every.channel: sanitized baseline

evolution/proposals/ECP-0056-turn-ice-bootstrap.md

@@ -0,0 +1,38 @@
+# ECP-0056: TURN ICE Bootstrap Endpoint
+
+Status: Draft
+
+## Problem
+
+WebRTC connectivity is unreliable across diverse NAT / firewall environments when we rely only on
+public STUN servers. For "send a link to mom" reliability, viewers need TURN available.
+
+We also need a single, stable place for the web app and native CLI to fetch ICE server config
+without exposing implementation details in the UI.
+
+## Proposal
+
+- Add `GET /api/turn` on `every.channel`.
+- Response returns a `just-webrtc` compatible `PeerConfiguration` subset:
+  - `ice_servers`: array of STUN/TURN servers.
+- Default behavior:
+  - Always include STUN servers (Cloudflare STUN + Google STUN fallback).
+  - If a TURN shared secret is configured in the Worker environment, also include TURN servers
+    with short-lived credentials generated via the TURN REST pattern (HMAC-based).
+
+This keeps the container DO offline (`enableInternet=false`) and centralizes "how to TURN" in the
+Worker, while clients remain generic.
+
+## Security / Abuse Notes
+
+- TURN credentials are short-lived (hour-scale) and only usable against the TURN provider.
+- We do not log or persist TURN credentials.
+- The shared secret is stored as a Worker secret (not in git).
+
+## Rollout
+
+1. Deploy Worker with `/api/turn`.
+2. Update web viewer + `ec-node` direct publish/subscribe to fetch and use `/api/turn`.
+3. If/when Cloudflare Calls TURN keys are enabled for the account, store the Calls TURN key as the
+   shared secret in the Worker and turn on TURN at the edge.
+