A local, private AI chat running entirely on your browser and saved on your Val Town. Your conversations are encrypted client-side before being stored, and your password never leaves your device.

• 🔒 Client-side encryption - All chats encrypted with AES-256-GCM before storage
• 🔑 Master password protection - Single password protects all your conversations
• 💾 Self-hosted on Val Town - Your data stays in your own Val Town SQLite database
• 🚫 No tracking - No analytics, no third parties
• 🧠 Local AI - Uses WebLLM to run AI models directly in your browser
• 🎛️ Multiple AI models - Choose between light, medium, and large models
• 🍴 Fork-friendly - Easy to remix and run your own instance

1. Set a master password on first use to protect all your chats
2. Create unlimited chats with custom names
3. Your messages are encrypted in the browser using your master password
4. Encrypted data is stored in your Val Town SQLite database
5. Only you can decrypt your chats with the correct password

Your password is never sent to the server. Encryption happens entirely in your browser.

If you don't already have one, create a free account on Val.Town.

1. Click the "Remix" button on Val Town (or fork this repository)
2. This creates your own copy of the entire project with all files (main.ts, api/storage.ts, etc.)

Note: In Val.Town, this is one val/project with multiple files. Each file that exports a default function gets its own HTTP endpoint when Val.Town serves it.

After forking, you need to find the HTTP endpoint for your api/storage.ts file:

1. In your forked val, navigate to the api/storage.ts file

2. Val.Town will show you the HTTP endpoint URL for this file (usually displayed at the top)

3. Copy this URL - it will look something like:

   • https://yourname--a1b2c3d4e5f6.web.val.run

   (The actual format depends on how Val.Town generates endpoints for your val files)

4. This is your STORAGE_URL - you'll need it in the next step

Now configure the environment variables for your entire val/project.

Important: Environment variables in Val.Town are global for the entire project, not per-file. When you set them, they apply to both main.ts and api/storage.ts.

1. Visit your main val's URL (the main.ts endpoint) in your browser

2. Check the browser console or the Val.Town logs. You'll see messages like:

   ⚠️  STORAGE_API_KEY not set! Auto-generated key: a1b2c3d4-e5f6-7890-abcd-ef1234567890
   ⚠️  Save this key to your STORAGE_API_KEY environment variable!
   ❌ STORAGE_URL not set! Please set it in your environment variables.
   

3. In your Val.Town project settings, go to Environment Variables

4. Add these two variables:

   • Name: STORAGE_API_KEY Value: The auto-generated key from the console logs
   • Name: STORAGE_URL Value: The HTTP endpoint URL for api/storage.ts (from Step 3) Example: https://yourname--a1b2c3d4e5f6.web.val.run

5. Save the environment variables

Since environment variables are global, both main.ts and api/storage.ts will now have access to the same STORAGE_API_KEY and can communicate securely.

Visit your main val's URL (the main.ts endpoint):

1. Set a strong master password on first visit
2. Create your first chat with the "+ New Chat" button
3. Select your preferred AI model from the dropdown
4. Start chatting - all messages are automatically encrypted and saved!

✅ SQL Injection Prevention - All database queries use parameterized statements ✅ API Authentication - Storage endpoint requires API key ✅ Client-side Encryption - AES-256-GCM with PBKDF2 key derivation ✅ Master Password Protection - Single password encrypts all conversations ✅ Session Management - Password stored only in sessionStorage, cleared on lock

• Algorithm: AES-GCM (256-bit)
• Key Derivation: PBKDF2 with 100,000 iterations
• Random Salt & IV: Generated for each encryption
• Password: Never leaves your device

Your Val Town SQLite database stores:

• Chat ID (random UUID)
• Chat name (plain text)
• Encrypted chat data (ciphertext + salt + IV)
• Timestamps

Without your password, the encrypted data is unreadable.

Variable	Required	Description
STORAGE_URL	Yes	URL of your storage val (e.g., https://yourname--storage.web.val.run)
STORAGE_API_KEY	Yes	Protects your storage API from unauthorized access (auto-generated on first run)
FRONTEND_URL	No	Optional CORS restriction (e.g., https://yourapp.val.run)

┌─────────────────┐
│   Browser       │
│  (React App)    │
│                 │
│  • WebLLM AI    │
│  • Encryption   │
│  • UI           │
└────────┬────────┘
         │
         │ HTTPS + API Key
         │
┌────────▼────────┐
│   Val Town      │
│  Storage API    │
│                 │
│  • SQLite DB    │
│  • Auth Check   │
└─────────────────┘

├── main.ts                      # Entry point, serves HTML
├── App.tsx                      # Main app with master password flow
├── api/
│   └── storage.ts               # Storage API with authentication
├── lib/
│   ├── api.ts                   # Client-side API calls
│   ├── crypto.ts                # Encryption/decryption logic
│   └── models.ts                # AI model definitions
├── hooks/
│   ├── useEncryption.ts         # Encryption state management
│   └── useWebLLM.ts             # AI model integration
├── screens/
│   ├── MasterPasswordScreen.tsx # Password creation/verification
│   └── MainScreen.tsx           # Main chat interface with sidebar
└── components/
    ├── MessageBubble.tsx        # Message display
    ├── StatusBadge.tsx          # AI status indicator
    ├── EmptyState.tsx           # Empty state UI
    ├── ModelSelector.tsx        # AI model selection dropdown
    ├── OptionsMenu.tsx          # Lock/delete options menu
    └── ChatNameModal.tsx        # Create/rename chat modal

Use a strong, unique master password. Since encryption happens client-side, your master password is the only thing protecting ALL your data.

There is no password recovery. If you forget your master password, ALL your chat data is permanently inaccessible. This is by design - the server (in this case Val-Town) don't have access to your data or password.

The app offers three AI models:

• Phi-3 Mini (2.3GB) - Fastest, best for quick responses
• Llama 3.2 3B (1.9GB) - Balanced performance and quality (default)
• Llama 3.1 8B (4.7GB) - Highest quality responses, slower

Models download to your browser once and persist. You can switch models anytime in the chat interface.

Problem: API calls return 401 Unauthorized

Solution:

1. Check that STORAGE_API_KEY is set in environment variables
2. Make sure the key matches in both your main val and storage val
3. Restart both vals after setting the variable

Problem: Can't unlock the app

Solution:

• Double-check your master password (passwords are case-sensitive)
• There is no password recovery - if you forgot it, all your chats are inaccessible

Problem: No chats appear on home screen

Solution:

1. Check browser console for errors
2. Verify STORAGE_URL environment variable is set correctly in Val Town settings
3. Ensure storage val is running and accessible
4. Check that both vals have the same STORAGE_API_KEY

Problem: WebLLM status shows error

Solution:

• WebLLM downloads models to browser (can be 1-2 GB)
• Check your internet connection
• Try refreshing the page
• Check browser console for specific errors

For stronger encryption, increase iterations in lib/crypto.ts (line 25):

iterations: 600000,  // Increased from 100,000

Trade-off: Higher security, slower encryption/decryption.

To only allow requests from your frontend:

1. Set FRONTEND_URL environment variable
2. Value: https://your-main-val.val.run
3. Restart storage val

This prevents other websites from calling your API (browser-level protection).

To add additional AI models beyond the three included:

1. Edit lib/models.ts to add model definitions
2. Add to the AVAILABLE_MODELS array with model ID, name, size, and description
3. Find compatible model IDs in the WebLLM documentation

• Lock App: Click the options menu (•••) in the bottom-right to lock the app. This clears your password from the session and returns to the master password screen.
• Delete All Data: Use the options menu to permanently delete all chats from your database. This action cannot be undone.

None. This app doesn't collect, track, or transmit any data beyond what's necessary for functionality:

• Your chats are encrypted and stored in your Val Town SQLite database
• Your password never leaves your browser
• No analytics, no tracking, no third parties

Only you. When you fork this val:

• You own the Val Town vals
• You control the database
• You set the API key
• You hold the encryption passwords

No one else (including the original author) can access your chats.

Found a bug or want to improve the code? Feel free to:

1. Fork this val
2. Make your improvements
3. Share your enhanced version!

This is open source - make it your own.

While this app implements strong encryption and security practices, please note:

• ⚠️ This is a personal project, not audited by security professionals
• ⚠️ API keys are visible in browser DevTools (use strong, unique keys)
• ⚠️ Val Town is a public platform - keep your vals private if needed
• ⚠️ No rate limiting implemented (could be added if needed)

For maximum security:

• Use strong, unique passwords
• Set a strong STORAGE_API_KEY
• Keep your Val Town account secure
• Consider enabling 2FA on your Val Town account

Built with:

• Val Town - Hosting & SQLite
• React - UI framework
• WebLLM - Browser-based AI
• Web Crypto API - Encryption
• Tailwind CSS - Styling

MIT License - Feel free to fork, remix, and make it your own!

---

Remember: Your master password is your key. Keep it safe, keep it secret.