diff --git a/apps/miniprogram/src/services/request.ts b/apps/miniprogram/src/services/request.ts
index dc7444b..1789df8 100644
--- a/apps/miniprogram/src/services/request.ts
+++ b/apps/miniprogram/src/services/request.ts
@@ -21,11 +21,7 @@ const ERROR_CODE_MAP: Record<string, string> = {
 };
 
 function safeGet(key: string): string {
-  try {
-    return secureGet(key);
-  } catch {
-    return Taro.getStorageSync(key) || '';
-  }
+  return secureGet(key);
 }
 
 // --- Concurrency limiter ---
diff --git a/apps/miniprogram/src/stores/auth.ts b/apps/miniprogram/src/stores/auth.ts
index 002c196..ecd4f57 100644
--- a/apps/miniprogram/src/stores/auth.ts
+++ b/apps/miniprogram/src/stores/auth.ts
@@ -4,11 +4,9 @@ import * as authApi from '@/services/auth';
 import { secureGet, secureSet, secureRemove } from '@/utils/secure-storage';
 import { clearRequestCache, markLoggingOut, clearLoggingOut, setCachedPatientId } from '@/services/request';
 
-// secureGet fallback: _es_ 加密键为空时尝试明文键（兼容 MCP 注入等场景）
+// secureGet 已内置明文键 fallback，无需再手动 fallback
 function storageGet(key: string): string {
-  const val = secureGet(key);
-  if (val) return val;
-  return Taro.getStorageSync(key) || '';
+  return secureGet(key);
 }
 import { resetAllStores } from './index';
 
diff --git a/apps/miniprogram/src/utils/secure-storage.ts b/apps/miniprogram/src/utils/secure-storage.ts
index 70479a5..0e4b77c 100644
--- a/apps/miniprogram/src/utils/secure-storage.ts
+++ b/apps/miniprogram/src/utils/secure-storage.ts
@@ -12,11 +12,9 @@ function xorEncrypt(data: string, key: string): string {
 
 function toBase64(str: string): string {
   try {
-    const buffer = new Uint8Array(str.length);
-    for (let i = 0; i < str.length; i++) {
-      buffer[i] = str.charCodeAt(i);
-    }
-    return Taro.arrayBufferToBase64(buffer.buffer);
+    const encoder = new TextEncoder();
+    const uint8 = encoder.encode(str);
+    return Taro.arrayBufferToBase64(uint8.buffer as ArrayBuffer);
   } catch {
     return '';
   }
@@ -25,12 +23,8 @@ function toBase64(str: string): string {
 function fromBase64(b64: string): string {
   try {
     const buffer = Taro.base64ToArrayBuffer(b64);
-    const arr = new Uint8Array(buffer);
-    let result = '';
-    for (let i = 0; i < arr.length; i++) {
-      result += String.fromCharCode(arr[i]);
-    }
-    return result;
+    const decoder = new TextDecoder();
+    return decoder.decode(new Uint8Array(buffer));
   } catch {
     return '';
   }
@@ -55,7 +49,11 @@ export function secureSet(key: string, value: string): void {
 export function secureGet(key: string): string {
   const prefixedKey = STORAGE_PREFIX + key;
   const raw = Taro.getStorageSync(prefixedKey);
-  if (!raw || typeof raw !== 'string') return '';
+  if (!raw || typeof raw !== 'string') {
+    // fallback: 尝试读取明文键（兼容 MCP 注入等场景）
+    const plain = Taro.getStorageSync(key);
+    return (plain && typeof plain === 'string') ? plain : '';
+  }
 
   // 始终尝试 base64 解码 + XOR 解密（secureSet 的写入格式）
   try {