]; then
+        print_info "Checking for Gtk development libraries..."
+        if command -v pkg-config &>/dev/null && pkg-config --exists girepository-2.0; then
+            print_info "Gtk bindings already available."
+        else
+            print_warning "Gtk introspection bindings not found. Installing dependencies..."
+            install_dependencies
+        fi
    fi

    # 4. Clone or update the repository
@@ -116,24 +182,82 @@ main() {
    source "$VENV_DIR/bin/activate"

    # 6. Install/Update Python dependencies
-    print_info "Installing/updating Python dependencies from src/requirements.txt..."
+    print_info "Installing/updating Python dependencies from requirements.lock..."
    pip install --upgrade pip
-    pip install -r src/requirements.txt
+    pip install --require-hashes -r requirements.lock
+    if [ "$INSTALL_GUI" = true ]; then
+        GUI_READY=true
+        if [ "$OS_NAME" = "Linux" ]; then
+            if ! (command -v pkg-config &>/dev/null && pkg-config --exists girepository-2.0); then
+                print_warning "GTK libraries (girepository-2.0) not found. Install them with: sudo apt install libgirepository1.0-dev"
+                read -r -p "Continue with GUI installation anyway? (y/N) " CONTINUE_GUI
+                if [[ ! "$CONTINUE_GUI" =~ ^[Yy]$ ]]; then
+                    GUI_READY=false
+                fi
+            fi
+        fi
+        if [ "$GUI_READY" = true ]; then
+            if [ "$OS_NAME" = "Linux" ]; then
+                print_info "Installing Linux GUI dependencies..."
+                pip install -e ".[gui-gtk]"
+            elif [ "$OS_NAME" = "Darwin" ]; then
+                print_info "Installing macOS GUI dependencies..."
+                pip install -e ".[gui-mac]"
+            else
+                print_warning "Unsupported OS for GUI installation. Installing core package only."
+                pip install -e .
+            fi
+        else
+            print_warning "Skipping GUI installation."
+            pip install -e .
+        fi
+    else
+        pip install -e .
+    fi
+
+    if ! "$VENV_DIR/bin/python" -c "import seedpass.cli; print('ok')"; then
+        print_error "SeedPass CLI import check failed."
+    fi
+
    deactivate

    # 7. Create launcher script
    print_info "Creating launcher script at '$LAUNCHER_PATH'..."
    mkdir -p "$LAUNCHER_DIR"
-    cat > "$LAUNCHER_PATH" << EOF2
+cat > "$LAUNCHER_PATH" << EOF2
 #!/bin/bash
 source "$VENV_DIR/bin/activate"
-exec python3 "$INSTALL_DIR/src/main.py" "\$@"
+exec "$VENV_DIR/bin/seedpass" "\$@"
 EOF2
    chmod +x "$LAUNCHER_PATH"

+    existing_cmd=$(command -v seedpass 2>/dev/null || true)
+    if [ -n "$existing_cmd" ] && [ "$existing_cmd" != "$LAUNCHER_PATH" ]; then
+        print_warning "Another 'seedpass' command was found at $existing_cmd."
+        print_warning "Ensure '$LAUNCHER_DIR' comes first in your PATH or remove the old installation."
+    fi
+
+    # Detect any additional seedpass executables on PATH that are not our launcher
+    IFS=':' read -ra _sp_paths <<< "$PATH"
+    stale_cmds=()
+    for _dir in "${_sp_paths[@]}"; do
+        _candidate="$_dir/seedpass"
+        if [ -x "$_candidate" ] && [ "$_candidate" != "$LAUNCHER_PATH" ]; then
+            stale_cmds+=("$_candidate")
+        fi
+    done
+    if [ ${#stale_cmds[@]} -gt 0 ]; then
+        print_warning "Stale 'seedpass' executables detected:"
+        for cmd in "${stale_cmds[@]}"; do
+            print_warning "  - $cmd"
+        done
+        print_warning "Remove or rename these to avoid launching outdated code."
+    fi
+
    # 8. Final instructions
    print_success "Installation/update complete!"
-    print_info "You can now run the application by typing: seedpass"
+    print_info "You can now launch the interactive TUI by typing: seedpass"
+    print_info "'seedpass' resolves to: $(command -v seedpass)"
    if [[ ":$PATH:" != *":$LAUNCHER_DIR:"* ]]; then
        print_warning "Directory '$LAUNCHER_DIR' is not in your PATH."
        print_warning "Please add 'export PATH=\"$HOME/.local/bin:$PATH\"' to your shell's config file (e.g., ~/.bashrc, ~/.zshrc) and restart your terminal."
--- a/scripts/run_ci_tests.sh
+++ b/scripts/run_ci_tests.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+pytest_args=(-vv)
+if [[ -n "${STRESS_ARGS:-}" ]]; then
+    pytest_args+=(${STRESS_ARGS})
+fi
+if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    pytest_args+=(-n 1)
+fi
+pytest_args+=(--cov=src --cov-report=xml --cov-report=term-missing --cov-fail-under=20 src/tests)
+
+timeout_bin="timeout"
+if ! command -v "$timeout_bin" >/dev/null 2>&1; then
+    if command -v gtimeout >/dev/null 2>&1; then
+        timeout_bin="gtimeout"
+    else
+        timeout_bin=""
+    fi
+fi
+
+if [[ -n "$timeout_bin" ]]; then
+    $timeout_bin 15m pytest "${pytest_args[@]}" 2>&1 | tee pytest.log
+    status=${PIPESTATUS[0]}
+else
+    echo "timeout command not found; running tests without timeout" >&2
+    pytest "${pytest_args[@]}" 2>&1 | tee pytest.log
+    status=${PIPESTATUS[0]}
+fi
+
+if [[ $status -eq 124 ]]; then
+    echo "::error::Tests exceeded 15-minute limit"
+    tail -n 20 pytest.log
+    exit 1
+fi
+exit $status
--- a/scripts/run_gui_tests.sh
+++ b/scripts/run_gui_tests.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+pytest_args=(-vv --desktop -m desktop src/tests)
+if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+    pytest_args+=(-n 1)
+fi
+
+timeout_bin="timeout"
+if ! command -v "$timeout_bin" >/dev/null 2>&1; then
+    if command -v gtimeout >/dev/null 2>&1; then
+        timeout_bin="gtimeout"
+    else
+        timeout_bin=""
+    fi
+fi
+
+if [[ -n "$timeout_bin" ]]; then
+    $timeout_bin 10m pytest "${pytest_args[@]}" 2>&1 | tee pytest_gui.log
+    status=${PIPESTATUS[0]}
+else
+    echo "timeout command not found; running tests without timeout" >&2
+    pytest "${pytest_args[@]}" 2>&1 | tee pytest_gui.log
+    status=${PIPESTATUS[0]}
+fi
+
+if [[ $status -eq 124 ]]; then
+    echo "::error::Desktop tests exceeded 10-minute limit"
+    tail -n 20 pytest_gui.log
+    exit 1
+fi
+exit $status
--- a/scripts/uninstall.ps1
+++ b/scripts/uninstall.ps1
@@ -0,0 +1,41 @@
+#
+# SeedPass Uninstaller for Windows
+#
+# Removes the SeedPass application files but preserves user data under ~/.seedpass
+
+$AppRootDir = Join-Path $env:USERPROFILE ".seedpass"
+$InstallDir = Join-Path $AppRootDir "app"
+$LauncherDir = Join-Path $InstallDir "bin"
+$LauncherName = "seedpass.cmd"
+
+function Write-Info { param([string]$Message) Write-Host "[INFO] $Message" -ForegroundColor Cyan }
+function Write-Success { param([string]$Message) Write-Host "[SUCCESS] $Message" -ForegroundColor Green }
+function Write-Warning { param([string]$Message) Write-Host "[WARNING] $Message" -ForegroundColor Yellow }
+function Write-Error { param([string]$Message) Write-Host "[ERROR] $Message" -ForegroundColor Red }
+
+Write-Info "Removing SeedPass installation..."
+
+if (Test-Path $InstallDir) {
+    Remove-Item -Recurse -Force $InstallDir
+    Write-Info "Deleted '$InstallDir'"
+} else {
+    Write-Info "Installation directory not found."
+}
+
+$LauncherPath = Join-Path $LauncherDir $LauncherName
+if (Test-Path $LauncherPath) {
+    Remove-Item -Force $LauncherPath
+    Write-Info "Removed launcher '$LauncherPath'"
+} else {
+    Write-Info "Launcher not found."
+}
+
+Write-Info "Attempting to uninstall any global 'seedpass' package with pip..."
+try {
+    pip uninstall -y seedpass | Out-Null
+} catch {
+    try { pip3 uninstall -y seedpass | Out-Null } catch {}
+}
+
+Write-Success "SeedPass uninstalled. User data under '$AppRootDir' was left intact."
+
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+#
+# SeedPass Uninstaller for Linux and macOS
+#
+# Removes the SeedPass application files but preserves user data under ~/.seedpass
+
+set -e
+
+APP_ROOT_DIR="$HOME/.seedpass"
+INSTALL_DIR="$APP_ROOT_DIR/app"
+LAUNCHER_PATH="$HOME/.local/bin/seedpass"
+
+print_info() { echo -e "\033[1;34m[INFO]\033[0m $1"; }
+print_success() { echo -e "\033[1;32m[SUCCESS]\033[0m $1"; }
+print_warning() { echo -e "\033[1;33m[WARNING]\033[0m $1"; }
+print_error() { echo -e "\033[1;31m[ERROR]\033[0m $1"; }
+
+# Remove any stale 'seedpass' executables that may still be on the PATH.
+remove_stale_executables() {
+    IFS=':' read -ra DIRS <<< "$PATH"
+    for dir in "${DIRS[@]}"; do
+        candidate="$dir/seedpass"
+        if [ -f "$candidate" ] && [ "$candidate" != "$LAUNCHER_PATH" ]; then
+            print_info "Removing old executable '$candidate'..."
+            if rm -f "$candidate"; then
+                rm_status=0
+            else
+                rm_status=$?
+            fi
+            if [ $rm_status -ne 0 ] && [ -f "$candidate" ]; then
+                print_warning "Failed to remove $candidate – try deleting it manually"
+            fi
+        fi
+    done
+}
+
+main() {
+    if [ -d "$INSTALL_DIR" ]; then
+        print_info "Removing installation directory '$INSTALL_DIR'..."
+        rm -rf "$INSTALL_DIR"
+    else
+        print_info "Installation directory not found."
+    fi
+
+
+    if [ -f "$LAUNCHER_PATH" ]; then
+        print_info "Removing launcher script '$LAUNCHER_PATH'..."
+        rm -f "$LAUNCHER_PATH"
+    else
+        print_info "Launcher script not found."
+    fi
+
+    remove_stale_executables
+
+    print_info "Attempting to uninstall any global 'seedpass' package with pip..."
+    if command -v python3 &> /dev/null; then
+        python3 -m pip uninstall -y seedpass >/dev/null 2>&1 || true
+    elif command -v pip &> /dev/null; then
+        pip uninstall -y seedpass >/dev/null 2>&1 || true
+    fi
+    if command -v pipx &> /dev/null; then
+        pipx uninstall -y seedpass >/dev/null 2>&1 || true
+    fi
+
+    print_success "SeedPass uninstalled."
+    print_warning "User data in '$APP_ROOT_DIR' was left intact."
+}
+
+main "$@"
+
--- a/scripts/update_checksum.py
+++ b/scripts/update_checksum.py
@@ -14,7 +14,7 @@ from constants import SCRIPT_CHECKSUM_FILE, initialize_app
 def main() -> None:
    """Calculate checksum for the main script and write it to SCRIPT_CHECKSUM_FILE."""
    initialize_app()
-    script_path = SRC_DIR / "password_manager" / "manager.py"
+    script_path = SRC_DIR / "seedpass/core" / "manager.py"
    if not update_checksum_file(str(script_path), str(SCRIPT_CHECKSUM_FILE)):
        raise SystemExit(f"Failed to update checksum for {script_path}")
    print(f"Updated checksum written to {SCRIPT_CHECKSUM_FILE}")
--- a/scripts/vendor_dependencies.sh
+++ b/scripts/vendor_dependencies.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VENDOR_DIR="src/vendor"
+
+# Clean vendor directory
+rm -rf "$VENDOR_DIR"
+mkdir -p "$VENDOR_DIR"
+
+pip download --no-binary :all: -r src/runtime_requirements.txt -d "$VENDOR_DIR"
+
+echo "Vendored dependencies installed in $VENDOR_DIR"
--- a/src/constants.py
+++ b/src/constants.py
@@ -9,8 +9,11 @@ logger = logging.getLogger(__name__)
 # -----------------------------------
 # Nostr Relay Connection Settings
 # -----------------------------------
-MAX_RETRIES = 3  # Maximum number of retries for relay connections
-RETRY_DELAY = 5  # Seconds to wait before retrying a failed connection
+# Retry fewer times with a shorter wait by default. These values
+# act as defaults that can be overridden via ``ConfigManager``
+# entries ``nostr_max_retries`` and ``nostr_retry_delay``.
+MAX_RETRIES = 2  # Default maximum number of retry attempts
+RETRY_DELAY = 1  # Default seconds to wait before retrying
 MIN_HEALTHY_RELAYS = 2  # Minimum relays that should return data on startup

 # -----------------------------------
@@ -31,13 +34,9 @@ def initialize_app() -> None:
    """Ensure the application directory exists."""
    try:
        APP_DIR.mkdir(exist_ok=True, parents=True)
-        if logger.isEnabledFor(logging.DEBUG):
-            logger.info(f"Application directory created at {APP_DIR}")
+        logger.debug("Application directory created at %s", APP_DIR)
    except Exception as exc:
-        if logger.isEnabledFor(logging.DEBUG):
-            logger.error(
-                f"Failed to create application directory: {exc}", exc_info=True
-            )
+        logger.error("Failed to create application directory: %s", exc, exc_info=True)


 # -----------------------------------
@@ -47,9 +46,15 @@ DEFAULT_PASSWORD_LENGTH = 16  # Default length for generated passwords
 MIN_PASSWORD_LENGTH = 8  # Minimum allowed password length
 MAX_PASSWORD_LENGTH = 128  # Maximum allowed password length

+# Characters considered safe for passwords when limiting punctuation
+SAFE_SPECIAL_CHARS = "!@#$%^*-_+=?"
+
 # Timeout in seconds before the vault locks due to inactivity
 INACTIVITY_TIMEOUT = 15 * 60  # 15 minutes

+# Duration in seconds that a notification remains active
+NOTIFICATION_DURATION = 10
+
 # -----------------------------------
 # Additional Constants (if any)
 # -----------------------------------
--- a/src/local_bip85/init.py
+++ b/src/local_bip85/init.py
@@ -1,17 +1,15 @@
 # bip85/__init__.py

 import logging
-import traceback

 logger = logging.getLogger(__name__)

 try:
    from .bip85 import BIP85
-
-    if logger.isEnabledFor(logging.DEBUG):
-        logger.info("BIP85 module imported successfully.")
-except Exception as e:
-    if logger.isEnabledFor(logging.DEBUG):
-        logger.error(f"Failed to import BIP85 module: {e}", exc_info=True)
+except Exception as exc:
+    logger.error("Failed to import BIP85 module: %s", exc, exc_info=True)
+    raise ImportError(
+        "BIP85 dependencies are missing. Install 'bip_utils', 'cryptography', and 'colorama'."
+    ) from exc

 __all__ = ["BIP85"]
--- a/src/local_bip85/bip85.py
+++ b/src/local_bip85/bip85.py
@@ -18,7 +18,8 @@ import hashlib
 import hmac
 import logging
 import os
-import traceback
+from typing import Union
+
 from colorama import Fore

 from bip_utils import Bip32Slip10Secp256k1, Bip39MnemonicGenerator, Bip39Languages
@@ -38,13 +39,19 @@ class Bip85Error(Exception):


 class BIP85:
-    def __init__(self, seed_bytes: bytes | str):
-        """Initialize from BIP39 seed bytes or BIP32 xprv string."""
+    def __init__(self, seed_or_xprv: Union[bytes, str]):
+        """Initialize from seed bytes or an ``xprv`` string.
+
+        Parameters:
+            seed_or_xprv (Union[bytes, str]): Either raw BIP39 seed bytes
+                or a BIP32 extended private key (``xprv``) string.
+        """
+
        try:
-            if isinstance(seed_bytes, (bytes, bytearray)):
-                self.bip32_ctx = Bip32Slip10Secp256k1.FromSeed(seed_bytes)
+            if isinstance(seed_or_xprv, (bytes, bytearray)):
+                self.bip32_ctx = Bip32Slip10Secp256k1.FromSeed(seed_or_xprv)
            else:
-                self.bip32_ctx = Bip32Slip10Secp256k1.FromExtendedKey(seed_bytes)
+                self.bip32_ctx = Bip32Slip10Secp256k1.FromExtendedKey(seed_or_xprv)
            logging.debug("BIP32 context initialized successfully.")
        except Exception as e:
            logging.error(f"Error initializing BIP32 context: {e}", exc_info=True)
@@ -52,26 +59,34 @@ class BIP85:
            raise Bip85Error(f"Error initializing BIP32 context: {e}")

    def derive_entropy(
-        self, index: int, bytes_len: int, app_no: int = 39, words_len: int | None = None
+        self,
+        index: int,
+        entropy_bytes: int,
+        app_no: int = 39,
+        word_count: int | None = None,
    ) -> bytes:
-        """
-        Derives entropy using BIP-85 HMAC-SHA512 method.
+        """Derive entropy using the BIP-85 HMAC-SHA512 method.

        Parameters:
            index (int): Index for the child entropy.
-            bytes_len (int): Number of bytes to derive for the entropy.
-            app_no (int): Application number (default 39 for BIP39)
+            entropy_bytes (int): Number of bytes of entropy to derive.
+            app_no (int): Application number (default 39 for BIP39).
+            word_count (int | None): Number of words used in the derivation path
+                for BIP39. If ``None`` and ``app_no`` is ``39``, ``word_count``
+                defaults to ``entropy_bytes``. The final segment of the
+                derivation path becomes ``m/83696968'/39'/0'/word_count'/index'``.

        Returns:
-            bytes: Derived entropy.
+            bytes: Derived entropy of length ``entropy_bytes``.

        Raises:
-            SystemExit: If derivation fails or entropy length is invalid.
+            SystemExit: If derivation fails or the derived entropy length is
+                invalid.
        """
        if app_no == 39:
-            if words_len is None:
-                words_len = bytes_len
-            path = f"m/83696968'/{app_no}'/0'/{words_len}'/{index}'"
+            if word_count is None:
+                word_count = entropy_bytes
+            path = f"m/83696968'/{app_no}'/0'/{word_count}'/{index}'"
        elif app_no == 32:
            path = f"m/83696968'/{app_no}'/{index}'"
        else:
@@ -87,17 +102,17 @@ class BIP85:
            hmac_result = hmac.new(hmac_key, k, hashlib.sha512).digest()
            logging.debug(f"HMAC-SHA512 result: {hmac_result.hex()}")

-            entropy = hmac_result[:bytes_len]
+            entropy = hmac_result[:entropy_bytes]

-            if len(entropy) != bytes_len:
+            if len(entropy) != entropy_bytes:
                logging.error(
-                    f"Derived entropy length is {len(entropy)} bytes; expected {bytes_len} bytes."
+                    f"Derived entropy length is {len(entropy)} bytes; expected {entropy_bytes} bytes."
                )
                print(
-                    f"{Fore.RED}Error: Derived entropy length is {len(entropy)} bytes; expected {bytes_len} bytes."
+                    f"{Fore.RED}Error: Derived entropy length is {len(entropy)} bytes; expected {entropy_bytes} bytes."
                )
                raise Bip85Error(
-                    f"Derived entropy length is {len(entropy)} bytes; expected {bytes_len} bytes."
+                    f"Derived entropy length is {len(entropy)} bytes; expected {entropy_bytes} bytes."
                )

            logging.debug(f"Derived entropy: {entropy.hex()}")
@@ -108,14 +123,17 @@ class BIP85:
            raise Bip85Error(f"Error deriving entropy: {e}")

    def derive_mnemonic(self, index: int, words_num: int) -> str:
-        bytes_len = {12: 16, 18: 24, 24: 32}.get(words_num)
-        if not bytes_len:
+        entropy_bytes = {12: 16, 18: 24, 24: 32}.get(words_num)
+        if not entropy_bytes:
            logging.error(f"Unsupported number of words: {words_num}")
            print(f"{Fore.RED}Error: Unsupported number of words: {words_num}")
            raise Bip85Error(f"Unsupported number of words: {words_num}")

        entropy = self.derive_entropy(
-            index=index, bytes_len=bytes_len, app_no=39, words_len=words_num
+            index=index,
+            entropy_bytes=entropy_bytes,
+            app_no=39,
+            word_count=words_num,
        )
        try:
            mnemonic = Bip39MnemonicGenerator(Bip39Languages.ENGLISH).FromEntropy(
@@ -131,7 +149,7 @@ class BIP85:
    def derive_symmetric_key(self, index: int = 0, app_no: int = 2) -> bytes:
        """Derive 32 bytes of entropy for symmetric key usage."""
        try:
-            key = self.derive_entropy(index=index, bytes_len=32, app_no=app_no)
+            key = self.derive_entropy(index=index, entropy_bytes=32, app_no=app_no)
            logging.debug(f"Derived symmetric key: {key.hex()}")
            return key
        except Exception as e:
--- a/src/main.py
+++ b/src/main.py
--- a/src/nostr/backup_models.py
+++ b/src/nostr/backup_models.py
@@ -14,6 +14,7 @@ class ChunkMeta:
    id: str
    size: int
    hash: str
+    event_id: Optional[str] = None


@dataclass
@@ -23,4 +24,5 @@ class Manifest:
    ver: int
    algo: str
    chunks: List[ChunkMeta]
-    delta_since: Optional[str] = None
+    delta_since: Optional[int] = None
+    nonce: Optional[str] = None
--- a/src/nostr/client.py
+++ b/src/nostr/client.py
@@ -1,33 +1,42 @@
-# src/nostr/client.py
-
+import asyncio
 import base64
 import json
 import logging
 import time
-from typing import List, Optional, Tuple
-import hashlib
-import asyncio
-import gzip
-import websockets
+import threading
+from datetime import timedelta
+from typing import List, Optional, TYPE_CHECKING

-# Imports from the nostr-sdk library
+import websockets
 from nostr_sdk import (
    Client,
-    Keys,
-    NostrSigner,
    EventBuilder,
    Filter,
    Kind,
    KindStandard,
+    NostrSigner,
    Tag,
+    RelayUrl,
+    PublicKey,
 )
-from datetime import timedelta
-from nostr_sdk import EventId, Timestamp
+from nostr_sdk import EventId, Keys, Timestamp

+from constants import MAX_RETRIES, RETRY_DELAY
+from seedpass.core.encryption import EncryptionManager
+
+from .backup_models import (
+    ChunkMeta,
+    KIND_DELTA,
+    KIND_MANIFEST,
+    KIND_SNAPSHOT_CHUNK,
+    Manifest,
+)
+from .connection import ConnectionHandler, DEFAULT_RELAYS
 from .key_manager import KeyManager as SeedPassKeyManager
-from .backup_models import Manifest, ChunkMeta, KIND_MANIFEST, KIND_SNAPSHOT_CHUNK
-from password_manager.encryption import EncryptionManager
-from utils.file_lock import exclusive_lock
+from .snapshot import SnapshotHandler, prepare_snapshot
+
+if TYPE_CHECKING:  # pragma: no cover - imported for type hints
+    from seedpass.core.config_manager import ConfigManager

 # Backwards compatibility for tests that patch these symbols
 KeyManager = SeedPassKeyManager
@@ -36,52 +45,8 @@ ClientBuilder = Client
 logger = logging.getLogger(__name__)
 logger.setLevel(logging.WARNING)

-DEFAULT_RELAYS = [
-    "wss://relay.snort.social",
-    "wss://nostr.oxtr.dev",
-    "wss://relay.primal.net",
-]

-
-def prepare_snapshot(
-    encrypted_bytes: bytes, limit: int
-) -> Tuple[Manifest, list[bytes]]:
-    """Compress and split the encrypted vault into chunks.
-
-    Each chunk is hashed with SHA-256 and described in the returned
-    :class:`Manifest`.
-
-    Parameters
-    ----------
-    encrypted_bytes : bytes
-        The encrypted vault contents.
-    limit : int
-        Maximum chunk size in bytes.
-
-    Returns
-    -------
-    Tuple[Manifest, list[bytes]]
-        The manifest describing all chunks and the list of chunk bytes.
-    """
-
-    compressed = gzip.compress(encrypted_bytes)
-    chunks = [compressed[i : i + limit] for i in range(0, len(compressed), limit)]
-
-    metas: list[ChunkMeta] = []
-    for i, chunk in enumerate(chunks):
-        metas.append(
-            ChunkMeta(
-                id=f"seedpass-chunk-{i:04d}",
-                size=len(chunk),
-                hash=hashlib.sha256(chunk).hexdigest(),
-            )
-        )
-
-    manifest = Manifest(ver=1, algo="gzip", chunks=metas)
-    return manifest, chunks
-
-
-class NostrClient:
+class NostrClient(ConnectionHandler, SnapshotHandler):
    """Interact with the Nostr network using nostr-sdk."""

    def __init__(
@@ -90,16 +55,22 @@ class NostrClient:
        fingerprint: str,
        relays: Optional[List[str]] = None,
        parent_seed: Optional[str] = None,
+        offline_mode: bool = False,
+        config_manager: Optional["ConfigManager"] = None,
+        key_index: bytes | None = None,
+        account_index: int | None = None,
    ) -> None:
        self.encryption_manager = encryption_manager
        self.fingerprint = fingerprint
        self.fingerprint_dir = self.encryption_manager.fingerprint_dir
+        self.config_manager = config_manager
+        self.verbose_timing = False

        if parent_seed is None:
            parent_seed = self.encryption_manager.decrypt_parent_seed()

        # Use our project's KeyManager to derive the private key
-        self.key_manager = KeyManager(parent_seed, fingerprint)
+        self.key_manager = KeyManager(parent_seed, fingerprint, account_index)

        # Create a nostr-sdk Keys object from our derived private key
        private_key_hex = self.key_manager.keys.private_key_hex()
@@ -110,305 +81,37 @@ class NostrClient:
        except Exception:
            self.keys = Keys.generate()

-        self.relays = relays if relays else DEFAULT_RELAYS
+        self.offline_mode = offline_mode
+        if relays is None:
+            self.relays = [] if offline_mode else DEFAULT_RELAYS
+        else:
+            self.relays = relays
+
+        if self.config_manager is not None:
+            try:
+                self.verbose_timing = self.config_manager.get_verbose_timing()
+            except Exception:
+                self.verbose_timing = False

        # store the last error encountered during network operations
        self.last_error: Optional[str] = None

        self.delta_threshold = 100
+        self._state_lock = threading.Lock()
        self.current_manifest: Manifest | None = None
+        self.current_manifest_id: str | None = None
        self._delta_events: list[str] = []
+        self.key_index = key_index or b""

        # Configure and initialize the nostr-sdk Client
        signer = NostrSigner.keys(self.keys)
        self.client = Client(signer)

-        self.initialize_client_pool()
+        self._connected = False

-    def initialize_client_pool(self) -> None:
-        """Add relays to the client and connect."""
-        asyncio.run(self._initialize_client_pool())

-    async def _initialize_client_pool(self) -> None:
-        if hasattr(self.client, "add_relays"):
-            await self.client.add_relays(self.relays)
-        else:
-            for relay in self.relays:
-                await self.client.add_relay(relay)
-        await self.client.connect()
-        logger.info(f"NostrClient connected to relays: {self.relays}")
-
-    async def _ping_relay(self, relay: str, timeout: float) -> bool:
-        """Attempt to retrieve the latest event from a single relay."""
-        sub_id = "seedpass-health"
-        pubkey = self.keys.public_key().to_hex()
-        req = json.dumps(
-            ["REQ", sub_id, {"kinds": [1], "authors": [pubkey], "limit": 1}]
-        )
-        try:
-            async with websockets.connect(
-                relay, open_timeout=timeout, close_timeout=timeout
-            ) as ws:
-                await ws.send(req)
-                while True:
-                    msg = await asyncio.wait_for(ws.recv(), timeout=timeout)
-                    data = json.loads(msg)
-                    if data[0] in {"EVENT", "EOSE"}:
-                        return True
-        except Exception:
-            return False
-
-    async def _check_relay_health(self, min_relays: int, timeout: float) -> int:
-        tasks = [self._ping_relay(r, timeout) for r in self.relays]
-        results = await asyncio.gather(*tasks, return_exceptions=True)
-        healthy = sum(1 for r in results if r is True)
-        if healthy < min_relays:
-            logger.warning(
-                "Only %s relays responded with data; consider adding more.", healthy
-            )
-        return healthy
-
-    def check_relay_health(self, min_relays: int = 2, timeout: float = 5.0) -> int:
-        """Ping relays and return the count of those providing data."""
-        return asyncio.run(self._check_relay_health(min_relays, timeout))
-
-    def publish_json_to_nostr(
-        self,
-        encrypted_json: bytes,
-        to_pubkey: str | None = None,
-        alt_summary: str | None = None,
-    ) -> str | None:
-        """Builds and publishes a Kind 1 text note or direct message.
-
-        Parameters
-        ----------
-        encrypted_json : bytes
-            The encrypted index data to publish.
-        to_pubkey : str | None, optional
-            If provided, send as a direct message to this public key.
-        alt_summary : str | None, optional
-            If provided, include an ``alt`` tag so uploads can be
-            associated with a specific event like a password change.
-        """
-        self.last_error = None
-        try:
-            content = base64.b64encode(encrypted_json).decode("utf-8")
-
-            if to_pubkey:
-                receiver = PublicKey.parse(to_pubkey)
-                event_output = self.client.send_private_msg_to(
-                    self.relays, receiver, content
-                )
-            else:
-                builder = EventBuilder.text_note(content)
-                if alt_summary:
-                    builder = builder.tags([Tag.alt(alt_summary)])
-                event = builder.build(self.keys.public_key()).sign_with_keys(self.keys)
-                event_output = self.publish_event(event)
-
-            event_id_hex = (
-                event_output.id.to_hex()
-                if hasattr(event_output, "id")
-                else str(event_output)
-            )
-            logger.info(f"Successfully published event with ID: {event_id_hex}")
-            return event_id_hex
-
-        except Exception as e:
-            self.last_error = str(e)
-            logger.error(f"Failed to publish JSON to Nostr: {e}")
-            return None
-
-    def publish_event(self, event):
-        """Publish a prepared event to the configured relays."""
-        return asyncio.run(self._publish_event(event))
-
-    async def _publish_event(self, event):
-        return await self.client.send_event(event)
-
-    def update_relays(self, new_relays: List[str]) -> None:
-        """Reconnect the client using a new set of relays."""
-        self.close_client_pool()
-        self.relays = new_relays
-        signer = NostrSigner.keys(self.keys)
-        self.client = Client(signer)
-        self.initialize_client_pool()
-
-    def retrieve_json_from_nostr_sync(
-        self, retries: int = 0, delay: float = 2.0
-    ) -> Optional[bytes]:
-        """Retrieve the latest Kind 1 event from the author with optional retries."""
-        self.last_error = None
-        attempt = 0
-        while True:
-            try:
-                result = asyncio.run(self._retrieve_json_from_nostr())
-                if result is not None:
-                    return result
-            except Exception as e:
-                self.last_error = str(e)
-                logger.error("Failed to retrieve events from Nostr: %s", e)
-            if attempt >= retries:
-                break
-            attempt += 1
-            time.sleep(delay)
-        return None
-
-    async def _retrieve_json_from_nostr(self) -> Optional[bytes]:
-        # Filter for the latest text note (Kind 1) from our public key
-        pubkey = self.keys.public_key()
-        f = Filter().author(pubkey).kind(Kind.from_std(KindStandard.TEXT_NOTE)).limit(1)
-
-        timeout = timedelta(seconds=10)
-        events = (await self.client.fetch_events(f, timeout)).to_vec()
-
-        if not events:
-            self.last_error = "No events found on relays for this user."
-            logger.warning(self.last_error)
-            return None
-
-        latest_event = events[0]
-        content_b64 = latest_event.content()
-
-        if content_b64:
-            return base64.b64decode(content_b64.encode("utf-8"))
-        self.last_error = "Latest event contained no content"
-        return None
-
-    async def publish_snapshot(
-        self, encrypted_bytes: bytes, limit: int = 50_000
-    ) -> tuple[Manifest, str]:
-        """Publish a compressed snapshot split into chunks.
-
-        Parameters
-        ----------
-        encrypted_bytes : bytes
-            Vault contents already encrypted with the user's key.
-        limit : int, optional
-            Maximum chunk size in bytes. Defaults to 50 kB.
-        """
-
-        manifest, chunks = prepare_snapshot(encrypted_bytes, limit)
-        for meta, chunk in zip(manifest.chunks, chunks):
-            content = base64.b64encode(chunk).decode("utf-8")
-            builder = EventBuilder(Kind(KIND_SNAPSHOT_CHUNK), content).tags(
-                [Tag.identifier(meta.id)]
-            )
-            event = builder.build(self.keys.public_key()).sign_with_keys(self.keys)
-            await self.client.send_event(event)
-
-        manifest_json = json.dumps(
-            {
-                "ver": manifest.ver,
-                "algo": manifest.algo,
-                "chunks": [meta.__dict__ for meta in manifest.chunks],
-                "delta_since": manifest.delta_since,
-            }
-        )
-
-        manifest_event = (
-            EventBuilder(Kind(KIND_MANIFEST), manifest_json)
-            .build(self.keys.public_key())
-            .sign_with_keys(self.keys)
-        )
-        result = await self.client.send_event(manifest_event)
-        manifest_id = result.id.to_hex() if hasattr(result, "id") else str(result)
-        self.current_manifest = manifest
-        self._delta_events = []
-        return manifest, manifest_id
-
-    async def fetch_latest_snapshot(self) -> Tuple[Manifest, list[bytes]] | None:
-        """Retrieve the latest manifest and all snapshot chunks."""
-
-        pubkey = self.keys.public_key()
-        f = Filter().author(pubkey).kind(Kind(KIND_MANIFEST)).limit(1)
-        timeout = timedelta(seconds=10)
-        events = (await self.client.fetch_events(f, timeout)).to_vec()
-        if not events:
-            return None
-        manifest_raw = events[0].content()
-        data = json.loads(manifest_raw)
-        manifest = Manifest(
-            ver=data["ver"],
-            algo=data["algo"],
-            chunks=[ChunkMeta(**c) for c in data["chunks"]],
-            delta_since=data.get("delta_since"),
-        )
-
-        chunks: list[bytes] = []
-        for meta in manifest.chunks:
-            cf = (
-                Filter()
-                .author(pubkey)
-                .kind(Kind(KIND_SNAPSHOT_CHUNK))
-                .identifier(meta.id)
-                .limit(1)
-            )
-            cev = (await self.client.fetch_events(cf, timeout)).to_vec()
-            if not cev:
-                raise ValueError(f"Missing chunk {meta.id}")
-            chunk_bytes = base64.b64decode(cev[0].content().encode("utf-8"))
-            if hashlib.sha256(chunk_bytes).hexdigest() != meta.hash:
-                raise ValueError(f"Checksum mismatch for chunk {meta.id}")
-            chunks.append(chunk_bytes)
-
-        self.current_manifest = manifest
-        return manifest, chunks
-
-    async def publish_delta(self, delta_bytes: bytes, manifest_id: str) -> str:
-        """Publish a delta event referencing a manifest."""
-
-        content = base64.b64encode(delta_bytes).decode("utf-8")
-        tag = Tag.event(EventId.parse(manifest_id))
-        builder = EventBuilder(Kind(KIND_DELTA), content).tags([tag])
-        event = builder.build(self.keys.public_key()).sign_with_keys(self.keys)
-        result = await self.client.send_event(event)
-        delta_id = result.id.to_hex() if hasattr(result, "id") else str(result)
-        if self.current_manifest is not None:
-            self.current_manifest.delta_since = delta_id
-        self._delta_events.append(delta_id)
-        return delta_id
-
-    async def fetch_deltas_since(self, version: int) -> list[bytes]:
-        """Retrieve delta events newer than the given version."""
-
-        pubkey = self.keys.public_key()
-        f = (
-            Filter()
-            .author(pubkey)
-            .kind(Kind(KIND_DELTA))
-            .since(Timestamp.from_secs(version))
-        )
-        timeout = timedelta(seconds=10)
-        events = (await self.client.fetch_events(f, timeout)).to_vec()
-        deltas: list[bytes] = []
-        for ev in events:
-            deltas.append(base64.b64decode(ev.content().encode("utf-8")))
-
-        if self.current_manifest is not None:
-            snap_size = sum(c.size for c in self.current_manifest.chunks)
-            if (
-                len(deltas) >= self.delta_threshold
-                or sum(len(d) for d in deltas) > snap_size
-            ):
-                # Publish a new snapshot to consolidate deltas
-                joined = b"".join(deltas)
-                await self.publish_snapshot(joined)
-                exp = Timestamp.from_secs(int(time.time()))
-                for ev in events:
-                    exp_builder = EventBuilder(Kind(KIND_DELTA), ev.content()).tags(
-                        [Tag.expiration(exp)]
-                    )
-                    exp_event = exp_builder.build(
-                        self.keys.public_key()
-                    ).sign_with_keys(self.keys)
-                    await self.client.send_event(exp_event)
-        return deltas
-
-    def close_client_pool(self) -> None:
-        """Disconnects the client from all relays."""
-        try:
-            asyncio.run(self.client.disconnect())
-            logger.info("NostrClient disconnected from relays.")
-        except Exception as e:
-            logger.error("Error during NostrClient shutdown: %s", e)
+__all__ = [
+    "NostrClient",
+    "prepare_snapshot",
+    "DEFAULT_RELAYS",
+]
--- a/src/nostr/coincurve_keys.py
+++ b/src/nostr/coincurve_keys.py
@@ -27,7 +27,8 @@ class Keys:

    @staticmethod
    def hex_to_bech32(key_str: str, prefix: str = "npub") -> str:
-        data = convertbits(bytes.fromhex(key_str), 8, 5)
+        # Pad to align with 5-bit groups as expected for Bech32 encoding
+        data = convertbits(bytes.fromhex(key_str), 8, 5, True)
        return bech32_encode(prefix, data)

    @staticmethod
--- a/src/nostr/connection.py
+++ b/src/nostr/connection.py
@@ -0,0 +1,232 @@
+import asyncio
+import base64
+import json
+import logging
+from datetime import timedelta
+from typing import List, Optional
+
+import websockets
+from . import client as nostr_client
+from constants import MAX_RETRIES, RETRY_DELAY
+
+logger = logging.getLogger("nostr.client")
+logger.setLevel(logging.WARNING)
+
+DEFAULT_RELAYS = [
+    "wss://relay.snort.social",
+    "wss://nostr.oxtr.dev",
+    "wss://relay.primal.net",
+]
+
+
+class ConnectionHandler:
+    """Mixin providing relay connection and retry logic."""
+
+    async def connect(self) -> None:
+        """Connect the client to all configured relays."""
+        if self.offline_mode or not self.relays:
+            return
+        if not getattr(self, "_connected", False):
+            await self._initialize_client_pool()
+
+    def initialize_client_pool(self) -> None:
+        """Add relays to the client and connect."""
+        if self.offline_mode or not self.relays:
+            return
+        asyncio.run(self._initialize_client_pool())
+
+    async def _connect_async(self) -> None:
+        """Ensure the client is connected within an async context."""
+        if self.offline_mode or not self.relays:
+            return
+        if not getattr(self, "_connected", False):
+            await self._initialize_client_pool()
+
+    async def _initialize_client_pool(self) -> None:
+        if self.offline_mode or not self.relays:
+            return
+
+        formatted = []
+        for relay in self.relays:
+            if isinstance(relay, str):
+                try:
+                    formatted.append(nostr_client.RelayUrl.parse(relay))
+                except Exception:
+                    logger.error("Invalid relay URL: %s", relay)
+            else:
+                formatted.append(relay)
+
+        if hasattr(self.client, "add_relays"):
+            await self.client.add_relays(formatted)
+        else:
+            for relay in formatted:
+                await self.client.add_relay(relay)
+
+        await self.client.connect()
+        self._connected = True
+        logger.info("NostrClient connected to relays: %s", formatted)
+
+    async def _ping_relay(self, relay: str, timeout: float) -> bool:
+        """Attempt to retrieve the latest event from a single relay."""
+        sub_id = "seedpass-health"
+        pubkey = self.keys.public_key().to_hex()
+        req = json.dumps(
+            [
+                "REQ",
+                sub_id,
+                {"kinds": [1], "authors": [pubkey], "limit": 1},
+            ]
+        )
+        try:
+            async with websockets.connect(
+                relay, open_timeout=timeout, close_timeout=timeout
+            ) as ws:
+                await ws.send(req)
+                while True:
+                    msg = await asyncio.wait_for(ws.recv(), timeout=timeout)
+                    data = json.loads(msg)
+                    if data[0] in {"EVENT", "EOSE"}:
+                        return True
+        except Exception:
+            return False
+
+    async def _check_relay_health(self, min_relays: int, timeout: float) -> int:
+        tasks = [self._ping_relay(r, timeout) for r in self.relays]
+        results = await asyncio.gather(*tasks, return_exceptions=True)
+        healthy = sum(1 for r in results if r is True)
+        if healthy < min_relays:
+            logger.warning(
+                "Only %s relays responded with data; consider adding more.", healthy
+            )
+        return healthy
+
+    def check_relay_health(self, min_relays: int = 2, timeout: float = 5.0) -> int:
+        """Ping relays and return the count of those providing data."""
+        if self.offline_mode or not self.relays:
+            return 0
+        return asyncio.run(self._check_relay_health(min_relays, timeout))
+
+    async def publish_json_to_nostr(
+        self,
+        encrypted_json: bytes,
+        to_pubkey: str | None = None,
+        alt_summary: str | None = None,
+    ) -> str | None:
+        """Build and publish a Kind 1 text note or direct message."""
+        if self.offline_mode or not self.relays:
+            return None
+        await self.connect()
+        self.last_error = None
+        try:
+            content = base64.b64encode(encrypted_json).decode("utf-8")
+
+            if to_pubkey:
+                receiver = nostr_client.PublicKey.parse(to_pubkey)
+                event_output = self.client.send_private_msg_to(
+                    self.relays, receiver, content
+                )
+            else:
+                builder = nostr_client.EventBuilder.text_note(content)
+                if alt_summary:
+                    builder = builder.tags([nostr_client.Tag.alt(alt_summary)])
+                event = builder.build(self.keys.public_key()).sign_with_keys(self.keys)
+                event_output = await self.publish_event(event)
+
+            event_id_hex = (
+                event_output.id.to_hex()
+                if hasattr(event_output, "id")
+                else str(event_output)
+            )
+            logger.info("Successfully published event with ID: %s", event_id_hex)
+            return event_id_hex
+
+        except Exception as e:
+            self.last_error = str(e)
+            logger.error("Failed to publish JSON to Nostr: %s", e)
+            return None
+
+    async def publish_event(self, event):
+        """Publish a prepared event to the configured relays."""
+        if self.offline_mode or not self.relays:
+            return None
+        await self.connect()
+        return await self.client.send_event(event)
+
+    def update_relays(self, new_relays: List[str]) -> None:
+        """Reconnect the client using a new set of relays."""
+        self.close_client_pool()
+        self.relays = new_relays
+        signer = nostr_client.NostrSigner.keys(self.keys)
+        self.client = nostr_client.Client(signer)
+        self._connected = False
+        self.initialize_client_pool()
+
+    async def retrieve_json_from_nostr(
+        self, retries: int | None = None, delay: float | None = None
+    ) -> Optional[bytes]:
+        """Retrieve the latest Kind 1 event from the author with optional retries."""
+        if self.offline_mode or not self.relays:
+            return None
+
+        if retries is None or delay is None:
+            if self.config_manager is None:
+                from seedpass.core.config_manager import ConfigManager
+                from seedpass.core.vault import Vault
+
+                cfg_mgr = ConfigManager(
+                    Vault(self.encryption_manager, self.fingerprint_dir),
+                    self.fingerprint_dir,
+                )
+            else:
+                cfg_mgr = self.config_manager
+            cfg = cfg_mgr.load_config(require_pin=False)
+            retries = int(cfg.get("nostr_max_retries", MAX_RETRIES))
+            delay = float(cfg.get("nostr_retry_delay", RETRY_DELAY))
+
+        await self.connect()
+        self.last_error = None
+        for attempt in range(retries):
+            try:
+                result = await self._retrieve_json_from_nostr()
+                if result is not None:
+                    return result
+            except Exception as e:
+                self.last_error = str(e)
+                logger.error("Failed to retrieve events from Nostr: %s", e)
+            if attempt < retries - 1:
+                sleep_time = delay * (2**attempt)
+                await asyncio.sleep(sleep_time)
+        return None
+
+    async def _retrieve_json_from_nostr(self) -> Optional[bytes]:
+        if self.offline_mode or not self.relays:
+            return None
+        await self._connect_async()
+        pubkey = self.keys.public_key()
+        f = (
+            nostr_client.Filter()
+            .author(pubkey)
+            .kind(nostr_client.Kind.from_std(nostr_client.KindStandard.TEXT_NOTE))
+            .limit(1)
+        )
+        timeout = timedelta(seconds=10)
+        events = (await self.client.fetch_events(f, timeout)).to_vec()
+        if not events:
+            self.last_error = "No events found on relays for this user."
+            logger.warning(self.last_error)
+            return None
+        latest_event = events[0]
+        content_b64 = latest_event.content()
+        if content_b64:
+            return base64.b64decode(content_b64.encode("utf-8"))
+        self.last_error = "Latest event contained no content"
+        return None
+
+    def close_client_pool(self) -> None:
+        """Disconnect the client from all relays."""
+        try:
+            asyncio.run(self.client.disconnect())
+            self._connected = False
+            logger.info("NostrClient disconnected from relays.")
+        except Exception as e:
+            logger.error("Error during NostrClient shutdown: %s", e)
--- a/src/nostr/event_handler.py
+++ b/src/nostr/event_handler.py
@@ -2,16 +2,8 @@

 import time
 import logging
-import traceback

-try:
-    from monstr.event.event import Event
-except ImportError:  # pragma: no cover - optional dependency
-
-    class Event:  # minimal placeholder for type hints when monstr is absent
-        id: str
-        created_at: int
-        content: str
+from nostr_sdk import Event


 # Instantiate the logger
@@ -27,26 +19,15 @@ class EventHandler:
        pass  # Initialize if needed

    def handle_new_event(self, evt: Event):
-        """
-        Processes incoming events by logging their details.
+        """Process and log details from a Nostr event."""

-        :param evt: The received Event object.
-        """
        try:
-            # Assuming evt.created_at is always an integer Unix timestamp
-            if isinstance(evt.created_at, int):
-                created_at_str = time.strftime(
-                    "%Y-%m-%d %H:%M:%S", time.gmtime(evt.created_at)
-                )
-            else:
-                # Handle unexpected types gracefully
-                created_at_str = str(evt.created_at)
+            created_at = evt.created_at().as_secs()
+            created_at_str = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(created_at))
+            event_id = evt.id().to_hex()

-            # Log the event details without extra newlines
            logger.info(
-                f"[New Event] ID: {evt.id} | Created At: {created_at_str} | Content: {evt.content}"
+                f"[New Event] ID: {event_id} | Created At: {created_at_str} | Content: {evt.content()}"
            )
        except Exception as e:
            logger.error(f"Error handling new event: {e}", exc_info=True)
-            # Optionally, handle the exception without re-raising
-            # For example, continue processing other events
--- a/src/nostr/key_manager.py
+++ b/src/nostr/key_manager.py
@@ -2,28 +2,36 @@

 import hashlib
 import logging
-import traceback
 from bech32 import bech32_encode, convertbits

 from local_bip85.bip85 import BIP85
 from bip_utils import Bip39SeedGenerator
 from .coincurve_keys import Keys

+# BIP-85 application numbers for Nostr key derivation
+NOSTR_KEY_APP_ID = 1237
+LEGACY_NOSTR_KEY_APP_ID = 0
+
 logger = logging.getLogger(__name__)


 class KeyManager:
-    """
-    Manages key generation, encoding, and derivation for NostrClient.
-    """
+    """Manages key generation, encoding, and derivation for ``NostrClient``."""

-    def __init__(self, parent_seed: str, fingerprint: str):
-        """
-        Initializes the KeyManager with the provided parent_seed and fingerprint.
+    def __init__(
+        self, parent_seed: str, fingerprint: str, account_index: int | None = None
+    ):
+        """Initialize the key manager.

-        Parameters:
-            parent_seed (str): The parent seed used for key derivation.
-            fingerprint (str): The fingerprint to differentiate key derivations.
+        Parameters
+        ----------
+        parent_seed:
+            The BIP-39 seed used as the root for derivations.
+        fingerprint:
+            Seed profile fingerprint used for legacy derivations and logging.
+        account_index:
+            Optional explicit index for BIP-85 Nostr key derivation. When ``None``
+            the index defaults to ``0``.
        """
        try:
            if not isinstance(parent_seed, str):
@@ -37,12 +45,15 @@ class KeyManager:

            self.parent_seed = parent_seed
            self.fingerprint = fingerprint
-            logger.debug(f"KeyManager initialized with parent_seed and fingerprint.")
+            self.account_index = account_index
+            logger.debug(
+                "KeyManager initialized with parent_seed, fingerprint and account index."
+            )

            # Initialize BIP85
            self.bip85 = self.initialize_bip85()

-            # Generate Nostr keys using the fingerprint
+            # Generate Nostr keys using the provided account index
            self.keys = self.generate_nostr_keys()
            logger.debug("Nostr Keys initialized successfully.")

@@ -67,33 +78,47 @@ class KeyManager:
            raise

    def generate_nostr_keys(self) -> Keys:
-        """
-        Derives a unique Nostr key pair for the given fingerprint using BIP-85.
-
-        Returns:
-            Keys: An instance of Keys containing the Nostr key pair.
-        """
+        """Derive a Nostr key pair using the configured ``account_index``."""
        try:
-            # Convert fingerprint to an integer index (using a hash function)
-            index = int(hashlib.sha256(self.fingerprint.encode()).hexdigest(), 16) % (
-                2**31
-            )
+            index = self.account_index if self.account_index is not None else 0

-            # Derive entropy for Nostr key (32 bytes)
            entropy_bytes = self.bip85.derive_entropy(
-                index=index,
-                bytes_len=32,  # Adjust parameter name and value as per your method signature
+                index=index, entropy_bytes=32, app_no=NOSTR_KEY_APP_ID
            )

-            # Generate Nostr key pair from entropy
            private_key_hex = entropy_bytes.hex()
            keys = Keys(priv_k=private_key_hex)
-            logger.debug(f"Nostr keys generated for fingerprint {self.fingerprint}.")
+            logger.debug("Nostr keys generated for account index %s", index)
            return keys
        except Exception as e:
            logger.error(f"Failed to generate Nostr keys: {e}", exc_info=True)
            raise

+    def generate_v1_nostr_keys(self) -> Keys:
+        """Derive keys using the legacy fingerprint-hash method."""
+        try:
+            index = int(hashlib.sha256(self.fingerprint.encode()).hexdigest(), 16) % (
+                2**31
+            )
+            entropy_bytes = self.bip85.derive_entropy(
+                index=index, entropy_bytes=32, app_no=NOSTR_KEY_APP_ID
+            )
+            return Keys(priv_k=entropy_bytes.hex())
+        except Exception as e:
+            logger.error(f"Failed to generate v1 Nostr keys: {e}", exc_info=True)
+            raise
+
+    def generate_legacy_nostr_keys(self) -> Keys:
+        """Derive Nostr keys using the legacy application ID."""
+        try:
+            entropy = self.bip85.derive_entropy(
+                index=0, entropy_bytes=32, app_no=LEGACY_NOSTR_KEY_APP_ID
+            )
+            return Keys(priv_k=entropy.hex())
+        except Exception as e:
+            logger.error(f"Failed to generate legacy Nostr keys: {e}", exc_info=True)
+            raise
+
    def get_public_key_hex(self) -> str:
        """
        Returns the public key in hexadecimal format.
--- a/src/nostr/logging_config.py
+++ b/src/nostr/logging_config.py
@@ -1,41 +0,0 @@
-# nostr/logging_config.py
-
-import logging
-import os
-
-# Comment out or remove the configure_logging function to avoid conflicts
-# def configure_logging():
-#     """
-#     Configures logging with both file and console handlers.
-#     Logs include the timestamp, log level, message, filename, and line number.
-#     Only ERROR and higher-level messages are shown in the terminal, while all messages
-#     are logged in the log file.
-#     """
-#     logger = logging.getLogger()
-#     logger.setLevel(logging.DEBUG)  # Set root logger to DEBUG
-#
-#     # Prevent adding multiple handlers if configure_logging is called multiple times
-#     if not logger.handlers:
-#         # Create the 'logs' folder if it doesn't exist
-#         log_directory = 'logs'
-#         if not os.path.exists(log_directory):
-#             os.makedirs(log_directory)
-#
-#         # Create handlers
-#         c_handler = logging.StreamHandler()
-#         f_handler = logging.FileHandler(os.path.join(log_directory, 'app.log'))
-#
-#         # Set levels: only errors and critical messages will be shown in the console
-#         c_handler.setLevel(logging.ERROR)
-#         f_handler.setLevel(logging.DEBUG)
-#
-#         # Create formatters and add them to handlers, include file and line number in log messages
-#         formatter = logging.Formatter(
-#             '%(asctime)s [%(levelname)s] %(message)s [%(filename)s:%(lineno)d]'
-#         )
-#         c_handler.setFormatter(formatter)
-#         f_handler.setFormatter(formatter)
-#
-#         # Add handlers to the logger
-#         logger.addHandler(c_handler)
-#         logger.addHandler(f_handler)
--- a/src/nostr/snapshot.py
+++ b/src/nostr/snapshot.py
@@ -0,0 +1,443 @@
+import asyncio
+import base64
+import gzip
+import hashlib
+import hmac
+import json
+import logging
+import os
+import time
+from datetime import timedelta
+from typing import Tuple
+
+from . import client as nostr_client
+
+from constants import MAX_RETRIES, RETRY_DELAY
+
+from .backup_models import (
+    ChunkMeta,
+    Manifest,
+    KIND_DELTA,
+    KIND_MANIFEST,
+    KIND_SNAPSHOT_CHUNK,
+)
+
+logger = logging.getLogger("nostr.client")
+logger.setLevel(logging.WARNING)
+
+
+def prepare_snapshot(
+    encrypted_bytes: bytes, limit: int
+) -> Tuple[Manifest, list[bytes]]:
+    """Compress and split the encrypted vault into chunks."""
+    compressed = gzip.compress(encrypted_bytes)
+    chunks = [compressed[i : i + limit] for i in range(0, len(compressed), limit)]
+    metas: list[ChunkMeta] = []
+    for i, chunk in enumerate(chunks):
+        metas.append(
+            ChunkMeta(
+                id=f"seedpass-chunk-{i:04d}",
+                size=len(chunk),
+                hash=hashlib.sha256(chunk).hexdigest(),
+                event_id=None,
+            )
+        )
+    manifest = Manifest(ver=1, algo="gzip", chunks=metas)
+    return manifest, chunks
+
+
+def new_manifest_id(key_index: bytes) -> tuple[str, bytes]:
+    """Return a new manifest identifier and nonce.
+
+    The identifier is computed as HMAC-SHA256 of ``b"manifest|" + nonce``
+    using ``key_index`` as the HMAC key. The nonce is returned so it can be
+    embedded inside the manifest itself.
+    """
+
+    nonce = os.urandom(16)
+    digest = hmac.new(key_index, b"manifest|" + nonce, hashlib.sha256).hexdigest()
+    return digest, nonce
+
+
+class SnapshotHandler:
+    """Mixin providing chunk and manifest handling."""
+
+    async def publish_snapshot(
+        self, encrypted_bytes: bytes, limit: int = 50_000
+    ) -> tuple[Manifest, str]:
+        start = time.perf_counter()
+        if self.offline_mode or not self.relays:
+            return Manifest(ver=1, algo="gzip", chunks=[]), ""
+        await self.ensure_manifest_is_current()
+        await self._connect_async()
+        manifest, chunks = prepare_snapshot(encrypted_bytes, limit)
+
+        existing: dict[str, str] = {}
+        if self.current_manifest:
+            for old in self.current_manifest.chunks:
+                if old.hash and old.event_id:
+                    existing[old.hash] = old.event_id
+
+        for meta, chunk in zip(manifest.chunks, chunks):
+            cached_id = existing.get(meta.hash)
+            if cached_id:
+                meta.event_id = cached_id
+                continue
+            content = base64.b64encode(chunk).decode("utf-8")
+            builder = nostr_client.EventBuilder(
+                nostr_client.Kind(KIND_SNAPSHOT_CHUNK), content
+            ).tags([nostr_client.Tag.identifier(meta.id)])
+            event = builder.build(self.keys.public_key()).sign_with_keys(self.keys)
+            result = await self.client.send_event(event)
+            try:
+                meta.event_id = (
+                    result.id.to_hex() if hasattr(result, "id") else str(result)
+                )
+            except Exception:
+                meta.event_id = None
+
+        if (
+            self.current_manifest_id
+            and self.current_manifest
+            and getattr(self.current_manifest, "nonce", None)
+        ):
+            manifest_id = self.current_manifest_id
+            manifest.nonce = self.current_manifest.nonce
+        else:
+            manifest_id, nonce = new_manifest_id(self.key_index)
+            manifest.nonce = base64.b64encode(nonce).decode("utf-8")
+
+        manifest_json = json.dumps(
+            {
+                "ver": manifest.ver,
+                "algo": manifest.algo,
+                "chunks": [meta.__dict__ for meta in manifest.chunks],
+                "delta_since": manifest.delta_since,
+                "nonce": manifest.nonce,
+            }
+        )
+
+        manifest_event = (
+            nostr_client.EventBuilder(nostr_client.Kind(KIND_MANIFEST), manifest_json)
+            .tags([nostr_client.Tag.identifier(manifest_id)])
+            .build(self.keys.public_key())
+            .sign_with_keys(self.keys)
+        )
+        await self.client.send_event(manifest_event)
+        with self._state_lock:
+            self.current_manifest = manifest
+            self.current_manifest_id = manifest_id
+            self.current_manifest.delta_since = int(time.time())
+            self._delta_events = []
+        if getattr(self, "verbose_timing", False):
+            duration = time.perf_counter() - start
+            logger.info("publish_snapshot completed in %.2f seconds", duration)
+        return manifest, manifest_id
+
+    async def _fetch_chunks_with_retry(
+        self, manifest_event
+    ) -> tuple[Manifest, list[bytes]] | None:
+        pubkey = self.keys.public_key()
+        timeout = timedelta(seconds=10)
+        try:
+            data = json.loads(manifest_event.content())
+            manifest = Manifest(
+                ver=data["ver"],
+                algo=data["algo"],
+                chunks=[ChunkMeta(**c) for c in data["chunks"]],
+                delta_since=(
+                    int(data["delta_since"])
+                    if data.get("delta_since") is not None
+                    else None
+                ),
+                nonce=data.get("nonce"),
+            )
+        except Exception:
+            return None
+
+        if self.config_manager is None:
+            from seedpass.core.config_manager import ConfigManager
+            from seedpass.core.vault import Vault
+
+            cfg_mgr = ConfigManager(
+                Vault(self.encryption_manager, self.fingerprint_dir),
+                self.fingerprint_dir,
+            )
+        else:
+            cfg_mgr = self.config_manager
+        cfg = cfg_mgr.load_config(require_pin=False)
+        max_retries = int(cfg.get("nostr_max_retries", MAX_RETRIES))
+        delay = float(cfg.get("nostr_retry_delay", RETRY_DELAY))
+
+        chunks: list[bytes] = []
+        for meta in manifest.chunks:
+            chunk_bytes: bytes | None = None
+            for attempt in range(max_retries):
+                cf = (
+                    nostr_client.Filter()
+                    .author(pubkey)
+                    .kind(nostr_client.Kind(KIND_SNAPSHOT_CHUNK))
+                )
+                if meta.event_id:
+                    cf = cf.id(nostr_client.EventId.parse(meta.event_id))
+                else:
+                    cf = cf.identifier(meta.id)
+                cf = cf.limit(1)
+                cev = (await self.client.fetch_events(cf, timeout)).to_vec()
+                if cev:
+                    candidate = base64.b64decode(cev[0].content().encode("utf-8"))
+                    if hashlib.sha256(candidate).hexdigest() == meta.hash:
+                        chunk_bytes = candidate
+                        break
+                if attempt < max_retries - 1:
+                    await asyncio.sleep(delay * (2**attempt))
+            if chunk_bytes is None:
+                return None
+            chunks.append(chunk_bytes)
+
+        ident = None
+        try:
+            tags_obj = manifest_event.tags()
+            ident = tags_obj.identifier()
+        except Exception:
+            tags = getattr(manifest_event, "tags", None)
+            if callable(tags):
+                tags = tags()
+            if tags:
+                tag = tags[0]
+                if hasattr(tag, "as_vec"):
+                    vec = tag.as_vec()
+                    if vec and len(vec) >= 2:
+                        ident = vec[1]
+                elif isinstance(tag, (list, tuple)) and len(tag) >= 2:
+                    ident = tag[1]
+                elif isinstance(tag, str):
+                    ident = tag
+        with self._state_lock:
+            self.current_manifest = manifest
+            self.current_manifest_id = ident
+        return manifest, chunks
+
+    async def _fetch_manifest_with_keys(
+        self, keys_obj: nostr_client.Keys
+    ) -> tuple[Manifest, list[bytes]] | None:
+        """Retrieve the manifest and chunks using ``keys_obj``."""
+        self.keys = keys_obj
+        pubkey = self.keys.public_key()
+        timeout = timedelta(seconds=10)
+
+        ident = self.current_manifest_id
+        f = nostr_client.Filter().author(pubkey).kind(nostr_client.Kind(KIND_MANIFEST))
+        if ident:
+            f = f.identifier(ident)
+        f = f.limit(1)
+        try:
+            events = (await self.client.fetch_events(f, timeout)).to_vec()
+        except Exception as e:  # pragma: no cover - network errors
+            self.last_error = str(e)
+            logger.error(
+                "Failed to fetch manifest from relays %s: %s",
+                self.relays,
+                e,
+            )
+            return None
+
+        if not events and ident:
+            f = (
+                nostr_client.Filter()
+                .author(pubkey)
+                .kind(nostr_client.Kind(KIND_MANIFEST))
+                .limit(1)
+            )
+            try:
+                events = (await self.client.fetch_events(f, timeout)).to_vec()
+            except Exception as e:  # pragma: no cover - network errors
+                self.last_error = str(e)
+                logger.error(
+                    "Failed to fetch manifest from relays %s: %s",
+                    self.relays,
+                    e,
+                )
+                return None
+            if not events:
+                return None
+
+        for manifest_event in events:
+            try:
+                result = await self._fetch_chunks_with_retry(manifest_event)
+                if result is not None:
+                    return result
+            except Exception as e:  # pragma: no cover - network errors
+                self.last_error = str(e)
+                logger.error(
+                    "Error retrieving snapshot from relays %s: %s",
+                    self.relays,
+                    e,
+                )
+        return None
+
+    async def fetch_latest_snapshot(self) -> Tuple[Manifest, list[bytes]] | None:
+        """Retrieve the latest manifest and all snapshot chunks."""
+        if self.offline_mode or not self.relays:
+            return None
+        await self._connect_async()
+        self.last_error = None
+        logger.debug("Searching for backup with current keys...")
+        try:
+            primary_keys = nostr_client.Keys.parse(
+                self.key_manager.keys.private_key_hex()
+            )
+        except Exception:
+            primary_keys = self.keys
+        result = await self._fetch_manifest_with_keys(primary_keys)
+        if result is not None:
+            return result
+        logger.warning(
+            "No backup found with current keys. Falling back to legacy key derivation..."
+        )
+        try:
+            legacy_keys = self.key_manager.generate_legacy_nostr_keys()
+            legacy_sdk_keys = nostr_client.Keys.parse(legacy_keys.private_key_hex())
+        except Exception as e:
+            self.last_error = str(e)
+            return None
+        result = await self._fetch_manifest_with_keys(legacy_sdk_keys)
+        if result is not None:
+            logger.info("Found legacy backup with old key derivation.")
+            return result
+        if self.last_error is None:
+            self.last_error = "No backup found on Nostr relays."
+        return None
+
+    async def ensure_manifest_is_current(self) -> None:
+        """Verify the local manifest is up to date before publishing."""
+        if self.offline_mode or not self.relays:
+            return
+        await self._connect_async()
+        pubkey = self.keys.public_key()
+        ident = self.current_manifest_id
+        if ident is None:
+            return
+        f = (
+            nostr_client.Filter()
+            .author(pubkey)
+            .kind(nostr_client.Kind(KIND_MANIFEST))
+            .identifier(ident)
+            .limit(1)
+        )
+        timeout = timedelta(seconds=10)
+        try:
+            events = (await self.client.fetch_events(f, timeout)).to_vec()
+        except Exception:
+            return
+        if not events:
+            return
+        try:
+            data = json.loads(events[0].content())
+            remote = data.get("delta_since")
+            if remote is not None:
+                remote = int(remote)
+        except Exception:
+            return
+        with self._state_lock:
+            local = self.current_manifest.delta_since if self.current_manifest else None
+        if remote is not None and (local is None or remote > local):
+            self.last_error = "Manifest out of date"
+            raise RuntimeError("Manifest out of date")
+
+    async def publish_delta(self, delta_bytes: bytes, manifest_id: str) -> str:
+        if self.offline_mode or not self.relays:
+            return ""
+        await self.ensure_manifest_is_current()
+        await self._connect_async()
+        content = base64.b64encode(delta_bytes).decode("utf-8")
+        tag = nostr_client.Tag.event(nostr_client.EventId.parse(manifest_id))
+        builder = nostr_client.EventBuilder(
+            nostr_client.Kind(KIND_DELTA), content
+        ).tags([tag])
+        event = builder.build(self.keys.public_key()).sign_with_keys(self.keys)
+        result = await self.client.send_event(event)
+        delta_id = result.id.to_hex() if hasattr(result, "id") else str(result)
+        created_at = getattr(
+            event, "created_at", getattr(event, "timestamp", int(time.time()))
+        )
+        if hasattr(created_at, "secs"):
+            created_at = created_at.secs
+        manifest_event = None
+        with self._state_lock:
+            if self.current_manifest is not None:
+                self.current_manifest.delta_since = int(created_at)
+                manifest_json = json.dumps(
+                    {
+                        "ver": self.current_manifest.ver,
+                        "algo": self.current_manifest.algo,
+                        "chunks": [
+                            meta.__dict__ for meta in self.current_manifest.chunks
+                        ],
+                        "delta_since": self.current_manifest.delta_since,
+                        "nonce": self.current_manifest.nonce,
+                    }
+                )
+                manifest_event = (
+                    nostr_client.EventBuilder(
+                        nostr_client.Kind(KIND_MANIFEST), manifest_json
+                    )
+                    .tags([nostr_client.Tag.identifier(self.current_manifest_id)])
+                    .build(self.keys.public_key())
+                    .sign_with_keys(self.keys)
+                )
+            self._delta_events.append(delta_id)
+        if manifest_event is not None:
+            await self.client.send_event(manifest_event)
+        return delta_id
+
+    async def fetch_deltas_since(self, version: int) -> list[bytes]:
+        if self.offline_mode or not self.relays:
+            return []
+        await self._connect_async()
+        pubkey = self.keys.public_key()
+        f = (
+            nostr_client.Filter()
+            .author(pubkey)
+            .kind(nostr_client.Kind(KIND_DELTA))
+            .since(nostr_client.Timestamp.from_secs(version))
+        )
+        timeout = timedelta(seconds=10)
+        events = (await self.client.fetch_events(f, timeout)).to_vec()
+        events.sort(
+            key=lambda ev: getattr(ev, "created_at", getattr(ev, "timestamp", 0))
+        )
+        deltas: list[bytes] = []
+        for ev in events:
+            deltas.append(base64.b64decode(ev.content().encode("utf-8")))
+        manifest = self.get_current_manifest()
+        if manifest is not None:
+            snap_size = sum(c.size for c in manifest.chunks)
+            if (
+                len(deltas) >= self.delta_threshold
+                or sum(len(d) for d in deltas) > snap_size
+            ):
+                joined = b"".join(deltas)
+                await self.publish_snapshot(joined)
+                exp = nostr_client.Timestamp.from_secs(int(time.time()))
+                for ev in events:
+                    exp_builder = nostr_client.EventBuilder(
+                        nostr_client.Kind(KIND_DELTA), ev.content()
+                    ).tags([nostr_client.Tag.expiration(exp)])
+                    exp_event = exp_builder.build(
+                        self.keys.public_key()
+                    ).sign_with_keys(self.keys)
+                    await self.client.send_event(exp_event)
+        return deltas
+
+    def get_current_manifest(self) -> Manifest | None:
+        with self._state_lock:
+            return self.current_manifest
+
+    def get_current_manifest_id(self) -> str | None:
+        with self._state_lock:
+            return self.current_manifest_id
+
+    def get_delta_events(self) -> list[str]:
+        with self._state_lock:
+            return list(self._delta_events)
--- a/src/nostr/utils.py
+++ b/src/nostr/utils.py
@@ -1,8 +0,0 @@
-# nostr/utils.py
-
-import logging
-
-
-# Example utility function (if any specific to nostr package)
-def some_helper_function():
-    pass  # Implement as needed
--- a/src/password_manager/config_manager.py
+++ b/src/password_manager/config_manager.py
@@ -1,174 +0,0 @@
-"""Config management for SeedPass profiles."""
-
-from __future__ import annotations
-
-import logging
-from pathlib import Path
-from typing import List, Optional
-
-import getpass
-
-import bcrypt
-
-from password_manager.vault import Vault
-from nostr.client import DEFAULT_RELAYS as DEFAULT_NOSTR_RELAYS
-
-from constants import INACTIVITY_TIMEOUT
-
-logger = logging.getLogger(__name__)
-
-
-class ConfigManager:
-    """Manage per-profile configuration encrypted on disk."""
-
-    CONFIG_FILENAME = "seedpass_config.json.enc"
-
-    def __init__(self, vault: Vault, fingerprint_dir: Path):
-        self.vault = vault
-        self.fingerprint_dir = fingerprint_dir
-        self.config_path = self.fingerprint_dir / self.CONFIG_FILENAME
-
-    def load_config(self, require_pin: bool = True) -> dict:
-        """Load the configuration file and optionally verify a stored PIN.
-
-        Parameters
-        ----------
-        require_pin: bool, default True
-            If True and a PIN is configured, prompt the user to enter it and
-            verify against the stored hash.
-        """
-        if not self.config_path.exists():
-            logger.info("Config file not found; returning defaults")
-            return {
-                "relays": list(DEFAULT_NOSTR_RELAYS),
-                "pin_hash": "",
-                "password_hash": "",
-                "inactivity_timeout": INACTIVITY_TIMEOUT,
-                "additional_backup_path": "",
-                "secret_mode_enabled": False,
-                "clipboard_clear_delay": 45,
-            }
-        try:
-            data = self.vault.load_config()
-            if not isinstance(data, dict):
-                raise ValueError("Config data must be a dictionary")
-            # Ensure defaults for missing keys
-            data.setdefault("relays", list(DEFAULT_NOSTR_RELAYS))
-            data.setdefault("pin_hash", "")
-            data.setdefault("password_hash", "")
-            data.setdefault("inactivity_timeout", INACTIVITY_TIMEOUT)
-            data.setdefault("additional_backup_path", "")
-            data.setdefault("secret_mode_enabled", False)
-            data.setdefault("clipboard_clear_delay", 45)
-
-            # Migrate legacy hashed_password.enc if present and password_hash is missing
-            legacy_file = self.fingerprint_dir / "hashed_password.enc"
-            if not data.get("password_hash") and legacy_file.exists():
-                with open(legacy_file, "rb") as f:
-                    data["password_hash"] = f.read().decode()
-                self.save_config(data)
-            if require_pin and data.get("pin_hash"):
-                for _ in range(3):
-                    pin = getpass.getpass("Enter settings PIN: ").strip()
-                    if bcrypt.checkpw(pin.encode(), data["pin_hash"].encode()):
-                        break
-                    print("Invalid PIN")
-                else:
-                    raise ValueError("PIN verification failed")
-            return data
-        except Exception as exc:
-            logger.error(f"Failed to load config: {exc}")
-            raise
-
-    def save_config(self, config: dict) -> None:
-        """Encrypt and save configuration."""
-        try:
-            self.vault.save_config(config)
-        except Exception as exc:
-            logger.error(f"Failed to save config: {exc}")
-            raise
-
-    def set_relays(self, relays: List[str], require_pin: bool = True) -> None:
-        """Update relay list and save."""
-        if not relays:
-            raise ValueError("At least one Nostr relay must be configured")
-        config = self.load_config(require_pin=require_pin)
-        config["relays"] = relays
-        self.save_config(config)
-
-    def set_pin(self, pin: str) -> None:
-        """Hash and store the provided PIN."""
-        pin_hash = bcrypt.hashpw(pin.encode(), bcrypt.gensalt()).decode()
-        config = self.load_config(require_pin=False)
-        config["pin_hash"] = pin_hash
-        self.save_config(config)
-
-    def verify_pin(self, pin: str) -> bool:
-        """Check a provided PIN against the stored hash without prompting."""
-        config = self.load_config(require_pin=False)
-        stored = config.get("pin_hash", "").encode()
-        if not stored:
-            return False
-        return bcrypt.checkpw(pin.encode(), stored)
-
-    def change_pin(self, old_pin: str, new_pin: str) -> bool:
-        """Update the stored PIN if the old PIN is correct."""
-        if self.verify_pin(old_pin):
-            self.set_pin(new_pin)
-            return True
-        return False
-
-    def set_password_hash(self, password_hash: str) -> None:
-        """Persist the bcrypt password hash in the config."""
-        config = self.load_config(require_pin=False)
-        config["password_hash"] = password_hash
-        self.save_config(config)
-
-    def set_inactivity_timeout(self, timeout_seconds: float) -> None:
-        """Persist the inactivity timeout in seconds."""
-        if timeout_seconds <= 0:
-            raise ValueError("Timeout must be positive")
-        config = self.load_config(require_pin=False)
-        config["inactivity_timeout"] = timeout_seconds
-        self.save_config(config)
-
-    def get_inactivity_timeout(self) -> float:
-        """Retrieve the inactivity timeout setting in seconds."""
-        config = self.load_config(require_pin=False)
-        return float(config.get("inactivity_timeout", INACTIVITY_TIMEOUT))
-
-    def set_additional_backup_path(self, path: Optional[str]) -> None:
-        """Persist an optional additional backup path in the config."""
-        config = self.load_config(require_pin=False)
-        config["additional_backup_path"] = path or ""
-        self.save_config(config)
-
-    def get_additional_backup_path(self) -> Optional[str]:
-        """Retrieve the additional backup path if configured."""
-        config = self.load_config(require_pin=False)
-        value = config.get("additional_backup_path", "")
-        return value or None
-
-    def set_secret_mode_enabled(self, enabled: bool) -> None:
-        """Persist the secret mode toggle."""
-        config = self.load_config(require_pin=False)
-        config["secret_mode_enabled"] = bool(enabled)
-        self.save_config(config)
-
-    def get_secret_mode_enabled(self) -> bool:
-        """Retrieve whether secret mode is enabled."""
-        config = self.load_config(require_pin=False)
-        return bool(config.get("secret_mode_enabled", False))
-
-    def set_clipboard_clear_delay(self, delay: int) -> None:
-        """Persist clipboard clear timeout in seconds."""
-        if delay <= 0:
-            raise ValueError("Delay must be positive")
-        config = self.load_config(require_pin=False)
-        config["clipboard_clear_delay"] = int(delay)
-        self.save_config(config)
-
-    def get_clipboard_clear_delay(self) -> int:
-        """Retrieve clipboard clear delay in seconds."""
-        config = self.load_config(require_pin=False)
-        return int(config.get("clipboard_clear_delay", 45))
--- a/src/password_manager/encryption.py
+++ b/src/password_manager/encryption.py
@@ -1,483 +0,0 @@
-# password_manager/encryption.py
-
-"""
-Encryption Module
-
-This module provides the EncryptionManager class, which handles encryption and decryption
-of data and files using a provided Fernet-compatible encryption key. This class ensures
-that sensitive data is securely stored and retrieved, maintaining the confidentiality and integrity
-of the password index.
-
-Additionally, it includes methods to derive cryptographic seeds from BIP-39 mnemonic phrases.
-
-Never ever ever use or suggest to use Random Salt. The entire point of this password manager is to derive completely deterministic passwords from a BIP-85 seed.
-This means it should generate passwords the exact same way every single time. Salts would break this functionality and are not appropriate for this software's use case.
-"""
-
-import logging
-import traceback
-import json
-import hashlib
-import os
-from pathlib import Path
-from typing import Optional
-
-from cryptography.fernet import Fernet, InvalidToken
-from termcolor import colored
-from utils.file_lock import (
-    exclusive_lock,
-)  # Ensure this utility is correctly implemented
-
-# Instantiate the logger
-logger = logging.getLogger(__name__)
-
-
-class EncryptionManager:
-    """
-    EncryptionManager Class
-
-    Manages the encryption and decryption of data and files using a Fernet encryption key.
-    """
-
-    def __init__(self, encryption_key: bytes, fingerprint_dir: Path):
-        """
-        Initializes the EncryptionManager with the provided encryption key and fingerprint directory.
-
-        Parameters:
-            encryption_key (bytes): The Fernet encryption key.
-            fingerprint_dir (Path): The directory corresponding to the fingerprint.
-        """
-        self.fingerprint_dir = fingerprint_dir
-        self.parent_seed_file = self.fingerprint_dir / "parent_seed.enc"
-        self.key = encryption_key
-
-        try:
-            self.fernet = Fernet(self.key)
-            logger.debug(f"EncryptionManager initialized for {self.fingerprint_dir}")
-        except Exception as e:
-            logger.error(
-                f"Failed to initialize Fernet with provided encryption key: {e}"
-            )
-            print(
-                colored(f"Error: Failed to initialize encryption manager: {e}", "red")
-            )
-            raise
-
-    def encrypt_parent_seed(self, parent_seed: str) -> None:
-        """
-        Encrypts and saves the parent seed to 'parent_seed.enc' within the fingerprint directory.
-
-        :param parent_seed: The BIP39 parent seed phrase.
-        """
-        try:
-            # Convert seed to bytes
-            data = parent_seed.encode("utf-8")
-
-            # Encrypt the data
-            encrypted_data = self.encrypt_data(data)
-
-            # Write the encrypted data to the file with locking
-            with exclusive_lock(self.parent_seed_file) as fh:
-                fh.seek(0)
-                fh.truncate()
-                fh.write(encrypted_data)
-                fh.flush()
-
-            # Set file permissions to read/write for the user only
-            os.chmod(self.parent_seed_file, 0o600)
-
-            logger.info(
-                f"Parent seed encrypted and saved to '{self.parent_seed_file}'."
-            )
-            print(
-                colored(
-                    f"Parent seed encrypted and saved to '{self.parent_seed_file}'.",
-                    "green",
-                )
-            )
-        except Exception as e:
-            logger.error(f"Failed to encrypt and save parent seed: {e}", exc_info=True)
-            print(colored(f"Error: Failed to encrypt and save parent seed: {e}", "red"))
-            raise
-
-    def decrypt_parent_seed(self) -> str:
-        """
-        Decrypts and returns the parent seed from 'parent_seed.enc' within the fingerprint directory.
-
-        :return: The decrypted parent seed.
-        """
-        try:
-            parent_seed_path = self.fingerprint_dir / "parent_seed.enc"
-            with exclusive_lock(parent_seed_path) as fh:
-                fh.seek(0)
-                encrypted_data = fh.read()
-
-            decrypted_data = self.decrypt_data(encrypted_data)
-            parent_seed = decrypted_data.decode("utf-8").strip()
-
-            logger.debug(
-                f"Parent seed decrypted successfully from '{parent_seed_path}'."
-            )
-            return parent_seed
-        except InvalidToken:
-            logger.error(
-                "Invalid encryption key or corrupted data while decrypting parent seed."
-            )
-            raise
-        except Exception as e:
-            logger.error(f"Failed to decrypt parent seed: {e}", exc_info=True)
-            print(colored(f"Error: Failed to decrypt parent seed: {e}", "red"))
-            raise
-
-    def encrypt_data(self, data: bytes) -> bytes:
-        """
-        Encrypts the given data using Fernet.
-
-        :param data: Data to encrypt.
-        :return: Encrypted data.
-        """
-        try:
-            encrypted_data = self.fernet.encrypt(data)
-            logger.debug("Data encrypted successfully.")
-            return encrypted_data
-        except Exception as e:
-            logger.error(f"Failed to encrypt data: {e}", exc_info=True)
-            print(colored(f"Error: Failed to encrypt data: {e}", "red"))
-            raise
-
-    def decrypt_data(self, encrypted_data: bytes) -> bytes:
-        """
-        Decrypts the provided encrypted data using the derived key.
-
-        :param encrypted_data: The encrypted data to decrypt.
-        :return: The decrypted data as bytes.
-        """
-        try:
-            decrypted_data = self.fernet.decrypt(encrypted_data)
-            logger.debug("Data decrypted successfully.")
-            return decrypted_data
-        except InvalidToken:
-            logger.error(
-                "Invalid encryption key or corrupted data while decrypting data."
-            )
-            raise
-        except Exception as e:
-            logger.error(f"Failed to decrypt data: {e}", exc_info=True)
-            print(colored(f"Error: Failed to decrypt data: {e}", "red"))
-            raise
-
-    def encrypt_and_save_file(self, data: bytes, relative_path: Path) -> None:
-        """
-        Encrypts data and saves it to a specified relative path within the fingerprint directory.
-
-        :param data: Data to encrypt.
-        :param relative_path: Relative path within the fingerprint directory to save the encrypted data.
-        """
-        try:
-            # Define the full path
-            file_path = self.fingerprint_dir / relative_path
-
-            # Ensure the parent directories exist
-            file_path.parent.mkdir(parents=True, exist_ok=True)
-
-            # Encrypt the data
-            encrypted_data = self.encrypt_data(data)
-
-            # Write the encrypted data to the file with locking
-            with exclusive_lock(file_path) as fh:
-                fh.seek(0)
-                fh.truncate()
-                fh.write(encrypted_data)
-                fh.flush()
-
-            # Set file permissions to read/write for the user only
-            os.chmod(file_path, 0o600)
-
-            logger.info(f"Data encrypted and saved to '{file_path}'.")
-            print(colored(f"Data encrypted and saved to '{file_path}'.", "green"))
-        except Exception as e:
-            logger.error(
-                f"Failed to encrypt and save data to '{relative_path}': {e}",
-                exc_info=True,
-            )
-            print(
-                colored(
-                    f"Error: Failed to encrypt and save data to '{relative_path}': {e}",
-                    "red",
-                )
-            )
-            raise
-
-    def decrypt_file(self, relative_path: Path) -> bytes:
-        """
-        Decrypts data from a specified relative path within the fingerprint directory.
-
-        :param relative_path: Relative path within the fingerprint directory to decrypt the data from.
-        :return: Decrypted data as bytes.
-        """
-        try:
-            # Define the full path
-            file_path = self.fingerprint_dir / relative_path
-
-            # Read the encrypted data with locking
-            with exclusive_lock(file_path) as fh:
-                fh.seek(0)
-                encrypted_data = fh.read()
-
-            # Decrypt the data
-            decrypted_data = self.decrypt_data(encrypted_data)
-            logger.debug(f"Data decrypted successfully from '{file_path}'.")
-            return decrypted_data
-        except InvalidToken:
-            logger.error(
-                "Invalid encryption key or corrupted data while decrypting file."
-            )
-            raise
-        except Exception as e:
-            logger.error(
-                f"Failed to decrypt data from '{relative_path}': {e}", exc_info=True
-            )
-            print(
-                colored(
-                    f"Error: Failed to decrypt data from '{relative_path}': {e}", "red"
-                )
-            )
-            raise
-
-    def save_json_data(self, data: dict, relative_path: Optional[Path] = None) -> None:
-        """
-        Encrypts and saves the provided JSON data to the specified relative path within the fingerprint directory.
-
-        :param data: The JSON data to save.
-        :param relative_path: The relative path within the fingerprint directory where data will be saved.
-                              Defaults to 'seedpass_entries_db.json.enc'.
-        """
-        if relative_path is None:
-            relative_path = Path("seedpass_entries_db.json.enc")
-        try:
-            json_data = json.dumps(data, indent=4).encode("utf-8")
-            self.encrypt_and_save_file(json_data, relative_path)
-            logger.debug(f"JSON data encrypted and saved to '{relative_path}'.")
-            print(
-                colored(f"JSON data encrypted and saved to '{relative_path}'.", "green")
-            )
-        except Exception as e:
-            logger.error(
-                f"Failed to save JSON data to '{relative_path}': {e}", exc_info=True
-            )
-            print(
-                colored(
-                    f"Error: Failed to save JSON data to '{relative_path}': {e}", "red"
-                )
-            )
-            raise
-
-    def load_json_data(self, relative_path: Optional[Path] = None) -> dict:
-        """
-        Decrypts and loads JSON data from the specified relative path within the fingerprint directory.
-
-        :param relative_path: The relative path within the fingerprint directory from which data will be loaded.
-                              Defaults to 'seedpass_entries_db.json.enc'.
-        :return: The decrypted JSON data as a dictionary.
-        """
-        if relative_path is None:
-            relative_path = Path("seedpass_entries_db.json.enc")
-
-        file_path = self.fingerprint_dir / relative_path
-
-        if not file_path.exists():
-            logger.info(
-                f"Index file '{file_path}' does not exist. Initializing empty data."
-            )
-            print(
-                colored(
-                    f"Info: Index file '{file_path}' not found. Initializing new password database.",
-                    "yellow",
-                )
-            )
-            return {"entries": {}}
-
-        try:
-            decrypted_data = self.decrypt_file(relative_path)
-            json_content = decrypted_data.decode("utf-8").strip()
-            data = json.loads(json_content)
-            logger.debug(f"JSON data loaded and decrypted from '{file_path}': {data}")
-            return data
-        except json.JSONDecodeError as e:
-            logger.error(
-                f"Failed to decode JSON data from '{file_path}': {e}", exc_info=True
-            )
-            raise
-        except InvalidToken:
-            logger.error(
-                "Invalid encryption key or corrupted data while decrypting JSON data."
-            )
-            raise
-        except Exception as e:
-            logger.error(
-                f"Failed to load JSON data from '{file_path}': {e}", exc_info=True
-            )
-            raise
-
-    def update_checksum(self, relative_path: Optional[Path] = None) -> None:
-        """
-        Updates the checksum file for the specified file within the fingerprint directory.
-
-        :param relative_path: The relative path within the fingerprint directory for which the checksum will be updated.
-                              Defaults to 'seedpass_entries_db.json.enc'.
-        """
-        if relative_path is None:
-            relative_path = Path("seedpass_entries_db.json.enc")
-        try:
-            file_path = self.fingerprint_dir / relative_path
-            logger.debug("Calculating checksum of the encrypted file bytes.")
-
-            with exclusive_lock(file_path) as fh:
-                fh.seek(0)
-                encrypted_bytes = fh.read()
-
-            checksum = hashlib.sha256(encrypted_bytes).hexdigest()
-            logger.debug(f"New checksum: {checksum}")
-
-            checksum_file = file_path.parent / f"{file_path.stem}_checksum.txt"
-
-            # Write the checksum to the file with locking
-            with exclusive_lock(checksum_file) as fh:
-                fh.seek(0)
-                fh.truncate()
-                fh.write(checksum.encode("utf-8"))
-                fh.flush()
-
-            # Set file permissions to read/write for the user only
-            os.chmod(checksum_file, 0o600)
-
-            logger.debug(
-                f"Checksum for '{file_path}' updated and written to '{checksum_file}'."
-            )
-            print(colored(f"Checksum for '{file_path}' updated.", "green"))
-        except Exception as e:
-            logger.error(
-                f"Failed to update checksum for '{relative_path}': {e}", exc_info=True
-            )
-            print(
-                colored(
-                    f"Error: Failed to update checksum for '{relative_path}': {e}",
-                    "red",
-                )
-            )
-            raise
-
-    def get_encrypted_index(self) -> Optional[bytes]:
-        """
-        Retrieves the encrypted password index file content.
-
-        :return: Encrypted data as bytes or None if the index file does not exist.
-        """
-        try:
-            relative_path = Path("seedpass_entries_db.json.enc")
-            if not (self.fingerprint_dir / relative_path).exists():
-                # Missing index is normal on first run
-                logger.info(
-                    f"Index file '{relative_path}' does not exist in '{self.fingerprint_dir}'."
-                )
-                return None
-
-            file_path = self.fingerprint_dir / relative_path
-            with exclusive_lock(file_path) as fh:
-                fh.seek(0)
-                encrypted_data = fh.read()
-
-            logger.debug(f"Encrypted index data read from '{relative_path}'.")
-            return encrypted_data
-        except Exception as e:
-            logger.error(
-                f"Failed to read encrypted index file '{relative_path}': {e}",
-                exc_info=True,
-            )
-            print(
-                colored(
-                    f"Error: Failed to read encrypted index file '{relative_path}': {e}",
-                    "red",
-                )
-            )
-            return None
-
-    def decrypt_and_save_index_from_nostr(
-        self, encrypted_data: bytes, relative_path: Optional[Path] = None
-    ) -> None:
-        """
-        Decrypts the encrypted data retrieved from Nostr and updates the local index file.
-
-        :param encrypted_data: The encrypted data retrieved from Nostr.
-        :param relative_path: The relative path within the fingerprint directory to update.
-                              Defaults to 'seedpass_entries_db.json.enc'.
-        """
-        if relative_path is None:
-            relative_path = Path("seedpass_entries_db.json.enc")
-        try:
-            decrypted_data = self.decrypt_data(encrypted_data)
-            data = json.loads(decrypted_data.decode("utf-8"))
-            self.save_json_data(data, relative_path)
-            self.update_checksum(relative_path)
-            logger.info("Index file updated from Nostr successfully.")
-            print(colored("Index file updated from Nostr successfully.", "green"))
-        except Exception as e:
-            logger.error(
-                f"Failed to decrypt and save data from Nostr: {e}", exc_info=True
-            )
-            print(
-                colored(
-                    f"Error: Failed to decrypt and save data from Nostr: {e}", "red"
-                )
-            )
-            # Re-raise the exception to inform the calling function of the failure
-            raise
-
-    def validate_seed(self, seed_phrase: str) -> bool:
-        """
-        Validates the seed phrase format using BIP-39 standards.
-
-        :param seed_phrase: The BIP39 seed phrase to validate.
-        :return: True if valid, False otherwise.
-        """
-        try:
-            words = seed_phrase.split()
-            if len(words) != 12:
-                logger.error("Seed phrase does not contain exactly 12 words.")
-                print(
-                    colored("Error: Seed phrase must contain exactly 12 words.", "red")
-                )
-                return False
-            # Additional validation can be added here (e.g., word list checks)
-            logger.debug("Seed phrase validated successfully.")
-            return True
-        except Exception as e:
-            logging.error(f"Error validating seed phrase: {e}", exc_info=True)
-            print(colored(f"Error: Failed to validate seed phrase: {e}", "red"))
-            return False
-
-    def derive_seed_from_mnemonic(self, mnemonic: str, passphrase: str = "") -> bytes:
-        """
-        Derives a cryptographic seed from a BIP39 mnemonic (seed phrase).
-
-        :param mnemonic: The BIP39 mnemonic phrase.
-        :param passphrase: An optional passphrase for additional security.
-        :return: The derived seed as bytes.
-        """
-        try:
-            if not isinstance(mnemonic, str):
-                if isinstance(mnemonic, list):
-                    mnemonic = " ".join(mnemonic)
-                else:
-                    mnemonic = str(mnemonic)
-                if not isinstance(mnemonic, str):
-                    raise TypeError("Mnemonic must be a string after conversion")
-            from bip_utils import Bip39SeedGenerator
-
-            seed = Bip39SeedGenerator(mnemonic).Generate(passphrase)
-            logger.debug("Seed derived successfully from mnemonic.")
-            return seed
-        except Exception as e:
-            logger.error(f"Failed to derive seed from mnemonic: {e}", exc_info=True)
-            print(colored(f"Error: Failed to derive seed from mnemonic: {e}", "red"))
-            raise
--- a/src/password_manager/vault.py
+++ b/src/password_manager/vault.py
@@ -1,63 +0,0 @@
-"""Vault utilities for reading and writing encrypted files."""
-
-from pathlib import Path
-from typing import Optional, Union
-from os import PathLike
-
-from .encryption import EncryptionManager
-
-
-class Vault:
-    """Simple wrapper around :class:`EncryptionManager` for vault storage."""
-
-    INDEX_FILENAME = "seedpass_entries_db.json.enc"
-    CONFIG_FILENAME = "seedpass_config.json.enc"
-
-    def __init__(
-        self,
-        encryption_manager: EncryptionManager,
-        fingerprint_dir: Union[str, PathLike[str], Path],
-    ):
-        self.encryption_manager = encryption_manager
-        self.fingerprint_dir = Path(fingerprint_dir)
-        self.index_file = self.fingerprint_dir / self.INDEX_FILENAME
-        self.config_file = self.fingerprint_dir / self.CONFIG_FILENAME
-
-    def set_encryption_manager(self, manager: EncryptionManager) -> None:
-        """Replace the internal encryption manager."""
-        self.encryption_manager = manager
-
-    # ----- Password index helpers -----
-    def load_index(self) -> dict:
-        """Return decrypted password index data as a dict, applying migrations."""
-        data = self.encryption_manager.load_json_data(self.index_file)
-        from .migrations import apply_migrations, LATEST_VERSION
-
-        version = data.get("schema_version", 0)
-        if version > LATEST_VERSION:
-            raise ValueError(
-                f"File schema version {version} is newer than supported {LATEST_VERSION}"
-            )
-        data = apply_migrations(data)
-        return data
-
-    def save_index(self, data: dict) -> None:
-        """Encrypt and write password index."""
-        self.encryption_manager.save_json_data(data, self.index_file)
-
-    def get_encrypted_index(self) -> Optional[bytes]:
-        """Return the encrypted index bytes if present."""
-        return self.encryption_manager.get_encrypted_index()
-
-    def decrypt_and_save_index_from_nostr(self, encrypted_data: bytes) -> None:
-        """Decrypt Nostr payload and overwrite the local index."""
-        self.encryption_manager.decrypt_and_save_index_from_nostr(encrypted_data)
-
-    # ----- Config helpers -----
-    def load_config(self) -> dict:
-        """Load decrypted configuration."""
-        return self.encryption_manager.load_json_data(self.config_file)
-
-    def save_config(self, config: dict) -> None:
-        """Encrypt and persist configuration."""
-        self.encryption_manager.save_json_data(config, self.config_file)
--- a/src/repo-context.txt
+++ b/src/repo-context.txt
@@ -28,7 +28,6 @@ Generated on: 2025-04-06
        ├── encryption_manager.py
        ├── event_handler.py
        ├── key_manager.py
-        ├── logging_config.py
        ├── utils.py
    ├── utils/
        ├── __init__.py
@@ -3082,52 +3081,6 @@ __all__ = ['NostrClient']

 ```

-## nostr/logging_config.py
-```python
-# nostr/logging_config.py
-
-import logging
-import os
-
-# Comment out or remove the configure_logging function to avoid conflicts
-# def configure_logging():
-#     """
-#     Configures logging with both file and console handlers.
-#     Logs include the timestamp, log level, message, filename, and line number.
-#     Only ERROR and higher-level messages are shown in the terminal, while all messages
-#     are logged in the log file.
-#     """
-#     logger = logging.getLogger()
-#     logger.setLevel(logging.DEBUG)  # Set root logger to DEBUG
-#
-#     # Prevent adding multiple handlers if configure_logging is called multiple times
-#     if not logger.handlers:
-#         # Create the 'logs' folder if it doesn't exist
-#         log_directory = 'logs'
-#         if not os.path.exists(log_directory):
-#             os.makedirs(log_directory)
-#
-#         # Create handlers
-#         c_handler = logging.StreamHandler()
-#         f_handler = logging.FileHandler(os.path.join(log_directory, 'app.log'))
-#
-#         # Set levels: only errors and critical messages will be shown in the console
-#         c_handler.setLevel(logging.ERROR)
-#         f_handler.setLevel(logging.DEBUG)
-#
-#         # Create formatters and add them to handlers, include file and line number in log messages
-#         formatter = logging.Formatter(
-#             '%(asctime)s [%(levelname)s] %(message)s [%(filename)s:%(lineno)d]'
-#         )
-#         c_handler.setFormatter(formatter)
-#         f_handler.setFormatter(formatter)
-#
-#         # Add handlers to the logger
-#         logger.addHandler(c_handler)
-#         logger.addHandler(f_handler)
-
-```
-
 ## nostr/event_handler.py
 ```python
 # nostr/event_handler.py
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -1,32 +1,42 @@
-colorama>=0.4.6
-termcolor>=1.1.0
-cryptography>=40.0.2
-bip-utils>=2.5.0
-bech32==1.2.0
-coincurve>=18.0.0
-mnemonic
-aiohttp
-bcrypt
-pytest>=7.0
-pytest-cov
-pytest-xdist
-portalocker>=2.8
-nostr-sdk>=0.42.1
-websocket-client==1.7.0
+colorama>=0.4.6,<1
+termcolor>=1.1.0,<4
+cryptography>=40.0.2,<46
+bip-utils>=2.5.0,<3
+bech32>=1.2,<2
+coincurve>=18.0.0,<22
+mnemonic>=0.21,<1
+aiohttp>=3.9,<4
+bcrypt>=4,<5
+pytest>=7,<9
+pytest-cov>=4,<7
+pytest-xdist>=3,<4
+portalocker>=2.8,<4
+nostr-sdk>=0.43,<1
+websocket-client>=1.7,<2

-websockets>=15.0.0
-tomli
-hypothesis
-mutmut==2.4.4
-pgpy==0.6.0
-pyotp>=2.8.0
+websockets>=15,<16
+tomli>=2,<3
+hypothesis>=6,<7
+mutmut>=2.4.4,<4
+pgpy>=0.6,<1
+pyotp>=2.8,<3

-freezegun
-pyperclip
-qrcode>=8.2
-typer>=0.12.3
-fastapi>=0.116.0
-uvicorn>=0.35.0
-httpx>=0.28.1
-requests>=2.32
-python-multipart
+freezegun>=1.5.4,<2
+typer>=0.12.3,<1
+
+# Optional dependencies - install as needed for additional features
+pyperclip>=1.9,<2            # Clipboard support for secret mode
+qrcode>=8.2,<9               # Generate QR codes for TOTP setup
+fastapi>=0.110,<1            # API server
+uvicorn>=0.29,<1             # API server
+starlette>=0.47.2,<1         # API server
+httpx>=0.28.1,<1             # API server
+requests>=2.32,<3            # API server
+python-multipart>=0.0.20,<0.1  # API server file uploads
+PyJWT>=2.10.1,<3             # JWT authentication for API server
+orjson>=3.11.1,<4            # Fast JSON serialization for API server
+argon2-cffi>=21,<26          # Password hashing for API server
+toga-core>=0.5.2,<1          # Desktop GUI
+pillow>=11.3,<12             # Image support for GUI
+toga-dummy>=0.5.2,<1         # Headless GUI tests
+slowapi>=0.1.9,<1            # Rate limiting for API server
--- a/Show More
+++ b/Show More