@xtr-dev/rondevu-server 0.5.1 → 0.5.7

package/src/storage/sqlite.ts

@@ -1,58 +1,55 @@
 import Database from 'better-sqlite3';
-import { randomUUID } from 'node:crypto';
 import {
   Storage,
   Offer,
   IceCandidate,
   CreateOfferRequest,
-  Username,
-  ClaimUsernameRequest,
-  Service,
-  CreateServiceRequest,
+  Credential,
+  GenerateCredentialsRequest,
 } from './types.ts';
 import { generateOfferHash } from './hash-id.ts';
-import { parseServiceFqn } from '../crypto.ts';
 
 const YEAR_IN_MS = 365 * 24 * 60 * 60 * 1000; // 365 days
 
 /**
- * SQLite storage adapter for rondevu DNS-like system
+ * SQLite storage adapter for rondevu signaling system
  * Supports both file-based and in-memory databases
  */
 export class SQLiteStorage implements Storage {
   private db: Database.Database;
+  private masterEncryptionKey: string;
 
   /**
    * Creates a new SQLite storage instance
    * @param path Path to SQLite database file, or ':memory:' for in-memory database
+   * @param masterEncryptionKey 64-char hex string for encrypting secrets (32 bytes)
    */
-  constructor(path: string = ':memory:') {
+  constructor(path: string = ':memory:', masterEncryptionKey: string) {
     this.db = new Database(path);
+    this.masterEncryptionKey = masterEncryptionKey;
     this.initializeDatabase();
   }
 
   /**
-   * Initializes database schema with username and service-based structure
+   * Initializes database schema with tags-based offers
    */
   private initializeDatabase(): void {
     this.db.exec(`
-      -- WebRTC signaling offers
+      -- WebRTC signaling offers with tags
       CREATE TABLE IF NOT EXISTS offers (
         id TEXT PRIMARY KEY,
         username TEXT NOT NULL,
-        service_id TEXT,
+        tags TEXT NOT NULL,
         sdp TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         last_seen INTEGER NOT NULL,
         answerer_username TEXT,
         answer_sdp TEXT,
-        answered_at INTEGER,
-        FOREIGN KEY (service_id) REFERENCES services(id) ON DELETE CASCADE
+        answered_at INTEGER
       );
 
       CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username);
-      CREATE INDEX IF NOT EXISTS idx_offers_service ON offers(service_id);
       CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at);
       CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
       CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username);
@@ -72,37 +69,35 @@ export class SQLiteStorage implements Storage {
       CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username);
       CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
 
-      -- Usernames table
-      CREATE TABLE IF NOT EXISTS usernames (
-        username TEXT PRIMARY KEY,
-        public_key TEXT NOT NULL UNIQUE,
-        claimed_at INTEGER NOT NULL,
+      -- Credentials table (replaces usernames with simpler name + secret auth)
+      CREATE TABLE IF NOT EXISTS credentials (
+        name TEXT PRIMARY KEY,
+        secret TEXT NOT NULL UNIQUE,
+        created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         last_used INTEGER NOT NULL,
-        metadata TEXT,
-        CHECK(length(username) >= 3 AND length(username) <= 32)
+        CHECK(length(name) >= 3 AND length(name) <= 32)
       );
 
-      CREATE INDEX IF NOT EXISTS idx_usernames_expires ON usernames(expires_at);
-      CREATE INDEX IF NOT EXISTS idx_usernames_public_key ON usernames(public_key);
+      CREATE INDEX IF NOT EXISTS idx_credentials_expires ON credentials(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_credentials_secret ON credentials(secret);
 
-      -- Services table (new schema with extracted fields for discovery)
-      CREATE TABLE IF NOT EXISTS services (
-        id TEXT PRIMARY KEY,
-        service_fqn TEXT NOT NULL,
-        service_name TEXT NOT NULL,
-        version TEXT NOT NULL,
-        username TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-        UNIQUE(service_fqn)
+      -- Rate limits table (for distributed rate limiting)
+      CREATE TABLE IF NOT EXISTS rate_limits (
+        identifier TEXT PRIMARY KEY,
+        count INTEGER NOT NULL,
+        reset_time INTEGER NOT NULL
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_rate_limits_reset ON rate_limits(reset_time);
+
+      -- Nonces table (for replay attack prevention)
+      CREATE TABLE IF NOT EXISTS nonces (
+        nonce_key TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
       );
 
-      CREATE INDEX IF NOT EXISTS idx_services_fqn ON services(service_fqn);
-      CREATE INDEX IF NOT EXISTS idx_services_discovery ON services(service_name, version);
-      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
-      CREATE INDEX IF NOT EXISTS idx_services_expires ON services(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_nonces_expires ON nonces(expires_at);
     `);
 
     // Enable foreign keys
@@ -125,18 +120,18 @@ export class SQLiteStorage implements Storage {
     // Use transaction for atomic creation
     const transaction = this.db.transaction((offersWithIds: (CreateOfferRequest & { id: string })[]) => {
       const offerStmt = this.db.prepare(`
-        INSERT INTO offers (id, username, service_id, sdp, created_at, expires_at, last_seen)
+        INSERT INTO offers (id, username, tags, sdp, created_at, expires_at, last_seen)
         VALUES (?, ?, ?, ?, ?, ?, ?)
       `);
 
       for (const offer of offersWithIds) {
         const now = Date.now();
 
-        // Insert offer
+        // Insert offer with JSON-serialized tags
         offerStmt.run(
           offer.id,
           offer.username,
-          offer.serviceId || null,
+          JSON.stringify(offer.tags),
           offer.sdp,
           now,
           offer.expiresAt,
@@ -146,8 +141,7 @@ export class SQLiteStorage implements Storage {
         created.push({
           id: offer.id,
           username: offer.username,
-          serviceId: offer.serviceId || undefined,
-          serviceFqn: offer.serviceFqn,
+          tags: offer.tags,
           sdp: offer.sdp,
           createdAt: now,
           expiresAt: offer.expiresAt,
@@ -255,6 +249,88 @@ export class SQLiteStorage implements Storage {
     return rows.map(row => this.rowToOffer(row));
   }
 
+  async getOffersAnsweredBy(answererUsername: string): Promise<Offer[]> {
+    const stmt = this.db.prepare(`
+      SELECT * FROM offers
+      WHERE answerer_username = ? AND expires_at > ?
+      ORDER BY answered_at DESC
+    `);
+
+    const rows = stmt.all(answererUsername, Date.now()) as any[];
+    return rows.map(row => this.rowToOffer(row));
+  }
+
+  // ===== Discovery =====
+
+  async discoverOffers(
+    tags: string[],
+    excludeUsername: string | null,
+    limit: number,
+    offset: number
+  ): Promise<Offer[]> {
+    if (tags.length === 0) {
+      return [];
+    }
+
+    // Build query with JSON tag matching (OR logic)
+    // SQLite: Use json_each() to expand tags array and check if any tag matches
+    const placeholders = tags.map(() => '?').join(',');
+
+    let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+
+    const params: any[] = [...tags, Date.now()];
+
+    if (excludeUsername) {
+      query += ' AND o.username != ?';
+      params.push(excludeUsername);
+    }
+
+    query += ' ORDER BY o.created_at DESC LIMIT ? OFFSET ?';
+    params.push(limit, offset);
+
+    const stmt = this.db.prepare(query);
+    const rows = stmt.all(...params) as any[];
+    return rows.map(row => this.rowToOffer(row));
+  }
+
+  async getRandomOffer(
+    tags: string[],
+    excludeUsername: string | null
+  ): Promise<Offer | null> {
+    if (tags.length === 0) {
+      return null;
+    }
+
+    // Build query with JSON tag matching (OR logic)
+    const placeholders = tags.map(() => '?').join(',');
+
+    let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+
+    const params: any[] = [...tags, Date.now()];
+
+    if (excludeUsername) {
+      query += ' AND o.username != ?';
+      params.push(excludeUsername);
+    }
+
+    query += ' ORDER BY RANDOM() LIMIT 1';
+
+    const stmt = this.db.prepare(query);
+    const row = stmt.get(...params) as any;
+
+    return row ? this.rowToOffer(row) : null;
+  }
+
   // ===== ICE Candidate Management =====
 
   async addIceCandidates(
@@ -317,273 +393,247 @@ export class SQLiteStorage implements Storage {
     }));
   }
 
-  // ===== Username Management =====
-
-  async claimUsername(request: ClaimUsernameRequest): Promise<Username> {
-    const now = Date.now();
-    const expiresAt = now + YEAR_IN_MS;
+  async getIceCandidatesForMultipleOffers(
+    offerIds: string[],
+    username: string,
+    since?: number
+  ): Promise<Map<string, IceCandidate[]>> {
+    const result = new Map<string, IceCandidate[]>();
 
-    // Try to insert or update
-    const stmt = this.db.prepare(`
-      INSERT INTO usernames (username, public_key, claimed_at, expires_at, last_used, metadata)
-      VALUES (?, ?, ?, ?, ?, NULL)
-      ON CONFLICT(username) DO UPDATE SET
-        expires_at = ?,
-        last_used = ?
-      WHERE public_key = ?
-    `);
+    // Return empty map if no offer IDs provided
+    if (offerIds.length === 0) {
+      return result;
+    }
 
-    const result = stmt.run(
-      request.username,
-      request.publicKey,
-      now,
-      expiresAt,
-      now,
-      expiresAt,
-      now,
-      request.publicKey
-    );
+    // Validate array contains only strings
+    if (!Array.isArray(offerIds) || !offerIds.every(id => typeof id === 'string')) {
+      throw new Error('Invalid offer IDs: must be array of strings');
+    }
 
-    if (result.changes === 0) {
-      throw new Error('Username already claimed by different public key');
+    // Prevent DoS attacks from extremely large IN clauses
+    if (offerIds.length > 1000) {
+      throw new Error('Too many offer IDs (max 1000)');
     }
 
-    return {
-      username: request.username,
-      publicKey: request.publicKey,
-      claimedAt: now,
-      expiresAt,
-      lastUsed: now,
-    };
-  }
+    // Build query that fetches candidates from the OTHER peer only
+    // For each offer, determine if user is offerer or answerer and get opposite role
+    const placeholders = offerIds.map(() => '?').join(',');
 
-  async getUsername(username: string): Promise<Username | null> {
-    const stmt = this.db.prepare(`
-      SELECT * FROM usernames
-      WHERE username = ? AND expires_at > ?
-    `);
+    let query = `
+      SELECT ic.*, o.username as offer_username
+      FROM ice_candidates ic
+      INNER JOIN offers o ON o.id = ic.offer_id
+      WHERE ic.offer_id IN (${placeholders})
+      AND (
+        (o.username = ? AND ic.role = 'answerer')
+        OR (o.answerer_username = ? AND ic.role = 'offerer')
+      )
+    `;
 
-    const row = stmt.get(username, Date.now()) as any;
+    const params: any[] = [...offerIds, username, username];
 
-    if (!row) {
-      return null;
+    if (since !== undefined) {
+      query += ' AND ic.created_at > ?';
+      params.push(since);
     }
 
-    return {
-      username: row.username,
-      publicKey: row.public_key,
-      claimedAt: row.claimed_at,
-      expiresAt: row.expires_at,
-      lastUsed: row.last_used,
-      metadata: row.metadata || undefined,
-    };
-  }
+    query += ' ORDER BY ic.created_at ASC';
 
-  async touchUsername(username: string): Promise<boolean> {
-    const now = Date.now();
-    const expiresAt = now + YEAR_IN_MS;
+    const stmt = this.db.prepare(query);
+    const rows = stmt.all(...params) as any[];
 
-    const stmt = this.db.prepare(`
-      UPDATE usernames
-      SET last_used = ?, expires_at = ?
-      WHERE username = ? AND expires_at > ?
-    `);
+    // Group candidates by offer_id
+    for (const row of rows) {
+      const candidate: IceCandidate = {
+        id: row.id,
+        offerId: row.offer_id,
+        username: row.username,
+        role: row.role,
+        candidate: JSON.parse(row.candidate),
+        createdAt: row.created_at,
+      };
 
-    const result = stmt.run(now, expiresAt, username, now);
-    return result.changes > 0;
-  }
+      if (!result.has(row.offer_id)) {
+        result.set(row.offer_id, []);
+      }
+      result.get(row.offer_id)!.push(candidate);
+    }
 
-  async deleteExpiredUsernames(now: number): Promise<number> {
-    const stmt = this.db.prepare('DELETE FROM usernames WHERE expires_at < ?');
-    const result = stmt.run(now);
-    return result.changes;
+    return result;
   }
 
-  // ===== Service Management =====
+  // ===== Credential Management =====
 
-  async createService(request: CreateServiceRequest): Promise<{
-    service: Service;
-    offers: Offer[];
-  }> {
-    const serviceId = randomUUID();
+  async generateCredentials(request: GenerateCredentialsRequest): Promise<Credential> {
     const now = Date.now();
+    const expiresAt = request.expiresAt || (now + YEAR_IN_MS);
 
-    // Parse FQN to extract components
-    const parsed = parseServiceFqn(request.serviceFqn);
-    if (!parsed) {
-      throw new Error(`Invalid service FQN: ${request.serviceFqn}`);
-    }
-    if (!parsed.username) {
-      throw new Error(`Service FQN must include username: ${request.serviceFqn}`);
-    }
+    const { generateCredentialName, generateSecret } = await import('../crypto.ts');
 
-    const { serviceName, version, username } = parsed;
-
-    const transaction = this.db.transaction(() => {
-      // Delete existing service with same (service_name, version, username) and its related offers (upsert behavior)
-      const existingService = this.db.prepare(`
-        SELECT id FROM services
-        WHERE service_name = ? AND version = ? AND username = ?
-      `).get(serviceName, version, username) as any;
-
-      if (existingService) {
-        // Delete related offers first (no FK cascade from offers to services)
-        this.db.prepare(`
-          DELETE FROM offers WHERE service_id = ?
-        `).run(existingService.id);
-
-        // Delete the service
-        this.db.prepare(`
-          DELETE FROM services WHERE id = ?
-        `).run(existingService.id);
+    let name: string;
+
+    if (request.name) {
+      // User requested specific username - check if available
+      const existing = this.db.prepare(`
+        SELECT name FROM credentials WHERE name = ?
+      `).get(request.name);
+
+      if (existing) {
+        throw new Error('Username already taken');
       }
 
-      // Insert new service with extracted fields
-      this.db.prepare(`
-        INSERT INTO services (id, service_fqn, service_name, version, username, created_at, expires_at)
-        VALUES (?, ?, ?, ?, ?, ?, ?)
-      `).run(
-        serviceId,
-        request.serviceFqn,
-        serviceName,
-        version,
-        username,
-        now,
-        request.expiresAt
-      );
+      name = request.name;
+    } else {
+      // Generate random name - retry until unique
+      let attempts = 0;
+      const maxAttempts = 100;
 
-      // Touch username to extend expiry (inline logic)
-      const expiresAt = now + YEAR_IN_MS;
-      this.db.prepare(`
-        UPDATE usernames
-        SET last_used = ?, expires_at = ?
-        WHERE username = ? AND expires_at > ?
-      `).run(now, expiresAt, username, now);
-    });
+      while (attempts < maxAttempts) {
+        name = generateCredentialName();
 
-    transaction();
+        const existing = this.db.prepare(`
+          SELECT name FROM credentials WHERE name = ?
+        `).get(name);
 
-    // Create offers with serviceId (after transaction)
-    const offerRequests = request.offers.map(offer => ({
-      ...offer,
-      serviceId,
-    }));
-    const offers = await this.createOffers(offerRequests);
+        if (!existing) {
+          break;
+        }
 
-    return {
-      service: {
-        id: serviceId,
-        serviceFqn: request.serviceFqn,
-        serviceName,
-        version,
-        username,
-        createdAt: now,
-        expiresAt: request.expiresAt,
-      },
-      offers,
-    };
-  }
+        attempts++;
+      }
 
-  async getOffersForService(serviceId: string): Promise<Offer[]> {
-    const stmt = this.db.prepare(`
-      SELECT * FROM offers
-      WHERE service_id = ? AND expires_at > ?
-      ORDER BY created_at ASC
-    `);
+      if (attempts >= maxAttempts) {
+        throw new Error(`Failed to generate unique credential name after ${maxAttempts} attempts`);
+      }
+    }
 
-    const rows = stmt.all(serviceId, Date.now()) as any[];
-    return rows.map(row => this.rowToOffer(row));
-  }
+    const secret = generateSecret();
 
-  async getServiceById(serviceId: string): Promise<Service | null> {
+    // Encrypt secret before storing (AES-256-GCM)
+    const { encryptSecret } = await import('../crypto.ts');
+    const encryptedSecret = await encryptSecret(secret, this.masterEncryptionKey);
+
+    // Insert credential with encrypted secret
     const stmt = this.db.prepare(`
-      SELECT * FROM services
-      WHERE id = ? AND expires_at > ?
+      INSERT INTO credentials (name, secret, created_at, expires_at, last_used)
+      VALUES (?, ?, ?, ?, ?)
     `);
 
-    const row = stmt.get(serviceId, Date.now()) as any;
-
-    if (!row) {
-      return null;
-    }
+    stmt.run(name!, encryptedSecret, now, expiresAt, now);
 
-    return this.rowToService(row);
+    // Return plaintext secret to user (only time they'll see it)
+    return {
+      name: name!,
+      secret, // Return plaintext secret, not encrypted
+      createdAt: now,
+      expiresAt,
+      lastUsed: now,
+    };
   }
 
-  async getServiceByFqn(serviceFqn: string): Promise<Service | null> {
+  async getCredential(name: string): Promise<Credential | null> {
     const stmt = this.db.prepare(`
-      SELECT * FROM services
-      WHERE service_fqn = ? AND expires_at > ?
+      SELECT * FROM credentials
+      WHERE name = ? AND expires_at > ?
     `);
 
-    const row = stmt.get(serviceFqn, Date.now()) as any;
+    const row = stmt.get(name, Date.now()) as any;
 
     if (!row) {
       return null;
     }
 
-    return this.rowToService(row);
+    // Decrypt secret before returning
+    // If decryption fails (e.g., master key rotated), treat as credential not found
+    try {
+      const { decryptSecret } = await import('../crypto.ts');
+      const decryptedSecret = await decryptSecret(row.secret, this.masterEncryptionKey);
+
+      return {
+        name: row.name,
+        secret: decryptedSecret, // Return decrypted secret
+        createdAt: row.created_at,
+        expiresAt: row.expires_at,
+        lastUsed: row.last_used,
+      };
+    } catch (error) {
+      console.error(`Failed to decrypt secret for credential '${name}':`, error);
+      return null; // Treat as credential not found (fail-safe behavior)
+    }
   }
 
-  async discoverServices(
-    serviceName: string,
-    version: string,
-    limit: number,
-    offset: number
-  ): Promise<Service[]> {
-    // Query for unique services with available offers
-    // We join with offers and filter for available ones (answerer_username IS NULL)
+  async updateCredentialUsage(name: string, lastUsed: number, expiresAt: number): Promise<void> {
     const stmt = this.db.prepare(`
-      SELECT DISTINCT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY s.created_at DESC
-      LIMIT ? OFFSET ?
+      UPDATE credentials
+      SET last_used = ?, expires_at = ?
+      WHERE name = ?
     `);
 
-    const rows = stmt.all(serviceName, version, Date.now(), Date.now(), limit, offset) as any[];
-    return rows.map(row => this.rowToService(row));
+    stmt.run(lastUsed, expiresAt, name);
   }
 
-  async getRandomService(serviceName: string, version: string): Promise<Service | null> {
-    // Get a random service with an available offer
-    const stmt = this.db.prepare(`
-      SELECT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY RANDOM()
-      LIMIT 1
-    `);
+  async deleteExpiredCredentials(now: number): Promise<number> {
+    const stmt = this.db.prepare('DELETE FROM credentials WHERE expires_at < ?');
+    const result = stmt.run(now);
+    return result.changes;
+  }
 
-    const row = stmt.get(serviceName, version, Date.now(), Date.now()) as any;
+  // ===== Rate Limiting =====
 
-    if (!row) {
-      return null;
-    }
+  async checkRateLimit(identifier: string, limit: number, windowMs: number): Promise<boolean> {
+    const now = Date.now();
+    const resetTime = now + windowMs;
+
+    // Atomic UPSERT: Insert or increment count, reset if expired
+    // This prevents TOCTOU race conditions by doing check+increment in single operation
+    const result = this.db.prepare(`
+      INSERT INTO rate_limits (identifier, count, reset_time)
+      VALUES (?, 1, ?)
+      ON CONFLICT(identifier) DO UPDATE SET
+        count = CASE
+          WHEN reset_time < ? THEN 1
+          ELSE count + 1
+        END,
+        reset_time = CASE
+          WHEN reset_time < ? THEN ?
+          ELSE reset_time
+        END
+      RETURNING count
+    `).get(identifier, resetTime, now, now, resetTime) as { count: number };
+
+    // Check if limit exceeded
+    return result.count <= limit;
+  }
 
-    return this.rowToService(row);
+  async deleteExpiredRateLimits(now: number): Promise<number> {
+    const stmt = this.db.prepare('DELETE FROM rate_limits WHERE reset_time < ?');
+    const result = stmt.run(now);
+    return result.changes;
   }
 
-  async deleteService(serviceId: string, username: string): Promise<boolean> {
-    const stmt = this.db.prepare(`
-      DELETE FROM services
-      WHERE id = ? AND username = ?
-    `);
+  // ===== Nonce Tracking (Replay Protection) =====
 
-    const result = stmt.run(serviceId, username);
-    return result.changes > 0;
+  async checkAndMarkNonce(nonceKey: string, expiresAt: number): Promise<boolean> {
+    try {
+      // Atomic INSERT - if nonce already exists, this will fail with UNIQUE constraint
+      // This prevents replay attacks by ensuring each nonce is only used once
+      const stmt = this.db.prepare(`
+        INSERT INTO nonces (nonce_key, expires_at)
+        VALUES (?, ?)
+      `);
+      stmt.run(nonceKey, expiresAt);
+      return true; // Nonce is new, request allowed
+    } catch (error: any) {
+      // SQLITE_CONSTRAINT error code for UNIQUE constraint violation
+      if (error?.code === 'SQLITE_CONSTRAINT') {
+        return false; // Nonce already used, replay attack detected
+      }
+      throw error; // Other errors should propagate
+    }
   }
 
-  async deleteExpiredServices(now: number): Promise<number> {
-    const stmt = this.db.prepare('DELETE FROM services WHERE expires_at < ?');
+  async deleteExpiredNonces(now: number): Promise<number> {
+    const stmt = this.db.prepare('DELETE FROM nonces WHERE expires_at < ?');
     const result = stmt.run(now);
     return result.changes;
   }
@@ -592,6 +642,28 @@ export class SQLiteStorage implements Storage {
     this.db.close();
   }
 
+  // ===== Count Methods (for resource limits) =====
+
+  async getOfferCount(): Promise<number> {
+    const result = this.db.prepare('SELECT COUNT(*) as count FROM offers').get() as { count: number };
+    return result.count;
+  }
+
+  async getOfferCountByUsername(username: string): Promise<number> {
+    const result = this.db.prepare('SELECT COUNT(*) as count FROM offers WHERE username = ?').get(username) as { count: number };
+    return result.count;
+  }
+
+  async getCredentialCount(): Promise<number> {
+    const result = this.db.prepare('SELECT COUNT(*) as count FROM credentials').get() as { count: number };
+    return result.count;
+  }
+
+  async getIceCandidateCount(offerId: string): Promise<number> {
+    const result = this.db.prepare('SELECT COUNT(*) as count FROM ice_candidates WHERE offer_id = ?').get(offerId) as { count: number };
+    return result.count;
+  }
+
   // ===== Helper Methods =====
 
   /**
@@ -601,8 +673,7 @@ export class SQLiteStorage implements Storage {
     return {
       id: row.id,
       username: row.username,
-      serviceId: row.service_id || undefined,
-      serviceFqn: row.service_fqn || undefined,
+      tags: JSON.parse(row.tags),
       sdp: row.sdp,
       createdAt: row.created_at,
       expiresAt: row.expires_at,
@@ -612,19 +683,4 @@ export class SQLiteStorage implements Storage {
       answeredAt: row.answered_at || undefined,
     };
   }
-
-  /**
-   * Helper method to convert database row to Service object
-   */
-  private rowToService(row: any): Service {
-    return {
-      id: row.id,
-      serviceFqn: row.service_fqn,
-      serviceName: row.service_name,
-      version: row.version,
-      username: row.username,
-      createdAt: row.created_at,
-      expiresAt: row.expires_at,
-    };
-  }
 }