commit b4c72b4a11904b70646224d244834a5b4309363e
Author: Soma Nakamura <p@centraworks.net>
Date:   Fri Feb 13 17:08:29 2026 +0900

    Initial commit

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..136eccf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+target/
+state.json
+*.log
diff --git a/Cargo.lock b/Cargo.lock
new file mode 100644
index 0000000..d4acc8d
--- /dev/null
+++ b/Cargo.lock
@@ -0,0 +1,2538 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "allocator-api2"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
+
+[[package]]
+name = "anstream"
+version = "0.6.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"
+
+[[package]]
+name = "anstyle-parse"
+version = "0.2.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
+dependencies = [
+ "anstyle",
+ "once_cell_polyfill",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anyhow"
+version = "1.0.100"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
+
+[[package]]
+name = "arrayref"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "76a2e8124351fda1ef8aaaa3bbd7ebbcb486bbcd4225aca0aa0d84bb2db8fecb"
+
+[[package]]
+name = "arrayvec"
+version = "0.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
+
+[[package]]
+name = "async-trait"
+version = "0.1.89"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "atoi"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f28d99ec8bfea296261ca1af174f24225171fea9664ba9003cbebee704810528"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "atomic-waker"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "axum"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edca88bc138befd0323b20752846e6587272d3b03b0343c8ea28a6f819e6e71f"
+dependencies = [
+ "async-trait",
+ "axum-core",
+ "bytes",
+ "futures-util",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-util",
+ "itoa",
+ "matchit",
+ "memchr",
+ "mime",
+ "percent-encoding",
+ "pin-project-lite",
+ "rustversion",
+ "serde",
+ "serde_json",
+ "serde_path_to_error",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "tokio",
+ "tower",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "axum-core"
+version = "0.4.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09f2bd6146b97ae3359fa0cc6d6b376d9539582c7b4220f041a33ec24c226199"
+dependencies = [
+ "async-trait",
+ "bytes",
+ "futures-util",
+ "http",
+ "http-body",
+ "http-body-util",
+ "mime",
+ "pin-project-lite",
+ "rustversion",
+ "sync_wrapper",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
+[[package]]
+name = "base64ct"
+version = "1.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
+
+[[package]]
+name = "bitflags"
+version = "2.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
+dependencies = [
+ "serde_core",
+]
+
+[[package]]
+name = "blake3"
+version = "1.8.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2468ef7d57b3fb7e16b576e8377cdbde2320c60e1491e961d11da40fc4f02a2d"
+dependencies = [
+ "arrayref",
+ "arrayvec",
+ "cc",
+ "cfg-if",
+ "constant_time_eq",
+ "cpufeatures",
+]
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.19.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5dd9dc738b7a8311c7ade152424974d8115f2cdad61e8dab8dac9f2362298510"
+
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
+[[package]]
+name = "bytes"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b35204fbdc0b3f4446b89fc1ac2cf84a8a68971995d0bf2e925ec7cd960f9cb3"
+
+[[package]]
+name = "cc"
+version = "1.2.53"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "755d2fce177175ffca841e9a06afdb2c4ab0f593d53b4dee48147dfaade85932"
+dependencies = [
+ "find-msvc-tools",
+ "shlex",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "clap"
+version = "4.5.54"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c6e6ff9dcd79cff5cd969a17a545d79e84ab086e444102a591e288a8aa3ce394"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.5.54"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa42cf4d2b7a41bc8f663a7cab4031ebafa1bf3875705bfaf8466dc60ab52c00"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.5.49"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a0b5487afeab2deb2ff4e03a807ad1a03ac532ff5a2cee5d86884440c7f7671"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "clap_lex"
+version = "0.7.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3e64b0cc0439b12df2fa678eae89a1c56a529fd067a9115f7827f1fffd22b32"
+
+[[package]]
+name = "colorchoice"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
+
+[[package]]
+name = "concurrent-queue"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ca0197aee26d1ae37445ee532fefce43251d24cc7c166799f4d46817f1d3973"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "constant_time_eq"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d52eff69cd5e647efe296129160853a42795992097e8af39800e1060caeea9b"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crc"
+version = "3.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5eb8a2a1cd12ab0d987a5d5e825195d372001a4094a0376319d5a0ad71c1ba0d"
+dependencies = [
+ "crc-catalog",
+]
+
+[[package]]
+name = "crc-catalog"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5"
+
+[[package]]
+name = "crossbeam-queue"
+version = "0.3.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f58bbc28f91df819d0aa2a2c00cd19754769c2fad90579b3592b1c9ba7a3115"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
+
+[[package]]
+name = "crypto-common"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "der"
+version = "0.7.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
+dependencies = [
+ "const-oid",
+ "pem-rfc7468",
+ "zeroize",
+]
+
+[[package]]
+name = "deranged"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ececcb659e7ba858fb4f10388c250a7252eb0a27373f1a72b8748afdd248e587"
+dependencies = [
+ "powerfmt",
+ "serde_core",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "const-oid",
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "dotenvy"
+version = "0.15.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b"
+
+[[package]]
+name = "either"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "etcetera"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "136d1b5283a1ab77bd9257427ffd09d8667ced0570b6f938942bc7568ed5b943"
+dependencies = [
+ "cfg-if",
+ "home",
+ "windows-sys 0.48.0",
+]
+
+[[package]]
+name = "event-listener"
+version = "5.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e13b66accf52311f30a0db42147dadea9850cb48cd070028831ae5f5d4b856ab"
+dependencies = [
+ "concurrent-queue",
+ "parking",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "find-msvc-tools"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8591b0bcc8a98a64310a2fae1bb3e9b8564dd10e381e6e28010fde8e8e8568db"
+
+[[package]]
+name = "flume"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "da0e4dd2a88388a1f4ccc7c9ce104604dab68d9f408dc34cd45823d5a9069095"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+ "spin",
+]
+
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "futures-channel"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"
+
+[[package]]
+name = "futures-executor"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f"
+dependencies = [
+ "futures-core",
+ "futures-task",
+ "futures-util",
+]
+
+[[package]]
+name = "futures-intrusive"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d930c203dd0b6ff06e0201a4a2fe9149b43c684fd4420555b26d21b1a02956f"
+dependencies = [
+ "futures-core",
+ "lock_api",
+ "parking_lot",
+]
+
+[[package]]
+name = "futures-io"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+
+[[package]]
+name = "futures-sink"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7"
+
+[[package]]
+name = "futures-task"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988"
+
+[[package]]
+name = "futures-util"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
+dependencies = [
+ "futures-core",
+ "futures-io",
+ "futures-sink",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "wasi",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.3.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi",
+ "wasip2",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "allocator-api2",
+ "equivalent",
+ "foldhash",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
+
+[[package]]
+name = "hashlink"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1"
+dependencies = [
+ "hashbrown 0.15.5",
+]
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "hkdf"
+version = "0.12.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b5f8eb2ad728638ea2c7d47a21db23b7b58a72ed6a38256b8a1849f15fbbdf7"
+dependencies = [
+ "hmac",
+]
+
+[[package]]
+name = "hmac"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "home"
+version = "0.5.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cc627f471c528ff0c4a49e1d5e60450c8f6461dd6d10ba9dcd3a61d3dff7728d"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "http"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a"
+dependencies = [
+ "bytes",
+ "itoa",
+]
+
+[[package]]
+name = "http-body"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
+dependencies = [
+ "bytes",
+ "http",
+]
+
+[[package]]
+name = "http-body-util"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "http",
+ "http-body",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "httparse"
+version = "1.10.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87"
+
+[[package]]
+name = "httpdate"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
+
+[[package]]
+name = "hyper"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ab2d4f250c3d7b1c9fcdff1cece94ea4e2dfbec68614f7b87cb205f24ca9d11"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "http",
+ "http-body",
+ "httparse",
+ "httpdate",
+ "itoa",
+ "pin-project-lite",
+ "pin-utils",
+ "smallvec",
+ "tokio",
+]
+
+[[package]]
+name = "hyper-util"
+version = "0.1.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "727805d60e7938b76b826a6ef209eb70eaa1812794f9424d4a4e2d740662df5f"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "http",
+ "http-body",
+ "hyper",
+ "pin-project-lite",
+ "tokio",
+ "tower-service",
+]
+
+[[package]]
+name = "icu_collections"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6b649701667bbe825c3b7e6388cb521c23d88644678e83c0c4d0a621a34b43"
+dependencies = [
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "edba7861004dd3714265b4db54a3c390e880ab658fec5f7db895fae2046b5bb6"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f6c8828b67bf8908d82127b2054ea1b4427ff0230ee9141c54251934ab1b599"
+dependencies = [
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7aedcccd01fc5fe81e6b489c15b247b8b0690feb23304303a9e560f37efc560a"
+
+[[package]]
+name = "icu_properties"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "020bfc02fe870ec3a66d93e677ccca0562506e5872c650f893269e08615d74ec"
+dependencies = [
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "616c294cf8d725c6afcd8f55abc17c56464ef6211f9ed59cccffe534129c77af"
+
+[[package]]
+name = "icu_provider"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85962cf0ce02e1e0a629cc34e7ca3e373ce20dda4c4d7294bbd0bf1fdb59e614"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "idna"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
+]
+
+[[package]]
+name = "indexmap"
+version = "2.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.16.1",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
+
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+
+[[package]]
+name = "itoa"
+version = "1.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+
+[[package]]
+name = "js-sys"
+version = "0.3.85"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c942ebf8e95485ca0d52d97da7c5a2c387d0e7f0ba4c35e93bfcaee045955b3"
+dependencies = [
+ "once_cell",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
+dependencies = [
+ "spin",
+]
+
+[[package]]
+name = "libc"
+version = "0.2.180"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc"
+
+[[package]]
+name = "libm"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de"
+
+[[package]]
+name = "libredox"
+version = "0.1.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d0b95e02c851351f877147b7deea7b1afb1df71b63aa5f8270716e0c5720616"
+dependencies = [
+ "bitflags",
+ "libc",
+ "redox_syscall 0.7.0",
+]
+
+[[package]]
+name = "libsqlite3-sys"
+version = "0.30.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e99fb7a497b1e3339bc746195567ed8d3e24945ecd636e3619d20b9de9e9149"
+dependencies = [
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "lightscale-server"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "axum",
+ "base64",
+ "blake3",
+ "clap",
+ "ipnet",
+ "rand",
+ "serde",
+ "serde_json",
+ "sqlx",
+ "thiserror 1.0.69",
+ "time",
+ "tokio",
+ "tracing",
+ "tracing-subscriber",
+ "uuid",
+]
+
+[[package]]
+name = "litemap"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6373607a59f0be73a39b6fe456b8192fcc3585f602af20751600e974dd455e77"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
+[[package]]
+name = "log"
+version = "0.4.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+
+[[package]]
+name = "matchers"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9"
+dependencies = [
+ "regex-automata",
+]
+
+[[package]]
+name = "matchit"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94"
+
+[[package]]
+name = "md-5"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf"
+dependencies = [
+ "cfg-if",
+ "digest",
+]
+
+[[package]]
+name = "memchr"
+version = "2.7.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273"
+
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
+[[package]]
+name = "mio"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
+dependencies = [
+ "libc",
+ "wasi",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "nu-ansi-term"
+version = "0.50.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "num-bigint-dig"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7"
+dependencies = [
+ "lazy_static",
+ "libm",
+ "num-integer",
+ "num-iter",
+ "num-traits",
+ "rand",
+ "smallvec",
+ "zeroize",
+]
+
+[[package]]
+name = "num-conv"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+
+[[package]]
+name = "num-integer"
+version = "0.1.46"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+dependencies = [
+ "num-traits",
+]
+
+[[package]]
+name = "num-iter"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+ "libm",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
+
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
+
+[[package]]
+name = "parking"
+version = "2.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall 0.5.18",
+ "smallvec",
+ "windows-link",
+]
+
+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
+[[package]]
+name = "percent-encoding"
+version = "2.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pkcs1"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f"
+dependencies = [
+ "der",
+ "pkcs8",
+ "spki",
+]
+
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "spki",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+
+[[package]]
+name = "potential_utf"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b73949432f5e2a09657003c25bca5e19a0e9c84f8058ca374f49e0ebe605af77"
+dependencies = [
+ "zerovec",
+]
+
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.105"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "535d180e0ecab6268a3e718bb9fd44db66bbbc256257165fc699dadf70d16fe7"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.43"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc74d9a594b72ae6656596548f56f667211f8a97b3d4c3d467150794690dc40a"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "r-efi"
+version = "5.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom 0.2.17",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49f3fe0889e69e2ae9e41f4d6c4c0181701d00e4697b356fb1f74173a5e0ee27"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5276caf25ac86c8d810222b3dbb938e512c55c6831a10f3e6ed1c93b84041f1c"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58"
+
+[[package]]
+name = "ring"
+version = "0.17.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom 0.2.17",
+ "libc",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "rsa"
+version = "0.9.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d"
+dependencies = [
+ "const-oid",
+ "digest",
+ "num-bigint-dig",
+ "num-integer",
+ "num-traits",
+ "pkcs1",
+ "pkcs8",
+ "rand_core",
+ "signature",
+ "spki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls"
+version = "0.23.36"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b"
+dependencies = [
+ "once_cell",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
+dependencies = [
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-webpki"
+version = "0.103.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d"
+
+[[package]]
+name = "ryu"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a50f4cf475b65d88e057964e0e9bb1f0aa9bbb2036dc65c64596b42932536984"
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.149"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+dependencies = [
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
+]
+
+[[package]]
+name = "serde_path_to_error"
+version = "0.1.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457"
+dependencies = [
+ "itoa",
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sharded-slab"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "digest",
+ "rand_core",
+]
+
+[[package]]
+name = "slab"
+version = "0.4.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"
+
+[[package]]
+name = "smallvec"
+version = "1.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "socket2"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17129e116933cf371d018bb80ae557e889637989d8638274fb25622827b03881"
+dependencies = [
+ "libc",
+ "windows-sys 0.60.2",
+]
+
+[[package]]
+name = "spin"
+version = "0.9.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+dependencies = [
+ "lock_api",
+]
+
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
+[[package]]
+name = "sqlx"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fefb893899429669dcdd979aff487bd78f4064e5e7907e4269081e0ef7d97dc"
+dependencies = [
+ "sqlx-core",
+ "sqlx-macros",
+ "sqlx-mysql",
+ "sqlx-postgres",
+ "sqlx-sqlite",
+]
+
+[[package]]
+name = "sqlx-core"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee6798b1838b6a0f69c007c133b8df5866302197e404e8b6ee8ed3e3a5e68dc6"
+dependencies = [
+ "base64",
+ "bytes",
+ "crc",
+ "crossbeam-queue",
+ "either",
+ "event-listener",
+ "futures-core",
+ "futures-intrusive",
+ "futures-io",
+ "futures-util",
+ "hashbrown 0.15.5",
+ "hashlink",
+ "indexmap",
+ "log",
+ "memchr",
+ "once_cell",
+ "percent-encoding",
+ "rustls",
+ "serde",
+ "serde_json",
+ "sha2",
+ "smallvec",
+ "thiserror 2.0.18",
+ "tokio",
+ "tokio-stream",
+ "tracing",
+ "url",
+ "webpki-roots 0.26.11",
+]
+
+[[package]]
+name = "sqlx-macros"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2d452988ccaacfbf5e0bdbc348fb91d7c8af5bee192173ac3636b5fb6e6715d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "sqlx-core",
+ "sqlx-macros-core",
+ "syn",
+]
+
+[[package]]
+name = "sqlx-macros-core"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "19a9c1841124ac5a61741f96e1d9e2ec77424bf323962dd894bdb93f37d5219b"
+dependencies = [
+ "dotenvy",
+ "either",
+ "heck",
+ "hex",
+ "once_cell",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_json",
+ "sha2",
+ "sqlx-core",
+ "sqlx-mysql",
+ "sqlx-postgres",
+ "sqlx-sqlite",
+ "syn",
+ "tokio",
+ "url",
+]
+
+[[package]]
+name = "sqlx-mysql"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa003f0038df784eb8fecbbac13affe3da23b45194bd57dba231c8f48199c526"
+dependencies = [
+ "atoi",
+ "base64",
+ "bitflags",
+ "byteorder",
+ "bytes",
+ "crc",
+ "digest",
+ "dotenvy",
+ "either",
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-util",
+ "generic-array",
+ "hex",
+ "hkdf",
+ "hmac",
+ "itoa",
+ "log",
+ "md-5",
+ "memchr",
+ "once_cell",
+ "percent-encoding",
+ "rand",
+ "rsa",
+ "serde",
+ "sha1",
+ "sha2",
+ "smallvec",
+ "sqlx-core",
+ "stringprep",
+ "thiserror 2.0.18",
+ "tracing",
+ "whoami",
+]
+
+[[package]]
+name = "sqlx-postgres"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db58fcd5a53cf07c184b154801ff91347e4c30d17a3562a635ff028ad5deda46"
+dependencies = [
+ "atoi",
+ "base64",
+ "bitflags",
+ "byteorder",
+ "crc",
+ "dotenvy",
+ "etcetera",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "hex",
+ "hkdf",
+ "hmac",
+ "home",
+ "itoa",
+ "log",
+ "md-5",
+ "memchr",
+ "once_cell",
+ "rand",
+ "serde",
+ "serde_json",
+ "sha2",
+ "smallvec",
+ "sqlx-core",
+ "stringprep",
+ "thiserror 2.0.18",
+ "tracing",
+ "whoami",
+]
+
+[[package]]
+name = "sqlx-sqlite"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2d12fe70b2c1b4401038055f90f151b78208de1f9f89a7dbfd41587a10c3eea"
+dependencies = [
+ "atoi",
+ "flume",
+ "futures-channel",
+ "futures-core",
+ "futures-executor",
+ "futures-intrusive",
+ "futures-util",
+ "libsqlite3-sys",
+ "log",
+ "percent-encoding",
+ "serde",
+ "serde_urlencoded",
+ "sqlx-core",
+ "thiserror 2.0.18",
+ "tracing",
+ "url",
+]
+
+[[package]]
+name = "stable_deref_trait"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+
+[[package]]
+name = "stringprep"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b4df3d392d81bd458a8a621b8bffbd2302a12ffe288a9d931670948749463b1"
+dependencies = [
+ "unicode-bidi",
+ "unicode-normalization",
+ "unicode-properties",
+]
+
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "syn"
+version = "2.0.114"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "sync_wrapper"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263"
+
+[[package]]
+name = "synstructure"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thiserror"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+dependencies = [
+ "thiserror-impl 1.0.69",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+dependencies = [
+ "thiserror-impl 2.0.18",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.69"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "thread_local"
+version = "1.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "time"
+version = "0.3.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f9e442fc33d7fdb45aa9bfeb312c095964abdf596f7567261062b2a7107aaabd"
+dependencies = [
+ "deranged",
+ "itoa",
+ "num-conv",
+ "powerfmt",
+ "serde_core",
+ "time-core",
+ "time-macros",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b36ee98fd31ec7426d599183e8fe26932a8dc1fb76ddb6214d05493377d34ca"
+
+[[package]]
+name = "time-macros"
+version = "0.2.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "71e552d1249bf61ac2a52db88179fd0673def1e1ad8243a00d9ec9ed71fee3dd"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
+[[package]]
+name = "tinystr"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42d3e9c45c09de15d06dd8acf5f4e0e399e85927b7f00711024eb7ae10fa4869"
+dependencies = [
+ "displaydoc",
+ "zerovec",
+]
+
+[[package]]
+name = "tinyvec"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
+[[package]]
+name = "tokio"
+version = "1.49.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86"
+dependencies = [
+ "bytes",
+ "libc",
+ "mio",
+ "pin-project-lite",
+ "socket2",
+ "tokio-macros",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "tokio-macros"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tokio-stream"
+version = "0.1.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32da49809aab5c3bc678af03902d4ccddea2a87d028d86392a4b1560c6906c70"
+dependencies = [
+ "futures-core",
+ "pin-project-lite",
+ "tokio",
+]
+
+[[package]]
+name = "tower"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4"
+dependencies = [
+ "futures-core",
+ "futures-util",
+ "pin-project-lite",
+ "sync_wrapper",
+ "tokio",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "tower-layer"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e"
+
+[[package]]
+name = "tower-service"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
+
+[[package]]
+name = "tracing"
+version = "0.1.44"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100"
+dependencies = [
+ "log",
+ "pin-project-lite",
+ "tracing-attributes",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-attributes"
+version = "0.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.36"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a"
+dependencies = [
+ "once_cell",
+ "valuable",
+]
+
+[[package]]
+name = "tracing-log"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
+dependencies = [
+ "log",
+ "once_cell",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-subscriber"
+version = "0.3.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e"
+dependencies = [
+ "matchers",
+ "nu-ansi-term",
+ "once_cell",
+ "regex-automata",
+ "sharded-slab",
+ "smallvec",
+ "thread_local",
+ "tracing",
+ "tracing-core",
+ "tracing-log",
+]
+
+[[package]]
+name = "typenum"
+version = "1.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
+
+[[package]]
+name = "unicode-bidi"
+version = "0.3.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"
+
+[[package]]
+name = "unicode-normalization"
+version = "0.1.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5fd4f6878c9cb28d874b009da9e8d183b5abc80117c40bbd187a1fde336be6e8"
+dependencies = [
+ "tinyvec",
+]
+
+[[package]]
+name = "unicode-properties"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7df058c713841ad818f1dc5d3fd88063241cc61f49f5fbea4b951e8cf5a8d71d"
+
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
+[[package]]
+name = "url"
+version = "2.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+ "serde",
+]
+
+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
+[[package]]
+name = "uuid"
+version = "1.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2e054861b4bd027cd373e18e8d8d8e6548085000e41290d95ce0c373a654b4a"
+dependencies = [
+ "getrandom 0.3.4",
+ "js-sys",
+ "serde_core",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "valuable"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65"
+
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
+
+[[package]]
+name = "wasi"
+version = "0.11.1+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
+
+[[package]]
+name = "wasip2"
+version = "1.0.2+wasi-0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasite"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64024a30ec1e37399cf85a7ffefebdb72205ca1c972291c51512360d90bd8566"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "rustversion",
+ "wasm-bindgen-macro",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "008b239d9c740232e71bd39e8ef6429d27097518b6b30bdf9086833bd5b6d608"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5256bae2d58f54820e6490f9839c49780dff84c65aeab9e772f15d5f0e913a55"
+dependencies = [
+ "bumpalo",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.108"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f01b580c9ac74c8d8f0c0e4afb04eeef2acf145458e52c03845ee9cd23e3d12"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "0.26.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9"
+dependencies = [
+ "webpki-roots 1.0.5",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "12bed680863276c63889429bfd6cab3b99943659923822de1c8a39c49e4d722c"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "whoami"
+version = "1.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d4a4db5077702ca3015d3d02d74974948aba2ad9e12ab7df718ee64ccd7e97d"
+dependencies = [
+ "libredox",
+ "wasite",
+]
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "windows-sys"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+dependencies = [
+ "windows-targets 0.48.5",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+dependencies = [
+ "windows-targets 0.52.6",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.60.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
+dependencies = [
+ "windows-targets 0.53.5",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+dependencies = [
+ "windows_aarch64_gnullvm 0.48.5",
+ "windows_aarch64_msvc 0.48.5",
+ "windows_i686_gnu 0.48.5",
+ "windows_i686_msvc 0.48.5",
+ "windows_x86_64_gnu 0.48.5",
+ "windows_x86_64_gnullvm 0.48.5",
+ "windows_x86_64_msvc 0.48.5",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm 0.52.6",
+ "windows_aarch64_msvc 0.52.6",
+ "windows_i686_gnu 0.52.6",
+ "windows_i686_gnullvm 0.52.6",
+ "windows_i686_msvc 0.52.6",
+ "windows_x86_64_gnu 0.52.6",
+ "windows_x86_64_gnullvm 0.52.6",
+ "windows_x86_64_msvc 0.52.6",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.53.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
+dependencies = [
+ "windows-link",
+ "windows_aarch64_gnullvm 0.53.1",
+ "windows_aarch64_msvc 0.53.1",
+ "windows_i686_gnu 0.53.1",
+ "windows_i686_gnullvm 0.53.1",
+ "windows_i686_msvc 0.53.1",
+ "windows_x86_64_gnu 0.53.1",
+ "windows_x86_64_gnullvm 0.53.1",
+ "windows_x86_64_msvc 0.53.1",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.48.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.53.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"
+
+[[package]]
+name = "wit-bindgen"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+
+[[package]]
+name = "writeable"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9edde0db4769d2dc68579893f2306b26c6ecfbe0ef499b013d731b7b9247e0b9"
+
+[[package]]
+name = "yoke"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72d6e5c6afb84d73944e5cedb052c4680d5657337201555f9f2a16b7406d4954"
+dependencies = [
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.8.33"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "668f5168d10b9ee831de31933dc111a459c97ec93225beb307aed970d1372dfd"
+dependencies = [
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.33"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2c7962b26b0a8685668b671ee4b54d007a67d4eaf05fda79ac0ecf41e32270f1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
+
+[[package]]
+name = "zerotrie"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a59c17a5562d507e4b54960e8569ebee33bee890c70aa3fe7b97e85a9fd7851"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c28719294829477f525be0186d13efa9a3c602f7ec202ca9e353d310fb9a002"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "zmij"
+version = "1.0.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94f63c051f4fe3c1509da62131a678643c5b6fbdc9273b2b79d4378ebda003d2"
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 0000000..b337a35
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,22 @@
+[package]
+name = "lightscale-server"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+anyhow = "1"
+axum = { version = "0.7", features = ["json"] }
+base64 = "0.22"
+blake3 = "1"
+clap = { version = "4", features = ["derive", "env"] }
+ipnet = "2"
+rand = "0.8"
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+sqlx = { version = "0.8", features = ["json", "postgres", "runtime-tokio-rustls"] }
+thiserror = "1"
+time = { version = "0.3", features = ["serde", "formatting"] }
+tokio = { version = "1", features = ["fs", "io-util", "macros", "rt-multi-thread"] }
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["fmt", "env-filter"] }
+uuid = { version = "1", features = ["serde", "v4"] }
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b642974
--- /dev/null
+++ b/README.md
@@ -0,0 +1,139 @@
+# lightscale-server
+
+Minimal control-plane server for Lightscale. This version focuses on network, node, and token
+management and returns netmap data to clients. It does not implement the data plane (WireGuard,
+TURN) yet.
+
+## Run
+
+```sh
+cargo run -- --listen 0.0.0.0:8080 --state ./state.json
+```
+
+To protect admin endpoints, set an admin token (also supports `LIGHTSCALE_ADMIN_TOKEN`):
+
+```sh
+cargo run -- --listen 0.0.0.0:8080 --state ./state.json --admin-token <token>
+```
+
+Use a shared Postgres/CockroachDB backend for multi-server control plane:
+
+```sh
+cargo run -- --listen 0.0.0.0:8080 --db-url postgres://lightscale@127.0.0.1/lightscale?sslmode=disable
+```
+
+Optional relay config (control-plane only for now):
+
+```sh
+cargo run -- --listen 0.0.0.0:8080 --state ./state.json \
+  --stun stun1.example.com:3478,stun2.example.com:3478 \
+  --turn turn.example.com:3478 \
+  --stream-relay relay.example.com:443 \
+  --udp-relay relay.example.com:3478 \
+  --udp-relay-listen 0.0.0.0:3478 \
+  --stream-relay-listen 0.0.0.0:443
+```
+
+These values are surfaced in the netmap for clients. A minimal UDP relay is available when
+`--udp-relay-listen` is set, and a minimal stream relay is available with
+`--stream-relay-listen`. TURN is still unimplemented.
+
+IPv6-only control plane is supported by binding to an IPv6 address and using IPv6 control URLs
+from clients, for example:
+
+```sh
+cargo run -- --listen [::]:8080 --db-url postgres://lightscale@127.0.0.1/lightscale?sslmode=disable
+```
+
+## API quickstart
+
+Create a network:
+
+```sh
+curl -X POST http://127.0.0.1:8080/v1/networks \
+  -H 'authorization: Bearer <admin_token>' \
+  -H 'content-type: application/json' \
+  -d '{"name":"lab","requires_approval":true,"bootstrap_token_ttl_seconds":3600,"bootstrap_token_uses":1,"bootstrap_token_tags":["dev"]}'
+```
+
+Create an enrollment token later:
+
+```sh
+curl -X POST http://127.0.0.1:8080/v1/networks/<network_id>/tokens \
+  -H 'authorization: Bearer <admin_token>' \
+  -H 'content-type: application/json' \
+  -d '{"ttl_seconds":3600,"uses":1,"tags":[]}'
+```
+
+Revoke an enrollment token:
+
+```sh
+curl -X POST http://127.0.0.1:8080/v1/tokens/<token>/revoke \
+  -H 'authorization: Bearer <admin_token>'
+```
+
+Register a node:
+
+```sh
+curl -X POST http://127.0.0.1:8080/v1/register \
+  -H 'content-type: application/json' \
+  -d '{"token":"<token>","node_name":"laptop","machine_public_key":"...","wg_public_key":"..."}'
+```
+
+Register a node using an auth URL flow:
+
+```sh
+curl -X POST http://127.0.0.1:8080/v1/register-url \
+  -H 'content-type: application/json' \
+  -d '{"network_id":"<network_id>","node_name":"laptop","machine_public_key":"...","wg_public_key":"..."}'
+```
+
+Then open the returned `auth_path` on the server to approve:
+
+```sh
+curl http://127.0.0.1:8080/v1/register/approve/<node_id>/<secret>
+```
+
+Manual approval endpoint (for admins):
+
+```sh
+curl -X POST http://127.0.0.1:8080/v1/admin/nodes/<node_id>/approve \
+  -H 'authorization: Bearer <admin_token>'
+```
+
+List nodes in a network (admin):
+
+```sh
+curl http://127.0.0.1:8080/v1/admin/networks/<network_id>/nodes \
+  -H 'authorization: Bearer <admin_token>'
+```
+
+Update a node's name or tags (admin):
+
+```sh
+curl -X PUT http://127.0.0.1:8080/v1/admin/nodes/<node_id> \
+  -H 'authorization: Bearer <admin_token>' \
+  -H 'content-type: application/json' \
+  -d '{"name":"laptop","tags":["dev","lab"]}'
+```
+
+Heartbeat and update endpoints/routes (optional listen_port lets the server add the
+observed public IP as an endpoint):
+
+```sh
+curl -X POST http://127.0.0.1:8080/v1/heartbeat \
+  -H 'content-type: application/json' \
+  -d '{"node_id":"<node_id>","endpoints":["203.0.113.1:51820"],"listen_port":51820,"routes":[]}'
+```
+
+Fetch netmap:
+
+```sh
+curl http://127.0.0.1:8080/v1/netmap/<node_id>
+```
+
+Long-poll for netmap updates:
+
+```sh
+curl "http://127.0.0.1:8080/v1/netmap/<node_id>/longpoll?since=0&timeout_seconds=30"
+```
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..5a9df81
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1768564909,
+        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..380037b
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,23 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+      in
+      {
+        devShells.default = pkgs.mkShell {
+          buildInputs = [
+            pkgs.rustc
+            pkgs.cargo
+            pkgs.rustfmt
+            pkgs.clippy
+            pkgs.rust-analyzer
+          ];
+        };
+      });
+}
diff --git a/src/api.rs b/src/api.rs
new file mode 100644
index 0000000..871b223
--- /dev/null
+++ b/src/api.rs
@@ -0,0 +1,1402 @@
+use crate::model::{
+    AclAction, AclPolicy, AclSelector, AdminNodesResponse, AuditEntry, AuditLogResponse,
+    CreateNetworkRequest, CreateNetworkResponse, CreateTokenRequest, CreateTokenResponse,
+    EnrollmentToken, HeartbeatRequest, HeartbeatResponse, KeyHistoryResponse, KeyPolicyResponse,
+    KeyRecord, KeyRotationPolicy, KeyRotationRequest, KeyRotationResponse, KeyType, NetMap,
+    NetworkInfo, NetworkState, NodeInfo, NodeState, PeerInfo, ProbeRequest, RegisterRequest,
+    RegisterResponse, RegisterUrlRequest, RegisterUrlResponse, RelayConfig, TokenState,
+    UpdateAclRequest, UpdateAclResponse, UpdateNodeRequest, UpdateNodeResponse,
+};
+use crate::app::AppState;
+use crate::netid::derive_overlay_prefixes;
+use axum::extract::{ConnectInfo, Extension, Path, Query};
+use axum::http::{HeaderMap, StatusCode};
+use axum::response::{IntoResponse, Response};
+use axum::Json;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine;
+use ipnet::{Ipv4Net, Ipv6Net};
+use rand::RngCore;
+use std::collections::HashSet;
+use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr};
+use std::time::Duration;
+use time::OffsetDateTime;
+use tokio::time::{sleep, Instant};
+use uuid::Uuid;
+use serde::Deserialize;
+use crate::state::State;
+use anyhow::Error;
+
+#[derive(Debug, thiserror::Error)]
+pub enum ApiError {
+    #[error("not found: {0}")]
+    NotFound(&'static str),
+    #[error("invalid request: {0}")]
+    BadRequest(&'static str),
+    #[error("unauthorized: {0}")]
+    Unauthorized(&'static str),
+    #[error("conflict: {0}")]
+    Conflict(&'static str),
+    #[error("internal error")]
+    Internal,
+}
+
+#[derive(Deserialize)]
+pub struct NetmapLongpollParams {
+    pub since: Option<u64>,
+    pub timeout_seconds: Option<u64>,
+}
+
+impl IntoResponse for ApiError {
+    fn into_response(self) -> Response {
+        let (status, message) = match self {
+            ApiError::NotFound(msg) => (StatusCode::NOT_FOUND, msg),
+            ApiError::BadRequest(msg) => (StatusCode::BAD_REQUEST, msg),
+            ApiError::Unauthorized(msg) => (StatusCode::UNAUTHORIZED, msg),
+            ApiError::Conflict(msg) => (StatusCode::CONFLICT, msg),
+            ApiError::Internal => (StatusCode::INTERNAL_SERVER_ERROR, "internal error"),
+        };
+        (status, Json(serde_json::json!({ "error": message }))).into_response()
+    }
+}
+
+fn map_store_err(err: Error) -> ApiError {
+    match err.downcast::<ApiError>() {
+        Ok(api_err) => api_err,
+        Err(_) => ApiError::Internal,
+    }
+}
+
+fn bearer_token(headers: &HeaderMap) -> Option<&str> {
+    let header = headers.get(axum::http::header::AUTHORIZATION)?;
+    let value = header.to_str().ok()?;
+    let prefix = "Bearer ";
+    if value.starts_with(prefix) {
+        Some(value[prefix.len()..].trim())
+    } else {
+        None
+    }
+}
+
+fn require_admin(headers: &HeaderMap, admin_token: &Option<String>) -> Result<(), ApiError> {
+    let Some(expected) = admin_token.as_deref() else {
+        return Ok(());
+    };
+    match bearer_token(headers) {
+        Some(token) if token == expected => Ok(()),
+        _ => Err(ApiError::Unauthorized("admin token required")),
+    }
+}
+
+fn require_node(
+    headers: &HeaderMap,
+    admin_token: &Option<String>,
+    node: &NodeState,
+) -> Result<(), ApiError> {
+    let Some(expected) = node.node_token.as_deref() else {
+        return Ok(());
+    };
+    let token = bearer_token(headers);
+    if let Some(token) = token {
+        if token == expected {
+            return Ok(());
+        }
+        if let Some(admin) = admin_token.as_deref() {
+            if token == admin {
+                return Ok(());
+            }
+        }
+    }
+    Err(ApiError::Unauthorized("node token required"))
+}
+
+pub async fn create_network(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Json(req): Json<CreateNetworkRequest>,
+) -> Result<Json<CreateNetworkResponse>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let network_id = Uuid::new_v4();
+    let (overlay_v4, overlay_v6) = derive_overlay_prefixes(&network_id);
+    let dns_domain = req
+        .dns_domain
+        .unwrap_or_else(|| format!("net-{}.lightscale", short_id(&network_id)));
+    let now = now_unix();
+
+    let mut bootstrap_token: Option<EnrollmentToken> = None;
+
+    let network_state = NetworkState {
+        id: network_id.to_string(),
+        name: req.name,
+        overlay_v4,
+        overlay_v6,
+        dns_domain,
+        requires_approval: req.requires_approval.unwrap_or(false),
+        acl: AclPolicy::default(),
+        key_policy: KeyRotationPolicy {
+            max_age_seconds: req.key_rotation_max_age_seconds,
+        },
+        created_at: now,
+        next_ipv4: 10,
+        next_ipv6: 10,
+    };
+
+    state
+        .store
+        .write(|state| {
+            if state.networks.contains_key(&network_state.id) {
+                return Err(ApiError::Conflict("network already exists").into());
+            }
+            state
+                .networks
+                .insert(network_state.id.clone(), network_state.clone());
+            state.audit_log.push(build_audit_entry(
+                "network.create",
+                Some(network_state.id.clone()),
+                None,
+                Some(serde_json::json!({
+                    "name": network_state.name,
+                    "requires_approval": network_state.requires_approval,
+                    "key_rotation_max_age_seconds": network_state.key_policy.max_age_seconds,
+                })),
+            ));
+
+            if let Some(ttl) = req.bootstrap_token_ttl_seconds {
+                let uses = req.bootstrap_token_uses.unwrap_or(1);
+                let tags = req.bootstrap_token_tags.unwrap_or_default();
+                let token = build_token(&network_state.id, ttl, uses, tags)?;
+                state.tokens.insert(token.token.clone(), token.clone());
+                bootstrap_token = Some(token.into());
+            }
+
+            Ok(())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    let response = CreateNetworkResponse {
+        network: NetworkInfo::from(&network_state),
+        bootstrap_token,
+    };
+
+    Ok(Json(response))
+}
+
+pub async fn create_token(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(network_id): Path<String>,
+    Json(req): Json<CreateTokenRequest>,
+) -> Result<Json<CreateTokenResponse>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let token = state
+        .store
+        .write(|state| {
+            let network = state
+                .networks
+                .get(&network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+            let token = build_token(&network.id, req.ttl_seconds, req.uses, req.tags)?;
+            state.tokens.insert(token.token.clone(), token.clone());
+            state.audit_log.push(build_audit_entry(
+                "token.create",
+                Some(network.id.clone()),
+                None,
+                Some(serde_json::json!({
+                    "expires_at": token.expires_at,
+                    "uses": token.uses_left,
+                    "tags": token.tags,
+                })),
+            ));
+            Ok(token)
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(CreateTokenResponse {
+        token: token.into(),
+    }))
+}
+
+pub async fn revoke_token(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(token_id): Path<String>,
+) -> Result<Json<EnrollmentToken>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let now = now_unix();
+    let token = state
+        .store
+        .write(|state| {
+            let token = state
+                .tokens
+                .get_mut(&token_id)
+                .ok_or(ApiError::NotFound("token"))?;
+            token.revoked_at = Some(now);
+            state.audit_log.push(build_audit_entry(
+                "token.revoke",
+                Some(token.network_id.clone()),
+                None,
+                Some(serde_json::json!({
+                    "revoked_at": token.revoked_at,
+                })),
+            ));
+            Ok(token.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(token.into()))
+}
+
+pub async fn register(
+    Extension(state): Extension<AppState>,
+    Json(req): Json<RegisterRequest>,
+) -> Result<Json<RegisterResponse>, ApiError> {
+    let now = now_unix();
+    let relay = relay_or_none(&state.relay);
+    let node_token = random_secret();
+
+    let node_id = state
+        .store
+        .write(|state| {
+            let token = state
+                .tokens
+                .get_mut(&req.token)
+                .ok_or(ApiError::Unauthorized("token not found"))?;
+
+            if token.expires_at <= now {
+                return Err(ApiError::Unauthorized("token expired").into());
+            }
+
+            if token.revoked_at.is_some() {
+                return Err(ApiError::Unauthorized("token revoked").into());
+            }
+
+            if token.uses_left == 0 {
+                return Err(ApiError::Unauthorized("token used up").into());
+            }
+
+            let network = state
+                .networks
+                .get_mut(&token.network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+
+            let (ipv4, ipv6) = allocate_node_ips(network)?;
+
+            let node_id = Uuid::new_v4().to_string();
+            let approved = !network.requires_approval;
+            let key_history = vec![
+                KeyRecord {
+                    key_type: KeyType::Machine,
+                    public_key: req.machine_public_key.clone(),
+                    created_at: now,
+                    revoked_at: None,
+                },
+                KeyRecord {
+                    key_type: KeyType::WireGuard,
+                    public_key: req.wg_public_key.clone(),
+                    created_at: now,
+                    revoked_at: None,
+                },
+            ];
+            let node = NodeState {
+                id: node_id.clone(),
+                network_id: network.id.clone(),
+                name: req.node_name,
+                machine_public_key: req.machine_public_key,
+                wg_public_key: req.wg_public_key,
+                ipv4,
+                ipv6,
+                endpoints: Vec::new(),
+                tags: token.tags.clone(),
+                routes: Vec::new(),
+                created_at: now,
+                last_seen: now,
+                probe_requested_at: None,
+                approved,
+                approved_at: approved.then_some(now),
+                auth_secret: None,
+                auth_expires_at: None,
+                node_token: Some(node_token.clone()),
+                revoked_at: None,
+                key_history,
+            };
+
+            state.nodes.insert(node.id.clone(), node.clone());
+            state.audit_log.push(build_audit_entry(
+                "node.register",
+                Some(network.id.clone()),
+                Some(node.id.clone()),
+                Some(serde_json::json!({
+                    "approved": node.approved,
+                })),
+            ));
+
+            token.uses_left = token.uses_left.saturating_sub(1);
+            if token.uses_left == 0 {
+                state.tokens.remove(&req.token);
+            }
+
+            Ok(node.id.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    let netmap = state
+        .store
+        .read(|state| Ok(build_netmap(state, &node_id, relay.clone())?))
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(RegisterResponse {
+        node_token,
+        netmap,
+    }))
+}
+
+pub async fn register_url(
+    Extension(state): Extension<AppState>,
+    Json(req): Json<RegisterUrlRequest>,
+) -> Result<Json<RegisterUrlResponse>, ApiError> {
+    let now = now_unix();
+    let ttl_seconds = req.ttl_seconds.unwrap_or(600);
+    if ttl_seconds == 0 {
+        return Err(ApiError::BadRequest("ttl_seconds must be > 0"));
+    }
+    let expires_at = now + ttl_seconds as i64;
+
+    let node_token = random_secret();
+    let (node, auth_path) = state
+        .store
+        .write(|state| {
+            let network = state
+                .networks
+                .get_mut(&req.network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+
+            let (ipv4, ipv6) = allocate_node_ips(network)?;
+            let node_id = Uuid::new_v4().to_string();
+            let auth_secret = random_secret();
+
+            let key_history = vec![
+                KeyRecord {
+                    key_type: KeyType::Machine,
+                    public_key: req.machine_public_key.clone(),
+                    created_at: now,
+                    revoked_at: None,
+                },
+                KeyRecord {
+                    key_type: KeyType::WireGuard,
+                    public_key: req.wg_public_key.clone(),
+                    created_at: now,
+                    revoked_at: None,
+                },
+            ];
+            let node = NodeState {
+                id: node_id.clone(),
+                network_id: network.id.clone(),
+                name: req.node_name.clone(),
+                machine_public_key: req.machine_public_key.clone(),
+                wg_public_key: req.wg_public_key.clone(),
+                ipv4,
+                ipv6,
+                endpoints: Vec::new(),
+                tags: Vec::new(),
+                routes: Vec::new(),
+                created_at: now,
+                last_seen: now,
+                probe_requested_at: None,
+                approved: false,
+                approved_at: None,
+                auth_secret: Some(auth_secret.clone()),
+                auth_expires_at: Some(expires_at),
+                node_token: Some(node_token.clone()),
+                revoked_at: None,
+                key_history,
+            };
+
+            state.nodes.insert(node.id.clone(), node.clone());
+            state.audit_log.push(build_audit_entry(
+                "node.register_url",
+                Some(network.id.clone()),
+                Some(node.id.clone()),
+                Some(serde_json::json!({
+                    "expires_at": expires_at,
+                })),
+            ));
+
+            let auth_path = format!("/v1/register/approve/{}/{}", node_id, auth_secret);
+            Ok((node, auth_path))
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(RegisterUrlResponse {
+        node_id: node.id,
+        network_id: node.network_id,
+        ipv4: node.ipv4,
+        ipv6: node.ipv6,
+        auth_path,
+        expires_at,
+        node_token,
+    }))
+}
+
+pub async fn approve_node_secret(
+    Extension(state): Extension<AppState>,
+    Path((node_id, secret)): Path<(String, String)>,
+) -> Result<impl IntoResponse, ApiError> {
+    let now = now_unix();
+    let node = state
+        .store
+        .write(|state| {
+            let node = state
+                .nodes
+                .get_mut(&node_id)
+                .ok_or(ApiError::NotFound("node"))?;
+
+            if node.approved {
+                return Ok(node.clone());
+            }
+
+            let auth_secret = node
+                .auth_secret
+                .as_ref()
+                .ok_or(ApiError::Unauthorized("approval not allowed"))?;
+            if auth_secret != &secret {
+                return Err(ApiError::Unauthorized("invalid approval secret").into());
+            }
+            if let Some(expires_at) = node.auth_expires_at {
+                if expires_at <= now {
+                    return Err(ApiError::Unauthorized("approval expired").into());
+                }
+            }
+
+            node.approved = true;
+            node.approved_at = Some(now);
+            node.auth_secret = None;
+            node.auth_expires_at = None;
+            state.audit_log.push(build_audit_entry(
+                "node.approve",
+                Some(node.network_id.clone()),
+                Some(node.id.clone()),
+                Some(serde_json::json!({
+                    "approved_at": node.approved_at,
+                    "via": "auth_url",
+                })),
+            ));
+            Ok(node.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(serde_json::json!({
+        "node_id": node.id,
+        "approved": node.approved,
+        "approved_at": node.approved_at,
+    })))
+}
+
+pub async fn approve_node(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(node_id): Path<String>,
+) -> Result<impl IntoResponse, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let now = now_unix();
+    let node = state
+        .store
+        .write(|state| {
+            let node = state
+                .nodes
+                .get_mut(&node_id)
+                .ok_or(ApiError::NotFound("node"))?;
+            if node.approved {
+                return Ok(node.clone());
+            }
+            node.approved = true;
+            node.approved_at = Some(now);
+            node.auth_secret = None;
+            node.auth_expires_at = None;
+            state.audit_log.push(build_audit_entry(
+                "node.approve",
+                Some(node.network_id.clone()),
+                Some(node.id.clone()),
+                Some(serde_json::json!({
+                    "approved_at": node.approved_at,
+                    "via": "admin",
+                })),
+            ));
+            Ok(node.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(serde_json::json!({
+        "node_id": node.id,
+        "approved": node.approved,
+        "approved_at": node.approved_at,
+    })))
+}
+
+pub async fn admin_nodes(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(network_id): Path<String>,
+) -> Result<Json<AdminNodesResponse>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let now = now_unix();
+    let nodes = state
+        .store
+        .read(|state| {
+            let network = state
+                .networks
+                .get(&network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+            let nodes = state
+                .nodes
+                .values()
+                .filter(|node| node.network_id == network_id)
+                .map(|node| {
+                    let (approved, key_rotation_required) =
+                        effective_node_status(node, &network.key_policy, now);
+                    NodeInfo::from_state(
+                        node,
+                        network.dns_domain.as_str(),
+                        approved,
+                        key_rotation_required,
+                    )
+                })
+                .collect();
+            Ok(nodes)
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(AdminNodesResponse { nodes }))
+}
+
+pub async fn update_node(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(node_id): Path<String>,
+    Json(req): Json<UpdateNodeRequest>,
+) -> Result<Json<UpdateNodeResponse>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    if req.name.is_none() && req.tags.is_none() {
+        return Err(ApiError::BadRequest("no fields to update"));
+    }
+    let now = now_unix();
+    let node = state
+        .store
+        .write(|state| {
+            let node = state
+                .nodes
+                .get_mut(&node_id)
+                .ok_or(ApiError::NotFound("node"))?;
+            let mut detail = serde_json::Map::new();
+
+            if let Some(name) = req.name.as_ref() {
+                let trimmed = name.trim();
+                if trimmed.is_empty() {
+                    return Err(ApiError::BadRequest("node name must be non-empty").into());
+                }
+                if trimmed != node.name {
+                    detail.insert("name".to_string(), serde_json::json!(trimmed));
+                }
+                node.name = trimmed.to_string();
+            }
+
+            if let Some(tags) = req.tags.as_ref() {
+                let mut unique = Vec::new();
+                let mut seen = HashSet::new();
+                for tag in tags {
+                    let tag = tag.trim();
+                    if tag.is_empty() {
+                        continue;
+                    }
+                    if seen.insert(tag.to_string()) {
+                        unique.push(tag.to_string());
+                    }
+                }
+                if unique != node.tags {
+                    detail.insert("tags".to_string(), serde_json::json!(&unique));
+                }
+                node.tags = unique;
+            }
+
+            let network_id = node.network_id.clone();
+            let node_snapshot = node.clone();
+            let network = state
+                .networks
+                .get(&network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+            let (approved, key_rotation_required) =
+                effective_node_status(&node_snapshot, &network.key_policy, now);
+            if !detail.is_empty() {
+                state.audit_log.push(build_audit_entry(
+                    "node.update",
+                    Some(network.id.clone()),
+                    Some(node_snapshot.id.clone()),
+                    Some(serde_json::Value::Object(detail)),
+                ));
+            }
+
+            Ok(NodeInfo::from_state(
+                &node_snapshot,
+                network.dns_domain.as_str(),
+                approved,
+                key_rotation_required,
+            ))
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(UpdateNodeResponse { node }))
+}
+
+pub async fn get_acl(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(network_id): Path<String>,
+) -> Result<Json<AclPolicy>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let policy = state
+        .store
+        .read(|state| {
+            let network = state
+                .networks
+                .get(&network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+            Ok(network.acl.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+    Ok(Json(policy))
+}
+
+pub async fn update_acl(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(network_id): Path<String>,
+    Json(req): Json<UpdateAclRequest>,
+) -> Result<Json<UpdateAclResponse>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let policy = state
+        .store
+        .write(|state| {
+            let network = state
+                .networks
+                .get_mut(&network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+            network.acl = req.policy.clone();
+            state.audit_log.push(build_audit_entry(
+                "acl.update",
+                Some(network.id.clone()),
+                None,
+                None,
+            ));
+            Ok(network.acl.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(UpdateAclResponse { policy }))
+}
+
+pub async fn get_key_policy(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(network_id): Path<String>,
+) -> Result<Json<KeyPolicyResponse>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let policy = state
+        .store
+        .read(|state| {
+            let network = state
+                .networks
+                .get(&network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+            Ok(network.key_policy.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(KeyPolicyResponse { policy }))
+}
+
+pub async fn update_key_policy(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(network_id): Path<String>,
+    Json(req): Json<KeyRotationPolicy>,
+) -> Result<Json<KeyPolicyResponse>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let policy = state
+        .store
+        .write(|state| {
+            let network = state
+                .networks
+                .get_mut(&network_id)
+                .ok_or(ApiError::NotFound("network"))?;
+            network.key_policy = req.clone();
+            state.audit_log.push(build_audit_entry(
+                "key_policy.update",
+                Some(network.id.clone()),
+                None,
+                Some(serde_json::json!({
+                    "max_age_seconds": network.key_policy.max_age_seconds,
+                })),
+            ));
+            Ok(network.key_policy.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(KeyPolicyResponse { policy }))
+}
+
+pub async fn rotate_keys(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(node_id): Path<String>,
+    Json(req): Json<KeyRotationRequest>,
+) -> Result<Json<KeyRotationResponse>, ApiError> {
+    if req.machine_public_key.is_none() && req.wg_public_key.is_none() {
+        return Err(ApiError::BadRequest("no keys provided"));
+    }
+    let now = now_unix();
+    let admin_token = state.admin_token.clone();
+    let node = state
+        .store
+        .write(|state| {
+            let node = state
+                .nodes
+                .get_mut(&node_id)
+                .ok_or(ApiError::NotFound("node"))?;
+            require_node(&headers, &admin_token, node)?;
+
+            let mut rotated = serde_json::Map::new();
+
+            if let Some(new_machine) = req.machine_public_key.as_ref() {
+                if node.machine_public_key == *new_machine {
+                    return Err(ApiError::BadRequest("machine_public_key unchanged").into());
+                }
+                revoke_key_record(&mut node.key_history, KeyType::Machine, &node.machine_public_key, now);
+                node.machine_public_key = new_machine.clone();
+                node.key_history.push(KeyRecord {
+                    key_type: KeyType::Machine,
+                    public_key: new_machine.clone(),
+                    created_at: now,
+                    revoked_at: None,
+                });
+                rotated.insert("machine".to_string(), serde_json::json!(new_machine));
+            }
+
+            if let Some(new_wg) = req.wg_public_key.as_ref() {
+                if node.wg_public_key == *new_wg {
+                    return Err(ApiError::BadRequest("wg_public_key unchanged").into());
+                }
+                revoke_key_record(&mut node.key_history, KeyType::WireGuard, &node.wg_public_key, now);
+                node.wg_public_key = new_wg.clone();
+                node.key_history.push(KeyRecord {
+                    key_type: KeyType::WireGuard,
+                    public_key: new_wg.clone(),
+                    created_at: now,
+                    revoked_at: None,
+                });
+                rotated.insert("wireguard".to_string(), serde_json::json!(new_wg));
+            }
+
+            node.revoked_at = None;
+
+            state.audit_log.push(build_audit_entry(
+                "keys.rotate",
+                Some(node.network_id.clone()),
+                Some(node.id.clone()),
+                Some(serde_json::Value::Object(rotated)),
+            ));
+
+            Ok(node.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(KeyRotationResponse {
+        node_id: node.id,
+        machine_public_key: node.machine_public_key,
+        wg_public_key: node.wg_public_key,
+    }))
+}
+
+pub async fn revoke_node(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(node_id): Path<String>,
+) -> Result<impl IntoResponse, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let now = now_unix();
+    let node = state
+        .store
+        .write(|state| {
+            let node = state
+                .nodes
+                .get_mut(&node_id)
+                .ok_or(ApiError::NotFound("node"))?;
+            node.revoked_at = Some(now);
+            revoke_key_record(&mut node.key_history, KeyType::Machine, &node.machine_public_key, now);
+            revoke_key_record(&mut node.key_history, KeyType::WireGuard, &node.wg_public_key, now);
+            state.audit_log.push(build_audit_entry(
+                "keys.revoke",
+                Some(node.network_id.clone()),
+                Some(node.id.clone()),
+                Some(serde_json::json!({
+                    "revoked_at": node.revoked_at,
+                })),
+            ));
+            Ok(node.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(serde_json::json!({
+        "node_id": node.id,
+        "revoked_at": node.revoked_at,
+    })))
+}
+
+pub async fn node_keys(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(node_id): Path<String>,
+) -> Result<Json<KeyHistoryResponse>, ApiError> {
+    let admin_token = state.admin_token.clone();
+    let history = state
+        .store
+        .read(|state| {
+            let node = state
+                .nodes
+                .get(&node_id)
+                .ok_or(ApiError::NotFound("node"))?;
+            require_node(&headers, &admin_token, node)?;
+            Ok(node.key_history.clone())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(KeyHistoryResponse {
+        node_id,
+        keys: history,
+    }))
+}
+
+#[derive(Deserialize)]
+pub struct AuditQuery {
+    pub network_id: Option<String>,
+    pub node_id: Option<String>,
+    pub limit: Option<usize>,
+}
+
+pub async fn audit_log(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Query(params): Query<AuditQuery>,
+) -> Result<Json<AuditLogResponse>, ApiError> {
+    require_admin(&headers, &state.admin_token)?;
+    let entries = state
+        .store
+        .read(|state| {
+            let mut entries: Vec<AuditEntry> = state
+                .audit_log
+                .iter()
+                .filter(|entry| {
+                    if let Some(ref network_id) = params.network_id {
+                        if entry.network_id.as_deref() != Some(network_id.as_str()) {
+                            return false;
+                        }
+                    }
+                    if let Some(ref node_id) = params.node_id {
+                        if entry.node_id.as_deref() != Some(node_id.as_str()) {
+                            return false;
+                        }
+                    }
+                    true
+                })
+                .cloned()
+                .collect();
+            if let Some(limit) = params.limit {
+                if entries.len() > limit {
+                    entries = entries[entries.len() - limit..].to_vec();
+                }
+            }
+            Ok(entries)
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(AuditLogResponse { entries }))
+}
+
+pub async fn heartbeat(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    ConnectInfo(remote): ConnectInfo<SocketAddr>,
+    Json(req): Json<HeartbeatRequest>,
+) -> Result<Json<HeartbeatResponse>, ApiError> {
+    let now = now_unix();
+    let relay = relay_or_none(&state.relay);
+    let admin_token = state.admin_token.clone();
+    let HeartbeatRequest {
+        node_id,
+        endpoints,
+        listen_port,
+        routes,
+        probe,
+    } = req;
+    let observed_endpoint = listen_port
+        .map(|port| SocketAddr::new(remote.ip(), port).to_string());
+    let endpoints = merge_endpoints(endpoints, observed_endpoint);
+
+    state
+        .store
+        .write(|state| {
+            let node = state
+                .nodes
+                .get_mut(&node_id)
+                .ok_or(ApiError::NotFound("node"))?;
+            require_node(&headers, &admin_token, node)?;
+            node.endpoints = endpoints;
+            node.routes = routes;
+            node.last_seen = now;
+            if probe.unwrap_or(false) {
+                node.probe_requested_at = Some(now);
+            }
+            Ok(())
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    let netmap = state
+        .store
+        .read(|state| Ok(build_netmap(state, &node_id, relay.clone())?))
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(HeartbeatResponse { netmap }))
+}
+
+pub async fn netmap(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(node_id): Path<String>,
+) -> Result<Json<NetMap>, ApiError> {
+    let relay = relay_or_none(&state.relay);
+    let admin_token = state.admin_token.clone();
+    let netmap = state
+        .store
+        .read(|state| {
+            let node = state
+                .nodes
+                .get(&node_id)
+                .ok_or(ApiError::NotFound("node"))?;
+            require_node(&headers, &admin_token, node)?;
+            Ok(build_netmap(state, &node_id, relay.clone())?)
+        })
+        .await
+        .map_err(map_store_err)?;
+
+    Ok(Json(netmap))
+}
+
+pub async fn netmap_longpoll(
+    Extension(state): Extension<AppState>,
+    headers: HeaderMap,
+    Path(node_id): Path<String>,
+    Query(params): Query<NetmapLongpollParams>,
+) -> Result<Json<NetMap>, ApiError> {
+    let relay = relay_or_none(&state.relay);
+    let since = params.since.unwrap_or(0);
+    let timeout = params.timeout_seconds.unwrap_or(30).min(300);
+    let deadline = Instant::now() + Duration::from_secs(timeout);
+    let admin_token = state.admin_token.clone();
+
+    loop {
+        let snapshot = state
+            .store
+            .read(|state| {
+                let node = state
+                    .nodes
+                    .get(&node_id)
+                    .ok_or(ApiError::NotFound("node"))?;
+                require_node(&headers, &admin_token, node)?;
+                Ok(build_netmap(state, &node_id, relay.clone())
+                    .map(|netmap| (state.revision, netmap))?)
+            })
+            .await
+            .map_err(map_store_err)?;
+
+        if snapshot.0 > since || Instant::now() >= deadline {
+            return Ok(Json(snapshot.1));
+        }
+
+        sleep(Duration::from_millis(500)).await;
+    }
+}
+
+fn build_netmap(
+    state: &State,
+    node_id: &str,
+    relay: Option<RelayConfig>,
+) -> Result<NetMap, ApiError> {
+    let node = state
+        .nodes
+        .get(node_id)
+        .ok_or(ApiError::NotFound("node"))?;
+    let network = state
+        .networks
+        .get(&node.network_id)
+        .ok_or(ApiError::NotFound("network"))?;
+    let now = now_unix();
+    let (approved, key_rotation_required) = effective_node_status(node, &network.key_policy, now);
+    let peers = if approved {
+        collect_peers(
+            &network.id,
+            network.dns_domain.as_str(),
+            &state.nodes,
+            Some(&node.id),
+            node,
+            &network.acl,
+            &network.key_policy,
+            now,
+        )
+    } else {
+        Vec::new()
+    };
+
+    let probe_requests = collect_probe_requests(state, &peers, now);
+
+    Ok(NetMap {
+        network: NetworkInfo::from(network),
+        node: NodeInfo::from_state(
+            node,
+            network.dns_domain.as_str(),
+            approved,
+            key_rotation_required,
+        ),
+        peers,
+        relay,
+        probe_requests,
+        generated_at: now_unix(),
+        revision: state.revision,
+    })
+}
+
+const PROBE_TTL_SECONDS: i64 = 30;
+
+fn collect_probe_requests(
+    state: &State,
+    peers: &[PeerInfo],
+    now: i64,
+) -> Vec<ProbeRequest> {
+    peers
+        .iter()
+        .filter_map(|peer| {
+            let node = state.nodes.get(&peer.id)?;
+            let requested_at = node.probe_requested_at?;
+            if now.saturating_sub(requested_at) > PROBE_TTL_SECONDS {
+                return None;
+            }
+            Some(ProbeRequest {
+                peer_id: peer.id.clone(),
+                endpoints: peer.endpoints.clone(),
+                ipv4: peer.ipv4.clone(),
+                ipv6: peer.ipv6.clone(),
+                requested_at,
+            })
+        })
+        .collect()
+}
+
+fn collect_peers(
+    network_id: &str,
+    dns_domain: &str,
+    nodes: &std::collections::HashMap<String, NodeState>,
+    exclude_id: Option<&str>,
+    src_node: &NodeState,
+    acl: &AclPolicy,
+    key_policy: &KeyRotationPolicy,
+    now: i64,
+) -> Vec<PeerInfo> {
+    nodes
+        .values()
+        .filter(|node| node.network_id == network_id)
+        .filter(|node| {
+            let (approved, _) = effective_node_status(node, key_policy, now);
+            approved
+        })
+        .filter(|node| exclude_id.map_or(true, |id| node.id != id))
+        .filter(|node| acl_allows(acl, src_node, node))
+        .map(|node| PeerInfo::from((node, dns_domain)))
+        .collect()
+}
+
+fn effective_node_status(
+    node: &NodeState,
+    key_policy: &KeyRotationPolicy,
+    now: i64,
+) -> (bool, bool) {
+    let mut key_rotation_required = false;
+    if let Some(max_age) = key_policy.max_age_seconds {
+        let max_age = max_age as i64;
+        if let Some(created_at) = current_key_created_at(node, KeyType::Machine) {
+            if now.saturating_sub(created_at) > max_age {
+                key_rotation_required = true;
+            }
+        }
+        if let Some(created_at) = current_key_created_at(node, KeyType::WireGuard) {
+            if now.saturating_sub(created_at) > max_age {
+                key_rotation_required = true;
+            }
+        }
+    }
+    let revoked = node.revoked_at.is_some();
+    let approved = node.approved && !revoked && !key_rotation_required;
+    (approved, key_rotation_required)
+}
+
+fn current_key_created_at(node: &NodeState, key_type: KeyType) -> Option<i64> {
+    node.key_history
+        .iter()
+        .find(|record| {
+            record.key_type == key_type
+                && record.revoked_at.is_none()
+                && match key_type {
+                    KeyType::Machine => record.public_key == node.machine_public_key,
+                    KeyType::WireGuard => record.public_key == node.wg_public_key,
+                }
+        })
+        .map(|record| record.created_at)
+}
+
+fn revoke_key_record(history: &mut Vec<KeyRecord>, key_type: KeyType, public_key: &str, now: i64) {
+    for record in history.iter_mut() {
+        if record.key_type == key_type && record.public_key == public_key {
+            record.revoked_at = Some(now);
+        }
+    }
+}
+
+fn acl_allows(policy: &AclPolicy, src: &NodeState, dst: &NodeState) -> bool {
+    for rule in &policy.rules {
+        if selector_matches(src, &rule.src) && selector_matches(dst, &rule.dst) {
+            return matches!(rule.action, AclAction::Allow);
+        }
+    }
+    matches!(policy.default_action, AclAction::Allow)
+}
+
+fn selector_matches(node: &NodeState, selector: &AclSelector) -> bool {
+    let empty = selector.tags.is_empty() && selector.node_ids.is_empty() && selector.names.is_empty();
+    if selector.any || empty {
+        return true;
+    }
+    if selector.node_ids.iter().any(|id| id == &node.id) {
+        return true;
+    }
+    if selector.names.iter().any(|name| name == &node.name) {
+        return true;
+    }
+    selector
+        .tags
+        .iter()
+        .any(|tag| node.tags.iter().any(|node_tag| node_tag == tag))
+}
+
+fn relay_or_none(relay: &RelayConfig) -> Option<RelayConfig> {
+    if relay.stun_servers.is_empty()
+        && relay.turn_servers.is_empty()
+        && relay.stream_relay_servers.is_empty()
+        && relay.udp_relay_servers.is_empty()
+    {
+        None
+    } else {
+        Some(relay.clone())
+    }
+}
+
+fn build_token(network_id: &str, ttl_seconds: u64, uses: u32, tags: Vec<String>) -> Result<TokenState, ApiError> {
+    if ttl_seconds == 0 || uses == 0 {
+        return Err(ApiError::BadRequest("ttl_seconds and uses must be > 0"));
+    }
+
+    let token = random_secret();
+    let expires_at = now_unix() + ttl_seconds as i64;
+
+    Ok(TokenState {
+        token,
+        network_id: network_id.to_string(),
+        expires_at,
+        uses_left: uses,
+        tags,
+        revoked_at: None,
+    })
+}
+
+fn random_secret() -> String {
+    let mut random = [0u8; 32];
+    rand::thread_rng().fill_bytes(&mut random);
+    URL_SAFE_NO_PAD.encode(random)
+}
+
+fn allocate_node_ips(network: &mut NetworkState) -> Result<(String, String), ApiError> {
+    let v4_net: Ipv4Net = network
+        .overlay_v4
+        .parse()
+        .map_err(|_| ApiError::Internal)?;
+    let v6_net: Ipv6Net = network
+        .overlay_v6
+        .parse()
+        .map_err(|_| ApiError::Internal)?;
+
+    if network.next_ipv4 > 250 {
+        return Err(ApiError::Conflict("ipv4 address space exhausted"));
+    }
+
+    let base_v4 = u32::from(v4_net.network());
+    let ip4 = Ipv4Addr::from(base_v4 + network.next_ipv4);
+    network.next_ipv4 += 1;
+
+    let base_v6 = u128::from(v6_net.network());
+    let ip6 = Ipv6Addr::from(base_v6 + network.next_ipv6);
+    network.next_ipv6 += 1;
+
+    Ok((ip4.to_string(), ip6.to_string()))
+}
+
+fn merge_endpoints(provided: Vec<String>, observed: Option<String>) -> Vec<String> {
+    let mut merged = Vec::new();
+    let mut seen = HashSet::new();
+    if let Some(endpoint) = observed {
+        if seen.insert(endpoint.clone()) {
+            merged.push(endpoint);
+        }
+    }
+    for endpoint in provided {
+        if seen.insert(endpoint.clone()) {
+            merged.push(endpoint);
+        }
+    }
+    merged
+}
+
+fn now_unix() -> i64 {
+    OffsetDateTime::now_utc().unix_timestamp()
+}
+
+fn short_id(id: &Uuid) -> String {
+    let text = id.to_string();
+    text.split('-').next().unwrap_or(&text).to_string()
+}
+
+fn build_audit_entry(
+    action: &str,
+    network_id: Option<String>,
+    node_id: Option<String>,
+    detail: Option<serde_json::Value>,
+) -> AuditEntry {
+    AuditEntry {
+        id: Uuid::new_v4().to_string(),
+        timestamp: now_unix(),
+        network_id,
+        node_id,
+        action: action.to_string(),
+        detail,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn sample_node(name: &str, tags: Vec<String>, created_at: i64) -> NodeState {
+        let machine_key = format!("machine-{}", name);
+        let wg_key = format!("wg-{}", name);
+        NodeState {
+            id: format!("node-{}", name),
+            network_id: "net-1".to_string(),
+            name: name.to_string(),
+            machine_public_key: machine_key.clone(),
+            wg_public_key: wg_key.clone(),
+            ipv4: "100.64.0.1".to_string(),
+            ipv6: "fd00::1".to_string(),
+            endpoints: Vec::new(),
+            tags,
+            routes: Vec::new(),
+            created_at,
+            last_seen: created_at,
+            probe_requested_at: None,
+            approved: true,
+            approved_at: Some(created_at),
+            auth_secret: None,
+            auth_expires_at: None,
+            node_token: Some(format!("token-{}", name)),
+            revoked_at: None,
+            key_history: vec![
+                KeyRecord {
+                    key_type: KeyType::Machine,
+                    public_key: machine_key,
+                    created_at,
+                    revoked_at: None,
+                },
+                KeyRecord {
+                    key_type: KeyType::WireGuard,
+                    public_key: wg_key,
+                    created_at,
+                    revoked_at: None,
+                },
+            ],
+        }
+    }
+
+    #[test]
+    fn acl_default_allows() {
+        let policy = AclPolicy::default();
+        let src = sample_node("src", vec!["dev".to_string()], 0);
+        let dst = sample_node("dst", vec!["prod".to_string()], 0);
+        assert!(acl_allows(&policy, &src, &dst));
+    }
+
+    #[test]
+    fn acl_rule_denies_tag_pair() {
+        let policy = AclPolicy {
+            default_action: AclAction::Allow,
+            rules: vec![crate::model::AclRule {
+                action: AclAction::Deny,
+                src: AclSelector {
+                    tags: vec!["dev".to_string()],
+                    ..Default::default()
+                },
+                dst: AclSelector {
+                    tags: vec!["prod".to_string()],
+                    ..Default::default()
+                },
+            }],
+        };
+        let src = sample_node("src", vec!["dev".to_string()], 0);
+        let dst = sample_node("dst", vec!["prod".to_string()], 0);
+        assert!(!acl_allows(&policy, &src, &dst));
+    }
+
+    #[test]
+    fn key_rotation_required_blocks_peer() {
+        let now = 100;
+        let node = sample_node("old", vec![], now - 100);
+        let policy = KeyRotationPolicy {
+            max_age_seconds: Some(30),
+        };
+        let (approved, required) = effective_node_status(&node, &policy, now);
+        assert!(!approved);
+        assert!(required);
+    }
+}
diff --git a/src/app.rs b/src/app.rs
new file mode 100644
index 0000000..0e06113
--- /dev/null
+++ b/src/app.rs
@@ -0,0 +1,9 @@
+use crate::model::RelayConfig;
+use crate::state::StateStore;
+
+#[derive(Clone)]
+pub struct AppState {
+    pub store: StateStore,
+    pub relay: RelayConfig,
+    pub admin_token: Option<String>,
+}
diff --git a/src/main.rs b/src/main.rs
new file mode 100644
index 0000000..1cacac8
--- /dev/null
+++ b/src/main.rs
@@ -0,0 +1,143 @@
+mod api;
+mod app;
+mod model;
+mod netid;
+mod stream_relay;
+mod udp_relay;
+mod state;
+
+use crate::api::{
+    admin_nodes, approve_node, approve_node_secret, audit_log, create_network, create_token,
+    get_acl, get_key_policy, heartbeat, netmap, netmap_longpoll, node_keys, register,
+    register_url, revoke_node, revoke_token, rotate_keys, update_acl, update_key_policy,
+    update_node,
+};
+use crate::app::AppState;
+use crate::model::RelayConfig;
+use axum::routing::{get, post, put};
+use axum::Router;
+use clap::Parser;
+use state::StateStore;
+use std::net::SocketAddr;
+use std::path::PathBuf;
+use tracing_subscriber::EnvFilter;
+
+#[derive(Parser, Debug)]
+#[command(name = "lightscale-server")]
+struct Args {
+    #[arg(long, default_value = "0.0.0.0:8080")]
+    listen: String,
+    #[arg(long, default_value = "state.json")]
+    state: PathBuf,
+    #[arg(long)]
+    db_url: Option<String>,
+    #[arg(long, env = "LIGHTSCALE_ADMIN_TOKEN")]
+    admin_token: Option<String>,
+    #[arg(long, value_delimiter = ',')]
+    stun: Vec<String>,
+    #[arg(long, value_delimiter = ',')]
+    turn: Vec<String>,
+    #[arg(long, value_delimiter = ',')]
+    stream_relay: Vec<String>,
+    #[arg(long, value_delimiter = ',')]
+    udp_relay: Vec<String>,
+    #[arg(long)]
+    udp_relay_listen: Option<String>,
+    #[arg(long)]
+    stream_relay_listen: Option<String>,
+}
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    tracing_subscriber::fmt()
+        .with_env_filter(EnvFilter::from_default_env())
+        .init();
+
+    let args = Args::parse();
+    let store = if let Some(db_url) = args.db_url.as_deref() {
+        StateStore::load_db(db_url).await?
+    } else {
+        StateStore::load(Some(args.state)).await?
+    };
+    let relay = RelayConfig {
+        stun_servers: args.stun,
+        turn_servers: args.turn,
+        stream_relay_servers: args.stream_relay,
+        udp_relay_servers: args.udp_relay,
+    };
+    if args.admin_token.is_none() {
+        tracing::warn!("admin token not set; admin endpoints are unsecured");
+    }
+    let app_state = AppState {
+        store,
+        relay,
+        admin_token: args.admin_token,
+    };
+
+    let app = Router::new()
+        .route("/healthz", get(healthz))
+        .route("/v1/networks", post(create_network))
+        .route("/v1/networks/:network_id/tokens", post(create_token))
+        .route(
+            "/v1/networks/:network_id/acl",
+            get(get_acl).put(update_acl),
+        )
+        .route(
+            "/v1/networks/:network_id/key-policy",
+            get(get_key_policy).put(update_key_policy),
+        )
+        .route("/v1/tokens/:token_id/revoke", post(revoke_token))
+        .route("/v1/register", post(register))
+        .route("/v1/register-url", post(register_url))
+        .route(
+            "/v1/register/approve/:node_id/:secret",
+            get(approve_node_secret),
+        )
+        .route("/v1/admin/nodes/:node_id/approve", post(approve_node))
+        .route("/v1/nodes/:node_id/rotate-keys", post(rotate_keys))
+        .route("/v1/nodes/:node_id/revoke", post(revoke_node))
+        .route("/v1/nodes/:node_id/keys", get(node_keys))
+        .route(
+            "/v1/admin/networks/:network_id/nodes",
+            get(admin_nodes),
+        )
+        .route("/v1/admin/nodes/:node_id", put(update_node))
+        .route("/v1/audit", get(audit_log))
+        .route("/v1/heartbeat", post(heartbeat))
+        .route("/v1/netmap/:node_id", get(netmap))
+        .route("/v1/netmap/:node_id/longpoll", get(netmap_longpoll))
+        .layer(axum::Extension(app_state));
+
+    let addr: SocketAddr = args.listen.parse()?;
+    tracing::info!("listening on {}", addr);
+
+    let listener = tokio::net::TcpListener::bind(addr).await?;
+
+    if let Some(listen) = args.udp_relay_listen {
+        let udp_addr: SocketAddr = listen.parse()?;
+        tokio::spawn(async move {
+            if let Err(err) = udp_relay::run(udp_addr).await {
+                tracing::error!("udp relay error: {}", err);
+            }
+        });
+        tracing::info!("udp relay listening on {}", udp_addr);
+    }
+
+    if let Some(listen) = args.stream_relay_listen {
+        let stream_addr: SocketAddr = listen.parse()?;
+        tokio::spawn(async move {
+            if let Err(err) = stream_relay::run(stream_addr).await {
+                tracing::error!("stream relay error: {}", err);
+            }
+        });
+        tracing::info!("stream relay listening on {}", stream_addr);
+    }
+
+    axum::serve(listener, app.into_make_service_with_connect_info::<SocketAddr>()).await?;
+
+    Ok(())
+}
+
+async fn healthz() -> &'static str {
+    "ok"
+}
diff --git a/src/model.rs b/src/model.rs
new file mode 100644
index 0000000..7c03a47
--- /dev/null
+++ b/src/model.rs
@@ -0,0 +1,453 @@
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct NetworkState {
+    pub id: String,
+    pub name: String,
+    pub overlay_v4: String,
+    pub overlay_v6: String,
+    pub dns_domain: String,
+    #[serde(default)]
+    pub requires_approval: bool,
+    #[serde(default)]
+    pub acl: AclPolicy,
+    #[serde(default)]
+    pub key_policy: KeyRotationPolicy,
+    pub created_at: i64,
+    pub next_ipv4: u32,
+    pub next_ipv6: u128,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct NodeState {
+    pub id: String,
+    pub network_id: String,
+    pub name: String,
+    pub machine_public_key: String,
+    pub wg_public_key: String,
+    pub ipv4: String,
+    pub ipv6: String,
+    pub endpoints: Vec<String>,
+    pub tags: Vec<String>,
+    pub routes: Vec<Route>,
+    #[serde(default)]
+    pub created_at: i64,
+    pub last_seen: i64,
+    #[serde(default)]
+    pub probe_requested_at: Option<i64>,
+    #[serde(default = "default_true")]
+    pub approved: bool,
+    #[serde(default)]
+    pub approved_at: Option<i64>,
+    #[serde(default)]
+    pub auth_secret: Option<String>,
+    #[serde(default)]
+    pub auth_expires_at: Option<i64>,
+    #[serde(default)]
+    pub node_token: Option<String>,
+    #[serde(default)]
+    pub revoked_at: Option<i64>,
+    #[serde(default)]
+    pub key_history: Vec<KeyRecord>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct TokenState {
+    pub token: String,
+    pub network_id: String,
+    pub expires_at: i64,
+    pub uses_left: u32,
+    pub tags: Vec<String>,
+    #[serde(default)]
+    pub revoked_at: Option<i64>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct Route {
+    pub prefix: String,
+    pub kind: RouteKind,
+    pub enabled: bool,
+    #[serde(default)]
+    pub mapped_prefix: Option<String>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum RouteKind {
+    Subnet,
+    Exit,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct NetworkInfo {
+    pub id: String,
+    pub name: String,
+    pub overlay_v4: String,
+    pub overlay_v6: String,
+    pub dns_domain: String,
+    pub requires_approval: bool,
+    #[serde(default)]
+    pub key_rotation_max_age_seconds: Option<u64>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct NodeInfo {
+    pub id: String,
+    pub name: String,
+    pub dns_name: String,
+    pub ipv4: String,
+    pub ipv6: String,
+    pub wg_public_key: String,
+    pub machine_public_key: String,
+    pub endpoints: Vec<String>,
+    pub tags: Vec<String>,
+    pub routes: Vec<Route>,
+    pub last_seen: i64,
+    pub approved: bool,
+    #[serde(default)]
+    pub key_rotation_required: bool,
+    #[serde(default)]
+    pub revoked: bool,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct PeerInfo {
+    pub id: String,
+    pub name: String,
+    pub dns_name: String,
+    pub ipv4: String,
+    pub ipv6: String,
+    pub wg_public_key: String,
+    pub endpoints: Vec<String>,
+    pub tags: Vec<String>,
+    pub routes: Vec<Route>,
+    pub last_seen: i64,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct NetMap {
+    pub network: NetworkInfo,
+    pub node: NodeInfo,
+    pub peers: Vec<PeerInfo>,
+    pub relay: Option<RelayConfig>,
+    #[serde(default)]
+    pub probe_requests: Vec<ProbeRequest>,
+    pub generated_at: i64,
+    #[serde(default)]
+    pub revision: u64,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct ProbeRequest {
+    pub peer_id: String,
+    pub endpoints: Vec<String>,
+    pub ipv4: String,
+    pub ipv6: String,
+    pub requested_at: i64,
+}
+
+#[derive(Clone, Serialize, Deserialize, Default)]
+pub struct AclPolicy {
+    #[serde(default)]
+    pub default_action: AclAction,
+    #[serde(default)]
+    pub rules: Vec<AclRule>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum AclAction {
+    Allow,
+    Deny,
+}
+
+impl Default for AclAction {
+    fn default() -> Self {
+        Self::Allow
+    }
+}
+
+#[derive(Clone, Serialize, Deserialize, Default)]
+pub struct AclSelector {
+    #[serde(default)]
+    pub any: bool,
+    #[serde(default)]
+    pub tags: Vec<String>,
+    #[serde(default)]
+    pub node_ids: Vec<String>,
+    #[serde(default)]
+    pub names: Vec<String>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct AclRule {
+    pub action: AclAction,
+    #[serde(default)]
+    pub src: AclSelector,
+    #[serde(default)]
+    pub dst: AclSelector,
+}
+
+#[derive(Clone, Serialize, Deserialize, Default)]
+pub struct KeyRotationPolicy {
+    #[serde(default)]
+    pub max_age_seconds: Option<u64>,
+}
+
+#[derive(Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum KeyType {
+    Machine,
+    WireGuard,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct KeyRecord {
+    pub key_type: KeyType,
+    pub public_key: String,
+    pub created_at: i64,
+    #[serde(default)]
+    pub revoked_at: Option<i64>,
+}
+
+#[derive(Clone, Serialize, Deserialize, Default)]
+pub struct RelayConfig {
+    pub stun_servers: Vec<String>,
+    pub turn_servers: Vec<String>,
+    pub stream_relay_servers: Vec<String>,
+    #[serde(default)]
+    pub udp_relay_servers: Vec<String>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct EnrollmentToken {
+    pub token: String,
+    pub expires_at: i64,
+    pub uses_left: u32,
+    pub tags: Vec<String>,
+    pub revoked_at: Option<i64>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct CreateNetworkRequest {
+    pub name: String,
+    pub dns_domain: Option<String>,
+    pub requires_approval: Option<bool>,
+    pub key_rotation_max_age_seconds: Option<u64>,
+    pub bootstrap_token_ttl_seconds: Option<u64>,
+    pub bootstrap_token_uses: Option<u32>,
+    pub bootstrap_token_tags: Option<Vec<String>>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct CreateNetworkResponse {
+    pub network: NetworkInfo,
+    pub bootstrap_token: Option<EnrollmentToken>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct CreateTokenRequest {
+    pub ttl_seconds: u64,
+    pub uses: u32,
+    pub tags: Vec<String>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct CreateTokenResponse {
+    pub token: EnrollmentToken,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct AdminNodesResponse {
+    pub nodes: Vec<NodeInfo>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct UpdateAclRequest {
+    pub policy: AclPolicy,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct UpdateAclResponse {
+    pub policy: AclPolicy,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct UpdateNodeRequest {
+    pub name: Option<String>,
+    pub tags: Option<Vec<String>>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct UpdateNodeResponse {
+    pub node: NodeInfo,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct KeyPolicyResponse {
+    pub policy: KeyRotationPolicy,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct KeyRotationRequest {
+    pub machine_public_key: Option<String>,
+    pub wg_public_key: Option<String>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct KeyRotationResponse {
+    pub node_id: String,
+    pub machine_public_key: String,
+    pub wg_public_key: String,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct KeyHistoryResponse {
+    pub node_id: String,
+    pub keys: Vec<KeyRecord>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct AuditEntry {
+    pub id: String,
+    pub timestamp: i64,
+    pub network_id: Option<String>,
+    pub node_id: Option<String>,
+    pub action: String,
+    #[serde(default)]
+    pub detail: Option<serde_json::Value>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct AuditLogResponse {
+    pub entries: Vec<AuditEntry>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct RegisterRequest {
+    pub token: String,
+    pub node_name: String,
+    pub machine_public_key: String,
+    pub wg_public_key: String,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct RegisterResponse {
+    pub node_token: String,
+    pub netmap: NetMap,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct RegisterUrlRequest {
+    pub network_id: String,
+    pub node_name: String,
+    pub machine_public_key: String,
+    pub wg_public_key: String,
+    pub ttl_seconds: Option<u64>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct RegisterUrlResponse {
+    pub node_id: String,
+    pub network_id: String,
+    pub ipv4: String,
+    pub ipv6: String,
+    pub auth_path: String,
+    pub expires_at: i64,
+    pub node_token: String,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct HeartbeatRequest {
+    pub node_id: String,
+    pub endpoints: Vec<String>,
+    pub listen_port: Option<u16>,
+    pub routes: Vec<Route>,
+    #[serde(default)]
+    pub probe: Option<bool>,
+}
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct HeartbeatResponse {
+    pub netmap: NetMap,
+}
+
+impl From<&NetworkState> for NetworkInfo {
+    fn from(state: &NetworkState) -> Self {
+        Self {
+            id: state.id.clone(),
+            name: state.name.clone(),
+            overlay_v4: state.overlay_v4.clone(),
+            overlay_v6: state.overlay_v6.clone(),
+            dns_domain: state.dns_domain.clone(),
+            requires_approval: state.requires_approval,
+            key_rotation_max_age_seconds: state.key_policy.max_age_seconds,
+        }
+    }
+}
+
+impl NodeInfo {
+    pub fn from_state(node: &NodeState, dns_domain: &str, approved: bool, key_rotation_required: bool) -> Self {
+        Self {
+            id: node.id.clone(),
+            name: node.name.clone(),
+            dns_name: format!("{}.{}", node.name, dns_domain),
+            ipv4: node.ipv4.clone(),
+            ipv6: node.ipv6.clone(),
+            wg_public_key: node.wg_public_key.clone(),
+            machine_public_key: node.machine_public_key.clone(),
+            endpoints: node.endpoints.clone(),
+            tags: node.tags.clone(),
+            routes: node.routes.clone(),
+            last_seen: node.last_seen,
+            approved,
+            key_rotation_required,
+            revoked: node.revoked_at.is_some(),
+        }
+    }
+}
+
+impl From<(&NodeState, &str)> for PeerInfo {
+    fn from((node, dns_domain): (&NodeState, &str)) -> Self {
+        Self {
+            id: node.id.clone(),
+            name: node.name.clone(),
+            dns_name: format!("{}.{}", node.name, dns_domain),
+            ipv4: node.ipv4.clone(),
+            ipv6: node.ipv6.clone(),
+            wg_public_key: node.wg_public_key.clone(),
+            endpoints: node.endpoints.clone(),
+            tags: node.tags.clone(),
+            routes: node.routes.clone(),
+            last_seen: node.last_seen,
+        }
+    }
+}
+
+impl From<TokenState> for EnrollmentToken {
+    fn from(token: TokenState) -> Self {
+        Self {
+            token: token.token,
+            expires_at: token.expires_at,
+            uses_left: token.uses_left,
+            tags: token.tags,
+            revoked_at: token.revoked_at,
+        }
+    }
+}
+
+impl From<&TokenState> for EnrollmentToken {
+    fn from(token: &TokenState) -> Self {
+        Self {
+            token: token.token.clone(),
+            expires_at: token.expires_at,
+            uses_left: token.uses_left,
+            tags: token.tags.clone(),
+            revoked_at: token.revoked_at,
+        }
+    }
+}
+
+fn default_true() -> bool {
+    true
+}
diff --git a/src/netid.rs b/src/netid.rs
new file mode 100644
index 0000000..36f9284
--- /dev/null
+++ b/src/netid.rs
@@ -0,0 +1,31 @@
+use blake3::Hash;
+use uuid::Uuid;
+
+pub fn derive_overlay_prefixes(network_id: &Uuid) -> (String, String) {
+    let hash = blake3::hash(network_id.as_bytes());
+    let v6 = derive_ipv6_ula(&hash);
+    let v4 = derive_ipv4_overlay(&hash);
+    (v4, v6)
+}
+
+fn derive_ipv6_ula(hash: &Hash) -> String {
+    let bytes = hash.as_bytes();
+    let b0 = bytes[0];
+    let b1 = bytes[1];
+    let b2 = bytes[2];
+    let b3 = bytes[3];
+    let b4 = bytes[4];
+    format!(
+        "fd{:02x}:{:02x}{:02x}:{:02x}{:02x}::/48",
+        b0, b1, b2, b3, b4
+    )
+}
+
+fn derive_ipv4_overlay(hash: &Hash) -> String {
+    let bytes = hash.as_bytes();
+    let raw = u16::from_be_bytes([bytes[5], bytes[6]]);
+    let idx = raw & 0x3fff;
+    let second = 64 + ((idx >> 8) as u8);
+    let third = (idx & 0xff) as u8;
+    format!("100.{}.{}.0/24", second, third)
+}
diff --git a/src/state.rs b/src/state.rs
new file mode 100644
index 0000000..8147548
--- /dev/null
+++ b/src/state.rs
@@ -0,0 +1,195 @@
+use crate::model::{AuditEntry, NetworkState, NodeState, TokenState};
+use anyhow::Result;
+use serde::{Deserialize, Serialize};
+use sqlx::postgres::PgPoolOptions;
+use sqlx::types::Json;
+use sqlx::{PgPool, Row};
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+use std::sync::Arc;
+use tokio::sync::RwLock;
+
+#[derive(Clone, Serialize, Deserialize)]
+pub struct State {
+    pub version: u32,
+    #[serde(default)]
+    pub revision: u64,
+    pub networks: HashMap<String, NetworkState>,
+    pub nodes: HashMap<String, NodeState>,
+    pub tokens: HashMap<String, TokenState>,
+    #[serde(default)]
+    pub audit_log: Vec<AuditEntry>,
+}
+
+impl Default for State {
+    fn default() -> Self {
+        Self {
+            version: 1,
+            revision: 0,
+            networks: HashMap::new(),
+            nodes: HashMap::new(),
+            tokens: HashMap::new(),
+            audit_log: Vec::new(),
+        }
+    }
+}
+
+#[derive(Clone)]
+pub struct StateStore {
+    backend: StoreBackend,
+}
+
+#[derive(Clone)]
+enum StoreBackend {
+    File(FileStore),
+    Db(DbStore),
+}
+
+#[derive(Clone)]
+struct FileStore {
+    inner: Arc<RwLock<State>>,
+    path: Option<PathBuf>,
+}
+
+#[derive(Clone)]
+struct DbStore {
+    pool: PgPool,
+}
+
+impl StateStore {
+    pub async fn load(path: Option<PathBuf>) -> Result<Self> {
+        let state = match &path {
+            Some(path) => load_state(path).await.unwrap_or_default(),
+            None => State::default(),
+        };
+        Ok(Self {
+            backend: StoreBackend::File(FileStore {
+                inner: Arc::new(RwLock::new(state)),
+                path,
+            }),
+        })
+    }
+
+    pub async fn load_db(db_url: &str) -> Result<Self> {
+        let pool = PgPoolOptions::new()
+            .max_connections(5)
+            .connect(db_url)
+            .await?;
+        init_db(&pool).await?;
+        Ok(Self {
+            backend: StoreBackend::Db(DbStore { pool }),
+        })
+    }
+
+    pub async fn read<F, R>(&self, f: F) -> Result<R>
+    where
+        F: FnOnce(&State) -> Result<R>,
+    {
+        match &self.backend {
+            StoreBackend::File(store) => {
+                let guard = store.inner.read().await;
+                f(&guard)
+            }
+            StoreBackend::Db(store) => {
+                let state = load_state_db(&store.pool).await?;
+                f(&state)
+            }
+        }
+    }
+
+    pub async fn write<F, R>(&self, f: F) -> Result<R>
+    where
+        F: FnOnce(&mut State) -> Result<R>,
+    {
+        match &self.backend {
+            StoreBackend::File(store) => {
+                let mut guard = store.inner.write().await;
+                let result = f(&mut guard)?;
+                guard.revision = guard.revision.saturating_add(1);
+                let snapshot = guard.clone();
+                drop(guard);
+                persist_file(store.path.as_deref(), snapshot).await?;
+                Ok(result)
+            }
+            StoreBackend::Db(store) => write_state_db(&store.pool, f).await,
+        }
+    }
+}
+
+async fn load_state(path: &Path) -> Result<State> {
+    match tokio::fs::read_to_string(path).await {
+        Ok(contents) => Ok(serde_json::from_str(&contents)?),
+        Err(_) => Ok(State::default()),
+    }
+}
+
+async fn persist_file(path: Option<&Path>, state: State) -> Result<()> {
+    let Some(path) = path else {
+        return Ok(());
+    };
+
+    if let Some(parent) = path.parent() {
+        if !parent.as_os_str().is_empty() {
+            tokio::fs::create_dir_all(parent).await?;
+        }
+    }
+
+    let json = serde_json::to_string_pretty(&state)?;
+    tokio::fs::write(path, json).await?;
+    Ok(())
+}
+
+async fn init_db(pool: &PgPool) -> Result<()> {
+    const INIT_LOCK_KEY: i64 = 0x4c53434c;
+    let mut tx = pool.begin().await?;
+    sqlx::query("SELECT pg_advisory_xact_lock($1)")
+        .bind(INIT_LOCK_KEY)
+        .execute(&mut *tx)
+        .await?;
+    sqlx::query(
+        "CREATE TABLE IF NOT EXISTS lightscale_state (id INT PRIMARY KEY, state JSONB NOT NULL)",
+    )
+    .execute(&mut *tx)
+    .await?;
+
+    let exists = sqlx::query("SELECT 1 FROM lightscale_state WHERE id = 1")
+        .fetch_optional(&mut *tx)
+        .await?;
+    if exists.is_none() {
+        let state = State::default();
+        sqlx::query("INSERT INTO lightscale_state (id, state) VALUES ($1, $2)")
+            .bind(1i32)
+            .bind(Json(&state))
+            .execute(&mut *tx)
+            .await?;
+    }
+    tx.commit().await?;
+    Ok(())
+}
+
+async fn load_state_db(pool: &PgPool) -> Result<State> {
+    let row = sqlx::query("SELECT state FROM lightscale_state WHERE id = 1")
+        .fetch_one(pool)
+        .await?;
+    let Json(state): Json<State> = row.try_get("state")?;
+    Ok(state)
+}
+
+async fn write_state_db<F, R>(pool: &PgPool, f: F) -> Result<R>
+where
+    F: FnOnce(&mut State) -> Result<R>,
+{
+    let mut tx = pool.begin().await?;
+    let row = sqlx::query("SELECT state FROM lightscale_state WHERE id = 1 FOR UPDATE")
+        .fetch_one(&mut *tx)
+        .await?;
+    let Json(mut state): Json<State> = row.try_get("state")?;
+    let result = f(&mut state)?;
+    state.revision = state.revision.saturating_add(1);
+    sqlx::query("UPDATE lightscale_state SET state = $1 WHERE id = 1")
+        .bind(Json(&state))
+        .execute(&mut *tx)
+        .await?;
+    tx.commit().await?;
+    Ok(result)
+}
diff --git a/src/stream_relay.rs b/src/stream_relay.rs
new file mode 100644
index 0000000..700fd72
--- /dev/null
+++ b/src/stream_relay.rs
@@ -0,0 +1,220 @@
+use anyhow::{anyhow, Result};
+use std::collections::HashMap;
+use std::net::SocketAddr;
+use std::sync::Arc;
+use std::sync::atomic::{AtomicU64, Ordering};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::net::{TcpListener, TcpStream};
+use tokio::sync::{mpsc, RwLock};
+use tracing::warn;
+
+const MAGIC: &[u8; 4] = b"LSR2";
+const TYPE_REGISTER: u8 = 1;
+const TYPE_SEND: u8 = 2;
+const TYPE_DELIVER: u8 = 3;
+const HEADER_LEN: usize = 8;
+const MAX_ID_LEN: usize = 64;
+const MAX_FRAME_LEN: usize = 64 * 1024;
+
+static NEXT_CONN_ID: AtomicU64 = AtomicU64::new(1);
+
+#[derive(Clone)]
+struct PeerConn {
+    id: u64,
+    sender: mpsc::UnboundedSender<Vec<u8>>,
+}
+
+enum RelayPacket {
+    Register { node_id: String },
+    Send {
+        from_id: String,
+        to_id: String,
+        payload: Vec<u8>,
+    },
+}
+
+pub async fn run(listen: SocketAddr) -> Result<()> {
+    let listener = TcpListener::bind(listen)
+        .await
+        .map_err(|err| anyhow!("stream relay bind failed: {}", err))?;
+    let peers: Arc<RwLock<HashMap<String, Vec<PeerConn>>>> =
+        Arc::new(RwLock::new(HashMap::new()));
+
+    loop {
+        let (stream, _) = listener
+            .accept()
+            .await
+            .map_err(|err| anyhow!("stream relay accept failed: {}", err))?;
+        let peers = peers.clone();
+        tokio::spawn(async move {
+            if let Err(err) = handle_connection(stream, peers).await {
+                warn!("stream relay connection error: {}", err);
+            }
+        });
+    }
+}
+
+async fn handle_connection(
+    stream: TcpStream,
+    peers: Arc<RwLock<HashMap<String, Vec<PeerConn>>>>,
+) -> Result<()> {
+    let (mut reader, mut writer) = stream.into_split();
+    let (tx, mut rx) = mpsc::unbounded_channel::<Vec<u8>>();
+    let conn_id = NEXT_CONN_ID.fetch_add(1, Ordering::Relaxed);
+
+    let writer_task = tokio::spawn(async move {
+        while let Some(frame) = rx.recv().await {
+            if let Err(err) = write_frame(&mut writer, &frame).await {
+                warn!("stream relay write failed: {}", err);
+                break;
+            }
+        }
+    });
+
+    let register = read_frame(&mut reader).await?;
+    let packet = parse_packet(&register).ok_or_else(|| anyhow!("invalid register frame"))?;
+    let node_id = match packet {
+        RelayPacket::Register { node_id } => node_id,
+        _ => return Err(anyhow!("expected register frame")),
+    };
+
+    {
+        let mut guard = peers.write().await;
+        guard
+            .entry(node_id.clone())
+            .or_default()
+            .push(PeerConn { id: conn_id, sender: tx });
+    }
+
+    loop {
+        let frame = match read_frame(&mut reader).await {
+            Ok(frame) => frame,
+            Err(_) => break,
+        };
+        let Some(packet) = parse_packet(&frame) else {
+            warn!("stream relay: invalid frame from {}", node_id);
+            continue;
+        };
+        match packet {
+            RelayPacket::Register { .. } => {
+                warn!("stream relay: unexpected register from {}", node_id);
+            }
+            RelayPacket::Send {
+                from_id,
+                to_id,
+                payload,
+            } => {
+                if from_id != node_id {
+                    warn!("stream relay: spoofed from_id {} for {}", from_id, node_id);
+                    continue;
+                }
+                let targets = peers.read().await.get(&to_id).cloned();
+                if let Some(targets) = targets {
+                    let deliver = build_packet(TYPE_DELIVER, &from_id, "", &payload)?;
+                    for target in targets {
+                        let _ = target.sender.send(deliver.clone());
+                    }
+                }
+            }
+        }
+    }
+
+    {
+        let mut guard = peers.write().await;
+        if let Some(list) = guard.get_mut(&node_id) {
+            list.retain(|conn| conn.id != conn_id);
+            if list.is_empty() {
+                guard.remove(&node_id);
+            }
+        }
+    }
+    writer_task.abort();
+    Ok(())
+}
+
+async fn read_frame(reader: &mut tokio::net::tcp::OwnedReadHalf) -> Result<Vec<u8>> {
+    let mut len_buf = [0u8; 4];
+    reader.read_exact(&mut len_buf).await?;
+    let len = u32::from_be_bytes(len_buf) as usize;
+    if len == 0 || len > MAX_FRAME_LEN {
+        return Err(anyhow!("invalid frame length {}", len));
+    }
+    let mut buf = vec![0u8; len];
+    reader.read_exact(&mut buf).await?;
+    Ok(buf)
+}
+
+async fn write_frame(
+    writer: &mut tokio::net::tcp::OwnedWriteHalf,
+    body: &[u8],
+) -> Result<()> {
+    if body.is_empty() || body.len() > MAX_FRAME_LEN {
+        return Err(anyhow!("invalid frame length {}", body.len()));
+    }
+    let len = body.len() as u32;
+    writer.write_all(&len.to_be_bytes()).await?;
+    writer.write_all(body).await?;
+    Ok(())
+}
+
+fn parse_packet(buf: &[u8]) -> Option<RelayPacket> {
+    if buf.len() < HEADER_LEN {
+        return None;
+    }
+    if &buf[0..4] != MAGIC {
+        return None;
+    }
+    let msg_type = buf[4];
+    let from_len = buf[5] as usize;
+    let to_len = buf[6] as usize;
+    if from_len > MAX_ID_LEN || to_len > MAX_ID_LEN {
+        return None;
+    }
+    let offset = HEADER_LEN;
+    if buf.len() < offset + from_len + to_len {
+        return None;
+    }
+    let from_end = offset + from_len;
+    let to_end = from_end + to_len;
+    let from_id = std::str::from_utf8(&buf[offset..from_end]).ok()?.to_string();
+    let to_id = std::str::from_utf8(&buf[from_end..to_end]).ok()?.to_string();
+    let payload = buf[to_end..].to_vec();
+
+    match msg_type {
+        TYPE_REGISTER => {
+            if from_id.is_empty() || !to_id.is_empty() {
+                None
+            } else {
+                Some(RelayPacket::Register { node_id: from_id })
+            }
+        }
+        TYPE_SEND => {
+            if from_id.is_empty() || to_id.is_empty() {
+                None
+            } else {
+                Some(RelayPacket::Send {
+                    from_id,
+                    to_id,
+                    payload,
+                })
+            }
+        }
+        _ => None,
+    }
+}
+
+fn build_packet(msg_type: u8, from_id: &str, to_id: &str, payload: &[u8]) -> Result<Vec<u8>> {
+    if from_id.len() > MAX_ID_LEN || to_id.len() > MAX_ID_LEN {
+        return Err(anyhow!("relay id too long"));
+    }
+    let mut buf = Vec::with_capacity(HEADER_LEN + from_id.len() + to_id.len() + payload.len());
+    buf.extend_from_slice(MAGIC);
+    buf.push(msg_type);
+    buf.push(from_id.len() as u8);
+    buf.push(to_id.len() as u8);
+    buf.push(0);
+    buf.extend_from_slice(from_id.as_bytes());
+    buf.extend_from_slice(to_id.as_bytes());
+    buf.extend_from_slice(payload);
+    Ok(buf)
+}
diff --git a/src/udp_relay.rs b/src/udp_relay.rs
new file mode 100644
index 0000000..2fbfd28
--- /dev/null
+++ b/src/udp_relay.rs
@@ -0,0 +1,160 @@
+use anyhow::{anyhow, Result};
+use std::collections::HashMap;
+use std::net::SocketAddr;
+use std::sync::Arc;
+use tokio::net::UdpSocket;
+use tokio::sync::RwLock;
+use tokio::time::{sleep, Duration, Instant};
+use tracing::warn;
+
+const MAGIC: &[u8; 4] = b"LSR1";
+const TYPE_REGISTER: u8 = 1;
+const TYPE_SEND: u8 = 2;
+const TYPE_DELIVER: u8 = 3;
+const HEADER_LEN: usize = 8;
+const MAX_ID_LEN: usize = 64;
+const PEER_TTL: Duration = Duration::from_secs(300);
+
+#[derive(Clone)]
+struct Peer {
+    addr: SocketAddr,
+    last_seen: Instant,
+}
+
+enum RelayPacket {
+    Register { node_id: String },
+    Send {
+        from_id: String,
+        to_id: String,
+        payload: Vec<u8>,
+    },
+}
+
+pub async fn run(listen: SocketAddr) -> Result<()> {
+    let socket = UdpSocket::bind(listen)
+        .await
+        .map_err(|err| anyhow!("udp relay bind failed: {}", err))?;
+    let peers: Arc<RwLock<HashMap<String, Peer>>> = Arc::new(RwLock::new(HashMap::new()));
+
+    let cleanup_peers = peers.clone();
+    tokio::spawn(async move { cleanup_loop(cleanup_peers).await });
+
+    let mut buf = vec![0u8; 2048];
+    loop {
+        let (len, addr) = socket
+            .recv_from(&mut buf)
+            .await
+            .map_err(|err| anyhow!("udp relay recv failed: {}", err))?;
+        let packet = match parse_packet(&buf[..len]) {
+            Some(packet) => packet,
+            None => {
+                warn!("udp relay: invalid packet from {}", addr);
+                continue;
+            }
+        };
+
+        match packet {
+            RelayPacket::Register { node_id } => {
+                upsert_peer(&peers, node_id, addr).await;
+            }
+            RelayPacket::Send {
+                from_id,
+                to_id,
+                payload,
+            } => {
+                upsert_peer(&peers, from_id.clone(), addr).await;
+                let target = peers.read().await.get(&to_id).cloned();
+                if let Some(peer) = target {
+                    let deliver = build_packet(TYPE_DELIVER, &from_id, "", &payload)?;
+                    if let Err(err) = socket.send_to(&deliver, peer.addr).await {
+                        warn!("udp relay send failed: {}", err);
+                    }
+                } else {
+                    warn!("udp relay: unknown target {}", to_id);
+                }
+            }
+        }
+    }
+}
+
+async fn upsert_peer(peers: &Arc<RwLock<HashMap<String, Peer>>>, node_id: String, addr: SocketAddr) {
+    let mut guard = peers.write().await;
+    guard.insert(
+        node_id,
+        Peer {
+            addr,
+            last_seen: Instant::now(),
+        },
+    );
+}
+
+async fn cleanup_loop(peers: Arc<RwLock<HashMap<String, Peer>>>) {
+    loop {
+        sleep(Duration::from_secs(60)).await;
+        let now = Instant::now();
+        let mut guard = peers.write().await;
+        guard.retain(|_, peer| now.duration_since(peer.last_seen) < PEER_TTL);
+    }
+}
+
+fn parse_packet(buf: &[u8]) -> Option<RelayPacket> {
+    if buf.len() < HEADER_LEN {
+        return None;
+    }
+    if &buf[0..4] != MAGIC {
+        return None;
+    }
+    let msg_type = buf[4];
+    let from_len = buf[5] as usize;
+    let to_len = buf[6] as usize;
+    if from_len > MAX_ID_LEN || to_len > MAX_ID_LEN {
+        return None;
+    }
+    let offset = HEADER_LEN;
+    if buf.len() < offset + from_len + to_len {
+        return None;
+    }
+    let from_end = offset + from_len;
+    let to_end = from_end + to_len;
+    let from_id = std::str::from_utf8(&buf[offset..from_end]).ok()?.to_string();
+    let to_id = std::str::from_utf8(&buf[from_end..to_end]).ok()?.to_string();
+    let payload = buf[to_end..].to_vec();
+
+    match msg_type {
+        TYPE_REGISTER => {
+            if from_id.is_empty() || !to_id.is_empty() {
+                None
+            } else {
+                Some(RelayPacket::Register { node_id: from_id })
+            }
+        }
+        TYPE_SEND => {
+            if from_id.is_empty() || to_id.is_empty() {
+                None
+            } else {
+                Some(RelayPacket::Send {
+                    from_id,
+                    to_id,
+                    payload,
+                })
+            }
+        }
+        _ => None,
+    }
+}
+
+fn build_packet(msg_type: u8, from_id: &str, to_id: &str, payload: &[u8]) -> Result<Vec<u8>> {
+    if from_id.len() > MAX_ID_LEN || to_id.len() > MAX_ID_LEN {
+        return Err(anyhow!("relay id too long"));
+    }
+    let mut buf = Vec::with_capacity(HEADER_LEN + from_id.len() + to_id.len() + payload.len());
+    buf.extend_from_slice(MAGIC);
+    buf.push(msg_type);
+    buf.push(from_id.len() as u8);
+    buf.push(to_id.len() as u8);
+    buf.push(0);
+    buf.extend_from_slice(from_id.as_bytes());
+    buf.extend_from_slice(to_id.as_bytes());
+    buf.extend_from_slice(payload);
+    Ok(buf)
+}