npm - zero-query - Versions diffs - 1.1.1 → 1.2.0 - Mend

zero-query 1.1.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/LICENSE +21 -21
package/README.md +2 -0
package/cli/args.js +33 -33
package/cli/commands/build-api.js +443 -442
package/cli/commands/build.js +254 -247
package/cli/commands/bundle.js +1228 -1224
package/cli/commands/create.js +137 -121
package/cli/commands/dev/devtools/index.js +56 -56
package/cli/commands/dev/devtools/js/components.js +49 -49
package/cli/commands/dev/devtools/js/core.js +423 -423
package/cli/commands/dev/devtools/js/elements.js +421 -421
package/cli/commands/dev/devtools/js/network.js +166 -166
package/cli/commands/dev/devtools/js/performance.js +73 -73
package/cli/commands/dev/devtools/js/router.js +105 -105
package/cli/commands/dev/devtools/js/source.js +132 -132
package/cli/commands/dev/devtools/js/stats.js +35 -35
package/cli/commands/dev/devtools/js/tabs.js +79 -79
package/cli/commands/dev/devtools/panel.html +95 -95
package/cli/commands/dev/devtools/styles.css +244 -244
package/cli/commands/dev/index.js +107 -107
package/cli/commands/dev/logger.js +75 -75
package/cli/commands/dev/overlay.js +858 -858
package/cli/commands/dev/server.js +220 -220
package/cli/commands/dev/validator.js +94 -94
package/cli/commands/dev/watcher.js +172 -172
package/cli/help.js +114 -112
package/cli/index.js +52 -52
package/cli/scaffold/default/LICENSE +21 -21
package/cli/scaffold/default/app/app.js +207 -207
package/cli/scaffold/default/app/components/about.js +201 -201
package/cli/scaffold/default/app/components/api-demo.js +143 -143
package/cli/scaffold/default/app/components/contact-card.js +231 -231
package/cli/scaffold/default/app/components/contacts/contacts.css +706 -706
package/cli/scaffold/default/app/components/contacts/contacts.html +200 -200
package/cli/scaffold/default/app/components/contacts/contacts.js +196 -196
package/cli/scaffold/default/app/components/counter.js +127 -127
package/cli/scaffold/default/app/components/home.js +249 -249
package/cli/scaffold/default/app/components/not-found.js +16 -16
package/cli/scaffold/default/app/components/playground/playground.css +115 -115
package/cli/scaffold/default/app/components/playground/playground.html +161 -161
package/cli/scaffold/default/app/components/playground/playground.js +116 -116
package/cli/scaffold/default/app/components/todos.js +225 -225
package/cli/scaffold/default/app/components/toolkit/toolkit.css +97 -97
package/cli/scaffold/default/app/components/toolkit/toolkit.html +146 -146
package/cli/scaffold/default/app/components/toolkit/toolkit.js +280 -280
package/cli/scaffold/default/app/routes.js +15 -15
package/cli/scaffold/default/app/store.js +101 -101
package/cli/scaffold/default/global.css +552 -552
package/cli/scaffold/default/index.html +99 -99
package/cli/scaffold/minimal/app/app.js +85 -85
package/cli/scaffold/minimal/app/components/about.js +68 -68
package/cli/scaffold/minimal/app/components/counter.js +122 -122
package/cli/scaffold/minimal/app/components/home.js +68 -68
package/cli/scaffold/minimal/app/components/not-found.js +16 -16
package/cli/scaffold/minimal/app/routes.js +9 -9
package/cli/scaffold/minimal/app/store.js +36 -36
package/cli/scaffold/minimal/global.css +300 -300
package/cli/scaffold/minimal/index.html +44 -44
package/cli/scaffold/ssr/app/app.js +41 -41
package/cli/scaffold/ssr/app/components/about.js +55 -55
package/cli/scaffold/ssr/app/components/blog/index.js +65 -65
package/cli/scaffold/ssr/app/components/blog/post.js +86 -86
package/cli/scaffold/ssr/app/components/home.js +37 -37
package/cli/scaffold/ssr/app/components/not-found.js +15 -15
package/cli/scaffold/ssr/app/routes.js +8 -8
package/cli/scaffold/ssr/global.css +228 -228
package/cli/scaffold/ssr/index.html +37 -37
package/cli/scaffold/ssr/package.json +8 -8
package/cli/scaffold/ssr/server/data/posts.js +144 -144
package/cli/scaffold/ssr/server/index.js +213 -213
package/cli/scaffold/webrtc/app/app.js +11 -0
package/cli/scaffold/webrtc/app/components/video-room.js +295 -0
package/cli/scaffold/webrtc/app/lib/room.js +252 -0
package/cli/scaffold/webrtc/assets/.gitkeep +0 -0
package/cli/scaffold/webrtc/global.css +250 -0
package/cli/scaffold/webrtc/index.html +21 -0
package/cli/utils.js +305 -287
package/dist/API.md +661 -0
package/dist/zquery.dist.zip +0 -0
package/dist/zquery.js +10313 -6614
package/dist/zquery.min.js +8 -631
package/index.d.ts +570 -371
package/index.js +311 -240
package/package.json +76 -70
package/src/component.js +1709 -1691
package/src/core.js +921 -921
package/src/diff.js +497 -497
package/src/errors.js +209 -209
package/src/expression.js +922 -922
package/src/http.js +242 -242
package/src/package.json +1 -1
package/src/reactive.js +255 -255
package/src/router.js +843 -843
package/src/ssr.js +418 -418
package/src/store.js +318 -318
package/src/utils.js +515 -515
package/src/webrtc/e2ee.js +351 -0
package/src/webrtc/errors.js +116 -0
package/src/webrtc/ice.js +301 -0
package/src/webrtc/index.js +131 -0
package/src/webrtc/joinToken.js +119 -0
package/src/webrtc/observe.js +172 -0
package/src/webrtc/peer.js +351 -0
package/src/webrtc/reactive.js +268 -0
package/src/webrtc/room.js +625 -0
package/src/webrtc/sdp.js +302 -0
package/src/webrtc/sfu/index.js +43 -0
package/src/webrtc/sfu/livekit.js +131 -0
package/src/webrtc/sfu/mediasoup.js +150 -0
package/src/webrtc/signaling.js +373 -0
package/src/webrtc/turn.js +237 -0
package/tests/_helpers/webrtcFakes.js +289 -0
package/tests/audit.test.js +4158 -4158
package/tests/cli.test.js +1136 -1103
package/tests/compare.test.js +497 -486
package/tests/component.test.js +3969 -3938
package/tests/core.test.js +1910 -1910
package/tests/dev-server.test.js +489 -489
package/tests/diff.test.js +1416 -1416
package/tests/docs.test.js +1664 -1650
package/tests/electron-features.test.js +864 -864
package/tests/errors.test.js +619 -619
package/tests/expression.test.js +1056 -1056
package/tests/http.test.js +648 -648
package/tests/reactive.test.js +819 -819
package/tests/router.test.js +2327 -2327
package/tests/ssr.test.js +870 -870
package/tests/store.test.js +830 -830
package/tests/test-minifier.js +153 -153
package/tests/test-ssr.js +27 -27
package/tests/utils.test.js +1377 -1377
package/tests/webrtc/e2ee.test.js +283 -0
package/tests/webrtc/ice.test.js +202 -0
package/tests/webrtc/joinToken.test.js +89 -0
package/tests/webrtc/observe.test.js +111 -0
package/tests/webrtc/peer.test.js +373 -0
package/tests/webrtc/reactive.test.js +235 -0
package/tests/webrtc/room.test.js +406 -0
package/tests/webrtc/sdp.test.js +151 -0
package/tests/webrtc/sfu-livekit.test.js +119 -0
package/tests/webrtc/sfu.test.js +160 -0
package/tests/webrtc/signaling.test.js +251 -0
package/tests/webrtc/turn.test.js +256 -0
package/types/collection.d.ts +383 -383
package/types/component.d.ts +186 -186
package/types/errors.d.ts +135 -135
package/types/http.d.ts +92 -92
package/types/misc.d.ts +201 -201
package/types/reactive.d.ts +98 -98
package/types/router.d.ts +190 -190
package/types/ssr.d.ts +102 -102
package/types/store.d.ts +146 -146
package/types/utils.d.ts +245 -245
package/types/webrtc.d.ts +653 -0

package/tests/webrtc/e2ee.test.js ADDED Viewed

@@ -0,0 +1,283 @@
+/**
+ * tests/webrtc/e2ee.test.js
+ */
+import { describe, it, expect } from 'vitest';
+import {
+    deriveSFrameKey,
+    generateSFrameKey,
+    SFrameContext,
+    encryptFrame,
+    decryptFrame,
+    attachE2ee,
+    E2eeError,
+} from '../../src/webrtc/index.js';
+const enc = new TextEncoder();
+const dec = new TextDecoder();
+describe('deriveSFrameKey', () => {
+    it('derives a deterministic key from the same passphrase + salt', async () => {
+        const k1 = await deriveSFrameKey('correct horse battery', 'room-a');
+        const k2 = await deriveSFrameKey('correct horse battery', 'room-a');
+        // CryptoKey identity differs but encrypt/decrypt with one should
+        // decrypt with the other (same underlying material).
+        const ctx1 = new SFrameContext(); ctx1.setKey(0, k1);
+        const ctx2 = new SFrameContext(); ctx2.setKey(0, k2);
+        const enc1 = await encryptFrame(ctx1, enc.encode('hello'));
+        const out  = await decryptFrame(ctx2, enc1);
+        expect(dec.decode(out)).toBe('hello');
+    });
+    it('different passphrases produce non-interoperable keys', async () => {
+        const k1 = await deriveSFrameKey('one', 'room-a');
+        const k2 = await deriveSFrameKey('two', 'room-a');
+        const ctx1 = new SFrameContext(); ctx1.setKey(0, k1);
+        const ctx2 = new SFrameContext(); ctx2.setKey(0, k2);
+        const frame = await encryptFrame(ctx1, enc.encode('x'));
+        await expect(decryptFrame(ctx2, frame)).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_AUTH_FAILED',
+        });
+    });
+    it('different salts produce non-interoperable keys', async () => {
+        const k1 = await deriveSFrameKey('pw', 'room-a');
+        const k2 = await deriveSFrameKey('pw', 'room-b');
+        const ctx1 = new SFrameContext(); ctx1.setKey(0, k1);
+        const ctx2 = new SFrameContext(); ctx2.setKey(0, k2);
+        const frame = await encryptFrame(ctx1, enc.encode('x'));
+        await expect(decryptFrame(ctx2, frame)).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_AUTH_FAILED',
+        });
+    });
+    it('rejects empty passphrase / salt', async () => {
+        await expect(deriveSFrameKey('', 's')).rejects.toMatchObject({ code: 'ZQ_WEBRTC_E2EE_BAD_PASSPHRASE' });
+        await expect(deriveSFrameKey('p', '')).rejects.toMatchObject({ code: 'ZQ_WEBRTC_E2EE_BAD_SALT' });
+    });
+});
+describe('SFrameContext', () => {
+    it('rejects invalid epochs', async () => {
+        const ctx = new SFrameContext();
+        const key = await generateSFrameKey();
+        expect(() => ctx.setKey(-1, key)).toThrow(/epoch/);
+        expect(() => ctx.setKey(256, key)).toThrow(/epoch/);
+        expect(() => ctx.setKey(1.5, key)).toThrow(/epoch/);
+    });
+    it('rejects setKey without a key', async () => {
+        const ctx = new SFrameContext();
+        expect(() => ctx.setKey(0, null)).toThrow(/key required/);
+    });
+    it('tracks current epoch on every setKey', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(0, await generateSFrameKey());
+        expect(ctx.currentEpoch).toBe(0);
+        ctx.setKey(7, await generateSFrameKey());
+        expect(ctx.currentEpoch).toBe(7);
+    });
+    it('evicts oldest epoch beyond maxEpochs', async () => {
+        const ctx = new SFrameContext({ maxEpochs: 2 });
+        ctx.setKey(0, await generateSFrameKey());
+        ctx.setKey(1, await generateSFrameKey());
+        ctx.setKey(2, await generateSFrameKey());
+        expect(ctx.epochCount).toBe(2);
+        expect(ctx.getKey(0)).toBeNull();
+        expect(ctx.getKey(1)).not.toBeNull();
+        expect(ctx.getKey(2)).not.toBeNull();
+    });
+    it('removeEpoch drops a tracked key', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(3, await generateSFrameKey());
+        expect(ctx.getKey(3)).not.toBeNull();
+        ctx.removeEpoch(3);
+        expect(ctx.getKey(3)).toBeNull();
+    });
+});
+describe('encryptFrame / decryptFrame', () => {
+    it('round-trips an arbitrary payload', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(0, await generateSFrameKey());
+        const payload = enc.encode('the quick brown fox');
+        const frame   = await encryptFrame(ctx, payload);
+        // Header layout: 1-byte epoch + 12-byte IV
+        expect(frame[0]).toBe(0);
+        expect(frame.byteLength).toBe(13 + payload.byteLength + 16);
+        const plain = await decryptFrame(ctx, frame);
+        expect(dec.decode(plain)).toBe('the quick brown fox');
+    });
+    it('accepts ArrayBuffer payloads', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(0, await generateSFrameKey());
+        const ab    = enc.encode('hi').buffer;
+        const frame = await encryptFrame(ctx, ab);
+        const out   = await decryptFrame(ctx, frame.buffer);
+        expect(dec.decode(out)).toBe('hi');
+    });
+    it('writes the current epoch into the frame header', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(0, await generateSFrameKey());
+        ctx.setKey(5, await generateSFrameKey());
+        const frame = await encryptFrame(ctx, enc.encode('x'));
+        expect(frame[0]).toBe(5);
+    });
+    it('encryptFrame fails without a key for the current epoch', async () => {
+        const ctx = new SFrameContext();
+        await expect(encryptFrame(ctx, enc.encode('x'))).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_NO_KEY',
+        });
+    });
+    it('decryptFrame fails on a too-short frame', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(0, await generateSFrameKey());
+        await expect(decryptFrame(ctx, new Uint8Array(5))).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_SHORT_FRAME',
+        });
+    });
+    it('decryptFrame fails when the epoch is unknown', async () => {
+        const enc1 = new SFrameContext();
+        enc1.setKey(2, await generateSFrameKey());
+        const frame = await encryptFrame(enc1, enc.encode('x'));
+        const dec1 = new SFrameContext();
+        dec1.setKey(7, await generateSFrameKey());
+        await expect(decryptFrame(dec1, frame)).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_UNKNOWN_EPOCH',
+            context: { epoch: 2 },
+        });
+    });
+    it('decryptFrame fails when the key is wrong (AES-GCM auth fails)', async () => {
+        const ctx1 = new SFrameContext(); ctx1.setKey(0, await generateSFrameKey());
+        const ctx2 = new SFrameContext(); ctx2.setKey(0, await generateSFrameKey());
+        const frame = await encryptFrame(ctx1, enc.encode('x'));
+        await expect(decryptFrame(ctx2, frame)).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_AUTH_FAILED',
+        });
+    });
+    it('decryptFrame fails when the ciphertext is tampered with', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(0, await generateSFrameKey());
+        const frame = await encryptFrame(ctx, enc.encode('original'));
+        frame[frame.byteLength - 1] ^= 0x01;
+        await expect(decryptFrame(ctx, frame)).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_AUTH_FAILED',
+        });
+    });
+    it('throws on non-BufferSource payloads', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(0, await generateSFrameKey());
+        await expect(encryptFrame(ctx, 'not bytes')).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_BAD_INPUT',
+        });
+    });
+    it('encrypt/decrypt require an SFrameContext instance', async () => {
+        await expect(encryptFrame({}, new Uint8Array(1))).rejects.toMatchObject({ code: 'ZQ_WEBRTC_E2EE_BAD_CTX' });
+        await expect(decryptFrame({}, new Uint8Array(20))).rejects.toMatchObject({ code: 'ZQ_WEBRTC_E2EE_BAD_CTX' });
+    });
+});
+describe('epoch rotation', () => {
+    it('decryptor with both epochs decodes frames from either', async () => {
+        const k0 = await generateSFrameKey();
+        const k1 = await generateSFrameKey();
+        const enc0 = new SFrameContext(); enc0.setKey(0, k0);
+        const enc1 = new SFrameContext(); enc1.setKey(1, k1);
+        const decoder = new SFrameContext();
+        decoder.setKey(0, k0);
+        decoder.setKey(1, k1);
+        const f0 = await encryptFrame(enc0, enc.encode('old'));
+        const f1 = await encryptFrame(enc1, enc.encode('new'));
+        expect(dec.decode(await decryptFrame(decoder, f0))).toBe('old');
+        expect(dec.decode(await decryptFrame(decoder, f1))).toBe('new');
+    });
+    it('after rotation, frames from the evicted epoch fail to decrypt', async () => {
+        const k0 = await generateSFrameKey();
+        const k1 = await generateSFrameKey();
+        const sender = new SFrameContext();
+        sender.setKey(0, k0);
+        const stale = await encryptFrame(sender, enc.encode('stale'));
+        const receiver = new SFrameContext({ maxEpochs: 1 });
+        receiver.setKey(0, k0);
+        receiver.setKey(1, k1);   // evicts epoch 0
+        await expect(decryptFrame(receiver, stale)).rejects.toMatchObject({
+            code: 'ZQ_WEBRTC_E2EE_UNKNOWN_EPOCH',
+        });
+    });
+});
+describe('attachE2ee', () => {
+    it('rejects something that is not an RTCPeerConnection', () => {
+        const ctx = new SFrameContext();
+        expect(() => attachE2ee({}, ctx)).toThrow(/RTCPeerConnection/);
+    });
+    it('rejects a non-SFrameContext', () => {
+        const fakePc = { getSenders: () => [], getReceivers: () => [] };
+        expect(() => attachE2ee(fakePc, {})).toThrow(/SFrameContext/);
+    });
+    it('returns a refresh/detach handle and walks senders + receivers', async () => {
+        const ctx = new SFrameContext();
+        ctx.setKey(0, await generateSFrameKey());
+        const senderCalls   = [];
+        const receiverCalls = [];
+        const fakeSender    = { createEncodedStreams: () => { senderCalls.push(1);   return null; } };
+        const fakeReceiver  = { createEncodedStreams: () => { receiverCalls.push(1); return null; } };
+        const fakePc = {
+            getSenders:   () => [fakeSender],
+            getReceivers: () => [fakeReceiver],
+        };
+        const handle = attachE2ee(fakePc, ctx);
+        expect(typeof handle.refresh).toBe('function');
+        expect(typeof handle.detach).toBe('function');
+        expect(senderCalls).toHaveLength(1);
+        expect(receiverCalls).toHaveLength(1);
+        // refresh() is idempotent per sender / receiver (WeakSet dedupe).
+        handle.refresh();
+        expect(senderCalls).toHaveLength(1);
+        handle.detach();
+    });
+    it('survives a sender without createEncodedStreams', () => {
+        const ctx = new SFrameContext();
+        const fakePc = {
+            getSenders:   () => [{}],
+            getReceivers: () => [{}],
+        };
+        expect(() => attachE2ee(fakePc, ctx)).not.toThrow();
+    });
+});

package/tests/webrtc/ice.test.js ADDED Viewed

@@ -0,0 +1,202 @@
+/**
+ * tests/webrtc/ice.test.js
+ *
+ * Coverage for `src/webrtc/ice.js`: parse, stringify (round-trip),
+ * address classifiers, and `filterCandidates` policy combinations.
+ */
+import { describe, it, expect } from 'vitest';
+import {
+    parseCandidate, stringifyCandidate,
+    isPrivateIp, isLoopbackIp, isLinkLocalIp, isMdnsHostname,
+    filterCandidates, CANDIDATE_TYPES,
+} from '../../src/webrtc/ice.js';
+import { IceError } from '../../src/webrtc/errors.js';
+describe('ice.parseCandidate', () => {
+    const HOST = 'candidate:842163049 1 udp 1677729535 192.168.1.5 50000 typ host';
+    const SRFLX = 'candidate:1 1 udp 2122194687 1.2.3.4 50001 typ srflx raddr 192.168.1.5 rport 50000';
+    const TCP = 'candidate:2 1 tcp 1518280447 10.0.0.1 9 typ host tcptype active';
+    it('parses a simple host candidate', () => {
+        const c = parseCandidate(HOST);
+        expect(c.foundation).toBe('842163049');
+        expect(c.component).toBe(1);
+        expect(c.transport).toBe('udp');
+        expect(c.priority).toBe(1677729535);
+        expect(c.address).toBe('192.168.1.5');
+        expect(c.port).toBe(50000);
+        expect(c.type).toBe('host');
+    });
+    it('lifts raddr/rport onto named fields for srflx', () => {
+        const c = parseCandidate(SRFLX);
+        expect(c.type).toBe('srflx');
+        expect(c.relatedAddress).toBe('192.168.1.5');
+        expect(c.relatedPort).toBe(50000);
+    });
+    it('lifts tcptype for TCP candidates', () => {
+        const c = parseCandidate(TCP);
+        expect(c.transport).toBe('tcp');
+        expect(c.tcpType).toBe('active');
+    });
+    it('accepts the `a=` SDP-attribute prefix', () => {
+        const c = parseCandidate(`a=${HOST}`);
+        expect(c.address).toBe('192.168.1.5');
+    });
+    it('captures unknown key/value pairs as extensions', () => {
+        const c = parseCandidate(`${HOST} generation 0 ufrag abcd network-id 1`);
+        expect(c.extensions.generation).toBe('0');
+        expect(c.extensions.ufrag).toBe('abcd');
+        expect(c.extensions['network-id']).toBe('1');
+    });
+    it('throws IceError on non-string input', () => {
+        expect(() => parseCandidate(null)).toThrowError(IceError);
+        expect(() => parseCandidate(123)).toThrowError(IceError);
+    });
+    it('throws IceError on missing candidate: prefix', () => {
+        expect(() => parseCandidate('842163049 1 udp ...')).toThrowError(IceError);
+    });
+    it('throws IceError on bad type keyword or unknown type', () => {
+        expect(() => parseCandidate('candidate:1 1 udp 1 1.2.3.4 1 nope host')).toThrowError(IceError);
+        expect(() => parseCandidate('candidate:1 1 udp 1 1.2.3.4 1 typ moon')).toThrowError(IceError);
+    });
+    it('throws IceError on out-of-range port', () => {
+        expect(() => parseCandidate('candidate:1 1 udp 1 1.2.3.4 99999 typ host')).toThrowError(IceError);
+    });
+});
+describe('ice.stringifyCandidate', () => {
+    it('round-trips parseCandidate output exactly', () => {
+        const line = 'candidate:1 1 udp 2122194687 1.2.3.4 50001 typ srflx raddr 10.0.0.1 rport 50000 generation 0';
+        const reser = stringifyCandidate(parseCandidate(line));
+        // generation lands in extensions; order is preserved.
+        expect(reser).toBe(line);
+    });
+    it('throws on missing required fields', () => {
+        expect(() => stringifyCandidate({ foundation: '1' })).toThrowError(IceError);
+        expect(() => stringifyCandidate(null)).toThrowError(IceError);
+    });
+});
+describe('ice address classifiers', () => {
+    it('isPrivateIp covers RFC 1918 / 6598 / ULA', () => {
+        expect(isPrivateIp('10.0.0.1')).toBe(true);
+        expect(isPrivateIp('172.16.0.1')).toBe(true);
+        expect(isPrivateIp('172.32.0.1')).toBe(false);
+        expect(isPrivateIp('192.168.1.1')).toBe(true);
+        expect(isPrivateIp('100.64.0.1')).toBe(true);
+        expect(isPrivateIp('1.2.3.4')).toBe(false);
+        expect(isPrivateIp('fc00::1')).toBe(true);
+        expect(isPrivateIp('2001:db8::1')).toBe(false);
+    });
+    it('isLoopbackIp covers 127.0.0.0/8 and ::1', () => {
+        expect(isLoopbackIp('127.0.0.1')).toBe(true);
+        expect(isLoopbackIp('127.1.2.3')).toBe(true);
+        expect(isLoopbackIp('::1')).toBe(true);
+        expect(isLoopbackIp('1.2.3.4')).toBe(false);
+    });
+    it('isLinkLocalIp covers 169.254/16 and fe80::/10', () => {
+        expect(isLinkLocalIp('169.254.1.1')).toBe(true);
+        expect(isLinkLocalIp('169.255.1.1')).toBe(false);
+        expect(isLinkLocalIp('fe80::1')).toBe(true);
+        expect(isLinkLocalIp('fec0::1')).toBe(false);
+    });
+    it('isMdnsHostname is strict about hostnames vs IPs', () => {
+        expect(isMdnsHostname('abcd1234.local')).toBe(true);
+        expect(isMdnsHostname('Abcd1234.LOCAL')).toBe(true);
+        expect(isMdnsHostname('1.2.3.4')).toBe(false);
+        expect(isMdnsHostname('fe80::1')).toBe(false);
+        expect(isMdnsHostname('example.com')).toBe(false);
+        expect(isMdnsHostname(null)).toBe(false);
+    });
+});
+describe('ice.filterCandidates', () => {
+    const lines = [
+        'candidate:1 1 udp 1 1.2.3.4 5000 typ host',                    // public
+        'candidate:2 1 udp 1 10.0.0.1 5000 typ host',                   // private
+        'candidate:3 1 udp 1 abc123.local 5000 typ host',               // mDNS
+        'candidate:4 1 udp 1 5.6.7.8 5000 typ srflx',                   // srflx public
+        'candidate:5 1 tcp 1 5.6.7.8 9 typ host tcptype active',        // TCP
+        'candidate:6 1 udp 1 fe80::1 5000 typ host',                    // IPv6 link-local
+        'garbage',                                                       // unparseable
+    ];
+    it('blockMdns drops .local hostnames only', () => {
+        const out = filterCandidates(lines, { blockMdns: true });
+        expect(out.find((l) => l.includes('.local'))).toBeUndefined();
+        expect(out.find((l) => l.includes('1.2.3.4'))).toBeDefined();
+    });
+    it('blockPrivate drops RFC 1918 addresses', () => {
+        const out = filterCandidates(lines, { blockPrivate: true });
+        expect(out.find((l) => l.includes('10.0.0.1'))).toBeUndefined();
+    });
+    it('blockTcp drops TCP transports', () => {
+        const out = filterCandidates(lines, { blockTcp: true });
+        expect(out.find((l) => l.startsWith('candidate:5 '))).toBeUndefined();
+    });
+    it('blockLinkLocal drops fe80:: addresses', () => {
+        const out = filterCandidates(lines, { blockLinkLocal: true });
+        expect(out.find((l) => l.includes('fe80::1'))).toBeUndefined();
+    });
+    it('allowedTypes whitelist filters out other types', () => {
+        const out = filterCandidates(lines, { allowedTypes: ['srflx'] });
+        expect(out).toHaveLength(1);
+        expect(out[0]).toContain('typ srflx');
+    });
+    it('maxCandidates caps the result', () => {
+        const out = filterCandidates(lines, { maxCandidates: 2 });
+        expect(out).toHaveLength(2);
+    });
+    it('predicate hook can drop individual candidates', () => {
+        const out = filterCandidates(lines, { predicate: (c) => c.priority !== 1 || c.address === '1.2.3.4' });
+        expect(out.find((l) => l.includes('1.2.3.4'))).toBeDefined();
+        expect(out.find((l) => l.includes('10.0.0.1'))).toBeUndefined();
+    });
+    it('silently skips unparseable lines', () => {
+        const out = filterCandidates(lines);
+        expect(out.includes('garbage')).toBe(false);
+    });
+    it('returns parsed objects when input is parsed objects', () => {
+        const parsed = lines.slice(0, 4).map(parseCandidate);
+        const out = filterCandidates(parsed, { blockMdns: true });
+        expect(out.every((c) => typeof c === 'object')).toBe(true);
+    });
+    it('returns [] when input is not an array', () => {
+        expect(filterCandidates(null)).toEqual([]);
+        expect(filterCandidates('x')).toEqual([]);
+    });
+});
+describe('ice module constants', () => {
+    it('exports CANDIDATE_TYPES frozen', () => {
+        expect(CANDIDATE_TYPES).toEqual(['host', 'srflx', 'prflx', 'relay']);
+        expect(Object.isFrozen(CANDIDATE_TYPES)).toBe(true);
+    });
+});

package/tests/webrtc/joinToken.test.js ADDED Viewed

@@ -0,0 +1,89 @@
+/**
+ * tests/webrtc/joinToken.test.js
+ */
+import { describe, it, expect } from 'vitest';
+import { decodeJoinToken, isJoinTokenExpired } from '../../src/webrtc/index.js';
+function b64urlJson(obj) {
+    const json = JSON.stringify(obj);
+    // base64url-encode in a Node-friendly way
+    const b64 = Buffer.from(json, 'utf8').toString('base64');
+    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+describe('decodeJoinToken', () => {
+    it('decodes a JWT-like 3-segment token', () => {
+        const header  = b64urlJson({ alg: 'HS256', typ: 'JWT' });
+        const payload = b64urlJson({ user: { id: 'u1', name: 'Ada' }, room: 'lobby', exp: 1_700_000_000 });
+        const token   = `${header}.${payload}.signature`;
+        const d       = decodeJoinToken(token);
+        expect(d.user).toEqual({ id: 'u1', name: 'Ada' });
+        expect(d.room).toBe('lobby');
+        expect(d.exp).toBe(1_700_000_000);
+    });
+    it('decodes a 2-segment token (payload.sig)', () => {
+        const token = `${b64urlJson({ user: { id: 'u2' }, room: 'r' })}.sig`;
+        expect(decodeJoinToken(token).user).toEqual({ id: 'u2' });
+    });
+    it('decodes a 1-segment payload-only token', () => {
+        const token = b64urlJson({ user: { id: 'u3' }, room: 'r' });
+        expect(decodeJoinToken(token).user.id).toBe('u3');
+    });
+    it('falls back to `sub` for user id', () => {
+        const token = `${b64urlJson({ sub: 'subject-1', room: 'r' })}.sig`;
+        expect(decodeJoinToken(token).user).toEqual({ id: 'subject-1' });
+    });
+    it('returns null user/room/exp when payload lacks them', () => {
+        const d = decodeJoinToken(b64urlJson({ foo: 1 }));
+        expect(d.user).toBeNull();
+        expect(d.room).toBeNull();
+        expect(d.exp).toBeNull();
+        expect(d.raw).toEqual({ foo: 1 });
+    });
+    it('rejects empty / non-string input', () => {
+        expect(() => decodeJoinToken('')).toThrow(/non-empty string/);
+        expect(() => decodeJoinToken(null)).toThrow(/non-empty string/);
+    });
+    it('rejects malformed shape', () => {
+        expect(() => decodeJoinToken('a.b.c.d')).toMatchObject; // throws below
+        try { decodeJoinToken('a.b.c.d'); throw new Error('want throw'); }
+        catch (err) { expect(err.code).toBe('ZQ_WEBRTC_TOKEN_BAD_SHAPE'); }
+    });
+    it('rejects bad base64url payload', () => {
+        try { decodeJoinToken('not!base64.sig'); throw new Error('want throw'); }
+        catch (err) { expect(err.code).toBe('ZQ_WEBRTC_TOKEN_BAD_PAYLOAD'); }
+    });
+});
+describe('isJoinTokenExpired', () => {
+    it('returns false when exp is missing', () => {
+        expect(isJoinTokenExpired({ exp: null })).toBe(false);
+        expect(isJoinTokenExpired({})).toBe(false);
+    });
+    it('returns true when exp is in the past', () => {
+        const expSec = Math.floor(Date.now() / 1000) - 60;
+        expect(isJoinTokenExpired({ exp: expSec })).toBe(true);
+    });
+    it('returns false when exp is in the future', () => {
+        const expSec = Math.floor(Date.now() / 1000) + 60;
+        expect(isJoinTokenExpired({ exp: expSec })).toBe(false);
+    });
+    it('respects nowMs override', () => {
+        expect(isJoinTokenExpired({ exp: 1000 }, { nowMs: 2_000_000 })).toBe(true);
+        expect(isJoinTokenExpired({ exp: 1000 }, { nowMs: 0 })).toBe(false);
+    });
+});

package/tests/webrtc/observe.test.js ADDED Viewed

@@ -0,0 +1,111 @@
+/**
+ * tests/webrtc/observe.test.js
+ */
+import { describe, it, expect, vi } from 'vitest';
+import { samplePeerStats, createStatsSampler, classifyStats } from '../../src/webrtc/index.js';
+function makeReport(entries) {
+    const map = new Map();
+    for (const e of entries) map.set(e.id || e.type, e);
+    return map;
+}
+function makePc(report) {
+    return { getStats: vi.fn(async () => report) };
+}
+describe('samplePeerStats', () => {
+    it('reduces an iterable getStats report to a flat summary', async () => {
+        const pc = makePc(makeReport([
+            { id: 'in1',  type: 'inbound-rtp',    bytesReceived: 1000, packetsReceived: 100, packetsLost: 2 },
+            { id: 'out1', type: 'outbound-rtp',   bytesSent: 5000 },
+            { id: 'cp1',  type: 'candidate-pair', state: 'succeeded', nominated: true, currentRoundTripTime: 0.05 },
+        ]));
+        const s = await samplePeerStats(pc);
+        expect(s.inboundRtp.length).toBe(1);
+        expect(s.outboundRtp.length).toBe(1);
+        expect(s.candidatePair).not.toBeNull();
+        expect(s.summary.bytesSent).toBe(5000);
+        expect(s.summary.bytesReceived).toBe(1000);
+        expect(s.summary.rttMs).toBeCloseTo(50);
+        expect(s.summary.lossPct).toBeCloseTo((2 / 102) * 100);
+    });
+    it('handles a plain-object report', async () => {
+        const pc = makePc({
+            in1:  { type: 'inbound-rtp',  bytesReceived: 10, packetsReceived: 1, packetsLost: 0 },
+            out1: { type: 'outbound-rtp', bytesSent: 20 },
+        });
+        const s = await samplePeerStats(pc);
+        expect(s.summary.bytesSent).toBe(20);
+        expect(s.summary.bytesReceived).toBe(10);
+        expect(s.candidatePair).toBeNull();
+    });
+    it('rejects a non-RTCPeerConnection', async () => {
+        await expect(samplePeerStats({})).rejects.toMatchObject({ code: 'ZQ_WEBRTC_OBSERVE_BAD_PC' });
+    });
+    it('wraps getStats() failures', async () => {
+        const pc = { getStats: async () => { throw new Error('boom'); } };
+        await expect(samplePeerStats(pc)).rejects.toMatchObject({ code: 'ZQ_WEBRTC_OBSERVE_GETSTATS_FAILED' });
+    });
+});
+describe('classifyStats', () => {
+    it('returns "unknown" for empty samples', () => {
+        expect(classifyStats(null)).toBe('unknown');
+        expect(classifyStats({ summary: { rttMs: null, lossPct: 0 } })).toBe('unknown');
+    });
+    it('returns "good" for low rtt/loss', () => {
+        expect(classifyStats({ summary: { rttMs: 50, lossPct: 0.2 } })).toBe('good');
+    });
+    it('returns "fair" for moderate rtt/loss', () => {
+        expect(classifyStats({ summary: { rttMs: 250, lossPct: 0.5 } })).toBe('fair');
+        expect(classifyStats({ summary: { rttMs: 50,  lossPct: 2   } })).toBe('fair');
+    });
+    it('returns "poor" for high rtt/loss', () => {
+        expect(classifyStats({ summary: { rttMs: 500, lossPct: 0 } })).toBe('poor');
+        expect(classifyStats({ summary: { rttMs: 50,  lossPct: 10 } })).toBe('poor');
+    });
+});
+describe('createStatsSampler', () => {
+    it('samples immediately and reports via onSample', async () => {
+        const pc = makePc(makeReport([
+            { id: 'in1', type: 'inbound-rtp', bytesReceived: 1, packetsReceived: 1, packetsLost: 0 },
+        ]));
+        const samples = [];
+        const sampler = createStatsSampler(pc, {
+            intervalMs: 10_000,
+            onSample: (s) => samples.push(s),
+        });
+        // Yield so the immediate getStats() resolves.
+        await new Promise((r) => setTimeout(r, 5));
+        sampler.stop();
+        expect(samples.length).toBe(1);
+        expect(sampler.getLatest()).toBe(samples[0]);
+    });
+    it('forwards getStats() failures to onError', async () => {
+        const pc = { getStats: async () => { throw new Error('nope'); } };
+        const errs = [];
+        const sampler = createStatsSampler(pc, { intervalMs: 10_000, onError: (e) => errs.push(e) });
+        await new Promise((r) => setTimeout(r, 5));
+        sampler.stop();
+        expect(errs.length).toBe(1);
+        expect(errs[0].code).toBe('ZQ_WEBRTC_OBSERVE_GETSTATS_FAILED');
+    });
+    it('rejects a non-RTCPeerConnection', () => {
+        expect(() => createStatsSampler({})).toThrow(/RTCPeerConnection required/);
+    });
+});