JoaoPauloCMarra
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 23 additions & 79 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 23 additions & 79 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 26 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 39 additions & 0 deletions b/‎README.md‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎apps/example/.maestro/main.yaml‎
Lines changed: 27 additions & 0 deletions b/‎apps/example/.maestro/main.yaml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎apps/example/app.json‎
Lines changed: 1 addition & 1 deletion b/‎apps/example/app.json‎
Lines changed: 1 addition & 1 deletion
@@ -1,110 +1,54 @@
 name: CI
 
 on:
-  push:
-    branches: [main]
   pull_request:
     branches: [main]
 
+env:
+  TZ: UTC
+  BUN_VERSION: "1.3.10"
+
 jobs:
   quality:
-    name: Quality Checks
+    name: Lint, Typecheck & Unit Tests
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@v2
         with:
-          bun-version: 1.3.9
+          bun-version: ${{ env.BUN_VERSION }}
 
-      - name: Cache dependencies
-        uses: actions/cache@v4
+      - uses: actions/cache@v5
         with:
           path: |
             ~/.bun/install/cache
             node_modules
             packages/*/node_modules
+            apps/*/node_modules
           key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-bun-
+          restore-keys: ${{ runner.os }}-bun-
+
+      - run: bun install --frozen-lockfile
 
-      - name: Install dependencies
-        run: bun install
+      - name: Lint
+        run: bun run lint
 
-      - name: Run type checking
+      - name: Format check
+        run: bun run format:check
+
+      - name: Typecheck
         run: bun run typecheck
 
-      - name: Run type-level API tests
+      - name: Type-level API tests
         run: bun run test:types
 
-      - name: Run JavaScript tests
-        run: bun run test
-
-      - name: Run JavaScript tests with coverage
+      - name: Unit tests with coverage
         run: bun run test:coverage
 
-      - name: Run benchmark regression checks
+      - name: Benchmark regression checks
         run: bun run benchmark
 
-      - name: Setup CMake (for C++ tests)
-        run: |
-          cmake --version
-          gcc --version || clang --version || echo "C++ compiler available"
-
-      - name: Run C++ tests
+      - name: C++ tests
         run: bun run test:cpp
-
-      - name: Build packages
-        run: bun run build
-
-      - name: Verify build artifacts
-        run: |
-          # Check that lib directories were created
-          [ -d "packages/react-native-nitro-storage/lib" ] || exit 1
-          # Check that TypeScript definitions exist
-          [ -f "packages/react-native-nitro-storage/lib/typescript/index.d.ts" ] || exit 1
-          # Check that all build targets exist
-          [ -d "packages/react-native-nitro-storage/lib/commonjs" ] || exit 1
-          [ -d "packages/react-native-nitro-storage/lib/module" ] || exit 1
-          echo "✅ Build artifacts verified"
-
-      - name: Test package packaging
-        run: |
-          cd packages/react-native-nitro-storage
-          bun run check:pack
-
-  build-example-android:
-    name: Android Example Build
-    runs-on: ubuntu-latest
-    needs: quality
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: 1.3.9
-
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: "17"
-
-      - name: Install dependencies
-        run: bun install
-
-      - name: Expo prebuild (Android)
-        run: bun run example:prebuild:clean -- -- --platform android --non-interactive
-        env:
-          EXPO_NO_TELEMETRY: 1
-
-      - name: Gradle build check
-        working-directory: apps/example/android
-        run: ./gradlew assembleDebug --no-daemon -q
-
@@ -4,6 +4,32 @@ All notable changes to this project are documented in this file.
 
 The format follows Keep a Changelog and the project adheres to SemVer.
 
+## 0.4.2/0.4.3 - 2026-03-05
+
+### Fixed
+
+- Fix crash on Android devices without biometric hardware — all biometric storage paths now catch initialization failures gracefully (non-biometric operations unaffected).
+- Fix Android keystore corruption recovery incorrectly wiping data on a locked keystore — only `AEADBadTagException` now triggers wipe; all other init failures throw without touching stored data.
+- Synchronize `AndroidStorageAdapter.invalidateSecureKeysCache()` under instance lock to close a race between concurrent reads and writes.
+- Synchronize `setSecureBatch`/`deleteSecureBatch` under instance lock to prevent cache rebuild racing a mid-batch write.
+- Propagate `SharedPreferences.commit()` failures out of `applySecureEditor` instead of swallowing them.
+- Fix `IOSStorageAdapterCpp::clearDisk()` using `dictionaryRepresentation` (includes OS-injected keys) — switched to `persistentDomainForName:` scoped strictly to the app suite.
+- Fix `clearSecure()`/`clearSecureBiometric()` clearing the in-memory key cache before confirming `SecItemDelete` succeeded — cache is now only updated after the deletion is confirmed.
+- Fix potential unexpected biometric auth prompt in `getSecure()` — added `kSecUseAuthenticationUI = kSecUseAuthenticationUIFail` consistent with `hasSecure()`.
+- Fix `setKeychainAccessGroup()` race where a concurrent `getAllKeysSecure()` could observe a stale cache between group update and cache invalidation — both are now updated atomically under both mutexes.
+- Fix CFErrorRef leak in `SecAccessControlCreateWithFlags` error path.
+- Fix `setSecureBiometricWithLevel()` incorrectly reporting "value restored" when backup restoration itself threw — now propagates the composite error.
+- Mark `secureKeyCacheHydrated_` as `std::atomic<bool>` to satisfy the C++ memory model.
+- Fix `HybridStorage::addOnChange()` unsubscribe lambda capturing `this` raw pointer — switched to `std::weak_ptr` capture to prevent use-after-free if `HybridStorage` is destroyed before the JS unsubscribe callback fires.
+- Validate access control level in `setSecureAccessControl()` (must be 0–4) and biometric level in `setSecureBiometricWithLevel()` (must be 0–2) — invalid values now throw instead of being silently passed to the native adapter.
+- Fix `clearSecureBiometric()` calling `onScopeClear` which unnecessarily evicted all secure keys from the index — now only marks the index stale for lazy re-hydration.
+- Fix `fromJavaStringArray()` silently dropping null JNI array elements — null entries are now preserved as empty strings to maintain positional alignment.
+- Extend `isKeychainLockedError()` to detect Android `KeyPermanentlyInvalidatedException` and `InvalidKeyException` in addition to existing iOS/Android patterns.
+- Fix web `getAll()` performing O(n) individual reads — switched to `WebStorage.getBatch()`.
+- Fix web `subscribe()` accumulating `window.addEventListener("storage", …)` calls — now reference-counted and removed when the last subscriber unsubscribes.
+- Fix web `import()` for Secure scope skipping `flushSecureWrites()` and `setSecureAccessControl()` before writing.
+- Expand ProGuard/R8 keep rules with explicit method-signature patterns so JNI-callable methods survive aggressive R8 shrinking in release builds.
+
 ## 0.4.1 - 2026-03-04
 
 ### Added
 
@@ -47,6 +47,8 @@ Every feature in this package is documented with at least one runnable example i
 - Transactions — see Transactions and Atomic Balance Transfer
 - Migrations (`registerMigration`, `migrateToLatest`) — see Migrations
 - MMKV migration (`migrateFromMMKV`) — see MMKV Migration and Migrating From MMKV
+- Raw string API (`getString`, `setString`, `deleteString`) — see Raw String API
+- Keychain locked detection (`isKeychainLockedError`) — see `isKeychainLockedError(err)`
 - Auth storage factory (`createSecureAuthStorage`) — see Auth Token Management
 
 ## Requirements
@@ -280,6 +282,9 @@ import { storage, StorageScope } from "react-native-nitro-storage";
 | `storage.setSecureWritesAsync(enabled)`  | Toggle async secure writes on Android (`false` by default)                   |
 | `storage.flushSecureWrites()`            | Force flush of queued secure writes when coalescing is enabled               |
 | `storage.setKeychainAccessGroup(group)`  | Set keychain access group for app sharing (native only)                      |
+| `storage.getString(key, scope)`          | Read a raw string value directly (bypasses serialization)                    |
+| `storage.setString(key, value, scope)`   | Write a raw string value directly (bypasses serialization)                   |
+| `storage.deleteString(key, scope)`       | Delete a raw string value by key                                             |
 | `storage.import(data, scope)`            | Bulk-load a `Record<string, string>` of raw key/value pairs into a scope     |
 | `storage.setMetricsObserver(observer?)`  | Subscribe to per-operation timing events                                     |
 | `storage.getMetricsSnapshot()`           | Get aggregate counters/latency stats keyed by operation                      |
@@ -509,6 +514,40 @@ const migrated = migrateFromMMKV(mmkv, myStorageItem, true);
 
 ---
 
+### Raw String API
+
+For cases where you want to bypass `createStorageItem` serialization entirely and work with raw key/value strings:
+
+```ts
+import { storage, StorageScope } from "react-native-nitro-storage";
+
+storage.setString("raw-key", "raw-value", StorageScope.Disk);
+const value = storage.getString("raw-key", StorageScope.Disk); // "raw-value" | undefined
+storage.deleteString("raw-key", StorageScope.Disk);
+```
+
+These are synchronous and go directly to the native backend without any serialize/deserialize step.
+
+---
+
+### `isKeychainLockedError(err)`
+
+Utility to detect iOS Keychain locked errors and Android key invalidation errors in secure storage operations. Returns `true` if the error was caused by a locked keychain (device locked, first unlock not yet performed, etc.) or an Android `KeyPermanentlyInvalidatedException` / `InvalidKeyException`. Always returns `false` on web.
+
+```ts
+import { isKeychainLockedError } from "react-native-nitro-storage";
+
+try {
+  secureItem.get();
+} catch (err) {
+  if (isKeychainLockedError(err)) {
+    // device is locked — retry after unlock
+  }
+}
+```
+
+---
+
 ### Enums
 
 #### `AccessControl`
 
@@ -0,0 +1,27 @@
+appId: com.nitrostorage.example
+name: "Nitro Storage - Smoke Test"
+---
+- launchApp:
+    clearState: true
+
+# Scroll to the Smoke Test runner at the bottom
+- scrollUntilVisible:
+    element:
+      id: "smoke-run-all"
+    direction: DOWN
+    timeout: 20000
+    speed: 80
+
+# Tap "Run All" to execute every smoke test
+- tapOn:
+    id: "smoke-run-all"
+
+# Wait for the test run to complete (button text reverts to "Run All")
+- extendedWaitUntil:
+    visible:
+      text: "Run All"
+      id: "smoke-run-all"
+    timeout: 30000
+
+# Assert no test failed
+- assertNotVisible: "failed"
@@ -9,7 +9,7 @@
     "userInterfaceStyle": "automatic",
     "ios": {
       "supportsTablet": true,
-      "bundleIdentifier": "com.nitrostorage.example"
+      "bundleIdentifier": "com.nitrostorage.example",
     },
     "android": {
       "package": "com.nitrostorage.example"