npm - @kehto/runtime - Versions diffs - 0.2.0 → 0.6.0 - Mend

@kehto/runtime 0.2.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js CHANGED Viewed

@@ -1,5 +1,12 @@
 // src/enforce.ts
+import { ALL_CAPABILITIES } from "@kehto/acl/capabilities";
 import { resolveCapabilitiesNub } from "@kehto/acl";
+var CLASS_CAPABILITY_ALLOWLIST = Object.freeze({
+  "class-1": new Set(ALL_CAPABILITIES),
+  "class-2": new Set(ALL_CAPABILITIES.filter(
+    (c) => c !== "relay:write" && c !== "identity:decrypt" && c !== "outbox:write"
+  ))
+});
 function createEnforceGate(config) {
   const { checkAcl, resolveIdentity, onAclCheck } = config;
   return function enforce(pubkey, capability, message) {
@@ -9,10 +16,11 @@ function createEnforceGate(config) {
     const allowed = checkAcl(pubkey, dTag, aggregateHash, capability);
     const identity = { pubkey, dTag, hash: aggregateHash };
     const decision = allowed ? "allow" : "deny";
+    const reason = allowed ? "allowed" : "capability-missing";
     if (onAclCheck) {
-      onAclCheck({ identity, capability, decision, message });
+      onAclCheck({ identity, capability, decision, message, reason });
     }
-    return { allowed, capability };
+    return { allowed, capability, reason };
   };
 }
 function createNubEnforceGate(config) {
@@ -21,13 +29,31 @@ function createNubEnforceGate(config) {
     const entry = resolveIdentityByWindowId(windowId);
     const dTag = entry?.dTag ?? "";
     const aggregateHash = entry?.aggregateHash ?? "";
+    const nappletClass = entry?.class ?? null;
+    if (nappletClass !== null) {
+      const allowlist = CLASS_CAPABILITY_ALLOWLIST[nappletClass];
+      if (!allowlist || !allowlist.has(capability)) {
+        const identity2 = { pubkey: "", dTag, hash: aggregateHash };
+        if (onAclCheck) {
+          onAclCheck({
+            identity: identity2,
+            capability,
+            decision: "deny",
+            message,
+            reason: "class-forbidden"
+          });
+        }
+        return { allowed: false, capability, reason: "class-forbidden" };
+      }
+    }
     const allowed = checkAcl("", dTag, aggregateHash, capability);
     const identity = { pubkey: "", dTag, hash: aggregateHash };
     const decision = allowed ? "allow" : "deny";
+    const reason = allowed ? "allowed" : "capability-missing";
     if (onAclCheck) {
-      onAclCheck({ identity, capability, decision, message });
+      onAclCheck({ identity, capability, decision, message, reason });
     }
-    return { allowed, capability };
+    return { allowed, capability, reason };
   };
 }
 function formatDenialReason(capability) {
@@ -117,7 +143,7 @@ import {
   CAP_HOTKEY_FORWARD,
   CAP_STATE_READ,
   CAP_STATE_WRITE,
-  CAP_ALL
+  toKey
 } from "@kehto/acl";
 var CAP_IDENTITY_READ = 1 << 5;
 var CAP_KEYS_BIND = 1 << 6;
@@ -126,6 +152,12 @@ var CAP_MEDIA_CONTROL = 1 << 10;
 var CAP_NOTIFY_SEND = 1 << 11;
 var CAP_NOTIFY_CHANNEL = 1 << 12;
 var CAP_THEME_READ = 1 << 13;
+var CAP_CONFIG_READ = 1 << 14;
+var CAP_RESOURCE_FETCH = 1 << 15;
+var CAP_IDENTITY_DECRYPT = 1 << 16;
+var CAP_CVM_CALL = 1 << 17;
+var CAP_OUTBOX_READ = 1 << 18;
+var CAP_OUTBOX_WRITE = 1 << 19;
 var CAP_MAP = {
   "relay:read": CAP_RELAY_READ,
   "relay:write": CAP_RELAY_WRITE,
@@ -140,8 +172,15 @@ var CAP_MAP = {
   "media:control": CAP_MEDIA_CONTROL,
   "notify:send": CAP_NOTIFY_SEND,
   "notify:channel": CAP_NOTIFY_CHANNEL,
-  "theme:read": CAP_THEME_READ
+  "theme:read": CAP_THEME_READ,
+  "config:read": CAP_CONFIG_READ,
+  "resource:fetch": CAP_RESOURCE_FETCH,
+  "identity:decrypt": CAP_IDENTITY_DECRYPT,
+  "cvm:call": CAP_CVM_CALL,
+  "outbox:read": CAP_OUTBOX_READ,
+  "outbox:write": CAP_OUTBOX_WRITE
 };
+var RUNTIME_CAP_ALL = Object.values(CAP_MAP).reduce((bits, bit) => bits | bit, 0);
 function capToBit(cap) {
   return CAP_MAP[cap] ?? 0;
 }
@@ -157,6 +196,11 @@ function toIdentity(pubkey, dTag, hash) {
 }
 function createAclState(persistence, defaultPolicy = "permissive") {
   let state = createState(defaultPolicy);
+  function ensureRuntimeDefaultEntry(id) {
+    if (state.defaultPolicy !== "permissive") return;
+    if (state.entries[toKey(id)]) return;
+    state = grant(state, id, RUNTIME_CAP_ALL);
+  }
   return {
     check(pubkey, dTag, aggregateHash, capability) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
@@ -164,23 +208,27 @@ function createAclState(persistence, defaultPolicy = "permissive") {
     },
     grant(pubkey, dTag, aggregateHash, capability) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
+      ensureRuntimeDefaultEntry(id);
       state = grant(state, id, capToBit(capability));
     },
     revoke(pubkey, dTag, aggregateHash, capability) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
+      ensureRuntimeDefaultEntry(id);
       state = revoke(state, id, capToBit(capability));
     },
     block(pubkey, dTag, aggregateHash) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
+      ensureRuntimeDefaultEntry(id);
       state = block(state, id);
     },
     unblock(pubkey, dTag, aggregateHash) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
+      ensureRuntimeDefaultEntry(id);
       state = unblock(state, id);
     },
     isBlocked(pubkey, dTag, aggregateHash) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
-      return !check(state, id, CAP_ALL) && this.getEntry(pubkey, dTag, aggregateHash)?.blocked === true;
+      return !check(state, id, RUNTIME_CAP_ALL) && this.getEntry(pubkey, dTag, aggregateHash)?.blocked === true;
     },
     getEntry(pubkey, dTag, aggregateHash) {
       const id = toIdentity(pubkey, dTag, aggregateHash);
@@ -195,8 +243,7 @@ function createAclState(persistence, defaultPolicy = "permissive") {
       };
     },
     getAllEntries() {
-      return Object.entries(state.entries).map(([key, entry]) => {
-        const parts = key.split(":");
+      return Object.entries(state.entries).map(([, entry]) => {
         return {
           pubkey: "",
           capabilities: bitsToCapabilities(entry.caps),
@@ -391,22 +438,21 @@ function createEventBuffer(sendToNapplet, sessionRegistry, enforce, subscription
 // src/runtime.ts
 import { createDispatch } from "@napplet/core";
-import { ALL_CAPABILITIES } from "@kehto/acl/capabilities";
 // src/service-dispatch.ts
 function routeServiceMessage(windowId, message, services, sendToNapplet) {
-  const send = (msg) => sendToNapplet(windowId, msg);
   const domain = message.type.split(".")[0];
   const handler = services[domain];
   if (handler) {
-    handler.handleMessage(windowId, message, send);
+    handler.handleMessage(windowId, message, (msg) => sendToNapplet(windowId, msg));
     return true;
   }
-  if (message.type === "ifc.emit" && typeof message.topic === "string") {
-    const prefix = message.topic.split(":")[0];
+  const ifcMessage = message;
+  if (message.type === "ifc.emit" && typeof ifcMessage.topic === "string") {
+    const prefix = ifcMessage.topic.split(":")[0];
     const ifcHandler = services[prefix];
     if (ifcHandler) {
-      ifcHandler.handleMessage(windowId, message, send);
+      ifcHandler.handleMessage(windowId, message, (msg) => sendToNapplet(windowId, msg));
       return true;
     }
   }
@@ -421,6 +467,492 @@ function notifyServiceWindowDestroyed(windowId, services) {
   }
 }
+// src/relay-handler.ts
+function createRelayHandler(context) {
+  return function handleRelayMessage(windowId, msg) {
+    const m = msg;
+    const dotIdx = msg.type.indexOf(".");
+    const action = msg.type.slice(dotIdx + 1);
+    switch (action) {
+      case "subscribe":
+        handleRelaySubscribe(context, windowId, msg, m);
+        return;
+      case "close":
+        handleRelayClose(context, windowId, msg, m);
+        return;
+      case "publish":
+        handleRelayPublish(context, windowId, msg, m);
+        return;
+      case "publishEncrypted":
+        handleRelayPublishEncrypted(context, windowId, msg);
+        return;
+      case "query":
+        handleRelayQuery(context, windowId, m);
+        return;
+      default:
+        return;
+    }
+  };
+}
+function relayServiceFrom(context) {
+  return context.serviceRegistry["relay"] ?? context.serviceRegistry["relay-pool"];
+}
+function isShellKindQuery(filters) {
+  return filters.length > 0 && filters.every((filter) => filter.kinds?.every((kind) => kind >= 29e3 && kind < 3e4));
+}
+function handleRelaySubscribe(context, windowId, msg, m) {
+  const { eventBuffer, hooks, serviceRegistry, subscriptions } = context;
+  const subId = m.subId ?? "";
+  const filters = m.filters ?? [];
+  if (!subId) return;
+  const subKey = `${windowId}:${subId}`;
+  subscriptions.set(subKey, { windowId, filters });
+  const seenIds = /* @__PURE__ */ new Set();
+  function deliver(event) {
+    if (seenIds.has(event.id)) return;
+    seenIds.add(event.id);
+    if (subscriptions.has(subKey)) {
+      hooks.sendToNapplet(windowId, { type: "relay.event", subId, event });
+    }
+  }
+  for (const bufferedEvent of eventBuffer.getBufferedEvents()) {
+    if (matchesAnyFilter(bufferedEvent, filters)) deliver(bufferedEvent);
+  }
+  const isShellKind = isShellKindQuery(filters);
+  const relayService = relayServiceFrom(context);
+  const cacheService = !serviceRegistry["relay"] ? serviceRegistry["cache"] : void 0;
+  if (!isShellKind && relayService) {
+    relayService.handleMessage(windowId, msg, (resp) => {
+      if (!subscriptions.has(subKey)) return;
+      hooks.sendToNapplet(windowId, resp);
+    });
+    if (cacheService) {
+      cacheService.handleMessage(windowId, msg, (resp) => {
+        if (!subscriptions.has(subKey)) return;
+        hooks.sendToNapplet(windowId, resp);
+      });
+    }
+    return;
+  }
+  deliverFromRuntimeBackends(context, windowId, subId, subKey, filters, isShellKind, deliver);
+}
+function deliverFromRuntimeBackends(context, windowId, subId, subKey, filters, isShellKind, deliver) {
+  const { hooks } = context;
+  const cache = hooks.cache;
+  if (cache?.isAvailable() && !isShellKind) {
+    cache.query(filters).then((cachedEvents) => {
+      for (const event of cachedEvents) deliver(event);
+    }).catch(() => {
+    });
+  }
+  const pool = hooks.relayPool;
+  if (!pool?.isAvailable() && !isShellKind) {
+    hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
+    return;
+  }
+  if (!pool?.isAvailable() || isShellKind) return;
+  const relayUrls = pool.selectRelayTier(filters);
+  let eoseSent = false;
+  const eoseFallbackTimer = setTimeout(() => {
+    if (!eoseSent) {
+      eoseSent = true;
+      hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
+    }
+  }, 15e3);
+  const subscription = pool.subscribe(filters, (item) => {
+    if (item === "EOSE") {
+      clearTimeout(eoseFallbackTimer);
+      if (!eoseSent) {
+        eoseSent = true;
+        hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
+      }
+      return;
+    }
+    deliver(item);
+    if (cache?.isAvailable() && !isShellKind) {
+      try {
+        cache.store(item);
+      } catch {
+        return;
+      }
+    }
+  }, relayUrls);
+  pool.trackSubscription(subKey, () => {
+    clearTimeout(eoseFallbackTimer);
+    subscription.unsubscribe();
+  });
+}
+function handleRelayClose(context, windowId, msg, m) {
+  const { hooks, subscriptions } = context;
+  const subId = m.subId ?? "";
+  if (!subId) return;
+  const subKey = `${windowId}:${subId}`;
+  subscriptions.delete(subKey);
+  const relayService = relayServiceFrom(context);
+  if (relayService) relayService.handleMessage(windowId, msg, () => {
+  });
+  hooks.relayPool?.untrackSubscription(subKey);
+  hooks.sendToNapplet(windowId, { type: "relay.closed", subId, message: "" });
+}
+function handleRelayPublish(context, windowId, msg, m) {
+  const { eventBuffer, hooks, replayDetector } = context;
+  const event = m.event;
+  const id = m.id ?? "";
+  if (!event || typeof event !== "object") {
+    hooks.sendToNapplet(windowId, { type: "relay.publish.error", id, error: "invalid event" });
+    return;
+  }
+  const replayResult = replayDetector.check(event);
+  if (replayResult !== null) {
+    hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: false, message: replayResult });
+    return;
+  }
+  const relayService = relayServiceFrom(context);
+  if (relayService) {
+    relayService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+  } else if (hooks.relayPool?.isAvailable()) {
+    hooks.relayPool.publish(event);
+    hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: true });
+  } else {
+    hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: false, message: "no relay pool available" });
+  }
+  eventBuffer.bufferAndDeliver(event, windowId);
+}
+function handleRelayPublishEncrypted(context, windowId, msg) {
+  const { hooks } = context;
+  const id = msg.id ?? "";
+  const eventTemplate = msg.event;
+  const peMsg = msg;
+  const recipient = peMsg.recipient ?? "";
+  const encryption = peMsg.encryption ?? "nip44";
+  const replyPe = (ok, extra = {}) => {
+    hooks.sendToNapplet(windowId, { type: "relay.publishEncrypted.result", id, ok, ...extra });
+  };
+  if (!recipient) {
+    replyPe(false, { error: "missing recipient" });
+    return;
+  }
+  if (encryption !== "nip44" && encryption !== "nip04") {
+    replyPe(false, { error: `unsupported encryption scheme: ${encryption}` });
+    return;
+  }
+  const peSigner = hooks.auth.getSigner();
+  if (!peSigner) {
+    replyPe(false, { error: "no signer configured" });
+    return;
+  }
+  if (!eventTemplate || typeof eventTemplate !== "object") {
+    replyPe(false, { error: "invalid event template" });
+    return;
+  }
+  publishEncrypted(context, windowId, id, recipient, encryption, eventTemplate, replyPe);
+}
+function publishEncrypted(context, windowId, id, recipient, encryption, eventTemplate, replyPe) {
+  const { eventBuffer, hooks } = context;
+  const peSigner = hooks.auth.getSigner();
+  if (!peSigner) return;
+  (async () => {
+    try {
+      const plaintext = String(eventTemplate.content ?? "");
+      const ciphertext = encryption === "nip44" ? await peSigner.nip44?.encrypt(recipient, plaintext) ?? "" : await peSigner.nip04?.encrypt(recipient, plaintext) ?? "";
+      const eventWithCiphertext = { ...eventTemplate, content: ciphertext };
+      const signed = await peSigner.signEvent?.(eventWithCiphertext);
+      if (!signed) {
+        replyPe(false, { error: "signEvent returned null" });
+        return;
+      }
+      publishSignedEncrypted(context, windowId, id, signed, replyPe);
+      try {
+        eventBuffer.bufferAndDeliver(signed, windowId);
+      } catch {
+        return;
+      }
+    } catch (err) {
+      replyPe(false, { error: err?.message ?? "encryption failed" });
+    }
+  })();
+}
+function publishSignedEncrypted(context, windowId, id, signed, replyPe) {
+  const { hooks } = context;
+  const relayService = relayServiceFrom(context);
+  if (!relayService) {
+    if (hooks.relayPool?.isAvailable()) {
+      hooks.relayPool.publish(signed);
+      replyPe(true, { event: signed, eventId: signed.id });
+    } else {
+      replyPe(false, { error: "no relay pool available" });
+    }
+    return;
+  }
+  const publishMsg = { type: "relay.publish", id, event: signed };
+  let replied = false;
+  relayService.handleMessage(windowId, publishMsg, (resp) => {
+    if (replied) return;
+    const r = resp;
+    if (typeof r.type !== "string" || !r.type.startsWith("relay.publish")) return;
+    const okVal = r.ok ?? r.accepted ?? false;
+    replied = true;
+    const publishResult = { event: signed, eventId: signed.id };
+    if (!okVal) publishResult.error = r.error ?? r.message ?? "publish failed";
+    replyPe(okVal, publishResult);
+  });
+  if (!replied) {
+    replied = true;
+    replyPe(true, { event: signed, eventId: signed.id });
+  }
+}
+function handleRelayQuery(context, windowId, m) {
+  const id = m.id ?? "";
+  const filters = m.filters ?? [];
+  let count = 0;
+  for (const event of context.eventBuffer.getBufferedEvents()) {
+    if (matchesAnyFilter(event, filters)) count++;
+  }
+  context.hooks.sendToNapplet(windowId, { type: "relay.query.result", id, count });
+}
+// src/identity-handler.ts
+function createIdentityHandler(context) {
+  return function handleIdentityMessage(windowId, msg) {
+    const { hooks, serviceRegistry } = context;
+    const identityService = serviceRegistry["identity"];
+    if (identityService) {
+      identityService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+      return;
+    }
+    const id = msg.id ?? "";
+    const action = msg.type.slice("identity.".length);
+    const signer = hooks.auth.getSigner();
+    const sendError = (error) => {
+      hooks.sendToNapplet(windowId, { type: `${msg.type}.error`, id, error });
+    };
+    const sendResult = (payload) => {
+      hooks.sendToNapplet(windowId, { type: `${msg.type}.result`, id, ...payload });
+    };
+    switch (action) {
+      case "getPublicKey":
+        if (!signer) {
+          sendResult({ pubkey: "" });
+          return;
+        }
+        Promise.resolve(signer.getPublicKey?.()).then((pubkey) => sendResult({ pubkey: pubkey ?? "" })).catch((err) => sendError(err?.message ?? "getPublicKey failed"));
+        return;
+      case "getRelays":
+        if (!signer) {
+          sendError("no signer configured");
+          return;
+        }
+        Promise.resolve(signer.getRelays?.() ?? {}).then((relays) => sendResult({ relays })).catch((err) => sendError(err?.message ?? "getRelays failed"));
+        return;
+      case "getProfile":
+        sendResult({ profile: null });
+        return;
+      case "getFollows":
+        sendResult({ pubkeys: [] });
+        return;
+      case "getList":
+        sendResult({ entries: [] });
+        return;
+      case "getZaps":
+        sendResult({ zaps: [] });
+        return;
+      case "getMutes":
+        sendResult({ pubkeys: [] });
+        return;
+      case "getBlocked":
+        sendResult({ pubkeys: [] });
+        return;
+      case "getBadges":
+        sendResult({ badges: [] });
+        return;
+      default:
+        sendError(`Unknown identity action: ${action}`);
+    }
+  };
+}
+// src/ifc-handler.ts
+function createIfcRuntime(hooks, sessionRegistry) {
+  const state = {
+    subscriptions: /* @__PURE__ */ new Map(),
+    channels: /* @__PURE__ */ new Map(),
+    channelsByWindow: /* @__PURE__ */ new Map()
+  };
+  return {
+    handleMessage(windowId, msg) {
+      handleIfcMessage(state, hooks, sessionRegistry, windowId, msg);
+    },
+    destroyWindow(windowId) {
+      removeWindowChannels(state, hooks, windowId);
+      removeWindowSubscriptions(state, windowId);
+    },
+    clear() {
+      state.subscriptions.clear();
+      state.channels.clear();
+      state.channelsByWindow.clear();
+    }
+  };
+}
+function addChannel(state, channelId, peerA, peerB) {
+  state.channels.set(channelId, { channelId, peerA, peerB });
+  for (const windowId of [peerA, peerB]) {
+    let set = state.channelsByWindow.get(windowId);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      state.channelsByWindow.set(windowId, set);
+    }
+    set.add(channelId);
+  }
+}
+function removeChannel(state, channelId) {
+  const channel = state.channels.get(channelId);
+  if (!channel) return;
+  state.channels.delete(channelId);
+  for (const windowId of [channel.peerA, channel.peerB]) {
+    const set = state.channelsByWindow.get(windowId);
+    if (!set) continue;
+    set.delete(channelId);
+    if (set.size === 0) state.channelsByWindow.delete(windowId);
+  }
+}
+function peerOf(state, channelId, self) {
+  const channel = state.channels.get(channelId);
+  if (!channel) return null;
+  if (channel.peerA === self) return channel.peerB;
+  if (channel.peerB === self) return channel.peerA;
+  return null;
+}
+function resolveTarget(sessionRegistry, target) {
+  if (sessionRegistry.getEntryByWindowId(target)) return target;
+  const entries = sessionRegistry.getAllEntries();
+  const byPubkey = entries.find((entry) => entry.pubkey === target);
+  return byPubkey?.windowId ?? null;
+}
+function handleIfcMessage(state, hooks, sessionRegistry, windowId, msg) {
+  const m = msg;
+  const dotIdx = msg.type.indexOf(".");
+  const action = msg.type.slice(dotIdx + 1);
+  switch (action) {
+    case "emit":
+      handleEmit(state, hooks, windowId, m);
+      return;
+    case "subscribe":
+      handleSubscribe(state, hooks, windowId, m);
+      return;
+    case "unsubscribe":
+      handleUnsubscribe(state, windowId, m);
+      return;
+    case "channel.open":
+      handleChannelOpen(state, hooks, sessionRegistry, windowId, m);
+      return;
+    case "channel.emit":
+      handleChannelEmit(state, hooks, windowId, m);
+      return;
+    case "channel.broadcast":
+      handleChannelBroadcast(state, hooks, windowId, m);
+      return;
+    case "channel.list":
+      handleChannelList(state, hooks, windowId, m);
+      return;
+    case "channel.close":
+      handleChannelClose(state, hooks, windowId, m);
+      return;
+    default:
+      return;
+  }
+}
+function handleEmit(state, hooks, windowId, m) {
+  const topic = m.topic ?? "";
+  if (!topic) return;
+  const subscribers = state.subscriptions.get(topic);
+  if (!subscribers) return;
+  for (const subscriberWindowId of subscribers) {
+    if (subscriberWindowId !== windowId) {
+      hooks.sendToNapplet(subscriberWindowId, { type: "ifc.event", topic, payload: m.payload, sender: windowId });
+    }
+  }
+}
+function handleSubscribe(state, hooks, windowId, m) {
+  const id = m.id ?? "";
+  const topic = m.topic ?? "";
+  if (!topic) {
+    hooks.sendToNapplet(windowId, { type: "ifc.subscribe.result", id, error: "missing topic" });
+    return;
+  }
+  let subscriptions = state.subscriptions.get(topic);
+  if (!subscriptions) {
+    subscriptions = /* @__PURE__ */ new Set();
+    state.subscriptions.set(topic, subscriptions);
+  }
+  subscriptions.add(windowId);
+  hooks.sendToNapplet(windowId, { type: "ifc.subscribe.result", id });
+}
+function handleUnsubscribe(state, windowId, m) {
+  const topic = m.topic ?? "";
+  if (!topic) return;
+  const subscriptions = state.subscriptions.get(topic);
+  if (!subscriptions) return;
+  subscriptions.delete(windowId);
+  if (subscriptions.size === 0) state.subscriptions.delete(topic);
+}
+function handleChannelOpen(state, hooks, sessionRegistry, windowId, m) {
+  const id = m.id ?? "";
+  const peerWindow = resolveTarget(sessionRegistry, m.target ?? "");
+  if (!peerWindow) {
+    hooks.sendToNapplet(windowId, { type: "ifc.channel.open.result", id, error: "target not found" });
+    return;
+  }
+  const channelId = hooks.crypto.randomUUID().replace(/-/g, "").slice(0, 32);
+  addChannel(state, channelId, windowId, peerWindow);
+  hooks.sendToNapplet(windowId, { type: "ifc.channel.open.result", id, channelId, peer: peerWindow });
+}
+function handleChannelEmit(state, hooks, windowId, m) {
+  const peer = peerOf(state, m.channelId ?? "", windowId);
+  if (peer) hooks.sendToNapplet(peer, { type: "ifc.channel.event", channelId: m.channelId ?? "", sender: windowId, payload: m.payload });
+}
+function handleChannelBroadcast(state, hooks, windowId, m) {
+  const channels = state.channelsByWindow.get(windowId);
+  if (!channels) return;
+  for (const channelId of channels) {
+    const peer = peerOf(state, channelId, windowId);
+    if (peer) hooks.sendToNapplet(peer, { type: "ifc.channel.event", channelId, sender: windowId, payload: m.payload });
+  }
+}
+function handleChannelList(state, hooks, windowId, m) {
+  const channels = [];
+  const set = state.channelsByWindow.get(windowId);
+  if (set) {
+    for (const channelId of set) {
+      const peer = peerOf(state, channelId, windowId);
+      if (peer) channels.push({ id: channelId, peer });
+    }
+  }
+  hooks.sendToNapplet(windowId, { type: "ifc.channel.list.result", id: m.id ?? "", channels });
+}
+function handleChannelClose(state, hooks, windowId, m) {
+  const channelId = m.channelId ?? "";
+  const peer = peerOf(state, channelId, windowId);
+  if (!peer) return;
+  hooks.sendToNapplet(windowId, { type: "ifc.channel.closed", channelId });
+  hooks.sendToNapplet(peer, { type: "ifc.channel.closed", channelId });
+  removeChannel(state, channelId);
+}
+function removeWindowSubscriptions(state, windowId) {
+  for (const [topic, subscriptions] of state.subscriptions) {
+    subscriptions.delete(windowId);
+    if (subscriptions.size === 0) state.subscriptions.delete(topic);
+  }
+}
+function removeWindowChannels(state, hooks, windowId) {
+  const channelIds = state.channelsByWindow.get(windowId);
+  if (!channelIds) return;
+  for (const channelId of Array.from(channelIds)) {
+    const peer = peerOf(state, channelId, windowId);
+    if (peer) hooks.sendToNapplet(peer, { type: "ifc.channel.closed", channelId });
+    removeChannel(state, channelId);
+  }
+}
 // src/state-handler.ts
 function scopedKey(dTag, aggregateHash, userKey) {
   return `napplet-state:${dTag}:${aggregateHash}:${userKey}`;
@@ -450,7 +982,7 @@ function handleStorageNub(windowId, msg, sendToNapplet, sessionRegistry, aclStat
     sendToNapplet(windowId, { type: `${msg.type}.result`, id, ...payload });
   }
   function sendErrorNub(error) {
-    sendToNapplet(windowId, { type: `${msg.type}.error`, id, error });
+    sendToNapplet(windowId, { type: `${msg.type}.result`, id, error });
   }
   const entry = sessionRegistry.getEntryByWindowId(windowId);
   if (!entry) {
@@ -509,7 +1041,7 @@ function handleStorageNub(windowId, msg, sendToNapplet, sessionRegistry, aclStat
       break;
     }
     case "clear": {
-      sendErrorNub("storage.clear is not in @napplet/nub-storage; action not supported");
+      sendErrorNub("storage.clear is not in @napplet/nub/storage; action not supported");
       break;
     }
     case "keys": {
@@ -533,14 +1065,133 @@ function cleanupNappState(pubkey, dTag, aggregateHash, statePersistence) {
   statePersistence.clear(legacyPrefix);
 }
+// src/domain-handlers.ts
+var THEME_FALLBACK_DEFAULT = {
+  colors: { background: "#0a0a0a", text: "#e0e0e0", primary: "#7aa2f7" }
+};
+function createRuntimeDomainHandlers(context) {
+  return {
+    storage: (windowId, msg) => handleStorageMessage(context, windowId, msg),
+    media: (windowId, msg) => handleMediaMessage(context, windowId, msg),
+    keys: (windowId, msg) => handleKeysMessage(context, windowId, msg),
+    notify: (windowId, msg) => handleNotifyMessage(context, windowId, msg),
+    theme: (windowId, msg) => handleThemeMessage(context, windowId, msg),
+    config: (windowId, msg) => handleServiceOnlyMessage(context, "config", windowId, msg),
+    resource: (windowId, msg) => handleServiceOnlyMessage(context, "resource", windowId, msg),
+    cvm: (windowId, msg) => handleServiceOnlyMessage(context, "cvm", windowId, msg),
+    outbox: (windowId, msg) => handleServiceOnlyMessage(context, "outbox", windowId, msg)
+  };
+}
+function handleStorageMessage(context, windowId, msg) {
+  const { aclState, hooks, sessionRegistry } = context;
+  handleStorageNub(windowId, msg, hooks.sendToNapplet, sessionRegistry, aclState, hooks.statePersistence);
+}
+function handleMediaMessage(context, windowId, msg) {
+  const { hooks, serviceRegistry } = context;
+  const mediaService = serviceRegistry["media"];
+  if (mediaService) {
+    mediaService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+    return;
+  }
+  if (msg.type === "media.session.create") {
+    const m = msg;
+    if (m.owner !== "napplet" && m.owner !== "shell") {
+      hooks.sendToNapplet(windowId, {
+        type: "media.session.create.result",
+        id: m.id ?? "",
+        error: "missing owner"
+      });
+      return;
+    }
+    if (m.owner === "shell") {
+      hooks.sendToNapplet(windowId, {
+        type: "media.session.create.result",
+        id: m.id ?? "",
+        owner: "shell",
+        error: "unsupported owner mode"
+      });
+      return;
+    }
+    hooks.sendToNapplet(windowId, {
+      type: "media.session.create.result",
+      id: m.id ?? "",
+      sessionId: m.sessionId ?? "",
+      owner: m.owner
+    });
+  }
+}
+function handleKeysMessage(context, windowId, msg) {
+  const { hooks, serviceRegistry } = context;
+  const keysService = serviceRegistry["keys"];
+  if (keysService) {
+    keysService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+    return;
+  }
+  if (msg.type === "keys.forward") {
+    forwardHotkey(hooks, msg);
+    return;
+  }
+  if (msg.type === "keys.registerAction") sendRegisterActionResult(hooks, windowId, msg);
+}
+function forwardHotkey(hooks, msg) {
+  const m = msg;
+  hooks.hotkeys.executeHotkeyFromForward({
+    key: m.key ?? "",
+    code: m.code ?? "",
+    ctrlKey: !!m.ctrl,
+    altKey: !!m.alt,
+    shiftKey: !!m.shift,
+    metaKey: !!m.meta
+  });
+}
+function sendRegisterActionResult(hooks, windowId, msg) {
+  const m = msg;
+  hooks.sendToNapplet(windowId, {
+    type: "keys.registerAction.result",
+    id: m.id ?? "",
+    actionId: m.action?.id ?? "",
+    ...m.action?.defaultKey ? { binding: m.action.defaultKey } : {}
+  });
+}
+function handleNotifyMessage(context, windowId, msg) {
+  const { hooks, serviceRegistry } = context;
+  const notifyService = serviceRegistry["notify"];
+  if (notifyService) {
+    notifyService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+    return;
+  }
+  if (msg.type === "notify.send") {
+    const m = msg;
+    hooks.sendToNapplet(windowId, { type: "notify.send.result", id: m.id ?? "", notificationId: `shell-${Date.now()}` });
+  } else if (msg.type === "notify.permission.request") {
+    const m = msg;
+    hooks.sendToNapplet(windowId, { type: "notify.permission.result", id: m.id ?? "", granted: true });
+  }
+}
+function handleThemeMessage(context, windowId, msg) {
+  const { hooks, serviceRegistry } = context;
+  const themeService = serviceRegistry["theme"];
+  if (themeService) {
+    themeService.handleMessage(windowId, msg, (resp) => hooks.sendToNapplet(windowId, resp));
+    return;
+  }
+  if (msg.type === "theme.get") {
+    const m = msg;
+    hooks.sendToNapplet(windowId, {
+      type: "theme.get.result",
+      id: m.id ?? "",
+      theme: THEME_FALLBACK_DEFAULT
+    });
+  }
+}
+function handleServiceOnlyMessage(context, name, windowId, msg) {
+  const service = context.serviceRegistry[name];
+  if (!service) return;
+  service.handleMessage(windowId, msg, (resp) => context.hooks.sendToNapplet(windowId, resp));
+}
 // src/runtime.ts
-function createRuntime(hooks) {
-  const subscriptions = /* @__PURE__ */ new Map();
-  const ifcSubscriptions = /* @__PURE__ */ new Map();
-  const ifcChannels = /* @__PURE__ */ new Map();
-  const ifcChannelsByWindow = /* @__PURE__ */ new Map();
-  let _consentHandler = null;
-  const serviceRegistry = { ...hooks.services ?? {} };
+function createRegisteredServices(serviceRegistry) {
   const registeredServices = /* @__PURE__ */ new Map();
   for (const [name, handler] of Object.entries(serviceRegistry)) {
     registeredServices.set(name, {
@@ -549,824 +1200,37 @@ function createRuntime(hooks) {
       description: handler.descriptor.description
     });
   }
-  const undeclaredServiceConsents = /* @__PURE__ */ new Set();
-  const sessionRegistry = createSessionRegistry(hooks.onPendingUpdate);
-  const aclState = createAclState(hooks.aclPersistence);
-  const manifestCache = createManifestCache(hooks.manifestPersistence);
-  const replayDetector = createReplayDetector(
-    hooks.getConfigOverrides ? () => hooks.getConfigOverrides().replayWindowSeconds : void 0
-  );
-  const enforce = createEnforceGate({
-    checkAcl: (pubkey, dTag, aggregateHash, capability) => aclState.check(pubkey, dTag, aggregateHash, capability),
-    resolveIdentity: (pubkey) => {
-      const entry = sessionRegistry.getEntry(pubkey);
-      return entry ? { dTag: entry.dTag, aggregateHash: entry.aggregateHash } : void 0;
-    },
-    onAclCheck: hooks.onAclCheck
-  });
-  const enforceNub = createNubEnforceGate({
-    checkAcl: (pubkey, dTag, aggregateHash, capability) => aclState.check(pubkey, dTag, aggregateHash, capability),
-    resolveIdentityByWindowId: (windowId) => {
-      const entry = sessionRegistry.getEntryByWindowId(windowId);
-      return entry ? { dTag: entry.dTag, aggregateHash: entry.aggregateHash } : void 0;
-    },
-    onAclCheck: hooks.onAclCheck
-  });
-  const eventBuffer = createEventBuffer(
-    hooks.sendToNapplet,
-    sessionRegistry,
-    enforce,
-    subscriptions,
-    hooks.getConfigOverrides ? () => hooks.getConfigOverrides().ringBufferSize ?? RING_BUFFER_SIZE : void 0
-  );
-  aclState.load();
-  manifestCache.load();
-  function checkCompatibility(requires, windowId, eventId) {
-    if (requires.length === 0) return true;
-    const available = Array.from(registeredServices.values());
-    const registeredNames = new Set(registeredServices.keys());
-    const missing = requires.filter((name) => !registeredNames.has(name));
-    const compatible = missing.length === 0;
-    if (!compatible) {
-      const report = { available, missing, compatible };
-      hooks.onCompatibilityIssue?.(report);
-      if (hooks.strictMode) {
-        hooks.sendToNapplet(windowId, [
-          "OK",
-          eventId,
-          false,
-          `blocked: missing required services: ${missing.join(", ")}`
-        ]);
-        return false;
-      }
-    }
-    return true;
-  }
-  function checkUndeclaredService(windowId, pubkey, serviceName, event, onApproved) {
-    if (!registeredServices.has(serviceName)) return true;
-    const nappletPubkey = sessionRegistry.getPubkey(windowId);
-    if (!nappletPubkey) return true;
-    const nappletEntry = sessionRegistry.getEntry(nappletPubkey);
-    if (!nappletEntry) return true;
-    const requires = manifestCache.getRequires(nappletEntry.pubkey, nappletEntry.dTag);
-    if (requires.includes(serviceName)) return true;
-    const consentKey = `${windowId}:${serviceName}`;
-    if (undeclaredServiceConsents.has(consentKey)) return true;
-    if (_consentHandler) {
-      _consentHandler({
-        type: "undeclared-service",
-        windowId,
-        pubkey,
-        event,
-        serviceName,
-        resolve: (allowed) => {
-          if (allowed) {
-            undeclaredServiceConsents.add(consentKey);
-            onApproved();
-          }
-        }
-      });
-      return false;
-    }
-    return false;
-  }
-  function handleHotkeyForward(event) {
-    const keyData = {
-      key: event.tags?.find((t) => t[0] === "key")?.[1] ?? "",
-      code: event.tags?.find((t) => t[0] === "code")?.[1] ?? "",
-      ctrlKey: event.tags?.find((t) => t[0] === "ctrl")?.[1] === "1",
-      altKey: event.tags?.find((t) => t[0] === "alt")?.[1] === "1",
-      shiftKey: event.tags?.find((t) => t[0] === "shift")?.[1] === "1",
-      metaKey: event.tags?.find((t) => t[0] === "meta")?.[1] === "1"
-    };
-    hooks.hotkeys.executeHotkeyFromForward(keyData);
-  }
-  function handleShellCommand(event, windowId, topic) {
-    function sendOk(success, reason) {
-      hooks.sendToNapplet(windowId, ["OK", event.id, success, reason]);
-    }
-    function sendInterPaneReply(replyTopic, content) {
-      const responseEvent = {
-        kind: 29e3,
-        // IPC_PEER — inlined numeric after Phase 24 shim deletion
-        pubkey: "",
-        created_at: Math.floor(Date.now() / 1e3),
-        tags: [["t", replyTopic]],
-        content,
-        id: "",
-        sig: ""
-      };
-      hooks.sendToNapplet(windowId, ["EVENT", "__shell__", responseEvent]);
-      sendOk(true, "");
-    }
-    switch (topic) {
-      case "shell:acl-get": {
-        const aclEntries = aclState.getAllEntries();
-        const nappletEntries = sessionRegistry.getAllEntries();
-        const nappletInfoMap = {};
-        for (const e of nappletEntries) nappletInfoMap[e.pubkey] = { type: e.type, registeredAt: e.registeredAt };
-        const merged = [...aclEntries];
-        for (const e of nappletEntries) {
-          if (!merged.find((a) => a.pubkey === e.pubkey)) {
-            merged.push({ pubkey: e.pubkey, capabilities: [...ALL_CAPABILITIES], blocked: false });
-          }
-        }
-        const display = merged.map((e) => ({
-          ...e,
-          type: nappletInfoMap[e.pubkey]?.type ?? "unknown",
-          registeredAt: nappletInfoMap[e.pubkey]?.registeredAt ?? 0
-        }));
-        sendInterPaneReply("shell:acl-current", JSON.stringify({ entries: display }));
-        break;
-      }
-      case "shell:acl-revoke":
-      case "shell:acl-grant":
-      case "shell:acl-block":
-      case "shell:acl-unblock": {
-        const pk = event.tags?.find((t) => t[0] === "pubkey")?.[1];
-        const cap = event.tags?.find((t) => t[0] === "cap")?.[1];
-        if (!pk) {
-          sendOk(false, "error: missing pubkey tag");
-          break;
-        }
-        const ne = sessionRegistry.getEntry(pk);
-        if (topic === "shell:acl-revoke" && cap) aclState.revoke(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "", cap);
-        else if (topic === "shell:acl-grant" && cap) aclState.grant(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "", cap);
-        else if (topic === "shell:acl-block") aclState.block(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "");
-        else if (topic === "shell:acl-unblock") aclState.unblock(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "");
-        aclState.persist();
-        const ae = aclState.getEntry(pk, ne?.dTag ?? "", ne?.aggregateHash ?? "");
-        sendInterPaneReply("shell:acl-current", JSON.stringify({ entries: ae ? [ae] : [] }));
-        break;
-      }
-      case "shell:relay-get":
-        sendInterPaneReply("shell:relay-current", JSON.stringify(hooks.relayConfig.getRelayConfig()));
-        break;
-      case "shell:relay-add": {
-        const tier = event.tags?.find((t) => t[0] === "tier")?.[1];
-        const url = event.tags?.find((t) => t[0] === "url")?.[1];
-        if (tier && url) {
-          hooks.relayConfig.addRelay(tier, url);
-          sendInterPaneReply("shell:relay-current", JSON.stringify(hooks.relayConfig.getRelayConfig()));
-        } else sendOk(false, "error: missing tier/url");
-        break;
-      }
-      case "shell:relay-remove": {
-        const tier = event.tags?.find((t) => t[0] === "tier")?.[1];
-        const url = event.tags?.find((t) => t[0] === "url")?.[1];
-        if (tier && url) {
-          hooks.relayConfig.removeRelay(tier, url);
-          sendInterPaneReply("shell:relay-current", JSON.stringify(hooks.relayConfig.getRelayConfig()));
-        } else sendOk(false, "error: missing tier/url");
-        break;
-      }
-      case "shell:relay-nip66":
-        sendInterPaneReply("shell:relay-nip66-data", JSON.stringify(hooks.relayConfig.getNip66Suggestions()));
-        break;
-      case "shell:relay-scoped-connect": {
-        const url = event.tags?.find((t) => t[0] === "url")?.[1];
-        const subId = event.tags?.find((t) => t[0] === "sub-id")?.[1];
-        const filtersTag = event.tags?.find((t) => t[0] === "filters")?.[1];
-        if (!url || !subId || !filtersTag) {
-          sendOk(false, "error: missing tags");
-          break;
-        }
-        try {
-          const filters = JSON.parse(filtersTag);
-          hooks.relayPool?.openScopedRelay(windowId, url, subId, filters, hooks.sendToNapplet);
-          sendOk(true, "");
-        } catch {
-          sendOk(false, "error: invalid filters");
-        }
-        break;
-      }
-      case "shell:relay-scoped-close":
-        hooks.relayPool?.closeScopedRelay(windowId);
-        sendOk(true, "");
-        break;
-      case "shell:relay-scoped-publish": {
-        const et = event.tags?.find((t) => t[0] === "event")?.[1];
-        if (!et) {
-          sendOk(false, "error: missing event tag");
-          break;
-        }
-        try {
-          const signed = JSON.parse(et);
-          const ok = hooks.relayPool?.publishToScopedRelay(windowId, signed) ?? false;
-          sendOk(ok, ok ? "" : "error: no active scoped relay");
-        } catch {
-          sendOk(false, "error: invalid event JSON");
-        }
-        break;
-      }
-      case "shell:create-window": {
-        try {
-          const payload = JSON.parse(event.content);
-          if (!payload.title || !payload.class) {
-            sendOk(false, "error: requires title and class");
-            break;
-          }
-          const id = hooks.windowManager.createWindow({ title: payload.title, class: payload.class, iframeSrc: payload.iframeSrc });
-          sendOk(!!id, id ? "" : "error: window creation failed");
-        } catch {
-          sendOk(false, "error: invalid JSON");
-        }
-        break;
-      }
-      case "shell:send-dm": {
-        if (hooks.dm) {
-          const corrId = event.tags?.find((t) => t[0] === "id")?.[1] ?? "";
-          const recipient = event.tags?.find((t) => t[0] === "p")?.[1];
-          let message;
-          try {
-            message = JSON.parse(event.content).message;
-          } catch {
-          }
-          if (!recipient || !message) {
-            sendOk(false, "error: missing recipient or message");
-            break;
-          }
-          hooks.dm.sendDm(recipient, message).then((result) => {
-            const payload = result.success ? { success: true, ...result.eventId ? { eventId: result.eventId } : {} } : { success: false, error: result.error ?? "unknown error" };
-            const response = {
-              kind: 29e3,
-              // IPC_PEER — inlined numeric after Phase 24 shim deletion
-              pubkey: "",
-              created_at: Math.floor(Date.now() / 1e3),
-              tags: [["t", "shell:send-dm-result"], ["id", corrId]],
-              content: JSON.stringify(payload),
-              id: "",
-              sig: ""
-            };
-            hooks.sendToNapplet(windowId, ["EVENT", "__shell__", response]);
-            sendOk(result.success, result.success ? "" : `error: ${result.error}`);
-          }).catch(() => {
-            sendOk(false, "error: DM send failed");
-          });
-        } else sendOk(false, "error: DM hooks not configured");
-        break;
-      }
-      default:
-        sendOk(true, "");
-        break;
-    }
-  }
-  function handleRelayMessage(windowId, msg) {
-    const m = msg;
-    const dotIdx = msg.type.indexOf(".");
-    const action = msg.type.slice(dotIdx + 1);
-    switch (action) {
-      case "subscribe": {
-        let deliver2 = function(event) {
-          if (seenIds.has(event.id)) return;
-          seenIds.add(event.id);
-          if (subscriptions.has(subKey)) {
-            hooks.sendToNapplet(windowId, { type: "relay.event", subId, event });
-          }
-        };
-        var deliver = deliver2;
-        const subId = m.subId ?? "";
-        const filters = m.filters ?? [];
-        if (!subId) return;
-        const subKey = `${windowId}:${subId}`;
-        subscriptions.set(subKey, { windowId, filters });
-        const seenIds = /* @__PURE__ */ new Set();
-        for (const bufferedEvent of eventBuffer.getBufferedEvents()) {
-          if (matchesAnyFilter(bufferedEvent, filters)) deliver2(bufferedEvent);
-        }
-        const isShellKind = filters.length > 0 && filters.every((f) => f.kinds?.every((k) => k >= 29e3 && k < 3e4));
-        if (!isShellKind) {
-          const relayService = serviceRegistry["relay"] ?? serviceRegistry["relay-pool"];
-          const cacheService = !serviceRegistry["relay"] ? serviceRegistry["cache"] : void 0;
-          if (relayService) {
-            relayService.handleMessage(windowId, msg, (resp) => {
-              if (!subscriptions.has(subKey)) return;
-              hooks.sendToNapplet(windowId, resp);
-            });
-            if (cacheService) cacheService.handleMessage(windowId, msg, (resp) => {
-              if (!subscriptions.has(subKey)) return;
-              hooks.sendToNapplet(windowId, resp);
-            });
-            return;
-          }
-        }
-        const cache = hooks.cache;
-        if (cache?.isAvailable() && !isShellKind) {
-          cache.query(filters).then((cachedEvents) => {
-            for (const event of cachedEvents) deliver2(event);
-          }).catch(() => {
-          });
-        }
-        const pool = hooks.relayPool;
-        if (pool?.isAvailable() && !isShellKind) {
-          const relayUrls = pool.selectRelayTier(filters);
-          let eoseSent = false;
-          const eoseFallbackTimer = setTimeout(() => {
-            if (!eoseSent) {
-              eoseSent = true;
-              hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
-            }
-          }, 15e3);
-          const subscription = pool.subscribe(filters, (item) => {
-            if (item === "EOSE") {
-              clearTimeout(eoseFallbackTimer);
-              if (!eoseSent) {
-                eoseSent = true;
-                hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
-              }
-              return;
-            }
-            deliver2(item);
-            if (cache?.isAvailable() && !isShellKind) {
-              try {
-                cache.store(item);
-              } catch {
-              }
-            }
-          }, relayUrls);
-          pool.trackSubscription(subKey, () => {
-            clearTimeout(eoseFallbackTimer);
-            subscription.unsubscribe();
-          });
-        } else if (!isShellKind) {
-          hooks.sendToNapplet(windowId, { type: "relay.eose", subId });
-        }
-        break;
-      }
-      case "close": {
-        const subId = m.subId ?? "";
-        if (!subId) return;
-        const subKey = `${windowId}:${subId}`;
-        subscriptions.delete(subKey);
-        const relayService = serviceRegistry["relay"] ?? serviceRegistry["relay-pool"];
-        if (relayService) {
-          relayService.handleMessage(windowId, msg, () => {
-          });
-        }
-        hooks.relayPool?.untrackSubscription(subKey);
-        hooks.sendToNapplet(windowId, { type: "relay.closed", subId, message: "" });
-        break;
-      }
-      case "publish": {
-        const event = m.event;
-        const id = m.id ?? "";
-        if (!event || typeof event !== "object") {
-          hooks.sendToNapplet(windowId, { type: "relay.publish.error", id, error: "invalid event" });
-          return;
-        }
-        const replayResult = replayDetector.check(event);
-        if (replayResult !== null) {
-          hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: false, message: replayResult });
-          return;
-        }
-        const relayService = serviceRegistry["relay"] ?? serviceRegistry["relay-pool"];
-        if (relayService) {
-          relayService.handleMessage(windowId, msg, (resp) => {
-            hooks.sendToNapplet(windowId, resp);
-          });
-        } else if (hooks.relayPool?.isAvailable()) {
-          hooks.relayPool.publish(event);
-          hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: true });
-        } else {
-          hooks.sendToNapplet(windowId, { type: "relay.publish.result", id, accepted: false, message: "no relay pool available" });
-        }
-        eventBuffer.bufferAndDeliver(event, windowId);
-        break;
-      }
-      // Shell-mediated encryption path (NUB-08 / SH-C03). Napplets hand the
-      // shell a plaintext EventTemplate plus a recipient pubkey; the shell
-      // encrypts via its own signer (nip44 default, nip04 opt-in), signs,
-      // publishes, and returns a relay.publishEncrypted.result. The signer's
-      // nip04/nip44 primitives are SHELL-INTERNAL — no napplet-visible
-      // message surface reaches them (SignerProxy was deleted in Plan 12-01).
-      case "publishEncrypted": {
-        let replyPe2 = function(ok, extra = {}) {
-          hooks.sendToNapplet(windowId, {
-            type: "relay.publishEncrypted.result",
-            id,
-            ok,
-            ...extra
-          });
-        };
-        var replyPe = replyPe2;
-        const id = m.id ?? "";
-        const eventTemplate = m.event;
-        const peMsg = msg;
-        const recipient = peMsg.recipient ?? "";
-        const encryption = peMsg.encryption ?? "nip44";
-        if (!recipient) {
-          replyPe2(false, { error: "missing recipient" });
-          break;
-        }
-        if (encryption !== "nip44" && encryption !== "nip04") {
-          replyPe2(false, { error: `unsupported encryption scheme: ${encryption}` });
-          break;
-        }
-        const peSigner = hooks.auth.getSigner();
-        if (!peSigner) {
-          replyPe2(false, { error: "no signer configured" });
-          break;
-        }
-        if (!eventTemplate || typeof eventTemplate !== "object") {
-          replyPe2(false, { error: "invalid event template" });
-          break;
-        }
-        (async () => {
-          try {
-            const plaintext = String(eventTemplate.content ?? "");
-            const ciphertext = encryption === "nip44" ? await peSigner.nip44?.encrypt(recipient, plaintext) ?? "" : await peSigner.nip04?.encrypt(recipient, plaintext) ?? "";
-            const eventWithCiphertext = { ...eventTemplate, content: ciphertext };
-            const signed = await peSigner.signEvent?.(eventWithCiphertext);
-            if (!signed) {
-              replyPe2(false, { error: "signEvent returned null" });
-              return;
-            }
-            const relayService = serviceRegistry["relay"] ?? serviceRegistry["relay-pool"];
-            if (relayService) {
-              const publishMsg = { type: "relay.publish", id, event: signed };
-              let replied = false;
-              relayService.handleMessage(windowId, publishMsg, (resp) => {
-                if (replied) return;
-                const r = resp;
-                if (typeof r.type === "string" && r.type.startsWith("relay.publish")) {
-                  const okVal = r.ok ?? r.accepted ?? false;
-                  replied = true;
-                  replyPe2(okVal, {
-                    event: signed,
-                    eventId: signed.id,
-                    ...okVal ? {} : { error: r.error ?? r.message ?? "publish failed" }
-                  });
-                }
-              });
-              if (!replied) {
-                replied = true;
-                replyPe2(true, { event: signed, eventId: signed.id });
-              }
-            } else if (hooks.relayPool?.isAvailable()) {
-              hooks.relayPool.publish(signed);
-              replyPe2(true, { event: signed, eventId: signed.id });
-            } else {
-              replyPe2(false, { error: "no relay pool available" });
-            }
-            try {
-              eventBuffer.bufferAndDeliver(signed, windowId);
-            } catch {
-            }
-          } catch (err) {
-            replyPe2(false, { error: err?.message ?? "encryption failed" });
-          }
-        })();
-        break;
-      }
-      case "query": {
-        const id = m.id ?? "";
-        const filters = m.filters ?? [];
-        let count = 0;
-        for (const event of eventBuffer.getBufferedEvents()) {
-          if (matchesAnyFilter(event, filters)) count++;
-        }
-        hooks.sendToNapplet(windowId, { type: "relay.query.result", id, count });
-        break;
-      }
-      default:
-        break;
-    }
-  }
-  function handleIdentityMessage(windowId, msg) {
-    const identityService = serviceRegistry["identity"];
-    if (identityService) {
-      identityService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    const id = msg.id ?? "";
-    const action = msg.type.slice("identity.".length);
-    const signer = hooks.auth.getSigner();
-    function sendError(error) {
-      hooks.sendToNapplet(windowId, { type: `${msg.type}.error`, id, error });
-    }
-    function sendResult(payload) {
-      hooks.sendToNapplet(windowId, { type: `${msg.type}.result`, id, ...payload });
-    }
-    switch (action) {
-      case "getPublicKey": {
-        if (!signer) {
-          sendError("no signer configured");
-          return;
-        }
-        Promise.resolve(signer.getPublicKey?.()).then((pubkey) => sendResult({ pubkey })).catch((err) => sendError(err?.message ?? "getPublicKey failed"));
-        return;
-      }
-      case "getRelays": {
-        if (!signer) {
-          sendError("no signer configured");
-          return;
-        }
-        Promise.resolve(signer.getRelays?.() ?? {}).then((relays) => sendResult({ relays })).catch((err) => sendError(err?.message ?? "getRelays failed"));
-        return;
-      }
-      case "getProfile":
-        sendResult({ profile: null });
-        return;
-      case "getFollows":
-        sendResult({ pubkeys: [] });
-        return;
-      case "getList":
-        sendResult({ entries: [] });
-        return;
-      case "getZaps":
-        sendResult({ zaps: [] });
-        return;
-      case "getMutes":
-        sendResult({ pubkeys: [] });
-        return;
-      case "getBlocked":
-        sendResult({ pubkeys: [] });
-        return;
-      case "getBadges":
-        sendResult({ badges: [] });
-        return;
-      default:
-        sendError(`Unknown identity action: ${action}`);
-    }
-  }
-  function handleStorageMessage(windowId, msg) {
-    handleStorageNub(windowId, msg, hooks.sendToNapplet, sessionRegistry, aclState, hooks.statePersistence);
-  }
-  function ifcAddChannel(channelId, peerA, peerB) {
-    ifcChannels.set(channelId, { channelId, peerA, peerB });
-    for (const w of [peerA, peerB]) {
-      let set = ifcChannelsByWindow.get(w);
-      if (!set) {
-        set = /* @__PURE__ */ new Set();
-        ifcChannelsByWindow.set(w, set);
-      }
-      set.add(channelId);
-    }
-  }
-  function ifcRemoveChannel(channelId) {
-    const ch = ifcChannels.get(channelId);
-    if (!ch) return;
-    ifcChannels.delete(channelId);
-    for (const w of [ch.peerA, ch.peerB]) {
-      const set = ifcChannelsByWindow.get(w);
-      if (set) {
-        set.delete(channelId);
-        if (set.size === 0) ifcChannelsByWindow.delete(w);
-      }
-    }
-  }
-  function ifcPeerOf(channelId, self) {
-    const ch = ifcChannels.get(channelId);
-    if (!ch) return null;
-    if (ch.peerA === self) return ch.peerB;
-    if (ch.peerB === self) return ch.peerA;
-    return null;
-  }
-  function ifcGenerateChannelId() {
-    return hooks.crypto.randomUUID().replace(/-/g, "").slice(0, 32);
-  }
-  function ifcResolveTarget(target) {
-    if (sessionRegistry.getEntryByWindowId(target)) return target;
-    const entries = sessionRegistry.getAllEntries();
-    const byPubkey = entries.find((e) => e.pubkey === target);
-    return byPubkey?.windowId ?? null;
-  }
-  function handleIfcMessage(windowId, msg) {
-    const m = msg;
-    const dotIdx = msg.type.indexOf(".");
-    const action = msg.type.slice(dotIdx + 1);
-    switch (action) {
-      case "emit": {
-        const topic = m.topic ?? "";
-        const payload = m.payload;
-        if (!topic) return;
-        const subscribers = ifcSubscriptions.get(topic);
-        if (subscribers) {
-          for (const subscriberWindowId of subscribers) {
-            if (subscriberWindowId === windowId) continue;
-            hooks.sendToNapplet(subscriberWindowId, { type: "ifc.event", topic, payload, sender: windowId });
-          }
-        }
-        return;
-      }
-      case "subscribe": {
-        const id = m.id ?? "";
-        const topic = m.topic ?? "";
-        if (!topic) {
-          hooks.sendToNapplet(windowId, { type: "ifc.subscribe.result", id, error: "missing topic" });
-          return;
-        }
-        let subs = ifcSubscriptions.get(topic);
-        if (!subs) {
-          subs = /* @__PURE__ */ new Set();
-          ifcSubscriptions.set(topic, subs);
-        }
-        subs.add(windowId);
-        hooks.sendToNapplet(windowId, { type: "ifc.subscribe.result", id });
-        return;
-      }
-      case "unsubscribe": {
-        const topic = m.topic ?? "";
-        if (!topic) return;
-        const subs = ifcSubscriptions.get(topic);
-        if (subs) {
-          subs.delete(windowId);
-          if (subs.size === 0) ifcSubscriptions.delete(topic);
-        }
-        return;
-      }
-      case "channel.open": {
-        const id = m.id ?? "";
-        const target = m.target ?? "";
-        const peerWindow = ifcResolveTarget(target);
-        if (!peerWindow) {
-          hooks.sendToNapplet(windowId, { type: "ifc.channel.open.result", id, error: "target not found" });
-          return;
-        }
-        const channelId = ifcGenerateChannelId();
-        ifcAddChannel(channelId, windowId, peerWindow);
-        hooks.sendToNapplet(windowId, { type: "ifc.channel.open.result", id, channelId, peer: peerWindow });
-        return;
-      }
-      case "channel.emit": {
-        const channelId = m.channelId ?? "";
-        const peer = ifcPeerOf(channelId, windowId);
-        if (!peer) return;
-        hooks.sendToNapplet(peer, { type: "ifc.channel.event", channelId, sender: windowId, payload: m.payload });
-        return;
-      }
-      case "channel.broadcast": {
-        const channels = ifcChannelsByWindow.get(windowId);
-        if (!channels) return;
-        for (const channelId of channels) {
-          const peer = ifcPeerOf(channelId, windowId);
-          if (peer) hooks.sendToNapplet(peer, { type: "ifc.channel.event", channelId, sender: windowId, payload: m.payload });
-        }
-        return;
-      }
-      case "channel.list": {
-        const id = m.id ?? "";
-        const channels = [];
-        const set = ifcChannelsByWindow.get(windowId);
-        if (set) {
-          for (const channelId of set) {
-            const peer = ifcPeerOf(channelId, windowId);
-            if (peer) channels.push({ id: channelId, peer });
-          }
-        }
-        hooks.sendToNapplet(windowId, { type: "ifc.channel.list.result", id, channels });
-        return;
-      }
-      case "channel.close": {
-        const channelId = m.channelId ?? "";
-        const peer = ifcPeerOf(channelId, windowId);
-        if (!peer) return;
-        hooks.sendToNapplet(windowId, { type: "ifc.channel.closed", channelId });
-        hooks.sendToNapplet(peer, { type: "ifc.channel.closed", channelId });
-        ifcRemoveChannel(channelId);
-        return;
-      }
-      default:
-        return;
-    }
-  }
-  function handleMediaMessage(windowId, msg) {
-    const mediaService = serviceRegistry["media"];
-    if (mediaService) {
-      mediaService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    if (msg.type === "media.session.create") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "media.session.create.result",
-        id: m.id ?? "",
-        sessionId: m.sessionId ?? ""
-      });
-    }
-  }
-  function handleKeysMessage(windowId, msg) {
-    const keysService = serviceRegistry["keys"];
-    if (keysService) {
-      keysService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    if (msg.type === "keys.forward") {
-      const m = msg;
-      hooks.hotkeys.executeHotkeyFromForward({
-        key: m.key ?? "",
-        code: m.code ?? "",
-        ctrlKey: !!m.ctrl,
-        altKey: !!m.alt,
-        shiftKey: !!m.shift,
-        metaKey: !!m.meta
-      });
-      return;
-    }
-    if (msg.type === "keys.registerAction") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "keys.registerAction.result",
-        id: m.id ?? "",
-        actionId: m.action?.id ?? "",
-        ...m.action?.defaultKey ? { binding: m.action.defaultKey } : {}
-      });
-      return;
-    }
-  }
-  function handleNotifyMessage(windowId, msg) {
-    const notifyService = serviceRegistry["notify"];
-    if (notifyService) {
-      notifyService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    if (msg.type === "notify.send") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "notify.send.result",
-        id: m.id ?? "",
-        notificationId: `shell-${Date.now()}`
-      });
-    } else if (msg.type === "notify.permission.request") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "notify.permission.result",
-        id: m.id ?? "",
-        granted: true
-      });
-    }
-  }
-  const THEME_FALLBACK_DEFAULT = {
-    colors: { background: "#0a0a0a", text: "#e0e0e0", primary: "#7aa2f7" }
-  };
-  function handleThemeMessage(windowId, msg) {
-    const themeService = serviceRegistry["theme"];
-    if (themeService) {
-      themeService.handleMessage(windowId, msg, (resp) => {
-        hooks.sendToNapplet(windowId, resp);
-      });
-      return;
-    }
-    if (msg.type === "theme.get") {
-      const m = msg;
-      hooks.sendToNapplet(windowId, {
-        type: "theme.get.result",
-        id: m.id ?? "",
-        theme: THEME_FALLBACK_DEFAULT
-      });
-    }
-  }
+  return registeredServices;
+}
+function createNubEnvelopeDispatcher(handlers) {
   let currentWindowId = null;
   const nubDispatch = createDispatch();
-  const relayAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleRelayMessage(currentWindowId, msg);
-  };
-  const identityAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleIdentityMessage(currentWindowId, msg);
-  };
-  const keysAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleKeysMessage(currentWindowId, msg);
-  };
-  const mediaAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleMediaMessage(currentWindowId, msg);
-  };
-  const notifyAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleNotifyMessage(currentWindowId, msg);
-  };
-  const storageAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleStorageMessage(currentWindowId, msg);
-  };
-  const ifcAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleIfcMessage(currentWindowId, msg);
+  const adapt = (handler) => (msg) => {
+    if (currentWindowId !== null) handler(currentWindowId, msg);
   };
-  const themeAdapter = (msg) => {
-    if (currentWindowId === null) return;
-    handleThemeMessage(currentWindowId, msg);
+  nubDispatch.registerNub("relay", adapt(handlers.relay));
+  nubDispatch.registerNub("identity", adapt(handlers.identity));
+  nubDispatch.registerNub("keys", adapt(handlers.keys));
+  nubDispatch.registerNub("media", adapt(handlers.media));
+  nubDispatch.registerNub("notify", adapt(handlers.notify));
+  nubDispatch.registerNub("storage", adapt(handlers.storage));
+  nubDispatch.registerNub("ifc", adapt(handlers.ifc));
+  nubDispatch.registerNub("theme", adapt(handlers.theme));
+  nubDispatch.registerNub("config", adapt(handlers.config));
+  nubDispatch.registerNub("resource", adapt(handlers.resource));
+  nubDispatch.registerNub("cvm", adapt(handlers.cvm));
+  nubDispatch.registerNub("outbox", adapt(handlers.outbox));
+  return (windowId, envelope) => {
+    currentWindowId = windowId;
+    try {
+      nubDispatch.dispatch(envelope);
+    } finally {
+      currentWindowId = null;
+    }
   };
-  nubDispatch.registerNub("relay", relayAdapter);
-  nubDispatch.registerNub("identity", identityAdapter);
-  nubDispatch.registerNub("keys", keysAdapter);
-  nubDispatch.registerNub("media", mediaAdapter);
-  nubDispatch.registerNub("notify", notifyAdapter);
-  nubDispatch.registerNub("storage", storageAdapter);
-  nubDispatch.registerNub("ifc", ifcAdapter);
-  nubDispatch.registerNub("theme", themeAdapter);
-  function handleMessage(windowId, msg) {
+}
+function createMessageHandler(hooks, enforceNub, dispatchNubEnvelope) {
+  return (windowId, msg) => {
     if (typeof msg !== "object" || msg === null || !("type" in msg)) return;
     const envelope = msg;
     const dotIdx = envelope.type.indexOf(".");
@@ -1376,47 +1240,62 @@ function createRuntime(hooks) {
       const result = enforceNub(windowId, caps.senderCap, envelope);
       if (!result.allowed) {
         const id = envelope.id ?? "";
-        hooks.sendToNapplet(windowId, { type: `${envelope.type}.error`, id, error: formatDenialReason(result.capability) });
+        const isIdentityDecrypt = envelope.type === "identity.decrypt";
+        const isStorageEnvelope = envelope.type.startsWith("storage.");
+        const error = isIdentityDecrypt ? result.reason === "class-forbidden" ? "class-forbidden" : "policy-denied" : formatDenialReason(result.capability);
+        const type = isStorageEnvelope ? `${envelope.type}.result` : `${envelope.type}.error`;
+        hooks.sendToNapplet(windowId, { type, id, error });
         return;
       }
     }
-    currentWindowId = windowId;
-    try {
-      nubDispatch.dispatch(envelope);
-    } finally {
-      currentWindowId = null;
-    }
-  }
-  const runtimeInstance = {
-    handleMessage,
+    dispatchNubEnvelope(windowId, envelope);
+  };
+}
+function createInjectedEvent(hooks, topic, payload) {
+  const uuid = hooks.crypto.randomUUID().replace(/-/g, "").slice(0, 64).padEnd(64, "0");
+  return {
+    id: uuid,
+    pubkey: "0".repeat(64),
+    created_at: Math.floor(Date.now() / 1e3),
+    kind: 29e3,
+    tags: [["t", topic]],
+    content: JSON.stringify(payload),
+    sig: "0".repeat(128)
+  };
+}
+function createRuntimeInstance(context) {
+  const {
+    aclState,
+    eventBuffer,
+    hooks,
+    ifcRuntime,
+    manifestCache,
+    registeredServices,
+    replayDetector,
+    serviceRegistry,
+    sessionRegistry,
+    subscriptions
+  } = context;
+  const undeclaredServiceConsents = /* @__PURE__ */ new Set();
+  let consentHandler = null;
+  return {
+    handleMessage: context.handleMessage,
     injectEvent(topic, payload) {
-      const uuid = hooks.crypto.randomUUID().replace(/-/g, "").slice(0, 64).padEnd(64, "0");
-      const event = {
-        id: uuid,
-        pubkey: "0".repeat(64),
-        created_at: Math.floor(Date.now() / 1e3),
-        kind: 29e3,
-        // IPC_PEER — inlined numeric after Phase 24 shim deletion
-        tags: [["t", topic]],
-        content: JSON.stringify(payload),
-        sig: "0".repeat(128)
-      };
-      eventBuffer.bufferAndDeliver(event, null);
+      eventBuffer.bufferAndDeliver(createInjectedEvent(hooks, topic, payload), null);
     },
     destroy() {
       manifestCache.persist();
       aclState.persist();
       replayDetector.clear();
       subscriptions.clear();
-      ifcSubscriptions.clear();
-      ifcChannels.clear();
-      ifcChannelsByWindow.clear();
+      ifcRuntime.clear();
       eventBuffer.clear();
       registeredServices.clear();
       undeclaredServiceConsents.clear();
     },
     registerConsentHandler(handler) {
-      _consentHandler = handler;
+      consentHandler = handler;
+      void consentHandler;
     },
     registerService(name, handler) {
       serviceRegistry[name] = handler;
@@ -1437,20 +1316,7 @@ function createRuntime(hooks) {
           hooks.relayPool?.untrackSubscription(key);
         }
       }
-      for (const [topic, subs] of ifcSubscriptions) {
-        subs.delete(windowId);
-        if (subs.size === 0) ifcSubscriptions.delete(topic);
-      }
-      const channelIds = ifcChannelsByWindow.get(windowId);
-      if (channelIds) {
-        for (const channelId of [...channelIds]) {
-          const peer = ifcPeerOf(channelId, windowId);
-          if (peer) {
-            hooks.sendToNapplet(peer, { type: "ifc.channel.closed", channelId });
-          }
-          ifcRemoveChannel(channelId);
-        }
-      }
+      ifcRuntime.destroyWindow(windowId);
       notifyServiceWindowDestroyed(windowId, serviceRegistry);
     },
     get sessionRegistry() {
@@ -1463,7 +1329,64 @@ function createRuntime(hooks) {
       return manifestCache;
     }
   };
-  return runtimeInstance;
+}
+function createRuntime(hooks) {
+  const subscriptions = /* @__PURE__ */ new Map();
+  const serviceRegistry = { ...hooks.services };
+  const registeredServices = createRegisteredServices(serviceRegistry);
+  const sessionRegistry = createSessionRegistry(hooks.onPendingUpdate);
+  const aclState = createAclState(hooks.aclPersistence);
+  const manifestCache = createManifestCache(hooks.manifestPersistence);
+  const replayDetector = createReplayDetector(
+    hooks.getConfigOverrides ? () => hooks.getConfigOverrides().replayWindowSeconds : void 0
+  );
+  const enforce = createEnforceGate({
+    checkAcl: (pubkey, dTag, aggregateHash, capability) => aclState.check(pubkey, dTag, aggregateHash, capability),
+    resolveIdentity: (pubkey) => {
+      const entry = sessionRegistry.getEntry(pubkey);
+      return entry ? { dTag: entry.dTag, aggregateHash: entry.aggregateHash } : void 0;
+    },
+    onAclCheck: hooks.onAclCheck
+  });
+  const enforceNub = createNubEnforceGate({
+    checkAcl: (pubkey, dTag, aggregateHash, capability) => aclState.check(pubkey, dTag, aggregateHash, capability),
+    resolveIdentityByWindowId: (windowId) => {
+      const entry = sessionRegistry.getEntryByWindowId(windowId);
+      return entry ? { dTag: entry.dTag, aggregateHash: entry.aggregateHash, class: entry.class } : void 0;
+    },
+    onAclCheck: hooks.onAclCheck
+  });
+  const eventBuffer = createEventBuffer(
+    hooks.sendToNapplet,
+    sessionRegistry,
+    enforce,
+    subscriptions,
+    hooks.getConfigOverrides ? () => hooks.getConfigOverrides().ringBufferSize ?? RING_BUFFER_SIZE : void 0
+  );
+  aclState.load();
+  manifestCache.load();
+  const ifcRuntime = createIfcRuntime(hooks, sessionRegistry);
+  const domainHandlers = createRuntimeDomainHandlers({ hooks, serviceRegistry, sessionRegistry, aclState });
+  const dispatchNubEnvelope = createNubEnvelopeDispatcher({
+    relay: createRelayHandler({ hooks, serviceRegistry, subscriptions, eventBuffer, replayDetector }),
+    identity: createIdentityHandler({ hooks, serviceRegistry }),
+    ifc: ifcRuntime.handleMessage,
+    ...domainHandlers
+  });
+  const handleMessage = createMessageHandler(hooks, enforceNub, dispatchNubEnvelope);
+  return createRuntimeInstance({
+    hooks,
+    serviceRegistry,
+    registeredServices,
+    replayDetector,
+    subscriptions,
+    eventBuffer,
+    ifcRuntime,
+    sessionRegistry,
+    aclState,
+    manifestCache,
+    handleMessage
+  });
 }
 // src/index.ts