react-native-nitro-storage 0.1.4 → 0.3.1

package/lib/commonjs/index.web.js

@@ -3,193 +3,689 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.StorageScope = void 0;
+Object.defineProperty(exports, "AccessControl", {
+  enumerable: true,
+  get: function () {
+    return _Storage.AccessControl;
+  }
+});
+Object.defineProperty(exports, "BiometricLevel", {
+  enumerable: true,
+  get: function () {
+    return _Storage.BiometricLevel;
+  }
+});
+Object.defineProperty(exports, "StorageScope", {
+  enumerable: true,
+  get: function () {
+    return _Storage.StorageScope;
+  }
+});
+exports.createSecureAuthStorage = createSecureAuthStorage;
 exports.createStorageItem = createStorageItem;
 exports.getBatch = getBatch;
+Object.defineProperty(exports, "migrateFromMMKV", {
+  enumerable: true,
+  get: function () {
+    return _migration.migrateFromMMKV;
+  }
+});
+exports.migrateToLatest = migrateToLatest;
+exports.registerMigration = registerMigration;
 exports.removeBatch = removeBatch;
+exports.runTransaction = runTransaction;
 exports.setBatch = setBatch;
 exports.storage = void 0;
 exports.useSetStorage = useSetStorage;
 exports.useStorage = useStorage;
+exports.useStorageSelector = useStorageSelector;
 var _react = require("react");
-let StorageScope = exports.StorageScope = /*#__PURE__*/function (StorageScope) {
-  StorageScope[StorageScope["Memory"] = 0] = "Memory";
-  StorageScope[StorageScope["Disk"] = 1] = "Disk";
-  StorageScope[StorageScope["Secure"] = 2] = "Secure";
-  return StorageScope;
-}({});
-const diskListeners = new Map();
-const secureListeners = new Map();
-function notifyDiskListeners(key) {
-  diskListeners.get(key)?.forEach(cb => cb());
-}
-function notifySecureListeners(key) {
-  secureListeners.get(key)?.forEach(cb => cb());
+var _Storage = require("./Storage.types");
+var _internal = require("./internal");
+var _migration = require("./migration");
+function asInternal(item) {
+  return item;
+}
+const registeredMigrations = new Map();
+const runMicrotask = typeof queueMicrotask === "function" ? queueMicrotask : task => {
+  Promise.resolve().then(task);
+};
+const memoryStore = new Map();
+const memoryListeners = new Map();
+const webScopeListeners = new Map([[_Storage.StorageScope.Disk, new Map()], [_Storage.StorageScope.Secure, new Map()]]);
+const scopedRawCache = new Map([[_Storage.StorageScope.Disk, new Map()], [_Storage.StorageScope.Secure, new Map()]]);
+const pendingSecureWrites = new Map();
+let secureFlushScheduled = false;
+const SECURE_WEB_PREFIX = "__secure_";
+const BIOMETRIC_WEB_PREFIX = "__bio_";
+let hasWarnedAboutWebBiometricFallback = false;
+function getBrowserStorage(scope) {
+  if (scope === _Storage.StorageScope.Disk) {
+    return globalThis.localStorage;
+  }
+  if (scope === _Storage.StorageScope.Secure) {
+    return globalThis.localStorage;
+  }
+  return undefined;
+}
+function toSecureStorageKey(key) {
+  return `${SECURE_WEB_PREFIX}${key}`;
+}
+function fromSecureStorageKey(key) {
+  return key.slice(SECURE_WEB_PREFIX.length);
+}
+function toBiometricStorageKey(key) {
+  return `${BIOMETRIC_WEB_PREFIX}${key}`;
+}
+function fromBiometricStorageKey(key) {
+  return key.slice(BIOMETRIC_WEB_PREFIX.length);
+}
+function getScopedListeners(scope) {
+  return webScopeListeners.get(scope);
+}
+function getScopeRawCache(scope) {
+  return scopedRawCache.get(scope);
+}
+function cacheRawValue(scope, key, value) {
+  getScopeRawCache(scope).set(key, value);
+}
+function readCachedRawValue(scope, key) {
+  return getScopeRawCache(scope).get(key);
+}
+function hasCachedRawValue(scope, key) {
+  return getScopeRawCache(scope).has(key);
+}
+function clearScopeRawCache(scope) {
+  getScopeRawCache(scope).clear();
+}
+function notifyKeyListeners(registry, key) {
+  registry.get(key)?.forEach(listener => listener());
+}
+function notifyAllListeners(registry) {
+  registry.forEach(listeners => {
+    listeners.forEach(listener => listener());
+  });
+}
+function addKeyListener(registry, key, listener) {
+  let listeners = registry.get(key);
+  if (!listeners) {
+    listeners = new Set();
+    registry.set(key, listeners);
+  }
+  listeners.add(listener);
+  return () => {
+    const scopedListeners = registry.get(key);
+    if (!scopedListeners) {
+      return;
+    }
+    scopedListeners.delete(listener);
+    if (scopedListeners.size === 0) {
+      registry.delete(key);
+    }
+  };
+}
+function readPendingSecureWrite(key) {
+  return pendingSecureWrites.get(key)?.value;
+}
+function hasPendingSecureWrite(key) {
+  return pendingSecureWrites.has(key);
+}
+function clearPendingSecureWrite(key) {
+  pendingSecureWrites.delete(key);
+}
+function flushSecureWrites() {
+  secureFlushScheduled = false;
+  if (pendingSecureWrites.size === 0) {
+    return;
+  }
+  const writes = Array.from(pendingSecureWrites.values());
+  pendingSecureWrites.clear();
+  const keysToSet = [];
+  const valuesToSet = [];
+  const keysToRemove = [];
+  writes.forEach(({
+    key,
+    value
+  }) => {
+    if (value === undefined) {
+      keysToRemove.push(key);
+    } else {
+      keysToSet.push(key);
+      valuesToSet.push(value);
+    }
+  });
+  if (keysToSet.length > 0) {
+    WebStorage.setBatch(keysToSet, valuesToSet, _Storage.StorageScope.Secure);
+  }
+  if (keysToRemove.length > 0) {
+    WebStorage.removeBatch(keysToRemove, _Storage.StorageScope.Secure);
+  }
+}
+function scheduleSecureWrite(key, value) {
+  pendingSecureWrites.set(key, {
+    key,
+    value
+  });
+  if (secureFlushScheduled) {
+    return;
+  }
+  secureFlushScheduled = true;
+  runMicrotask(flushSecureWrites);
 }
 const WebStorage = {
   name: "Storage",
   equals: other => other === WebStorage,
   dispose: () => {},
   set: (key, value, scope) => {
-    if (scope === StorageScope.Disk) {
-      localStorage?.setItem(key, value);
-      notifyDiskListeners(key);
-    } else if (scope === StorageScope.Secure) {
-      sessionStorage?.setItem(key, value);
-      notifySecureListeners(key);
+    const storage = getBrowserStorage(scope);
+    if (!storage) {
+      return;
+    }
+    const storageKey = scope === _Storage.StorageScope.Secure ? toSecureStorageKey(key) : key;
+    storage.setItem(storageKey, value);
+    if (scope === _Storage.StorageScope.Disk || scope === _Storage.StorageScope.Secure) {
+      notifyKeyListeners(getScopedListeners(scope), key);
     }
   },
   get: (key, scope) => {
-    if (scope === StorageScope.Disk) {
-      return localStorage?.getItem(key) ?? undefined;
-    } else if (scope === StorageScope.Secure) {
-      return sessionStorage?.getItem(key) ?? undefined;
-    }
-    return undefined;
+    const storage = getBrowserStorage(scope);
+    const storageKey = scope === _Storage.StorageScope.Secure ? toSecureStorageKey(key) : key;
+    return storage?.getItem(storageKey) ?? undefined;
   },
   remove: (key, scope) => {
-    if (scope === StorageScope.Disk) {
-      localStorage?.removeItem(key);
-      notifyDiskListeners(key);
-    } else if (scope === StorageScope.Secure) {
-      sessionStorage?.removeItem(key);
-      notifySecureListeners(key);
+    const storage = getBrowserStorage(scope);
+    if (!storage) {
+      return;
+    }
+    if (scope === _Storage.StorageScope.Secure) {
+      storage.removeItem(toSecureStorageKey(key));
+      storage.removeItem(toBiometricStorageKey(key));
+    } else {
+      storage.removeItem(key);
+    }
+    if (scope === _Storage.StorageScope.Disk || scope === _Storage.StorageScope.Secure) {
+      notifyKeyListeners(getScopedListeners(scope), key);
     }
   },
   clear: scope => {
-    if (scope === StorageScope.Disk) {
-      localStorage?.clear();
-      diskListeners.forEach(listeners => {
-        listeners.forEach(cb => cb());
-      });
-    } else if (scope === StorageScope.Secure) {
-      sessionStorage?.clear();
-      secureListeners.forEach(listeners => {
-        listeners.forEach(cb => cb());
-      });
+    const storage = getBrowserStorage(scope);
+    if (!storage) {
+      return;
+    }
+    if (scope === _Storage.StorageScope.Secure) {
+      const keysToRemove = [];
+      for (let i = 0; i < storage.length; i++) {
+        const key = storage.key(i);
+        if (key?.startsWith(SECURE_WEB_PREFIX) || key?.startsWith(BIOMETRIC_WEB_PREFIX)) {
+          keysToRemove.push(key);
+        }
+      }
+      keysToRemove.forEach(key => storage.removeItem(key));
+    } else if (scope === _Storage.StorageScope.Disk) {
+      const keysToRemove = [];
+      for (let i = 0; i < storage.length; i++) {
+        const key = storage.key(i);
+        if (key && !key.startsWith(SECURE_WEB_PREFIX) && !key.startsWith(BIOMETRIC_WEB_PREFIX)) {
+          keysToRemove.push(key);
+        }
+      }
+      keysToRemove.forEach(key => storage.removeItem(key));
+    } else {
+      storage.clear();
+    }
+    if (scope === _Storage.StorageScope.Disk || scope === _Storage.StorageScope.Secure) {
+      notifyAllListeners(getScopedListeners(scope));
     }
   },
   setBatch: (keys, values, scope) => {
-    keys.forEach((key, i) => WebStorage.set(key, values[i], scope));
+    const storage = getBrowserStorage(scope);
+    if (!storage) {
+      return;
+    }
+    keys.forEach((key, index) => {
+      const storageKey = scope === _Storage.StorageScope.Secure ? toSecureStorageKey(key) : key;
+      storage.setItem(storageKey, values[index]);
+    });
+    if (scope === _Storage.StorageScope.Disk || scope === _Storage.StorageScope.Secure) {
+      const listeners = getScopedListeners(scope);
+      keys.forEach(key => notifyKeyListeners(listeners, key));
+    }
   },
   getBatch: (keys, scope) => {
-    return keys.map(key => WebStorage.get(key, scope));
+    const storage = getBrowserStorage(scope);
+    return keys.map(key => {
+      const storageKey = scope === _Storage.StorageScope.Secure ? toSecureStorageKey(key) : key;
+      return storage?.getItem(storageKey) ?? undefined;
+    });
   },
   removeBatch: (keys, scope) => {
-    keys.forEach(key => WebStorage.remove(key, scope));
+    keys.forEach(key => {
+      WebStorage.remove(key, scope);
+    });
   },
   addOnChange: (_scope, _callback) => {
     return () => {};
+  },
+  has: (key, scope) => {
+    const storage = getBrowserStorage(scope);
+    if (scope === _Storage.StorageScope.Secure) {
+      return storage?.getItem(toSecureStorageKey(key)) !== null || storage?.getItem(toBiometricStorageKey(key)) !== null;
+    }
+    return storage?.getItem(key) !== null;
+  },
+  getAllKeys: scope => {
+    const storage = getBrowserStorage(scope);
+    if (!storage) return [];
+    const keys = new Set();
+    for (let i = 0; i < storage.length; i++) {
+      const k = storage.key(i);
+      if (!k) {
+        continue;
+      }
+      if (scope === _Storage.StorageScope.Secure) {
+        if (k.startsWith(SECURE_WEB_PREFIX)) {
+          keys.add(fromSecureStorageKey(k));
+        } else if (k.startsWith(BIOMETRIC_WEB_PREFIX)) {
+          keys.add(fromBiometricStorageKey(k));
+        }
+        continue;
+      }
+      if (k.startsWith(SECURE_WEB_PREFIX) || k.startsWith(BIOMETRIC_WEB_PREFIX)) {
+        continue;
+      }
+      keys.add(k);
+    }
+    return Array.from(keys);
+  },
+  size: scope => {
+    return WebStorage.getAllKeys(scope).length;
+  },
+  setSecureAccessControl: () => {},
+  setKeychainAccessGroup: () => {},
+  setSecureBiometric: (key, value) => {
+    if (typeof __DEV__ !== "undefined" && __DEV__ && !hasWarnedAboutWebBiometricFallback) {
+      hasWarnedAboutWebBiometricFallback = true;
+      console.warn("[NitroStorage] Biometric storage is not supported on web. Using localStorage.");
+    }
+    globalThis.localStorage?.setItem(toBiometricStorageKey(key), value);
+    notifyKeyListeners(getScopedListeners(_Storage.StorageScope.Secure), key);
+  },
+  getSecureBiometric: key => {
+    return globalThis.localStorage?.getItem(toBiometricStorageKey(key)) ?? undefined;
+  },
+  deleteSecureBiometric: key => {
+    globalThis.localStorage?.removeItem(toBiometricStorageKey(key));
+    notifyKeyListeners(getScopedListeners(_Storage.StorageScope.Secure), key);
+  },
+  hasSecureBiometric: key => {
+    return globalThis.localStorage?.getItem(toBiometricStorageKey(key)) !== null;
+  },
+  clearSecureBiometric: () => {
+    const storage = globalThis.localStorage;
+    if (!storage) return;
+    const keysToNotify = [];
+    const toRemove = [];
+    for (let i = 0; i < storage.length; i++) {
+      const k = storage.key(i);
+      if (k?.startsWith(BIOMETRIC_WEB_PREFIX)) {
+        toRemove.push(k);
+        keysToNotify.push(fromBiometricStorageKey(k));
+      }
+    }
+    toRemove.forEach(k => storage.removeItem(k));
+    const listeners = getScopedListeners(_Storage.StorageScope.Secure);
+    keysToNotify.forEach(key => notifyKeyListeners(listeners, key));
   }
 };
-const memoryStore = new Map();
-const memoryListeners = new Set();
-function notifyMemoryListeners(key, value) {
-  memoryListeners.forEach(listener => listener(key, value));
+function getRawValue(key, scope) {
+  (0, _internal.assertValidScope)(scope);
+  if (scope === _Storage.StorageScope.Memory) {
+    const value = memoryStore.get(key);
+    return typeof value === "string" ? value : undefined;
+  }
+  if (scope === _Storage.StorageScope.Secure && hasPendingSecureWrite(key)) {
+    return readPendingSecureWrite(key);
+  }
+  return WebStorage.get(key, scope);
+}
+function setRawValue(key, value, scope) {
+  (0, _internal.assertValidScope)(scope);
+  if (scope === _Storage.StorageScope.Memory) {
+    memoryStore.set(key, value);
+    notifyKeyListeners(memoryListeners, key);
+    return;
+  }
+  if (scope === _Storage.StorageScope.Secure) {
+    flushSecureWrites();
+    clearPendingSecureWrite(key);
+  }
+  WebStorage.set(key, value, scope);
+  cacheRawValue(scope, key, value);
+}
+function removeRawValue(key, scope) {
+  (0, _internal.assertValidScope)(scope);
+  if (scope === _Storage.StorageScope.Memory) {
+    memoryStore.delete(key);
+    notifyKeyListeners(memoryListeners, key);
+    return;
+  }
+  if (scope === _Storage.StorageScope.Secure) {
+    flushSecureWrites();
+    clearPendingSecureWrite(key);
+  }
+  WebStorage.remove(key, scope);
+  cacheRawValue(scope, key, undefined);
+}
+function readMigrationVersion(scope) {
+  const raw = getRawValue(_internal.MIGRATION_VERSION_KEY, scope);
+  if (raw === undefined) {
+    return 0;
+  }
+  const parsed = Number.parseInt(raw, 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : 0;
+}
+function writeMigrationVersion(scope, version) {
+  setRawValue(_internal.MIGRATION_VERSION_KEY, String(version), scope);
 }
 const storage = exports.storage = {
   clear: scope => {
-    if (scope === StorageScope.Memory) {
+    if (scope === _Storage.StorageScope.Memory) {
       memoryStore.clear();
-      notifyMemoryListeners("", undefined);
-    } else {
-      WebStorage.clear(scope);
+      notifyAllListeners(memoryListeners);
+      return;
+    }
+    if (scope === _Storage.StorageScope.Secure) {
+      flushSecureWrites();
+      pendingSecureWrites.clear();
+    }
+    clearScopeRawCache(scope);
+    WebStorage.clear(scope);
+    if (scope === _Storage.StorageScope.Secure) {
+      WebStorage.clearSecureBiometric();
     }
   },
   clearAll: () => {
-    storage.clear(StorageScope.Memory);
-    storage.clear(StorageScope.Disk);
-    storage.clear(StorageScope.Secure);
-  }
+    storage.clear(_Storage.StorageScope.Memory);
+    storage.clear(_Storage.StorageScope.Disk);
+    storage.clear(_Storage.StorageScope.Secure);
+  },
+  clearNamespace: (namespace, scope) => {
+    (0, _internal.assertValidScope)(scope);
+    if (scope === _Storage.StorageScope.Memory) {
+      for (const key of memoryStore.keys()) {
+        if ((0, _internal.isNamespaced)(key, namespace)) {
+          memoryStore.delete(key);
+        }
+      }
+      notifyAllListeners(memoryListeners);
+      return;
+    }
+    if (scope === _Storage.StorageScope.Secure) {
+      flushSecureWrites();
+    }
+    const keys = WebStorage.getAllKeys(scope);
+    const namespacedKeys = keys.filter(k => (0, _internal.isNamespaced)(k, namespace));
+    if (namespacedKeys.length > 0) {
+      WebStorage.removeBatch(namespacedKeys, scope);
+      namespacedKeys.forEach(k => cacheRawValue(scope, k, undefined));
+      if (scope === _Storage.StorageScope.Secure) {
+        namespacedKeys.forEach(k => clearPendingSecureWrite(k));
+      }
+    }
+  },
+  clearBiometric: () => {
+    WebStorage.clearSecureBiometric();
+  },
+  has: (key, scope) => {
+    (0, _internal.assertValidScope)(scope);
+    if (scope === _Storage.StorageScope.Memory) return memoryStore.has(key);
+    return WebStorage.has(key, scope);
+  },
+  getAllKeys: scope => {
+    (0, _internal.assertValidScope)(scope);
+    if (scope === _Storage.StorageScope.Memory) return Array.from(memoryStore.keys());
+    return WebStorage.getAllKeys(scope);
+  },
+  getAll: scope => {
+    (0, _internal.assertValidScope)(scope);
+    const result = {};
+    if (scope === _Storage.StorageScope.Memory) {
+      memoryStore.forEach((value, key) => {
+        if (typeof value === "string") result[key] = value;
+      });
+      return result;
+    }
+    const keys = WebStorage.getAllKeys(scope);
+    keys.forEach(key => {
+      const val = WebStorage.get(key, scope);
+      if (val !== undefined) result[key] = val;
+    });
+    return result;
+  },
+  size: scope => {
+    (0, _internal.assertValidScope)(scope);
+    if (scope === _Storage.StorageScope.Memory) return memoryStore.size;
+    return WebStorage.size(scope);
+  },
+  setAccessControl: _level => {},
+  setKeychainAccessGroup: _group => {}
 };
+function canUseRawBatchPath(item) {
+  return item._hasExpiration === false && item._hasValidation === false && item._isBiometric !== true && item._secureAccessControl === undefined;
+}
 function defaultSerialize(value) {
-  return JSON.stringify(value);
+  return (0, _internal.serializeWithPrimitiveFastPath)(value);
 }
 function defaultDeserialize(value) {
-  return JSON.parse(value);
+  return (0, _internal.deserializeWithPrimitiveFastPath)(value);
 }
 function createStorageItem(config) {
+  const storageKey = (0, _internal.prefixKey)(config.namespace, config.key);
   const serialize = config.serialize ?? defaultSerialize;
   const deserialize = config.deserialize ?? defaultDeserialize;
-  const isMemory = config.scope === StorageScope.Memory;
+  const isMemory = config.scope === _Storage.StorageScope.Memory;
+  const isBiometric = config.biometric === true && config.scope === _Storage.StorageScope.Secure;
+  const secureAccessControl = config.accessControl;
+  const validate = config.validate;
+  const onValidationError = config.onValidationError;
+  const expiration = config.expiration;
+  const onExpired = config.onExpired;
+  const expirationTtlMs = expiration?.ttlMs;
+  const memoryExpiration = expiration && isMemory ? new Map() : null;
+  const readCache = !isMemory && config.readCache === true;
+  const coalesceSecureWrites = config.scope === _Storage.StorageScope.Secure && config.coalesceSecureWrites === true && !isBiometric && secureAccessControl === undefined;
+  const nonMemoryScope = config.scope === _Storage.StorageScope.Disk ? _Storage.StorageScope.Disk : config.scope === _Storage.StorageScope.Secure ? _Storage.StorageScope.Secure : null;
+  if (expiration && expiration.ttlMs <= 0) {
+    throw new Error("expiration.ttlMs must be greater than 0.");
+  }
   const listeners = new Set();
   let unsubscribe = null;
-  let lastRaw;
+  let lastRaw = undefined;
   let lastValue;
+  let hasLastValue = false;
+  const invalidateParsedCache = () => {
+    lastRaw = undefined;
+    lastValue = undefined;
+    hasLastValue = false;
+  };
   const ensureSubscription = () => {
-    if (!unsubscribe) {
-      if (isMemory) {
-        const listener = key => {
-          if (key === "" || key === config.key) {
-            lastRaw = undefined;
-            lastValue = undefined;
-            listeners.forEach(l => l());
-          }
-        };
-        memoryListeners.add(listener);
-        unsubscribe = () => memoryListeners.delete(listener);
-      } else if (config.scope === StorageScope.Disk) {
-        const listener = () => {
-          lastRaw = undefined;
-          lastValue = undefined;
-          listeners.forEach(l => l());
-        };
-        if (!diskListeners.has(config.key)) {
-          diskListeners.set(config.key, new Set());
-        }
-        diskListeners.get(config.key).add(listener);
-        unsubscribe = () => diskListeners.get(config.key)?.delete(listener);
-      } else if (config.scope === StorageScope.Secure) {
-        const listener = () => {
-          lastRaw = undefined;
-          lastValue = undefined;
-          listeners.forEach(l => l());
-        };
-        if (!secureListeners.has(config.key)) {
-          secureListeners.set(config.key, new Set());
+    if (unsubscribe) {
+      return;
+    }
+    const listener = () => {
+      invalidateParsedCache();
+      listeners.forEach(callback => callback());
+    };
+    if (isMemory) {
+      unsubscribe = addKeyListener(memoryListeners, storageKey, listener);
+      return;
+    }
+    unsubscribe = addKeyListener(getScopedListeners(nonMemoryScope), storageKey, listener);
+  };
+  const readStoredRaw = () => {
+    if (isMemory) {
+      if (memoryExpiration) {
+        const expiresAt = memoryExpiration.get(storageKey);
+        if (expiresAt !== undefined && expiresAt <= Date.now()) {
+          memoryExpiration.delete(storageKey);
+          memoryStore.delete(storageKey);
+          notifyKeyListeners(memoryListeners, storageKey);
+          onExpired?.(storageKey);
+          return undefined;
         }
-        secureListeners.get(config.key).add(listener);
-        unsubscribe = () => secureListeners.get(config.key)?.delete(listener);
+      }
+      return memoryStore.get(storageKey);
+    }
+    if (nonMemoryScope === _Storage.StorageScope.Secure && !isBiometric && hasPendingSecureWrite(storageKey)) {
+      return readPendingSecureWrite(storageKey);
+    }
+    if (readCache) {
+      if (hasCachedRawValue(nonMemoryScope, storageKey)) {
+        return readCachedRawValue(nonMemoryScope, storageKey);
       }
     }
+    if (isBiometric) {
+      return WebStorage.getSecureBiometric(storageKey);
+    }
+    const raw = WebStorage.get(storageKey, config.scope);
+    cacheRawValue(nonMemoryScope, storageKey, raw);
+    return raw;
   };
-  const get = () => {
-    let raw;
+  const writeStoredRaw = rawValue => {
+    if (isBiometric) {
+      WebStorage.setSecureBiometric(storageKey, rawValue);
+      return;
+    }
+    cacheRawValue(nonMemoryScope, storageKey, rawValue);
+    if (coalesceSecureWrites) {
+      scheduleSecureWrite(storageKey, rawValue);
+      return;
+    }
+    if (nonMemoryScope === _Storage.StorageScope.Secure) {
+      clearPendingSecureWrite(storageKey);
+    }
+    WebStorage.set(storageKey, rawValue, config.scope);
+  };
+  const removeStoredRaw = () => {
+    if (isBiometric) {
+      WebStorage.deleteSecureBiometric(storageKey);
+      return;
+    }
+    cacheRawValue(nonMemoryScope, storageKey, undefined);
+    if (coalesceSecureWrites) {
+      scheduleSecureWrite(storageKey, undefined);
+      return;
+    }
+    if (nonMemoryScope === _Storage.StorageScope.Secure) {
+      clearPendingSecureWrite(storageKey);
+    }
+    WebStorage.remove(storageKey, config.scope);
+  };
+  const writeValueWithoutValidation = value => {
     if (isMemory) {
-      raw = memoryStore.get(config.key);
-    } else {
-      raw = WebStorage.get(config.key, config.scope);
+      if (memoryExpiration) {
+        memoryExpiration.set(storageKey, Date.now() + (expirationTtlMs ?? 0));
+      }
+      memoryStore.set(storageKey, value);
+      notifyKeyListeners(memoryListeners, storageKey);
+      return;
+    }
+    const serialized = serialize(value);
+    if (expiration) {
+      const envelope = {
+        __nitroStorageEnvelope: true,
+        expiresAt: Date.now() + expiration.ttlMs,
+        payload: serialized
+      };
+      writeStoredRaw(JSON.stringify(envelope));
+      return;
+    }
+    writeStoredRaw(serialized);
+  };
+  const resolveInvalidValue = invalidValue => {
+    if (onValidationError) {
+      return onValidationError(invalidValue);
+    }
+    return config.defaultValue;
+  };
+  const ensureValidatedValue = (candidate, hadStoredValue) => {
+    if (!validate || validate(candidate)) {
+      return candidate;
+    }
+    const resolved = resolveInvalidValue(candidate);
+    if (validate && !validate(resolved)) {
+      return config.defaultValue;
+    }
+    if (hadStoredValue) {
+      writeValueWithoutValidation(resolved);
     }
-    if (raw === lastRaw && lastValue !== undefined) {
+    return resolved;
+  };
+  const get = () => {
+    const raw = readStoredRaw();
+    const canUseCachedValue = !expiration && !memoryExpiration;
+    if (canUseCachedValue && raw === lastRaw && hasLastValue) {
       return lastValue;
     }
     lastRaw = raw;
     if (raw === undefined) {
-      lastValue = config.defaultValue;
-    } else {
-      lastValue = isMemory ? raw : deserialize(raw);
+      lastValue = ensureValidatedValue(config.defaultValue, false);
+      hasLastValue = true;
+      return lastValue;
+    }
+    if (isMemory) {
+      lastValue = ensureValidatedValue(raw, true);
+      hasLastValue = true;
+      return lastValue;
     }
+    let deserializableRaw = raw;
+    if (expiration) {
+      try {
+        const parsed = JSON.parse(raw);
+        if ((0, _internal.isStoredEnvelope)(parsed)) {
+          if (parsed.expiresAt <= Date.now()) {
+            removeStoredRaw();
+            invalidateParsedCache();
+            onExpired?.(storageKey);
+            lastValue = ensureValidatedValue(config.defaultValue, false);
+            hasLastValue = true;
+            return lastValue;
+          }
+          deserializableRaw = parsed.payload;
+        }
+      } catch {
+        // Keep backward compatibility with legacy raw values.
+      }
+    }
+    lastValue = ensureValidatedValue(deserialize(deserializableRaw), true);
+    hasLastValue = true;
     return lastValue;
   };
   const set = valueOrFn => {
     const currentValue = get();
     const newValue = typeof valueOrFn === "function" ? valueOrFn(currentValue) : valueOrFn;
-    lastRaw = undefined;
-    if (isMemory) {
-      memoryStore.set(config.key, newValue);
-      notifyMemoryListeners(config.key, newValue);
-    } else {
-      WebStorage.set(config.key, serialize(newValue), config.scope);
+    invalidateParsedCache();
+    if (validate && !validate(newValue)) {
+      throw new Error(`Validation failed for key "${storageKey}" in scope "${_Storage.StorageScope[config.scope]}".`);
     }
+    writeValueWithoutValidation(newValue);
   };
   const deleteItem = () => {
-    lastRaw = undefined;
+    invalidateParsedCache();
     if (isMemory) {
-      memoryStore.delete(config.key);
-      notifyMemoryListeners(config.key, undefined);
-    } else {
-      WebStorage.remove(config.key, config.scope);
+      if (memoryExpiration) {
+        memoryExpiration.delete(storageKey);
+      }
+      memoryStore.delete(storageKey);
+      notifyKeyListeners(memoryListeners, storageKey);
+      return;
     }
+    removeStoredRaw();
+  };
+  const hasItem = () => {
+    if (isMemory) return memoryStore.has(storageKey);
+    if (isBiometric) return WebStorage.hasSecureBiometric(storageKey);
+    return WebStorage.has(storageKey, config.scope);
   };
   const subscribe = callback => {
     ensureSubscription();
@@ -202,37 +698,94 @@ function createStorageItem(config) {
       }
     };
   };
-  return {
+  const storageItem = {
     get,
     set,
     delete: deleteItem,
+    has: hasItem,
     subscribe,
     serialize,
     deserialize,
     _triggerListeners: () => {
-      lastRaw = undefined;
-      lastValue = undefined;
-      listeners.forEach(l => l());
+      invalidateParsedCache();
+      listeners.forEach(listener => listener());
     },
+    _hasValidation: validate !== undefined,
+    _hasExpiration: expiration !== undefined,
+    _readCacheEnabled: readCache,
+    _isBiometric: isBiometric,
+    _secureAccessControl: secureAccessControl,
     scope: config.scope,
-    key: config.key
+    key: storageKey
   };
+  return storageItem;
 }
 function useStorage(item) {
   const value = (0, _react.useSyncExternalStore)(item.subscribe, item.get, item.get);
   return [value, item.set];
 }
+function useStorageSelector(item, selector, isEqual = Object.is) {
+  const selectedRef = (0, _react.useRef)({
+    hasValue: false
+  });
+  const getSelectedSnapshot = () => {
+    const nextSelected = selector(item.get());
+    const current = selectedRef.current;
+    if (current.hasValue && isEqual(current.value, nextSelected)) {
+      return current.value;
+    }
+    selectedRef.current = {
+      hasValue: true,
+      value: nextSelected
+    };
+    return nextSelected;
+  };
+  const selectedValue = (0, _react.useSyncExternalStore)(item.subscribe, getSelectedSnapshot, getSelectedSnapshot);
+  return [selectedValue, item.set];
+}
 function useSetStorage(item) {
   return item.set;
 }
 function getBatch(items, scope) {
-  if (scope === StorageScope.Memory) {
+  (0, _internal.assertBatchScope)(items, scope);
+  if (scope === _Storage.StorageScope.Memory) {
     return items.map(item => item.get());
   }
-  const keys = items.map(item => item.key);
-  const rawValues = WebStorage.getBatch(keys, scope);
-  return items.map((item, idx) => {
-    const raw = rawValues[idx];
+  const useRawBatchPath = items.every(item => canUseRawBatchPath(item));
+  if (!useRawBatchPath) {
+    return items.map(item => item.get());
+  }
+  const useBatchCache = items.every(item => item._readCacheEnabled === true);
+  const rawValues = new Array(items.length);
+  const keysToFetch = [];
+  const keyIndexes = [];
+  items.forEach((item, index) => {
+    if (scope === _Storage.StorageScope.Secure) {
+      if (hasPendingSecureWrite(item.key)) {
+        rawValues[index] = readPendingSecureWrite(item.key);
+        return;
+      }
+    }
+    if (useBatchCache) {
+      if (hasCachedRawValue(scope, item.key)) {
+        rawValues[index] = readCachedRawValue(scope, item.key);
+        return;
+      }
+    }
+    keysToFetch.push(item.key);
+    keyIndexes.push(index);
+  });
+  if (keysToFetch.length > 0) {
+    const fetchedValues = WebStorage.getBatch(keysToFetch, scope);
+    fetchedValues.forEach((value, index) => {
+      const key = keysToFetch[index];
+      const targetIndex = keyIndexes[index];
+      rawValues[targetIndex] = value;
+      cacheRawValue(scope, key, value);
+    });
+  }
+  return items.map((item, index) => {
+    const raw = rawValues[index];
     if (raw === undefined) {
       return item.get();
     }
@@ -240,29 +793,144 @@ function getBatch(items, scope) {
   });
 }
 function setBatch(items, scope) {
-  if (scope === StorageScope.Memory) {
+  (0, _internal.assertBatchScope)(items.map(batchEntry => batchEntry.item), scope);
+  if (scope === _Storage.StorageScope.Memory) {
     items.forEach(({
       item,
       value
     }) => item.set(value));
     return;
   }
-  const keys = items.map(i => i.item.key);
-  const values = items.map(i => i.item.serialize(i.value));
-  WebStorage.setBatch(keys, values, scope);
-  items.forEach(({
+  const useRawBatchPath = items.every(({
     item
-  }) => {
-    item._triggerListeners();
-  });
+  }) => canUseRawBatchPath(asInternal(item)));
+  if (!useRawBatchPath) {
+    items.forEach(({
+      item,
+      value
+    }) => item.set(value));
+    return;
+  }
+  const keys = items.map(entry => entry.item.key);
+  const values = items.map(entry => entry.item.serialize(entry.value));
+  if (scope === _Storage.StorageScope.Secure) {
+    flushSecureWrites();
+  }
+  WebStorage.setBatch(keys, values, scope);
+  keys.forEach((key, index) => cacheRawValue(scope, key, values[index]));
 }
 function removeBatch(items, scope) {
-  if (scope === StorageScope.Memory) {
+  (0, _internal.assertBatchScope)(items, scope);
+  if (scope === _Storage.StorageScope.Memory) {
     items.forEach(item => item.delete());
     return;
   }
   const keys = items.map(item => item.key);
+  if (scope === _Storage.StorageScope.Secure) {
+    flushSecureWrites();
+  }
   WebStorage.removeBatch(keys, scope);
-  items.forEach(item => item.delete());
+  keys.forEach(key => cacheRawValue(scope, key, undefined));
+}
+function registerMigration(version, migration) {
+  if (!Number.isInteger(version) || version <= 0) {
+    throw new Error("Migration version must be a positive integer.");
+  }
+  if (registeredMigrations.has(version)) {
+    throw new Error(`Migration version ${version} is already registered.`);
+  }
+  registeredMigrations.set(version, migration);
+}
+function migrateToLatest(scope = _Storage.StorageScope.Disk) {
+  (0, _internal.assertValidScope)(scope);
+  const currentVersion = readMigrationVersion(scope);
+  const versions = Array.from(registeredMigrations.keys()).filter(version => version > currentVersion).sort((a, b) => a - b);
+  let appliedVersion = currentVersion;
+  const context = {
+    scope,
+    getRaw: key => getRawValue(key, scope),
+    setRaw: (key, value) => setRawValue(key, value, scope),
+    removeRaw: key => removeRawValue(key, scope)
+  };
+  versions.forEach(version => {
+    const migration = registeredMigrations.get(version);
+    if (!migration) {
+      return;
+    }
+    migration(context);
+    writeMigrationVersion(scope, version);
+    appliedVersion = version;
+  });
+  return appliedVersion;
+}
+function runTransaction(scope, transaction) {
+  (0, _internal.assertValidScope)(scope);
+  if (scope === _Storage.StorageScope.Secure) {
+    flushSecureWrites();
+  }
+  const rollback = new Map();
+  const rememberRollback = key => {
+    if (rollback.has(key)) {
+      return;
+    }
+    rollback.set(key, getRawValue(key, scope));
+  };
+  const tx = {
+    scope,
+    getRaw: key => getRawValue(key, scope),
+    setRaw: (key, value) => {
+      rememberRollback(key);
+      setRawValue(key, value, scope);
+    },
+    removeRaw: key => {
+      rememberRollback(key);
+      removeRawValue(key, scope);
+    },
+    getItem: item => {
+      (0, _internal.assertBatchScope)([item], scope);
+      return item.get();
+    },
+    setItem: (item, value) => {
+      (0, _internal.assertBatchScope)([item], scope);
+      rememberRollback(item.key);
+      item.set(value);
+    },
+    removeItem: item => {
+      (0, _internal.assertBatchScope)([item], scope);
+      rememberRollback(item.key);
+      item.delete();
+    }
+  };
+  try {
+    return transaction(tx);
+  } catch (error) {
+    Array.from(rollback.entries()).reverse().forEach(([key, previousValue]) => {
+      if (previousValue === undefined) {
+        removeRawValue(key, scope);
+      } else {
+        setRawValue(key, previousValue, scope);
+      }
+    });
+    throw error;
+  }
+}
+function createSecureAuthStorage(config, options) {
+  const ns = options?.namespace ?? "auth";
+  const result = {};
+  for (const key of Object.keys(config)) {
+    const itemConfig = config[key];
+    result[key] = createStorageItem({
+      key,
+      scope: _Storage.StorageScope.Secure,
+      defaultValue: "",
+      namespace: ns,
+      biometric: itemConfig.biometric,
+      accessControl: itemConfig.accessControl,
+      expiration: itemConfig.ttlMs ? {
+        ttlMs: itemConfig.ttlMs
+      } : undefined
+    });
+  }
+  return result;
 }
 //# sourceMappingURL=index.web.js.map