npm - @xtr-dev/rondevu-server - Versions diffs - 0.5.0 → 0.5.6 - Mend

@xtr-dev/rondevu-server 0.5.0 → 0.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/.github/workflows/claude-code-review.yml +57 -0
package/.github/workflows/claude.yml +50 -0
package/.idea/modules.xml +8 -0
package/.idea/rondevu-server.iml +8 -0
package/.idea/workspace.xml +17 -0
package/README.md +80 -199
package/build.js +4 -1
package/dist/index.js +2755 -1448
package/dist/index.js.map +4 -4
package/migrations/fresh_schema.sql +36 -41
package/package.json +10 -4
package/src/app.ts +38 -18
package/src/config.ts +155 -9
package/src/crypto.ts +362 -265
package/src/index.ts +20 -25
package/src/rpc.ts +658 -405
package/src/storage/d1.ts +312 -263
package/src/storage/factory.ts +69 -0
package/src/storage/hash-id.ts +13 -9
package/src/storage/memory.ts +559 -0
package/src/storage/mysql.ts +588 -0
package/src/storage/postgres.ts +595 -0
package/src/storage/schemas/mysql.sql +59 -0
package/src/storage/schemas/postgres.sql +64 -0
package/src/storage/sqlite.ts +303 -269
package/src/storage/types.ts +113 -113
package/src/worker.ts +15 -34
package/tests/integration/api.test.ts +395 -0
package/tests/integration/setup.ts +170 -0
package/wrangler.toml +25 -26
package/ADVANCED.md +0 -502

package/src/storage/sqlite.ts CHANGED Viewed

@@ -1,58 +1,55 @@
 import Database from 'better-sqlite3';
-import { randomUUID } from 'node:crypto';
 import {
   Storage,
   Offer,
   IceCandidate,
   CreateOfferRequest,
-  Username,
-  ClaimUsernameRequest,
-  Service,
-  CreateServiceRequest,
+  Credential,
+  GenerateCredentialsRequest,
 } from './types.ts';
 import { generateOfferHash } from './hash-id.ts';
-import { parseServiceFqn } from '../crypto.ts';
 const YEAR_IN_MS = 365 * 24 * 60 * 60 * 1000; // 365 days
 /**
- * SQLite storage adapter for rondevu DNS-like system
+ * SQLite storage adapter for rondevu signaling system
  * Supports both file-based and in-memory databases
  */
 export class SQLiteStorage implements Storage {
   private db: Database.Database;
+  private masterEncryptionKey: string;
   /**
    * Creates a new SQLite storage instance
    * @param path Path to SQLite database file, or ':memory:' for in-memory database
+   * @param masterEncryptionKey 64-char hex string for encrypting secrets (32 bytes)
    */
-  constructor(path: string = ':memory:') {
+  constructor(path: string = ':memory:', masterEncryptionKey: string) {
     this.db = new Database(path);
+    this.masterEncryptionKey = masterEncryptionKey;
     this.initializeDatabase();
   }
   /**
-   * Initializes database schema with username and service-based structure
+   * Initializes database schema with tags-based offers
    */
   private initializeDatabase(): void {
     this.db.exec(`
-      -- WebRTC signaling offers
+      -- WebRTC signaling offers with tags
       CREATE TABLE IF NOT EXISTS offers (
         id TEXT PRIMARY KEY,
         username TEXT NOT NULL,
-        service_id TEXT,
+        tags TEXT NOT NULL,
         sdp TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         last_seen INTEGER NOT NULL,
         answerer_username TEXT,
         answer_sdp TEXT,
-        answered_at INTEGER,
-        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+        answered_at INTEGER
       );
       CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username);
-      CREATE INDEX IF NOT EXISTS idx_offers_service ON offers(service_id);
       CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at);
       CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
       CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username);
@@ -72,37 +69,35 @@ export class SQLiteStorage implements Storage {
       CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username);
       CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
-      -- Usernames table
-      CREATE TABLE IF NOT EXISTS usernames (
-        username TEXT PRIMARY KEY,
-        public_key TEXT NOT NULL UNIQUE,
-        claimed_at INTEGER NOT NULL,
+      -- Credentials table (replaces usernames with simpler name + secret auth)
+      CREATE TABLE IF NOT EXISTS credentials (
+        name TEXT PRIMARY KEY,
+        secret TEXT NOT NULL UNIQUE,
+        created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         last_used INTEGER NOT NULL,
-        metadata TEXT,
-        CHECK(length(username) >= 3 AND length(username) <= 32)
+        CHECK(length(name) >= 3 AND length(name) <= 32)
       );
-      CREATE INDEX IF NOT EXISTS idx_usernames_expires ON usernames(expires_at);
-      CREATE INDEX IF NOT EXISTS idx_usernames_public_key ON usernames(public_key);
+      CREATE INDEX IF NOT EXISTS idx_credentials_expires ON credentials(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_credentials_secret ON credentials(secret);
-      -- Services table (new schema with extracted fields for discovery)
-      CREATE TABLE IF NOT EXISTS services (
-        id TEXT PRIMARY KEY,
-        service_fqn TEXT NOT NULL,
-        service_name TEXT NOT NULL,
-        version TEXT NOT NULL,
-        username TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-        UNIQUE(service_fqn)
+      -- Rate limits table (for distributed rate limiting)
+      CREATE TABLE IF NOT EXISTS rate_limits (
+        identifier TEXT PRIMARY KEY,
+        count INTEGER NOT NULL,
+        reset_time INTEGER NOT NULL
       );
-      CREATE INDEX IF NOT EXISTS idx_services_fqn ON services(service_fqn);
-      CREATE INDEX IF NOT EXISTS idx_services_discovery ON services(service_name, version);
-      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
-      CREATE INDEX IF NOT EXISTS idx_services_expires ON services(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_rate_limits_reset ON rate_limits(reset_time);
+      -- Nonces table (for replay attack prevention)
+      CREATE TABLE IF NOT EXISTS nonces (
+        nonce_key TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_nonces_expires ON nonces(expires_at);
     `);
     // Enable foreign keys
@@ -125,18 +120,18 @@ export class SQLiteStorage implements Storage {
     // Use transaction for atomic creation
     const transaction = this.db.transaction((offersWithIds: (CreateOfferRequest & { id: string })[]) => {
       const offerStmt = this.db.prepare(`
-        INSERT INTO offers (id, username, service_id, sdp, created_at, expires_at, last_seen)
+        INSERT INTO offers (id, username, tags, sdp, created_at, expires_at, last_seen)
         VALUES (?, ?, ?, ?, ?, ?, ?)
       `);
       for (const offer of offersWithIds) {
         const now = Date.now();
-        // Insert offer
+        // Insert offer with JSON-serialized tags
         offerStmt.run(
           offer.id,
           offer.username,
-          offer.serviceId || null,
+          JSON.stringify(offer.tags),
           offer.sdp,
           now,
           offer.expiresAt,
@@ -146,8 +141,7 @@ export class SQLiteStorage implements Storage {
         created.push({
           id: offer.id,
           username: offer.username,
-          serviceId: offer.serviceId || undefined,
-          serviceFqn: offer.serviceFqn,
+          tags: offer.tags,
           sdp: offer.sdp,
           createdAt: now,
           expiresAt: offer.expiresAt,
@@ -255,6 +249,88 @@ export class SQLiteStorage implements Storage {
     return rows.map(row => this.rowToOffer(row));
   }
+  async getOffersAnsweredBy(answererUsername: string): Promise<Offer[]> {
+    const stmt = this.db.prepare(`
+      SELECT * FROM offers
+      WHERE answerer_username = ? AND expires_at > ?
+      ORDER BY answered_at DESC
+    `);
+    const rows = stmt.all(answererUsername, Date.now()) as any[];
+    return rows.map(row => this.rowToOffer(row));
+  }
+  // ===== Discovery =====
+  async discoverOffers(
+    tags: string[],
+    excludeUsername: string | null,
+    limit: number,
+    offset: number
+  ): Promise<Offer[]> {
+    if (tags.length === 0) {
+      return [];
+    }
+    // Build query with JSON tag matching (OR logic)
+    // SQLite: Use json_each() to expand tags array and check if any tag matches
+    const placeholders = tags.map(() => '?').join(',');
+    let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+    const params: any[] = [...tags, Date.now()];
+    if (excludeUsername) {
+      query += ' AND o.username != ?';
+      params.push(excludeUsername);
+    }
+    query += ' ORDER BY o.created_at DESC LIMIT ? OFFSET ?';
+    params.push(limit, offset);
+    const stmt = this.db.prepare(query);
+    const rows = stmt.all(...params) as any[];
+    return rows.map(row => this.rowToOffer(row));
+  }
+  async getRandomOffer(
+    tags: string[],
+    excludeUsername: string | null
+  ): Promise<Offer | null> {
+    if (tags.length === 0) {
+      return null;
+    }
+    // Build query with JSON tag matching (OR logic)
+    const placeholders = tags.map(() => '?').join(',');
+    let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+    const params: any[] = [...tags, Date.now()];
+    if (excludeUsername) {
+      query += ' AND o.username != ?';
+      params.push(excludeUsername);
+    }
+    query += ' ORDER BY RANDOM() LIMIT 1';
+    const stmt = this.db.prepare(query);
+    const row = stmt.get(...params) as any;
+    return row ? this.rowToOffer(row) : null;
+  }
   // ===== ICE Candidate Management =====
   async addIceCandidates(
@@ -317,273 +393,247 @@ export class SQLiteStorage implements Storage {
     }));
   }
-  // ===== Username Management =====
-  async claimUsername(request: ClaimUsernameRequest): Promise<Username> {
-    const now = Date.now();
-    const expiresAt = now + YEAR_IN_MS;
+  async getIceCandidatesForMultipleOffers(
+    offerIds: string[],
+    username: string,
+    since?: number
+  ): Promise<Map<string, IceCandidate[]>> {
+    const result = new Map<string, IceCandidate[]>();
-    // Try to insert or update
-    const stmt = this.db.prepare(`
-      INSERT INTO usernames (username, public_key, claimed_at, expires_at, last_used, metadata)
-      VALUES (?, ?, ?, ?, ?, NULL)
-      ON CONFLICT(username) DO UPDATE SET
-        expires_at = ?,
-        last_used = ?
-      WHERE public_key = ?
-    `);
+    // Return empty map if no offer IDs provided
+    if (offerIds.length === 0) {
+      return result;
+    }
-    const result = stmt.run(
-      request.username,
-      request.publicKey,
-      now,
-      expiresAt,
-      now,
-      expiresAt,
-      now,
-      request.publicKey
-    );
+    // Validate array contains only strings
+    if (!Array.isArray(offerIds) || !offerIds.every(id => typeof id === 'string')) {
+      throw new Error('Invalid offer IDs: must be array of strings');
+    }
-    if (result.changes === 0) {
-      throw new Error('Username already claimed by different public key');
+    // Prevent DoS attacks from extremely large IN clauses
+    if (offerIds.length > 1000) {
+      throw new Error('Too many offer IDs (max 1000)');
     }
-    return {
-      username: request.username,
-      publicKey: request.publicKey,
-      claimedAt: now,
-      expiresAt,
-      lastUsed: now,
-    };
-  }
+    // Build query that fetches candidates from the OTHER peer only
+    // For each offer, determine if user is offerer or answerer and get opposite role
+    const placeholders = offerIds.map(() => '?').join(',');
-  async getUsername(username: string): Promise<Username | null> {
-    const stmt = this.db.prepare(`
-      SELECT * FROM usernames
-      WHERE username = ? AND expires_at > ?
-    `);
+    let query = `
+      SELECT ic.*, o.username as offer_username
+      FROM ice_candidates ic
+      INNER JOIN offers o ON o.id = ic.offer_id
+      WHERE ic.offer_id IN (${placeholders})
+      AND (
+        (o.username = ? AND ic.role = 'answerer')
+        OR (o.answerer_username = ? AND ic.role = 'offerer')
+      )
+    `;
-    const row = stmt.get(username, Date.now()) as any;
+    const params: any[] = [...offerIds, username, username];
-    if (!row) {
-      return null;
+    if (since !== undefined) {
+      query += ' AND ic.created_at > ?';
+      params.push(since);
     }
-    return {
-      username: row.username,
-      publicKey: row.public_key,
-      claimedAt: row.claimed_at,
-      expiresAt: row.expires_at,
-      lastUsed: row.last_used,
-      metadata: row.metadata || undefined,
-    };
-  }
+    query += ' ORDER BY ic.created_at ASC';
-  async touchUsername(username: string): Promise<boolean> {
-    const now = Date.now();
-    const expiresAt = now + YEAR_IN_MS;
+    const stmt = this.db.prepare(query);
+    const rows = stmt.all(...params) as any[];
-    const stmt = this.db.prepare(`
-      UPDATE usernames
-      SET last_used = ?, expires_at = ?
-      WHERE username = ? AND expires_at > ?
-    `);
+    // Group candidates by offer_id
+    for (const row of rows) {
+      const candidate: IceCandidate = {
+        id: row.id,
+        offerId: row.offer_id,
+        username: row.username,
+        role: row.role,
+        candidate: JSON.parse(row.candidate),
+        createdAt: row.created_at,
+      };
-    const result = stmt.run(now, expiresAt, username, now);
-    return result.changes > 0;
-  }
+      if (!result.has(row.offer_id)) {
+        result.set(row.offer_id, []);
+      }
+      result.get(row.offer_id)!.push(candidate);
+    }
-  async deleteExpiredUsernames(now: number): Promise<number> {
-    const stmt = this.db.prepare('DELETE FROM usernames WHERE expires_at < ?');
-    const result = stmt.run(now);
-    return result.changes;
+    return result;
   }
-  // ===== Service Management =====
+  // ===== Credential Management =====
-  async createService(request: CreateServiceRequest): Promise<{
-    service: Service;
-    offers: Offer[];
-  }> {
-    const serviceId = randomUUID();
+  async generateCredentials(request: GenerateCredentialsRequest): Promise<Credential> {
     const now = Date.now();
+    const expiresAt = request.expiresAt || (now + YEAR_IN_MS);
-    // Parse FQN to extract components
-    const parsed = parseServiceFqn(request.serviceFqn);
-    if (!parsed) {
-      throw new Error(`Invalid service FQN: ${request.serviceFqn}`);
-    }
-    if (!parsed.username) {
-      throw new Error(`Service FQN must include username: ${request.serviceFqn}`);
-    }
+    const { generateCredentialName, generateSecret } = await import('../crypto.ts');
-    const { serviceName, version, username } = parsed;
-    const transaction = this.db.transaction(() => {
-      // Delete existing service with same (service_name, version, username) and its related offers (upsert behavior)
-      const existingService = this.db.prepare(`
-        SELECT id FROM services
-        WHERE service_name = ? AND version = ? AND username = ?
-      `).get(serviceName, version, username) as any;
-      if (existingService) {
-        // Delete related offers first (no FK cascade from offers to services)
-        this.db.prepare(`
-          DELETE FROM offers WHERE service_id = ?
-        `).run(existingService.id);
-        // Delete the service
-        this.db.prepare(`
-          DELETE FROM services WHERE id = ?
-        `).run(existingService.id);
+    let name: string;
+    if (request.name) {
+      // User requested specific username - check if available
+      const existing = this.db.prepare(`
+        SELECT name FROM credentials WHERE name = ?
+      `).get(request.name);
+      if (existing) {
+        throw new Error('Username already taken');
       }
-      // Insert new service with extracted fields
-      this.db.prepare(`
-        INSERT INTO services (id, service_fqn, service_name, version, username, created_at, expires_at)
-        VALUES (?, ?, ?, ?, ?, ?, ?)
-      `).run(
-        serviceId,
-        request.serviceFqn,
-        serviceName,
-        version,
-        username,
-        now,
-        request.expiresAt
-      );
+      name = request.name;
+    } else {
+      // Generate random name - retry until unique
+      let attempts = 0;
+      const maxAttempts = 100;
-      // Touch username to extend expiry (inline logic)
-      const expiresAt = now + YEAR_IN_MS;
-      this.db.prepare(`
-        UPDATE usernames
-        SET last_used = ?, expires_at = ?
-        WHERE username = ? AND expires_at > ?
-      `).run(now, expiresAt, username, now);
-    });
+      while (attempts < maxAttempts) {
+        name = generateCredentialName();
-    transaction();
+        const existing = this.db.prepare(`
+          SELECT name FROM credentials WHERE name = ?
+        `).get(name);
-    // Create offers with serviceId (after transaction)
-    const offerRequests = request.offers.map(offer => ({
-      ...offer,
-      serviceId,
-    }));
-    const offers = await this.createOffers(offerRequests);
+        if (!existing) {
+          break;
+        }
-    return {
-      service: {
-        id: serviceId,
-        serviceFqn: request.serviceFqn,
-        serviceName,
-        version,
-        username,
-        createdAt: now,
-        expiresAt: request.expiresAt,
-      },
-      offers,
-    };
-  }
+        attempts++;
+      }
-  async getOffersForService(serviceId: string): Promise<Offer[]> {
-    const stmt = this.db.prepare(`
-      SELECT * FROM offers
-      WHERE service_id = ? AND expires_at > ?
-      ORDER BY created_at ASC
-    `);
+      if (attempts >= maxAttempts) {
+        throw new Error(`Failed to generate unique credential name after ${maxAttempts} attempts`);
+      }
+    }
-    const rows = stmt.all(serviceId, Date.now()) as any[];
-    return rows.map(row => this.rowToOffer(row));
-  }
+    const secret = generateSecret();
+    // Encrypt secret before storing (AES-256-GCM)
+    const { encryptSecret } = await import('../crypto.ts');
+    const encryptedSecret = await encryptSecret(secret, this.masterEncryptionKey);
-  async getServiceById(serviceId: string): Promise<Service | null> {
+    // Insert credential with encrypted secret
     const stmt = this.db.prepare(`
-      SELECT * FROM services
-      WHERE id = ? AND expires_at > ?
+      INSERT INTO credentials (name, secret, created_at, expires_at, last_used)
+      VALUES (?, ?, ?, ?, ?)
     `);
-    const row = stmt.get(serviceId, Date.now()) as any;
-    if (!row) {
-      return null;
-    }
+    stmt.run(name!, encryptedSecret, now, expiresAt, now);
-    return this.rowToService(row);
+    // Return plaintext secret to user (only time they'll see it)
+    return {
+      name: name!,
+      secret, // Return plaintext secret, not encrypted
+      createdAt: now,
+      expiresAt,
+      lastUsed: now,
+    };
   }
-  async getServiceByFqn(serviceFqn: string): Promise<Service | null> {
+  async getCredential(name: string): Promise<Credential | null> {
     const stmt = this.db.prepare(`
-      SELECT * FROM services
-      WHERE service_fqn = ? AND expires_at > ?
+      SELECT * FROM credentials
+      WHERE name = ? AND expires_at > ?
     `);
-    const row = stmt.get(serviceFqn, Date.now()) as any;
+    const row = stmt.get(name, Date.now()) as any;
     if (!row) {
       return null;
     }
-    return this.rowToService(row);
+    // Decrypt secret before returning
+    // If decryption fails (e.g., master key rotated), treat as credential not found
+    try {
+      const { decryptSecret } = await import('../crypto.ts');
+      const decryptedSecret = await decryptSecret(row.secret, this.masterEncryptionKey);
+      return {
+        name: row.name,
+        secret: decryptedSecret, // Return decrypted secret
+        createdAt: row.created_at,
+        expiresAt: row.expires_at,
+        lastUsed: row.last_used,
+      };
+    } catch (error) {
+      console.error(`Failed to decrypt secret for credential '${name}':`, error);
+      return null; // Treat as credential not found (fail-safe behavior)
+    }
   }
-  async discoverServices(
-    serviceName: string,
-    version: string,
-    limit: number,
-    offset: number
-  ): Promise<Service[]> {
-    // Query for unique services with available offers
-    // We join with offers and filter for available ones (answerer_username IS NULL)
+  async updateCredentialUsage(name: string, lastUsed: number, expiresAt: number): Promise<void> {
     const stmt = this.db.prepare(`
-      SELECT DISTINCT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY s.created_at DESC
-      LIMIT ? OFFSET ?
+      UPDATE credentials
+      SET last_used = ?, expires_at = ?
+      WHERE name = ?
     `);
-    const rows = stmt.all(serviceName, version, Date.now(), Date.now(), limit, offset) as any[];
-    return rows.map(row => this.rowToService(row));
+    stmt.run(lastUsed, expiresAt, name);
   }
-  async getRandomService(serviceName: string, version: string): Promise<Service | null> {
-    // Get a random service with an available offer
-    const stmt = this.db.prepare(`
-      SELECT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY RANDOM()
-      LIMIT 1
-    `);
+  async deleteExpiredCredentials(now: number): Promise<number> {
+    const stmt = this.db.prepare('DELETE FROM credentials WHERE expires_at < ?');
+    const result = stmt.run(now);
+    return result.changes;
+  }
-    const row = stmt.get(serviceName, version, Date.now(), Date.now()) as any;
+  // ===== Rate Limiting =====
-    if (!row) {
-      return null;
-    }
+  async checkRateLimit(identifier: string, limit: number, windowMs: number): Promise<boolean> {
+    const now = Date.now();
+    const resetTime = now + windowMs;
+    // Atomic UPSERT: Insert or increment count, reset if expired
+    // This prevents TOCTOU race conditions by doing check+increment in single operation
+    const result = this.db.prepare(`
+      INSERT INTO rate_limits (identifier, count, reset_time)
+      VALUES (?, 1, ?)
+      ON CONFLICT(identifier) DO UPDATE SET
+        count = CASE
+          WHEN reset_time < ? THEN 1
+          ELSE count + 1
+        END,
+        reset_time = CASE
+          WHEN reset_time < ? THEN ?
+          ELSE reset_time
+        END
+      RETURNING count
+    `).get(identifier, resetTime, now, now, resetTime) as { count: number };
+    // Check if limit exceeded
+    return result.count <= limit;
+  }
-    return this.rowToService(row);
+  async deleteExpiredRateLimits(now: number): Promise<number> {
+    const stmt = this.db.prepare('DELETE FROM rate_limits WHERE reset_time < ?');
+    const result = stmt.run(now);
+    return result.changes;
   }
-  async deleteService(serviceId: string, username: string): Promise<boolean> {
-    const stmt = this.db.prepare(`
-      DELETE FROM services
-      WHERE id = ? AND username = ?
-    `);
+  // ===== Nonce Tracking (Replay Protection) =====
-    const result = stmt.run(serviceId, username);
-    return result.changes > 0;
+  async checkAndMarkNonce(nonceKey: string, expiresAt: number): Promise<boolean> {
+    try {
+      // Atomic INSERT - if nonce already exists, this will fail with UNIQUE constraint
+      // This prevents replay attacks by ensuring each nonce is only used once
+      const stmt = this.db.prepare(`
+        INSERT INTO nonces (nonce_key, expires_at)
+        VALUES (?, ?)
+      `);
+      stmt.run(nonceKey, expiresAt);
+      return true; // Nonce is new, request allowed
+    } catch (error: any) {
+      // SQLITE_CONSTRAINT error code for UNIQUE constraint violation
+      if (error?.code === 'SQLITE_CONSTRAINT') {
+        return false; // Nonce already used, replay attack detected
+      }
+      throw error; // Other errors should propagate
+    }
   }
-  async deleteExpiredServices(now: number): Promise<number> {
-    const stmt = this.db.prepare('DELETE FROM services WHERE expires_at < ?');
+  async deleteExpiredNonces(now: number): Promise<number> {
+    const stmt = this.db.prepare('DELETE FROM nonces WHERE expires_at < ?');
     const result = stmt.run(now);
     return result.changes;
   }
@@ -601,8 +651,7 @@ export class SQLiteStorage implements Storage {
     return {
       id: row.id,
       username: row.username,
-      serviceId: row.service_id || undefined,
-      serviceFqn: row.service_fqn || undefined,
+      tags: JSON.parse(row.tags),
       sdp: row.sdp,
       createdAt: row.created_at,
       expiresAt: row.expires_at,
@@ -612,19 +661,4 @@ export class SQLiteStorage implements Storage {
       answeredAt: row.answered_at || undefined,
     };
   }
-  /**
-   * Helper method to convert database row to Service object
-   */
-  private rowToService(row: any): Service {
-    return {
-      id: row.id,
-      serviceFqn: row.service_fqn,
-      serviceName: row.service_name,
-      version: row.version,
-      username: row.username,
-      createdAt: row.created_at,
-      expiresAt: row.expires_at,
-    };
-  }
 }