npm - @xtr-dev/rondevu-server - Versions diffs - 0.5.0 → 0.5.6 - Mend

@xtr-dev/rondevu-server 0.5.0 → 0.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/.github/workflows/claude-code-review.yml +57 -0
package/.github/workflows/claude.yml +50 -0
package/.idea/modules.xml +8 -0
package/.idea/rondevu-server.iml +8 -0
package/.idea/workspace.xml +17 -0
package/README.md +80 -199
package/build.js +4 -1
package/dist/index.js +2755 -1448
package/dist/index.js.map +4 -4
package/migrations/fresh_schema.sql +36 -41
package/package.json +10 -4
package/src/app.ts +38 -18
package/src/config.ts +155 -9
package/src/crypto.ts +362 -265
package/src/index.ts +20 -25
package/src/rpc.ts +658 -405
package/src/storage/d1.ts +312 -263
package/src/storage/factory.ts +69 -0
package/src/storage/hash-id.ts +13 -9
package/src/storage/memory.ts +559 -0
package/src/storage/mysql.ts +588 -0
package/src/storage/postgres.ts +595 -0
package/src/storage/schemas/mysql.sql +59 -0
package/src/storage/schemas/postgres.sql +64 -0
package/src/storage/sqlite.ts +303 -269
package/src/storage/types.ts +113 -113
package/src/worker.ts +15 -34
package/tests/integration/api.test.ts +395 -0
package/tests/integration/setup.ts +170 -0
package/wrangler.toml +25 -26
package/ADVANCED.md +0 -502

package/dist/index.js CHANGED Viewed

@@ -5,22 +5,2183 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
 var __copyProps = (to, from, except, desc) => {
   if (from && typeof from === "object" || typeof from === "function") {
     for (let key of __getOwnPropNames(from))
       if (!__hasOwnProp.call(to, key) && key !== except)
         __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
   }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+// src/crypto.ts
+var crypto_exports = {};
+__export(crypto_exports, {
+  buildSignatureMessage: () => buildSignatureMessage,
+  decryptSecret: () => decryptSecret,
+  encryptSecret: () => encryptSecret,
+  generateCredentialName: () => generateCredentialName,
+  generateSecret: () => generateSecret,
+  generateSignature: () => generateSignature,
+  validateTag: () => validateTag,
+  validateTags: () => validateTags,
+  validateUsername: () => validateUsername,
+  verifySignature: () => verifySignature
+});
+function generateCredentialName() {
+  const adjectives = [
+    "brave",
+    "calm",
+    "eager",
+    "fancy",
+    "gentle",
+    "happy",
+    "jolly",
+    "kind",
+    "lively",
+    "merry",
+    "nice",
+    "proud",
+    "quiet",
+    "swift",
+    "witty",
+    "young",
+    "bright",
+    "clever",
+    "daring",
+    "fair",
+    "grand",
+    "humble",
+    "noble",
+    "quick"
+  ];
+  const nouns = [
+    "tiger",
+    "eagle",
+    "river",
+    "mountain",
+    "ocean",
+    "forest",
+    "desert",
+    "valley",
+    "thunder",
+    "wind",
+    "fire",
+    "stone",
+    "cloud",
+    "star",
+    "moon",
+    "sun",
+    "wolf",
+    "bear",
+    "hawk",
+    "lion",
+    "fox",
+    "deer",
+    "owl",
+    "swan"
+  ];
+  const adjective = adjectives[Math.floor(Math.random() * adjectives.length)];
+  const noun = nouns[Math.floor(Math.random() * nouns.length)];
+  const random = crypto.getRandomValues(new Uint8Array(8));
+  const hex = Array.from(random).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `${adjective}-${noun}-${hex}`;
+}
+function generateSecret() {
+  const bytes = crypto.getRandomValues(new Uint8Array(32));
+  const secret = Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  if (secret.length !== 64) {
+    throw new Error("Secret generation failed: invalid length");
+  }
+  for (let i = 0; i < secret.length; i++) {
+    const c = secret[i];
+    if ((c < "0" || c > "9") && (c < "a" || c > "f")) {
+      throw new Error(`Secret generation failed: invalid hex character at position ${i}: '${c}'`);
+    }
+  }
+  return secret;
+}
+function hexToBytes(hex) {
+  if (hex.length % 2 !== 0) {
+    throw new Error("Hex string must have even length");
+  }
+  for (let i = 0; i < hex.length; i++) {
+    const c = hex[i].toLowerCase();
+    if ((c < "0" || c > "9") && (c < "a" || c > "f")) {
+      throw new Error(`Invalid hex character at position ${i}: '${hex[i]}'`);
+    }
+  }
+  const match = hex.match(/.{1,2}/g);
+  if (!match) {
+    throw new Error("Invalid hex string format");
+  }
+  return new Uint8Array(match.map((byte) => {
+    const parsed = parseInt(byte, 16);
+    if (isNaN(parsed)) {
+      throw new Error(`Invalid hex byte: ${byte}`);
+    }
+    return parsed;
+  }));
+}
+async function encryptSecret(secret, masterKeyHex) {
+  if (!masterKeyHex || masterKeyHex.length !== 64) {
+    throw new Error("Master key must be 64-character hex string (32 bytes)");
+  }
+  const keyBytes = hexToBytes(masterKeyHex);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyBytes,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt"]
+  );
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const encoder = new TextEncoder();
+  const secretBytes = encoder.encode(secret);
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv, tagLength: 128 },
+    key,
+    secretBytes
+  );
+  const ivHex = Array.from(iv).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const ciphertextHex = Array.from(new Uint8Array(ciphertext)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `${ivHex}:${ciphertextHex}`;
+}
+async function decryptSecret(encryptedSecret, masterKeyHex) {
+  if (!masterKeyHex || masterKeyHex.length !== 64) {
+    throw new Error("Master key must be 64-character hex string (32 bytes)");
+  }
+  const parts = encryptedSecret.split(":");
+  if (parts.length !== 2) {
+    throw new Error("Invalid encrypted secret format (expected iv:ciphertext)");
+  }
+  const [ivHex, ciphertextHex] = parts;
+  if (ivHex.length !== 24) {
+    throw new Error("Invalid IV length (expected 12 bytes = 24 hex characters)");
+  }
+  if (ciphertextHex.length < 32) {
+    throw new Error("Invalid ciphertext length (must include 16-byte auth tag)");
+  }
+  const iv = hexToBytes(ivHex);
+  const ciphertext = hexToBytes(ciphertextHex);
+  const keyBytes = hexToBytes(masterKeyHex);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    keyBytes,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["decrypt"]
+  );
+  const decryptedBytes = await crypto.subtle.decrypt(
+    { name: "AES-GCM", iv, tagLength: 128 },
+    key,
+    ciphertext
+  );
+  const decoder = new TextDecoder();
+  return decoder.decode(decryptedBytes);
+}
+async function generateSignature(secret, message) {
+  const secretBytes = hexToBytes(secret);
+  const key = await crypto.subtle.importKey(
+    "raw",
+    secretBytes,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const encoder = new TextEncoder();
+  const messageBytes = encoder.encode(message);
+  const signatureBytes = await crypto.subtle.sign("HMAC", key, messageBytes);
+  return import_node_buffer.Buffer.from(signatureBytes).toString("base64");
+}
+async function verifySignature(secret, message, signature) {
+  try {
+    const secretBytes = hexToBytes(secret);
+    const key = await crypto.subtle.importKey(
+      "raw",
+      secretBytes,
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["verify"]
+    );
+    const encoder = new TextEncoder();
+    const messageBytes = encoder.encode(message);
+    const signatureBytes = import_node_buffer.Buffer.from(signature, "base64");
+    return await crypto.subtle.verify("HMAC", key, signatureBytes, messageBytes);
+  } catch (error) {
+    console.error("Signature verification error:", error);
+    return false;
+  }
+}
+function canonicalJSON(obj, depth = 0) {
+  const MAX_DEPTH = 100;
+  if (depth > MAX_DEPTH) {
+    throw new Error("Object nesting too deep for canonicalization");
+  }
+  if (obj === null) return "null";
+  if (obj === void 0) return JSON.stringify(void 0);
+  const type = typeof obj;
+  if (type === "function") throw new Error("Functions are not supported in RPC parameters");
+  if (type === "symbol" || type === "bigint") throw new Error(`${type} is not supported in RPC parameters`);
+  if (type === "number" && !Number.isFinite(obj)) throw new Error("NaN and Infinity are not supported in RPC parameters");
+  if (type !== "object") return JSON.stringify(obj);
+  if (Array.isArray(obj)) {
+    return "[" + obj.map((item) => canonicalJSON(item, depth + 1)).join(",") + "]";
+  }
+  const sortedKeys = Object.keys(obj).sort();
+  const pairs = sortedKeys.map((key) => JSON.stringify(key) + ":" + canonicalJSON(obj[key], depth + 1));
+  return "{" + pairs.join(",") + "}";
+}
+function buildSignatureMessage(timestamp, nonce, method, params) {
+  if (nonce.length !== 36) {
+    throw new Error("Nonce must be a valid UUID v4 (use crypto.randomUUID())");
+  }
+  if (nonce[8] !== "-" || nonce[13] !== "-" || nonce[18] !== "-" || nonce[23] !== "-") {
+    throw new Error("Nonce must be a valid UUID v4 (use crypto.randomUUID())");
+  }
+  if (nonce[14] !== "4") {
+    throw new Error("Nonce must be a valid UUID v4 (use crypto.randomUUID())");
+  }
+  const variant = nonce[19].toLowerCase();
+  if (variant !== "8" && variant !== "9" && variant !== "a" && variant !== "b") {
+    throw new Error("Nonce must be a valid UUID v4 (use crypto.randomUUID())");
+  }
+  const hexChars = nonce.replace(/-/g, "");
+  for (let i = 0; i < hexChars.length; i++) {
+    const c = hexChars[i].toLowerCase();
+    if ((c < "0" || c > "9") && (c < "a" || c > "f")) {
+      throw new Error("Nonce must be a valid UUID v4 (use crypto.randomUUID())");
+    }
+  }
+  const paramsStr = canonicalJSON(params || {});
+  return `${timestamp}:${nonce}:${method}:${paramsStr}`;
+}
+function validateUsername(username) {
+  if (typeof username !== "string") {
+    return { valid: false, error: "Username must be a string" };
+  }
+  if (username.length < USERNAME_MIN_LENGTH) {
+    return { valid: false, error: `Username must be at least ${USERNAME_MIN_LENGTH} characters` };
+  }
+  if (username.length > USERNAME_MAX_LENGTH) {
+    return { valid: false, error: `Username must be at most ${USERNAME_MAX_LENGTH} characters` };
+  }
+  if (!USERNAME_REGEX.test(username)) {
+    return { valid: false, error: "Username must be lowercase alphanumeric with optional dashes/periods, and start/end with alphanumeric" };
+  }
+  return { valid: true };
+}
+function validateTag(tag) {
+  if (typeof tag !== "string") {
+    return { valid: false, error: "Tag must be a string" };
+  }
+  if (tag.length < TAG_MIN_LENGTH) {
+    return { valid: false, error: `Tag must be at least ${TAG_MIN_LENGTH} character` };
+  }
+  if (tag.length > TAG_MAX_LENGTH) {
+    return { valid: false, error: `Tag must be at most ${TAG_MAX_LENGTH} characters` };
+  }
+  if (tag.length === 1) {
+    if (!/^[a-z0-9]$/.test(tag)) {
+      return { valid: false, error: "Tag must be lowercase alphanumeric" };
+    }
+    return { valid: true };
+  }
+  if (!TAG_REGEX.test(tag)) {
+    return { valid: false, error: "Tag must be lowercase alphanumeric with optional dots/dashes, and start/end with alphanumeric" };
+  }
+  return { valid: true };
+}
+function validateTags(tags, maxTags = 20) {
+  if (!Array.isArray(tags)) {
+    return { valid: false, error: "Tags must be an array" };
+  }
+  if (tags.length === 0) {
+    return { valid: false, error: "At least one tag is required" };
+  }
+  if (tags.length > maxTags) {
+    return { valid: false, error: `Maximum ${maxTags} tags allowed` };
+  }
+  for (let i = 0; i < tags.length; i++) {
+    const result = validateTag(tags[i]);
+    if (!result.valid) {
+      return { valid: false, error: `Tag ${i + 1}: ${result.error}` };
+    }
+  }
+  const uniqueTags = new Set(tags);
+  if (uniqueTags.size !== tags.length) {
+    return { valid: false, error: "Duplicate tags are not allowed" };
+  }
+  return { valid: true };
+}
+var import_node_buffer, USERNAME_REGEX, USERNAME_MIN_LENGTH, USERNAME_MAX_LENGTH, TAG_MIN_LENGTH, TAG_MAX_LENGTH, TAG_REGEX;
+var init_crypto = __esm({
+  "src/crypto.ts"() {
+    "use strict";
+    import_node_buffer = require("node:buffer");
+    USERNAME_REGEX = /^[a-z0-9][a-z0-9.-]*[a-z0-9]$/;
+    USERNAME_MIN_LENGTH = 4;
+    USERNAME_MAX_LENGTH = 32;
+    TAG_MIN_LENGTH = 1;
+    TAG_MAX_LENGTH = 64;
+    TAG_REGEX = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/;
+  }
+});
+// src/storage/hash-id.ts
+async function generateOfferHash(sdp) {
+  const randomBytes = crypto.getRandomValues(new Uint8Array(8));
+  const randomHex = Array.from(randomBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const hashInput = {
+    sdp,
+    timestamp: Date.now(),
+    nonce: randomHex
+  };
+  const jsonString = JSON.stringify(hashInput);
+  const encoder = new TextEncoder();
+  const data = encoder.encode(jsonString);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+  return hashHex;
+}
+var init_hash_id = __esm({
+  "src/storage/hash-id.ts"() {
+    "use strict";
+  }
+});
+// src/storage/memory.ts
+var memory_exports = {};
+__export(memory_exports, {
+  MemoryStorage: () => MemoryStorage
+});
+var YEAR_IN_MS, MemoryStorage;
+var init_memory = __esm({
+  "src/storage/memory.ts"() {
+    "use strict";
+    init_hash_id();
+    YEAR_IN_MS = 365 * 24 * 60 * 60 * 1e3;
+    MemoryStorage = class {
+      constructor(masterEncryptionKey) {
+        // Primary storage
+        this.credentials = /* @__PURE__ */ new Map();
+        this.offers = /* @__PURE__ */ new Map();
+        this.iceCandidates = /* @__PURE__ */ new Map();
+        // offerId → candidates
+        this.rateLimits = /* @__PURE__ */ new Map();
+        this.nonces = /* @__PURE__ */ new Map();
+        // Secondary indexes for efficient lookups
+        this.offersByUsername = /* @__PURE__ */ new Map();
+        // username → offer IDs
+        this.offersByTag = /* @__PURE__ */ new Map();
+        // tag → offer IDs
+        this.offersByAnswerer = /* @__PURE__ */ new Map();
+        // answerer username → offer IDs
+        // Auto-increment counter for ICE candidates
+        this.iceCandidateIdCounter = 0;
+        this.masterEncryptionKey = masterEncryptionKey;
+      }
+      // ===== Offer Management =====
+      async createOffers(offers) {
+        const created = [];
+        const now = Date.now();
+        for (const request of offers) {
+          const id = request.id || await generateOfferHash(request.sdp);
+          const offer = {
+            id,
+            username: request.username,
+            tags: request.tags,
+            sdp: request.sdp,
+            createdAt: now,
+            expiresAt: request.expiresAt,
+            lastSeen: now
+          };
+          this.offers.set(id, offer);
+          if (!this.offersByUsername.has(request.username)) {
+            this.offersByUsername.set(request.username, /* @__PURE__ */ new Set());
+          }
+          this.offersByUsername.get(request.username).add(id);
+          for (const tag of request.tags) {
+            if (!this.offersByTag.has(tag)) {
+              this.offersByTag.set(tag, /* @__PURE__ */ new Set());
+            }
+            this.offersByTag.get(tag).add(id);
+          }
+          created.push(offer);
+        }
+        return created;
+      }
+      async getOffersByUsername(username) {
+        const now = Date.now();
+        const offerIds = this.offersByUsername.get(username);
+        if (!offerIds) return [];
+        const offers = [];
+        for (const id of offerIds) {
+          const offer = this.offers.get(id);
+          if (offer && offer.expiresAt > now) {
+            offers.push(offer);
+          }
+        }
+        return offers.sort((a, b) => b.lastSeen - a.lastSeen);
+      }
+      async getOfferById(offerId) {
+        const offer = this.offers.get(offerId);
+        if (!offer || offer.expiresAt <= Date.now()) {
+          return null;
+        }
+        return offer;
+      }
+      async deleteOffer(offerId, ownerUsername) {
+        const offer = this.offers.get(offerId);
+        if (!offer || offer.username !== ownerUsername) {
+          return false;
+        }
+        this.removeOfferFromIndexes(offer);
+        this.offers.delete(offerId);
+        this.iceCandidates.delete(offerId);
+        return true;
+      }
+      async deleteExpiredOffers(now) {
+        let count = 0;
+        for (const [id, offer] of this.offers) {
+          if (offer.expiresAt < now) {
+            this.removeOfferFromIndexes(offer);
+            this.offers.delete(id);
+            this.iceCandidates.delete(id);
+            count++;
+          }
+        }
+        return count;
+      }
+      async answerOffer(offerId, answererUsername, answerSdp) {
+        const offer = await this.getOfferById(offerId);
+        if (!offer) {
+          return { success: false, error: "Offer not found or expired" };
+        }
+        if (offer.answererUsername) {
+          return { success: false, error: "Offer already answered" };
+        }
+        const now = Date.now();
+        offer.answererUsername = answererUsername;
+        offer.answerSdp = answerSdp;
+        offer.answeredAt = now;
+        if (!this.offersByAnswerer.has(answererUsername)) {
+          this.offersByAnswerer.set(answererUsername, /* @__PURE__ */ new Set());
+        }
+        this.offersByAnswerer.get(answererUsername).add(offerId);
+        return { success: true };
+      }
+      async getAnsweredOffers(offererUsername) {
+        const now = Date.now();
+        const offerIds = this.offersByUsername.get(offererUsername);
+        if (!offerIds) return [];
+        const offers = [];
+        for (const id of offerIds) {
+          const offer = this.offers.get(id);
+          if (offer && offer.answererUsername && offer.expiresAt > now) {
+            offers.push(offer);
+          }
+        }
+        return offers.sort((a, b) => (b.answeredAt || 0) - (a.answeredAt || 0));
+      }
+      async getOffersAnsweredBy(answererUsername) {
+        const now = Date.now();
+        const offerIds = this.offersByAnswerer.get(answererUsername);
+        if (!offerIds) return [];
+        const offers = [];
+        for (const id of offerIds) {
+          const offer = this.offers.get(id);
+          if (offer && offer.expiresAt > now) {
+            offers.push(offer);
+          }
+        }
+        return offers.sort((a, b) => (b.answeredAt || 0) - (a.answeredAt || 0));
+      }
+      // ===== Discovery =====
+      async discoverOffers(tags, excludeUsername, limit, offset) {
+        if (tags.length === 0) return [];
+        const now = Date.now();
+        const matchingOfferIds = /* @__PURE__ */ new Set();
+        for (const tag of tags) {
+          const offerIds = this.offersByTag.get(tag);
+          if (offerIds) {
+            for (const id of offerIds) {
+              matchingOfferIds.add(id);
+            }
+          }
+        }
+        const offers = [];
+        for (const id of matchingOfferIds) {
+          const offer = this.offers.get(id);
+          if (offer && offer.expiresAt > now && !offer.answererUsername && (!excludeUsername || offer.username !== excludeUsername)) {
+            offers.push(offer);
+          }
+        }
+        offers.sort((a, b) => b.createdAt - a.createdAt);
+        return offers.slice(offset, offset + limit);
+      }
+      async getRandomOffer(tags, excludeUsername) {
+        if (tags.length === 0) return null;
+        const now = Date.now();
+        const matchingOffers = [];
+        const matchingOfferIds = /* @__PURE__ */ new Set();
+        for (const tag of tags) {
+          const offerIds = this.offersByTag.get(tag);
+          if (offerIds) {
+            for (const id of offerIds) {
+              matchingOfferIds.add(id);
+            }
+          }
+        }
+        for (const id of matchingOfferIds) {
+          const offer = this.offers.get(id);
+          if (offer && offer.expiresAt > now && !offer.answererUsername && (!excludeUsername || offer.username !== excludeUsername)) {
+            matchingOffers.push(offer);
+          }
+        }
+        if (matchingOffers.length === 0) return null;
+        const randomIndex = Math.floor(Math.random() * matchingOffers.length);
+        return matchingOffers[randomIndex];
+      }
+      // ===== ICE Candidate Management =====
+      async addIceCandidates(offerId, username, role, candidates) {
+        const baseTimestamp = Date.now();
+        if (!this.iceCandidates.has(offerId)) {
+          this.iceCandidates.set(offerId, []);
+        }
+        const candidateList = this.iceCandidates.get(offerId);
+        for (let i = 0; i < candidates.length; i++) {
+          const candidate = {
+            id: ++this.iceCandidateIdCounter,
+            offerId,
+            username,
+            role,
+            candidate: candidates[i],
+            createdAt: baseTimestamp + i
+          };
+          candidateList.push(candidate);
+        }
+        return candidates.length;
+      }
+      async getIceCandidates(offerId, targetRole, since) {
+        const candidates = this.iceCandidates.get(offerId) || [];
+        return candidates.filter((c) => c.role === targetRole && (since === void 0 || c.createdAt > since)).sort((a, b) => a.createdAt - b.createdAt);
+      }
+      async getIceCandidatesForMultipleOffers(offerIds, username, since) {
+        const result = /* @__PURE__ */ new Map();
+        if (offerIds.length === 0) return result;
+        if (offerIds.length > 1e3) {
+          throw new Error("Too many offer IDs (max 1000)");
+        }
+        for (const offerId of offerIds) {
+          const offer = this.offers.get(offerId);
+          if (!offer) continue;
+          const candidates = this.iceCandidates.get(offerId) || [];
+          const isOfferer = offer.username === username;
+          const isAnswerer = offer.answererUsername === username;
+          if (!isOfferer && !isAnswerer) continue;
+          const targetRole = isOfferer ? "answerer" : "offerer";
+          const filteredCandidates = candidates.filter((c) => c.role === targetRole && (since === void 0 || c.createdAt > since)).sort((a, b) => a.createdAt - b.createdAt);
+          if (filteredCandidates.length > 0) {
+            result.set(offerId, filteredCandidates);
+          }
+        }
+        return result;
+      }
+      // ===== Credential Management =====
+      async generateCredentials(request) {
+        const now = Date.now();
+        const expiresAt = request.expiresAt || now + YEAR_IN_MS;
+        const { generateCredentialName: generateCredentialName2, generateSecret: generateSecret2, encryptSecret: encryptSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+        let name;
+        if (request.name) {
+          if (this.credentials.has(request.name)) {
+            throw new Error("Username already taken");
+          }
+          name = request.name;
+        } else {
+          let attempts = 0;
+          const maxAttempts = 100;
+          while (attempts < maxAttempts) {
+            name = generateCredentialName2();
+            if (!this.credentials.has(name)) break;
+            attempts++;
+          }
+          if (attempts >= maxAttempts) {
+            throw new Error(`Failed to generate unique credential name after ${maxAttempts} attempts`);
+          }
+        }
+        const secret = generateSecret2();
+        const encryptedSecret = await encryptSecret2(secret, this.masterEncryptionKey);
+        const credential = {
+          name,
+          secret: encryptedSecret,
+          createdAt: now,
+          expiresAt,
+          lastUsed: now
+        };
+        this.credentials.set(name, credential);
+        return {
+          ...credential,
+          secret
+          // Return plaintext, not encrypted
+        };
+      }
+      async getCredential(name) {
+        const credential = this.credentials.get(name);
+        if (!credential || credential.expiresAt <= Date.now()) {
+          return null;
+        }
+        try {
+          const { decryptSecret: decryptSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+          const decryptedSecret = await decryptSecret2(credential.secret, this.masterEncryptionKey);
+          return {
+            ...credential,
+            secret: decryptedSecret
+          };
+        } catch (error) {
+          console.error(`Failed to decrypt secret for credential '${name}':`, error);
+          return null;
+        }
+      }
+      async updateCredentialUsage(name, lastUsed, expiresAt) {
+        const credential = this.credentials.get(name);
+        if (credential) {
+          credential.lastUsed = lastUsed;
+          credential.expiresAt = expiresAt;
+        }
+      }
+      async deleteExpiredCredentials(now) {
+        let count = 0;
+        for (const [name, credential] of this.credentials) {
+          if (credential.expiresAt < now) {
+            this.credentials.delete(name);
+            count++;
+          }
+        }
+        return count;
+      }
+      // ===== Rate Limiting =====
+      async checkRateLimit(identifier, limit, windowMs) {
+        const now = Date.now();
+        const existing = this.rateLimits.get(identifier);
+        if (!existing || existing.resetTime < now) {
+          this.rateLimits.set(identifier, {
+            count: 1,
+            resetTime: now + windowMs
+          });
+          return true;
+        }
+        existing.count++;
+        return existing.count <= limit;
+      }
+      async deleteExpiredRateLimits(now) {
+        let count = 0;
+        for (const [identifier, rateLimit] of this.rateLimits) {
+          if (rateLimit.resetTime < now) {
+            this.rateLimits.delete(identifier);
+            count++;
+          }
+        }
+        return count;
+      }
+      // ===== Nonce Tracking (Replay Protection) =====
+      async checkAndMarkNonce(nonceKey, expiresAt) {
+        if (this.nonces.has(nonceKey)) {
+          return false;
+        }
+        this.nonces.set(nonceKey, { expiresAt });
+        return true;
+      }
+      async deleteExpiredNonces(now) {
+        let count = 0;
+        for (const [key, entry] of this.nonces) {
+          if (entry.expiresAt < now) {
+            this.nonces.delete(key);
+            count++;
+          }
+        }
+        return count;
+      }
+      async close() {
+        this.credentials.clear();
+        this.offers.clear();
+        this.iceCandidates.clear();
+        this.rateLimits.clear();
+        this.nonces.clear();
+        this.offersByUsername.clear();
+        this.offersByTag.clear();
+        this.offersByAnswerer.clear();
+      }
+      // ===== Helper Methods =====
+      removeOfferFromIndexes(offer) {
+        const usernameOffers = this.offersByUsername.get(offer.username);
+        if (usernameOffers) {
+          usernameOffers.delete(offer.id);
+          if (usernameOffers.size === 0) {
+            this.offersByUsername.delete(offer.username);
+          }
+        }
+        for (const tag of offer.tags) {
+          const tagOffers = this.offersByTag.get(tag);
+          if (tagOffers) {
+            tagOffers.delete(offer.id);
+            if (tagOffers.size === 0) {
+              this.offersByTag.delete(tag);
+            }
+          }
+        }
+        if (offer.answererUsername) {
+          const answererOffers = this.offersByAnswerer.get(offer.answererUsername);
+          if (answererOffers) {
+            answererOffers.delete(offer.id);
+            if (answererOffers.size === 0) {
+              this.offersByAnswerer.delete(offer.answererUsername);
+            }
+          }
+        }
+      }
+    };
+  }
+});
+// src/storage/sqlite.ts
+var sqlite_exports = {};
+__export(sqlite_exports, {
+  SQLiteStorage: () => SQLiteStorage
+});
+var import_better_sqlite3, YEAR_IN_MS2, SQLiteStorage;
+var init_sqlite = __esm({
+  "src/storage/sqlite.ts"() {
+    "use strict";
+    import_better_sqlite3 = __toESM(require("better-sqlite3"));
+    init_hash_id();
+    YEAR_IN_MS2 = 365 * 24 * 60 * 60 * 1e3;
+    SQLiteStorage = class {
+      /**
+       * Creates a new SQLite storage instance
+       * @param path Path to SQLite database file, or ':memory:' for in-memory database
+       * @param masterEncryptionKey 64-char hex string for encrypting secrets (32 bytes)
+       */
+      constructor(path = ":memory:", masterEncryptionKey) {
+        this.db = new import_better_sqlite3.default(path);
+        this.masterEncryptionKey = masterEncryptionKey;
+        this.initializeDatabase();
+      }
+      /**
+       * Initializes database schema with tags-based offers
+       */
+      initializeDatabase() {
+        this.db.exec(`
+      -- WebRTC signaling offers with tags
+      CREATE TABLE IF NOT EXISTS offers (
+        id TEXT PRIMARY KEY,
+        username TEXT NOT NULL,
+        tags TEXT NOT NULL,
+        sdp TEXT NOT NULL,
+        created_at INTEGER NOT NULL,
+        expires_at INTEGER NOT NULL,
+        last_seen INTEGER NOT NULL,
+        answerer_username TEXT,
+        answer_sdp TEXT,
+        answered_at INTEGER
+      );
+      CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username);
+      CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
+      CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username);
+      -- ICE candidates table
+      CREATE TABLE IF NOT EXISTS ice_candidates (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        offer_id TEXT NOT NULL,
+        username TEXT NOT NULL,
+        role TEXT NOT NULL CHECK(role IN ('offerer', 'answerer')),
+        candidate TEXT NOT NULL,
+        created_at INTEGER NOT NULL,
+        FOREIGN KEY (offer_id) REFERENCES offers(id) ON DELETE CASCADE
+      );
+      CREATE INDEX IF NOT EXISTS idx_ice_offer ON ice_candidates(offer_id);
+      CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username);
+      CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
+      -- Credentials table (replaces usernames with simpler name + secret auth)
+      CREATE TABLE IF NOT EXISTS credentials (
+        name TEXT PRIMARY KEY,
+        secret TEXT NOT NULL UNIQUE,
+        created_at INTEGER NOT NULL,
+        expires_at INTEGER NOT NULL,
+        last_used INTEGER NOT NULL,
+        CHECK(length(name) >= 3 AND length(name) <= 32)
+      );
+      CREATE INDEX IF NOT EXISTS idx_credentials_expires ON credentials(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_credentials_secret ON credentials(secret);
+      -- Rate limits table (for distributed rate limiting)
+      CREATE TABLE IF NOT EXISTS rate_limits (
+        identifier TEXT PRIMARY KEY,
+        count INTEGER NOT NULL,
+        reset_time INTEGER NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_rate_limits_reset ON rate_limits(reset_time);
+      -- Nonces table (for replay attack prevention)
+      CREATE TABLE IF NOT EXISTS nonces (
+        nonce_key TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_nonces_expires ON nonces(expires_at);
+    `);
+        this.db.pragma("foreign_keys = ON");
+      }
+      // ===== Offer Management =====
+      async createOffers(offers) {
+        const created = [];
+        const offersWithIds = await Promise.all(
+          offers.map(async (offer) => ({
+            ...offer,
+            id: offer.id || await generateOfferHash(offer.sdp)
+          }))
+        );
+        const transaction = this.db.transaction((offersWithIds2) => {
+          const offerStmt = this.db.prepare(`
+        INSERT INTO offers (id, username, tags, sdp, created_at, expires_at, last_seen)
+        VALUES (?, ?, ?, ?, ?, ?, ?)
+      `);
+          for (const offer of offersWithIds2) {
+            const now = Date.now();
+            offerStmt.run(
+              offer.id,
+              offer.username,
+              JSON.stringify(offer.tags),
+              offer.sdp,
+              now,
+              offer.expiresAt,
+              now
+            );
+            created.push({
+              id: offer.id,
+              username: offer.username,
+              tags: offer.tags,
+              sdp: offer.sdp,
+              createdAt: now,
+              expiresAt: offer.expiresAt,
+              lastSeen: now
+            });
+          }
+        });
+        transaction(offersWithIds);
+        return created;
+      }
+      async getOffersByUsername(username) {
+        const stmt = this.db.prepare(`
+      SELECT * FROM offers
+      WHERE username = ? AND expires_at > ?
+      ORDER BY last_seen DESC
+    `);
+        const rows = stmt.all(username, Date.now());
+        return rows.map((row) => this.rowToOffer(row));
+      }
+      async getOfferById(offerId) {
+        const stmt = this.db.prepare(`
+      SELECT * FROM offers
+      WHERE id = ? AND expires_at > ?
+    `);
+        const row = stmt.get(offerId, Date.now());
+        if (!row) {
+          return null;
+        }
+        return this.rowToOffer(row);
+      }
+      async deleteOffer(offerId, ownerUsername) {
+        const stmt = this.db.prepare(`
+      DELETE FROM offers
+      WHERE id = ? AND username = ?
+    `);
+        const result = stmt.run(offerId, ownerUsername);
+        return result.changes > 0;
+      }
+      async deleteExpiredOffers(now) {
+        const stmt = this.db.prepare("DELETE FROM offers WHERE expires_at < ?");
+        const result = stmt.run(now);
+        return result.changes;
+      }
+      async answerOffer(offerId, answererUsername, answerSdp) {
+        const offer = await this.getOfferById(offerId);
+        if (!offer) {
+          return {
+            success: false,
+            error: "Offer not found or expired"
+          };
+        }
+        if (offer.answererUsername) {
+          return {
+            success: false,
+            error: "Offer already answered"
+          };
+        }
+        const stmt = this.db.prepare(`
+      UPDATE offers
+      SET answerer_username = ?, answer_sdp = ?, answered_at = ?
+      WHERE id = ? AND answerer_username IS NULL
+    `);
+        const result = stmt.run(answererUsername, answerSdp, Date.now(), offerId);
+        if (result.changes === 0) {
+          return {
+            success: false,
+            error: "Offer already answered (race condition)"
+          };
+        }
+        return { success: true };
+      }
+      async getAnsweredOffers(offererUsername) {
+        const stmt = this.db.prepare(`
+      SELECT * FROM offers
+      WHERE username = ? AND answerer_username IS NOT NULL AND expires_at > ?
+      ORDER BY answered_at DESC
+    `);
+        const rows = stmt.all(offererUsername, Date.now());
+        return rows.map((row) => this.rowToOffer(row));
+      }
+      async getOffersAnsweredBy(answererUsername) {
+        const stmt = this.db.prepare(`
+      SELECT * FROM offers
+      WHERE answerer_username = ? AND expires_at > ?
+      ORDER BY answered_at DESC
+    `);
+        const rows = stmt.all(answererUsername, Date.now());
+        return rows.map((row) => this.rowToOffer(row));
+      }
+      // ===== Discovery =====
+      async discoverOffers(tags, excludeUsername, limit, offset) {
+        if (tags.length === 0) {
+          return [];
+        }
+        const placeholders = tags.map(() => "?").join(",");
+        let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+        const params = [...tags, Date.now()];
+        if (excludeUsername) {
+          query += " AND o.username != ?";
+          params.push(excludeUsername);
+        }
+        query += " ORDER BY o.created_at DESC LIMIT ? OFFSET ?";
+        params.push(limit, offset);
+        const stmt = this.db.prepare(query);
+        const rows = stmt.all(...params);
+        return rows.map((row) => this.rowToOffer(row));
+      }
+      async getRandomOffer(tags, excludeUsername) {
+        if (tags.length === 0) {
+          return null;
+        }
+        const placeholders = tags.map(() => "?").join(",");
+        let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+        const params = [...tags, Date.now()];
+        if (excludeUsername) {
+          query += " AND o.username != ?";
+          params.push(excludeUsername);
+        }
+        query += " ORDER BY RANDOM() LIMIT 1";
+        const stmt = this.db.prepare(query);
+        const row = stmt.get(...params);
+        return row ? this.rowToOffer(row) : null;
+      }
+      // ===== ICE Candidate Management =====
+      async addIceCandidates(offerId, username, role, candidates) {
+        const stmt = this.db.prepare(`
+      INSERT INTO ice_candidates (offer_id, username, role, candidate, created_at)
+      VALUES (?, ?, ?, ?, ?)
+    `);
+        const baseTimestamp = Date.now();
+        const transaction = this.db.transaction((candidates2) => {
+          for (let i = 0; i < candidates2.length; i++) {
+            stmt.run(
+              offerId,
+              username,
+              role,
+              JSON.stringify(candidates2[i]),
+              baseTimestamp + i
+            );
+          }
+        });
+        transaction(candidates);
+        return candidates.length;
+      }
+      async getIceCandidates(offerId, targetRole, since) {
+        let query = `
+      SELECT * FROM ice_candidates
+      WHERE offer_id = ? AND role = ?
+    `;
+        const params = [offerId, targetRole];
+        if (since !== void 0) {
+          query += " AND created_at > ?";
+          params.push(since);
+        }
+        query += " ORDER BY created_at ASC";
+        const stmt = this.db.prepare(query);
+        const rows = stmt.all(...params);
+        return rows.map((row) => ({
+          id: row.id,
+          offerId: row.offer_id,
+          username: row.username,
+          role: row.role,
+          candidate: JSON.parse(row.candidate),
+          createdAt: row.created_at
+        }));
+      }
+      async getIceCandidatesForMultipleOffers(offerIds, username, since) {
+        const result = /* @__PURE__ */ new Map();
+        if (offerIds.length === 0) {
+          return result;
+        }
+        if (!Array.isArray(offerIds) || !offerIds.every((id) => typeof id === "string")) {
+          throw new Error("Invalid offer IDs: must be array of strings");
+        }
+        if (offerIds.length > 1e3) {
+          throw new Error("Too many offer IDs (max 1000)");
+        }
+        const placeholders = offerIds.map(() => "?").join(",");
+        let query = `
+      SELECT ic.*, o.username as offer_username
+      FROM ice_candidates ic
+      INNER JOIN offers o ON o.id = ic.offer_id
+      WHERE ic.offer_id IN (${placeholders})
+      AND (
+        (o.username = ? AND ic.role = 'answerer')
+        OR (o.answerer_username = ? AND ic.role = 'offerer')
+      )
+    `;
+        const params = [...offerIds, username, username];
+        if (since !== void 0) {
+          query += " AND ic.created_at > ?";
+          params.push(since);
+        }
+        query += " ORDER BY ic.created_at ASC";
+        const stmt = this.db.prepare(query);
+        const rows = stmt.all(...params);
+        for (const row of rows) {
+          const candidate = {
+            id: row.id,
+            offerId: row.offer_id,
+            username: row.username,
+            role: row.role,
+            candidate: JSON.parse(row.candidate),
+            createdAt: row.created_at
+          };
+          if (!result.has(row.offer_id)) {
+            result.set(row.offer_id, []);
+          }
+          result.get(row.offer_id).push(candidate);
+        }
+        return result;
+      }
+      // ===== Credential Management =====
+      async generateCredentials(request) {
+        const now = Date.now();
+        const expiresAt = request.expiresAt || now + YEAR_IN_MS2;
+        const { generateCredentialName: generateCredentialName2, generateSecret: generateSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+        let name;
+        if (request.name) {
+          const existing = this.db.prepare(`
+        SELECT name FROM credentials WHERE name = ?
+      `).get(request.name);
+          if (existing) {
+            throw new Error("Username already taken");
+          }
+          name = request.name;
+        } else {
+          let attempts = 0;
+          const maxAttempts = 100;
+          while (attempts < maxAttempts) {
+            name = generateCredentialName2();
+            const existing = this.db.prepare(`
+          SELECT name FROM credentials WHERE name = ?
+        `).get(name);
+            if (!existing) {
+              break;
+            }
+            attempts++;
+          }
+          if (attempts >= maxAttempts) {
+            throw new Error(`Failed to generate unique credential name after ${maxAttempts} attempts`);
+          }
+        }
+        const secret = generateSecret2();
+        const { encryptSecret: encryptSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+        const encryptedSecret = await encryptSecret2(secret, this.masterEncryptionKey);
+        const stmt = this.db.prepare(`
+      INSERT INTO credentials (name, secret, created_at, expires_at, last_used)
+      VALUES (?, ?, ?, ?, ?)
+    `);
+        stmt.run(name, encryptedSecret, now, expiresAt, now);
+        return {
+          name,
+          secret,
+          // Return plaintext secret, not encrypted
+          createdAt: now,
+          expiresAt,
+          lastUsed: now
+        };
+      }
+      async getCredential(name) {
+        const stmt = this.db.prepare(`
+      SELECT * FROM credentials
+      WHERE name = ? AND expires_at > ?
+    `);
+        const row = stmt.get(name, Date.now());
+        if (!row) {
+          return null;
+        }
+        try {
+          const { decryptSecret: decryptSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+          const decryptedSecret = await decryptSecret2(row.secret, this.masterEncryptionKey);
+          return {
+            name: row.name,
+            secret: decryptedSecret,
+            // Return decrypted secret
+            createdAt: row.created_at,
+            expiresAt: row.expires_at,
+            lastUsed: row.last_used
+          };
+        } catch (error) {
+          console.error(`Failed to decrypt secret for credential '${name}':`, error);
+          return null;
+        }
+      }
+      async updateCredentialUsage(name, lastUsed, expiresAt) {
+        const stmt = this.db.prepare(`
+      UPDATE credentials
+      SET last_used = ?, expires_at = ?
+      WHERE name = ?
+    `);
+        stmt.run(lastUsed, expiresAt, name);
+      }
+      async deleteExpiredCredentials(now) {
+        const stmt = this.db.prepare("DELETE FROM credentials WHERE expires_at < ?");
+        const result = stmt.run(now);
+        return result.changes;
+      }
+      // ===== Rate Limiting =====
+      async checkRateLimit(identifier, limit, windowMs) {
+        const now = Date.now();
+        const resetTime = now + windowMs;
+        const result = this.db.prepare(`
+      INSERT INTO rate_limits (identifier, count, reset_time)
+      VALUES (?, 1, ?)
+      ON CONFLICT(identifier) DO UPDATE SET
+        count = CASE
+          WHEN reset_time < ? THEN 1
+          ELSE count + 1
+        END,
+        reset_time = CASE
+          WHEN reset_time < ? THEN ?
+          ELSE reset_time
+        END
+      RETURNING count
+    `).get(identifier, resetTime, now, now, resetTime);
+        return result.count <= limit;
+      }
+      async deleteExpiredRateLimits(now) {
+        const stmt = this.db.prepare("DELETE FROM rate_limits WHERE reset_time < ?");
+        const result = stmt.run(now);
+        return result.changes;
+      }
+      // ===== Nonce Tracking (Replay Protection) =====
+      async checkAndMarkNonce(nonceKey, expiresAt) {
+        try {
+          const stmt = this.db.prepare(`
+        INSERT INTO nonces (nonce_key, expires_at)
+        VALUES (?, ?)
+      `);
+          stmt.run(nonceKey, expiresAt);
+          return true;
+        } catch (error) {
+          if (error?.code === "SQLITE_CONSTRAINT") {
+            return false;
+          }
+          throw error;
+        }
+      }
+      async deleteExpiredNonces(now) {
+        const stmt = this.db.prepare("DELETE FROM nonces WHERE expires_at < ?");
+        const result = stmt.run(now);
+        return result.changes;
+      }
+      async close() {
+        this.db.close();
+      }
+      // ===== Helper Methods =====
+      /**
+       * Helper method to convert database row to Offer object
+       */
+      rowToOffer(row) {
+        return {
+          id: row.id,
+          username: row.username,
+          tags: JSON.parse(row.tags),
+          sdp: row.sdp,
+          createdAt: row.created_at,
+          expiresAt: row.expires_at,
+          lastSeen: row.last_seen,
+          answererUsername: row.answerer_username || void 0,
+          answerSdp: row.answer_sdp || void 0,
+          answeredAt: row.answered_at || void 0
+        };
+      }
+    };
+  }
+});
+// src/storage/mysql.ts
+var mysql_exports = {};
+__export(mysql_exports, {
+  MySQLStorage: () => MySQLStorage
+});
+var import_promise, YEAR_IN_MS3, MySQLStorage;
+var init_mysql = __esm({
+  "src/storage/mysql.ts"() {
+    "use strict";
+    import_promise = __toESM(require("mysql2/promise"));
+    init_hash_id();
+    YEAR_IN_MS3 = 365 * 24 * 60 * 60 * 1e3;
+    MySQLStorage = class _MySQLStorage {
+      constructor(pool, masterEncryptionKey) {
+        this.pool = pool;
+        this.masterEncryptionKey = masterEncryptionKey;
+      }
+      /**
+       * Creates a new MySQL storage instance with connection pooling
+       * @param connectionString MySQL connection URL
+       * @param masterEncryptionKey 64-char hex string for encrypting secrets
+       * @param poolSize Maximum number of connections in the pool
+       */
+      static async create(connectionString, masterEncryptionKey, poolSize = 10) {
+        const pool = import_promise.default.createPool({
+          uri: connectionString,
+          waitForConnections: true,
+          connectionLimit: poolSize,
+          queueLimit: 0,
+          enableKeepAlive: true,
+          keepAliveInitialDelay: 1e4
+        });
+        const storage = new _MySQLStorage(pool, masterEncryptionKey);
+        await storage.initializeDatabase();
+        return storage;
+      }
+      async initializeDatabase() {
+        const conn = await this.pool.getConnection();
+        try {
+          await conn.query(`
+        CREATE TABLE IF NOT EXISTS offers (
+          id VARCHAR(64) PRIMARY KEY,
+          username VARCHAR(32) NOT NULL,
+          tags JSON NOT NULL,
+          sdp MEDIUMTEXT NOT NULL,
+          created_at BIGINT NOT NULL,
+          expires_at BIGINT NOT NULL,
+          last_seen BIGINT NOT NULL,
+          answerer_username VARCHAR(32),
+          answer_sdp MEDIUMTEXT,
+          answered_at BIGINT,
+          INDEX idx_offers_username (username),
+          INDEX idx_offers_expires (expires_at),
+          INDEX idx_offers_last_seen (last_seen),
+          INDEX idx_offers_answerer (answerer_username)
+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+      `);
+          await conn.query(`
+        CREATE TABLE IF NOT EXISTS ice_candidates (
+          id BIGINT AUTO_INCREMENT PRIMARY KEY,
+          offer_id VARCHAR(64) NOT NULL,
+          username VARCHAR(32) NOT NULL,
+          role ENUM('offerer', 'answerer') NOT NULL,
+          candidate JSON NOT NULL,
+          created_at BIGINT NOT NULL,
+          INDEX idx_ice_offer (offer_id),
+          INDEX idx_ice_username (username),
+          INDEX idx_ice_created (created_at),
+          FOREIGN KEY (offer_id) REFERENCES offers(id) ON DELETE CASCADE
+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+      `);
+          await conn.query(`
+        CREATE TABLE IF NOT EXISTS credentials (
+          name VARCHAR(32) PRIMARY KEY,
+          secret VARCHAR(512) NOT NULL UNIQUE,
+          created_at BIGINT NOT NULL,
+          expires_at BIGINT NOT NULL,
+          last_used BIGINT NOT NULL,
+          INDEX idx_credentials_expires (expires_at)
+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+      `);
+          await conn.query(`
+        CREATE TABLE IF NOT EXISTS rate_limits (
+          identifier VARCHAR(255) PRIMARY KEY,
+          count INT NOT NULL,
+          reset_time BIGINT NOT NULL,
+          INDEX idx_rate_limits_reset (reset_time)
+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+      `);
+          await conn.query(`
+        CREATE TABLE IF NOT EXISTS nonces (
+          nonce_key VARCHAR(255) PRIMARY KEY,
+          expires_at BIGINT NOT NULL,
+          INDEX idx_nonces_expires (expires_at)
+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+      `);
+        } finally {
+          conn.release();
+        }
+      }
+      // ===== Offer Management =====
+      async createOffers(offers) {
+        if (offers.length === 0) return [];
+        const created = [];
+        const now = Date.now();
+        const conn = await this.pool.getConnection();
+        try {
+          await conn.beginTransaction();
+          for (const request of offers) {
+            const id = request.id || await generateOfferHash(request.sdp);
+            await conn.query(
+              `INSERT INTO offers (id, username, tags, sdp, created_at, expires_at, last_seen)
+           VALUES (?, ?, ?, ?, ?, ?, ?)`,
+              [id, request.username, JSON.stringify(request.tags), request.sdp, now, request.expiresAt, now]
+            );
+            created.push({
+              id,
+              username: request.username,
+              tags: request.tags,
+              sdp: request.sdp,
+              createdAt: now,
+              expiresAt: request.expiresAt,
+              lastSeen: now
+            });
+          }
+          await conn.commit();
+        } catch (error) {
+          await conn.rollback();
+          throw error;
+        } finally {
+          conn.release();
+        }
+        return created;
+      }
+      async getOffersByUsername(username) {
+        const [rows] = await this.pool.query(
+          `SELECT * FROM offers WHERE username = ? AND expires_at > ? ORDER BY last_seen DESC`,
+          [username, Date.now()]
+        );
+        return rows.map((row) => this.rowToOffer(row));
+      }
+      async getOfferById(offerId) {
+        const [rows] = await this.pool.query(
+          `SELECT * FROM offers WHERE id = ? AND expires_at > ?`,
+          [offerId, Date.now()]
+        );
+        return rows.length > 0 ? this.rowToOffer(rows[0]) : null;
+      }
+      async deleteOffer(offerId, ownerUsername) {
+        const [result] = await this.pool.query(
+          `DELETE FROM offers WHERE id = ? AND username = ?`,
+          [offerId, ownerUsername]
+        );
+        return result.affectedRows > 0;
+      }
+      async deleteExpiredOffers(now) {
+        const [result] = await this.pool.query(
+          `DELETE FROM offers WHERE expires_at < ?`,
+          [now]
+        );
+        return result.affectedRows;
+      }
+      async answerOffer(offerId, answererUsername, answerSdp) {
+        const offer = await this.getOfferById(offerId);
+        if (!offer) {
+          return { success: false, error: "Offer not found or expired" };
+        }
+        if (offer.answererUsername) {
+          return { success: false, error: "Offer already answered" };
+        }
+        const [result] = await this.pool.query(
+          `UPDATE offers SET answerer_username = ?, answer_sdp = ?, answered_at = ?
+       WHERE id = ? AND answerer_username IS NULL`,
+          [answererUsername, answerSdp, Date.now(), offerId]
+        );
+        if (result.affectedRows === 0) {
+          return { success: false, error: "Offer already answered (race condition)" };
+        }
+        return { success: true };
+      }
+      async getAnsweredOffers(offererUsername) {
+        const [rows] = await this.pool.query(
+          `SELECT * FROM offers
+       WHERE username = ? AND answerer_username IS NOT NULL AND expires_at > ?
+       ORDER BY answered_at DESC`,
+          [offererUsername, Date.now()]
+        );
+        return rows.map((row) => this.rowToOffer(row));
+      }
+      async getOffersAnsweredBy(answererUsername) {
+        const [rows] = await this.pool.query(
+          `SELECT * FROM offers
+       WHERE answerer_username = ? AND expires_at > ?
+       ORDER BY answered_at DESC`,
+          [answererUsername, Date.now()]
+        );
+        return rows.map((row) => this.rowToOffer(row));
+      }
+      // ===== Discovery =====
+      async discoverOffers(tags, excludeUsername, limit, offset) {
+        if (tags.length === 0) return [];
+        const tagArray = JSON.stringify(tags);
+        let query = `
+      SELECT DISTINCT o.* FROM offers o
+      WHERE JSON_OVERLAPS(o.tags, ?)
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+        const params = [tagArray, Date.now()];
+        if (excludeUsername) {
+          query += " AND o.username != ?";
+          params.push(excludeUsername);
+        }
+        query += " ORDER BY o.created_at DESC LIMIT ? OFFSET ?";
+        params.push(limit, offset);
+        const [rows] = await this.pool.query(query, params);
+        return rows.map((row) => this.rowToOffer(row));
+      }
+      async getRandomOffer(tags, excludeUsername) {
+        if (tags.length === 0) return null;
+        const tagArray = JSON.stringify(tags);
+        let query = `
+      SELECT DISTINCT o.* FROM offers o
+      WHERE JSON_OVERLAPS(o.tags, ?)
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+        const params = [tagArray, Date.now()];
+        if (excludeUsername) {
+          query += " AND o.username != ?";
+          params.push(excludeUsername);
+        }
+        query += " ORDER BY RAND() LIMIT 1";
+        const [rows] = await this.pool.query(query, params);
+        return rows.length > 0 ? this.rowToOffer(rows[0]) : null;
+      }
+      // ===== ICE Candidate Management =====
+      async addIceCandidates(offerId, username, role, candidates) {
+        if (candidates.length === 0) return 0;
+        const baseTimestamp = Date.now();
+        const values = candidates.map((c, i) => [
+          offerId,
+          username,
+          role,
+          JSON.stringify(c),
+          baseTimestamp + i
+        ]);
+        await this.pool.query(
+          `INSERT INTO ice_candidates (offer_id, username, role, candidate, created_at)
+       VALUES ?`,
+          [values]
+        );
+        return candidates.length;
+      }
+      async getIceCandidates(offerId, targetRole, since) {
+        let query = `SELECT * FROM ice_candidates WHERE offer_id = ? AND role = ?`;
+        const params = [offerId, targetRole];
+        if (since !== void 0) {
+          query += " AND created_at > ?";
+          params.push(since);
+        }
+        query += " ORDER BY created_at ASC";
+        const [rows] = await this.pool.query(query, params);
+        return rows.map((row) => this.rowToIceCandidate(row));
+      }
+      async getIceCandidatesForMultipleOffers(offerIds, username, since) {
+        const result = /* @__PURE__ */ new Map();
+        if (offerIds.length === 0) return result;
+        if (offerIds.length > 1e3) {
+          throw new Error("Too many offer IDs (max 1000)");
+        }
+        const placeholders = offerIds.map(() => "?").join(",");
+        let query = `
+      SELECT ic.*, o.username as offer_username
+      FROM ice_candidates ic
+      INNER JOIN offers o ON o.id = ic.offer_id
+      WHERE ic.offer_id IN (${placeholders})
+      AND (
+        (o.username = ? AND ic.role = 'answerer')
+        OR (o.answerer_username = ? AND ic.role = 'offerer')
+      )
+    `;
+        const params = [...offerIds, username, username];
+        if (since !== void 0) {
+          query += " AND ic.created_at > ?";
+          params.push(since);
+        }
+        query += " ORDER BY ic.created_at ASC";
+        const [rows] = await this.pool.query(query, params);
+        for (const row of rows) {
+          const candidate = this.rowToIceCandidate(row);
+          if (!result.has(row.offer_id)) {
+            result.set(row.offer_id, []);
+          }
+          result.get(row.offer_id).push(candidate);
+        }
+        return result;
+      }
+      // ===== Credential Management =====
+      async generateCredentials(request) {
+        const now = Date.now();
+        const expiresAt = request.expiresAt || now + YEAR_IN_MS3;
+        const { generateCredentialName: generateCredentialName2, generateSecret: generateSecret2, encryptSecret: encryptSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+        let name;
+        if (request.name) {
+          const [existing] = await this.pool.query(
+            `SELECT name FROM credentials WHERE name = ?`,
+            [request.name]
+          );
+          if (existing.length > 0) {
+            throw new Error("Username already taken");
+          }
+          name = request.name;
+        } else {
+          let attempts = 0;
+          const maxAttempts = 100;
+          while (attempts < maxAttempts) {
+            name = generateCredentialName2();
+            const [existing] = await this.pool.query(
+              `SELECT name FROM credentials WHERE name = ?`,
+              [name]
+            );
+            if (existing.length === 0) break;
+            attempts++;
+          }
+          if (attempts >= maxAttempts) {
+            throw new Error(`Failed to generate unique credential name after ${maxAttempts} attempts`);
+          }
+        }
+        const secret = generateSecret2();
+        const encryptedSecret = await encryptSecret2(secret, this.masterEncryptionKey);
+        await this.pool.query(
+          `INSERT INTO credentials (name, secret, created_at, expires_at, last_used)
+       VALUES (?, ?, ?, ?, ?)`,
+          [name, encryptedSecret, now, expiresAt, now]
+        );
+        return {
+          name,
+          secret,
+          createdAt: now,
+          expiresAt,
+          lastUsed: now
+        };
+      }
+      async getCredential(name) {
+        const [rows] = await this.pool.query(
+          `SELECT * FROM credentials WHERE name = ? AND expires_at > ?`,
+          [name, Date.now()]
+        );
+        if (rows.length === 0) return null;
+        try {
+          const { decryptSecret: decryptSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+          const decryptedSecret = await decryptSecret2(rows[0].secret, this.masterEncryptionKey);
+          return {
+            name: rows[0].name,
+            secret: decryptedSecret,
+            createdAt: Number(rows[0].created_at),
+            expiresAt: Number(rows[0].expires_at),
+            lastUsed: Number(rows[0].last_used)
+          };
+        } catch (error) {
+          console.error(`Failed to decrypt secret for credential '${name}':`, error);
+          return null;
+        }
+      }
+      async updateCredentialUsage(name, lastUsed, expiresAt) {
+        await this.pool.query(
+          `UPDATE credentials SET last_used = ?, expires_at = ? WHERE name = ?`,
+          [lastUsed, expiresAt, name]
+        );
+      }
+      async deleteExpiredCredentials(now) {
+        const [result] = await this.pool.query(
+          `DELETE FROM credentials WHERE expires_at < ?`,
+          [now]
+        );
+        return result.affectedRows;
+      }
+      // ===== Rate Limiting =====
+      async checkRateLimit(identifier, limit, windowMs) {
+        const now = Date.now();
+        const resetTime = now + windowMs;
+        await this.pool.query(
+          `INSERT INTO rate_limits (identifier, count, reset_time)
+       VALUES (?, 1, ?)
+       ON DUPLICATE KEY UPDATE
+         count = IF(reset_time < ?, 1, count + 1),
+         reset_time = IF(reset_time < ?, ?, reset_time)`,
+          [identifier, resetTime, now, now, resetTime]
+        );
+        const [rows] = await this.pool.query(
+          `SELECT count FROM rate_limits WHERE identifier = ?`,
+          [identifier]
+        );
+        return rows.length > 0 && rows[0].count <= limit;
+      }
+      async deleteExpiredRateLimits(now) {
+        const [result] = await this.pool.query(
+          `DELETE FROM rate_limits WHERE reset_time < ?`,
+          [now]
+        );
+        return result.affectedRows;
+      }
+      // ===== Nonce Tracking (Replay Protection) =====
+      async checkAndMarkNonce(nonceKey, expiresAt) {
+        try {
+          await this.pool.query(
+            `INSERT INTO nonces (nonce_key, expires_at) VALUES (?, ?)`,
+            [nonceKey, expiresAt]
+          );
+          return true;
+        } catch (error) {
+          if (error.code === "ER_DUP_ENTRY") {
+            return false;
+          }
+          throw error;
+        }
+      }
+      async deleteExpiredNonces(now) {
+        const [result] = await this.pool.query(
+          `DELETE FROM nonces WHERE expires_at < ?`,
+          [now]
+        );
+        return result.affectedRows;
+      }
+      async close() {
+        await this.pool.end();
+      }
+      // ===== Helper Methods =====
+      rowToOffer(row) {
+        return {
+          id: row.id,
+          username: row.username,
+          tags: typeof row.tags === "string" ? JSON.parse(row.tags) : row.tags,
+          sdp: row.sdp,
+          createdAt: Number(row.created_at),
+          expiresAt: Number(row.expires_at),
+          lastSeen: Number(row.last_seen),
+          answererUsername: row.answerer_username || void 0,
+          answerSdp: row.answer_sdp || void 0,
+          answeredAt: row.answered_at ? Number(row.answered_at) : void 0
+        };
+      }
+      rowToIceCandidate(row) {
+        return {
+          id: Number(row.id),
+          offerId: row.offer_id,
+          username: row.username,
+          role: row.role,
+          candidate: typeof row.candidate === "string" ? JSON.parse(row.candidate) : row.candidate,
+          createdAt: Number(row.created_at)
+        };
+      }
+    };
+  }
+});
+// src/storage/postgres.ts
+var postgres_exports = {};
+__export(postgres_exports, {
+  PostgreSQLStorage: () => PostgreSQLStorage
+});
+var import_pg, YEAR_IN_MS4, PostgreSQLStorage;
+var init_postgres = __esm({
+  "src/storage/postgres.ts"() {
+    "use strict";
+    import_pg = require("pg");
+    init_hash_id();
+    YEAR_IN_MS4 = 365 * 24 * 60 * 60 * 1e3;
+    PostgreSQLStorage = class _PostgreSQLStorage {
+      constructor(pool, masterEncryptionKey) {
+        this.pool = pool;
+        this.masterEncryptionKey = masterEncryptionKey;
+      }
+      /**
+       * Creates a new PostgreSQL storage instance with connection pooling
+       * @param connectionString PostgreSQL connection URL
+       * @param masterEncryptionKey 64-char hex string for encrypting secrets
+       * @param poolSize Maximum number of connections in the pool
+       */
+      static async create(connectionString, masterEncryptionKey, poolSize = 10) {
+        const pool = new import_pg.Pool({
+          connectionString,
+          max: poolSize,
+          idleTimeoutMillis: 3e4,
+          connectionTimeoutMillis: 5e3
+        });
+        const storage = new _PostgreSQLStorage(pool, masterEncryptionKey);
+        await storage.initializeDatabase();
+        return storage;
+      }
+      async initializeDatabase() {
+        const client = await this.pool.connect();
+        try {
+          await client.query(`
+        CREATE TABLE IF NOT EXISTS offers (
+          id VARCHAR(64) PRIMARY KEY,
+          username VARCHAR(32) NOT NULL,
+          tags JSONB NOT NULL,
+          sdp TEXT NOT NULL,
+          created_at BIGINT NOT NULL,
+          expires_at BIGINT NOT NULL,
+          last_seen BIGINT NOT NULL,
+          answerer_username VARCHAR(32),
+          answer_sdp TEXT,
+          answered_at BIGINT
+        )
+      `);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username)`);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at)`);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen)`);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username)`);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_offers_tags ON offers USING GIN(tags)`);
+          await client.query(`
+        CREATE TABLE IF NOT EXISTS ice_candidates (
+          id BIGSERIAL PRIMARY KEY,
+          offer_id VARCHAR(64) NOT NULL REFERENCES offers(id) ON DELETE CASCADE,
+          username VARCHAR(32) NOT NULL,
+          role VARCHAR(8) NOT NULL CHECK (role IN ('offerer', 'answerer')),
+          candidate JSONB NOT NULL,
+          created_at BIGINT NOT NULL
+        )
+      `);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_ice_offer ON ice_candidates(offer_id)`);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username)`);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at)`);
+          await client.query(`
+        CREATE TABLE IF NOT EXISTS credentials (
+          name VARCHAR(32) PRIMARY KEY,
+          secret VARCHAR(512) NOT NULL UNIQUE,
+          created_at BIGINT NOT NULL,
+          expires_at BIGINT NOT NULL,
+          last_used BIGINT NOT NULL
+        )
+      `);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_credentials_expires ON credentials(expires_at)`);
+          await client.query(`
+        CREATE TABLE IF NOT EXISTS rate_limits (
+          identifier VARCHAR(255) PRIMARY KEY,
+          count INT NOT NULL,
+          reset_time BIGINT NOT NULL
+        )
+      `);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_rate_limits_reset ON rate_limits(reset_time)`);
+          await client.query(`
+        CREATE TABLE IF NOT EXISTS nonces (
+          nonce_key VARCHAR(255) PRIMARY KEY,
+          expires_at BIGINT NOT NULL
+        )
+      `);
+          await client.query(`CREATE INDEX IF NOT EXISTS idx_nonces_expires ON nonces(expires_at)`);
+        } finally {
+          client.release();
+        }
+      }
+      // ===== Offer Management =====
+      async createOffers(offers) {
+        if (offers.length === 0) return [];
+        const created = [];
+        const now = Date.now();
+        const client = await this.pool.connect();
+        try {
+          await client.query("BEGIN");
+          for (const request of offers) {
+            const id = request.id || await generateOfferHash(request.sdp);
+            await client.query(
+              `INSERT INTO offers (id, username, tags, sdp, created_at, expires_at, last_seen)
+           VALUES ($1, $2, $3, $4, $5, $6, $7)`,
+              [id, request.username, JSON.stringify(request.tags), request.sdp, now, request.expiresAt, now]
+            );
+            created.push({
+              id,
+              username: request.username,
+              tags: request.tags,
+              sdp: request.sdp,
+              createdAt: now,
+              expiresAt: request.expiresAt,
+              lastSeen: now
+            });
+          }
+          await client.query("COMMIT");
+        } catch (error) {
+          await client.query("ROLLBACK");
+          throw error;
+        } finally {
+          client.release();
+        }
+        return created;
+      }
+      async getOffersByUsername(username) {
+        const result = await this.pool.query(
+          `SELECT * FROM offers WHERE username = $1 AND expires_at > $2 ORDER BY last_seen DESC`,
+          [username, Date.now()]
+        );
+        return result.rows.map((row) => this.rowToOffer(row));
+      }
+      async getOfferById(offerId) {
+        const result = await this.pool.query(
+          `SELECT * FROM offers WHERE id = $1 AND expires_at > $2`,
+          [offerId, Date.now()]
+        );
+        return result.rows.length > 0 ? this.rowToOffer(result.rows[0]) : null;
+      }
+      async deleteOffer(offerId, ownerUsername) {
+        const result = await this.pool.query(
+          `DELETE FROM offers WHERE id = $1 AND username = $2`,
+          [offerId, ownerUsername]
+        );
+        return (result.rowCount ?? 0) > 0;
+      }
+      async deleteExpiredOffers(now) {
+        const result = await this.pool.query(
+          `DELETE FROM offers WHERE expires_at < $1`,
+          [now]
+        );
+        return result.rowCount ?? 0;
+      }
+      async answerOffer(offerId, answererUsername, answerSdp) {
+        const offer = await this.getOfferById(offerId);
+        if (!offer) {
+          return { success: false, error: "Offer not found or expired" };
+        }
+        if (offer.answererUsername) {
+          return { success: false, error: "Offer already answered" };
+        }
+        const result = await this.pool.query(
+          `UPDATE offers SET answerer_username = $1, answer_sdp = $2, answered_at = $3
+       WHERE id = $4 AND answerer_username IS NULL`,
+          [answererUsername, answerSdp, Date.now(), offerId]
+        );
+        if ((result.rowCount ?? 0) === 0) {
+          return { success: false, error: "Offer already answered (race condition)" };
+        }
+        return { success: true };
+      }
+      async getAnsweredOffers(offererUsername) {
+        const result = await this.pool.query(
+          `SELECT * FROM offers
+       WHERE username = $1 AND answerer_username IS NOT NULL AND expires_at > $2
+       ORDER BY answered_at DESC`,
+          [offererUsername, Date.now()]
+        );
+        return result.rows.map((row) => this.rowToOffer(row));
+      }
+      async getOffersAnsweredBy(answererUsername) {
+        const result = await this.pool.query(
+          `SELECT * FROM offers
+       WHERE answerer_username = $1 AND expires_at > $2
+       ORDER BY answered_at DESC`,
+          [answererUsername, Date.now()]
+        );
+        return result.rows.map((row) => this.rowToOffer(row));
+      }
+      // ===== Discovery =====
+      async discoverOffers(tags, excludeUsername, limit, offset) {
+        if (tags.length === 0) return [];
+        let query = `
+      SELECT DISTINCT o.* FROM offers o
+      WHERE o.tags ?| $1
+        AND o.expires_at > $2
+        AND o.answerer_username IS NULL
+    `;
+        const params = [tags, Date.now()];
+        let paramIndex = 3;
+        if (excludeUsername) {
+          query += ` AND o.username != $${paramIndex}`;
+          params.push(excludeUsername);
+          paramIndex++;
+        }
+        query += ` ORDER BY o.created_at DESC LIMIT $${paramIndex} OFFSET $${paramIndex + 1}`;
+        params.push(limit, offset);
+        const result = await this.pool.query(query, params);
+        return result.rows.map((row) => this.rowToOffer(row));
+      }
+      async getRandomOffer(tags, excludeUsername) {
+        if (tags.length === 0) return null;
+        let query = `
+      SELECT DISTINCT o.* FROM offers o
+      WHERE o.tags ?| $1
+        AND o.expires_at > $2
+        AND o.answerer_username IS NULL
+    `;
+        const params = [tags, Date.now()];
+        let paramIndex = 3;
+        if (excludeUsername) {
+          query += ` AND o.username != $${paramIndex}`;
+          params.push(excludeUsername);
+        }
+        query += " ORDER BY RANDOM() LIMIT 1";
+        const result = await this.pool.query(query, params);
+        return result.rows.length > 0 ? this.rowToOffer(result.rows[0]) : null;
+      }
+      // ===== ICE Candidate Management =====
+      async addIceCandidates(offerId, username, role, candidates) {
+        if (candidates.length === 0) return 0;
+        const baseTimestamp = Date.now();
+        const client = await this.pool.connect();
+        try {
+          await client.query("BEGIN");
+          for (let i = 0; i < candidates.length; i++) {
+            await client.query(
+              `INSERT INTO ice_candidates (offer_id, username, role, candidate, created_at)
+           VALUES ($1, $2, $3, $4, $5)`,
+              [offerId, username, role, JSON.stringify(candidates[i]), baseTimestamp + i]
+            );
+          }
+          await client.query("COMMIT");
+        } catch (error) {
+          await client.query("ROLLBACK");
+          throw error;
+        } finally {
+          client.release();
+        }
+        return candidates.length;
+      }
+      async getIceCandidates(offerId, targetRole, since) {
+        let query = `SELECT * FROM ice_candidates WHERE offer_id = $1 AND role = $2`;
+        const params = [offerId, targetRole];
+        if (since !== void 0) {
+          query += " AND created_at > $3";
+          params.push(since);
+        }
+        query += " ORDER BY created_at ASC";
+        const result = await this.pool.query(query, params);
+        return result.rows.map((row) => this.rowToIceCandidate(row));
+      }
+      async getIceCandidatesForMultipleOffers(offerIds, username, since) {
+        const resultMap = /* @__PURE__ */ new Map();
+        if (offerIds.length === 0) return resultMap;
+        if (offerIds.length > 1e3) {
+          throw new Error("Too many offer IDs (max 1000)");
+        }
+        let query = `
+      SELECT ic.*, o.username as offer_username
+      FROM ice_candidates ic
+      INNER JOIN offers o ON o.id = ic.offer_id
+      WHERE ic.offer_id = ANY($1)
+      AND (
+        (o.username = $2 AND ic.role = 'answerer')
+        OR (o.answerer_username = $2 AND ic.role = 'offerer')
+      )
+    `;
+        const params = [offerIds, username];
+        if (since !== void 0) {
+          query += " AND ic.created_at > $3";
+          params.push(since);
+        }
+        query += " ORDER BY ic.created_at ASC";
+        const result = await this.pool.query(query, params);
+        for (const row of result.rows) {
+          const candidate = this.rowToIceCandidate(row);
+          if (!resultMap.has(row.offer_id)) {
+            resultMap.set(row.offer_id, []);
+          }
+          resultMap.get(row.offer_id).push(candidate);
+        }
+        return resultMap;
+      }
+      // ===== Credential Management =====
+      async generateCredentials(request) {
+        const now = Date.now();
+        const expiresAt = request.expiresAt || now + YEAR_IN_MS4;
+        const { generateCredentialName: generateCredentialName2, generateSecret: generateSecret2, encryptSecret: encryptSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+        let name;
+        if (request.name) {
+          const existing = await this.pool.query(
+            `SELECT name FROM credentials WHERE name = $1`,
+            [request.name]
+          );
+          if (existing.rows.length > 0) {
+            throw new Error("Username already taken");
+          }
+          name = request.name;
+        } else {
+          let attempts = 0;
+          const maxAttempts = 100;
+          while (attempts < maxAttempts) {
+            name = generateCredentialName2();
+            const existing = await this.pool.query(
+              `SELECT name FROM credentials WHERE name = $1`,
+              [name]
+            );
+            if (existing.rows.length === 0) break;
+            attempts++;
+          }
+          if (attempts >= maxAttempts) {
+            throw new Error(`Failed to generate unique credential name after ${maxAttempts} attempts`);
+          }
+        }
+        const secret = generateSecret2();
+        const encryptedSecret = await encryptSecret2(secret, this.masterEncryptionKey);
+        await this.pool.query(
+          `INSERT INTO credentials (name, secret, created_at, expires_at, last_used)
+       VALUES ($1, $2, $3, $4, $5)`,
+          [name, encryptedSecret, now, expiresAt, now]
+        );
+        return {
+          name,
+          secret,
+          createdAt: now,
+          expiresAt,
+          lastUsed: now
+        };
+      }
+      async getCredential(name) {
+        const result = await this.pool.query(
+          `SELECT * FROM credentials WHERE name = $1 AND expires_at > $2`,
+          [name, Date.now()]
+        );
+        if (result.rows.length === 0) return null;
+        try {
+          const { decryptSecret: decryptSecret2 } = await Promise.resolve().then(() => (init_crypto(), crypto_exports));
+          const decryptedSecret = await decryptSecret2(result.rows[0].secret, this.masterEncryptionKey);
+          return {
+            name: result.rows[0].name,
+            secret: decryptedSecret,
+            createdAt: Number(result.rows[0].created_at),
+            expiresAt: Number(result.rows[0].expires_at),
+            lastUsed: Number(result.rows[0].last_used)
+          };
+        } catch (error) {
+          console.error(`Failed to decrypt secret for credential '${name}':`, error);
+          return null;
+        }
+      }
+      async updateCredentialUsage(name, lastUsed, expiresAt) {
+        await this.pool.query(
+          `UPDATE credentials SET last_used = $1, expires_at = $2 WHERE name = $3`,
+          [lastUsed, expiresAt, name]
+        );
+      }
+      async deleteExpiredCredentials(now) {
+        const result = await this.pool.query(
+          `DELETE FROM credentials WHERE expires_at < $1`,
+          [now]
+        );
+        return result.rowCount ?? 0;
+      }
+      // ===== Rate Limiting =====
+      async checkRateLimit(identifier, limit, windowMs) {
+        const now = Date.now();
+        const resetTime = now + windowMs;
+        const result = await this.pool.query(
+          `INSERT INTO rate_limits (identifier, count, reset_time)
+       VALUES ($1, 1, $2)
+       ON CONFLICT (identifier) DO UPDATE SET
+         count = CASE
+           WHEN rate_limits.reset_time < $3 THEN 1
+           ELSE rate_limits.count + 1
+         END,
+         reset_time = CASE
+           WHEN rate_limits.reset_time < $3 THEN $2
+           ELSE rate_limits.reset_time
+         END
+       RETURNING count`,
+          [identifier, resetTime, now]
+        );
+        return result.rows[0].count <= limit;
+      }
+      async deleteExpiredRateLimits(now) {
+        const result = await this.pool.query(
+          `DELETE FROM rate_limits WHERE reset_time < $1`,
+          [now]
+        );
+        return result.rowCount ?? 0;
+      }
+      // ===== Nonce Tracking (Replay Protection) =====
+      async checkAndMarkNonce(nonceKey, expiresAt) {
+        try {
+          await this.pool.query(
+            `INSERT INTO nonces (nonce_key, expires_at) VALUES ($1, $2)`,
+            [nonceKey, expiresAt]
+          );
+          return true;
+        } catch (error) {
+          if (error.code === "23505") {
+            return false;
+          }
+          throw error;
+        }
+      }
+      async deleteExpiredNonces(now) {
+        const result = await this.pool.query(
+          `DELETE FROM nonces WHERE expires_at < $1`,
+          [now]
+        );
+        return result.rowCount ?? 0;
+      }
+      async close() {
+        await this.pool.end();
+      }
+      // ===== Helper Methods =====
+      rowToOffer(row) {
+        return {
+          id: row.id,
+          username: row.username,
+          tags: typeof row.tags === "string" ? JSON.parse(row.tags) : row.tags,
+          sdp: row.sdp,
+          createdAt: Number(row.created_at),
+          expiresAt: Number(row.expires_at),
+          lastSeen: Number(row.last_seen),
+          answererUsername: row.answerer_username || void 0,
+          answerSdp: row.answer_sdp || void 0,
+          answeredAt: row.answered_at ? Number(row.answered_at) : void 0
+        };
+      }
+      rowToIceCandidate(row) {
+        return {
+          id: Number(row.id),
+          offerId: row.offer_id,
+          username: row.username,
+          role: row.role,
+          candidate: typeof row.candidate === "string" ? JSON.parse(row.candidate) : row.candidate,
+          createdAt: Number(row.created_at)
+        };
+      }
+    };
+  }
+});
 // src/index.ts
 var import_node_server = require("@hono/node-server");
@@ -29,795 +2190,262 @@ var import_node_server = require("@hono/node-server");
 var import_hono = require("hono");
 var import_cors = require("hono/cors");
-// node_modules/@noble/ed25519/index.js
-var ed25519_CURVE = {
-  p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
-  n: 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,
-  h: 8n,
-  a: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,
-  d: 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,
-  Gx: 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,
-  Gy: 0x6666666666666666666666666666666666666666666666666666666666666658n
-};
-var { p: P, n: N, Gx, Gy, a: _a, d: _d, h } = ed25519_CURVE;
-var L = 32;
-var L2 = 64;
-var captureTrace = (...args) => {
-  if ("captureStackTrace" in Error && typeof Error.captureStackTrace === "function") {
-    Error.captureStackTrace(...args);
-  }
-};
-var err = (message = "") => {
-  const e = new Error(message);
-  captureTrace(e, err);
-  throw e;
-};
-var isBig = (n) => typeof n === "bigint";
-var isStr = (s) => typeof s === "string";
-var isBytes = (a) => a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
-var abytes = (value, length, title = "") => {
-  const bytes = isBytes(value);
-  const len = value?.length;
-  const needsLen = length !== void 0;
-  if (!bytes || needsLen && len !== length) {
-    const prefix = title && `"${title}" `;
-    const ofLen = needsLen ? ` of length ${length}` : "";
-    const got = bytes ? `length=${len}` : `type=${typeof value}`;
-    err(prefix + "expected Uint8Array" + ofLen + ", got " + got);
-  }
-  return value;
-};
-var u8n = (len) => new Uint8Array(len);
-var u8fr = (buf) => Uint8Array.from(buf);
-var padh = (n, pad) => n.toString(16).padStart(pad, "0");
-var bytesToHex = (b) => Array.from(abytes(b)).map((e) => padh(e, 2)).join("");
-var C = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
-var _ch = (ch) => {
-  if (ch >= C._0 && ch <= C._9)
-    return ch - C._0;
-  if (ch >= C.A && ch <= C.F)
-    return ch - (C.A - 10);
-  if (ch >= C.a && ch <= C.f)
-    return ch - (C.a - 10);
-  return;
-};
-var hexToBytes = (hex) => {
-  const e = "hex invalid";
-  if (!isStr(hex))
-    return err(e);
-  const hl = hex.length;
-  const al = hl / 2;
-  if (hl % 2)
-    return err(e);
-  const array = u8n(al);
-  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
-    const n1 = _ch(hex.charCodeAt(hi));
-    const n2 = _ch(hex.charCodeAt(hi + 1));
-    if (n1 === void 0 || n2 === void 0)
-      return err(e);
-    array[ai] = n1 * 16 + n2;
-  }
-  return array;
-};
-var cr = () => globalThis?.crypto;
-var subtle = () => cr()?.subtle ?? err("crypto.subtle must be defined, consider polyfill");
-var concatBytes = (...arrs) => {
-  const r = u8n(arrs.reduce((sum, a) => sum + abytes(a).length, 0));
-  let pad = 0;
-  arrs.forEach((a) => {
-    r.set(a, pad);
-    pad += a.length;
-  });
-  return r;
-};
-var big = BigInt;
-var assertRange = (n, min, max, msg = "bad number: out of range") => isBig(n) && min <= n && n < max ? n : err(msg);
-var M = (a, b = P) => {
-  const r = a % b;
-  return r >= 0n ? r : b + r;
-};
-var modN = (a) => M(a, N);
-var invert = (num, md) => {
-  if (num === 0n || md <= 0n)
-    err("no inverse n=" + num + " mod=" + md);
-  let a = M(num, md), b = md, x = 0n, y = 1n, u = 1n, v = 0n;
-  while (a !== 0n) {
-    const q = b / a, r = b % a;
-    const m = x - u * q, n = y - v * q;
-    b = a, a = r, x = u, y = v, u = m, v = n;
-  }
-  return b === 1n ? M(x, md) : err("no inverse");
-};
-var apoint = (p) => p instanceof Point ? p : err("Point expected");
-var B256 = 2n ** 256n;
-var Point = class _Point {
-  static BASE;
-  static ZERO;
-  X;
-  Y;
-  Z;
-  T;
-  constructor(X, Y, Z, T) {
-    const max = B256;
-    this.X = assertRange(X, 0n, max);
-    this.Y = assertRange(Y, 0n, max);
-    this.Z = assertRange(Z, 1n, max);
-    this.T = assertRange(T, 0n, max);
-    Object.freeze(this);
-  }
-  static CURVE() {
-    return ed25519_CURVE;
-  }
-  static fromAffine(p) {
-    return new _Point(p.x, p.y, 1n, M(p.x * p.y));
-  }
-  /** RFC8032 5.1.3: Uint8Array to Point. */
-  static fromBytes(hex, zip215 = false) {
-    const d = _d;
-    const normed = u8fr(abytes(hex, L));
-    const lastByte = hex[31];
-    normed[31] = lastByte & ~128;
-    const y = bytesToNumLE(normed);
-    const max = zip215 ? B256 : P;
-    assertRange(y, 0n, max);
-    const y2 = M(y * y);
-    const u = M(y2 - 1n);
-    const v = M(d * y2 + 1n);
-    let { isValid, value: x } = uvRatio(u, v);
-    if (!isValid)
-      err("bad point: y not sqrt");
-    const isXOdd = (x & 1n) === 1n;
-    const isLastByteOdd = (lastByte & 128) !== 0;
-    if (!zip215 && x === 0n && isLastByteOdd)
-      err("bad point: x==0, isLastByteOdd");
-    if (isLastByteOdd !== isXOdd)
-      x = M(-x);
-    return new _Point(x, y, 1n, M(x * y));
-  }
-  static fromHex(hex, zip215) {
-    return _Point.fromBytes(hexToBytes(hex), zip215);
-  }
-  get x() {
-    return this.toAffine().x;
-  }
-  get y() {
-    return this.toAffine().y;
-  }
-  /** Checks if the point is valid and on-curve. */
-  assertValidity() {
-    const a = _a;
-    const d = _d;
-    const p = this;
-    if (p.is0())
-      return err("bad point: ZERO");
-    const { X, Y, Z, T } = p;
-    const X2 = M(X * X);
-    const Y2 = M(Y * Y);
-    const Z2 = M(Z * Z);
-    const Z4 = M(Z2 * Z2);
-    const aX2 = M(X2 * a);
-    const left = M(Z2 * M(aX2 + Y2));
-    const right = M(Z4 + M(d * M(X2 * Y2)));
-    if (left !== right)
-      return err("bad point: equation left != right (1)");
-    const XY = M(X * Y);
-    const ZT = M(Z * T);
-    if (XY !== ZT)
-      return err("bad point: equation left != right (2)");
-    return this;
-  }
-  /** Equality check: compare points P&Q. */
-  equals(other) {
-    const { X: X1, Y: Y1, Z: Z1 } = this;
-    const { X: X2, Y: Y2, Z: Z2 } = apoint(other);
-    const X1Z2 = M(X1 * Z2);
-    const X2Z1 = M(X2 * Z1);
-    const Y1Z2 = M(Y1 * Z2);
-    const Y2Z1 = M(Y2 * Z1);
-    return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
-  }
-  is0() {
-    return this.equals(I);
-  }
-  /** Flip point over y coordinate. */
-  negate() {
-    return new _Point(M(-this.X), this.Y, this.Z, M(-this.T));
-  }
-  /** Point doubling. Complete formula. Cost: `4M + 4S + 1*a + 6add + 1*2`. */
-  double() {
-    const { X: X1, Y: Y1, Z: Z1 } = this;
-    const a = _a;
-    const A = M(X1 * X1);
-    const B = M(Y1 * Y1);
-    const C2 = M(2n * M(Z1 * Z1));
-    const D = M(a * A);
-    const x1y1 = X1 + Y1;
-    const E = M(M(x1y1 * x1y1) - A - B);
-    const G2 = D + B;
-    const F = G2 - C2;
-    const H = D - B;
-    const X3 = M(E * F);
-    const Y3 = M(G2 * H);
-    const T3 = M(E * H);
-    const Z3 = M(F * G2);
-    return new _Point(X3, Y3, Z3, T3);
-  }
-  /** Point addition. Complete formula. Cost: `8M + 1*k + 8add + 1*2`. */
-  add(other) {
-    const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
-    const { X: X2, Y: Y2, Z: Z2, T: T2 } = apoint(other);
-    const a = _a;
-    const d = _d;
-    const A = M(X1 * X2);
-    const B = M(Y1 * Y2);
-    const C2 = M(T1 * d * T2);
-    const D = M(Z1 * Z2);
-    const E = M((X1 + Y1) * (X2 + Y2) - A - B);
-    const F = M(D - C2);
-    const G2 = M(D + C2);
-    const H = M(B - a * A);
-    const X3 = M(E * F);
-    const Y3 = M(G2 * H);
-    const T3 = M(E * H);
-    const Z3 = M(F * G2);
-    return new _Point(X3, Y3, Z3, T3);
-  }
-  subtract(other) {
-    return this.add(apoint(other).negate());
-  }
-  /**
-   * Point-by-scalar multiplication. Scalar must be in range 1 <= n < CURVE.n.
-   * Uses {@link wNAF} for base point.
-   * Uses fake point to mitigate side-channel leakage.
-   * @param n scalar by which point is multiplied
-   * @param safe safe mode guards against timing attacks; unsafe mode is faster
-   */
-  multiply(n, safe = true) {
-    if (!safe && (n === 0n || this.is0()))
-      return I;
-    assertRange(n, 1n, N);
-    if (n === 1n)
-      return this;
-    if (this.equals(G))
-      return wNAF(n).p;
-    let p = I;
-    let f = G;
-    for (let d = this; n > 0n; d = d.double(), n >>= 1n) {
-      if (n & 1n)
-        p = p.add(d);
-      else if (safe)
-        f = f.add(d);
-    }
-    return p;
-  }
-  multiplyUnsafe(scalar) {
-    return this.multiply(scalar, false);
-  }
-  /** Convert point to 2d xy affine point. (X, Y, Z) ∋ (x=X/Z, y=Y/Z) */
-  toAffine() {
-    const { X, Y, Z } = this;
-    if (this.equals(I))
-      return { x: 0n, y: 1n };
-    const iz = invert(Z, P);
-    if (M(Z * iz) !== 1n)
-      err("invalid inverse");
-    const x = M(X * iz);
-    const y = M(Y * iz);
-    return { x, y };
-  }
-  toBytes() {
-    const { x, y } = this.assertValidity().toAffine();
-    const b = numTo32bLE(y);
-    b[31] |= x & 1n ? 128 : 0;
-    return b;
-  }
-  toHex() {
-    return bytesToHex(this.toBytes());
-  }
-  clearCofactor() {
-    return this.multiply(big(h), false);
-  }
-  isSmallOrder() {
-    return this.clearCofactor().is0();
-  }
-  isTorsionFree() {
-    let p = this.multiply(N / 2n, false).double();
-    if (N % 2n)
-      p = p.add(this);
-    return p.is0();
-  }
-};
-var G = new Point(Gx, Gy, 1n, M(Gx * Gy));
-var I = new Point(0n, 1n, 1n, 0n);
-Point.BASE = G;
-Point.ZERO = I;
-var numTo32bLE = (num) => hexToBytes(padh(assertRange(num, 0n, B256), L2)).reverse();
-var bytesToNumLE = (b) => big("0x" + bytesToHex(u8fr(abytes(b)).reverse()));
-var pow2 = (x, power) => {
-  let r = x;
-  while (power-- > 0n) {
-    r *= r;
-    r %= P;
-  }
-  return r;
-};
-var pow_2_252_3 = (x) => {
-  const x2 = x * x % P;
-  const b2 = x2 * x % P;
-  const b4 = pow2(b2, 2n) * b2 % P;
-  const b5 = pow2(b4, 1n) * x % P;
-  const b10 = pow2(b5, 5n) * b5 % P;
-  const b20 = pow2(b10, 10n) * b10 % P;
-  const b40 = pow2(b20, 20n) * b20 % P;
-  const b80 = pow2(b40, 40n) * b40 % P;
-  const b160 = pow2(b80, 80n) * b80 % P;
-  const b240 = pow2(b160, 80n) * b80 % P;
-  const b250 = pow2(b240, 10n) * b10 % P;
-  const pow_p_5_8 = pow2(b250, 2n) * x % P;
-  return { pow_p_5_8, b2 };
-};
-var RM1 = 0x2b8324804fc1df0b2b4d00993dfbd7a72f431806ad2fe478c4ee1b274a0ea0b0n;
-var uvRatio = (u, v) => {
-  const v3 = M(v * v * v);
-  const v7 = M(v3 * v3 * v);
-  const pow = pow_2_252_3(u * v7).pow_p_5_8;
-  let x = M(u * v3 * pow);
-  const vx2 = M(v * x * x);
-  const root1 = x;
-  const root2 = M(x * RM1);
-  const useRoot1 = vx2 === u;
-  const useRoot2 = vx2 === M(-u);
-  const noRoot = vx2 === M(-u * RM1);
-  if (useRoot1)
-    x = root1;
-  if (useRoot2 || noRoot)
-    x = root2;
-  if ((M(x) & 1n) === 1n)
-    x = M(-x);
-  return { isValid: useRoot1 || useRoot2, value: x };
-};
-var modL_LE = (hash) => modN(bytesToNumLE(hash));
-var sha512a = (...m) => hashes.sha512Async(concatBytes(...m));
-var hashFinishA = (res) => sha512a(res.hashable).then(res.finish);
-var defaultVerifyOpts = { zip215: true };
-var _verify = (sig, msg, pub, opts = defaultVerifyOpts) => {
-  sig = abytes(sig, L2);
-  msg = abytes(msg);
-  pub = abytes(pub, L);
-  const { zip215 } = opts;
-  let A;
-  let R;
-  let s;
-  let SB;
-  let hashable = Uint8Array.of();
-  try {
-    A = Point.fromBytes(pub, zip215);
-    R = Point.fromBytes(sig.slice(0, L), zip215);
-    s = bytesToNumLE(sig.slice(L, L2));
-    SB = G.multiply(s, false);
-    hashable = concatBytes(R.toBytes(), A.toBytes(), msg);
-  } catch (error) {
-  }
-  const finish = (hashed) => {
-    if (SB == null)
-      return false;
-    if (!zip215 && A.isSmallOrder())
-      return false;
-    const k = modL_LE(hashed);
-    const RkA = R.add(A.multiply(k, false));
-    return RkA.add(SB.negate()).clearCofactor().is0();
-  };
-  return { hashable, finish };
-};
-var verifyAsync = async (signature, message, publicKey, opts = defaultVerifyOpts) => hashFinishA(_verify(signature, message, publicKey, opts));
-var hashes = {
-  sha512Async: async (message) => {
-    const s = subtle();
-    const m = concatBytes(message);
-    return u8n(await s.digest("SHA-512", m.buffer));
-  },
-  sha512: void 0
-};
-var W = 8;
-var scalarBits = 256;
-var pwindows = Math.ceil(scalarBits / W) + 1;
-var pwindowSize = 2 ** (W - 1);
-var precompute = () => {
-  const points = [];
-  let p = G;
-  let b = p;
-  for (let w = 0; w < pwindows; w++) {
-    b = p;
-    points.push(b);
-    for (let i = 1; i < pwindowSize; i++) {
-      b = b.add(p);
-      points.push(b);
-    }
-    p = b.double();
-  }
-  return points;
-};
-var Gpows = void 0;
-var ctneg = (cnd, p) => {
-  const n = p.negate();
-  return cnd ? n : p;
-};
-var wNAF = (n) => {
-  const comp = Gpows || (Gpows = precompute());
-  let p = I;
-  let f = G;
-  const pow_2_w = 2 ** W;
-  const maxNum = pow_2_w;
-  const mask = big(pow_2_w - 1);
-  const shiftBy = big(W);
-  for (let w = 0; w < pwindows; w++) {
-    let wbits = Number(n & mask);
-    n >>= shiftBy;
-    if (wbits > pwindowSize) {
-      wbits -= maxNum;
-      n += 1n;
-    }
-    const off = w * pwindowSize;
-    const offF = off;
-    const offP = off + Math.abs(wbits) - 1;
-    const isEven = w % 2 !== 0;
-    const isNeg = wbits < 0;
-    if (wbits === 0) {
-      f = f.add(ctneg(isEven, comp[offF]));
-    } else {
-      p = p.add(ctneg(isNeg, comp[offP]));
-    }
-  }
-  if (n !== 0n)
-    err("invalid wnaf");
-  return { p, f };
-};
-// src/crypto.ts
-hashes.sha512Async = async (message) => {
-  return new Uint8Array(await crypto.subtle.digest("SHA-512", message));
-};
-var USERNAME_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
-var USERNAME_MIN_LENGTH = 3;
-var USERNAME_MAX_LENGTH = 32;
-var TIMESTAMP_TOLERANCE_MS = 5 * 60 * 1e3;
-function base64ToBytes(base64) {
-  const binString = atob(base64);
-  return Uint8Array.from(binString, (char) => char.codePointAt(0));
-}
-function validateAuthMessage(expectedUsername, message) {
-  const parts = message.split(":");
-  if (parts.length < 3) {
-    return { valid: false, error: "Invalid message format: must have at least action:username:timestamp" };
-  }
-  const messageUsername = parts[1];
-  const timestamp = parseInt(parts[parts.length - 1], 10);
-  if (messageUsername !== expectedUsername) {
-    return { valid: false, error: "Username in message does not match authenticated username" };
-  }
-  if (isNaN(timestamp)) {
-    return { valid: false, error: "Invalid timestamp in message" };
-  }
-  const timestampCheck = validateTimestamp(timestamp);
-  if (!timestampCheck.valid) {
-    return timestampCheck;
-  }
-  return { valid: true };
-}
-function validateUsername(username) {
-  if (typeof username !== "string") {
-    return { valid: false, error: "Username must be a string" };
-  }
-  if (username.length < USERNAME_MIN_LENGTH) {
-    return { valid: false, error: `Username must be at least ${USERNAME_MIN_LENGTH} characters` };
-  }
-  if (username.length > USERNAME_MAX_LENGTH) {
-    return { valid: false, error: `Username must be at most ${USERNAME_MAX_LENGTH} characters` };
-  }
-  if (!USERNAME_REGEX.test(username)) {
-    return { valid: false, error: "Username must be lowercase alphanumeric with optional dashes, and start/end with alphanumeric" };
-  }
-  return { valid: true };
-}
-function validateServiceFqn(fqn) {
-  if (typeof fqn !== "string") {
-    return { valid: false, error: "Service FQN must be a string" };
-  }
-  const parsed = parseServiceFqn(fqn);
-  if (!parsed) {
-    return { valid: false, error: "Service FQN must be in format: service:version[@username]" };
-  }
-  const { serviceName, version, username } = parsed;
-  const serviceNameRegex = /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/;
-  if (!serviceNameRegex.test(serviceName)) {
-    return { valid: false, error: "Service name must be lowercase alphanumeric with optional dots/dashes" };
-  }
-  if (serviceName.length < 1 || serviceName.length > 128) {
-    return { valid: false, error: "Service name must be 1-128 characters" };
-  }
-  const versionRegex = /^[0-9]+\.[0-9]+\.[0-9]+(-[a-z0-9.-]+)?$/;
-  if (!versionRegex.test(version)) {
-    return { valid: false, error: "Version must be semantic versioning (e.g., 1.0.0, 2.1.3-beta)" };
-  }
-  if (username) {
-    const usernameCheck = validateUsername(username);
-    if (!usernameCheck.valid) {
-      return usernameCheck;
+// src/rpc.ts
+init_crypto();
+var MAX_PAGE_SIZE = 100;
+var CREDENTIAL_RATE_LIMIT = 1;
+var CREDENTIAL_RATE_WINDOW = 1e3;
+function getJsonDepth(obj, maxDepth, currentDepth = 0) {
+  if (obj === null || typeof obj !== "object") {
+    return currentDepth;
+  }
+  if (currentDepth >= maxDepth) {
+    return currentDepth + 1;
+  }
+  let maxChildDepth = currentDepth;
+  for (const key in obj) {
+    if (Object.prototype.hasOwnProperty.call(obj, key)) {
+      const childDepth = getJsonDepth(obj[key], maxDepth, currentDepth + 1);
+      maxChildDepth = Math.max(maxChildDepth, childDepth);
+      if (maxChildDepth > maxDepth) {
+        return maxChildDepth;
+      }
     }
   }
-  return { valid: true };
-}
-function parseVersion(version) {
-  const match = version.match(/^([0-9]+)\.([0-9]+)\.([0-9]+)(-[a-z0-9.-]+)?$/);
-  if (!match) return null;
-  return {
-    major: parseInt(match[1], 10),
-    minor: parseInt(match[2], 10),
-    patch: parseInt(match[3], 10),
-    prerelease: match[4]?.substring(1)
-    // Remove leading dash
-  };
-}
-function isVersionCompatible(requested, available) {
-  const req = parseVersion(requested);
-  const avail = parseVersion(available);
-  if (!req || !avail) return false;
-  if (req.major !== avail.major) return false;
-  if (req.major === 0 && req.minor !== avail.minor) return false;
-  if (avail.minor < req.minor) return false;
-  if (avail.minor === req.minor && avail.patch < req.patch) return false;
-  if (req.prerelease && req.prerelease !== avail.prerelease) return false;
-  return true;
+  return maxChildDepth;
 }
-function parseServiceFqn(fqn) {
-  if (!fqn || typeof fqn !== "string") return null;
-  const atIndex = fqn.lastIndexOf("@");
-  let serviceVersion;
-  let username = null;
-  if (atIndex > 0) {
-    serviceVersion = fqn.substring(0, atIndex);
-    username = fqn.substring(atIndex + 1);
-  } else {
-    serviceVersion = fqn;
+function validateStringParam(value, paramName) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new RpcError(ErrorCodes.INVALID_PARAMS, `${paramName} must be a non-empty string`);
   }
-  const colonIndex = serviceVersion.indexOf(":");
-  if (colonIndex <= 0) return null;
-  const serviceName = serviceVersion.substring(0, colonIndex);
-  const version = serviceVersion.substring(colonIndex + 1);
-  if (!serviceName || !version) return null;
-  return {
-    serviceName,
-    version,
-    username
-  };
 }
-function validateTimestamp(timestamp) {
-  if (typeof timestamp !== "number" || !Number.isFinite(timestamp)) {
-    return { valid: false, error: "Timestamp must be a finite number" };
+var ErrorCodes = {
+  // Authentication errors
+  AUTH_REQUIRED: "AUTH_REQUIRED",
+  INVALID_CREDENTIALS: "INVALID_CREDENTIALS",
+  // Validation errors
+  INVALID_NAME: "INVALID_NAME",
+  INVALID_TAG: "INVALID_TAG",
+  INVALID_SDP: "INVALID_SDP",
+  INVALID_PARAMS: "INVALID_PARAMS",
+  MISSING_PARAMS: "MISSING_PARAMS",
+  // Resource errors
+  OFFER_NOT_FOUND: "OFFER_NOT_FOUND",
+  OFFER_ALREADY_ANSWERED: "OFFER_ALREADY_ANSWERED",
+  OFFER_NOT_ANSWERED: "OFFER_NOT_ANSWERED",
+  NO_AVAILABLE_OFFERS: "NO_AVAILABLE_OFFERS",
+  // Authorization errors
+  NOT_AUTHORIZED: "NOT_AUTHORIZED",
+  OWNERSHIP_MISMATCH: "OWNERSHIP_MISMATCH",
+  // Limit errors
+  TOO_MANY_OFFERS: "TOO_MANY_OFFERS",
+  SDP_TOO_LARGE: "SDP_TOO_LARGE",
+  BATCH_TOO_LARGE: "BATCH_TOO_LARGE",
+  RATE_LIMIT_EXCEEDED: "RATE_LIMIT_EXCEEDED",
+  // Generic errors
+  INTERNAL_ERROR: "INTERNAL_ERROR",
+  UNKNOWN_METHOD: "UNKNOWN_METHOD"
+};
+var RpcError = class extends Error {
+  constructor(errorCode, message) {
+    super(message);
+    this.errorCode = errorCode;
+    this.name = "RpcError";
   }
+};
+function validateTimestamp(timestamp, config) {
   const now = Date.now();
-  const diff = Math.abs(now - timestamp);
-  if (diff > TIMESTAMP_TOLERANCE_MS) {
-    return { valid: false, error: `Timestamp too old or too far in future (tolerance: ${TIMESTAMP_TOLERANCE_MS / 1e3}s)` };
+  if (now - timestamp > config.timestampMaxAge) {
+    throw new RpcError(ErrorCodes.INVALID_PARAMS, "Timestamp too old");
   }
-  return { valid: true };
-}
-async function verifyEd25519Signature(publicKey, signature, message) {
-  try {
-    const publicKeyBytes = base64ToBytes(publicKey);
-    const signatureBytes = base64ToBytes(signature);
-    const encoder = new TextEncoder();
-    const messageBytes = encoder.encode(message);
-    const isValid = await verifyAsync(signatureBytes, messageBytes, publicKeyBytes);
-    return isValid;
-  } catch (err2) {
-    console.error("Ed25519 signature verification failed:", err2);
-    return false;
+  if (timestamp - now > config.timestampMaxFuture) {
+    throw new RpcError(ErrorCodes.INVALID_PARAMS, "Timestamp too far in future");
   }
 }
-// src/rpc.ts
-var MAX_PAGE_SIZE = 100;
-async function verifyAuth(username, message, signature, publicKey, storage) {
-  let usernameRecord = await storage.getUsername(username);
-  if (!usernameRecord) {
-    if (!publicKey) {
-      return {
-        valid: false,
-        error: `Username "${username}" is not claimed and no public key provided for auto-claim.`
-      };
-    }
-    const usernameValidation = validateUsername(username);
-    if (!usernameValidation.valid) {
-      return usernameValidation;
-    }
-    const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
-    if (!signatureValid) {
-      return { valid: false, error: "Invalid signature for auto-claim" };
-    }
-    const expiresAt = Date.now() + 365 * 24 * 60 * 60 * 1e3;
-    await storage.claimUsername({
-      username,
-      publicKey,
-      expiresAt
-    });
-    usernameRecord = await storage.getUsername(username);
-    if (!usernameRecord) {
-      return { valid: false, error: "Failed to claim username" };
-    }
-  }
-  const isValid = await verifyEd25519Signature(
-    usernameRecord.publicKey,
-    signature,
-    message
-  );
+async function verifyRequestSignature(name, timestamp, nonce, signature, method, params, storage, config) {
+  validateTimestamp(timestamp, config);
+  const credential = await storage.getCredential(name);
+  if (!credential) {
+    throw new RpcError(ErrorCodes.INVALID_CREDENTIALS, "Invalid credentials");
+  }
+  const message = buildSignatureMessage(timestamp, nonce, method, params);
+  const isValid = await verifySignature(credential.secret, message, signature);
   if (!isValid) {
-    return { valid: false, error: "Invalid signature" };
+    throw new RpcError(ErrorCodes.INVALID_CREDENTIALS, "Invalid signature");
   }
-  const validation = validateAuthMessage(username, message);
-  if (!validation.valid) {
-    return { valid: false, error: validation.error };
+  const nonceKey = `nonce:${name}:${nonce}`;
+  const nonceExpiresAt = timestamp + config.timestampMaxAge;
+  const nonceIsNew = await storage.checkAndMarkNonce(nonceKey, nonceExpiresAt);
+  if (!nonceIsNew) {
+    throw new RpcError(ErrorCodes.INVALID_CREDENTIALS, "Nonce already used (replay attack detected)");
   }
-  return { valid: true };
-}
-function extractUsername(message) {
-  const parts = message.split(":");
-  if (parts.length < 2) return null;
-  return parts[1];
+  const now = Date.now();
+  const credentialExpiresAt = now + 365 * 24 * 60 * 60 * 1e3;
+  await storage.updateCredentialUsage(name, now, credentialExpiresAt);
 }
 var handlers = {
   /**
-   * Check if username is available
+   * Generate new credentials (name + secret pair)
+   * No authentication required - this is how users get started
+   * SECURITY: Rate limited per IP to prevent abuse (database-backed for multi-instance support)
    */
-  async getUser(params, message, signature, publicKey, storage, config) {
-    const { username } = params;
-    const claimed = await storage.getUsername(username);
-    if (!claimed) {
+  async generateCredentials(params, name, timestamp, signature, storage, config, request) {
+    let rateLimitKey;
+    let rateLimit;
+    if (!request.clientIp) {
+      console.warn("\u26A0\uFE0F  WARNING: Unable to determine client IP for credential generation. Using global rate limit.");
+      rateLimitKey = "cred_gen:global_unknown";
+      rateLimit = 2;
+    } else {
+      rateLimitKey = `cred_gen:${request.clientIp}`;
+      rateLimit = CREDENTIAL_RATE_LIMIT;
+    }
+    const allowed = await storage.checkRateLimit(
+      rateLimitKey,
+      rateLimit,
+      CREDENTIAL_RATE_WINDOW
+    );
+    if (!allowed) {
+      throw new RpcError(
+        ErrorCodes.RATE_LIMIT_EXCEEDED,
+        `Rate limit exceeded. Maximum ${rateLimit} credential per second${request.clientIp ? " per IP" : " (global limit for unidentified IPs)"}.`
+      );
+    }
+    if (params.name !== void 0) {
+      if (typeof params.name !== "string") {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, "name must be a string");
+      }
+      const usernameValidation = validateUsername(params.name);
+      if (!usernameValidation.valid) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, usernameValidation.error || "Invalid username");
+      }
+    }
+    if (params.expiresAt !== void 0) {
+      if (typeof params.expiresAt !== "number" || isNaN(params.expiresAt) || !Number.isFinite(params.expiresAt)) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, "expiresAt must be a valid timestamp");
+      }
+      const now = Date.now();
+      if (params.expiresAt < now - 6e4) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, "expiresAt cannot be in the past");
+      }
+      const maxFuture = now + 10 * 365 * 24 * 60 * 60 * 1e3;
+      if (params.expiresAt > maxFuture) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, "expiresAt cannot be more than 10 years in the future");
+      }
+    }
+    try {
+      const credential = await storage.generateCredentials({
+        name: params.name,
+        expiresAt: params.expiresAt
+      });
       return {
-        username,
-        available: true
+        name: credential.name,
+        secret: credential.secret,
+        createdAt: credential.createdAt,
+        expiresAt: credential.expiresAt
       };
+    } catch (error) {
+      if (error.message === "Username already taken") {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, "Username already taken");
+      }
+      throw error;
     }
-    return {
-      username: claimed.username,
-      available: false,
-      claimedAt: claimed.claimedAt,
-      expiresAt: claimed.expiresAt,
-      publicKey: claimed.publicKey
-    };
   },
   /**
-   * Get service by FQN - Supports 3 modes:
-   * 1. Direct lookup: FQN includes @username
-   * 2. Paginated discovery: FQN without @username, with limit/offset
-   * 3. Random discovery: FQN without @username, no limit
+   * Discover offers by tags - Supports 2 modes:
+   * 1. Paginated discovery: tags array with limit/offset
+   * 2. Random discovery: tags array without limit (returns single random offer)
    */
-  async getService(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, limit, offset } = params;
-    const username = extractUsername(message);
-    if (username) {
-      const auth = await verifyAuth(username, message, signature, publicKey, storage);
-      if (!auth.valid) {
-        throw new Error(auth.error);
-      }
-    }
-    const fqnValidation = validateServiceFqn(serviceFqn);
-    if (!fqnValidation.valid) {
-      throw new Error(fqnValidation.error || "Invalid service FQN");
-    }
-    const parsed = parseServiceFqn(serviceFqn);
-    if (!parsed) {
-      throw new Error("Failed to parse service FQN");
+  async discover(params, name, timestamp, signature, storage, config, request) {
+    const { tags, limit, offset } = params;
+    const tagsValidation = validateTags(tags);
+    if (!tagsValidation.valid) {
+      throw new RpcError(ErrorCodes.INVALID_TAG, tagsValidation.error || "Invalid tags");
     }
-    const filterCompatibleServices = (services) => {
-      return services.filter((s) => {
-        const serviceVersion = parseServiceFqn(s.serviceFqn);
-        return serviceVersion && isVersionCompatible(parsed.version, serviceVersion.version);
-      });
-    };
-    const findAvailableOffer = async (service) => {
-      const offers = await storage.getOffersForService(service.id);
-      return offers.find((o) => !o.answererUsername);
-    };
-    const buildServiceResponse = (service, offer) => ({
-      serviceId: service.id,
-      username: service.username,
-      serviceFqn: service.serviceFqn,
-      offerId: offer.id,
-      sdp: offer.sdp,
-      createdAt: service.createdAt,
-      expiresAt: service.expiresAt
-    });
     if (limit !== void 0) {
+      if (typeof limit !== "number" || !Number.isInteger(limit) || limit < 0) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, "limit must be a non-negative integer");
+      }
+      if (offset !== void 0 && (typeof offset !== "number" || !Number.isInteger(offset) || offset < 0)) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, "offset must be a non-negative integer");
+      }
       const pageLimit = Math.min(Math.max(1, limit), MAX_PAGE_SIZE);
       const pageOffset = Math.max(0, offset || 0);
-      const allServices2 = await storage.getServicesByName(parsed.service, parsed.version);
-      const compatibleServices2 = filterCompatibleServices(allServices2);
-      const usernameSet = /* @__PURE__ */ new Set();
-      const uniqueServices = [];
-      for (const service of compatibleServices2) {
-        if (!usernameSet.has(service.username)) {
-          usernameSet.add(service.username);
-          const availableOffer2 = await findAvailableOffer(service);
-          if (availableOffer2) {
-            uniqueServices.push(buildServiceResponse(service, availableOffer2));
-          }
-        }
-      }
-      const paginatedServices = uniqueServices.slice(pageOffset, pageOffset + pageLimit);
+      const excludeUsername2 = name || null;
+      const offers = await storage.discoverOffers(
+        tags,
+        excludeUsername2,
+        pageLimit,
+        pageOffset
+      );
       return {
-        services: paginatedServices,
-        count: paginatedServices.length,
+        offers: offers.map((offer2) => ({
+          offerId: offer2.id,
+          username: offer2.username,
+          tags: offer2.tags,
+          sdp: offer2.sdp,
+          createdAt: offer2.createdAt,
+          expiresAt: offer2.expiresAt
+        })),
+        count: offers.length,
         limit: pageLimit,
         offset: pageOffset
       };
     }
-    if (parsed.username) {
-      const service = await storage.getServiceByFqn(serviceFqn);
-      if (!service) {
-        throw new Error("Service not found");
-      }
-      const availableOffer2 = await findAvailableOffer(service);
-      if (!availableOffer2) {
-        throw new Error("Service has no available offers");
-      }
-      return buildServiceResponse(service, availableOffer2);
-    }
-    const allServices = await storage.getServicesByName(parsed.service, parsed.version);
-    const compatibleServices = filterCompatibleServices(allServices);
-    if (compatibleServices.length === 0) {
-      throw new Error("No services found");
-    }
-    const randomService = compatibleServices[Math.floor(Math.random() * compatibleServices.length)];
-    const availableOffer = await findAvailableOffer(randomService);
-    if (!availableOffer) {
-      throw new Error("Service has no available offers");
+    const excludeUsername = name || null;
+    const offer = await storage.getRandomOffer(tags, excludeUsername);
+    if (!offer) {
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, "No offers found matching tags");
     }
-    return buildServiceResponse(randomService, availableOffer);
+    return {
+      offerId: offer.id,
+      username: offer.username,
+      tags: offer.tags,
+      sdp: offer.sdp,
+      createdAt: offer.createdAt,
+      expiresAt: offer.expiresAt
+    };
   },
   /**
-   * Publish a service
+   * Publish offers with tags
    */
-  async publishService(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offers, ttl } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error("Username required for service publishing");
-    }
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
-    }
-    const fqnValidation = validateServiceFqn(serviceFqn);
-    if (!fqnValidation.valid) {
-      throw new Error(fqnValidation.error || "Invalid service FQN");
+  async publishOffer(params, name, timestamp, signature, storage, config, request) {
+    const { tags, offers, ttl } = params;
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, "Name required for offer publishing");
     }
-    const parsed = parseServiceFqn(serviceFqn);
-    if (!parsed || !parsed.username) {
-      throw new Error("Service FQN must include username");
-    }
-    if (parsed.username !== username) {
-      throw new Error("Service FQN username must match authenticated username");
+    const tagsValidation = validateTags(tags);
+    if (!tagsValidation.valid) {
+      throw new RpcError(ErrorCodes.INVALID_TAG, tagsValidation.error || "Invalid tags");
     }
     if (!offers || !Array.isArray(offers) || offers.length === 0) {
-      throw new Error("Must provide at least one offer");
+      throw new RpcError(ErrorCodes.MISSING_PARAMS, "Must provide at least one offer");
     }
     if (offers.length > config.maxOffersPerRequest) {
-      throw new Error(
+      throw new RpcError(
+        ErrorCodes.TOO_MANY_OFFERS,
         `Too many offers (max ${config.maxOffersPerRequest})`
       );
     }
     offers.forEach((offer, index) => {
       if (!offer || typeof offer !== "object") {
-        throw new Error(`Invalid offer at index ${index}: must be an object`);
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, `Invalid offer at index ${index}: must be an object`);
       }
       if (!offer.sdp || typeof offer.sdp !== "string") {
-        throw new Error(`Invalid offer at index ${index}: missing or invalid SDP`);
+        throw new RpcError(ErrorCodes.INVALID_SDP, `Invalid offer at index ${index}: missing or invalid SDP`);
       }
       if (!offer.sdp.trim()) {
-        throw new Error(`Invalid offer at index ${index}: SDP cannot be empty`);
+        throw new RpcError(ErrorCodes.INVALID_SDP, `Invalid offer at index ${index}: SDP cannot be empty`);
+      }
+      if (offer.sdp.length > config.maxSdpSize) {
+        throw new RpcError(ErrorCodes.SDP_TOO_LARGE, `SDP too large at index ${index} (max ${config.maxSdpSize} bytes)`);
       }
     });
+    if (ttl !== void 0) {
+      if (typeof ttl !== "number" || isNaN(ttl) || ttl < 0) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, "TTL must be a non-negative number");
+      }
+    }
     const now = Date.now();
     const offerTtl = ttl !== void 0 ? Math.min(
       Math.max(ttl, config.offerMinTtl),
@@ -825,108 +2453,83 @@ var handlers = {
     ) : config.offerDefaultTtl;
     const expiresAt = now + offerTtl;
     const offerRequests = offers.map((offer) => ({
-      username,
-      serviceFqn,
+      username: name,
+      tags,
       sdp: offer.sdp,
       expiresAt
     }));
-    const result = await storage.createService({
-      serviceFqn,
-      expiresAt,
-      offers: offerRequests
-    });
+    const createdOffers = await storage.createOffers(offerRequests);
     return {
-      serviceId: result.service.id,
-      username: result.service.username,
-      serviceFqn: result.service.serviceFqn,
-      offers: result.offers.map((offer) => ({
+      username: name,
+      tags,
+      offers: createdOffers.map((offer) => ({
         offerId: offer.id,
         sdp: offer.sdp,
         createdAt: offer.createdAt,
         expiresAt: offer.expiresAt
       })),
-      createdAt: result.service.createdAt,
-      expiresAt: result.service.expiresAt
+      createdAt: now,
+      expiresAt
     };
   },
-  /**
-   * Delete a service
-   */
-  async deleteService(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error("Username required");
-    }
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
-    }
-    const parsed = parseServiceFqn(serviceFqn);
-    if (!parsed || !parsed.username) {
-      throw new Error("Service FQN must include username");
-    }
-    const service = await storage.getServiceByFqn(serviceFqn);
-    if (!service) {
-      throw new Error("Service not found");
+  /**
+   * Delete an offer by ID
+   */
+  async deleteOffer(params, name, timestamp, signature, storage, config, request) {
+    const { offerId } = params;
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, "Name required");
     }
-    const deleted = await storage.deleteService(service.id, username);
+    validateStringParam(offerId, "offerId");
+    const deleted = await storage.deleteOffer(offerId, name);
     if (!deleted) {
-      throw new Error("Service not found or not owned by this username");
+      throw new RpcError(ErrorCodes.NOT_AUTHORIZED, "Offer not found or not owned by this name");
     }
     return { success: true };
   },
   /**
    * Answer an offer
    */
-  async answerOffer(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offerId, sdp } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error("Username required");
-    }
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+  async answerOffer(params, name, timestamp, signature, storage, config, request) {
+    const { offerId, sdp } = params;
+    validateStringParam(offerId, "offerId");
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, "Name required");
     }
     if (!sdp || typeof sdp !== "string" || sdp.length === 0) {
-      throw new Error("Invalid SDP");
+      throw new RpcError(ErrorCodes.INVALID_SDP, "Invalid SDP");
     }
-    if (sdp.length > 64 * 1024) {
-      throw new Error("SDP too large (max 64KB)");
+    if (sdp.length > config.maxSdpSize) {
+      throw new RpcError(ErrorCodes.SDP_TOO_LARGE, `SDP too large (max ${config.maxSdpSize} bytes)`);
     }
     const offer = await storage.getOfferById(offerId);
     if (!offer) {
-      throw new Error("Offer not found");
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, "Offer not found");
     }
     if (offer.answererUsername) {
-      throw new Error("Offer already answered");
+      throw new RpcError(ErrorCodes.OFFER_ALREADY_ANSWERED, "Offer already answered");
     }
-    await storage.answerOffer(offerId, username, sdp);
+    await storage.answerOffer(offerId, name, sdp);
     return { success: true, offerId };
   },
   /**
    * Get answer for an offer
    */
-  async getOfferAnswer(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offerId } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error("Username required");
-    }
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+  async getOfferAnswer(params, name, timestamp, signature, storage, config, request) {
+    const { offerId } = params;
+    validateStringParam(offerId, "offerId");
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, "Name required");
     }
     const offer = await storage.getOfferById(offerId);
     if (!offer) {
-      throw new Error("Offer not found");
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, "Offer not found");
     }
-    if (offer.username !== username) {
-      throw new Error("Not authorized to access this offer");
+    if (offer.username !== name) {
+      throw new RpcError(ErrorCodes.NOT_AUTHORIZED, "Not authorized to access this offer");
     }
     if (!offer.answererUsername || !offer.answerSdp) {
-      throw new Error("Offer not yet answered");
+      throw new RpcError(ErrorCodes.OFFER_NOT_ANSWERED, "Offer not yet answered");
     }
     return {
       sdp: offer.answerSdp,
@@ -938,58 +2541,38 @@ var handlers = {
   /**
    * Combined polling for answers and ICE candidates
    */
-  async poll(params, message, signature, publicKey, storage, config) {
+  async poll(params, name, timestamp, signature, storage, config, request) {
     const { since } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error("Username required");
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, "Name required");
     }
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+    if (since !== void 0 && (typeof since !== "number" || since < 0 || !Number.isFinite(since))) {
+      throw new RpcError(ErrorCodes.INVALID_PARAMS, "Invalid since parameter: must be a non-negative number");
     }
-    const sinceTimestamp = since || 0;
-    const answeredOffers = await storage.getAnsweredOffers(username);
+    const sinceTimestamp = since !== void 0 ? since : 0;
+    const answeredOffers = await storage.getAnsweredOffers(name);
     const filteredAnswers = answeredOffers.filter(
       (offer) => offer.answeredAt && offer.answeredAt > sinceTimestamp
     );
-    const allOffers = await storage.getOffersByUsername(username);
+    const ownedOffers = await storage.getOffersByUsername(name);
+    const answeredByUser = await storage.getOffersAnsweredBy(name);
+    const allOfferIds = [
+      ...ownedOffers.map((offer) => offer.id),
+      ...answeredByUser.map((offer) => offer.id)
+    ];
+    const offerIds = [...new Set(allOfferIds)];
+    const iceCandidatesMap = await storage.getIceCandidatesForMultipleOffers(
+      offerIds,
+      name,
+      sinceTimestamp
+    );
     const iceCandidatesByOffer = {};
-    for (const offer of allOffers) {
-      const offererCandidates = await storage.getIceCandidates(
-        offer.id,
-        "offerer",
-        sinceTimestamp
-      );
-      const answererCandidates = await storage.getIceCandidates(
-        offer.id,
-        "answerer",
-        sinceTimestamp
-      );
-      const allCandidates = [
-        ...offererCandidates.map((c) => ({
-          ...c,
-          role: "offerer"
-        })),
-        ...answererCandidates.map((c) => ({
-          ...c,
-          role: "answerer"
-        }))
-      ];
-      if (allCandidates.length > 0) {
-        const isOfferer = offer.username === username;
-        const filtered = allCandidates.filter(
-          (c) => isOfferer ? c.role === "answerer" : c.role === "offerer"
-        );
-        if (filtered.length > 0) {
-          iceCandidatesByOffer[offer.id] = filtered;
-        }
-      }
+    for (const [offerId, candidates] of iceCandidatesMap.entries()) {
+      iceCandidatesByOffer[offerId] = candidates;
     }
     return {
       answers: filteredAnswers.map((offer) => ({
         offerId: offer.id,
-        serviceId: offer.serviceId,
         answererId: offer.answererUsername,
         sdp: offer.answerSdp,
         answeredAt: offer.answeredAt
@@ -1000,32 +2583,53 @@ var handlers = {
   /**
    * Add ICE candidates
    */
-  async addIceCandidates(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offerId, candidates } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error("Username required");
-    }
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+  async addIceCandidates(params, name, timestamp, signature, storage, config, request) {
+    const { offerId, candidates } = params;
+    validateStringParam(offerId, "offerId");
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, "Name required");
     }
     if (!Array.isArray(candidates) || candidates.length === 0) {
-      throw new Error("Missing or invalid required parameter: candidates");
+      throw new RpcError(ErrorCodes.MISSING_PARAMS, "Missing or invalid required parameter: candidates");
+    }
+    if (candidates.length > config.maxCandidatesPerRequest) {
+      throw new RpcError(
+        ErrorCodes.INVALID_PARAMS,
+        `Too many candidates (max ${config.maxCandidatesPerRequest})`
+      );
     }
     candidates.forEach((candidate, index) => {
       if (!candidate || typeof candidate !== "object") {
-        throw new Error(`Invalid candidate at index ${index}: must be an object`);
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, `Invalid candidate at index ${index}: must be an object`);
+      }
+      const depth = getJsonDepth(candidate, config.maxCandidateDepth + 1);
+      if (depth > config.maxCandidateDepth) {
+        throw new RpcError(
+          ErrorCodes.INVALID_PARAMS,
+          `Candidate at index ${index} too deeply nested (max depth ${config.maxCandidateDepth})`
+        );
+      }
+      let candidateJson;
+      try {
+        candidateJson = JSON.stringify(candidate);
+      } catch (e) {
+        throw new RpcError(ErrorCodes.INVALID_PARAMS, `Candidate at index ${index} is not serializable`);
+      }
+      if (candidateJson.length > config.maxCandidateSize) {
+        throw new RpcError(
+          ErrorCodes.INVALID_PARAMS,
+          `Candidate at index ${index} too large (max ${config.maxCandidateSize} bytes)`
+        );
       }
     });
     const offer = await storage.getOfferById(offerId);
     if (!offer) {
-      throw new Error("Offer not found");
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, "Offer not found");
     }
-    const role = offer.username === username ? "offerer" : "answerer";
+    const role = offer.username === name ? "offerer" : "answerer";
     const count = await storage.addIceCandidates(
       offerId,
-      username,
+      name,
       role,
       candidates
     );
@@ -1034,22 +2638,25 @@ var handlers = {
   /**
    * Get ICE candidates
    */
-  async getIceCandidates(params, message, signature, publicKey, storage, config) {
-    const { serviceFqn, offerId, since } = params;
-    const username = extractUsername(message);
-    if (!username) {
-      throw new Error("Username required");
+  async getIceCandidates(params, name, timestamp, signature, storage, config, request) {
+    const { offerId, since } = params;
+    validateStringParam(offerId, "offerId");
+    if (!name) {
+      throw new RpcError(ErrorCodes.AUTH_REQUIRED, "Name required");
     }
-    const auth = await verifyAuth(username, message, signature, publicKey, storage);
-    if (!auth.valid) {
-      throw new Error(auth.error);
+    if (since !== void 0 && (typeof since !== "number" || since < 0 || !Number.isFinite(since))) {
+      throw new RpcError(ErrorCodes.INVALID_PARAMS, "Invalid since parameter: must be a non-negative number");
     }
-    const sinceTimestamp = since || 0;
+    const sinceTimestamp = since !== void 0 ? since : 0;
     const offer = await storage.getOfferById(offerId);
     if (!offer) {
-      throw new Error("Offer not found");
+      throw new RpcError(ErrorCodes.OFFER_NOT_FOUND, "Offer not found");
+    }
+    const isOfferer = offer.username === name;
+    const isAnswerer = offer.answererUsername === name;
+    if (!isOfferer && !isAnswerer) {
+      throw new RpcError(ErrorCodes.NOT_AUTHORIZED, "Not authorized to access ICE candidates for this offer");
     }
-    const isOfferer = offer.username === username;
     const role = isOfferer ? "answerer" : "offerer";
     const candidates = await storage.getIceCandidates(
       offerId,
@@ -1065,64 +2672,150 @@ var handlers = {
     };
   }
 };
-async function handleRpc(requests, storage, config) {
+var UNAUTHENTICATED_METHODS = /* @__PURE__ */ new Set(["generateCredentials", "discover"]);
+async function handleRpc(requests, ctx, storage, config) {
   const responses = [];
+  const clientIp = ctx.req.header("cf-connecting-ip") || // Cloudflare
+  ctx.req.header("x-real-ip") || // Nginx
+  ctx.req.header("x-forwarded-for")?.split(",")[0].trim() || void 0;
+  const name = ctx.req.header("X-Name");
+  const timestampHeader = ctx.req.header("X-Timestamp");
+  const nonce = ctx.req.header("X-Nonce");
+  const signature = ctx.req.header("X-Signature");
+  const timestamp = timestampHeader ? parseInt(timestampHeader, 10) : 0;
+  let totalOperations = 0;
+  for (const request of requests) {
+    const { method, params } = request;
+    if (method === "publishOffer" && params?.offers && Array.isArray(params.offers)) {
+      totalOperations += params.offers.length;
+    } else if (method === "addIceCandidates" && params?.candidates && Array.isArray(params.candidates)) {
+      totalOperations += params.candidates.length;
+    } else {
+      totalOperations += 1;
+    }
+  }
+  if (totalOperations > config.maxTotalOperations) {
+    return requests.map(() => ({
+      success: false,
+      error: `Total operations across batch exceed limit: ${totalOperations} > ${config.maxTotalOperations}`,
+      errorCode: ErrorCodes.BATCH_TOO_LARGE
+    }));
+  }
   for (const request of requests) {
     try {
-      const { method, message, signature, publicKey, params } = request;
+      const { method, params } = request;
       if (!method || typeof method !== "string") {
         responses.push({
           success: false,
-          error: "Missing or invalid method"
+          error: "Missing or invalid method",
+          errorCode: ErrorCodes.INVALID_PARAMS
         });
         continue;
       }
-      if (!message || typeof message !== "string") {
+      const handler = handlers[method];
+      if (!handler) {
         responses.push({
           success: false,
-          error: "Missing or invalid message"
+          error: `Unknown method: ${method}`,
+          errorCode: ErrorCodes.UNKNOWN_METHOD
         });
         continue;
       }
-      if (!signature || typeof signature !== "string") {
+      const requiresAuth = !UNAUTHENTICATED_METHODS.has(method);
+      if (requiresAuth) {
+        if (!name || typeof name !== "string") {
+          responses.push({
+            success: false,
+            error: "Missing or invalid X-Name header",
+            errorCode: ErrorCodes.AUTH_REQUIRED
+          });
+          continue;
+        }
+        if (!timestampHeader || typeof timestampHeader !== "string" || isNaN(timestamp)) {
+          responses.push({
+            success: false,
+            error: "Missing or invalid X-Timestamp header",
+            errorCode: ErrorCodes.AUTH_REQUIRED
+          });
+          continue;
+        }
+        if (!nonce || typeof nonce !== "string") {
+          responses.push({
+            success: false,
+            error: "Missing or invalid X-Nonce header (use crypto.randomUUID())",
+            errorCode: ErrorCodes.AUTH_REQUIRED
+          });
+          continue;
+        }
+        if (!signature || typeof signature !== "string") {
+          responses.push({
+            success: false,
+            error: "Missing or invalid X-Signature header",
+            errorCode: ErrorCodes.AUTH_REQUIRED
+          });
+          continue;
+        }
+        await verifyRequestSignature(
+          name,
+          timestamp,
+          nonce,
+          signature,
+          method,
+          params,
+          storage,
+          config
+        );
+        const result = await handler(
+          params || {},
+          name,
+          timestamp,
+          signature,
+          storage,
+          config,
+          { ...request, clientIp }
+        );
+        responses.push({
+          success: true,
+          result
+        });
+      } else {
+        const result = await handler(
+          params || {},
+          name || "",
+          0,
+          // timestamp
+          "",
+          // signature
+          storage,
+          config,
+          { ...request, clientIp }
+        );
+        responses.push({
+          success: true,
+          result
+        });
+      }
+    } catch (err) {
+      if (err instanceof RpcError) {
         responses.push({
           success: false,
-          error: "Missing or invalid signature"
+          error: err.message,
+          errorCode: err.errorCode
         });
-        continue;
-      }
-      const handler = handlers[method];
-      if (!handler) {
+      } else {
+        console.error("Unexpected RPC error:", err);
         responses.push({
           success: false,
-          error: `Unknown method: ${method}`
+          error: "Internal server error",
+          errorCode: ErrorCodes.INTERNAL_ERROR
         });
-        continue;
       }
-      const result = await handler(
-        params || {},
-        message,
-        signature,
-        publicKey,
-        storage,
-        config
-      );
-      responses.push({
-        success: true,
-        result
-      });
-    } catch (err2) {
-      responses.push({
-        success: false,
-        error: err2.message || "Internal server error"
-      });
     }
   }
   return responses;
 }
 // src/app.ts
-var MAX_BATCH_SIZE = 100;
 function createApp(storage, config) {
   const app = new import_hono.Hono();
   app.use("/*", (0, import_cors.cors)({
@@ -1136,7 +2829,7 @@ function createApp(storage, config) {
       return config.corsOrigins[0];
     },
     allowMethods: ["GET", "POST", "OPTIONS"],
-    allowHeaders: ["Content-Type", "Origin"],
+    allowHeaders: ["Content-Type", "Origin", "X-Name", "X-Timestamp", "X-Nonce", "X-Signature"],
     exposeHeaders: ["Content-Type"],
     credentials: false,
     maxAge: 86400
@@ -1145,7 +2838,7 @@ function createApp(storage, config) {
     return c.json({
       version: config.version,
       name: "Rondevu",
-      description: "WebRTC signaling with RPC interface and Ed25519 authentication"
+      description: "WebRTC signaling with RPC interface and HMAC signature-based authentication"
     }, 200);
   });
   app.get("/health", (c) => {
@@ -1158,21 +2851,38 @@ function createApp(storage, config) {
   app.post("/rpc", async (c) => {
     try {
       const body = await c.req.json();
-      const requests = Array.isArray(body) ? body : [body];
+      if (!Array.isArray(body)) {
+        return c.json([{
+          success: false,
+          error: "Request must be an array of RPC calls",
+          errorCode: "INVALID_PARAMS"
+        }], 400);
+      }
+      const requests = body;
       if (requests.length === 0) {
-        return c.json({ error: "Empty request array" }, 400);
+        return c.json([{
+          success: false,
+          error: "Empty request array",
+          errorCode: "INVALID_PARAMS"
+        }], 400);
       }
-      if (requests.length > MAX_BATCH_SIZE) {
-        return c.json({ error: `Too many requests in batch (max ${MAX_BATCH_SIZE})` }, 400);
+      if (requests.length > config.maxBatchSize) {
+        return c.json([{
+          success: false,
+          error: `Too many requests in batch (max ${config.maxBatchSize})`,
+          errorCode: "BATCH_TOO_LARGE"
+        }], 413);
       }
-      const responses = await handleRpc(requests, storage, config);
-      return c.json(Array.isArray(body) ? responses : responses[0], 200);
-    } catch (err2) {
-      console.error("RPC error:", err2);
-      return c.json({
+      const responses = await handleRpc(requests, c, storage, config);
+      return c.json(responses, 200);
+    } catch (err) {
+      console.error("RPC error:", err);
+      const errorMsg = err instanceof SyntaxError ? "Invalid JSON in request body" : "Request must be valid JSON array";
+      return c.json([{
         success: false,
-        error: "Invalid request format"
-      }, 400);
+        error: errorMsg,
+        errorCode: "INVALID_PARAMS"
+      }], 400);
     }
   });
   app.all("*", (c) => {
@@ -1185,521 +2895,124 @@ function createApp(storage, config) {
 // src/config.ts
 function loadConfig() {
-  return {
-    port: parseInt(process.env.PORT || "3000", 10),
-    storageType: process.env.STORAGE_TYPE || "sqlite",
+  let masterEncryptionKey = process.env.MASTER_ENCRYPTION_KEY;
+  if (!masterEncryptionKey) {
+    const isDevelopment = process.env.NODE_ENV === "development";
+    if (!isDevelopment) {
+      throw new Error(
+        "MASTER_ENCRYPTION_KEY environment variable must be set. Generate with: openssl rand -hex 32\nFor development only, set NODE_ENV=development to use insecure dev key."
+      );
+    }
+    console.error("\u26A0\uFE0F  WARNING: Using insecure deterministic development key");
+    console.error("\u26A0\uFE0F  ONLY use NODE_ENV=development for local development");
+    console.error("\u26A0\uFE0F  Generate production key with: openssl rand -hex 32");
+    masterEncryptionKey = "a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2";
+  }
+  if (masterEncryptionKey.length !== 64 || !/^[0-9a-fA-F]{64}$/.test(masterEncryptionKey)) {
+    throw new Error("MASTER_ENCRYPTION_KEY must be 64-character hex string (32 bytes). Generate with: openssl rand -hex 32");
+  }
+  function parsePositiveInt(value, defaultValue, name, min = 1) {
+    const parsed = parseInt(value || defaultValue, 10);
+    if (isNaN(parsed)) {
+      throw new Error(`${name} must be a valid integer (got: ${value})`);
+    }
+    if (parsed < min) {
+      throw new Error(`${name} must be >= ${min} (got: ${parsed})`);
+    }
+    return parsed;
+  }
+  const config = {
+    port: parsePositiveInt(process.env.PORT, "3000", "PORT", 1),
+    storageType: process.env.STORAGE_TYPE || "memory",
     storagePath: process.env.STORAGE_PATH || ":memory:",
+    databaseUrl: process.env.DATABASE_URL || "",
+    dbPoolSize: parsePositiveInt(process.env.DB_POOL_SIZE, "10", "DB_POOL_SIZE", 1),
     corsOrigins: process.env.CORS_ORIGINS ? process.env.CORS_ORIGINS.split(",").map((o) => o.trim()) : ["*"],
     version: process.env.VERSION || "unknown",
-    offerDefaultTtl: parseInt(process.env.OFFER_DEFAULT_TTL || "60000", 10),
-    offerMaxTtl: parseInt(process.env.OFFER_MAX_TTL || "86400000", 10),
-    offerMinTtl: parseInt(process.env.OFFER_MIN_TTL || "60000", 10),
-    cleanupInterval: parseInt(process.env.CLEANUP_INTERVAL || "60000", 10),
-    maxOffersPerRequest: parseInt(process.env.MAX_OFFERS_PER_REQUEST || "100", 10)
+    offerDefaultTtl: parsePositiveInt(process.env.OFFER_DEFAULT_TTL, "60000", "OFFER_DEFAULT_TTL", 1e3),
+    offerMaxTtl: parsePositiveInt(process.env.OFFER_MAX_TTL, "86400000", "OFFER_MAX_TTL", 1e3),
+    offerMinTtl: parsePositiveInt(process.env.OFFER_MIN_TTL, "60000", "OFFER_MIN_TTL", 1e3),
+    cleanupInterval: parsePositiveInt(process.env.CLEANUP_INTERVAL, "60000", "CLEANUP_INTERVAL", 1e3),
+    maxOffersPerRequest: parsePositiveInt(process.env.MAX_OFFERS_PER_REQUEST, "100", "MAX_OFFERS_PER_REQUEST", 1),
+    maxBatchSize: parsePositiveInt(process.env.MAX_BATCH_SIZE, "100", "MAX_BATCH_SIZE", 1),
+    maxSdpSize: parsePositiveInt(process.env.MAX_SDP_SIZE, String(64 * 1024), "MAX_SDP_SIZE", 1024),
+    // Min 1KB
+    maxCandidateSize: parsePositiveInt(process.env.MAX_CANDIDATE_SIZE, String(4 * 1024), "MAX_CANDIDATE_SIZE", 256),
+    // Min 256 bytes
+    maxCandidateDepth: parsePositiveInt(process.env.MAX_CANDIDATE_DEPTH, "10", "MAX_CANDIDATE_DEPTH", 1),
+    maxCandidatesPerRequest: parsePositiveInt(process.env.MAX_CANDIDATES_PER_REQUEST, "100", "MAX_CANDIDATES_PER_REQUEST", 1),
+    maxTotalOperations: parsePositiveInt(process.env.MAX_TOTAL_OPERATIONS, "1000", "MAX_TOTAL_OPERATIONS", 1),
+    timestampMaxAge: parsePositiveInt(process.env.TIMESTAMP_MAX_AGE, "60000", "TIMESTAMP_MAX_AGE", 1e3),
+    // Min 1 second
+    timestampMaxFuture: parsePositiveInt(process.env.TIMESTAMP_MAX_FUTURE, "60000", "TIMESTAMP_MAX_FUTURE", 1e3),
+    // Min 1 second
+    masterEncryptionKey
   };
+  return config;
 }
-// src/storage/sqlite.ts
-var import_better_sqlite3 = __toESM(require("better-sqlite3"));
-var import_node_crypto = require("node:crypto");
-// src/storage/hash-id.ts
-async function generateOfferHash(sdp) {
-  const sanitizedOffer = {
-    sdp
-  };
-  const jsonString = JSON.stringify(sanitizedOffer);
-  const encoder = new TextEncoder();
-  const data = encoder.encode(jsonString);
-  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-  const hashArray = Array.from(new Uint8Array(hashBuffer));
-  const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
-  return hashHex;
+var CONFIG_DEFAULTS = {
+  offerDefaultTtl: 6e4,
+  offerMaxTtl: 864e5,
+  offerMinTtl: 6e4,
+  cleanupInterval: 6e4,
+  maxOffersPerRequest: 100,
+  maxBatchSize: 100,
+  maxSdpSize: 64 * 1024,
+  maxCandidateSize: 4 * 1024,
+  maxCandidateDepth: 10,
+  maxCandidatesPerRequest: 100,
+  maxTotalOperations: 1e3,
+  timestampMaxAge: 6e4,
+  timestampMaxFuture: 6e4
+};
+async function runCleanup(storage, now) {
+  const offers = await storage.deleteExpiredOffers(now);
+  const credentials = await storage.deleteExpiredCredentials(now);
+  const rateLimits = await storage.deleteExpiredRateLimits(now);
+  const nonces = await storage.deleteExpiredNonces(now);
+  return { offers, credentials, rateLimits, nonces };
 }
-// src/storage/sqlite.ts
-var YEAR_IN_MS = 365 * 24 * 60 * 60 * 1e3;
-var SQLiteStorage = class {
-  /**
-   * Creates a new SQLite storage instance
-   * @param path Path to SQLite database file, or ':memory:' for in-memory database
-   */
-  constructor(path = ":memory:") {
-    this.db = new import_better_sqlite3.default(path);
-    this.initializeDatabase();
-  }
-  /**
-   * Initializes database schema with username and service-based structure
-   */
-  initializeDatabase() {
-    this.db.exec(`
-      -- WebRTC signaling offers
-      CREATE TABLE IF NOT EXISTS offers (
-        id TEXT PRIMARY KEY,
-        username TEXT NOT NULL,
-        service_id TEXT,
-        sdp TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        last_seen INTEGER NOT NULL,
-        answerer_username TEXT,
-        answer_sdp TEXT,
-        answered_at INTEGER,
-        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
-      );
-      CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username);
-      CREATE INDEX IF NOT EXISTS idx_offers_service ON offers(service_id);
-      CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at);
-      CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
-      CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username);
-      -- ICE candidates table
-      CREATE TABLE IF NOT EXISTS ice_candidates (
-        id INTEGER PRIMARY KEY AUTOINCREMENT,
-        offer_id TEXT NOT NULL,
-        username TEXT NOT NULL,
-        role TEXT NOT NULL CHECK(role IN ('offerer', 'answerer')),
-        candidate TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        FOREIGN KEY (offer_id) REFERENCES offers(id) ON DELETE CASCADE
-      );
-      CREATE INDEX IF NOT EXISTS idx_ice_offer ON ice_candidates(offer_id);
-      CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username);
-      CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
-      -- Usernames table
-      CREATE TABLE IF NOT EXISTS usernames (
-        username TEXT PRIMARY KEY,
-        public_key TEXT NOT NULL UNIQUE,
-        claimed_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        last_used INTEGER NOT NULL,
-        metadata TEXT,
-        CHECK(length(username) >= 3 AND length(username) <= 32)
-      );
-      CREATE INDEX IF NOT EXISTS idx_usernames_expires ON usernames(expires_at);
-      CREATE INDEX IF NOT EXISTS idx_usernames_public_key ON usernames(public_key);
-      -- Services table (new schema with extracted fields for discovery)
-      CREATE TABLE IF NOT EXISTS services (
-        id TEXT PRIMARY KEY,
-        service_fqn TEXT NOT NULL,
-        service_name TEXT NOT NULL,
-        version TEXT NOT NULL,
-        username TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-        UNIQUE(service_fqn)
+// src/storage/factory.ts
+async function createStorage(config) {
+  switch (config.type) {
+    case "memory": {
+      const { MemoryStorage: MemoryStorage2 } = await Promise.resolve().then(() => (init_memory(), memory_exports));
+      return new MemoryStorage2(config.masterEncryptionKey);
+    }
+    case "sqlite": {
+      const { SQLiteStorage: SQLiteStorage2 } = await Promise.resolve().then(() => (init_sqlite(), sqlite_exports));
+      return new SQLiteStorage2(
+        config.sqlitePath || ":memory:",
+        config.masterEncryptionKey
       );
-      CREATE INDEX IF NOT EXISTS idx_services_fqn ON services(service_fqn);
-      CREATE INDEX IF NOT EXISTS idx_services_discovery ON services(service_name, version);
-      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
-      CREATE INDEX IF NOT EXISTS idx_services_expires ON services(expires_at);
-    `);
-    this.db.pragma("foreign_keys = ON");
-  }
-  // ===== Offer Management =====
-  async createOffers(offers) {
-    const created = [];
-    const offersWithIds = await Promise.all(
-      offers.map(async (offer) => ({
-        ...offer,
-        id: offer.id || await generateOfferHash(offer.sdp)
-      }))
-    );
-    const transaction = this.db.transaction((offersWithIds2) => {
-      const offerStmt = this.db.prepare(`
-        INSERT INTO offers (id, username, service_id, sdp, created_at, expires_at, last_seen)
-        VALUES (?, ?, ?, ?, ?, ?, ?)
-      `);
-      for (const offer of offersWithIds2) {
-        const now = Date.now();
-        offerStmt.run(
-          offer.id,
-          offer.username,
-          offer.serviceId || null,
-          offer.sdp,
-          now,
-          offer.expiresAt,
-          now
-        );
-        created.push({
-          id: offer.id,
-          username: offer.username,
-          serviceId: offer.serviceId || void 0,
-          serviceFqn: offer.serviceFqn,
-          sdp: offer.sdp,
-          createdAt: now,
-          expiresAt: offer.expiresAt,
-          lastSeen: now
-        });
-      }
-    });
-    transaction(offersWithIds);
-    return created;
-  }
-  async getOffersByUsername(username) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM offers
-      WHERE username = ? AND expires_at > ?
-      ORDER BY last_seen DESC
-    `);
-    const rows = stmt.all(username, Date.now());
-    return rows.map((row) => this.rowToOffer(row));
-  }
-  async getOfferById(offerId) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM offers
-      WHERE id = ? AND expires_at > ?
-    `);
-    const row = stmt.get(offerId, Date.now());
-    if (!row) {
-      return null;
-    }
-    return this.rowToOffer(row);
-  }
-  async deleteOffer(offerId, ownerUsername) {
-    const stmt = this.db.prepare(`
-      DELETE FROM offers
-      WHERE id = ? AND username = ?
-    `);
-    const result = stmt.run(offerId, ownerUsername);
-    return result.changes > 0;
-  }
-  async deleteExpiredOffers(now) {
-    const stmt = this.db.prepare("DELETE FROM offers WHERE expires_at < ?");
-    const result = stmt.run(now);
-    return result.changes;
-  }
-  async answerOffer(offerId, answererUsername, answerSdp) {
-    const offer = await this.getOfferById(offerId);
-    if (!offer) {
-      return {
-        success: false,
-        error: "Offer not found or expired"
-      };
-    }
-    if (offer.answererUsername) {
-      return {
-        success: false,
-        error: "Offer already answered"
-      };
-    }
-    const stmt = this.db.prepare(`
-      UPDATE offers
-      SET answerer_username = ?, answer_sdp = ?, answered_at = ?
-      WHERE id = ? AND answerer_username IS NULL
-    `);
-    const result = stmt.run(answererUsername, answerSdp, Date.now(), offerId);
-    if (result.changes === 0) {
-      return {
-        success: false,
-        error: "Offer already answered (race condition)"
-      };
     }
-    return { success: true };
-  }
-  async getAnsweredOffers(offererUsername) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM offers
-      WHERE username = ? AND answerer_username IS NOT NULL AND expires_at > ?
-      ORDER BY answered_at DESC
-    `);
-    const rows = stmt.all(offererUsername, Date.now());
-    return rows.map((row) => this.rowToOffer(row));
-  }
-  // ===== ICE Candidate Management =====
-  async addIceCandidates(offerId, username, role, candidates) {
-    const stmt = this.db.prepare(`
-      INSERT INTO ice_candidates (offer_id, username, role, candidate, created_at)
-      VALUES (?, ?, ?, ?, ?)
-    `);
-    const baseTimestamp = Date.now();
-    const transaction = this.db.transaction((candidates2) => {
-      for (let i = 0; i < candidates2.length; i++) {
-        stmt.run(
-          offerId,
-          username,
-          role,
-          JSON.stringify(candidates2[i]),
-          baseTimestamp + i
-        );
+    case "mysql": {
+      if (!config.connectionString) {
+        throw new Error("MySQL storage requires DATABASE_URL connection string");
       }
-    });
-    transaction(candidates);
-    return candidates.length;
-  }
-  async getIceCandidates(offerId, targetRole, since) {
-    let query = `
-      SELECT * FROM ice_candidates
-      WHERE offer_id = ? AND role = ?
-    `;
-    const params = [offerId, targetRole];
-    if (since !== void 0) {
-      query += " AND created_at > ?";
-      params.push(since);
-    }
-    query += " ORDER BY created_at ASC";
-    const stmt = this.db.prepare(query);
-    const rows = stmt.all(...params);
-    return rows.map((row) => ({
-      id: row.id,
-      offerId: row.offer_id,
-      username: row.username,
-      role: row.role,
-      candidate: JSON.parse(row.candidate),
-      createdAt: row.created_at
-    }));
-  }
-  // ===== Username Management =====
-  async claimUsername(request) {
-    const now = Date.now();
-    const expiresAt = now + YEAR_IN_MS;
-    const stmt = this.db.prepare(`
-      INSERT INTO usernames (username, public_key, claimed_at, expires_at, last_used, metadata)
-      VALUES (?, ?, ?, ?, ?, NULL)
-      ON CONFLICT(username) DO UPDATE SET
-        expires_at = ?,
-        last_used = ?
-      WHERE public_key = ?
-    `);
-    const result = stmt.run(
-      request.username,
-      request.publicKey,
-      now,
-      expiresAt,
-      now,
-      expiresAt,
-      now,
-      request.publicKey
-    );
-    if (result.changes === 0) {
-      throw new Error("Username already claimed by different public key");
-    }
-    return {
-      username: request.username,
-      publicKey: request.publicKey,
-      claimedAt: now,
-      expiresAt,
-      lastUsed: now
-    };
-  }
-  async getUsername(username) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM usernames
-      WHERE username = ? AND expires_at > ?
-    `);
-    const row = stmt.get(username, Date.now());
-    if (!row) {
-      return null;
-    }
-    return {
-      username: row.username,
-      publicKey: row.public_key,
-      claimedAt: row.claimed_at,
-      expiresAt: row.expires_at,
-      lastUsed: row.last_used,
-      metadata: row.metadata || void 0
-    };
-  }
-  async touchUsername(username) {
-    const now = Date.now();
-    const expiresAt = now + YEAR_IN_MS;
-    const stmt = this.db.prepare(`
-      UPDATE usernames
-      SET last_used = ?, expires_at = ?
-      WHERE username = ? AND expires_at > ?
-    `);
-    const result = stmt.run(now, expiresAt, username, now);
-    return result.changes > 0;
-  }
-  async deleteExpiredUsernames(now) {
-    const stmt = this.db.prepare("DELETE FROM usernames WHERE expires_at < ?");
-    const result = stmt.run(now);
-    return result.changes;
-  }
-  // ===== Service Management =====
-  async createService(request) {
-    const serviceId = (0, import_node_crypto.randomUUID)();
-    const now = Date.now();
-    const parsed = parseServiceFqn(request.serviceFqn);
-    if (!parsed) {
-      throw new Error(`Invalid service FQN: ${request.serviceFqn}`);
-    }
-    if (!parsed.username) {
-      throw new Error(`Service FQN must include username: ${request.serviceFqn}`);
-    }
-    const { serviceName, version, username } = parsed;
-    const transaction = this.db.transaction(() => {
-      const existingService = this.db.prepare(`
-        SELECT id FROM services
-        WHERE service_name = ? AND version = ? AND username = ?
-      `).get(serviceName, version, username);
-      if (existingService) {
-        this.db.prepare(`
-          DELETE FROM offers WHERE service_id = ?
-        `).run(existingService.id);
-        this.db.prepare(`
-          DELETE FROM services WHERE id = ?
-        `).run(existingService.id);
-      }
-      this.db.prepare(`
-        INSERT INTO services (id, service_fqn, service_name, version, username, created_at, expires_at)
-        VALUES (?, ?, ?, ?, ?, ?, ?)
-      `).run(
-        serviceId,
-        request.serviceFqn,
-        serviceName,
-        version,
-        username,
-        now,
-        request.expiresAt
+      const { MySQLStorage: MySQLStorage2 } = await Promise.resolve().then(() => (init_mysql(), mysql_exports));
+      return MySQLStorage2.create(
+        config.connectionString,
+        config.masterEncryptionKey,
+        config.poolSize || 10
       );
-      const expiresAt = now + YEAR_IN_MS;
-      this.db.prepare(`
-        UPDATE usernames
-        SET last_used = ?, expires_at = ?
-        WHERE username = ? AND expires_at > ?
-      `).run(now, expiresAt, username, now);
-    });
-    transaction();
-    const offerRequests = request.offers.map((offer) => ({
-      ...offer,
-      serviceId
-    }));
-    const offers = await this.createOffers(offerRequests);
-    return {
-      service: {
-        id: serviceId,
-        serviceFqn: request.serviceFqn,
-        serviceName,
-        version,
-        username,
-        createdAt: now,
-        expiresAt: request.expiresAt
-      },
-      offers
-    };
-  }
-  async getOffersForService(serviceId) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM offers
-      WHERE service_id = ? AND expires_at > ?
-      ORDER BY created_at ASC
-    `);
-    const rows = stmt.all(serviceId, Date.now());
-    return rows.map((row) => this.rowToOffer(row));
-  }
-  async getServiceById(serviceId) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM services
-      WHERE id = ? AND expires_at > ?
-    `);
-    const row = stmt.get(serviceId, Date.now());
-    if (!row) {
-      return null;
-    }
-    return this.rowToService(row);
-  }
-  async getServiceByFqn(serviceFqn) {
-    const stmt = this.db.prepare(`
-      SELECT * FROM services
-      WHERE service_fqn = ? AND expires_at > ?
-    `);
-    const row = stmt.get(serviceFqn, Date.now());
-    if (!row) {
-      return null;
     }
-    return this.rowToService(row);
-  }
-  async discoverServices(serviceName, version, limit, offset) {
-    const stmt = this.db.prepare(`
-      SELECT DISTINCT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY s.created_at DESC
-      LIMIT ? OFFSET ?
-    `);
-    const rows = stmt.all(serviceName, version, Date.now(), Date.now(), limit, offset);
-    return rows.map((row) => this.rowToService(row));
-  }
-  async getRandomService(serviceName, version) {
-    const stmt = this.db.prepare(`
-      SELECT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY RANDOM()
-      LIMIT 1
-    `);
-    const row = stmt.get(serviceName, version, Date.now(), Date.now());
-    if (!row) {
-      return null;
+    case "postgres": {
+      if (!config.connectionString) {
+        throw new Error("PostgreSQL storage requires DATABASE_URL connection string");
+      }
+      const { PostgreSQLStorage: PostgreSQLStorage2 } = await Promise.resolve().then(() => (init_postgres(), postgres_exports));
+      return PostgreSQLStorage2.create(
+        config.connectionString,
+        config.masterEncryptionKey,
+        config.poolSize || 10
+      );
     }
-    return this.rowToService(row);
-  }
-  async deleteService(serviceId, username) {
-    const stmt = this.db.prepare(`
-      DELETE FROM services
-      WHERE id = ? AND username = ?
-    `);
-    const result = stmt.run(serviceId, username);
-    return result.changes > 0;
-  }
-  async deleteExpiredServices(now) {
-    const stmt = this.db.prepare("DELETE FROM services WHERE expires_at < ?");
-    const result = stmt.run(now);
-    return result.changes;
-  }
-  async close() {
-    this.db.close();
+    default:
+      throw new Error(`Unsupported storage type: ${config.type}`);
   }
-  // ===== Helper Methods =====
-  /**
-   * Helper method to convert database row to Offer object
-   */
-  rowToOffer(row) {
-    return {
-      id: row.id,
-      username: row.username,
-      serviceId: row.service_id || void 0,
-      serviceFqn: row.service_fqn || void 0,
-      sdp: row.sdp,
-      createdAt: row.created_at,
-      expiresAt: row.expires_at,
-      lastSeen: row.last_seen,
-      answererUsername: row.answerer_username || void 0,
-      answerSdp: row.answer_sdp || void 0,
-      answeredAt: row.answered_at || void 0
-    };
-  }
-  /**
-   * Helper method to convert database row to Service object
-   */
-  rowToService(row) {
-    return {
-      id: row.id,
-      serviceFqn: row.service_fqn,
-      serviceName: row.service_name,
-      version: row.version,
-      username: row.username,
-      createdAt: row.created_at,
-      expiresAt: row.expires_at
-    };
-  }
-};
+}
 // src/index.ts
 async function main() {
@@ -1708,31 +3021,30 @@ async function main() {
   console.log("Configuration:", {
     port: config.port,
     storageType: config.storageType,
-    storagePath: config.storagePath,
+    storagePath: config.storageType === "sqlite" ? config.storagePath : void 0,
+    databaseUrl: config.databaseUrl ? "[configured]" : void 0,
+    dbPoolSize: ["mysql", "postgres"].includes(config.storageType) ? config.dbPoolSize : void 0,
     offerDefaultTtl: `${config.offerDefaultTtl}ms`,
-    offerMaxTtl: `${config.offerMaxTtl}ms`,
-    offerMinTtl: `${config.offerMinTtl}ms`,
     cleanupInterval: `${config.cleanupInterval}ms`,
-    maxOffersPerRequest: config.maxOffersPerRequest,
-    corsOrigins: config.corsOrigins,
     version: config.version
   });
-  let storage;
-  if (config.storageType === "sqlite") {
-    storage = new SQLiteStorage(config.storagePath);
-    console.log("Using SQLite storage");
-  } else {
-    throw new Error("Unsupported storage type");
-  }
-  const cleanupInterval = setInterval(async () => {
+  const storage = await createStorage({
+    type: config.storageType,
+    masterEncryptionKey: config.masterEncryptionKey,
+    sqlitePath: config.storagePath,
+    connectionString: config.databaseUrl,
+    poolSize: config.dbPoolSize
+  });
+  console.log(`Using ${config.storageType} storage`);
+  const cleanupTimer = setInterval(async () => {
     try {
-      const now = Date.now();
-      const deleted = await storage.deleteExpiredOffers(now);
-      if (deleted > 0) {
-        console.log(`Cleanup: Deleted ${deleted} expired offer(s)`);
+      const result = await runCleanup(storage, Date.now());
+      const total = result.offers + result.credentials + result.rateLimits + result.nonces;
+      if (total > 0) {
+        console.log(`Cleanup: ${result.offers} offers, ${result.credentials} credentials, ${result.rateLimits} rate limits, ${result.nonces} nonces`);
       }
-    } catch (err2) {
-      console.error("Cleanup error:", err2);
+    } catch (err) {
+      console.error("Cleanup error:", err);
     }
   }, config.cleanupInterval);
   const app = createApp(storage, config);
@@ -1744,20 +3056,15 @@ async function main() {
   console.log("Ready to accept connections");
   const shutdown = async () => {
     console.log("\nShutting down gracefully...");
-    clearInterval(cleanupInterval);
+    clearInterval(cleanupTimer);
     await storage.close();
     process.exit(0);
   };
   process.on("SIGINT", shutdown);
   process.on("SIGTERM", shutdown);
 }
-main().catch((err2) => {
-  console.error("Fatal error:", err2);
+main().catch((err) => {
+  console.error("Fatal error:", err);
   process.exit(1);
 });
-/*! Bundled license information:
-@noble/ed25519/index.js:
-  (*! noble-ed25519 - MIT License (c) 2019 Paul Miller (paulmillr.com) *)
-*/
 //# sourceMappingURL=index.js.map