Look up a credential by its credentialId. Returns null when not found.
Return all credentials registered for a given userId.
Atomically insert a new credential record.
MUST throw WebAuthnCredentialStorageError({ reason: "duplicate-credential" })
if a record with the same credentialId already exists. The existing
record MUST be preserved unchanged — no partial mutation on failure.
Concurrency contract: N concurrent calls with the same credentialId
MUST result in exactly one success and N-1 throws of
WebAuthnCredentialStorageError({ reason: "duplicate-credential" }).
Per spec §2.3.1 + Codex Round 5 P2 (TOCTOU fix).
Remove a credential by its credentialId. No-op if not found.
Atomic compare-and-set for signCount (spec §2.3.1, Codex fix #4).
Updates signCount and lastUsedAt IFF the stored signCount equals
expectedCurrentSignCount at the moment of the write.
true if the CAS succeeded; false if the stored signCount
did not match expectedCurrentSignCount (concurrent update race).
Callers MUST treat false as a replay/clone attack signal.
Storage contract for WebAuthn credential records (spec §2.3.1).
Implementations MUST be safe to call concurrently. The updateSignCount method is the critical path — it MUST be an atomic compare-and-set (CAS) to prevent replay-window races between concurrent verify calls.
Throws WebAuthnCredentialStorageError with the appropriate
reason discriminator on domain-level failures (see registerCredential).
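The insert-or-throw and compare-and-set rules above, shown as an added TypeScript example (not the project's own code): an in-memory store where each check and its write happen in one synchronous step. The error class is a local stand-in, and the record shape, the `get` accessor, the `newSignCount`/`now` parameters, and returning false for an unknown credentialId are assumptions.

```typescript
// Local stand-in for the error type named in the contract; constructor shape is assumed.
class WebAuthnCredentialStorageError extends Error {
  reason: string;
  constructor(info: { reason: string }) {
    super(info.reason);
    this.reason = info.reason;
  }
}

// Field names follow the contract text; the record shape itself is assumed.
interface CredentialRecord { credentialId: string; userId: string; signCount: number; lastUsedAt: number }

class InMemoryCredentialStore {
  private records = new Map<string, CredentialRecord>();

  // Existence check and insert run with no await between them, so no caller can interleave (TOCTOU).
  registerCredential(rec: CredentialRecord): void {
    if (this.records.has(rec.credentialId)) {
      throw new WebAuthnCredentialStorageError({ reason: "duplicate-credential" });
    }
    this.records.set(rec.credentialId, { ...rec }); // store a copy; the existing record is never touched on failure
  }

  // Hypothetical accessor name; returns a copy, or null when not found.
  get(credentialId: string): CredentialRecord | null {
    const r = this.records.get(credentialId);
    return r ? { ...r } : null;
  }

  // Compare-and-set: write only if the stored counter still equals what the caller read.
  updateSignCount(credentialId: string, expectedCurrentSignCount: number, newSignCount: number, now: number): boolean {
    const r = this.records.get(credentialId);
    if (!r || r.signCount !== expectedCurrentSignCount) return false; // unknown id -> false (assumed)
    r.signCount = newSignCount;
    r.lastUsedAt = now;
    return true;
  }
}

// Constructed scenario: two verifiers both read signCount 5, then both try to advance it.
function raceTwoVerifiers(): { first: boolean; second: boolean; stored: number } {
  const store = new InMemoryCredentialStore();
  store.registerCredential({ credentialId: "cred-A", userId: "user-1", signCount: 5, lastUsedAt: 0 });
  const seenByV1 = store.get("cred-A")!.signCount;
  const seenByV2 = store.get("cred-A")!.signCount;
  const first = store.updateSignCount("cred-A", seenByV1, 6, 1000);
  const second = store.updateSignCount("cred-A", seenByV2, 6, 1001); // stale expectation: must be rejected
  return { first, second, stored: store.get("cred-A")!.signCount };
}
```

A database-backed store gets the same guarantees from a unique constraint on credentialId and a single conditional update on signCount.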