mCodex
diff --git a/‎docs/ARCHITECTURE.md‎
Lines changed: 66 additions & 0 deletions b/‎docs/ARCHITECTURE.md‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎docs/EXPO.md‎
Lines changed: 75 additions & 0 deletions b/‎docs/EXPO.md‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎docs/MIGRATION.md‎
Lines changed: 88 additions & 0 deletions b/‎docs/MIGRATION.md‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎docs/PERFORMANCE.md‎
Lines changed: 62 additions & 0 deletions b/‎docs/PERFORMANCE.md‎
Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,66 @@
+# Architecture
+
+```
+┌──────────────────────────────────────────────────────────────────────┐
+│  Public API                                                          │
+│   ├── react-native-sensitive-info           (storage, errors, types) │
+│   ├── react-native-sensitive-info/hooks     (React hooks)            │
+│   └── react-native-sensitive-info/errors    (typed errors only)      │
+└────────────────────────────────────────────┬─────────────────────────┘
+                                             │
+┌────────────────────────────────────────────▼─────────────────────────┐
+│  TS layer (src/)                                                     │
+│   • core/storage.ts   ─ thin wrapper, normalizes options + classifies │
+│                         errors                                       │
+│   • internal/options  ─ defaults, service resolution                  │
+│   • internal/native   ─ lazy Nitro hybrid handle (Expo Go detection)  │
+│   • internal/validate ─ TS-side input contracts (key/service/value)   │
+│   • internal/errors   ─ marker-based error utilities                  │
+│   • errors.ts         ─ typed error classes + predicates              │
+│   • hooks/            ─ stable, memoized hook surface                 │
+└────────────────────────────────────────────┬─────────────────────────┘
+                                             │  Nitro JSI bridge
+┌────────────────────────────────────────────▼─────────────────────────┐
+│  Native layer                                                        │
+│   • iOS    ─ Swift / Keychain / Secure Enclave / CryptoKit           │
+│   • Android─ Kotlin / Keystore / StrongBox / AES-GCM                 │
+└──────────────────────────────────────────────────────────────────────┘
+```
+
+## Naming conventions
+
+### Service & key
+
+- `service` is a logical namespace (reverse-DNS recommended: `com.example.auth`). Defaults to
+  the bundle identifier when available, otherwise `'default'`.
+- `key` is the entry identifier within a service. Must be a non-empty UTF-8 string ≤ 1024 bytes.
+- Combined storage key on Android: `<service>::<key>`. On iOS: Keychain `service` attribute is
+  set to `service` and `account` to `key`.
+
+### Keystore aliases (Android)
+
+Each `service` owns a master key under the alias `rnsensitiveinfo.<service>.v<n>` where `n` is
+the active key version. `rotateKeys` increments `n` and either lazily re-encrypts on next access
+or eagerly walks the existing entries when `reEncryptEagerly: true`.
+
+### Versions
+
+- `keyVersion` is stored in `StorageMetadata`. Legacy entries default to `0` and are
+  opportunistically upgraded on read.
+- `integrityTag` is a base64 HMAC-SHA256 over metadata + ciphertext, signed with a derived
+  subkey of the master.
+
+## Cache locations
+
+| Cache               | Where                                | Lifetime                             |
+| ------------------- | ------------------------------------ | ------------------------------------ |
+| Nitro instance      | `src/internal/native.ts` module-scope | App process                          |
+| Stable options      | Per-hook `useRef` keyed by deepEqual | Component lifetime                   |
+| Service resolution  | `src/internal/options.ts`            | Recomputed on every call (cheap)     |
+| Key version (native)| Keystore / Keychain                  | Persistent until `clearService`      |
+
+## Tree-shaking
+
+The package sets `"sideEffects": false` and ships ESM via subpath exports. Hooks live behind
+`react-native-sensitive-info/hooks` so apps that only use the imperative API never pay for the
+hook bundle. Errors are also re-exported from `/errors` for the same reason.
@@ -0,0 +1,75 @@
+# Expo
+
+## Compatibility matrix
+
+| Library version | Expo SDK | React Native | Notes                                  |
+| --------------- | -------- | ------------ | -------------------------------------- |
+| `6.0.x`         | 52+      | 0.80–0.85    | Nitro Modules, New Architecture only.  |
+| `5.6.x`         | 49–51    | 0.71–0.74    | Legacy bridge build, maintenance mode. |
+
+`react-native-sensitive-info` ships native code, so it cannot run inside **Expo Go**. You need
+either a **custom Dev Client** (`npx expo run:ios` / `npx expo run:android`) or an **EAS Build**.
+
+When the native module is unavailable at runtime (typically Expo Go), every API throws a
+`SensitiveInfoError` with a hint that points to the Dev Client / EAS workflow.
+
+## Installation
+
+```bash
+npx expo install react-native-sensitive-info
+```
+
+Add the plugin to your `app.json` / `app.config.ts`:
+
+```json
+{
+	"expo": {
+		"plugins": [
+			[
+				"react-native-sensitive-info",
+				{
+					"faceIDPermission": "Authenticate to unlock your account.",
+					"enableNewArchitecture": true
+				}
+			]
+		]
+	}
+}
+```
+
+### Plugin options
+
+| Prop                    | Type      | Default                                       | Effect                                                                                                    |
+| ----------------------- | --------- | --------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| `faceIDPermission`      | `string`  | `"Authenticate to access your secure data."` | Written to `NSFaceIDUsageDescription` if missing. A pre-existing value in your Info.plist is preserved. |
+| `faceIDPermission`      | `null`    | —                                             | Skips the Info.plist modifier entirely (use when another plugin owns the key).                            |
+| `enableNewArchitecture` | `boolean` | `true`                                        | Writes `newArchEnabled` (Android) and `RCT_NEW_ARCH_ENABLED` (iOS) flags.                                 |
+
+The plugin also adds the following Android permissions automatically:
+
+- `android.permission.USE_BIOMETRIC` (API 28+)
+- `android.permission.USE_FINGERPRINT` with `android:maxSdkVersion="28"` (legacy fallback)
+
+## Generating the native projects
+
+After adding the plugin:
+
+```bash
+npx expo prebuild --clean   # Regenerates ios/ and android/ with the plugin applied
+npx expo run:ios            # or run:android
+```
+
+For EAS Build:
+
+```bash
+eas build --profile development --platform ios
+```
+
+## Troubleshooting
+
+- **"native module is not available"** at runtime — you are running in Expo Go. Switch to a
+  Dev Client.
+- **Face ID prompt has no usage string** — confirm `NSFaceIDUsageDescription` is in the
+  rendered `ios/<app>/Info.plist` after `prebuild`.
+- **Biometric APIs return `software` security level on Android** — confirm the device is
+  enrolled and that `USE_BIOMETRIC` was written to the rendered `AndroidManifest.xml`.
@@ -0,0 +1,88 @@
+# Migration: 5.6 → 6.x
+
+`react-native-sensitive-info` 6 is a from-scratch rewrite on top of [Nitro Modules][nitro] and
+the React Native New Architecture. The public API is intentionally narrower and more typed than
+5.6.
+
+[nitro]: https://nitro.margelo.com/
+
+## Breaking changes at a glance
+
+| 5.6                                          | 6.x                                                                                                  |
+| -------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
+| Bridge module, Old Architecture only         | Nitro hybrid object, **New Architecture required**                                                   |
+| `setItem(key, value, options)` returns void  | `setItem(key, value, options)` returns `Promise<StorageMetadata>`                                    |
+| `getItem(key, options)` returns the raw value or `null`         | `getItem(key, options)` returns `SensitiveInfoItem \| null` (`{ key, service, value, metadata }`) |
+| `getAllItems(options)` returns `Record<string, string>` | `getAllItems(options)` returns `SensitiveInfoItem[]`                                                                              |
+| `deleteItem(key, options)` returns void                                  | `deleteItem(key, options)` returns `Promise<boolean>` (`true` when removed)                                                                                |
+| Errors are plain `Error` instances           | Typed `SensitiveInfoError` subclasses + `is*Error` predicates                                        |
+| `kSecAccessControl*` strings on iOS          | `accessControl: 'secureEnclaveBiometry' \| 'biometryCurrentSet' \| 'biometryAny' \| 'devicePasscode' \| 'none'`                                  |
+| Android `keystore` config object             | `accessControl` only — backend is selected automatically (StrongBox → Keystore → EncryptedSharedPreferences) |
+| No metadata                                  | `StorageMetadata` returned with every read/write (`securityLevel`, `backend`, `keyVersion`, `integrityTag`)  |
+| No key rotation                              | `rotateKeys()` + `getKeyVersion()`                                                                  |
+| No React hooks                               | First-party hooks via `react-native-sensitive-info/hooks`                                            |
+
+## Step-by-step
+
+### 1. Update peer requirements
+
+- React Native ≥ 0.80 with **New Architecture enabled**.
+- Expo users: SDK 52+ and a custom Dev Client / EAS Build (Expo Go is not supported).
+
+### 2. Replace value-only reads
+
+```diff
+- const token = await getItem('token', { sharedPreferencesName: 'auth' })
++ const item = await getItem('token', { service: 'auth' })
++ const token = item?.value ?? null
+```
+
+> `sharedPreferencesName` (Android) and `keychainService` (iOS) are unified as `service`.
+
+### 3. Use typed errors
+
+```diff
+- try { await getItem('k', opts) }
+- catch (e) { if (e.message.includes('cancel')) return }
++ import { isAuthenticationCanceledError } from 'react-native-sensitive-info'
++ try { await getItem('k', opts) }
++ catch (e) { if (isAuthenticationCanceledError(e)) return }
+```
+
+Available predicates: `isNotFoundError`, `isAuthenticationCanceledError`,
+`isIntegrityViolationError`, `isKeyInvalidatedError`, `isRotationFailedError`,
+`isInvalidArgumentError`.
+
+### 4. Migrate access-control flags
+
+| 5.6 (`kSecAccessControl…`)                                   | 6.x (`accessControl`)        |
+| ------------------------------------------------------------ | ---------------------------- |
+| `kSecAccessControlBiometryCurrentSet` + Secure Enclave class | `secureEnclaveBiometry`      |
+| `kSecAccessControlBiometryCurrentSet`                        | `biometryCurrentSet`         |
+| `kSecAccessControlBiometryAny`                               | `biometryAny`                |
+| `kSecAccessControlDevicePasscode`                            | `devicePasscode`             |
+| (no policy)                                                  | `none`                       |
+
+### 5. Replace `setInvalidatedByBiometricEnrollment` etc.
+
+These were Apple-specific opt-outs. In 6.x, biometric-bound entries that the OS invalidates
+(re-enrollment, biometric reset) raise `KeyInvalidatedError` deterministically. Catch it and
+re-prompt the user to set up the secret again.
+
+### 6. Adopt hooks (optional)
+
+```ts
+import { useSecret } from 'react-native-sensitive-info/hooks'
+
+const { data, error, saveSecret, deleteSecret } = useSecret('token', {
+	service: 'auth',
+	includeValue: true,
+})
+```
+
+## Data migration
+
+5.6 → 6.x is **not** wire-compatible. Existing entries written by 5.6 are not readable by 6.x
+because the metadata envelope is different. To migrate live data, ship a one-time migration that
+reads with a vendored 5.6 helper and re-writes via 6.x `setItem`. For most apps the safer answer
+is "let users re-authenticate once" — secrets are short-lived by design.
@@ -0,0 +1,62 @@
+# Performance
+
+## Bundle policy
+
+- `"sideEffects": false` — every public surface tree-shakes cleanly.
+- Subpath exports keep the imperative API, the hooks, and the error classes in **separate**
+  ESM entry points so apps only pay for what they import.
+- The TypeScript-side dependency graph is intentionally flat. The whole runtime (errors,
+  options, native handle, validation, storage) is a few hundred lines of JS plus the Nitro
+  bridge.
+
+| Import                                        | Approximate min+gz size† |
+| --------------------------------------------- | ------------------------ |
+| `react-native-sensitive-info`                 | ~3.0 KB                  |
+| `react-native-sensitive-info/hooks`           | ~4.5 KB                  |
+| `react-native-sensitive-info/errors`          | ~1.0 KB                  |
+
+> † Numbers are a rough order-of-magnitude on RN Metro output; verify with your own bundler.
+
+## Hooks
+
+Every public hook follows the same recipe to keep re-renders cheap:
+
+1. Inline option literals are **deep-equal cached** through `useStableOptions`. Passing a fresh
+   object each render does not invalidate the underlying `useAsync` / `useMutation`.
+2. `useReducer` drives the lifecycle so `setState` cannot tear (loading + data + error always
+   commit together).
+3. The returned object is wrapped in `useMemo` with stable identity per state transition.
+4. Stable empty arrays (e.g. `EMPTY_ITEMS`) are frozen once at module scope so consumers can
+   safely use referential equality.
+
+That means you can pass result objects to `React.memo` children or to a `Context.Provider`
+without paying for spurious re-renders.
+
+## React Compiler (Babel plugin)
+
+The hooks are written so that the React Compiler **does not** need to see the source to keep
+them stable. We don't ship Compiler output; the optimization is done by hand and stays explicit.
+This keeps the runtime debuggable and avoids forcing consumers onto the Compiler.
+
+If you do enable the Compiler app-wide, the hooks remain correct: they don't rely on memo
+identity behaviour the Compiler would change.
+
+## Native call overhead
+
+- iOS: each call is a single Keychain transaction. The Secure Enclave path adds ~20–60 ms for
+  biometric prompts (user-driven).
+- Android: Keystore unwrap is on the critical path. StrongBox-backed keys add ~30–80 ms for
+  the IPC round-trip. `EncryptedSharedPreferences` fallback is ~3–5 ms per read.
+
+Always avoid calling `getItem` in tight render loops — fetch once, hoist into state.
+
+## Recommended patterns
+
+- **List metadata, fetch on demand.** Use `getAllItems({ includeValues: false })` (or
+  `useSecureStorage` with the same flag) to render a list cheaply, and only call `getItem` when
+  the user explicitly asks for the value.
+- **Batch on rotation.** `rotateKeys({ reEncryptEagerly: true })` walks all entries in one
+  native pass. Doing it lazily per-read is fine but spreads cost across the app's lifetime.
+- **Skip the biometric on enumeration.** iOS will not prompt for `hasItem` /
+  `getAllItems({ includeValues: false })` — keep enumeration silent and reserve prompts for
+  reads that actually need plaintext.