react-native-nitro-storage 0.3.2 → 0.4.1

package/src/index.ts

@@ -10,6 +10,7 @@ import {
   decodeNativeBatchValue,
   serializeWithPrimitiveFastPath,
   deserializeWithPrimitiveFastPath,
+  toVersionToken,
   prefixKey,
   isNamespaced,
 } from "./internal";
@@ -22,6 +23,31 @@ export type Validator<T> = (value: unknown) => value is T;
 export type ExpirationConfig = {
   ttlMs: number;
 };
+export type StorageVersion = string;
+export type VersionedValue<T> = {
+  value: T;
+  version: StorageVersion;
+};
+export type StorageMetricsEvent = {
+  operation: string;
+  scope: StorageScope;
+  durationMs: number;
+  keysCount: number;
+};
+export type StorageMetricsObserver = (event: StorageMetricsEvent) => void;
+export type StorageMetricSummary = {
+  count: number;
+  totalDurationMs: number;
+  avgDurationMs: number;
+  maxDurationMs: number;
+};
+export type WebSecureStorageBackend = {
+  getItem: (key: string) => string | null;
+  setItem: (key: string, value: string) => void;
+  removeItem: (key: string) => void;
+  clear: () => void;
+  getAllKeys: () => string[];
+};
 
 export type MigrationContext = {
   scope: StorageScope;
@@ -69,7 +95,11 @@ function typedKeys<K extends string, V>(record: Record<K, V>): K[] {
   return Object.keys(record) as K[];
 }
 type NonMemoryScope = StorageScope.Disk | StorageScope.Secure;
-type PendingSecureWrite = { key: string; value: string | undefined };
+type PendingSecureWrite = {
+  key: string;
+  value: string | undefined;
+  accessControl?: AccessControl;
+};
 
 const registeredMigrations = new Map<number, Migration>();
 const runMicrotask =
@@ -104,6 +134,52 @@ const scopedRawCache = new Map<NonMemoryScope, Map<string, string | undefined>>(
 const pendingSecureWrites = new Map<string, PendingSecureWrite>();
 let secureFlushScheduled = false;
 let secureDefaultAccessControl: AccessControl = AccessControl.WhenUnlocked;
+let metricsObserver: StorageMetricsObserver | undefined;
+const metricsCounters = new Map<
+  string,
+  { count: number; totalDurationMs: number; maxDurationMs: number }
+>();
+
+function recordMetric(
+  operation: string,
+  scope: StorageScope,
+  durationMs: number,
+  keysCount = 1,
+): void {
+  const existing = metricsCounters.get(operation);
+  if (!existing) {
+    metricsCounters.set(operation, {
+      count: 1,
+      totalDurationMs: durationMs,
+      maxDurationMs: durationMs,
+    });
+  } else {
+    existing.count += 1;
+    existing.totalDurationMs += durationMs;
+    existing.maxDurationMs = Math.max(existing.maxDurationMs, durationMs);
+  }
+
+  metricsObserver?.({
+    operation,
+    scope,
+    durationMs,
+    keysCount,
+  });
+}
+
+function measureOperation<T>(
+  operation: string,
+  scope: StorageScope,
+  fn: () => T,
+  keysCount = 1,
+): T {
+  const start = Date.now();
+  try {
+    return fn();
+  } finally {
+    recordMetric(operation, scope, Date.now() - start, keysCount);
+  }
+}
 
 function getScopedListeners(scope: NonMemoryScope): KeyListenerRegistry {
   return scopedListeners.get(scope)!;
@@ -194,31 +270,47 @@ function flushSecureWrites(): void {
   const writes = Array.from(pendingSecureWrites.values());
   pendingSecureWrites.clear();
 
-  const keysToSet: string[] = [];
-  const valuesToSet: string[] = [];
+  const groupedSetWrites = new Map<
+    AccessControl,
+    { keys: string[]; values: string[] }
+  >();
   const keysToRemove: string[] = [];
 
-  writes.forEach(({ key, value }) => {
+  writes.forEach(({ key, value, accessControl }) => {
     if (value === undefined) {
       keysToRemove.push(key);
     } else {
-      keysToSet.push(key);
-      valuesToSet.push(value);
+      const resolvedAccessControl = accessControl ?? secureDefaultAccessControl;
+      const existingGroup = groupedSetWrites.get(resolvedAccessControl);
+      const group = existingGroup ?? { keys: [], values: [] };
+      group.keys.push(key);
+      group.values.push(value);
+      if (!existingGroup) {
+        groupedSetWrites.set(resolvedAccessControl, group);
+      }
     }
   });
 
   const storageModule = getStorageModule();
-  storageModule.setSecureAccessControl(secureDefaultAccessControl);
-  if (keysToSet.length > 0) {
-    storageModule.setBatch(keysToSet, valuesToSet, StorageScope.Secure);
-  }
+  groupedSetWrites.forEach((group, accessControl) => {
+    storageModule.setSecureAccessControl(accessControl);
+    storageModule.setBatch(group.keys, group.values, StorageScope.Secure);
+  });
   if (keysToRemove.length > 0) {
     storageModule.removeBatch(keysToRemove, StorageScope.Secure);
   }
 }
 
-function scheduleSecureWrite(key: string, value: string | undefined): void {
-  pendingSecureWrites.set(key, { key, value });
+function scheduleSecureWrite(
+  key: string,
+  value: string | undefined,
+  accessControl?: AccessControl,
+): void {
+  const pendingWrite: PendingSecureWrite = { key, value };
+  if (accessControl !== undefined) {
+    pendingWrite.accessControl = accessControl;
+  }
+  pendingSecureWrites.set(key, pendingWrite);
   if (secureFlushScheduled) {
     return;
   }
@@ -332,102 +424,241 @@ function writeMigrationVersion(scope: StorageScope, version: number): void {
 
 export const storage = {
   clear: (scope: StorageScope) => {
-    if (scope === StorageScope.Memory) {
-      memoryStore.clear();
-      notifyAllListeners(memoryListeners);
-      return;
-    }
+    measureOperation("storage:clear", scope, () => {
+      if (scope === StorageScope.Memory) {
+        memoryStore.clear();
+        notifyAllListeners(memoryListeners);
+        return;
+      }
 
-    if (scope === StorageScope.Secure) {
-      flushSecureWrites();
-      pendingSecureWrites.clear();
-    }
+      if (scope === StorageScope.Secure) {
+        flushSecureWrites();
+        pendingSecureWrites.clear();
+      }
 
-    clearScopeRawCache(scope);
-    getStorageModule().clear(scope);
+      clearScopeRawCache(scope);
+      getStorageModule().clear(scope);
+    });
   },
   clearAll: () => {
-    storage.clear(StorageScope.Memory);
-    storage.clear(StorageScope.Disk);
-    storage.clear(StorageScope.Secure);
+    measureOperation(
+      "storage:clearAll",
+      StorageScope.Memory,
+      () => {
+        storage.clear(StorageScope.Memory);
+        storage.clear(StorageScope.Disk);
+        storage.clear(StorageScope.Secure);
+      },
+      3,
+    );
   },
   clearNamespace: (namespace: string, scope: StorageScope) => {
-    assertValidScope(scope);
-    if (scope === StorageScope.Memory) {
-      for (const key of memoryStore.keys()) {
-        if (isNamespaced(key, namespace)) {
-          memoryStore.delete(key);
+    measureOperation("storage:clearNamespace", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        for (const key of memoryStore.keys()) {
+          if (isNamespaced(key, namespace)) {
+            memoryStore.delete(key);
+          }
         }
+        notifyAllListeners(memoryListeners);
+        return;
       }
-      notifyAllListeners(memoryListeners);
-      return;
-    }
 
-    const keyPrefix = prefixKey(namespace, "");
-    if (scope === StorageScope.Secure) {
-      flushSecureWrites();
-    }
+      const keyPrefix = prefixKey(namespace, "");
+      if (scope === StorageScope.Secure) {
+        flushSecureWrites();
+      }
 
-    clearScopeRawCache(scope);
-    getStorageModule().removeByPrefix(keyPrefix, scope);
+      clearScopeRawCache(scope);
+      getStorageModule().removeByPrefix(keyPrefix, scope);
+    });
   },
   clearBiometric: () => {
-    getStorageModule().clearSecureBiometric();
+    measureOperation("storage:clearBiometric", StorageScope.Secure, () => {
+      getStorageModule().clearSecureBiometric();
+    });
   },
   has: (key: string, scope: StorageScope): boolean => {
-    assertValidScope(scope);
-    if (scope === StorageScope.Memory) {
-      return memoryStore.has(key);
-    }
-    return getStorageModule().has(key, scope);
+    return measureOperation("storage:has", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        return memoryStore.has(key);
+      }
+      return getStorageModule().has(key, scope);
+    });
   },
   getAllKeys: (scope: StorageScope): string[] => {
-    assertValidScope(scope);
-    if (scope === StorageScope.Memory) {
-      return Array.from(memoryStore.keys());
-    }
-    return getStorageModule().getAllKeys(scope);
+    return measureOperation("storage:getAllKeys", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        return Array.from(memoryStore.keys());
+      }
+      return getStorageModule().getAllKeys(scope);
+    });
+  },
+  getKeysByPrefix: (prefix: string, scope: StorageScope): string[] => {
+    return measureOperation("storage:getKeysByPrefix", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        return Array.from(memoryStore.keys()).filter((key) =>
+          key.startsWith(prefix),
+        );
+      }
+      return getStorageModule().getKeysByPrefix(prefix, scope);
+    });
+  },
+  getByPrefix: (
+    prefix: string,
+    scope: StorageScope,
+  ): Record<string, string> => {
+    return measureOperation("storage:getByPrefix", scope, () => {
+      const result: Record<string, string> = {};
+      const keys = storage.getKeysByPrefix(prefix, scope);
+      if (keys.length === 0) {
+        return result;
+      }
+
+      if (scope === StorageScope.Memory) {
+        keys.forEach((key) => {
+          const value = memoryStore.get(key);
+          if (typeof value === "string") {
+            result[key] = value;
+          }
+        });
+        return result;
+      }
+
+      const values = getStorageModule().getBatch(keys, scope);
+      keys.forEach((key, idx) => {
+        const value = decodeNativeBatchValue(values[idx]);
+        if (value !== undefined) {
+          result[key] = value;
+        }
+      });
+      return result;
+    });
   },
   getAll: (scope: StorageScope): Record<string, string> => {
-    assertValidScope(scope);
-    const result: Record<string, string> = {};
-    if (scope === StorageScope.Memory) {
-      memoryStore.forEach((value, key) => {
-        if (typeof value === "string") result[key] = value;
+    return measureOperation("storage:getAll", scope, () => {
+      assertValidScope(scope);
+      const result: Record<string, string> = {};
+      if (scope === StorageScope.Memory) {
+        memoryStore.forEach((value, key) => {
+          if (typeof value === "string") result[key] = value;
+        });
+        return result;
+      }
+      const keys = getStorageModule().getAllKeys(scope);
+      if (keys.length === 0) return result;
+      const values = getStorageModule().getBatch(keys, scope);
+      keys.forEach((key, idx) => {
+        const val = decodeNativeBatchValue(values[idx]);
+        if (val !== undefined) result[key] = val;
       });
       return result;
-    }
-    const keys = getStorageModule().getAllKeys(scope);
-    if (keys.length === 0) return result;
-    const values = getStorageModule().getBatch(keys, scope);
-    keys.forEach((key, idx) => {
-      const val = decodeNativeBatchValue(values[idx]);
-      if (val !== undefined) result[key] = val;
     });
-    return result;
   },
   size: (scope: StorageScope): number => {
-    assertValidScope(scope);
-    if (scope === StorageScope.Memory) {
-      return memoryStore.size;
-    }
-    return getStorageModule().size(scope);
+    return measureOperation("storage:size", scope, () => {
+      assertValidScope(scope);
+      if (scope === StorageScope.Memory) {
+        return memoryStore.size;
+      }
+      return getStorageModule().size(scope);
+    });
   },
   setAccessControl: (level: AccessControl) => {
-    secureDefaultAccessControl = level;
-    getStorageModule().setSecureAccessControl(level);
+    measureOperation("storage:setAccessControl", StorageScope.Secure, () => {
+      secureDefaultAccessControl = level;
+      getStorageModule().setSecureAccessControl(level);
+    });
   },
   setSecureWritesAsync: (enabled: boolean) => {
-    getStorageModule().setSecureWritesAsync(enabled);
+    measureOperation(
+      "storage:setSecureWritesAsync",
+      StorageScope.Secure,
+      () => {
+        getStorageModule().setSecureWritesAsync(enabled);
+      },
+    );
   },
   flushSecureWrites: () => {
-    flushSecureWrites();
+    measureOperation("storage:flushSecureWrites", StorageScope.Secure, () => {
+      flushSecureWrites();
+    });
   },
   setKeychainAccessGroup: (group: string) => {
-    getStorageModule().setKeychainAccessGroup(group);
+    measureOperation(
+      "storage:setKeychainAccessGroup",
+      StorageScope.Secure,
+      () => {
+        getStorageModule().setKeychainAccessGroup(group);
+      },
+    );
+  },
+  setMetricsObserver: (observer?: StorageMetricsObserver) => {
+    metricsObserver = observer;
+  },
+  getMetricsSnapshot: (): Record<string, StorageMetricSummary> => {
+    const snapshot: Record<string, StorageMetricSummary> = {};
+    metricsCounters.forEach((value, key) => {
+      snapshot[key] = {
+        count: value.count,
+        totalDurationMs: value.totalDurationMs,
+        avgDurationMs:
+          value.count === 0 ? 0 : value.totalDurationMs / value.count,
+        maxDurationMs: value.maxDurationMs,
+      };
+    });
+    return snapshot;
+  },
+  resetMetrics: () => {
+    metricsCounters.clear();
+  },
+  import: (data: Record<string, string>, scope: StorageScope): void => {
+    measureOperation(
+      "storage:import",
+      scope,
+      () => {
+        assertValidScope(scope);
+        const keys = Object.keys(data);
+        if (keys.length === 0) return;
+        const values = keys.map((k) => data[k]!);
+
+        if (scope === StorageScope.Memory) {
+          keys.forEach((key, index) => {
+            memoryStore.set(key, values[index]);
+          });
+          keys.forEach((key) => notifyKeyListeners(memoryListeners, key));
+          return;
+        }
+
+        if (scope === StorageScope.Secure) {
+          flushSecureWrites();
+          getStorageModule().setSecureAccessControl(secureDefaultAccessControl);
+        }
+
+        getStorageModule().setBatch(keys, values, scope);
+        keys.forEach((key, index) => cacheRawValue(scope, key, values[index]));
+      },
+      Object.keys(data).length,
+    );
   },
 };
 
+export function setWebSecureStorageBackend(
+  _backend?: WebSecureStorageBackend,
+): void {
+  // Native platforms do not use web secure backends.
+}
+
+export function getWebSecureStorageBackend():
+  | WebSecureStorageBackend
+  | undefined {
+  return undefined;
+}
+
 export interface StorageItemConfig<T> {
   key: string;
   scope: StorageScope;
@@ -442,12 +673,18 @@ export interface StorageItemConfig<T> {
   coalesceSecureWrites?: boolean;
   namespace?: string;
   biometric?: boolean;
+  biometricLevel?: BiometricLevel;
   accessControl?: AccessControl;
 }
 
 export interface StorageItem<T> {
   get: () => T;
+  getWithVersion: () => VersionedValue<T>;
   set: (value: T | ((prev: T) => T)) => void;
+  setIfVersion: (
+    version: StorageVersion,
+    value: T | ((prev: T) => T),
+  ) => boolean;
   delete: () => void;
   has: () => boolean;
   subscribe: (callback: () => void) => () => void;
@@ -459,10 +696,12 @@ export interface StorageItem<T> {
 
 type StorageItemInternal<T> = StorageItem<T> & {
   _triggerListeners: () => void;
+  _invalidateParsedCacheOnly: () => void;
   _hasValidation: boolean;
   _hasExpiration: boolean;
   _readCacheEnabled: boolean;
   _isBiometric: boolean;
+  _defaultValue: T;
   _secureAccessControl?: AccessControl;
 };
 
@@ -498,8 +737,14 @@ export function createStorageItem<T = undefined>(
   const serialize = config.serialize ?? defaultSerialize;
   const deserialize = config.deserialize ?? defaultDeserialize;
   const isMemory = config.scope === StorageScope.Memory;
-  const isBiometric =
-    config.biometric === true && config.scope === StorageScope.Secure;
+  const resolvedBiometricLevel =
+    config.scope === StorageScope.Secure
+      ? (config.biometricLevel ??
+        (config.biometric === true
+          ? BiometricLevel.BiometryOnly
+          : BiometricLevel.None))
+      : BiometricLevel.None;
+  const isBiometric = resolvedBiometricLevel !== BiometricLevel.None;
   const secureAccessControl = config.accessControl;
   const validate = config.validate;
   const onValidationError = config.onValidationError;
@@ -512,8 +757,7 @@ export function createStorageItem<T = undefined>(
   const coalesceSecureWrites =
     config.scope === StorageScope.Secure &&
     config.coalesceSecureWrites === true &&
-    !isBiometric &&
-    secureAccessControl === undefined;
+    !isBiometric;
   const defaultValue = config.defaultValue as T;
   const nonMemoryScope: NonMemoryScope | null =
     config.scope === StorageScope.Disk
@@ -603,14 +847,22 @@ export function createStorageItem<T = undefined>(
 
   const writeStoredRaw = (rawValue: string): void => {
     if (isBiometric) {
-      getStorageModule().setSecureBiometric(storageKey, rawValue);
+      getStorageModule().setSecureBiometricWithLevel(
+        storageKey,
+        rawValue,
+        resolvedBiometricLevel,
+      );
       return;
     }
 
     cacheRawValue(nonMemoryScope!, storageKey, rawValue);
 
     if (coalesceSecureWrites) {
-      scheduleSecureWrite(storageKey, rawValue);
+      scheduleSecureWrite(
+        storageKey,
+        rawValue,
+        secureAccessControl ?? secureDefaultAccessControl,
+      );
       return;
     }
 
@@ -633,7 +885,11 @@ export function createStorageItem<T = undefined>(
     cacheRawValue(nonMemoryScope!, storageKey, undefined);
 
     if (coalesceSecureWrites) {
-      scheduleSecureWrite(storageKey, undefined);
+      scheduleSecureWrite(
+        storageKey,
+        undefined,
+        secureAccessControl ?? secureDefaultAccessControl,
+      );
       return;
     }
 
@@ -694,7 +950,7 @@ export function createStorageItem<T = undefined>(
     return resolved;
   };
 
-  const get = (): T => {
+  const getInternal = (): T => {
     const raw = readStoredRaw();
 
     if (!memoryExpiration && raw === lastRaw && hasLastValue) {
@@ -712,6 +968,7 @@ export function createStorageItem<T = undefined>(
         onExpired?.(storageKey);
         lastValue = ensureValidatedValue(defaultValue, false);
         hasLastValue = true;
+        listeners.forEach((cb) => cb());
         return lastValue;
       }
     }
@@ -753,6 +1010,7 @@ export function createStorageItem<T = undefined>(
             onExpired?.(storageKey);
             lastValue = ensureValidatedValue(defaultValue, false);
             hasLastValue = true;
+            listeners.forEach((cb) => cb());
             return lastValue;
           }
 
@@ -771,40 +1029,74 @@ export function createStorageItem<T = undefined>(
     return lastValue;
   };
 
+  const getCurrentVersion = (): StorageVersion => {
+    const raw = readStoredRaw();
+    return toVersionToken(raw);
+  };
+
+  const get = (): T =>
+    measureOperation("item:get", config.scope, () => getInternal());
+
+  const getWithVersion = (): VersionedValue<T> =>
+    measureOperation("item:getWithVersion", config.scope, () => ({
+      value: getInternal(),
+      version: getCurrentVersion(),
+    }));
+
   const set = (valueOrFn: T | ((prev: T) => T)): void => {
-    const newValue = isUpdater(valueOrFn) ? valueOrFn(get()) : valueOrFn;
+    measureOperation("item:set", config.scope, () => {
+      const newValue = isUpdater(valueOrFn)
+        ? valueOrFn(getInternal())
+        : valueOrFn;
 
-    invalidateParsedCache();
+      invalidateParsedCache();
 
-    if (validate && !validate(newValue)) {
-      throw new Error(
-        `Validation failed for key "${storageKey}" in scope "${StorageScope[config.scope]}".`,
-      );
-    }
+      if (validate && !validate(newValue)) {
+        throw new Error(
+          `Validation failed for key "${storageKey}" in scope "${StorageScope[config.scope]}".`,
+        );
+      }
 
-    writeValueWithoutValidation(newValue);
+      writeValueWithoutValidation(newValue);
+    });
   };
 
+  const setIfVersion = (
+    version: StorageVersion,
+    valueOrFn: T | ((prev: T) => T),
+  ): boolean =>
+    measureOperation("item:setIfVersion", config.scope, () => {
+      const currentVersion = getCurrentVersion();
+      if (currentVersion !== version) {
+        return false;
+      }
+      set(valueOrFn);
+      return true;
+    });
+
   const deleteItem = (): void => {
-    invalidateParsedCache();
+    measureOperation("item:delete", config.scope, () => {
+      invalidateParsedCache();
 
-    if (isMemory) {
-      if (memoryExpiration) {
-        memoryExpiration.delete(storageKey);
+      if (isMemory) {
+        if (memoryExpiration) {
+          memoryExpiration.delete(storageKey);
+        }
+        memoryStore.delete(storageKey);
+        notifyKeyListeners(memoryListeners, storageKey);
+        return;
       }
-      memoryStore.delete(storageKey);
-      notifyKeyListeners(memoryListeners, storageKey);
-      return;
-    }
 
-    removeStoredRaw();
+      removeStoredRaw();
+    });
   };
 
-  const hasItem = (): boolean => {
-    if (isMemory) return memoryStore.has(storageKey);
-    if (isBiometric) return getStorageModule().hasSecureBiometric(storageKey);
-    return getStorageModule().has(storageKey, config.scope);
-  };
+  const hasItem = (): boolean =>
+    measureOperation("item:has", config.scope, () => {
+      if (isMemory) return memoryStore.has(storageKey);
+      if (isBiometric) return getStorageModule().hasSecureBiometric(storageKey);
+      return getStorageModule().has(storageKey, config.scope);
+    });
 
   const subscribe = (callback: () => void): (() => void) => {
     ensureSubscription();
@@ -823,7 +1115,9 @@ export function createStorageItem<T = undefined>(
 
   const storageItem: StorageItemInternal<T> = {
     get,
+    getWithVersion,
     set,
+    setIfVersion,
     delete: deleteItem,
     has: hasItem,
     subscribe,
@@ -833,10 +1127,14 @@ export function createStorageItem<T = undefined>(
       invalidateParsedCache();
       listeners.forEach((listener) => listener());
     },
+    _invalidateParsedCacheOnly: () => {
+      invalidateParsedCache();
+    },
     _hasValidation: validate !== undefined,
     _hasExpiration: expiration !== undefined,
     _readCacheEnabled: readCache,
     _isBiometric: isBiometric,
+    _defaultValue: defaultValue,
     ...(secureAccessControl !== undefined
       ? { _secureAccessControl: secureAccessControl }
       : {}),
@@ -848,6 +1146,7 @@ export function createStorageItem<T = undefined>(
 }
 
 export { useStorage, useStorageSelector, useSetStorage } from "./storage-hooks";
+export { createIndexedDBBackend } from "./indexeddb-backend";
 
 type BatchReadItem<T> = Pick<
   StorageItem<T>,
@@ -857,6 +1156,7 @@ type BatchReadItem<T> = Pick<
   _hasExpiration?: boolean;
   _readCacheEnabled?: boolean;
   _isBiometric?: boolean;
+  _defaultValue?: unknown;
   _secureAccessControl?: AccessControl;
 };
 type BatchRemoveItem = Pick<StorageItem<unknown>, "key" | "scope" | "delete">;
@@ -870,159 +1170,198 @@ export function getBatch(
   items: readonly BatchReadItem<unknown>[],
   scope: StorageScope,
 ): unknown[] {
-  assertBatchScope(items, scope);
+  return measureOperation(
+    "batch:get",
+    scope,
+    () => {
+      assertBatchScope(items, scope);
 
-  if (scope === StorageScope.Memory) {
-    return items.map((item) => item.get());
-  }
+      if (scope === StorageScope.Memory) {
+        return items.map((item) => item.get());
+      }
 
-  const useRawBatchPath = items.every((item) =>
-    scope === StorageScope.Secure
-      ? canUseSecureRawBatchPath(item)
-      : canUseRawBatchPath(item),
-  );
-  if (!useRawBatchPath) {
-    return items.map((item) => item.get());
-  }
-  const useBatchCache = items.every((item) => item._readCacheEnabled === true);
+      const useRawBatchPath = items.every((item) =>
+        scope === StorageScope.Secure
+          ? canUseSecureRawBatchPath(item)
+          : canUseRawBatchPath(item),
+      );
+      if (!useRawBatchPath) {
+        return items.map((item) => item.get());
+      }
 
-  const rawValues = new Array<string | undefined>(items.length);
-  const keysToFetch: string[] = [];
-  const keyIndexes: number[] = [];
+      const rawValues = new Array<string | undefined>(items.length);
+      const keysToFetch: string[] = [];
+      const keyIndexes: number[] = [];
 
-  items.forEach((item, index) => {
-    if (scope === StorageScope.Secure) {
-      if (hasPendingSecureWrite(item.key)) {
-        rawValues[index] = readPendingSecureWrite(item.key);
-        return;
-      }
-    }
+      items.forEach((item, index) => {
+        if (scope === StorageScope.Secure) {
+          if (hasPendingSecureWrite(item.key)) {
+            rawValues[index] = readPendingSecureWrite(item.key);
+            return;
+          }
+        }
 
-    if (useBatchCache) {
-      if (hasCachedRawValue(scope, item.key)) {
-        rawValues[index] = readCachedRawValue(scope, item.key);
-        return;
-      }
-    }
+        if (item._readCacheEnabled === true) {
+          if (hasCachedRawValue(scope, item.key)) {
+            rawValues[index] = readCachedRawValue(scope, item.key);
+            return;
+          }
+        }
 
-    keysToFetch.push(item.key);
-    keyIndexes.push(index);
-  });
+        keysToFetch.push(item.key);
+        keyIndexes.push(index);
+      });
 
-  if (keysToFetch.length > 0) {
-    const fetchedValues = getStorageModule()
-      .getBatch(keysToFetch, scope)
-      .map((value) => decodeNativeBatchValue(value));
+      if (keysToFetch.length > 0) {
+        const fetchedValues = getStorageModule()
+          .getBatch(keysToFetch, scope)
+          .map((value) => decodeNativeBatchValue(value));
 
-    fetchedValues.forEach((value, index) => {
-      const key = keysToFetch[index];
-      const targetIndex = keyIndexes[index];
-      if (key === undefined || targetIndex === undefined) {
-        return;
+        fetchedValues.forEach((value, index) => {
+          const key = keysToFetch[index];
+          const targetIndex = keyIndexes[index];
+          if (key === undefined || targetIndex === undefined) {
+            return;
+          }
+          rawValues[targetIndex] = value;
+          cacheRawValue(scope, key, value);
+        });
       }
-      rawValues[targetIndex] = value;
-      cacheRawValue(scope, key, value);
-    });
-  }
 
-  return items.map((item, index) => {
-    const raw = rawValues[index];
-    if (raw === undefined) {
-      return item.get();
-    }
-    return item.deserialize(raw);
-  });
+      return items.map((item, index) => {
+        const raw = rawValues[index];
+        if (raw === undefined) {
+          return asInternal(item as StorageItem<unknown>)._defaultValue;
+        }
+        return item.deserialize(raw);
+      });
+    },
+    items.length,
+  );
 }
 
 export function setBatch<T>(
   items: readonly StorageBatchSetItem<T>[],
   scope: StorageScope,
 ): void {
-  assertBatchScope(
-    items.map((batchEntry) => batchEntry.item),
+  measureOperation(
+    "batch:set",
     scope,
-  );
+    () => {
+      assertBatchScope(
+        items.map((batchEntry) => batchEntry.item),
+        scope,
+      );
 
-  if (scope === StorageScope.Memory) {
-    items.forEach(({ item, value }) => item.set(value));
-    return;
-  }
+      if (scope === StorageScope.Memory) {
+        // Determine if any item needs per-item handling (validation or TTL)
+        const needsIndividualSets = items.some(({ item }) => {
+          const internal = asInternal(item as StorageItem<unknown>);
+          return internal._hasValidation || internal._hasExpiration;
+        });
+
+        if (needsIndividualSets) {
+          // Fall back to individual sets to preserve validation and TTL semantics
+          items.forEach(({ item, value }) => item.set(value));
+          return;
+        }
 
-  if (scope === StorageScope.Secure) {
-    const secureEntries = items.map(({ item, value }) => ({
-      item,
-      value,
-      internal: asInternal(item),
-    }));
-    const canUseSecureBatchPath = secureEntries.every(({ internal }) =>
-      canUseSecureRawBatchPath(internal),
-    );
-    if (!canUseSecureBatchPath) {
-      items.forEach(({ item, value }) => item.set(value));
-      return;
-    }
+        // Atomic write: update all values in memoryStore, invalidate caches, then batch-notify
+        items.forEach(({ item, value }) => {
+          memoryStore.set(item.key, value);
+          asInternal(item as StorageItem<unknown>)._invalidateParsedCacheOnly();
+        });
+        items.forEach(({ item }) =>
+          notifyKeyListeners(memoryListeners, item.key),
+        );
+        return;
+      }
 
-    flushSecureWrites();
-    const storageModule = getStorageModule();
-    const groupedByAccessControl = new Map<
-      number,
-      { keys: string[]; values: string[] }
-    >();
-
-    secureEntries.forEach(({ item, value, internal }) => {
-      const accessControl =
-        internal._secureAccessControl ?? secureDefaultAccessControl;
-      const existingGroup = groupedByAccessControl.get(accessControl);
-      const group = existingGroup ?? { keys: [], values: [] };
-      group.keys.push(item.key);
-      group.values.push(item.serialize(value));
-      if (!existingGroup) {
-        groupedByAccessControl.set(accessControl, group);
+      if (scope === StorageScope.Secure) {
+        const secureEntries = items.map(({ item, value }) => ({
+          item,
+          value,
+          internal: asInternal(item),
+        }));
+        const canUseSecureBatchPath = secureEntries.every(({ internal }) =>
+          canUseSecureRawBatchPath(internal),
+        );
+        if (!canUseSecureBatchPath) {
+          items.forEach(({ item, value }) => item.set(value));
+          return;
+        }
+
+        flushSecureWrites();
+        const storageModule = getStorageModule();
+        const groupedByAccessControl = new Map<
+          number,
+          { keys: string[]; values: string[] }
+        >();
+
+        secureEntries.forEach(({ item, value, internal }) => {
+          const accessControl =
+            internal._secureAccessControl ?? secureDefaultAccessControl;
+          const existingGroup = groupedByAccessControl.get(accessControl);
+          const group = existingGroup ?? { keys: [], values: [] };
+          group.keys.push(item.key);
+          group.values.push(item.serialize(value));
+          if (!existingGroup) {
+            groupedByAccessControl.set(accessControl, group);
+          }
+        });
+
+        groupedByAccessControl.forEach((group, accessControl) => {
+          storageModule.setSecureAccessControl(accessControl);
+          storageModule.setBatch(group.keys, group.values, scope);
+          group.keys.forEach((key, index) =>
+            cacheRawValue(scope, key, group.values[index]),
+          );
+        });
+        return;
       }
-    });
 
-    groupedByAccessControl.forEach((group, accessControl) => {
-      storageModule.setSecureAccessControl(accessControl);
-      storageModule.setBatch(group.keys, group.values, scope);
-      group.keys.forEach((key, index) =>
-        cacheRawValue(scope, key, group.values[index]),
+      const useRawBatchPath = items.every(({ item }) =>
+        canUseRawBatchPath(asInternal(item)),
       );
-    });
-    return;
-  }
-
-  const useRawBatchPath = items.every(({ item }) =>
-    canUseRawBatchPath(asInternal(item)),
-  );
-  if (!useRawBatchPath) {
-    items.forEach(({ item, value }) => item.set(value));
-    return;
-  }
+      if (!useRawBatchPath) {
+        items.forEach(({ item, value }) => item.set(value));
+        return;
+      }
 
-  const keys = items.map((entry) => entry.item.key);
-  const values = items.map((entry) => entry.item.serialize(entry.value));
+      const keys = items.map((entry) => entry.item.key);
+      const values = items.map((entry) => entry.item.serialize(entry.value));
 
-  getStorageModule().setBatch(keys, values, scope);
-  keys.forEach((key, index) => cacheRawValue(scope, key, values[index]));
+      getStorageModule().setBatch(keys, values, scope);
+      keys.forEach((key, index) => cacheRawValue(scope, key, values[index]));
+    },
+    items.length,
+  );
 }
 
 export function removeBatch(
   items: readonly BatchRemoveItem[],
   scope: StorageScope,
 ): void {
-  assertBatchScope(items, scope);
+  measureOperation(
+    "batch:remove",
+    scope,
+    () => {
+      assertBatchScope(items, scope);
 
-  if (scope === StorageScope.Memory) {
-    items.forEach((item) => item.delete());
-    return;
-  }
+      if (scope === StorageScope.Memory) {
+        items.forEach((item) => item.delete());
+        return;
+      }
 
-  const keys = items.map((item) => item.key);
-  if (scope === StorageScope.Secure) {
-    flushSecureWrites();
-  }
-  getStorageModule().removeBatch(keys, scope);
-  keys.forEach((key) => cacheRawValue(scope, key, undefined));
+      const keys = items.map((item) => item.key);
+      if (scope === StorageScope.Secure) {
+        flushSecureWrites();
+      }
+      getStorageModule().removeBatch(keys, scope);
+      keys.forEach((key) => cacheRawValue(scope, key, undefined));
+    },
+    items.length,
+  );
 }
 
 export function registerMigration(version: number, migration: Migration): void {
@@ -1040,92 +1379,124 @@ export function registerMigration(version: number, migration: Migration): void {
 export function migrateToLatest(
   scope: StorageScope = StorageScope.Disk,
 ): number {
-  assertValidScope(scope);
-  const currentVersion = readMigrationVersion(scope);
-  const versions = Array.from(registeredMigrations.keys())
-    .filter((version) => version > currentVersion)
-    .sort((a, b) => a - b);
+  return measureOperation("migration:run", scope, () => {
+    assertValidScope(scope);
+    const currentVersion = readMigrationVersion(scope);
+    const versions = Array.from(registeredMigrations.keys())
+      .filter((version) => version > currentVersion)
+      .sort((a, b) => a - b);
+
+    let appliedVersion = currentVersion;
+    const context: MigrationContext = {
+      scope,
+      getRaw: (key) => getRawValue(key, scope),
+      setRaw: (key, value) => setRawValue(key, value, scope),
+      removeRaw: (key) => removeRawValue(key, scope),
+    };
 
-  let appliedVersion = currentVersion;
-  const context: MigrationContext = {
-    scope,
-    getRaw: (key) => getRawValue(key, scope),
-    setRaw: (key, value) => setRawValue(key, value, scope),
-    removeRaw: (key) => removeRawValue(key, scope),
-  };
+    versions.forEach((version) => {
+      const migration = registeredMigrations.get(version);
+      if (!migration) {
+        return;
+      }
+      migration(context);
+      writeMigrationVersion(scope, version);
+      appliedVersion = version;
+    });
 
-  versions.forEach((version) => {
-    const migration = registeredMigrations.get(version);
-    if (!migration) {
-      return;
-    }
-    migration(context);
-    writeMigrationVersion(scope, version);
-    appliedVersion = version;
+    return appliedVersion;
   });
-
-  return appliedVersion;
 }
 
 export function runTransaction<T>(
   scope: StorageScope,
   transaction: (context: TransactionContext) => T,
 ): T {
-  assertValidScope(scope);
-  if (scope === StorageScope.Secure) {
-    flushSecureWrites();
-  }
+  return measureOperation("transaction:run", scope, () => {
+    assertValidScope(scope);
+    if (scope === StorageScope.Secure) {
+      flushSecureWrites();
+    }
 
-  const rollback = new Map<string, string | undefined>();
+    const rollback = new Map<string, string | undefined>();
 
-  const rememberRollback = (key: string) => {
-    if (rollback.has(key)) {
-      return;
-    }
-    rollback.set(key, getRawValue(key, scope));
-  };
+    const rememberRollback = (key: string) => {
+      if (rollback.has(key)) {
+        return;
+      }
+      rollback.set(key, getRawValue(key, scope));
+    };
 
-  const tx: TransactionContext = {
-    scope,
-    getRaw: (key) => getRawValue(key, scope),
-    setRaw: (key, value) => {
-      rememberRollback(key);
-      setRawValue(key, value, scope);
-    },
-    removeRaw: (key) => {
-      rememberRollback(key);
-      removeRawValue(key, scope);
-    },
-    getItem: (item) => {
-      assertBatchScope([item], scope);
-      return item.get();
-    },
-    setItem: (item, value) => {
-      assertBatchScope([item], scope);
-      rememberRollback(item.key);
-      item.set(value);
-    },
-    removeItem: (item) => {
-      assertBatchScope([item], scope);
-      rememberRollback(item.key);
-      item.delete();
-    },
-  };
+    const tx: TransactionContext = {
+      scope,
+      getRaw: (key) => getRawValue(key, scope),
+      setRaw: (key, value) => {
+        rememberRollback(key);
+        setRawValue(key, value, scope);
+      },
+      removeRaw: (key) => {
+        rememberRollback(key);
+        removeRawValue(key, scope);
+      },
+      getItem: (item) => {
+        assertBatchScope([item], scope);
+        return item.get();
+      },
+      setItem: (item, value) => {
+        assertBatchScope([item], scope);
+        rememberRollback(item.key);
+        item.set(value);
+      },
+      removeItem: (item) => {
+        assertBatchScope([item], scope);
+        rememberRollback(item.key);
+        item.delete();
+      },
+    };
 
-  try {
-    return transaction(tx);
-  } catch (error) {
-    Array.from(rollback.entries())
-      .reverse()
-      .forEach(([key, previousValue]) => {
-        if (previousValue === undefined) {
-          removeRawValue(key, scope);
-        } else {
-          setRawValue(key, previousValue, scope);
+    try {
+      return transaction(tx);
+    } catch (error) {
+      const rollbackEntries = Array.from(rollback.entries()).reverse();
+      if (scope === StorageScope.Memory) {
+        rollbackEntries.forEach(([key, previousValue]) => {
+          if (previousValue === undefined) {
+            removeRawValue(key, scope);
+          } else {
+            setRawValue(key, previousValue, scope);
+          }
+        });
+      } else {
+        const keysToSet: string[] = [];
+        const valuesToSet: string[] = [];
+        const keysToRemove: string[] = [];
+
+        rollbackEntries.forEach(([key, previousValue]) => {
+          if (previousValue === undefined) {
+            keysToRemove.push(key);
+          } else {
+            keysToSet.push(key);
+            valuesToSet.push(previousValue);
+          }
+        });
+
+        if (scope === StorageScope.Secure) {
+          flushSecureWrites();
         }
-      });
-    throw error;
-  }
+        if (keysToSet.length > 0) {
+          getStorageModule().setBatch(keysToSet, valuesToSet, scope);
+          keysToSet.forEach((key, index) =>
+            cacheRawValue(scope, key, valuesToSet[index]),
+          );
+        }
+        if (keysToRemove.length > 0) {
+          getStorageModule().removeBatch(keysToRemove, scope);
+          keysToRemove.forEach((key) => cacheRawValue(scope, key, undefined));
+        }
+      }
+      throw error;
+    }
+  });
 }
 
 export type SecureAuthStorageConfig<K extends string = string> = Record<
@@ -1133,6 +1504,7 @@ export type SecureAuthStorageConfig<K extends string = string> = Record<
   {
     ttlMs?: number;
     biometric?: boolean;
+    biometricLevel?: BiometricLevel;
     accessControl?: AccessControl;
   }
 >;
@@ -1156,6 +1528,9 @@ export function createSecureAuthStorage<K extends string>(
       ...(itemConfig.biometric !== undefined
         ? { biometric: itemConfig.biometric }
         : {}),
+      ...(itemConfig.biometricLevel !== undefined
+        ? { biometricLevel: itemConfig.biometricLevel }
+        : {}),
       ...(itemConfig.accessControl !== undefined
         ? { accessControl: itemConfig.accessControl }
         : {}),