@zero-server/sdk 0.9.5 → 0.9.7

package/lib/webrtc/e2ee.js

@@ -0,0 +1,282 @@
+/**
+ * @module webrtc/e2ee
+ * @description End-to-end-encrypted key relay channel for WebRTC.
+ *
+ *   The hub never sees plaintext SFrame / Insertable-Streams keys.
+ *   Publishers wrap each rotation in a sealed envelope (X25519 ECDH +
+ *   HKDF-SHA-256 + AES-256-GCM) and broadcast it via the `e2ee-key`
+ *   wire message; subscribers in the same room receive the sealed
+ *   payload and decrypt locally with their private key.
+ *
+ *   For deployments that use a different sealing primitive (NaCl
+ *   `crypto_box_seal`, libsignal, etc.) the {@link E2eeChannel} works
+ *   with any opaque `Buffer` - the {@link sealKey} / {@link openSealedKey}
+ *   helpers are provided as a zero-dependency default that satisfies the
+ *   HIPAA / FINRA "server is opaque" requirement.
+ *
+ * @section E2EE
+ */
+
+'use strict';
+
+const {
+    createPublicKey, createPrivateKey,
+    generateKeyPairSync,
+    diffieHellman,
+    hkdfSync,
+    createCipheriv, createDecipheriv,
+    randomBytes,
+} = require('node:crypto');
+
+const { WebRTCError } = require('../errors');
+
+// --- Envelope constants ---
+
+/** Envelope version byte. */
+const ENVELOPE_VERSION = 0x01;
+
+/** Raw X25519 key length, bytes. */
+const X25519_RAW_LEN = 32;
+
+/** AES-256-GCM nonce length, bytes. */
+const GCM_NONCE_LEN = 12;
+
+/** AES-256-GCM auth tag length, bytes. */
+const GCM_TAG_LEN = 16;
+
+/** HKDF salt - a short constant tying the envelope to this project. */
+const HKDF_INFO = Buffer.from('zs-webrtc/e2ee/v1');
+
+// --- Raw <-> KeyObject helpers ---
+
+function _rawFromPublicKey(pub)
+{
+    if (Buffer.isBuffer(pub) && pub.length === X25519_RAW_LEN) return pub;
+    const jwk = pub.export({ format: 'jwk' });
+    return Buffer.from(jwk.x, 'base64url');
+}
+
+function _publicKeyFromRaw(raw)
+{
+    return createPublicKey({
+        key:    { kty: 'OKP', crv: 'X25519', x: raw.toString('base64url') },
+        format: 'jwk',
+    });
+}
+
+// --- Public crypto helpers ---
+
+/**
+ * Generate a fresh X25519 keypair suitable for {@link sealKey} /
+ * {@link openSealedKey}.
+ *
+ * @returns {{publicKey: KeyObject, privateKey: KeyObject}}
+ *
+ * @example
+ *   const { publicKey, privateKey } = generateE2eeKeyPair();
+ *   const wireKey = publicKey.export({ format: 'jwk' }).x; // base64url
+ */
+function generateE2eeKeyPair()
+{
+    return generateKeyPairSync('x25519');
+}
+
+/**
+ * Seal an opaque byte string for a single recipient using the project's
+ * default envelope (X25519 ECDH + HKDF-SHA-256 + AES-256-GCM).
+ *
+ * Envelope layout:
+ *
+ *   `[ver:1] [ephPubRaw:32] [nonce:12] [ciphertext:N] [tag:16]`
+ *
+ * @param {Buffer|Uint8Array} plaintext        - The bytes to encrypt.
+ * @param {KeyObject|Buffer}  recipientPubKey  - Recipient's X25519 public
+ *                                                key (KeyObject or 32-byte raw).
+ * @returns {Buffer} The sealed envelope.
+ *
+ * @example
+ *   const sealed = sealKey(Buffer.from(sframeKey), bob.publicKey);
+ *   peer.e2ee.publish(epoch, sealed);
+ */
+function sealKey(plaintext, recipientPubKey)
+{
+    const pt    = Buffer.isBuffer(plaintext) ? plaintext : Buffer.from(plaintext);
+    const pubKO = Buffer.isBuffer(recipientPubKey) ? _publicKeyFromRaw(recipientPubKey) : recipientPubKey;
+
+    const eph    = generateKeyPairSync('x25519');
+    const shared = diffieHellman({ privateKey: eph.privateKey, publicKey: pubKO });
+    const ephRaw = _rawFromPublicKey(eph.publicKey);
+    const recRaw = _rawFromPublicKey(pubKO);
+
+    const salt = Buffer.concat([ephRaw, recRaw]);
+    const aesKey = Buffer.from(hkdfSync('sha256', shared, salt, HKDF_INFO, 32));
+
+    const nonce  = randomBytes(GCM_NONCE_LEN);
+    const cipher = createCipheriv('aes-256-gcm', aesKey, nonce);
+    const ct     = Buffer.concat([cipher.update(pt), cipher.final()]);
+    const tag    = cipher.getAuthTag();
+
+    return Buffer.concat([Buffer.from([ENVELOPE_VERSION]), ephRaw, nonce, ct, tag]);
+}
+
+/**
+ * Open an envelope produced by {@link sealKey} with the recipient's private
+ * key.  Throws if the envelope is malformed, was sealed for a different
+ * recipient, or was tampered with in flight.
+ *
+ * @param {Buffer|Uint8Array} sealed     - Sealed envelope.
+ * @param {KeyObject|Buffer} recipientPrivKey - Recipient's X25519 private key.
+ * @returns {Buffer} Decrypted plaintext.
+ * @throws {WebRTCError} `code='E2EE_OPEN_FAILED'` on any failure.
+ *
+ * @example
+ *   const sframeKey = openSealedKey(received.key, bob.privateKey);
+ */
+function openSealedKey(sealed, recipientPrivKey)
+{
+    const buf = Buffer.isBuffer(sealed) ? sealed : Buffer.from(sealed);
+    const minLen = 1 + X25519_RAW_LEN + GCM_NONCE_LEN + GCM_TAG_LEN;
+    if (buf.length < minLen)
+        throw new WebRTCError('sealed envelope too short', { code: 'E2EE_OPEN_FAILED' });
+    if (buf[0] !== ENVELOPE_VERSION)
+        throw new WebRTCError(`unsupported envelope version 0x${buf[0].toString(16)}`, { code: 'E2EE_OPEN_FAILED' });
+
+    const ephRaw = buf.subarray(1, 1 + X25519_RAW_LEN);
+    const nonce  = buf.subarray(1 + X25519_RAW_LEN, 1 + X25519_RAW_LEN + GCM_NONCE_LEN);
+    const tag    = buf.subarray(buf.length - GCM_TAG_LEN);
+    const ct     = buf.subarray(1 + X25519_RAW_LEN + GCM_NONCE_LEN, buf.length - GCM_TAG_LEN);
+
+    try
+    {
+        const privKO = Buffer.isBuffer(recipientPrivKey) ? createPrivateKey({ key: recipientPrivKey, format: 'der', type: 'pkcs8' }) : recipientPrivKey;
+        const ephPub = _publicKeyFromRaw(ephRaw);
+        const shared = diffieHellman({ privateKey: privKO, publicKey: ephPub });
+
+        const recPubRaw = _rawFromPublicKey(createPublicKey(privKO));
+        const salt = Buffer.concat([ephRaw, recPubRaw]);
+        const aesKey = Buffer.from(hkdfSync('sha256', shared, salt, HKDF_INFO, 32));
+
+        const decipher = createDecipheriv('aes-256-gcm', aesKey, nonce);
+        decipher.setAuthTag(tag);
+        return Buffer.concat([decipher.update(ct), decipher.final()]);
+    }
+    catch (err)
+    {
+        throw new WebRTCError(`failed to open sealed envelope: ${err.message}`, { code: 'E2EE_OPEN_FAILED' });
+    }
+}
+
+// --- E2eeChannel ---
+
+/**
+ * Per-peer view of the room's E2EE key channel.  Created by
+ * {@link attachE2ee} and parked on `peer.e2ee`.
+ *
+ * Maintains a monotonically increasing `epoch` that callers may either
+ * supply explicitly or let the channel allocate.  Every `publish()` is
+ * relayed by the hub to all other peers in the same room as an opaque
+ * `e2ee-key` frame - the hub never inspects or decrypts the payload.
+ *
+ * @class
+ * @section E2EE
+ */
+class E2eeChannel
+{
+    /**
+     * @constructor
+     * @param {Peer} peer
+     * @param {SignalingHub} hub
+     */
+    constructor(peer, hub)
+    {
+        /** @type {Peer} */
+        this.peer = peer;
+        /** @type {SignalingHub} */
+        this.hub  = hub;
+        /** @type {number} Last published or observed epoch. */
+        this.epoch = 0;
+    }
+
+    /**
+     * Broadcast a sealed key to the rest of the peer's room.
+     *
+     * @param {number|null} epoch - Explicit epoch, or `null` to auto-increment.
+     * @param {Buffer|Uint8Array|string} key - Sealed bytes (or wire-ready string).
+     * @returns {number} The epoch the key was published under.
+     *
+     * @example
+     *   const sealed = sealKey(sframeKey, bob.publicKey);
+     *   const epoch  = peer.e2ee.publish(null, sealed);
+     */
+    publish(epoch, key)
+    {
+        const ep = (typeof epoch === 'number') ? epoch : (this.epoch + 1);
+        if (ep > this.epoch) this.epoch = ep;
+
+        let wire;
+        if (typeof key === 'string') wire = key;
+        else if (Buffer.isBuffer(key)) wire = key.toString('base64');
+        else wire = Buffer.from(key).toString('base64');
+
+        // Route through the hub's authoritative handler so all the usual
+        // validation, broadcast, and observability hooks fire.
+        this.hub._handleE2eeKey(this.peer, { type: 'e2ee-key', epoch: ep, key: wire });
+        return ep;
+    }
+
+    /**
+     * Receive sealed keys published by *other* peers in the same room.
+     *
+     * @param {(ev: {from: string, epoch: number, key: Buffer}) => void} fn
+     * @returns {() => void} Unsubscribe function.
+     *
+     * @example
+     *   peer.e2ee.subscribe(({ from, epoch, key }) => {
+     *       const sframeKey = openSealedKey(key, myPrivKey);
+     *       sframeContext.setKey(epoch, sframeKey);
+     *   });
+     */
+    subscribe(fn)
+    {
+        const listener = (ev) =>
+        {
+            if (!ev || ev.peer === this.peer) return;
+            if (this.peer.room && ev.peer.room !== this.peer.room) return;
+            if (ev.epoch > this.epoch) this.epoch = ev.epoch;
+            const keyBuf = Buffer.isBuffer(ev.key) ? ev.key : Buffer.from(ev.key, 'base64');
+            try { fn({ from: ev.peer.id, epoch: ev.epoch, key: keyBuf }); }
+            catch { /* don't let subscriber errors break the hub */ }
+        };
+        this.hub.on('e2eeKey', listener);
+        return () => this.hub.off('e2eeKey', listener);
+    }
+}
+
+/**
+ * Install an {@link E2eeChannel} on a peer as `peer.e2ee`.  Idempotent: a
+ * second call returns the existing channel.
+ *
+ * @param {Peer} peer
+ * @param {SignalingHub} hub
+ * @returns {E2eeChannel}
+ *
+ * @section E2EE
+ *
+ * @example | Attach E2EE on every join
+ *   hub.on('join', ({ peer }) => attachE2ee(peer, hub));
+ */
+function attachE2ee(peer, hub)
+{
+    if (peer.e2ee instanceof E2eeChannel) return peer.e2ee;
+    peer.e2ee = new E2eeChannel(peer, hub);
+    return peer.e2ee;
+}
+
+module.exports = {
+    ENVELOPE_VERSION,
+    E2eeChannel,
+    attachE2ee,
+    generateE2eeKeyPair,
+    sealKey,
+    openSealedKey,
+};

package/lib/webrtc/ice.js

@@ -0,0 +1,370 @@
+/**
+ * @module webrtc/ice
+ * @description Zero-dependency ICE candidate parser, serializer, and address
+ *              classifiers (private / loopback / link-local / mDNS), plus a
+ *              `filterCandidates` helper used by `SignalingHub` to enforce
+ *              privacy-preserving policies on relayed offers/answers.
+ *
+ *              Candidate grammar follows RFC 8839 §5.1 / RFC 5245 §15.1:
+ *
+ *                candidate-attribute = "candidate" ":" foundation SP component-id
+ *                                      SP transport SP priority SP connection-address
+ *                                      SP port SP cand-type [SP rel-addr] [SP rel-port]
+ *                                      *(SP extension-att-name SP extension-att-value)
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc8839
+ * @see https://datatracker.ietf.org/doc/html/rfc5245
+ */
+
+'use strict';
+
+const { IceError } = require('../errors');
+
+// -- Constants -----------------------------------------------------
+
+/**
+ * Recognised ICE candidate types (RFC 5245).
+ * @type {ReadonlyArray<string>}
+ */
+const CANDIDATE_TYPES = Object.freeze(['host', 'srflx', 'prflx', 'relay']);
+
+/**
+ * Recognised TCP candidate types (RFC 6544 §4.5).
+ * @type {ReadonlyArray<string>}
+ */
+const TCP_TYPES = Object.freeze(['active', 'passive', 'so']);
+
+// -- Public types --------------------------------------------------
+
+/**
+ * @typedef {object} IceCandidate
+ * @property {string}  foundation
+ * @property {number}  component
+ * @property {string}  transport   - 'udp' or 'tcp' (lowercased).
+ * @property {number}  priority
+ * @property {string}  address     - IPv4, IPv6, or mDNS hostname.
+ * @property {number}  port
+ * @property {string}  type        - One of CANDIDATE_TYPES.
+ * @property {string}  [relatedAddress] - From `raddr`.
+ * @property {number}  [relatedPort]    - From `rport`.
+ * @property {string}  [tcpType]        - From `tcptype` (active/passive/so).
+ * @property {Object<string,string>} extensions - All other key/value pairs, insertion-ordered.
+ */
+
+// =================================================================
+// Parser
+// =================================================================
+
+/**
+ * Parse a single ICE candidate line.
+ *
+ * Accepts inputs with or without the `a=` SDP-attribute prefix.  Returns
+ * a plain object; throws `IceError` on any structural problem.
+ *
+ * @param {string} line - Candidate line, e.g.
+ *   `candidate:842163049 1 udp 1677729535 192.168.1.5 50000 typ host`.
+ * @returns {IceCandidate} Parsed candidate.
+ * @throws {IceError} On malformed input.
+ *
+ * @example
+ *   const c = parseCandidate('candidate:1 1 udp 2122194687 1.2.3.4 50001 typ srflx raddr 192.168.1.5 rport 50000');
+ *   if (c.type === 'relay') { console.log('relay candidate'); }
+ *
+ * @section ICE & TURN
+ */
+function parseCandidate(line)
+{
+    if (typeof line !== 'string')
+        throw new IceError('parseCandidate: input must be a string');
+
+    let s = line.trim();
+    if (s.startsWith('a=')) s = s.slice(2);
+    if (!s.startsWith('candidate:'))
+        throw new IceError('parseCandidate: missing "candidate:" prefix', { candidate: line });
+    s = s.slice('candidate:'.length);
+
+    const tok = s.split(/\s+/);
+    if (tok.length < 8)
+        throw new IceError('parseCandidate: too few tokens', { candidate: line });
+
+    const [foundation, componentStr, transportRaw, priorityStr,
+        address, portStr, typKw, type, ...rest] = tok;
+
+    if (typKw !== 'typ')
+        throw new IceError('parseCandidate: expected "typ" keyword', { candidate: line });
+    if (!CANDIDATE_TYPES.includes(type))
+        throw new IceError(`parseCandidate: unknown type "${type}"`, { candidate: line });
+
+    const component = Number(componentStr);
+    const priority  = Number(priorityStr);
+    const port      = Number(portStr);
+    if (!Number.isInteger(component) || component < 0)
+        throw new IceError('parseCandidate: invalid component', { candidate: line });
+    if (!Number.isFinite(priority))
+        throw new IceError('parseCandidate: invalid priority', { candidate: line });
+    if (!Number.isInteger(port) || port < 0 || port > 65535)
+        throw new IceError('parseCandidate: invalid port', { candidate: line });
+
+    /** @type {IceCandidate} */
+    const out = {
+        foundation,
+        component,
+        transport: transportRaw.toLowerCase(),
+        priority,
+        address,
+        port,
+        type,
+        extensions: {},
+    };
+
+    // Walk remaining key/value pairs.  raddr / rport / tcptype are lifted
+    // to named fields; everything else lands in `extensions` in input order.
+    for (let i = 0; i < rest.length - 1; i += 2)
+    {
+        const k = rest[i];
+        const v = rest[i + 1];
+        if (k === 'raddr')        out.relatedAddress = v;
+        else if (k === 'rport')   out.relatedPort = Number(v);
+        else if (k === 'tcptype') out.tcpType = v;
+        else                       out.extensions[k] = v;
+    }
+
+    return out;
+}
+
+// =================================================================
+// Serializer
+// =================================================================
+
+/**
+ * Serialize a parsed candidate back to its canonical line format.
+ * Round-trips outputs of `parseCandidate` exactly, including the
+ * insertion order of `extensions`.
+ *
+ * @param {IceCandidate} c - Parsed candidate object.
+ * @returns {string} `candidate:...` line (no `a=` prefix).
+ * @throws {IceError} If required fields are missing.
+ *
+ * @example
+ *   const out = stringifyCandidate(parseCandidate(line));
+ *
+ * @section ICE & TURN
+ */
+function stringifyCandidate(c)
+{
+    if (!c || typeof c !== 'object')
+        throw new IceError('stringifyCandidate: input must be an object');
+    const required = ['foundation', 'component', 'transport', 'priority', 'address', 'port', 'type'];
+    for (const k of required)
+    {
+        if (c[k] === undefined || c[k] === null)
+            throw new IceError(`stringifyCandidate: missing "${k}"`);
+    }
+
+    let s = `candidate:${c.foundation} ${c.component} ${c.transport} ${c.priority} ${c.address} ${c.port} typ ${c.type}`;
+    if (c.relatedAddress !== undefined) s += ` raddr ${c.relatedAddress}`;
+    if (c.relatedPort !== undefined)    s += ` rport ${c.relatedPort}`;
+    if (c.tcpType !== undefined)        s += ` tcptype ${c.tcpType}`;
+    if (c.extensions)
+    {
+        for (const [k, v] of Object.entries(c.extensions))
+            s += ` ${k} ${v}`;
+    }
+    return s;
+}
+
+// =================================================================
+// Address classifiers
+// =================================================================
+
+/**
+ * Test whether the address looks like an IPv4 string.
+ * @private
+ */
+function _isIPv4(addr)
+{
+    if (typeof addr !== 'string') return false;
+    const m = addr.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+    if (!m) return false;
+    for (let i = 1; i <= 4; i++) if (Number(m[i]) > 255) return false;
+    return true;
+}
+
+/**
+ * Test whether the address looks like an IPv6 string (very permissive).
+ * @private
+ */
+function _isIPv6(addr)
+{
+    if (typeof addr !== 'string') return false;
+    return addr.includes(':') && /^[0-9a-fA-F:]+$/.test(addr);
+}
+
+/**
+ * True for RFC 1918, RFC 6598 (CGNAT), and IPv6 ULA (RFC 4193) addresses.
+ *
+ * @param {string} addr - Address to classify.
+ * @returns {boolean}
+ *
+ * @section ICE & TURN
+ */
+function isPrivateIp(addr)
+{
+    if (_isIPv4(addr))
+    {
+        const [a, b] = addr.split('.').map(Number);
+        if (a === 10) return true;
+        if (a === 172 && b >= 16 && b <= 31) return true;
+        if (a === 192 && b === 168) return true;
+        if (a === 100 && b >= 64 && b <= 127) return true; // RFC 6598 CGNAT
+        return false;
+    }
+    if (_isIPv6(addr))
+    {
+        // fc00::/7 ULA
+        const head = addr.toLowerCase().split(':')[0];
+        if (head.length === 0) return false;
+        const n = parseInt(head, 16);
+        return (n & 0xfe00) === 0xfc00;
+    }
+    return false;
+}
+
+/**
+ * True for IPv4 127.0.0.0/8 and IPv6 ::1.
+ *
+ * @param {string} addr - Address to classify.
+ * @returns {boolean}
+ *
+ * @section ICE & TURN
+ */
+function isLoopbackIp(addr)
+{
+    if (_isIPv4(addr)) return addr.startsWith('127.');
+    if (_isIPv6(addr)) return addr === '::1' || /^0*:0*:0*:0*:0*:0*:0*:0*1$/.test(addr);
+    return false;
+}
+
+/**
+ * True for IPv4 169.254/16 and IPv6 fe80::/10.
+ *
+ * @param {string} addr - Address to classify.
+ * @returns {boolean}
+ *
+ * @section ICE & TURN
+ */
+function isLinkLocalIp(addr)
+{
+    if (_isIPv4(addr)) return addr.startsWith('169.254.');
+    if (_isIPv6(addr))
+    {
+        const head = addr.toLowerCase().split(':')[0];
+        if (head.length === 0) return false;
+        const n = parseInt(head, 16);
+        return (n & 0xffc0) === 0xfe80;
+    }
+    return false;
+}
+
+/**
+ * True for mDNS `.local` hostnames used by browsers to avoid leaking
+ * local IPs (Chrome's mDNS ICE candidates - RFC 8624 / draft-ietf-mmusic-mdns-ice-candidates).
+ *
+ * @param {string} host - Hostname to test.
+ * @returns {boolean}
+ *
+ * @section ICE & TURN
+ */
+function isMdnsHostname(host)
+{
+    if (typeof host !== 'string') return false;
+    if (_isIPv4(host) || _isIPv6(host)) return false;
+    return host.toLowerCase().endsWith('.local');
+}
+
+// =================================================================
+// Policy filter
+// =================================================================
+
+/**
+ * @typedef {object} CandidateFilterPolicy
+ * @property {boolean}  [blockPrivate=false] - Drop private / loopback / link-local addresses.
+ * @property {boolean}  [blockMdns=false]    - Drop `.local` (mDNS) hostnames.
+ * @property {boolean}  [blockTcp=false]     - Drop TCP-transport candidates.
+ * @property {ReadonlyArray<string>} [allowedTypes] - Whitelist of `type` values (host/srflx/prflx/relay).
+ * @property {number}   [maxCandidates]      - Cap the number of returned candidates.
+ * @property {(c:IceCandidate)=>boolean} [predicate] - Custom drop function (return false to drop).
+ */
+
+/**
+ * Filter an array of candidates (lines or parsed objects) against a policy.
+ *
+ * Returns the same shape it was given: if you pass strings you get strings
+ * back; if you pass parsed objects you get parsed objects back.  Unparseable
+ * string lines are silently skipped so a single bad candidate never poisons
+ * the whole offer.
+ *
+ * @param {Array<string|IceCandidate>} candidates - Input list.
+ * @param {CandidateFilterPolicy} [policy={}] - Policy (all defaults are permissive).
+ * @returns {Array<string|IceCandidate>} Surviving candidates, same element shape as input.
+ *
+ * @example
+ *   const safe = filterCandidates(offer.candidates, {
+ *       blockPrivate: true,
+ *       blockMdns:    true,
+ *       allowedTypes: ['srflx', 'relay'],
+ *   });
+ *
+ * @section ICE & TURN
+ */
+function filterCandidates(candidates, policy = {})
+{
+    if (!Array.isArray(candidates)) return [];
+    const {
+        blockPrivate = false,
+        blockMdns    = false,
+        blockTcp     = false,
+        allowedTypes,
+        maxCandidates,
+        predicate,
+    } = policy;
+
+    const out = [];
+    for (const item of candidates)
+    {
+        const isString = typeof item === 'string';
+        let parsed;
+        try { parsed = isString ? parseCandidate(item) : item; }
+        catch { continue; }
+        if (!parsed) continue;
+
+        if (allowedTypes && !allowedTypes.includes(parsed.type)) continue;
+        if (blockTcp && parsed.transport === 'tcp') continue;
+        if (blockMdns && isMdnsHostname(parsed.address)) continue;
+        if (blockPrivate)
+        {
+            const a = parsed.address;
+            const r = parsed.relatedAddress;
+            const isLocal = (x) => x && (isPrivateIp(x) || isLoopbackIp(x) || isLinkLocalIp(x));
+            if (isLocal(a) || isLocal(r)) continue;
+        }
+        if (predicate && !predicate(parsed)) continue;
+
+        out.push(isString ? item : parsed);
+        if (maxCandidates && out.length >= maxCandidates) break;
+    }
+    return out;
+}
+
+module.exports = {
+    parseCandidate,
+    stringifyCandidate,
+    isPrivateIp,
+    isLoopbackIp,
+    isLinkLocalIp,
+    isMdnsHostname,
+    filterCandidates,
+    CANDIDATE_TYPES,
+    TCP_TYPES,
+    IceError,
+};