release: v0.1.2.2 — coturn validation works on more provider topologies (closes #15, #16)

[vnykmshr]

Bundles #15 and #16. v0.1.2.2 patch tag; no code or JSON schema delta.

What this changes

File	Why
examples/coturn-natcheck.conf	Replaces v0.1.2.1's external-ip=PUBLIC/PRIVATE (only works on AWS/GCP-style topology where the two IPs differ) with explicit two-listening-ip + two-external-ip-pair form. Honest about the topology requirement.
docs/coturn-setup.md	New per-provider topology table (AWS/GCP / DO basic / bare metal / others); worked DO Reserved IP example with ip addr add; verification step references the two specific coturn warning lines; cross-references the script.
scripts/validate-coturn.sh	Three bugs fixed (#16): IPv4 detection (curl -4), log-file path (log-file=stdout so tee captures real content), CHANGE_REQUEST grep wording portable across coturn 4.5/4.6/4.10. New SECOND_IP env var: aliases the IP to the NIC, writes the multi-IP conf form. Honest failure on misconfigured single-IP droplets.
CHANGELOG.md	[0.1.2.2] entry.

Why two issues bundled

#16's script fix is correct standalone (false-positive verification was a real bug), but merging it alone leaves users following docs/coturn-setup.md on a basic single-IP droplet in a worse state than today: the script correctly fails closed, but they have no path forward. #15 provides the path. Shipping both as v0.1.2.2 ships one user-visible message ("coturn validation now works end-to-end across more provider topologies") with a single tag.

Verification (Jordan)

Both behavioural branches confirmed against a real DO basic droplet (coturn 4.6, Ubuntu 24.04, primary public IP 168.144.121.96, Reserved IP 168.144.1.58):

• Single-public-IP, no SECOND_IP (the misconfigured case):

  ==> Verifying coturn config — grepping log for misconfig signals...
      FAIL: 'only one IP address is provided' in log — coturn needs 2 distinct routable IPs to honor CHANGE_REQUEST
  exit=1
  

• SECOND_IP=168.144.1.58 (the documented path-forward):
  Script aliases the Reserved IP, writes multi-IP conf, coturn starts clean (no warning), exits 0. natcheck reports the canonical filtering verdict end-to-end:

  {
    "nat_type": "ADM",
    "filtering": {"behavior": "address-and-port-dependent", "tested_against": "168.144.121.96:3478"},
    "webrtc_forecast": {"direct_p2p": "unlikely", "turn_required": true}
  }

Verdict reproduces across runs (mapped ports + RTTs vary as expected; classification + warnings + exit code stable).

Out of scope

• Cross-address-family mapping bug (classifier: cross-address-family mapped endpoints produce wrong ADM verdict #14): when default-server hostnames resolve via IPv6 and a custom --server is IPv4 literal, natcheck's classifier compares mapped endpoints across families and produces wrong ADM verdicts. Larger surface (Go code change + new schema warning + tests). v0.1.3.
• Canonical sample capture (docs/samples/filtering.txt): blocks behind classifier: cross-address-family mapped endpoints produce wrong ADM verdict #14 so the documented invocation is the natural form (--server stun.l.google.com:19302 --server stun.cloudflare.com:3478 --server <coturn>:3478), not the IPv4-literal workaround we used today.

Linus disposition

4 files, 136 insertions / 65 deletions. Each commit is one concern (conf+docs / script / changelog). No drive-by refactors. No new dependencies. No code touched.

Test plan

• make test (race, count=1) — green (no code change but sanity)
• make lint — 0 issues
• gofmt -l . — clean
• Both script branches verified end-to-end against real DO droplet
• natcheck filtering verdict reproduces post-fix
• CI green on this PR
• Merge → tag v0.1.2.2 on merge commit → Pages auto-deploys → gh release create v0.1.2.2
• Bump Homebrew tap formula to v0.1.2.2 (so brew upgrade natcheck lands the corrected examples/ and docs/ and the new scripts/)