diff --git a/src/js/crypto.js b/src/js/crypto.js
index 4dc2615..a6d37e6 100644
--- a/src/js/crypto.js
+++ b/src/js/crypto.js
@@ -5,27 +5,47 @@
    ============================================================ */
 const Crypto = (() => {
 
+    const IV_LENGTH = 12;
+
     // Returns raw 32-byte Argon2id hash as Uint8Array
     async function deriveRaw(password, salt) {
-        return hashwasm.argon2id({
-            password,
-            salt,
-            parallelism: ARGON2_PAR,
-            iterations: ARGON2_ITER,
-            memorySize: ARGON2_MEM,
-            hashLength: 32,
-            outputType: 'binary',
-        });
+        // Normalize password input to Uint8Array for safe wiping
+        let passBytes = null;
+        if (password instanceof Uint8Array) {
+            passBytes = new Uint8Array(password);
+        } else if (password instanceof ArrayBuffer) {
+            passBytes = new Uint8Array(password.slice(0));
+        } else {
+            passBytes = new TextEncoder().encode(String(password || ''));
+        }
+        try {
+            return await hashwasm.argon2id({
+                password: passBytes,
+                salt,
+                parallelism: ARGON2_PAR,
+                iterations: ARGON2_ITER,
+                memorySize: ARGON2_MEM,
+                hashLength: 32,
+                outputType: 'binary',
+            });
+        } finally {
+            passBytes.fill(0);
+        }
     }
 
     async function deriveKey(password, salt) {
-        const hash = await deriveRaw(password, salt);
-        return crypto.subtle.importKey(
-            'raw', hash,
-            { name: 'AES-GCM' },
-            false,
-            ['encrypt', 'decrypt']
-        );
+        let hash = null;
+        try {
+            hash = await deriveRaw(password, salt);
+            return await crypto.subtle.importKey(
+                'raw', hash,
+                { name: 'AES-GCM' },
+                false,
+                ['encrypt', 'decrypt']
+            );
+        } finally {
+            if (hash && typeof hash.fill === 'function') hash.fill(0);
+        }
     }
 
     // Derives both the CryptoKey and the raw bytes in a single Argon2id pass.
@@ -47,29 +67,61 @@ const Crypto = (() => {
     }
 
     async function encrypt(key, data) {
-        const iv = crypto.getRandomValues(new Uint8Array(12));
-        const buf = data instanceof ArrayBuffer
-            ? data
-            : (data instanceof Uint8Array
+        const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+        let buf = null, shouldWipeBuf = false;
+        if (data instanceof ArrayBuffer) buf = data;
+        else if (data instanceof Uint8Array) {
+            const fullView = data.byteOffset === 0 && data.byteLength === data.buffer.byteLength;
+            buf = fullView
                 ? data.buffer
-                : new TextEncoder().encode(typeof data === 'string' ? data : JSON.stringify(data)));
-        const ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, buf);
-        return { iv: Array.from(iv), blob: buf2b64(ct) };
+                : data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
+            shouldWipeBuf = !fullView;
+        }
+        else {
+            buf = new TextEncoder().encode(typeof data === 'string' ? data : JSON.stringify(data));
+            shouldWipeBuf = true;
+        }
+        try {
+            const ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, buf);
+            return { iv: Array.from(iv), blob: buf2b64(ct) };
+        } finally {
+            if (shouldWipeBuf && buf) new Uint8Array(buf).fill(0);
+        }
     }
 
     async function decrypt(key, iv, blobB64) {
+        if (!Array.isArray(iv) || iv.length !== IV_LENGTH) throw new Error('Invalid IV');
         const ivU8 = new Uint8Array(iv),
             buf = b642buf(blobB64);
-        return crypto.subtle.decrypt({ name: 'AES-GCM', iv: ivU8 }, key, buf);
+        try {
+            return await crypto.subtle.decrypt({ name: 'AES-GCM', iv: ivU8 }, key, buf);
+        } finally {
+            new Uint8Array(buf).fill(0);
+        }
     }
 
     async function encryptBin(key, buf) {
-        const iv = crypto.getRandomValues(new Uint8Array(12)),
-            ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, buf);
-        return { iv: Array.from(iv), blob: ct };
+        const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+        if (!(buf instanceof ArrayBuffer) && !(buf instanceof Uint8Array)) {
+            throw new Error('Invalid plaintext buffer');
+        }
+        let copied = null;
+        const input = buf instanceof Uint8Array
+            ? (buf.byteOffset === 0 && buf.byteLength === buf.buffer.byteLength
+                ? buf.buffer
+                : (copied = buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength)))
+            : buf;
+        try {
+            const ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, input);
+            return { iv: Array.from(iv), blob: ct };
+        } finally {
+            if (copied) new Uint8Array(copied).fill(0);
+        }
     }
 
     async function decryptBin(key, iv, blob) {
+        if (!iv || iv.length !== IV_LENGTH) throw new Error('Invalid IV');
+        if (!(blob instanceof ArrayBuffer) && !(blob instanceof Uint8Array)) throw new Error('Invalid ciphertext buffer');
         return crypto.subtle.decrypt({ name: 'AES-GCM', iv: new Uint8Array(iv) }, key, blob);
     }
 
@@ -79,10 +131,15 @@ const Crypto = (() => {
     }
 
     async function checkVerification(key, iv, blob) {
+        let buf = null;
         try {
-            const buf = await decrypt(key, iv, blob);
+            buf = await decrypt(key, iv, blob);
             return new TextDecoder().decode(buf) === VERIFY_TEXT;
-        } catch { return false; }
+        } catch {
+            return false;
+        } finally {
+            if (buf) new Uint8Array(buf).fill(0);
+        }
     }
 
     return { deriveRaw, deriveKey, deriveKeyAndRaw, importRawKey, encrypt, decrypt, encryptBin, decryptBin, makeVerification, checkVerification };
diff --git a/src/js/db.js b/src/js/db.js
index 8be2302..a0af534 100644
--- a/src/js/db.js
+++ b/src/js/db.js
@@ -37,7 +37,14 @@ const DB = (() => {
                     InitLog.done('DB schema upgrade');
                 } catch (err) { InitLog.error('DB schema upgrade', err); fail(err); }
             };
-            req.onsuccess = e => done(e.target.result);
+            req.onsuccess = e => {
+                const db = e.target.result;
+                db.onversionchange = () => {
+                    try { db.close(); } catch { }
+                    _db = null;
+                };
+                done(db);
+            };
             req.onerror = () => fail(req.error);
             req.onblocked = () => {
                 // Another connection prevents upgrade; close it by requesting versionchange on self
@@ -48,8 +55,11 @@ const DB = (() => {
         });
     }
 
-    function rw(store) { return _db.transaction(store, 'readwrite').objectStore(store); }
-    function ro(store) { return _db.transaction(store, 'readonly').objectStore(store); }
+    function _ensureDb() {
+        if (!_db) throw new Error('Database is not initialized');
+    }
+    function rw(store) { _ensureDb(); return _db.transaction(store, 'readwrite').objectStore(store); }
+    function ro(store) { _ensureDb(); return _db.transaction(store, 'readonly').objectStore(store); }
     function wrap(req) { return new Promise((r, j) => { req.onsuccess = () => r(req.result); req.onerror = () => j(req.error); }); }
 
     // Reassemble a chunked file record: reads N chunks from 'chunks' store,
diff --git a/src/js/fileops.js b/src/js/fileops.js
index fea42ea..e1a6655 100644
--- a/src/js/fileops.js
+++ b/src/js/fileops.js
@@ -51,6 +51,8 @@ async function uploadFiles(files) {
                 mime = f.type || getMime(name),
                 { iv, blob } = await Crypto.encryptBin(App.key, bufs[bi]),
                 nodeId = uid();
+            // Wipe plaintext buffer after encryption
+            new Uint8Array(bufs[bi]).fill(0);
             VFS.add({
                 id: nodeId, type: 'file', name, mime, size: f.size,
                 parentId: App.folder, ctime: Date.now(), mtime: Date.now()
@@ -114,6 +116,8 @@ async function _uploadFileEntry(fileEntry, targetFolderId) {
         mime = file.type || getMime(name),
         { iv, blob } = await Crypto.encryptBin(App.key, buf),
         nodeId = uid(), now = Date.now();
+    // Wipe plaintext buffer after encryption
+    new Uint8Array(buf).fill(0);
     VFS.add({
         id: nodeId, type: 'file', name, mime, size: file.size,
         parentId: targetFolderId, ctime: now, mtime: now
@@ -234,6 +238,8 @@ async function downloadFile(node) {
         if (!rec) { toast('File data not found', 'error'); hideLoading(); return; }
         const buf = await Crypto.decryptBin(App.key, rec.iv, rec.blob);
         downloadBuf(buf, node.name, node.mime || getMime(node.name));
+        // Wipe decrypted plaintext after download is initiated
+        new Uint8Array(buf).fill(0);
         toast('Exported: ' + node.name, 'success');
         logActivity('download', node.name, 1, VFS.fullPath(node.id));
     } catch (e) { toast('Decryption failed: ' + e.message, 'error'); }
@@ -255,6 +261,9 @@ function _confirmExport(node, buf, mime) {
     document.getElementById('ec-ok').onclick = () => {
         Overlay.hide();
         downloadBuf(buf, node.name, mime);
+        // Wipe decrypted plaintext after download is initiated
+        if (buf instanceof ArrayBuffer) new Uint8Array(buf).fill(0);
+        else if (buf instanceof Uint8Array) buf.fill(0);
         toast('Exported: ' + node.name, 'success');
         logActivity('download', node.name, 1, VFS.fullPath(node.id));
     };
@@ -789,6 +798,9 @@ let _editorOriginal = '';
 function openEditor(node, buf) {
     _editorNode = node;
     const raw = new TextDecoder().decode(buf);
+    // Wipe the decrypted ArrayBuffer now that we have the string
+    if (buf instanceof ArrayBuffer) new Uint8Array(buf).fill(0);
+    else if (buf instanceof Uint8Array) buf.fill(0);
     // Normalize line endings to \n to match what <textarea> returns
     const text = raw.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
     _editorOriginal = text;
@@ -922,6 +934,9 @@ function openViewer(node, buf, mime) {
     content.innerHTML = '';
     const blobObj = new Blob([buf], { type: mime }),
         url = URL.createObjectURL(blobObj);
+    // Wipe the decrypted ArrayBuffer now that the Blob holds the data
+    if (buf instanceof ArrayBuffer) new Uint8Array(buf).fill(0);
+    else if (buf instanceof Uint8Array) buf.fill(0);
     _viewerBlob = { url, node };
 
     document.getElementById('viewer-title').textContent = node.name;
@@ -1327,6 +1342,10 @@ async function exportAsZip(nodeIds, zipName) {
         if (!entries.length) { toast('Nothing to export', 'warn'); hideLoading(); return; }
         const zipParts = _buildZip(entries);
         downloadBuf(zipParts, zipName, 'application/zip');
+        // Wipe decrypted file data after ZIP is built
+        for (const e of entries) {
+            if (e.data instanceof Uint8Array) e.data.fill(0);
+        }
         toast(`Exported ${entries.length} file${entries.length !== 1 ? 's' : ''} as ZIP`, 'success');
         logActivity('export-zip', nodeIds.length === 1 ? (VFS.node(nodeIds[0])?.name ?? entries[0]?.name ?? '1 file') : `${entries.length} files`, entries.length, nodeIds.length === 1 ? VFS.fullPath(nodeIds[0]) : null);
     } catch (e) { toast('ZIP export failed: ' + e.message, 'error'); console.error(e); }
diff --git a/src/js/home.js b/src/js/home.js
index d28b2ca..02196d1 100644
--- a/src/js/home.js
+++ b/src/js/home.js
@@ -315,11 +315,16 @@ async function doChangePassword() {
         showLoading('Re-encrypting VFS…');
         const vfsRec = await DB.getVFS(c.id);
         if (vfsRec) {
-            const vfsBuf = typeof vfsRec.blob === 'string'
-                ? await Crypto.decrypt(oldKey, vfsRec.iv, vfsRec.blob)
-                : await Crypto.decryptBin(oldKey, vfsRec.iv, vfsRec.blob);
-            const { iv: newVfsIv, blob: newVfsBlob } = await Crypto.encryptBin(newKey, vfsBuf);
-            await DB.saveVFS(c.id, newVfsIv, newVfsBlob);
+            let vfsBuf = null;
+            try {
+                vfsBuf = typeof vfsRec.blob === 'string'
+                    ? await Crypto.decrypt(oldKey, vfsRec.iv, vfsRec.blob)
+                    : await Crypto.decryptBin(oldKey, vfsRec.iv, vfsRec.blob);
+                const { iv: newVfsIv, blob: newVfsBlob } = await Crypto.encryptBin(newKey, vfsBuf);
+                await DB.saveVFS(c.id, newVfsIv, newVfsBlob);
+            } finally {
+                if (vfsBuf) new Uint8Array(vfsBuf).fill(0);
+            }
         }
 
         // Expand lazy workspace (if never unlocked) so file blobs enter the re-encryption pass below.
@@ -350,11 +355,16 @@ async function doChangePassword() {
         let _reencDone = 0;
         const reencResults = await Promise.allSettled(files.map(async f => {
             const buf = await Crypto.decryptBin(oldKey, f.iv, f.blob);
-            const { iv, blob } = await Crypto.encryptBin(newKey, buf);
-            _reencDone++;
-            if (_reencDone % 4 === 0 || _reencDone === files.length)
-                showLoading(`Re-encrypting files\u2026 ${_reencDone}/${files.length}`);
-            return { id: f.id, cid: f.cid, iv: Array.from(iv), blob };
+            try {
+                const { iv, blob } = await Crypto.encryptBin(newKey, buf);
+                _reencDone++;
+                if (_reencDone % 4 === 0 || _reencDone === files.length)
+                    showLoading(`Re-encrypting files\u2026 ${_reencDone}/${files.length}`);
+                return { id: f.id, cid: f.cid, iv: Array.from(iv), blob };
+            } finally {
+                // Wipe decrypted plaintext buffer
+                new Uint8Array(buf).fill(0);
+            }
         }));
         const reencFiles = reencResults
             .filter(r => r.status === 'fulfilled')
@@ -817,6 +827,8 @@ async function doUnlock() {
             // Checkbox unchecked — clear any previously saved session
             clearSession(c.id);
         }
+        // Wipe raw key bytes — CryptoKey (App.key) holds it internally
+        _sessionRawKey.fill(0);
     } catch (e) {
         document.getElementById('unlock-error').innerHTML = '<svg width="14" height="14" viewBox="0 0 16 16" fill="none"><path d="M8 1.5a6.5 6.5 0 100 13 6.5 6.5 0 000-13zM7.25 5h1.5v4h-1.5V5zm0 5h1.5v1.5h-1.5V10z" fill="currentColor"/></svg> ' + escHtml(e.message);
         console.error(e);
@@ -857,7 +869,10 @@ async function deleteContainerConfirmed() {
 async function _resumeSession(c, rawKeyBytes) {
     showLoading('Restoring session...');
     try {
-        const key = await Crypto.importRawKey(rawKeyBytes),
+        // Wipe raw key bytes after import — CryptoKey will hold the key internally
+        const key = await Crypto.importRawKey(rawKeyBytes);
+        rawKeyBytes.fill(0);
+        const
             ok = await Crypto.checkVerification(key, c.verIv, c.verBlob);
         if (!ok) {
             // Stored session is invalid (password changed?) — clear it and open unlock view
diff --git a/src/js/state.js b/src/js/state.js
index b0a9131..c381477 100644
--- a/src/js/state.js
+++ b/src/js/state.js
@@ -50,16 +50,27 @@ async function _getOrCreateSessionKey() {
     if (stored) {
         try {
             const raw = Uint8Array.from(atob(stored), ch => ch.charCodeAt(0));
-            _sessionKey = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
-            return _sessionKey;
+            try {
+                _sessionKey = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
+                return _sessionKey;
+            } finally {
+                raw.fill(0);
+            }
         } catch { /* corrupted — regenerate below */ }
     }
-    const raw = crypto.getRandomValues(new Uint8Array(32)),
-        exp = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, true, ['encrypt', 'decrypt']),
-        exported = await crypto.subtle.exportKey('raw', exp);
-    sessionStorage.setItem('snv-sk', btoa(String.fromCharCode(...new Uint8Array(exported))));
-    _sessionKey = await crypto.subtle.importKey('raw', exported, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
-    return _sessionKey;
+    const raw = crypto.getRandomValues(new Uint8Array(32));
+    let exportedU8 = null;
+    try {
+        const exp = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, true, ['encrypt', 'decrypt']),
+            exported = await crypto.subtle.exportKey('raw', exp);
+        exportedU8 = new Uint8Array(exported);
+        sessionStorage.setItem('snv-sk', btoa(String.fromCharCode(...exportedU8)));
+        _sessionKey = await crypto.subtle.importKey('raw', exported, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
+        return _sessionKey;
+    } finally {
+        raw.fill(0);
+        if (exportedU8) exportedU8.fill(0);
+    }
 }
 
 /* ── Browser fingerprint → HKDF wrap-key (never stored) ──
@@ -210,18 +221,24 @@ async function _getOrCreateBrowserWrapKey() {
     combined[fpBytes.length + 1 + 32] = 0;
     combined.set(idbPart, fpBytes.length + 1 + 32 + 1);
 
-    const hkdf = await crypto.subtle.importKey('raw', combined, 'HKDF', false, ['deriveKey']),
-        salt = new Uint8Array(32), // all-zero deterministic salt
-        info = new TextEncoder().encode('snv-browser-wrap-v2');
-    _browserWrapKey = await crypto.subtle.deriveKey(
-        { name: 'HKDF', hash: 'SHA-256', salt, info },
-        hkdf,
-        { name: 'AES-GCM', length: 256 },
-        false,
-        ['encrypt', 'decrypt']
-    );
-    InitLog.done('wrap-key: HKDF derive');
-    return _browserWrapKey;
+    try {
+        const hkdf = await crypto.subtle.importKey('raw', combined, 'HKDF', false, ['deriveKey']),
+            salt = new Uint8Array(32), // all-zero deterministic salt
+            info = new TextEncoder().encode('snv-browser-wrap-v2');
+        _browserWrapKey = await crypto.subtle.deriveKey(
+            { name: 'HKDF', hash: 'SHA-256', salt, info },
+            hkdf,
+            { name: 'AES-GCM', length: 256 },
+            false,
+            ['encrypt', 'decrypt']
+        );
+        InitLog.done('wrap-key: HKDF derive');
+        return _browserWrapKey;
+    } finally {
+        combined.fill(0);
+        cookiePart.fill(0);
+        idbPart.fill(0);
+    }
 }
 
 /* ── Browser-scope session key (localStorage, shared across all tabs, wrap-encrypted) ── */
@@ -256,6 +273,8 @@ async function _getOrCreateBrowserScopeKey() {
                 newBlob.set(new Uint8Array(ct), 12);
                 localStorage.setItem('snv-bsk', btoa(String.fromCharCode(...newBlob)));
                 _browserScopeKey = await crypto.subtle.importKey('raw', rawExported, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
+                new Uint8Array(rawExported).fill(0);
+                blobBytes.fill(0);
                 InitLog.done('browser-scope-key', 'legacy-migrated');
                 return _browserScopeKey;
             } catch { /* corrupted legacy key — regenerate below */ }
@@ -265,22 +284,31 @@ async function _getOrCreateBrowserScopeKey() {
                 const iv = blobBytes.slice(0, 12), ct = blobBytes.slice(12);
                 const raw = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, wrapKey, ct);
                 _browserScopeKey = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
+                new Uint8Array(raw).fill(0);
+                blobBytes.fill(0);
                 InitLog.done('browser-scope-key', 'existing');
                 return _browserScopeKey;
             } catch { /* fingerprint changed or corrupted — regenerate below */ }
         }
     }
     // Generate fresh snv-bsk and wrap it with the browser-specific key before storing
-    const raw = crypto.getRandomValues(new Uint8Array(32)),
-        wrapIV = crypto.getRandomValues(new Uint8Array(12)),
-        ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: wrapIV }, wrapKey, raw),
-        blob = new Uint8Array(12 + ct.byteLength);
-    blob.set(wrapIV);
-    blob.set(new Uint8Array(ct), 12);
-    localStorage.setItem('snv-bsk', btoa(String.fromCharCode(...blob)));
-    _browserScopeKey = await crypto.subtle.importKey('raw', raw, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
-    InitLog.done('browser-scope-key', 'new');
-    return _browserScopeKey;
+    const raw = crypto.getRandomValues(new Uint8Array(32));
+    let rawCopy = null;
+    try {
+        const wrapIV = crypto.getRandomValues(new Uint8Array(12)),
+            ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: wrapIV }, wrapKey, raw),
+            blob = new Uint8Array(12 + ct.byteLength);
+        blob.set(wrapIV);
+        blob.set(new Uint8Array(ct), 12);
+        localStorage.setItem('snv-bsk', btoa(String.fromCharCode(...blob)));
+        rawCopy = raw.slice();
+        _browserScopeKey = await crypto.subtle.importKey('raw', rawCopy, { name: 'AES-GCM' }, false, ['encrypt', 'decrypt']);
+        InitLog.done('browser-scope-key', 'new');
+        return _browserScopeKey;
+    } finally {
+        raw.fill(0);
+        if (rawCopy) rawCopy.fill(0);
+    }
 }
 
 // Browser-scope sessions expire after 7 days; tab-scope persist until tab closes
@@ -291,23 +319,35 @@ async function _encryptSessionPayload(key, cid, rawKeyBytes, expiryMs) {
         payload = new Uint8Array(8 + rawKeyBytes.length);
     new DataView(payload.buffer).setBigUint64(0, BigInt(expiryMs), true);
     payload.set(rawKeyBytes, 8);
-    const aad = new TextEncoder().encode('snv-session:' + cid),
-        ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv, additionalData: aad }, key, payload),
-        blob = new Uint8Array(12 + ct.byteLength);
-    blob.set(iv);
-    blob.set(new Uint8Array(ct), 12);
-    return btoa(String.fromCharCode(...blob));
+    try {
+        const aad = new TextEncoder().encode('snv-session:' + cid),
+            ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv, additionalData: aad }, key, payload),
+            blob = new Uint8Array(12 + ct.byteLength);
+        blob.set(iv);
+        blob.set(new Uint8Array(ct), 12);
+        return btoa(String.fromCharCode(...blob));
+    } finally {
+        payload.fill(0);
+    }
 }
 
 async function _decryptSessionPayload(key, cid, b64) {
     const blob = Uint8Array.from(atob(b64), ch => ch.charCodeAt(0)),
         iv = blob.slice(0, 12), ct = blob.slice(12);
-    const aad = new TextEncoder().encode('snv-session:' + cid),
-        dec = await crypto.subtle.decrypt({ name: 'AES-GCM', iv, additionalData: aad }, key, ct),
-        payload = new Uint8Array(dec),
-        expiry = Number(new DataView(payload.buffer).getBigUint64(0, true));
-    if (Date.now() > expiry) return null; // expired
-    return payload.slice(8); // 32-byte raw key material
+    let payload = null;
+    try {
+        const aad = new TextEncoder().encode('snv-session:' + cid),
+            dec = await crypto.subtle.decrypt({ name: 'AES-GCM', iv, additionalData: aad }, key, ct);
+        payload = new Uint8Array(dec);
+        const expiry = Number(new DataView(payload.buffer).getBigUint64(0, true));
+        if (Date.now() > expiry) return null; // expired
+        return payload.slice(8); // 32-byte raw key material
+    } finally {
+        if (payload) payload.fill(0);
+        blob.fill(0);
+        iv.fill(0);
+        ct.fill(0);
+    }
 }
 
 // rawKeyBytes — Uint8Array(32) from Crypto.deriveRaw(), never the plaintext password
@@ -369,6 +409,21 @@ async function loadSession(cid) {
 function clearSession(cid) {
     sessionStorage.removeItem('snv-s-' + cid);
     localStorage.removeItem('snv-sb-' + cid);
+    // Drop cached session key if no sessions remain
+    _dropSessionKeyIfUnused();
+}
+
+function _dropSessionKeyIfUnused() {
+    for (let i = 0; i < sessionStorage.length; i++) {
+        const k = sessionStorage.key(i);
+        if (k && k.startsWith('snv-s-')) return;
+    }
+    for (let i = 0; i < localStorage.length; i++) {
+        const k = localStorage.key(i);
+        if (k && k.startsWith('snv-sb-')) return;
+    }
+    _sessionKey = null;
+    sessionStorage.removeItem('snv-sk');
 }
 
 function hasSession(cid) {
@@ -478,6 +533,10 @@ const App = {
         document.title = 'SafeNova';
         if (this.container?.id) _stopContainerSession(this.container.id);
         this.key = null;
+        // Paranoid: scrub container object before releasing to GC
+        if (this.container) {
+            for (let k of Object.keys(this.container)) this.container[k] = null;
+        }
         this.container = null;
         this.folder = 'root';
         this.selection = new Set();
@@ -501,6 +560,10 @@ const App = {
         const cid = this.container?.id;
         if (cid) { _stopContainerSession(cid); clearSession(cid); }
         this.key = null;
+        // Paranoid: scrub container object before releasing to GC
+        if (this.container) {
+            for (let k of Object.keys(this.container)) this.container[k] = null;
+        }
         this.container = null;
         this.folder = 'root';
         this.selection = new Set();