feat: add iroh-ice module for WebRTC ICE candidate extraction

[HexaField]

Summary

Adds a complete Iroh-to-ICE bridge that exposes Holochain's transport-discovered socket addresses as WebRTC ICE candidates, replacing the need for external STUN servers. Provides both the low-level module and the full GraphQL API + TypeScript client integration.

Changes

rust-executor/src/iroh_ice/mod.rs — Core Module

• IrohIce struct: takes socket addresses, produces RFC 8445 compliant ICE candidates
• Classifies addresses as host (private/LAN) or srflx (public/reflexive)
• Computes priorities per RFC 8445 Section 5.1.2.1
• Formats candidate strings for RTCPeerConnection.addIceCandidate()
• Zero external dependencies (pure std::net)
• 9 unit tests

rust-executor/src/graphql/ — GraphQL API

• IceCandidateInfo GraphQL type with candidate, candidateType, address, port
• runtimeIceCandidates query: fetches socket addresses from conductor.holochain_p2p().local_socket_addrs() and converts them via IrohIce

core/src/runtime/ — TypeScript Client

• IceCandidateInfo class in RuntimeResolver.ts
• runtime.iceCandidates() client method in RuntimeClient.ts

Usage

// In Flux or any AD4M client
const candidates = await ad4mClient.runtime.iceCandidates()
// Returns: [{ candidate: 'candidate:1 1 udp 2130706431 192.168.1.5 12345 typ host', candidateType: 'host', address: '192.168.1.5', port: 12345 }, ...]

Flux Integration (separate PR)

The packages/webrtc/src/WebRTCManager.ts in Flux currently uses hardcoded STUN servers (stun:relay.ad4m.dev:3478, stun:stun.l.google.com:19302, etc.). The integration path:

1. On WebRTCManager.init(), call ad4mClient.runtime.iceCandidates() to fetch Iroh-derived candidates
2. After each RTCPeerConnection is created (in AD4MPeer.createPeer()), inject the Iroh candidates via pc.addIceCandidate()
3. Optionally fall back to STUN servers if no Iroh candidates are available (graceful degradation)

This works for both the existing P2P mesh calls and the future SFU system (#700), since iroh-ice is transport-agnostic — it provides candidates that any WebRTC consumer can use.

SFU Considerations

The iroh-ice module is deliberately generic — no knowledge of mesh vs SFU vs pipe transport. When the str0m SFU (#700) lands:

• SFU server: uses IrohIce to get its own ICE candidates to share with clients
• SFU clients: use the same runtimeIceCandidates API to get their local candidates
• The SFU negotiation adds its own signaling on top, but the ICE candidate source is shared

Dependencies

• holochain/kitsune2#476 — local_socket_addrs() on Transport trait
• coasys/holochain#1 — surface through HcP2p trait

Note

The ad4m-client crate has 327 pre-existing compile errors (GraphQL codegen issue) unrelated to this PR. The ad4m-executor crate and the iroh-ice module compile and test successfully.

See: #719

Summary by CodeRabbit

• New Features
  • Public API and GraphQL query to fetch ICE candidate details (candidate, type, address, port).
  • Local ICE candidate generation exposed so clients can discover formatted candidate info and detect public vs private addresses for connectivity diagnostics.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds end-to-end ICE candidate support: TypeScript client/resolver APIs, new GraphQL types/resolver in Rust, and a new iroh_ice Rust module that generates WebRTC-compatible ICE candidates from local Holochain/Iroh socket addresses using RFC 8445 formatting and priority logic.

Changes

Cohort / File(s)	Summary
TypeScript Runtime API core/src/runtime/RuntimeClient.ts, core/src/runtime/RuntimeResolver.ts	Adds iceCandidates() on RuntimeClient and IceCandidateInfo GraphQL type/resolver; client queries runtimeIceCandidates.
Rust GraphQL Types & Resolver rust-executor/src/graphql/graphql_types.rs, rust-executor/src/graphql/query_resolvers.rs	Adds IceCandidateInfo GraphQL struct and runtime_ice_candidates resolver that queries local Holochain socket addresses and maps them to IceCandidateInfo.
Rust ICE Bridge Module rust-executor/src/iroh_ice/mod.rs, rust-executor/src/lib.rs	New iroh_ice module implementing IrohIce, IceCandidate/IceCandidateType, candidate classification, RFC 8445 priority and candidate formatting, candidate generation/update APIs, tests, and public module export in lib.rs.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client App
    participant TSClient as RuntimeClient
    participant GraphQL as GraphQL Server
    participant Resolver as runtime_ice_candidates
    participant Holochain as Holochain Service
    participant IrohIce as IrohIce Module

    Client->>TSClient: call iceCandidates()
    TSClient->>GraphQL: query runtimeIceCandidates
    GraphQL->>Resolver: resolve runtime_ice_candidates()
    Resolver->>Holochain: request local socket addresses
    Holochain-->>Resolver: return Vec<SocketAddr>
    Resolver->>IrohIce: construct with local_addrs
    IrohIce->>IrohIce: classify_addr()/compute_priority()/format_candidate()
    IrohIce-->>Resolver: return IceCandidateInfo list
    Resolver->>GraphQL: map to IceCandidateInfo[]
    GraphQL-->>TSClient: runtimeIceCandidates result
    TSClient-->>Client: Promise<IceCandidateInfo[]>

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• feat: Iroh-based ICE transport to replace STUN/TURN for all WebRTC #719: Implements the iroh_ice module and GraphQL surface described in the issue (candidate generation, resolver, and client API).

Poem

🐇 I hopped through sockets, swift and spry,

I shaped each candidate under the sky,
Priorities set, RFC tidy and neat,
From Holochain lanes to WebRTC seat,
A rabbit's bridge — small, clever, and fleet.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: adding a new iroh-ice module for WebRTC ICE candidate extraction, which is the primary focus of all file changes.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/iroh-ice

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

core/src/runtime/RuntimeResolver.ts (1)

47-57: Consider adding explicit Int type for port field.

The port field is a number in TypeScript, but GraphQL distinguishes between Int and Float. Without an explicit type annotation, type-graphql defaults to Float for number types. For consistency with the Rust backend (which uses i32), consider specifying Int:

♻️ Proposed fix

 `@ObjectType`()
 export class IceCandidateInfo {
     `@Field`()
     candidate: string;
     `@Field`()
     candidateType: string;
     `@Field`()
     address: string;
-    `@Field`()
+    `@Field`(type => Int)
     port: number;
 }

Note: You'll need to import Int from type-graphql if not already imported.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/src/runtime/RuntimeResolver.ts` around lines 47 - 57, The
IceCandidateInfo.port field is a TS number but GraphQL will treat it as Float by
default; update the `@Field` decorator on the port property in class
IceCandidateInfo to explicitly use GraphQL Int (e.g., `@Field`(() => Int)) and add
an import for Int from type-graphql so the schema matches the Rust i32
semantics.

rust-executor/src/iroh_ice/mod.rs (1)

104-126: Consider handling IPv4 CGNAT/shared address space (100.64.0.0/10).

The is_private() function doesn't account for the IPv4 shared address space (100.64.0.0/10, RFC 6598), commonly used by carrier-grade NAT (CGNAT). These addresses are not globally routable and would be misclassified as server-reflexive (public).

While this may be uncommon in practice, it could lead to ICE candidates that won't work for external connections.

♻️ Proposed fix to handle CGNAT range

 fn is_private(addr: &SocketAddr) -> bool {
     match addr {
         SocketAddr::V4(v4) => {
             let ip = v4.ip();
+            let octets = ip.octets();
             ip.is_private()
                 || ip.is_loopback()
                 || ip.is_link_local()
                 || ip.is_unspecified()
+                // CGNAT/shared address space (100.64.0.0/10) per RFC 6598
+                || (octets[0] == 100 && (octets[1] & 0xc0) == 64)
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@rust-executor/src/iroh_ice/mod.rs` around lines 104 - 126, The is_private
function currently misses IPv4 CGNAT/shared space (100.64.0.0/10); update the
SocketAddr::V4 branch in fn is_private to detect this range by inspecting the
IPv4 octets (e.g., let octets = ip.octets(); treat as private when octets[0] ==
100 && (octets[1] & 0b1100_0000) == 0b0100_0000), and return true for that case
so CGNAT addresses are classified as non-public; adjust or add unit tests around
is_private to cover 100.64.0.0/10.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@rust-executor/src/graphql/query_resolvers.rs`:
- Around line 795-821: Add a capability check at the start of
runtime_ice_candidates to prevent unauthorized access to local socket addresses:
call the same capability enforcement used in runtime_hc_agent_infos (e.g.
context.require_capability(RUNTIME_HC_AGENT_INFO_READ_CAPABILITY) or define and
use a new RUNTIME_ICE_CANDIDATES_READ_CAPABILITY constant) before calling
get_holochain_service(), and return a FieldError or propagate the existing error
path on failure so callers without the capability cannot retrieve ICE candidate
info.

---

Nitpick comments:
In `@core/src/runtime/RuntimeResolver.ts`:
- Around line 47-57: The IceCandidateInfo.port field is a TS number but GraphQL
will treat it as Float by default; update the `@Field` decorator on the port
property in class IceCandidateInfo to explicitly use GraphQL Int (e.g.,
`@Field`(() => Int)) and add an import for Int from type-graphql so the schema
matches the Rust i32 semantics.

In `@rust-executor/src/iroh_ice/mod.rs`:
- Around line 104-126: The is_private function currently misses IPv4
CGNAT/shared space (100.64.0.0/10); update the SocketAddr::V4 branch in fn
is_private to detect this range by inspecting the IPv4 octets (e.g., let octets
= ip.octets(); treat as private when octets[0] == 100 && (octets[1] &
0b1100_0000) == 0b0100_0000), and return true for that case so CGNAT addresses
are classified as non-public; adjust or add unit tests around is_private to
cover 100.64.0.0/10.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7042434f-94e0-48d1-a703-a7733453b8c2

📥 Commits

Reviewing files that changed from the base of the PR and between 91b08ba and a316e4b.

📒 Files selected for processing (6)

• core/src/runtime/RuntimeClient.ts
• core/src/runtime/RuntimeResolver.ts
• rust-executor/src/graphql/graphql_types.rs
• rust-executor/src/graphql/query_resolvers.rs
• rust-executor/src/iroh_ice/mod.rs
• rust-executor/src/lib.rs

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core/src/runtime/RuntimeClient.ts`:
- Around line 81-91: The iceCandidates method is querying runtimeIceCandidates
via this.#apolloClient.query and currently relies on the default cache-first
policy, which can return stale ICE data; update the call in iceCandidates (the
invocation of this.#apolloClient.query that wraps unwrapApolloResult) to pass
fetchPolicy: "no-cache" so the query always fetches fresh ICE candidate info
from the network rather than from Apollo cache.

In `@rust-executor/src/iroh_ice/mod.rs`:
- Around line 63-75: The current mapping over self.local_addrs in
runtimeIceCandidates (and the similar block around lines 104-129) includes
unspecified/wildcard addresses (0.0.0.0 / ::), producing dead ICE candidates;
filter out addresses where addr.is_unspecified() before calling classify_addr,
compute_priority, format_ice_candidate, and constructing IceCandidate so only
concrete host addresses are serialized. Locate the iterator using
self.local_addrs and insert a .filter(|addr| !addr.is_unspecified()) (or
equivalent) prior to the .enumerate().map(...) to drop wildcard bindings.
- Around line 57-75: The code incorrectly infers srflx purely from IPs in
local_candidates by using classify_addr and then calling format_ice_candidate
without provenance; instead accept and propagate provenance/base-address
metadata into this module (or into the IceCandidate creation path) and use that
provenance when deciding candidate.typ and when calling format_ice_candidate, or
conservatively emit public addresses as host until the transport proves they are
server-reflexive; update the logic around local_candidates (and the equivalent
candidate-building sites that use classify_addr, compute_priority,
format_ice_candidate, and IceCandidate) to consult the new provenance field
rather than IP class alone so SDP serialization and downstream candidate_type
remain correct.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6765dd6a-95cb-4ace-b1f8-1ae0b82c0397

📥 Commits

Reviewing files that changed from the base of the PR and between a316e4b and a18548c.

📒 Files selected for processing (5)

• core/src/runtime/RuntimeClient.ts
• core/src/runtime/RuntimeResolver.ts
• rust-executor/src/graphql/graphql_types.rs
• rust-executor/src/graphql/query_resolvers.rs
• rust-executor/src/iroh_ice/mod.rs

🚧 Files skipped from review as they are similar to previous changes (3)

• core/src/runtime/RuntimeResolver.ts
• rust-executor/src/graphql/graphql_types.rs
• rust-executor/src/graphql/query_resolvers.rs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@rust-executor/src/iroh_ice/mod.rs`:
- Around line 151-171: The formatter format_ice_candidate is emitting "typ
srflx" without the required related-address fields; either stop advertising
srflx or extend the candidate type to carry the server-reflexive base
address/port and serialize raddr/rport. Concretely: update the IceCandidateType
to include the base SocketAddr for ServerReflexive (e.g.,
ServerReflexive(SocketAddr)) or add an explicit related_addr parameter to
format_ice_candidate, and when matching IceCandidateType::ServerReflexive
include " raddr {ip} rport {port}" in the formatted string; otherwise only emit
"typ host" for host candidates so tests and callers see a valid ICE candidate
string.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8fc2d162-462c-4e35-b9e3-fba667aed8df

📥 Commits

Reviewing files that changed from the base of the PR and between a18548c and b9981dc.

📒 Files selected for processing (5)

• core/src/runtime/RuntimeClient.ts
• core/src/runtime/RuntimeResolver.ts
• rust-executor/src/graphql/graphql_types.rs
• rust-executor/src/graphql/query_resolvers.rs
• rust-executor/src/iroh_ice/mod.rs

🚧 Files skipped from review as they are similar to previous changes (3)

• rust-executor/src/graphql/graphql_types.rs
• core/src/runtime/RuntimeResolver.ts
• core/src/runtime/RuntimeClient.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Don't advertise srflx support with an incomplete candidate format.

A server-reflexive candidate needs its related/base address and port serialized as raddr / rport. Right now this formatter emits typ srflx only, and the test on Line 223 locks that invalid shape in. Either carry the base address through this type and append the related-address attributes, or keep the surface host-only until provenance exists.

Also applies to: 223-230

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@rust-executor/src/iroh_ice/mod.rs` around lines 151 - 171, The formatter
format_ice_candidate is emitting "typ srflx" without the required
related-address fields; either stop advertising srflx or extend the candidate
type to carry the server-reflexive base address/port and serialize raddr/rport.
Concretely: update the IceCandidateType to include the base SocketAddr for
ServerReflexive (e.g., ServerReflexive(SocketAddr)) or add an explicit
related_addr parameter to format_ice_candidate, and when matching
IceCandidateType::ServerReflexive include " raddr {ip} rport {port}" in the
formatted string; otherwise only emit "typ host" for host candidates so tests
and callers see a valid ICE candidate string.