npm - @xtr-dev/rondevu-server - Versions diffs - 0.5.1 → 0.5.7 - Mend

@xtr-dev/rondevu-server 0.5.1 → 0.5.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/.github/workflows/claude-code-review.yml +57 -0
package/.github/workflows/claude.yml +50 -0
package/.idea/modules.xml +8 -0
package/.idea/rondevu-server.iml +8 -0
package/.idea/workspace.xml +17 -0
package/README.md +80 -199
package/build.js +4 -1
package/dist/index.js +2891 -1446
package/dist/index.js.map +4 -4
package/migrations/fresh_schema.sql +36 -41
package/package.json +10 -4
package/src/app.ts +38 -18
package/src/config.ts +183 -9
package/src/crypto.ts +361 -263
package/src/index.ts +20 -25
package/src/rpc.ts +714 -403
package/src/storage/d1.ts +338 -263
package/src/storage/factory.ts +69 -0
package/src/storage/hash-id.ts +13 -9
package/src/storage/memory.ts +579 -0
package/src/storage/mysql.ts +616 -0
package/src/storage/postgres.ts +623 -0
package/src/storage/schemas/mysql.sql +59 -0
package/src/storage/schemas/postgres.sql +64 -0
package/src/storage/sqlite.ts +325 -269
package/src/storage/types.ts +137 -109
package/src/worker.ts +15 -34
package/tests/integration/api.test.ts +395 -0
package/tests/integration/setup.ts +170 -0
package/wrangler.toml +25 -26
package/ADVANCED.md +0 -502

package/src/storage/d1.ts CHANGED Viewed

@@ -4,41 +4,41 @@ import {
   Offer,
   IceCandidate,
   CreateOfferRequest,
-  Username,
-  ClaimUsernameRequest,
-  Service,
-  CreateServiceRequest,
+  Credential,
+  GenerateCredentialsRequest,
 } from './types.ts';
 import { generateOfferHash } from './hash-id.ts';
-import { parseServiceFqn } from '../crypto.ts';
 const YEAR_IN_MS = 365 * 24 * 60 * 60 * 1000; // 365 days
 /**
- * D1 storage adapter for rondevu DNS-like system using Cloudflare D1
+ * D1 storage adapter for rondevu signaling system using Cloudflare D1
  */
 export class D1Storage implements Storage {
   private db: D1Database;
+  private masterEncryptionKey: string;
   /**
    * Creates a new D1 storage instance
    * @param db D1Database instance from Cloudflare Workers environment
+   * @param masterEncryptionKey 64-char hex string for encrypting secrets (32 bytes)
    */
-  constructor(db: D1Database) {
+  constructor(db: D1Database, masterEncryptionKey: string) {
     this.db = db;
+    this.masterEncryptionKey = masterEncryptionKey;
   }
   /**
-   * Initializes database schema with username and service-based structure
+   * Initializes database schema with tags-based offers
    * This should be run once during setup, not on every request
    */
   async initializeDatabase(): Promise<void> {
     await this.db.exec(`
-      -- WebRTC signaling offers
+      -- WebRTC signaling offers with tags
       CREATE TABLE IF NOT EXISTS offers (
         id TEXT PRIMARY KEY,
         username TEXT NOT NULL,
-        service_id TEXT,
+        tags TEXT NOT NULL,
         sdp TEXT NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
@@ -49,7 +49,6 @@ export class D1Storage implements Storage {
       );
       CREATE INDEX IF NOT EXISTS idx_offers_username ON offers(username);
-      CREATE INDEX IF NOT EXISTS idx_offers_service ON offers(service_id);
       CREATE INDEX IF NOT EXISTS idx_offers_expires ON offers(expires_at);
       CREATE INDEX IF NOT EXISTS idx_offers_last_seen ON offers(last_seen);
       CREATE INDEX IF NOT EXISTS idx_offers_answerer ON offers(answerer_username);
@@ -69,37 +68,35 @@ export class D1Storage implements Storage {
       CREATE INDEX IF NOT EXISTS idx_ice_username ON ice_candidates(username);
       CREATE INDEX IF NOT EXISTS idx_ice_created ON ice_candidates(created_at);
-      -- Usernames table
-      CREATE TABLE IF NOT EXISTS usernames (
-        username TEXT PRIMARY KEY,
-        public_key TEXT NOT NULL UNIQUE,
-        claimed_at INTEGER NOT NULL,
+      -- Credentials table (replaces usernames with simpler name + secret auth)
+      CREATE TABLE IF NOT EXISTS credentials (
+        name TEXT PRIMARY KEY,
+        secret TEXT NOT NULL UNIQUE,
+        created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         last_used INTEGER NOT NULL,
-        metadata TEXT,
-        CHECK(length(username) >= 3 AND length(username) <= 32)
+        CHECK(length(name) >= 3 AND length(name) <= 32)
       );
-      CREATE INDEX IF NOT EXISTS idx_usernames_expires ON usernames(expires_at);
-      CREATE INDEX IF NOT EXISTS idx_usernames_public_key ON usernames(public_key);
+      CREATE INDEX IF NOT EXISTS idx_credentials_expires ON credentials(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_credentials_secret ON credentials(secret);
-      -- Services table (new schema with extracted fields for discovery)
-      CREATE TABLE IF NOT EXISTS services (
-        id TEXT PRIMARY KEY,
-        service_fqn TEXT NOT NULL,
-        service_name TEXT NOT NULL,
-        version TEXT NOT NULL,
-        username TEXT NOT NULL,
-        created_at INTEGER NOT NULL,
-        expires_at INTEGER NOT NULL,
-        FOREIGN KEY (username) REFERENCES usernames(username) ON DELETE CASCADE,
-        UNIQUE(service_fqn)
+      -- Rate limits table (for distributed rate limiting)
+      CREATE TABLE IF NOT EXISTS rate_limits (
+        identifier TEXT PRIMARY KEY,
+        count INTEGER NOT NULL,
+        reset_time INTEGER NOT NULL
+      );
+      CREATE INDEX IF NOT EXISTS idx_rate_limits_reset ON rate_limits(reset_time);
+      -- Nonces table (for replay attack prevention)
+      CREATE TABLE IF NOT EXISTS nonces (
+        nonce_key TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
       );
-      CREATE INDEX IF NOT EXISTS idx_services_fqn ON services(service_fqn);
-      CREATE INDEX IF NOT EXISTS idx_services_discovery ON services(service_name, version);
-      CREATE INDEX IF NOT EXISTS idx_services_username ON services(username);
-      CREATE INDEX IF NOT EXISTS idx_services_expires ON services(expires_at);
+      CREATE INDEX IF NOT EXISTS idx_nonces_expires ON nonces(expires_at);
     `);
   }
@@ -114,15 +111,14 @@ export class D1Storage implements Storage {
       const now = Date.now();
       await this.db.prepare(`
-        INSERT INTO offers (id, username, service_id, sdp, created_at, expires_at, last_seen)
+        INSERT INTO offers (id, username, tags, sdp, created_at, expires_at, last_seen)
         VALUES (?, ?, ?, ?, ?, ?, ?)
-      `).bind(id, offer.username, offer.serviceId || null, offer.sdp, now, offer.expiresAt, now).run();
+      `).bind(id, offer.username, JSON.stringify(offer.tags), offer.sdp, now, offer.expiresAt, now).run();
       created.push({
         id,
         username: offer.username,
-        serviceId: offer.serviceId,
-        serviceFqn: offer.serviceFqn,
+        tags: offer.tags,
         sdp: offer.sdp,
         createdAt: now,
         expiresAt: offer.expiresAt,
@@ -231,6 +227,94 @@ export class D1Storage implements Storage {
     return result.results.map(row => this.rowToOffer(row as any));
   }
+  async getOffersAnsweredBy(answererUsername: string): Promise<Offer[]> {
+    const result = await this.db.prepare(`
+      SELECT * FROM offers
+      WHERE answerer_username = ? AND expires_at > ?
+      ORDER BY answered_at DESC
+    `).bind(answererUsername, Date.now()).all();
+    if (!result.results) {
+      return [];
+    }
+    return result.results.map(row => this.rowToOffer(row as any));
+  }
+  // ===== Discovery =====
+  async discoverOffers(
+    tags: string[],
+    excludeUsername: string | null,
+    limit: number,
+    offset: number
+  ): Promise<Offer[]> {
+    if (tags.length === 0) {
+      return [];
+    }
+    // Build query with JSON tag matching (OR logic)
+    // D1/SQLite: Use json_each() to expand tags array and check if any tag matches
+    const placeholders = tags.map(() => '?').join(',');
+    let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+    const params: any[] = [...tags, Date.now()];
+    if (excludeUsername) {
+      query += ' AND o.username != ?';
+      params.push(excludeUsername);
+    }
+    query += ' ORDER BY o.created_at DESC LIMIT ? OFFSET ?';
+    params.push(limit, offset);
+    const result = await this.db.prepare(query).bind(...params).all();
+    if (!result.results) {
+      return [];
+    }
+    return result.results.map(row => this.rowToOffer(row as any));
+  }
+  async getRandomOffer(
+    tags: string[],
+    excludeUsername: string | null
+  ): Promise<Offer | null> {
+    if (tags.length === 0) {
+      return null;
+    }
+    // Build query with JSON tag matching (OR logic)
+    const placeholders = tags.map(() => '?').join(',');
+    let query = `
+      SELECT DISTINCT o.* FROM offers o, json_each(o.tags) as t
+      WHERE t.value IN (${placeholders})
+        AND o.expires_at > ?
+        AND o.answerer_username IS NULL
+    `;
+    const params: any[] = [...tags, Date.now()];
+    if (excludeUsername) {
+      query += ' AND o.username != ?';
+      params.push(excludeUsername);
+    }
+    query += ' ORDER BY RANDOM() LIMIT 1';
+    const result = await this.db.prepare(query).bind(...params).first();
+    return result ? this.rowToOffer(result as any) : null;
+  }
   // ===== ICE Candidate Management =====
   async addIceCandidates(
@@ -292,270 +376,251 @@ export class D1Storage implements Storage {
     }));
   }
-  // ===== Username Management =====
-  async claimUsername(request: ClaimUsernameRequest): Promise<Username> {
-    const now = Date.now();
-    const expiresAt = now + YEAR_IN_MS;
+  async getIceCandidatesForMultipleOffers(
+    offerIds: string[],
+    username: string,
+    since?: number
+  ): Promise<Map<string, IceCandidate[]>> {
+    const result = new Map<string, IceCandidate[]>();
-    try {
-      // Try to insert or update
-      const result = await this.db.prepare(`
-        INSERT INTO usernames (username, public_key, claimed_at, expires_at, last_used, metadata)
-        VALUES (?, ?, ?, ?, ?, NULL)
-        ON CONFLICT(username) DO UPDATE SET
-          expires_at = ?,
-          last_used = ?
-        WHERE public_key = ?
-      `).bind(
-        request.username,
-        request.publicKey,
-        now,
-        expiresAt,
-        now,
-        expiresAt,
-        now,
-        request.publicKey
-      ).run();
+    // Return empty map if no offer IDs provided
+    if (offerIds.length === 0) {
+      return result;
+    }
-      if ((result.meta.changes || 0) === 0) {
-        throw new Error('Username already claimed by different public key');
-      }
+    // Validate array contains only strings
+    if (!Array.isArray(offerIds) || !offerIds.every(id => typeof id === 'string')) {
+      throw new Error('Invalid offer IDs: must be array of strings');
+    }
-      return {
-        username: request.username,
-        publicKey: request.publicKey,
-        claimedAt: now,
-        expiresAt,
-        lastUsed: now,
-      };
-    } catch (err: any) {
-      // Handle UNIQUE constraint on public_key
-      if (err.message?.includes('UNIQUE constraint failed: usernames.public_key')) {
-        throw new Error('This public key has already claimed a different username');
-      }
-      throw err;
+    // Prevent DoS attacks from extremely large IN clauses
+    if (offerIds.length > 1000) {
+      throw new Error('Too many offer IDs (max 1000)');
     }
-  }
-  async getUsername(username: string): Promise<Username | null> {
-    const result = await this.db.prepare(`
-      SELECT * FROM usernames
-      WHERE username = ? AND expires_at > ?
-    `).bind(username, Date.now()).first();
+    // Build query that fetches candidates from the OTHER peer only
+    const placeholders = offerIds.map(() => '?').join(',');
-    if (!result) {
-      return null;
+    let query = `
+      SELECT ic.*, o.username as offer_username
+      FROM ice_candidates ic
+      INNER JOIN offers o ON o.id = ic.offer_id
+      WHERE ic.offer_id IN (${placeholders})
+      AND (
+        (o.username = ? AND ic.role = 'answerer')
+        OR (o.answerer_username = ? AND ic.role = 'offerer')
+      )
+    `;
+    const params: any[] = [...offerIds, username, username];
+    if (since !== undefined) {
+      query += ' AND ic.created_at > ?';
+      params.push(since);
     }
-    const row = result as any;
+    query += ' ORDER BY ic.created_at ASC';
-    return {
-      username: row.username,
-      publicKey: row.public_key,
-      claimedAt: row.claimed_at,
-      expiresAt: row.expires_at,
-      lastUsed: row.last_used,
-      metadata: row.metadata || undefined,
-    };
-  }
+    const queryResult = await this.db.prepare(query).bind(...params).all();
+    if (!queryResult.results) {
+      return result;
+    }
-  async deleteExpiredUsernames(now: number): Promise<number> {
-    const result = await this.db.prepare(`
-      DELETE FROM usernames WHERE expires_at < ?
-    `).bind(now).run();
+    // Group candidates by offer_id
+    for (const row of queryResult.results as any[]) {
+      const candidate: IceCandidate = {
+        id: row.id,
+        offerId: row.offer_id,
+        username: row.username,
+        role: row.role,
+        candidate: JSON.parse(row.candidate),
+        createdAt: row.created_at,
+      };
-    return result.meta.changes || 0;
+      if (!result.has(row.offer_id)) {
+        result.set(row.offer_id, []);
+      }
+      result.get(row.offer_id)!.push(candidate);
+    }
+    return result;
   }
-  // ===== Service Management =====
+  // ===== Credential Management =====
-  async createService(request: CreateServiceRequest): Promise<{
-    service: Service;
-    offers: Offer[];
-  }> {
-    const serviceId = crypto.randomUUID();
+  async generateCredentials(request: GenerateCredentialsRequest): Promise<Credential> {
     const now = Date.now();
+    const expiresAt = request.expiresAt || (now + YEAR_IN_MS);
-    // Parse FQN to extract components
-    const parsed = parseServiceFqn(request.serviceFqn);
-    if (!parsed) {
-      throw new Error(`Invalid service FQN: ${request.serviceFqn}`);
-    }
-    if (!parsed.username) {
-      throw new Error(`Service FQN must include username: ${request.serviceFqn}`);
-    }
-    const { serviceName, version, username } = parsed;
+    const { generateCredentialName, generateSecret } = await import('../crypto.ts');
-    // Delete existing service with same (service_name, version, username) and its related offers (upsert behavior)
-    // First get the existing service
-    const existingService = await this.db.prepare(`
-      SELECT id FROM services
-      WHERE service_name = ? AND version = ? AND username = ?
-    `).bind(serviceName, version, username).first();
+    let name: string;
-    if (existingService) {
-      // Delete related offers first (no FK cascade from offers to services)
-      await this.db.prepare(`
-        DELETE FROM offers WHERE service_id = ?
-      `).bind(existingService.id).run();
+    if (request.name) {
+      // User requested specific username - check if available
+      const existing = await this.db.prepare(`
+        SELECT name FROM credentials WHERE name = ?
+      `).bind(request.name).first();
-      // Delete the service
-      await this.db.prepare(`
-        DELETE FROM services WHERE id = ?
-      `).bind(existingService.id).run();
-    }
+      if (existing) {
+        throw new Error('Username already taken');
+      }
-    // Insert new service with extracted fields
-    await this.db.prepare(`
-      INSERT INTO services (id, service_fqn, service_name, version, username, created_at, expires_at)
-      VALUES (?, ?, ?, ?, ?, ?, ?)
-    `).bind(
-      serviceId,
-      request.serviceFqn,
-      serviceName,
-      version,
-      username,
-      now,
-      request.expiresAt
-    ).run();
-    // Create offers with serviceId
-    const offerRequests = request.offers.map(offer => ({
-      ...offer,
-      serviceId,
-    }));
-    const offers = await this.createOffers(offerRequests);
+      name = request.name;
+    } else {
+      // Generate random name - retry until unique
+      let attempts = 0;
+      const maxAttempts = 100;
-    // Touch username to extend expiry (inline logic)
-    const expiresAt = now + YEAR_IN_MS;
-    await this.db.prepare(`
-      UPDATE usernames
-      SET last_used = ?, expires_at = ?
-      WHERE username = ? AND expires_at > ?
-    `).bind(now, expiresAt, username, now).run();
+      while (attempts < maxAttempts) {
+        name = generateCredentialName();
-    return {
-      service: {
-        id: serviceId,
-        serviceFqn: request.serviceFqn,
-        serviceName,
-        version,
-        username,
-        createdAt: now,
-        expiresAt: request.expiresAt,
-      },
-      offers,
-    };
-  }
+        const existing = await this.db.prepare(`
+          SELECT name FROM credentials WHERE name = ?
+        `).bind(name).first();
+        if (!existing) {
+          break;
+        }
-  async getOffersForService(serviceId: string): Promise<Offer[]> {
-    const result = await this.db.prepare(`
-      SELECT * FROM offers
-      WHERE service_id = ? AND expires_at > ?
-      ORDER BY created_at ASC
-    `).bind(serviceId, Date.now()).all();
+        attempts++;
+      }
-    if (!result.results) {
-      return [];
+      if (attempts >= maxAttempts) {
+        throw new Error(`Failed to generate unique credential name after ${maxAttempts} attempts`);
+      }
     }
-    return result.results.map(row => this.rowToOffer(row as any));
+    const secret = generateSecret();
+    // Encrypt secret before storing (AES-256-GCM)
+    const { encryptSecret } = await import('../crypto.ts');
+    const encryptedSecret = await encryptSecret(secret, this.masterEncryptionKey);
+    // Insert credential with encrypted secret
+    await this.db.prepare(`
+      INSERT INTO credentials (name, secret, created_at, expires_at, last_used)
+      VALUES (?, ?, ?, ?, ?)
+    `).bind(name!, encryptedSecret, now, expiresAt, now).run();
+    // Return plaintext secret to user (only time they'll see it)
+    return {
+      name: name!,
+      secret, // Return plaintext secret, not encrypted
+      createdAt: now,
+      expiresAt,
+      lastUsed: now,
+    };
   }
-  async getServiceById(serviceId: string): Promise<Service | null> {
+  async getCredential(name: string): Promise<Credential | null> {
     const result = await this.db.prepare(`
-      SELECT * FROM services
-      WHERE id = ? AND expires_at > ?
-    `).bind(serviceId, Date.now()).first();
+      SELECT * FROM credentials
+      WHERE name = ? AND expires_at > ?
+    `).bind(name, Date.now()).first();
     if (!result) {
       return null;
     }
-    return this.rowToService(result as any);
-  }
+    const row = result as any;
-  async getServiceByFqn(serviceFqn: string): Promise<Service | null> {
-    const result = await this.db.prepare(`
-      SELECT * FROM services
-      WHERE service_fqn = ? AND expires_at > ?
-    `).bind(serviceFqn, Date.now()).first();
+    // Decrypt secret before returning
+    // If decryption fails (e.g., master key rotated), treat as credential not found
+    try {
+      const { decryptSecret } = await import('../crypto.ts');
+      const decryptedSecret = await decryptSecret(row.secret, this.masterEncryptionKey);
-    if (!result) {
-      return null;
+      return {
+        name: row.name,
+        secret: decryptedSecret, // Return decrypted secret
+        createdAt: row.created_at,
+        expiresAt: row.expires_at,
+        lastUsed: row.last_used,
+      };
+    } catch (error) {
+      console.error(`Failed to decrypt secret for credential '${name}':`, error);
+      return null; // Treat as credential not found (fail-safe behavior)
     }
+  }
-    return this.rowToService(result as any);
+  async updateCredentialUsage(name: string, lastUsed: number, expiresAt: number): Promise<void> {
+    await this.db.prepare(`
+      UPDATE credentials
+      SET last_used = ?, expires_at = ?
+      WHERE name = ?
+    `).bind(lastUsed, expiresAt, name).run();
   }
+  async deleteExpiredCredentials(now: number): Promise<number> {
+    const result = await this.db.prepare(`
+      DELETE FROM credentials WHERE expires_at < ?
+    `).bind(now).run();
+    return result.meta.changes || 0;
+  }
+  // ===== Rate Limiting =====
+  async checkRateLimit(identifier: string, limit: number, windowMs: number): Promise<boolean> {
+    const now = Date.now();
+    const resetTime = now + windowMs;
-  async discoverServices(
-    serviceName: string,
-    version: string,
-    limit: number,
-    offset: number
-  ): Promise<Service[]> {
-    // Query for unique services with available offers
-    // We join with offers and filter for available ones (answerer_username IS NULL)
+    // Atomic UPSERT: Insert or increment count, reset if expired
+    // This prevents TOCTOU race conditions by doing check+increment in single operation
     const result = await this.db.prepare(`
-      SELECT DISTINCT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY s.created_at DESC
-      LIMIT ? OFFSET ?
-    `).bind(serviceName, version, Date.now(), Date.now(), limit, offset).all();
-    if (!result.results) {
-      return [];
-    }
-    return result.results.map(row => this.rowToService(row as any));
+      INSERT INTO rate_limits (identifier, count, reset_time)
+      VALUES (?, 1, ?)
+      ON CONFLICT(identifier) DO UPDATE SET
+        count = CASE
+          WHEN reset_time < ? THEN 1
+          ELSE count + 1
+        END,
+        reset_time = CASE
+          WHEN reset_time < ? THEN ?
+          ELSE reset_time
+        END
+      RETURNING count
+    `).bind(identifier, resetTime, now, now, resetTime).first() as { count: number } | null;
+    // Check if limit exceeded
+    return result ? result.count <= limit : false;
   }
-  async getRandomService(serviceName: string, version: string): Promise<Service | null> {
-    // Get a random service with an available offer
+  async deleteExpiredRateLimits(now: number): Promise<number> {
     const result = await this.db.prepare(`
-      SELECT s.* FROM services s
-      INNER JOIN offers o ON o.service_id = s.id
-      WHERE s.service_name = ?
-        AND s.version = ?
-        AND s.expires_at > ?
-        AND o.answerer_username IS NULL
-        AND o.expires_at > ?
-      ORDER BY RANDOM()
-      LIMIT 1
-    `).bind(serviceName, version, Date.now(), Date.now()).first();
-    if (!result) {
-      return null;
-    }
+      DELETE FROM rate_limits WHERE reset_time < ?
+    `).bind(now).run();
-    return this.rowToService(result as any);
+    return result.meta.changes || 0;
   }
-  async deleteService(serviceId: string, username: string): Promise<boolean> {
-    const result = await this.db.prepare(`
-      DELETE FROM services
-      WHERE id = ? AND username = ?
-    `).bind(serviceId, username).run();
+  // ===== Nonce Tracking (Replay Protection) =====
-    return (result.meta.changes || 0) > 0;
+  async checkAndMarkNonce(nonceKey: string, expiresAt: number): Promise<boolean> {
+    try {
+      // Atomic INSERT - if nonce already exists, this will fail with UNIQUE constraint
+      // This prevents replay attacks by ensuring each nonce is only used once
+      const result = await this.db.prepare(`
+        INSERT INTO nonces (nonce_key, expires_at)
+        VALUES (?, ?)
+      `).bind(nonceKey, expiresAt).run();
+      // D1 returns success=true if insert succeeded
+      return result.success;
+    } catch (error: any) {
+      // UNIQUE constraint violation means nonce already used (replay attack)
+      if (error?.message?.includes('UNIQUE constraint failed')) {
+        return false;
+      }
+      throw error; // Other errors should propagate
+    }
   }
-  async deleteExpiredServices(now: number): Promise<number> {
+  async deleteExpiredNonces(now: number): Promise<number> {
     const result = await this.db.prepare(`
-      DELETE FROM services WHERE expires_at < ?
+      DELETE FROM nonces WHERE expires_at < ?
     `).bind(now).run();
     return result.meta.changes || 0;
@@ -566,6 +631,32 @@ export class D1Storage implements Storage {
     // Connections are managed by the Cloudflare Workers runtime
   }
+  // ===== Count Methods (for resource limits) =====
+  async getOfferCount(): Promise<number> {
+    const result = await this.db.prepare('SELECT COUNT(*) as count FROM offers').first() as { count: number } | null;
+    return result?.count ?? 0;
+  }
+  async getOfferCountByUsername(username: string): Promise<number> {
+    const result = await this.db.prepare('SELECT COUNT(*) as count FROM offers WHERE username = ?')
+      .bind(username)
+      .first() as { count: number } | null;
+    return result?.count ?? 0;
+  }
+  async getCredentialCount(): Promise<number> {
+    const result = await this.db.prepare('SELECT COUNT(*) as count FROM credentials').first() as { count: number } | null;
+    return result?.count ?? 0;
+  }
+  async getIceCandidateCount(offerId: string): Promise<number> {
+    const result = await this.db.prepare('SELECT COUNT(*) as count FROM ice_candidates WHERE offer_id = ?')
+      .bind(offerId)
+      .first() as { count: number } | null;
+    return result?.count ?? 0;
+  }
   // ===== Helper Methods =====
   /**
@@ -575,8 +666,7 @@ export class D1Storage implements Storage {
     return {
       id: row.id,
       username: row.username,
-      serviceId: row.service_id || undefined,
-      serviceFqn: row.service_fqn || undefined,
+      tags: JSON.parse(row.tags),
       sdp: row.sdp,
       createdAt: row.created_at,
       expiresAt: row.expires_at,
@@ -586,19 +676,4 @@ export class D1Storage implements Storage {
       answeredAt: row.answered_at || undefined,
     };
   }
-  /**
-   * Helper method to convert database row to Service object
-   */
-  private rowToService(row: any): Service {
-    return {
-      id: row.id,
-      serviceFqn: row.service_fqn,
-      serviceName: row.service_name,
-      version: row.version,
-      username: row.username,
-      createdAt: row.created_at,
-      expiresAt: row.expires_at,
-    };
-  }
 }