A private, encrypted AI chat application running entirely on Val Town. Your conversations are encrypted client-side before being stored, and your password never leaves your device.

• 🔒 Client-side encryption - All chats encrypted with AES-256-GCM before storage
• 🔑 Password-protected - Each chat requires a password to unlock
• 💾 Self-hosted on Val Town - Your data stays in your own Val Town SQLite database
• 🚫 No tracking - No analytics, no third parties
• 🧠 Local AI - Uses WebLLM to run AI models directly in your browser
• 🍴 Fork-friendly - Easy to remix and run your own instance

1. Create a chat with a password
2. Your messages are encrypted in the browser using your password
3. Encrypted data is stored in your Val Town SQLite database
4. Only you can decrypt your chats with the correct password

Your password is never sent to the server. Encryption happens entirely in your browser.

1. Click the "Remix" button on Val Town (or fork this repository)
2. This creates your own private copy of the app

When you first run your forked val, check the console logs. You'll see a message like:

⚠️  STORAGE_API_KEY not set! Auto-generated key: a1b2c3d4-e5f6-7890-abcd-ef1234567890
⚠️  Save this key to your STORAGE_API_KEY environment variable!

Important: Save this API key! It protects your storage endpoint.

1. Go to your Val Town settings
2. Navigate to Environment Variables
3. Add a new variable:
   • Name: STORAGE_API_KEY
   • Value: (paste the key from console logs)
4. Save and restart your val

In lib/api.ts, update line 3 with your storage val URL:

const STORAGE_URL = "https://your-username--your-storage-val-id.web.val.run";

You can find this URL from your forked storage val.

Visit your main val's URL and start chatting! Create your first encrypted chat with a strong password.

✅ SQL Injection Prevention - All database queries use parameterized statements ✅ API Authentication - Storage endpoint requires API key ✅ Client-side Encryption - AES-256-GCM with PBKDF2 key derivation ✅ Password Protection - Each chat requires password to unlock

• Algorithm: AES-GCM (256-bit)
• Key Derivation: PBKDF2 with 100,000 iterations
• Random Salt & IV: Generated for each encryption
• Password: Never leaves your device

Your Val Town SQLite database stores:

• Chat ID (random UUID)
• Chat name (plain text)
• Encrypted chat data (ciphertext + salt + IV)
• Timestamps

Without your password, the encrypted data is unreadable.

Variable	Required	Description
STORAGE_API_KEY	Yes	Protects your storage API from unauthorized access
FRONTEND_URL	No	Optional CORS restriction (e.g., https://yourapp.val.run)

┌─────────────────┐
│   Browser       │
│  (React App)    │
│                 │
│  • WebLLM AI    │
│  • Encryption   │
│  • UI           │
└────────┬────────┘
         │
         │ HTTPS + API Key
         │
┌────────▼────────┐
│   Val Town      │
│  Storage API    │
│                 │
│  • SQLite DB    │
│  • Auth Check   │
└─────────────────┘

├── main.ts                 # Entry point, serves HTML
├── App.tsx                 # Main React component
├── api/
│   └── storage.ts          # Storage API with authentication
├── lib/
│   ├── api.ts              # Client-side API calls
│   └── crypto.ts           # Encryption/decryption logic
├── hooks/
│   ├── useEncryption.ts    # Encryption state management
│   └── useWebLLM.ts        # AI model integration
├── screens/
│   ├── HomeScreen.tsx      # Chat list
│   ├── UnlockScreen.tsx    # Password entry
│   ├── NewChatScreen.tsx   # Create new chat
│   └── ChatScreen.tsx      # Chat interface
└── components/
    ├── MessageBubble.tsx   # Message display
    ├── StatusBadge.tsx     # AI status indicator
    └── EmptyState.tsx      # Empty state UI

Use strong, unique passwords for each chat. Since encryption happens client-side, your password is the only thing protecting your data.

There is no password recovery. If you forget your password, your chat data is permanently inaccessible. This is by design - we don't have access to your passwords.

Since this is self-hosted, you're responsible for backups. Val Town SQLite data persists, but you may want to:

1. Export your encrypted data periodically
2. Save your passwords securely (use a password manager)
3. Consider backing up your Val Town val

Problem: API calls return 401 Unauthorized

Solution:

1. Check that STORAGE_API_KEY is set in environment variables
2. Make sure the key matches in both your main val and storage val
3. Restart both vals after setting the variable

Problem: Can't unlock a chat

Solution:

• Double-check your password (passwords are case-sensitive)
• There is no password recovery - if you forgot it, the chat is inaccessible

Problem: No chats appear on home screen

Solution:

1. Check browser console for errors
2. Verify STORAGE_URL in lib/api.ts points to your storage val
3. Ensure storage val is running and accessible

Problem: WebLLM status shows error

Solution:

• WebLLM downloads models to browser (can be 1-2 GB)
• Check your internet connection
• Try refreshing the page
• Check browser console for specific errors

For stronger encryption, increase iterations in lib/crypto.ts (line 25):

iterations: 600000,  // Increased from 100,000

Trade-off: Higher security, slower encryption/decryption.

To only allow requests from your frontend:

1. Set FRONTEND_URL environment variable
2. Value: https://your-main-val.val.run
3. Restart storage val

This prevents other websites from calling your API (browser-level protection).

Edit hooks/useWebLLM.ts to use a different WebLLM-supported model. See WebLLM documentation for available models.

None. This app doesn't collect, track, or transmit any data beyond what's necessary for functionality:

• Your chats are encrypted and stored in your Val Town SQLite database
• Your password never leaves your browser
• No analytics, no tracking, no third parties

Only you. When you fork this val:

• You own the Val Town vals
• You control the database
• You set the API key
• You hold the encryption passwords

No one else (including the original author) can access your chats.

Found a bug or want to improve the code? Feel free to:

1. Fork this val
2. Make your improvements
3. Share your enhanced version!

This is open source - make it your own.

While this app implements strong encryption and security practices, please note:

• ⚠️ This is a personal project, not audited by security professionals
• ⚠️ API keys are visible in browser DevTools (use strong, unique keys)
• ⚠️ Val Town is a public platform - keep your vals private if needed
• ⚠️ No rate limiting implemented (could be added if needed)

For maximum security:

• Use strong, unique passwords
• Set a strong STORAGE_API_KEY
• Keep your Val Town account secure
• Consider enabling 2FA on your Val Town account

Built with:

• Val Town - Hosting & SQLite
• React - UI framework
• WebLLM - Browser-based AI
• Web Crypto API - Encryption
• Tailwind CSS - Styling

MIT License - Feel free to fork, remix, and make it your own!

---

Remember: Your password is your key. Keep it safe, keep it secret, keep it strong.