@pcircle/footprint 1.2.2 → 1.5.0

package/dist/src/lib/crypto/decrypt.js

@@ -1,4 +1,5 @@
-import { xchacha20poly1305 } from '@noble/ciphers/chacha';
+/* global TextDecoder */
+import { xchacha20poly1305 } from "@noble/ciphers/chacha.js";
 /**
  * Decrypt ciphertext using XChaCha20-Poly1305 AEAD
  *
@@ -10,10 +11,10 @@ import { xchacha20poly1305 } from '@noble/ciphers/chacha';
  */
 export function decrypt(ciphertext, nonce, key) {
     if (key.length !== 32) {
-        throw new Error('Key must be 32 bytes');
+        throw new Error("Key must be 32 bytes");
     }
     if (nonce.length !== 24) {
-        throw new Error('Nonce must be 24 bytes');
+        throw new Error("Nonce must be 24 bytes");
     }
     // Create cipher instance
     const cipher = xchacha20poly1305(key, nonce);
@@ -21,14 +22,17 @@ export function decrypt(ciphertext, nonce, key) {
         // Decrypt and verify authentication tag
         const plaintextBytes = cipher.decrypt(ciphertext);
         // Convert bytes back to string
-        return new TextDecoder().decode(plaintextBytes);
+        const result = new TextDecoder().decode(plaintextBytes);
+        // Zero decrypted bytes from memory (defense-in-depth)
+        plaintextBytes.fill(0);
+        return result;
     }
     catch (error) {
-        // Log detailed error for debugging (server-side only, never exposed to client)
-        const originalError = error instanceof Error ? error.message : String(error);
-        console.error('[Decrypt] Decryption failed:', originalError);
         // User-facing error remains generic (security best practice)
-        throw new Error('Decryption failed: invalid key or tampered data');
+        // Original error preserved in cause chain for debugging
+        throw new Error("Decryption failed: invalid key or tampered data", {
+            cause: error,
+        });
     }
 }
 //# sourceMappingURL=decrypt.js.map

package/dist/src/lib/crypto/decrypt.js.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../../../src/lib/crypto/decrypt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CACrB,UAAsB,EACtB,KAAiB,EACjB,GAAe;IAEf,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,wCAAwC;QACxC,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAElD,+BAA+B;QAC/B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,+EAA+E;QAC/E,MAAM,aAAa,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7E,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,aAAa,CAAC,CAAC;QAE7D,6DAA6D;QAC7D,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;AACH,CAAC"}
+{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../../../src/lib/crypto/decrypt.ts"],"names":[],"mappings":"AAAA,wBAAwB;AACxB,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAE7D;;;;;;;;GAQG;AACH,MAAM,UAAU,OAAO,CACrB,UAAsB,EACtB,KAAiB,EACjB,GAAe;IAEf,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,wCAAwC;QACxC,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAElD,+BAA+B;QAC/B,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAExD,sDAAsD;QACtD,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAEvB,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,6DAA6D;QAC7D,wDAAwD;QACxD,MAAM,IAAI,KAAK,CAAC,iDAAiD,EAAE;YACjE,KAAK,EAAE,KAAK;SACb,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/src/lib/crypto/encrypt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../../../src/lib/crypto/encrypt.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,UAAU,CAAC;IACvB,KAAK,EAAE,UAAU,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,aAAa,CAkBzE"}
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../../../src/lib/crypto/encrypt.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,UAAU,CAAC;IACvB,KAAK,EAAE,UAAU,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,aAAa,CAqBzE"}

package/dist/src/lib/crypto/encrypt.js

@@ -1,5 +1,6 @@
-import { xchacha20poly1305 } from '@noble/ciphers/chacha';
-import { randomBytes } from '@noble/hashes/utils';
+/* global TextEncoder */
+import { xchacha20poly1305 } from "@noble/ciphers/chacha.js";
+import { randomBytes } from "@noble/hashes/utils.js";
 /**
  * Encrypt plaintext using XChaCha20-Poly1305 AEAD
  *
@@ -9,7 +10,7 @@ import { randomBytes } from '@noble/hashes/utils';
  */
 export function encrypt(plaintext, key) {
     if (key.length !== 32) {
-        throw new Error('Key must be 32 bytes');
+        throw new Error("Key must be 32 bytes");
     }
     // Generate random 24-byte nonce (XChaCha20 extended nonce)
     const nonce = randomBytes(24);
@@ -19,6 +20,8 @@ export function encrypt(plaintext, key) {
     const cipher = xchacha20poly1305(key, nonce);
     // Encrypt with authentication
     const ciphertext = cipher.encrypt(plaintextBytes);
+    // Zero plaintext bytes from memory (defense-in-depth)
+    plaintextBytes.fill(0);
     return { ciphertext, nonce };
 }
 //# sourceMappingURL=encrypt.js.map

package/dist/src/lib/crypto/encrypt.js.map

@@ -1 +1 @@
-{"version":3,"file":"encrypt.js","sourceRoot":"","sources":["../../../../src/lib/crypto/encrypt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAOlD;;;;;;GAMG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAe;IACxD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,2DAA2D;IAC3D,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAE9B,6BAA6B;IAC7B,MAAM,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE3D,yBAAyB;IACzB,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAE7C,8BAA8B;IAC9B,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAElD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;AAC/B,CAAC"}
+{"version":3,"file":"encrypt.js","sourceRoot":"","sources":["../../../../src/lib/crypto/encrypt.ts"],"names":[],"mappings":"AAAA,wBAAwB;AACxB,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAOrD;;;;;;GAMG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAe;IACxD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,2DAA2D;IAC3D,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAE9B,6BAA6B;IAC7B,MAAM,cAAc,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAE3D,yBAAyB;IACzB,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAE7C,8BAA8B;IAC9B,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAElD,sDAAsD;IACtD,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEvB,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;AAC/B,CAAC"}

package/dist/src/lib/crypto/key-derivation.d.ts

@@ -1,4 +1,4 @@
-import type { DerivedKey, KeyDerivationParams } from './types.js';
+import type { DerivedKey, KeyDerivationParams } from "./types.js";
 /**
  * Derive encryption key from password using Argon2id
  *

package/dist/src/lib/crypto/key-derivation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"key-derivation.d.ts","sourceRoot":"","sources":["../../../../src/lib/crypto/key-derivation.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAGlE;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,OAAO,CAAC,mBAAmB,CAAM,GACxC,OAAO,CAAC,UAAU,CAAC,CAuBrB;AAED;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,MAAM,GAAE,OAAO,CAAC,mBAAmB,CAAM,GACxC,OAAO,CAAC,UAAU,CAAC,CAwBrB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,UAAU,EACvB,MAAM,GAAE,OAAO,CAAC,mBAAmB,CAAM,GACxC,OAAO,CAAC,OAAO,CAAC,CAkClB"}
+{"version":3,"file":"key-derivation.d.ts","sourceRoot":"","sources":["../../../../src/lib/crypto/key-derivation.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAGlE;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,OAAO,CAAC,mBAAmB,CAAM,GACxC,OAAO,CAAC,UAAU,CAAC,CAmBrB;AAED;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,MAAM,GAAE,OAAO,CAAC,mBAAmB,CAAM,GACxC,OAAO,CAAC,UAAU,CAAC,CAoBrB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,WAAW,EAAE,UAAU,EACvB,MAAM,GAAE,OAAO,CAAC,mBAAmB,CAAM,GACxC,OAAO,CAAC,OAAO,CAAC,CA8BlB"}

package/dist/src/lib/crypto/key-derivation.js

@@ -1,7 +1,7 @@
-import { argon2id } from '@noble/hashes/argon2';
-import { randomBytes } from '@noble/hashes/utils';
-import { timingSafeEqual } from 'node:crypto';
-import { DEFAULT_KDF_PARAMS } from './types.js';
+import { argon2id } from "@noble/hashes/argon2.js";
+import { randomBytes } from "@noble/hashes/utils.js";
+import { timingSafeEqual } from "node:crypto";
+import { DEFAULT_KDF_PARAMS } from "./types.js";
 /**
  * Derive encryption key from password using Argon2id
  *
@@ -22,7 +22,7 @@ import { DEFAULT_KDF_PARAMS } from './types.js';
  */
 export async function deriveKey(password, params = {}) {
     if (!password || password.length === 0) {
-        throw new Error('Password cannot be empty');
+        throw new Error("Password cannot be empty");
     }
     const kdfParams = { ...DEFAULT_KDF_PARAMS, ...params };
     // Generate random salt (16 bytes)
@@ -47,11 +47,11 @@ export async function deriveKey(password, params = {}) {
  */
 export async function rederiveKey(password, salt, params = {}) {
     if (!password || password.length === 0) {
-        throw new Error('Password cannot be empty');
+        throw new Error("Password cannot be empty");
     }
     const kdfParams = { ...DEFAULT_KDF_PARAMS, ...params };
     if (salt.length !== 16) {
-        throw new Error('Salt must be 16 bytes');
+        throw new Error("Salt must be 16 bytes");
     }
     // Re-derive key using same salt
     const key = argon2id(password, salt, {
@@ -76,13 +76,13 @@ export async function rederiveKey(password, salt, params = {}) {
  */
 export async function verifyKey(password, salt, expectedKey, params = {}) {
     if (!password || password.length === 0) {
-        throw new Error('Password cannot be empty');
+        throw new Error("Password cannot be empty");
     }
     if (salt.length !== 16) {
-        throw new Error('Salt must be 16 bytes');
+        throw new Error("Salt must be 16 bytes");
     }
     if (expectedKey.length !== 32) {
-        throw new Error('Expected key must be 32 bytes');
+        throw new Error("Expected key must be 32 bytes");
     }
     const kdfParams = { ...DEFAULT_KDF_PARAMS, ...params };
     // Re-derive key using same salt
@@ -94,7 +94,7 @@ export async function verifyKey(password, salt, expectedKey, params = {}) {
     });
     // Constant-time comparison to prevent timing attacks
     try {
-        return timingSafeEqual(Buffer.from(derivedKey), Buffer.from(expectedKey));
+        return timingSafeEqual(derivedKey, expectedKey);
     }
     catch {
         // timingSafeEqual throws if lengths don't match

package/dist/src/lib/crypto/key-derivation.js.map

@@ -1 +1 @@
-{"version":3,"file":"key-derivation.js","sourceRoot":"","sources":["../../../../src/lib/crypto/key-derivation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAEhD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,SAAuC,EAAE;IAEzC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,SAAS,GAAG,EAAE,GAAG,kBAAkB,EAAE,GAAG,MAAM,EAAE,CAAC;IAEvD,kCAAkC;IAClC,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAE7B,4BAA4B;IAC5B,MAAM,GAAG,GAAG,QAAQ,CAClB,QAAQ,EACR,IAAI,EACJ;QACE,CAAC,EAAE,SAAS,CAAC,MAAM;QACnB,CAAC,EAAE,SAAS,CAAC,UAAU;QACvB,CAAC,EAAE,SAAS,CAAC,WAAW;QACxB,KAAK,EAAE,SAAS,CAAC,SAAS;KAC3B,CACF,CAAC;IAEF,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACvB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAgB,EAChB,IAAgB,EAChB,SAAuC,EAAE;IAEzC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,SAAS,GAAG,EAAE,GAAG,kBAAkB,EAAE,GAAG,MAAM,EAAE,CAAC;IAEvD,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,gCAAgC;IAChC,MAAM,GAAG,GAAG,QAAQ,CAClB,QAAQ,EACR,IAAI,EACJ;QACE,CAAC,EAAE,SAAS,CAAC,MAAM;QACnB,CAAC,EAAE,SAAS,CAAC,UAAU;QACvB,CAAC,EAAE,SAAS,CAAC,WAAW;QACxB,KAAK,EAAE,SAAS,CAAC,SAAS;KAC3B,CACF,CAAC;IAEF,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACvB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,IAAgB,EAChB,WAAuB,EACvB,SAAuC,EAAE;IAEzC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,WAAW,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,SAAS,GAAG,EAAE,GAAG,kBAAkB,EAAE,GAAG,MAAM,EAAE,CAAC;IAEvD,gCAAgC;IAChC,MAAM,UAAU,GAAG,QAAQ,CACzB,QAAQ,EACR,IAAI,EACJ;QACE,CAAC,EAAE,SAAS,CAAC,MAAM;QACnB,CAAC,EAAE,SAAS,CAAC,UAAU;QACvB,CAAC,EAAE,SAAS,CAAC,WAAW;QACxB,KAAK,EAAE,SAAS,CAAC,SAAS;KAC3B,CACF,CAAC;IAEF,qDAAqD;IACrD,IAAI,CAAC;QACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAC5E,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
+{"version":3,"file":"key-derivation.js","sourceRoot":"","sources":["../../../../src/lib/crypto/key-derivation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAEhD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,SAAuC,EAAE;IAEzC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,SAAS,GAAG,EAAE,GAAG,kBAAkB,EAAE,GAAG,MAAM,EAAE,CAAC;IAEvD,kCAAkC;IAClC,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAE7B,4BAA4B;IAC5B,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,EAAE;QACnC,CAAC,EAAE,SAAS,CAAC,MAAM;QACnB,CAAC,EAAE,SAAS,CAAC,UAAU;QACvB,CAAC,EAAE,SAAS,CAAC,WAAW;QACxB,KAAK,EAAE,SAAS,CAAC,SAAS;KAC3B,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACvB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAgB,EAChB,IAAgB,EAChB,SAAuC,EAAE;IAEzC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,SAAS,GAAG,EAAE,GAAG,kBAAkB,EAAE,GAAG,MAAM,EAAE,CAAC;IAEvD,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,gCAAgC;IAChC,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,EAAE;QACnC,CAAC,EAAE,SAAS,CAAC,MAAM;QACnB,CAAC,EAAE,SAAS,CAAC,UAAU;QACvB,CAAC,EAAE,SAAS,CAAC,WAAW;QACxB,KAAK,EAAE,SAAS,CAAC,SAAS;KAC3B,CAAC,CAAC;IAEH,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AACvB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,IAAgB,EAChB,WAAuB,EACvB,SAAuC,EAAE;IAEzC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,WAAW,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,SAAS,GAAG,EAAE,GAAG,kBAAkB,EAAE,GAAG,MAAM,EAAE,CAAC;IAEvD,gCAAgC;IAChC,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,EAAE;QAC1C,CAAC,EAAE,SAAS,CAAC,MAAM;QACnB,CAAC,EAAE,SAAS,CAAC,UAAU;QACvB,CAAC,EAAE,SAAS,CAAC,WAAW;QACxB,KAAK,EAAE,SAAS,CAAC,SAAS;KAC3B,CAAC,CAAC;IAEH,qDAAqD;IACrD,IAAI,CAAC;QACH,OAAO,eAAe,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/src/lib/storage/database.d.ts

@@ -1,5 +1,5 @@
-import Database from 'better-sqlite3';
-import type { Evidence } from './types.js';
+import Database from "better-sqlite3";
+import type { Evidence } from "./types.js";
 /**
  * Evidence database with CRUD operations
  * Manages encrypted evidence storage with SQLite backend
@@ -17,7 +17,7 @@ export declare class EvidenceDatabase {
      * @param evidence - Evidence data without id, createdAt, updatedAt
      * @returns UUID of created evidence
      */
-    create(evidence: Omit<Evidence, 'id' | 'createdAt' | 'updatedAt'>): string;
+    create(evidence: Omit<Evidence, "id" | "createdAt" | "updatedAt">): string;
     /**
      * Finds evidence by ID
      * @param id - Evidence UUID
@@ -53,6 +53,38 @@ export declare class EvidenceDatabase {
      * @throws Error if tags array is empty or all tags are whitespace
      */
     addTags(id: string, tags: string[]): void;
+    /**
+     * Builds a WHERE clause from search/filter options
+     * @param options - Filter criteria
+     * @returns SQL WHERE clause string and parameter values
+     */
+    private buildWhereClause;
+    /**
+     * Gets count of evidences matching filter criteria
+     * @param options - Filter criteria (query, tags, date range)
+     * @returns Number of matching evidences
+     */
+    getFilteredCount(options: {
+        query?: string;
+        tags?: string[];
+        dateFrom?: string;
+        dateTo?: string;
+    }): number;
+    /**
+     * Search evidences and return both paginated results and total matching count
+     * in a single pass (builds WHERE clause once instead of twice)
+     */
+    searchWithCount(options: {
+        query?: string;
+        tags?: string[];
+        dateFrom?: string;
+        dateTo?: string;
+        limit?: number;
+        offset?: number;
+    }): {
+        evidences: Evidence[];
+        total: number;
+    };
     /**
      * Search and filter evidences by various criteria
      * @param options - Search and filter options
@@ -105,6 +137,17 @@ export declare class EvidenceDatabase {
      * @returns Map of tag to count
      */
     getTagCounts(): Map<string, number>;
+    /**
+     * Gets total count of all evidence records
+     * @returns Total number of evidences in the database
+     */
+    getTotalCount(): number;
+    /**
+     * Gets count of evidence records matching a search query
+     * @param query - Search text to match against conversationId and tags
+     * @returns Number of matching evidences
+     */
+    getSearchCount(query: string): number;
     /**
      * Get the underlying database instance
      * Used for salt storage and other low-level operations

package/dist/src/lib/storage/database.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../../src/lib/storage/database.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AAEtC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAqB3C;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,EAAE,CAAoB;IAE9B;;;;OAIG;gBACS,MAAM,EAAE,MAAM;IAW1B;;;;OAIG;IACH,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,GAAG,WAAW,GAAG,WAAW,CAAC,GAAG,MAAM;IAmC1E;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI;IAkBrC;;;;OAIG;IACH,oBAAoB,CAAC,cAAc,EAAE,MAAM,GAAG,QAAQ,EAAE;IAiBxD;;;;OAIG;IACH,IAAI,CAAC,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,QAAQ,EAAE;IA4B/D;;;;;OAKG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;IAoB5E;;;;;OAKG;IACH,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI;IAwCzC;;;;OAIG;IACH,MAAM,CAAC,OAAO,EAAE;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,QAAQ,EAAE;IAqEd;;;;OAIG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAU3B;;;;OAIG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM;IAajC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO;IAepD;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM;IA4BjD;;;;;OAKG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IA4B9B;;;OAGG;IACH,YAAY,IAAI,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;IAmBnC;;;;;OAKG;IACH,KAAK,IAAI,QAAQ,CAAC,QAAQ;IAI1B;;;OAGG;IACH,KAAK,IAAI,IAAI;IAIb;;;;;OAKG;IACH,OAAO,CAAC,aAAa;CAiBtB"}
+{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../../src/lib/storage/database.ts"],"names":[],"mappings":"AACA,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AAEtC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAyB3C;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,EAAE,CAAoB;IAE9B;;;;OAIG;gBACS,MAAM,EAAE,MAAM;IAa1B;;;;OAIG;IACH,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,GAAG,WAAW,GAAG,WAAW,CAAC,GAAG,MAAM;IAqC1E;;;;OAIG;IACH,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI;IAoBrC;;;;OAIG;IACH,oBAAoB,CAAC,cAAc,EAAE,MAAM,GAAG,QAAQ,EAAE;IAiBxD;;;;OAIG;IACH,IAAI,CAAC,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,QAAQ,EAAE;IA8B/D;;;;;OAKG;IACH,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;IA2B5E;;;;;OAKG;IACH,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI;IAiDzC;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IA8CxB;;;;OAIG;IACH,gBAAgB,CAAC,OAAO,EAAE;QACxB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,MAAM;IAcV;;;OAGG;IACH,eAAe,CAAC,OAAO,EAAE;QACvB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG;QAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;IA6C5C;;;;OAIG;IACH,MAAM,CAAC,OAAO,EAAE;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,QAAQ,EAAE;IAgCd;;;;OAIG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAY3B;;;;OAIG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM;IA0BjC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO;IAiBpD;;;;;;OAMG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM;IA8BjD;;;;;OAKG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IAiC9B;;;OAGG;IACH,YAAY,IAAI,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;IA0BnC;;;OAGG;IACH,aAAa,IAAI,MAAM;IAOvB;;;;OAIG;IACH,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAIrC;;;;;OAKG;IACH,KAAK,IAAI,QAAQ,CAAC,QAAQ;IAI1B;;;OAGG;IACH,KAAK,IAAI,IAAI;IAIb;;;;;OAKG;IACH,OAAO,CAAC,aAAa;CAiBtB"}

package/dist/src/lib/storage/database.js

@@ -1,5 +1,9 @@
-import Database from 'better-sqlite3';
-import { createSchema } from './schema.js';
+/* global Buffer, crypto */
+import Database from "better-sqlite3";
+import { createSchema } from "./schema.js";
+function escapeLikePattern(pattern) {
+    return pattern.replace(/[%_\\]/g, "\\$&");
+}
 /**
  * Evidence database with CRUD operations
  * Manages encrypted evidence storage with SQLite backend
@@ -94,18 +98,18 @@ export class EvidenceDatabase {
         try {
             const limit = options?.limit;
             const offset = options?.offset ?? 0;
-            let query = 'SELECT * FROM evidences ORDER BY timestamp DESC';
+            let query = "SELECT * FROM evidences ORDER BY timestamp DESC";
             const params = [];
             if (limit !== undefined) {
-                query += ' LIMIT ?';
+                query += " LIMIT ?";
                 params.push(limit);
                 if (offset > 0) {
-                    query += ' OFFSET ?';
+                    query += " OFFSET ?";
                     params.push(offset);
                 }
             }
             else if (offset > 0) {
-                query += ' LIMIT -1 OFFSET ?';
+                query += " LIMIT -1 OFFSET ?";
                 params.push(offset);
             }
             const stmt = this.db.prepare(query);
@@ -149,37 +153,132 @@ export class EvidenceDatabase {
     addTags(id, tags) {
         try {
             if (tags.length === 0) {
-                throw new Error('Tags array cannot be empty');
+                throw new Error("Tags array cannot be empty");
             }
             // Filter out empty/whitespace-only tags
-            const validTags = tags.map(t => t.trim()).filter(t => t.length > 0);
+            const validTags = tags.map((t) => t.trim()).filter((t) => t.length > 0);
             if (validTags.length === 0) {
-                throw new Error('All provided tags are empty or whitespace');
-            }
-            // First, get existing tags
-            const evidence = this.findById(id);
-            if (!evidence) {
-                throw new Error(`Evidence with id ${id} not found`);
+                throw new Error("All provided tags are empty or whitespace");
             }
-            // Parse existing tags (comma-separated) or create empty array
-            const existingTags = evidence.tags
-                ? evidence.tags.split(',').map(t => t.trim()).filter(t => t)
-                : [];
-            // Merge tags (deduplicate) using validTags instead of raw tags
-            const mergedTags = [...new Set([...existingTags, ...validTags])];
-            // Update database with comma-separated format
-            const stmt = this.db.prepare(`
-        UPDATE evidences
-        SET tags = ?,
-            updatedAt = ?
-        WHERE id = ?
-      `);
-            stmt.run(mergedTags.join(','), new Date().toISOString(), id);
+            // Wrap in transaction to prevent read-modify-write race condition
+            const transaction = this.db.transaction(() => {
+                const evidence = this.findById(id);
+                if (!evidence) {
+                    throw new Error(`Evidence with id ${id} not found`);
+                }
+                // Parse existing tags (comma-separated) or create empty array
+                const existingTags = evidence.tags
+                    ? evidence.tags
+                        .split(",")
+                        .map((t) => t.trim())
+                        .filter((t) => t)
+                    : [];
+                // Merge tags (deduplicate) using validTags instead of raw tags
+                const mergedTags = [...new Set([...existingTags, ...validTags])];
+                // Update database with comma-separated format
+                const stmt = this.db.prepare(`
+          UPDATE evidences
+          SET tags = ?,
+              updatedAt = ?
+          WHERE id = ?
+        `);
+                stmt.run(mergedTags.join(","), new Date().toISOString(), id);
+            });
+            transaction();
         }
         catch (error) {
             throw new Error(`Failed to add tags: ${error instanceof Error ? error.message : String(error)}`);
         }
     }
+    /**
+     * Builds a WHERE clause from search/filter options
+     * @param options - Filter criteria
+     * @returns SQL WHERE clause string and parameter values
+     */
+    buildWhereClause(options) {
+        const conditions = [];
+        const params = [];
+        if (options.query && options.query.trim()) {
+            conditions.push(`(conversationId LIKE ? ESCAPE '\\' OR tags LIKE ? ESCAPE '\\')`);
+            const searchPattern = `%${escapeLikePattern(options.query.trim())}%`;
+            params.push(searchPattern, searchPattern);
+        }
+        if (options.tags && options.tags.length > 0) {
+            for (const tag of options.tags) {
+                conditions.push(`(tags LIKE ? ESCAPE '\\' OR tags LIKE ? ESCAPE '\\' OR tags LIKE ? ESCAPE '\\' OR tags = ?)`);
+                const trimmedTag = escapeLikePattern(tag.trim());
+                params.push(`${trimmedTag},%`, `%,${trimmedTag},%`, `%,${trimmedTag}`, tag.trim());
+            }
+        }
+        if (options.dateFrom) {
+            conditions.push(`timestamp >= ?`);
+            params.push(options.dateFrom);
+        }
+        if (options.dateTo) {
+            conditions.push(`timestamp <= ?`);
+            params.push(options.dateTo);
+        }
+        const sql = conditions.length > 0 ? " WHERE " + conditions.join(" AND ") : "";
+        return { sql, params };
+    }
+    /**
+     * Gets count of evidences matching filter criteria
+     * @param options - Filter criteria (query, tags, date range)
+     * @returns Number of matching evidences
+     */
+    getFilteredCount(options) {
+        try {
+            const { sql: whereClause, params } = this.buildWhereClause(options);
+            const row = this.db
+                .prepare(`SELECT COUNT(*) as count FROM evidences${whereClause}`)
+                .get(...params);
+            return row.count;
+        }
+        catch (error) {
+            throw new Error(`Failed to get filtered count: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Search evidences and return both paginated results and total matching count
+     * in a single pass (builds WHERE clause once instead of twice)
+     */
+    searchWithCount(options) {
+        try {
+            const { limit, offset = 0 } = options;
+            const { sql: whereClause, params: baseParams } = this.buildWhereClause(options);
+            // Wrap both queries in a transaction for consistent snapshot
+            const query = this.db.transaction(() => {
+                // Get total count with same WHERE clause
+                const countRow = this.db
+                    .prepare(`SELECT COUNT(*) as count FROM evidences${whereClause}`)
+                    .get(...baseParams);
+                // Build paginated query (clone params since we append to it)
+                const searchParams = [...baseParams];
+                let sql = `SELECT * FROM evidences${whereClause} ORDER BY timestamp DESC`;
+                if (limit !== undefined) {
+                    sql += " LIMIT ?";
+                    searchParams.push(limit);
+                    if (offset > 0) {
+                        sql += " OFFSET ?";
+                        searchParams.push(offset);
+                    }
+                }
+                else if (offset > 0) {
+                    sql += " LIMIT -1 OFFSET ?";
+                    searchParams.push(offset);
+                }
+                const rows = this.db.prepare(sql).all(...searchParams);
+                return {
+                    evidences: rows.map((row) => this.rowToEvidence(row)),
+                    total: countRow.count,
+                };
+            });
+            return query();
+        }
+        catch (error) {
+            throw new Error(`Failed to search evidences: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
     /**
      * Search and filter evidences by various criteria
      * @param options - Search and filter options
@@ -187,56 +286,21 @@ export class EvidenceDatabase {
      */
     search(options) {
         try {
-            const { query, tags, dateFrom, dateTo, limit, offset = 0 } = options;
-            // Build WHERE conditions
-            const conditions = [];
-            const params = [];
-            // Text search in conversationId and tags
-            if (query && query.trim()) {
-                conditions.push(`(conversationId LIKE ? OR tags LIKE ?)`);
-                const searchPattern = `%${query.trim()}%`;
-                params.push(searchPattern, searchPattern);
-            }
-            // Tag filtering (AND logic - all specified tags must be present)
-            // Tags are stored as comma-separated strings: "tag1,tag2,tag3"
-            if (tags && tags.length > 0) {
-                for (const tag of tags) {
-                    // Match tag at start, middle, or end of comma-separated list
-                    conditions.push(`(tags LIKE ? OR tags LIKE ? OR tags LIKE ? OR tags = ?)`);
-                    const trimmedTag = tag.trim();
-                    params.push(`${trimmedTag},%`, // tag at start: "tag1,..."
-                    `%,${trimmedTag},%`, // tag in middle: "...,tag1,..."
-                    `%,${trimmedTag}`, // tag at end: "...,tag1"
-                    trimmedTag // exact match (single tag)
-                    );
-                }
-            }
-            // Date range filtering
-            if (dateFrom) {
-                conditions.push(`timestamp >= ?`);
-                params.push(dateFrom);
-            }
-            if (dateTo) {
-                conditions.push(`timestamp <= ?`);
-                params.push(dateTo);
-            }
+            const { limit, offset = 0 } = options;
+            const { sql: whereClause, params } = this.buildWhereClause(options);
             // Build final query
-            let sql = 'SELECT * FROM evidences';
-            if (conditions.length > 0) {
-                sql += ' WHERE ' + conditions.join(' AND ');
-            }
-            sql += ' ORDER BY timestamp DESC';
+            let sql = `SELECT * FROM evidences${whereClause} ORDER BY timestamp DESC`;
             // Add pagination
             if (limit !== undefined) {
-                sql += ' LIMIT ?';
+                sql += " LIMIT ?";
                 params.push(limit);
                 if (offset > 0) {
-                    sql += ' OFFSET ?';
+                    sql += " OFFSET ?";
                     params.push(offset);
                 }
             }
             else if (offset > 0) {
-                sql += ' LIMIT -1 OFFSET ?';
+                sql += " LIMIT -1 OFFSET ?";
                 params.push(offset);
             }
             const stmt = this.db.prepare(sql);
@@ -271,10 +335,17 @@ export class EvidenceDatabase {
         if (ids.length === 0)
             return 0;
         try {
-            const placeholders = ids.map(() => '?').join(',');
-            const stmt = this.db.prepare(`DELETE FROM evidences WHERE id IN (${placeholders})`);
-            const result = stmt.run(...ids);
-            return result.changes;
+            // Batch deletions to stay under SQLite's 999 parameter limit
+            const BATCH_SIZE = 999;
+            let totalDeleted = 0;
+            for (let i = 0; i < ids.length; i += BATCH_SIZE) {
+                const batch = ids.slice(i, i + BATCH_SIZE);
+                const placeholders = batch.map(() => "?").join(",");
+                const stmt = this.db.prepare(`DELETE FROM evidences WHERE id IN (${placeholders})`);
+                const result = stmt.run(...batch);
+                totalDeleted += result.changes;
+            }
+            return totalDeleted;
         }
         catch (error) {
             throw new Error(`Failed to delete evidences: ${error instanceof Error ? error.message : String(error)}`);
@@ -318,9 +389,9 @@ export class EvidenceDatabase {
                 for (const evidence of evidences) {
                     if (!evidence.tags)
                         continue;
-                    const tags = evidence.tags.split(',').map(t => t.trim());
-                    const newTags = tags.map(t => t === oldTag ? newTag : t);
-                    if (this.updateTags(evidence.id, newTags.join(','))) {
+                    const tags = evidence.tags.split(",").map((t) => t.trim());
+                    const newTags = tags.map((t) => (t === oldTag ? newTag : t));
+                    if (this.updateTags(evidence.id, newTags.join(","))) {
                         updatedCount++;
                     }
                 }
@@ -348,8 +419,11 @@ export class EvidenceDatabase {
                 for (const evidence of evidences) {
                     if (!evidence.tags)
                         continue;
-                    const tags = evidence.tags.split(',').map(t => t.trim()).filter(t => t !== tag);
-                    const newTags = tags.length > 0 ? tags.join(',') : null;
+                    const tags = evidence.tags
+                        .split(",")
+                        .map((t) => t.trim())
+                        .filter((t) => t !== tag);
+                    const newTags = tags.length > 0 ? tags.join(",") : null;
                     if (this.updateTags(evidence.id, newTags)) {
                         updatedCount++;
                     }
@@ -372,7 +446,10 @@ export class EvidenceDatabase {
             const rows = stmt.all();
             const tagCounts = new Map();
             for (const row of rows) {
-                const tags = row.tags.split(',').map(t => t.trim()).filter(t => t);
+                const tags = row.tags
+                    .split(",")
+                    .map((t) => t.trim())
+                    .filter((t) => t);
                 for (const tag of tags) {
                     tagCounts.set(tag, (tagCounts.get(tag) || 0) + 1);
                 }
@@ -383,6 +460,24 @@ export class EvidenceDatabase {
             throw new Error(`Failed to get tag counts: ${error instanceof Error ? error.message : String(error)}`);
         }
     }
+    /**
+     * Gets total count of all evidence records
+     * @returns Total number of evidences in the database
+     */
+    getTotalCount() {
+        const row = this.db
+            .prepare("SELECT COUNT(*) as count FROM evidences")
+            .get();
+        return row.count;
+    }
+    /**
+     * Gets count of evidence records matching a search query
+     * @param query - Search text to match against conversationId and tags
+     * @returns Number of matching evidences
+     */
+    getSearchCount(query) {
+        return this.getFilteredCount({ query });
+    }
     /**
      * Get the underlying database instance
      * Used for salt storage and other low-level operations
@@ -419,7 +514,7 @@ export class EvidenceDatabase {
             gitTimestamp: row.gitTimestamp,
             tags: row.tags,
             createdAt: row.createdAt,
-            updatedAt: row.updatedAt
+            updatedAt: row.updatedAt,
         };
     }
 }