@jeanharo98/typed-storage 0.1.5 → 0.1.7

package/README.md

@@ -160,7 +160,56 @@ createStorage(schema, {
 
 ---
 
-## ⚙️ Options
+## 🗄️ Heavy data with IndexedDB
+
+For large datasets that exceed `localStorage`'s ~5MB limit (file lists, extensive history, large collections), use `createHeavyStorage` — a separate async API backed by IndexedDB.
+
+```typescript
+import { createHeavyStorage } from 'typed-storage';
+
+const heavyStorage = createHeavyStorage({
+    documents: [] as Document[],
+    userPhotos: [] as Photo[]
+}, {
+    dbName: 'myapp-storage',
+    ttl: 86400000  // optional — same TTL support as the sync API
+});
+
+// All operations are async — IndexedDB is asynchronous by nature
+await heavyStorage.documents.set([...manyDocuments]);
+const docs = await heavyStorage.documents.get();
+await heavyStorage.documents.remove();
+
+heavyStorage.documents.onChange((newValue) => {
+    console.log('documents changed:', newValue);
+});
+
+await heavyStorage.clear();
+```
+
+### Why a separate API?
+
+`createStorage()` uses a synchronous Signal-like API by design — that's the core value of typed-storage. IndexedDB is asynchronous by nature, so mixing it into the same API would break that synchronous contract.
+
+```
+createStorage()       → sync, Signal-like, for UI preferences and small state
+createHeavyStorage()  → async, Promise-based, for large datasets
+```
+
+If you only need small values (theme, language, settings), stick with `createStorage()`. Use `createHeavyStorage()` only when you specifically need to store data beyond localStorage's size limits.
+
+### `HeavySignal<T>` API
+
+| Member | Description |
+|--------|-------------|
+| `signal.get()` | Returns a Promise with the current value |
+| `signal.set(value)` | Stores the value, returns a Promise |
+| `signal.remove()` | Deletes the value, returns a Promise |
+| `signal.onChange(cb)` | Subscribes to value changes (called synchronously after set/remove) |
+
+---
+
+
 
 ```typescript
 const appStorage = createStorage(schema, options);
@@ -175,7 +224,8 @@ const appStorage = createStorage(schema, options);
 | `version` | `number` | — | Current schema version — required for migrations |
 | `migrations` | `Record<number, (data) => data>` | — | Migration functions per version |
 | `compress` | `boolean` | `false` | Compresses data with LZ-string before storing |
-| `encrypt` | `boolean` | `false` | Shows a security warning — see note below |
+| `encrypt` | `boolean` | `false` | Obfuscates data with XOR + Base64 — see security note below |
+| `secret` | `string` | — | Required when `encrypt: true` — the obfuscation key |
 
 ---
 
@@ -230,27 +280,79 @@ appStorage.theme.remove();     // → 'theme changed to: dark' (initialValue)
 
 ---
 
-## 🔒 A note on encryption
+## 🔒 Encryption (XOR obfuscation)
+
+`typed-storage` can obfuscate values using XOR + Base64 before storing them. This is **not real cryptography** — read this section carefully before using it.
+
+```typescript
+const secureStorage = createStorage({
+    token: ''
+}, {
+    encrypt: true,
+    secret: 'your-secret-key',  // required when encrypt is true
+    ttl: 3600000                // recommended — expire alongside your real token
+});
+
+secureStorage.token.set('eyJhbGciOiJIUzI1NiJ9.xxx.yyy');
+// Stored in localStorage as obfuscated text, not the readable JWT
+
+const token = secureStorage.token();
+// Automatically decrypted — returns the real JWT
+```
 
-If you pass `encrypt: true`, typed-storage will display a warning explaining why encrypting values in `localStorage` is not a secure practice — the encryption key must live in the frontend and is accessible to anyone who inspects your code.
+### ⚠️ What this actually protects against
 
-For sensitive data such as auth tokens or personal information, use **httpOnly cookies** set by your server:
+```
+✅ Hides the value from casual inspection in DevTools/Application/Storage
+✅ Discourages non-technical users from reading or copying the value
+✅ Combined with ttl, expires alongside your backend token
+
+❌ Does NOT protect against a technical attacker
+❌ Does NOT protect against debugger breakpoints — the secret and
+   decrypted value are visible in memory while the app runs
+❌ Is NOT equivalent to real cryptography (AES, etc.)
+```
+
+### Why this limitation exists — and why no frontend library can fix it
+
+The `secret` you pass lives in your JavaScript code, which runs in the user's browser. No matter the algorithm used (XOR, AES, anything), **the key must be present in the frontend to decrypt the value**, which means it's always inspectable:
+
+```
+1. The secret travels safely over HTTPS — that's not the problem
+2. Once it reaches the browser, it must be used by your JS to decrypt
+3. Anyone with DevTools open can set a breakpoint where decryption
+   happens and read the secret and the decrypted value directly
+4. This is true even with industry-standard encryption (Web Crypto AES) —
+   the algorithm's strength doesn't matter if the key is exposed
+```
+
+This is a fundamental limitation of any frontend-only encryption — not a flaw specific to typed-storage's XOR implementation.
+
+### For real security with auth tokens
 
 ```typescript
 // In your backend (Express / NestJS):
 res.cookie('authToken', token, {
-  httpOnly: true,   // not accessible from JavaScript
-  secure: true,     // HTTPS only
-  sameSite: 'strict'
+    httpOnly: true,   // JavaScript cannot read this — ever
+    secure: true,     // HTTPS only
+    sameSite: 'strict'
 });
 ```
 
-typed-storage is designed for:
-- ✅ UI preferences (theme, language, font size)
-- ✅ Navigation state (last visited, sidebar open)
-- ✅ Non-sensitive user settings
-- ❌ Auth tokens → use httpOnly cookies
-- ❌ Passwords or financial data → never in localStorage
+httpOnly cookies are the only approach where the token never becomes accessible to JavaScript running in the browser — because the browser itself enforces the restriction, not your code.
+
+### When `encrypt` is still worth using
+
+```
+✅ You understand it's obfuscation, not security
+✅ You want to deter casual inspection, not block determined attackers
+✅ You're combining it with ttl so values expire predictably
+✅ The data isn't critical enough to justify httpOnly cookie infrastructure
+   (e.g. you're prototyping, or it's a low-stakes internal tool)
+
+❌ Don't rely on this alone for banking, healthcare, or any data where
+   a breach has real consequences — use httpOnly cookies on the backend
+```
 
 ---
 

package/dist/create-storage.js

@@ -17,24 +17,6 @@ export function createStorage(schema, options) {
     }
     const sto = options?.storage === 'session' ? sessionStorage : localStorage;
     registerPrefix(options?.prefix ?? '', sto);
-    if (options?.encrypt) {
-        console.warn(`
-⚠️  typed-storage: la opción encrypt está activada.
-
-Encriptar valores en localStorage no es seguro — 
-la clave vive en el frontend y cualquier dev puede accederla.
-
-Para datos sensibles usa:
-    ✅ httpOnly cookies (tokens, sesiones)
-    ✅ Variables de entorno en el servidor
-  
-typed-storage es ideal para:
-    ✅ Preferencias de UI (theme, language)
-    ✅ Estado de navegación
-    ❌ Tokens de autenticación
-    ❌ Datos financieros o personales sensibles
-        `);
-    }
     const result = [];
     let keys = Object.keys(schema);
     for (let key of keys) {

package/dist/heavy-storage.d.ts

@@ -0,0 +1,19 @@
+interface HeavyStorageOptions {
+    dbName?: string;
+    ttl?: number;
+}
+interface HeavySignal<T> {
+    get(): Promise<T>;
+    set(value: T): Promise<void>;
+    remove(): Promise<void>;
+    onChange(callback: (value: T) => void): void;
+}
+export declare function createHeavySignal<T>(key: string, initialValue: T, options?: HeavyStorageOptions): HeavySignal<T>;
+type HeavyStorageSchema = Record<string, any>;
+type HeavyStorageResult<T extends HeavyStorageSchema> = {
+    [K in keyof T]: HeavySignal<T[K]>;
+} & {
+    clear(): Promise<void>;
+};
+export declare function createHeavyStorage<T extends HeavyStorageSchema>(schema: T, options?: HeavyStorageOptions): HeavyStorageResult<T>;
+export {};

package/dist/heavy-storage.js

@@ -0,0 +1,89 @@
+function openDB(dbName) {
+    return new Promise((resolve, reject) => {
+        const request = indexedDB.open(dbName, 1);
+        request.onupgradeneeded = (event) => {
+            const db = event.target.result;
+            if (!db.objectStoreNames.contains('storage')) {
+                db.createObjectStore('storage');
+            }
+        };
+        request.onsuccess = () => resolve(request.result);
+        request.onerror = () => reject(request.error);
+    });
+}
+function dbGet(db, key) {
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction('storage', 'readonly');
+        const store = transaction.objectStore('storage');
+        const request = store.get(key);
+        request.onsuccess = () => resolve(request.result);
+        request.onerror = () => reject(request.error);
+    });
+}
+function dbSet(db, key, value) {
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction('storage', 'readwrite');
+        const store = transaction.objectStore('storage');
+        const request = store.put(value, key);
+        request.onsuccess = () => resolve();
+        request.onerror = () => reject(request.error);
+    });
+}
+function dbDelete(db, key) {
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction('storage', 'readwrite');
+        const store = transaction.objectStore('storage');
+        const request = store.delete(key);
+        request.onsuccess = () => resolve();
+        request.onerror = () => reject(request.error);
+    });
+}
+export function createHeavySignal(key, initialValue, options) {
+    const dbName = options?.dbName ?? 'typed-storage-heavy';
+    const listeners = [];
+    function notify(value) {
+        listeners.forEach(cb => cb(value));
+    }
+    const signal = {};
+    signal.get = async function () {
+        const db = await openDB(dbName);
+        const stored = await dbGet(db, key);
+        if (stored === undefined)
+            return initialValue;
+        if (stored.expiresAt && Date.now() > stored.expiresAt) {
+            await dbDelete(db, key);
+            return initialValue;
+        }
+        return stored.value ?? initialValue;
+    };
+    signal.set = async function (value) {
+        const db = await openDB(dbName);
+        await dbSet(db, key, {
+            value,
+            expiresAt: options?.ttl ? Date.now() + options.ttl : undefined
+        });
+        notify(value);
+    };
+    signal.remove = async function () {
+        const db = await openDB(dbName);
+        await dbDelete(db, key);
+        notify(initialValue);
+    };
+    signal.onChange = function (callback) {
+        listeners.push(callback);
+    };
+    return signal;
+}
+export function createHeavyStorage(schema, options) {
+    const result = {};
+    const keys = Object.keys(schema);
+    for (const key of keys) {
+        result[key] = createHeavySignal(key, schema[key], options);
+    }
+    result.clear = async () => {
+        for (const key of keys) {
+            await result[key].remove();
+        }
+    };
+    return result;
+}

package/dist/index.d.ts

@@ -1,2 +1,3 @@
 export { createStorage } from './create-storage.js';
+export { createHeavyStorage } from './heavy-storage.js';
 export type { StorageSignal, StorageSchema, StorageResult, StorageSignalOptions } from './types.js';

package/dist/index.js

@@ -1 +1,2 @@
 export { createStorage } from './create-storage.js';
+export { createHeavyStorage } from './heavy-storage.js';

package/dist/storage-signal.js

@@ -1,5 +1,6 @@
 import LZString from 'lz-string';
 import { MemoryStorage } from "./memory-storage.js";
+import { xorEncrypt, xorDecrypt } from './xor.js';
 function safeParseJSON(value, fallback) {
     if (!value)
         return { value: fallback };
@@ -33,9 +34,17 @@ export function createStorageSignal(key, initialValue, options) {
         key = `${options.prefix}:${key}`;
     }
     const rawData = sto.getItem(key);
-    const savedData = options?.compress && rawData
+    let savedData = options?.compress && rawData
         ? LZString.decompress(rawData)
         : rawData;
+    if (options?.encrypt && options?.secret && savedData) {
+        try {
+            savedData = xorDecrypt(savedData, options.secret);
+        }
+        catch {
+            savedData = null;
+        }
+    }
     let currentValue;
     const listeners = [];
     function notify(value) {
@@ -64,9 +73,17 @@ export function createStorageSignal(key, initialValue, options) {
                     notify(initialValue);
                     return currentValue = initialValue;
                 }
-                const rawNewValue = options?.compress
+                let rawNewValue = options?.compress
                     ? LZString.decompress(event.newValue)
                     : event.newValue;
+                if (options?.encrypt && options?.secret) {
+                    try {
+                        rawNewValue = xorDecrypt(rawNewValue, options.secret);
+                    }
+                    catch {
+                        rawNewValue = '';
+                    }
+                }
                 const item = safeParseJSON(rawNewValue, initialValue);
                 notify(item.value);
                 return currentValue = item.value;
@@ -80,9 +97,12 @@ export function createStorageSignal(key, initialValue, options) {
             value: newValue,
             expiresAt: options?.ttl ? Date.now() + options.ttl : undefined
         });
-        const finalData = options?.compress
+        let finalData = options?.compress
             ? LZString.compress(dataToStore)
             : dataToStore;
+        if (options?.encrypt && options?.secret) {
+            finalData = xorEncrypt(finalData, options.secret);
+        }
         sto.setItem(key, finalData);
     };
     signalBase.reset = function () {

package/dist/types.d.ts

@@ -4,6 +4,7 @@ export interface StorageSignalOptions {
     ttl?: number;
     sync?: boolean;
     encrypt?: boolean;
+    secret?: string;
     version?: number;
     migrations?: Record<number, (data: any) => any>;
     compress?: boolean;

package/dist/xor.d.ts

@@ -0,0 +1,3 @@
+export declare function xorTransform(text: string, secret: string): string;
+export declare function xorEncrypt(text: string, secret: string): string;
+export declare function xorDecrypt(text: string, secret: string): string;

package/dist/xor.js

@@ -0,0 +1,14 @@
+export function xorTransform(text, secret) {
+    return text.split('').map((char, i) => {
+        const keyChar = secret[i % secret.length];
+        return String.fromCharCode(char.charCodeAt(0) ^ keyChar.charCodeAt(0));
+    }).join('');
+}
+export function xorEncrypt(text, secret) {
+    const xored = xorTransform(text, secret);
+    return btoa(xored);
+}
+export function xorDecrypt(text, secret) {
+    const xored = atob(text);
+    return xorTransform(xored, secret);
+}

package/index.html

@@ -7,28 +7,18 @@
     <script type="module">
         import { createStorage } from './dist/index.js';
 
-        const compressedStorage = createStorage({
-            bigData: { items: [] }
+        const secureStorage = createStorage({
+            token: ''
         }, {
-            prefix: 'compressed',
-            compress: true
+            prefix: 'secure',
+            encrypt: true,
+            secret: 'mi-clave-secreta',
+            ttl: 3600000
         });
 
-        // Genera datos grandes para probar
-        const bigArray = Array.from({ length: 100 }, (_, i) => ({
-            id: i,
-            name: `Item ${i}`,
-            description: 'Lorem ipsum dolor sit amet consectetur'
-        }));
-
-        compressedStorage.bigData.set({ items: bigArray });
-
-        console.log('Valor leído:', compressedStorage.bigData());
-        console.log('Tamaño en localStorage:', localStorage.getItem('compressed:bigData')?.length, 'caracteres');
-
-        // Compara con la versión sin comprimir
-        const uncompressedSize = JSON.stringify({ value: { items: bigArray } }).length;
-        console.log('Tamaño sin comprimir sería:', uncompressedSize, 'caracteres');
+        secureStorage.token.set('eyJhbGciOiJIUzI1NiJ9.test.jwt');
+        console.log('Valor leído:', secureStorage.token());
+        console.log('Valor en localStorage (debe estar ofuscado):', localStorage.getItem('secure:token'));
     </script>
 </body>
 </html>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jeanharo98/typed-storage",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "Type-safe localStorage with reactive signals",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -16,6 +16,7 @@
   },
   "devDependencies": {
     "@vitest/coverage-v8": "^4.1.8",
+    "fake-indexeddb": "^6.2.5",
     "jsdom": "^29.1.1",
     "ts-node": "^10.9.2",
     "typescript": "^6.0.3",

package/src/create-storage.ts

@@ -42,25 +42,6 @@ export function createStorage<T extends StorageSchema>(
     const sto = options?.storage === 'session' ? sessionStorage : localStorage;
     registerPrefix(options?.prefix ?? '', sto);
 
-    if ( options?.encrypt ) {
-        console.warn(`
-⚠️  typed-storage: la opción encrypt está activada.
-
-Encriptar valores en localStorage no es seguro — 
-la clave vive en el frontend y cualquier dev puede accederla.
-
-Para datos sensibles usa:
-    ✅ httpOnly cookies (tokens, sesiones)
-    ✅ Variables de entorno en el servidor
-  
-typed-storage es ideal para:
-    ✅ Preferencias de UI (theme, language)
-    ✅ Estado de navegación
-    ❌ Tokens de autenticación
-    ❌ Datos financieros o personales sensibles
-        `);
-    }
-
     const result: any = [];
 
     let keys = Object.keys(schema);

package/src/heavy-storage.test.ts

@@ -0,0 +1,99 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { createHeavyStorage } from './heavy-storage.js';
+
+describe('createHeavyStorage', () => {
+
+    it('debe retornar el initialValue si no hay datos guardados', async () => {
+        // crea heavyStorage con dbName único para este test
+        const heavyStorage = createHeavyStorage({
+            documents: [],
+            userPhotos: []
+        }, {
+            dbName: 'test-heavy-storage'
+        });
+
+        // verifica que get() retorna el initialValue
+        const result = await heavyStorage.documents.get();
+        expect(result).toEqual([]);
+    });
+
+    it('debe guardar y leer un valor con set/get', async () => {
+        // crea heavyStorage
+        const heavyStorage = createHeavyStorage({
+            documents: [] as any[]
+        }, {
+            dbName: 'test-db-2'
+        });
+
+
+        // llama set() con un valor
+        const newDocs = [{ id: 1, name: 'Doc 1' }];
+        await heavyStorage.documents.set(newDocs);
+
+        // verifica que get() retorna ese valor
+        const result = await heavyStorage.documents.get();
+        expect(result).toEqual(newDocs);
+    });
+
+    it('debe eliminar un valor con remove()', async () => {
+        // crea heavyStorage, set() un valor
+        const heavyStorage = createHeavyStorage({
+            documents: [] as any[]
+        }, {
+            dbName: 'test-db-3'
+        });
+        await heavyStorage.documents.set([{ id: 1, name: 'Doc 1' }]);
+
+        // llama remove()
+        await heavyStorage.documents.remove();
+
+        // verifica que get() retorna el initialValue
+        const result = await heavyStorage.documents.get();
+        expect(result).toEqual([]);
+    });
+
+    it('debe notificar a onChange cuando se llama set()', async () => {
+        // usa vi.fn() como callback
+        const heavyStorage = createHeavyStorage({
+            documents: [] as any[]
+        }, {
+            dbName: 'test-db-4'
+        });
+        const callback = vi.fn();
+
+        // registra onChange
+        heavyStorage.documents.onChange(callback);
+
+        // llama set()
+        const newDocs = [{ id: 1, name: 'Doc 1' }];
+        await heavyStorage.documents.set(newDocs);
+
+        // verifica que el callback fue llamado con el valor correcto
+        expect(callback).toHaveBeenCalledWith(newDocs);
+    });
+
+    it('clear() debe resetear todas las keys del schema', async () => {
+        // crea heavyStorage con 2 keys
+        const heavyStorage = createHeavyStorage({
+            documents: [] as any[],
+            userPhotos: [] as any[]
+        }, {
+            dbName: 'test-db-5'
+        });
+
+        // set() en ambas
+        await heavyStorage.documents.set([{ id: 1 }]);
+        await heavyStorage.userPhotos.set([{ url: 'photo.jpg' }]);
+
+        // llama clear()
+        await heavyStorage.clear();
+
+        // verifica que ambas vuelven a su initialValue
+        const docs = await heavyStorage.documents.get();
+        const photos = await heavyStorage.userPhotos.get();
+
+        expect(docs).toEqual([]);
+        expect(photos).toEqual([]);
+    });
+
+});

package/src/heavy-storage.ts

@@ -0,0 +1,146 @@
+// Abrir/crear la base de datos
+function openDB(dbName: string): Promise<IDBDatabase> {
+    return new Promise((resolve, reject) => {
+        const request = indexedDB.open(dbName, 1);
+
+        request.onupgradeneeded = (event) => {
+            const db = (event.target as IDBOpenDBRequest).result;
+            // Crea el "object store" — equivalente a una tabla
+            if (!db.objectStoreNames.contains('storage')) {
+                db.createObjectStore('storage');
+            }
+        };
+
+        request.onsuccess = () => resolve(request.result);
+        request.onerror = () => reject(request.error);
+    });
+}
+
+function dbGet(db: IDBDatabase, key: string): Promise<any> {
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction('storage', 'readonly');
+        const store = transaction.objectStore('storage');
+        const request = store.get(key);
+
+        request.onsuccess = () => resolve(request.result);
+        request.onerror = () => reject(request.error);
+    });
+}
+
+function dbSet(db: IDBDatabase, key: string, value: any): Promise<void> {
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction('storage', 'readwrite');
+        const store = transaction.objectStore('storage');
+        const request = store.put(value, key);
+
+        request.onsuccess = () => resolve();
+        request.onerror = () => reject(request.error);
+    });
+}
+
+function dbDelete(db: IDBDatabase, key: string): Promise<void> {
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction('storage', 'readwrite');
+        const store = transaction.objectStore('storage');
+        const request = store.delete(key);
+
+        request.onsuccess = () => resolve();
+        request.onerror = () => reject(request.error);
+    });
+}
+
+// ===========================================
+
+interface HeavyStorageOptions {
+    dbName?: string;
+    ttl?: number;
+}
+
+interface HeavySignal<T> {
+    get(): Promise<T>;
+    set(value: T): Promise<void>;
+    remove(): Promise<void>;
+    onChange(callback: (value: T) => void): void;
+}
+
+export function createHeavySignal<T>(
+    key: string,
+    initialValue: T,
+    options?: HeavyStorageOptions
+): HeavySignal<T> {
+    const dbName = options?.dbName ?? 'typed-storage-heavy';
+    const listeners: Array<(value: T) => void> = [];
+
+    function notify(value: T): void {
+        listeners.forEach(cb => cb(value));
+    }
+
+    const signal: any = {};
+
+    signal.get = async function(): Promise<T> {
+        const db = await openDB(dbName);
+        const stored = await dbGet(db, key);
+        
+        if (stored === undefined) return initialValue;
+
+        // Verifica TTL si existe
+        if (stored.expiresAt && Date.now() > stored.expiresAt) {
+            await dbDelete(db, key);
+            return initialValue;
+        }
+
+        return stored.value ?? initialValue;
+    };
+
+    signal.set = async function(value: T): Promise<void> {
+        const db = await openDB(dbName);
+        await dbSet(db, key, {
+            value,
+            expiresAt: options?.ttl ? Date.now() + options.ttl : undefined
+        });
+        notify(value);
+    };
+
+    signal.remove = async function(): Promise<void> {
+        const db = await openDB(dbName);
+        await dbDelete(db, key);
+        notify(initialValue);
+    };
+
+    signal.onChange = function(callback: (value: T) => void): void {
+        listeners.push(callback);
+    };
+
+    return signal as HeavySignal<T>;
+}
+
+// ===========================================
+// Iteramos el schema completo
+
+type HeavyStorageSchema = Record<string, any>;
+
+type HeavyStorageResult<T extends HeavyStorageSchema> = {
+    [K in keyof T]: HeavySignal<T[K]>;
+} & {
+    clear(): Promise<void>;
+};
+
+export function createHeavyStorage<T extends HeavyStorageSchema>(
+    schema: T,
+    options?: HeavyStorageOptions
+): HeavyStorageResult<T> {
+    const result: any = {};
+
+    const keys = Object.keys(schema);
+    for (const key of keys) {
+        result[key] = createHeavySignal(key, schema[key], options);
+    }
+
+    result.clear = async () => {
+        for (const key of keys) {
+            await result[key].remove();
+        }
+    };
+
+    return result as HeavyStorageResult<T>;
+}

package/src/index.ts

@@ -1,2 +1,8 @@
 export { createStorage } from './create-storage.js';
-export type { StorageSignal, StorageSchema, StorageResult, StorageSignalOptions } from './types.js';
+export { createHeavyStorage } from './heavy-storage.js';
+export type { 
+    StorageSignal, 
+    StorageSchema, 
+    StorageResult, 
+    StorageSignalOptions 
+} from './types.js';

package/src/storage-signal.test.ts

@@ -118,4 +118,44 @@ describe('compress option', () => {
         
         expect(compressedSize).toBeLessThan(uncompressedSize);
     });
+});
+
+describe('encrypt option', () => {
+    beforeEach(() => localStorage.clear());
+
+    it('debe ofuscar el valor guardado en localStorage', () => {
+        const signal = createStorageSignal('token', '', {
+            encrypt: true,
+            secret: 'mi-clave'
+        });
+
+        signal.set('eyJhbGciOiJIUzI1NiJ9.test.jwt');
+
+        const rawStored = localStorage.getItem('token');
+        // El valor crudo NO debe contener el JWT en texto plano
+        expect(rawStored).not.toContain('eyJhbGciOiJIUzI1NiJ9');
+    });
+
+    it('debe desencriptar correctamente al leer', () => {
+        const signal = createStorageSignal('token', '', {
+            encrypt: true,
+            secret: 'mi-clave'
+        });
+
+        const originalValue = 'eyJhbGciOiJIUzI1NiJ9.test.jwt';
+        signal.set(originalValue);
+
+        expect(signal()).toBe(originalValue);
+    });
+
+    it('debe funcionar junto con TTL', () => {
+        const signal = createStorageSignal('token', '', {
+            encrypt: true,
+            secret: 'mi-clave',
+            ttl: 1000
+        });
+
+        signal.set('mi-token');
+        expect(signal()).toBe('mi-token');
+    });
 });

package/src/storage-signal.ts

@@ -6,6 +6,9 @@ import { StorageSignal, StorageSignalOptions } from "./types.js";
 // Memory
 import { MemoryStorage } from "./memory-storage.js";
 
+// Xor
+import { xorEncrypt, xorDecrypt } from './xor.js';
+
 // Interface
 interface StoredValue<T> {
     value: T;
@@ -66,9 +69,18 @@ export function createStorageSignal<T>(
     }
 
     const rawData = sto.getItem(key);
-    const savedData = options?.compress && rawData 
+    let savedData = options?.compress && rawData 
                             ? LZString.decompress(rawData) 
                             : rawData;
+
+    // Desencripta si encrypt está activo
+    if ( options?.encrypt && options?.secret && savedData ) {
+        try {
+            savedData = xorDecrypt(savedData, options.secret);
+        } catch {
+            savedData = null; // si falla desencriptar, trata como vacío
+        }
+    }
     let currentValue: T;
 
     const listeners: Array<(value: T) => void> = [];
@@ -106,9 +118,17 @@ export function createStorageSignal<T>(
                 } 
 
                 // Parseamos el nuevo valor
-                const rawNewValue = options?.compress 
+                let rawNewValue = options?.compress 
                                         ? LZString.decompress(event.newValue)
                                         : event.newValue;
+
+                if ( options?.encrypt && options?.secret ) {
+                    try {
+                        rawNewValue = xorDecrypt(rawNewValue, options.secret);
+                    } catch {
+                        rawNewValue = '';
+                    }
+                }
                 const item = safeParseJSON(rawNewValue, initialValue);
 
                 notify(item.value as T);
@@ -126,10 +146,14 @@ export function createStorageSignal<T>(
             expiresAt: options?.ttl ? Date.now() + options.ttl : undefined
         });
 
-        const finalData = options?.compress 
+        let finalData = options?.compress 
                                 ? LZString.compress(dataToStore) 
                                 : dataToStore;
 
+        if ( options?.encrypt && options?.secret ) {
+            finalData = xorEncrypt(finalData, options.secret);
+        }
+
         sto.setItem( key, finalData );
     }
 

package/src/types.ts

@@ -5,6 +5,7 @@ export interface StorageSignalOptions {
     ttl?: number;
     sync?: boolean;
     encrypt?: boolean;
+    secret?: string; // Requerido si el encrypt es true
     version?: number;
     migrations?: Record<number, ( data: any ) => any>;
     compress?: boolean;

package/src/xor.ts

@@ -0,0 +1,18 @@
+export function xorTransform ( text: string, secret: string ): string {
+    return text.split('').map((char, i) => {
+        const keyChar = secret[i % secret.length];
+        return String.fromCharCode(
+            char.charCodeAt(0) ^ keyChar.charCodeAt(0)
+        );
+    }).join('');
+}
+
+export function xorEncrypt ( text: string, secret: string ): string {
+    const xored = xorTransform(text, secret);
+    return btoa(xored);
+}
+
+export function xorDecrypt ( text: string, secret: string ): string {
+    const xored = atob(text);
+    return xorTransform(xored, secret);
+}

package/vitest.config.ts

@@ -4,5 +4,6 @@ export default defineConfig({
     test: {
         environment: 'jsdom',
         globals: true,
+        setupFiles: ['./vitest.setup.ts']
     }
 });

package/vitest.setup.ts

@@ -0,0 +1 @@
+import 'fake-indexeddb/auto';