사소한 리팩토링

네트워크 호출 결과가 IndexedDB에 캐시되지 않던 버그 수정
홈, 갤러리, 캐시 설정, 썸네일 설정 페이지에서의 네트워크 호출 최적화
2026-02-04 16:16:55 +00:00 · 2026-01-02 00:31:58 +09:00 · 2026-01-01 23:52:47 +09:00 · 2026-01-01 23:31:01 +09:00 · 2026-01-01 21:41:53 +09:00 · 2025-12-31 02:43:07 +09:00
189 changed files with 6394 additions and 5284 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,6 @@
 .git
 node_modules
+/Makefile

 # Output
 .output
@@ -10,13 +11,15 @@ node_modules
 /build
 /data
 /library
+/thumbnails

 # OS
 .DS_Store
 Thumbs.db

-# VSCode
+# Editors
 /.vscode
+/.idea

 # Env
 .env
--- a/.env.example
+++ b/.env.example
@@ -11,3 +11,4 @@ SESSION_EXPIRES=
 USER_CLIENT_CHALLENGE_EXPIRES=
 SESSION_UPGRADE_CHALLENGE_EXPIRES=
 LIBRARY_PATH=
+THUMBNAILS_PATH=
--- a/.gitignore
+++ b/.gitignore
@@ -9,13 +9,15 @@ node_modules
 /build
 /data
 /library
+/thumbnails

 # OS
 .DS_Store
 Thumbs.db

-# VSCode
+# Editors
 /.vscode
+/.idea

 # Env
 .env
--- a/8
+++ b/8
@@ -2,11 +2,7 @@
 FROM node:22-alpine AS base
 WORKDIR /app

-RUN apk add --no-cache bash curl && \
-    curl -o /usr/local/bin/wait-for-it https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh && \
-    chmod +x /usr/local/bin/wait-for-it
-
-RUN npm install -g pnpm@9
+RUN npm install -g pnpm@10
 COPY pnpm-lock.yaml .

 # Build Stage
@@ -29,4 +25,4 @@ COPY --from=build /app/build ./build

 EXPOSE 3000
 ENV BODY_SIZE_LIMIT=Infinity
-CMD ["bash", "-c", "wait-for-it ${DATABASE_HOST:-localhost}:${DATABASE_PORT:-5432} -- node ./build/index.js"]
+CMD ["node", "./build/index.js"]
--- a/docker-compose.dev.yaml
+++ b/docker-compose.dev.yaml
@@ -1,7 +1,7 @@
 services:
  database:
-    image: postgres:17.2
-    restart: on-failure
+    image: postgres:17
+    restart: always
    volumes:
      - database:/var/lib/postgresql/data
    environment:
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,12 +1,14 @@
 services:
  server:
    build: .
-    restart: on-failure
+    restart: unless-stopped
    depends_on:
-      - database
+      database:
+        condition: service_healthy
    user: ${CONTAINER_UID:-0}:${CONTAINER_GID:-0}
    volumes:
      - ./data/library:/app/data/library
+      - ./data/thumbnails:/app/data/thumbnails
    environment:
      # ArkVault
      - DATABASE_HOST=database
@@ -17,6 +19,7 @@ services:
      - USER_CLIENT_CHALLENGE_EXPIRES
      - SESSION_UPGRADE_CHALLENGE_EXPIRES
      - LIBRARY_PATH=/app/data/library
+      - THUMBNAILS_PATH=/app/data/thumbnails
      # SvelteKit
      - ADDRESS_HEADER=${TRUST_PROXY:+X-Forwarded-For}
      - XFF_DEPTH=${TRUST_PROXY:-}
@@ -25,11 +28,16 @@ services:
      - ${PORT:-80}:3000

  database:
-    image: postgres:17.2-alpine
-    restart: on-failure
+    image: postgres:17-alpine
+    restart: unless-stopped
    user: ${CONTAINER_UID:-0}:${CONTAINER_GID:-0}
    volumes:
      - ./data/database:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=arkvault
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD:?}
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
--- a/eslint.config.js
+++ b/eslint.config.js
@@ -1,21 +1,24 @@
-import prettier from "eslint-config-prettier";
-import js from "@eslint/js";
 import { includeIgnoreFile } from "@eslint/compat";
+import js from "@eslint/js";
+import { defineConfig } from "eslint/config";
+import prettier from "eslint-config-prettier";
 import svelte from "eslint-plugin-svelte";
 import tailwind from "eslint-plugin-tailwindcss";
 import globals from "globals";
-import { fileURLToPath } from "node:url";
 import ts from "typescript-eslint";
+import { fileURLToPath } from "url";
+import svelteConfig from "./svelte.config.js";
+
 const gitignorePath = fileURLToPath(new URL("./.gitignore", import.meta.url));

-export default ts.config(
+export default defineConfig(
  includeIgnoreFile(gitignorePath),
  js.configs.recommended,
  ...ts.configs.recommended,
-  ...svelte.configs["flat/recommended"],
+  ...svelte.configs.recommended,
  ...tailwind.configs["flat/recommended"],
  prettier,
-  ...svelte.configs["flat/prettier"],
+  ...svelte.configs.prettier,
  {
    languageOptions: {
      globals: {
@@ -23,13 +26,18 @@ export default ts.config(
        ...globals.node,
      },
    },
+    rules: {
+      "no-undef": "off",
+    },
  },
  {
-    files: ["**/*.svelte"],
-
+    files: ["**/*.svelte", "**/*.svelte.ts", "**/*.svelte.js"],
    languageOptions: {
      parserOptions: {
+        projectService: true,
+        extraFileExtensions: [".svelte"],
        parser: ts.parser,
+        svelteConfig,
      },
    },
  },
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "arkvault",
  "private": true,
-  "version": "0.4.0",
+  "version": "0.6.0",
  "type": "module",
  "scripts": {
    "dev": "vite dev",
@@ -16,52 +16,57 @@
    "db:migrate": "kysely migrate"
  },
  "devDependencies": {
-    "@eslint/compat": "^1.2.4",
-    "@iconify-json/material-symbols": "^1.2.12",
-    "@sveltejs/adapter-node": "^5.2.11",
-    "@sveltejs/kit": "^2.15.2",
-    "@sveltejs/vite-plugin-svelte": "^4.0.4",
+    "@eslint/compat": "^2.0.0",
+    "@iconify-json/material-symbols": "^1.2.50",
+    "@sveltejs/adapter-node": "^5.4.0",
+    "@sveltejs/kit": "^2.49.2",
+    "@sveltejs/vite-plugin-svelte": "^6.2.1",
+    "@tanstack/svelte-virtual": "^3.13.13",
+    "@trpc/client": "^11.8.1",
    "@types/file-saver": "^2.0.7",
    "@types/ms": "^0.7.34",
-    "@types/node-schedule": "^2.1.7",
-    "@types/pg": "^8.11.10",
-    "autoprefixer": "^10.4.20",
-    "axios": "^1.7.9",
-    "dexie": "^4.0.10",
-    "eslint": "^9.17.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-svelte": "^2.46.1",
-    "eslint-plugin-tailwindcss": "^3.17.5",
-    "exifreader": "^4.26.0",
+    "@types/node-schedule": "^2.1.8",
+    "@types/pg": "^8.16.0",
+    "autoprefixer": "^10.4.23",
+    "axios": "^1.13.2",
+    "dexie": "^4.2.1",
+    "eslint": "^9.39.2",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-svelte": "^3.13.1",
+    "eslint-plugin-tailwindcss": "^3.18.2",
+    "exifreader": "^4.33.1",
    "file-saver": "^2.0.5",
-    "globals": "^15.14.0",
+    "globals": "^16.5.0",
    "heic2any": "^0.0.4",
-    "kysely-ctl": "^0.10.1",
-    "mime": "^4.0.6",
-    "p-limit": "^6.2.0",
-    "prettier": "^3.4.2",
-    "prettier-plugin-svelte": "^3.3.2",
-    "prettier-plugin-tailwindcss": "^0.6.9",
-    "svelte": "^5.19.1",
-    "svelte-check": "^4.1.3",
-    "tailwindcss": "^3.4.17",
-    "typescript": "^5.7.3",
-    "typescript-eslint": "^8.19.1",
-    "unplugin-icons": "^0.22.0",
-    "vite": "^5.4.11"
+    "kysely-ctl": "^0.19.0",
+    "lru-cache": "^11.2.4",
+    "mime": "^4.1.0",
+    "p-limit": "^7.2.0",
+    "prettier": "^3.7.4",
+    "prettier-plugin-svelte": "^3.4.1",
+    "prettier-plugin-tailwindcss": "^0.7.2",
+    "svelte": "^5.46.1",
+    "svelte-check": "^4.3.5",
+    "tailwindcss": "^3.4.19",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.50.1",
+    "unplugin-icons": "^22.5.0",
+    "vite": "^7.3.0"
  },
  "dependencies": {
-    "@fastify/busboy": "^3.1.1",
-    "argon2": "^0.41.1",
-    "kysely": "^0.27.5",
+    "@fastify/busboy": "^3.2.0",
+    "@trpc/server": "^11.8.1",
+    "argon2": "^0.44.0",
+    "kysely": "^0.28.9",
    "ms": "^2.1.3",
    "node-schedule": "^2.1.1",
-    "pg": "^8.13.1",
-    "uuid": "^11.0.4",
-    "zod": "^3.24.1"
+    "pg": "^8.16.3",
+    "superjson": "^2.2.6",
+    "uuid": "^13.0.0",
+    "zod": "^4.2.1"
  },
  "engines": {
    "node": "^22.0.0",
-    "pnpm": "^9.0.0"
+    "pnpm": "^10.0.0"
  }
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/src/hooks.client.ts
+++ b/src/hooks.client.ts
@@ -4,6 +4,15 @@ import { prepareFileCache } from "$lib/modules/file";
 import { prepareOpfs } from "$lib/modules/opfs";
 import { clientKeyStore, masterKeyStore, hmacSecretStore } from "$lib/stores";

+const requestPersistentStorage = async () => {
+  const isPersistent = await navigator.storage.persist();
+  if (isPersistent) {
+    console.log("[ArkVault] Persistent storage granted.");
+  } else {
+    console.warn("[ArkVault] Persistent storage not granted.");
+  }
+};
+
 const prepareClientKeyStore = async () => {
  const [encryptKey, decryptKey, signKey, verifyKey] = await Promise.all([
    getClientKey("encrypt"),
@@ -32,6 +41,7 @@ const prepareHmacSecretStore = async () => {

 export const init: ClientInit = async () => {
  await Promise.all([
+    requestPersistentStorage(),
    prepareFileCache(),
    prepareClientKeyStore(),
    prepareMasterKeyStore(),
--- a/src/lib/components/atoms/RowVirtualizer.svelte
+++ b/src/lib/components/atoms/RowVirtualizer.svelte
@@ -0,0 +1,60 @@
+<script lang="ts">
+  import { createWindowVirtualizer } from "@tanstack/svelte-virtual";
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+
+  interface Props {
+    class?: ClassValue;
+    count: number;
+    item: Snippet<[index: number]>;
+    itemHeight: (index: number) => number;
+    itemGap?: number;
+    placeholder?: Snippet;
+  }
+
+  let { class: className, count, item, itemHeight, itemGap, placeholder }: Props = $props();
+
+  let element: HTMLElement | undefined = $state();
+  let scrollMargin = $state(0);
+
+  let virtualizer = $derived(
+    createWindowVirtualizer({
+      count,
+      estimateSize: itemHeight,
+      gap: itemGap,
+      scrollMargin,
+    }),
+  );
+
+  const measureItem = (node: HTMLElement) => {
+    $effect(() => $virtualizer.measureElement(node));
+  };
+
+  $effect(() => {
+    if (!element) return;
+
+    const observer = new ResizeObserver(() => {
+      scrollMargin = element!.getBoundingClientRect().top + window.scrollY;
+    });
+    observer.observe(element.parentElement!);
+    return () => observer.disconnect();
+  });
+</script>
+
+<div bind:this={element} class={["relative", className]}>
+  <div style:height="{$virtualizer.getTotalSize()}px">
+    {#each $virtualizer.getVirtualItems() as virtualItem (virtualItem.key)}
+      <div
+        class="absolute left-0 top-0 w-full"
+        style:transform="translateY({virtualItem.start - scrollMargin}px)"
+        data-index={virtualItem.index}
+        use:measureItem
+      >
+        {@render item(virtualItem.index)}
+      </div>
+    {/each}
+  </div>
+  {#if placeholder && $virtualizer.getVirtualItems().length === 0}
+    {@render placeholder()}
+  {/if}
+</div>
--- a/src/lib/components/atoms/buttons/FileThumbnailButton.svelte
+++ b/src/lib/components/atoms/buttons/FileThumbnailButton.svelte
@@ -0,0 +1,34 @@
+<script lang="ts">
+  import { browser } from "$app/environment";
+  import type { SummarizedFileInfo } from "$lib/modules/filesystem";
+  import { requestFileThumbnailDownload } from "$lib/services/file";
+
+  interface Props {
+    info: SummarizedFileInfo;
+    onclick?: (file: SummarizedFileInfo) => void;
+  }
+
+  let { info, onclick }: Props = $props();
+
+  let showThumbnail = $derived(
+    browser && (info.contentType.startsWith("image/") || info.contentType.startsWith("video/")),
+  );
+  let thumbnailPromise = $derived(
+    showThumbnail ? requestFileThumbnailDownload(info.id, info.dataKey?.key) : null,
+  );
+</script>
+
+<button
+  onclick={onclick && (() => setTimeout(() => onclick(info), 100))}
+  class="aspect-square overflow-hidden rounded transition active:scale-95 active:brightness-90"
+>
+  {#await thumbnailPromise}
+    <div class="h-full w-full bg-gray-100"></div>
+  {:then thumbnail}
+    {#if thumbnail}
+      <img src={thumbnail} alt={info.name} class="h-full w-full object-cover" />
+    {:else}
+      <div class="h-full w-full bg-gray-100"></div>
+    {/if}
+  {/await}
+</button>
--- a/src/lib/components/atoms/buttons/index.ts
+++ b/src/lib/components/atoms/buttons/index.ts
@@ -1,5 +1,6 @@
 export { default as ActionEntryButton } from "./ActionEntryButton.svelte";
 export { default as Button } from "./Button.svelte";
 export { default as EntryButton } from "./EntryButton.svelte";
+export { default as FileThumbnailButton } from "./FileThumbnailButton.svelte";
 export { default as FloatingButton } from "./FloatingButton.svelte";
 export { default as TextButton } from "./TextButton.svelte";
--- a/src/lib/components/atoms/divs/FullscreenDiv.svelte
+++ b/src/lib/components/atoms/divs/FullscreenDiv.svelte
@@ -1,7 +1,15 @@
 <script lang="ts">
-  let { children } = $props();
+  import type { Snippet } from "svelte";
+  import type { ClassValue } from "svelte/elements";
+
+  interface Props {
+    children: Snippet;
+    class?: ClassValue;
+  }
+
+  let { children, class: className }: Props = $props();
 </script>

-<div class="flex flex-grow flex-col justify-between px-4">
+<div class={["flex flex-grow flex-col justify-between px-4", className]}>
  {@render children()}
 </div>
--- a/src/lib/components/atoms/index.ts
+++ b/src/lib/components/atoms/index.ts
@@ -3,3 +3,4 @@ export * from "./buttons";
 export * from "./divs";
 export * from "./inputs";
 export { default as Modal } from "./Modal.svelte";
+export { default as RowVirtualizer } from "./RowVirtualizer.svelte";
--- a/src/lib/components/molecules/ActionModal.svelte
+++ b/src/lib/components/molecules/ActionModal.svelte
@@ -12,6 +12,7 @@
    confirmText: string;
    isOpen: boolean;
    onbeforeclose?: () => void;
+    oncancel?: () => void;
    onConfirmClick: ConfirmHandler;
    title: string;
  }
@@ -22,6 +23,7 @@
    confirmText,
    isOpen = $bindable(),
    onbeforeclose,
+    oncancel,
    onConfirmClick,
    title,
  }: Props = $props();
@@ -31,6 +33,11 @@
    isOpen = false;
  };

+  const cancelAction = () => {
+    oncancel?.();
+    closeModal();
+  };
+
  const confirmAction = async () => {
    if ((await onConfirmClick()) !== false) {
      closeModal();
@@ -38,13 +45,13 @@
  };
 </script>

-<Modal bind:isOpen onclose={closeModal} class="space-y-4">
+<Modal bind:isOpen onclose={cancelAction} class="space-y-4">
  <div class="flex flex-col gap-y-2 break-keep">
    <p class="text-xl font-bold">{title}</p>
    {@render children()}
  </div>
  <div class="flex gap-x-2">
-    <Button color="gray" onclick={closeModal} class="flex-1">{cancelText}</Button>
+    <Button color="gray" onclick={cancelAction} class="flex-1">{cancelText}</Button>
    <Button onclick={confirmAction} class="flex-1">{confirmText}</Button>
  </div>
 </Modal>
--- a/src/lib/components/molecules/Categories/Categories.svelte
+++ b/src/lib/components/molecules/Categories/Categories.svelte
@@ -1,59 +1,29 @@
 <script lang="ts">
-  import { untrack, type Component } from "svelte";
+  import type { Component } from "svelte";
  import type { SvelteHTMLElements } from "svelte/elements";
-  import { get, type Writable } from "svelte/store";
-  import type { CategoryInfo } from "$lib/modules/filesystem";
-  import { SortBy, sortEntries } from "$lib/modules/util";
+  import type { SubCategoryInfo } from "$lib/modules/filesystem";
+  import { SortBy, sortEntries } from "$lib/utils";
  import Category from "./Category.svelte";
  import type { SelectedCategory } from "./service";

  interface Props {
-    categories: Writable<CategoryInfo | null>[];
+    categories: SubCategoryInfo[];
    categoryMenuIcon?: Component<SvelteHTMLElements["svg"]>;
    onCategoryClick: (category: SelectedCategory) => void;
    onCategoryMenuClick?: (category: SelectedCategory) => void;
    sortBy?: SortBy;
  }

-  let {
-    categories,
-    categoryMenuIcon,
-    onCategoryClick,
-    onCategoryMenuClick,
-    sortBy = SortBy.NAME_ASC,
-  }: Props = $props();
+  let { categories, categoryMenuIcon, onCategoryClick, onCategoryMenuClick }: Props = $props();

-  let categoriesWithName: { name?: string; info: Writable<CategoryInfo | null> }[] = $state([]);
-
-  $effect(() => {
-    categoriesWithName = categories.map((category) => ({
-      name: get(category)?.name,
-      info: category,
-    }));
-
-    const sort = () => {
-      sortEntries(categoriesWithName, sortBy);
-    };
-    return untrack(() => {
-      sort();
-
-      const unsubscribes = categoriesWithName.map((category) =>
-        category.info.subscribe((value) => {
-          if (category.name === value?.name) return;
-          category.name = value?.name;
-          sort();
-        }),
-      );
-      return () => unsubscribes.forEach((unsubscribe) => unsubscribe());
-    });
-  });
+  let categoriesWithName = $derived(sortEntries(structuredClone($state.snapshot(categories))));
 </script>

 {#if categoriesWithName.length > 0}
  <div class="space-y-1">
-    {#each categoriesWithName as { info }}
+    {#each categoriesWithName as category}
      <Category
-        {info}
+        info={category}
        menuIcon={categoryMenuIcon}
        onclick={onCategoryClick}
        onMenuClick={onCategoryMenuClick}
--- a/src/lib/components/molecules/Categories/Category.svelte
+++ b/src/lib/components/molecules/Categories/Category.svelte
@@ -1,43 +1,26 @@
 <script lang="ts">
  import type { Component } from "svelte";
  import type { SvelteHTMLElements } from "svelte/elements";
-  import type { Writable } from "svelte/store";
  import { ActionEntryButton } from "$lib/components/atoms";
  import { CategoryLabel } from "$lib/components/molecules";
-  import type { CategoryInfo } from "$lib/modules/filesystem";
+  import type { SubCategoryInfo } from "$lib/modules/filesystem";
  import type { SelectedCategory } from "./service";

  interface Props {
-    info: Writable<CategoryInfo | null>;
+    info: SubCategoryInfo;
    menuIcon?: Component<SvelteHTMLElements["svg"]>;
    onclick: (category: SelectedCategory) => void;
    onMenuClick?: (category: SelectedCategory) => void;
  }

  let { info, menuIcon, onclick, onMenuClick }: Props = $props();
-
-  const openCategory = () => {
-    const { id, dataKey, dataKeyVersion, name } = $info as CategoryInfo;
-    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
-
-    onclick({ id, dataKey, dataKeyVersion, name });
-  };
-
-  const openMenu = () => {
-    const { id, dataKey, dataKeyVersion, name } = $info as CategoryInfo;
-    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
-
-    onMenuClick!({ id, dataKey, dataKeyVersion, name });
-  };
 </script>

-{#if $info}
-  <ActionEntryButton
-    class="h-12"
-    onclick={openCategory}
-    actionButtonIcon={menuIcon}
-    onActionButtonClick={openMenu}
-  >
-    <CategoryLabel name={$info.name!} />
-  </ActionEntryButton>
-{/if}
+<ActionEntryButton
+  class="h-12"
+  onclick={() => onclick(info)}
+  actionButtonIcon={menuIcon}
+  onActionButtonClick={() => onMenuClick?.(info)}
+>
+  <CategoryLabel name={info.name} />
+</ActionEntryButton>
--- a/src/lib/components/molecules/Categories/service.ts
+++ b/src/lib/components/molecules/Categories/service.ts
@@ -1,6 +1,7 @@
+import type { DataKey } from "$lib/modules/filesystem";
+
 export interface SelectedCategory {
  id: number;
-  dataKey: CryptoKey;
-  dataKeyVersion: Date;
+  dataKey?: DataKey;
  name: string;
 }
--- a/src/lib/components/molecules/SubCategories.svelte
+++ b/src/lib/components/molecules/SubCategories.svelte
@@ -1,10 +1,8 @@
 <script lang="ts">
  import type { Component } from "svelte";
  import type { ClassValue, SvelteHTMLElements } from "svelte/elements";
-  import type { Writable } from "svelte/store";
  import { Categories, IconEntryButton, type SelectedCategory } from "$lib/components/molecules";
-  import { getCategoryInfo, type CategoryInfo } from "$lib/modules/filesystem";
-  import { masterKeyStore } from "$lib/stores";
+  import type { CategoryInfo } from "$lib/modules/filesystem";

  import IconAddCircle from "~icons/material-symbols/add-circle";

@@ -27,14 +25,6 @@
    subCategoryCreatePosition = "bottom",
    subCategoryMenuIcon,
  }: Props = $props();
-
-  let subCategories: Writable<CategoryInfo | null>[] = $state([]);
-
-  $effect(() => {
-    subCategories = info.subCategoryIds.map((id) =>
-      getCategoryInfo(id, $masterKeyStore?.get(1)?.key!),
-    );
-  });
 </script>

 <div class={["space-y-1", className]}>
@@ -53,14 +43,12 @@
  {#if subCategoryCreatePosition === "top"}
    {@render subCategoryCreate()}
  {/if}
-  {#key info}
-    <Categories
-      categories={subCategories}
-      categoryMenuIcon={subCategoryMenuIcon}
-      onCategoryClick={onSubCategoryClick}
-      onCategoryMenuClick={onSubCategoryMenuClick}
-    />
-  {/key}
+  <Categories
+    categories={info.subCategories}
+    categoryMenuIcon={subCategoryMenuIcon}
+    onCategoryClick={onSubCategoryClick}
+    onCategoryMenuClick={onSubCategoryMenuClick}
+  />
  {#if subCategoryCreatePosition === "bottom"}
    {@render subCategoryCreate()}
  {/if}
--- a/src/lib/components/molecules/labels/DirectoryEntryLabel.svelte
+++ b/src/lib/components/molecules/labels/DirectoryEntryLabel.svelte
@@ -3,6 +3,7 @@
  import { IconLabel } from "$lib/components/molecules";

  import IconFolder from "~icons/material-symbols/folder";
+  import IconDriveFolderUpload from "~icons/material-symbols/drive-folder-upload";
  import IconDraft from "~icons/material-symbols/draft";

  interface Props {
@@ -10,19 +11,40 @@
    name: string;
    subtext?: string;
    textClass?: ClassValue;
-    type: "directory" | "file";
+    thumbnail?: string;
+    type: "directory" | "parent-directory" | "file";
  }

-  let { class: className, name, subtext, textClass: textClassName, type }: Props = $props();
+  let {
+    class: className,
+    name,
+    subtext,
+    textClass: textClassName,
+    thumbnail,
+    type,
+  }: Props = $props();
 </script>

+{#snippet iconSnippet()}
+  <div class="flex h-10 w-10 items-center justify-center text-xl">
+    {#if thumbnail}
+      <img src={thumbnail} alt={name} loading="lazy" class="aspect-square rounded object-cover" />
+    {:else if type === "directory"}
+      <IconFolder />
+    {:else if type === "parent-directory"}
+      <IconDriveFolderUpload class="text-yellow-500" />
+    {:else}
+      <IconDraft class="text-blue-400" />
+    {/if}
+  </div>
+{/snippet}
+
 {#snippet subtextSnippet()}
  {subtext}
 {/snippet}

 <IconLabel
-  icon={type === "directory" ? IconFolder : IconDraft}
-  iconClass={type === "file" ? "text-blue-400" : undefined}
+  {iconSnippet}
  subtext={subtext ? subtextSnippet : undefined}
  class={className}
  textClass={textClassName}
--- a/src/lib/components/molecules/labels/IconLabel.svelte
+++ b/src/lib/components/molecules/labels/IconLabel.svelte
@@ -5,8 +5,9 @@
  interface Props {
    children: Snippet;
    class?: ClassValue;
-    icon: Component<SvelteHTMLElements["svg"]>;
+    icon?: Component<SvelteHTMLElements["svg"]>;
    iconClass?: ClassValue;
+    iconSnippet?: Snippet;
    subtext?: Snippet;
    textClass?: ClassValue;
  }
@@ -16,15 +17,22 @@
    class: className,
    icon: Icon,
    iconClass: iconClassName,
+    iconSnippet,
    subtext,
    textClass: textClassName,
  }: Props = $props();
 </script>

 <div class={["flex items-center gap-x-4", className]}>
-  <div class={["flex-shrink-0 text-lg", iconClassName]}>
-    <Icon />
-  </div>
+  {#if iconSnippet}
+    <div class={["flex-shrink-0", iconClassName]}>
+      {@render iconSnippet()}
+    </div>
+  {:else if Icon}
+    <div class={["flex-shrink-0 text-lg", iconClassName]}>
+      <Icon />
+    </div>
+  {/if}
  <div class="flex flex-grow flex-col overflow-x-hidden text-left">
    <p class={["truncate font-medium", textClassName]}>
      {@render children()}
--- a/src/lib/components/organisms/Category/Category.svelte
+++ b/src/lib/components/organisms/Category/Category.svelte
@@ -1,11 +1,9 @@
 <script lang="ts">
-  import { untrack } from "svelte";
-  import { get, type Writable } from "svelte/store";
-  import { CheckBox } from "$lib/components/atoms";
+  import { CheckBox, RowVirtualizer } from "$lib/components/atoms";
  import { SubCategories, type SelectedCategory } from "$lib/components/molecules";
-  import { getFileInfo, type FileInfo, type CategoryInfo } from "$lib/modules/filesystem";
-  import { SortBy, sortEntries } from "$lib/modules/util";
-  import { masterKeyStore } from "$lib/stores";
+  import { updateCategoryInfo } from "$lib/indexedDB";
+  import type { CategoryInfo } from "$lib/modules/filesystem";
+  import { sortEntries } from "$lib/utils";
  import File from "./File.svelte";
  import type { SelectedFile } from "./service";

@@ -13,13 +11,12 @@

  interface Props {
    info: CategoryInfo;
+    isFileRecursive: boolean | undefined;
    onFileClick: (file: SelectedFile) => void;
    onFileRemoveClick: (file: SelectedFile) => void;
    onSubCategoryClick: (subCategory: SelectedCategory) => void;
    onSubCategoryCreateClick: () => void;
    onSubCategoryMenuClick: (subCategory: SelectedCategory) => void;
-    sortBy?: SortBy;
-    isFileRecursive: boolean;
  }

  let {
@@ -29,42 +26,31 @@
    onSubCategoryClick,
    onSubCategoryCreateClick,
    onSubCategoryMenuClick,
-    sortBy = SortBy.NAME_ASC,
    isFileRecursive = $bindable(),
  }: Props = $props();

-  let files: { name?: string; info: Writable<FileInfo | null>; isRecursive: boolean }[] = $state(
-    [],
+  let lastCategoryId = $state<CategoryInfo["id"] | undefined>();
+  let lastIsFileRecursive = $state<boolean | undefined>();
+
+  let files = $derived(
+    sortEntries(
+      info.files
+        ?.map((file) => ({ name: file.name, details: file }))
+        .filter(({ details }) => isFileRecursive || !details.isRecursive) ?? [],
+    ),
  );

  $effect(() => {
-    files =
-      info.files
-        ?.filter(({ isRecursive }) => isFileRecursive || !isRecursive)
-        .map(({ id, isRecursive }) => {
-          const info = getFileInfo(id, $masterKeyStore?.get(1)?.key!);
-          return {
-            name: get(info)?.name,
-            info,
-            isRecursive,
-          };
-        }) ?? [];
+    if (info.id === "root" || isFileRecursive === undefined) return;
+    if (lastCategoryId !== info.id) {
+      lastCategoryId = info.id;
+      lastIsFileRecursive = isFileRecursive;
+      return;
+    }
+    if (lastIsFileRecursive === isFileRecursive) return;

-    const sort = () => {
-      sortEntries(files, sortBy);
-    };
-    return untrack(() => {
-      sort();
-
-      const unsubscribes = files.map((file) =>
-        file.info.subscribe((value) => {
-          if (file.name === value?.name) return;
-          file.name = value?.name;
-          sort();
-        }),
-      );
-      return () => unsubscribes.forEach((unsubscribe) => unsubscribe());
-    });
+    lastIsFileRecursive = isFileRecursive;
+    void updateCategoryInfo(info.id, { isFileRecursive });
  });
 </script>

@@ -89,19 +75,19 @@
          <p class="font-medium">하위 카테고리의 파일</p>
        </CheckBox>
      </div>
-      <div class="space-y-1">
-        {#key info}
-          {#each files as { info, isRecursive }}
-            <File
-              {info}
-              onclick={onFileClick}
-              onRemoveClick={!isRecursive ? onFileRemoveClick : undefined}
-            />
-          {:else}
-            <p class="text-gray-500 text-center">이 카테고리에 추가된 파일이 없어요.</p>
-          {/each}
-        {/key}
-      </div>
+      <RowVirtualizer count={files.length} itemHeight={() => 48} itemGap={4}>
+        {#snippet item(index)}
+          {@const { details } = files[index]!}
+          <File
+            info={details}
+            onclick={onFileClick}
+            onRemoveClick={!details.isRecursive ? onFileRemoveClick : undefined}
+          />
+        {/snippet}
+        {#snippet placeholder()}
+          <p class="text-center text-gray-500">이 카테고리에 추가된 파일이 없어요.</p>
+        {/snippet}
+      </RowVirtualizer>
    </div>
  {/if}
 </div>
--- a/src/lib/components/organisms/Category/File.svelte
+++ b/src/lib/components/organisms/Category/File.svelte
@@ -1,42 +1,38 @@
 <script lang="ts">
-  import type { Writable } from "svelte/store";
+  import { browser } from "$app/environment";
  import { ActionEntryButton } from "$lib/components/atoms";
  import { DirectoryEntryLabel } from "$lib/components/molecules";
-  import type { FileInfo } from "$lib/modules/filesystem";
+  import type { CategoryFileInfo } from "$lib/modules/filesystem";
+  import { requestFileThumbnailDownload } from "$lib/services/file";
  import type { SelectedFile } from "./service";

  import IconClose from "~icons/material-symbols/close";

  interface Props {
-    info: Writable<FileInfo | null>;
-    onclick: (selectedFile: SelectedFile) => void;
-    onRemoveClick?: (selectedFile: SelectedFile) => void;
+    info: CategoryFileInfo;
+    onclick: (file: SelectedFile) => void;
+    onRemoveClick?: (file: SelectedFile) => void;
  }

  let { info, onclick, onRemoveClick }: Props = $props();

-  const openFile = () => {
-    const { id, dataKey, dataKeyVersion, name } = $info as FileInfo;
-    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
-
-    onclick({ id, dataKey, dataKeyVersion, name });
-  };
-
-  const removeFile = () => {
-    const { id, dataKey, dataKeyVersion, name } = $info as FileInfo;
-    if (!dataKey || !dataKeyVersion) return; // TODO: Error handling
-
-    onRemoveClick!({ id, dataKey, dataKeyVersion, name });
-  };
+  let showThumbnail = $derived(
+    browser && (info.contentType.startsWith("image/") || info.contentType.startsWith("video/")),
+  );
+  let thumbnailPromise = $derived(
+    showThumbnail ? requestFileThumbnailDownload(info.id, info.dataKey?.key) : null,
+  );
 </script>

-{#if $info}
-  <ActionEntryButton
-    class="h-12"
-    onclick={openFile}
-    actionButtonIcon={onRemoveClick && IconClose}
-    onActionButtonClick={removeFile}
-  >
-    <DirectoryEntryLabel type="file" name={$info.name} />
-  </ActionEntryButton>
-{/if}
+<ActionEntryButton
+  class="h-12"
+  onclick={() => onclick(info)}
+  actionButtonIcon={onRemoveClick && IconClose}
+  onActionButtonClick={() => onRemoveClick?.(info)}
+>
+  {#await thumbnailPromise}
+    <DirectoryEntryLabel type="file" name={info.name} />
+  {:then thumbnail}
+    <DirectoryEntryLabel type="file" thumbnail={thumbnail ?? undefined} name={info.name} />
+  {/await}
+</ActionEntryButton>
--- a/src/lib/components/organisms/Category/service.ts
+++ b/src/lib/components/organisms/Category/service.ts
@@ -1,6 +1,4 @@
 export interface SelectedFile {
  id: number;
-  dataKey: CryptoKey;
-  dataKeyVersion: Date;
  name: string;
 }
--- a/src/lib/components/organisms/Gallery.svelte
+++ b/src/lib/components/organisms/Gallery.svelte
@@ -0,0 +1,82 @@
+<script lang="ts">
+  import { FileThumbnailButton, RowVirtualizer } from "$lib/components/atoms";
+  import type { SummarizedFileInfo } from "$lib/modules/filesystem";
+  import { formatDate, formatDateSortable, SortBy, sortEntries } from "$lib/utils";
+
+  interface Props {
+    files: SummarizedFileInfo[];
+    onFileClick?: (file: SummarizedFileInfo) => void;
+  }
+
+  let { files, onFileClick }: Props = $props();
+
+  type Row =
+    | { type: "header"; label: string }
+    | { type: "items"; files: SummarizedFileInfo[]; isLast: boolean };
+
+  let rows = $derived.by(() => {
+    const groups = Map.groupBy(
+      files.filter(
+        (file) => file.contentType.startsWith("image/") || file.contentType.startsWith("video/"),
+      ),
+      (file) => formatDateSortable(file.createdAt ?? file.lastModifiedAt),
+    );
+    return Array.from(groups.entries())
+      .sort(([dateA], [dateB]) => dateB.localeCompare(dateA))
+      .flatMap(([_, entries]) => {
+        const sortedEntries = [...entries];
+        sortEntries(sortedEntries, SortBy.DATE_DESC);
+
+        return [
+          {
+            type: "header",
+            label: formatDate(sortedEntries[0]!.createdAt ?? sortedEntries[0]!.lastModifiedAt),
+          },
+          ...Array.from({ length: Math.ceil(sortedEntries.length / 4) }, (_, i) => {
+            const start = i * 4;
+            const end = start + 4;
+            return {
+              type: "items" as const,
+              files: sortedEntries.slice(start, end),
+              isLast: end >= sortedEntries.length,
+            };
+          }),
+        ] satisfies Row[];
+      });
+  });
+</script>
+
+<RowVirtualizer
+  count={rows.length}
+  itemHeight={(index) =>
+    rows[index]!.type === "header"
+      ? 28
+      : Math.ceil(rows[index]!.files.length / 4) * 181 +
+        (Math.ceil(rows[index]!.files.length / 4) - 1) * 4 +
+        16}
+  class="flex flex-grow flex-col"
+>
+  {#snippet item(index)}
+    {@const row = rows[index]!}
+    {#if row.type === "header"}
+      <p class="pb-2 text-sm font-medium">{row.label}</p>
+    {:else}
+      <div class={["grid grid-cols-4 gap-x-1", row.isLast ? "pb-4" : "pb-1"]}>
+        {#each row.files as file}
+          <FileThumbnailButton info={file} onclick={onFileClick} />
+        {/each}
+      </div>
+    {/if}
+  {/snippet}
+  {#snippet placeholder()}
+    <div class="flex h-full flex-grow items-center justify-center">
+      <p class="text-gray-500">
+        {#if files.length === 0}
+          업로드된 파일이 없어요.
+        {:else}
+          사진 또는 동영상이 없어요.
+        {/if}
+      </p>
+    </div>
+  {/snippet}
+</RowVirtualizer>
--- a/src/lib/components/organisms/index.ts
+++ b/src/lib/components/organisms/index.ts
@@ -1,3 +1,4 @@
 export * from "./Category";
 export { default as Category } from "./Category";
+export { default as Gallery } from "./Gallery.svelte";
 export * from "./modals";
--- a/src/lib/components/organisms/modals/ForceLoginModal.svelte
+++ b/src/lib/components/organisms/modals/ForceLoginModal.svelte
@@ -0,0 +1,22 @@
+<script lang="ts">
+  import { ActionModal } from "$lib/components/molecules";
+
+  interface Props {
+    isOpen: boolean;
+    oncancel?: () => void;
+    onLoginClick: () => void;
+  }
+
+  let { isOpen = $bindable(), oncancel, onLoginClick }: Props = $props();
+</script>
+
+<ActionModal
+  bind:isOpen
+  title="다른 디바이스에 이미 로그인되어 있어요."
+  cancelText="아니요"
+  {oncancel}
+  confirmText="네"
+  onConfirmClick={onLoginClick}
+>
+  <p>다른 디바이스에서는 로그아웃하고, 이 디바이스에서 로그인할까요?</p>
+</ActionModal>
--- a/src/lib/components/organisms/modals/index.ts
+++ b/src/lib/components/organisms/modals/index.ts
@@ -1,3 +1,4 @@
 export { default as CategoryCreateModal } from "./CategoryCreateModal.svelte";
+export { default as ForceLoginModal } from "./ForceLoginModal.svelte";
 export { default as RenameModal } from "./RenameModal.svelte";
 export { default as TextInputModal } from "./TextInputModal.svelte";
--- a/src/lib/hooks/callApi.ts
+++ b/src/lib/hooks/callApi.ts
@@ -1,11 +0,0 @@
-export const callGetApi = async (input: RequestInfo, fetchInternal = fetch) => {
-  return await fetchInternal(input);
-};
-
-export const callPostApi = async <T>(input: RequestInfo, payload?: T, fetchInternal = fetch) => {
-  return await fetchInternal(input, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: payload ? JSON.stringify(payload) : undefined,
-  });
-};
--- a/src/lib/hooks/index.ts
+++ b/src/lib/hooks/index.ts
@@ -1,2 +0,0 @@
-export * from "./callApi";
-export * from "./gotoStateful";
--- a/src/lib/indexedDB/filesystem.ts
+++ b/src/lib/indexedDB/filesystem.ts
@@ -1,7 +1,5 @@
 import { Dexie, type EntityTable } from "dexie";

-export type DirectoryId = "root" | number;
-
 interface DirectoryInfo {
  id: number;
  parentId: DirectoryId;
@@ -18,13 +16,12 @@ interface FileInfo {
  categoryIds: number[];
 }

-export type CategoryId = "root" | number;
-
 interface CategoryInfo {
  id: number;
  parentId: CategoryId;
  name: string;
  files: { id: number; isRecursive: boolean }[];
+  isFileRecursive: boolean;
 }

 const filesystem = new Dexie("filesystem") as Dexie & {
@@ -33,11 +30,21 @@ const filesystem = new Dexie("filesystem") as Dexie & {
  category: EntityTable<CategoryInfo, "id">;
 };

-filesystem.version(2).stores({
-  directory: "id, parentId",
-  file: "id, parentId",
-  category: "id, parentId",
-});
+filesystem
+  .version(3)
+  .stores({
+    directory: "id, parentId",
+    file: "id, parentId",
+    category: "id, parentId",
+  })
+  .upgrade(async (trx) => {
+    await trx
+      .table("category")
+      .toCollection()
+      .modify((category) => {
+        category.isFileRecursive = false;
+      });
+  });

 export const getDirectoryInfos = async (parentId: DirectoryId) => {
  return await filesystem.directory.where({ parentId }).toArray();
@@ -55,6 +62,10 @@ export const deleteDirectoryInfo = async (id: number) => {
  await filesystem.directory.delete(id);
 };

+export const getAllFileInfos = async () => {
+  return await filesystem.file.toArray();
+};
+
 export const getFileInfos = async (parentId: DirectoryId) => {
  return await filesystem.file.where({ parentId }).toArray();
 };
@@ -63,6 +74,10 @@ export const getFileInfo = async (id: number) => {
  return await filesystem.file.get(id);
 };

+export const bulkGetFileInfos = async (ids: number[]) => {
+  return await filesystem.file.bulkGet(ids);
+};
+
 export const storeFileInfo = async (fileInfo: FileInfo) => {
  await filesystem.file.put(fileInfo);
 };
@@ -83,6 +98,10 @@ export const storeCategoryInfo = async (categoryInfo: CategoryInfo) => {
  await filesystem.category.put(categoryInfo);
 };

+export const updateCategoryInfo = async (id: number, changes: { isFileRecursive?: boolean }) => {
+  await filesystem.category.update(id, changes);
+};
+
 export const deleteCategoryInfo = async (id: number) => {
  await filesystem.category.delete(id);
 };
--- a/src/lib/modules/crypto/rsa.ts
+++ b/src/lib/modules/crypto/rsa.ts
@@ -46,6 +46,56 @@ export const exportRSAKeyToBase64 = async (key: CryptoKey) => {
  return encodeToBase64((await exportRSAKey(key)).key);
 };

+export const importEncryptionKeyPairFromBase64 = async (
+  encryptKeyBase64: string,
+  decryptKeyBase64: string,
+) => {
+  const algorithm: RsaHashedImportParams = {
+    name: "RSA-OAEP",
+    hash: "SHA-256",
+  };
+  const encryptKey = await window.crypto.subtle.importKey(
+    "spki",
+    decodeFromBase64(encryptKeyBase64),
+    algorithm,
+    true,
+    ["encrypt", "wrapKey"],
+  );
+  const decryptKey = await window.crypto.subtle.importKey(
+    "pkcs8",
+    decodeFromBase64(decryptKeyBase64),
+    algorithm,
+    true,
+    ["decrypt", "unwrapKey"],
+  );
+  return { encryptKey, decryptKey };
+};
+
+export const importSigningKeyPairFromBase64 = async (
+  signKeyBase64: string,
+  verifyKeyBase64: string,
+) => {
+  const algorithm: RsaHashedImportParams = {
+    name: "RSA-PSS",
+    hash: "SHA-256",
+  };
+  const signKey = await window.crypto.subtle.importKey(
+    "pkcs8",
+    decodeFromBase64(signKeyBase64),
+    algorithm,
+    true,
+    ["sign"],
+  );
+  const verifyKey = await window.crypto.subtle.importKey(
+    "spki",
+    decodeFromBase64(verifyKeyBase64),
+    algorithm,
+    true,
+    ["verify"],
+  );
+  return { signKey, verifyKey };
+};
+
 export const makeRSAKeyNonextractable = async (key: CryptoKey) => {
  const { key: exportedKey, format } = await exportRSAKey(key);
  return await window.crypto.subtle.importKey(
--- a/src/lib/modules/file/cache.ts
+++ b/src/lib/modules/file/cache.ts
@@ -1,12 +1,15 @@
+import { LRUCache } from "lru-cache";
 import {
  getFileCacheIndex as getFileCacheIndexFromIndexedDB,
  storeFileCacheIndex,
  deleteFileCacheIndex,
  type FileCacheIndex,
 } from "$lib/indexedDB";
-import { readFile, writeFile, deleteFile } from "$lib/modules/opfs";
+import { readFile, writeFile, deleteFile, deleteDirectory } from "$lib/modules/opfs";
+import { getThumbnailUrl } from "$lib/modules/thumbnail";

 const fileCacheIndex = new Map<number, FileCacheIndex>();
+const loadedThumbnails = new LRUCache<number, string>({ max: 100 });

 export const prepareFileCache = async () => {
  for (const cache of await getFileCacheIndexFromIndexedDB()) {
@@ -48,3 +51,30 @@ export const deleteFileCache = async (fileId: number) => {
  await deleteFile(`/cache/${fileId}`);
  await deleteFileCacheIndex(fileId);
 };
+
+export const getFileThumbnailCache = async (fileId: number) => {
+  const thumbnail = loadedThumbnails.get(fileId);
+  if (thumbnail) return thumbnail;
+
+  const thumbnailBuffer = await readFile(`/thumbnail/file/${fileId}`);
+  if (!thumbnailBuffer) return null;
+
+  const thumbnailUrl = getThumbnailUrl(thumbnailBuffer);
+  loadedThumbnails.set(fileId, thumbnailUrl);
+  return thumbnailUrl;
+};
+
+export const storeFileThumbnailCache = async (fileId: number, thumbnailBuffer: ArrayBuffer) => {
+  await writeFile(`/thumbnail/file/${fileId}`, thumbnailBuffer);
+  loadedThumbnails.set(fileId, getThumbnailUrl(thumbnailBuffer));
+};
+
+export const deleteFileThumbnailCache = async (fileId: number) => {
+  loadedThumbnails.delete(fileId);
+  await deleteFile(`/thumbnail/file/${fileId}`);
+};
+
+export const deleteAllFileThumbnailCaches = async () => {
+  loadedThumbnails.clear();
+  await deleteDirectory("/thumbnail/file");
+};
--- a/src/lib/modules/file/download.svelte.ts
+++ b/src/lib/modules/file/download.svelte.ts
@@ -0,0 +1,95 @@
+import axios from "axios";
+import { limitFunction } from "p-limit";
+import { decryptData } from "$lib/modules/crypto";
+
+export interface FileDownloadState {
+  id: number;
+  status:
+    | "download-pending"
+    | "downloading"
+    | "decryption-pending"
+    | "decrypting"
+    | "decrypted"
+    | "canceled"
+    | "error";
+  progress?: number;
+  rate?: number;
+  estimated?: number;
+  result?: ArrayBuffer;
+}
+
+type LiveFileDownloadState = FileDownloadState & {
+  status: "download-pending" | "downloading" | "decryption-pending" | "decrypting";
+};
+
+let downloadingFiles: FileDownloadState[] = $state([]);
+
+export const isFileDownloading = (
+  status: FileDownloadState["status"],
+): status is LiveFileDownloadState["status"] =>
+  ["download-pending", "downloading", "decryption-pending", "decrypting"].includes(status);
+
+export const getFileDownloadState = (fileId: number) => {
+  return downloadingFiles.find((file) => file.id === fileId && isFileDownloading(file.status));
+};
+
+export const getDownloadingFiles = () => {
+  return downloadingFiles.filter((file) => isFileDownloading(file.status));
+};
+
+export const clearDownloadedFiles = () => {
+  downloadingFiles = downloadingFiles.filter((file) => isFileDownloading(file.status));
+};
+
+const requestFileDownload = limitFunction(
+  async (state: FileDownloadState, id: number) => {
+    state.status = "downloading";
+
+    const res = await axios.get(`/api/file/${id}/download`, {
+      responseType: "arraybuffer",
+      onDownloadProgress: ({ progress, rate, estimated }) => {
+        state.progress = progress;
+        state.rate = rate;
+        state.estimated = estimated;
+      },
+    });
+    const fileEncrypted: ArrayBuffer = res.data;
+
+    state.status = "decryption-pending";
+    return fileEncrypted;
+  },
+  { concurrency: 1 },
+);
+
+const decryptFile = limitFunction(
+  async (
+    state: FileDownloadState,
+    fileEncrypted: ArrayBuffer,
+    fileEncryptedIv: string,
+    dataKey: CryptoKey,
+  ) => {
+    state.status = "decrypting";
+
+    const fileBuffer = await decryptData(fileEncrypted, fileEncryptedIv, dataKey);
+
+    state.status = "decrypted";
+    state.result = fileBuffer;
+    return fileBuffer;
+  },
+  { concurrency: 4 },
+);
+
+export const downloadFile = async (id: number, fileEncryptedIv: string, dataKey: CryptoKey) => {
+  downloadingFiles.push({
+    id,
+    status: "download-pending",
+  });
+  const state = downloadingFiles.at(-1)!;
+
+  try {
+    return await decryptFile(state, await requestFileDownload(state, id), fileEncryptedIv, dataKey);
+  } catch (e) {
+    state.status = "error";
+    throw e;
+  }
+};
--- a/src/lib/modules/file/download.ts
+++ b/src/lib/modules/file/download.ts
@@ -1,84 +0,0 @@
-import axios from "axios";
-import { limitFunction } from "p-limit";
-import { writable, type Writable } from "svelte/store";
-import { decryptData } from "$lib/modules/crypto";
-import { fileDownloadStatusStore, type FileDownloadStatus } from "$lib/stores";
-
-const requestFileDownload = limitFunction(
-  async (status: Writable<FileDownloadStatus>, id: number) => {
-    status.update((value) => {
-      value.status = "downloading";
-      return value;
-    });
-
-    const res = await axios.get(`/api/file/${id}/download`, {
-      responseType: "arraybuffer",
-      onDownloadProgress: ({ progress, rate, estimated }) => {
-        status.update((value) => {
-          value.progress = progress;
-          value.rate = rate;
-          value.estimated = estimated;
-          return value;
-        });
-      },
-    });
-    const fileEncrypted: ArrayBuffer = res.data;
-
-    status.update((value) => {
-      value.status = "decryption-pending";
-      return value;
-    });
-    return fileEncrypted;
-  },
-  { concurrency: 1 },
-);
-
-const decryptFile = limitFunction(
-  async (
-    status: Writable<FileDownloadStatus>,
-    fileEncrypted: ArrayBuffer,
-    fileEncryptedIv: string,
-    dataKey: CryptoKey,
-  ) => {
-    status.update((value) => {
-      value.status = "decrypting";
-      return value;
-    });
-
-    const fileBuffer = await decryptData(fileEncrypted, fileEncryptedIv, dataKey);
-
-    status.update((value) => {
-      value.status = "decrypted";
-      value.result = fileBuffer;
-      return value;
-    });
-    return fileBuffer;
-  },
-  { concurrency: 4 },
-);
-
-export const downloadFile = async (id: number, fileEncryptedIv: string, dataKey: CryptoKey) => {
-  const status = writable<FileDownloadStatus>({
-    id,
-    status: "download-pending",
-  });
-  fileDownloadStatusStore.update((value) => {
-    value.push(status);
-    return value;
-  });
-
-  try {
-    return await decryptFile(
-      status,
-      await requestFileDownload(status, id),
-      fileEncryptedIv,
-      dataKey,
-    );
-  } catch (e) {
-    status.update((value) => {
-      value.status = "error";
-      return value;
-    });
-    throw e;
-  }
-};
--- a/src/lib/modules/file/index.ts
+++ b/src/lib/modules/file/index.ts
@@ -1,3 +1,3 @@
 export * from "./cache";
-export * from "./download";
-export * from "./upload";
+export * from "./download.svelte";
+export * from "./upload.svelte";
--- a/src/lib/modules/file/upload.svelte.ts
+++ b/src/lib/modules/file/upload.svelte.ts
@@ -1,7 +1,6 @@
 import axios from "axios";
 import ExifReader from "exifreader";
 import { limitFunction } from "p-limit";
-import { writable, type Writable } from "svelte/store";
 import {
  encodeToBase64,
  generateDataKey,
@@ -11,30 +10,60 @@ import {
  digestMessage,
  signMessageHmac,
 } from "$lib/modules/crypto";
+import { generateThumbnail } from "$lib/modules/thumbnail";
 import type {
-  DuplicateFileScanRequest,
-  DuplicateFileScanResponse,
+  FileThumbnailUploadRequest,
  FileUploadRequest,
  FileUploadResponse,
 } from "$lib/server/schemas";
-import {
-  fileUploadStatusStore,
-  type MasterKey,
-  type HmacSecret,
-  type FileUploadStatus,
-} from "$lib/stores";
+import type { MasterKey, HmacSecret } from "$lib/stores";
+import { trpc } from "$trpc/client";
+
+export interface FileUploadState {
+  name: string;
+  parentId: DirectoryId;
+  status:
+    | "encryption-pending"
+    | "encrypting"
+    | "upload-pending"
+    | "uploading"
+    | "uploaded"
+    | "canceled"
+    | "error";
+  progress?: number;
+  rate?: number;
+  estimated?: number;
+}
+
+export type LiveFileUploadState = FileUploadState & {
+  status: "encryption-pending" | "encrypting" | "upload-pending" | "uploading";
+};
+
+let uploadingFiles: FileUploadState[] = $state([]);
+
+const isFileUploading = (status: FileUploadState["status"]) =>
+  ["encryption-pending", "encrypting", "upload-pending", "uploading"].includes(status);
+
+export const getUploadingFiles = (parentId?: DirectoryId) => {
+  return uploadingFiles.filter(
+    (file) =>
+      (parentId === undefined || file.parentId === parentId) && isFileUploading(file.status),
+  );
+};
+
+export const clearUploadedFiles = () => {
+  uploadingFiles = uploadingFiles.filter((file) => isFileUploading(file.status));
+};

 const requestDuplicateFileScan = limitFunction(
  async (file: File, hmacSecret: HmacSecret, onDuplicate: () => Promise<boolean>) => {
    const fileBuffer = await file.arrayBuffer();
    const fileSigned = encodeToBase64(await signMessageHmac(fileBuffer, hmacSecret.secret));

-    const res = await axios.post("/api/file/scanDuplicates", {
+    const files = await trpc().file.listByHash.query({
      hskVersion: hmacSecret.version,
      contentHmac: fileSigned,
-    } satisfies DuplicateFileScanRequest);
-    const { files }: DuplicateFileScanResponse = res.data;
-
+    });
    if (files.length === 0 || (await onDuplicate())) {
      return { fileBuffer, fileSigned };
    } else {
@@ -77,16 +106,8 @@ const extractExifDateTime = (fileBuffer: ArrayBuffer) => {
 };

 const encryptFile = limitFunction(
-  async (
-    status: Writable<FileUploadStatus>,
-    file: File,
-    fileBuffer: ArrayBuffer,
-    masterKey: MasterKey,
-  ) => {
-    status.update((value) => {
-      value.status = "encrypting";
-      return value;
-    });
+  async (state: FileUploadState, file: File, fileBuffer: ArrayBuffer, masterKey: MasterKey) => {
+    state.status = "encrypting";

    const fileType = getFileType(file);

@@ -106,10 +127,11 @@ const encryptFile = limitFunction(
      createdAt && (await encryptString(createdAt.getTime().toString(), dataKey));
    const lastModifiedAtEncrypted = await encryptString(file.lastModified.toString(), dataKey);

-    status.update((value) => {
-      value.status = "upload-pending";
-      return value;
-    });
+    const thumbnail = await generateThumbnail(fileBuffer, fileType);
+    const thumbnailBuffer = await thumbnail?.arrayBuffer();
+    const thumbnailEncrypted = thumbnailBuffer && (await encryptData(thumbnailBuffer, dataKey));
+
+    state.status = "upload-pending";

    return {
      dataKeyWrapped,
@@ -120,34 +142,35 @@ const encryptFile = limitFunction(
      nameEncrypted,
      createdAtEncrypted,
      lastModifiedAtEncrypted,
+      thumbnail: thumbnailEncrypted && { plaintext: thumbnailBuffer, ...thumbnailEncrypted },
    };
  },
  { concurrency: 4 },
 );

 const requestFileUpload = limitFunction(
-  async (status: Writable<FileUploadStatus>, form: FormData) => {
-    status.update((value) => {
-      value.status = "uploading";
-      return value;
-    });
+  async (state: FileUploadState, form: FormData, thumbnailForm: FormData | null) => {
+    state.status = "uploading";

    const res = await axios.post("/api/file/upload", form, {
      onUploadProgress: ({ progress, rate, estimated }) => {
-        status.update((value) => {
-          value.progress = progress;
-          value.rate = rate;
-          value.estimated = estimated;
-          return value;
-        });
+        state.progress = progress;
+        state.rate = rate;
+        state.estimated = estimated;
      },
    });
    const { file }: FileUploadResponse = res.data;

-    status.update((value) => {
-      value.status = "uploaded";
-      return value;
-    });
+    if (thumbnailForm) {
+      try {
+        await axios.post(`/api/file/${file}/thumbnail/upload`, thumbnailForm);
+      } catch (e) {
+        // TODO
+        console.error(e);
+      }
+    }
+
+    state.status = "uploaded";

    return { fileId: file };
  },
@@ -160,16 +183,15 @@ export const uploadFile = async (
  hmacSecret: HmacSecret,
  masterKey: MasterKey,
  onDuplicate: () => Promise<boolean>,
-): Promise<{ fileId: number; fileBuffer: ArrayBuffer } | undefined> => {
-  const status = writable<FileUploadStatus>({
+): Promise<
+  { fileId: number; fileBuffer: ArrayBuffer; thumbnailBuffer?: ArrayBuffer } | undefined
+> => {
+  uploadingFiles.push({
    name: file.name,
    parentId,
    status: "encryption-pending",
  });
-  fileUploadStatusStore.update((value) => {
-    value.push(status);
-    return value;
-  });
+  const state = uploadingFiles.at(-1)!;

  try {
    const { fileBuffer, fileSigned } = await requestDuplicateFileScan(
@@ -178,14 +200,8 @@ export const uploadFile = async (
      onDuplicate,
    );
    if (!fileBuffer || !fileSigned) {
-      status.update((value) => {
-        value.status = "canceled";
-        return value;
-      });
-      fileUploadStatusStore.update((value) => {
-        value = value.filter((v) => v !== status);
-        return value;
-      });
+      state.status = "canceled";
+      uploadingFiles = uploadingFiles.filter((file) => file !== state);
      return undefined;
    }

@@ -198,7 +214,8 @@ export const uploadFile = async (
      nameEncrypted,
      createdAtEncrypted,
      lastModifiedAtEncrypted,
-    } = await encryptFile(status, file, fileBuffer, masterKey);
+      thumbnail,
+    } = await encryptFile(state, file, fileBuffer, masterKey);

    const form = new FormData();
    form.set(
@@ -218,18 +235,28 @@ export const uploadFile = async (
        createdAtIv: createdAtEncrypted?.iv,
        lastModifiedAt: lastModifiedAtEncrypted.ciphertext,
        lastModifiedAtIv: lastModifiedAtEncrypted.iv,
-      } as FileUploadRequest),
+      } satisfies FileUploadRequest),
    );
    form.set("content", new Blob([fileEncrypted.ciphertext]));
    form.set("checksum", fileEncryptedHash);

-    const { fileId } = await requestFileUpload(status, form);
-    return { fileId, fileBuffer };
+    let thumbnailForm = null;
+    if (thumbnail) {
+      thumbnailForm = new FormData();
+      thumbnailForm.set(
+        "metadata",
+        JSON.stringify({
+          dekVersion: dataKeyVersion.toISOString(),
+          contentIv: thumbnail.iv,
+        } satisfies FileThumbnailUploadRequest),
+      );
+      thumbnailForm.set("content", new Blob([thumbnail.ciphertext]));
+    }
+
+    const { fileId } = await requestFileUpload(state, form, thumbnailForm);
+    return { fileId, fileBuffer, thumbnailBuffer: thumbnail?.plaintext };
  } catch (e) {
-    status.update((value) => {
-      value.status = "error";
-      return value;
-    });
+    state.status = "error";
    throw e;
  }
 };
--- a/src/lib/modules/filesystem.ts
+++ b/src/lib/modules/filesystem.ts
@@ -1,329 +0,0 @@
-import { get, writable, type Writable } from "svelte/store";
-import { callGetApi } from "$lib/hooks";
-import {
-  getDirectoryInfos as getDirectoryInfosFromIndexedDB,
-  getDirectoryInfo as getDirectoryInfoFromIndexedDB,
-  storeDirectoryInfo,
-  deleteDirectoryInfo,
-  getFileInfos as getFileInfosFromIndexedDB,
-  getFileInfo as getFileInfoFromIndexedDB,
-  storeFileInfo,
-  deleteFileInfo,
-  getCategoryInfos as getCategoryInfosFromIndexedDB,
-  getCategoryInfo as getCategoryInfoFromIndexedDB,
-  storeCategoryInfo,
-  deleteCategoryInfo,
-  type DirectoryId,
-  type CategoryId,
-} from "$lib/indexedDB";
-import { unwrapDataKey, decryptString } from "$lib/modules/crypto";
-import type {
-  CategoryInfoResponse,
-  CategoryFileListResponse,
-  DirectoryInfoResponse,
-  FileInfoResponse,
-} from "$lib/server/schemas";
-
-export type DirectoryInfo =
-  | {
-      id: "root";
-      dataKey?: undefined;
-      dataKeyVersion?: undefined;
-      name?: undefined;
-      subDirectoryIds: number[];
-      fileIds: number[];
-    }
-  | {
-      id: number;
-      dataKey?: CryptoKey;
-      dataKeyVersion?: Date;
-      name: string;
-      subDirectoryIds: number[];
-      fileIds: number[];
-    };
-
-export interface FileInfo {
-  id: number;
-  dataKey?: CryptoKey;
-  dataKeyVersion?: Date;
-  contentType: string;
-  contentIv?: string;
-  name: string;
-  createdAt?: Date;
-  lastModifiedAt: Date;
-  categoryIds: number[];
-}
-
-export type CategoryInfo =
-  | {
-      id: "root";
-      dataKey?: undefined;
-      dataKeyVersion?: undefined;
-      name?: undefined;
-      subCategoryIds: number[];
-      files?: undefined;
-    }
-  | {
-      id: number;
-      dataKey?: CryptoKey;
-      dataKeyVersion?: Date;
-      name: string;
-      subCategoryIds: number[];
-      files: { id: number; isRecursive: boolean }[];
-    };
-
-const directoryInfoStore = new Map<DirectoryId, Writable<DirectoryInfo | null>>();
-const fileInfoStore = new Map<number, Writable<FileInfo | null>>();
-const categoryInfoStore = new Map<CategoryId, Writable<CategoryInfo | null>>();
-
-const fetchDirectoryInfoFromIndexedDB = async (
-  id: DirectoryId,
-  info: Writable<DirectoryInfo | null>,
-) => {
-  if (get(info)) return;
-
-  const [directory, subDirectories, files] = await Promise.all([
-    id !== "root" ? getDirectoryInfoFromIndexedDB(id) : undefined,
-    getDirectoryInfosFromIndexedDB(id),
-    getFileInfosFromIndexedDB(id),
-  ]);
-  const subDirectoryIds = subDirectories.map(({ id }) => id);
-  const fileIds = files.map(({ id }) => id);
-
-  if (id === "root") {
-    info.set({ id, subDirectoryIds, fileIds });
-  } else {
-    if (!directory) return;
-    info.set({ id, name: directory.name, subDirectoryIds, fileIds });
-  }
-};
-
-const fetchDirectoryInfoFromServer = async (
-  id: DirectoryId,
-  info: Writable<DirectoryInfo | null>,
-  masterKey: CryptoKey,
-) => {
-  const res = await callGetApi(`/api/directory/${id}`);
-  if (res.status === 404) {
-    info.set(null);
-    await deleteDirectoryInfo(id as number);
-    return;
-  } else if (!res.ok) {
-    throw new Error("Failed to fetch directory information");
-  }
-
-  const {
-    metadata,
-    subDirectories: subDirectoryIds,
-    files: fileIds,
-  }: DirectoryInfoResponse = await res.json();
-
-  if (id === "root") {
-    info.set({ id, subDirectoryIds, fileIds });
-  } else {
-    const { dataKey } = await unwrapDataKey(metadata!.dek, masterKey);
-    const name = await decryptString(metadata!.name, metadata!.nameIv, dataKey);
-
-    info.set({
-      id,
-      dataKey,
-      dataKeyVersion: new Date(metadata!.dekVersion),
-      name,
-      subDirectoryIds,
-      fileIds,
-    });
-    await storeDirectoryInfo({ id, parentId: metadata!.parent, name });
-  }
-};
-
-const fetchDirectoryInfo = async (
-  id: DirectoryId,
-  info: Writable<DirectoryInfo | null>,
-  masterKey: CryptoKey,
-) => {
-  await fetchDirectoryInfoFromIndexedDB(id, info);
-  await fetchDirectoryInfoFromServer(id, info, masterKey);
-};
-
-export const getDirectoryInfo = (id: DirectoryId, masterKey: CryptoKey) => {
-  // TODO: MEK rotation
-
-  let info = directoryInfoStore.get(id);
-  if (!info) {
-    info = writable(null);
-    directoryInfoStore.set(id, info);
-  }
-
-  fetchDirectoryInfo(id, info, masterKey); // Intended
-  return info;
-};
-
-const fetchFileInfoFromIndexedDB = async (id: number, info: Writable<FileInfo | null>) => {
-  if (get(info)) return;
-
-  const file = await getFileInfoFromIndexedDB(id);
-  if (!file) return;
-
-  info.set(file);
-};
-
-const decryptDate = async (ciphertext: string, iv: string, dataKey: CryptoKey) => {
-  return new Date(parseInt(await decryptString(ciphertext, iv, dataKey), 10));
-};
-
-const fetchFileInfoFromServer = async (
-  id: number,
-  info: Writable<FileInfo | null>,
-  masterKey: CryptoKey,
-) => {
-  const res = await callGetApi(`/api/file/${id}`);
-  if (res.status === 404) {
-    info.set(null);
-    await deleteFileInfo(id);
-    return;
-  } else if (!res.ok) {
-    throw new Error("Failed to fetch file information");
-  }
-
-  const metadata: FileInfoResponse = await res.json();
-  const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
-
-  const name = await decryptString(metadata.name, metadata.nameIv, dataKey);
-  const createdAt =
-    metadata.createdAt && metadata.createdAtIv
-      ? await decryptDate(metadata.createdAt, metadata.createdAtIv, dataKey)
-      : undefined;
-  const lastModifiedAt = await decryptDate(
-    metadata.lastModifiedAt,
-    metadata.lastModifiedAtIv,
-    dataKey,
-  );
-
-  info.set({
-    id,
-    dataKey,
-    dataKeyVersion: new Date(metadata.dekVersion),
-    contentType: metadata.contentType,
-    contentIv: metadata.contentIv,
-    name,
-    createdAt,
-    lastModifiedAt,
-    categoryIds: metadata.categories,
-  });
-  await storeFileInfo({
-    id,
-    parentId: metadata.parent,
-    name,
-    contentType: metadata.contentType,
-    createdAt,
-    lastModifiedAt,
-    categoryIds: metadata.categories,
-  });
-};
-
-const fetchFileInfo = async (id: number, info: Writable<FileInfo | null>, masterKey: CryptoKey) => {
-  await fetchFileInfoFromIndexedDB(id, info);
-  await fetchFileInfoFromServer(id, info, masterKey);
-};
-
-export const getFileInfo = (fileId: number, masterKey: CryptoKey) => {
-  // TODO: MEK rotation
-
-  let info = fileInfoStore.get(fileId);
-  if (!info) {
-    info = writable(null);
-    fileInfoStore.set(fileId, info);
-  }
-
-  fetchFileInfo(fileId, info, masterKey); // Intended
-  return info;
-};
-
-const fetchCategoryInfoFromIndexedDB = async (
-  id: CategoryId,
-  info: Writable<CategoryInfo | null>,
-) => {
-  if (get(info)) return;
-
-  const [category, subCategories] = await Promise.all([
-    id !== "root" ? getCategoryInfoFromIndexedDB(id) : undefined,
-    getCategoryInfosFromIndexedDB(id),
-  ]);
-  const subCategoryIds = subCategories.map(({ id }) => id);
-
-  if (id === "root") {
-    info.set({ id, subCategoryIds });
-  } else {
-    if (!category) return;
-    info.set({ id, name: category.name, subCategoryIds, files: category.files });
-  }
-};
-
-const fetchCategoryInfoFromServer = async (
-  id: CategoryId,
-  info: Writable<CategoryInfo | null>,
-  masterKey: CryptoKey,
-) => {
-  let res = await callGetApi(`/api/category/${id}`);
-  if (res.status === 404) {
-    info.set(null);
-    await deleteCategoryInfo(id as number);
-    return;
-  } else if (!res.ok) {
-    throw new Error("Failed to fetch category information");
-  }
-
-  const { metadata, subCategories }: CategoryInfoResponse = await res.json();
-
-  if (id === "root") {
-    info.set({ id, subCategoryIds: subCategories });
-  } else {
-    const { dataKey } = await unwrapDataKey(metadata!.dek, masterKey);
-    const name = await decryptString(metadata!.name, metadata!.nameIv, dataKey);
-
-    res = await callGetApi(`/api/category/${id}/file/list?recurse=true`);
-    if (!res.ok) {
-      throw new Error("Failed to fetch category files");
-    }
-
-    const { files }: CategoryFileListResponse = await res.json();
-    const filesMapped = files.map(({ file, isRecursive }) => ({ id: file, isRecursive }));
-
-    info.set({
-      id,
-      dataKey,
-      dataKeyVersion: new Date(metadata!.dekVersion),
-      name,
-      subCategoryIds: subCategories,
-      files: filesMapped,
-    });
-    await storeCategoryInfo({
-      id,
-      parentId: metadata!.parent,
-      name,
-      files: filesMapped,
-    });
-  }
-};
-
-const fetchCategoryInfo = async (
-  id: CategoryId,
-  info: Writable<CategoryInfo | null>,
-  masterKey: CryptoKey,
-) => {
-  await fetchCategoryInfoFromIndexedDB(id, info);
-  await fetchCategoryInfoFromServer(id, info, masterKey);
-};
-
-export const getCategoryInfo = (categoryId: CategoryId, masterKey: CryptoKey) => {
-  // TODO: MEK rotation
-
-  let info = categoryInfoStore.get(categoryId);
-  if (!info) {
-    info = writable(null);
-    categoryInfoStore.set(categoryId, info);
-  }
-
-  fetchCategoryInfo(categoryId, info, masterKey); // Intended
-  return info;
-};
--- a/src/lib/modules/filesystem/category.ts
+++ b/src/lib/modules/filesystem/category.ts
@@ -0,0 +1,164 @@
+import * as IndexedDB from "$lib/indexedDB";
+import { trpc, isTRPCClientError } from "$trpc/client";
+import { FilesystemCache, decryptFileMetadata, decryptCategoryMetadata } from "./internal.svelte";
+import type { MaybeCategoryInfo } from "./types";
+
+const cache = new FilesystemCache<CategoryId, MaybeCategoryInfo, Partial<MaybeCategoryInfo>>();
+
+const fetchFromIndexedDB = async (id: CategoryId) => {
+  const [category, subCategories] = await Promise.all([
+    id !== "root" ? IndexedDB.getCategoryInfo(id) : undefined,
+    IndexedDB.getCategoryInfos(id),
+  ]);
+  const files = category
+    ? await Promise.all(
+        category.files.map(async (file) => {
+          const fileInfo = await IndexedDB.getFileInfo(file.id);
+          return fileInfo
+            ? {
+                id: file.id,
+                contentType: fileInfo.contentType,
+                name: fileInfo.name,
+                createdAt: fileInfo.createdAt,
+                lastModifiedAt: fileInfo.lastModifiedAt,
+                isRecursive: file.isRecursive,
+              }
+            : undefined;
+        }),
+      )
+    : undefined;
+
+  if (id === "root") {
+    return {
+      id,
+      exists: true as const,
+      subCategories,
+    };
+  } else if (category) {
+    return {
+      id,
+      exists: true as const,
+      name: category.name,
+      subCategories,
+      files: files!.filter((file) => !!file),
+      isFileRecursive: category.isFileRecursive,
+    };
+  }
+};
+
+const fetchFromServer = async (id: CategoryId, masterKey: CryptoKey) => {
+  try {
+    const {
+      metadata,
+      subCategories: subCategoriesRaw,
+      files: filesRaw,
+    } = await trpc().category.get.query({ id, recurse: true });
+    const subCategories = await Promise.all(
+      subCategoriesRaw.map(async (category) => {
+        const decrypted = await decryptCategoryMetadata(category, masterKey);
+        const existing = await IndexedDB.getCategoryInfo(category.id);
+        await IndexedDB.storeCategoryInfo({
+          id: category.id,
+          parentId: id,
+          name: decrypted.name,
+          files: existing?.files ?? [],
+          isFileRecursive: existing?.isFileRecursive ?? false,
+        });
+        return {
+          id: category.id,
+          ...decrypted,
+        };
+      }),
+    );
+
+    const existingFiles = filesRaw
+      ? await IndexedDB.bulkGetFileInfos(filesRaw.map((file) => file.id))
+      : [];
+    const files = filesRaw
+      ? await Promise.all(
+          filesRaw.map(async (file, index) => {
+            const decrypted = await decryptFileMetadata(file, masterKey);
+            const existing = existingFiles[index];
+            if (existing) {
+              const categoryIds = file.isRecursive
+                ? existing.categoryIds
+                : Array.from(new Set([...existing.categoryIds, id as number]));
+              await IndexedDB.storeFileInfo({
+                id: file.id,
+                parentId: existing.parentId,
+                contentType: file.contentType,
+                name: decrypted.name,
+                createdAt: decrypted.createdAt,
+                lastModifiedAt: decrypted.lastModifiedAt,
+                categoryIds,
+              });
+            }
+            return {
+              id: file.id,
+              contentType: file.contentType,
+              isRecursive: file.isRecursive,
+              ...decrypted,
+            };
+          }),
+        )
+      : undefined;
+
+    const decryptedMetadata = metadata
+      ? await decryptCategoryMetadata(metadata, masterKey)
+      : undefined;
+    if (id !== "root" && metadata && decryptedMetadata) {
+      const existingCategory = await IndexedDB.getCategoryInfo(id);
+      await IndexedDB.storeCategoryInfo({
+        id: id as number,
+        parentId: metadata.parent,
+        name: decryptedMetadata.name,
+        files:
+          files?.map((file) => ({
+            id: file.id,
+            isRecursive: file.isRecursive,
+          })) ??
+          existingCategory?.files ??
+          [],
+        isFileRecursive: existingCategory?.isFileRecursive ?? false,
+      });
+    }
+
+    if (id === "root") {
+      return {
+        id,
+        exists: true as const,
+        subCategories,
+      };
+    } else {
+      return {
+        id,
+        exists: true as const,
+        subCategories,
+        files,
+        ...decryptedMetadata!,
+      };
+    }
+  } catch (e) {
+    if (isTRPCClientError(e) && e.data?.code === "NOT_FOUND") {
+      await IndexedDB.deleteCategoryInfo(id as number);
+      return { id, exists: false as const };
+    }
+    throw e;
+  }
+};
+
+export const getCategoryInfo = async (id: CategoryId, masterKey: CryptoKey) => {
+  return await cache.get(id, async (isInitial, resolve) => {
+    if (isInitial) {
+      const info = await fetchFromIndexedDB(id);
+      if (info) {
+        resolve(info);
+      }
+    }
+
+    const info = await fetchFromServer(id, masterKey);
+    if (info) {
+      resolve(info);
+    }
+  });
+};
--- a/src/lib/modules/filesystem/directory.ts
+++ b/src/lib/modules/filesystem/directory.ts
@@ -0,0 +1,121 @@
+import * as IndexedDB from "$lib/indexedDB";
+import { monotonicResolve } from "$lib/utils";
+import { trpc, isTRPCClientError } from "$trpc/client";
+import { FilesystemCache, decryptDirectoryMetadata, decryptFileMetadata } from "./internal.svelte";
+import type { MaybeDirectoryInfo } from "./types";
+
+const cache = new FilesystemCache<DirectoryId, MaybeDirectoryInfo>();
+
+const fetchFromIndexedDB = async (id: DirectoryId) => {
+  const [directory, subDirectories, files] = await Promise.all([
+    id !== "root" ? IndexedDB.getDirectoryInfo(id) : undefined,
+    IndexedDB.getDirectoryInfos(id),
+    IndexedDB.getFileInfos(id),
+  ]);
+
+  if (id === "root") {
+    return {
+      id,
+      exists: true as const,
+      subDirectories,
+      files,
+    };
+  } else if (directory) {
+    return {
+      id,
+      exists: true as const,
+      parentId: directory.parentId,
+      name: directory.name,
+      subDirectories,
+      files,
+    };
+  }
+};
+
+const fetchFromServer = async (id: DirectoryId, masterKey: CryptoKey) => {
+  try {
+    const {
+      metadata,
+      subDirectories: subDirectoriesRaw,
+      files: filesRaw,
+    } = await trpc().directory.get.query({ id });
+    const existingFiles = await IndexedDB.bulkGetFileInfos(filesRaw.map((file) => file.id));
+    const [subDirectories, files, decryptedMetadata] = await Promise.all([
+      Promise.all(
+        subDirectoriesRaw.map(async (directory) => {
+          const decrypted = await decryptDirectoryMetadata(directory, masterKey);
+          await IndexedDB.storeDirectoryInfo({
+            id: directory.id,
+            parentId: id,
+            name: decrypted.name,
+          });
+          return {
+            id: directory.id,
+            ...decrypted,
+          };
+        }),
+      ),
+      Promise.all(
+        filesRaw.map(async (file, index) => {
+          const decrypted = await decryptFileMetadata(file, masterKey);
+          await IndexedDB.storeFileInfo({
+            id: file.id,
+            parentId: id,
+            contentType: file.contentType,
+            name: decrypted.name,
+            createdAt: decrypted.createdAt,
+            lastModifiedAt: decrypted.lastModifiedAt,
+            categoryIds: existingFiles[index]?.categoryIds ?? [],
+          });
+          return {
+            id: file.id,
+            contentType: file.contentType,
+            ...decrypted,
+          };
+        }),
+      ),
+      metadata ? decryptDirectoryMetadata(metadata, masterKey) : undefined,
+    ]);
+
+    if (id !== "root" && metadata && decryptedMetadata) {
+      await IndexedDB.storeDirectoryInfo({
+        id,
+        parentId: metadata.parent,
+        name: decryptedMetadata.name,
+      });
+    }
+
+    if (id === "root") {
+      return {
+        id,
+        exists: true as const,
+        subDirectories,
+        files,
+      };
+    } else {
+      return {
+        id,
+        exists: true as const,
+        parentId: metadata!.parent,
+        subDirectories,
+        files,
+        ...decryptedMetadata!,
+      };
+    }
+  } catch (e) {
+    if (isTRPCClientError(e) && e.data?.code === "NOT_FOUND") {
+      await IndexedDB.deleteDirectoryInfo(id as number);
+      return { id, exists: false as const };
+    }
+    throw e;
+  }
+};
+
+export const getDirectoryInfo = async (id: DirectoryId, masterKey: CryptoKey) => {
+  return await cache.get(id, (isInitial, resolve) =>
+    monotonicResolve(
+      [isInitial && fetchFromIndexedDB(id), fetchFromServer(id, masterKey)],
+      resolve,
+    ),
+  );
+};
--- a/src/lib/modules/filesystem/file.ts
+++ b/src/lib/modules/filesystem/file.ts
@@ -0,0 +1,175 @@
+import * as IndexedDB from "$lib/indexedDB";
+import { monotonicResolve } from "$lib/utils";
+import { trpc, isTRPCClientError } from "$trpc/client";
+import { FilesystemCache, decryptFileMetadata, decryptCategoryMetadata } from "./internal.svelte";
+import type { MaybeFileInfo } from "./types";
+
+const cache = new FilesystemCache<number, MaybeFileInfo>();
+
+const fetchFromIndexedDB = async (id: number) => {
+  const file = await IndexedDB.getFileInfo(id);
+  const categories = file
+    ? await Promise.all(
+        file.categoryIds.map(async (categoryId) => {
+          const category = await IndexedDB.getCategoryInfo(categoryId);
+          return category ? { id: category.id, name: category.name } : undefined;
+        }),
+      )
+    : undefined;
+
+  if (file) {
+    return {
+      id,
+      exists: true as const,
+      parentId: file.parentId,
+      contentType: file.contentType,
+      name: file.name,
+      createdAt: file.createdAt,
+      lastModifiedAt: file.lastModifiedAt,
+      categories: categories!.filter((category) => !!category),
+    };
+  }
+};
+
+const bulkFetchFromIndexedDB = async (ids: number[]) => {
+  const files = await IndexedDB.bulkGetFileInfos(ids);
+  const categories = await Promise.all(
+    files.map(async (file) =>
+      file
+        ? await Promise.all(
+            file.categoryIds.map(async (categoryId) => {
+              const category = await IndexedDB.getCategoryInfo(categoryId);
+              return category ? { id: category.id, name: category.name } : undefined;
+            }),
+          )
+        : undefined,
+    ),
+  );
+  return new Map(
+    files
+      .map((file, index) =>
+        file
+          ? ([
+              file.id,
+              {
+                ...file,
+                exists: true,
+                categories: categories[index]!.filter((category) => !!category),
+              },
+            ] as const)
+          : undefined,
+      )
+      .filter((file) => !!file),
+  );
+};
+
+const fetchFromServer = async (id: number, masterKey: CryptoKey) => {
+  try {
+    const { categories: categoriesRaw, ...metadata } = await trpc().file.get.query({ id });
+    const [categories, decryptedMetadata] = await Promise.all([
+      Promise.all(
+        categoriesRaw.map(async (category) => ({
+          id: category.id,
+          ...(await decryptCategoryMetadata(category, masterKey)),
+        })),
+      ),
+      decryptFileMetadata(metadata, masterKey),
+    ]);
+
+    await IndexedDB.storeFileInfo({
+      id,
+      parentId: metadata.parent,
+      contentType: metadata.contentType,
+      name: decryptedMetadata.name,
+      createdAt: decryptedMetadata.createdAt,
+      lastModifiedAt: decryptedMetadata.lastModifiedAt,
+      categoryIds: categories.map((category) => category.id),
+    });
+
+    return {
+      id,
+      exists: true as const,
+      parentId: metadata.parent,
+      contentType: metadata.contentType,
+      contentIv: metadata.contentIv,
+      categories,
+      ...decryptedMetadata,
+    };
+  } catch (e) {
+    if (isTRPCClientError(e) && e.data?.code === "NOT_FOUND") {
+      await IndexedDB.deleteFileInfo(id);
+      return { id, exists: false as const };
+    }
+    throw e;
+  }
+};
+
+const bulkFetchFromServer = async (ids: number[], masterKey: CryptoKey) => {
+  const filesRaw = await trpc().file.bulkGet.query({ ids });
+  const files = await Promise.all(
+    filesRaw.map(async (file) => {
+      const [categories, decryptedMetadata] = await Promise.all([
+        Promise.all(
+          file.categories.map(async (category) => ({
+            id: category.id,
+            ...(await decryptCategoryMetadata(category, masterKey)),
+          })),
+        ),
+        decryptFileMetadata(file, masterKey),
+      ]);
+
+      await IndexedDB.storeFileInfo({
+        id: file.id,
+        parentId: file.parent,
+        contentType: file.contentType,
+        name: decryptedMetadata.name,
+        createdAt: decryptedMetadata.createdAt,
+        lastModifiedAt: decryptedMetadata.lastModifiedAt,
+        categoryIds: categories.map((category) => category.id),
+      });
+      return {
+        id: file.id,
+        exists: true as const,
+        parentId: file.parent,
+        contentType: file.contentType,
+        contentIv: file.contentIv,
+        categories,
+        ...decryptedMetadata,
+      };
+    }),
+  );
+
+  const existingIds = new Set(filesRaw.map(({ id }) => id));
+  return new Map<number, MaybeFileInfo>([
+    ...files.map((file) => [file.id, file] as const),
+    ...ids.filter((id) => !existingIds.has(id)).map((id) => [id, { id, exists: false }] as const),
+  ]);
+};
+
+export const getFileInfo = async (id: number, masterKey: CryptoKey) => {
+  return await cache.get(id, (isInitial, resolve) =>
+    monotonicResolve(
+      [isInitial && fetchFromIndexedDB(id), fetchFromServer(id, masterKey)],
+      resolve,
+    ),
+  );
+};
+
+export const bulkGetFileInfo = async (ids: number[], masterKey: CryptoKey) => {
+  return await cache.bulkGet(new Set(ids), (keys, resolve) =>
+    monotonicResolve(
+      [
+        bulkFetchFromIndexedDB(
+          Array.from(
+            keys
+              .entries()
+              .filter(([, isInitial]) => isInitial)
+              .map(([key]) => key),
+          ),
+        ),
+        bulkFetchFromServer(Array.from(keys.keys()), masterKey),
+      ],
+      resolve,
+    ),
+  );
+};
--- a/src/lib/modules/filesystem/index.ts
+++ b/src/lib/modules/filesystem/index.ts
@@ -0,0 +1,4 @@
+export * from "./category";
+export * from "./directory";
+export * from "./file";
+export * from "./types";
--- a/src/lib/modules/filesystem/internal.svelte.ts
+++ b/src/lib/modules/filesystem/internal.svelte.ts
@@ -0,0 +1,130 @@
+import { unwrapDataKey, decryptString } from "$lib/modules/crypto";
+
+export class FilesystemCache<K, V extends RV, RV = V> {
+  private map = new Map<K, V | Promise<V>>();
+
+  get(key: K, loader: (isInitial: boolean, resolve: (value: RV | undefined) => void) => void) {
+    const info = this.map.get(key);
+    if (info instanceof Promise) {
+      return info;
+    }
+
+    const { promise, resolve } = Promise.withResolvers<V>();
+    if (!info) {
+      this.map.set(key, promise);
+    }
+
+    loader(!info, (loadedInfo) => {
+      if (!loadedInfo) return;
+
+      const info = this.map.get(key)!;
+      if (info instanceof Promise) {
+        const state = $state(loadedInfo);
+        this.map.set(key, state as V);
+        resolve(state as V);
+      } else {
+        Object.assign(info, loadedInfo);
+        resolve(info);
+      }
+    });
+
+    return info ?? promise;
+  }
+
+  async bulkGet(
+    keys: Set<K>,
+    loader: (keys: Map<K, boolean>, resolve: (values: Map<K, RV>) => void) => void,
+  ) {
+    const states = new Map<K, V>();
+    const promises = new Map<K, Promise<V>>();
+    const resolvers = new Map<K, (value: V) => void>();
+
+    keys.forEach((key) => {
+      const info = this.map.get(key);
+      if (info instanceof Promise) {
+        promises.set(key, info);
+      } else if (info) {
+        states.set(key, info);
+      } else {
+        const { promise, resolve } = Promise.withResolvers<V>();
+        this.map.set(key, promise);
+        promises.set(key, promise);
+        resolvers.set(key, resolve);
+      }
+    });
+
+    loader(
+      new Map([
+        ...states.keys().map((key) => [key, false] as const),
+        ...resolvers.keys().map((key) => [key, true] as const),
+      ]),
+      (loadedInfos) =>
+        loadedInfos.forEach((loadedInfo, key) => {
+          const info = this.map.get(key)!;
+          const resolve = resolvers.get(key);
+          if (info instanceof Promise) {
+            const state = $state(loadedInfo);
+            this.map.set(key, state as V);
+            resolve?.(state as V);
+          } else {
+            Object.assign(info, loadedInfo);
+            resolve?.(info);
+          }
+        }),
+    );
+
+    const newStates = await Promise.all(
+      promises.entries().map(async ([key, promise]) => [key, await promise] as const),
+    );
+    return new Map([...states, ...newStates]);
+  }
+}
+
+export const decryptDirectoryMetadata = async (
+  metadata: { dek: string; dekVersion: Date; name: string; nameIv: string },
+  masterKey: CryptoKey,
+) => {
+  const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
+  const name = await decryptString(metadata.name, metadata.nameIv, dataKey);
+
+  return {
+    dataKey: { key: dataKey, version: metadata.dekVersion },
+    name,
+  };
+};
+
+const decryptDate = async (ciphertext: string, iv: string, dataKey: CryptoKey) => {
+  return new Date(parseInt(await decryptString(ciphertext, iv, dataKey), 10));
+};
+
+export const decryptFileMetadata = async (
+  metadata: {
+    dek: string;
+    dekVersion: Date;
+    name: string;
+    nameIv: string;
+    createdAt?: string;
+    createdAtIv?: string;
+    lastModifiedAt: string;
+    lastModifiedAtIv: string;
+  },
+  masterKey: CryptoKey,
+) => {
+  const { dataKey } = await unwrapDataKey(metadata.dek, masterKey);
+  const [name, createdAt, lastModifiedAt] = await Promise.all([
+    decryptString(metadata.name, metadata.nameIv, dataKey),
+    metadata.createdAt
+      ? decryptDate(metadata.createdAt, metadata.createdAtIv!, dataKey)
+      : undefined,
+    decryptDate(metadata.lastModifiedAt, metadata.lastModifiedAtIv, dataKey),
+  ]);
+
+  return {
+    dataKey: { key: dataKey, version: metadata.dekVersion },
+    name,
+    createdAt,
+    lastModifiedAt,
+  };
+};
+
+export const decryptCategoryMetadata = decryptDirectoryMetadata;
--- a/src/lib/modules/filesystem/types.ts
+++ b/src/lib/modules/filesystem/types.ts
@@ -0,0 +1,71 @@
+export type DataKey = { key: CryptoKey; version: Date };
+type AllUndefined<T> = { [K in keyof T]?: undefined };
+
+interface LocalDirectoryInfo {
+  id: number;
+  parentId: DirectoryId;
+  dataKey?: DataKey;
+  name: string;
+  subDirectories: SubDirectoryInfo[];
+  files: SummarizedFileInfo[];
+}
+
+interface RootDirectoryInfo {
+  id: "root";
+  parentId?: undefined;
+  dataKey?: undefined;
+  name?: undefined;
+  subDirectories: SubDirectoryInfo[];
+  files: SummarizedFileInfo[];
+}
+
+export type DirectoryInfo = LocalDirectoryInfo | RootDirectoryInfo;
+export type SubDirectoryInfo = Omit<LocalDirectoryInfo, "parentId" | "subDirectories" | "files">;
+export type MaybeDirectoryInfo =
+  | (DirectoryInfo & { exists: true })
+  | ({ id: DirectoryId; exists: false } & AllUndefined<Omit<DirectoryInfo, "id">>);
+
+export interface FileInfo {
+  id: number;
+  parentId: DirectoryId;
+  dataKey?: DataKey;
+  contentType: string;
+  contentIv?: string;
+  name: string;
+  createdAt?: Date;
+  lastModifiedAt: Date;
+  categories: { id: number; name: string }[];
+}
+
+export type SummarizedFileInfo = Omit<FileInfo, "parentId" | "contentIv" | "categories">;
+export type CategoryFileInfo = SummarizedFileInfo & { isRecursive: boolean };
+export type MaybeFileInfo =
+  | (FileInfo & { exists: true })
+  | ({ id: number; exists: false } & AllUndefined<Omit<FileInfo, "id">>);
+
+interface LocalCategoryInfo {
+  id: number;
+  dataKey?: DataKey;
+  name: string;
+  subCategories: SubCategoryInfo[];
+  files: CategoryFileInfo[];
+  isFileRecursive: boolean;
+}
+
+interface RootCategoryInfo {
+  id: "root";
+  dataKey?: undefined;
+  name?: undefined;
+  subCategories: SubCategoryInfo[];
+  files?: undefined;
+  isFileRecursive?: undefined;
+}
+
+export type CategoryInfo = LocalCategoryInfo | RootCategoryInfo;
+export type SubCategoryInfo = Omit<
+  LocalCategoryInfo,
+  "subCategories" | "files" | "isFileRecursive"
+>;
+export type MaybeCategoryInfo =
+  | (CategoryInfo & { exists: true })
+  | ({ id: CategoryId; exists: false } & AllUndefined<Omit<CategoryInfo, "id">>);
--- a/src/lib/modules/key.ts
+++ b/src/lib/modules/key.ts
@@ -0,0 +1,65 @@
+import { z } from "zod";
+import { storeClientKey } from "$lib/indexedDB";
+import type { ClientKeys } from "$lib/stores";
+
+const serializedClientKeysSchema = z.intersection(
+  z.object({
+    generator: z.literal("ArkVault"),
+    exportedAt: z.iso.datetime(),
+  }),
+  z.object({
+    version: z.literal(1),
+    encryptKey: z.base64().nonempty(),
+    decryptKey: z.base64().nonempty(),
+    signKey: z.base64().nonempty(),
+    verifyKey: z.base64().nonempty(),
+  }),
+);
+
+type SerializedClientKeys = z.infer<typeof serializedClientKeysSchema>;
+
+type DeserializedClientKeys = {
+  encryptKeyBase64: string;
+  decryptKeyBase64: string;
+  signKeyBase64: string;
+  verifyKeyBase64: string;
+};
+
+export const serializeClientKeys = ({
+  encryptKeyBase64,
+  decryptKeyBase64,
+  signKeyBase64,
+  verifyKeyBase64,
+}: DeserializedClientKeys) => {
+  return JSON.stringify({
+    version: 1,
+    generator: "ArkVault",
+    exportedAt: new Date().toISOString(),
+    encryptKey: encryptKeyBase64,
+    decryptKey: decryptKeyBase64,
+    signKey: signKeyBase64,
+    verifyKey: verifyKeyBase64,
+  } satisfies SerializedClientKeys);
+};
+
+export const deserializeClientKeys = (serialized: string) => {
+  const zodRes = serializedClientKeysSchema.safeParse(JSON.parse(serialized));
+  if (zodRes.success) {
+    return {
+      encryptKeyBase64: zodRes.data.encryptKey,
+      decryptKeyBase64: zodRes.data.decryptKey,
+      signKeyBase64: zodRes.data.signKey,
+      verifyKeyBase64: zodRes.data.verifyKey,
+    } satisfies DeserializedClientKeys;
+  }
+  return undefined;
+};
+
+export const storeClientKeys = async (clientKeys: ClientKeys) => {
+  await Promise.all([
+    storeClientKey(clientKeys.encryptKey, "encrypt"),
+    storeClientKey(clientKeys.decryptKey, "decrypt"),
+    storeClientKey(clientKeys.signKey, "sign"),
+    storeClientKey(clientKeys.verifyKey, "verify"),
+  ]);
+};
--- a/src/lib/modules/opfs.ts
+++ b/src/lib/modules/opfs.ts
@@ -59,3 +59,39 @@ export const deleteFile = async (path: string) => {

  await parentHandle.removeEntry(filename);
 };
+
+const getDirectoryHandle = async (path: string) => {
+  if (!rootHandle) {
+    throw new Error("OPFS not prepared");
+  } else if (path[0] !== "/") {
+    throw new Error("Path must be absolute");
+  }
+
+  const parts = path.split("/");
+  if (parts.length <= 1) {
+    throw new Error("Invalid path");
+  }
+
+  try {
+    let directoryHandle = rootHandle;
+    let parentHandle;
+    for (const part of parts.slice(1)) {
+      if (!part) continue;
+      parentHandle = directoryHandle;
+      directoryHandle = await directoryHandle.getDirectoryHandle(part);
+    }
+    return { directoryHandle, parentHandle };
+  } catch (e) {
+    if (e instanceof DOMException && e.name === "NotFoundError") {
+      return {};
+    }
+    throw e;
+  }
+};
+
+export const deleteDirectory = async (path: string) => {
+  const { directoryHandle, parentHandle } = await getDirectoryHandle(path);
+  if (!parentHandle) return;
+
+  await parentHandle.removeEntry(directoryHandle.name, { recursive: true });
+};
--- a/src/lib/modules/thumbnail.ts
+++ b/src/lib/modules/thumbnail.ts
@@ -0,0 +1,127 @@
+import { encodeToBase64 } from "$lib/modules/crypto";
+
+const scaleSize = (width: number, height: number, targetSize: number) => {
+  if (width <= targetSize || height <= targetSize) {
+    return { width, height };
+  }
+
+  const scale = targetSize / Math.min(width, height);
+  return {
+    width: Math.round(width * scale),
+    height: Math.round(height * scale),
+  };
+};
+
+const capture = (
+  width: number,
+  height: number,
+  drawer: (context: CanvasRenderingContext2D, width: number, height: number) => void,
+  targetSize = 250,
+) => {
+  return new Promise<Blob>((resolve, reject) => {
+    const canvas = document.createElement("canvas");
+    const { width: scaledWidth, height: scaledHeight } = scaleSize(width, height, targetSize);
+
+    canvas.width = scaledWidth;
+    canvas.height = scaledHeight;
+
+    const context = canvas.getContext("2d");
+    if (!context) {
+      return reject(new Error("Failed to generate thumbnail"));
+    }
+
+    drawer(context, scaledWidth, scaledHeight);
+    canvas.toBlob((blob) => {
+      if (blob && blob.type === "image/webp") {
+        resolve(blob);
+      } else {
+        reject(new Error("Failed to generate thumbnail"));
+      }
+    }, "image/webp");
+  });
+};
+
+const generateImageThumbnail = (imageUrl: string) => {
+  return new Promise<Blob>((resolve, reject) => {
+    const image = new Image();
+    image.onload = () => {
+      capture(image.width, image.height, (context, width, height) => {
+        context.drawImage(image, 0, 0, width, height);
+      })
+        .then(resolve)
+        .catch(reject);
+    };
+    image.onerror = reject;
+
+    image.src = imageUrl;
+  });
+};
+
+export const captureVideoThumbnail = (video: HTMLVideoElement) => {
+  return capture(video.videoWidth, video.videoHeight, (context, width, height) => {
+    context.drawImage(video, 0, 0, width, height);
+  });
+};
+
+const generateVideoThumbnail = (videoUrl: string, time = 0) => {
+  return new Promise<Blob>((resolve, reject) => {
+    const video = document.createElement("video");
+    video.onloadedmetadata = () => {
+      if (video.videoWidth === 0 || video.videoHeight === 0) {
+        return reject();
+      }
+
+      const callbackId = video.requestVideoFrameCallback(() => {
+        captureVideoThumbnail(video).then(resolve).catch(reject);
+        video.cancelVideoFrameCallback(callbackId);
+      });
+      video.currentTime = Math.min(time, video.duration);
+    };
+    video.onerror = reject;
+
+    video.muted = true;
+    video.playsInline = true;
+    video.src = videoUrl;
+  });
+};
+
+export const generateThumbnail = async (fileBuffer: ArrayBuffer, fileType: string) => {
+  let url;
+  try {
+    if (fileType.startsWith("image/")) {
+      const fileBlob = new Blob([fileBuffer], { type: fileType });
+      url = URL.createObjectURL(fileBlob);
+
+      try {
+        return await generateImageThumbnail(url);
+      } catch {
+        URL.revokeObjectURL(url);
+        url = undefined;
+
+        if (fileType === "image/heic") {
+          const { default: heic2any } = await import("heic2any");
+          url = URL.createObjectURL(
+            (await heic2any({ blob: fileBlob, toType: "image/png" })) as Blob,
+          );
+          return await generateImageThumbnail(url);
+        } else {
+          return null;
+        }
+      }
+    } else if (fileType.startsWith("video/")) {
+      url = URL.createObjectURL(new Blob([fileBuffer], { type: fileType }));
+      return await generateVideoThumbnail(url);
+    }
+    return null;
+  } catch {
+    return null;
+  } finally {
+    if (url) {
+      URL.revokeObjectURL(url);
+    }
+  }
+};
+
+export const getThumbnailUrl = (thumbnailBuffer: ArrayBuffer) => {
+  return `data:image/webp;base64,${encodeToBase64(thumbnailBuffer)}`;
+};
--- a/src/lib/server/db/category.ts
+++ b/src/lib/server/db/category.ts
@@ -2,8 +2,6 @@ import { IntegrityError } from "./error";
 import db from "./kysely";
 import type { Ciphertext } from "./schema";

-export type CategoryId = "root" | number;
-
 interface Category {
  id: number;
  parentId: CategoryId;
--- a/src/lib/server/db/client.ts
+++ b/src/lib/server/db/client.ts
@@ -98,22 +98,6 @@ export const createUserClient = async (userId: number, clientId: number) => {
  }
 };

-export const getAllUserClients = async (userId: number) => {
-  const userClients = await db
-    .selectFrom("user_client")
-    .selectAll()
-    .where("user_id", "=", userId)
-    .execute();
-  return userClients.map(
-    ({ user_id, client_id, state }) =>
-      ({
-        userId: user_id,
-        clientId: client_id,
-        state,
-      }) satisfies UserClient,
-  );
-};
-
 export const getUserClient = async (userId: number, clientId: number) => {
  const userClient = await db
    .selectFrom("user_client")
@@ -178,7 +162,7 @@ export const registerUserClientChallenge = async (
  allowedIp: string,
  expiresAt: Date,
 ) => {
-  await db
+  const { id } = await db
    .insertInto("user_client_challenge")
    .values({
      user_id: userId,
@@ -187,19 +171,25 @@ export const registerUserClientChallenge = async (
      allowed_ip: allowedIp,
      expires_at: expiresAt,
    })
-    .execute();
+    .returning("id")
+    .executeTakeFirstOrThrow();
+  return { id };
 };

-export const consumeUserClientChallenge = async (userId: number, answer: string, ip: string) => {
+export const consumeUserClientChallenge = async (
+  challengeId: number,
+  userId: number,
+  ip: string,
+) => {
  const challenge = await db
    .deleteFrom("user_client_challenge")
+    .where("id", "=", challengeId)
    .where("user_id", "=", userId)
-    .where("answer", "=", answer)
    .where("allowed_ip", "=", ip)
    .where("expires_at", ">", new Date())
-    .returning("client_id")
+    .returning(["client_id", "answer"])
    .executeTakeFirst();
-  return challenge ? { clientId: challenge.client_id } : null;
+  return challenge ? { clientId: challenge.client_id, answer: challenge.answer } : null;
 };

 export const cleanupExpiredUserClientChallenges = async () => {
--- a/src/lib/server/db/file.ts
+++ b/src/lib/server/db/file.ts
@@ -1,11 +1,10 @@
-import { sql, type NotNull } from "kysely";
+import { sql } from "kysely";
+import { jsonArrayFrom } from "kysely/helpers/postgres";
 import pg from "pg";
 import { IntegrityError } from "./error";
 import db from "./kysely";
 import type { Ciphertext } from "./schema";

-export type DirectoryId = "root" | number;
-
 interface Directory {
  id: number;
  parentId: DirectoryId;
@@ -38,6 +37,14 @@ interface File {

 export type NewFile = Omit<File, "id">;

+interface FileCategory {
+  id: number;
+  mekVersion: number;
+  encDek: string;
+  dekVersion: Date;
+  encName: Ciphertext;
+}
+
 export const registerDirectory = async (params: NewDirectory) => {
  await db.transaction().execute(async (trx) => {
    const mek = await trx
@@ -163,16 +170,24 @@ export const unregisterDirectory = async (userId: number, directoryId: number) =
    .setIsolationLevel("repeatable read") // TODO: Sufficient?
    .execute(async (trx) => {
      const unregisterFiles = async (parentId: number) => {
-        return await trx
+        const files = await trx
+          .selectFrom("file")
+          .leftJoin("thumbnail", "file.id", "thumbnail.file_id")
+          .select(["file.id", "file.path", "thumbnail.path as thumbnailPath"])
+          .where("file.parent_id", "=", parentId)
+          .where("file.user_id", "=", userId)
+          .forUpdate("file")
+          .execute();
+        await trx
          .deleteFrom("file")
          .where("parent_id", "=", parentId)
          .where("user_id", "=", userId)
-          .returning(["id", "path"])
          .execute();
+        return files;
      };
      const unregisterDirectoryRecursively = async (
        directoryId: number,
-      ): Promise<{ id: number; path: string }[]> => {
+      ): Promise<{ id: number; path: string; thumbnailPath: string | null }[]> => {
        const files = await unregisterFiles(directoryId);
        const subDirectories = await trx
          .selectFrom("directory")
@@ -298,38 +313,56 @@ export const getAllFilesByCategory = async (
  recurse: boolean,
 ) => {
  const files = await db
-    .withRecursive("cte", (db) =>
+    .withRecursive("category_tree", (db) =>
      db
        .selectFrom("category")
-        .leftJoin("file_category", "category.id", "file_category.category_id")
-        .select(["id", "parent_id", "user_id", "file_category.file_id"])
-        .select(sql<number>`0`.as("depth"))
+        .select(["id", sql<number>`0`.as("depth")])
        .where("id", "=", categoryId)
+        .where("user_id", "=", userId)
        .$if(recurse, (qb) =>
          qb.unionAll((db) =>
            db
              .selectFrom("category")
-              .leftJoin("file_category", "category.id", "file_category.category_id")
-              .innerJoin("cte", "category.parent_id", "cte.id")
-              .select([
-                "category.id",
-                "category.parent_id",
-                "category.user_id",
-                "file_category.file_id",
-              ])
-              .select(sql<number>`cte.depth + 1`.as("depth")),
+              .innerJoin("category_tree", "category.parent_id", "category_tree.id")
+              .select(["category.id", sql<number>`depth + 1`.as("depth")]),
          ),
        ),
    )
-    .selectFrom("cte")
+    .selectFrom("category_tree")
+    .innerJoin("file_category", "category_tree.id", "file_category.category_id")
+    .innerJoin("file", "file_category.file_id", "file.id")
    .select(["file_id", "depth"])
+    .selectAll("file")
    .distinctOn("file_id")
-    .where("user_id", "=", userId)
-    .where("file_id", "is not", null)
-    .$narrowType<{ file_id: NotNull }>()
-    .orderBy(["file_id", "depth"])
+    .orderBy("file_id")
+    .orderBy("depth")
    .execute();
-  return files.map(({ file_id, depth }) => ({ id: file_id, isRecursive: depth > 0 }));
+  return files.map(
+    (file) =>
+      ({
+        id: file.file_id,
+        parentId: file.parent_id ?? "root",
+        userId: file.user_id,
+        path: file.path,
+        mekVersion: file.master_encryption_key_version,
+        encDek: file.encrypted_data_encryption_key,
+        dekVersion: file.data_encryption_key_version,
+        hskVersion: file.hmac_secret_key_version,
+        contentHmac: file.content_hmac,
+        contentType: file.content_type,
+        encContentIv: file.encrypted_content_iv,
+        encContentHash: file.encrypted_content_hash,
+        encName: file.encrypted_name,
+        encCreatedAt: file.encrypted_created_at,
+        encLastModifiedAt: file.encrypted_last_modified_at,
+        isRecursive: file.depth > 0,
+      }) satisfies File & { isRecursive: boolean },
+  );
+};
+
+export const getAllFileIds = async (userId: number) => {
+  const files = await db.selectFrom("file").select("id").where("user_id", "=", userId).execute();
+  return files.map(({ id }) => id);
 };

 export const getAllFileIdsByContentHmac = async (
@@ -344,7 +377,7 @@ export const getAllFileIdsByContentHmac = async (
    .where("hmac_secret_key_version", "=", hskVersion)
    .where("content_hmac", "=", contentHmac)
    .execute();
-  return files.map(({ id }) => ({ id }));
+  return files.map(({ id }) => id);
 };

 export const getFile = async (userId: number, fileId: number) => {
@@ -376,6 +409,51 @@ export const getFile = async (userId: number, fileId: number) => {
    : null;
 };

+export const getFilesWithCategories = async (userId: number, fileIds: number[]) => {
+  const files = await db
+    .selectFrom("file")
+    .selectAll()
+    .select((eb) =>
+      jsonArrayFrom(
+        eb
+          .selectFrom("file_category")
+          .innerJoin("category", "file_category.category_id", "category.id")
+          .where("file_category.file_id", "=", eb.ref("file.id"))
+          .selectAll("category"),
+      ).as("categories"),
+    )
+    .where("id", "=", (eb) => eb.fn.any(eb.val(fileIds)))
+    .where("user_id", "=", userId)
+    .execute();
+  return files.map(
+    (file) =>
+      ({
+        id: file.id,
+        parentId: file.parent_id ?? "root",
+        userId: file.user_id,
+        path: file.path,
+        mekVersion: file.master_encryption_key_version,
+        encDek: file.encrypted_data_encryption_key,
+        dekVersion: file.data_encryption_key_version,
+        hskVersion: file.hmac_secret_key_version,
+        contentHmac: file.content_hmac,
+        contentType: file.content_type,
+        encContentIv: file.encrypted_content_iv,
+        encContentHash: file.encrypted_content_hash,
+        encName: file.encrypted_name,
+        encCreatedAt: file.encrypted_created_at,
+        encLastModifiedAt: file.encrypted_last_modified_at,
+        categories: file.categories.map((category) => ({
+          id: category.id,
+          mekVersion: category.master_encryption_key_version,
+          encDek: category.encrypted_data_encryption_key,
+          dekVersion: new Date(category.data_encryption_key_version),
+          encName: category.encrypted_name,
+        })),
+      }) satisfies File & { categories: FileCategory[] },
+  );
+};
+
 export const setFileEncName = async (
  userId: number,
  fileId: number,
@@ -416,16 +494,22 @@ export const setFileEncName = async (
 };

 export const unregisterFile = async (userId: number, fileId: number) => {
-  const file = await db
-    .deleteFrom("file")
-    .where("id", "=", fileId)
-    .where("user_id", "=", userId)
-    .returning("path")
-    .executeTakeFirst();
-  if (!file) {
-    throw new IntegrityError("File not found");
-  }
-  return { path: file.path };
+  return await db.transaction().execute(async (trx) => {
+    const file = await trx
+      .selectFrom("file")
+      .leftJoin("thumbnail", "file.id", "thumbnail.file_id")
+      .select(["file.path", "thumbnail.path as thumbnailPath"])
+      .where("file.id", "=", fileId)
+      .where("file.user_id", "=", userId)
+      .forUpdate("file")
+      .executeTakeFirst();
+    if (!file) {
+      throw new IntegrityError("File not found");
+    }
+
+    await trx.deleteFrom("file").where("id", "=", fileId).execute();
+    return file;
+  });
 };

 export const addFileToCategory = async (fileId: number, categoryId: number) => {
@@ -456,10 +540,20 @@ export const addFileToCategory = async (fileId: number, categoryId: number) => {
 export const getAllFileCategories = async (fileId: number) => {
  const categories = await db
    .selectFrom("file_category")
-    .select("category_id")
+    .innerJoin("category", "file_category.category_id", "category.id")
+    .selectAll("category")
    .where("file_id", "=", fileId)
    .execute();
-  return categories.map(({ category_id }) => ({ id: category_id }));
+  return categories.map(
+    (category) =>
+      ({
+        id: category.id,
+        mekVersion: category.master_encryption_key_version,
+        encDek: category.encrypted_data_encryption_key,
+        dekVersion: category.data_encryption_key_version,
+        encName: category.encrypted_name,
+      }) satisfies FileCategory,
+  );
 };

 export const removeFileFromCategory = async (fileId: number, categoryId: number) => {
--- a/src/lib/server/db/index.ts
+++ b/src/lib/server/db/index.ts
@@ -0,0 +1,10 @@
+export * as CategoryRepo from "./category";
+export * as ClientRepo from "./client";
+export * as FileRepo from "./file";
+export * as HskRepo from "./hsk";
+export * as MediaRepo from "./media";
+export * as MekRepo from "./mek";
+export * as SessionRepo from "./session";
+export * as UserRepo from "./user";
+
+export * from "./error";
--- a/src/lib/server/db/media.ts
+++ b/src/lib/server/db/media.ts
@@ -0,0 +1,110 @@
+import type { NotNull } from "kysely";
+import { IntegrityError } from "./error";
+import db from "./kysely";
+
+interface Thumbnail {
+  id: number;
+  path: string;
+  updatedAt: Date;
+  encContentIv: string;
+}
+
+interface FileThumbnail extends Thumbnail {
+  fileId: number;
+}
+
+export const updateFileThumbnail = async (
+  userId: number,
+  fileId: number,
+  dekVersion: Date,
+  path: string,
+  encContentIv: string,
+) => {
+  return await db.transaction().execute(async (trx) => {
+    const file = await trx
+      .selectFrom("file")
+      .select("data_encryption_key_version")
+      .where("id", "=", fileId)
+      .where("user_id", "=", userId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    if (!file) {
+      throw new IntegrityError("File not found");
+    } else if (file.data_encryption_key_version.getTime() !== dekVersion.getTime()) {
+      throw new IntegrityError("Invalid DEK version");
+    }
+
+    const thumbnail = await trx
+      .selectFrom("thumbnail")
+      .select("path as oldPath")
+      .where("file_id", "=", fileId)
+      .limit(1)
+      .forUpdate()
+      .executeTakeFirst();
+    const now = new Date();
+
+    await trx
+      .insertInto("thumbnail")
+      .values({
+        file_id: fileId,
+        path,
+        updated_at: now,
+        encrypted_content_iv: encContentIv,
+      })
+      .onConflict((oc) =>
+        oc.column("file_id").doUpdateSet({
+          path,
+          updated_at: now,
+          encrypted_content_iv: encContentIv,
+        }),
+      )
+      .execute();
+    return thumbnail?.oldPath ?? null;
+  });
+};
+
+export const getFileThumbnail = async (userId: number, fileId: number) => {
+  const thumbnail = await db
+    .selectFrom("thumbnail")
+    .innerJoin("file", "thumbnail.file_id", "file.id")
+    .selectAll("thumbnail")
+    .where("file.id", "=", fileId)
+    .where("file.user_id", "=", userId)
+    .$narrowType<{ file_id: NotNull }>()
+    .limit(1)
+    .executeTakeFirst();
+  return thumbnail
+    ? ({
+        id: thumbnail.id,
+        fileId: thumbnail.file_id,
+        path: thumbnail.path,
+        encContentIv: thumbnail.encrypted_content_iv,
+        updatedAt: thumbnail.updated_at,
+      } satisfies FileThumbnail)
+    : null;
+};
+
+export const getMissingFileThumbnails = async (userId: number, limit: number = 100) => {
+  const files = await db
+    .selectFrom("file")
+    .select("id")
+    .where("user_id", "=", userId)
+    .where((eb) =>
+      eb.or([eb("content_type", "like", "image/%"), eb("content_type", "like", "video/%")]),
+    )
+    .where((eb) =>
+      eb.not(
+        eb.exists(
+          eb
+            .selectFrom("thumbnail")
+            .select("thumbnail.id")
+            .whereRef("thumbnail.file_id", "=", "file.id")
+            .limit(1),
+        ),
+      ),
+    )
+    .limit(limit)
+    .execute();
+  return files.map(({ id }) => id);
+};
--- a/src/lib/server/db/mek.ts
+++ b/src/lib/server/db/mek.ts
@@ -60,19 +60,6 @@ export const registerInitialMek = async (
  });
 };

-export const getInitialMek = async (userId: number) => {
-  const mek = await db
-    .selectFrom("master_encryption_key")
-    .selectAll()
-    .where("user_id", "=", userId)
-    .where("version", "=", 1)
-    .limit(1)
-    .executeTakeFirst();
-  return mek
-    ? ({ userId: mek.user_id, version: mek.version, state: mek.state } satisfies Mek)
-    : null;
-};
-
 export const getAllValidClientMeks = async (userId: number, clientId: number) => {
  const clientMeks = await db
    .selectFrom("client_master_encryption_key")
--- a/src/lib/server/db/migrations/1738409340-AddThumbnail.ts
+++ b/src/lib/server/db/migrations/1738409340-AddThumbnail.ts
@@ -0,0 +1,31 @@
+import { Kysely, sql } from "kysely";
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const up = async (db: Kysely<any>) => {
+  // media.ts
+  await db.schema
+    .createTable("thumbnail")
+    .addColumn("id", "integer", (col) => col.primaryKey().generatedAlwaysAsIdentity())
+    .addColumn("directory_id", "integer", (col) =>
+      col.references("directory.id").onDelete("cascade").unique(),
+    )
+    .addColumn("file_id", "integer", (col) =>
+      col.references("file.id").onDelete("cascade").unique(),
+    )
+    .addColumn("category_id", "integer", (col) =>
+      col.references("category.id").onDelete("cascade").unique(),
+    )
+    .addColumn("path", "text", (col) => col.unique().notNull())
+    .addColumn("updated_at", "timestamp(3)", (col) => col.notNull())
+    .addColumn("encrypted_content_iv", "text", (col) => col.notNull())
+    .addCheckConstraint(
+      "thumbnail_ck01",
+      sql`(file_id IS NOT NULL)::integer + (directory_id IS NOT NULL)::integer + (category_id IS NOT NULL)::integer = 1`,
+    )
+    .execute();
+};
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const down = async (db: Kysely<any>) => {
+  await db.schema.dropTable("thumbnail").execute();
+};
--- a/src/lib/server/db/migrations/index.ts
+++ b/src/lib/server/db/migrations/index.ts
@@ -1,7 +1,9 @@
 import * as Initial1737357000 from "./1737357000-Initial";
 import * as AddFileCategory1737422340 from "./1737422340-AddFileCategory";
+import * as AddThumbnail1738409340 from "./1738409340-AddThumbnail";

 export default {
  "1737357000-Initial": Initial1737357000,
  "1737422340-AddFileCategory": AddFileCategory1737422340,
+  "1738409340-AddThumbnail": AddThumbnail1738409340,
 };
--- a/src/lib/server/db/schema/index.ts
+++ b/src/lib/server/db/schema/index.ts
@@ -2,6 +2,7 @@ export * from "./category";
 export * from "./client";
 export * from "./file";
 export * from "./hsk";
+export * from "./media";
 export * from "./mek";
 export * from "./session";
 export * from "./user";
--- a/src/lib/server/db/schema/media.ts
+++ b/src/lib/server/db/schema/media.ts
@@ -0,0 +1,17 @@
+import type { Generated } from "kysely";
+
+interface ThumbnailTable {
+  id: Generated<number>;
+  directory_id: number | null;
+  file_id: number | null;
+  category_id: number | null;
+  path: string;
+  updated_at: Date;
+  encrypted_content_iv: string; // Base64
+}
+
+declare module "./index" {
+  interface Database {
+    thumbnail: ThumbnailTable;
+  }
+}
--- a/src/lib/server/db/session.ts
+++ b/src/lib/server/db/session.ts
@@ -5,31 +5,22 @@ import db from "./kysely";

 export const createSession = async (
  userId: number,
-  clientId: number | null,
  sessionId: string,
  ip: string | null,
  agent: string | null,
 ) => {
-  try {
-    const now = new Date();
-    await db
-      .insertInto("session")
-      .values({
-        id: sessionId,
-        user_id: userId,
-        client_id: clientId,
-        created_at: now,
-        last_used_at: now,
-        last_used_by_ip: ip || null,
-        last_used_by_agent: agent || null,
-      })
-      .execute();
-  } catch (e) {
-    if (e instanceof pg.DatabaseError && e.code === "23505") {
-      throw new IntegrityError("Session already exists");
-    }
-    throw e;
-  }
+  const now = new Date();
+  await db
+    .insertInto("session")
+    .values({
+      id: sessionId,
+      user_id: userId,
+      created_at: now,
+      last_used_at: now,
+      last_used_by_ip: ip || null,
+      last_used_by_agent: agent || null,
+    })
+    .execute();
 };

 export const refreshSession = async (
@@ -55,15 +46,37 @@ export const refreshSession = async (
  return { userId: session.user_id, clientId: session.client_id };
 };

-export const upgradeSession = async (sessionId: string, clientId: number) => {
-  const res = await db
-    .updateTable("session")
-    .set({ client_id: clientId })
-    .where("id", "=", sessionId)
-    .where("client_id", "is", null)
-    .executeTakeFirst();
-  if (res.numUpdatedRows === 0n) {
-    throw new IntegrityError("Session not found");
+export const upgradeSession = async (
+  userId: number,
+  sessionId: string,
+  clientId: number,
+  force: boolean,
+) => {
+  try {
+    await db.transaction().execute(async (trx) => {
+      if (force) {
+        await trx
+          .deleteFrom("session")
+          .where("id", "!=", sessionId)
+          .where("user_id", "=", userId)
+          .where("client_id", "=", clientId)
+          .execute();
+      }
+      const res = await trx
+        .updateTable("session")
+        .set({ client_id: clientId })
+        .where("id", "=", sessionId)
+        .where("client_id", "is", null)
+        .executeTakeFirst();
+      if (res.numUpdatedRows === 0n) {
+        throw new IntegrityError("Session not found");
+      }
+    });
+  } catch (e) {
+    if (e instanceof pg.DatabaseError && e.code === "23505") {
+      throw new IntegrityError("Session already exists");
+    }
+    throw e;
  }
 };

@@ -94,7 +107,7 @@ export const registerSessionUpgradeChallenge = async (
  expiresAt: Date,
 ) => {
  try {
-    await db
+    const { id } = await db
      .insertInto("session_upgrade_challenge")
      .values({
        session_id: sessionId,
@@ -103,7 +116,9 @@ export const registerSessionUpgradeChallenge = async (
        allowed_ip: allowedIp,
        expires_at: expiresAt,
      })
-      .execute();
+      .returning("id")
+      .executeTakeFirstOrThrow();
+    return { id };
  } catch (e) {
    if (e instanceof pg.DatabaseError && e.code === "23505") {
      throw new IntegrityError("Challenge already registered");
@@ -113,19 +128,19 @@ export const registerSessionUpgradeChallenge = async (
 };

 export const consumeSessionUpgradeChallenge = async (
+  challengeId: number,
  sessionId: string,
-  answer: string,
  ip: string,
 ) => {
  const challenge = await db
    .deleteFrom("session_upgrade_challenge")
+    .where("id", "=", challengeId)
    .where("session_id", "=", sessionId)
-    .where("answer", "=", answer)
    .where("allowed_ip", "=", ip)
    .where("expires_at", ">", new Date())
-    .returning("client_id")
+    .returning(["client_id", "answer"])
    .executeTakeFirst();
-  return challenge ? { clientId: challenge.client_id } : null;
+  return challenge ? { clientId: challenge.client_id, answer: challenge.answer } : null;
 };

 export const cleanupExpiredSessionUpgradeChallenges = async () => {
--- a/src/lib/server/db/user.ts
+++ b/src/lib/server/db/user.ts
@@ -27,10 +27,6 @@ export const getUserByEmail = async (email: string) => {
  return user ? (user satisfies User) : null;
 };

-export const setUserNickname = async (userId: number, nickname: string) => {
-  await db.updateTable("user").set({ nickname }).where("id", "=", userId).execute();
-};
-
 export const setUserPassword = async (userId: number, password: string) => {
  await db.updateTable("user").set({ password }).where("id", "=", userId).execute();
 };
--- a/src/lib/server/loadenv.ts
+++ b/src/lib/server/loadenv.ts
@@ -25,4 +25,5 @@ export default {
    sessionUpgradeExp: ms(env.SESSION_UPGRADE_CHALLENGE_EXPIRES || "5m"),
  },
  libraryPath: env.LIBRARY_PATH || "library",
+  thumbnailsPath: env.THUMBNAILS_PATH || "thumbnails",
 };
--- a/src/lib/server/middlewares/authenticate.ts
+++ b/src/lib/server/middlewares/authenticate.ts
@@ -1,12 +1,7 @@
 import { error, redirect, type Handle } from "@sveltejs/kit";
-import { authenticate, AuthenticationError } from "$lib/server/modules/auth";
+import { cookieOptions, authenticate, AuthenticationError } from "$lib/server/modules/auth";

 export const authenticateMiddleware: Handle = async ({ event, resolve }) => {
-  const { pathname, search } = event.url;
-  if (pathname === "/api/auth/login") {
-    return await resolve(event);
-  }
-
  try {
    const sessionIdSigned = event.cookies.get("sessionId");
    if (!sessionIdSigned) {
@@ -15,9 +10,11 @@ export const authenticateMiddleware: Handle = async ({ event, resolve }) => {

    const { ip, userAgent } = event.locals;
    event.locals.session = await authenticate(sessionIdSigned, ip, userAgent);
+    event.cookies.set("sessionId", sessionIdSigned, cookieOptions);
  } catch (e) {
    if (e instanceof AuthenticationError) {
-      if (pathname === "/auth/login") {
+      const { pathname, search } = event.url;
+      if (pathname === "/auth/login" || pathname.startsWith("/api/trpc")) {
        return await resolve(event);
      } else if (pathname.startsWith("/api")) {
        error(e.status, e.message);
--- a/src/lib/server/modules/auth.ts
+++ b/src/lib/server/modules/auth.ts
@@ -1,20 +1,25 @@
 import { error } from "@sveltejs/kit";
-import { getUserClient } from "$lib/server/db/client";
-import { IntegrityError } from "$lib/server/db/error";
-import { createSession, refreshSession } from "$lib/server/db/session";
+import { ClientRepo, SessionRepo, IntegrityError } from "$lib/server/db";
 import env from "$lib/server/loadenv";
-import { issueSessionId, verifySessionId } from "$lib/server/modules/crypto";
+import { verifySessionId } from "$lib/server/modules/crypto";

-interface Session {
+export interface Session {
  sessionId: string;
  userId: number;
  clientId?: number;
 }

-interface ClientSession extends Session {
+export interface ClientSession extends Session {
  clientId: number;
 }

+export type SessionPermission =
+  | "any"
+  | "notClient"
+  | "anyClient"
+  | "pendingClient"
+  | "activeClient";
+
 export class AuthenticationError extends Error {
  constructor(
    public status: 400 | 401,
@@ -25,11 +30,22 @@ export class AuthenticationError extends Error {
  }
 }

-export const startSession = async (userId: number, ip: string, userAgent: string) => {
-  const { sessionId, sessionIdSigned } = await issueSessionId(32, env.session.secret);
-  await createSession(userId, null, sessionId, ip, userAgent);
-  return sessionIdSigned;
-};
+export class AuthorizationError extends Error {
+  constructor(
+    public status: 403 | 500,
+    message: string,
+  ) {
+    super(message);
+    this.name = "AuthorizationError";
+  }
+}
+
+export const cookieOptions = {
+  path: "/",
+  maxAge: env.session.exp / 1000,
+  secure: true,
+  sameSite: "strict",
+} as const;

 export const authenticate = async (sessionIdSigned: string, ip: string, userAgent: string) => {
  const sessionId = verifySessionId(sessionIdSigned, env.session.secret);
@@ -38,7 +54,7 @@ export const authenticate = async (sessionIdSigned: string, ip: string, userAgen
  }

  try {
-    const { userId, clientId } = await refreshSession(sessionId, ip, userAgent);
+    const { userId, clientId } = await SessionRepo.refreshSession(sessionId, ip, userAgent);
    return {
      id: sessionId,
      userId,
@@ -52,34 +68,12 @@ export const authenticate = async (sessionIdSigned: string, ip: string, userAgen
  }
 };

-export async function authorize(locals: App.Locals, requiredPermission: "any"): Promise<Session>;
-
-export async function authorize(
+export const authorizeInternal = async (
  locals: App.Locals,
-  requiredPermission: "notClient",
-): Promise<Session>;
-
-export async function authorize(
-  locals: App.Locals,
-  requiredPermission: "anyClient",
-): Promise<ClientSession>;
-
-export async function authorize(
-  locals: App.Locals,
-  requiredPermission: "pendingClient",
-): Promise<ClientSession>;
-
-export async function authorize(
-  locals: App.Locals,
-  requiredPermission: "activeClient",
-): Promise<ClientSession>;
-
-export async function authorize(
-  locals: App.Locals,
-  requiredPermission: "any" | "notClient" | "anyClient" | "pendingClient" | "activeClient",
-): Promise<Session> {
+  requiredPermission: SessionPermission,
+): Promise<Session> => {
  if (!locals.session) {
-    error(500, "Unauthenticated");
+    throw new AuthorizationError(500, "Unauthenticated");
  }

  const { id: sessionId, userId, clientId } = locals.session;
@@ -89,39 +83,63 @@ export async function authorize(
      break;
    case "notClient":
      if (clientId) {
-        error(403, "Forbidden");
+        throw new AuthorizationError(403, "Forbidden");
      }
      break;
    case "anyClient":
      if (!clientId) {
-        error(403, "Forbidden");
+        throw new AuthorizationError(403, "Forbidden");
      }
      break;
    case "pendingClient": {
      if (!clientId) {
-        error(403, "Forbidden");
+        throw new AuthorizationError(403, "Forbidden");
      }
-      const userClient = await getUserClient(userId, clientId);
+      const userClient = await ClientRepo.getUserClient(userId, clientId);
      if (!userClient) {
-        error(500, "Invalid session id");
+        throw new AuthorizationError(500, "Invalid session id");
      } else if (userClient.state !== "pending") {
-        error(403, "Forbidden");
+        throw new AuthorizationError(403, "Forbidden");
      }
      break;
    }
    case "activeClient": {
      if (!clientId) {
-        error(403, "Forbidden");
+        throw new AuthorizationError(403, "Forbidden");
      }
-      const userClient = await getUserClient(userId, clientId);
+      const userClient = await ClientRepo.getUserClient(userId, clientId);
      if (!userClient) {
-        error(500, "Invalid session id");
+        throw new AuthorizationError(500, "Invalid session id");
      } else if (userClient.state !== "active") {
-        error(403, "Forbidden");
+        throw new AuthorizationError(403, "Forbidden");
      }
      break;
    }
  }

  return { sessionId, userId, clientId };
+};
+
+export async function authorize(
+  locals: App.Locals,
+  requiredPermission: "any" | "notClient",
+): Promise<Session>;
+
+export async function authorize(
+  locals: App.Locals,
+  requiredPermission: "anyClient" | "pendingClient" | "activeClient",
+): Promise<ClientSession>;
+
+export async function authorize(
+  locals: App.Locals,
+  requiredPermission: SessionPermission,
+): Promise<Session> {
+  try {
+    return await authorizeInternal(locals, requiredPermission);
+  } catch (e) {
+    if (e instanceof AuthorizationError) {
+      error(e.status, e.message);
+    }
+    throw e;
+  }
 }
--- a/src/lib/server/modules/filesystem.ts
+++ b/src/lib/server/modules/filesystem.ts
@@ -0,0 +1,7 @@
+import { unlink } from "fs/promises";
+
+export const safeUnlink = async (path: string | null | undefined) => {
+  if (path) {
+    await unlink(path).catch(console.error);
+  }
+};
--- a/src/lib/server/modules/mek.ts
+++ b/src/lib/server/modules/mek.ts
@@ -1,25 +0,0 @@
-import { error } from "@sveltejs/kit";
-import { getUserClientWithDetails } from "$lib/server/db/client";
-import { getInitialMek } from "$lib/server/db/mek";
-import { verifySignature } from "$lib/server/modules/crypto";
-
-export const isInitialMekNeeded = async (userId: number) => {
-  const initialMek = await getInitialMek(userId);
-  return !initialMek;
-};
-
-export const verifyClientEncMekSig = async (
-  userId: number,
-  clientId: number,
-  version: number,
-  encMek: string,
-  encMekSig: string,
-) => {
-  const userClient = await getUserClientWithDetails(userId, clientId);
-  if (!userClient) {
-    error(500, "Invalid session id");
-  }
-
-  const data = JSON.stringify({ version, key: encMek });
-  return verifySignature(Buffer.from(data), encMekSig, userClient.sigPubKey);
-};
--- a/src/lib/server/schemas/auth.ts
+++ b/src/lib/server/schemas/auth.ts
@@ -1,30 +0,0 @@
-import { z } from "zod";
-
-export const passwordChangeRequest = z.object({
-  oldPassword: z.string().trim().nonempty(),
-  newPassword: z.string().trim().nonempty(),
-});
-export type PasswordChangeRequest = z.infer<typeof passwordChangeRequest>;
-
-export const loginRequest = z.object({
-  email: z.string().email(),
-  password: z.string().trim().nonempty(),
-});
-export type LoginRequest = z.infer<typeof loginRequest>;
-
-export const sessionUpgradeRequest = z.object({
-  encPubKey: z.string().base64().nonempty(),
-  sigPubKey: z.string().base64().nonempty(),
-});
-export type SessionUpgradeRequest = z.infer<typeof sessionUpgradeRequest>;
-
-export const sessionUpgradeResponse = z.object({
-  challenge: z.string().base64().nonempty(),
-});
-export type SessionUpgradeResponse = z.infer<typeof sessionUpgradeResponse>;
-
-export const sessionUpgradeVerifyRequest = z.object({
-  answer: z.string().base64().nonempty(),
-  answerSig: z.string().base64().nonempty(),
-});
-export type SessionUpgradeVerifyRequest = z.infer<typeof sessionUpgradeVerifyRequest>;
--- a/src/lib/server/schemas/category.ts
+++ b/src/lib/server/schemas/category.ts
@@ -1,55 +1,3 @@
 import { z } from "zod";

-export const categoryIdSchema = z.union([z.literal("root"), z.number().int().positive()]);
-
-export const categoryInfoResponse = z.object({
-  metadata: z
-    .object({
-      parent: categoryIdSchema,
-      mekVersion: z.number().int().positive(),
-      dek: z.string().base64().nonempty(),
-      dekVersion: z.string().datetime(),
-      name: z.string().base64().nonempty(),
-      nameIv: z.string().base64().nonempty(),
-    })
-    .optional(),
-  subCategories: z.number().int().positive().array(),
-});
-export type CategoryInfoResponse = z.infer<typeof categoryInfoResponse>;
-
-export const categoryFileAddRequest = z.object({
-  file: z.number().int().positive(),
-});
-export type CategoryFileAddRequest = z.infer<typeof categoryFileAddRequest>;
-
-export const categoryFileListResponse = z.object({
-  files: z.array(
-    z.object({
-      file: z.number().int().positive(),
-      isRecursive: z.boolean(),
-    }),
-  ),
-});
-export type CategoryFileListResponse = z.infer<typeof categoryFileListResponse>;
-
-export const categoryFileRemoveRequest = z.object({
-  file: z.number().int().positive(),
-});
-export type CategoryFileRemoveRequest = z.infer<typeof categoryFileRemoveRequest>;
-
-export const categoryRenameRequest = z.object({
-  dekVersion: z.string().datetime(),
-  name: z.string().base64().nonempty(),
-  nameIv: z.string().base64().nonempty(),
-});
-export type CategoryRenameRequest = z.infer<typeof categoryRenameRequest>;
-
-export const categoryCreateRequest = z.object({
-  parent: categoryIdSchema,
-  mekVersion: z.number().int().positive(),
-  dek: z.string().base64().nonempty(),
-  dekVersion: z.string().datetime(),
-  name: z.string().base64().nonempty(),
-  nameIv: z.string().base64().nonempty(),
-});
-export type CategoryCreateRequest = z.infer<typeof categoryCreateRequest>;
+export const categoryIdSchema = z.union([z.literal("root"), z.int().positive()]);
--- a/src/lib/server/schemas/client.ts
+++ b/src/lib/server/schemas/client.ts
@@ -1,35 +0,0 @@
-import { z } from "zod";
-
-export const clientListResponse = z.object({
-  clients: z.array(
-    z.object({
-      id: z.number().int().positive(),
-      state: z.enum(["pending", "active"]),
-    }),
-  ),
-});
-export type ClientListResponse = z.infer<typeof clientListResponse>;
-
-export const clientRegisterRequest = z.object({
-  encPubKey: z.string().base64().nonempty(),
-  sigPubKey: z.string().base64().nonempty(),
-});
-export type ClientRegisterRequest = z.infer<typeof clientRegisterRequest>;
-
-export const clientRegisterResponse = z.object({
-  challenge: z.string().base64().nonempty(),
-});
-export type ClientRegisterResponse = z.infer<typeof clientRegisterResponse>;
-
-export const clientRegisterVerifyRequest = z.object({
-  answer: z.string().base64().nonempty(),
-  answerSig: z.string().base64().nonempty(),
-});
-export type ClientRegisterVerifyRequest = z.infer<typeof clientRegisterVerifyRequest>;
-
-export const clientStatusResponse = z.object({
-  id: z.number().int().positive(),
-  state: z.enum(["pending", "active"]),
-  isInitialMekNeeded: z.boolean(),
-});
-export type ClientStatusResponse = z.infer<typeof clientStatusResponse>;
--- a/src/lib/server/schemas/directory.ts
+++ b/src/lib/server/schemas/directory.ts
@@ -1,41 +1,3 @@
 import { z } from "zod";

-export const directoryIdSchema = z.union([z.literal("root"), z.number().int().positive()]);
-
-export const directoryInfoResponse = z.object({
-  metadata: z
-    .object({
-      parent: directoryIdSchema,
-      mekVersion: z.number().int().positive(),
-      dek: z.string().base64().nonempty(),
-      dekVersion: z.string().datetime(),
-      name: z.string().base64().nonempty(),
-      nameIv: z.string().base64().nonempty(),
-    })
-    .optional(),
-  subDirectories: z.number().int().positive().array(),
-  files: z.number().int().positive().array(),
-});
-export type DirectoryInfoResponse = z.infer<typeof directoryInfoResponse>;
-
-export const directoryDeleteResponse = z.object({
-  deletedFiles: z.number().int().positive().array(),
-});
-export type DirectoryDeleteResponse = z.infer<typeof directoryDeleteResponse>;
-
-export const directoryRenameRequest = z.object({
-  dekVersion: z.string().datetime(),
-  name: z.string().base64().nonempty(),
-  nameIv: z.string().base64().nonempty(),
-});
-export type DirectoryRenameRequest = z.infer<typeof directoryRenameRequest>;
-
-export const directoryCreateRequest = z.object({
-  parent: directoryIdSchema,
-  mekVersion: z.number().int().positive(),
-  dek: z.string().base64().nonempty(),
-  dekVersion: z.string().datetime(),
-  name: z.string().base64().nonempty(),
-  nameIv: z.string().base64().nonempty(),
-});
-export type DirectoryCreateRequest = z.infer<typeof directoryCreateRequest>;
+export const directoryIdSchema = z.union([z.literal("root"), z.int().positive()]);
--- a/src/lib/server/schemas/file.ts
+++ b/src/lib/server/schemas/file.ts
@@ -2,68 +2,35 @@ import mime from "mime";
 import { z } from "zod";
 import { directoryIdSchema } from "./directory";

-export const fileInfoResponse = z.object({
-  parent: directoryIdSchema,
-  mekVersion: z.number().int().positive(),
-  dek: z.string().base64().nonempty(),
-  dekVersion: z.string().datetime(),
-  contentType: z
-    .string()
-    .trim()
-    .nonempty()
-    .refine((value) => mime.getExtension(value) !== null), // MIME type
-  contentIv: z.string().base64().nonempty(),
-  name: z.string().base64().nonempty(),
-  nameIv: z.string().base64().nonempty(),
-  createdAt: z.string().base64().nonempty().optional(),
-  createdAtIv: z.string().base64().nonempty().optional(),
-  lastModifiedAt: z.string().base64().nonempty(),
-  lastModifiedAtIv: z.string().base64().nonempty(),
-  categories: z.number().int().positive().array(),
+export const fileThumbnailUploadRequest = z.object({
+  dekVersion: z.iso.datetime(),
+  contentIv: z.base64().nonempty(),
 });
-export type FileInfoResponse = z.infer<typeof fileInfoResponse>;
-
-export const fileRenameRequest = z.object({
-  dekVersion: z.string().datetime(),
-  name: z.string().base64().nonempty(),
-  nameIv: z.string().base64().nonempty(),
-});
-export type FileRenameRequest = z.infer<typeof fileRenameRequest>;
-
-export const duplicateFileScanRequest = z.object({
-  hskVersion: z.number().int().positive(),
-  contentHmac: z.string().base64().nonempty(),
-});
-export type DuplicateFileScanRequest = z.infer<typeof duplicateFileScanRequest>;
-
-export const duplicateFileScanResponse = z.object({
-  files: z.number().int().positive().array(),
-});
-export type DuplicateFileScanResponse = z.infer<typeof duplicateFileScanResponse>;
+export type FileThumbnailUploadRequest = z.input<typeof fileThumbnailUploadRequest>;

 export const fileUploadRequest = z.object({
  parent: directoryIdSchema,
-  mekVersion: z.number().int().positive(),
-  dek: z.string().base64().nonempty(),
-  dekVersion: z.string().datetime(),
-  hskVersion: z.number().int().positive(),
-  contentHmac: z.string().base64().nonempty(),
+  mekVersion: z.int().positive(),
+  dek: z.base64().nonempty(),
+  dekVersion: z.iso.datetime(),
+  hskVersion: z.int().positive(),
+  contentHmac: z.base64().nonempty(),
  contentType: z
    .string()
    .trim()
    .nonempty()
    .refine((value) => mime.getExtension(value) !== null), // MIME type
-  contentIv: z.string().base64().nonempty(),
-  name: z.string().base64().nonempty(),
-  nameIv: z.string().base64().nonempty(),
-  createdAt: z.string().base64().nonempty().optional(),
-  createdAtIv: z.string().base64().nonempty().optional(),
-  lastModifiedAt: z.string().base64().nonempty(),
-  lastModifiedAtIv: z.string().base64().nonempty(),
+  contentIv: z.base64().nonempty(),
+  name: z.base64().nonempty(),
+  nameIv: z.base64().nonempty(),
+  createdAt: z.base64().nonempty().optional(),
+  createdAtIv: z.base64().nonempty().optional(),
+  lastModifiedAt: z.base64().nonempty(),
+  lastModifiedAtIv: z.base64().nonempty(),
 });
-export type FileUploadRequest = z.infer<typeof fileUploadRequest>;
+export type FileUploadRequest = z.input<typeof fileUploadRequest>;

 export const fileUploadResponse = z.object({
-  file: z.number().int().positive(),
+  file: z.int().positive(),
 });
-export type FileUploadResponse = z.infer<typeof fileUploadResponse>;
+export type FileUploadResponse = z.output<typeof fileUploadResponse>;
--- a/src/lib/server/schemas/hsk.ts
+++ b/src/lib/server/schemas/hsk.ts
@@ -1,19 +0,0 @@
-import { z } from "zod";
-
-export const hmacSecretListResponse = z.object({
-  hsks: z.array(
-    z.object({
-      version: z.number().int().positive(),
-      state: z.enum(["active"]),
-      mekVersion: z.number().int().positive(),
-      hsk: z.string().base64().nonempty(),
-    }),
-  ),
-});
-export type HmacSecretListResponse = z.infer<typeof hmacSecretListResponse>;
-
-export const initialHmacSecretRegisterRequest = z.object({
-  mekVersion: z.number().int().positive(),
-  hsk: z.string().base64().nonempty(),
-});
-export type InitialHmacSecretRegisterRequest = z.infer<typeof initialHmacSecretRegisterRequest>;
--- a/src/lib/server/schemas/index.ts
+++ b/src/lib/server/schemas/index.ts
@@ -1,8 +1,3 @@
-export * from "./auth";
 export * from "./category";
-export * from "./client";
 export * from "./directory";
 export * from "./file";
-export * from "./hsk";
-export * from "./mek";
-export * from "./user";
--- a/src/lib/server/schemas/mek.ts
+++ b/src/lib/server/schemas/mek.ts
@@ -1,19 +0,0 @@
-import { z } from "zod";
-
-export const masterKeyListResponse = z.object({
-  meks: z.array(
-    z.object({
-      version: z.number().int().positive(),
-      state: z.enum(["active", "retired"]),
-      mek: z.string().base64().nonempty(),
-      mekSig: z.string().base64().nonempty(),
-    }),
-  ),
-});
-export type MasterKeyListResponse = z.infer<typeof masterKeyListResponse>;
-
-export const initialMasterKeyRegisterRequest = z.object({
-  mek: z.string().base64().nonempty(),
-  mekSig: z.string().base64().nonempty(),
-});
-export type InitialMasterKeyRegisterRequest = z.infer<typeof initialMasterKeyRegisterRequest>;
--- a/src/lib/server/schemas/user.ts
+++ b/src/lib/server/schemas/user.ts
@@ -1,12 +0,0 @@
-import { z } from "zod";
-
-export const userInfoResponse = z.object({
-  email: z.string().email(),
-  nickname: z.string().nonempty(),
-});
-export type UserInfoResponse = z.infer<typeof userInfoResponse>;
-
-export const nicknameChangeRequest = z.object({
-  newNickname: z.string().trim().min(2).max(8),
-});
-export type NicknameChangeRequest = z.infer<typeof nicknameChangeRequest>;
--- a/src/lib/server/services/auth.ts
+++ b/src/lib/server/services/auth.ts
@@ -1,121 +0,0 @@
-import { error } from "@sveltejs/kit";
-import argon2 from "argon2";
-import { getClient, getClientByPubKeys, getUserClient } from "$lib/server/db/client";
-import { IntegrityError } from "$lib/server/db/error";
-import {
-  upgradeSession,
-  deleteSession,
-  deleteAllOtherSessions,
-  registerSessionUpgradeChallenge,
-  consumeSessionUpgradeChallenge,
-} from "$lib/server/db/session";
-import { getUser, getUserByEmail, setUserPassword } from "$lib/server/db/user";
-import env from "$lib/server/loadenv";
-import { startSession } from "$lib/server/modules/auth";
-import { verifySignature, generateChallenge } from "$lib/server/modules/crypto";
-
-const hashPassword = async (password: string) => {
-  return await argon2.hash(password);
-};
-
-const verifyPassword = async (hash: string, password: string) => {
-  return await argon2.verify(hash, password);
-};
-
-export const changePassword = async (
-  userId: number,
-  sessionId: string,
-  oldPassword: string,
-  newPassword: string,
-) => {
-  if (oldPassword === newPassword) {
-    error(400, "Same passwords");
-  } else if (newPassword.length < 8) {
-    error(400, "Too short password");
-  }
-
-  const user = await getUser(userId);
-  if (!user) {
-    error(500, "Invalid session id");
-  } else if (!(await verifyPassword(user.password, oldPassword))) {
-    error(403, "Invalid password");
-  }
-
-  await setUserPassword(userId, await hashPassword(newPassword));
-  await deleteAllOtherSessions(userId, sessionId);
-};
-
-export const login = async (email: string, password: string, ip: string, userAgent: string) => {
-  const user = await getUserByEmail(email);
-  if (!user || !(await verifyPassword(user.password, password))) {
-    error(401, "Invalid email or password");
-  }
-
-  try {
-    return { sessionIdSigned: await startSession(user.id, ip, userAgent) };
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "Session already exists") {
-      error(403, "Already logged in");
-    }
-    throw e;
-  }
-};
-
-export const logout = async (sessionId: string) => {
-  await deleteSession(sessionId);
-};
-
-export const createSessionUpgradeChallenge = async (
-  sessionId: string,
-  userId: number,
-  ip: string,
-  encPubKey: string,
-  sigPubKey: string,
-) => {
-  const client = await getClientByPubKeys(encPubKey, sigPubKey);
-  const userClient = client ? await getUserClient(userId, client.id) : undefined;
-  if (!client) {
-    error(401, "Invalid public key(s)");
-  } else if (!userClient || userClient.state === "challenging") {
-    error(403, "Unregistered client");
-  }
-
-  const { answer, challenge } = await generateChallenge(32, encPubKey);
-  await registerSessionUpgradeChallenge(
-    sessionId,
-    client.id,
-    answer.toString("base64"),
-    ip,
-    new Date(Date.now() + env.challenge.sessionUpgradeExp),
-  );
-
-  return { challenge: challenge.toString("base64") };
-};
-
-export const verifySessionUpgradeChallenge = async (
-  sessionId: string,
-  ip: string,
-  answer: string,
-  answerSig: string,
-) => {
-  const challenge = await consumeSessionUpgradeChallenge(sessionId, answer, ip);
-  if (!challenge) {
-    error(403, "Invalid challenge answer");
-  }
-
-  const client = await getClient(challenge.clientId);
-  if (!client) {
-    error(500, "Invalid challenge answer");
-  } else if (!verifySignature(Buffer.from(answer, "base64"), answerSig, client.sigPubKey)) {
-    error(403, "Invalid challenge answer signature");
-  }
-
-  try {
-    await upgradeSession(sessionId, client.id);
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "Session not found") {
-      error(500, "Invalid challenge answer");
-    }
-    throw e;
-  }
-};
--- a/src/lib/server/services/category.ts
+++ b/src/lib/server/services/category.ts
@@ -1,133 +0,0 @@
-import { error } from "@sveltejs/kit";
-import {
-  registerCategory,
-  getAllCategoriesByParent,
-  getCategory,
-  setCategoryEncName,
-  unregisterCategory,
-  type CategoryId,
-  type NewCategory,
-} from "$lib/server/db/category";
-import { IntegrityError } from "$lib/server/db/error";
-import {
-  getAllFilesByCategory,
-  getFile,
-  addFileToCategory,
-  removeFileFromCategory,
-} from "$lib/server/db/file";
-import type { Ciphertext } from "$lib/server/db/schema";
-
-export const getCategoryInformation = async (userId: number, categoryId: CategoryId) => {
-  const category = categoryId !== "root" ? await getCategory(userId, categoryId) : undefined;
-  if (category === null) {
-    error(404, "Invalid category id");
-  }
-
-  const categories = await getAllCategoriesByParent(userId, categoryId);
-  return {
-    metadata: category && {
-      parentId: category.parentId ?? ("root" as const),
-      mekVersion: category.mekVersion,
-      encDek: category.encDek,
-      dekVersion: category.dekVersion,
-      encName: category.encName,
-    },
-    categories: categories.map(({ id }) => id),
-  };
-};
-
-export const deleteCategory = async (userId: number, categoryId: number) => {
-  try {
-    await unregisterCategory(userId, categoryId);
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "Category not found") {
-      error(404, "Invalid category id");
-    }
-    throw e;
-  }
-};
-
-export const addCategoryFile = async (userId: number, categoryId: number, fileId: number) => {
-  const category = await getCategory(userId, categoryId);
-  const file = await getFile(userId, fileId);
-  if (!category) {
-    error(404, "Invalid category id");
-  } else if (!file) {
-    error(404, "Invalid file id");
-  }
-
-  try {
-    await addFileToCategory(fileId, categoryId);
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "File already added to category") {
-      error(400, "File already added");
-    }
-    throw e;
-  }
-};
-
-export const getCategoryFiles = async (userId: number, categoryId: number, recurse: boolean) => {
-  const category = await getCategory(userId, categoryId);
-  if (!category) {
-    error(404, "Invalid category id");
-  }
-
-  const files = await getAllFilesByCategory(userId, categoryId, recurse);
-  return { files };
-};
-
-export const removeCategoryFile = async (userId: number, categoryId: number, fileId: number) => {
-  const category = await getCategory(userId, categoryId);
-  const file = await getFile(userId, fileId);
-  if (!category) {
-    error(404, "Invalid category id");
-  } else if (!file) {
-    error(404, "Invalid file id");
-  }
-
-  try {
-    await removeFileFromCategory(fileId, categoryId);
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "File not found in category") {
-      error(400, "File not added");
-    }
-    throw e;
-  }
-};
-
-export const renameCategory = async (
-  userId: number,
-  categoryId: number,
-  dekVersion: Date,
-  newEncName: Ciphertext,
-) => {
-  try {
-    await setCategoryEncName(userId, categoryId, dekVersion, newEncName);
-  } catch (e) {
-    if (e instanceof IntegrityError) {
-      if (e.message === "Category not found") {
-        error(404, "Invalid category id");
-      } else if (e.message === "Invalid DEK version") {
-        error(400, "Invalid DEK version");
-      }
-    }
-    throw e;
-  }
-};
-
-export const createCategory = async (params: NewCategory) => {
-  const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
-  const oneMinuteLater = new Date(Date.now() + 60 * 1000);
-  if (params.dekVersion <= oneMinuteAgo || params.dekVersion >= oneMinuteLater) {
-    error(400, "Invalid DEK version");
-  }
-
-  try {
-    await registerCategory(params);
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "Inactive MEK version") {
-      error(400, "Inactive MEK version");
-    }
-    throw e;
-  }
-};
--- a/src/lib/server/services/client.ts
+++ b/src/lib/server/services/client.ts
@@ -1,108 +0,0 @@
-import { error } from "@sveltejs/kit";
-import {
-  createClient,
-  getClient,
-  getClientByPubKeys,
-  createUserClient,
-  getAllUserClients,
-  getUserClient,
-  setUserClientStateToPending,
-  registerUserClientChallenge,
-  consumeUserClientChallenge,
-} from "$lib/server/db/client";
-import { IntegrityError } from "$lib/server/db/error";
-import { verifyPubKey, verifySignature, generateChallenge } from "$lib/server/modules/crypto";
-import { isInitialMekNeeded } from "$lib/server/modules/mek";
-import env from "$lib/server/loadenv";
-
-export const getUserClientList = async (userId: number) => {
-  const userClients = await getAllUserClients(userId);
-  return {
-    userClients: userClients.map(({ clientId, state }) => ({
-      id: clientId,
-      state: state as "pending" | "active",
-    })),
-  };
-};
-
-const expiresAt = () => new Date(Date.now() + env.challenge.userClientExp);
-
-const createUserClientChallenge = async (
-  ip: string,
-  userId: number,
-  clientId: number,
-  encPubKey: string,
-) => {
-  const { answer, challenge } = await generateChallenge(32, encPubKey);
-  await registerUserClientChallenge(userId, clientId, answer.toString("base64"), ip, expiresAt());
-  return challenge.toString("base64");
-};
-
-export const registerUserClient = async (
-  userId: number,
-  ip: string,
-  encPubKey: string,
-  sigPubKey: string,
-) => {
-  const client = await getClientByPubKeys(encPubKey, sigPubKey);
-  if (client) {
-    try {
-      await createUserClient(userId, client.id);
-      return { challenge: await createUserClientChallenge(ip, userId, client.id, encPubKey) };
-    } catch (e) {
-      if (e instanceof IntegrityError && e.message === "User client already exists") {
-        error(409, "Client already registered");
-      }
-      throw e;
-    }
-  } else {
-    if (encPubKey === sigPubKey) {
-      error(400, "Same public keys");
-    } else if (!verifyPubKey(encPubKey) || !verifyPubKey(sigPubKey)) {
-      error(400, "Invalid public key(s)");
-    }
-
-    try {
-      const { id: clientId } = await createClient(encPubKey, sigPubKey, userId);
-      return { challenge: await createUserClientChallenge(ip, userId, clientId, encPubKey) };
-    } catch (e) {
-      if (e instanceof IntegrityError && e.message === "Public key(s) already registered") {
-        error(409, "Public key(s) already used");
-      }
-      throw e;
-    }
-  }
-};
-
-export const verifyUserClient = async (
-  userId: number,
-  ip: string,
-  answer: string,
-  answerSig: string,
-) => {
-  const challenge = await consumeUserClientChallenge(userId, answer, ip);
-  if (!challenge) {
-    error(403, "Invalid challenge answer");
-  }
-
-  const client = await getClient(challenge.clientId);
-  if (!client) {
-    error(500, "Invalid challenge answer");
-  } else if (!verifySignature(Buffer.from(answer, "base64"), answerSig, client.sigPubKey)) {
-    error(403, "Invalid challenge answer signature");
-  }
-
-  await setUserClientStateToPending(userId, client.id);
-};
-
-export const getUserClientStatus = async (userId: number, clientId: number) => {
-  const userClient = await getUserClient(userId, clientId);
-  if (!userClient) {
-    error(500, "Invalid session id");
-  }
-
-  return {
-    state: userClient.state as "pending" | "active",
-    isInitialMekNeeded: await isInitialMekNeeded(userId),
-  };
-};
--- a/src/lib/server/services/directory.ts
+++ b/src/lib/server/services/directory.ts
@@ -1,89 +0,0 @@
-import { error } from "@sveltejs/kit";
-import { unlink } from "fs/promises";
-import { IntegrityError } from "$lib/server/db/error";
-import {
-  registerDirectory,
-  getAllDirectoriesByParent,
-  getDirectory,
-  setDirectoryEncName,
-  unregisterDirectory,
-  getAllFilesByParent,
-  type DirectoryId,
-  type NewDirectory,
-} from "$lib/server/db/file";
-import type { Ciphertext } from "$lib/server/db/schema";
-
-export const getDirectoryInformation = async (userId: number, directoryId: DirectoryId) => {
-  const directory = directoryId !== "root" ? await getDirectory(userId, directoryId) : undefined;
-  if (directory === null) {
-    error(404, "Invalid directory id");
-  }
-
-  const directories = await getAllDirectoriesByParent(userId, directoryId);
-  const files = await getAllFilesByParent(userId, directoryId);
-  return {
-    metadata: directory && {
-      parentId: directory.parentId ?? ("root" as const),
-      mekVersion: directory.mekVersion,
-      encDek: directory.encDek,
-      dekVersion: directory.dekVersion,
-      encName: directory.encName,
-    },
-    directories: directories.map(({ id }) => id),
-    files: files.map(({ id }) => id),
-  };
-};
-
-export const deleteDirectory = async (userId: number, directoryId: number) => {
-  try {
-    const files = await unregisterDirectory(userId, directoryId);
-    return {
-      files: files.map(({ id, path }) => {
-        unlink(path); // Intended
-        return id;
-      }),
-    };
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "Directory not found") {
-      error(404, "Invalid directory id");
-    }
-    throw e;
-  }
-};
-
-export const renameDirectory = async (
-  userId: number,
-  directoryId: number,
-  dekVersion: Date,
-  newEncName: Ciphertext,
-) => {
-  try {
-    await setDirectoryEncName(userId, directoryId, dekVersion, newEncName);
-  } catch (e) {
-    if (e instanceof IntegrityError) {
-      if (e.message === "Directory not found") {
-        error(404, "Invalid directory id");
-      } else if (e.message === "Invalid DEK version") {
-        error(400, "Invalid DEK version");
-      }
-    }
-    throw e;
-  }
-};
-
-export const createDirectory = async (params: NewDirectory) => {
-  const oneMinuteAgo = new Date(Date.now() - 60 * 1000);
-  const oneMinuteLater = new Date(Date.now() + 60 * 1000);
-  if (params.dekVersion <= oneMinuteAgo || params.dekVersion >= oneMinuteLater) {
-    error(400, "Invalid DEK version");
-  }
-
-  try {
-    await registerDirectory(params);
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "Inactive MEK version") {
-      error(400, "Invalid MEK version");
-    }
-    throw e;
-  }
-};
--- a/src/lib/server/services/file.ts
+++ b/src/lib/server/services/file.ts
@@ -1,59 +1,17 @@
 import { error } from "@sveltejs/kit";
 import { createHash } from "crypto";
 import { createReadStream, createWriteStream } from "fs";
-import { mkdir, stat, unlink } from "fs/promises";
+import { mkdir, stat } from "fs/promises";
 import { dirname } from "path";
 import { Readable } from "stream";
 import { pipeline } from "stream/promises";
 import { v4 as uuidv4 } from "uuid";
-import { IntegrityError } from "$lib/server/db/error";
-import {
-  registerFile,
-  getAllFileIdsByContentHmac,
-  getFile,
-  setFileEncName,
-  unregisterFile,
-  getAllFileCategories,
-  type NewFile,
-} from "$lib/server/db/file";
-import type { Ciphertext } from "$lib/server/db/schema";
+import { FileRepo, MediaRepo, IntegrityError } from "$lib/server/db";
 import env from "$lib/server/loadenv";
-
-export const getFileInformation = async (userId: number, fileId: number) => {
-  const file = await getFile(userId, fileId);
-  if (!file) {
-    error(404, "Invalid file id");
-  }
-
-  const categories = await getAllFileCategories(fileId);
-  return {
-    parentId: file.parentId ?? ("root" as const),
-    mekVersion: file.mekVersion,
-    encDek: file.encDek,
-    dekVersion: file.dekVersion,
-    contentType: file.contentType,
-    encContentIv: file.encContentIv,
-    encName: file.encName,
-    encCreatedAt: file.encCreatedAt,
-    encLastModifiedAt: file.encLastModifiedAt,
-    categories: categories.map(({ id }) => id),
-  };
-};
-
-export const deleteFile = async (userId: number, fileId: number) => {
-  try {
-    const { path } = await unregisterFile(userId, fileId);
-    unlink(path); // Intended
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "File not found") {
-      error(404, "Invalid file id");
-    }
-    throw e;
-  }
-};
+import { safeUnlink } from "$lib/server/modules/filesystem";

 export const getFileStream = async (userId: number, fileId: number) => {
-  const file = await getFile(userId, fileId);
+  const file = await FileRepo.getFile(userId, fileId);
  if (!file) {
    error(404, "Invalid file id");
  }
@@ -65,41 +23,56 @@ export const getFileStream = async (userId: number, fileId: number) => {
  };
 };

-export const renameFile = async (
+export const getFileThumbnailStream = async (userId: number, fileId: number) => {
+  const thumbnail = await MediaRepo.getFileThumbnail(userId, fileId);
+  if (!thumbnail) {
+    error(404, "File or its thumbnail not found");
+  }
+
+  const { size } = await stat(thumbnail.path);
+  return {
+    encContentStream: Readable.toWeb(createReadStream(thumbnail.path)),
+    encContentSize: size,
+  };
+};
+
+export const uploadFileThumbnail = async (
  userId: number,
  fileId: number,
  dekVersion: Date,
-  newEncName: Ciphertext,
+  encContentIv: string,
+  encContentStream: Readable,
 ) => {
+  const path = `${env.thumbnailsPath}/${userId}/${uuidv4()}`;
+  await mkdir(dirname(path), { recursive: true });
+
  try {
-    await setFileEncName(userId, fileId, dekVersion, newEncName);
+    await pipeline(encContentStream, createWriteStream(path, { flags: "wx", mode: 0o600 }));
+
+    const oldPath = await MediaRepo.updateFileThumbnail(
+      userId,
+      fileId,
+      dekVersion,
+      path,
+      encContentIv,
+    );
+    safeUnlink(oldPath); // Intended
  } catch (e) {
+    await safeUnlink(path);
+
    if (e instanceof IntegrityError) {
      if (e.message === "File not found") {
-        error(404, "Invalid file id");
+        error(404, "File not found");
      } else if (e.message === "Invalid DEK version") {
-        error(400, "Invalid DEK version");
+        error(400, "Mismatched DEK version");
      }
    }
    throw e;
  }
 };

-export const scanDuplicateFiles = async (
-  userId: number,
-  hskVersion: number,
-  contentHmac: string,
-) => {
-  const fileIds = await getAllFileIdsByContentHmac(userId, hskVersion, contentHmac);
-  return { files: fileIds.map(({ id }) => id) };
-};
-
-const safeUnlink = async (path: string) => {
-  await unlink(path).catch(console.error);
-};
-
 export const uploadFile = async (
-  params: Omit<NewFile, "path" | "encContentHash">,
+  params: Omit<FileRepo.NewFile, "path" | "encContentHash">,
  encContentStream: Readable,
  encContentHash: Promise<string>,
 ) => {
@@ -131,7 +104,7 @@ export const uploadFile = async (
      throw new Error("Invalid checksum");
    }

-    const { id: fileId } = await registerFile({
+    const { id: fileId } = await FileRepo.registerFile({
      ...params,
      path,
      encContentHash: hash,
--- a/src/lib/server/services/hsk.ts
+++ b/src/lib/server/services/hsk.ts
@@ -1,31 +0,0 @@
-import { error } from "@sveltejs/kit";
-import { IntegrityError } from "$lib/server/db/error";
-import { registerInitialHsk, getAllValidHsks } from "$lib/server/db/hsk";
-
-export const getHskList = async (userId: number) => {
-  const hsks = await getAllValidHsks(userId);
-  return {
-    encHsks: hsks.map(({ version, state, mekVersion, encHsk }) => ({
-      version,
-      state,
-      mekVersion,
-      encHsk,
-    })),
-  };
-};
-
-export const registerInitialActiveHsk = async (
-  userId: number,
-  createdBy: number,
-  mekVersion: number,
-  encHsk: string,
-) => {
-  try {
-    await registerInitialHsk(userId, createdBy, mekVersion, encHsk);
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "HSK already registered") {
-      error(409, "Initial HSK already registered");
-    }
-    throw e;
-  }
-};
--- a/src/lib/server/services/mek.ts
+++ b/src/lib/server/services/mek.ts
@@ -1,38 +0,0 @@
-import { error } from "@sveltejs/kit";
-import { setUserClientStateToActive } from "$lib/server/db/client";
-import { IntegrityError } from "$lib/server/db/error";
-import { registerInitialMek, getAllValidClientMeks } from "$lib/server/db/mek";
-import { verifyClientEncMekSig } from "$lib/server/modules/mek";
-
-export const getClientMekList = async (userId: number, clientId: number) => {
-  const clientMeks = await getAllValidClientMeks(userId, clientId);
-  return {
-    encMeks: clientMeks.map(({ version, state, encMek, encMekSig }) => ({
-      version,
-      state,
-      encMek,
-      encMekSig,
-    })),
-  };
-};
-
-export const registerInitialActiveMek = async (
-  userId: number,
-  createdBy: number,
-  encMek: string,
-  encMekSig: string,
-) => {
-  if (!(await verifyClientEncMekSig(userId, createdBy, 1, encMek, encMekSig))) {
-    error(400, "Invalid signature");
-  }
-
-  try {
-    await registerInitialMek(userId, createdBy, encMek, encMekSig);
-    await setUserClientStateToActive(userId, createdBy);
-  } catch (e) {
-    if (e instanceof IntegrityError && e.message === "MEK already registered") {
-      error(409, "Initial MEK already registered");
-    }
-    throw e;
-  }
-};
--- a/src/lib/server/services/user.ts
+++ b/src/lib/server/services/user.ts
@@ -1,15 +0,0 @@
-import { error } from "@sveltejs/kit";
-import { getUser, setUserNickname } from "$lib/server/db/user";
-
-export const getUserInformation = async (userId: number) => {
-  const user = await getUser(userId);
-  if (!user) {
-    error(500, "Invalid session id");
-  }
-
-  return { email: user.email, nickname: user.nickname };
-};
-
-export const changeNickname = async (userId: number, nickname: string) => {
-  await setUserNickname(userId, nickname);
-};
--- a/src/lib/services/auth.ts
+++ b/src/lib/services/auth.ts
@@ -1,30 +1,50 @@
-import { callPostApi } from "$lib/hooks";
 import { encodeToBase64, decryptChallenge, signMessageRSA } from "$lib/modules/crypto";
-import type {
-  SessionUpgradeRequest,
-  SessionUpgradeResponse,
-  SessionUpgradeVerifyRequest,
-} from "$lib/server/schemas";
+import { trpc, isTRPCClientError } from "$trpc/client";

 export const requestSessionUpgrade = async (
  encryptKeyBase64: string,
  decryptKey: CryptoKey,
  verifyKeyBase64: string,
  signKey: CryptoKey,
+  force = false,
 ) => {
-  let res = await callPostApi<SessionUpgradeRequest>("/api/auth/upgradeSession", {
-    encPubKey: encryptKeyBase64,
-    sigPubKey: verifyKeyBase64,
-  });
-  if (!res.ok) return false;
-
-  const { challenge }: SessionUpgradeResponse = await res.json();
+  let id, challenge;
+  try {
+    ({ id, challenge } = await trpc().auth.upgrade.mutate({
+      encPubKey: encryptKeyBase64,
+      sigPubKey: verifyKeyBase64,
+    }));
+  } catch (e) {
+    if (isTRPCClientError(e) && e.data?.code === "FORBIDDEN") {
+      return [false, "Unregistered client"] as const;
+    }
+    return [false] as const;
+  }
  const answer = await decryptChallenge(challenge, decryptKey);
  const answerSig = await signMessageRSA(answer, signKey);

-  res = await callPostApi<SessionUpgradeVerifyRequest>("/api/auth/upgradeSession/verify", {
-    answer: encodeToBase64(answer),
-    answerSig: encodeToBase64(answerSig),
-  });
-  return res.ok;
+  try {
+    await trpc().auth.verifyUpgrade.mutate({
+      id,
+      answerSig: encodeToBase64(answerSig),
+      force,
+    });
+  } catch (e) {
+    if (isTRPCClientError(e) && e.data?.code === "CONFLICT") {
+      return [false, "Already logged in"] as const;
+    }
+    return [false] as const;
+  }
+
+  return [true] as const;
+};
+
+export const requestLogout = async () => {
+  try {
+    await trpc().auth.logout.mutate();
+    return true;
+  } catch {
+    // TODO: Error Handling
+    return false;
+  }
 };
--- a/src/lib/services/category.ts
+++ b/src/lib/services/category.ts
@@ -1,7 +1,6 @@
-import { callPostApi } from "$lib/hooks";
 import { generateDataKey, wrapDataKey, encryptString } from "$lib/modules/crypto";
-import type { CategoryCreateRequest, CategoryFileRemoveRequest } from "$lib/server/schemas";
 import type { MasterKey } from "$lib/stores";
+import { trpc } from "$trpc/client";

 export const requestCategoryCreation = async (
  name: string,
@@ -11,21 +10,28 @@ export const requestCategoryCreation = async (
  const { dataKey, dataKeyVersion } = await generateDataKey();
  const nameEncrypted = await encryptString(name, dataKey);

-  const res = await callPostApi<CategoryCreateRequest>("/api/category/create", {
-    parent: parentId,
-    mekVersion: masterKey.version,
-    dek: await wrapDataKey(dataKey, masterKey.key),
-    dekVersion: dataKeyVersion.toISOString(),
-    name: nameEncrypted.ciphertext,
-    nameIv: nameEncrypted.iv,
-  });
-  return res.ok;
+  try {
+    await trpc().category.create.mutate({
+      parent: parentId,
+      mekVersion: masterKey.version,
+      dek: await wrapDataKey(dataKey, masterKey.key),
+      dekVersion: dataKeyVersion,
+      name: nameEncrypted.ciphertext,
+      nameIv: nameEncrypted.iv,
+    });
+    return true;
+  } catch {
+    // TODO: Error Handling
+    return false;
+  }
 };

 export const requestFileRemovalFromCategory = async (fileId: number, categoryId: number) => {
-  const res = await callPostApi<CategoryFileRemoveRequest>(
-    `/api/category/${categoryId}/file/remove`,
-    { file: fileId },
-  );
-  return res.ok;
+  try {
+    await trpc().category.removeFile.mutate({ id: categoryId, file: fileId });
+    return true;
+  } catch {
+    // TODO: Error Handling
+    return false;
+  }
 };
--- a/src/lib/services/file.ts
+++ b/src/lib/services/file.ts
@@ -0,0 +1,87 @@
+import { getAllFileInfos } from "$lib/indexedDB/filesystem";
+import { decryptData } from "$lib/modules/crypto";
+import {
+  getFileCache,
+  storeFileCache,
+  deleteFileCache,
+  getFileThumbnailCache,
+  storeFileThumbnailCache,
+  deleteFileThumbnailCache,
+  downloadFile,
+} from "$lib/modules/file";
+import { getThumbnailUrl } from "$lib/modules/thumbnail";
+import type { FileThumbnailUploadRequest } from "$lib/server/schemas";
+import { trpc } from "$trpc/client";
+
+export const requestFileDownload = async (
+  fileId: number,
+  fileEncryptedIv: string,
+  dataKey: CryptoKey,
+) => {
+  const cache = await getFileCache(fileId);
+  if (cache) return cache;
+
+  const fileBuffer = await downloadFile(fileId, fileEncryptedIv, dataKey);
+  storeFileCache(fileId, fileBuffer); // Intended
+  return fileBuffer;
+};
+
+export const requestFileThumbnailUpload = async (
+  fileId: number,
+  dataKeyVersion: Date,
+  thumbnailEncrypted: { ciphertext: ArrayBuffer; iv: string },
+) => {
+  const form = new FormData();
+  form.set(
+    "metadata",
+    JSON.stringify({
+      dekVersion: dataKeyVersion.toISOString(),
+      contentIv: thumbnailEncrypted.iv,
+    } satisfies FileThumbnailUploadRequest),
+  );
+  form.set("content", new Blob([thumbnailEncrypted.ciphertext]));
+
+  return await fetch(`/api/file/${fileId}/thumbnail/upload`, { method: "POST", body: form });
+};
+
+export const requestFileThumbnailDownload = async (fileId: number, dataKey?: CryptoKey) => {
+  const cache = await getFileThumbnailCache(fileId);
+  if (cache || !dataKey) return cache;
+
+  let thumbnailInfo;
+  try {
+    thumbnailInfo = await trpc().file.thumbnail.query({ id: fileId });
+  } catch {
+    // TODO: Error Handling
+    return null;
+  }
+  const { contentIv: thumbnailEncryptedIv } = thumbnailInfo;
+
+  const res = await fetch(`/api/file/${fileId}/thumbnail/download`);
+  if (!res.ok) return null;
+
+  const thumbnailEncrypted = await res.arrayBuffer();
+  const thumbnailBuffer = await decryptData(thumbnailEncrypted, thumbnailEncryptedIv, dataKey);
+
+  storeFileThumbnailCache(fileId, thumbnailBuffer); // Intended
+  return getThumbnailUrl(thumbnailBuffer);
+};
+
+export const requestDeletedFilesCleanup = async () => {
+  let liveFiles;
+  try {
+    liveFiles = await trpc().file.list.query();
+  } catch {
+    // TODO: Error Handling
+    return;
+  }
+
+  const liveFilesSet = new Set(liveFiles);
+  const maybeCachedFiles = await getAllFileInfos();
+
+  await Promise.all(
+    maybeCachedFiles
+      .filter(({ id }) => !liveFilesSet.has(id))
+      .flatMap(({ id }) => [deleteFileCache(id), deleteFileThumbnailCache(id)]),
+  );
+};
--- a/src/lib/services/key.ts
+++ b/src/lib/services/key.ts
@@ -1,19 +1,16 @@
-import { callGetApi, callPostApi } from "$lib/hooks";
 import { storeMasterKeys } from "$lib/indexedDB";
 import {
  encodeToBase64,
+  exportRSAKeyToBase64,
  decryptChallenge,
  signMessageRSA,
  unwrapMasterKey,
+  signMasterKeyWrapped,
  verifyMasterKeyWrapped,
 } from "$lib/modules/crypto";
-import type {
-  ClientRegisterRequest,
-  ClientRegisterResponse,
-  ClientRegisterVerifyRequest,
-  MasterKeyListResponse,
-} from "$lib/server/schemas";
-import { masterKeyStore } from "$lib/stores";
+import { requestSessionUpgrade } from "$lib/services/auth";
+import { masterKeyStore, type ClientKeys } from "$lib/stores";
+import { trpc, isTRPCClientError } from "$trpc/client";

 export const requestClientRegistration = async (
  encryptKeyBase64: string,
@@ -21,28 +18,62 @@ export const requestClientRegistration = async (
  verifyKeyBase64: string,
  signKey: CryptoKey,
 ) => {
-  let res = await callPostApi<ClientRegisterRequest>("/api/client/register", {
-    encPubKey: encryptKeyBase64,
-    sigPubKey: verifyKeyBase64,
-  });
-  if (!res.ok) return false;
+  try {
+    const { id, challenge } = await trpc().client.register.mutate({
+      encPubKey: encryptKeyBase64,
+      sigPubKey: verifyKeyBase64,
+    });
+    const answer = await decryptChallenge(challenge, decryptKey);
+    const answerSig = await signMessageRSA(answer, signKey);
+    await trpc().client.verify.mutate({
+      id,
+      answerSig: encodeToBase64(answerSig),
+    });
+    return true;
+  } catch {
+    // TODO: Error Handling
+    return false;
+  }
+};

-  const { challenge }: ClientRegisterResponse = await res.json();
-  const answer = await decryptChallenge(challenge, decryptKey);
-  const answerSig = await signMessageRSA(answer, signKey);
+export const requestClientRegistrationAndSessionUpgrade = async (
+  { encryptKey, decryptKey, signKey, verifyKey }: ClientKeys,
+  force: boolean,
+) => {
+  const encryptKeyBase64 = await exportRSAKeyToBase64(encryptKey);
+  const verifyKeyBase64 = await exportRSAKeyToBase64(verifyKey);
+  const [res, error] = await requestSessionUpgrade(
+    encryptKeyBase64,
+    decryptKey,
+    verifyKeyBase64,
+    signKey,
+    force,
+  );
+  if (error === undefined) return [res] as const;

-  res = await callPostApi<ClientRegisterVerifyRequest>("/api/client/register/verify", {
-    answer: encodeToBase64(answer),
-    answerSig: encodeToBase64(answerSig),
-  });
-  return res.ok;
+  if (
+    error === "Unregistered client" &&
+    !(await requestClientRegistration(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey))
+  ) {
+    return [false] as const;
+  } else if (error === "Already logged in") {
+    return [false, force ? undefined : error] as const;
+  }
+
+  return [
+    (await requestSessionUpgrade(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey))[0],
+  ] as const;
 };

 export const requestMasterKeyDownload = async (decryptKey: CryptoKey, verifyKey: CryptoKey) => {
-  const res = await callGetApi("/api/mek/list");
-  if (!res.ok) return false;
+  let masterKeysWrapped;
+  try {
+    masterKeysWrapped = await trpc().mek.list.query();
+  } catch {
+    // TODO: Error Handling
+    return false;
+  }

-  const { meks: masterKeysWrapped }: MasterKeyListResponse = await res.json();
  const masterKeys = await Promise.all(
    masterKeysWrapped.map(
      async ({ version, state, mek: masterKeyWrapped, mekSig: masterKeyWrappedSig }) => {
@@ -68,3 +99,33 @@ export const requestMasterKeyDownload = async (decryptKey: CryptoKey, verifyKey:

  return true;
 };
+
+export const requestInitialMasterKeyAndHmacSecretRegistration = async (
+  masterKeyWrapped: string,
+  hmacSecretWrapped: string,
+  signKey: CryptoKey,
+) => {
+  try {
+    await trpc().mek.registerInitial.mutate({
+      mek: masterKeyWrapped,
+      mekSig: await signMasterKeyWrapped(masterKeyWrapped, 1, signKey),
+    });
+  } catch (e) {
+    if (isTRPCClientError(e) && (e.data?.code === "FORBIDDEN" || e.data?.code === "CONFLICT")) {
+      return true;
+    }
+    // TODO: Error Handling
+    return false;
+  }
+
+  try {
+    await trpc().hsk.registerInitial.mutate({
+      mekVersion: 1,
+      hsk: hmacSecretWrapped,
+    });
+    return true;
+  } catch {
+    // TODO: Error Handling
+    return false;
+  }
+};
--- a/src/lib/stores/file.ts
+++ b/src/lib/stores/file.ts
@@ -1,49 +0,0 @@
-import { writable, type Writable } from "svelte/store";
-
-export interface FileUploadStatus {
-  name: string;
-  parentId: "root" | number;
-  status:
-    | "encryption-pending"
-    | "encrypting"
-    | "upload-pending"
-    | "uploading"
-    | "uploaded"
-    | "canceled"
-    | "error";
-  progress?: number;
-  rate?: number;
-  estimated?: number;
-}
-
-export interface FileDownloadStatus {
-  id: number;
-  status:
-    | "download-pending"
-    | "downloading"
-    | "decryption-pending"
-    | "decrypting"
-    | "decrypted"
-    | "canceled"
-    | "error";
-  progress?: number;
-  rate?: number;
-  estimated?: number;
-  result?: ArrayBuffer;
-}
-
-export const fileUploadStatusStore = writable<Writable<FileUploadStatus>[]>([]);
-
-export const fileDownloadStatusStore = writable<Writable<FileDownloadStatus>[]>([]);
-
-export const isFileUploading = (
-  status: FileUploadStatus["status"],
-): status is "encryption-pending" | "encrypting" | "upload-pending" | "uploading" => {
-  return ["encryption-pending", "encrypting", "upload-pending", "uploading"].includes(status);
-};
-
-export const isFileDownloading = (
-  status: FileDownloadStatus["status"],
-): status is "download-pending" | "downloading" | "decryption-pending" | "decrypting" => {
-  return ["download-pending", "downloading", "decryption-pending", "decrypting"].includes(status);
-};
--- a/src/lib/stores/index.ts
+++ b/src/lib/stores/index.ts
@@ -1,2 +1 @@
-export * from "./file";
 export * from "./key";
--- a/src/lib/types/filesystem.d.ts
+++ b/src/lib/types/filesystem.d.ts
@@ -0,0 +1,2 @@
+type DirectoryId = "root" | number;
+type CategoryId = "root" | number;
--- a/src/lib/utils/format.ts
+++ b/src/lib/utils/format.ts
@@ -7,6 +7,13 @@ export const formatDate = (date: Date) => {
  return `${year}. ${month}. ${day}.`;
 };

+export const formatDateSortable = (date: Date) => {
+  const year = date.getFullYear();
+  const month = pad2(date.getMonth() + 1);
+  const day = pad2(date.getDate());
+  return `${year}${month}${day}`;
+};
+
 export const formatDateTime = (date: Date) => {
  const dateFormatted = formatDate(date);
  const hours = date.getHours();
@@ -32,32 +39,3 @@ export const truncateString = (str: string, maxLength = 20) => {
  if (str.length <= maxLength) return str;
  return `${str.slice(0, maxLength)}...`;
 };
-
-export enum SortBy {
-  NAME_ASC,
-  NAME_DESC,
-}
-
-type SortFunc = (a?: string, b?: string) => number;
-
-const collator = new Intl.Collator(undefined, { numeric: true, sensitivity: "base" });
-
-const sortByNameAsc: SortFunc = (a, b) => {
-  if (a && b) return collator.compare(a, b);
-  if (a) return -1;
-  if (b) return 1;
-  return 0;
-};
-
-const sortByNameDesc: SortFunc = (a, b) => -sortByNameAsc(a, b);
-
-export const sortEntries = <T extends { name?: string }>(entries: T[], sortBy: SortBy) => {
-  let sortFunc: SortFunc;
-  if (sortBy === SortBy.NAME_ASC) {
-    sortFunc = sortByNameAsc;
-  } else {
-    sortFunc = sortByNameDesc;
-  }
-
-  entries.sort((a, b) => sortFunc(a.name, b.name));
-};
--- a/src/lib/utils/gotoStateful.ts
+++ b/src/lib/utils/gotoStateful.ts
--- a/src/lib/utils/index.ts
+++ b/src/lib/utils/index.ts
@@ -0,0 +1,4 @@
+export * from "./format";
+export * from "./gotoStateful";
+export * from "./promise";
+export * from "./sort";
--- a/src/lib/utils/promise.ts
+++ b/src/lib/utils/promise.ts
@@ -0,0 +1,16 @@
+export const monotonicResolve = <T>(
+  promises: (Promise<T> | false)[],
+  callback: (value: T) => void,
+) => {
+  let latestResolvedIndex = -1;
+  promises
+    .filter((promise) => !!promise)
+    .forEach((promise, index) => {
+      promise.then((value) => {
+        if (index > latestResolvedIndex) {
+          latestResolvedIndex = index;
+          callback(value);
+        }
+      });
+    });
+};
--- a/src/lib/utils/sort.ts
+++ b/src/lib/utils/sort.ts
@@ -0,0 +1,58 @@
+interface SortEntry {
+  name?: string;
+  date?: Date;
+}
+
+export enum SortBy {
+  NAME_ASC,
+  NAME_DESC,
+  DATE_ASC,
+  DATE_DESC,
+}
+
+type SortFunc = (a: SortEntry, b: SortEntry) => number;
+
+const collator = new Intl.Collator(undefined, { numeric: true, sensitivity: "base" });
+
+const sortByNameAsc: SortFunc = ({ name: a }, { name: b }) => {
+  if (a && b) return collator.compare(a, b);
+  if (a) return -1;
+  if (b) return 1;
+  return 0;
+};
+
+const sortByNameDesc: SortFunc = (a, b) => -sortByNameAsc(a, b);
+
+const sortByDateAsc: SortFunc = ({ date: a }, { date: b }) => {
+  if (a && b) return a.getTime() - b.getTime();
+  if (a) return -1;
+  if (b) return 1;
+  return 0;
+};
+
+const sortByDateDesc: SortFunc = (a, b) => -sortByDateAsc(a, b);
+
+export const sortEntries = <T extends SortEntry>(entries: T[], sortBy = SortBy.NAME_ASC) => {
+  let sortFunc: SortFunc;
+
+  switch (sortBy) {
+    case SortBy.NAME_ASC:
+      sortFunc = sortByNameAsc;
+      break;
+    case SortBy.NAME_DESC:
+      sortFunc = sortByNameDesc;
+      break;
+    case SortBy.DATE_ASC:
+      sortFunc = sortByDateAsc;
+      break;
+    case SortBy.DATE_DESC:
+      sortFunc = sortByDateDesc;
+      break;
+    default:
+      const exhaustive: never = sortBy;
+      sortFunc = exhaustive;
+  }
+
+  entries.sort(sortFunc);
+  return entries;
+};
--- a/src/routes/(fullscreen)/auth/changePassword/+page.svelte
+++ b/src/routes/(fullscreen)/auth/changePassword/+page.svelte
@@ -6,8 +6,14 @@

  let oldPassword = $state("");
  let newPassword = $state("");
+  let confirmPassword = $state("");

  const changePassword = async () => {
+    if (newPassword !== confirmPassword) {
+      // TODO: Alert
+      return;
+    }
+
    if (await requestPasswordChange(oldPassword, newPassword)) {
      await goto("/menu");
    }
@@ -30,6 +36,7 @@

    <TextInput bind:value={oldPassword} placeholder="기존 비밀번호" type="password" />
    <TextInput bind:value={newPassword} placeholder="새 비밀번호" type="password" />
+    <TextInput bind:value={confirmPassword} placeholder="새 비밀번호 확인" type="password" />
  </TitledDiv>
  <BottomDiv>
    <Button onclick={changePassword} class="w-full">비밀번호 바꾸기</Button>
--- a/src/routes/(fullscreen)/auth/changePassword/service.ts
+++ b/src/routes/(fullscreen)/auth/changePassword/service.ts
@@ -1,10 +1,11 @@
-import { callPostApi } from "$lib/hooks";
-import type { PasswordChangeRequest } from "$lib/server/schemas";
+import { trpc } from "$trpc/client";

 export const requestPasswordChange = async (oldPassword: string, newPassword: string) => {
-  const res = await callPostApi<PasswordChangeRequest>("/api/auth/changePassword", {
-    oldPassword,
-    newPassword,
-  });
-  return res.ok;
+  try {
+    await trpc().auth.changePassword.mutate({ oldPassword, newPassword });
+    return true;
+  } catch {
+    // TODO: Error Handling
+    return false;
+  }
 };
--- a/src/routes/(fullscreen)/auth/login/+page.svelte
+++ b/src/routes/(fullscreen)/auth/login/+page.svelte
@@ -2,18 +2,57 @@
  import { goto } from "$app/navigation";
  import { BottomDiv, Button, FullscreenDiv, TextButton, TextInput } from "$lib/components/atoms";
  import { TitledDiv } from "$lib/components/molecules";
+  import { ForceLoginModal } from "$lib/components/organisms";
  import { clientKeyStore, masterKeyStore } from "$lib/stores";
-  import { requestLogin, requestSessionUpgrade, requestMasterKeyDownload } from "./service";
+  import {
+    requestLogin,
+    requestClientRegistrationAndSessionUpgrade,
+    requestMasterKeyDownload,
+    requestDeletedFilesCleanup,
+    requestLogout,
+  } from "./service";

  let { data } = $props();

  let email = $state("");
  let password = $state("");

+  let isForceLoginModalOpen = $state(false);
+
  const redirect = async (url: string) => {
    return await goto(`${url}?redirect=${encodeURIComponent(data.redirectPath)}`);
  };

+  const upgradeSession = async (force: boolean) => {
+    try {
+      const [upgradeRes, upgradeError] = await requestClientRegistrationAndSessionUpgrade(
+        $clientKeyStore!,
+        force,
+      );
+      if (!force && upgradeError === "Already logged in") {
+        isForceLoginModalOpen = true;
+        return;
+      } else if (!upgradeRes) {
+        throw new Error("Failed to upgrade session");
+      }
+
+      // TODO: Multi-user support
+
+      if (
+        $masterKeyStore ||
+        (await requestMasterKeyDownload($clientKeyStore!.decryptKey, $clientKeyStore!.verifyKey))
+      ) {
+        await requestDeletedFilesCleanup();
+        await goto(data.redirectPath);
+      } else {
+        await redirect("/client/pending");
+      }
+    } catch (e) {
+      // TODO
+      throw e;
+    }
+  };
+
  const login = async () => {
    // TODO: Validation

@@ -22,19 +61,7 @@

      if (!$clientKeyStore) return await redirect("/key/generate");

-      if (!(await requestSessionUpgrade($clientKeyStore)))
-        throw new Error("Failed to upgrade session");
-
-      // TODO: Multi-user support
-
-      if (
-        $masterKeyStore ||
-        (await requestMasterKeyDownload($clientKeyStore.decryptKey, $clientKeyStore.verifyKey))
-      ) {
-        await goto(data.redirectPath);
-      } else {
-        await redirect("/client/pending");
-      }
+      await upgradeSession(false);
    } catch (e) {
      // TODO: Alert
      throw e;
@@ -63,3 +90,9 @@
    <TextButton>계정이 없어요</TextButton>
  </BottomDiv>
 </FullscreenDiv>
+
+<ForceLoginModal
+  bind:isOpen={isForceLoginModalOpen}
+  oncancel={requestLogout}
+  onLoginClick={() => upgradeSession(true)}
+/>
--- a/src/routes/(fullscreen)/auth/login/service.ts
+++ b/src/routes/(fullscreen)/auth/login/service.ts
@@ -1,37 +1,18 @@
-import { callPostApi } from "$lib/hooks";
-import { exportRSAKeyToBase64 } from "$lib/modules/crypto";
-import type { LoginRequest } from "$lib/server/schemas";
-import { requestSessionUpgrade as requestSessionUpgradeInternal } from "$lib/services/auth";
-import { requestClientRegistration } from "$lib/services/key";
-import type { ClientKeys } from "$lib/stores";
+import { trpc } from "$trpc/client";

-export { requestMasterKeyDownload } from "$lib/services/key";
+export { requestLogout } from "$lib/services/auth";
+export { requestDeletedFilesCleanup } from "$lib/services/file";
+export {
+  requestClientRegistrationAndSessionUpgrade,
+  requestMasterKeyDownload,
+} from "$lib/services/key";

 export const requestLogin = async (email: string, password: string) => {
-  const res = await callPostApi<LoginRequest>("/api/auth/login", { email, password });
-  return res.ok;
-};
-
-export const requestSessionUpgrade = async ({
-  encryptKey,
-  decryptKey,
-  signKey,
-  verifyKey,
-}: ClientKeys) => {
-  const encryptKeyBase64 = await exportRSAKeyToBase64(encryptKey);
-  const verifyKeyBase64 = await exportRSAKeyToBase64(verifyKey);
-  if (await requestSessionUpgradeInternal(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey)) {
+  try {
+    await trpc().auth.login.mutate({ email, password });
    return true;
-  }
-
-  if (await requestClientRegistration(encryptKeyBase64, decryptKey, verifyKeyBase64, signKey)) {
-    return await requestSessionUpgradeInternal(
-      encryptKeyBase64,
-      decryptKey,
-      verifyKeyBase64,
-      signKey,
-    );
-  } else {
+  } catch {
+    // TODO: Error Handling
    return false;
  }
 };
--- a/src/routes/(fullscreen)/file/[id]/+page.svelte
+++ b/src/routes/(fullscreen)/file/[id]/+page.svelte
@@ -1,85 +1,93 @@
 <script lang="ts">
  import FileSaver from "file-saver";
  import { untrack } from "svelte";
-  import { get, type Writable } from "svelte/store";
  import { goto } from "$app/navigation";
+  import { page } from "$app/state";
  import { FullscreenDiv } from "$lib/components/atoms";
  import { Categories, IconEntryButton, TopBar } from "$lib/components/molecules";
-  import {
-    getFileInfo,
-    getCategoryInfo,
-    type FileInfo,
-    type CategoryInfo,
-  } from "$lib/modules/filesystem";
-  import { fileDownloadStatusStore, isFileDownloading, masterKeyStore } from "$lib/stores";
+  import { getFileInfo, type FileInfo, type MaybeFileInfo } from "$lib/modules/filesystem";
+  import { captureVideoThumbnail } from "$lib/modules/thumbnail";
+  import { getFileDownloadState } from "$lib/modules/file";
+  import { masterKeyStore } from "$lib/stores";
  import AddToCategoryBottomSheet from "./AddToCategoryBottomSheet.svelte";
  import DownloadStatus from "./DownloadStatus.svelte";
  import {
    requestFileRemovalFromCategory,
    requestFileDownload,
+    requestThumbnailUpload,
    requestFileAdditionToCategory,
  } from "./service";
+  import TopBarMenu from "./TopBarMenu.svelte";

+  import IconMoreVert from "~icons/material-symbols/more-vert";
+  import IconCamera from "~icons/material-symbols/camera";
  import IconClose from "~icons/material-symbols/close";
  import IconAddCircle from "~icons/material-symbols/add-circle";

  let { data } = $props();

-  let info: Writable<FileInfo | null> | undefined = $state();
-  let categories: Writable<CategoryInfo | null>[] = $state([]);
+  let infoPromise: Promise<MaybeFileInfo> | undefined = $state();
+  let info: FileInfo | null = $state(null);
+  let downloadState = $derived(getFileDownloadState(data.id));

+  let isMenuOpen = $state(false);
  let isAddToCategoryBottomSheetOpen = $state(false);

-  let downloadStatus = $derived(
-    $fileDownloadStatusStore.find((statusStore) => {
-      const { id, status } = get(statusStore);
-      return id === data.id && isFileDownloading(status);
-    }),
-  );
-
  let isDownloadRequested = $state(false);
  let viewerType: "image" | "video" | undefined = $state();
+  let fileBlob: Blob | undefined = $state();
  let fileBlobUrl: string | undefined = $state();
+  let videoElement: HTMLVideoElement | undefined = $state();

  const updateViewer = async (buffer: ArrayBuffer, contentType: string) => {
-    const fileBlob = new Blob([buffer], { type: contentType });
-    if (contentType === "image/heic") {
-      const { default: heic2any } = await import("heic2any");
-      fileBlobUrl = URL.createObjectURL(
-        (await heic2any({ blob: fileBlob, toType: "image/jpeg" })) as Blob,
-      );
-    } else if (viewerType) {
-      fileBlobUrl = URL.createObjectURL(fileBlob);
-    }
-
+    fileBlob = new Blob([buffer], { type: contentType });
+    fileBlobUrl = URL.createObjectURL(fileBlob);
    return fileBlob;
  };

+  const convertHeicToJpeg = async () => {
+    if (fileBlob?.type !== "image/heic") return;
+
+    URL.revokeObjectURL(fileBlobUrl!);
+    fileBlobUrl = undefined;
+
+    const { default: heic2any } = await import("heic2any");
+    fileBlobUrl = URL.createObjectURL(
+      (await heic2any({ blob: fileBlob, toType: "image/jpeg" })) as Blob,
+    );
+  };
+
+  const updateThumbnail = async (dataKey: CryptoKey, dataKeyVersion: Date) => {
+    const thumbnail = await captureVideoThumbnail(videoElement!);
+    await requestThumbnailUpload(data.id, thumbnail, dataKey, dataKeyVersion);
+  };
+
  const addToCategory = async (categoryId: number) => {
    await requestFileAdditionToCategory(data.id, categoryId);
    isAddToCategoryBottomSheetOpen = false;
-    info = getFileInfo(data.id, $masterKeyStore?.get(1)?.key!); // TODO: FIXME
+    infoPromise = getFileInfo(data.id, $masterKeyStore?.get(1)?.key!); // TODO: FIXME
  };

  const removeFromCategory = async (categoryId: number) => {
    await requestFileRemovalFromCategory(data.id, categoryId);
-    info = getFileInfo(data.id, $masterKeyStore?.get(1)?.key!); // TODO: FIXME
+    infoPromise = getFileInfo(data.id, $masterKeyStore?.get(1)?.key!); // TODO: FIXME
  };

  $effect(() => {
-    info = getFileInfo(data.id, $masterKeyStore?.get(1)?.key!);
+    infoPromise = getFileInfo(data.id, $masterKeyStore?.get(1)?.key!).then((fileInfo) => {
+      if (fileInfo.exists) {
+        info = fileInfo;
+      }
+      return fileInfo;
+    });
+    info = null;
    isDownloadRequested = false;
    viewerType = undefined;
  });

  $effect(() => {
-    categories =
-      $info?.categoryIds.map((id) => getCategoryInfo(id, $masterKeyStore?.get(1)?.key!)) ?? [];
-  });
-
-  $effect(() => {
-    if ($info && $info.dataKey && $info.contentIv) {
-      const contentType = $info.contentType;
+    if (info?.dataKey) {
+      const contentType = info.contentType;
      if (contentType.startsWith("image")) {
        viewerType = "image";
      } else if (contentType.startsWith("video")) {
@@ -87,24 +95,24 @@
      }

      untrack(() => {
-        if (!downloadStatus && !isDownloadRequested) {
+        if (!downloadState && !isDownloadRequested) {
          isDownloadRequested = true;
-          requestFileDownload(data.id, $info.contentIv!, $info.dataKey!).then(async (buffer) => {
-            const blob = await updateViewer(buffer, contentType);
-            if (!viewerType) {
-              FileSaver.saveAs(blob, $info.name);
-            }
-          });
+          requestFileDownload(data.id, info!.contentIv!, info!.dataKey!.key).then(
+            async (buffer) => {
+              const blob = await updateViewer(buffer, contentType);
+              if (!viewerType) {
+                FileSaver.saveAs(blob, info!.name);
+              }
+            },
+          );
        }
      });
    }
  });

  $effect(() => {
-    if ($info && $downloadStatus?.status === "decrypted") {
-      untrack(
-        () => !isDownloadRequested && updateViewer($downloadStatus.result!, $info.contentType),
-      );
+    if (info && downloadState?.status === "decrypted") {
+      untrack(() => !isDownloadRequested && updateViewer(downloadState.result!, info!.contentType));
    }
  });

@@ -115,56 +123,88 @@
  <title>파일</title>
 </svelte:head>

-<TopBar title={$info?.name} />
-<FullscreenDiv>
-  <div class="space-y-4 pb-4">
-    <DownloadStatus status={downloadStatus} />
-    {#if $info && viewerType}
-      <div class="flex w-full justify-center">
-        {#snippet viewerLoading(message: string)}
-          <p class="text-gray-500">{message}</p>
-        {/snippet}
+{#if info}
+  <TopBar title={info.name}>
+    <!-- svelte-ignore a11y_no_static_element_interactions -->
+    <!-- svelte-ignore a11y_click_events_have_key_events -->
+    <div onclick={(e) => e.stopPropagation()}>
+      <button
+        onclick={() => (isMenuOpen = !isMenuOpen)}
+        class="w-[2.3rem] flex-shrink-0 rounded-full p-1 active:bg-black active:bg-opacity-[0.04]"
+      >
+        <IconMoreVert class="text-2xl" />
+      </button>
+      <TopBarMenu
+        bind:isOpen={isMenuOpen}
+        directoryId={["category", "gallery"].includes(page.url.searchParams.get("from") ?? "")
+          ? info.parentId
+          : undefined}
+        {fileBlob}
+        filename={info.name}
+      />
+    </div>
+  </TopBar>
+  <FullscreenDiv>
+    <div class="space-y-4 pb-4">
+      {#if downloadState}
+        <DownloadStatus state={downloadState} />
+      {/if}
+      {#if viewerType}
+        <div class="flex w-full justify-center">
+          {#snippet viewerLoading(message: string)}
+            <p class="text-gray-500">{message}</p>
+          {/snippet}

-        {#if viewerType === "image"}
-          {#if fileBlobUrl}
-            <img src={fileBlobUrl} alt={$info.name} />
-          {:else}
-            {@render viewerLoading("이미지를 불러오고 있어요.")}
+          {#if viewerType === "image"}
+            {#if fileBlobUrl}
+              <img src={fileBlobUrl} alt={info.name} onerror={convertHeicToJpeg} />
+            {:else}
+              {@render viewerLoading("이미지를 불러오고 있어요.")}
+            {/if}
+          {:else if viewerType === "video"}
+            {#if fileBlobUrl}
+              <div class="flex flex-col space-y-2">
+                <!-- svelte-ignore a11y_media_has_caption -->
+                <video bind:this={videoElement} src={fileBlobUrl} controls muted></video>
+                <IconEntryButton
+                  icon={IconCamera}
+                  onclick={() => updateThumbnail(info?.dataKey?.key!, info?.dataKey?.version!)}
+                  class="w-full"
+                >
+                  이 장면을 썸네일로 설정하기
+                </IconEntryButton>
+              </div>
+            {:else}
+              {@render viewerLoading("비디오를 불러오고 있어요.")}
+            {/if}
          {/if}
-        {:else if viewerType === "video"}
-          {#if fileBlobUrl}
-            <!-- svelte-ignore a11y_media_has_caption -->
-            <video src={fileBlobUrl} controls></video>
-          {:else}
-            {@render viewerLoading("비디오를 불러오고 있어요.")}
-          {/if}
-        {/if}
-      </div>
-    {/if}
-    <div class="space-y-2">
-      <p class="text-lg font-bold">카테고리</p>
-      <div class="space-y-1">
-        <Categories
-          {categories}
-          categoryMenuIcon={IconClose}
-          onCategoryClick={({ id }) => goto(`/category/${id}`)}
-          onCategoryMenuClick={({ id }) => removeFromCategory(id)}
-        />
-        <IconEntryButton
-          icon={IconAddCircle}
-          onclick={() => (isAddToCategoryBottomSheetOpen = true)}
-          class="h-12 w-full"
-          iconClass="text-gray-600"
-          textClass="text-gray-700"
-        >
-          카테고리에 추가하기
-        </IconEntryButton>
+        </div>
+      {/if}
+      <div class="space-y-2">
+        <p class="text-lg font-bold">카테고리</p>
+        <div class="space-y-1">
+          <Categories
+            categories={info.categories}
+            categoryMenuIcon={IconClose}
+            onCategoryClick={({ id }) => goto(`/category/${id}`)}
+            onCategoryMenuClick={({ id }) => removeFromCategory(id)}
+          />
+          <IconEntryButton
+            icon={IconAddCircle}
+            onclick={() => (isAddToCategoryBottomSheetOpen = true)}
+            class="h-12 w-full"
+            iconClass="text-gray-600"
+            textClass="text-gray-700"
+          >
+            카테고리에 추가하기
+          </IconEntryButton>
+        </div>
      </div>
    </div>
-  </div>
-</FullscreenDiv>
+  </FullscreenDiv>

-<AddToCategoryBottomSheet
-  bind:isOpen={isAddToCategoryBottomSheetOpen}
-  onAddToCategoryClick={addToCategory}
-/>
+  <AddToCategoryBottomSheet
+    bind:isOpen={isAddToCategoryBottomSheetOpen}
+    onAddToCategoryClick={addToCategory}
+  />
+{/if}
--- a/src/routes/(fullscreen)/file/[id]/AddToCategoryBottomSheet.svelte
+++ b/src/routes/(fullscreen)/file/[id]/AddToCategoryBottomSheet.svelte
@@ -1,9 +1,8 @@
 <script lang="ts">
-  import type { Writable } from "svelte/store";
  import { BottomDiv, BottomSheet, Button, FullscreenDiv } from "$lib/components/atoms";
  import { SubCategories } from "$lib/components/molecules";
  import { CategoryCreateModal } from "$lib/components/organisms";
-  import { getCategoryInfo, type CategoryInfo } from "$lib/modules/filesystem";
+  import { getCategoryInfo, type MaybeCategoryInfo } from "$lib/modules/filesystem";
  import { masterKeyStore } from "$lib/stores";
  import { requestCategoryCreation } from "./service";

@@ -14,46 +13,48 @@

  let { onAddToCategoryClick, isOpen = $bindable() }: Props = $props();

-  let category: Writable<CategoryInfo | null> | undefined = $state();
+  let categoryInfoPromise: Promise<MaybeCategoryInfo> | undefined = $state();

  let isCategoryCreateModalOpen = $state(false);

  $effect(() => {
    if (isOpen) {
-      category = getCategoryInfo("root", $masterKeyStore?.get(1)?.key!);
+      categoryInfoPromise = getCategoryInfo("root", $masterKeyStore?.get(1)?.key!);
    }
  });
 </script>

-{#if $category}
-  <BottomSheet bind:isOpen class="flex flex-col">
-    <FullscreenDiv>
-      <SubCategories
-        class="py-4"
-        info={$category}
-        onSubCategoryClick={({ id }) =>
-          (category = getCategoryInfo(id, $masterKeyStore?.get(1)?.key!))}
-        onSubCategoryCreateClick={() => (isCategoryCreateModalOpen = true)}
-        subCategoryCreatePosition="top"
-      />
-      {#if $category.id !== "root"}
-        <BottomDiv>
-          <Button onclick={() => onAddToCategoryClick($category.id)} class="w-full">
-            이 카테고리에 추가하기
-          </Button>
-        </BottomDiv>
-      {/if}
-    </FullscreenDiv>
-  </BottomSheet>
-{/if}
+{#await categoryInfoPromise then categoryInfo}
+  {#if categoryInfo?.exists}
+    <BottomSheet bind:isOpen class="flex flex-col">
+      <FullscreenDiv>
+        <SubCategories
+          class="py-4"
+          info={categoryInfo}
+          onSubCategoryClick={({ id }) =>
+            (categoryInfoPromise = getCategoryInfo(id, $masterKeyStore?.get(1)?.key!))}
+          onSubCategoryCreateClick={() => (isCategoryCreateModalOpen = true)}
+          subCategoryCreatePosition="top"
+        />
+        {#if categoryInfo.id !== "root"}
+          <BottomDiv>
+            <Button onclick={() => onAddToCategoryClick(categoryInfo.id)} class="w-full">
+              이 카테고리에 추가하기
+            </Button>
+          </BottomDiv>
+        {/if}
+      </FullscreenDiv>
+    </BottomSheet>

-<CategoryCreateModal
-  bind:isOpen={isCategoryCreateModalOpen}
-  onCreateClick={async (name: string) => {
-    if (await requestCategoryCreation(name, $category!.id, $masterKeyStore?.get(1)!)) {
-      category = getCategoryInfo($category!.id, $masterKeyStore?.get(1)?.key!); // TODO: FIXME
-      return true;
-    }
-    return false;
-  }}
-/>
+    <CategoryCreateModal
+      bind:isOpen={isCategoryCreateModalOpen}
+      onCreateClick={async (name: string) => {
+        if (await requestCategoryCreation(name, categoryInfo.id, $masterKeyStore?.get(1)!)) {
+          categoryInfoPromise = getCategoryInfo(categoryInfo.id, $masterKeyStore?.get(1)?.key!); // TODO: FIXME
+          return true;
+        }
+        return false;
+      }}
+    />
+  {/if}
+{/await}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
static	d1f9018213	사소한 리팩토링	2026-01-02 00:31:58 +09:00
static	2e3cd4f8a2	네트워크 호출 결과가 IndexedDB에 캐시되지 않던 버그 수정	2026-01-01 23:52:47 +09:00
static	d98be331ad	홈, 갤러리, 캐시 설정, 썸네일 설정 페이지에서의 네트워크 호출 최적화	2026-01-01 23:31:01 +09:00
static	841c57e8fc	삭제된 파일의 캐시가 존재하는 경우 캐시 페이지의 로딩이 끝나지 않는 버그 수정	2026-01-01 21:41:53 +09:00
static	182ec18a2b	사소한 리팩토링	2025-12-31 02:43:07 +09:00
static	7b666cf692	파일이 다운로드/업로드된 직후에 다운로드/업로드 페이지의 목록에서 바로 사라지던 버그 수정	2025-12-31 01:32:54 +09:00
static	26323c2d4d	프론트엔드 파일시스템 모듈 리팩토링	2025-12-31 00:43:12 +09:00
static	e4413ddbf6	파일 페이지에서의 네트워크 호출 최적화	2025-12-30 23:30:50 +09:00
static	b5522a4c6d	카테고리 페이지에서의 네트워크 호출 최적화	2025-12-30 20:53:20 +09:00
static	1e57941f4c	디렉터리 페이지에서 하위 디렉터리도 가상 리스트로 표시하도록 개선	2025-12-30 18:44:46 +09:00
static	409ae09f4f	디렉터리 페이지에서의 네트워크 호출 최적화	2025-12-30 17:21:54 +09:00
static	cdb652cacf	사진 또는 동영상이 없을 때 홈 페이지의 레이아웃이 깨지는 버그 수정	2025-12-29 19:43:25 +09:00
static	15b6a53710	사소한 리팩토링 2	2025-12-29 18:14:42 +09:00
static	174305ca1b	파일 페이지와 카테고리 페이지에서 파일 목록을 표시할 때도 가상 리스트를 사용하여 효율적으로 랜더링하도록 개선	2025-12-27 23:27:57 +09:00
static	0d13d3baef	사소한 리팩토링	2025-12-27 14:10:33 +09:00
static	576d41da7f	디렉터리 페이지에 상위 디렉터리로 이동 버튼 추가	2025-12-27 03:04:09 +09:00
static	9eb67d5877	파일 페이지에 다운로드 및 폴더로 이동 메뉴 추가	2025-12-27 02:37:56 +09:00
static	a9da8435cb	tRPC 클라이언트에 최대 URL 길이 설정	2025-12-26 23:54:49 +09:00
static	3e98e3d591	갤러리 페이지에서 파일이 표시되지 않던 버그 수정	2025-12-26 23:29:29 +09:00
static	27a46bcc2e	eslint.config.js 파일 업데이트	2025-12-26 23:12:37 +09:00
static	a1f30ee154	홈 페이지와 갤러리 페이지에서 사진 및 동영상만 표시되도록 개선	2025-12-26 22:58:09 +09:00
static	6d02178c69	홈 페이지 구현	2025-12-26 22:47:31 +09:00
static	ed21a9cd31	갤러리 페이지 구현	2025-12-26 22:29:44 +09:00
static	b7a7536461	Merge pull request #14 from kmc7468/migrate-to-trpc tRPC 도입	2025-12-26 15:58:24 +09:00
static	3eb7411438	사소한 리팩토링 3	2025-12-26 15:57:05 +09:00
static	c9d4b10356	사소한 리팩토링 2	2025-12-26 15:45:03 +09:00
static	d94d14cf83	사소한 리팩토링	2025-12-26 15:07:59 +09:00
static	3fc29cf8db	/api/auth 아래의 Endpoint들을 tRPC로 마이그레이션	2025-12-25 23:44:23 +09:00
static	b92b4a0b1b	Zod 4 마이그레이션	2025-12-25 22:53:51 +09:00
static	6d95059450	/api/category, /api/directory, /api/file 아래의 대부분의 Endpoint들을 tRPC로 마이그레이션	2025-12-25 22:45:55 +09:00
static	a08ddf2c09	tRPC Endpoint를 /api/trpc로 변경	2025-12-25 20:22:58 +09:00
static	208252f6b2	/api/hsk, /api/mek, /api/user 아래의 Endpoint들을 tRPC로 마이그레이션	2025-12-25 20:00:15 +09:00
static	aa4a1a74ea	/api/client 아래의 Endpoint들을 tRPC로 마이그레이션	2025-12-25 18:59:41 +09:00
static	640e12d2c3	tRPC Authorization 미들웨어 구현	2025-12-25 16:50:41 +09:00
static	7779910949	tRPC 초기 설정	2025-11-02 23:09:01 +09:00
static	328baba395	패키지 버전 업데이트	2025-11-02 02:57:18 +09:00
static	4e91cdad95	서버로부터 파일의 DEK를 다운로드한 후에야 썸네일이 표시되던 현상 수정	2025-07-20 05:17:38 +09:00
static	9f53874d1d	비디오 재생이 지원되지 않는 포맷일 때 썸네일 생성 작업이 무한히 끝나지 않던 버그 수정	2025-07-17 01:54:58 +09:00
static	af20f6ec4e	package.json 파일 업데이트	2025-07-12 19:47:59 +09:00
static	301216915e	브라우저가 heic 디코딩을 지원하는 경우 heic2any를 사용하지 않도록 개선 및 브라우저가 webp 인코딩을 지원하지 않는 경우 썸네일을 생성하지 않도록 수정	2025-07-12 19:44:16 +09:00
static	393bba45db	비밀번호 변경시 비밀번호 확인 필드 추가	2025-07-12 18:24:43 +09:00
static	3ebfcdaa7d	하위 카테고리의 파일 표시 여부를 기억하도록 개선	2025-07-12 18:14:33 +09:00
static	89921ef1df	사소한 리팩토링 3	2025-07-12 05:58:35 +09:00
static	4679b1d6bd	동영상의 썸네일이 가끔 흰색으로 잘못 생성되던 버그 수정	2025-07-12 05:39:39 +09:00
static	0d35f0b607	사소한 리팩토링 2	2025-07-12 04:57:15 +09:00
static	1304cc3868	사소한 리팩토링	2025-07-12 04:22:26 +09:00
static	823ad7f59a	패키지 버전 업데이트	2025-07-12 03:46:23 +09:00
static	01732037a6	package.json 파일 업데이트	2025-07-12 03:40:28 +09:00
static	381edce0c5	페이지가 열릴 때 영구 저장소 사용을 요청하도록 개선	2025-07-12 03:37:47 +09:00
static	eda5ff7570	로그인할 때마다 다른 디바이스에서 삭제된 파일을 스캔하여 현재 디바이스에서도 삭제하도록 구현	2025-07-12 03:27:49 +09:00
static	fa7ba451c3	비디오의 경우 원하는 장면으로 썸네일을 변경할 수 있도록 개선	2025-07-12 02:53:30 +09:00
static	eac81abe5a	키 가져오기 기능 추가	2025-07-12 01:28:44 +09:00
static	c47885d571	강제 로그인 기능 추가	2025-07-11 23:15:35 +09:00
static	fa8c163347	.dockerignore 및 .gitignore 파일 업데이트	2025-07-11 20:06:26 +09:00
static	6e14b45656	이미 클라이언트가 로그인된 상태에서 세션을 업그레이드하려는 경우 발생하던 500 오류 수정	2025-07-08 19:38:49 +09:00
static	983cb2cc57	세션 쿠키를 계속 롤링하도록 개선하여 세션이 유효함에도 브라우저에서 쿠키가 삭제되던 문제 해결	2025-07-08 13:49:48 +09:00
static	18660844e6	썸네일을 일괄적으로 생성하는 경우 발생하던 Out of Memory 문제 해결	2025-07-08 04:31:19 +09:00
static	69b31ad9af	Merge pull request #11 from kmc7468/add-file-thumbnail 파일에 대한 썸네일 기능 구현	2025-07-08 02:34:58 +09:00
static	2c7d085e6d	사소한 리팩토링 3	2025-07-08 02:34:14 +09:00
static	a42ec28176	사소한 리팩토링 2	2025-07-08 02:26:51 +09:00
static	9b1e27c20b	사소한 리팩토링	2025-07-08 02:07:54 +09:00
static	5d9042d149	세로로 긴 썸네일이 정사각형으로 제대로 표시되지 않던 버그 수정	2025-07-07 23:09:43 +09:00
static	40a87aa81f	파일 썸네일이 캐시되는 OPFS의 경로 변경	2025-07-07 18:29:04 +09:00
static	d3de06a7f9	파일 목록이 랜더링되지 않던 버그 수정	2025-07-07 17:48:55 +09:00
static	c092545b58	Merge branch 'dev' into add-file-thumbnail	2025-07-07 00:43:41 +09:00
static	e4cce6b8a0	OPFS에 캐시된 썸네일을 모두 삭제하는 기능 추가	2025-07-07 00:30:38 +09:00
static	8fefbc1bcb	썸네일 설정 페이지 완성	2025-07-06 23:17:48 +09:00
static	bcb969dc22	heic 파일에 대한 썸네일 지원 추가 및 카테고리 페이지에서도 파일의 썸네일이 표시되도록 개선	2025-07-06 19:55:13 +09:00
static	8975a0200d	파일을 삭제할 경우 서버와 클라이언트에 저장된 썸네일을 함께 삭제하도록 개선	2025-07-06 17:38:04 +09:00
static	781642fed6	썸네일을 메모리와 OPFS에 캐시하도록 개선	2025-07-06 05:36:05 +09:00
static	3a637b14b4	누락된 썸네일 생성 기능 구현	2025-07-06 00:25:50 +09:00
static	9e67920968	썸네일 표시 구현	2025-07-05 18:18:10 +09:00
static	eaf2d7f202	썸네일 업로드 구현	2025-07-05 16:55:09 +09:00
static	c236242136	thumbnail 테이블의 created_at 컬럼의 이름을 updated_at으로 변경	2025-07-05 05:54:55 +09:00
static	36d082e0f8	/api/file/[id]/thumbnail, /api/file/[id]/thumbnail/download, /api/file/[id]/thumbnail/upload Endpoint 구현	2025-07-05 05:44:00 +09:00
static	7b88679ff0	패키지 버전 업데이트 2	2025-07-05 04:13:39 +09:00
static	c9331ae5b7	클라이언트가 Decryption Oracle로 사용될 수 있는 취약점 수정	2025-07-04 23:26:58 +09:00
static	13bac59824	패키지 버전 업데이트	2025-07-04 22:33:44 +09:00
static	2a5200fe9d	Revert "데모용 임시 회원가입 구현" This reverts commit eb913366646f43fda669f0550788e0888c44b95a.	2025-05-31 21:36:27 +09:00
static	451dd3c129	데모용 임시 회원가입 구현	2025-05-28 18:00:17 +09:00
static	2105b66cc3	DB에 thumbnail 테이블 추가	2025-02-01 20:33:41 +09:00
static	ad0f3ff950	이미지/비디오 썸네일 생성 함수 구현	2025-01-31 00:37:23 +09:00