refactor: persist only identity (keys/nonces) in DO, not messages

Split snapshot into identity-only persistence to stay within the
Durable Object 128 KiB storage limit. Messages, acks, presence, and
reviews are now ephemeral (in-memory only). Keys and nonces are the
only state that requires persistence across DO restarts.

Includes migration from legacy relay_snapshot_v1 key to
relay_identity_v1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: mizchi

src/cloudflare_worker.ts

@@ -13,9 +13,9 @@ import {
   DEFAULT_WS_PING_INTERVAL_MS,
   healthResponse,
   isValidRoomName,
+  type IdentitySnapshot,
   type MemoryRelayOptions,
   type MemoryRelayService,
-  type RelaySnapshot,
 } from './memory_handler.ts';
 import { GitServeSession } from './git_serve_session.ts';
 
@@ -31,6 +31,7 @@ interface DurableObjectNamespaceLike {
 interface DurableObjectStorageLike {
   get(key: string): Promise<unknown>;
   put(key: string, value: unknown): Promise<void>;
+  delete(key: string): Promise<boolean>;
 }
 
 interface DurableObjectStateLike {
@@ -60,7 +61,7 @@ export interface RelayWorkerEnv {
   GIT_SERVE_SESSION_TTL_SEC?: string;
 }
 
-const SNAPSHOT_KEY = 'relay_snapshot_v1';
+const IDENTITY_KEY = 'relay_identity_v1';
 let fallbackService: MemoryRelayService | null = null;
 
 function parsePositiveInt(raw: string | undefined, fallback: number): number {
@@ -334,13 +335,24 @@ export class RelayRoom {
     this.service = createMemoryRelayService(buildOptions(env));
     const restore = async () => {
       try {
-        const snapshot = await this.state.storage.get(SNAPSHOT_KEY);
-        if (!snapshot || typeof snapshot !== 'object') {
+        // Try identity-only snapshot first (v1), fall back to legacy full snapshot
+        const identity = await this.state.storage.get(IDENTITY_KEY);
+        if (identity && typeof identity === 'object') {
+          this.service.restoreIdentity(identity as IdentitySnapshot);
           return;
         }
-        this.service.restore(snapshot as RelaySnapshot);
+        // Legacy: migrate from full snapshot if present
+        const legacy = await this.state.storage.get('relay_snapshot_v1');
+        if (legacy && typeof legacy === 'object') {
+          const legacyData = legacy as Record<string, unknown>;
+          if (legacyData.keys_by_sender || legacyData.nonces_by_sender) {
+            this.service.restoreIdentity(legacyData as IdentitySnapshot);
+          }
+          // Clean up legacy key
+          await this.state.storage.delete('relay_snapshot_v1');
+        }
       } catch {
-        console.error('Failed to restore relay snapshot; starting fresh');
+        console.error('Failed to restore relay identity; starting fresh');
       }
     };
     if (typeof this.state.blockConcurrencyWhile === 'function') {
@@ -354,22 +366,19 @@ export class RelayRoom {
     await this.ready;
     const response = await this.service.fetch(request);
 
+    // Persist identity (keys + nonces) on operations that modify them.
+    // Messages, acks, and presence are ephemeral — not persisted.
     const pathname = new URL(request.url).pathname;
     if (
       pathname === '/api/v1/publish' ||
-      pathname === '/api/v1/inbox/ack' ||
-      pathname === '/api/v1/presence/heartbeat' ||
       pathname === '/api/v1/key/rotate' ||
       pathname === '/api/v1/key/verify-github' ||
-      (pathname === '/api/v1/presence' && request.method === 'DELETE') ||
       (pathname === '/api/v1/review' && request.method === 'POST')
     ) {
       try {
-        await this.state.storage.put(SNAPSHOT_KEY, this.service.snapshot());
+        await this.state.storage.put(IDENTITY_KEY, this.service.identitySnapshot());
       } catch {
-        // Snapshot may exceed Durable Object storage limit (128 KiB).
-        // The in-memory state is still valid; persistence is best-effort.
-        console.error('Failed to persist relay snapshot (likely size limit exceeded)');
+        console.error('Failed to persist relay identity');
       }
     }
     return response;

src/memory_handler.ts

@@ -126,6 +126,11 @@ export interface RelaySnapshot {
   nonces_by_sender: Record<string, Record<string, number>>;
 }
 
+export interface IdentitySnapshot {
+  keys_by_sender: Record<string, SnapshotKeyRecord>;
+  nonces_by_sender: Record<string, Record<string, number>>;
+}
+
 export interface MemoryRelayOptions {
   authToken?: string;
   maxMessagesPerRoom?: number;
@@ -150,6 +155,8 @@ export interface MemoryRelayService {
   fetch(request: Request): Promise<Response>;
   snapshot(): RelaySnapshot;
   restore(snapshot: RelaySnapshot): void;
+  identitySnapshot(): IdentitySnapshot;
+  restoreIdentity(snapshot: IdentitySnapshot): void;
   close(): void;
 }
 
@@ -1725,6 +1732,86 @@ export function createMemoryRelayService(options: MemoryRelayOptions = {}): Memo
     };
   }
 
+  function identitySnapshot(): IdentitySnapshot {
+    const keysBySender: Record<string, SnapshotKeyRecord> = {};
+    for (const [sender, key] of keyRegistry.entries()) {
+      keysBySender[sender] = {
+        public_key: key.publicKey,
+        status: key.status,
+        first_seen_at: key.firstSeenAt,
+        last_seen_at: key.lastSeenAt,
+        rotated_at: key.rotatedAt,
+        revoked_at: key.revokedAt,
+        github_username: key.githubUsername,
+        github_verified_at: key.githubVerifiedAt,
+      };
+    }
+
+    const noncesData: Record<string, Record<string, number>> = {};
+    for (const [sender, nonces] of noncesBySender.entries()) {
+      const senderNonces: Record<string, number> = {};
+      for (const [nonce, ts] of nonces.entries()) {
+        senderNonces[nonce] = ts;
+      }
+      noncesData[sender] = senderNonces;
+    }
+
+    return {
+      keys_by_sender: keysBySender,
+      nonces_by_sender: noncesData,
+    };
+  }
+
+  function restoreIdentity(snapshotData: IdentitySnapshot): void {
+    keyRegistry.clear();
+    noncesBySender.clear();
+
+    if (!isObjectRecord(snapshotData)) {
+      return;
+    }
+
+    if (isObjectRecord(snapshotData.keys_by_sender)) {
+      for (const [sender, value] of Object.entries(snapshotData.keys_by_sender)) {
+        if (!isObjectRecord(value)) continue;
+        const publicKey = (typeof value.public_key === 'string' ? value.public_key : '').trim();
+        if (sender.trim().length === 0 || publicKey.length === 0) continue;
+        const status: KeyStatus = value.status === 'revoked' ? 'revoked' : 'active';
+        keyRegistry.set(sender, {
+          publicKey,
+          status,
+          firstSeenAt: typeof value.first_seen_at === 'number'
+            ? Math.trunc(value.first_seen_at)
+            : 0,
+          lastSeenAt: typeof value.last_seen_at === 'number' ? Math.trunc(value.last_seen_at) : 0,
+          rotatedAt: typeof value.rotated_at === 'number' ? Math.trunc(value.rotated_at) : null,
+          revokedAt: typeof value.revoked_at === 'number' ? Math.trunc(value.revoked_at) : null,
+          githubUsername: typeof value.github_username === 'string' ? value.github_username : null,
+          githubVerifiedAt: typeof value.github_verified_at === 'number'
+            ? Math.trunc(value.github_verified_at)
+            : null,
+        });
+      }
+    }
+
+    if (isObjectRecord(snapshotData.nonces_by_sender)) {
+      const nowSec = nowEpochSec();
+      for (const [sender, value] of Object.entries(snapshotData.nonces_by_sender)) {
+        if (!isObjectRecord(value)) continue;
+        const map = new Map<string, number>();
+        for (const [nonce, tsRaw] of Object.entries(value)) {
+          if (nonce.trim().length === 0) continue;
+          if (typeof tsRaw !== 'number' || !Number.isFinite(tsRaw)) continue;
+          const ts = Math.trunc(tsRaw);
+          if (nowSec - ts > nonceTtlSec) continue;
+          map.set(nonce, ts);
+        }
+        if (map.size > 0) {
+          noncesBySender.set(sender, map);
+        }
+      }
+    }
+  }
+
   function restore(snapshotData: RelaySnapshot): void {
     rooms.clear();
     keyRegistry.clear();
@@ -1883,6 +1970,8 @@ export function createMemoryRelayService(options: MemoryRelayOptions = {}): Memo
     fetch,
     snapshot,
     restore,
+    identitySnapshot,
+    restoreIdentity,
     close,
   };
 }