react-native-nitro-storage 0.3.1 → 0.4.0

package/src/index.ts

@@ -1,4 +1,3 @@
-import { useRef, useSyncExternalStore } from "react";
 import { NitroModules } from "react-native-nitro-modules";
 import type { Storage } from "./Storage.nitro";
 import { StorageScope, AccessControl, BiometricLevel } from "./Storage.types";
@@ -11,6 +10,7 @@ import {
   decodeNativeBatchValue,
   serializeWithPrimitiveFastPath,
   deserializeWithPrimitiveFastPath,
+  toVersionToken,
   prefixKey,
   isNamespaced,
 } from "./internal";
@@ -23,6 +23,31 @@ export type Validator<T> = (value: unknown) => value is T;
 export type ExpirationConfig = {
   ttlMs: number;
 };
+export type StorageVersion = string;
+export type VersionedValue<T> = {
+  value: T;
+  version: StorageVersion;
+};
+export type StorageMetricsEvent = {
+  operation: string;
+  scope: StorageScope;
+  durationMs: number;
+  keysCount: number;
+};
+export type StorageMetricsObserver = (event: StorageMetricsEvent) => void;
+export type StorageMetricSummary = {
+  count: number;
+  totalDurationMs: number;
+  avgDurationMs: number;
+  maxDurationMs: number;
+};
+export type WebSecureStorageBackend = {
+  getItem: (key: string) => string | null;
+  setItem: (key: string, value: string) => void;
+  removeItem: (key: string) => void;
+  clear: () => void;
+  getAllKeys: () => string[];
+};
 
 export type MigrationContext = {
   scope: StorageScope;
@@ -56,11 +81,25 @@ type RawBatchPathItem = {
   _secureAccessControl?: AccessControl;
 };
 
-function asInternal(item: StorageItem<any>): StorageItemInternal<any> {
-  return item as unknown as StorageItemInternal<any>;
+function asInternal<T>(item: StorageItem<T>): StorageItemInternal<T> {
+  return item as StorageItemInternal<T>;
+}
+
+function isUpdater<T>(
+  valueOrFn: T | ((prev: T) => T),
+): valueOrFn is (prev: T) => T {
+  return typeof valueOrFn === "function";
+}
+
+function typedKeys<K extends string, V>(record: Record<K, V>): K[] {
+  return Object.keys(record) as K[];
 }
 type NonMemoryScope = StorageScope.Disk | StorageScope.Secure;
-type PendingSecureWrite = { key: string; value: string | undefined };
+type PendingSecureWrite = {
+  key: string;
+  value: string | undefined;
+  accessControl?: AccessControl;
+};
 
 const registeredMigrations = new Map<number, Migration>();
 const runMicrotask =
@@ -95,6 +134,52 @@ const scopedRawCache = new Map<NonMemoryScope, Map<string, string | undefined>>(
 const pendingSecureWrites = new Map<string, PendingSecureWrite>();
 let secureFlushScheduled = false;
 let secureDefaultAccessControl: AccessControl = AccessControl.WhenUnlocked;
+let metricsObserver: StorageMetricsObserver | undefined;
+const metricsCounters = new Map<
+  string,
+  { count: number; totalDurationMs: number; maxDurationMs: number }
+>();
+
+function recordMetric(
+  operation: string,
+  scope: StorageScope,
+  durationMs: number,
+  keysCount = 1,
+): void {
+  const existing = metricsCounters.get(operation);
+  if (!existing) {
+    metricsCounters.set(operation, {
+      count: 1,
+      totalDurationMs: durationMs,
+      maxDurationMs: durationMs,
+    });
+  } else {
+    existing.count += 1;
+    existing.totalDurationMs += durationMs;
+    existing.maxDurationMs = Math.max(existing.maxDurationMs, durationMs);
+  }
+
+  metricsObserver?.({
+    operation,
+    scope,
+    durationMs,
+    keysCount,
+  });
+}
+
+function measureOperation<T>(
+  operation: string,
+  scope: StorageScope,
+  fn: () => T,
+  keysCount = 1,
+): T {
+  const start = Date.now();
+  try {
+    return fn();
+  } finally {
+    recordMetric(operation, scope, Date.now() - start, keysCount);
+  }
+}
 
 function getScopedListeners(scope: NonMemoryScope): KeyListenerRegistry {
   return scopedListeners.get(scope)!;
@@ -185,31 +270,47 @@ function flushSecureWrites(): void {
   const writes = Array.from(pendingSecureWrites.values());
   pendingSecureWrites.clear();
 
-  const keysToSet: string[] = [];
-  const valuesToSet: string[] = [];
+  const groupedSetWrites = new Map<
+    AccessControl,
+    { keys: string[]; values: string[] }
+  >();
   const keysToRemove: string[] = [];
 
-  writes.forEach(({ key, value }) => {
+  writes.forEach(({ key, value, accessControl }) => {
     if (value === undefined) {
       keysToRemove.push(key);
     } else {
-      keysToSet.push(key);
-      valuesToSet.push(value);
+      const resolvedAccessControl = accessControl ?? secureDefaultAccessControl;
+      const existingGroup = groupedSetWrites.get(resolvedAccessControl);
+      const group = existingGroup ?? { keys: [], values: [] };
+      group.keys.push(key);
+      group.values.push(value);
+      if (!existingGroup) {
+        groupedSetWrites.set(resolvedAccessControl, group);
+      }
     }
   });
 
   const storageModule = getStorageModule();
-  storageModule.setSecureAccessControl(secureDefaultAccessControl);
-  if (keysToSet.length > 0) {
-    storageModule.setBatch(keysToSet, valuesToSet, StorageScope.Secure);
-  }
+  groupedSetWrites.forEach((group, accessControl) => {
+    storageModule.setSecureAccessControl(accessControl);
+    storageModule.setBatch(group.keys, group.values, StorageScope.Secure);
+  });
   if (keysToRemove.length > 0) {
     storageModule.removeBatch(keysToRemove, StorageScope.Secure);
   }
 }
 
-function scheduleSecureWrite(key: string, value: string | undefined): void {
-  pendingSecureWrites.set(key, { key, value });
+function scheduleSecureWrite(
+  key: string,
+  value: string | undefined,
+  accessControl?: AccessControl,
+): void {
+  const pendingWrite: PendingSecureWrite = { key, value };
+  if (accessControl !== undefined) {
+    pendingWrite.accessControl = accessControl;
+  }
+  pendingSecureWrites.set(key, pendingWrite);
   if (secureFlushScheduled) {
     return;
   }
@@ -323,103 +424,212 @@ function writeMigrationVersion(scope: StorageScope, version: number): void {
 
 export const storage = {
   clear: (scope: StorageScope) => {
-    if (scope === StorageScope.Memory) {
-      memoryStore.clear();
-      notifyAllListeners(memoryListeners);
-      return;
-    }
+    measureOperation("storage:clear", scope, () => {
+      if (scope === StorageScope.Memory) {
+        memoryStore.clear();
+        notifyAllListeners(memoryListeners);
+        return;
+      }
 
-    if (scope === StorageScope.Secure) {
-      flushSecureWrites();
-      pendingSecureWrites.clear();
-    }
+      if (scope === StorageScope.Secure) {
+        flushSecureWrites();
+        pendingSecureWrites.clear();
+      }
 
-    clearScopeRawCache(scope);
-    getStorageModule().clear(scope);
-    if (scope === StorageScope.Secure) {
-      getStorageModule().clearSecureBiometric();
-    }
+      clearScopeRawCache(scope);
+      getStorageModule().clear(scope);
+    });
   },
   clearAll: () => {
-    storage.clear(StorageScope.Memory);
-    storage.clear(StorageScope.Disk);
-    storage.clear(StorageScope.Secure);
+    measureOperation(
+      "storage:clearAll",
+      StorageScope.Memory,
+      () => {
+        storage.clear(StorageScope.Memory);
+        storage.clear(StorageScope.Disk);
+        storage.clear(StorageScope.Secure);
+      },
+      3,
+    );
   },
   clearNamespace: (namespace: string, scope: StorageScope) => {
-    assertValidScope(scope);
-    if (scope === StorageScope.Memory) {
-      for (const key of memoryStore.keys()) {
-        if (isNamespaced(key, namespace)) {
-          memoryStore.delete(key);
+    measureOperation("storage:clearNamespace", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        for (const key of memoryStore.keys()) {
+          if (isNamespaced(key, namespace)) {
+            memoryStore.delete(key);
+          }
         }
+        notifyAllListeners(memoryListeners);
+        return;
       }
-      notifyAllListeners(memoryListeners);
-      return;
-    }
-    if (scope === StorageScope.Secure) {
-      flushSecureWrites();
-    }
-    const keys = getStorageModule().getAllKeys(scope);
-    const namespacedKeys = keys.filter((k) => isNamespaced(k, namespace));
-    if (namespacedKeys.length > 0) {
-      getStorageModule().removeBatch(namespacedKeys, scope);
-      namespacedKeys.forEach((k) => cacheRawValue(scope, k, undefined));
+
+      const keyPrefix = prefixKey(namespace, "");
       if (scope === StorageScope.Secure) {
-        namespacedKeys.forEach((k) => clearPendingSecureWrite(k));
+        flushSecureWrites();
       }
-    }
+
+      clearScopeRawCache(scope);
+      getStorageModule().removeByPrefix(keyPrefix, scope);
+    });
   },
   clearBiometric: () => {
-    getStorageModule().clearSecureBiometric();
+    measureOperation("storage:clearBiometric", StorageScope.Secure, () => {
+      getStorageModule().clearSecureBiometric();
+    });
   },
   has: (key: string, scope: StorageScope): boolean => {
-    assertValidScope(scope);
-    if (scope === StorageScope.Memory) {
-      return memoryStore.has(key);
-    }
-    return getStorageModule().has(key, scope);
+    return measureOperation("storage:has", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        return memoryStore.has(key);
+      }
+      return getStorageModule().has(key, scope);
+    });
   },
   getAllKeys: (scope: StorageScope): string[] => {
-    assertValidScope(scope);
-    if (scope === StorageScope.Memory) {
-      return Array.from(memoryStore.keys());
-    }
-    return getStorageModule().getAllKeys(scope);
+    return measureOperation("storage:getAllKeys", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        return Array.from(memoryStore.keys());
+      }
+      return getStorageModule().getAllKeys(scope);
+    });
+  },
+  getKeysByPrefix: (prefix: string, scope: StorageScope): string[] => {
+    return measureOperation("storage:getKeysByPrefix", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        return Array.from(memoryStore.keys()).filter((key) =>
+          key.startsWith(prefix),
+        );
+      }
+      return getStorageModule().getKeysByPrefix(prefix, scope);
+    });
+  },
+  getByPrefix: (
+    prefix: string,
+    scope: StorageScope,
+  ): Record<string, string> => {
+    return measureOperation("storage:getByPrefix", scope, () => {
+      const result: Record<string, string> = {};
+      const keys = storage.getKeysByPrefix(prefix, scope);
+      if (keys.length === 0) {
+        return result;
+      }
+
+      if (scope === StorageScope.Memory) {
+        keys.forEach((key) => {
+          const value = memoryStore.get(key);
+          if (typeof value === "string") {
+            result[key] = value;
+          }
+        });
+        return result;
+      }
+
+      const values = getStorageModule().getBatch(keys, scope);
+      keys.forEach((key, idx) => {
+        const value = decodeNativeBatchValue(values[idx]);
+        if (value !== undefined) {
+          result[key] = value;
+        }
+      });
+      return result;
+    });
   },
   getAll: (scope: StorageScope): Record<string, string> => {
-    assertValidScope(scope);
-    const result: Record<string, string> = {};
-    if (scope === StorageScope.Memory) {
-      memoryStore.forEach((value, key) => {
-        if (typeof value === "string") result[key] = value;
+    return measureOperation("storage:getAll", scope, () => {
+      assertValidScope(scope);
+      const result: Record<string, string> = {};
+      if (scope === StorageScope.Memory) {
+        memoryStore.forEach((value, key) => {
+          if (typeof value === "string") result[key] = value;
+        });
+        return result;
+      }
+      const keys = getStorageModule().getAllKeys(scope);
+      if (keys.length === 0) return result;
+      const values = getStorageModule().getBatch(keys, scope);
+      keys.forEach((key, idx) => {
+        const val = decodeNativeBatchValue(values[idx]);
+        if (val !== undefined) result[key] = val;
       });
       return result;
-    }
-    const keys = getStorageModule().getAllKeys(scope);
-    if (keys.length === 0) return result;
-    const values = getStorageModule().getBatch(keys, scope);
-    keys.forEach((key, idx) => {
-      const val = decodeNativeBatchValue(values[idx]);
-      if (val !== undefined) result[key] = val;
     });
-    return result;
   },
   size: (scope: StorageScope): number => {
-    assertValidScope(scope);
-    if (scope === StorageScope.Memory) {
-      return memoryStore.size;
-    }
-    return getStorageModule().size(scope);
+    return measureOperation("storage:size", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        return memoryStore.size;
+      }
+      return getStorageModule().size(scope);
+    });
   },
   setAccessControl: (level: AccessControl) => {
-    secureDefaultAccessControl = level;
-    getStorageModule().setSecureAccessControl(level);
+    measureOperation("storage:setAccessControl", StorageScope.Secure, () => {
+      secureDefaultAccessControl = level;
+      getStorageModule().setSecureAccessControl(level);
+    });
+  },
+  setSecureWritesAsync: (enabled: boolean) => {
+    measureOperation(
+      "storage:setSecureWritesAsync",
+      StorageScope.Secure,
+      () => {
+        getStorageModule().setSecureWritesAsync(enabled);
+      },
+    );
+  },
+  flushSecureWrites: () => {
+    measureOperation("storage:flushSecureWrites", StorageScope.Secure, () => {
+      flushSecureWrites();
+    });
   },
   setKeychainAccessGroup: (group: string) => {
-    getStorageModule().setKeychainAccessGroup(group);
+    measureOperation(
+      "storage:setKeychainAccessGroup",
+      StorageScope.Secure,
+      () => {
+        getStorageModule().setKeychainAccessGroup(group);
+      },
+    );
+  },
+  setMetricsObserver: (observer?: StorageMetricsObserver) => {
+    metricsObserver = observer;
+  },
+  getMetricsSnapshot: (): Record<string, StorageMetricSummary> => {
+    const snapshot: Record<string, StorageMetricSummary> = {};
+    metricsCounters.forEach((value, key) => {
+      snapshot[key] = {
+        count: value.count,
+        totalDurationMs: value.totalDurationMs,
+        avgDurationMs:
+          value.count === 0 ? 0 : value.totalDurationMs / value.count,
+        maxDurationMs: value.maxDurationMs,
+      };
+    });
+    return snapshot;
+  },
+  resetMetrics: () => {
+    metricsCounters.clear();
   },
 };
 
+export function setWebSecureStorageBackend(
+  _backend?: WebSecureStorageBackend,
+): void {
+  // Native platforms do not use web secure backends.
+}
+
+export function getWebSecureStorageBackend():
+  | WebSecureStorageBackend
+  | undefined {
+  return undefined;
+}
+
 export interface StorageItemConfig<T> {
   key: string;
   scope: StorageScope;
@@ -434,12 +644,18 @@ export interface StorageItemConfig<T> {
   coalesceSecureWrites?: boolean;
   namespace?: string;
   biometric?: boolean;
+  biometricLevel?: BiometricLevel;
   accessControl?: AccessControl;
 }
 
 export interface StorageItem<T> {
   get: () => T;
+  getWithVersion: () => VersionedValue<T>;
   set: (value: T | ((prev: T) => T)) => void;
+  setIfVersion: (
+    version: StorageVersion,
+    value: T | ((prev: T) => T),
+  ) => boolean;
   delete: () => void;
   has: () => boolean;
   subscribe: (callback: () => void) => () => void;
@@ -455,6 +671,7 @@ type StorageItemInternal<T> = StorageItem<T> & {
   _hasExpiration: boolean;
   _readCacheEnabled: boolean;
   _isBiometric: boolean;
+  _defaultValue: T;
   _secureAccessControl?: AccessControl;
 };
 
@@ -467,6 +684,14 @@ function canUseRawBatchPath(item: RawBatchPathItem): boolean {
   );
 }
 
+function canUseSecureRawBatchPath(item: RawBatchPathItem): boolean {
+  return (
+    item._hasExpiration === false &&
+    item._hasValidation === false &&
+    item._isBiometric !== true
+  );
+}
+
 function defaultSerialize<T>(value: T): string {
   return serializeWithPrimitiveFastPath(value);
 }
@@ -482,8 +707,14 @@ export function createStorageItem<T = undefined>(
   const serialize = config.serialize ?? defaultSerialize;
   const deserialize = config.deserialize ?? defaultDeserialize;
   const isMemory = config.scope === StorageScope.Memory;
-  const isBiometric =
-    config.biometric === true && config.scope === StorageScope.Secure;
+  const resolvedBiometricLevel =
+    config.scope === StorageScope.Secure
+      ? (config.biometricLevel ??
+        (config.biometric === true
+          ? BiometricLevel.BiometryOnly
+          : BiometricLevel.None))
+      : BiometricLevel.None;
+  const isBiometric = resolvedBiometricLevel !== BiometricLevel.None;
   const secureAccessControl = config.accessControl;
   const validate = config.validate;
   const onValidationError = config.onValidationError;
@@ -496,8 +727,8 @@ export function createStorageItem<T = undefined>(
   const coalesceSecureWrites =
     config.scope === StorageScope.Secure &&
     config.coalesceSecureWrites === true &&
-    !isBiometric &&
-    secureAccessControl === undefined;
+    !isBiometric;
+  const defaultValue = config.defaultValue as T;
   const nonMemoryScope: NonMemoryScope | null =
     config.scope === StorageScope.Disk
       ? StorageScope.Disk
@@ -514,11 +745,13 @@ export function createStorageItem<T = undefined>(
   let lastRaw: unknown = undefined;
   let lastValue: T | undefined;
   let hasLastValue = false;
+  let lastExpiresAt: number | null | undefined = undefined;
 
   const invalidateParsedCache = () => {
     lastRaw = undefined;
     lastValue = undefined;
     hasLastValue = false;
+    lastExpiresAt = undefined;
   };
 
   const ensureSubscription = () => {
@@ -556,7 +789,7 @@ export function createStorageItem<T = undefined>(
           return undefined;
         }
       }
-      return memoryStore.get(storageKey) as T | undefined;
+      return memoryStore.get(storageKey);
     }
 
     if (
@@ -584,14 +817,22 @@ export function createStorageItem<T = undefined>(
 
   const writeStoredRaw = (rawValue: string): void => {
     if (isBiometric) {
-      getStorageModule().setSecureBiometric(storageKey, rawValue);
+      getStorageModule().setSecureBiometricWithLevel(
+        storageKey,
+        rawValue,
+        resolvedBiometricLevel,
+      );
       return;
     }
 
     cacheRawValue(nonMemoryScope!, storageKey, rawValue);
 
     if (coalesceSecureWrites) {
-      scheduleSecureWrite(storageKey, rawValue);
+      scheduleSecureWrite(
+        storageKey,
+        rawValue,
+        secureAccessControl ?? secureDefaultAccessControl,
+      );
       return;
     }
 
@@ -614,7 +855,11 @@ export function createStorageItem<T = undefined>(
     cacheRawValue(nonMemoryScope!, storageKey, undefined);
 
     if (coalesceSecureWrites) {
-      scheduleSecureWrite(storageKey, undefined);
+      scheduleSecureWrite(
+        storageKey,
+        undefined,
+        secureAccessControl ?? secureDefaultAccessControl,
+      );
       return;
     }
 
@@ -654,7 +899,7 @@ export function createStorageItem<T = undefined>(
       return onValidationError(invalidValue);
     }
 
-    return config.defaultValue as T;
+    return defaultValue;
   };
 
   const ensureValidatedValue = (
@@ -667,7 +912,7 @@ export function createStorageItem<T = undefined>(
 
     const resolved = resolveInvalidValue(candidate);
     if (validate && !validate(resolved)) {
-      return config.defaultValue as T;
+      return defaultValue;
     }
     if (hadStoredValue) {
       writeValueWithoutValidation(resolved);
@@ -675,39 +920,64 @@ export function createStorageItem<T = undefined>(
     return resolved;
   };
 
-  const get = (): T => {
+  const getInternal = (): T => {
     const raw = readStoredRaw();
 
-    const canUseCachedValue = !expiration && !memoryExpiration;
-    if (canUseCachedValue && raw === lastRaw && hasLastValue) {
-      return lastValue as T;
+    if (!memoryExpiration && raw === lastRaw && hasLastValue) {
+      if (!expiration || lastExpiresAt === null) {
+        return lastValue as T;
+      }
+
+      if (typeof lastExpiresAt === "number") {
+        if (lastExpiresAt > Date.now()) {
+          return lastValue as T;
+        }
+
+        removeStoredRaw();
+        invalidateParsedCache();
+        onExpired?.(storageKey);
+        lastValue = ensureValidatedValue(defaultValue, false);
+        hasLastValue = true;
+        return lastValue;
+      }
     }
 
     lastRaw = raw;
 
     if (raw === undefined) {
-      lastValue = ensureValidatedValue(config.defaultValue, false);
+      lastExpiresAt = undefined;
+      lastValue = ensureValidatedValue(defaultValue, false);
       hasLastValue = true;
       return lastValue;
     }
 
     if (isMemory) {
+      lastExpiresAt = undefined;
       lastValue = ensureValidatedValue(raw, true);
       hasLastValue = true;
       return lastValue;
     }
 
-    let deserializableRaw = raw as string;
+    if (typeof raw !== "string") {
+      lastExpiresAt = undefined;
+      lastValue = ensureValidatedValue(defaultValue, false);
+      hasLastValue = true;
+      return lastValue;
+    }
+
+    let deserializableRaw = raw;
 
     if (expiration) {
+      let envelopeExpiresAt: number | null = null;
       try {
-        const parsed = JSON.parse(raw as string) as unknown;
+        const parsed = JSON.parse(raw) as unknown;
         if (isStoredEnvelope(parsed)) {
+          envelopeExpiresAt = parsed.expiresAt;
           if (parsed.expiresAt <= Date.now()) {
             removeStoredRaw();
             invalidateParsedCache();
             onExpired?.(storageKey);
-            lastValue = ensureValidatedValue(config.defaultValue, false);
+            lastValue = ensureValidatedValue(defaultValue, false);
             hasLastValue = true;
             return lastValue;
           }
@@ -717,6 +987,9 @@ export function createStorageItem<T = undefined>(
       } catch {
         // Keep backward compatibility with legacy raw values.
       }
+      lastExpiresAt = envelopeExpiresAt;
+    } else {
+      lastExpiresAt = undefined;
     }
 
     lastValue = ensureValidatedValue(deserialize(deserializableRaw), true);
@@ -724,44 +997,74 @@ export function createStorageItem<T = undefined>(
     return lastValue;
   };
 
+  const getCurrentVersion = (): StorageVersion => {
+    const raw = readStoredRaw();
+    return toVersionToken(raw);
+  };
+
+  const get = (): T =>
+    measureOperation("item:get", config.scope, () => getInternal());
+
+  const getWithVersion = (): VersionedValue<T> =>
+    measureOperation("item:getWithVersion", config.scope, () => ({
+      value: getInternal(),
+      version: getCurrentVersion(),
+    }));
+
   const set = (valueOrFn: T | ((prev: T) => T)): void => {
-    const currentValue = get();
-    const newValue =
-      typeof valueOrFn === "function"
-        ? (valueOrFn as (prev: T) => T)(currentValue)
+    measureOperation("item:set", config.scope, () => {
+      const newValue = isUpdater(valueOrFn)
+        ? valueOrFn(getInternal())
         : valueOrFn;
 
-    invalidateParsedCache();
+      invalidateParsedCache();
 
-    if (validate && !validate(newValue)) {
-      throw new Error(
-        `Validation failed for key "${storageKey}" in scope "${StorageScope[config.scope]}".`,
-      );
-    }
+      if (validate && !validate(newValue)) {
+        throw new Error(
+          `Validation failed for key "${storageKey}" in scope "${StorageScope[config.scope]}".`,
+        );
+      }
 
-    writeValueWithoutValidation(newValue);
+      writeValueWithoutValidation(newValue);
+    });
   };
 
+  const setIfVersion = (
+    version: StorageVersion,
+    valueOrFn: T | ((prev: T) => T),
+  ): boolean =>
+    measureOperation("item:setIfVersion", config.scope, () => {
+      const currentVersion = getCurrentVersion();
+      if (currentVersion !== version) {
+        return false;
+      }
+      set(valueOrFn);
+      return true;
+    });
+
   const deleteItem = (): void => {
-    invalidateParsedCache();
+    measureOperation("item:delete", config.scope, () => {
+      invalidateParsedCache();
 
-    if (isMemory) {
-      if (memoryExpiration) {
-        memoryExpiration.delete(storageKey);
+      if (isMemory) {
+        if (memoryExpiration) {
+          memoryExpiration.delete(storageKey);
+        }
+        memoryStore.delete(storageKey);
+        notifyKeyListeners(memoryListeners, storageKey);
+        return;
       }
-      memoryStore.delete(storageKey);
-      notifyKeyListeners(memoryListeners, storageKey);
-      return;
-    }
 
-    removeStoredRaw();
+      removeStoredRaw();
+    });
   };
 
-  const hasItem = (): boolean => {
-    if (isMemory) return memoryStore.has(storageKey);
-    if (isBiometric) return getStorageModule().hasSecureBiometric(storageKey);
-    return getStorageModule().has(storageKey, config.scope);
-  };
+  const hasItem = (): boolean =>
+    measureOperation("item:has", config.scope, () => {
+      if (isMemory) return memoryStore.has(storageKey);
+      if (isBiometric) return getStorageModule().hasSecureBiometric(storageKey);
+      return getStorageModule().has(storageKey, config.scope);
+    });
 
   const subscribe = (callback: () => void): (() => void) => {
     ensureSubscription();
@@ -780,7 +1083,9 @@ export function createStorageItem<T = undefined>(
 
   const storageItem: StorageItemInternal<T> = {
     get,
+    getWithVersion,
     set,
+    setIfVersion,
     delete: deleteItem,
     has: hasItem,
     subscribe,
@@ -794,54 +1099,18 @@ export function createStorageItem<T = undefined>(
     _hasExpiration: expiration !== undefined,
     _readCacheEnabled: readCache,
     _isBiometric: isBiometric,
-    _secureAccessControl: secureAccessControl,
+    _defaultValue: defaultValue,
+    ...(secureAccessControl !== undefined
+      ? { _secureAccessControl: secureAccessControl }
+      : {}),
     scope: config.scope,
     key: storageKey,
   };
 
-  return storageItem as StorageItem<T>;
-}
-
-export function useStorage<T>(
-  item: StorageItem<T>,
-): [T, (value: T | ((prev: T) => T)) => void] {
-  const value = useSyncExternalStore(item.subscribe, item.get, item.get);
-  return [value, item.set];
-}
-
-export function useStorageSelector<T, TSelected>(
-  item: StorageItem<T>,
-  selector: (value: T) => TSelected,
-  isEqual: (prev: TSelected, next: TSelected) => boolean = Object.is,
-): [TSelected, (value: T | ((prev: T) => T)) => void] {
-  const selectedRef = useRef<
-    { hasValue: false } | { hasValue: true; value: TSelected }
-  >({
-    hasValue: false,
-  });
-
-  const getSelectedSnapshot = () => {
-    const nextSelected = selector(item.get());
-    const current = selectedRef.current;
-    if (current.hasValue && isEqual(current.value, nextSelected)) {
-      return current.value;
-    }
-
-    selectedRef.current = { hasValue: true, value: nextSelected };
-    return nextSelected;
-  };
-
-  const selectedValue = useSyncExternalStore(
-    item.subscribe,
-    getSelectedSnapshot,
-    getSelectedSnapshot,
-  );
-  return [selectedValue, item.set];
+  return storageItem;
 }
 
-export function useSetStorage<T>(item: StorageItem<T>) {
-  return item.set;
-}
+export { useStorage, useStorageSelector, useSetStorage } from "./storage-hooks";
 
 type BatchReadItem<T> = Pick<
   StorageItem<T>,
@@ -851,6 +1120,7 @@ type BatchReadItem<T> = Pick<
   _hasExpiration?: boolean;
   _readCacheEnabled?: boolean;
   _isBiometric?: boolean;
+  _defaultValue?: unknown;
   _secureAccessControl?: AccessControl;
 };
 type BatchRemoveItem = Pick<StorageItem<unknown>, "key" | "scope" | "delete">;
@@ -864,113 +1134,179 @@ export function getBatch(
   items: readonly BatchReadItem<unknown>[],
   scope: StorageScope,
 ): unknown[] {
-  assertBatchScope(items, scope);
+  return measureOperation(
+    "batch:get",
+    scope,
+    () => {
+      assertBatchScope(items, scope);
 
-  if (scope === StorageScope.Memory) {
-    return items.map((item) => item.get());
-  }
+      if (scope === StorageScope.Memory) {
+        return items.map((item) => item.get());
+      }
 
-  const useRawBatchPath = items.every((item) => canUseRawBatchPath(item));
-  if (!useRawBatchPath) {
-    return items.map((item) => item.get());
-  }
-  const useBatchCache = items.every((item) => item._readCacheEnabled === true);
+      const useRawBatchPath = items.every((item) =>
+        scope === StorageScope.Secure
+          ? canUseSecureRawBatchPath(item)
+          : canUseRawBatchPath(item),
+      );
+      if (!useRawBatchPath) {
+        return items.map((item) => item.get());
+      }
 
-  const rawValues = new Array<string | undefined>(items.length);
-  const keysToFetch: string[] = [];
-  const keyIndexes: number[] = [];
+      const rawValues = new Array<string | undefined>(items.length);
+      const keysToFetch: string[] = [];
+      const keyIndexes: number[] = [];
 
-  items.forEach((item, index) => {
-    if (scope === StorageScope.Secure) {
-      if (hasPendingSecureWrite(item.key)) {
-        rawValues[index] = readPendingSecureWrite(item.key);
-        return;
-      }
-    }
+      items.forEach((item, index) => {
+        if (scope === StorageScope.Secure) {
+          if (hasPendingSecureWrite(item.key)) {
+            rawValues[index] = readPendingSecureWrite(item.key);
+            return;
+          }
+        }
 
-    if (useBatchCache) {
-      if (hasCachedRawValue(scope, item.key)) {
-        rawValues[index] = readCachedRawValue(scope, item.key);
-        return;
-      }
-    }
+        if (item._readCacheEnabled === true) {
+          if (hasCachedRawValue(scope, item.key)) {
+            rawValues[index] = readCachedRawValue(scope, item.key);
+            return;
+          }
+        }
 
-    keysToFetch.push(item.key);
-    keyIndexes.push(index);
-  });
+        keysToFetch.push(item.key);
+        keyIndexes.push(index);
+      });
 
-  if (keysToFetch.length > 0) {
-    const fetchedValues = getStorageModule()
-      .getBatch(keysToFetch, scope)
-      .map((value) => decodeNativeBatchValue(value));
+      if (keysToFetch.length > 0) {
+        const fetchedValues = getStorageModule()
+          .getBatch(keysToFetch, scope)
+          .map((value) => decodeNativeBatchValue(value));
 
-    fetchedValues.forEach((value, index) => {
-      const key = keysToFetch[index];
-      const targetIndex = keyIndexes[index];
-      rawValues[targetIndex] = value;
-      cacheRawValue(scope, key, value);
-    });
-  }
+        fetchedValues.forEach((value, index) => {
+          const key = keysToFetch[index];
+          const targetIndex = keyIndexes[index];
+          if (key === undefined || targetIndex === undefined) {
+            return;
+          }
+          rawValues[targetIndex] = value;
+          cacheRawValue(scope, key, value);
+        });
+      }
 
-  return items.map((item, index) => {
-    const raw = rawValues[index];
-    if (raw === undefined) {
-      return item.get();
-    }
-    return item.deserialize(raw);
-  });
+      return items.map((item, index) => {
+        const raw = rawValues[index];
+        if (raw === undefined) {
+          return asInternal(item as StorageItem<unknown>)._defaultValue;
+        }
+        return item.deserialize(raw);
+      });
+    },
+    items.length,
+  );
 }
 
 export function setBatch<T>(
   items: readonly StorageBatchSetItem<T>[],
   scope: StorageScope,
 ): void {
-  assertBatchScope(
-    items.map((batchEntry) => batchEntry.item),
+  measureOperation(
+    "batch:set",
     scope,
-  );
+    () => {
+      assertBatchScope(
+        items.map((batchEntry) => batchEntry.item),
+        scope,
+      );
 
-  if (scope === StorageScope.Memory) {
-    items.forEach(({ item, value }) => item.set(value));
-    return;
-  }
+      if (scope === StorageScope.Memory) {
+        items.forEach(({ item, value }) => item.set(value));
+        return;
+      }
 
-  const useRawBatchPath = items.every(({ item }) =>
-    canUseRawBatchPath(asInternal(item)),
-  );
-  if (!useRawBatchPath) {
-    items.forEach(({ item, value }) => item.set(value));
-    return;
-  }
+      if (scope === StorageScope.Secure) {
+        const secureEntries = items.map(({ item, value }) => ({
+          item,
+          value,
+          internal: asInternal(item),
+        }));
+        const canUseSecureBatchPath = secureEntries.every(({ internal }) =>
+          canUseSecureRawBatchPath(internal),
+        );
+        if (!canUseSecureBatchPath) {
+          items.forEach(({ item, value }) => item.set(value));
+          return;
+        }
 
-  const keys = items.map((entry) => entry.item.key);
-  const values = items.map((entry) => entry.item.serialize(entry.value));
+        flushSecureWrites();
+        const storageModule = getStorageModule();
+        const groupedByAccessControl = new Map<
+          number,
+          { keys: string[]; values: string[] }
+        >();
+
+        secureEntries.forEach(({ item, value, internal }) => {
+          const accessControl =
+            internal._secureAccessControl ?? secureDefaultAccessControl;
+          const existingGroup = groupedByAccessControl.get(accessControl);
+          const group = existingGroup ?? { keys: [], values: [] };
+          group.keys.push(item.key);
+          group.values.push(item.serialize(value));
+          if (!existingGroup) {
+            groupedByAccessControl.set(accessControl, group);
+          }
+        });
+
+        groupedByAccessControl.forEach((group, accessControl) => {
+          storageModule.setSecureAccessControl(accessControl);
+          storageModule.setBatch(group.keys, group.values, scope);
+          group.keys.forEach((key, index) =>
+            cacheRawValue(scope, key, group.values[index]),
+          );
+        });
+        return;
+      }
 
-  if (scope === StorageScope.Secure) {
-    flushSecureWrites();
-    getStorageModule().setSecureAccessControl(secureDefaultAccessControl);
-  }
-  getStorageModule().setBatch(keys, values, scope);
-  keys.forEach((key, index) => cacheRawValue(scope, key, values[index]));
+      const useRawBatchPath = items.every(({ item }) =>
+        canUseRawBatchPath(asInternal(item)),
+      );
+      if (!useRawBatchPath) {
+        items.forEach(({ item, value }) => item.set(value));
+        return;
+      }
+
+      const keys = items.map((entry) => entry.item.key);
+      const values = items.map((entry) => entry.item.serialize(entry.value));
+
+      getStorageModule().setBatch(keys, values, scope);
+      keys.forEach((key, index) => cacheRawValue(scope, key, values[index]));
+    },
+    items.length,
+  );
 }
 
 export function removeBatch(
   items: readonly BatchRemoveItem[],
   scope: StorageScope,
 ): void {
-  assertBatchScope(items, scope);
+  measureOperation(
+    "batch:remove",
+    scope,
+    () => {
+      assertBatchScope(items, scope);
 
-  if (scope === StorageScope.Memory) {
-    items.forEach((item) => item.delete());
-    return;
-  }
+      if (scope === StorageScope.Memory) {
+        items.forEach((item) => item.delete());
+        return;
+      }
 
-  const keys = items.map((item) => item.key);
-  if (scope === StorageScope.Secure) {
-    flushSecureWrites();
-  }
-  getStorageModule().removeBatch(keys, scope);
-  keys.forEach((key) => cacheRawValue(scope, key, undefined));
+      const keys = items.map((item) => item.key);
+      if (scope === StorageScope.Secure) {
+        flushSecureWrites();
+      }
+      getStorageModule().removeBatch(keys, scope);
+      keys.forEach((key) => cacheRawValue(scope, key, undefined));
+    },
+    items.length,
+  );
 }
 
 export function registerMigration(version: number, migration: Migration): void {
@@ -988,92 +1324,124 @@ export function registerMigration(version: number, migration: Migration): void {
 export function migrateToLatest(
   scope: StorageScope = StorageScope.Disk,
 ): number {
-  assertValidScope(scope);
-  const currentVersion = readMigrationVersion(scope);
-  const versions = Array.from(registeredMigrations.keys())
-    .filter((version) => version > currentVersion)
-    .sort((a, b) => a - b);
+  return measureOperation("migration:run", scope, () => {
+    assertValidScope(scope);
+    const currentVersion = readMigrationVersion(scope);
+    const versions = Array.from(registeredMigrations.keys())
+      .filter((version) => version > currentVersion)
+      .sort((a, b) => a - b);
+
+    let appliedVersion = currentVersion;
+    const context: MigrationContext = {
+      scope,
+      getRaw: (key) => getRawValue(key, scope),
+      setRaw: (key, value) => setRawValue(key, value, scope),
+      removeRaw: (key) => removeRawValue(key, scope),
+    };
 
-  let appliedVersion = currentVersion;
-  const context: MigrationContext = {
-    scope,
-    getRaw: (key) => getRawValue(key, scope),
-    setRaw: (key, value) => setRawValue(key, value, scope),
-    removeRaw: (key) => removeRawValue(key, scope),
-  };
+    versions.forEach((version) => {
+      const migration = registeredMigrations.get(version);
+      if (!migration) {
+        return;
+      }
+      migration(context);
+      writeMigrationVersion(scope, version);
+      appliedVersion = version;
+    });
 
-  versions.forEach((version) => {
-    const migration = registeredMigrations.get(version);
-    if (!migration) {
-      return;
-    }
-    migration(context);
-    writeMigrationVersion(scope, version);
-    appliedVersion = version;
+    return appliedVersion;
   });
-
-  return appliedVersion;
 }
 
 export function runTransaction<T>(
   scope: StorageScope,
   transaction: (context: TransactionContext) => T,
 ): T {
-  assertValidScope(scope);
-  if (scope === StorageScope.Secure) {
-    flushSecureWrites();
-  }
+  return measureOperation("transaction:run", scope, () => {
+    assertValidScope(scope);
+    if (scope === StorageScope.Secure) {
+      flushSecureWrites();
+    }
 
-  const rollback = new Map<string, string | undefined>();
+    const rollback = new Map<string, string | undefined>();
 
-  const rememberRollback = (key: string) => {
-    if (rollback.has(key)) {
-      return;
-    }
-    rollback.set(key, getRawValue(key, scope));
-  };
+    const rememberRollback = (key: string) => {
+      if (rollback.has(key)) {
+        return;
+      }
+      rollback.set(key, getRawValue(key, scope));
+    };
 
-  const tx: TransactionContext = {
-    scope,
-    getRaw: (key) => getRawValue(key, scope),
-    setRaw: (key, value) => {
-      rememberRollback(key);
-      setRawValue(key, value, scope);
-    },
-    removeRaw: (key) => {
-      rememberRollback(key);
-      removeRawValue(key, scope);
-    },
-    getItem: (item) => {
-      assertBatchScope([item], scope);
-      return item.get();
-    },
-    setItem: (item, value) => {
-      assertBatchScope([item], scope);
-      rememberRollback(item.key);
-      item.set(value);
-    },
-    removeItem: (item) => {
-      assertBatchScope([item], scope);
-      rememberRollback(item.key);
-      item.delete();
-    },
-  };
+    const tx: TransactionContext = {
+      scope,
+      getRaw: (key) => getRawValue(key, scope),
+      setRaw: (key, value) => {
+        rememberRollback(key);
+        setRawValue(key, value, scope);
+      },
+      removeRaw: (key) => {
+        rememberRollback(key);
+        removeRawValue(key, scope);
+      },
+      getItem: (item) => {
+        assertBatchScope([item], scope);
+        return item.get();
+      },
+      setItem: (item, value) => {
+        assertBatchScope([item], scope);
+        rememberRollback(item.key);
+        item.set(value);
+      },
+      removeItem: (item) => {
+        assertBatchScope([item], scope);
+        rememberRollback(item.key);
+        item.delete();
+      },
+    };
 
-  try {
-    return transaction(tx);
-  } catch (error) {
-    Array.from(rollback.entries())
-      .reverse()
-      .forEach(([key, previousValue]) => {
-        if (previousValue === undefined) {
-          removeRawValue(key, scope);
-        } else {
-          setRawValue(key, previousValue, scope);
+    try {
+      return transaction(tx);
+    } catch (error) {
+      const rollbackEntries = Array.from(rollback.entries()).reverse();
+      if (scope === StorageScope.Memory) {
+        rollbackEntries.forEach(([key, previousValue]) => {
+          if (previousValue === undefined) {
+            removeRawValue(key, scope);
+          } else {
+            setRawValue(key, previousValue, scope);
+          }
+        });
+      } else {
+        const keysToSet: string[] = [];
+        const valuesToSet: string[] = [];
+        const keysToRemove: string[] = [];
+
+        rollbackEntries.forEach(([key, previousValue]) => {
+          if (previousValue === undefined) {
+            keysToRemove.push(key);
+          } else {
+            keysToSet.push(key);
+            valuesToSet.push(previousValue);
+          }
+        });
+
+        if (scope === StorageScope.Secure) {
+          flushSecureWrites();
         }
-      });
-    throw error;
-  }
+        if (keysToSet.length > 0) {
+          getStorageModule().setBatch(keysToSet, valuesToSet, scope);
+          keysToSet.forEach((key, index) =>
+            cacheRawValue(scope, key, valuesToSet[index]),
+          );
+        }
+        if (keysToRemove.length > 0) {
+          getStorageModule().removeBatch(keysToRemove, scope);
+          keysToRemove.forEach((key) => cacheRawValue(scope, key, undefined));
+        }
+      }
+      throw error;
+    }
+  });
 }
 
 export type SecureAuthStorageConfig<K extends string = string> = Record<
@@ -1081,6 +1449,7 @@ export type SecureAuthStorageConfig<K extends string = string> = Record<
   {
     ttlMs?: number;
     biometric?: boolean;
+    biometricLevel?: BiometricLevel;
     accessControl?: AccessControl;
   }
 >;
@@ -1090,20 +1459,31 @@ export function createSecureAuthStorage<K extends string>(
   options?: { namespace?: string },
 ): Record<K, StorageItem<string>> {
   const ns = options?.namespace ?? "auth";
-  const result = {} as Record<K, StorageItem<string>>;
+  const result: Partial<Record<K, StorageItem<string>>> = {};
 
-  for (const key of Object.keys(config) as K[]) {
+  for (const key of typedKeys(config)) {
     const itemConfig = config[key];
+    const expirationConfig =
+      itemConfig.ttlMs !== undefined ? { ttlMs: itemConfig.ttlMs } : undefined;
     result[key] = createStorageItem<string>({
       key,
       scope: StorageScope.Secure,
       defaultValue: "",
       namespace: ns,
-      biometric: itemConfig.biometric,
-      accessControl: itemConfig.accessControl,
-      expiration: itemConfig.ttlMs ? { ttlMs: itemConfig.ttlMs } : undefined,
+      ...(itemConfig.biometric !== undefined
+        ? { biometric: itemConfig.biometric }
+        : {}),
+      ...(itemConfig.biometricLevel !== undefined
+        ? { biometricLevel: itemConfig.biometricLevel }
+        : {}),
+      ...(itemConfig.accessControl !== undefined
+        ? { accessControl: itemConfig.accessControl }
+        : {}),
+      ...(expirationConfig !== undefined
+        ? { expiration: expirationConfig }
+        : {}),
     });
   }
 
-  return result;
+  return result as Record<K, StorageItem<string>>;
 }