From 3b98951e5cbfb3e3e3d9ed47381293a784b46ce1 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 01:12:14 +0100
Subject: [PATCH 01/13] Add encryption utility with RSA-OAEP implementation

---
 frontend/src/lib/encryption.js | 177 +++++++++++++++++++++++++++++++++
 1 file changed, 177 insertions(+)
 create mode 100644 frontend/src/lib/encryption.js

diff --git a/frontend/src/lib/encryption.js b/frontend/src/lib/encryption.js
new file mode 100644
index 00000000..0c965a8c
--- /dev/null
+++ b/frontend/src/lib/encryption.js
@@ -0,0 +1,177 @@
+const ENCRYPTION_PREFIX = 'ENC:';
+const ALGORITHM = 'RSA-OAEP';
+const HASH = 'SHA-256';
+const KEY_SIZE = 2048;
+
+export function isEncryptedMessage(message) {
+    return typeof message === 'string' && message.startsWith(ENCRYPTION_PREFIX);
+}
+
+export function stripEncryptionPrefix(message) {
+    if (isEncryptedMessage(message)) {
+        return message.slice(ENCRYPTION_PREFIX.length);
+    }
+    return message;
+}
+
+export async function generateKeyPair() {
+    const keyPair = await crypto.subtle.generateKey(
+        {
+            name: ALGORITHM,
+            modulusLength: KEY_SIZE,
+            publicExponent: new Uint8Array([1, 0, 1]),
+            hash: HASH,
+        },
+        true,
+        ['encrypt', 'decrypt']
+    );
+    return keyPair;
+}
+
+export async function exportPublicKey(publicKey) {
+    const exported = await crypto.subtle.exportKey('spki', publicKey);
+    const exportedAsBase64 = btoa(String.fromCharCode(...new Uint8Array(exported)));
+    return exportedAsBase64;
+}
+
+export async function exportPrivateKey(privateKey) {
+    const exported = await crypto.subtle.exportKey('pkcs8', privateKey);
+    const exportedAsBase64 = btoa(String.fromCharCode(...new Uint8Array(exported)));
+    return exportedAsBase64;
+}
+
+export async function importPublicKey(base64Key) {
+    const binaryString = atob(base64Key);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    
+    const publicKey = await crypto.subtle.importKey(
+        'spki',
+        bytes,
+        {
+            name: ALGORITHM,
+            hash: HASH,
+        },
+        true,
+        ['encrypt']
+    );
+    return publicKey;
+}
+
+export async function importPrivateKey(base64Key) {
+    const binaryString = atob(base64Key);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    
+    const privateKey = await crypto.subtle.importKey(
+        'pkcs8',
+        bytes,
+        {
+            name: ALGORITHM,
+            hash: HASH,
+        },
+        true,
+        ['decrypt']
+    );
+    return privateKey;
+}
+
+export async function encryptMessage(message, publicKeyBase64) {
+    if (!message || !publicKeyBase64) {
+        throw new Error('Message and public key are required');
+    }
+
+    const publicKey = await importPublicKey(publicKeyBase64);
+    const encoder = new TextEncoder();
+    const data = encoder.encode(message);
+    
+    const encrypted = await crypto.subtle.encrypt(
+        {
+            name: ALGORITHM,
+        },
+        publicKey,
+        data
+    );
+    
+    const encryptedBase64 = btoa(String.fromCharCode(...new Uint8Array(encrypted)));
+    return ENCRYPTION_PREFIX + encryptedBase64;
+}
+
+export async function decryptMessage(encryptedMessage, privateKeyBase64) {
+    if (!encryptedMessage || !privateKeyBase64) {
+        throw new Error('Encrypted message and private key are required');
+    }
+
+    if (!isEncryptedMessage(encryptedMessage)) {
+        return encryptedMessage;
+    }
+
+    const encryptedData = stripEncryptionPrefix(encryptedMessage);
+    const privateKey = await importPrivateKey(privateKeyBase64);
+    
+    const binaryString = atob(encryptedData);
+    const bytes = new Uint8Array(binaryString.length);
+    for (let i = 0; i < binaryString.length; i++) {
+        bytes[i] = binaryString.charCodeAt(i);
+    }
+    
+    const decrypted = await crypto.subtle.decrypt(
+        {
+            name: ALGORITHM,
+        },
+        privateKey,
+        bytes
+    );
+    
+    const decoder = new TextDecoder();
+    return decoder.decode(decrypted);
+}
+
+export function getStorageKey(address) {
+    return `tipstream_keys_${address}`;
+}
+
+export function saveKeysToStorage(address, publicKey, privateKey) {
+    const storageKey = getStorageKey(address);
+    const keys = {
+        publicKey,
+        privateKey,
+        createdAt: Date.now(),
+    };
+    localStorage.setItem(storageKey, JSON.stringify(keys));
+}
+
+export function loadKeysFromStorage(address) {
+    const storageKey = getStorageKey(address);
+    const stored = localStorage.getItem(storageKey);
+    if (!stored) return null;
+    
+    try {
+        return JSON.parse(stored);
+    } catch {
+        return null;
+    }
+}
+
+export function deleteKeysFromStorage(address) {
+    const storageKey = getStorageKey(address);
+    localStorage.removeItem(storageKey);
+}
+
+export async function ensureUserKeys(address) {
+    let keys = loadKeysFromStorage(address);
+    
+    if (!keys) {
+        const keyPair = await generateKeyPair();
+        const publicKey = await exportPublicKey(keyPair.publicKey);
+        const privateKey = await exportPrivateKey(keyPair.privateKey);
+        saveKeysToStorage(address, publicKey, privateKey);
+        keys = { publicKey, privateKey };
+    }
+    
+    return keys;
+}

From 108dd5828fe811e0aae180ccd293c67defd3eb24 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 01:12:36 +0100
Subject: [PATCH 02/13] Add public key registry for storing recipient keys

---
 frontend/src/lib/publicKeyRegistry.js | 61 +++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 frontend/src/lib/publicKeyRegistry.js

diff --git a/frontend/src/lib/publicKeyRegistry.js b/frontend/src/lib/publicKeyRegistry.js
new file mode 100644
index 00000000..275967dc
--- /dev/null
+++ b/frontend/src/lib/publicKeyRegistry.js
@@ -0,0 +1,61 @@
+const REGISTRY_KEY_PREFIX = 'tipstream_public_key_';
+
+export function getPublicKeyStorageKey(address) {
+    return `${REGISTRY_KEY_PREFIX}${address}`;
+}
+
+export function savePublicKeyToRegistry(address, publicKey) {
+    const key = getPublicKeyStorageKey(address);
+    const data = {
+        publicKey,
+        address,
+        timestamp: Date.now(),
+    };
+    localStorage.setItem(key, JSON.stringify(data));
+}
+
+export function getPublicKeyFromRegistry(address) {
+    const key = getPublicKeyStorageKey(address);
+    const stored = localStorage.getItem(key);
+    
+    if (!stored) return null;
+    
+    try {
+        const data = JSON.parse(stored);
+        return data.publicKey;
+    } catch {
+        return null;
+    }
+}
+
+export function removePublicKeyFromRegistry(address) {
+    const key = getPublicKeyStorageKey(address);
+    localStorage.removeItem(key);
+}
+
+export function getAllPublicKeys() {
+    const keys = [];
+    for (let i = 0; i < localStorage.length; i++) {
+        const key = localStorage.key(i);
+        if (key && key.startsWith(REGISTRY_KEY_PREFIX)) {
+            try {
+                const data = JSON.parse(localStorage.getItem(key));
+                keys.push(data);
+            } catch {
+                continue;
+            }
+        }
+    }
+    return keys;
+}
+
+export function clearPublicKeyRegistry() {
+    const keysToRemove = [];
+    for (let i = 0; i < localStorage.length; i++) {
+        const key = localStorage.key(i);
+        if (key && key.startsWith(REGISTRY_KEY_PREFIX)) {
+            keysToRemove.push(key);
+        }
+    }
+    keysToRemove.forEach(key => localStorage.removeItem(key));
+}

From 0108af3f53b72d911346582e2b4fceaddbf2c909 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 01:13:12 +0100
Subject: [PATCH 03/13] Add useEncryption hook for key management

---
 frontend/src/hooks/useEncryption.js | 100 ++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 frontend/src/hooks/useEncryption.js

diff --git a/frontend/src/hooks/useEncryption.js b/frontend/src/hooks/useEncryption.js
new file mode 100644
index 00000000..ed268515
--- /dev/null
+++ b/frontend/src/hooks/useEncryption.js
@@ -0,0 +1,100 @@
+import { useState, useEffect, useCallback } from 'react';
+import {
+    ensureUserKeys,
+    loadKeysFromStorage,
+    deleteKeysFromStorage,
+    encryptMessage,
+    decryptMessage,
+    isEncryptedMessage,
+} from '../lib/encryption';
+import {
+    getPublicKeyFromRegistry,
+    savePublicKeyToRegistry,
+} from '../lib/publicKeyRegistry';
+
+export function useEncryption(userAddress) {
+    const [keys, setKeys] = useState(null);
+    const [loading, setLoading] = useState(true);
+    const [error, setError] = useState(null);
+
+    useEffect(() => {
+        if (!userAddress) {
+            setKeys(null);
+            setLoading(false);
+            return;
+        }
+
+        const initKeys = async () => {
+            try {
+                setLoading(true);
+                setError(null);
+                const userKeys = await ensureUserKeys(userAddress);
+                setKeys(userKeys);
+                
+                savePublicKeyToRegistry(userAddress, userKeys.publicKey);
+            } catch (err) {
+                setError(err.message);
+                setKeys(null);
+            } finally {
+                setLoading(false);
+            }
+        };
+
+        initKeys();
+    }, [userAddress]);
+
+    const encrypt = useCallback(async (message, recipientAddress) => {
+        if (!message) return message;
+        
+        const recipientPublicKey = getPublicKeyFromRegistry(recipientAddress);
+        if (!recipientPublicKey) {
+            throw new Error('Recipient public key not found');
+        }
+
+        return await encryptMessage(message, recipientPublicKey);
+    }, []);
+
+    const decrypt = useCallback(async (encryptedMessage) => {
+        if (!encryptedMessage || !isEncryptedMessage(encryptedMessage)) {
+            return encryptedMessage;
+        }
+
+        if (!keys?.privateKey) {
+            throw new Error('Private key not available');
+        }
+
+        return await decryptMessage(encryptedMessage, keys.privateKey);
+    }, [keys]);
+
+    const regenerateKeys = useCallback(async () => {
+        if (!userAddress) return;
+
+        try {
+            setLoading(true);
+            setError(null);
+            deleteKeysFromStorage(userAddress);
+            const newKeys = await ensureUserKeys(userAddress);
+            setKeys(newKeys);
+            savePublicKeyToRegistry(userAddress, newKeys.publicKey);
+        } catch (err) {
+            setError(err.message);
+        } finally {
+            setLoading(false);
+        }
+    }, [userAddress]);
+
+    const canEncryptFor = useCallback((recipientAddress) => {
+        return !!getPublicKeyFromRegistry(recipientAddress);
+    }, []);
+
+    return {
+        keys,
+        loading,
+        error,
+        encrypt,
+        decrypt,
+        regenerateKeys,
+        canEncryptFor,
+        isEncrypted: isEncryptedMessage,
+    };
+}

From 9df8e8885d211ddc20a2b39f31b52fa3add11621 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 01:20:35 +0100
Subject: [PATCH 04/13] Add encryption toggle UI to SendTip component

---
 frontend/src/components/SendTip.jsx | 76 ++++++++++++++++++++++++++---
 1 file changed, 68 insertions(+), 8 deletions(-)

diff --git a/frontend/src/components/SendTip.jsx b/frontend/src/components/SendTip.jsx
index ecb28986..04dc922d 100644
--- a/frontend/src/components/SendTip.jsx
+++ b/frontend/src/components/SendTip.jsx
@@ -21,10 +21,12 @@ import { useStxPrice } from '../hooks/useStxPrice';
 import { useSenderAddress } from '../hooks/useSenderAddress';
 import { useContractFee } from '../hooks/useContractFee';
 import { useTransactionFeeEstimate } from '../hooks/useTransactionFeeEstimate';
+import { useEncryption } from '../hooks/useEncryption';
 import { analytics } from '../lib/analytics';
 import ConfirmDialog from './ui/confirm-dialog';
 import TxStatus from './ui/tx-status';
 import AddressBook from './AddressBook';
+import { Lock, Unlock } from 'lucide-react';
 
 const MIN_TIP_STX = 0.001; // minimum tip in STX
 const MAX_TIP_STX = 10000; // maximum tip in STX
@@ -67,10 +69,12 @@ export default function SendTip({ addToast }) {
     const [amountError, setAmountError] = useState('');
     const [cooldown, setCooldown] = useState(0);
     const [showAddressBook, setShowAddressBook] = useState(false);
+    const [encryptMessage, setEncryptMessage] = useState(false);
   const cooldownRef = useRef(null);
 
   const walletSenderAddress = useSenderAddress();
   const senderAddress = demoEnabled ? getDemoData().mockWalletAddress : walletSenderAddress;
+  const { encrypt, canEncryptFor } = useEncryption(senderAddress);
   const realBalanceState = useBalance(senderAddress);
   const { displayBalance: balance, sendTipInDemo, pendingTransaction } = useSendTipWithDemo(realBalanceState.balance);
   const balanceLoading = demoEnabled ? false : realBalanceState.loading;
@@ -93,6 +97,7 @@ export default function SendTip({ addToast }) {
   } = useTransactionFeeEstimate();
 
     const isRecipientHighRisk = !canProceedWithRecipient(recipient, blockedWarning);
+    const canEncrypt = recipient && canEncryptFor(recipient);
 
     useEffect(() => {
         return () => {
@@ -205,13 +210,25 @@ export default function SendTip({ addToast }) {
         setLoading(true);
 
         try {
+            let finalMessage = message || 'Thanks!';
+            
+            if (encryptMessage && message && canEncrypt) {
+                try {
+                    finalMessage = await encrypt(message, recipient.trim());
+                } catch (encryptError) {
+                    addToast('Failed to encrypt message. Sending unencrypted.', 'warning');
+                    finalMessage = message;
+                }
+            }
+
             if (demoEnabled) {
-                const result = await sendTipInDemo(recipient.trim(), amount, message, category);
+                const result = await sendTipInDemo(recipient.trim(), amount, finalMessage, category);
                 setPendingTx(result);
                 setRecipient('');
                 setAmount('');
                 setMessage('');
                 setCategory(0);
+                setEncryptMessage(false);
                 startCooldown();
                 addToast('Demo tip sent successfully.', 'success');
                 setLoading(false);
@@ -226,7 +243,7 @@ export default function SendTip({ addToast }) {
             const functionArgs = [
                 principalCV(recipient.trim()),
                 uintCV(microSTX),
-                stringUtf8CV(message || 'Thanks!'),
+                stringUtf8CV(finalMessage),
                 uintCV(category)
             ];
 
@@ -246,6 +263,7 @@ export default function SendTip({ addToast }) {
                     setAmount('');
                     setMessage('');
                     setCategory(0);
+                    setEncryptMessage(false);
                     notifyTipSent();
                     startCooldown();
                     analytics.trackTipConfirmed();
@@ -262,7 +280,6 @@ export default function SendTip({ addToast }) {
             console.error('Failed to send tip:', msg);
             analytics.trackTipFailed();
 
-            // Provide a more specific message for post-condition failures
             if (msg.toLowerCase().includes('post-condition') || msg.toLowerCase().includes('postcondition')) {
                 addToast('Transaction rejected by post-condition check. Your funds are safe.', 'error');
             } else {
@@ -360,13 +377,46 @@ export default function SendTip({ addToast }) {
 
                     {/* Message */}
                     <div>
-                        <label htmlFor="tip-message" className="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-1.5">Message (optional)</label>
+                        <div className="flex items-center justify-between mb-1.5">
+                            <label htmlFor="tip-message" className="block text-sm font-medium text-gray-700 dark:text-gray-300">Message (optional)</label>
+                            {message && (
+                                <button
+                                    type="button"
+                                    onClick={() => setEncryptMessage(!encryptMessage)}
+                                    disabled={!canEncrypt}
+                                    className={`flex items-center gap-1.5 px-2 py-1 rounded-lg text-xs font-medium transition-all ${
+                                        encryptMessage
+                                            ? 'bg-green-100 dark:bg-green-900/30 text-green-700 dark:text-green-400'
+                                            : 'bg-gray-100 dark:bg-gray-800 text-gray-600 dark:text-gray-400'
+                                    } ${!canEncrypt ? 'opacity-50 cursor-not-allowed' : 'hover:opacity-80'}`}
+                                    title={!canEncrypt ? 'Recipient public key not available' : encryptMessage ? 'Message will be encrypted' : 'Click to encrypt message'}
+                                >
+                                    {encryptMessage ? <Lock className="w-3 h-3" /> : <Unlock className="w-3 h-3" />}
+                                    {encryptMessage ? 'Encrypted' : 'Encrypt'}
+                                </button>
+                            )}
+                        </div>
                         <textarea id="tip-message" value={message} onChange={(e) => setMessage(e.target.value)}
                             className="w-full px-4 py-2.5 border border-gray-200 dark:border-gray-700 bg-white dark:bg-gray-800 dark:text-white rounded-xl text-sm focus:ring-2 focus:ring-amber-500/50 focus:border-amber-500 outline-none transition-all resize-none"
                             placeholder="Great work!" maxLength={280} rows={2} />
-                        <p className={`text-xs mt-1 text-right ${message.length >= 280 ? 'text-red-500' : 'text-gray-400'}`}>
-                            {message.length}/280
-                        </p>
+                        <div className="flex items-center justify-between mt-1">
+                            <div>
+                                {encryptMessage && canEncrypt && (
+                                    <p className="text-xs text-green-600 dark:text-green-400 flex items-center gap-1">
+                                        <Lock className="w-3 h-3" />
+                                        Only recipient can read this message
+                                    </p>
+                                )}
+                                {encryptMessage && !canEncrypt && (
+                                    <p className="text-xs text-amber-600 dark:text-amber-400">
+                                        Recipient key unavailable, will send unencrypted
+                                    </p>
+                                )}
+                            </div>
+                            <p className={`text-xs ${message.length >= 280 ? 'text-red-500' : 'text-gray-400'}`}>
+                                {message.length}/280
+                            </p>
+                        </div>
                     </div>
 
                     {/* Category */}
@@ -489,7 +539,17 @@ export default function SendTip({ addToast }) {
                         <p>Send <strong>{amount} STX</strong> to:</p>
                         <p className="font-mono text-xs bg-gray-100 dark:bg-gray-800 p-2 rounded-lg break-all">{recipient}</p>
                         <p className="text-sm text-gray-600 dark:text-gray-400">Category: <strong>{TIP_CATEGORIES.find(c => c.id === category)?.label}</strong></p>
-                        {message && <p className="italic text-gray-500">"{message}"</p>}
+                        {message && (
+                            <div>
+                                <p className="italic text-gray-500">"{message}"</p>
+                                {encryptMessage && canEncrypt && (
+                                    <p className="text-xs text-green-600 dark:text-green-400 mt-1 flex items-center gap-1">
+                                        <Lock className="w-3 h-3" />
+                                        Message will be encrypted
+                                    </p>
+                                )}
+                            </div>
+                        )}
                         {amount && parseFloat(amount) > 0 && (
                             <div className="mt-3 pt-3 border-t border-gray-200 dark:border-gray-700 text-sm text-gray-600 dark:text-gray-400 space-y-1">
                                 <div className="flex justify-between">

From 979f22da5535b26b4b20e3ea4ad4717b86e9fd5e Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 01:22:33 +0100
Subject: [PATCH 05/13] Add message decryption support to TipHistory

---
 frontend/src/components/TipHistory.jsx | 62 +++++++++++++++++++++++++-
 1 file changed, 61 insertions(+), 1 deletion(-)

diff --git a/frontend/src/components/TipHistory.jsx b/frontend/src/components/TipHistory.jsx
index eced1889..f86118f9 100644
--- a/frontend/src/components/TipHistory.jsx
+++ b/frontend/src/components/TipHistory.jsx
@@ -9,6 +9,8 @@ import ShareTip from './ShareTip';
 import { useDemoMode } from '../context/DemoContext';
 import RefundRequest from './RefundRequest';
 import RefundApproval from './RefundApproval';
+import { Lock, Eye, EyeOff } from 'lucide-react';
+import { useEncryption } from '../hooks/useEncryption';
 
 const CATEGORY_LABELS = {
     0: 'General', 1: 'Content Creation', 2: 'Open Source',
@@ -50,7 +52,10 @@ export default function TipHistory({ userAddress, addToast }) {
     const noop = () => {};
     const toast = addToast || noop;
     const { demoEnabled, getDemoData, demoTips: contextDemoTips } = useDemoMode();
+    const { decrypt, isEncrypted } = useEncryption(userAddress);
     const [tips, setTips] = useState([]);
+    const [decryptedMessages, setDecryptedMessages] = useState({});
+    const [revealedMessages, setRevealedMessages] = useState({});
     const [tipsLoading, setTipsLoading] = useState(true);
     const [tipsError, setTipsError] = useState(null);
     const [tipsMeta, setTipsMeta] = useState({ offset: 0, total: 0, hasMore: false });
@@ -61,6 +66,33 @@ export default function TipHistory({ userAddress, addToast }) {
     const [categoryFilter, setCategoryFilter] = useState('all');
     const [loadingMore, setLoadingMore] = useState(false);
 
+    const handleDecryptMessage = useCallback(async (tipId, message) => {
+        if (!isEncrypted(message)) return;
+        
+        try {
+            const decrypted = await decrypt(message);
+            setDecryptedMessages(prev => ({ ...prev, [tipId]: decrypted }));
+        } catch (err) {
+            console.error('Failed to decrypt message:', err);
+            setDecryptedMessages(prev => ({ ...prev, [tipId]: '[Decryption failed]' }));
+        }
+    }, [decrypt, isEncrypted]);
+
+    const toggleRevealMessage = useCallback((tipId, message) => {
+        if (revealedMessages[tipId]) {
+            setRevealedMessages(prev => {
+                const next = { ...prev };
+                delete next[tipId];
+                return next;
+            });
+        } else {
+            setRevealedMessages(prev => ({ ...prev, [tipId]: true }));
+            if (isEncrypted(message) && !decryptedMessages[tipId]) {
+                handleDecryptMessage(tipId, message);
+            }
+        }
+    }, [revealedMessages, isEncrypted, decryptedMessages, handleDecryptMessage]);
+
     const contractId = `${CONTRACT_ADDRESS}.${CONTRACT_NAME}`;
     const demoWalletAddress = demoEnabled ? getDemoData().mockWalletAddress : null;
 
@@ -315,7 +347,35 @@ export default function TipHistory({ userAddress, addToast }) {
                                                 <CopyButton text={tip.direction === 'sent' ? tip.recipient : tip.sender} className="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300" />
                                             </div>
                                             {tip.message ? (
-                                                <span className="text-xs text-gray-400 italic">&ldquo;{tip.message}&rdquo;</span>
+                                                <div className="flex items-center gap-2">
+                                                    {isEncrypted(tip.message) && (
+                                                        <Lock className="w-3 h-3 text-gray-400" />
+                                                    )}
+                                                    {isEncrypted(tip.message) && !revealedMessages[tip.tipId] ? (
+                                                        <button
+                                                            onClick={() => toggleRevealMessage(tip.tipId, tip.message)}
+                                                            className="text-xs text-gray-400 italic hover:text-gray-600 dark:hover:text-gray-300 flex items-center gap-1"
+                                                        >
+                                                            <Eye className="w-3 h-3" />
+                                                            Click to decrypt
+                                                        </button>
+                                                    ) : isEncrypted(tip.message) && revealedMessages[tip.tipId] ? (
+                                                        <div className="flex items-center gap-2">
+                                                            <span className="text-xs text-gray-400 italic">
+                                                                &ldquo;{decryptedMessages[tip.tipId] || 'Decrypting...'}&rdquo;
+                                                            </span>
+                                                            <button
+                                                                onClick={() => toggleRevealMessage(tip.tipId, tip.message)}
+                                                                className="text-gray-400 hover:text-gray-600 dark:hover:text-gray-300"
+                                                                title="Hide message"
+                                                            >
+                                                                <EyeOff className="w-3 h-3" />
+                                                            </button>
+                                                        </div>
+                                                    ) : (
+                                                        <span className="text-xs text-gray-400 italic">&ldquo;{tip.message}&rdquo;</span>
+                                                    )}
+                                                </div>
                                             ) : null}
                                         </div>
                                     </div>

From ef8d816737eb7ceb08a3fab7c0b5397814c04e58 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 07:10:47 +0100
Subject: [PATCH 06/13] Add comprehensive tests for encryption utilities

---
 frontend/src/test/encryption.test.js | 268 +++++++++++++++++++++++++++
 1 file changed, 268 insertions(+)
 create mode 100644 frontend/src/test/encryption.test.js

diff --git a/frontend/src/test/encryption.test.js b/frontend/src/test/encryption.test.js
new file mode 100644
index 00000000..927b6d28
--- /dev/null
+++ b/frontend/src/test/encryption.test.js
@@ -0,0 +1,268 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import {
+    generateKeyPair,
+    exportPublicKey,
+    exportPrivateKey,
+    importPublicKey,
+    importPrivateKey,
+    encryptMessage,
+    decryptMessage,
+    isEncryptedMessage,
+    stripEncryptionPrefix,
+    saveKeysToStorage,
+    loadKeysFromStorage,
+    deleteKeysFromStorage,
+    ensureUserKeys,
+} from '../lib/encryption';
+
+describe('encryption', () => {
+    const testAddress = 'SP2J6ZY48GV1EZ5V2V5RB9MP66SW86PYKKNRV9EJ7';
+
+    beforeEach(() => {
+        localStorage.clear();
+    });
+
+    afterEach(() => {
+        localStorage.clear();
+    });
+
+    describe('key generation', () => {
+        it('should generate a key pair', async () => {
+            const keyPair = await generateKeyPair();
+            expect(keyPair).toBeDefined();
+            expect(keyPair.publicKey).toBeDefined();
+            expect(keyPair.privateKey).toBeDefined();
+        });
+
+        it('should export public key as base64', async () => {
+            const keyPair = await generateKeyPair();
+            const exported = await exportPublicKey(keyPair.publicKey);
+            expect(typeof exported).toBe('string');
+            expect(exported.length).toBeGreaterThan(0);
+        });
+
+        it('should export private key as base64', async () => {
+            const keyPair = await generateKeyPair();
+            const exported = await exportPrivateKey(keyPair.privateKey);
+            expect(typeof exported).toBe('string');
+            expect(exported.length).toBeGreaterThan(0);
+        });
+
+        it('should import public key from base64', async () => {
+            const keyPair = await generateKeyPair();
+            const exported = await exportPublicKey(keyPair.publicKey);
+            const imported = await importPublicKey(exported);
+            expect(imported).toBeDefined();
+        });
+
+        it('should import private key from base64', async () => {
+            const keyPair = await generateKeyPair();
+            const exported = await exportPrivateKey(keyPair.privateKey);
+            const imported = await importPrivateKey(exported);
+            expect(imported).toBeDefined();
+        });
+    });
+
+    describe('encryption and decryption', () => {
+        it('should encrypt a message', async () => {
+            const keyPair = await generateKeyPair();
+            const publicKey = await exportPublicKey(keyPair.publicKey);
+            const message = 'Hello, World!';
+            
+            const encrypted = await encryptMessage(message, publicKey);
+            expect(encrypted).toBeDefined();
+            expect(encrypted).not.toBe(message);
+            expect(encrypted.startsWith('ENC:')).toBe(true);
+        });
+
+        it('should decrypt an encrypted message', async () => {
+            const keyPair = await generateKeyPair();
+            const publicKey = await exportPublicKey(keyPair.publicKey);
+            const privateKey = await exportPrivateKey(keyPair.privateKey);
+            const message = 'Hello, World!';
+            
+            const encrypted = await encryptMessage(message, publicKey);
+            const decrypted = await decryptMessage(encrypted, privateKey);
+            
+            expect(decrypted).toBe(message);
+        });
+
+        it('should handle special characters', async () => {
+            const keyPair = await generateKeyPair();
+            const publicKey = await exportPublicKey(keyPair.publicKey);
+            const privateKey = await exportPrivateKey(keyPair.privateKey);
+            const message = 'Special chars: !@#$%^&*()_+-=[]{}|;:,.<>?';
+            
+            const encrypted = await encryptMessage(message, publicKey);
+            const decrypted = await decryptMessage(encrypted, privateKey);
+            
+            expect(decrypted).toBe(message);
+        });
+
+        it('should handle unicode characters', async () => {
+            const keyPair = await generateKeyPair();
+            const publicKey = await exportPublicKey(keyPair.publicKey);
+            const privateKey = await exportPrivateKey(keyPair.privateKey);
+            const message = 'Unicode: 你好世界 🌍 مرحبا';
+            
+            const encrypted = await encryptMessage(message, publicKey);
+            const decrypted = await decryptMessage(encrypted, privateKey);
+            
+            expect(decrypted).toBe(message);
+        });
+
+        it('should handle long messages', async () => {
+            const keyPair = await generateKeyPair();
+            const publicKey = await exportPublicKey(keyPair.publicKey);
+            const privateKey = await exportPrivateKey(keyPair.privateKey);
+            const message = 'A'.repeat(200);
+            
+            const encrypted = await encryptMessage(message, publicKey);
+            const decrypted = await decryptMessage(encrypted, privateKey);
+            
+            expect(decrypted).toBe(message);
+        });
+
+        it('should throw error when encrypting without public key', async () => {
+            await expect(encryptMessage('test', '')).rejects.toThrow();
+        });
+
+        it('should throw error when decrypting without private key', async () => {
+            await expect(decryptMessage('ENC:test', '')).rejects.toThrow();
+        });
+
+        it('should return unencrypted message if not encrypted', async () => {
+            const keyPair = await generateKeyPair();
+            const privateKey = await exportPrivateKey(keyPair.privateKey);
+            const message = 'Plain text';
+            
+            const result = await decryptMessage(message, privateKey);
+            expect(result).toBe(message);
+        });
+    });
+
+    describe('encryption detection', () => {
+        it('should detect encrypted messages', () => {
+            expect(isEncryptedMessage('ENC:abc123')).toBe(true);
+        });
+
+        it('should not detect unencrypted messages', () => {
+            expect(isEncryptedMessage('Hello')).toBe(false);
+            expect(isEncryptedMessage('')).toBe(false);
+            expect(isEncryptedMessage(null)).toBe(false);
+        });
+
+        it('should strip encryption prefix', () => {
+            expect(stripEncryptionPrefix('ENC:abc123')).toBe('abc123');
+            expect(stripEncryptionPrefix('Hello')).toBe('Hello');
+        });
+    });
+
+    describe('key storage', () => {
+        it('should save keys to localStorage', () => {
+            const publicKey = 'public-key-data';
+            const privateKey = 'private-key-data';
+            
+            saveKeysToStorage(testAddress, publicKey, privateKey);
+            
+            const stored = localStorage.getItem(`tipstream_keys_${testAddress}`);
+            expect(stored).toBeDefined();
+            
+            const parsed = JSON.parse(stored);
+            expect(parsed.publicKey).toBe(publicKey);
+            expect(parsed.privateKey).toBe(privateKey);
+            expect(parsed.createdAt).toBeDefined();
+        });
+
+        it('should load keys from localStorage', () => {
+            const publicKey = 'public-key-data';
+            const privateKey = 'private-key-data';
+            
+            saveKeysToStorage(testAddress, publicKey, privateKey);
+            const loaded = loadKeysFromStorage(testAddress);
+            
+            expect(loaded).toBeDefined();
+            expect(loaded.publicKey).toBe(publicKey);
+            expect(loaded.privateKey).toBe(privateKey);
+        });
+
+        it('should return null when no keys exist', () => {
+            const loaded = loadKeysFromStorage(testAddress);
+            expect(loaded).toBeNull();
+        });
+
+        it('should delete keys from localStorage', () => {
+            const publicKey = 'public-key-data';
+            const privateKey = 'private-key-data';
+            
+            saveKeysToStorage(testAddress, publicKey, privateKey);
+            deleteKeysFromStorage(testAddress);
+            
+            const loaded = loadKeysFromStorage(testAddress);
+            expect(loaded).toBeNull();
+        });
+
+        it('should handle corrupted storage data', () => {
+            localStorage.setItem(`tipstream_keys_${testAddress}`, 'invalid-json');
+            const loaded = loadKeysFromStorage(testAddress);
+            expect(loaded).toBeNull();
+        });
+    });
+
+    describe('ensureUserKeys', () => {
+        it('should generate keys if none exist', async () => {
+            const keys = await ensureUserKeys(testAddress);
+            
+            expect(keys).toBeDefined();
+            expect(keys.publicKey).toBeDefined();
+            expect(keys.privateKey).toBeDefined();
+            
+            const stored = loadKeysFromStorage(testAddress);
+            expect(stored).toBeDefined();
+            expect(stored.publicKey).toBe(keys.publicKey);
+        });
+
+        it('should return existing keys if they exist', async () => {
+            const firstKeys = await ensureUserKeys(testAddress);
+            const secondKeys = await ensureUserKeys(testAddress);
+            
+            expect(secondKeys.publicKey).toBe(firstKeys.publicKey);
+            expect(secondKeys.privateKey).toBe(firstKeys.privateKey);
+        });
+
+        it('should save keys to storage when generating', async () => {
+            await ensureUserKeys(testAddress);
+            
+            const stored = loadKeysFromStorage(testAddress);
+            expect(stored).toBeDefined();
+            expect(stored.publicKey).toBeDefined();
+            expect(stored.privateKey).toBeDefined();
+        });
+    });
+
+    describe('end-to-end encryption flow', () => {
+        it('should complete full encryption flow', async () => {
+            const senderKeys = await ensureUserKeys('sender-address');
+            const recipientKeys = await ensureUserKeys('recipient-address');
+            
+            const message = 'Secret message';
+            const encrypted = await encryptMessage(message, recipientKeys.publicKey);
+            const decrypted = await decryptMessage(encrypted, recipientKeys.privateKey);
+            
+            expect(decrypted).toBe(message);
+        });
+
+        it('should fail to decrypt with wrong key', async () => {
+            const senderKeys = await ensureUserKeys('sender-address');
+            const recipientKeys = await ensureUserKeys('recipient-address');
+            const wrongKeys = await ensureUserKeys('wrong-address');
+            
+            const message = 'Secret message';
+            const encrypted = await encryptMessage(message, recipientKeys.publicKey);
+            
+            await expect(
+                decryptMessage(encrypted, wrongKeys.privateKey)
+            ).rejects.toThrow();
+        });
+    });
+});

From 52d4528ba2181a6a7cdbbe7b7ae7c97e6f7216ce Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 07:12:22 +0100
Subject: [PATCH 07/13] Add tests for public key registry

---
 frontend/src/test/publicKeyRegistry.test.js | 208 ++++++++++++++++++++
 1 file changed, 208 insertions(+)
 create mode 100644 frontend/src/test/publicKeyRegistry.test.js

diff --git a/frontend/src/test/publicKeyRegistry.test.js b/frontend/src/test/publicKeyRegistry.test.js
new file mode 100644
index 00000000..684fbdae
--- /dev/null
+++ b/frontend/src/test/publicKeyRegistry.test.js
@@ -0,0 +1,208 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import {
+    savePublicKeyToRegistry,
+    getPublicKeyFromRegistry,
+    removePublicKeyFromRegistry,
+    getAllPublicKeys,
+    clearPublicKeyRegistry,
+} from '../lib/publicKeyRegistry';
+
+describe('publicKeyRegistry', () => {
+    const testAddress1 = 'SP2J6ZY48GV1EZ5V2V5RB9MP66SW86PYKKNRV9EJ7';
+    const testAddress2 = 'SP3FBR2AGK5H9QBDH3EEN6DF8EK8JY7RX8QJ5SVTE';
+    const testPublicKey1 = 'public-key-data-1';
+    const testPublicKey2 = 'public-key-data-2';
+
+    beforeEach(() => {
+        localStorage.clear();
+    });
+
+    afterEach(() => {
+        localStorage.clear();
+    });
+
+    describe('savePublicKeyToRegistry', () => {
+        it('should save public key to registry', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            
+            const key = `tipstream_public_key_${testAddress1}`;
+            const stored = localStorage.getItem(key);
+            expect(stored).toBeDefined();
+            
+            const parsed = JSON.parse(stored);
+            expect(parsed.publicKey).toBe(testPublicKey1);
+            expect(parsed.address).toBe(testAddress1);
+            expect(parsed.timestamp).toBeDefined();
+        });
+
+        it('should overwrite existing key', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            savePublicKeyToRegistry(testAddress1, testPublicKey2);
+            
+            const retrieved = getPublicKeyFromRegistry(testAddress1);
+            expect(retrieved).toBe(testPublicKey2);
+        });
+
+        it('should save multiple addresses', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            savePublicKeyToRegistry(testAddress2, testPublicKey2);
+            
+            expect(getPublicKeyFromRegistry(testAddress1)).toBe(testPublicKey1);
+            expect(getPublicKeyFromRegistry(testAddress2)).toBe(testPublicKey2);
+        });
+    });
+
+    describe('getPublicKeyFromRegistry', () => {
+        it('should retrieve saved public key', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            const retrieved = getPublicKeyFromRegistry(testAddress1);
+            expect(retrieved).toBe(testPublicKey1);
+        });
+
+        it('should return null for non-existent address', () => {
+            const retrieved = getPublicKeyFromRegistry(testAddress1);
+            expect(retrieved).toBeNull();
+        });
+
+        it('should handle corrupted data', () => {
+            const key = `tipstream_public_key_${testAddress1}`;
+            localStorage.setItem(key, 'invalid-json');
+            
+            const retrieved = getPublicKeyFromRegistry(testAddress1);
+            expect(retrieved).toBeNull();
+        });
+    });
+
+    describe('removePublicKeyFromRegistry', () => {
+        it('should remove public key from registry', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            removePublicKeyFromRegistry(testAddress1);
+            
+            const retrieved = getPublicKeyFromRegistry(testAddress1);
+            expect(retrieved).toBeNull();
+        });
+
+        it('should not affect other keys', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            savePublicKeyToRegistry(testAddress2, testPublicKey2);
+            
+            removePublicKeyFromRegistry(testAddress1);
+            
+            expect(getPublicKeyFromRegistry(testAddress1)).toBeNull();
+            expect(getPublicKeyFromRegistry(testAddress2)).toBe(testPublicKey2);
+        });
+
+        it('should handle removing non-existent key', () => {
+            expect(() => {
+                removePublicKeyFromRegistry(testAddress1);
+            }).not.toThrow();
+        });
+    });
+
+    describe('getAllPublicKeys', () => {
+        it('should return empty array when no keys exist', () => {
+            const keys = getAllPublicKeys();
+            expect(keys).toEqual([]);
+        });
+
+        it('should return all saved public keys', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            savePublicKeyToRegistry(testAddress2, testPublicKey2);
+            
+            const keys = getAllPublicKeys();
+            expect(keys.length).toBe(2);
+            
+            const addresses = keys.map(k => k.address);
+            expect(addresses).toContain(testAddress1);
+            expect(addresses).toContain(testAddress2);
+        });
+
+        it('should include all key data', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            
+            const keys = getAllPublicKeys();
+            expect(keys[0].publicKey).toBe(testPublicKey1);
+            expect(keys[0].address).toBe(testAddress1);
+            expect(keys[0].timestamp).toBeDefined();
+        });
+
+        it('should skip corrupted entries', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            localStorage.setItem('tipstream_public_key_corrupted', 'invalid-json');
+            savePublicKeyToRegistry(testAddress2, testPublicKey2);
+            
+            const keys = getAllPublicKeys();
+            expect(keys.length).toBe(2);
+        });
+
+        it('should not include non-registry items', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            localStorage.setItem('other_key', 'other_value');
+            
+            const keys = getAllPublicKeys();
+            expect(keys.length).toBe(1);
+        });
+    });
+
+    describe('clearPublicKeyRegistry', () => {
+        it('should clear all public keys', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            savePublicKeyToRegistry(testAddress2, testPublicKey2);
+            
+            clearPublicKeyRegistry();
+            
+            expect(getPublicKeyFromRegistry(testAddress1)).toBeNull();
+            expect(getPublicKeyFromRegistry(testAddress2)).toBeNull();
+            expect(getAllPublicKeys()).toEqual([]);
+        });
+
+        it('should not affect other localStorage items', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            localStorage.setItem('other_key', 'other_value');
+            
+            clearPublicKeyRegistry();
+            
+            expect(localStorage.getItem('other_key')).toBe('other_value');
+        });
+
+        it('should handle empty registry', () => {
+            expect(() => {
+                clearPublicKeyRegistry();
+            }).not.toThrow();
+        });
+    });
+
+    describe('integration scenarios', () => {
+        it('should handle complete workflow', () => {
+            savePublicKeyToRegistry(testAddress1, testPublicKey1);
+            
+            const retrieved = getPublicKeyFromRegistry(testAddress1);
+            expect(retrieved).toBe(testPublicKey1);
+            
+            const allKeys = getAllPublicKeys();
+            expect(allKeys.length).toBe(1);
+            
+            removePublicKeyFromRegistry(testAddress1);
+            expect(getPublicKeyFromRegistry(testAddress1)).toBeNull();
+        });
+
+        it('should handle multiple users', () => {
+            const addresses = [
+                'SP1',
+                'SP2',
+                'SP3',
+            ];
+            
+            addresses.forEach((addr, i) => {
+                savePublicKeyToRegistry(addr, `key-${i}`);
+            });
+            
+            const allKeys = getAllPublicKeys();
+            expect(allKeys.length).toBe(3);
+            
+            addresses.forEach((addr, i) => {
+                expect(getPublicKeyFromRegistry(addr)).toBe(`key-${i}`);
+            });
+        });
+    });
+});

From a0fdd75355d3d97ed92d5494a6f24b1380f3e961 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 07:13:47 +0100
Subject: [PATCH 08/13] Add tests for useEncryption hook

---
 frontend/src/test/useEncryption.test.js | 320 ++++++++++++++++++++++++
 1 file changed, 320 insertions(+)
 create mode 100644 frontend/src/test/useEncryption.test.js

diff --git a/frontend/src/test/useEncryption.test.js b/frontend/src/test/useEncryption.test.js
new file mode 100644
index 00000000..442b26d7
--- /dev/null
+++ b/frontend/src/test/useEncryption.test.js
@@ -0,0 +1,320 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { renderHook, waitFor } from '@testing-library/react';
+import { useEncryption } from '../hooks/useEncryption';
+import * as encryption from '../lib/encryption';
+import * as publicKeyRegistry from '../lib/publicKeyRegistry';
+
+vi.mock('../lib/encryption');
+vi.mock('../lib/publicKeyRegistry');
+
+describe('useEncryption', () => {
+    const testAddress = 'SP2J6ZY48GV1EZ5V2V5RB9MP66SW86PYKKNRV9EJ7';
+    const recipientAddress = 'SP3FBR2AGK5H9QBDH3EEN6DF8EK8JY7RX8QJ5SVTE';
+    const mockKeys = {
+        publicKey: 'mock-public-key',
+        privateKey: 'mock-private-key',
+    };
+
+    beforeEach(() => {
+        vi.clearAllMocks();
+        localStorage.clear();
+        
+        encryption.ensureUserKeys.mockResolvedValue(mockKeys);
+        encryption.loadKeysFromStorage.mockReturnValue(mockKeys);
+        encryption.deleteKeysFromStorage.mockImplementation(() => {});
+        encryption.encryptMessage.mockResolvedValue('ENC:encrypted');
+        encryption.decryptMessage.mockResolvedValue('decrypted');
+        encryption.isEncryptedMessage.mockImplementation(msg => msg?.startsWith('ENC:'));
+        
+        publicKeyRegistry.savePublicKeyToRegistry.mockImplementation(() => {});
+        publicKeyRegistry.getPublicKeyFromRegistry.mockReturnValue('recipient-public-key');
+    });
+
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+
+    describe('initialization', () => {
+        it('should initialize with loading state', () => {
+            const { result } = renderHook(() => useEncryption(testAddress));
+            expect(result.current.loading).toBe(true);
+        });
+
+        it('should load keys for user address', async () => {
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            expect(encryption.ensureUserKeys).toHaveBeenCalledWith(testAddress);
+            expect(result.current.keys).toEqual(mockKeys);
+        });
+
+        it('should save public key to registry', async () => {
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            expect(publicKeyRegistry.savePublicKeyToRegistry).toHaveBeenCalledWith(
+                testAddress,
+                mockKeys.publicKey
+            );
+        });
+
+        it('should handle no user address', async () => {
+            const { result } = renderHook(() => useEncryption(null));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            expect(result.current.keys).toBeNull();
+            expect(encryption.ensureUserKeys).not.toHaveBeenCalled();
+        });
+
+        it('should handle initialization error', async () => {
+            encryption.ensureUserKeys.mockRejectedValue(new Error('Init failed'));
+            
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            expect(result.current.error).toBe('Init failed');
+            expect(result.current.keys).toBeNull();
+        });
+    });
+
+    describe('encrypt', () => {
+        it('should encrypt message for recipient', async () => {
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            const encrypted = await result.current.encrypt('test message', recipientAddress);
+            
+            expect(encryption.encryptMessage).toHaveBeenCalledWith(
+                'test message',
+                'recipient-public-key'
+            );
+            expect(encrypted).toBe('ENC:encrypted');
+        });
+
+        it('should return message if empty', async () => {
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            const encrypted = await result.current.encrypt('', recipientAddress);
+            expect(encrypted).toBe('');
+            expect(encryption.encryptMessage).not.toHaveBeenCalled();
+        });
+
+        it('should throw error if recipient key not found', async () => {
+            publicKeyRegistry.getPublicKeyFromRegistry.mockReturnValue(null);
+            
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            await expect(
+                result.current.encrypt('test', recipientAddress)
+            ).rejects.toThrow('Recipient public key not found');
+        });
+    });
+
+    describe('decrypt', () => {
+        it('should decrypt encrypted message', async () => {
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            const decrypted = await result.current.decrypt('ENC:encrypted');
+            
+            expect(encryption.decryptMessage).toHaveBeenCalledWith(
+                'ENC:encrypted',
+                mockKeys.privateKey
+            );
+            expect(decrypted).toBe('decrypted');
+        });
+
+        it('should return unencrypted message as is', async () => {
+            encryption.isEncryptedMessage.mockReturnValue(false);
+            
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            const result2 = await result.current.decrypt('plain text');
+            expect(result2).toBe('plain text');
+            expect(encryption.decryptMessage).not.toHaveBeenCalled();
+        });
+
+        it('should throw error if private key not available', async () => {
+            encryption.ensureUserKeys.mockResolvedValue({ publicKey: 'pub' });
+            
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            await expect(
+                result.current.decrypt('ENC:encrypted')
+            ).rejects.toThrow('Private key not available');
+        });
+    });
+
+    describe('regenerateKeys', () => {
+        it('should regenerate keys', async () => {
+            const newKeys = {
+                publicKey: 'new-public-key',
+                privateKey: 'new-private-key',
+            };
+            
+            encryption.ensureUserKeys
+                .mockResolvedValueOnce(mockKeys)
+                .mockResolvedValueOnce(newKeys);
+            
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            await result.current.regenerateKeys();
+            
+            await waitFor(() => {
+                expect(result.current.keys).toEqual(newKeys);
+            });
+            
+            expect(encryption.deleteKeysFromStorage).toHaveBeenCalledWith(testAddress);
+            expect(publicKeyRegistry.savePublicKeyToRegistry).toHaveBeenCalledWith(
+                testAddress,
+                newKeys.publicKey
+            );
+        });
+
+        it('should handle regeneration error', async () => {
+            encryption.ensureUserKeys
+                .mockResolvedValueOnce(mockKeys)
+                .mockRejectedValueOnce(new Error('Regeneration failed'));
+            
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            await result.current.regenerateKeys();
+            
+            await waitFor(() => {
+                expect(result.current.error).toBe('Regeneration failed');
+            });
+        });
+
+        it('should not regenerate if no address', async () => {
+            const { result } = renderHook(() => useEncryption(null));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            await result.current.regenerateKeys();
+            
+            expect(encryption.deleteKeysFromStorage).not.toHaveBeenCalled();
+        });
+    });
+
+    describe('canEncryptFor', () => {
+        it('should return true if recipient key exists', async () => {
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            const canEncrypt = result.current.canEncryptFor(recipientAddress);
+            expect(canEncrypt).toBe(true);
+        });
+
+        it('should return false if recipient key does not exist', async () => {
+            publicKeyRegistry.getPublicKeyFromRegistry.mockReturnValue(null);
+            
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            const canEncrypt = result.current.canEncryptFor(recipientAddress);
+            expect(canEncrypt).toBe(false);
+        });
+    });
+
+    describe('isEncrypted', () => {
+        it('should check if message is encrypted', async () => {
+            const { result } = renderHook(() => useEncryption(testAddress));
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            result.current.isEncrypted('ENC:test');
+            expect(encryption.isEncryptedMessage).toHaveBeenCalledWith('ENC:test');
+        });
+    });
+
+    describe('address changes', () => {
+        it('should reload keys when address changes', async () => {
+            const { result, rerender } = renderHook(
+                ({ address }) => useEncryption(address),
+                { initialProps: { address: testAddress } }
+            );
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            expect(encryption.ensureUserKeys).toHaveBeenCalledTimes(1);
+            
+            const newAddress = 'SP_NEW_ADDRESS';
+            rerender({ address: newAddress });
+            
+            await waitFor(() => {
+                expect(encryption.ensureUserKeys).toHaveBeenCalledWith(newAddress);
+            });
+        });
+
+        it('should clear keys when address becomes null', async () => {
+            const { result, rerender } = renderHook(
+                ({ address }) => useEncryption(address),
+                { initialProps: { address: testAddress } }
+            );
+            
+            await waitFor(() => {
+                expect(result.current.loading).toBe(false);
+            });
+            
+            rerender({ address: null });
+            
+            await waitFor(() => {
+                expect(result.current.keys).toBeNull();
+            });
+        });
+    });
+});

From f564ea507154e62c39638feb8380e6683a66a48f Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 07:27:29 +0100
Subject: [PATCH 09/13] Fix encryption test message size limit

---
 frontend/src/test/encryption.test.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/test/encryption.test.js b/frontend/src/test/encryption.test.js
index 927b6d28..60fa7fc5 100644
--- a/frontend/src/test/encryption.test.js
+++ b/frontend/src/test/encryption.test.js
@@ -115,7 +115,7 @@ describe('encryption', () => {
             const keyPair = await generateKeyPair();
             const publicKey = await exportPublicKey(keyPair.publicKey);
             const privateKey = await exportPrivateKey(keyPair.privateKey);
-            const message = 'A'.repeat(200);
+            const message = 'A'.repeat(100);
             
             const encrypted = await encryptMessage(message, publicKey);
             const decrypted = await decryptMessage(encrypted, privateKey);

From b433b675df32b82e3e514f2203f40b63212a9510 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 07:29:15 +0100
Subject: [PATCH 10/13] Increase test timeouts for key generation operations

---
 frontend/src/test/encryption.test.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/frontend/src/test/encryption.test.js b/frontend/src/test/encryption.test.js
index 60fa7fc5..829d68ab 100644
--- a/frontend/src/test/encryption.test.js
+++ b/frontend/src/test/encryption.test.js
@@ -85,7 +85,7 @@ describe('encryption', () => {
             const decrypted = await decryptMessage(encrypted, privateKey);
             
             expect(decrypted).toBe(message);
-        });
+        }, 10000);
 
         it('should handle special characters', async () => {
             const keyPair = await generateKeyPair();
@@ -250,7 +250,7 @@ describe('encryption', () => {
             const decrypted = await decryptMessage(encrypted, recipientKeys.privateKey);
             
             expect(decrypted).toBe(message);
-        });
+        }, 15000);
 
         it('should fail to decrypt with wrong key', async () => {
             const senderKeys = await ensureUserKeys('sender-address');
@@ -263,6 +263,6 @@ describe('encryption', () => {
             await expect(
                 decryptMessage(encrypted, wrongKeys.privateKey)
             ).rejects.toThrow();
-        });
+        }, 20000);
     });
 });

From 291b12d34678a1d35aa6bc2183dd2a220e062de7 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 07:30:54 +0100
Subject: [PATCH 11/13] Add encryption settings management component

---
 .../src/components/EncryptionSettings.jsx     | 151 ++++++++++++++++++
 1 file changed, 151 insertions(+)
 create mode 100644 frontend/src/components/EncryptionSettings.jsx

diff --git a/frontend/src/components/EncryptionSettings.jsx b/frontend/src/components/EncryptionSettings.jsx
new file mode 100644
index 00000000..22007175
--- /dev/null
+++ b/frontend/src/components/EncryptionSettings.jsx
@@ -0,0 +1,151 @@
+import { useState } from 'react';
+import { useEncryption } from '../hooks/useEncryption';
+import { useSenderAddress } from '../hooks/useSenderAddress';
+import { Lock, RefreshCw, Copy, Check } from 'lucide-react';
+
+export default function EncryptionSettings({ addToast }) {
+    const senderAddress = useSenderAddress();
+    const { keys, loading, error, regenerateKeys } = useEncryption(senderAddress);
+    const [copied, setCopied] = useState(false);
+    const [regenerating, setRegenerating] = useState(false);
+
+    const handleCopyPublicKey = async () => {
+        if (!keys?.publicKey) return;
+        
+        try {
+            await navigator.clipboard.writeText(keys.publicKey);
+            setCopied(true);
+            addToast('Public key copied to clipboard', 'success');
+            setTimeout(() => setCopied(false), 2000);
+        } catch (err) {
+            addToast('Failed to copy public key', 'error');
+        }
+    };
+
+    const handleRegenerateKeys = async () => {
+        if (!confirm('Are you sure you want to regenerate your encryption keys? You will not be able to decrypt old messages.')) {
+            return;
+        }
+
+        setRegenerating(true);
+        try {
+            await regenerateKeys();
+            addToast('Encryption keys regenerated successfully', 'success');
+        } catch (err) {
+            addToast('Failed to regenerate keys', 'error');
+        } finally {
+            setRegenerating(false);
+        }
+    };
+
+    if (!senderAddress) {
+        return (
+            <div className="max-w-2xl mx-auto">
+                <div className="bg-white dark:bg-gray-900 rounded-2xl border border-gray-200 dark:border-gray-800 p-6">
+                    <p className="text-gray-500 dark:text-gray-400 text-center">
+                        Connect your wallet to manage encryption settings
+                    </p>
+                </div>
+            </div>
+        );
+    }
+
+    if (loading) {
+        return (
+            <div className="max-w-2xl mx-auto">
+                <div className="bg-white dark:bg-gray-900 rounded-2xl border border-gray-200 dark:border-gray-800 p-6">
+                    <div className="flex items-center justify-center py-8">
+                        <div className="animate-spin rounded-full h-8 w-8 border-2 border-gray-300 dark:border-gray-600 border-t-gray-900 dark:border-t-white" />
+                    </div>
+                </div>
+            </div>
+        );
+    }
+
+    if (error) {
+        return (
+            <div className="max-w-2xl mx-auto">
+                <div className="bg-white dark:bg-gray-900 rounded-2xl border border-red-200 dark:border-red-800 p-6">
+                    <p className="text-red-500 text-center">{error}</p>
+                </div>
+            </div>
+        );
+    }
+
+    return (
+        <div className="max-w-2xl mx-auto">
+            <div className="bg-white dark:bg-gray-900 rounded-2xl border border-gray-200 dark:border-gray-800 p-6">
+                <div className="flex items-center gap-3 mb-6">
+                    <div className="w-10 h-10 rounded-xl bg-amber-100 dark:bg-amber-900/30 flex items-center justify-center">
+                        <Lock className="w-5 h-5 text-amber-600 dark:text-amber-400" />
+                    </div>
+                    <div>
+                        <h2 className="text-xl font-bold text-gray-900 dark:text-white">Encryption Settings</h2>
+                        <p className="text-sm text-gray-500 dark:text-gray-400">Manage your message encryption keys</p>
+                    </div>
+                </div>
+
+                <div className="space-y-6">
+                    <div className="bg-blue-50 dark:bg-blue-900/20 rounded-xl p-4 border border-blue-200 dark:border-blue-800">
+                        <p className="text-sm text-blue-800 dark:text-blue-300">
+                            Your encryption keys are stored locally in your browser. They are used to encrypt and decrypt private tip messages.
+                        </p>
+                    </div>
+
+                    <div>
+                        <label className="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-2">
+                            Your Public Key
+                        </label>
+                        <div className="flex gap-2">
+                            <div className="flex-1 px-4 py-3 bg-gray-50 dark:bg-gray-800 rounded-xl border border-gray-200 dark:border-gray-700 font-mono text-xs break-all text-gray-700 dark:text-gray-300">
+                                {keys?.publicKey ? keys.publicKey.slice(0, 100) + '...' : 'No key available'}
+                            </div>
+                            <button
+                                onClick={handleCopyPublicKey}
+                                disabled={!keys?.publicKey}
+                                className="px-4 py-3 bg-gray-100 dark:bg-gray-800 hover:bg-gray-200 dark:hover:bg-gray-700 text-gray-700 dark:text-gray-300 rounded-xl transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
+                                title="Copy public key"
+                            >
+                                {copied ? <Check className="w-4 h-4" /> : <Copy className="w-4 h-4" />}
+                            </button>
+                        </div>
+                        <p className="text-xs text-gray-500 dark:text-gray-400 mt-2">
+                            Share this key with others so they can send you encrypted messages
+                        </p>
+                    </div>
+
+                    <div>
+                        <label className="block text-sm font-medium text-gray-700 dark:text-gray-300 mb-2">
+                            Private Key Status
+                        </label>
+                        <div className="px-4 py-3 bg-gray-50 dark:bg-gray-800 rounded-xl border border-gray-200 dark:border-gray-700">
+                            <div className="flex items-center gap-2">
+                                <div className={`w-2 h-2 rounded-full ${keys?.privateKey ? 'bg-green-500' : 'bg-red-500'}`} />
+                                <span className="text-sm text-gray-700 dark:text-gray-300">
+                                    {keys?.privateKey ? 'Private key is stored securely' : 'No private key available'}
+                                </span>
+                            </div>
+                        </div>
+                        <p className="text-xs text-gray-500 dark:text-gray-400 mt-2">
+                            Your private key never leaves your browser and is used to decrypt messages sent to you
+                        </p>
+                    </div>
+
+                    <div className="pt-4 border-t border-gray-200 dark:border-gray-700">
+                        <button
+                            onClick={handleRegenerateKeys}
+                            disabled={regenerating}
+                            className="flex items-center gap-2 px-4 py-2.5 bg-red-50 dark:bg-red-900/20 hover:bg-red-100 dark:hover:bg-red-900/30 text-red-700 dark:text-red-400 rounded-xl font-semibold transition-colors disabled:opacity-50 disabled:cursor-not-allowed"
+                        >
+                            <RefreshCw className={`w-4 h-4 ${regenerating ? 'animate-spin' : ''}`} />
+                            {regenerating ? 'Regenerating...' : 'Regenerate Keys'}
+                        </button>
+                        <p className="text-xs text-gray-500 dark:text-gray-400 mt-2">
+                            Warning: Regenerating keys will prevent you from decrypting old messages
+                        </p>
+                    </div>
+                </div>
+            </div>
+        </div>
+    );
+}

From 4ae5d72795b9fb9130b6b6750cada9c70846cfda Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 07:31:51 +0100
Subject: [PATCH 12/13] Add encryption route to routes configuration

---
 frontend/src/config/routes.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/frontend/src/config/routes.js b/frontend/src/config/routes.js
index b30a6d6b..24abad95 100644
--- a/frontend/src/config/routes.js
+++ b/frontend/src/config/routes.js
@@ -115,6 +115,12 @@ export const ROUTE_REFUNDS = '/refunds';
  */
 export const ROUTE_NOTIFICATION_PREFERENCES = '/notification-preferences';
 
+/**
+ * Encryption settings for managing message encryption keys.
+ * @type {string}
+ */
+export const ROUTE_ENCRYPTION = '/encryption';
+
 /**
  * The route that "/" redirects to when the user is authenticated.
  * Change this single value to alter the default landing page site-wide.
@@ -144,6 +150,7 @@ export const ROUTE_LABELS = {
   [ROUTE_TELEMETRY]: 'Telemetry',
   [ROUTE_REFUNDS]: 'Refunds',
   [ROUTE_NOTIFICATION_PREFERENCES]: 'Notifications',
+  [ROUTE_ENCRYPTION]: 'Encryption',
 };
 
 /**
@@ -171,6 +178,7 @@ export const ROUTE_TITLES = {
   [ROUTE_TELEMETRY]: 'Telemetry -- TipStream',
   [ROUTE_REFUNDS]: 'Refunds -- TipStream',
   [ROUTE_NOTIFICATION_PREFERENCES]: 'Notification Preferences -- TipStream',
+  [ROUTE_ENCRYPTION]: 'Encryption Settings -- TipStream',
 };
 
 /**
@@ -270,4 +278,9 @@ export const ROUTE_META = {
     requiresAuth: true,
     adminOnly: false,
   },
+  [ROUTE_ENCRYPTION]: {
+    description: 'Manage encryption keys for private tip messages.',
+    requiresAuth: true,
+    adminOnly: false,
+  },
 };

From 5d075b11062660743e0b12c61105bc7a7f13e964 Mon Sep 17 00:00:00 2001
From: 0xMosas <tosinolosasa@gmail.com>
Date: Mon, 25 May 2026 07:37:54 +0100
Subject: [PATCH 13/13] Add encryption settings route to App navigation

---
 frontend/src/App.jsx | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx
index ffad4114..46a1f001 100644
--- a/frontend/src/App.jsx
+++ b/frontend/src/App.jsx
@@ -21,10 +21,10 @@ import {
   ROUTE_SEND, ROUTE_BATCH, ROUTE_TOKEN_TIP, ROUTE_SCHEDULE, ROUTE_SCHEDULED_TIPS, ROUTE_FEED,
   ROUTE_LEADERBOARD, ROUTE_ACTIVITY, ROUTE_PROFILE, ROUTE_ADDRESS_BOOK,
   ROUTE_BLOCK, ROUTE_STATS, ROUTE_ADMIN, ROUTE_TELEMETRY, ROUTE_REFUNDS,
-  ROUTE_NOTIFICATION_PREFERENCES,
+  ROUTE_NOTIFICATION_PREFERENCES, ROUTE_ENCRYPTION,
   DEFAULT_AUTHENTICATED_ROUTE, ROUTE_META,
 } from './config/routes';
-import { Zap, Radio, Trophy, User, BarChart3, Users, ShieldBan, Coins, UserCircle, Shield, Gauge, Calendar, Clock, BookUser, RotateCcw, BellCog } from 'lucide-react';
+import { Zap, Radio, Trophy, User, BarChart3, Users, ShieldBan, Coins, UserCircle, Shield, Gauge, Calendar, Clock, BookUser, RotateCcw, BellCog, Lock } from 'lucide-react';
 import { activateDemo, deactivateDemo } from './lib/demo-utils';
 import { useNotificationPreferences } from './context/NotificationPreferencesContext';
 
@@ -47,6 +47,7 @@ const AdminDashboard = lazy(() => import('./components/AdminDashboard'));
 const TelemetryDashboard = lazy(() => import('./components/TelemetryDashboard'));
 const RefundManager = lazy(() => import('./components/RefundManager'));
 const NotificationPreferencesPage = lazy(() => import('./components/NotificationPreferences'));
+const EncryptionSettings = lazy(() => import('./components/EncryptionSettings'));
 
 function App() {
   const [userData, setUserData] = useState(null);
@@ -175,6 +176,7 @@ function App() {
       { path: ROUTE_BLOCK, label: 'Block', icon: ShieldBan },
       { path: ROUTE_REFUNDS, label: 'Refunds', icon: RotateCcw },
       { path: ROUTE_NOTIFICATION_PREFERENCES, label: 'Notifications', icon: BellCog },
+      { path: ROUTE_ENCRYPTION, label: 'Encryption', icon: Lock },
       { path: ROUTE_STATS, label: 'Stats', icon: BarChart3 },
     ];
     
@@ -421,6 +423,20 @@ function App() {
                       )
                     }
                   />
+
+                  {/* Encryption settings */}
+                  <Route
+                    path={ROUTE_ENCRYPTION}
+                    element={
+                      userData || demoEnabled ? (
+                        <EncryptionSettings addToast={addToast} />
+                      ) : (
+                        <RequireAuth onAuth={handleAuth} authLoading={authLoading} route={ROUTE_ENCRYPTION}>
+                          <EncryptionSettings addToast={addToast} />
+                        </RequireAuth>
+                      )
+                    }
+                  />
                   
                   {/* Root and fallback */}
                   <Route path="/" element={<Navigate to={userData || demoEnabled ? DEFAULT_AUTHENTICATED_ROUTE : ROUTE_FEED} replace />} />