npm - @xtr-dev/rondevu-server - Versions diffs - 0.1.5 → 0.2.0 - Mend

@xtr-dev/rondevu-server 0.1.5 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.js CHANGED Viewed

@@ -29,10 +29,464 @@ var import_node_server = require("@hono/node-server");
 var import_hono = require("hono");
 var import_cors = require("hono/cors");
+// node_modules/@noble/ed25519/index.js
+var ed25519_CURVE = {
+  p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
+  n: 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,
+  h: 8n,
+  a: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,
+  d: 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,
+  Gx: 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,
+  Gy: 0x6666666666666666666666666666666666666666666666666666666666666658n
+};
+var { p: P, n: N, Gx, Gy, a: _a, d: _d, h } = ed25519_CURVE;
+var L = 32;
+var L2 = 64;
+var captureTrace = (...args) => {
+  if ("captureStackTrace" in Error && typeof Error.captureStackTrace === "function") {
+    Error.captureStackTrace(...args);
+  }
+};
+var err = (message = "") => {
+  const e = new Error(message);
+  captureTrace(e, err);
+  throw e;
+};
+var isBig = (n) => typeof n === "bigint";
+var isStr = (s) => typeof s === "string";
+var isBytes = (a) => a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
+var abytes = (value, length, title = "") => {
+  const bytes = isBytes(value);
+  const len = value?.length;
+  const needsLen = length !== void 0;
+  if (!bytes || needsLen && len !== length) {
+    const prefix = title && `"${title}" `;
+    const ofLen = needsLen ? ` of length ${length}` : "";
+    const got = bytes ? `length=${len}` : `type=${typeof value}`;
+    err(prefix + "expected Uint8Array" + ofLen + ", got " + got);
+  }
+  return value;
+};
+var u8n = (len) => new Uint8Array(len);
+var u8fr = (buf) => Uint8Array.from(buf);
+var padh = (n, pad) => n.toString(16).padStart(pad, "0");
+var bytesToHex = (b) => Array.from(abytes(b)).map((e) => padh(e, 2)).join("");
+var C = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
+var _ch = (ch) => {
+  if (ch >= C._0 && ch <= C._9)
+    return ch - C._0;
+  if (ch >= C.A && ch <= C.F)
+    return ch - (C.A - 10);
+  if (ch >= C.a && ch <= C.f)
+    return ch - (C.a - 10);
+  return;
+};
+var hexToBytes = (hex) => {
+  const e = "hex invalid";
+  if (!isStr(hex))
+    return err(e);
+  const hl = hex.length;
+  const al = hl / 2;
+  if (hl % 2)
+    return err(e);
+  const array = u8n(al);
+  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+    const n1 = _ch(hex.charCodeAt(hi));
+    const n2 = _ch(hex.charCodeAt(hi + 1));
+    if (n1 === void 0 || n2 === void 0)
+      return err(e);
+    array[ai] = n1 * 16 + n2;
+  }
+  return array;
+};
+var cr = () => globalThis?.crypto;
+var subtle = () => cr()?.subtle ?? err("crypto.subtle must be defined, consider polyfill");
+var concatBytes = (...arrs) => {
+  const r = u8n(arrs.reduce((sum, a) => sum + abytes(a).length, 0));
+  let pad = 0;
+  arrs.forEach((a) => {
+    r.set(a, pad);
+    pad += a.length;
+  });
+  return r;
+};
+var big = BigInt;
+var assertRange = (n, min, max, msg = "bad number: out of range") => isBig(n) && min <= n && n < max ? n : err(msg);
+var M = (a, b = P) => {
+  const r = a % b;
+  return r >= 0n ? r : b + r;
+};
+var modN = (a) => M(a, N);
+var invert = (num, md) => {
+  if (num === 0n || md <= 0n)
+    err("no inverse n=" + num + " mod=" + md);
+  let a = M(num, md), b = md, x = 0n, y = 1n, u = 1n, v = 0n;
+  while (a !== 0n) {
+    const q = b / a, r = b % a;
+    const m = x - u * q, n = y - v * q;
+    b = a, a = r, x = u, y = v, u = m, v = n;
+  }
+  return b === 1n ? M(x, md) : err("no inverse");
+};
+var callHash = (name) => {
+  const fn = hashes[name];
+  if (typeof fn !== "function")
+    err("hashes." + name + " not set");
+  return fn;
+};
+var apoint = (p) => p instanceof Point ? p : err("Point expected");
+var B256 = 2n ** 256n;
+var Point = class _Point {
+  static BASE;
+  static ZERO;
+  X;
+  Y;
+  Z;
+  T;
+  constructor(X, Y, Z, T) {
+    const max = B256;
+    this.X = assertRange(X, 0n, max);
+    this.Y = assertRange(Y, 0n, max);
+    this.Z = assertRange(Z, 1n, max);
+    this.T = assertRange(T, 0n, max);
+    Object.freeze(this);
+  }
+  static CURVE() {
+    return ed25519_CURVE;
+  }
+  static fromAffine(p) {
+    return new _Point(p.x, p.y, 1n, M(p.x * p.y));
+  }
+  /** RFC8032 5.1.3: Uint8Array to Point. */
+  static fromBytes(hex, zip215 = false) {
+    const d = _d;
+    const normed = u8fr(abytes(hex, L));
+    const lastByte = hex[31];
+    normed[31] = lastByte & ~128;
+    const y = bytesToNumLE(normed);
+    const max = zip215 ? B256 : P;
+    assertRange(y, 0n, max);
+    const y2 = M(y * y);
+    const u = M(y2 - 1n);
+    const v = M(d * y2 + 1n);
+    let { isValid, value: x } = uvRatio(u, v);
+    if (!isValid)
+      err("bad point: y not sqrt");
+    const isXOdd = (x & 1n) === 1n;
+    const isLastByteOdd = (lastByte & 128) !== 0;
+    if (!zip215 && x === 0n && isLastByteOdd)
+      err("bad point: x==0, isLastByteOdd");
+    if (isLastByteOdd !== isXOdd)
+      x = M(-x);
+    return new _Point(x, y, 1n, M(x * y));
+  }
+  static fromHex(hex, zip215) {
+    return _Point.fromBytes(hexToBytes(hex), zip215);
+  }
+  get x() {
+    return this.toAffine().x;
+  }
+  get y() {
+    return this.toAffine().y;
+  }
+  /** Checks if the point is valid and on-curve. */
+  assertValidity() {
+    const a = _a;
+    const d = _d;
+    const p = this;
+    if (p.is0())
+      return err("bad point: ZERO");
+    const { X, Y, Z, T } = p;
+    const X2 = M(X * X);
+    const Y2 = M(Y * Y);
+    const Z2 = M(Z * Z);
+    const Z4 = M(Z2 * Z2);
+    const aX2 = M(X2 * a);
+    const left = M(Z2 * M(aX2 + Y2));
+    const right = M(Z4 + M(d * M(X2 * Y2)));
+    if (left !== right)
+      return err("bad point: equation left != right (1)");
+    const XY = M(X * Y);
+    const ZT = M(Z * T);
+    if (XY !== ZT)
+      return err("bad point: equation left != right (2)");
+    return this;
+  }
+  /** Equality check: compare points P&Q. */
+  equals(other) {
+    const { X: X1, Y: Y1, Z: Z1 } = this;
+    const { X: X2, Y: Y2, Z: Z2 } = apoint(other);
+    const X1Z2 = M(X1 * Z2);
+    const X2Z1 = M(X2 * Z1);
+    const Y1Z2 = M(Y1 * Z2);
+    const Y2Z1 = M(Y2 * Z1);
+    return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+  }
+  is0() {
+    return this.equals(I);
+  }
+  /** Flip point over y coordinate. */
+  negate() {
+    return new _Point(M(-this.X), this.Y, this.Z, M(-this.T));
+  }
+  /** Point doubling. Complete formula. Cost: `4M + 4S + 1*a + 6add + 1*2`. */
+  double() {
+    const { X: X1, Y: Y1, Z: Z1 } = this;
+    const a = _a;
+    const A = M(X1 * X1);
+    const B = M(Y1 * Y1);
+    const C2 = M(2n * M(Z1 * Z1));
+    const D = M(a * A);
+    const x1y1 = X1 + Y1;
+    const E = M(M(x1y1 * x1y1) - A - B);
+    const G2 = D + B;
+    const F = G2 - C2;
+    const H = D - B;
+    const X3 = M(E * F);
+    const Y3 = M(G2 * H);
+    const T3 = M(E * H);
+    const Z3 = M(F * G2);
+    return new _Point(X3, Y3, Z3, T3);
+  }
+  /** Point addition. Complete formula. Cost: `8M + 1*k + 8add + 1*2`. */
+  add(other) {
+    const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
+    const { X: X2, Y: Y2, Z: Z2, T: T2 } = apoint(other);
+    const a = _a;
+    const d = _d;
+    const A = M(X1 * X2);
+    const B = M(Y1 * Y2);
+    const C2 = M(T1 * d * T2);
+    const D = M(Z1 * Z2);
+    const E = M((X1 + Y1) * (X2 + Y2) - A - B);
+    const F = M(D - C2);
+    const G2 = M(D + C2);
+    const H = M(B - a * A);
+    const X3 = M(E * F);
+    const Y3 = M(G2 * H);
+    const T3 = M(E * H);
+    const Z3 = M(F * G2);
+    return new _Point(X3, Y3, Z3, T3);
+  }
+  subtract(other) {
+    return this.add(apoint(other).negate());
+  }
+  /**
+   * Point-by-scalar multiplication. Scalar must be in range 1 <= n < CURVE.n.
+   * Uses {@link wNAF} for base point.
+   * Uses fake point to mitigate side-channel leakage.
+   * @param n scalar by which point is multiplied
+   * @param safe safe mode guards against timing attacks; unsafe mode is faster
+   */
+  multiply(n, safe = true) {
+    if (!safe && (n === 0n || this.is0()))
+      return I;
+    assertRange(n, 1n, N);
+    if (n === 1n)
+      return this;
+    if (this.equals(G))
+      return wNAF(n).p;
+    let p = I;
+    let f = G;
+    for (let d = this; n > 0n; d = d.double(), n >>= 1n) {
+      if (n & 1n)
+        p = p.add(d);
+      else if (safe)
+        f = f.add(d);
+    }
+    return p;
+  }
+  multiplyUnsafe(scalar) {
+    return this.multiply(scalar, false);
+  }
+  /** Convert point to 2d xy affine point. (X, Y, Z) ∋ (x=X/Z, y=Y/Z) */
+  toAffine() {
+    const { X, Y, Z } = this;
+    if (this.equals(I))
+      return { x: 0n, y: 1n };
+    const iz = invert(Z, P);
+    if (M(Z * iz) !== 1n)
+      err("invalid inverse");
+    const x = M(X * iz);
+    const y = M(Y * iz);
+    return { x, y };
+  }
+  toBytes() {
+    const { x, y } = this.assertValidity().toAffine();
+    const b = numTo32bLE(y);
+    b[31] |= x & 1n ? 128 : 0;
+    return b;
+  }
+  toHex() {
+    return bytesToHex(this.toBytes());
+  }
+  clearCofactor() {
+    return this.multiply(big(h), false);
+  }
+  isSmallOrder() {
+    return this.clearCofactor().is0();
+  }
+  isTorsionFree() {
+    let p = this.multiply(N / 2n, false).double();
+    if (N % 2n)
+      p = p.add(this);
+    return p.is0();
+  }
+};
+var G = new Point(Gx, Gy, 1n, M(Gx * Gy));
+var I = new Point(0n, 1n, 1n, 0n);
+Point.BASE = G;
+Point.ZERO = I;
+var numTo32bLE = (num) => hexToBytes(padh(assertRange(num, 0n, B256), L2)).reverse();
+var bytesToNumLE = (b) => big("0x" + bytesToHex(u8fr(abytes(b)).reverse()));
+var pow2 = (x, power) => {
+  let r = x;
+  while (power-- > 0n) {
+    r *= r;
+    r %= P;
+  }
+  return r;
+};
+var pow_2_252_3 = (x) => {
+  const x2 = x * x % P;
+  const b2 = x2 * x % P;
+  const b4 = pow2(b2, 2n) * b2 % P;
+  const b5 = pow2(b4, 1n) * x % P;
+  const b10 = pow2(b5, 5n) * b5 % P;
+  const b20 = pow2(b10, 10n) * b10 % P;
+  const b40 = pow2(b20, 20n) * b20 % P;
+  const b80 = pow2(b40, 40n) * b40 % P;
+  const b160 = pow2(b80, 80n) * b80 % P;
+  const b240 = pow2(b160, 80n) * b80 % P;
+  const b250 = pow2(b240, 10n) * b10 % P;
+  const pow_p_5_8 = pow2(b250, 2n) * x % P;
+  return { pow_p_5_8, b2 };
+};
+var RM1 = 0x2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0n;
+var uvRatio = (u, v) => {
+  const v3 = M(v * v * v);
+  const v7 = M(v3 * v3 * v);
+  const pow = pow_2_252_3(u * v7).pow_p_5_8;
+  let x = M(u * v3 * pow);
+  const vx2 = M(v * x * x);
+  const root1 = x;
+  const root2 = M(x * RM1);
+  const useRoot1 = vx2 === u;
+  const useRoot2 = vx2 === M(-u);
+  const noRoot = vx2 === M(-u * RM1);
+  if (useRoot1)
+    x = root1;
+  if (useRoot2 || noRoot)
+    x = root2;
+  if ((M(x) & 1n) === 1n)
+    x = M(-x);
+  return { isValid: useRoot1 || useRoot2, value: x };
+};
+var modL_LE = (hash) => modN(bytesToNumLE(hash));
+var sha512s = (...m) => callHash("sha512")(concatBytes(...m));
+var hashFinishS = (res) => res.finish(sha512s(res.hashable));
+var defaultVerifyOpts = { zip215: true };
+var _verify = (sig, msg, pub, opts = defaultVerifyOpts) => {
+  sig = abytes(sig, L2);
+  msg = abytes(msg);
+  pub = abytes(pub, L);
+  const { zip215 } = opts;
+  let A;
+  let R;
+  let s;
+  let SB;
+  let hashable = Uint8Array.of();
+  try {
+    A = Point.fromBytes(pub, zip215);
+    R = Point.fromBytes(sig.slice(0, L), zip215);
+    s = bytesToNumLE(sig.slice(L, L2));
+    SB = G.multiply(s, false);
+    hashable = concatBytes(R.toBytes(), A.toBytes(), msg);
+  } catch (error) {
+  }
+  const finish = (hashed) => {
+    if (SB == null)
+      return false;
+    if (!zip215 && A.isSmallOrder())
+      return false;
+    const k = modL_LE(hashed);
+    const RkA = R.add(A.multiply(k, false));
+    return RkA.add(SB.negate()).clearCofactor().is0();
+  };
+  return { hashable, finish };
+};
+var verify = (signature, message, publicKey, opts = defaultVerifyOpts) => hashFinishS(_verify(signature, message, publicKey, opts));
+var hashes = {
+  sha512Async: async (message) => {
+    const s = subtle();
+    const m = concatBytes(message);
+    return u8n(await s.digest("SHA-512", m.buffer));
+  },
+  sha512: void 0
+};
+var W = 8;
+var scalarBits = 256;
+var pwindows = Math.ceil(scalarBits / W) + 1;
+var pwindowSize = 2 ** (W - 1);
+var precompute = () => {
+  const points = [];
+  let p = G;
+  let b = p;
+  for (let w = 0; w < pwindows; w++) {
+    b = p;
+    points.push(b);
+    for (let i = 1; i < pwindowSize; i++) {
+      b = b.add(p);
+      points.push(b);
+    }
+    p = b.double();
+  }
+  return points;
+};
+var Gpows = void 0;
+var ctneg = (cnd, p) => {
+  const n = p.negate();
+  return cnd ? n : p;
+};
+var wNAF = (n) => {
+  const comp = Gpows || (Gpows = precompute());
+  let p = I;
+  let f = G;
+  const pow_2_w = 2 ** W;
+  const maxNum = pow_2_w;
+  const mask = big(pow_2_w - 1);
+  const shiftBy = big(W);
+  for (let w = 0; w < pwindows; w++) {
+    let wbits = Number(n & mask);
+    n >>= shiftBy;
+    if (wbits > pwindowSize) {
+      wbits -= maxNum;
+      n += 1n;
+    }
+    const off = w * pwindowSize;
+    const offF = off;
+    const offP = off + Math.abs(wbits) - 1;
+    const isEven = w % 2 !== 0;
+    const isNeg = wbits < 0;
+    if (wbits === 0) {
+      f = f.add(ctneg(isEven, comp[offF]));
+    } else {
+      p = p.add(ctneg(isNeg, comp[offP]));
+    }
+  }
+  if (n !== 0n)
+    err("invalid wnaf");
+  return { p, f };
+};
 // src/crypto.ts
 var ALGORITHM = "AES-GCM";
 var IV_LENGTH = 12;
 var KEY_LENGTH = 32;
+var USERNAME_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
+var USERNAME_MIN_LENGTH = 3;
+var USERNAME_MAX_LENGTH = 32;
+var TIMESTAMP_TOLERANCE_MS = 5 * 60 * 1e3;
 function generatePeerId() {
   const bytes = crypto.getRandomValues(new Uint8Array(16));
   return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
@@ -41,7 +495,7 @@ function generateSecretKey() {
   const bytes = crypto.getRandomValues(new Uint8Array(KEY_LENGTH));
   return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
-function hexToBytes(hex) {
+function hexToBytes2(hex) {
   const bytes = new Uint8Array(hex.length / 2);
   for (let i = 0; i < hex.length; i += 2) {
     bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
@@ -60,7 +514,7 @@ function base64ToBytes(base64) {
   return Uint8Array.from(binString, (char) => char.codePointAt(0));
 }
 async function encryptPeerId(peerId, secretKeyHex) {
-  const keyBytes = hexToBytes(secretKeyHex);
+  const keyBytes = hexToBytes2(secretKeyHex);
   if (keyBytes.length !== KEY_LENGTH) {
     throw new Error(`Secret key must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes)`);
   }
@@ -86,7 +540,7 @@ async function encryptPeerId(peerId, secretKeyHex) {
 }
 async function decryptPeerId(encryptedSecret, secretKeyHex) {
   try {
-    const keyBytes = hexToBytes(secretKeyHex);
+    const keyBytes = hexToBytes2(secretKeyHex);
     if (keyBytes.length !== KEY_LENGTH) {
       throw new Error(`Secret key must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes)`);
     }
@@ -107,7 +561,7 @@ async function decryptPeerId(encryptedSecret, secretKeyHex) {
     );
     const decoder = new TextDecoder();
     return decoder.decode(decrypted);
-  } catch (err) {
+  } catch (err2) {
     throw new Error("Failed to decrypt peer ID: invalid secret or secret key");
   }
 }
@@ -119,6 +573,90 @@ async function validateCredentials(peerId, encryptedSecret, secretKey) {
     return false;
   }
 }
+function validateUsername(username) {
+  if (typeof username !== "string") {
+    return { valid: false, error: "Username must be a string" };
+  }
+  if (username.length < USERNAME_MIN_LENGTH) {
+    return { valid: false, error: `Username must be at least ${USERNAME_MIN_LENGTH} characters` };
+  }
+  if (username.length > USERNAME_MAX_LENGTH) {
+    return { valid: false, error: `Username must be at most ${USERNAME_MAX_LENGTH} characters` };
+  }
+  if (!USERNAME_REGEX.test(username)) {
+    return { valid: false, error: "Username must be lowercase alphanumeric with optional dashes, and start/end with alphanumeric" };
+  }
+  return { valid: true };
+}
+function validateServiceFqn(fqn) {
+  if (typeof fqn !== "string") {
+    return { valid: false, error: "Service FQN must be a string" };
+  }
+  const parts = fqn.split("@");
+  if (parts.length !== 2) {
+    return { valid: false, error: "Service FQN must be in format: service-name@version" };
+  }
+  const [serviceName, version] = parts;
+  const serviceNameRegex = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;
+  if (!serviceNameRegex.test(serviceName)) {
+    return { valid: false, error: "Service name must be reverse domain notation (e.g., com.example.service)" };
+  }
+  if (serviceName.length < 3 || serviceName.length > 128) {
+    return { valid: false, error: "Service name must be 3-128 characters" };
+  }
+  const versionRegex = /^[0-9]+\.[0-9]+\.[0-9]+(-[a-z0-9.-]+)?$/;
+  if (!versionRegex.test(version)) {
+    return { valid: false, error: "Version must be semantic versioning (e.g., 1.0.0, 2.1.3-beta)" };
+  }
+  return { valid: true };
+}
+function validateTimestamp(timestamp) {
+  if (typeof timestamp !== "number" || !Number.isFinite(timestamp)) {
+    return { valid: false, error: "Timestamp must be a finite number" };
+  }
+  const now = Date.now();
+  const diff = Math.abs(now - timestamp);
+  if (diff > TIMESTAMP_TOLERANCE_MS) {
+    return { valid: false, error: `Timestamp too old or too far in future (tolerance: ${TIMESTAMP_TOLERANCE_MS / 1e3}s)` };
+  }
+  return { valid: true };
+}
+async function verifyEd25519Signature(publicKey, signature, message) {
+  try {
+    const publicKeyBytes = base64ToBytes(publicKey);
+    const signatureBytes = base64ToBytes(signature);
+    const encoder = new TextEncoder();
+    const messageBytes = encoder.encode(message);
+    const isValid = await verify(signatureBytes, messageBytes, publicKeyBytes);
+    return isValid;
+  } catch (err2) {
+    console.error("Ed25519 signature verification failed:", err2);
+    return false;
+  }
+}
+async function validateUsernameClaim(username, publicKey, signature, message) {
+  const usernameCheck = validateUsername(username);
+  if (!usernameCheck.valid) {
+    return usernameCheck;
+  }
+  const parts = message.split(":");
+  if (parts.length !== 3 || parts[0] !== "claim" || parts[1] !== username) {
+    return { valid: false, error: "Invalid message format (expected: claim:{username}:{timestamp})" };
+  }
+  const timestamp = parseInt(parts[2], 10);
+  if (isNaN(timestamp)) {
+    return { valid: false, error: "Invalid timestamp in message" };
+  }
+  const timestampCheck = validateTimestamp(timestamp);
+  if (!timestampCheck.valid) {
+    return timestampCheck;
+  }
+  const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
+  if (!signatureValid) {
+    return { valid: false, error: "Invalid signature" };
+  }
+  return { valid: true };
+}
 // src/middleware/auth.ts
 function createAuthMiddleware(authSecret) {
@@ -152,57 +690,6 @@ function getAuthenticatedPeerId(c) {
   return peerId;
 }
-// src/bloom.ts
-var BloomFilter = class {
-  /**
-   * Creates a bloom filter from a base64 encoded bit array
-   */
-  constructor(base64Data, numHashes = 3) {
-    const binaryString = atob(base64Data);
-    const bytes = new Uint8Array(binaryString.length);
-    for (let i = 0; i < binaryString.length; i++) {
-      bytes[i] = binaryString.charCodeAt(i);
-    }
-    this.bits = bytes;
-    this.size = this.bits.length * 8;
-    this.numHashes = numHashes;
-  }
-  /**
-   * Test if a peer ID might be in the filter
-   * Returns true if possibly in set, false if definitely not in set
-   */
-  test(peerId) {
-    for (let i = 0; i < this.numHashes; i++) {
-      const hash = this.hash(peerId, i);
-      const index = hash % this.size;
-      const byteIndex = Math.floor(index / 8);
-      const bitIndex = index % 8;
-      if (!(this.bits[byteIndex] & 1 << bitIndex)) {
-        return false;
-      }
-    }
-    return true;
-  }
-  /**
-   * Simple hash function (FNV-1a variant)
-   */
-  hash(str, seed) {
-    let hash = 2166136261 ^ seed;
-    for (let i = 0; i < str.length; i++) {
-      hash ^= str.charCodeAt(i);
-      hash += (hash << 1) + (hash << 4) + (hash << 7) + (hash << 8) + (hash << 24);
-    }
-    return hash >>> 0;
-  }
-};
-function parseBloomFilter(base64) {
-  try {
-    return new BloomFilter(base64);
-  } catch {
-    return null;
-  }
-}
 // src/app.ts
 function createApp(storage, config) {
   const app = new import_hono.Hono();
@@ -227,7 +714,7 @@ function createApp(storage, config) {
     return c.json({
       version: config.version,
       name: "Rondevu",
-      description: "Topic-based peer discovery and signaling server"
+      description: "DNS-like WebRTC signaling with username claiming and service discovery"
     });
   });
   app.get("/health", (c) => {
@@ -245,204 +732,271 @@ function createApp(storage, config) {
         peerId,
         secret
       }, 200);
-    } catch (err) {
-      console.error("Error registering peer:", err);
+    } catch (err2) {
+      console.error("Error registering peer:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
-  app.post("/offers", authMiddleware, async (c) => {
+  app.post("/usernames/claim", async (c) => {
     try {
       const body = await c.req.json();
-      const { offers } = body;
-      if (!Array.isArray(offers) || offers.length === 0) {
-        return c.json({ error: "Missing or invalid required parameter: offers (must be non-empty array)" }, 400);
+      const { username, publicKey, signature, message } = body;
+      if (!username || !publicKey || !signature || !message) {
+        return c.json({ error: "Missing required parameters: username, publicKey, signature, message" }, 400);
       }
-      if (offers.length > config.maxOffersPerRequest) {
-        return c.json({ error: `Too many offers. Maximum ${config.maxOffersPerRequest} per request` }, 400);
+      const validation = await validateUsernameClaim(username, publicKey, signature, message);
+      if (!validation.valid) {
+        return c.json({ error: validation.error }, 400);
       }
-      const peerId = getAuthenticatedPeerId(c);
-      const offerRequests = [];
-      for (const offer of offers) {
-        if (!offer.sdp || typeof offer.sdp !== "string") {
-          return c.json({ error: "Each offer must have an sdp field" }, 400);
-        }
-        if (offer.sdp.length > 65536) {
-          return c.json({ error: "SDP must be 64KB or less" }, 400);
-        }
-        if (offer.secret !== void 0) {
-          if (typeof offer.secret !== "string") {
-            return c.json({ error: "Secret must be a string" }, 400);
-          }
-          if (offer.secret.length > 128) {
-            return c.json({ error: "Secret must be 128 characters or less" }, 400);
-          }
-        }
-        if (offer.info !== void 0) {
-          if (typeof offer.info !== "string") {
-            return c.json({ error: "Info must be a string" }, 400);
-          }
-          if (offer.info.length > 128) {
-            return c.json({ error: "Info must be 128 characters or less" }, 400);
-          }
-        }
-        if (!Array.isArray(offer.topics) || offer.topics.length === 0) {
-          return c.json({ error: "Each offer must have a non-empty topics array" }, 400);
-        }
-        if (offer.topics.length > config.maxTopicsPerOffer) {
-          return c.json({ error: `Too many topics. Maximum ${config.maxTopicsPerOffer} per offer` }, 400);
-        }
-        for (const topic of offer.topics) {
-          if (typeof topic !== "string" || topic.length === 0 || topic.length > 256) {
-            return c.json({ error: "Each topic must be a string between 1 and 256 characters" }, 400);
-          }
-        }
-        let ttl = offer.ttl || config.offerDefaultTtl;
-        if (ttl < config.offerMinTtl) {
-          ttl = config.offerMinTtl;
-        }
-        if (ttl > config.offerMaxTtl) {
-          ttl = config.offerMaxTtl;
-        }
-        offerRequests.push({
-          id: offer.id,
-          peerId,
-          sdp: offer.sdp,
-          topics: offer.topics,
-          expiresAt: Date.now() + ttl,
-          secret: offer.secret,
-          info: offer.info
+      try {
+        const claimed = await storage.claimUsername({
+          username,
+          publicKey,
+          signature,
+          message
         });
+        return c.json({
+          username: claimed.username,
+          claimedAt: claimed.claimedAt,
+          expiresAt: claimed.expiresAt
+        }, 200);
+      } catch (err2) {
+        if (err2.message?.includes("already claimed")) {
+          return c.json({ error: "Username already claimed by different public key" }, 409);
+        }
+        throw err2;
+      }
+    } catch (err2) {
+      console.error("Error claiming username:", err2);
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+  app.get("/usernames/:username", async (c) => {
+    try {
+      const username = c.req.param("username");
+      const claimed = await storage.getUsername(username);
+      if (!claimed) {
+        return c.json({
+          username,
+          available: true
+        }, 200);
       }
-      const createdOffers = await storage.createOffers(offerRequests);
       return c.json({
-        offers: createdOffers.map((o) => ({
-          id: o.id,
-          peerId: o.peerId,
-          topics: o.topics,
-          expiresAt: o.expiresAt
-        }))
+        username: claimed.username,
+        available: false,
+        claimedAt: claimed.claimedAt,
+        expiresAt: claimed.expiresAt,
+        publicKey: claimed.publicKey
       }, 200);
-    } catch (err) {
-      console.error("Error creating offers:", err);
+    } catch (err2) {
+      console.error("Error checking username:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
-  app.get("/offers/by-topic/:topic", async (c) => {
+  app.get("/usernames/:username/services", async (c) => {
     try {
-      const topic = c.req.param("topic");
-      const bloomParam = c.req.query("bloom");
-      const limitParam = c.req.query("limit");
-      const limit = limitParam ? Math.min(parseInt(limitParam, 10), 200) : 50;
-      let excludePeerIds = [];
-      if (bloomParam) {
-        const bloom = parseBloomFilter(bloomParam);
-        if (!bloom) {
-          return c.json({ error: "Invalid bloom filter format" }, 400);
-        }
-        const allOffers = await storage.getOffersByTopic(topic);
-        const excludeSet = /* @__PURE__ */ new Set();
-        for (const offer of allOffers) {
-          if (bloom.test(offer.peerId)) {
-            excludeSet.add(offer.peerId);
-          }
-        }
-        excludePeerIds = Array.from(excludeSet);
-      }
-      let offers = await storage.getOffersByTopic(topic, excludePeerIds.length > 0 ? excludePeerIds : void 0);
-      const total = offers.length;
-      offers = offers.slice(0, limit);
+      const username = c.req.param("username");
+      const services = await storage.listServicesForUsername(username);
       return c.json({
-        topic,
-        offers: offers.map((o) => ({
-          id: o.id,
-          peerId: o.peerId,
-          sdp: o.sdp,
-          topics: o.topics,
-          expiresAt: o.expiresAt,
-          lastSeen: o.lastSeen,
-          hasSecret: !!o.secret,
-          // Indicate if secret is required without exposing it
-          info: o.info
-          // Public info field
-        })),
-        total: bloomParam ? total + excludePeerIds.length : total,
-        returned: offers.length
+        username,
+        services
       }, 200);
-    } catch (err) {
-      console.error("Error fetching offers by topic:", err);
+    } catch (err2) {
+      console.error("Error listing services:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
-  app.get("/topics", async (c) => {
+  app.post("/services", authMiddleware, async (c) => {
     try {
-      const limitParam = c.req.query("limit");
-      const offsetParam = c.req.query("offset");
-      const startsWithParam = c.req.query("startsWith");
-      const limit = limitParam ? Math.min(parseInt(limitParam, 10), 200) : 50;
-      const offset = offsetParam ? parseInt(offsetParam, 10) : 0;
-      const startsWith = startsWithParam || void 0;
-      const result = await storage.getTopics(limit, offset, startsWith);
+      const body = await c.req.json();
+      const { username, serviceFqn, sdp, ttl, isPublic, metadata, signature, message } = body;
+      if (!username || !serviceFqn || !sdp) {
+        return c.json({ error: "Missing required parameters: username, serviceFqn, sdp" }, 400);
+      }
+      const fqnValidation = validateServiceFqn(serviceFqn);
+      if (!fqnValidation.valid) {
+        return c.json({ error: fqnValidation.error }, 400);
+      }
+      if (!signature || !message) {
+        return c.json({ error: "Missing signature or message for username verification" }, 400);
+      }
+      const usernameRecord = await storage.getUsername(username);
+      if (!usernameRecord) {
+        return c.json({ error: "Username not claimed" }, 404);
+      }
+      const signatureValidation = await validateUsernameClaim(username, usernameRecord.publicKey, signature, message);
+      if (!signatureValidation.valid) {
+        return c.json({ error: "Invalid signature for username" }, 403);
+      }
+      if (typeof sdp !== "string" || sdp.length === 0) {
+        return c.json({ error: "Invalid SDP" }, 400);
+      }
+      if (sdp.length > 64 * 1024) {
+        return c.json({ error: "SDP too large (max 64KB)" }, 400);
+      }
+      const peerId = getAuthenticatedPeerId(c);
+      const offerTtl = Math.min(
+        Math.max(ttl || config.offerDefaultTtl, config.offerMinTtl),
+        config.offerMaxTtl
+      );
+      const expiresAt = Date.now() + offerTtl;
+      const offers = await storage.createOffers([{
+        peerId,
+        sdp,
+        expiresAt
+      }]);
+      if (offers.length === 0) {
+        return c.json({ error: "Failed to create offer" }, 500);
+      }
+      const offer = offers[0];
+      const result = await storage.createService({
+        username,
+        serviceFqn,
+        offerId: offer.id,
+        expiresAt,
+        isPublic: isPublic || false,
+        metadata: metadata ? JSON.stringify(metadata) : void 0
+      });
+      return c.json({
+        serviceId: result.service.id,
+        uuid: result.indexUuid,
+        offerId: offer.id,
+        expiresAt: result.service.expiresAt
+      }, 201);
+    } catch (err2) {
+      console.error("Error creating service:", err2);
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+  app.get("/services/:uuid", async (c) => {
+    try {
+      const uuid = c.req.param("uuid");
+      const service = await storage.getServiceByUuid(uuid);
+      if (!service) {
+        return c.json({ error: "Service not found" }, 404);
+      }
+      const offer = await storage.getOfferById(service.offerId);
+      if (!offer) {
+        return c.json({ error: "Associated offer not found" }, 404);
+      }
       return c.json({
-        topics: result.topics,
-        total: result.total,
-        limit,
-        offset,
-        ...startsWith && { startsWith }
+        serviceId: service.id,
+        username: service.username,
+        serviceFqn: service.serviceFqn,
+        offerId: service.offerId,
+        sdp: offer.sdp,
+        isPublic: service.isPublic,
+        metadata: service.metadata ? JSON.parse(service.metadata) : void 0,
+        createdAt: service.createdAt,
+        expiresAt: service.expiresAt
       }, 200);
-    } catch (err) {
-      console.error("Error fetching topics:", err);
+    } catch (err2) {
+      console.error("Error getting service:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
-  app.get("/peers/:peerId/offers", async (c) => {
+  app.delete("/services/:serviceId", authMiddleware, async (c) => {
     try {
-      const peerId = c.req.param("peerId");
-      const offers = await storage.getOffersByPeerId(peerId);
-      const topicsSet = /* @__PURE__ */ new Set();
-      offers.forEach((o) => o.topics.forEach((t) => topicsSet.add(t)));
+      const serviceId = c.req.param("serviceId");
+      const body = await c.req.json();
+      const { username } = body;
+      if (!username) {
+        return c.json({ error: "Missing required parameter: username" }, 400);
+      }
+      const deleted = await storage.deleteService(serviceId, username);
+      if (!deleted) {
+        return c.json({ error: "Service not found or not owned by this username" }, 404);
+      }
+      return c.json({ success: true }, 200);
+    } catch (err2) {
+      console.error("Error deleting service:", err2);
+      return c.json({ error: "Internal server error" }, 500);
+    }
+  });
+  app.post("/index/:username/query", async (c) => {
+    try {
+      const username = c.req.param("username");
+      const body = await c.req.json();
+      const { serviceFqn } = body;
+      if (!serviceFqn) {
+        return c.json({ error: "Missing required parameter: serviceFqn" }, 400);
+      }
+      const uuid = await storage.queryService(username, serviceFqn);
+      if (!uuid) {
+        return c.json({ error: "Service not found" }, 404);
+      }
       return c.json({
-        peerId,
-        offers: offers.map((o) => ({
-          id: o.id,
-          sdp: o.sdp,
-          topics: o.topics,
-          expiresAt: o.expiresAt,
-          lastSeen: o.lastSeen,
-          hasSecret: !!o.secret,
-          // Indicate if secret is required without exposing it
-          info: o.info
-          // Public info field
-        })),
-        topics: Array.from(topicsSet)
+        uuid,
+        allowed: true
       }, 200);
-    } catch (err) {
-      console.error("Error fetching peer offers:", err);
+    } catch (err2) {
+      console.error("Error querying service:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
+  app.post("/offers", authMiddleware, async (c) => {
+    try {
+      const body = await c.req.json();
+      const { offers } = body;
+      if (!Array.isArray(offers) || offers.length === 0) {
+        return c.json({ error: "Missing or invalid required parameter: offers (must be non-empty array)" }, 400);
+      }
+      if (offers.length > config.maxOffersPerRequest) {
+        return c.json({ error: `Too many offers (max ${config.maxOffersPerRequest})` }, 400);
+      }
+      const peerId = getAuthenticatedPeerId(c);
+      const validated = offers.map((offer) => {
+        const { sdp, ttl, secret } = offer;
+        if (typeof sdp !== "string" || sdp.length === 0) {
+          throw new Error("Invalid SDP in offer");
+        }
+        if (sdp.length > 64 * 1024) {
+          throw new Error("SDP too large (max 64KB)");
+        }
+        const offerTtl = Math.min(
+          Math.max(ttl || config.offerDefaultTtl, config.offerMinTtl),
+          config.offerMaxTtl
+        );
+        return {
+          peerId,
+          sdp,
+          expiresAt: Date.now() + offerTtl,
+          secret: secret ? String(secret).substring(0, 128) : void 0
+        };
+      });
+      const created = await storage.createOffers(validated);
+      return c.json({
+        offers: created.map((offer) => ({
+          id: offer.id,
+          peerId: offer.peerId,
+          expiresAt: offer.expiresAt,
+          createdAt: offer.createdAt,
+          hasSecret: !!offer.secret
+        }))
+      }, 201);
+    } catch (err2) {
+      console.error("Error creating offers:", err2);
+      return c.json({ error: err2.message || "Internal server error" }, 500);
+    }
+  });
   app.get("/offers/mine", authMiddleware, async (c) => {
     try {
       const peerId = getAuthenticatedPeerId(c);
       const offers = await storage.getOffersByPeerId(peerId);
       return c.json({
-        peerId,
-        offers: offers.map((o) => ({
-          id: o.id,
-          sdp: o.sdp,
-          topics: o.topics,
-          createdAt: o.createdAt,
-          expiresAt: o.expiresAt,
-          lastSeen: o.lastSeen,
-          secret: o.secret,
-          // Owner can see the secret
-          info: o.info,
-          // Owner can see the info
-          answererPeerId: o.answererPeerId,
-          answeredAt: o.answeredAt
+        offers: offers.map((offer) => ({
+          id: offer.id,
+          sdp: offer.sdp,
+          createdAt: offer.createdAt,
+          expiresAt: offer.expiresAt,
+          lastSeen: offer.lastSeen,
+          hasSecret: !!offer.secret,
+          answererPeerId: offer.answererPeerId,
+          answered: !!offer.answererPeerId
         }))
       }, 200);
-    } catch (err) {
-      console.error("Error fetching own offers:", err);
+    } catch (err2) {
+      console.error("Error getting offers:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
@@ -452,40 +1006,36 @@ function createApp(storage, config) {
       const peerId = getAuthenticatedPeerId(c);
       const deleted = await storage.deleteOffer(offerId, peerId);
       if (!deleted) {
-        return c.json({ error: "Offer not found or not authorized" }, 404);
+        return c.json({ error: "Offer not found or not owned by this peer" }, 404);
       }
-      return c.json({ deleted: true }, 200);
-    } catch (err) {
-      console.error("Error deleting offer:", err);
+      return c.json({ success: true }, 200);
+    } catch (err2) {
+      console.error("Error deleting offer:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
   app.post("/offers/:offerId/answer", authMiddleware, async (c) => {
     try {
       const offerId = c.req.param("offerId");
-      const peerId = getAuthenticatedPeerId(c);
       const body = await c.req.json();
       const { sdp, secret } = body;
-      if (!sdp || typeof sdp !== "string") {
-        return c.json({ error: "Missing or invalid required parameter: sdp" }, 400);
+      if (!sdp) {
+        return c.json({ error: "Missing required parameter: sdp" }, 400);
       }
-      if (sdp.length > 65536) {
-        return c.json({ error: "SDP must be 64KB or less" }, 400);
+      if (typeof sdp !== "string" || sdp.length === 0) {
+        return c.json({ error: "Invalid SDP" }, 400);
       }
-      if (secret !== void 0 && typeof secret !== "string") {
-        return c.json({ error: "Secret must be a string" }, 400);
+      if (sdp.length > 64 * 1024) {
+        return c.json({ error: "SDP too large (max 64KB)" }, 400);
       }
-      const result = await storage.answerOffer(offerId, peerId, sdp, secret);
+      const answererPeerId = getAuthenticatedPeerId(c);
+      const result = await storage.answerOffer(offerId, answererPeerId, sdp, secret);
       if (!result.success) {
         return c.json({ error: result.error }, 400);
       }
-      return c.json({
-        offerId,
-        answererId: peerId,
-        answeredAt: Date.now()
-      }, 200);
-    } catch (err) {
-      console.error("Error answering offer:", err);
+      return c.json({ success: true }, 200);
+    } catch (err2) {
+      console.error("Error answering offer:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
@@ -494,83 +1044,59 @@ function createApp(storage, config) {
       const peerId = getAuthenticatedPeerId(c);
       const offers = await storage.getAnsweredOffers(peerId);
       return c.json({
-        answers: offers.map((o) => ({
-          offerId: o.id,
-          answererId: o.answererPeerId,
-          sdp: o.answerSdp,
-          answeredAt: o.answeredAt,
-          topics: o.topics
+        answers: offers.map((offer) => ({
+          offerId: offer.id,
+          answererPeerId: offer.answererPeerId,
+          answerSdp: offer.answerSdp,
+          answeredAt: offer.answeredAt
         }))
       }, 200);
-    } catch (err) {
-      console.error("Error fetching answers:", err);
+    } catch (err2) {
+      console.error("Error getting answers:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
   app.post("/offers/:offerId/ice-candidates", authMiddleware, async (c) => {
     try {
       const offerId = c.req.param("offerId");
-      const peerId = getAuthenticatedPeerId(c);
       const body = await c.req.json();
       const { candidates } = body;
       if (!Array.isArray(candidates) || candidates.length === 0) {
-        return c.json({ error: "Missing or invalid required parameter: candidates (must be non-empty array)" }, 400);
+        return c.json({ error: "Missing or invalid required parameter: candidates" }, 400);
       }
+      const peerId = getAuthenticatedPeerId(c);
       const offer = await storage.getOfferById(offerId);
       if (!offer) {
-        return c.json({ error: "Offer not found or expired" }, 404);
+        return c.json({ error: "Offer not found" }, 404);
       }
-      let role;
-      if (offer.peerId === peerId) {
-        role = "offerer";
-      } else if (offer.answererPeerId === peerId) {
-        role = "answerer";
-      } else {
-        return c.json({ error: "Not authorized to post ICE candidates for this offer" }, 403);
-      }
-      const added = await storage.addIceCandidates(offerId, peerId, role, candidates);
-      return c.json({
-        offerId,
-        candidatesAdded: added
-      }, 200);
-    } catch (err) {
-      console.error("Error adding ICE candidates:", err);
+      const role = offer.peerId === peerId ? "offerer" : "answerer";
+      const count = await storage.addIceCandidates(offerId, peerId, role, candidates);
+      return c.json({ count }, 200);
+    } catch (err2) {
+      console.error("Error adding ICE candidates:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
   app.get("/offers/:offerId/ice-candidates", authMiddleware, async (c) => {
     try {
       const offerId = c.req.param("offerId");
+      const since = c.req.query("since");
       const peerId = getAuthenticatedPeerId(c);
-      const sinceParam = c.req.query("since");
-      const since = sinceParam ? parseInt(sinceParam, 10) : void 0;
       const offer = await storage.getOfferById(offerId);
       if (!offer) {
-        return c.json({ error: "Offer not found or expired" }, 404);
-      }
-      let targetRole;
-      if (offer.peerId === peerId) {
-        targetRole = "answerer";
-        console.log(`[ICE GET] Offerer ${peerId} requesting answerer ICE candidates for offer ${offerId}, since=${since}, answererPeerId=${offer.answererPeerId}`);
-      } else if (offer.answererPeerId === peerId) {
-        targetRole = "offerer";
-        console.log(`[ICE GET] Answerer ${peerId} requesting offerer ICE candidates for offer ${offerId}, since=${since}, offererPeerId=${offer.peerId}`);
-      } else {
-        return c.json({ error: "Not authorized to view ICE candidates for this offer" }, 403);
-      }
-      const candidates = await storage.getIceCandidates(offerId, targetRole, since);
-      console.log(`[ICE GET] Found ${candidates.length} candidates for offer ${offerId}, targetRole=${targetRole}, since=${since}`);
+        return c.json({ error: "Offer not found" }, 404);
+      }
+      const targetRole = offer.peerId === peerId ? "answerer" : "offerer";
+      const sinceTimestamp = since ? parseInt(since, 10) : void 0;
+      const candidates = await storage.getIceCandidates(offerId, targetRole, sinceTimestamp);
       return c.json({
-        offerId,
         candidates: candidates.map((c2) => ({
           candidate: c2.candidate,
-          peerId: c2.peerId,
-          role: c2.role,
           createdAt: c2.createdAt
         }))
       }, 200);
-    } catch (err) {
-      console.error("Error fetching ICE candidates:", err);
+    } catch (err2) {
+      console.error("Error getting ICE candidates:", err2);
       return c.json({ error: "Internal server error" }, 500);
     }
   });
@@ -604,6 +1130,7 @@ function loadConfig() {
 // src/storage/sqlite.ts
 var import_better_sqlite3 = __toESM(require("better-sqlite3"));
+var import_crypto4 = require("crypto");
 // src/storage/hash-id.ts
 async function generateOfferHash(sdp, topics) {
@@ -622,6 +1149,7 @@ async function generateOfferHash(sdp, topics) {
 }
 // src/storage/sqlite.ts
+var YEAR_IN_MS = 365 * 24 * 60 * 60 * 1e3;
 var SQLiteStorage = class {
   /**
    * Creates a new SQLite storage instance
@@ -632,10 +1160,11 @@ var SQLiteStorage = class {
     this.initializeDatabase();
   }
   /**
-   * Initializes database schema with new topic-based structure
+   * Initializes database schema with username and service-based structure
    */
   initializeDatabase() {
     this.db.exec(`
+      -- Offers table (no topics)
       CREATE TABLE IF NOT EXISTS offers (
         id TEXT PRIMARY KEY,
         peer_id TEXT NOT NULL,
@@ -654,22 +1183,13 @@ var SQLiteStorage = class {
       CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
       CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_peer_id);
-      CREATE TABLE IF NOT EXISTS offer_topics (
-        offer_id TEXT NOT NULL,
-        topic TEXT NOT NULL,
-        PRIMARY KEY (offer_id, topic),
-        FOREIGN KEY (offer_id) REFERENCES offers(id) ON DELETE CASCADE
-      );
-      CREATE INDEX IF NOT EXISTS idx_topics_topic ON offer_topics(topic);
-      CREATE INDEX IF NOT EXISTS idx_topics_offer ON offer_topics(offer_id);
+      -- ICE candidates table
       CREATE TABLE IF NOT EXISTS ice_candidates (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
         offer_id TEXT NOT NULL,
         peer_id TEXT NOT NULL,
         role TEXT NOT NULL CHECK(role IN ('offerer', 'answerer')),
-        candidate TEXT NOT NULL, -- JSON: RTCIceCandidateInit object
+        candidate TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         FOREIGN KEY (offer_id) REFERENCES offers(id) ON DELETE CASCADE
       );
@@ -677,15 +1197,64 @@ var SQLiteStorage = class {
       CREATE INDEX IF NOT EXISTS idx_ice_offer ON ice_candidates(offer_id);
       CREATE INDEX IF NOT EXISTS idx_ice_peer ON ice_candidates(peer_id);
       CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
+      -- Usernames table
+      CREATE TABLE IF NOT EXISTS usernames (
+        username TEXT PRIMARY KEY,
+        public_key TEXT NOT NULL UNIQUE,
+        claimed_at INTEGER NOT NULL,
+        expires_at INTEGER NOT NULL,
+        last_used INTEGER NOT NULL,
+        metadata TEXT,
+        CHECK(length(username) >= 3 AND length(username) <= 32)
+      );
+      CREATE INDEX IF NOT EXISTS idx_usernames_expires ON usernames(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_usernames_public_key ON usernames(public_key);
+      -- Services table
+      CREATE TABLE IF NOT EXISTS services (
+        id TEXT PRIMARY KEY,
+        username TEXT NOT NULL,
+        service_fqn TEXT NOT NULL,
+        offer_id TEXT NOT NULL,
+        created_at INTEGER NOT NULL,
+        expires_at INTEGER NOT NULL,
+        is_public INTEGER NOT NULL DEFAULT 0,
+        metadata TEXT,
+        FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
+        FOREIGN KEY (offer_id) REFERENCES offers(id) ON DELETE CASCADE,
+        UNIQUE(username, service_fqn)
+      );
+      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
+      CREATE INDEX IF NOT EXISTS idx_services_fqn ON services(service_fqn);
+      CREATE INDEX IF NOT EXISTS idx_services_expires ON services(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_services_offer ON services(offer_id);
+      -- Service index table (privacy layer)
+      CREATE TABLE IF NOT EXISTS service_index (
+        uuid TEXT PRIMARY KEY,
+        service_id TEXT NOT NULL,
+        username TEXT NOT NULL,
+        service_fqn TEXT NOT NULL,
+        created_at INTEGER NOT NULL,
+        expires_at INTEGER NOT NULL,
+        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+      );
+      CREATE INDEX IF NOT EXISTS idx_service_index_username ON service_index(username);
+      CREATE INDEX IF NOT EXISTS idx_service_index_expires ON service_index(expires_at);
     `);
     this.db.pragma("foreign_keys = ON");
   }
+  // ===== Offer Management =====
   async createOffers(offers) {
     const created = [];
     const offersWithIds = await Promise.all(
       offers.map(async (offer) => ({
         ...offer,
-        id: offer.id || await generateOfferHash(offer.sdp, offer.topics)
+        id: offer.id || await generateOfferHash(offer.sdp, [])
       }))
     );
     const transaction = this.db.transaction((offersWithIds2) => {
@@ -693,10 +1262,6 @@ var SQLiteStorage = class {
         INSERT INTO offers (id, peer_id, sdp, created_at, expires_at, last_seen, secret)
         VALUES (?, ?, ?, ?, ?, ?, ?)
       `);
-      const topicStmt = this.db.prepare(`
-        INSERT INTO offer_topics (offer_id, topic)
-        VALUES (?, ?)
-      `);
       for (const offer of offersWithIds2) {
         const now = Date.now();
         offerStmt.run(
@@ -708,14 +1273,10 @@ var SQLiteStorage = class {
           now,
           offer.secret || null
         );
-        for (const topic of offer.topics) {
-          topicStmt.run(offer.id, topic);
-        }
         created.push({
           id: offer.id,
           peerId: offer.peerId,
           sdp: offer.sdp,
-          topics: offer.topics,
           createdAt: now,
           expiresAt: offer.expiresAt,
           lastSeen: now,
@@ -726,24 +1287,6 @@ var SQLiteStorage = class {
     transaction(offersWithIds);
     return created;
   }
-  async getOffersByTopic(topic, excludePeerIds) {
-    let query = `
-      SELECT DISTINCT o.*
-      FROM offers o
-      INNER JOIN offer_topics ot ON o.id = ot.offer_id
-      WHERE ot.topic = ? AND o.expires_at > ?
-    `;
-    const params = [topic, Date.now()];
-    if (excludePeerIds && excludePeerIds.length > 0) {
-      const placeholders = excludePeerIds.map(() => "?").join(",");
-      query += ` AND o.peer_id NOT IN (${placeholders})`;
-      params.push(...excludePeerIds);
-    }
-    query += " ORDER BY o.last_seen DESC";
-    const stmt = this.db.prepare(query);
-    const rows = stmt.all(...params);
-    return Promise.all(rows.map((row) => this.rowToOffer(row)));
-  }
   async getOffersByPeerId(peerId) {
     const stmt = this.db.prepare(`
       SELECT * FROM offers
@@ -751,7 +1294,7 @@ var SQLiteStorage = class {
       ORDER BY last_seen DESC
     `);
     const rows = stmt.all(peerId, Date.now());
-    return Promise.all(rows.map((row) => this.rowToOffer(row)));
+    return rows.map((row) => this.rowToOffer(row));
   }
   async getOfferById(offerId) {
     const stmt = this.db.prepare(`
@@ -818,8 +1361,9 @@ var SQLiteStorage = class {
       ORDER BY answered_at DESC
     `);
     const rows = stmt.all(offererPeerId, Date.now());
-    return Promise.all(rows.map((row) => this.rowToOffer(row)));
+    return rows.map((row) => this.rowToOffer(row));
   }
+  // ===== ICE Candidate Management =====
   async addIceCandidates(offerId, peerId, role, candidates) {
     const stmt = this.db.prepare(`
       INSERT INTO ice_candidates (offer_id, peer_id, role, candidate, created_at)
@@ -833,9 +1377,7 @@ var SQLiteStorage = class {
           peerId,
           role,
           JSON.stringify(candidates2[i]),
-          // Store full object as JSON
           baseTimestamp + i
-          // Ensure unique timestamps to avoid "since" filtering issues
         );
       }
     });
@@ -861,61 +1403,198 @@ var SQLiteStorage = class {
       peerId: row.peer_id,
       role: row.role,
       candidate: JSON.parse(row.candidate),
-      // Parse JSON back to object
       createdAt: row.created_at
     }));
   }
-  async getTopics(limit, offset, startsWith) {
+  // ===== Username Management =====
+  async claimUsername(request) {
     const now = Date.now();
-    const whereClause = startsWith ? "o.expires_at > ? AND ot.topic LIKE ?" : "o.expires_at > ?";
-    const startsWithPattern = startsWith ? `${startsWith}%` : null;
-    const countQuery = `
-      SELECT COUNT(DISTINCT ot.topic) as count
-      FROM offer_topics ot
-      INNER JOIN offers o ON ot.offer_id = o.id
-      WHERE ${whereClause}
-    `;
-    const countStmt = this.db.prepare(countQuery);
-    const countParams = startsWith ? [now, startsWithPattern] : [now];
-    const countRow = countStmt.get(...countParams);
-    const total = countRow.count;
-    const topicsQuery = `
-      SELECT
-        ot.topic,
-        COUNT(DISTINCT o.peer_id) as active_peers
-      FROM offer_topics ot
-      INNER JOIN offers o ON ot.offer_id = o.id
-      WHERE ${whereClause}
-      GROUP BY ot.topic
-      ORDER BY active_peers DESC, ot.topic ASC
-      LIMIT ? OFFSET ?
-    `;
-    const topicsStmt = this.db.prepare(topicsQuery);
-    const topicsParams = startsWith ? [now, startsWithPattern, limit, offset] : [now, limit, offset];
-    const rows = topicsStmt.all(...topicsParams);
-    const topics = rows.map((row) => ({
-      topic: row.topic,
-      activePeers: row.active_peers
+    const expiresAt = now + YEAR_IN_MS;
+    const stmt = this.db.prepare(`
+      INSERT INTO usernames (username, public_key, claimed_at, expires_at, last_used, metadata)
+      VALUES (?, ?, ?, ?, ?, NULL)
+      ON CONFLICT(username) DO UPDATE SET
+        expires_at = ?,
+        last_used = ?
+      WHERE public_key = ?
+    `);
+    const result = stmt.run(
+      request.username,
+      request.publicKey,
+      now,
+      expiresAt,
+      now,
+      expiresAt,
+      now,
+      request.publicKey
+    );
+    if (result.changes === 0) {
+      throw new Error("Username already claimed by different public key");
+    }
+    return {
+      username: request.username,
+      publicKey: request.publicKey,
+      claimedAt: now,
+      expiresAt,
+      lastUsed: now
+    };
+  }
+  async getUsername(username) {
+    const stmt = this.db.prepare(`
+      SELECT * FROM usernames
+      WHERE username = ? AND expires_at > ?
+    `);
+    const row = stmt.get(username, Date.now());
+    if (!row) {
+      return null;
+    }
+    return {
+      username: row.username,
+      publicKey: row.public_key,
+      claimedAt: row.claimed_at,
+      expiresAt: row.expires_at,
+      lastUsed: row.last_used,
+      metadata: row.metadata || void 0
+    };
+  }
+  async touchUsername(username) {
+    const now = Date.now();
+    const expiresAt = now + YEAR_IN_MS;
+    const stmt = this.db.prepare(`
+      UPDATE usernames
+      SET last_used = ?, expires_at = ?
+      WHERE username = ? AND expires_at > ?
+    `);
+    const result = stmt.run(now, expiresAt, username, now);
+    return result.changes > 0;
+  }
+  async deleteExpiredUsernames(now) {
+    const stmt = this.db.prepare("DELETE FROM usernames WHERE expires_at < ?");
+    const result = stmt.run(now);
+    return result.changes;
+  }
+  // ===== Service Management =====
+  async createService(request) {
+    const serviceId = (0, import_crypto4.randomUUID)();
+    const indexUuid = (0, import_crypto4.randomUUID)();
+    const now = Date.now();
+    const transaction = this.db.transaction(() => {
+      const serviceStmt = this.db.prepare(`
+        INSERT INTO services (id, username, service_fqn, offer_id, created_at, expires_at, is_public, metadata)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+      `);
+      serviceStmt.run(
+        serviceId,
+        request.username,
+        request.serviceFqn,
+        request.offerId,
+        now,
+        request.expiresAt,
+        request.isPublic ? 1 : 0,
+        request.metadata || null
+      );
+      const indexStmt = this.db.prepare(`
+        INSERT INTO service_index (uuid, service_id, username, service_fqn, created_at, expires_at)
+        VALUES (?, ?, ?, ?, ?, ?)
+      `);
+      indexStmt.run(
+        indexUuid,
+        serviceId,
+        request.username,
+        request.serviceFqn,
+        now,
+        request.expiresAt
+      );
+      this.touchUsername(request.username);
+    });
+    transaction();
+    return {
+      service: {
+        id: serviceId,
+        username: request.username,
+        serviceFqn: request.serviceFqn,
+        offerId: request.offerId,
+        createdAt: now,
+        expiresAt: request.expiresAt,
+        isPublic: request.isPublic || false,
+        metadata: request.metadata
+      },
+      indexUuid
+    };
+  }
+  async getServiceById(serviceId) {
+    const stmt = this.db.prepare(`
+      SELECT * FROM services
+      WHERE id = ? AND expires_at > ?
+    `);
+    const row = stmt.get(serviceId, Date.now());
+    if (!row) {
+      return null;
+    }
+    return this.rowToService(row);
+  }
+  async getServiceByUuid(uuid) {
+    const stmt = this.db.prepare(`
+      SELECT s.* FROM services s
+      INNER JOIN service_index si ON s.id = si.service_id
+      WHERE si.uuid = ? AND s.expires_at > ?
+    `);
+    const row = stmt.get(uuid, Date.now());
+    if (!row) {
+      return null;
+    }
+    return this.rowToService(row);
+  }
+  async listServicesForUsername(username) {
+    const stmt = this.db.prepare(`
+      SELECT si.uuid, s.is_public, s.service_fqn, s.metadata
+      FROM service_index si
+      INNER JOIN services s ON si.service_id = s.id
+      WHERE si.username = ? AND si.expires_at > ?
+      ORDER BY s.created_at DESC
+    `);
+    const rows = stmt.all(username, Date.now());
+    return rows.map((row) => ({
+      uuid: row.uuid,
+      isPublic: row.is_public === 1,
+      serviceFqn: row.is_public === 1 ? row.service_fqn : void 0,
+      metadata: row.is_public === 1 ? row.metadata || void 0 : void 0
     }));
-    return { topics, total };
+  }
+  async queryService(username, serviceFqn) {
+    const stmt = this.db.prepare(`
+      SELECT si.uuid FROM service_index si
+      INNER JOIN services s ON si.service_id = s.id
+      WHERE si.username = ? AND si.service_fqn = ? AND si.expires_at > ?
+    `);
+    const row = stmt.get(username, serviceFqn, Date.now());
+    return row ? row.uuid : null;
+  }
+  async deleteService(serviceId, username) {
+    const stmt = this.db.prepare(`
+      DELETE FROM services
+      WHERE id = ? AND username = ?
+    `);
+    const result = stmt.run(serviceId, username);
+    return result.changes > 0;
+  }
+  async deleteExpiredServices(now) {
+    const stmt = this.db.prepare("DELETE FROM services WHERE expires_at < ?");
+    const result = stmt.run(now);
+    return result.changes;
   }
   async close() {
     this.db.close();
   }
+  // ===== Helper Methods =====
   /**
-   * Helper method to convert database row to Offer object with topics
+   * Helper method to convert database row to Offer object
    */
-  async rowToOffer(row) {
-    const topicStmt = this.db.prepare(`
-      SELECT topic FROM offer_topics WHERE offer_id = ?
-    `);
-    const topicRows = topicStmt.all(row.id);
-    const topics = topicRows.map((t) => t.topic);
+  rowToOffer(row) {
     return {
       id: row.id,
       peerId: row.peer_id,
       sdp: row.sdp,
-      topics,
       createdAt: row.created_at,
       expiresAt: row.expires_at,
       lastSeen: row.last_seen,
@@ -925,6 +1604,21 @@ var SQLiteStorage = class {
       answeredAt: row.answered_at || void 0
     };
   }
+  /**
+   * Helper method to convert database row to Service object
+   */
+  rowToService(row) {
+    return {
+      id: row.id,
+      username: row.username,
+      serviceFqn: row.service_fqn,
+      offerId: row.offer_id,
+      createdAt: row.created_at,
+      expiresAt: row.expires_at,
+      isPublic: row.is_public === 1,
+      metadata: row.metadata || void 0
+    };
+  }
 };
 // src/index.ts
@@ -958,8 +1652,8 @@ async function main() {
       if (deleted > 0) {
         console.log(`Cleanup: Deleted ${deleted} expired offer(s)`);
       }
-    } catch (err) {
-      console.error("Cleanup error:", err);
+    } catch (err2) {
+      console.error("Cleanup error:", err2);
     }
   }, config.cleanupInterval);
   const app = createApp(storage, config);
@@ -978,8 +1672,13 @@ async function main() {
   process.on("SIGINT", shutdown);
   process.on("SIGTERM", shutdown);
 }
-main().catch((err) => {
-  console.error("Fatal error:", err);
+main().catch((err2) => {
+  console.error("Fatal error:", err2);
   process.exit(1);
 });
+/*! Bundled license information:
+@noble/ed25519/index.js:
+  (*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) *)
+*/
 //# sourceMappingURL=index.js.map