npm - @xtr-dev/rondevu-server - Versions diffs - 0.4.0 → 0.5.1 - Mend

@xtr-dev/rondevu-server 0.4.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/ADVANCED.md +502 -0
package/README.md +136 -282
package/dist/index.js +694 -733
package/dist/index.js.map +4 -4
package/migrations/0006_service_offer_refactor.sql +40 -0
package/migrations/0007_simplify_schema.sql +54 -0
package/migrations/0008_peer_id_to_username.sql +67 -0
package/migrations/fresh_schema.sql +81 -0
package/package.json +2 -1
package/src/app.ts +38 -591
package/src/config.ts +0 -13
package/src/crypto.ts +103 -139
package/src/rpc.ts +725 -0
package/src/storage/d1.ts +169 -182
package/src/storage/sqlite.ts +142 -168
package/src/storage/types.ts +51 -95
package/src/worker.ts +0 -6
package/wrangler.toml +3 -3
package/src/middleware/auth.ts +0 -51

package/dist/index.js CHANGED Viewed

@@ -474,101 +474,35 @@ var wNAF = (n) => {
 };
 // src/crypto.ts
+var import_node_buffer = require("node:buffer");
 hashes.sha512Async = async (message) => {
   return new Uint8Array(await crypto.subtle.digest("SHA-512", message));
 };
-var ALGORITHM = "AES-GCM";
-var IV_LENGTH = 12;
-var KEY_LENGTH = 32;
 var USERNAME_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
 var USERNAME_MIN_LENGTH = 3;
 var USERNAME_MAX_LENGTH = 32;
 var TIMESTAMP_TOLERANCE_MS = 5 * 60 * 1e3;
-function generatePeerId() {
-  const bytes = crypto.getRandomValues(new Uint8Array(16));
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function generateSecretKey() {
-  const bytes = crypto.getRandomValues(new Uint8Array(KEY_LENGTH));
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function hexToBytes2(hex) {
-  const bytes = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < hex.length; i += 2) {
-    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
-  }
-  return bytes;
-}
-function bytesToBase64(bytes) {
-  const binString = Array.from(
-    bytes,
-    (byte) => String.fromCodePoint(byte)
-  ).join("");
-  return btoa(binString);
-}
 function base64ToBytes(base64) {
-  const binString = atob(base64);
-  return Uint8Array.from(binString, (char) => char.codePointAt(0));
+  return new Uint8Array(import_node_buffer.Buffer.from(base64, "base64"));
 }
-async function encryptPeerId(peerId, secretKeyHex) {
-  const keyBytes = hexToBytes2(secretKeyHex);
-  if (keyBytes.length !== KEY_LENGTH) {
-    throw new Error(`Secret key must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes)`);
-  }
-  const key = await crypto.subtle.importKey(
-    "raw",
-    keyBytes,
-    { name: ALGORITHM, length: 256 },
-    false,
-    ["encrypt"]
-  );
-  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
-  const encoder = new TextEncoder();
-  const data = encoder.encode(peerId);
-  const encrypted = await crypto.subtle.encrypt(
-    { name: ALGORITHM, iv },
-    key,
-    data
-  );
-  const combined = new Uint8Array(iv.length + encrypted.byteLength);
-  combined.set(iv, 0);
-  combined.set(new Uint8Array(encrypted), iv.length);
-  return bytesToBase64(combined);
-}
-async function decryptPeerId(encryptedSecret, secretKeyHex) {
-  try {
-    const keyBytes = hexToBytes2(secretKeyHex);
-    if (keyBytes.length !== KEY_LENGTH) {
-      throw new Error(`Secret key must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes)`);
-    }
-    const combined = base64ToBytes(encryptedSecret);
-    const iv = combined.slice(0, IV_LENGTH);
-    const ciphertext = combined.slice(IV_LENGTH);
-    const key = await crypto.subtle.importKey(
-      "raw",
-      keyBytes,
-      { name: ALGORITHM, length: 256 },
-      false,
-      ["decrypt"]
-    );
-    const decrypted = await crypto.subtle.decrypt(
-      { name: ALGORITHM, iv },
-      key,
-      ciphertext
-    );
-    const decoder = new TextDecoder();
-    return decoder.decode(decrypted);
-  } catch (err2) {
-    throw new Error("Failed to decrypt peer ID: invalid secret or secret key");
+function validateAuthMessage(expectedUsername, message) {
+  const parts = message.split(":");
+  if (parts.length < 3) {
+    return { valid: false, error: "Invalid message format: must have at least action:username:timestamp" };
   }
-}
-async function validateCredentials(peerId, encryptedSecret, secretKey) {
-  try {
-    const decryptedPeerId = await decryptPeerId(encryptedSecret, secretKey);
-    return decryptedPeerId === peerId;
-  } catch {
-    return false;
+  const messageUsername = parts[1];
+  const timestamp = parseInt(parts[parts.length - 1], 10);
+  if (messageUsername !== expectedUsername) {
+    return { valid: false, error: "Username in message does not match authenticated username" };
+  }
+  if (isNaN(timestamp)) {
+    return { valid: false, error: "Invalid timestamp in message" };
   }
+  const timestampCheck = validateTimestamp(timestamp);
+  if (!timestampCheck.valid) {
+    return timestampCheck;
+  }
+  return { valid: true };
 }
 function validateUsername(username) {
   if (typeof username !== "string") {
@@ -589,22 +523,28 @@ function validateServiceFqn(fqn) {
   if (typeof fqn !== "string") {
     return { valid: false, error: "Service FQN must be a string" };
   }
-  const parts = fqn.split("@");
-  if (parts.length !== 2) {
-    return { valid: false, error: "Service FQN must be in format: service-name@version" };
+  const parsed = parseServiceFqn(fqn);
+  if (!parsed) {
+    return { valid: false, error: "Service FQN must be in format: service:version[@username]" };
   }
-  const [serviceName, version] = parts;
-  const serviceNameRegex = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;
+  const { serviceName, version, username } = parsed;
+  const serviceNameRegex = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/;
   if (!serviceNameRegex.test(serviceName)) {
-    return { valid: false, error: "Service name must be reverse domain notation (e.g., com.example.service)" };
+    return { valid: false, error: "Service name must be lowercase alphanumeric with optional dots/dashes" };
   }
-  if (serviceName.length < 3 || serviceName.length > 128) {
-    return { valid: false, error: "Service name must be 3-128 characters" };
+  if (serviceName.length < 1 || serviceName.length > 128) {
+    return { valid: false, error: "Service name must be 1-128 characters" };
   }
   const versionRegex = /^[0-9]+\.[0-9]+\.[0-9]+(-[a-z0-9.-]+)?$/;
   if (!versionRegex.test(version)) {
     return { valid: false, error: "Version must be semantic versioning (e.g., 1.0.0, 2.1.3-beta)" };
   }
+  if (username) {
+    const usernameCheck = validateUsername(username);
+    if (!usernameCheck.valid) {
+      return usernameCheck;
+    }
+  }
   return { valid: true };
 }
 function parseVersion(version) {
@@ -630,11 +570,25 @@ function isVersionCompatible(requested, available) {
   return true;
 }
 function parseServiceFqn(fqn) {
-  const parts = fqn.split("@");
-  if (parts.length !== 2) return null;
+  if (!fqn || typeof fqn !== "string") return null;
+  const atIndex = fqn.lastIndexOf("@");
+  let serviceVersion;
+  let username = null;
+  if (atIndex > 0) {
+    serviceVersion = fqn.substring(0, atIndex);
+    username = fqn.substring(atIndex + 1);
+  } else {
+    serviceVersion = fqn;
+  }
+  const colonIndex = serviceVersion.indexOf(":");
+  if (colonIndex <= 0) return null;
+  const serviceName = serviceVersion.substring(0, colonIndex);
+  const version = serviceVersion.substring(colonIndex + 1);
+  if (!serviceName || !version) return null;
   return {
-    serviceName: parts[0],
-    version: parts[1]
+    serviceName,
+    version,
+    username
   };
 }
 function validateTimestamp(timestamp) {
@@ -661,89 +615,516 @@ async function verifyEd25519Signature(publicKey, signature, message) {
     return false;
   }
 }
-async function validateUsernameClaim(username, publicKey, signature, message) {
-  const usernameCheck = validateUsername(username);
-  if (!usernameCheck.valid) {
-    return usernameCheck;
-  }
-  const parts = message.split(":");
-  if (parts.length !== 3 || parts[0] !== "claim" || parts[1] !== username) {
-    return { valid: false, error: "Invalid message format (expected: claim:{username}:{timestamp})" };
-  }
-  const timestamp = parseInt(parts[2], 10);
-  if (isNaN(timestamp)) {
-    return { valid: false, error: "Invalid timestamp in message" };
-  }
-  const timestampCheck = validateTimestamp(timestamp);
-  if (!timestampCheck.valid) {
-    return timestampCheck;
+// src/rpc.ts
+var MAX_PAGE_SIZE = 100;
+async function verifyAuth(username, message, signature, publicKey, storage) {
+  let usernameRecord = await storage.getUsername(username);
+  if (!usernameRecord) {
+    if (!publicKey) {
+      return {
+        valid: false,
+        error: `Username "${username}" is not claimed and no public key provided for auto-claim.`
+      };
+    }
+    const usernameValidation = validateUsername(username);
+    if (!usernameValidation.valid) {
+      return usernameValidation;
+    }
+    const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
+    if (!signatureValid) {
+      return { valid: false, error: "Invalid signature for auto-claim" };
+    }
+    const expiresAt = Date.now() + 365 * 24 * 60 * 60 * 1e3;
+    await storage.claimUsername({
+      username,
+      publicKey,
+      expiresAt
+    });
+    usernameRecord = await storage.getUsername(username);
+    if (!usernameRecord) {
+      return { valid: false, error: "Failed to claim username" };
+    }
   }
-  const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
-  if (!signatureValid) {
+  const isValid = await verifyEd25519Signature(
+    usernameRecord.publicKey,
+    signature,
+    message
+  );
+  if (!isValid) {
     return { valid: false, error: "Invalid signature" };
   }
-  return { valid: true };
-}
-async function validateServicePublish(username, serviceFqn, publicKey, signature, message) {
-  const usernameCheck = validateUsername(username);
-  if (!usernameCheck.valid) {
-    return usernameCheck;
-  }
-  const parts = message.split(":");
-  if (parts.length !== 4 || parts[0] !== "publish" || parts[1] !== username || parts[2] !== serviceFqn) {
-    return { valid: false, error: "Invalid message format (expected: publish:{username}:{serviceFqn}:{timestamp})" };
-  }
-  const timestamp = parseInt(parts[3], 10);
-  if (isNaN(timestamp)) {
-    return { valid: false, error: "Invalid timestamp in message" };
-  }
-  const timestampCheck = validateTimestamp(timestamp);
-  if (!timestampCheck.valid) {
-    return timestampCheck;
-  }
-  const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
-  if (!signatureValid) {
-    return { valid: false, error: "Invalid signature" };
+  const validation = validateAuthMessage(username, message);
+  if (!validation.valid) {
+    return { valid: false, error: validation.error };
   }
   return { valid: true };
 }
-// src/middleware/auth.ts
-function createAuthMiddleware(authSecret) {
-  return async (c, next) => {
-    const authHeader = c.req.header("Authorization");
-    if (!authHeader) {
-      return c.json({ error: "Missing Authorization header" }, 401);
-    }
-    const parts = authHeader.split(" ");
-    if (parts.length !== 2 || parts[0] !== "Bearer") {
-      return c.json({ error: "Invalid Authorization header format. Expected: Bearer {peerId}:{secret}" }, 401);
-    }
-    const credentials = parts[1].split(":");
-    if (credentials.length !== 2) {
-      return c.json({ error: "Invalid credentials format. Expected: {peerId}:{secret}" }, 401);
-    }
-    const [peerId, encryptedSecret] = credentials;
-    const isValid = await validateCredentials(peerId, encryptedSecret, authSecret);
-    if (!isValid) {
-      return c.json({ error: "Invalid credentials" }, 401);
-    }
-    c.set("peerId", peerId);
-    await next();
-  };
+function extractUsername(message) {
+  const parts = message.split(":");
+  if (parts.length < 2) return null;
+  return parts[1];
 }
-function getAuthenticatedPeerId(c) {
-  const peerId = c.get("peerId");
-  if (!peerId) {
-    throw new Error("No authenticated peer ID in context");
+var handlers = {
+  /**
+   * Check if username is available
+   */
+  async getUser(params, message, signature, publicKey, storage, config) {
+    const { username } = params;
+    const claimed = await storage.getUsername(username);
+    if (!claimed) {
+      return {
+        username,
+        available: true
+      };
+    }
+    return {
+      username: claimed.username,
+      available: false,
+      claimedAt: claimed.claimedAt,
+      expiresAt: claimed.expiresAt,
+      publicKey: claimed.publicKey
+    };
+  },
+  /**
+   * Get service by FQN - Supports 3 modes:
+   * 1. Direct lookup: FQN includes @username
+   * 2. Paginated discovery: FQN without @username, with limit/offset
+   * 3. Random discovery: FQN without @username, no limit
+   */
+  async getService(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, limit, offset } = params;
+    const username = extractUsername(message);
+    if (username) {
+      const auth = await verifyAuth(username, message, signature, publicKey, storage);
+      if (!auth.valid) {
+        throw new Error(auth.error);
+      }
+    }
+    const fqnValidation = validateServiceFqn(serviceFqn);
+    if (!fqnValidation.valid) {
+      throw new Error(fqnValidation.error || "Invalid service FQN");
+    }
+    const parsed = parseServiceFqn(serviceFqn);
+    if (!parsed) {
+      throw new Error("Failed to parse service FQN");
+    }
+    const filterCompatibleServices = (services) => {
+      return services.filter((s) => {
+        const serviceVersion = parseServiceFqn(s.serviceFqn);
+        return serviceVersion && isVersionCompatible(parsed.version, serviceVersion.version);
+      });
+    };
+    const findAvailableOffer = async (service) => {
+      const offers = await storage.getOffersForService(service.id);
+      return offers.find((o) => !o.answererUsername);
+    };
+    const buildServiceResponse = (service, offer) => ({
+      serviceId: service.id,
+      username: service.username,
+      serviceFqn: service.serviceFqn,
+      offerId: offer.id,
+      sdp: offer.sdp,
+      createdAt: service.createdAt,
+      expiresAt: service.expiresAt
+    });
+    if (limit !== void 0) {
+      const pageLimit = Math.min(Math.max(1, limit), MAX_PAGE_SIZE);
+      const pageOffset = Math.max(0, offset || 0);
+      const allServices2 = await storage.getServicesByName(parsed.service, parsed.version);
+      const compatibleServices2 = filterCompatibleServices(allServices2);
+      const usernameSet = /* @__PURE__ */ new Set();
+      const uniqueServices = [];
+      for (const service of compatibleServices2) {
+        if (!usernameSet.has(service.username)) {
+          usernameSet.add(service.username);
+          const availableOffer2 = await findAvailableOffer(service);
+          if (availableOffer2) {
+            uniqueServices.push(buildServiceResponse(service, availableOffer2));
+          }
+        }
+      }
+      const paginatedServices = uniqueServices.slice(pageOffset, pageOffset + pageLimit);
+      return {
+        services: paginatedServices,
+        count: paginatedServices.length,
+        limit: pageLimit,
+        offset: pageOffset
+      };
+    }
+    if (parsed.username) {
+      const service = await storage.getServiceByFqn(serviceFqn);
+      if (!service) {
+        throw new Error("Service not found");
+      }
+      const availableOffer2 = await findAvailableOffer(service);
+      if (!availableOffer2) {
+        throw new Error("Service has no available offers");
+      }
+      return buildServiceResponse(service, availableOffer2);
+    }
+    const allServices = await storage.getServicesByName(parsed.service, parsed.version);
+    const compatibleServices = filterCompatibleServices(allServices);
+    if (compatibleServices.length === 0) {
+      throw new Error("No services found");
+    }
+    const randomService = compatibleServices[Math.floor(Math.random() * compatibleServices.length)];
+    const availableOffer = await findAvailableOffer(randomService);
+    if (!availableOffer) {
+      throw new Error("Service has no available offers");
+    }
+    return buildServiceResponse(randomService, availableOffer);
+  },
+  /**
+   * Publish a service
+   */
+  async publishService(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offers, ttl } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required for service publishing");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const fqnValidation = validateServiceFqn(serviceFqn);
+    if (!fqnValidation.valid) {
+      throw new Error(fqnValidation.error || "Invalid service FQN");
+    }
+    const parsed = parseServiceFqn(serviceFqn);
+    if (!parsed || !parsed.username) {
+      throw new Error("Service FQN must include username");
+    }
+    if (parsed.username !== username) {
+      throw new Error("Service FQN username must match authenticated username");
+    }
+    if (!offers || !Array.isArray(offers) || offers.length === 0) {
+      throw new Error("Must provide at least one offer");
+    }
+    if (offers.length > config.maxOffersPerRequest) {
+      throw new Error(
+        `Too many offers (max ${config.maxOffersPerRequest})`
+      );
+    }
+    offers.forEach((offer, index) => {
+      if (!offer || typeof offer !== "object") {
+        throw new Error(`Invalid offer at index ${index}: must be an object`);
+      }
+      if (!offer.sdp || typeof offer.sdp !== "string") {
+        throw new Error(`Invalid offer at index ${index}: missing or invalid SDP`);
+      }
+      if (!offer.sdp.trim()) {
+        throw new Error(`Invalid offer at index ${index}: SDP cannot be empty`);
+      }
+    });
+    const now = Date.now();
+    const offerTtl = ttl !== void 0 ? Math.min(
+      Math.max(ttl, config.offerMinTtl),
+      config.offerMaxTtl
+    ) : config.offerDefaultTtl;
+    const expiresAt = now + offerTtl;
+    const offerRequests = offers.map((offer) => ({
+      username,
+      serviceFqn,
+      sdp: offer.sdp,
+      expiresAt
+    }));
+    const result = await storage.createService({
+      serviceFqn,
+      expiresAt,
+      offers: offerRequests
+    });
+    return {
+      serviceId: result.service.id,
+      username: result.service.username,
+      serviceFqn: result.service.serviceFqn,
+      offers: result.offers.map((offer) => ({
+        offerId: offer.id,
+        sdp: offer.sdp,
+        createdAt: offer.createdAt,
+        expiresAt: offer.expiresAt
+      })),
+      createdAt: result.service.createdAt,
+      expiresAt: result.service.expiresAt
+    };
+  },
+  /**
+   * Delete a service
+   */
+  async deleteService(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const parsed = parseServiceFqn(serviceFqn);
+    if (!parsed || !parsed.username) {
+      throw new Error("Service FQN must include username");
+    }
+    const service = await storage.getServiceByFqn(serviceFqn);
+    if (!service) {
+      throw new Error("Service not found");
+    }
+    const deleted = await storage.deleteService(service.id, username);
+    if (!deleted) {
+      throw new Error("Service not found or not owned by this username");
+    }
+    return { success: true };
+  },
+  /**
+   * Answer an offer
+   */
+  async answerOffer(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offerId, sdp } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    if (!sdp || typeof sdp !== "string" || sdp.length === 0) {
+      throw new Error("Invalid SDP");
+    }
+    if (sdp.length > 64 * 1024) {
+      throw new Error("SDP too large (max 64KB)");
+    }
+    const offer = await storage.getOfferById(offerId);
+    if (!offer) {
+      throw new Error("Offer not found");
+    }
+    if (offer.answererUsername) {
+      throw new Error("Offer already answered");
+    }
+    await storage.answerOffer(offerId, username, sdp);
+    return { success: true, offerId };
+  },
+  /**
+   * Get answer for an offer
+   */
+  async getOfferAnswer(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offerId } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const offer = await storage.getOfferById(offerId);
+    if (!offer) {
+      throw new Error("Offer not found");
+    }
+    if (offer.username !== username) {
+      throw new Error("Not authorized to access this offer");
+    }
+    if (!offer.answererUsername || !offer.answerSdp) {
+      throw new Error("Offer not yet answered");
+    }
+    return {
+      sdp: offer.answerSdp,
+      offerId: offer.id,
+      answererId: offer.answererUsername,
+      answeredAt: offer.answeredAt
+    };
+  },
+  /**
+   * Combined polling for answers and ICE candidates
+   */
+  async poll(params, message, signature, publicKey, storage, config) {
+    const { since } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const sinceTimestamp = since || 0;
+    const answeredOffers = await storage.getAnsweredOffers(username);
+    const filteredAnswers = answeredOffers.filter(
+      (offer) => offer.answeredAt && offer.answeredAt > sinceTimestamp
+    );
+    const allOffers = await storage.getOffersByUsername(username);
+    const iceCandidatesByOffer = {};
+    for (const offer of allOffers) {
+      const offererCandidates = await storage.getIceCandidates(
+        offer.id,
+        "offerer",
+        sinceTimestamp
+      );
+      const answererCandidates = await storage.getIceCandidates(
+        offer.id,
+        "answerer",
+        sinceTimestamp
+      );
+      const allCandidates = [
+        ...offererCandidates.map((c) => ({
+          ...c,
+          role: "offerer"
+        })),
+        ...answererCandidates.map((c) => ({
+          ...c,
+          role: "answerer"
+        }))
+      ];
+      if (allCandidates.length > 0) {
+        const isOfferer = offer.username === username;
+        const filtered = allCandidates.filter(
+          (c) => isOfferer ? c.role === "answerer" : c.role === "offerer"
+        );
+        if (filtered.length > 0) {
+          iceCandidatesByOffer[offer.id] = filtered;
+        }
+      }
+    }
+    return {
+      answers: filteredAnswers.map((offer) => ({
+        offerId: offer.id,
+        serviceId: offer.serviceId,
+        answererId: offer.answererUsername,
+        sdp: offer.answerSdp,
+        answeredAt: offer.answeredAt
+      })),
+      iceCandidates: iceCandidatesByOffer
+    };
+  },
+  /**
+   * Add ICE candidates
+   */
+  async addIceCandidates(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offerId, candidates } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    if (!Array.isArray(candidates) || candidates.length === 0) {
+      throw new Error("Missing or invalid required parameter: candidates");
+    }
+    candidates.forEach((candidate, index) => {
+      if (!candidate || typeof candidate !== "object") {
+        throw new Error(`Invalid candidate at index ${index}: must be an object`);
+      }
+    });
+    const offer = await storage.getOfferById(offerId);
+    if (!offer) {
+      throw new Error("Offer not found");
+    }
+    const role = offer.username === username ? "offerer" : "answerer";
+    const count = await storage.addIceCandidates(
+      offerId,
+      username,
+      role,
+      candidates
+    );
+    return { count, offerId };
+  },
+  /**
+   * Get ICE candidates
+   */
+  async getIceCandidates(params, message, signature, publicKey, storage, config) {
+    const { serviceFqn, offerId, since } = params;
+    const username = extractUsername(message);
+    if (!username) {
+      throw new Error("Username required");
+    }
+    const auth = await verifyAuth(username, message, signature, publicKey, storage);
+    if (!auth.valid) {
+      throw new Error(auth.error);
+    }
+    const sinceTimestamp = since || 0;
+    const offer = await storage.getOfferById(offerId);
+    if (!offer) {
+      throw new Error("Offer not found");
+    }
+    const isOfferer = offer.username === username;
+    const role = isOfferer ? "answerer" : "offerer";
+    const candidates = await storage.getIceCandidates(
+      offerId,
+      role,
+      sinceTimestamp
+    );
+    return {
+      candidates: candidates.map((c) => ({
+        candidate: c.candidate,
+        createdAt: c.createdAt
+      })),
+      offerId
+    };
   }
-  return peerId;
+};
+async function handleRpc(requests, storage, config) {
+  const responses = [];
+  for (const request of requests) {
+    try {
+      const { method, message, signature, publicKey, params } = request;
+      if (!method || typeof method !== "string") {
+        responses.push({
+          success: false,
+          error: "Missing or invalid method"
+        });
+        continue;
+      }
+      if (!message || typeof message !== "string") {
+        responses.push({
+          success: false,
+          error: "Missing or invalid message"
+        });
+        continue;
+      }
+      if (!signature || typeof signature !== "string") {
+        responses.push({
+          success: false,
+          error: "Missing or invalid signature"
+        });
+        continue;
+      }
+      const handler = handlers[method];
+      if (!handler) {
+        responses.push({
+          success: false,
+          error: `Unknown method: ${method}`
+        });
+        continue;
+      }
+      const result = await handler(
+        params || {},
+        message,
+        signature,
+        publicKey,
+        storage,
+        config
+      );
+      responses.push({
+        success: true,
+        result
+      });
+    } catch (err2) {
+      responses.push({
+        success: false,
+        error: err2.message || "Internal server error"
+      });
+    }
+  }
+  return responses;
 }
 // src/app.ts
+var MAX_BATCH_SIZE = 100;
 function createApp(storage, config) {
   const app = new import_hono.Hono();
-  const authMiddleware = createAuthMiddleware(config.authSecret);
   app.use("/*", (0, import_cors.cors)({
     origin: (origin) => {
       if (config.corsOrigins.length === 1 && config.corsOrigins[0] === "*") {
@@ -754,458 +1135,62 @@ function createApp(storage, config) {
       }
       return config.corsOrigins[0];
     },
-    allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-    allowHeaders: ["Content-Type", "Origin", "Authorization"],
+    allowMethods: ["GET", "POST", "OPTIONS"],
+    allowHeaders: ["Content-Type", "Origin"],
     exposeHeaders: ["Content-Type"],
-    maxAge: 600,
-    credentials: true
+    credentials: false,
+    maxAge: 86400
   }));
   app.get("/", (c) => {
     return c.json({
       version: config.version,
       name: "Rondevu",
-      description: "DNS-like WebRTC signaling with username claiming and service discovery"
-    });
+      description: "WebRTC signaling with RPC interface and Ed25519 authentication"
+    }, 200);
   });
   app.get("/health", (c) => {
     return c.json({
       status: "ok",
       timestamp: Date.now(),
       version: config.version
-    });
+    }, 200);
   });
-  app.post("/register", async (c) => {
+  app.post("/rpc", async (c) => {
     try {
-      const peerId = generatePeerId();
-      const secret = await encryptPeerId(peerId, config.authSecret);
-      return c.json({
-        peerId,
-        secret
-      }, 200);
-    } catch (err2) {
-      console.error("Error registering peer:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.get("/users/:username", async (c) => {
-    try {
-      const username = c.req.param("username");
-      const claimed = await storage.getUsername(username);
-      if (!claimed) {
-        return c.json({
-          username,
-          available: true
-        }, 200);
-      }
-      return c.json({
-        username: claimed.username,
-        available: false,
-        claimedAt: claimed.claimedAt,
-        expiresAt: claimed.expiresAt,
-        publicKey: claimed.publicKey
-      }, 200);
-    } catch (err2) {
-      console.error("Error checking username:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.post("/users/:username", async (c) => {
-    try {
-      const username = c.req.param("username");
       const body = await c.req.json();
-      const { publicKey, signature, message } = body;
-      if (!publicKey || !signature || !message) {
-        return c.json({ error: "Missing required parameters: publicKey, signature, message" }, 400);
+      const requests = Array.isArray(body) ? body : [body];
+      if (requests.length === 0) {
+        return c.json({ error: "Empty request array" }, 400);
       }
-      const validation = await validateUsernameClaim(username, publicKey, signature, message);
-      if (!validation.valid) {
-        return c.json({ error: validation.error }, 400);
-      }
-      try {
-        const claimed = await storage.claimUsername({
-          username,
-          publicKey,
-          signature,
-          message
-        });
-        return c.json({
-          username: claimed.username,
-          claimedAt: claimed.claimedAt,
-          expiresAt: claimed.expiresAt
-        }, 201);
-      } catch (err2) {
-        if (err2.message?.includes("already claimed")) {
-          return c.json({ error: "Username already claimed by different public key" }, 409);
-        }
-        throw err2;
+      if (requests.length > MAX_BATCH_SIZE) {
+        return c.json({ error: `Too many requests in batch (max ${MAX_BATCH_SIZE})` }, 400);
       }
+      const responses = await handleRpc(requests, storage, config);
+      return c.json(Array.isArray(body) ? responses : responses[0], 200);
     } catch (err2) {
-      console.error("Error claiming username:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.get("/users/:username/services/:fqn", async (c) => {
-    try {
-      const username = c.req.param("username");
-      const serviceFqn = decodeURIComponent(c.req.param("fqn"));
-      const parsed = parseServiceFqn(serviceFqn);
-      if (!parsed) {
-        return c.json({ error: "Invalid service FQN format" }, 400);
-      }
-      const { serviceName, version: requestedVersion } = parsed;
-      const matchingServices = await storage.findServicesByName(username, serviceName);
-      if (matchingServices.length === 0) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const compatibleServices = matchingServices.filter((service2) => {
-        const serviceParsed = parseServiceFqn(service2.serviceFqn);
-        if (!serviceParsed) return false;
-        return isVersionCompatible(requestedVersion, serviceParsed.version);
-      });
-      if (compatibleServices.length === 0) {
-        return c.json({
-          error: "No compatible version found",
-          message: `Requested ${serviceFqn}, but no compatible versions available`
-        }, 404);
-      }
-      const service = compatibleServices[0];
-      const uuid = await storage.queryService(username, service.serviceFqn);
-      if (!uuid) {
-        return c.json({ error: "Service index not found" }, 500);
-      }
-      const serviceOffers = await storage.getOffersForService(service.id);
-      if (serviceOffers.length === 0) {
-        return c.json({ error: "No offers found for this service" }, 404);
-      }
-      const availableOffer = serviceOffers.find((offer) => !offer.answererPeerId);
-      if (!availableOffer) {
-        return c.json({
-          error: "No available offers",
-          message: "All offers from this service are currently in use. Please try again later."
-        }, 503);
-      }
+      console.error("RPC error:", err2);
       return c.json({
-        uuid,
-        serviceId: service.id,
-        username: service.username,
-        serviceFqn: service.serviceFqn,
-        offerId: availableOffer.id,
-        sdp: availableOffer.sdp,
-        isPublic: service.isPublic,
-        metadata: service.metadata ? JSON.parse(service.metadata) : void 0,
-        createdAt: service.createdAt,
-        expiresAt: service.expiresAt
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.post("/users/:username/services", authMiddleware, async (c) => {
-    let serviceFqn;
-    let createdOffers = [];
-    try {
-      const username = c.req.param("username");
-      const body = await c.req.json();
-      serviceFqn = body.serviceFqn;
-      const { offers, ttl, isPublic, metadata, signature, message } = body;
-      if (!serviceFqn || !offers || !Array.isArray(offers) || offers.length === 0) {
-        return c.json({ error: "Missing required parameters: serviceFqn, offers (must be non-empty array)" }, 400);
-      }
-      const fqnValidation = validateServiceFqn(serviceFqn);
-      if (!fqnValidation.valid) {
-        return c.json({ error: fqnValidation.error }, 400);
-      }
-      if (!signature || !message) {
-        return c.json({ error: "Missing signature or message for username verification" }, 400);
-      }
-      const usernameRecord = await storage.getUsername(username);
-      if (!usernameRecord) {
-        return c.json({ error: "Username not claimed" }, 404);
-      }
-      const signatureValidation = await validateServicePublish(username, serviceFqn, usernameRecord.publicKey, signature, message);
-      if (!signatureValidation.valid) {
-        return c.json({ error: "Invalid signature for username" }, 403);
-      }
-      const existingUuid = await storage.queryService(username, serviceFqn);
-      if (existingUuid) {
-        const existingService = await storage.getServiceByUuid(existingUuid);
-        if (existingService) {
-          await storage.deleteService(existingService.id, username);
-        }
-      }
-      for (const offer of offers) {
-        if (!offer.sdp || typeof offer.sdp !== "string" || offer.sdp.length === 0) {
-          return c.json({ error: "Invalid SDP in offers array" }, 400);
-        }
-        if (offer.sdp.length > 64 * 1024) {
-          return c.json({ error: "SDP too large (max 64KB)" }, 400);
-        }
-      }
-      const peerId = getAuthenticatedPeerId(c);
-      const offerTtl = Math.min(
-        Math.max(ttl || config.offerDefaultTtl, config.offerMinTtl),
-        config.offerMaxTtl
-      );
-      const expiresAt = Date.now() + offerTtl;
-      const offerRequests = offers.map((offer) => ({
-        peerId,
-        sdp: offer.sdp,
-        expiresAt
-      }));
-      const result = await storage.createService({
-        username,
-        serviceFqn,
-        expiresAt,
-        isPublic: isPublic || false,
-        metadata: metadata ? JSON.stringify(metadata) : void 0,
-        offers: offerRequests
-      });
-      createdOffers = result.offers;
-      return c.json({
-        uuid: result.indexUuid,
-        serviceFqn,
-        username,
-        serviceId: result.service.id,
-        offers: result.offers.map((o) => ({
-          offerId: o.id,
-          sdp: o.sdp,
-          createdAt: o.createdAt,
-          expiresAt: o.expiresAt
-        })),
-        isPublic: result.service.isPublic,
-        metadata,
-        createdAt: result.service.createdAt,
-        expiresAt: result.service.expiresAt
-      }, 201);
-    } catch (err2) {
-      console.error("Error creating service:", err2);
-      console.error("Error details:", {
-        message: err2.message,
-        stack: err2.stack,
-        username: c.req.param("username"),
-        serviceFqn,
-        offerIds: createdOffers.map((o) => o.id)
-      });
-      return c.json({
-        error: "Internal server error",
-        details: err2.message
-      }, 500);
-    }
-  });
-  app.delete("/users/:username/services/:fqn", authMiddleware, async (c) => {
-    try {
-      const username = c.req.param("username");
-      const serviceFqn = decodeURIComponent(c.req.param("fqn"));
-      const uuid = await storage.queryService(username, serviceFqn);
-      if (!uuid) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const service = await storage.getServiceByUuid(uuid);
-      if (!service) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const deleted = await storage.deleteService(service.id, username);
-      if (!deleted) {
-        return c.json({ error: "Service not found or not owned by this username" }, 404);
-      }
-      return c.json({ success: true }, 200);
-    } catch (err2) {
-      console.error("Error deleting service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.get("/services/:uuid", async (c) => {
-    try {
-      const uuid = c.req.param("uuid");
-      const service = await storage.getServiceByUuid(uuid);
-      if (!service) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const serviceOffers = await storage.getOffersForService(service.id);
-      if (serviceOffers.length === 0) {
-        return c.json({ error: "No offers found for this service" }, 404);
-      }
-      const availableOffer = serviceOffers.find((offer) => !offer.answererPeerId);
-      if (!availableOffer) {
-        return c.json({
-          error: "No available offers",
-          message: "All offers from this service are currently in use. Please try again later."
-        }, 503);
-      }
-      return c.json({
-        uuid,
-        serviceId: service.id,
-        username: service.username,
-        serviceFqn: service.serviceFqn,
-        offerId: availableOffer.id,
-        sdp: availableOffer.sdp,
-        isPublic: service.isPublic,
-        metadata: service.metadata ? JSON.parse(service.metadata) : void 0,
-        createdAt: service.createdAt,
-        expiresAt: service.expiresAt
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.post("/services/:uuid/answer", authMiddleware, async (c) => {
-    try {
-      const uuid = c.req.param("uuid");
-      const body = await c.req.json();
-      const { sdp } = body;
-      if (!sdp) {
-        return c.json({ error: "Missing required parameter: sdp" }, 400);
-      }
-      if (typeof sdp !== "string" || sdp.length === 0) {
-        return c.json({ error: "Invalid SDP" }, 400);
-      }
-      if (sdp.length > 64 * 1024) {
-        return c.json({ error: "SDP too large (max 64KB)" }, 400);
-      }
-      const service = await storage.getServiceByUuid(uuid);
-      if (!service) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const serviceOffers = await storage.getOffersForService(service.id);
-      const availableOffer = serviceOffers.find((offer) => !offer.answererPeerId);
-      if (!availableOffer) {
-        return c.json({ error: "No available offers" }, 503);
-      }
-      const answererPeerId = getAuthenticatedPeerId(c);
-      const result = await storage.answerOffer(availableOffer.id, answererPeerId, sdp);
-      if (!result.success) {
-        return c.json({ error: result.error }, 400);
-      }
-      return c.json({
-        success: true,
-        offerId: availableOffer.id
-      }, 200);
-    } catch (err2) {
-      console.error("Error answering service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.get("/services/:uuid/answer", authMiddleware, async (c) => {
-    try {
-      const uuid = c.req.param("uuid");
-      const peerId = getAuthenticatedPeerId(c);
-      const service = await storage.getServiceByUuid(uuid);
-      if (!service) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      const serviceOffers = await storage.getOffersForService(service.id);
-      const myOffer = serviceOffers.find((offer) => offer.peerId === peerId && offer.answererPeerId);
-      if (!myOffer || !myOffer.answerSdp) {
-        return c.json({ error: "Offer not yet answered" }, 404);
-      }
-      return c.json({
-        offerId: myOffer.id,
-        answererId: myOffer.answererPeerId,
-        sdp: myOffer.answerSdp,
-        answeredAt: myOffer.answeredAt
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting service answer:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
-  });
-  app.post("/services/:uuid/ice-candidates", authMiddleware, async (c) => {
-    try {
-      const uuid = c.req.param("uuid");
-      const body = await c.req.json();
-      const { candidates, offerId } = body;
-      if (!Array.isArray(candidates) || candidates.length === 0) {
-        return c.json({ error: "Missing or invalid required parameter: candidates" }, 400);
-      }
-      const peerId = getAuthenticatedPeerId(c);
-      const service = await storage.getServiceByUuid(uuid);
-      if (!service) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      let targetOfferId = offerId;
-      if (!targetOfferId) {
-        const serviceOffers = await storage.getOffersForService(service.id);
-        const myOffer = serviceOffers.find(
-          (offer2) => offer2.peerId === peerId || offer2.answererPeerId === peerId
-        );
-        if (!myOffer) {
-          return c.json({ error: "No offer found for this peer" }, 404);
-        }
-        targetOfferId = myOffer.id;
-      }
-      const offer = await storage.getOfferById(targetOfferId);
-      if (!offer) {
-        return c.json({ error: "Offer not found" }, 404);
-      }
-      const role = offer.peerId === peerId ? "offerer" : "answerer";
-      const count = await storage.addIceCandidates(targetOfferId, peerId, role, candidates);
-      return c.json({ count, offerId: targetOfferId }, 200);
-    } catch (err2) {
-      console.error("Error adding ICE candidates to service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
+        success: false,
+        error: "Invalid request format"
+      }, 400);
     }
   });
-  app.get("/services/:uuid/ice-candidates", authMiddleware, async (c) => {
-    try {
-      const uuid = c.req.param("uuid");
-      const since = c.req.query("since");
-      const offerId = c.req.query("offerId");
-      const peerId = getAuthenticatedPeerId(c);
-      const service = await storage.getServiceByUuid(uuid);
-      if (!service) {
-        return c.json({ error: "Service not found" }, 404);
-      }
-      let targetOfferId = offerId;
-      if (!targetOfferId) {
-        const serviceOffers = await storage.getOffersForService(service.id);
-        const myOffer = serviceOffers.find(
-          (offer2) => offer2.peerId === peerId || offer2.answererPeerId === peerId
-        );
-        if (!myOffer) {
-          return c.json({ error: "No offer found for this peer" }, 404);
-        }
-        targetOfferId = myOffer.id;
-      }
-      const offer = await storage.getOfferById(targetOfferId);
-      if (!offer) {
-        return c.json({ error: "Offer not found" }, 404);
-      }
-      const targetRole = offer.peerId === peerId ? "answerer" : "offerer";
-      const sinceTimestamp = since ? parseInt(since, 10) : void 0;
-      const candidates = await storage.getIceCandidates(targetOfferId, targetRole, sinceTimestamp);
-      return c.json({
-        candidates: candidates.map((c2) => ({
-          candidate: c2.candidate,
-          createdAt: c2.createdAt
-        })),
-        offerId: targetOfferId
-      }, 200);
-    } catch (err2) {
-      console.error("Error getting ICE candidates for service:", err2);
-      return c.json({ error: "Internal server error" }, 500);
-    }
+  app.all("*", (c) => {
+    return c.json({
+      error: "Not found. Use POST /rpc for all API calls."
+    }, 404);
   });
   return app;
 }
 // src/config.ts
 function loadConfig() {
-  let authSecret = process.env.AUTH_SECRET;
-  if (!authSecret) {
-    authSecret = generateSecretKey();
-    console.warn("WARNING: No AUTH_SECRET provided. Generated temporary secret:", authSecret);
-    console.warn("All peer credentials will be invalidated on server restart.");
-    console.warn("Set AUTH_SECRET environment variable to persist credentials across restarts.");
-  }
   return {
     port: parseInt(process.env.PORT || "3000", 10),
     storageType: process.env.STORAGE_TYPE || "sqlite",
     storagePath: process.env.STORAGE_PATH || ":memory:",
     corsOrigins: process.env.CORS_ORIGINS ? process.env.CORS_ORIGINS.split(",").map((o) => o.trim()) : ["*"],
     version: process.env.VERSION || "unknown",
-    authSecret,
     offerDefaultTtl: parseInt(process.env.OFFER_DEFAULT_TTL || "60000", 10),
     offerMaxTtl: parseInt(process.env.OFFER_MAX_TTL || "86400000", 10),
     offerMinTtl: parseInt(process.env.OFFER_MIN_TTL || "60000", 10),
@@ -1251,30 +1236,29 @@ var SQLiteStorage = class {
       -- WebRTC signaling offers
       CREATE TABLE IF NOT EXISTS offers (
         id TEXT PRIMARY KEY,
-        peer_id TEXT NOT NULL,
+        username TEXT NOT NULL,
         service_id TEXT,
         sdp TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         last_seen INTEGER NOT NULL,
-        secret TEXT,
-        answerer_peer_id TEXT,
+        answerer_username TEXT,
         answer_sdp TEXT,
         answered_at INTEGER,
         FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
       );
-      CREATE INDEX IF NOT EXISTS idx_offers_peer ON offers(peer_id);
+      CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username);
       CREATE INDEX IF NOT EXISTS idx_offers_service ON offers(service_id);
       CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at);
       CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
-      CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_peer_id);
+      CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username);
       -- ICE candidates table
       CREATE TABLE IF NOT EXISTS ice_candidates (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
         offer_id TEXT NOT NULL,
-        peer_id TEXT NOT NULL,
+        username TEXT NOT NULL,
         role TEXT NOT NULL CHECK(role IN ('offerer', 'answerer')),
         candidate TEXT NOT NULL,
         created_at INTEGER NOT NULL,
@@ -1282,7 +1266,7 @@ var SQLiteStorage = class {
       );
       CREATE INDEX IF NOT EXISTS idx_ice_offer ON ice_candidates(offer_id);
-      CREATE INDEX IF NOT EXISTS idx_ice_peer ON ice_candidates(peer_id);
+      CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username);
       CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
       -- Usernames table
@@ -1299,36 +1283,23 @@ var SQLiteStorage = class {
       CREATE INDEX IF NOT EXISTS idx_usernames_expires ON usernames(expires_at);
       CREATE INDEX IF NOT EXISTS idx_usernames_public_key ON usernames(public_key);
-      -- Services table (one service can have multiple offers)
+      -- Services table (new schema with extracted fields for discovery)
       CREATE TABLE IF NOT EXISTS services (
         id TEXT PRIMARY KEY,
-        username TEXT NOT NULL,
         service_fqn TEXT NOT NULL,
+        service_name TEXT NOT NULL,
+        version TEXT NOT NULL,
+        username TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
-        is_public INTEGER NOT NULL DEFAULT 0,
-        metadata TEXT,
         FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-        UNIQUE(username, service_fqn)
+        UNIQUE(service_fqn)
       );
-      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
       CREATE INDEX IF NOT EXISTS idx_services_fqn ON services(service_fqn);
+      CREATE INDEX IF NOT EXISTS idx_services_discovery ON services(service_name, version);
+      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
       CREATE INDEX IF NOT EXISTS idx_services_expires ON services(expires_at);
-      -- Service index table (privacy layer)
-      CREATE TABLE IF NOT EXISTS service_index (
-        uuid TEXT PRIMARY KEY,
-        service_id TEXT NOT NULL,
-        username TEXT NOT NULL,
-        service_fqn TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-      );
-      CREATE INDEX IF NOT EXISTS idx_service_index_username ON service_index(username);
-      CREATE INDEX IF NOT EXISTS idx_service_index_expires ON service_index(expires_at);
     `);
     this.db.pragma("foreign_keys = ON");
   }
@@ -1343,43 +1314,42 @@ var SQLiteStorage = class {
     );
     const transaction = this.db.transaction((offersWithIds2) => {
       const offerStmt = this.db.prepare(`
-        INSERT INTO offers (id, peer_id, service_id, sdp, created_at, expires_at, last_seen, secret)
-        VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+        INSERT INTO offers (id, username, service_id, sdp, created_at, expires_at, last_seen)
+        VALUES (?, ?, ?, ?, ?, ?, ?)
       `);
       for (const offer of offersWithIds2) {
         const now = Date.now();
         offerStmt.run(
           offer.id,
-          offer.peerId,
+          offer.username,
           offer.serviceId || null,
           offer.sdp,
           now,
           offer.expiresAt,
-          now,
-          offer.secret || null
+          now
         );
         created.push({
           id: offer.id,
-          peerId: offer.peerId,
+          username: offer.username,
           serviceId: offer.serviceId || void 0,
+          serviceFqn: offer.serviceFqn,
           sdp: offer.sdp,
           createdAt: now,
           expiresAt: offer.expiresAt,
-          lastSeen: now,
-          secret: offer.secret
+          lastSeen: now
         });
       }
     });
     transaction(offersWithIds);
     return created;
   }
-  async getOffersByPeerId(peerId) {
+  async getOffersByUsername(username) {
     const stmt = this.db.prepare(`
       SELECT * FROM offers
-      WHERE peer_id = ? AND expires_at > ?
+      WHERE username = ? AND expires_at > ?
       ORDER BY last_seen DESC
     `);
-    const rows = stmt.all(peerId, Date.now());
+    const rows = stmt.all(username, Date.now());
     return rows.map((row) => this.rowToOffer(row));
   }
   async getOfferById(offerId) {
@@ -1393,12 +1363,12 @@ var SQLiteStorage = class {
     }
     return this.rowToOffer(row);
   }
-  async deleteOffer(offerId, ownerPeerId) {
+  async deleteOffer(offerId, ownerUsername) {
     const stmt = this.db.prepare(`
       DELETE FROM offers
-      WHERE id = ? AND peer_id = ?
+      WHERE id = ? AND username = ?
     `);
-    const result = stmt.run(offerId, ownerPeerId);
+    const result = stmt.run(offerId, ownerUsername);
     return result.changes > 0;
   }
   async deleteExpiredOffers(now) {
@@ -1406,7 +1376,7 @@ var SQLiteStorage = class {
     const result = stmt.run(now);
     return result.changes;
   }
-  async answerOffer(offerId, answererPeerId, answerSdp, secret) {
+  async answerOffer(offerId, answererUsername, answerSdp) {
     const offer = await this.getOfferById(offerId);
     if (!offer) {
       return {
@@ -1414,13 +1384,7 @@ var SQLiteStorage = class {
         error: "Offer not found or expired"
       };
     }
-    if (offer.secret && offer.secret !== secret) {
-      return {
-        success: false,
-        error: "Invalid or missing secret"
-      };
-    }
-    if (offer.answererPeerId) {
+    if (offer.answererUsername) {
       return {
         success: false,
         error: "Offer already answered"
@@ -1428,10 +1392,10 @@ var SQLiteStorage = class {
     }
     const stmt = this.db.prepare(`
       UPDATE offers
-      SET answerer_peer_id = ?, answer_sdp = ?, answered_at = ?
-      WHERE id = ? AND answerer_peer_id IS NULL
+      SET answerer_username = ?, answer_sdp = ?, answered_at = ?
+      WHERE id = ? AND answerer_username IS NULL
     `);
-    const result = stmt.run(answererPeerId, answerSdp, Date.now(), offerId);
+    const result = stmt.run(answererUsername, answerSdp, Date.now(), offerId);
     if (result.changes === 0) {
       return {
         success: false,
@@ -1440,19 +1404,19 @@ var SQLiteStorage = class {
     }
     return { success: true };
   }
-  async getAnsweredOffers(offererPeerId) {
+  async getAnsweredOffers(offererUsername) {
     const stmt = this.db.prepare(`
       SELECT * FROM offers
-      WHERE peer_id = ? AND answerer_peer_id IS NOT NULL AND expires_at > ?
+      WHERE username = ? AND answerer_username IS NOT NULL AND expires_at > ?
       ORDER BY answered_at DESC
     `);
-    const rows = stmt.all(offererPeerId, Date.now());
+    const rows = stmt.all(offererUsername, Date.now());
     return rows.map((row) => this.rowToOffer(row));
   }
   // ===== ICE Candidate Management =====
-  async addIceCandidates(offerId, peerId, role, candidates) {
+  async addIceCandidates(offerId, username, role, candidates) {
     const stmt = this.db.prepare(`
-      INSERT INTO ice_candidates (offer_id, peer_id, role, candidate, created_at)
+      INSERT INTO ice_candidates (offer_id, username, role, candidate, created_at)
       VALUES (?, ?, ?, ?, ?)
     `);
     const baseTimestamp = Date.now();
@@ -1460,7 +1424,7 @@ var SQLiteStorage = class {
       for (let i = 0; i < candidates2.length; i++) {
         stmt.run(
           offerId,
-          peerId,
+          username,
           role,
           JSON.stringify(candidates2[i]),
           baseTimestamp + i
@@ -1486,7 +1450,7 @@ var SQLiteStorage = class {
     return rows.map((row) => ({
       id: row.id,
       offerId: row.offer_id,
-      peerId: row.peer_id,
+      username: row.username,
       role: row.role,
       candidate: JSON.parse(row.candidate),
       createdAt: row.created_at
@@ -1562,63 +1526,74 @@ var SQLiteStorage = class {
   // ===== Service Management =====
   async createService(request) {
     const serviceId = (0, import_node_crypto.randomUUID)();
-    const indexUuid = (0, import_node_crypto.randomUUID)();
     const now = Date.now();
-    const offerRequests = request.offers.map((offer) => ({
-      ...offer,
-      serviceId
-    }));
-    const offers = await this.createOffers(offerRequests);
+    const parsed = parseServiceFqn(request.serviceFqn);
+    if (!parsed) {
+      throw new Error(`Invalid service FQN: ${request.serviceFqn}`);
+    }
+    if (!parsed.username) {
+      throw new Error(`Service FQN must include username: ${request.serviceFqn}`);
+    }
+    const { serviceName, version, username } = parsed;
     const transaction = this.db.transaction(() => {
-      const serviceStmt = this.db.prepare(`
-        INSERT INTO services (id, username, service_fqn, created_at, expires_at, is_public, metadata)
+      const existingService = this.db.prepare(`
+        SELECT id FROM services
+        WHERE service_name = ? AND version = ? AND username = ?
+      `).get(serviceName, version, username);
+      if (existingService) {
+        this.db.prepare(`
+          DELETE FROM offers WHERE service_id = ?
+        `).run(existingService.id);
+        this.db.prepare(`
+          DELETE FROM services WHERE id = ?
+        `).run(existingService.id);
+      }
+      this.db.prepare(`
+        INSERT INTO services (id, service_fqn, service_name, version, username, created_at, expires_at)
         VALUES (?, ?, ?, ?, ?, ?, ?)
-      `);
-      serviceStmt.run(
+      `).run(
         serviceId,
-        request.username,
-        request.serviceFqn,
-        now,
-        request.expiresAt,
-        request.isPublic ? 1 : 0,
-        request.metadata || null
-      );
-      const indexStmt = this.db.prepare(`
-        INSERT INTO service_index (uuid, service_id, username, service_fqn, created_at, expires_at)
-        VALUES (?, ?, ?, ?, ?, ?)
-      `);
-      indexStmt.run(
-        indexUuid,
-        serviceId,
-        request.username,
         request.serviceFqn,
+        serviceName,
+        version,
+        username,
         now,
         request.expiresAt
       );
-      this.touchUsername(request.username);
+      const expiresAt = now + YEAR_IN_MS;
+      this.db.prepare(`
+        UPDATE usernames
+        SET last_used = ?, expires_at = ?
+        WHERE username = ? AND expires_at > ?
+      `).run(now, expiresAt, username, now);
     });
     transaction();
+    const offerRequests = request.offers.map((offer) => ({
+      ...offer,
+      serviceId
+    }));
+    const offers = await this.createOffers(offerRequests);
     return {
       service: {
         id: serviceId,
-        username: request.username,
         serviceFqn: request.serviceFqn,
+        serviceName,
+        version,
+        username,
         createdAt: now,
-        expiresAt: request.expiresAt,
-        isPublic: request.isPublic || false,
-        metadata: request.metadata
+        expiresAt: request.expiresAt
       },
-      indexUuid,
       offers
     };
   }
-  async batchCreateServices(requests) {
-    const results = [];
-    for (const request of requests) {
-      const result = await this.createService(request);
-      results.push(result);
-    }
-    return results;
+  async getOffersForService(serviceId) {
+    const stmt = this.db.prepare(`
+      SELECT * FROM offers
+      WHERE service_id = ? AND expires_at > ?
+      ORDER BY created_at ASC
+    `);
+    const rows = stmt.all(serviceId, Date.now());
+    return rows.map((row) => this.rowToOffer(row));
   }
   async getServiceById(serviceId) {
     const stmt = this.db.prepare(`
@@ -1631,51 +1606,49 @@ var SQLiteStorage = class {
     }
     return this.rowToService(row);
   }
-  async getServiceByUuid(uuid) {
+  async getServiceByFqn(serviceFqn) {
     const stmt = this.db.prepare(`
-      SELECT s.* FROM services s
-      INNER JOIN service_index si ON s.id = si.service_id
-      WHERE si.uuid = ? AND s.expires_at > ?
+      SELECT * FROM services
+      WHERE service_fqn = ? AND expires_at > ?
     `);
-    const row = stmt.get(uuid, Date.now());
+    const row = stmt.get(serviceFqn, Date.now());
     if (!row) {
       return null;
     }
     return this.rowToService(row);
   }
-  async listServicesForUsername(username) {
+  async discoverServices(serviceName, version, limit, offset) {
     const stmt = this.db.prepare(`
-      SELECT si.uuid, s.is_public, s.service_fqn, s.metadata
-      FROM service_index si
-      INNER JOIN services s ON si.service_id = s.id
-      WHERE si.username = ? AND si.expires_at > ?
+      SELECT DISTINCT s.* FROM services s
+      INNER JOIN offers o ON o.service_id = s.id
+      WHERE s.service_name = ?
+        AND s.version = ?
+        AND s.expires_at > ?
+        AND o.answerer_username IS NULL
+        AND o.expires_at > ?
       ORDER BY s.created_at DESC
+      LIMIT ? OFFSET ?
     `);
-    const rows = stmt.all(username, Date.now());
-    return rows.map((row) => ({
-      uuid: row.uuid,
-      isPublic: row.is_public === 1,
-      serviceFqn: row.is_public === 1 ? row.service_fqn : void 0,
-      metadata: row.is_public === 1 ? row.metadata || void 0 : void 0
-    }));
-  }
-  async queryService(username, serviceFqn) {
-    const stmt = this.db.prepare(`
-      SELECT si.uuid FROM service_index si
-      INNER JOIN services s ON si.service_id = s.id
-      WHERE si.username = ? AND si.service_fqn = ? AND si.expires_at > ?
-    `);
-    const row = stmt.get(username, serviceFqn, Date.now());
-    return row ? row.uuid : null;
+    const rows = stmt.all(serviceName, version, Date.now(), Date.now(), limit, offset);
+    return rows.map((row) => this.rowToService(row));
   }
-  async findServicesByName(username, serviceName) {
+  async getRandomService(serviceName, version) {
     const stmt = this.db.prepare(`
-      SELECT * FROM services
-      WHERE username = ? AND service_fqn LIKE ? AND expires_at > ?
-      ORDER BY created_at DESC
+      SELECT s.* FROM services s
+      INNER JOIN offers o ON o.service_id = s.id
+      WHERE s.service_name = ?
+        AND s.version = ?
+        AND s.expires_at > ?
+        AND o.answerer_username IS NULL
+        AND o.expires_at > ?
+      ORDER BY RANDOM()
+      LIMIT 1
     `);
-    const rows = stmt.all(username, `${serviceName}@%`, Date.now());
-    return rows.map((row) => this.rowToService(row));
+    const row = stmt.get(serviceName, version, Date.now(), Date.now());
+    if (!row) {
+      return null;
+    }
+    return this.rowToService(row);
   }
   async deleteService(serviceId, username) {
     const stmt = this.db.prepare(`
@@ -1700,14 +1673,14 @@ var SQLiteStorage = class {
   rowToOffer(row) {
     return {
       id: row.id,
-      peerId: row.peer_id,
+      username: row.username,
       serviceId: row.service_id || void 0,
+      serviceFqn: row.service_fqn || void 0,
       sdp: row.sdp,
       createdAt: row.created_at,
       expiresAt: row.expires_at,
       lastSeen: row.last_seen,
-      secret: row.secret || void 0,
-      answererPeerId: row.answerer_peer_id || void 0,
+      answererUsername: row.answerer_username || void 0,
       answerSdp: row.answer_sdp || void 0,
       answeredAt: row.answered_at || void 0
     };
@@ -1718,26 +1691,14 @@ var SQLiteStorage = class {
   rowToService(row) {
     return {
       id: row.id,
-      username: row.username,
       serviceFqn: row.service_fqn,
+      serviceName: row.service_name,
+      version: row.version,
+      username: row.username,
       createdAt: row.created_at,
-      expiresAt: row.expires_at,
-      isPublic: row.is_public === 1,
-      metadata: row.metadata || void 0
+      expiresAt: row.expires_at
     };
   }
-  /**
-   * Get all offers for a service
-   */
-  async getOffersForService(serviceId) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM offers
-      WHERE service_id = ? AND expires_at > ?
-      ORDER BY created_at ASC
-    `);
-    const rows = stmt.all(serviceId, Date.now());
-    return rows.map((row) => this.rowToOffer(row));
-  }
 };
 // src/index.ts