npm - @xtr-dev/rondevu-server - Versions diffs - 0.3.0 → 0.5.0 - Mend

@xtr-dev/rondevu-server 0.3.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/ADVANCED.md +502 -0
package/README.md +139 -251
package/dist/index.js +715 -770
package/dist/index.js.map +4 -4
package/migrations/0006_service_offer_refactor.sql +40 -0
package/migrations/0007_simplify_schema.sql +54 -0
package/migrations/0008_peer_id_to_username.sql +67 -0
package/migrations/fresh_schema.sql +81 -0
package/package.json +2 -1
package/src/app.ts +38 -677
package/src/config.ts +0 -13
package/src/crypto.ts +98 -133
package/src/rpc.ts +725 -0
package/src/storage/d1.ts +169 -182
package/src/storage/sqlite.ts +142 -168
package/src/storage/types.ts +51 -95
package/src/worker.ts +0 -6
package/wrangler.toml +3 -3
package/src/middleware/auth.ts +0 -51

package/dist/index.js CHANGED Viewed

@@ -477,98 +477,32 @@ var wNAF = (n) => {
 hashes.sha512Async = async (message) => {
   return new Uint8Array(await crypto.subtle.digest("SHA-512", message));
 };
-var ALGORITHM = "AES-GCM";
-var IV_LENGTH = 12;
-var KEY_LENGTH = 32;
 var USERNAME_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
 var USERNAME_MIN_LENGTH = 3;
 var USERNAME_MAX_LENGTH = 32;
 var TIMESTAMP_TOLERANCE_MS = 5 * 60 * 1e3;
-function generatePeerId() {
-  const bytes = crypto.getRandomValues(new Uint8Array(16));
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function generateSecretKey() {
-  const bytes = crypto.getRandomValues(new Uint8Array(KEY_LENGTH));
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function hexToBytes2(hex) {
-  const bytes = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < hex.length; i += 2) {
-    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
-  }
-  return bytes;
-}
-function bytesToBase64(bytes) {
-  const binString = Array.from(
-    bytes,
-    (byte) => String.fromCodePoint(byte)
-  ).join("");
-  return btoa(binString);
-}
 function base64ToBytes(base64) {
   const binString = atob(base64);
   return Uint8Array.from(binString, (char) => char.codePointAt(0));
 }
-async function encryptPeerId(peerId, secretKeyHex) {
-  const keyBytes = hexToBytes2(secretKeyHex);
-  if (keyBytes.length !== KEY_LENGTH) {
-    throw new Error(`Secret key must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes)`);
-  }
-  const key = await crypto.subtle.importKey(
-    "raw",
-    keyBytes,
-    { name: ALGORITHM, length: 256 },
-    false,
-    ["encrypt"]
-  );
-  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
-  const encoder = new TextEncoder();
-  const data = encoder.encode(peerId);
-  const encrypted = await crypto.subtle.encrypt(
-    { name: ALGORITHM, iv },
-    key,
-    data
-  );
-  const combined = new Uint8Array(iv.length + encrypted.byteLength);
-  combined.set(iv, 0);
-  combined.set(new Uint8Array(encrypted), iv.length);
-  return bytesToBase64(combined);
-}
-async function decryptPeerId(encryptedSecret, secretKeyHex) {
-  try {
-    const keyBytes = hexToBytes2(secretKeyHex);
-    if (keyBytes.length !== KEY_LENGTH) {
-      throw new Error(`Secret key must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes)`);
-    }
-    const combined = base64ToBytes(encryptedSecret);
-    const iv = combined.slice(0, IV_LENGTH);
-    const ciphertext = combined.slice(IV_LENGTH);
-    const key = await crypto.subtle.importKey(
-      "raw",
-      keyBytes,
-      { name: ALGORITHM, length: 256 },
-      false,
-      ["decrypt"]
-    );
-    const decrypted = await crypto.subtle.decrypt(
-      { name: ALGORITHM, iv },
-      key,
-      ciphertext
-    );
-    const decoder = new TextDecoder();
-    return decoder.decode(decrypted);
-  } catch (err2) {
-    throw new Error("Failed to decrypt peer ID: invalid secret or secret key");
+function validateAuthMessage(expectedUsername, message) {
+  const parts = message.split(":");
+  if (parts.length < 3) {
+    return { valid: false, error: "Invalid message format: must have at least action:username:timestamp" };
   }
-}
-async function validateCredentials(peerId, encryptedSecret, secretKey) {
-  try {
-    const decryptedPeerId = await decryptPeerId(encryptedSecret, secretKey);
-    return decryptedPeerId === peerId;
-  } catch {
-    return false;
+  const messageUsername = parts[1];
+  const timestamp = parseInt(parts[parts.length - 1], 10);
+  if (messageUsername !== expectedUsername) {
+    return { valid: false, error: "Username in message does not match authenticated username" };
   }
+  if (isNaN(timestamp)) {
+    return { valid: false, error: "Invalid timestamp in message" };
+  }
+  const timestampCheck = validateTimestamp(timestamp);
+  if (!timestampCheck.valid) {
+    return timestampCheck;
+  }
+  return { valid: true };
 }
 function validateUsername(username) {
   if (typeof username !== "string") {
@@ -589,24 +523,74 @@ function validateServiceFqn(fqn) {
   if (typeof fqn !== "string") {
     return { valid: false, error: "Service FQN must be a string" };
   }
-  const parts = fqn.split("@");
-  if (parts.length !== 2) {
-    return { valid: false, error: "Service FQN must be in format: service-name@version" };
+  const parsed = parseServiceFqn(fqn);
+  if (!parsed) {
+    return { valid: false, error: "Service FQN must be in format: service:version[@username]" };
   }
-  const [serviceName, version] = parts;
-  const serviceNameRegex = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;
+  const { serviceName, version, username } = parsed;
+  const serviceNameRegex = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/;
   if (!serviceNameRegex.test(serviceName)) {
-    return { valid: false, error: "Service name must be reverse domain notation (e.g., com.example.service)" };
+    return { valid: false, error: "Service name must be lowercase alphanumeric with optional dots/dashes" };
   }
-  if (serviceName.length < 3 || serviceName.length > 128) {
-    return { valid: false, error: "Service name must be 3-128 characters" };
+  if (serviceName.length < 1 || serviceName.length > 128) {
+    return { valid: false, error: "Service name must be 1-128 characters" };
   }
   const versionRegex = /^[0-9]+\.[0-9]+\.[0-9]+(-[a-z0-9.-]+)?$/;
   if (!versionRegex.test(version)) {
     return { valid: false, error: "Version must be semantic versioning (e.g., 1.0.0, 2.1.3-beta)" };
   }
+  if (username) {
+    const usernameCheck = validateUsername(username);
+    if (!usernameCheck.valid) {
+      return usernameCheck;
+    }
+  }
   return { valid: true };
 }
+function parseVersion(version) {
+  const match = version.match(/^([0-9]+)\.([0-9]+)\.([0-9]+)(-[a-z0-9.-]+)?$/);
+  if (!match) return null;
+  return {
+    major: parseInt(match[1], 10),
+    minor: parseInt(match[2], 10),
+    patch: parseInt(match[3], 10),
+    prerelease: match[4]?.substring(1)
+    // Remove leading dash
+  };
+}
+function isVersionCompatible(requested, available) {
+  const req = parseVersion(requested);
+  const avail = parseVersion(available);
+  if (!req || !avail) return false;
+  if (req.major !== avail.major) return false;
+  if (req.major === 0 && req.minor !== avail.minor) return false;
+  if (avail.minor < req.minor) return false;
+  if (avail.minor === req.minor && avail.patch < req.patch) return false;
+  if (req.prerelease && req.prerelease !== avail.prerelease) return false;
+  return true;
+}
+function parseServiceFqn(fqn) {
+  if (!fqn || typeof fqn !== "string") return null;
+  const atIndex = fqn.lastIndexOf("@");
+  let serviceVersion;
+  let username = null;
+  if (atIndex > 0) {
+    serviceVersion = fqn.substring(0, atIndex);
+    username = fqn.substring(atIndex + 1);
+  } else {
+    serviceVersion = fqn;
+  }
+  const colonIndex = serviceVersion.indexOf(":");
+  if (colonIndex <= 0) return null;
+  const serviceName = serviceVersion.substring(0, colonIndex);
+  const version = serviceVersion.substring(colonIndex + 1);
+  if (!serviceName || !version) return null;
+  return {
+    serviceName,
+    version,
+    username
+  };
+}
 function validateTimestamp(timestamp) {
   if (typeof timestamp !== "number" || !Number.isFinite(timestamp)) {
     return { valid: false, error: "Timestamp must be a finite number" };
@@ -631,605 +615,582 @@ async function verifyEd25519Signature(publicKey, signature, message) {
     return false;
   }
 }
-async function validateUsernameClaim(username, publicKey, signature, message) {
-  const usernameCheck = validateUsername(username);
-  if (!usernameCheck.valid) {
-    return usernameCheck;
-  }
-  const parts = message.split(":");
-  if (parts.length !== 3 || parts[0] !== "claim" || parts[1] !== username) {
-    return { valid: false, error: "Invalid message format (expected: claim:{username}:{timestamp})" };
-  }
-  const timestamp = parseInt(parts[2], 10);
-  if (isNaN(timestamp)) {
-    return { valid: false, error: "Invalid timestamp in message" };
-  }
-  const timestampCheck = validateTimestamp(timestamp);
-  if (!timestampCheck.valid) {
-    return timestampCheck;
+// src/rpc.ts
+var MAX_PAGE_SIZE = 100;
+async function verifyAuth(username, message, signature, publicKey, storage) {
+  let usernameRecord = await storage.getUsername(username);
+  if (!usernameRecord) {
+    if (!publicKey) {
+      return {
+        valid: false,
+        error: `Username "${username}" is not claimed and no public key provided for auto-claim.`
+      };
+    }
+    const usernameValidation = validateUsername(username);
+    if (!usernameValidation.valid) {
+      return usernameValidation;
+    }
+    const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
+    if (!signatureValid) {
+      return { valid: false, error: "Invalid signature for auto-claim" };
+    }
+    const expiresAt = Date.now() + 365 * 24 * 60 * 60 * 1e3;
+    await storage.claimUsername({
+      username,
+      publicKey,
+      expiresAt
+    });
+    usernameRecord = await storage.getUsername(username);
+    if (!usernameRecord) {
+      return { valid: false, error: "Failed to claim username" };
+    }
   }
-  const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
-  if (!signatureValid) {
+  const isValid = await verifyEd25519Signature(
+    usernameRecord.publicKey,
+    signature,
+    message
+  );
+  if (!isValid) {
     return { valid: false, error: "Invalid signature" };
   }
-  return { valid: true };
-}
-async function validateServicePublish(username, serviceFqn, publicKey, signature, message) {
-  const usernameCheck = validateUsername(username);
-  if (!usernameCheck.valid) {
-    return usernameCheck;
-  }
-  const parts = message.split(":");
-  if (parts.length !== 4 || parts[0] !== "publish" || parts[1] !== username || parts[2] !== serviceFqn) {
-    return { valid: false, error: "Invalid message format (expected: publish:{username}:{serviceFqn}:{timestamp})" };
-  }
-  const timestamp = parseInt(parts[3], 10);
-  if (isNaN(timestamp)) {
-    return { valid: false, error: "Invalid timestamp in message" };
-  }
-  const timestampCheck = validateTimestamp(timestamp);
-  if (!timestampCheck.valid) {
-    return timestampCheck;
-  }
-  const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
-  if (!signatureValid) {
-    return { valid: false, error: "Invalid signature" };
+  const validation = validateAuthMessage(username, message);
+  if (!validation.valid) {
+    return { valid: false, error: validation.error };
   }
   return { valid: true };
 }
-// src/middleware/auth.ts
-function createAuthMiddleware(authSecret) {
-  return async (c, next) => {
-    const authHeader = c.req.header("Authorization");
-    if (!authHeader) {
-      return c.json({ error: "Missing Authorization header" }, 401);
-    }
-    const parts = authHeader.split(" ");
-    if (parts.length !== 2 || parts[0] !== "Bearer") {
-      return c.json({ error: "Invalid Authorization header format. Expected: Bearer {peerId}:{secret}" }, 401);
-    }
-    const credentials = parts[1].split(":");
-    if (credentials.length !== 2) {
-      return c.json({ error: "Invalid credentials format. Expected: {peerId}:{secret}" }, 401);
-    }
-    const [peerId, encryptedSecret] = credentials;
-    const isValid = await validateCredentials(peerId, encryptedSecret, authSecret);
-    if (!isValid) {
-      return c.json({ error: "Invalid credentials" }, 401);
-    }
-    c.set("peerId", peerId);
-    await next();
-  };
-}
-function getAuthenticatedPeerId(c) {
-  const peerId = c.get("peerId");
-  if (!peerId) {
-    throw new Error("No authenticated peer ID in context");
-  }
-  return peerId;
+function extractUsername(message) {
+  const parts = message.split(":");
+  if (parts.length < 2) return null;
+  return parts[1];
 }
-// src/app.ts
-function createApp(storage, config) {
-  const app = new import_hono.Hono();
-  const authMiddleware = createAuthMiddleware(config.authSecret);
-  app.use("/*", (0, import_cors.cors)({
-    origin: (origin) => {
-      if (config.corsOrigins.length === 1 && config.corsOrigins[0] === "*") {
-        return origin;
-      }
-      if (config.corsOrigins.includes(origin)) {
-        return origin;
-      }
-      return config.corsOrigins[0];
-    },
-    allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-    allowHeaders: ["Content-Type", "Origin", "Authorization"],
-    exposeHeaders: ["Content-Type"],
-    maxAge: 600,
-    credentials: true
-  }));
-  app.get("/", (c) => {
-    return c.json({
-      version: config.version,
-      name: "Rondevu",
-      description: "DNS-like WebRTC signaling with username claiming and service discovery"
-    });
-  });
-  app.get("/health", (c) => {
-    return c.json({
-      status: "ok",
-      timestamp: Date.now(),
-      version: config.version
-    });
-  });
-  app.post("/register", async (c) => {
-    try {
-      const peerId = generatePeerId();
-      const secret = await encryptPeerId(peerId, config.authSecret);
-      return c.json({
-        peerId,
-        secret
-      }, 200);
-    } catch (err2) {
-      console.error("Error registering peer:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+var handlers = {
+  /**
+   * Check if username is available
+   */
+  async getUser(params, message, signature, publicKey, storage, config) {
+    const { username } = params;
+    const claimed = await storage.getUsername(username);
+    if (!claimed) {
+      return {
+        username,
+        available: true
+      };
     }
-  });
-  app.get("/users/:username", async (c) => {
-    try {
-      const username = c.req.param("username");
-      const claimed = await storage.getUsername(username);
-      if (!claimed) {
-        return c.json({
-          username,
-          available: true
-        }, 200);
+    return {
+      username: claimed.username,
+      available: false,
+      claimedAt: claimed.claimedAt,
+      expiresAt: claimed.expiresAt,
+      publicKey: claimed.publicKey
+    };
+  },
+  /**
+   * Get service by FQN - Supports 3 modes:
+   * 1. Direct lookup: FQN includes @username
+   * 2. Paginated discovery: FQN without @username, with limit/offset
+   * 3. Random discovery: FQN without @username, no limit
+   */
+  async getService(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, limit, offset } = params;
+    const username = extractUsername(message);
+    if (username) {
+      const auth = await verifyAuth(username, message, signature, publicKey, storage);
+      if (!auth.valid) {
+        throw new Error(auth.error);
       }
-      return c.json({
-        username: claimed.username,
-        available: false,
-        claimedAt: claimed.claimedAt,
-        expiresAt: claimed.expiresAt,
-        publicKey: claimed.publicKey
-      }, 200);
-    } catch (err2) {
-      console.error("Error checking username:", err2);
-      return c.json({ error: "Internal server error" }, 500);
     }
-  });
-  app.post("/users/:username", async (c) => {
-    try {
-      const username = c.req.param("username");
-      const body = await c.req.json();
-      const { publicKey, signature, message } = body;
-      if (!publicKey || !signature || !message) {
-        return c.json({ error: "Missing required parameters: publicKey, signature, message" }, 400);
-      }
-      const validation = await validateUsernameClaim(username, publicKey, signature, message);
-      if (!validation.valid) {
-        return c.json({ error: validation.error }, 400);
-      }
-      try {
-        const claimed = await storage.claimUsername({
-          username,
-          publicKey,
-          signature,
-          message
-        });
-        return c.json({
-          username: claimed.username,
-          claimedAt: claimed.claimedAt,
-          expiresAt: claimed.expiresAt
-        }, 201);
-      } catch (err2) {
-        if (err2.message?.includes("already claimed")) {
-          return c.json({ error: "Username already claimed by different public key" }, 409);
-        }
-        throw err2;
-      }
-    } catch (err2) {
-      console.error("Error claiming username:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+    const fqnValidation = validateServiceFqn(serviceFqn);
+    if (!fqnValidation.valid) {
+      throw new Error(fqnValidation.error || "Invalid service FQN");
     }
-  });
-  app.get("/users/:username/services", async (c) => {
-    try {
-      const username = c.req.param("username");
-      const services = await storage.listServicesForUsername(username);
-      return c.json({
-        username,
-        services
-      }, 200);
-    } catch (err2) {
-      console.error("Error listing services:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+    const parsed = parseServiceFqn(serviceFqn);
+    if (!parsed) {
+      throw new Error("Failed to parse service FQN");
     }
-  });
-  app.get("/users/:username/services/:fqn", async (c) => {
-    try {
-      const username = c.req.param("username");
-      const serviceFqn = decodeURIComponent(c.req.param("fqn"));
-      const uuid = await storage.queryService(username, serviceFqn);
-      if (!uuid) {
-        return c.json({ error: "Service not found" }, 404);
+    const filterCompatibleServices = (services) => {
+      return services.filter((s) => {
+        const serviceVersion = parseServiceFqn(s.serviceFqn);
+        return serviceVersion && isVersionCompatible(parsed.version, serviceVersion.version);
+      });
+    };
+    const findAvailableOffer = async (service) => {
+      const offers = await storage.getOffersForService(service.id);
+      return offers.find((o) => !o.answererUsername);
+    };
+    const buildServiceResponse = (service, offer) => ({
+      serviceId: service.id,
+      username: service.username,
+      serviceFqn: service.serviceFqn,
+      offerId: offer.id,
+      sdp: offer.sdp,
+      createdAt: service.createdAt,
+      expiresAt: service.expiresAt
+    });
+    if (limit !== void 0) {
+      const pageLimit = Math.min(Math.max(1, limit), MAX_PAGE_SIZE);
+      const pageOffset = Math.max(0, offset || 0);
+      const allServices2 = await storage.getServicesByName(parsed.service, parsed.version);
+      const compatibleServices2 = filterCompatibleServices(allServices2);
+      const usernameSet = /* @__PURE__ */ new Set();
+      const uniqueServices = [];
+      for (const service of compatibleServices2) {
+        if (!usernameSet.has(service.username)) {
+          usernameSet.add(service.username);
+          const availableOffer2 = await findAvailableOffer(service);
+          if (availableOffer2) {
+            uniqueServices.push(buildServiceResponse(service, availableOffer2));
+          }
+        }
       }
-      const service = await storage.getServiceByUuid(uuid);
+      const paginatedServices = uniqueServices.slice(pageOffset, pageOffset + pageLimit);
+      return {
+        services: paginatedServices,
+        count: paginatedServices.length,
+        limit: pageLimit,
+        offset: pageOffset
+      };
+    }
+    if (parsed.username) {
+      const service = await storage.getServiceByFqn(serviceFqn);
       if (!service) {
-        return c.json({ error: "Service not found" }, 404);
+        throw new Error("Service not found");
       }
-      const initialOffer = await storage.getOfferById(service.offerId);
-      if (!initialOffer) {
-        return c.json({ error: "Associated offer not found" }, 404);
+      const availableOffer2 = await findAvailableOffer(service);
+      if (!availableOffer2) {
+        throw new Error("Service has no available offers");
       }
-      const peerOffers = await storage.getOffersByPeerId(initialOffer.peerId);
-      const availableOffer = peerOffers.find((offer) => !offer.answererPeerId);
-      if (!availableOffer) {
-        return c.json({
-          error: "No available offers",
-          message: "All offers from this service are currently in use. Please try again later."
-        }, 503);
-      }
-      return c.json({
-        uuid,
-        serviceId: service.id,
-        username: service.username,
-        serviceFqn: service.serviceFqn,
-        offerId: availableOffer.id,
-        sdp: availableOffer.sdp,
-        isPublic: service.isPublic,
-        metadata: service.metadata ? JSON.parse(service.metadata) : void 0,
-        createdAt: service.createdAt,
-        expiresAt: service.expiresAt
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+      return buildServiceResponse(service, availableOffer2);
     }
-  });
-  app.post("/users/:username/services", authMiddleware, async (c) => {
-    let serviceFqn;
-    let offers = [];
-    try {
-      const username = c.req.param("username");
-      const body = await c.req.json();
-      serviceFqn = body.serviceFqn;
-      const { sdp, ttl, isPublic, metadata, signature, message } = body;
-      if (!serviceFqn || !sdp) {
-        return c.json({ error: "Missing required parameters: serviceFqn, sdp" }, 400);
-      }
-      const fqnValidation = validateServiceFqn(serviceFqn);
-      if (!fqnValidation.valid) {
-        return c.json({ error: fqnValidation.error }, 400);
-      }
-      if (!signature || !message) {
-        return c.json({ error: "Missing signature or message for username verification" }, 400);
-      }
-      const usernameRecord = await storage.getUsername(username);
-      if (!usernameRecord) {
-        return c.json({ error: "Username not claimed" }, 404);
-      }
-      const signatureValidation = await validateServicePublish(username, serviceFqn, usernameRecord.publicKey, signature, message);
-      if (!signatureValidation.valid) {
-        return c.json({ error: "Invalid signature for username" }, 403);
-      }
-      const existingUuid = await storage.queryService(username, serviceFqn);
-      if (existingUuid) {
-        const existingService = await storage.getServiceByUuid(existingUuid);
-        if (existingService) {
-          await storage.deleteService(existingService.id, username);
-        }
-      }
-      if (typeof sdp !== "string" || sdp.length === 0) {
-        return c.json({ error: "Invalid SDP" }, 400);
+    const allServices = await storage.getServicesByName(parsed.service, parsed.version);
+    const compatibleServices = filterCompatibleServices(allServices);
+    if (compatibleServices.length === 0) {
+      throw new Error("No services found");
+    }
+    const randomService = compatibleServices[Math.floor(Math.random() * compatibleServices.length)];
+    const availableOffer = await findAvailableOffer(randomService);
+    if (!availableOffer) {
+      throw new Error("Service has no available offers");
+    }
+    return buildServiceResponse(randomService, availableOffer);
+  },
+  /**
+   * Publish a service
+   */
+  async publishService(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offers, ttl } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required for service publishing");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const fqnValidation = validateServiceFqn(serviceFqn);
+    if (!fqnValidation.valid) {
+      throw new Error(fqnValidation.error || "Invalid service FQN");
+    }
+    const parsed = parseServiceFqn(serviceFqn);
+    if (!parsed || !parsed.username) {
+      throw new Error("Service FQN must include username");
+    }
+    if (parsed.username !== username) {
+      throw new Error("Service FQN username must match authenticated username");
+    }
+    if (!offers || !Array.isArray(offers) || offers.length === 0) {
+      throw new Error("Must provide at least one offer");
+    }
+    if (offers.length > config.maxOffersPerRequest) {
+      throw new Error(
+        `Too many offers (max ${config.maxOffersPerRequest})`
+      );
+    }
+    offers.forEach((offer, index) => {
+      if (!offer || typeof offer !== "object") {
+        throw new Error(`Invalid offer at index ${index}: must be an object`);
       }
-      if (sdp.length > 64 * 1024) {
-        return c.json({ error: "SDP too large (max 64KB)" }, 400);
+      if (!offer.sdp || typeof offer.sdp !== "string") {
+        throw new Error(`Invalid offer at index ${index}: missing or invalid SDP`);
       }
-      const peerId = getAuthenticatedPeerId(c);
-      const offerTtl = Math.min(
-        Math.max(ttl || config.offerDefaultTtl, config.offerMinTtl),
-        config.offerMaxTtl
-      );
-      const expiresAt = Date.now() + offerTtl;
-      offers = await storage.createOffers([{
-        peerId,
-        sdp,
-        expiresAt
-      }]);
-      if (offers.length === 0) {
-        return c.json({ error: "Failed to create offer" }, 500);
+      if (!offer.sdp.trim()) {
+        throw new Error(`Invalid offer at index ${index}: SDP cannot be empty`);
       }
-      const offer = offers[0];
-      const result = await storage.createService({
-        username,
-        serviceFqn,
-        offerId: offer.id,
-        expiresAt,
-        isPublic: isPublic || false,
-        metadata: metadata ? JSON.stringify(metadata) : void 0
-      });
-      return c.json({
-        uuid: result.indexUuid,
-        serviceFqn,
-        username,
-        serviceId: result.service.id,
+    });
+    const now = Date.now();
+    const offerTtl = ttl !== void 0 ? Math.min(
+      Math.max(ttl, config.offerMinTtl),
+      config.offerMaxTtl
+    ) : config.offerDefaultTtl;
+    const expiresAt = now + offerTtl;
+    const offerRequests = offers.map((offer) => ({
+      username,
+      serviceFqn,
+      sdp: offer.sdp,
+      expiresAt
+    }));
+    const result = await storage.createService({
+      serviceFqn,
+      expiresAt,
+      offers: offerRequests
+    });
+    return {
+      serviceId: result.service.id,
+      username: result.service.username,
+      serviceFqn: result.service.serviceFqn,
+      offers: result.offers.map((offer) => ({
         offerId: offer.id,
         sdp: offer.sdp,
-        isPublic: result.service.isPublic,
-        metadata,
-        createdAt: result.service.createdAt,
-        expiresAt: result.service.expiresAt
-      }, 201);
-    } catch (err2) {
-      console.error("Error creating service:", err2);
-      console.error("Error details:", {
-        message: err2.message,
-        stack: err2.stack,
-        username: c.req.param("username"),
-        serviceFqn,
-        offerId: offers[0]?.id
-      });
-      return c.json({
-        error: "Internal server error",
-        details: err2.message
-      }, 500);
+        createdAt: offer.createdAt,
+        expiresAt: offer.expiresAt
+      })),
+      createdAt: result.service.createdAt,
+      expiresAt: result.service.expiresAt
+    };
+  },
+  /**
+   * Delete a service
+   */
+  async deleteService(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
     }
-  });
-  app.delete("/users/:username/services/:fqn", authMiddleware, async (c) => {
-    try {
-      const username = c.req.param("username");
-      const serviceFqn = decodeURIComponent(c.req.param("fqn"));
-      const uuid = await storage.queryService(username, serviceFqn);
-      if (!uuid) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const service = await storage.getServiceByUuid(uuid);
-      if (!service) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const deleted = await storage.deleteService(service.id, username);
-      if (!deleted) {
-        return c.json({ error: "Service not found or not owned by this username" }, 404);
-      }
-      return c.json({ success: true }, 200);
-    } catch (err2) {
-      console.error("Error deleting service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
     }
-  });
-  app.get("/services/:uuid", async (c) => {
-    try {
-      const uuid = c.req.param("uuid");
-      const service = await storage.getServiceByUuid(uuid);
-      if (!service) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const initialOffer = await storage.getOfferById(service.offerId);
-      if (!initialOffer) {
-        return c.json({ error: "Associated offer not found" }, 404);
-      }
-      const peerOffers = await storage.getOffersByPeerId(initialOffer.peerId);
-      const availableOffer = peerOffers.find((offer) => !offer.answererPeerId);
-      if (!availableOffer) {
-        return c.json({
-          error: "No available offers",
-          message: "All offers from this service are currently in use. Please try again later."
-        }, 503);
-      }
-      return c.json({
-        uuid,
-        serviceId: service.id,
-        username: service.username,
-        serviceFqn: service.serviceFqn,
-        offerId: availableOffer.id,
-        sdp: availableOffer.sdp,
-        isPublic: service.isPublic,
-        metadata: service.metadata ? JSON.parse(service.metadata) : void 0,
-        createdAt: service.createdAt,
-        expiresAt: service.expiresAt
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+    const parsed = parseServiceFqn(serviceFqn);
+    if (!parsed || !parsed.username) {
+      throw new Error("Service FQN must include username");
     }
-  });
-  app.post("/offers", authMiddleware, async (c) => {
-    try {
-      const body = await c.req.json();
-      const { offers } = body;
-      if (!Array.isArray(offers) || offers.length === 0) {
-        return c.json({ error: "Missing or invalid required parameter: offers (must be non-empty array)" }, 400);
-      }
-      if (offers.length > config.maxOffersPerRequest) {
-        return c.json({ error: `Too many offers (max ${config.maxOffersPerRequest})` }, 400);
-      }
-      const peerId = getAuthenticatedPeerId(c);
-      const validated = offers.map((offer) => {
-        const { sdp, ttl, secret } = offer;
-        if (typeof sdp !== "string" || sdp.length === 0) {
-          throw new Error("Invalid SDP in offer");
-        }
-        if (sdp.length > 64 * 1024) {
-          throw new Error("SDP too large (max 64KB)");
-        }
-        const offerTtl = Math.min(
-          Math.max(ttl || config.offerDefaultTtl, config.offerMinTtl),
-          config.offerMaxTtl
-        );
-        return {
-          peerId,
-          sdp,
-          expiresAt: Date.now() + offerTtl,
-          secret: secret ? String(secret).substring(0, 128) : void 0
-        };
-      });
-      const created = await storage.createOffers(validated);
-      return c.json({
-        offers: created.map((offer) => ({
-          id: offer.id,
-          peerId: offer.peerId,
-          expiresAt: offer.expiresAt,
-          createdAt: offer.createdAt,
-          hasSecret: !!offer.secret
-        }))
-      }, 201);
-    } catch (err2) {
-      console.error("Error creating offers:", err2);
-      return c.json({ error: err2.message || "Internal server error" }, 500);
+    const service = await storage.getServiceByFqn(serviceFqn);
+    if (!service) {
+      throw new Error("Service not found");
     }
-  });
-  app.get("/offers/mine", authMiddleware, async (c) => {
-    try {
-      const peerId = getAuthenticatedPeerId(c);
-      const offers = await storage.getOffersByPeerId(peerId);
-      return c.json({
-        offers: offers.map((offer) => ({
-          id: offer.id,
-          sdp: offer.sdp,
-          createdAt: offer.createdAt,
-          expiresAt: offer.expiresAt,
-          lastSeen: offer.lastSeen,
-          hasSecret: !!offer.secret,
-          answererPeerId: offer.answererPeerId,
-          answered: !!offer.answererPeerId
-        }))
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting offers:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+    const deleted = await storage.deleteService(service.id, username);
+    if (!deleted) {
+      throw new Error("Service not found or not owned by this username");
     }
-  });
-  app.get("/offers/:offerId", authMiddleware, async (c) => {
-    try {
-      const offerId = c.req.param("offerId");
-      const offer = await storage.getOfferById(offerId);
-      if (!offer) {
-        return c.json({ error: "Offer not found" }, 404);
+    return { success: true };
+  },
+  /**
+   * Answer an offer
+   */
+  async answerOffer(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offerId, sdp } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    if (!sdp || typeof sdp !== "string" || sdp.length === 0) {
+      throw new Error("Invalid SDP");
+    }
+    if (sdp.length > 64 * 1024) {
+      throw new Error("SDP too large (max 64KB)");
+    }
+    const offer = await storage.getOfferById(offerId);
+    if (!offer) {
+      throw new Error("Offer not found");
+    }
+    if (offer.answererUsername) {
+      throw new Error("Offer already answered");
+    }
+    await storage.answerOffer(offerId, username, sdp);
+    return { success: true, offerId };
+  },
+  /**
+   * Get answer for an offer
+   */
+  async getOfferAnswer(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offerId } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const offer = await storage.getOfferById(offerId);
+    if (!offer) {
+      throw new Error("Offer not found");
+    }
+    if (offer.username !== username) {
+      throw new Error("Not authorized to access this offer");
+    }
+    if (!offer.answererUsername || !offer.answerSdp) {
+      throw new Error("Offer not yet answered");
+    }
+    return {
+      sdp: offer.answerSdp,
+      offerId: offer.id,
+      answererId: offer.answererUsername,
+      answeredAt: offer.answeredAt
+    };
+  },
+  /**
+   * Combined polling for answers and ICE candidates
+   */
+  async poll(params, message, signature, publicKey, storage, config) {
+    const { since } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const sinceTimestamp = since || 0;
+    const answeredOffers = await storage.getAnsweredOffers(username);
+    const filteredAnswers = answeredOffers.filter(
+      (offer) => offer.answeredAt && offer.answeredAt > sinceTimestamp
+    );
+    const allOffers = await storage.getOffersByUsername(username);
+    const iceCandidatesByOffer = {};
+    for (const offer of allOffers) {
+      const offererCandidates = await storage.getIceCandidates(
+        offer.id,
+        "offerer",
+        sinceTimestamp
+      );
+      const answererCandidates = await storage.getIceCandidates(
+        offer.id,
+        "answerer",
+        sinceTimestamp
+      );
+      const allCandidates = [
+        ...offererCandidates.map((c) => ({
+          ...c,
+          role: "offerer"
+        })),
+        ...answererCandidates.map((c) => ({
+          ...c,
+          role: "answerer"
+        }))
+      ];
+      if (allCandidates.length > 0) {
+        const isOfferer = offer.username === username;
+        const filtered = allCandidates.filter(
+          (c) => isOfferer ? c.role === "answerer" : c.role === "offerer"
+        );
+        if (filtered.length > 0) {
+          iceCandidatesByOffer[offer.id] = filtered;
+        }
       }
-      return c.json({
-        id: offer.id,
-        peerId: offer.peerId,
-        sdp: offer.sdp,
-        createdAt: offer.createdAt,
-        expiresAt: offer.expiresAt,
-        answererPeerId: offer.answererPeerId,
-        answered: !!offer.answererPeerId,
-        answerSdp: offer.answerSdp
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting offer:", err2);
-      return c.json({ error: "Internal server error" }, 500);
     }
-  });
-  app.delete("/offers/:offerId", authMiddleware, async (c) => {
-    try {
-      const offerId = c.req.param("offerId");
-      const peerId = getAuthenticatedPeerId(c);
-      const deleted = await storage.deleteOffer(offerId, peerId);
-      if (!deleted) {
-        return c.json({ error: "Offer not found or not owned by this peer" }, 404);
+    return {
+      answers: filteredAnswers.map((offer) => ({
+        offerId: offer.id,
+        serviceId: offer.serviceId,
+        answererId: offer.answererUsername,
+        sdp: offer.answerSdp,
+        answeredAt: offer.answeredAt
+      })),
+      iceCandidates: iceCandidatesByOffer
+    };
+  },
+  /**
+   * Add ICE candidates
+   */
+  async addIceCandidates(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offerId, candidates } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    if (!Array.isArray(candidates) || candidates.length === 0) {
+      throw new Error("Missing or invalid required parameter: candidates");
+    }
+    candidates.forEach((candidate, index) => {
+      if (!candidate || typeof candidate !== "object") {
+        throw new Error(`Invalid candidate at index ${index}: must be an object`);
       }
-      return c.json({ success: true }, 200);
-    } catch (err2) {
-      console.error("Error deleting offer:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+    });
+    const offer = await storage.getOfferById(offerId);
+    if (!offer) {
+      throw new Error("Offer not found");
     }
-  });
-  app.post("/offers/:offerId/answer", authMiddleware, async (c) => {
+    const role = offer.username === username ? "offerer" : "answerer";
+    const count = await storage.addIceCandidates(
+      offerId,
+      username,
+      role,
+      candidates
+    );
+    return { count, offerId };
+  },
+  /**
+   * Get ICE candidates
+   */
+  async getIceCandidates(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offerId, since } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const sinceTimestamp = since || 0;
+    const offer = await storage.getOfferById(offerId);
+    if (!offer) {
+      throw new Error("Offer not found");
+    }
+    const isOfferer = offer.username === username;
+    const role = isOfferer ? "answerer" : "offerer";
+    const candidates = await storage.getIceCandidates(
+      offerId,
+      role,
+      sinceTimestamp
+    );
+    return {
+      candidates: candidates.map((c) => ({
+        candidate: c.candidate,
+        createdAt: c.createdAt
+      })),
+      offerId
+    };
+  }
+};
+async function handleRpc(requests, storage, config) {
+  const responses = [];
+  for (const request of requests) {
     try {
-      const offerId = c.req.param("offerId");
-      const body = await c.req.json();
-      const { sdp, secret } = body;
-      if (!sdp) {
-        return c.json({ error: "Missing required parameter: sdp" }, 400);
+      const { method, message, signature, publicKey, params } = request;
+      if (!method || typeof method !== "string") {
+        responses.push({
+          success: false,
+          error: "Missing or invalid method"
+        });
+        continue;
       }
-      if (typeof sdp !== "string" || sdp.length === 0) {
-        return c.json({ error: "Invalid SDP" }, 400);
+      if (!message || typeof message !== "string") {
+        responses.push({
+          success: false,
+          error: "Missing or invalid message"
+        });
+        continue;
       }
-      if (sdp.length > 64 * 1024) {
-        return c.json({ error: "SDP too large (max 64KB)" }, 400);
+      if (!signature || typeof signature !== "string") {
+        responses.push({
+          success: false,
+          error: "Missing or invalid signature"
+        });
+        continue;
       }
-      const answererPeerId = getAuthenticatedPeerId(c);
-      const result = await storage.answerOffer(offerId, answererPeerId, sdp, secret);
-      if (!result.success) {
-        return c.json({ error: result.error }, 400);
+      const handler = handlers[method];
+      if (!handler) {
+        responses.push({
+          success: false,
+          error: `Unknown method: ${method}`
+        });
+        continue;
       }
-      return c.json({ success: true }, 200);
+      const result = await handler(
+        params || {},
+        message,
+        signature,
+        publicKey,
+        storage,
+        config
+      );
+      responses.push({
+        success: true,
+        result
+      });
     } catch (err2) {
-      console.error("Error answering offer:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+      responses.push({
+        success: false,
+        error: err2.message || "Internal server error"
+      });
     }
-  });
-  app.get("/offers/:offerId/answer", authMiddleware, async (c) => {
-    try {
-      const offerId = c.req.param("offerId");
-      const peerId = getAuthenticatedPeerId(c);
-      const offer = await storage.getOfferById(offerId);
-      if (!offer) {
-        return c.json({ error: "Offer not found" }, 404);
-      }
-      if (offer.peerId !== peerId) {
-        return c.json({ error: "Not authorized to view this answer" }, 403);
+  }
+  return responses;
+}
+// src/app.ts
+var MAX_BATCH_SIZE = 100;
+function createApp(storage, config) {
+  const app = new import_hono.Hono();
+  app.use("/*", (0, import_cors.cors)({
+    origin: (origin) => {
+      if (config.corsOrigins.length === 1 && config.corsOrigins[0] === "*") {
+        return origin;
       }
-      if (!offer.answererPeerId || !offer.answerSdp) {
-        return c.json({ error: "Offer not yet answered" }, 404);
+      if (config.corsOrigins.includes(origin)) {
+        return origin;
       }
-      return c.json({
-        offerId: offer.id,
-        answererId: offer.answererPeerId,
-        sdp: offer.answerSdp,
-        answeredAt: offer.answeredAt
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting answer:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
+      return config.corsOrigins[0];
+    },
+    allowMethods: ["GET", "POST", "OPTIONS"],
+    allowHeaders: ["Content-Type", "Origin"],
+    exposeHeaders: ["Content-Type"],
+    credentials: false,
+    maxAge: 86400
+  }));
+  app.get("/", (c) => {
+    return c.json({
+      version: config.version,
+      name: "Rondevu",
+      description: "WebRTC signaling with RPC interface and Ed25519 authentication"
+    }, 200);
   });
-  app.post("/offers/:offerId/ice-candidates", authMiddleware, async (c) => {
+  app.get("/health", (c) => {
+    return c.json({
+      status: "ok",
+      timestamp: Date.now(),
+      version: config.version
+    }, 200);
+  });
+  app.post("/rpc", async (c) => {
     try {
-      const offerId = c.req.param("offerId");
       const body = await c.req.json();
-      const { candidates } = body;
-      if (!Array.isArray(candidates) || candidates.length === 0) {
-        return c.json({ error: "Missing or invalid required parameter: candidates" }, 400);
+      const requests = Array.isArray(body) ? body : [body];
+      if (requests.length === 0) {
+        return c.json({ error: "Empty request array" }, 400);
       }
-      const peerId = getAuthenticatedPeerId(c);
-      const offer = await storage.getOfferById(offerId);
-      if (!offer) {
-        return c.json({ error: "Offer not found" }, 404);
+      if (requests.length > MAX_BATCH_SIZE) {
+        return c.json({ error: `Too many requests in batch (max ${MAX_BATCH_SIZE})` }, 400);
       }
-      const role = offer.peerId === peerId ? "offerer" : "answerer";
-      const count = await storage.addIceCandidates(offerId, peerId, role, candidates);
-      return c.json({ count }, 200);
+      const responses = await handleRpc(requests, storage, config);
+      return c.json(Array.isArray(body) ? responses : responses[0], 200);
     } catch (err2) {
-      console.error("Error adding ICE candidates:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.get("/offers/:offerId/ice-candidates", authMiddleware, async (c) => {
-    try {
-      const offerId = c.req.param("offerId");
-      const since = c.req.query("since");
-      const peerId = getAuthenticatedPeerId(c);
-      const offer = await storage.getOfferById(offerId);
-      if (!offer) {
-        return c.json({ error: "Offer not found" }, 404);
-      }
-      const targetRole = offer.peerId === peerId ? "answerer" : "offerer";
-      const sinceTimestamp = since ? parseInt(since, 10) : void 0;
-      const candidates = await storage.getIceCandidates(offerId, targetRole, sinceTimestamp);
+      console.error("RPC error:", err2);
       return c.json({
-        candidates: candidates.map((c2) => ({
-          candidate: c2.candidate,
-          createdAt: c2.createdAt
-        }))
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting ICE candidates:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+        success: false,
+        error: "Invalid request format"
+      }, 400);
     }
   });
+  app.all("*", (c) => {
+    return c.json({
+      error: "Not found. Use POST /rpc for all API calls."
+    }, 404);
+  });
   return app;
 }
 // src/config.ts
 function loadConfig() {
-  let authSecret = process.env.AUTH_SECRET;
-  if (!authSecret) {
-    authSecret = generateSecretKey();
-    console.warn("WARNING: No AUTH_SECRET provided. Generated temporary secret:", authSecret);
-    console.warn("All peer credentials will be invalidated on server restart.");
-    console.warn("Set AUTH_SECRET environment variable to persist credentials across restarts.");
-  }
   return {
     port: parseInt(process.env.PORT || "3000", 10),
     storageType: process.env.STORAGE_TYPE || "sqlite",
     storagePath: process.env.STORAGE_PATH || ":memory:",
     corsOrigins: process.env.CORS_ORIGINS ? process.env.CORS_ORIGINS.split(",").map((o) => o.trim()) : ["*"],
     version: process.env.VERSION || "unknown",
-    authSecret,
     offerDefaultTtl: parseInt(process.env.OFFER_DEFAULT_TTL || "60000", 10),
     offerMaxTtl: parseInt(process.env.OFFER_MAX_TTL || "86400000", 10),
     offerMinTtl: parseInt(process.env.OFFER_MIN_TTL || "60000", 10),
@@ -1275,30 +1236,29 @@ var SQLiteStorage = class {
       -- WebRTC signaling offers
       CREATE TABLE IF NOT EXISTS offers (
         id TEXT PRIMARY KEY,
-        peer_id TEXT NOT NULL,
+        username TEXT NOT NULL,
         service_id TEXT,
         sdp TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         last_seen INTEGER NOT NULL,
-        secret TEXT,
-        answerer_peer_id TEXT,
+        answerer_username TEXT,
         answer_sdp TEXT,
         answered_at INTEGER,
         FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
       );
-      CREATE INDEX IF NOT EXISTS idx_offers_peer ON offers(peer_id);
+      CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username);
       CREATE INDEX IF NOT EXISTS idx_offers_service ON offers(service_id);
       CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at);
       CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
-      CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_peer_id);
+      CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username);
       -- ICE candidates table
       CREATE TABLE IF NOT EXISTS ice_candidates (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
         offer_id TEXT NOT NULL,
-        peer_id TEXT NOT NULL,
+        username TEXT NOT NULL,
         role TEXT NOT NULL CHECK(role IN ('offerer', 'answerer')),
         candidate TEXT NOT NULL,
         created_at INTEGER NOT NULL,
@@ -1306,7 +1266,7 @@ var SQLiteStorage = class {
       );
       CREATE INDEX IF NOT EXISTS idx_ice_offer ON ice_candidates(offer_id);
-      CREATE INDEX IF NOT EXISTS idx_ice_peer ON ice_candidates(peer_id);
+      CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username);
       CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
       -- Usernames table
@@ -1323,36 +1283,23 @@ var SQLiteStorage = class {
       CREATE INDEX IF NOT EXISTS idx_usernames_expires ON usernames(expires_at);
       CREATE INDEX IF NOT EXISTS idx_usernames_public_key ON usernames(public_key);
-      -- Services table (one service can have multiple offers)
+      -- Services table (new schema with extracted fields for discovery)
       CREATE TABLE IF NOT EXISTS services (
         id TEXT PRIMARY KEY,
-        username TEXT NOT NULL,
         service_fqn TEXT NOT NULL,
+        service_name TEXT NOT NULL,
+        version TEXT NOT NULL,
+        username TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
-        is_public INTEGER NOT NULL DEFAULT 0,
-        metadata TEXT,
         FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-        UNIQUE(username, service_fqn)
+        UNIQUE(service_fqn)
       );
-      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
       CREATE INDEX IF NOT EXISTS idx_services_fqn ON services(service_fqn);
+      CREATE INDEX IF NOT EXISTS idx_services_discovery ON services(service_name, version);
+      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
       CREATE INDEX IF NOT EXISTS idx_services_expires ON services(expires_at);
-      -- Service index table (privacy layer)
-      CREATE TABLE IF NOT EXISTS service_index (
-        uuid TEXT PRIMARY KEY,
-        service_id TEXT NOT NULL,
-        username TEXT NOT NULL,
-        service_fqn TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-      );
-      CREATE INDEX IF NOT EXISTS idx_service_index_username ON service_index(username);
-      CREATE INDEX IF NOT EXISTS idx_service_index_expires ON service_index(expires_at);
     `);
     this.db.pragma("foreign_keys = ON");
   }
@@ -1362,49 +1309,47 @@ var SQLiteStorage = class {
     const offersWithIds = await Promise.all(
       offers.map(async (offer) => ({
         ...offer,
-        serviceId: offer.serviceId || null,
         id: offer.id || await generateOfferHash(offer.sdp)
       }))
     );
     const transaction = this.db.transaction((offersWithIds2) => {
       const offerStmt = this.db.prepare(`
-        INSERT INTO offers (id, peer_id, service_id, sdp, created_at, expires_at, last_seen, secret)
-        VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+        INSERT INTO offers (id, username, service_id, sdp, created_at, expires_at, last_seen)
+        VALUES (?, ?, ?, ?, ?, ?, ?)
       `);
       for (const offer of offersWithIds2) {
         const now = Date.now();
         offerStmt.run(
           offer.id,
-          offer.peerId,
+          offer.username,
           offer.serviceId || null,
           offer.sdp,
           now,
           offer.expiresAt,
-          now,
-          offer.secret || null
+          now
         );
         created.push({
           id: offer.id,
-          peerId: offer.peerId,
-          serviceId: offer.serviceId,
+          username: offer.username,
+          serviceId: offer.serviceId || void 0,
+          serviceFqn: offer.serviceFqn,
           sdp: offer.sdp,
           createdAt: now,
           expiresAt: offer.expiresAt,
-          lastSeen: now,
-          secret: offer.secret
+          lastSeen: now
         });
       }
     });
     transaction(offersWithIds);
     return created;
   }
-  async getOffersByPeerId(peerId) {
+  async getOffersByUsername(username) {
     const stmt = this.db.prepare(`
       SELECT * FROM offers
-      WHERE peer_id = ? AND expires_at > ?
+      WHERE username = ? AND expires_at > ?
       ORDER BY last_seen DESC
     `);
-    const rows = stmt.all(peerId, Date.now());
+    const rows = stmt.all(username, Date.now());
     return rows.map((row) => this.rowToOffer(row));
   }
   async getOfferById(offerId) {
@@ -1418,12 +1363,12 @@ var SQLiteStorage = class {
     }
     return this.rowToOffer(row);
   }
-  async deleteOffer(offerId, ownerPeerId) {
+  async deleteOffer(offerId, ownerUsername) {
     const stmt = this.db.prepare(`
       DELETE FROM offers
-      WHERE id = ? AND peer_id = ?
+      WHERE id = ? AND username = ?
     `);
-    const result = stmt.run(offerId, ownerPeerId);
+    const result = stmt.run(offerId, ownerUsername);
     return result.changes > 0;
   }
   async deleteExpiredOffers(now) {
@@ -1431,7 +1376,7 @@ var SQLiteStorage = class {
     const result = stmt.run(now);
     return result.changes;
   }
-  async answerOffer(offerId, answererPeerId, answerSdp, secret) {
+  async answerOffer(offerId, answererUsername, answerSdp) {
     const offer = await this.getOfferById(offerId);
     if (!offer) {
       return {
@@ -1439,13 +1384,7 @@ var SQLiteStorage = class {
         error: "Offer not found or expired"
       };
     }
-    if (offer.secret && offer.secret !== secret) {
-      return {
-        success: false,
-        error: "Invalid or missing secret"
-      };
-    }
-    if (offer.answererPeerId) {
+    if (offer.answererUsername) {
       return {
         success: false,
         error: "Offer already answered"
@@ -1453,10 +1392,10 @@ var SQLiteStorage = class {
     }
     const stmt = this.db.prepare(`
       UPDATE offers
-      SET answerer_peer_id = ?, answer_sdp = ?, answered_at = ?
-      WHERE id = ? AND answerer_peer_id IS NULL
+      SET answerer_username = ?, answer_sdp = ?, answered_at = ?
+      WHERE id = ? AND answerer_username IS NULL
     `);
-    const result = stmt.run(answererPeerId, answerSdp, Date.now(), offerId);
+    const result = stmt.run(answererUsername, answerSdp, Date.now(), offerId);
     if (result.changes === 0) {
       return {
         success: false,
@@ -1465,19 +1404,19 @@ var SQLiteStorage = class {
     }
     return { success: true };
   }
-  async getAnsweredOffers(offererPeerId) {
+  async getAnsweredOffers(offererUsername) {
     const stmt = this.db.prepare(`
       SELECT * FROM offers
-      WHERE peer_id = ? AND answerer_peer_id IS NOT NULL AND expires_at > ?
+      WHERE username = ? AND answerer_username IS NOT NULL AND expires_at > ?
       ORDER BY answered_at DESC
     `);
-    const rows = stmt.all(offererPeerId, Date.now());
+    const rows = stmt.all(offererUsername, Date.now());
     return rows.map((row) => this.rowToOffer(row));
   }
   // ===== ICE Candidate Management =====
-  async addIceCandidates(offerId, peerId, role, candidates) {
+  async addIceCandidates(offerId, username, role, candidates) {
     const stmt = this.db.prepare(`
-      INSERT INTO ice_candidates (offer_id, peer_id, role, candidate, created_at)
+      INSERT INTO ice_candidates (offer_id, username, role, candidate, created_at)
       VALUES (?, ?, ?, ?, ?)
     `);
     const baseTimestamp = Date.now();
@@ -1485,7 +1424,7 @@ var SQLiteStorage = class {
       for (let i = 0; i < candidates2.length; i++) {
         stmt.run(
           offerId,
-          peerId,
+          username,
           role,
           JSON.stringify(candidates2[i]),
           baseTimestamp + i
@@ -1511,7 +1450,7 @@ var SQLiteStorage = class {
     return rows.map((row) => ({
       id: row.id,
       offerId: row.offer_id,
-      peerId: row.peer_id,
+      username: row.username,
       role: row.role,
       candidate: JSON.parse(row.candidate),
       createdAt: row.created_at
@@ -1587,63 +1526,74 @@ var SQLiteStorage = class {
   // ===== Service Management =====
   async createService(request) {
     const serviceId = (0, import_node_crypto.randomUUID)();
-    const indexUuid = (0, import_node_crypto.randomUUID)();
     const now = Date.now();
-    const offerRequests = request.offers.map((offer) => ({
-      ...offer,
-      serviceId
-    }));
-    const offers = await this.createOffers(offerRequests);
+    const parsed = parseServiceFqn(request.serviceFqn);
+    if (!parsed) {
+      throw new Error(`Invalid service FQN: ${request.serviceFqn}`);
+    }
+    if (!parsed.username) {
+      throw new Error(`Service FQN must include username: ${request.serviceFqn}`);
+    }
+    const { serviceName, version, username } = parsed;
     const transaction = this.db.transaction(() => {
-      const serviceStmt = this.db.prepare(`
-        INSERT INTO services (id, username, service_fqn, created_at, expires_at, is_public, metadata)
+      const existingService = this.db.prepare(`
+        SELECT id FROM services
+        WHERE service_name = ? AND version = ? AND username = ?
+      `).get(serviceName, version, username);
+      if (existingService) {
+        this.db.prepare(`
+          DELETE FROM offers WHERE service_id = ?
+        `).run(existingService.id);
+        this.db.prepare(`
+          DELETE FROM services WHERE id = ?
+        `).run(existingService.id);
+      }
+      this.db.prepare(`
+        INSERT INTO services (id, service_fqn, service_name, version, username, created_at, expires_at)
         VALUES (?, ?, ?, ?, ?, ?, ?)
-      `);
-      serviceStmt.run(
+      `).run(
         serviceId,
-        request.username,
-        request.serviceFqn,
-        now,
-        request.expiresAt,
-        request.isPublic ? 1 : 0,
-        request.metadata || null
-      );
-      const indexStmt = this.db.prepare(`
-        INSERT INTO service_index (uuid, service_id, username, service_fqn, created_at, expires_at)
-        VALUES (?, ?, ?, ?, ?, ?)
-      `);
-      indexStmt.run(
-        indexUuid,
-        serviceId,
-        request.username,
         request.serviceFqn,
+        serviceName,
+        version,
+        username,
         now,
         request.expiresAt
       );
-      this.touchUsername(request.username);
+      const expiresAt = now + YEAR_IN_MS;
+      this.db.prepare(`
+        UPDATE usernames
+        SET last_used = ?, expires_at = ?
+        WHERE username = ? AND expires_at > ?
+      `).run(now, expiresAt, username, now);
     });
     transaction();
+    const offerRequests = request.offers.map((offer) => ({
+      ...offer,
+      serviceId
+    }));
+    const offers = await this.createOffers(offerRequests);
     return {
       service: {
         id: serviceId,
-        username: request.username,
         serviceFqn: request.serviceFqn,
+        serviceName,
+        version,
+        username,
         createdAt: now,
-        expiresAt: request.expiresAt,
-        isPublic: request.isPublic || false,
-        metadata: request.metadata
+        expiresAt: request.expiresAt
       },
-      indexUuid,
       offers
     };
   }
-  async batchCreateServices(requests) {
-    const results = [];
-    for (const request of requests) {
-      const result = await this.createService(request);
-      results.push(result);
-    }
-    return results;
+  async getOffersForService(serviceId) {
+    const stmt = this.db.prepare(`
+      SELECT * FROM offers
+      WHERE service_id = ? AND expires_at > ?
+      ORDER BY created_at ASC
+    `);
+    const rows = stmt.all(serviceId, Date.now());
+    return rows.map((row) => this.rowToOffer(row));
   }
   async getServiceById(serviceId) {
     const stmt = this.db.prepare(`
@@ -1656,42 +1606,49 @@ var SQLiteStorage = class {
     }
     return this.rowToService(row);
   }
-  async getServiceByUuid(uuid) {
+  async getServiceByFqn(serviceFqn) {
     const stmt = this.db.prepare(`
-      SELECT s.* FROM services s
-      INNER JOIN service_index si ON s.id = si.service_id
-      WHERE si.uuid = ? AND s.expires_at > ?
+      SELECT * FROM services
+      WHERE service_fqn = ? AND expires_at > ?
     `);
-    const row = stmt.get(uuid, Date.now());
+    const row = stmt.get(serviceFqn, Date.now());
     if (!row) {
       return null;
     }
     return this.rowToService(row);
   }
-  async listServicesForUsername(username) {
+  async discoverServices(serviceName, version, limit, offset) {
     const stmt = this.db.prepare(`
-      SELECT si.uuid, s.is_public, s.service_fqn, s.metadata
-      FROM service_index si
-      INNER JOIN services s ON si.service_id = s.id
-      WHERE si.username = ? AND si.expires_at > ?
+      SELECT DISTINCT s.* FROM services s
+      INNER JOIN offers o ON o.service_id = s.id
+      WHERE s.service_name = ?
+        AND s.version = ?
+        AND s.expires_at > ?
+        AND o.answerer_username IS NULL
+        AND o.expires_at > ?
       ORDER BY s.created_at DESC
+      LIMIT ? OFFSET ?
     `);
-    const rows = stmt.all(username, Date.now());
-    return rows.map((row) => ({
-      uuid: row.uuid,
-      isPublic: row.is_public === 1,
-      serviceFqn: row.is_public === 1 ? row.service_fqn : void 0,
-      metadata: row.is_public === 1 ? row.metadata || void 0 : void 0
-    }));
+    const rows = stmt.all(serviceName, version, Date.now(), Date.now(), limit, offset);
+    return rows.map((row) => this.rowToService(row));
   }
-  async queryService(username, serviceFqn) {
+  async getRandomService(serviceName, version) {
     const stmt = this.db.prepare(`
-      SELECT si.uuid FROM service_index si
-      INNER JOIN services s ON si.service_id = s.id
-      WHERE si.username = ? AND si.service_fqn = ? AND si.expires_at > ?
+      SELECT s.* FROM services s
+      INNER JOIN offers o ON o.service_id = s.id
+      WHERE s.service_name = ?
+        AND s.version = ?
+        AND s.expires_at > ?
+        AND o.answerer_username IS NULL
+        AND o.expires_at > ?
+      ORDER BY RANDOM()
+      LIMIT 1
     `);
-    const row = stmt.get(username, serviceFqn, Date.now());
-    return row ? row.uuid : null;
+    const row = stmt.get(serviceName, version, Date.now(), Date.now());
+    if (!row) {
+      return null;
+    }
+    return this.rowToService(row);
   }
   async deleteService(serviceId, username) {
     const stmt = this.db.prepare(`
@@ -1716,14 +1673,14 @@ var SQLiteStorage = class {
   rowToOffer(row) {
     return {
       id: row.id,
-      peerId: row.peer_id,
+      username: row.username,
       serviceId: row.service_id || void 0,
+      serviceFqn: row.service_fqn || void 0,
       sdp: row.sdp,
       createdAt: row.created_at,
       expiresAt: row.expires_at,
       lastSeen: row.last_seen,
-      secret: row.secret || void 0,
-      answererPeerId: row.answerer_peer_id || void 0,
+      answererUsername: row.answerer_username || void 0,
       answerSdp: row.answer_sdp || void 0,
       answeredAt: row.answered_at || void 0
     };
@@ -1734,26 +1691,14 @@ var SQLiteStorage = class {
   rowToService(row) {
     return {
       id: row.id,
-      username: row.username,
       serviceFqn: row.service_fqn,
+      serviceName: row.service_name,
+      version: row.version,
+      username: row.username,
       createdAt: row.created_at,
-      expiresAt: row.expires_at,
-      isPublic: row.is_public === 1,
-      metadata: row.metadata || void 0
+      expiresAt: row.expires_at
     };
   }
-  /**
-   * Get all offers for a service
-   */
-  async getOffersForService(serviceId) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM offers
-      WHERE service_id = ? AND expires_at > ?
-      ORDER BY created_at ASC
-    `);
-    const rows = stmt.all(serviceId, Date.now());
-    return rows.map((row) => this.rowToOffer(row));
-  }
 };
 // src/index.ts