@kehto/runtime 0.1.0 → 0.5.0

package/dist/index.js

@@ -1,5 +1,12 @@
 // src/enforce.ts
+import { ALL_CAPABILITIES } from "@kehto/acl/capabilities";
 import { resolveCapabilitiesNub } from "@kehto/acl";
+var CLASS_CAPABILITY_ALLOWLIST = Object.freeze({
+  "class-1": new Set(ALL_CAPABILITIES),
+  "class-2": new Set(ALL_CAPABILITIES.filter(
+    (c) => c !== "relay:write" && c !== "identity:decrypt"
+  ))
+});
 function createEnforceGate(config) {
   const { checkAcl, resolveIdentity, onAclCheck } = config;
   return function enforce(pubkey, capability, message) {
@@ -9,10 +16,11 @@ function createEnforceGate(config) {
     const allowed = checkAcl(pubkey, dTag, aggregateHash, capability);
     const identity = { pubkey, dTag, hash: aggregateHash };
     const decision = allowed ? "allow" : "deny";
+    const reason = allowed ? "allowed" : "capability-missing";
     if (onAclCheck) {
-      onAclCheck({ identity, capability, decision, message });
+      onAclCheck({ identity, capability, decision, message, reason });
     }
-    return { allowed, capability };
+    return { allowed, capability, reason };
   };
 }
 function createNubEnforceGate(config) {
@@ -21,13 +29,31 @@ function createNubEnforceGate(config) {
     const entry = resolveIdentityByWindowId(windowId);
     const dTag = entry?.dTag ?? "";
     const aggregateHash = entry?.aggregateHash ?? "";
+    const nappletClass = entry?.class ?? null;
+    if (nappletClass !== null) {
+      const allowlist = CLASS_CAPABILITY_ALLOWLIST[nappletClass];
+      if (!allowlist || !allowlist.has(capability)) {
+        const identity2 = { pubkey: "", dTag, hash: aggregateHash };
+        if (onAclCheck) {
+          onAclCheck({
+            identity: identity2,
+            capability,
+            decision: "deny",
+            message,
+            reason: "class-forbidden"
+          });
+        }
+        return { allowed: false, capability, reason: "class-forbidden" };
+      }
+    }
     const allowed = checkAcl("", dTag, aggregateHash, capability);
     const identity = { pubkey: "", dTag, hash: aggregateHash };
     const decision = allowed ? "allow" : "deny";
+    const reason = allowed ? "allowed" : "capability-missing";
     if (onAclCheck) {
-      onAclCheck({ identity, capability, decision, message });
+      onAclCheck({ identity, capability, decision, message, reason });
     }
-    return { allowed, capability };
+    return { allowed, capability, reason };
   };
 }
 function formatDenialReason(capability) {
@@ -117,7 +143,7 @@ import {
   CAP_HOTKEY_FORWARD,
   CAP_STATE_READ,
   CAP_STATE_WRITE,
-  CAP_ALL
+  toKey
 } from "@kehto/acl";
 var CAP_IDENTITY_READ = 1 << 5;
 var CAP_KEYS_BIND = 1 << 6;
@@ -126,6 +152,10 @@ var CAP_MEDIA_CONTROL = 1 << 10;
 var CAP_NOTIFY_SEND = 1 << 11;
 var CAP_NOTIFY_CHANNEL = 1 << 12;
 var CAP_THEME_READ = 1 << 13;
+var CAP_CONFIG_READ = 1 << 14;
+var CAP_RESOURCE_FETCH = 1 << 15;
+var CAP_IDENTITY_DECRYPT = 1 << 16;
+var CAP_CVM_CALL = 1 << 17;
 var CAP_MAP = {
   "relay:read": CAP_RELAY_READ,
   "relay:write": CAP_RELAY_WRITE,
@@ -140,8 +170,13 @@ var CAP_MAP = {
   "media:control": CAP_MEDIA_CONTROL,
   "notify:send": CAP_NOTIFY_SEND,
   "notify:channel": CAP_NOTIFY_CHANNEL,
-  "theme:read": CAP_THEME_READ
+  "theme:read": CAP_THEME_READ,
+  "config:read": CAP_CONFIG_READ,
+  "resource:fetch": CAP_RESOURCE_FETCH,
+  "identity:decrypt": CAP_IDENTITY_DECRYPT,
+  "cvm:call": CAP_CVM_CALL
 };
+var RUNTIME_CAP_ALL = Object.values(CAP_MAP).reduce((bits, bit) => bits | bit, 0);
 function capToBit(cap) {
   return CAP_MAP[cap] ?? 0;
 }
@@ -157,6 +192,11 @@ function toIdentity(pubkey, dTag, hash) {
 }
 function createAclState(persistence, defaultPolicy = "permissive") {
   let state = createState(defaultPolicy);
+  function ensureRuntimeDefaultEntry(id) {
+    if (state.defaultPolicy !== "permissive") return;
+    if (state.entries[toKey(id)]) return;
+    state = grant(state, id, RUNTIME_CAP_ALL);
+  }
   return {
     check(pubkey, dTag, aggregateHash, capability) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
@@ -164,23 +204,27 @@ function createAclState(persistence, defaultPolicy = "permissive") {
     },
     grant(pubkey, dTag, aggregateHash, capability) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
+      ensureRuntimeDefaultEntry(id);
       state = grant(state, id, capToBit(capability));
     },
     revoke(pubkey, dTag, aggregateHash, capability) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
+      ensureRuntimeDefaultEntry(id);
       state = revoke(state, id, capToBit(capability));
     },
     block(pubkey, dTag, aggregateHash) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
+      ensureRuntimeDefaultEntry(id);
       state = block(state, id);
     },
     unblock(pubkey, dTag, aggregateHash) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
+      ensureRuntimeDefaultEntry(id);
       state = unblock(state, id);
     },
     isBlocked(pubkey, dTag, aggregateHash) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
-      return !check(state, id, CAP_ALL) && this.getEntry(pubkey, dTag, aggregateHash)?.blocked === true;
+      return !check(state, id, RUNTIME_CAP_ALL) && this.getEntry(pubkey, dTag, aggregateHash)?.blocked === true;
     },
     getEntry(pubkey, dTag, aggregateHash) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
@@ -195,8 +239,7 @@ function createAclState(persistence, defaultPolicy = "permissive") {
       };
     },
     getAllEntries() {
-      return Object.entries(state.entries).map(([key, entry]) => {
-        const parts = key.split(":");
+      return Object.entries(state.entries).map(([, entry]) => {
         return {
           pubkey: "",
           capabilities: bitsToCapabilities(entry.caps),
@@ -391,22 +434,21 @@ function createEventBuffer(sendToNapplet, sessionRegistry, enforce, subscription
 
 // src/runtime.ts
 import { createDispatch } from "@napplet/core";
-import { ALL_CAPABILITIES } from "@kehto/acl/capabilities";
 
 // src/service-dispatch.ts
 function routeServiceMessage(windowId, message, services, sendToNapplet) {
-  const send = (msg) => sendToNapplet(windowId, msg);
   const domain = message.type.split(".")[0];
   const handler = services[domain];
   if (handler) {
-    handler.handleMessage(windowId, message, send);
+    handler.handleMessage(windowId, message, (msg) => sendToNapplet(windowId, msg));
     return true;
   }
-  if (message.type === "ifc.emit" && typeof message.topic === "string") {
-    const prefix = message.topic.split(":")[0];
+  const ifcMessage = message;
+  if (message.type === "ifc.emit" && typeof ifcMessage.topic === "string") {
+    const prefix = ifcMessage.topic.split(":")[0];
     const ifcHandler = services[prefix];
     if (ifcHandler) {
-      ifcHandler.handleMessage(windowId, message, send);
+      ifcHandler.handleMessage(windowId, message, (msg) => sendToNapplet(windowId, msg));
       return true;
     }
   }
@@ -421,6 +463,492 @@ function notifyServiceWindowDestroyed(windowId, services) {
   }
 }
 
+// src/relay-handler.ts
+function createRelayHandler(context) {
+  return function handleRelayMessage(windowId, msg) {
+    const m = msg;
+    const dotIdx = msg.type.indexOf(".");
+    const action = msg.type.slice(dotIdx + 1);
+    switch (action) {
+      case "subscribe":
+        handleRelaySubscribe(context, windowId, msg, m);
+        return;
+      case "close":
+        handleRelayClose(context, windowId, msg, m);
+        return;
+      case "publish":
+        handleRelayPublish(context, windowId, msg, m);
+        return;
+      case "publishEncrypted":
+        handleRelayPublishEncrypted(context, windowId, msg);
+        return;
+      case "query":
+        handleRelayQuery(context, windowId, m);
+        return;
+      default:
+        return;
+    }
+  };
+}
+function relayServiceFrom(context) {
+  return context.serviceRegistry["relay"] ?? context.serviceRegistry["relay-pool"];
+}
+function isShellKindQuery(filters) {
+  return filters.length > 0 && filters.every((filter) => filter.kinds?.every((kind) => kind >= 29e3 && kind < 3e4));
+}
+function handleRelaySubscribe(context, windowId, msg, m) {
+  const { eventBuffer, hooks, serviceRegistry, subscriptions } = context;
+  const subId = m.subId ?? "";
+  const filters = m.filters ?? [];
+  if (!subId) return;
+  const subKey = `${windowId}:${subId}`;
+  subscriptions.set(subKey, { windowId, filters });
+  const seenIds = /* @__PURE__ */ new Set();
+  function deliver(event) {
+    if (seenIds.has(event.id)) return;
+    seenIds.add(event.id);
+    if (subscriptions.has(subKey)) {
+      hooks.sendToNapplet(windowId, { type: "relay.event", subId, event });
+    }
+  }
+  for (const bufferedEvent of eventBuffer.getBufferedEvents()) {
+    if (matchesAnyFilter(bufferedEvent, filters)) deliver(bufferedEvent);
+  }
+  const isShellKind = isShellKindQuery(filters);
+  const relayService = relayServiceFrom(context);
+  const cacheService = !serviceRegistry["relay"] ? serviceRegistry["cache"] : void 0;
+  if (!isShellKind && relayService) {
+    relayService.handleMessage(windowId, msg, (resp) => {
+      if (!subscriptions.has(subKey)) return;
+      hooks.sendToNapplet(windowId, resp);
+    });
+    if (cacheService) {
+      cacheService.handleMessage(windowId, msg, (resp) => {
+        if (!subscriptions.has(subKey)) return;
+        hooks.sendToNapplet(windowId, resp);
+      });
+    }
+    return;
+  }
+  deliverFromRuntimeBackends(context, windowId, subId, subKey, filters, isShellKind, deliver);
+}
+function deliverFromRuntimeBackends(context, windowId, subId, subKey, filters, isShellKind, deliver) {
+  const { hooks } = context;
+  const cache = hooks.cache;
+  if (cache?.isAvailable() && !isShellKind) {
+    cache.query(filters).then((cachedEvents) => {
+      for (const event of cachedEvents) deliver(event);
+    }).catch(() => {
+    });
+  }
+  const pool = hooks.relayPool;
+  if (!pool?.isAvailable() && !isShellKind) {
+    hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
+    return;
+  }
+  if (!pool?.isAvailable() || isShellKind) return;
+  const relayUrls = pool.selectRelayTier(filters);
+  let eoseSent = false;
+  const eoseFallbackTimer = setTimeout(() => {
+    if (!eoseSent) {
+      eoseSent = true;
+      hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
+    }
+  }, 15e3);
+  const subscription = pool.subscribe(filters, (item) => {
+    if (item === "EOSE") {
+      clearTimeout(eoseFallbackTimer);
+      if (!eoseSent) {
+        eoseSent = true;
+        hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
+      }
+      return;
+    }
+    deliver(item);
+    if (cache?.isAvailable() && !isShellKind) {
+      try {
+        cache.store(item);
+      } catch {
+        return;
+      }
+    }
+  }, relayUrls);
+  pool.trackSubscription(subKey, () => {
+    clearTimeout(eoseFallbackTimer);
+    subscription.unsubscribe();
+  });
+}
+function handleRelayClose(context, windowId, msg, m) {
+  const { hooks, subscriptions } = context;
+  const subId = m.subId ?? "";
+  if (!subId) return;
+  const subKey = `${windowId}:${subId}`;
+  subscriptions.delete(subKey);
+  const relayService = relayServiceFrom(context);
+  if (relayService) relayService.handleMessage(windowId, msg, () => {
+  });
+  hooks.relayPool?.untrackSubscription(subKey);
+  hooks.sendToNapplet(windowId, { type: "relay.closed", subId, message: "" });
+}
+function handleRelayPublish(context, windowId, msg, m) {
+  const { eventBuffer, hooks, replayDetector } = context;
+  const event = m.event;
+  const id = m.id ?? "";
+  if (!event || typeof event !== "object") {
+    hooks.sendToNapplet(windowId, { type: "relay.publish.error", id, error: "invalid event" });
+    return;
+  }
+  const replayResult = replayDetector.check(event);
+  if (replayResult !== null) {
+    hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: false, message: replayResult });
+    return;
+  }
+  const relayService = relayServiceFrom(context);
+  if (relayService) {
+    relayService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+  } else if (hooks.relayPool?.isAvailable()) {
+    hooks.relayPool.publish(event);
+    hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: true });
+  } else {
+    hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: false, message: "no relay pool available" });
+  }
+  eventBuffer.bufferAndDeliver(event, windowId);
+}
+function handleRelayPublishEncrypted(context, windowId, msg) {
+  const { hooks } = context;
+  const id = msg.id ?? "";
+  const eventTemplate = msg.event;
+  const peMsg = msg;
+  const recipient = peMsg.recipient ?? "";
+  const encryption = peMsg.encryption ?? "nip44";
+  const replyPe = (ok, extra = {}) => {
+    hooks.sendToNapplet(windowId, { type: "relay.publishEncrypted.result", id, ok, ...extra });
+  };
+  if (!recipient) {
+    replyPe(false, { error: "missing recipient" });
+    return;
+  }
+  if (encryption !== "nip44" && encryption !== "nip04") {
+    replyPe(false, { error: `unsupported encryption scheme: ${encryption}` });
+    return;
+  }
+  const peSigner = hooks.auth.getSigner();
+  if (!peSigner) {
+    replyPe(false, { error: "no signer configured" });
+    return;
+  }
+  if (!eventTemplate || typeof eventTemplate !== "object") {
+    replyPe(false, { error: "invalid event template" });
+    return;
+  }
+  publishEncrypted(context, windowId, id, recipient, encryption, eventTemplate, replyPe);
+}
+function publishEncrypted(context, windowId, id, recipient, encryption, eventTemplate, replyPe) {
+  const { eventBuffer, hooks } = context;
+  const peSigner = hooks.auth.getSigner();
+  if (!peSigner) return;
+  (async () => {
+    try {
+      const plaintext = String(eventTemplate.content ?? "");
+      const ciphertext = encryption === "nip44" ? await peSigner.nip44?.encrypt(recipient, plaintext) ?? "" : await peSigner.nip04?.encrypt(recipient, plaintext) ?? "";
+      const eventWithCiphertext = { ...eventTemplate, content: ciphertext };
+      const signed = await peSigner.signEvent?.(eventWithCiphertext);
+      if (!signed) {
+        replyPe(false, { error: "signEvent returned null" });
+        return;
+      }
+      publishSignedEncrypted(context, windowId, id, signed, replyPe);
+      try {
+        eventBuffer.bufferAndDeliver(signed, windowId);
+      } catch {
+        return;
+      }
+    } catch (err) {
+      replyPe(false, { error: err?.message ?? "encryption failed" });
+    }
+  })();
+}
+function publishSignedEncrypted(context, windowId, id, signed, replyPe) {
+  const { hooks } = context;
+  const relayService = relayServiceFrom(context);
+  if (!relayService) {
+    if (hooks.relayPool?.isAvailable()) {
+      hooks.relayPool.publish(signed);
+      replyPe(true, { event: signed, eventId: signed.id });
+    } else {
+      replyPe(false, { error: "no relay pool available" });
+    }
+    return;
+  }
+  const publishMsg = { type: "relay.publish", id, event: signed };
+  let replied = false;
+  relayService.handleMessage(windowId, publishMsg, (resp) => {
+    if (replied) return;
+    const r = resp;
+    if (typeof r.type !== "string" || !r.type.startsWith("relay.publish")) return;
+    const okVal = r.ok ?? r.accepted ?? false;
+    replied = true;
+    const publishResult = { event: signed, eventId: signed.id };
+    if (!okVal) publishResult.error = r.error ?? r.message ?? "publish failed";
+    replyPe(okVal, publishResult);
+  });
+  if (!replied) {
+    replied = true;
+    replyPe(true, { event: signed, eventId: signed.id });
+  }
+}
+function handleRelayQuery(context, windowId, m) {
+  const id = m.id ?? "";
+  const filters = m.filters ?? [];
+  let count = 0;
+  for (const event of context.eventBuffer.getBufferedEvents()) {
+    if (matchesAnyFilter(event, filters)) count++;
+  }
+  context.hooks.sendToNapplet(windowId, { type: "relay.query.result", id, count });
+}
+
+// src/identity-handler.ts
+function createIdentityHandler(context) {
+  return function handleIdentityMessage(windowId, msg) {
+    const { hooks, serviceRegistry } = context;
+    const identityService = serviceRegistry["identity"];
+    if (identityService) {
+      identityService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+      return;
+    }
+    const id = msg.id ?? "";
+    const action = msg.type.slice("identity.".length);
+    const signer = hooks.auth.getSigner();
+    const sendError = (error) => {
+      hooks.sendToNapplet(windowId, { type: `${msg.type}.error`, id, error });
+    };
+    const sendResult = (payload) => {
+      hooks.sendToNapplet(windowId, { type: `${msg.type}.result`, id, ...payload });
+    };
+    switch (action) {
+      case "getPublicKey":
+        if (!signer) {
+          sendResult({ pubkey: "" });
+          return;
+        }
+        Promise.resolve(signer.getPublicKey?.()).then((pubkey) => sendResult({ pubkey: pubkey ?? "" })).catch((err) => sendError(err?.message ?? "getPublicKey failed"));
+        return;
+      case "getRelays":
+        if (!signer) {
+          sendError("no signer configured");
+          return;
+        }
+        Promise.resolve(signer.getRelays?.() ?? {}).then((relays) => sendResult({ relays })).catch((err) => sendError(err?.message ?? "getRelays failed"));
+        return;
+      case "getProfile":
+        sendResult({ profile: null });
+        return;
+      case "getFollows":
+        sendResult({ pubkeys: [] });
+        return;
+      case "getList":
+        sendResult({ entries: [] });
+        return;
+      case "getZaps":
+        sendResult({ zaps: [] });
+        return;
+      case "getMutes":
+        sendResult({ pubkeys: [] });
+        return;
+      case "getBlocked":
+        sendResult({ pubkeys: [] });
+        return;
+      case "getBadges":
+        sendResult({ badges: [] });
+        return;
+      default:
+        sendError(`Unknown identity action: ${action}`);
+    }
+  };
+}
+
+// src/ifc-handler.ts
+function createIfcRuntime(hooks, sessionRegistry) {
+  const state = {
+    subscriptions: /* @__PURE__ */ new Map(),
+    channels: /* @__PURE__ */ new Map(),
+    channelsByWindow: /* @__PURE__ */ new Map()
+  };
+  return {
+    handleMessage(windowId, msg) {
+      handleIfcMessage(state, hooks, sessionRegistry, windowId, msg);
+    },
+    destroyWindow(windowId) {
+      removeWindowChannels(state, hooks, windowId);
+      removeWindowSubscriptions(state, windowId);
+    },
+    clear() {
+      state.subscriptions.clear();
+      state.channels.clear();
+      state.channelsByWindow.clear();
+    }
+  };
+}
+function addChannel(state, channelId, peerA, peerB) {
+  state.channels.set(channelId, { channelId, peerA, peerB });
+  for (const windowId of [peerA, peerB]) {
+    let set = state.channelsByWindow.get(windowId);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      state.channelsByWindow.set(windowId, set);
+    }
+    set.add(channelId);
+  }
+}
+function removeChannel(state, channelId) {
+  const channel = state.channels.get(channelId);
+  if (!channel) return;
+  state.channels.delete(channelId);
+  for (const windowId of [channel.peerA, channel.peerB]) {
+    const set = state.channelsByWindow.get(windowId);
+    if (!set) continue;
+    set.delete(channelId);
+    if (set.size === 0) state.channelsByWindow.delete(windowId);
+  }
+}
+function peerOf(state, channelId, self) {
+  const channel = state.channels.get(channelId);
+  if (!channel) return null;
+  if (channel.peerA === self) return channel.peerB;
+  if (channel.peerB === self) return channel.peerA;
+  return null;
+}
+function resolveTarget(sessionRegistry, target) {
+  if (sessionRegistry.getEntryByWindowId(target)) return target;
+  const entries = sessionRegistry.getAllEntries();
+  const byPubkey = entries.find((entry) => entry.pubkey === target);
+  return byPubkey?.windowId ?? null;
+}
+function handleIfcMessage(state, hooks, sessionRegistry, windowId, msg) {
+  const m = msg;
+  const dotIdx = msg.type.indexOf(".");
+  const action = msg.type.slice(dotIdx + 1);
+  switch (action) {
+    case "emit":
+      handleEmit(state, hooks, windowId, m);
+      return;
+    case "subscribe":
+      handleSubscribe(state, hooks, windowId, m);
+      return;
+    case "unsubscribe":
+      handleUnsubscribe(state, windowId, m);
+      return;
+    case "channel.open":
+      handleChannelOpen(state, hooks, sessionRegistry, windowId, m);
+      return;
+    case "channel.emit":
+      handleChannelEmit(state, hooks, windowId, m);
+      return;
+    case "channel.broadcast":
+      handleChannelBroadcast(state, hooks, windowId, m);
+      return;
+    case "channel.list":
+      handleChannelList(state, hooks, windowId, m);
+      return;
+    case "channel.close":
+      handleChannelClose(state, hooks, windowId, m);
+      return;
+    default:
+      return;
+  }
+}
+function handleEmit(state, hooks, windowId, m) {
+  const topic = m.topic ?? "";
+  if (!topic) return;
+  const subscribers = state.subscriptions.get(topic);
+  if (!subscribers) return;
+  for (const subscriberWindowId of subscribers) {
+    if (subscriberWindowId !== windowId) {
+      hooks.sendToNapplet(subscriberWindowId, { type: "ifc.event", topic, payload: m.payload, sender: windowId });
+    }
+  }
+}
+function handleSubscribe(state, hooks, windowId, m) {
+  const id = m.id ?? "";
+  const topic = m.topic ?? "";
+  if (!topic) {
+    hooks.sendToNapplet(windowId, { type: "ifc.subscribe.result", id, error: "missing topic" });
+    return;
+  }
+  let subscriptions = state.subscriptions.get(topic);
+  if (!subscriptions) {
+    subscriptions = /* @__PURE__ */ new Set();
+    state.subscriptions.set(topic, subscriptions);
+  }
+  subscriptions.add(windowId);
+  hooks.sendToNapplet(windowId, { type: "ifc.subscribe.result", id });
+}
+function handleUnsubscribe(state, windowId, m) {
+  const topic = m.topic ?? "";
+  if (!topic) return;
+  const subscriptions = state.subscriptions.get(topic);
+  if (!subscriptions) return;
+  subscriptions.delete(windowId);
+  if (subscriptions.size === 0) state.subscriptions.delete(topic);
+}
+function handleChannelOpen(state, hooks, sessionRegistry, windowId, m) {
+  const id = m.id ?? "";
+  const peerWindow = resolveTarget(sessionRegistry, m.target ?? "");
+  if (!peerWindow) {
+    hooks.sendToNapplet(windowId, { type: "ifc.channel.open.result", id, error: "target not found" });
+    return;
+  }
+  const channelId = hooks.crypto.randomUUID().replace(/-/g, "").slice(0, 32);
+  addChannel(state, channelId, windowId, peerWindow);
+  hooks.sendToNapplet(windowId, { type: "ifc.channel.open.result", id, channelId, peer: peerWindow });
+}
+function handleChannelEmit(state, hooks, windowId, m) {
+  const peer = peerOf(state, m.channelId ?? "", windowId);
+  if (peer) hooks.sendToNapplet(peer, { type: "ifc.channel.event", channelId: m.channelId ?? "", sender: windowId, payload: m.payload });
+}
+function handleChannelBroadcast(state, hooks, windowId, m) {
+  const channels = state.channelsByWindow.get(windowId);
+  if (!channels) return;
+  for (const channelId of channels) {
+    const peer = peerOf(state, channelId, windowId);
+    if (peer) hooks.sendToNapplet(peer, { type: "ifc.channel.event", channelId, sender: windowId, payload: m.payload });
+  }
+}
+function handleChannelList(state, hooks, windowId, m) {
+  const channels = [];
+  const set = state.channelsByWindow.get(windowId);
+  if (set) {
+    for (const channelId of set) {
+      const peer = peerOf(state, channelId, windowId);
+      if (peer) channels.push({ id: channelId, peer });
+    }
+  }
+  hooks.sendToNapplet(windowId, { type: "ifc.channel.list.result", id: m.id ?? "", channels });
+}
+function handleChannelClose(state, hooks, windowId, m) {
+  const channelId = m.channelId ?? "";
+  const peer = peerOf(state, channelId, windowId);
+  if (!peer) return;
+  hooks.sendToNapplet(windowId, { type: "ifc.channel.closed", channelId });
+  hooks.sendToNapplet(peer, { type: "ifc.channel.closed", channelId });
+  removeChannel(state, channelId);
+}
+function removeWindowSubscriptions(state, windowId) {
+  for (const [topic, subscriptions] of state.subscriptions) {
+    subscriptions.delete(windowId);
+    if (subscriptions.size === 0) state.subscriptions.delete(topic);
+  }
+}
+function removeWindowChannels(state, hooks, windowId) {
+  const channelIds = state.channelsByWindow.get(windowId);
+  if (!channelIds) return;
+  for (const channelId of Array.from(channelIds)) {
+    const peer = peerOf(state, channelId, windowId);
+    if (peer) hooks.sendToNapplet(peer, { type: "ifc.channel.closed", channelId });
+    removeChannel(state, channelId);
+  }
+}
+
 // src/state-handler.ts
 function scopedKey(dTag, aggregateHash, userKey) {
   return `napplet-state:${dTag}:${aggregateHash}:${userKey}`;
@@ -450,7 +978,7 @@ function handleStorageNub(windowId, msg, sendToNapplet, sessionRegistry, aclStat
     sendToNapplet(windowId, { type: `${msg.type}.result`, id, ...payload });
   }
   function sendErrorNub(error) {
-    sendToNapplet(windowId, { type: `${msg.type}.error`, id, error });
+    sendToNapplet(windowId, { type: `${msg.type}.result`, id, error });
   }
   const entry = sessionRegistry.getEntryByWindowId(windowId);
   if (!entry) {
@@ -509,7 +1037,7 @@ function handleStorageNub(windowId, msg, sendToNapplet, sessionRegistry, aclStat
       break;
     }
     case "clear": {
-      sendErrorNub("storage.clear is not in @napplet/nub-storage; action not supported");
+      sendErrorNub("storage.clear is not in @napplet/nub/storage; action not supported");
       break;
     }
     case "keys": {
@@ -533,14 +1061,132 @@ function cleanupNappState(pubkey, dTag, aggregateHash, statePersistence) {
   statePersistence.clear(legacyPrefix);
 }
 
+// src/domain-handlers.ts
+var THEME_FALLBACK_DEFAULT = {
+  colors: { background: "#0a0a0a", text: "#e0e0e0", primary: "#7aa2f7" }
+};
+function createRuntimeDomainHandlers(context) {
+  return {
+    storage: (windowId, msg) => handleStorageMessage(context, windowId, msg),
+    media: (windowId, msg) => handleMediaMessage(context, windowId, msg),
+    keys: (windowId, msg) => handleKeysMessage(context, windowId, msg),
+    notify: (windowId, msg) => handleNotifyMessage(context, windowId, msg),
+    theme: (windowId, msg) => handleThemeMessage(context, windowId, msg),
+    config: (windowId, msg) => handleServiceOnlyMessage(context, "config", windowId, msg),
+    resource: (windowId, msg) => handleServiceOnlyMessage(context, "resource", windowId, msg),
+    cvm: (windowId, msg) => handleServiceOnlyMessage(context, "cvm", windowId, msg)
+  };
+}
+function handleStorageMessage(context, windowId, msg) {
+  const { aclState, hooks, sessionRegistry } = context;
+  handleStorageNub(windowId, msg, hooks.sendToNapplet, sessionRegistry, aclState, hooks.statePersistence);
+}
+function handleMediaMessage(context, windowId, msg) {
+  const { hooks, serviceRegistry } = context;
+  const mediaService = serviceRegistry["media"];
+  if (mediaService) {
+    mediaService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+    return;
+  }
+  if (msg.type === "media.session.create") {
+    const m = msg;
+    if (m.owner !== "napplet" && m.owner !== "shell") {
+      hooks.sendToNapplet(windowId, {
+        type: "media.session.create.result",
+        id: m.id ?? "",
+        error: "missing owner"
+      });
+      return;
+    }
+    if (m.owner === "shell") {
+      hooks.sendToNapplet(windowId, {
+        type: "media.session.create.result",
+        id: m.id ?? "",
+        owner: "shell",
+        error: "unsupported owner mode"
+      });
+      return;
+    }
+    hooks.sendToNapplet(windowId, {
+      type: "media.session.create.result",
+      id: m.id ?? "",
+      sessionId: m.sessionId ?? "",
+      owner: m.owner
+    });
+  }
+}
+function handleKeysMessage(context, windowId, msg) {
+  const { hooks, serviceRegistry } = context;
+  const keysService = serviceRegistry["keys"];
+  if (keysService) {
+    keysService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+    return;
+  }
+  if (msg.type === "keys.forward") {
+    forwardHotkey(hooks, msg);
+    return;
+  }
+  if (msg.type === "keys.registerAction") sendRegisterActionResult(hooks, windowId, msg);
+}
+function forwardHotkey(hooks, msg) {
+  const m = msg;
+  hooks.hotkeys.executeHotkeyFromForward({
+    key: m.key ?? "",
+    code: m.code ?? "",
+    ctrlKey: !!m.ctrl,
+    altKey: !!m.alt,
+    shiftKey: !!m.shift,
+    metaKey: !!m.meta
+  });
+}
+function sendRegisterActionResult(hooks, windowId, msg) {
+  const m = msg;
+  hooks.sendToNapplet(windowId, {
+    type: "keys.registerAction.result",
+    id: m.id ?? "",
+    actionId: m.action?.id ?? "",
+    ...m.action?.defaultKey ? { binding: m.action.defaultKey } : {}
+  });
+}
+function handleNotifyMessage(context, windowId, msg) {
+  const { hooks, serviceRegistry } = context;
+  const notifyService = serviceRegistry["notify"];
+  if (notifyService) {
+    notifyService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+    return;
+  }
+  if (msg.type === "notify.send") {
+    const m = msg;
+    hooks.sendToNapplet(windowId, { type: "notify.send.result", id: m.id ?? "", notificationId: `shell-${Date.now()}` });
+  } else if (msg.type === "notify.permission.request") {
+    const m = msg;
+    hooks.sendToNapplet(windowId, { type: "notify.permission.result", id: m.id ?? "", granted: true });
+  }
+}
+function handleThemeMessage(context, windowId, msg) {
+  const { hooks, serviceRegistry } = context;
+  const themeService = serviceRegistry["theme"];
+  if (themeService) {
+    themeService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+    return;
+  }
+  if (msg.type === "theme.get") {
+    const m = msg;
+    hooks.sendToNapplet(windowId, {
+      type: "theme.get.result",
+      id: m.id ?? "",
+      theme: THEME_FALLBACK_DEFAULT
+    });
+  }
+}
+function handleServiceOnlyMessage(context, name, windowId, msg) {
+  const service = context.serviceRegistry[name];
+  if (!service) return;
+  service.handleMessage(windowId, msg, (resp) => context.hooks.sendToNapplet(windowId, resp));
+}
+
 // src/runtime.ts
-function createRuntime(hooks) {
-  const subscriptions = /* @__PURE__ */ new Map();
-  const ifcSubscriptions = /* @__PURE__ */ new Map();
-  const ifcChannels = /* @__PURE__ */ new Map();
-  const ifcChannelsByWindow = /* @__PURE__ */ new Map();
-  let _consentHandler = null;
-  const serviceRegistry = { ...hooks.services ?? {} };
+function createRegisteredServices(serviceRegistry) {
   const registeredServices = /* @__PURE__ */ new Map();
   for (const [name, handler] of Object.entries(serviceRegistry)) {
     registeredServices.set(name, {
@@ -549,824 +1195,36 @@ function createRuntime(hooks) {
       description: handler.descriptor.description
     });
   }
-  const undeclaredServiceConsents = /* @__PURE__ */ new Set();
-  const sessionRegistry = createSessionRegistry(hooks.onPendingUpdate);
-  const aclState = createAclState(hooks.aclPersistence);
-  const manifestCache = createManifestCache(hooks.manifestPersistence);
-  const replayDetector = createReplayDetector(
-    hooks.getConfigOverrides ? () => hooks.getConfigOverrides().replayWindowSeconds : void 0
-  );
-  const enforce = createEnforceGate({
-    checkAcl: (pubkey, dTag, aggregateHash, capability) => aclState.check(pubkey, dTag, aggregateHash, capability),
-    resolveIdentity: (pubkey) => {
-      const entry = sessionRegistry.getEntry(pubkey);
-      return entry ? { dTag: entry.dTag, aggregateHash: entry.aggregateHash } : void 0;
-    },
-    onAclCheck: hooks.onAclCheck
-  });
-  const enforceNub = createNubEnforceGate({
-    checkAcl: (pubkey, dTag, aggregateHash, capability) => aclState.check(pubkey, dTag, aggregateHash, capability),
-    resolveIdentityByWindowId: (windowId) => {
-      const entry = sessionRegistry.getEntryByWindowId(windowId);
-      return entry ? { dTag: entry.dTag, aggregateHash: entry.aggregateHash } : void 0;
-    },
-    onAclCheck: hooks.onAclCheck
-  });
-  const eventBuffer = createEventBuffer(
-    hooks.sendToNapplet,
-    sessionRegistry,
-    enforce,
-    subscriptions,
-    hooks.getConfigOverrides ? () => hooks.getConfigOverrides().ringBufferSize ?? RING_BUFFER_SIZE : void 0
-  );
-  aclState.load();
-  manifestCache.load();
-  function checkCompatibility(requires, windowId, eventId) {
-    if (requires.length === 0) return true;
-    const available = Array.from(registeredServices.values());
-    const registeredNames = new Set(registeredServices.keys());
-    const missing = requires.filter((name) => !registeredNames.has(name));
-    const compatible = missing.length === 0;
-    if (!compatible) {
-      const report = { available, missing, compatible };
-      hooks.onCompatibilityIssue?.(report);
-      if (hooks.strictMode) {
-        hooks.sendToNapplet(windowId, [
-          "OK",
-          eventId,
-          false,
-          `blocked: missing required services: ${missing.join(", ")}`
-        ]);
-        return false;
-      }
-    }
-    return true;
-  }
-  function checkUndeclaredService(windowId, pubkey, serviceName, event, onApproved) {
-    if (!registeredServices.has(serviceName)) return true;
-    const nappletPubkey = sessionRegistry.getPubkey(windowId);
-    if (!nappletPubkey) return true;
-    const nappletEntry = sessionRegistry.getEntry(nappletPubkey);
-    if (!nappletEntry) return true;
-    const requires = manifestCache.getRequires(nappletEntry.pubkey, nappletEntry.dTag);
-    if (requires.includes(serviceName)) return true;
-    const consentKey = `${windowId}:${serviceName}`;
-    if (undeclaredServiceConsents.has(consentKey)) return true;
-    if (_consentHandler) {
-      _consentHandler({
-        type: "undeclared-service",
-        windowId,
-        pubkey,
-        event,
-        serviceName,
-        resolve: (allowed) => {
-          if (allowed) {
-            undeclaredServiceConsents.add(consentKey);
-            onApproved();
-          }
-        }
-      });
-      return false;
-    }
-    return false;
-  }
-  function handleHotkeyForward(event) {
-    const keyData = {
-      key: event.tags?.find((t) => t[0] === "key")?.[1] ?? "",
-      code: event.tags?.find((t) => t[0] === "code")?.[1] ?? "",
-      ctrlKey: event.tags?.find((t) => t[0] === "ctrl")?.[1] === "1",
-      altKey: event.tags?.find((t) => t[0] === "alt")?.[1] === "1",
-      shiftKey: event.tags?.find((t) => t[0] === "shift")?.[1] === "1",
-      metaKey: event.tags?.find((t) => t[0] === "meta")?.[1] === "1"
-    };
-    hooks.hotkeys.executeHotkeyFromForward(keyData);
-  }
-  function handleShellCommand(event, windowId, topic) {
-    function sendOk(success, reason) {
-      hooks.sendToNapplet(windowId, ["OK", event.id, success, reason]);
-    }
-    function sendInterPaneReply(replyTopic, content) {
-      const responseEvent = {
-        kind: 29e3,
-        // IPC_PEER — inlined numeric after Phase 24 shim deletion
-        pubkey: "",
-        created_at: Math.floor(Date.now() / 1e3),
-        tags: [["t", replyTopic]],
-        content,
-        id: "",
-        sig: ""
-      };
-      hooks.sendToNapplet(windowId, ["EVENT", "__shell__", responseEvent]);
-      sendOk(true, "");
-    }
-    switch (topic) {
-      case "shell:acl-get": {
-        const aclEntries = aclState.getAllEntries();
-        const nappletEntries = sessionRegistry.getAllEntries();
-        const nappletInfoMap = {};
-        for (const e of nappletEntries) nappletInfoMap[e.pubkey] = { type: e.type, registeredAt: e.registeredAt };
-        const merged = [...aclEntries];
-        for (const e of nappletEntries) {
-          if (!merged.find((a) => a.pubkey === e.pubkey)) {
-            merged.push({ pubkey: e.pubkey, capabilities: [...ALL_CAPABILITIES], blocked: false });
-          }
-        }
-        const display = merged.map((e) => ({
-          ...e,
-          type: nappletInfoMap[e.pubkey]?.type ?? "unknown",
-          registeredAt: nappletInfoMap[e.pubkey]?.registeredAt ?? 0
-        }));
-        sendInterPaneReply("shell:acl-current", JSON.stringify({ entries: display }));
-        break;
-      }
-      case "shell:acl-revoke":
-      case "shell:acl-grant":
-      case "shell:acl-block":
-      case "shell:acl-unblock": {
-        const pk = event.tags?.find((t) => t[0] === "pubkey")?.[1];
-        const cap = event.tags?.find((t) => t[0] === "cap")?.[1];
-        if (!pk) {
-          sendOk(false, "error: missing pubkey tag");
-          break;
-        }
-        const ne = sessionRegistry.getEntry(pk);
-        if (topic === "shell:acl-revoke" && cap) aclState.revoke(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "", cap);
-        else if (topic === "shell:acl-grant" && cap) aclState.grant(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "", cap);
-        else if (topic === "shell:acl-block") aclState.block(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "");
-        else if (topic === "shell:acl-unblock") aclState.unblock(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "");
-        aclState.persist();
-        const ae = aclState.getEntry(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "");
-        sendInterPaneReply("shell:acl-current", JSON.stringify({ entries: ae ? [ae] : [] }));
-        break;
-      }
-      case "shell:relay-get":
-        sendInterPaneReply("shell:relay-current", JSON.stringify(hooks.relayConfig.getRelayConfig()));
-        break;
-      case "shell:relay-add": {
-        const tier = event.tags?.find((t) => t[0] === "tier")?.[1];
-        const url = event.tags?.find((t) => t[0] === "url")?.[1];
-        if (tier && url) {
-          hooks.relayConfig.addRelay(tier, url);
-          sendInterPaneReply("shell:relay-current", JSON.stringify(hooks.relayConfig.getRelayConfig()));
-        } else sendOk(false, "error: missing tier/url");
-        break;
-      }
-      case "shell:relay-remove": {
-        const tier = event.tags?.find((t) => t[0] === "tier")?.[1];
-        const url = event.tags?.find((t) => t[0] === "url")?.[1];
-        if (tier && url) {
-          hooks.relayConfig.removeRelay(tier, url);
-          sendInterPaneReply("shell:relay-current", JSON.stringify(hooks.relayConfig.getRelayConfig()));
-        } else sendOk(false, "error: missing tier/url");
-        break;
-      }
-      case "shell:relay-nip66":
-        sendInterPaneReply("shell:relay-nip66-data", JSON.stringify(hooks.relayConfig.getNip66Suggestions()));
-        break;
-      case "shell:relay-scoped-connect": {
-        const url = event.tags?.find((t) => t[0] === "url")?.[1];
-        const subId = event.tags?.find((t) => t[0] === "sub-id")?.[1];
-        const filtersTag = event.tags?.find((t) => t[0] === "filters")?.[1];
-        if (!url || !subId || !filtersTag) {
-          sendOk(false, "error: missing tags");
-          break;
-        }
-        try {
-          const filters = JSON.parse(filtersTag);
-          hooks.relayPool?.openScopedRelay(windowId, url, subId, filters, hooks.sendToNapplet);
-          sendOk(true, "");
-        } catch {
-          sendOk(false, "error: invalid filters");
-        }
-        break;
-      }
-      case "shell:relay-scoped-close":
-        hooks.relayPool?.closeScopedRelay(windowId);
-        sendOk(true, "");
-        break;
-      case "shell:relay-scoped-publish": {
-        const et = event.tags?.find((t) => t[0] === "event")?.[1];
-        if (!et) {
-          sendOk(false, "error: missing event tag");
-          break;
-        }
-        try {
-          const signed = JSON.parse(et);
-          const ok = hooks.relayPool?.publishToScopedRelay(windowId, signed) ?? false;
-          sendOk(ok, ok ? "" : "error: no active scoped relay");
-        } catch {
-          sendOk(false, "error: invalid event JSON");
-        }
-        break;
-      }
-      case "shell:create-window": {
-        try {
-          const payload = JSON.parse(event.content);
-          if (!payload.title || !payload.class) {
-            sendOk(false, "error: requires title and class");
-            break;
-          }
-          const id = hooks.windowManager.createWindow({ title: payload.title, class: payload.class, iframeSrc: payload.iframeSrc });
-          sendOk(!!id, id ? "" : "error: window creation failed");
-        } catch {
-          sendOk(false, "error: invalid JSON");
-        }
-        break;
-      }
-      case "shell:send-dm": {
-        if (hooks.dm) {
-          const corrId = event.tags?.find((t) => t[0] === "id")?.[1] ?? "";
-          const recipient = event.tags?.find((t) => t[0] === "p")?.[1];
-          let message;
-          try {
-            message = JSON.parse(event.content).message;
-          } catch {
-          }
-          if (!recipient || !message) {
-            sendOk(false, "error: missing recipient or message");
-            break;
-          }
-          hooks.dm.sendDm(recipient, message).then((result) => {
-            const payload = result.success ? { success: true, ...result.eventId ? { eventId: result.eventId } : {} } : { success: false, error: result.error ?? "unknown error" };
-            const response = {
-              kind: 29e3,
-              // IPC_PEER — inlined numeric after Phase 24 shim deletion
-              pubkey: "",
-              created_at: Math.floor(Date.now() / 1e3),
-              tags: [["t", "shell:send-dm-result"], ["id", corrId]],
-              content: JSON.stringify(payload),
-              id: "",
-              sig: ""
-            };
-            hooks.sendToNapplet(windowId, ["EVENT", "__shell__", response]);
-            sendOk(result.success, result.success ? "" : `error: ${result.error}`);
-          }).catch(() => {
-            sendOk(false, "error: DM send failed");
-          });
-        } else sendOk(false, "error: DM hooks not configured");
-        break;
-      }
-      default:
-        sendOk(true, "");
-        break;
-    }
-  }
-  function handleRelayMessage(windowId, msg) {
-    const m = msg;
-    const dotIdx = msg.type.indexOf(".");
-    const action = msg.type.slice(dotIdx + 1);
-    switch (action) {
-      case "subscribe": {
-        let deliver2 = function(event) {
-          if (seenIds.has(event.id)) return;
-          seenIds.add(event.id);
-          if (subscriptions.has(subKey)) {
-            hooks.sendToNapplet(windowId, { type: "relay.event", subId, event });
-          }
-        };
-        var deliver = deliver2;
-        const subId = m.subId ?? "";
-        const filters = m.filters ?? [];
-        if (!subId) return;
-        const subKey = `${windowId}:${subId}`;
-        subscriptions.set(subKey, { windowId, filters });
-        const seenIds = /* @__PURE__ */ new Set();
-        for (const bufferedEvent of eventBuffer.getBufferedEvents()) {
-          if (matchesAnyFilter(bufferedEvent, filters)) deliver2(bufferedEvent);
-        }
-        const isShellKind = filters.length > 0 && filters.every((f) => f.kinds?.every((k) => k >= 29e3 && k < 3e4));
-        if (!isShellKind) {
-          const relayService = serviceRegistry["relay"] ?? serviceRegistry["relay-pool"];
-          const cacheService = !serviceRegistry["relay"] ? serviceRegistry["cache"] : void 0;
-          if (relayService) {
-            relayService.handleMessage(windowId, msg, (resp) => {
-              if (!subscriptions.has(subKey)) return;
-              hooks.sendToNapplet(windowId, resp);
-            });
-            if (cacheService) cacheService.handleMessage(windowId, msg, (resp) => {
-              if (!subscriptions.has(subKey)) return;
-              hooks.sendToNapplet(windowId, resp);
-            });
-            return;
-          }
-        }
-        const cache = hooks.cache;
-        if (cache?.isAvailable() && !isShellKind) {
-          cache.query(filters).then((cachedEvents) => {
-            for (const event of cachedEvents) deliver2(event);
-          }).catch(() => {
-          });
-        }
-        const pool = hooks.relayPool;
-        if (pool?.isAvailable() && !isShellKind) {
-          const relayUrls = pool.selectRelayTier(filters);
-          let eoseSent = false;
-          const eoseFallbackTimer = setTimeout(() => {
-            if (!eoseSent) {
-              eoseSent = true;
-              hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
-            }
-          }, 15e3);
-          const subscription = pool.subscribe(filters, (item) => {
-            if (item === "EOSE") {
-              clearTimeout(eoseFallbackTimer);
-              if (!eoseSent) {
-                eoseSent = true;
-                hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
-              }
-              return;
-            }
-            deliver2(item);
-            if (cache?.isAvailable() && !isShellKind) {
-              try {
-                cache.store(item);
-              } catch {
-              }
-            }
-          }, relayUrls);
-          pool.trackSubscription(subKey, () => {
-            clearTimeout(eoseFallbackTimer);
-            subscription.unsubscribe();
-          });
-        } else if (!isShellKind) {
-          hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
-        }
-        break;
-      }
-      case "close": {
-        const subId = m.subId ?? "";
-        if (!subId) return;
-        const subKey = `${windowId}:${subId}`;
-        subscriptions.delete(subKey);
-        const relayService = serviceRegistry["relay"] ?? serviceRegistry["relay-pool"];
-        if (relayService) {
-          relayService.handleMessage(windowId, msg, () => {
-          });
-        }
-        hooks.relayPool?.untrackSubscription(subKey);
-        hooks.sendToNapplet(windowId, { type: "relay.closed", subId, message: "" });
-        break;
-      }
-      case "publish": {
-        const event = m.event;
-        const id = m.id ?? "";
-        if (!event || typeof event !== "object") {
-          hooks.sendToNapplet(windowId, { type: "relay.publish.error", id, error: "invalid event" });
-          return;
-        }
-        const replayResult = replayDetector.check(event);
-        if (replayResult !== null) {
-          hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: false, message: replayResult });
-          return;
-        }
-        const relayService = serviceRegistry["relay"] ?? serviceRegistry["relay-pool"];
-        if (relayService) {
-          relayService.handleMessage(windowId, msg, (resp) => {
-            hooks.sendToNapplet(windowId, resp);
-          });
-        } else if (hooks.relayPool?.isAvailable()) {
-          hooks.relayPool.publish(event);
-          hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: true });
-        } else {
-          hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: false, message: "no relay pool available" });
-        }
-        eventBuffer.bufferAndDeliver(event, windowId);
-        break;
-      }
-      // Shell-mediated encryption path (NUB-08 / SH-C03). Napplets hand the
-      // shell a plaintext EventTemplate plus a recipient pubkey; the shell
-      // encrypts via its own signer (nip44 default, nip04 opt-in), signs,
-      // publishes, and returns a relay.publishEncrypted.result. The signer's
-      // nip04/nip44 primitives are SHELL-INTERNAL — no napplet-visible
-      // message surface reaches them (SignerProxy was deleted in Plan 12-01).
-      case "publishEncrypted": {
-        let replyPe2 = function(ok, extra = {}) {
-          hooks.sendToNapplet(windowId, {
-            type: "relay.publishEncrypted.result",
-            id,
-            ok,
-            ...extra
-          });
-        };
-        var replyPe = replyPe2;
-        const id = m.id ?? "";
-        const eventTemplate = m.event;
-        const peMsg = msg;
-        const recipient = peMsg.recipient ?? "";
-        const encryption = peMsg.encryption ?? "nip44";
-        if (!recipient) {
-          replyPe2(false, { error: "missing recipient" });
-          break;
-        }
-        if (encryption !== "nip44" && encryption !== "nip04") {
-          replyPe2(false, { error: `unsupported encryption scheme: ${encryption}` });
-          break;
-        }
-        const peSigner = hooks.auth.getSigner();
-        if (!peSigner) {
-          replyPe2(false, { error: "no signer configured" });
-          break;
-        }
-        if (!eventTemplate || typeof eventTemplate !== "object") {
-          replyPe2(false, { error: "invalid event template" });
-          break;
-        }
-        (async () => {
-          try {
-            const plaintext = String(eventTemplate.content ?? "");
-            const ciphertext = encryption === "nip44" ? await peSigner.nip44?.encrypt(recipient, plaintext) ?? "" : await peSigner.nip04?.encrypt(recipient, plaintext) ?? "";
-            const eventWithCiphertext = { ...eventTemplate, content: ciphertext };
-            const signed = await peSigner.signEvent?.(eventWithCiphertext);
-            if (!signed) {
-              replyPe2(false, { error: "signEvent returned null" });
-              return;
-            }
-            const relayService = serviceRegistry["relay"] ?? serviceRegistry["relay-pool"];
-            if (relayService) {
-              const publishMsg = { type: "relay.publish", id, event: signed };
-              let replied = false;
-              relayService.handleMessage(windowId, publishMsg, (resp) => {
-                if (replied) return;
-                const r = resp;
-                if (typeof r.type === "string" && r.type.startsWith("relay.publish")) {
-                  const okVal = r.ok ?? r.accepted ?? false;
-                  replied = true;
-                  replyPe2(okVal, {
-                    event: signed,
-                    eventId: signed.id,
-                    ...okVal ? {} : { error: r.error ?? r.message ?? "publish failed" }
-                  });
-                }
-              });
-              if (!replied) {
-                replied = true;
-                replyPe2(true, { event: signed, eventId: signed.id });
-              }
-            } else if (hooks.relayPool?.isAvailable()) {
-              hooks.relayPool.publish(signed);
-              replyPe2(true, { event: signed, eventId: signed.id });
-            } else {
-              replyPe2(false, { error: "no relay pool available" });
-            }
-            try {
-              eventBuffer.bufferAndDeliver(signed, windowId);
-            } catch {
-            }
-          } catch (err) {
-            replyPe2(false, { error: err?.message ?? "encryption failed" });
-          }
-        })();
-        break;
-      }
-      case "query": {
-        const id = m.id ?? "";
-        const filters = m.filters ?? [];
-        let count = 0;
-        for (const event of eventBuffer.getBufferedEvents()) {
-          if (matchesAnyFilter(event, filters)) count++;
-        }
-        hooks.sendToNapplet(windowId, { type: "relay.query.result", id, count });
-        break;
-      }
-      default:
-        break;
-    }
-  }
-  function handleIdentityMessage(windowId, msg) {
-    const identityService = serviceRegistry["identity"];
-    if (identityService) {
-      identityService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    const id = msg.id ?? "";
-    const action = msg.type.slice("identity.".length);
-    const signer = hooks.auth.getSigner();
-    function sendError(error) {
-      hooks.sendToNapplet(windowId, { type: `${msg.type}.error`, id, error });
-    }
-    function sendResult(payload) {
-      hooks.sendToNapplet(windowId, { type: `${msg.type}.result`, id, ...payload });
-    }
-    switch (action) {
-      case "getPublicKey": {
-        if (!signer) {
-          sendError("no signer configured");
-          return;
-        }
-        Promise.resolve(signer.getPublicKey?.()).then((pubkey) => sendResult({ pubkey })).catch((err) => sendError(err?.message ?? "getPublicKey failed"));
-        return;
-      }
-      case "getRelays": {
-        if (!signer) {
-          sendError("no signer configured");
-          return;
-        }
-        Promise.resolve(signer.getRelays?.() ?? {}).then((relays) => sendResult({ relays })).catch((err) => sendError(err?.message ?? "getRelays failed"));
-        return;
-      }
-      case "getProfile":
-        sendResult({ profile: null });
-        return;
-      case "getFollows":
-        sendResult({ pubkeys: [] });
-        return;
-      case "getList":
-        sendResult({ entries: [] });
-        return;
-      case "getZaps":
-        sendResult({ zaps: [] });
-        return;
-      case "getMutes":
-        sendResult({ pubkeys: [] });
-        return;
-      case "getBlocked":
-        sendResult({ pubkeys: [] });
-        return;
-      case "getBadges":
-        sendResult({ badges: [] });
-        return;
-      default:
-        sendError(`Unknown identity action: ${action}`);
-    }
-  }
-  function handleStorageMessage(windowId, msg) {
-    handleStorageNub(windowId, msg, hooks.sendToNapplet, sessionRegistry, aclState, hooks.statePersistence);
-  }
-  function ifcAddChannel(channelId, peerA, peerB) {
-    ifcChannels.set(channelId, { channelId, peerA, peerB });
-    for (const w of [peerA, peerB]) {
-      let set = ifcChannelsByWindow.get(w);
-      if (!set) {
-        set = /* @__PURE__ */ new Set();
-        ifcChannelsByWindow.set(w, set);
-      }
-      set.add(channelId);
-    }
-  }
-  function ifcRemoveChannel(channelId) {
-    const ch = ifcChannels.get(channelId);
-    if (!ch) return;
-    ifcChannels.delete(channelId);
-    for (const w of [ch.peerA, ch.peerB]) {
-      const set = ifcChannelsByWindow.get(w);
-      if (set) {
-        set.delete(channelId);
-        if (set.size === 0) ifcChannelsByWindow.delete(w);
-      }
-    }
-  }
-  function ifcPeerOf(channelId, self) {
-    const ch = ifcChannels.get(channelId);
-    if (!ch) return null;
-    if (ch.peerA === self) return ch.peerB;
-    if (ch.peerB === self) return ch.peerA;
-    return null;
-  }
-  function ifcGenerateChannelId() {
-    return hooks.crypto.randomUUID().replace(/-/g, "").slice(0, 32);
-  }
-  function ifcResolveTarget(target) {
-    if (sessionRegistry.getEntryByWindowId(target)) return target;
-    const entries = sessionRegistry.getAllEntries();
-    const byPubkey = entries.find((e) => e.pubkey === target);
-    return byPubkey?.windowId ?? null;
-  }
-  function handleIfcMessage(windowId, msg) {
-    const m = msg;
-    const dotIdx = msg.type.indexOf(".");
-    const action = msg.type.slice(dotIdx + 1);
-    switch (action) {
-      case "emit": {
-        const topic = m.topic ?? "";
-        const payload = m.payload;
-        if (!topic) return;
-        const subscribers = ifcSubscriptions.get(topic);
-        if (subscribers) {
-          for (const subscriberWindowId of subscribers) {
-            if (subscriberWindowId === windowId) continue;
-            hooks.sendToNapplet(subscriberWindowId, { type: "ifc.event", topic, payload, sender: windowId });
-          }
-        }
-        return;
-      }
-      case "subscribe": {
-        const id = m.id ?? "";
-        const topic = m.topic ?? "";
-        if (!topic) {
-          hooks.sendToNapplet(windowId, { type: "ifc.subscribe.result", id, error: "missing topic" });
-          return;
-        }
-        let subs = ifcSubscriptions.get(topic);
-        if (!subs) {
-          subs = /* @__PURE__ */ new Set();
-          ifcSubscriptions.set(topic, subs);
-        }
-        subs.add(windowId);
-        hooks.sendToNapplet(windowId, { type: "ifc.subscribe.result", id });
-        return;
-      }
-      case "unsubscribe": {
-        const topic = m.topic ?? "";
-        if (!topic) return;
-        const subs = ifcSubscriptions.get(topic);
-        if (subs) {
-          subs.delete(windowId);
-          if (subs.size === 0) ifcSubscriptions.delete(topic);
-        }
-        return;
-      }
-      case "channel.open": {
-        const id = m.id ?? "";
-        const target = m.target ?? "";
-        const peerWindow = ifcResolveTarget(target);
-        if (!peerWindow) {
-          hooks.sendToNapplet(windowId, { type: "ifc.channel.open.result", id, error: "target not found" });
-          return;
-        }
-        const channelId = ifcGenerateChannelId();
-        ifcAddChannel(channelId, windowId, peerWindow);
-        hooks.sendToNapplet(windowId, { type: "ifc.channel.open.result", id, channelId, peer: peerWindow });
-        return;
-      }
-      case "channel.emit": {
-        const channelId = m.channelId ?? "";
-        const peer = ifcPeerOf(channelId, windowId);
-        if (!peer) return;
-        hooks.sendToNapplet(peer, { type: "ifc.channel.event", channelId, sender: windowId, payload: m.payload });
-        return;
-      }
-      case "channel.broadcast": {
-        const channels = ifcChannelsByWindow.get(windowId);
-        if (!channels) return;
-        for (const channelId of channels) {
-          const peer = ifcPeerOf(channelId, windowId);
-          if (peer) hooks.sendToNapplet(peer, { type: "ifc.channel.event", channelId, sender: windowId, payload: m.payload });
-        }
-        return;
-      }
-      case "channel.list": {
-        const id = m.id ?? "";
-        const channels = [];
-        const set = ifcChannelsByWindow.get(windowId);
-        if (set) {
-          for (const channelId of set) {
-            const peer = ifcPeerOf(channelId, windowId);
-            if (peer) channels.push({ id: channelId, peer });
-          }
-        }
-        hooks.sendToNapplet(windowId, { type: "ifc.channel.list.result", id, channels });
-        return;
-      }
-      case "channel.close": {
-        const channelId = m.channelId ?? "";
-        const peer = ifcPeerOf(channelId, windowId);
-        if (!peer) return;
-        hooks.sendToNapplet(windowId, { type: "ifc.channel.closed", channelId });
-        hooks.sendToNapplet(peer, { type: "ifc.channel.closed", channelId });
-        ifcRemoveChannel(channelId);
-        return;
-      }
-      default:
-        return;
-    }
-  }
-  function handleMediaMessage(windowId, msg) {
-    const mediaService = serviceRegistry["media"];
-    if (mediaService) {
-      mediaService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    if (msg.type === "media.session.create") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "media.session.create.result",
-        id: m.id ?? "",
-        sessionId: m.sessionId ?? ""
-      });
-    }
-  }
-  function handleKeysMessage(windowId, msg) {
-    const keysService = serviceRegistry["keys"];
-    if (keysService) {
-      keysService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    if (msg.type === "keys.forward") {
-      const m = msg;
-      hooks.hotkeys.executeHotkeyFromForward({
-        key: m.key ?? "",
-        code: m.code ?? "",
-        ctrlKey: !!m.ctrl,
-        altKey: !!m.alt,
-        shiftKey: !!m.shift,
-        metaKey: !!m.meta
-      });
-      return;
-    }
-    if (msg.type === "keys.registerAction") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "keys.registerAction.result",
-        id: m.id ?? "",
-        actionId: m.action?.id ?? "",
-        ...m.action?.defaultKey ? { binding: m.action.defaultKey } : {}
-      });
-      return;
-    }
-  }
-  function handleNotifyMessage(windowId, msg) {
-    const notifyService = serviceRegistry["notify"];
-    if (notifyService) {
-      notifyService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    if (msg.type === "notify.send") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "notify.send.result",
-        id: m.id ?? "",
-        notificationId: `shell-${Date.now()}`
-      });
-    } else if (msg.type === "notify.permission.request") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "notify.permission.result",
-        id: m.id ?? "",
-        granted: true
-      });
-    }
-  }
-  const THEME_FALLBACK_DEFAULT = {
-    colors: { background: "#0a0a0a", text: "#e0e0e0", primary: "#7aa2f7" }
-  };
-  function handleThemeMessage(windowId, msg) {
-    const themeService = serviceRegistry["theme"];
-    if (themeService) {
-      themeService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    if (msg.type === "theme.get") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "theme.get.result",
-        id: m.id ?? "",
-        theme: THEME_FALLBACK_DEFAULT
-      });
-    }
-  }
+  return registeredServices;
+}
+function createNubEnvelopeDispatcher(handlers) {
   let currentWindowId = null;
   const nubDispatch = createDispatch();
-  const relayAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleRelayMessage(currentWindowId, msg);
-  };
-  const identityAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleIdentityMessage(currentWindowId, msg);
-  };
-  const keysAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleKeysMessage(currentWindowId, msg);
-  };
-  const mediaAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleMediaMessage(currentWindowId, msg);
-  };
-  const notifyAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleNotifyMessage(currentWindowId, msg);
-  };
-  const storageAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleStorageMessage(currentWindowId, msg);
-  };
-  const ifcAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleIfcMessage(currentWindowId, msg);
+  const adapt = (handler) => (msg) => {
+    if (currentWindowId !== null) handler(currentWindowId, msg);
   };
-  const themeAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleThemeMessage(currentWindowId, msg);
+  nubDispatch.registerNub("relay", adapt(handlers.relay));
+  nubDispatch.registerNub("identity", adapt(handlers.identity));
+  nubDispatch.registerNub("keys", adapt(handlers.keys));
+  nubDispatch.registerNub("media", adapt(handlers.media));
+  nubDispatch.registerNub("notify", adapt(handlers.notify));
+  nubDispatch.registerNub("storage", adapt(handlers.storage));
+  nubDispatch.registerNub("ifc", adapt(handlers.ifc));
+  nubDispatch.registerNub("theme", adapt(handlers.theme));
+  nubDispatch.registerNub("config", adapt(handlers.config));
+  nubDispatch.registerNub("resource", adapt(handlers.resource));
+  nubDispatch.registerNub("cvm", adapt(handlers.cvm));
+  return (windowId, envelope) => {
+    currentWindowId = windowId;
+    try {
+      nubDispatch.dispatch(envelope);
+    } finally {
+      currentWindowId = null;
+    }
   };
-  nubDispatch.registerNub("relay", relayAdapter);
-  nubDispatch.registerNub("identity", identityAdapter);
-  nubDispatch.registerNub("keys", keysAdapter);
-  nubDispatch.registerNub("media", mediaAdapter);
-  nubDispatch.registerNub("notify", notifyAdapter);
-  nubDispatch.registerNub("storage", storageAdapter);
-  nubDispatch.registerNub("ifc", ifcAdapter);
-  nubDispatch.registerNub("theme", themeAdapter);
-  function handleMessage(windowId, msg) {
+}
+function createMessageHandler(hooks, enforceNub, dispatchNubEnvelope) {
+  return (windowId, msg) => {
     if (typeof msg !== "object" || msg === null || !("type" in msg)) return;
     const envelope = msg;
     const dotIdx = envelope.type.indexOf(".");
@@ -1376,47 +1234,62 @@ function createRuntime(hooks) {
       const result = enforceNub(windowId, caps.senderCap, envelope);
       if (!result.allowed) {
         const id = envelope.id ?? "";
-        hooks.sendToNapplet(windowId, { type: `${envelope.type}.error`, id, error: formatDenialReason(result.capability) });
+        const isIdentityDecrypt = envelope.type === "identity.decrypt";
+        const isStorageEnvelope = envelope.type.startsWith("storage.");
+        const error = isIdentityDecrypt ? result.reason === "class-forbidden" ? "class-forbidden" : "policy-denied" : formatDenialReason(result.capability);
+        const type = isStorageEnvelope ? `${envelope.type}.result` : `${envelope.type}.error`;
+        hooks.sendToNapplet(windowId, { type, id, error });
         return;
       }
     }
-    currentWindowId = windowId;
-    try {
-      nubDispatch.dispatch(envelope);
-    } finally {
-      currentWindowId = null;
-    }
-  }
-  const runtimeInstance = {
-    handleMessage,
+    dispatchNubEnvelope(windowId, envelope);
+  };
+}
+function createInjectedEvent(hooks, topic, payload) {
+  const uuid = hooks.crypto.randomUUID().replace(/-/g, "").slice(0, 64).padEnd(64, "0");
+  return {
+    id: uuid,
+    pubkey: "0".repeat(64),
+    created_at: Math.floor(Date.now() / 1e3),
+    kind: 29e3,
+    tags: [["t", topic]],
+    content: JSON.stringify(payload),
+    sig: "0".repeat(128)
+  };
+}
+function createRuntimeInstance(context) {
+  const {
+    aclState,
+    eventBuffer,
+    hooks,
+    ifcRuntime,
+    manifestCache,
+    registeredServices,
+    replayDetector,
+    serviceRegistry,
+    sessionRegistry,
+    subscriptions
+  } = context;
+  const undeclaredServiceConsents = /* @__PURE__ */ new Set();
+  let consentHandler = null;
+  return {
+    handleMessage: context.handleMessage,
     injectEvent(topic, payload) {
-      const uuid = hooks.crypto.randomUUID().replace(/-/g, "").slice(0, 64).padEnd(64, "0");
-      const event = {
-        id: uuid,
-        pubkey: "0".repeat(64),
-        created_at: Math.floor(Date.now() / 1e3),
-        kind: 29e3,
-        // IPC_PEER — inlined numeric after Phase 24 shim deletion
-        tags: [["t", topic]],
-        content: JSON.stringify(payload),
-        sig: "0".repeat(128)
-      };
-      eventBuffer.bufferAndDeliver(event, null);
+      eventBuffer.bufferAndDeliver(createInjectedEvent(hooks, topic, payload), null);
     },
     destroy() {
       manifestCache.persist();
       aclState.persist();
       replayDetector.clear();
       subscriptions.clear();
-      ifcSubscriptions.clear();
-      ifcChannels.clear();
-      ifcChannelsByWindow.clear();
+      ifcRuntime.clear();
       eventBuffer.clear();
       registeredServices.clear();
       undeclaredServiceConsents.clear();
     },
     registerConsentHandler(handler) {
-      _consentHandler = handler;
+      consentHandler = handler;
+      void consentHandler;
     },
     registerService(name, handler) {
       serviceRegistry[name] = handler;
@@ -1437,20 +1310,7 @@ function createRuntime(hooks) {
           hooks.relayPool?.untrackSubscription(key);
         }
       }
-      for (const [topic, subs] of ifcSubscriptions) {
-        subs.delete(windowId);
-        if (subs.size === 0) ifcSubscriptions.delete(topic);
-      }
-      const channelIds = ifcChannelsByWindow.get(windowId);
-      if (channelIds) {
-        for (const channelId of [...channelIds]) {
-          const peer = ifcPeerOf(channelId, windowId);
-          if (peer) {
-            hooks.sendToNapplet(peer, { type: "ifc.channel.closed", channelId });
-          }
-          ifcRemoveChannel(channelId);
-        }
-      }
+      ifcRuntime.destroyWindow(windowId);
       notifyServiceWindowDestroyed(windowId, serviceRegistry);
     },
     get sessionRegistry() {
@@ -1463,7 +1323,64 @@ function createRuntime(hooks) {
       return manifestCache;
     }
   };
-  return runtimeInstance;
+}
+function createRuntime(hooks) {
+  const subscriptions = /* @__PURE__ */ new Map();
+  const serviceRegistry = { ...hooks.services };
+  const registeredServices = createRegisteredServices(serviceRegistry);
+  const sessionRegistry = createSessionRegistry(hooks.onPendingUpdate);
+  const aclState = createAclState(hooks.aclPersistence);
+  const manifestCache = createManifestCache(hooks.manifestPersistence);
+  const replayDetector = createReplayDetector(
+    hooks.getConfigOverrides ? () => hooks.getConfigOverrides().replayWindowSeconds : void 0
+  );
+  const enforce = createEnforceGate({
+    checkAcl: (pubkey, dTag, aggregateHash, capability) => aclState.check(pubkey, dTag, aggregateHash, capability),
+    resolveIdentity: (pubkey) => {
+      const entry = sessionRegistry.getEntry(pubkey);
+      return entry ? { dTag: entry.dTag, aggregateHash: entry.aggregateHash } : void 0;
+    },
+    onAclCheck: hooks.onAclCheck
+  });
+  const enforceNub = createNubEnforceGate({
+    checkAcl: (pubkey, dTag, aggregateHash, capability) => aclState.check(pubkey, dTag, aggregateHash, capability),
+    resolveIdentityByWindowId: (windowId) => {
+      const entry = sessionRegistry.getEntryByWindowId(windowId);
+      return entry ? { dTag: entry.dTag, aggregateHash: entry.aggregateHash, class: entry.class } : void 0;
+    },
+    onAclCheck: hooks.onAclCheck
+  });
+  const eventBuffer = createEventBuffer(
+    hooks.sendToNapplet,
+    sessionRegistry,
+    enforce,
+    subscriptions,
+    hooks.getConfigOverrides ? () => hooks.getConfigOverrides().ringBufferSize ?? RING_BUFFER_SIZE : void 0
+  );
+  aclState.load();
+  manifestCache.load();
+  const ifcRuntime = createIfcRuntime(hooks, sessionRegistry);
+  const domainHandlers = createRuntimeDomainHandlers({ hooks, serviceRegistry, sessionRegistry, aclState });
+  const dispatchNubEnvelope = createNubEnvelopeDispatcher({
+    relay: createRelayHandler({ hooks, serviceRegistry, subscriptions, eventBuffer, replayDetector }),
+    identity: createIdentityHandler({ hooks, serviceRegistry }),
+    ifc: ifcRuntime.handleMessage,
+    ...domainHandlers
+  });
+  const handleMessage = createMessageHandler(hooks, enforceNub, dispatchNubEnvelope);
+  return createRuntimeInstance({
+    hooks,
+    serviceRegistry,
+    registeredServices,
+    replayDetector,
+    subscriptions,
+    eventBuffer,
+    ifcRuntime,
+    sessionRegistry,
+    aclState,
+    manifestCache,
+    handleMessage
+  });
 }
 
 // src/index.ts