diff --git a/extensions/voice-call/src/tunnel.ts b/extensions/voice-call/src/tunnel.ts
index 770884926ed..e1c6cd86b57 100644
--- a/extensions/voice-call/src/tunnel.ts
+++ b/extensions/voice-call/src/tunnel.ts
@@ -4,7 +4,7 @@ import { getTailscaleDnsName } from "./webhook/tailscale.js";
 /**
  * Tunnel configuration for exposing the webhook server.
  */
-export interface TunnelConfig {
+interface TunnelConfig {
   /** Tunnel provider: ngrok, tailscale-serve, or tailscale-funnel */
   provider: "ngrok" | "tailscale-serve" | "tailscale-funnel" | "none";
   /** Local port to tunnel */
diff --git a/extensions/voice-call/src/webhook-exposure.ts b/extensions/voice-call/src/webhook-exposure.ts
index 30830cd292f..dd707ad1a32 100644
--- a/extensions/voice-call/src/webhook-exposure.ts
+++ b/extensions/voice-call/src/webhook-exposure.ts
@@ -1,6 +1,6 @@
 import { isBlockedHostnameOrIp } from "../api.js";
 
-export type VoiceCallWebhookExposureConfig = {
+type VoiceCallWebhookExposureConfig = {
   provider?: string;
   publicUrl?: string;
   tunnel?: {
@@ -11,7 +11,7 @@ export type VoiceCallWebhookExposureConfig = {
   };
 };
 
-export type VoiceCallWebhookExposureStatus = {
+type VoiceCallWebhookExposureStatus = {
   ok: boolean;
   configured: boolean;
   message: string;
diff --git a/extensions/voice-call/src/webhook-security.ts b/extensions/voice-call/src/webhook-security.ts
index a7b4ff3ff1f..45e2d39b009 100644
--- a/extensions/voice-call/src/webhook-security.ts
+++ b/extensions/voice-call/src/webhook-security.ts
@@ -79,7 +79,7 @@ function markReplay(cache: ReplayCache, replayKey: string): boolean {
  *
  * @see https://www.twilio.com/docs/usage/webhooks/webhooks-security
  */
-export function validateTwilioSignature(
+function validateTwilioSignature(
   authToken: string,
   signature: string | undefined,
   url: string,
@@ -129,7 +129,7 @@ function timingSafeEqual(a: string, b: string): boolean {
 /**
  * Configuration for secure URL reconstruction.
  */
-export interface WebhookUrlOptions {
+interface WebhookUrlOptions {
   /**
    * Whitelist of allowed hostnames. If provided, only these hosts will be
    * accepted from forwarding headers. This prevents host header injection attacks.
@@ -411,7 +411,7 @@ function extractPortFromHostHeader(hostHeader?: string): string | undefined {
 /**
  * Result of Twilio webhook verification with detailed info.
  */
-export interface TwilioVerificationResult {
+interface TwilioVerificationResult {
   ok: boolean;
   reason?: string;
   /** The URL that was used for verification (for debugging) */
@@ -424,7 +424,7 @@ export interface TwilioVerificationResult {
   verifiedRequestKey?: string;
 }
 
-export interface TelnyxVerificationResult {
+interface TelnyxVerificationResult {
   ok: boolean;
   reason?: string;
   /** Request is cryptographically valid but was already processed recently. */
@@ -698,7 +698,7 @@ export function verifyTwilioWebhook(
 /**
  * Result of Plivo webhook verification with detailed info.
  */
-export interface PlivoVerificationResult {
+interface PlivoVerificationResult {
   ok: boolean;
   reason?: string;
   verificationUrl?: string;