@nice-code/action 0.15.0 → 0.17.0

package/build/index.mjs

@@ -1,11 +1,12 @@
 import { n as ERunningActionState, r as ERunningActionUpdateType, t as ERunningActionFinishedType } from "./RunningAction.types-C176rqHG.mjs";
+import { i as ETransportStatus, n as isExchangeAcceptorCarrier, r as ETransportShape, t as wsAcceptorCarrier } from "./wsAcceptorCarrier-CXGlQU_f.mjs";
 import { nanoid } from "nanoid";
 import { NiceError, castNiceError, err, err_nice, isNiceErrorObject } from "@nice-code/error";
-import { runtime } from "std-env";
 import { extractMessageFromStandardSchema } from "@nice-code/common-errors";
-import { pack, unpack } from "msgpackr";
+import { runtime } from "std-env";
 import { ClientCryptoKeyLink, createTypedStorage } from "@nice-code/util";
 import * as v from "valibot";
+import { pack, unpack } from "msgpackr";
 const UNSET_RUNTIME_ENV_ID = "_unset_";
 //#endregion
 //#region src/ActionRuntime/utils/runtimeCoordinateToStringIds.ts
@@ -635,6 +636,156 @@ const isActionPayload_Result_JsonObject = (obj) => {
 	return isAction_Base_JsonObject(obj) && obj.result != null && obj.form === "data" && obj.type === "result";
 };
 //#endregion
+//#region src/ActionDefinition/Schema/ActionSchema.ts
+/**
+* What a sender should expect back from an action — declared on its schema so both ends agree without
+* any wire flag (each derives the mode from the shared `domain:id`).
+*
+* - `payload` — a typed output (the action has `.output(...)`); the sender awaits it.
+* - `ack` — an empty success confirming receipt (no output); the sender may await it to know the
+*   receiver handled it (or to surface an error). This is the default for an action with no output.
+* - `none` — fire-and-forget: the receiver sends no reply and the sender doesn't wait. The sender's
+*   running action completes as soon as the frame is on the wire (no pending reply, no timeout).
+*/
+let EActionResponseMode = /* @__PURE__ */ function(EActionResponseMode) {
+	EActionResponseMode["payload"] = "payload";
+	EActionResponseMode["ack"] = "ack";
+	EActionResponseMode["none"] = "none";
+	return EActionResponseMode;
+}({});
+var ActionSchema = class {
+	_errorDeclarations = [];
+	inputOptions;
+	outputOptions;
+	_responseMode;
+	get inputSchema() {
+		return this.inputOptions?.schema;
+	}
+	get outputSchema() {
+		return this.outputOptions?.schema;
+	}
+	/**
+	* The response contract for this action. Defaults are inferred — `payload` when an output schema is
+	* declared, otherwise `ack` — and made explicit by {@link ack} / {@link fireAndForget}.
+	*/
+	get responseMode() {
+		if (this._responseMode != null) return this._responseMode;
+		return this.outputOptions != null ? "payload" : "ack";
+	}
+	/**
+	* Mark this action as expecting only an acknowledgment (an empty success). Mostly for clarity — an
+	* output-less action already acks by default — but it documents intent and reads as the deliberate
+	* counterpart to {@link fireAndForget}.
+	*/
+	ack() {
+		this._responseMode = "ack";
+		return this;
+	}
+	/**
+	* Mark this action as fire-and-forget: the receiver sends no reply, and the sender's running action
+	* completes the moment the frame is sent (no awaited reply, no timeout). Ideal for high-frequency
+	* server→client pushes (presence, ticks) where an ack would only add wire chatter.
+	*/
+	fireAndForget() {
+		this._responseMode = "none";
+		return this;
+	}
+	/**
+	* Declare the input schema (JSON-native or with explicit SERDE type param).
+	* For non-JSON-native inputs, prefer the 3-argument form below to avoid
+	* needing explicit type parameters.
+	*/
+	input(options) {
+		this.inputOptions = options;
+		return this;
+	}
+	/**
+	* Declare the output schema (JSON-native or with explicit SERDE type param).
+	* For non-JSON-native outputs, prefer the 3-argument form below to avoid
+	* needing explicit type parameters.
+	*/
+	output(options) {
+		this.outputOptions = options;
+		return this;
+	}
+	throws(domain, ids) {
+		this._errorDeclarations.push({
+			_domain: domain,
+			_ids: ids
+		});
+		return this;
+	}
+	/**
+	* Serialize raw input to a JSON-serializable form.
+	* Uses the schema's serialization.serialize if defined; otherwise the input
+	* is already JSON-native and is returned as-is.
+	*/
+	serializeInput(rawInput) {
+		if (this.inputOptions?.serialization) return this.inputOptions.serialization.serialize(rawInput);
+		return rawInput;
+	}
+	/**
+	* Deserialize a JSON value back into the raw input type.
+	* Uses serialization.deserialize if defined; otherwise the value is cast
+	* directly (it's already in the correct shape).
+	*/
+	deserializeInput(serialized) {
+		if (this.inputOptions?.serialization) return this.inputOptions.serialization.deserialize(serialized);
+		return serialized;
+	}
+	/**
+	* Validate raw input against the schema defined via `.input({ schema })`.
+	* Throws `action_input_validation_failed` if validation fails.
+	* Returns the validated (and possibly coerced) value on success.
+	* If no input schema was declared, the value is passed through as-is.
+	*/
+	validateInput(value, meta) {
+		if (this.inputOptions?.schema == null) return value;
+		const result = this.inputOptions.schema["~standard"].validate(value);
+		if (result instanceof Promise) throw err_nice_action.fromId("action_input_validation_promise", {
+			domain: meta.domain,
+			actionId: meta.actionId
+		});
+		if (result.issues != null) throw err_nice_action.fromId("action_input_validation_failed", {
+			domain: meta.domain,
+			actionId: meta.actionId,
+			validationMessage: extractMessageFromStandardSchema(result)
+		});
+		return result.value;
+	}
+	validateOutput(value, meta) {
+		if (this.outputOptions?.schema == null) return value;
+		const result = this.outputOptions.schema["~standard"].validate(value);
+		if (result instanceof Promise) throw err_nice_action.fromId("action_output_validation_promise", {
+			domain: meta.domain,
+			actionId: meta.actionId
+		});
+		if (result.issues != null) throw err_nice_action.fromId("action_output_validation_failed", {
+			domain: meta.domain,
+			actionId: meta.actionId,
+			validationMessage: extractMessageFromStandardSchema(result)
+		});
+		return result.value;
+	}
+	/**
+	* Serialize raw output to a JSON-serializable form.
+	*/
+	serializeOutput(rawOutput) {
+		if (this.outputOptions?.serialization) return this.outputOptions.serialization.serialize(rawOutput);
+		return rawOutput;
+	}
+	/**
+	* Deserialize a JSON value back into the raw output type.
+	*/
+	deserializeOutput(serialized) {
+		if (this.outputOptions?.serialization) return this.outputOptions.serialization.deserialize(serialized);
+		return serialized;
+	}
+};
+const actionSchema = () => {
+	return new ActionSchema();
+};
+//#endregion
 //#region src/utils/getAssumedRuntimeEnvironment.ts
 const getAssumedRuntimeInfo = () => {
 	return {
@@ -670,6 +821,137 @@ function peekHandlerCuid() {
 	return _stack[_stack.length - 1];
 }
 //#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Connector/err_nice_external_client.ts
+const err_nice_external_client = err_nice_action.createChildDomain({
+	domain: "err_nice_external_client",
+	schema: {}
+});
+//#endregion
+//#region src/ActionRuntime/Transport/err_nice_transport.ts
+let EErrId_NiceTransport = /* @__PURE__ */ function(EErrId_NiceTransport) {
+	EErrId_NiceTransport["timeout"] = "timeout";
+	EErrId_NiceTransport["not_found"] = "not_found";
+	EErrId_NiceTransport["unsupported"] = "unsupported";
+	EErrId_NiceTransport["initialization_failed"] = "initialization_failed";
+	EErrId_NiceTransport["send_failed"] = "send_failed";
+	EErrId_NiceTransport["invalid_action_response"] = "invalid_action_response";
+	return EErrId_NiceTransport;
+}({});
+const err_nice_transport = err_nice_external_client.createChildDomain({
+	domain: "err_nice_transport",
+	schema: {
+		["timeout"]: err({ message: ({ timeout }) => `ActionConnect transport timed out after ${timeout}ms.` }),
+		["not_found"]: err({ message: ({ actionId }) => `No connected transport found for action "${actionId}".` }),
+		["unsupported"]: err({ message: ({ transportShapes }) => `${transportShapes.length} Transport(s) [${transportShapes.join(", ")}] found but returned "unsupported" status.` }),
+		["initialization_failed"]: err({ message: ({ actionId }) => `Transports found for action "${actionId}", but none are ready.` }),
+		["send_failed"]: err({
+			message: ({ actionId, httpStatusCode, message }) => `Failed to send action "${actionId}" [${httpStatusCode ?? "Unknown status"}]: ${message ?? "Unknown error"}.`,
+			httpStatusCode: ({ httpStatusCode }) => httpStatusCode ?? 500
+		}),
+		["invalid_action_response"]: err({ message: ({ actionId }) => `Invalid action response JSON structure for action "${actionId}"` })
+	}
+});
+//#endregion
+//#region src/ActionRuntime/Transport/ConnectionTransportManager.ts
+var ConnectionTransportManager = class {
+	_cache;
+	_transports = [];
+	constructor(_cache) {
+		this._cache = _cache;
+	}
+	addTransport(transport) {
+		this._transports.push(transport);
+	}
+	/**
+	* The highest-priority transport (first declared). Used to label an action's route *before* the
+	* transport has finished connecting — so a still-connecting action shows its (expected) destination
+	* instead of an "unknown" hop. {@link getReadyTransport} still decides the real winner, and the
+	* caller corrects the hop if a lower-priority transport ends up serving the action.
+	*/
+	getPreferredTransport() {
+		return this._transports[0];
+	}
+	async getReadyTransport(routeActionParams) {
+		const action = routeActionParams.action;
+		const candidates = [];
+		const unavailableTransports = [];
+		for (const transport of this._transports) {
+			const cacheKey = transport.getCacheKey(routeActionParams);
+			if (cacheKey != null) {
+				const cached = this._cache.get(cacheKey);
+				if (cached != null) {
+					if (cached instanceof Promise) {
+						candidates.push(cached);
+						continue;
+					}
+					candidates.push(Promise.resolve({
+						...cached,
+						transport
+					}));
+					break;
+				}
+			}
+			const statusInfo = transport.getTransport(routeActionParams);
+			if (statusInfo.status === "ready") {
+				const readyData = statusInfo.readyData;
+				if (cacheKey != null) {
+					const entry = {
+						methods: readyData,
+						transport
+					};
+					this._cache.set(cacheKey, entry);
+					readyData.addOnDisconnectListener?.(() => {
+						if (this._cache.get(cacheKey) === entry) this._cache.delete(cacheKey);
+					});
+				}
+				candidates.push(Promise.resolve({
+					methods: readyData,
+					transport
+				}));
+				break;
+			}
+			if (statusInfo.status === "unsupported") {
+				unavailableTransports.push(transport);
+				continue;
+			}
+			if (statusInfo.status === "initializing") {
+				const promise = statusInfo.initializationPromise.then((info) => {
+					if (info.status === "failed") throw info.error;
+					if (info.status === "unsupported") throw err_nice_transport.fromId("unsupported", { transportShapes: [transport.type] });
+					const readyData = info.readyData;
+					const entry = {
+						methods: readyData,
+						transport
+					};
+					if (cacheKey != null) if (this._cache.get(cacheKey) === promise) {
+						this._cache.set(cacheKey, entry);
+						readyData.addOnDisconnectListener?.(() => {
+							if (this._cache.get(cacheKey) === entry) this._cache.delete(cacheKey);
+						});
+					} else readyData.disconnect?.();
+					return entry;
+				}).catch((e) => {
+					if (cacheKey != null && this._cache.get(cacheKey) === promise) this._cache.delete(cacheKey);
+					throw e;
+				});
+				if (cacheKey != null) this._cache.set(cacheKey, promise);
+				candidates.push(promise);
+			}
+		}
+		if (candidates.length === 0) {
+			if (unavailableTransports.length > 0) throw err_nice_transport.fromId("unsupported", { transportShapes: unavailableTransports.map((t) => t.type) });
+			throw err_nice_transport.fromId("not_found", { actionId: action.id });
+		}
+		let lastError;
+		for (const candidate of candidates) try {
+			return await candidate;
+		} catch (e) {
+			lastError = e;
+		}
+		throw err_nice_transport.fromId("initialization_failed", { actionId: action.id }).withOriginError(lastError);
+	}
+};
+//#endregion
 //#region src/ActionRuntime/ActionDomainManager.ts
 var ActionDomainManager = class {
 	_domains = /* @__PURE__ */ new Map();
@@ -842,183 +1124,33 @@ var ActionHandler = class {
 	}
 };
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/err_nice_external_client.ts
-const err_nice_external_client = err_nice_action.createChildDomain({
-	domain: "err_nice_external_client",
-	schema: {}
-});
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/err_nice_transport.ts
-let EErrId_NiceTransport = /* @__PURE__ */ function(EErrId_NiceTransport) {
-	EErrId_NiceTransport["timeout"] = "timeout";
-	EErrId_NiceTransport["not_found"] = "not_found";
-	EErrId_NiceTransport["unsupported"] = "unsupported";
-	EErrId_NiceTransport["initialization_failed"] = "initialization_failed";
-	EErrId_NiceTransport["send_failed"] = "send_failed";
-	EErrId_NiceTransport["invalid_action_response"] = "invalid_action_response";
-	return EErrId_NiceTransport;
-}({});
-const err_nice_transport = err_nice_external_client.createChildDomain({
-	domain: "err_nice_transport",
-	schema: {
-		["timeout"]: err({ message: ({ timeout }) => `ActionConnect transport timed out after ${timeout}ms.` }),
-		["not_found"]: err({ message: ({ actionId }) => `No connected transport found for action "${actionId}".` }),
-		["unsupported"]: err({ message: ({ transportTypes }) => `${transportTypes.length} Transport(s) [${transportTypes.join(", ")}] found but returned "unsupported" status.` }),
-		["initialization_failed"]: err({ message: ({ actionId }) => `Transports found for action "${actionId}", but none are ready.` }),
-		["send_failed"]: err({
-			message: ({ actionId, httpStatusCode, message }) => `Failed to send action "${actionId}" [${httpStatusCode ?? "Unknown status"}]: ${message ?? "Unknown error"}.`,
-			httpStatusCode: ({ httpStatusCode }) => httpStatusCode ?? 500
-		}),
-		["invalid_action_response"]: err({ message: ({ actionId }) => `Invalid action response JSON structure for action "${actionId}"` })
-	}
-});
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Transport.types.ts
-let ETransportType = /* @__PURE__ */ function(ETransportType) {
-	ETransportType["ws"] = "ws";
-	ETransportType["http"] = "http";
-	ETransportType["custom"] = "custom";
-	return ETransportType;
-}({});
+//#region src/ActionRuntime/Handler/PeerLink/PeerLinkHandler.ts
 /**
+* Shared base for every handler that routes a domain set to/from *another runtime* (a "peer") — the
+* unified peer-link concept. Both specializations extend this as siblings, differing only in *who
+* establishes the connection*, which is a transport trait, not a routing one:
 *
-*  TRANSPORT READINESS RESPONSE
+* - {@link ConnectorHandler} — **dial-out**: this runtime opens connection(s) to one peer
+*   over a transport stack (with caching + fallback). The classic "client → backend" link.
+* - {@link AcceptorHandler} — **accept-in**: connections are accepted from many peers and fed in
+*   via `receive()`; it keeps a per-connection registry and can push to any of them.
 *
+* To the runtime there is no "client" vs "server" — both are peer-link handlers (`handlerType =
+* external`) keyed to a peer coordinate, chosen by the return-path dispatch via {@link sendReturnPayload}.
 */
-let ETransportStatus = /* @__PURE__ */ function(ETransportStatus) {
-	ETransportStatus["uninitialized"] = "uninitialized";
-	ETransportStatus["unsupported"] = "unsupported";
-	ETransportStatus["initializing"] = "initializing";
-	ETransportStatus["ready"] = "ready";
-	ETransportStatus["failed"] = "failed";
-	return ETransportStatus;
-}({});
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/ConnectionTransportManager.ts
-var ConnectionTransportManager = class {
-	_cache;
-	_transports = [];
-	constructor(_cache) {
-		this._cache = _cache;
-	}
-	addTransport(transport) {
-		this._transports.push(transport);
-	}
-	/**
-	* The highest-priority transport (first declared). Used to label an action's route *before* the
-	* transport has finished connecting — so a still-connecting action shows its (expected) destination
-	* instead of an "unknown" hop. {@link getReadyTransport} still decides the real winner, and the
-	* caller corrects the hop if a lower-priority transport ends up serving the action.
-	*/
-	getPreferredTransport() {
-		return this._transports[0];
-	}
-	async getReadyTransport(routeActionParams) {
-		const action = routeActionParams.action;
-		const candidates = [];
-		const unavailableTransports = [];
-		for (const transport of this._transports) {
-			const cacheKey = transport.getCacheKey(routeActionParams);
-			if (cacheKey != null) {
-				const cached = this._cache.get(cacheKey);
-				if (cached != null) {
-					if (cached instanceof Promise) {
-						candidates.push(cached);
-						continue;
-					}
-					candidates.push(Promise.resolve({
-						...cached,
-						transport
-					}));
-					break;
-				}
-			}
-			const statusInfo = transport.getTransport(routeActionParams);
-			if (statusInfo.status === "ready") {
-				const readyData = statusInfo.readyData;
-				if (cacheKey != null) {
-					const entry = {
-						methods: readyData,
-						transport
-					};
-					this._cache.set(cacheKey, entry);
-					readyData.addOnDisconnectListener?.(() => {
-						if (this._cache.get(cacheKey) === entry) this._cache.delete(cacheKey);
-					});
-				}
-				candidates.push(Promise.resolve({
-					methods: readyData,
-					transport
-				}));
-				break;
-			}
-			if (statusInfo.status === "unsupported") {
-				unavailableTransports.push(transport);
-				continue;
-			}
-			if (statusInfo.status === "initializing") {
-				const promise = statusInfo.initializationPromise.then((info) => {
-					if (info.status === "failed") throw info.error;
-					if (info.status === "unsupported") throw err_nice_transport.fromId("unsupported", { transportTypes: [transport.type] });
-					const readyData = info.readyData;
-					const entry = {
-						methods: readyData,
-						transport
-					};
-					if (cacheKey != null) if (this._cache.get(cacheKey) === promise) {
-						this._cache.set(cacheKey, entry);
-						readyData.addOnDisconnectListener?.(() => {
-							if (this._cache.get(cacheKey) === entry) this._cache.delete(cacheKey);
-						});
-					} else readyData.disconnect?.();
-					return entry;
-				}).catch((e) => {
-					if (cacheKey != null && this._cache.get(cacheKey) === promise) this._cache.delete(cacheKey);
-					throw e;
-				});
-				if (cacheKey != null) this._cache.set(cacheKey, promise);
-				candidates.push(promise);
-			}
-		}
-		if (candidates.length === 0) {
-			if (unavailableTransports.length > 0) throw err_nice_transport.fromId("unsupported", { transportTypes: unavailableTransports.map((t) => t.type) });
-			throw err_nice_transport.fromId("not_found", { actionId: action.id });
-		}
-		let lastError;
-		for (const candidate of candidates) try {
-			return await candidate;
-		} catch (e) {
-			lastError = e;
-		}
-		throw err_nice_transport.fromId("initialization_failed", { actionId: action.id }).withOriginError(lastError);
-	}
-};
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/ActionExternalClientHandler.ts
-var ActionExternalClientHandler = class extends ActionHandler {
-	externalClient;
-	handlerType = "external";
-	cuid;
-	_defaultTimeout;
-	_transportCache = /* @__PURE__ */ new Map();
-	transportManager = new ConnectionTransportManager(this._transportCache);
-	_incomingActionDataListeners = [];
+var PeerLinkHandler = class extends ActionHandler {
+	/** The peer runtime this handler links to (an env-only coordinate for an accept-in handler). */
+	peerClient;
+	handlerType = "peer";
 	actionRouter = new ActionRouter({
 		contextType: "handler_route",
 		handler: this
 	});
-	constructor({ runtimeCoordinate: externalClientSpecifier, transports, defaultTimeout }) {
+	/** Listeners installed by the runtime (`resolveIncomingActionPayload`) for inbound peer frames. */
+	_incomingActionDataListeners = [];
+	constructor(peerCoordinate) {
 		super();
-		this.externalClient = externalClientSpecifier;
-		this.cuid = nanoid();
-		this._defaultTimeout = defaultTimeout ?? 1e4;
-		for (const transport of transports) {
-			const connection = transport._createConnection({ resolvers: { onIncomingActionDataJson: (json) => {
-				for (const l of this._incomingActionDataListeners) l(json);
-			} } });
-			connection.definition = transport;
-			this.transportManager.addTransport(connection);
-		}
+		this.peerClient = peerCoordinate;
 	}
 	forDomain(domain) {
 		this.actionRouter.forDomain(domain, true);
@@ -1035,6 +1167,49 @@ var ActionExternalClientHandler = class extends ActionHandler {
 	_setIncomingActionDataListener(listener) {
 		this._incomingActionDataListeners.push(listener);
 	}
+	/** Hand a decoded inbound frame to the runtime (called by each specialization's receive path). */
+	_emitIncoming(json) {
+		for (const listener of this._incomingActionDataListeners) listener(json);
+	}
+	/**
+	* Whether this handler currently holds a *live* connection bound to `origin`. The runtime's return-path
+	* dispatch ({@link ActionRuntime.getReturnHandlerForOrigin}) prefers a handler that owns the origin's
+	* connection over a mere coordinate match, so with several duplex acceptors a result/push routes back
+	* over the carrier the client connected on. Defaults to `false`; an acceptor overrides it from its
+	* connection registry.
+	*/
+	ownsLiveConnectionFor(_origin) {
+		return false;
+	}
+	/** Release any long-lived connections this handler owns (a teardown). No-op by default. */
+	clearTransportCache() {}
+};
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Connector/ConnectorHandler.ts
+/**
+* Dial-out peer link: this runtime opens connection(s) to one peer over a transport stack (cached, with
+* preference-ordered fallback). The classic "client → backend" handler — but to the runtime it's just a
+* {@link PeerLinkHandler} like the accept-in server one.
+*/
+var ConnectorHandler = class extends PeerLinkHandler {
+	/**
+	* Dial-out can receive (and so return) an unsolicited push only over a duplex transport. With every
+	* transport exchange-only (HTTP), the peer can never push to us — so this link can't deliver one back.
+	*/
+	canPush;
+	_defaultTimeout;
+	_transportCache = /* @__PURE__ */ new Map();
+	transportManager = new ConnectionTransportManager(this._transportCache);
+	constructor({ runtimeCoordinate: peerSpecifier, transports, defaultTimeout }) {
+		super(peerSpecifier);
+		this._defaultTimeout = defaultTimeout ?? 1e4;
+		this.canPush = transports.some((transport) => transport.type === "duplex");
+		for (const transport of transports) {
+			const connection = transport._createConnection({ resolvers: { onIncomingActionDataJson: (json) => this._emitIncoming(json) } });
+			connection.definition = transport;
+			this.transportManager.addTransport(connection);
+		}
+	}
 	async handleActionRequest(action, config) {
 		const localRuntime = config?.targetLocalRuntime ?? ActionRuntime.getDefault();
 		const localClient = localRuntime.coordinate;
@@ -1044,7 +1219,7 @@ var ActionExternalClientHandler = class extends ActionHandler {
 		const routeParams = {
 			action,
 			localClient,
-			externalClient: this.externalClient
+			externalClient: this.peerClient
 		};
 		const preferredTransport = this.transportManager.getPreferredTransport();
 		const routeItem = preferredTransport != null ? {
@@ -1083,6 +1258,7 @@ var ActionExternalClientHandler = class extends ActionHandler {
 			};
 			if (action.type === "request" && methods.updateRunConfig != null) sendInput.timeout = methods.updateRunConfig(sendInput)?.timeout ?? incomingTimeout;
 			methods.sendActionData(sendInput);
+			if (action.type === "request" && action.schema.responseMode === "none") runningAction._completeWithResult(action.successResult(void 0));
 		} catch (err) {
 			runningAction._abort(err);
 		}
@@ -1100,12 +1276,12 @@ var ActionExternalClientHandler = class extends ActionHandler {
 			const { methods } = await this.transportManager.getReadyTransport({
 				action: payload,
 				localClient,
-				externalClient: this.externalClient
+				externalClient: this.peerClient
 			});
 			if (methods.sendReturnData == null) return false;
 			methods.sendReturnData(payload, {
 				localClient,
-				externalClient: this.externalClient
+				externalClient: this.peerClient
 			});
 			return true;
 		} catch {
@@ -1115,15 +1291,15 @@ var ActionExternalClientHandler = class extends ActionHandler {
 	toJsonObject() {
 		return {
 			type: this.handlerType,
-			client: this.externalClient
+			client: this.peerClient
 		};
 	}
 	toHandlerRouteItem(transport, input) {
 		return {
 			type: this.handlerType,
-			client: this.externalClient,
+			client: this.peerClient,
 			transOrd: transport.transOrd,
-			transType: transport.type,
+			transShape: transport.type,
 			transInfo: transport.getRouteInfo(input)
 		};
 	}
@@ -1133,8 +1309,8 @@ var ActionExternalClientHandler = class extends ActionHandler {
 		this._transportCache.clear();
 	}
 };
-const createExternalClientHandler = (config) => {
-	return new ActionExternalClientHandler(config);
+const createConnectorHandler = (config) => {
+	return new ConnectorHandler(config);
 };
 //#endregion
 //#region src/ActionRuntime/ActionRuntime.ts
@@ -1144,7 +1320,7 @@ var ActionRuntime = class {
 	runtimeInfo = getAssumedRuntimeInfo();
 	actionRouter;
 	_pendingRunningActions = /* @__PURE__ */ new Map();
-	_registeredExternalHandlers = [];
+	_registeredPeerHandlers = [];
 	_applied = false;
 	static getDefault() {
 		return getDefaultActionRuntime();
@@ -1219,24 +1395,24 @@ var ActionRuntime = class {
 	*/
 	_getHandlerForAction(action, options) {
 		const handlers = this.actionRouter.getRouteDataEntriesForAction(action);
-		const targetExternalClient = options?.targetExternalClient;
+		const targetPeer = options?.targetPeer;
 		const possibleHandlers = handlers.filter((handler) => {
-			if (handler.handlerType === "external") {
-				if (targetExternalClient && !targetExternalClient.isSameFor(handler.externalClient).id) return false;
+			if (handler.handlerType === "peer") {
+				if (targetPeer && !targetPeer.isSameFor(handler.peerClient).id) return false;
 				return true;
 			}
-			if (targetExternalClient != null) return false;
+			if (targetPeer != null) return false;
 			if (action.type === "request") return true;
 			return false;
 		});
 		if (possibleHandlers.length === 0) return;
-		const scoringExternalClient = targetExternalClient ?? RuntimeCoordinate.unknown;
+		const scoringPeer = targetPeer ?? RuntimeCoordinate.unknown;
 		let handlerScore = -1;
 		let handler;
 		for (const possibleHandler of possibleHandlers) {
-			if (possibleHandler.handlerType === "local" && handler == null) return possibleHandler;
-			if (possibleHandler.handlerType === "external") {
-				const score = scoringExternalClient.similarityLevel(possibleHandler.externalClient);
+			if (possibleHandler.handlerType === "local") return possibleHandler;
+			if (possibleHandler.handlerType === "peer") {
+				const score = scoringPeer.similarityLevel(possibleHandler.peerClient);
 				if (score > handlerScore) {
 					handlerScore = score;
 					handler = possibleHandler;
@@ -1250,7 +1426,7 @@ var ActionRuntime = class {
 		if (handler == null) throw err_nice_action.fromId("no_action_execution_handler", {
 			actionId: action.id,
 			domain: action.domain,
-			specifiedClient: options?.targetExternalClient
+			specifiedClient: options?.targetPeer
 		});
 		return handler;
 	}
@@ -1262,9 +1438,9 @@ var ActionRuntime = class {
 	*/
 	addHandlers(handlers) {
 		for (const handler of handlers) {
-			if (handler.handlerType === "external") {
+			if (handler.handlerType === "peer") {
 				handler._setIncomingActionDataListener((json) => this.resolveIncomingActionPayload(json));
-				this._registeredExternalHandlers.push(handler);
+				this._registeredPeerHandlers.push(handler);
 			}
 			const handlerRouter = handler.getActionRouter();
 			this.actionRouter.addDomainsFromOther(handlerRouter);
@@ -1275,18 +1451,18 @@ var ActionRuntime = class {
 	}
 	/**
 	* Declare an external "backend client" in one call: build an
-	* {@link ActionExternalClientHandler} for `externalCoordinate` carrying the given
+	* {@link ConnectorHandler} for `externalCoordinate` carrying the given
 	* `transports`, route the listed `domains`/`actions` to it, register it (plus any
 	* `localHandlers` — e.g. server→client push handlers that share the same channel)
 	* on this runtime, and `apply()`. Returns the external handler so the caller can
 	* later `clearTransportCache()` it.
 	*
-	* Sugar over `new ActionExternalClientHandler(...).forDomain(...)` + `addHandlers([...])`,
+	* Sugar over `new ConnectorHandler(...).forDomain(...)` + `addHandlers([...])`,
 	* so a single runtime can host one handler per backend target with its transports
 	* declared once and reused across every action routed to that backend.
 	*/
 	connectTo(externalCoordinate, options) {
-		const handler = new ActionExternalClientHandler({
+		const handler = new ConnectorHandler({
 			runtimeCoordinate: externalCoordinate,
 			transports: options.transports,
 			defaultTimeout: options.defaultTimeout
@@ -1315,25 +1491,40 @@ var ActionRuntime = class {
 	* Find the best registered external handler that can reach `originClient` directly.
 	* Used to locate the return-path channel for dispatching results back to the action origin.
 	* Returns `undefined` if no handler matches (score > 0 required, i.e. at least id must match).
+	*
+	* A handler that currently holds the origin's *live* connection always wins over a mere coordinate
+	* match — so with several duplex acceptors (e.g. WS + WebRTC) a result/push routes back over the carrier
+	* the client actually connected on, never a same-coordinate sibling that lacks the socket. Only when no
+	* handler owns a live connection do we fall back to the plain best-coordinate-score pick (the
+	* single-acceptor and connector-only cases, unchanged).
 	*/
 	getReturnHandlerForOrigin(originClient) {
 		if (originClient.envId === "_unset_") return void 0;
 		let bestScore = -1;
 		let bestHandler;
-		for (const handler of this._registeredExternalHandlers) {
-			const score = originClient.similarityLevel(handler.externalClient);
+		let bestOwnedScore = -1;
+		let bestOwnedHandler;
+		for (const handler of this._registeredPeerHandlers) {
+			if (!handler.canPush) continue;
+			const score = originClient.similarityLevel(handler.peerClient);
 			if (score > bestScore) {
 				bestScore = score;
 				bestHandler = handler;
 			}
+			if (score > bestOwnedScore && handler.ownsLiveConnectionFor(originClient)) {
+				bestOwnedScore = score;
+				bestOwnedHandler = handler;
+			}
 		}
+		if (bestOwnedHandler != null && bestOwnedScore > 0) return bestOwnedHandler;
 		return bestScore > 0 ? bestHandler : void 0;
 	}
 	resetRuntime() {
 		for (const ra of this._pendingRunningActions.values()) ra._abort(err_nice_action.fromId("runtime_reset"));
-		for (const handler of this._registeredExternalHandlers) handler.clearTransportCache();
+		for (const handler of this._registeredPeerHandlers) handler.clearTransportCache();
 	}
 	_trySetupReturnDispatch(runningAction) {
+		if (runningAction.context.schema.responseMode === "none") return;
 		const originClient = runningAction.context.originClient;
 		if (originClient.envId === "_unset_" || originClient.isSameFor(this._coordinate).id) return;
 		runningAction.addUpdateListeners([(update) => {
@@ -1812,467 +2003,7 @@ const createActionRootDomain = (definition) => {
 	return new ActionRootDomain(definition);
 };
 //#endregion
-//#region src/ActionDefinition/Schema/ActionSchema.ts
-var ActionSchema = class {
-	_errorDeclarations = [];
-	inputOptions;
-	outputOptions;
-	get inputSchema() {
-		return this.inputOptions?.schema;
-	}
-	get outputSchema() {
-		return this.outputOptions?.schema;
-	}
-	/**
-	* Declare the input schema (JSON-native or with explicit SERDE type param).
-	* For non-JSON-native inputs, prefer the 3-argument form below to avoid
-	* needing explicit type parameters.
-	*/
-	input(options) {
-		this.inputOptions = options;
-		return this;
-	}
-	/**
-	* Declare the output schema (JSON-native or with explicit SERDE type param).
-	* For non-JSON-native outputs, prefer the 3-argument form below to avoid
-	* needing explicit type parameters.
-	*/
-	output(options) {
-		this.outputOptions = options;
-		return this;
-	}
-	throws(domain, ids) {
-		this._errorDeclarations.push({
-			_domain: domain,
-			_ids: ids
-		});
-		return this;
-	}
-	/**
-	* Serialize raw input to a JSON-serializable form.
-	* Uses the schema's serialization.serialize if defined; otherwise the input
-	* is already JSON-native and is returned as-is.
-	*/
-	serializeInput(rawInput) {
-		if (this.inputOptions?.serialization) return this.inputOptions.serialization.serialize(rawInput);
-		return rawInput;
-	}
-	/**
-	* Deserialize a JSON value back into the raw input type.
-	* Uses serialization.deserialize if defined; otherwise the value is cast
-	* directly (it's already in the correct shape).
-	*/
-	deserializeInput(serialized) {
-		if (this.inputOptions?.serialization) return this.inputOptions.serialization.deserialize(serialized);
-		return serialized;
-	}
-	/**
-	* Validate raw input against the schema defined via `.input({ schema })`.
-	* Throws `action_input_validation_failed` if validation fails.
-	* Returns the validated (and possibly coerced) value on success.
-	* If no input schema was declared, the value is passed through as-is.
-	*/
-	validateInput(value, meta) {
-		if (this.inputOptions?.schema == null) return value;
-		const result = this.inputOptions.schema["~standard"].validate(value);
-		if (result instanceof Promise) throw err_nice_action.fromId("action_input_validation_promise", {
-			domain: meta.domain,
-			actionId: meta.actionId
-		});
-		if (result.issues != null) throw err_nice_action.fromId("action_input_validation_failed", {
-			domain: meta.domain,
-			actionId: meta.actionId,
-			validationMessage: extractMessageFromStandardSchema(result)
-		});
-		return result.value;
-	}
-	validateOutput(value, meta) {
-		if (this.outputOptions?.schema == null) return value;
-		const result = this.outputOptions.schema["~standard"].validate(value);
-		if (result instanceof Promise) throw err_nice_action.fromId("action_output_validation_promise", {
-			domain: meta.domain,
-			actionId: meta.actionId
-		});
-		if (result.issues != null) throw err_nice_action.fromId("action_output_validation_failed", {
-			domain: meta.domain,
-			actionId: meta.actionId,
-			validationMessage: extractMessageFromStandardSchema(result)
-		});
-		return result.value;
-	}
-	/**
-	* Serialize raw output to a JSON-serializable form.
-	*/
-	serializeOutput(rawOutput) {
-		if (this.outputOptions?.serialization) return this.outputOptions.serialization.serialize(rawOutput);
-		return rawOutput;
-	}
-	/**
-	* Deserialize a JSON value back into the raw output type.
-	*/
-	deserializeOutput(serialized) {
-		if (this.outputOptions?.serialization) return this.outputOptions.serialization.deserialize(serialized);
-		return serialized;
-	}
-};
-const actionSchema = () => {
-	return new ActionSchema();
-};
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Transport.ts
-/**
-* Reusable transport definition. Devs construct these (`HttpTransport.create({ createRequest })`,
-* `WebSocketTransport.create({ createWebSocket })`, …) and pass them to an
-* `ActionExternalClientHandler`. A single
-* definition can be shared across multiple handlers — each handler builds its own live
-* {@link TransportConnection} via {@link TransportConnection._createConnection}.
-*/
-var Transport = class {};
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/helpers/addTransportStatusMetadata.ts
-function addTransportStatusMetadata(transportStatus) {
-	if (transportStatus.status === "ready") return {
-		status: "ready",
-		readyData: transportStatus.readyData
-	};
-	if (transportStatus.status === "initializing") return {
-		status: "initializing",
-		initializationPromise: transportStatus.initializationPromise,
-		timeStarted: Date.now()
-	};
-	if (transportStatus.status === "failed") return {
-		status: "failed",
-		error: transportStatus.error,
-		timeFailed: Date.now()
-	};
-	if (transportStatus.status === "unsupported") return { status: "unsupported" };
-	return { status: "uninitialized" };
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/TransportConnection.ts
-let transportOrd = 0;
-/**
-* Live, per-handler transport runtime built from a reusable {@link Transport} definition. Holds the
-* connection-scoped state (ordinal, initialized config, sockets / abort sets) that must not be shared
-* across handlers. Construct these via `definition._createConnection(...)`, never directly.
-*/
-var TransportConnection = class {
-	def;
-	transOrd = transportOrd++;
-	type;
-	initialized;
-	/** Backref to the public definition that created this connection (used for devtools route info). */
-	definition;
-	constructor(def) {
-		this.def = def;
-		this.type = def.type;
-		this.initialized = def.initialize();
-	}
-	/**
-	* Devtools route info for an action routed through this live connection. Defaults to the stateless
-	* {@link definition}'s info; connections override to enrich it from live state (e.g. the actual
-	* resolved socket URL) when the definition couldn't resolve it on its own.
-	*/
-	getRouteInfo(input) {
-		return this.definition?.getRouteInfo(input);
-	}
-	_getCacheKey(input) {
-		const parts = this.initialized.getTransportCacheKey?.(input);
-		if (parts == null) return null;
-		return parts.join("\0");
-	}
-	getCacheKey(input) {
-		const inner = this._getCacheKey(input);
-		if (inner == null) return null;
-		return `${this.transOrd}:${inner}`;
-	}
-	getTransport(input) {
-		return this._processTransportStatus(input);
-	}
-	_processTransportStatus(input) {
-		const transportStatusInfo = addTransportStatusMetadata(this.initialized.getTransport(input));
-		if (transportStatusInfo.status !== "initializing" && transportStatusInfo.status !== "ready") return transportStatusInfo;
-		if (transportStatusInfo.status === "initializing") {
-			const promiseForReadyData = transportStatusInfo.initializationPromise.then((result) => {
-				if (result.status === "ready") return {
-					status: "ready",
-					readyData: this._finalizeTransportMethods(result.readyData)
-				};
-				return result;
-			});
-			return {
-				status: "initializing",
-				timeStarted: transportStatusInfo.timeStarted,
-				initializationPromise: promiseForReadyData
-			};
-		}
-		return {
-			status: "ready",
-			readyData: this._finalizeTransportMethods(transportStatusInfo.readyData)
-		};
-	}
-};
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Custom/CustomConnection.ts
-var CustomConnection = class extends TransportConnection {
-	constructor(def) {
-		super({
-			...def,
-			type: "custom"
-		});
-	}
-	_finalizeTransportMethods(inputs) {
-		return {
-			sendActionData: inputs.sendActionData,
-			sendReturnData: inputs.sendReturnData,
-			updateRunConfig: inputs.updateRunConfig
-		};
-	}
-};
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Custom/CustomTransport.ts
-/**
-* Reusable custom transport definition for channels nice-action doesn't model natively. Create one
-* with `CustomTransport.create({ sendActionData })` for the simple case, or
-* `CustomTransport.createAdvanced({ getTransport })` for full control over the lifecycle.
-*/
-var CustomTransport = class CustomTransport extends Transport {
-	options;
-	type = "custom";
-	constructor(options) {
-		super();
-		this.options = options;
-	}
-	static create(options) {
-		return new CustomTransport({
-			...options,
-			mode: "send"
-		});
-	}
-	static createAdvanced(options) {
-		return new CustomTransport({
-			...options,
-			mode: "advanced"
-		});
-	}
-	_createConnection(_ctx) {
-		const options = this.options;
-		let getTransport;
-		if (options.mode === "advanced") getTransport = options.getTransport;
-		else getTransport = () => ({
-			status: "ready",
-			readyData: {
-				sendActionData: options.sendActionData,
-				sendReturnData: options.sendReturnData,
-				updateRunConfig: options.updateRunConfig,
-				closeTransport: options.closeTransport ?? (() => {})
-			}
-		});
-		return new CustomConnection({ initialize: () => ({
-			getTransportCacheKey: options.getTransportCacheKey,
-			getTransport
-		}) });
-	}
-	getRouteInfo(input) {
-		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
-		return {
-			type: "custom",
-			summary: this.options.label ?? "custom"
-		};
-	}
-};
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/err_nice_transport_ws.ts
-let EErrId_NiceTransport_WebSocket = /* @__PURE__ */ function(EErrId_NiceTransport_WebSocket) {
-	EErrId_NiceTransport_WebSocket["ws_disconnected"] = "ws_disconnected";
-	EErrId_NiceTransport_WebSocket["ws_create_failed"] = "ws_create_failed";
-	EErrId_NiceTransport_WebSocket["ws_error"] = "ws_error";
-	return EErrId_NiceTransport_WebSocket;
-}({});
-const err_nice_transport_ws = err_nice_transport.createChildDomain({
-	domain: "ws_transport",
-	schema: {
-		["ws_disconnected"]: err({ message: () => `WebSocket transport disconnected.` }),
-		["ws_create_failed"]: err({ message: ({ originalError }) => `Failed to create WebSocket transport.${originalError ? ` Original error: ${originalError.message}` : ""}` }),
-		["ws_error"]: err({ message: ({ originalError }) => `WebSocket transport error.${originalError ? ` Original error: ${originalError.message}` : ""}` })
-	}
-});
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Http/HttpConnection.ts
-var HttpConnection = class extends TransportConnection {
-	constructor(def) {
-		super({
-			...def,
-			type: "http"
-		});
-	}
-	_finalizeTransportMethods(methods) {
-		return {
-			sendActionData: (input) => {
-				const request = methods.createRequest(input);
-				this.send({
-					...input,
-					params: { request },
-					runningAction: input.runningAction
-				}).catch((err) => input.runningAction._abort(err));
-			},
-			updateRunConfig: methods.updateRunConfig
-		};
-	}
-	async send(input) {
-		const { action, runningAction, timeout, params: { request } } = input;
-		const wire = action.toJsonObject();
-		const ac = new AbortController();
-		let timedOut = false;
-		const timeoutId = setTimeout(() => {
-			timedOut = true;
-			ac.abort();
-		}, timeout);
-		const unsubscribe = input.runningAction.addUpdateListeners([(update) => {
-			if (update.type === "finished") {
-				clearTimeout(timeoutId);
-				ac.abort();
-			}
-		}]);
-		try {
-			const res = await fetch(request.url, {
-				method: "POST",
-				headers: {
-					"Content-Type": "application/json",
-					...request.headers
-				},
-				body: request.body ?? JSON.stringify(wire),
-				signal: ac.signal
-			});
-			if (!res.ok) {
-				if (action.type === "request") try {
-					const jsonData = await res.json();
-					if (isActionPayload_Result_JsonObject(jsonData)) runningAction._completeWithResult(action._domain.hydrateResultPayload(jsonData));
-					else if (isNiceErrorObject(jsonData)) runningAction._completeWithResult(action.errorResult(castNiceError(jsonData)));
-					else runningAction._completeWithResult(action.errorResult(err_nice_transport.fromId("invalid_action_response", { actionId: action.id })));
-				} catch (e) {
-					throw err_nice_transport.fromId("send_failed", {
-						actionState: action.type,
-						actionId: action.id,
-						httpStatusCode: res.status,
-						message: e.message
-					}).withOriginError(e);
-				}
-				else {
-					let text;
-					try {
-						text = await res.text();
-					} catch (e) {
-						console.warn(`Failed to read error response body for failed HTTP request in HttpConnection:`, e);
-					}
-					throw err_nice_transport.fromId("send_failed", {
-						actionState: action.type,
-						actionId: action.id,
-						httpStatusCode: res.status,
-						message: text ?? `HTTP error with status ${res.status}`
-					});
-				}
-				return;
-			}
-			if (action.type === "request") {
-				const json = await res.json();
-				if (!isActionPayload_Result_JsonObject(json)) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
-				runningAction._completeWithResult(action._domain.hydrateResultPayload(json));
-			}
-		} catch (err) {
-			if (timedOut) throw err_nice_transport.fromId("timeout", { timeout });
-			if (err instanceof NiceError) throw err;
-			throw err_nice_transport.fromId("send_failed", {
-				actionState: action.type,
-				actionId: action.id,
-				message: err instanceof Error ? err.message : String(err)
-			}).withOriginError(err instanceof Error ? err : void 0);
-		} finally {
-			clearTimeout(timeoutId);
-			unsubscribe();
-		}
-	}
-};
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Http/HttpTransport.ts
-function shortPath(url) {
-	try {
-		return new URL(url).pathname || url;
-	} catch {
-		return url;
-	}
-}
-/**
-* Reusable HTTP transport definition. Create one with `HttpTransport.create({ createRequest })` — the
-* single `createRequest` function lets you keep it simple (`() => ({ url })`) or derive the request
-* per action.
-*/
-var HttpTransport = class HttpTransport extends Transport {
-	options;
-	type = "http";
-	constructor(options) {
-		super();
-		this.options = options;
-	}
-	static create(options) {
-		return new HttpTransport(options);
-	}
-	_createConnection(_ctx) {
-		return new HttpConnection({ initialize: () => ({
-			getTransportCacheKey: this.options.getTransportCacheKey,
-			getTransport: () => ({
-				status: "ready",
-				readyData: {
-					createRequest: this.options.createRequest,
-					updateRunConfig: this.options.updateRunConfig
-				}
-			})
-		}) });
-	}
-	getRouteInfo(input) {
-		const { url } = this.options.createRequest(input);
-		return {
-			type: "http",
-			method: "POST",
-			url,
-			summary: `POST ${shortPath(url)}`
-		};
-	}
-};
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionFrameCrypto.ts
-const ENCRYPTED_ENVELOPE_LENGTH = 2;
-/**
-* Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
-* level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
-*/
-function createActionFrameCrypto({ link, linkedClientId }) {
-	return {
-		async encryptFrame(frame) {
-			const { nonce, ciphertext } = await link.encryptBytesForLinkedClient({
-				linkedClientId,
-				dataToEncrypt: frame
-			});
-			return pack([nonce, ciphertext]);
-		},
-		async decryptFrame(frame) {
-			if (typeof frame === "string") throw new Error("[ws-crypto] expected an encrypted binary frame, received text");
-			const envelope = unpack(frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame);
-			if (!Array.isArray(envelope) || envelope.length !== ENCRYPTED_ENVELOPE_LENGTH) throw new Error("[ws-crypto] malformed encrypted frame envelope");
-			const [nonce, ciphertext] = envelope;
-			if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) throw new Error("[ws-crypto] malformed encrypted frame fields");
-			return await link.decryptBytesFromLinkedClient({
-				linkedClientId,
-				dataToDecrypt: {
-					nonce,
-					ciphertext
-				}
-			});
-		}
-	};
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionWsHandshake.ts
+//#region src/ActionRuntime/Transport/crypto/actionHandshake.ts
 /**
 * Authenticated handshake for the WebSocket channel. Run once per connection, before any action
 * frames flow, it:
@@ -2624,250 +2355,840 @@ function createServerHandshake(config) {
 	};
 }
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionWireCodec.ts
+//#region src/utils/decodeActionFrame.ts
 /**
-* Shared building blocks for the binary action codecs (the stateless {@link createBinaryWsAdapter} and
-* the per-connection `createBinaryWsSessionFactory`). Both map a `domain:id` route to a tiny integer
-* and reduce the verbose JSON wire to a positional tuple — they only differ in how much context they
-* carry per frame, so the dictionary + payload (de)assembly live here.
+* Decode a single inbound channel frame (text or binary) into validated action wire JSON, or
+* `undefined` if it isn't a recognisable action payload.
+*
+* Shared by the WebSocket transport's message listener and the server-side `AcceptorHandler` so
+* both decode identically: a binary `decoder.incoming` (e.g. msgpackr) takes precedence, and plain
+* text frames fall back to JSON — keeping binary and JSON clients interoperable on one channel.
 */
+function decodeActionFrame(frame, decoder) {
+	const decoded = decoder?.incoming?.(frame) ?? (typeof frame === "string" ? parseJsonActionFrame(frame) : void 0);
+	return decoded != null && isActionPayload_Any_JsonObject(decoded) ? decoded : void 0;
+}
+function parseJsonActionFrame(message) {
+	try {
+		const json = JSON.parse(message);
+		return isActionPayload_Any_JsonObject(json) ? json : void 0;
+	} catch {
+		return;
+	}
+}
+//#endregion
+//#region src/ActionRuntime/Transport/crypto/actionFrameCrypto.ts
+const ENCRYPTED_ENVELOPE_LENGTH = 2;
 /**
-* Tiny integer codes for the payload type, so the verbose `"request"`/`"result"`/`"progress"`
-* strings never hit the wire. The index in {@link ReversePayloadType} must line up with the value.
+* Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
+* level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
 */
-const PayloadTypeToInt = {
-	["request"]: 0,
-	["result"]: 1,
-	["progress"]: 2
-};
-const ReversePayloadType = [
-	"request",
-	"result",
-	"progress"
-];
-/**
-* Build the positional `domain:id` ↔ integer dictionary. Both ends of a channel MUST build it from
-* the same domains in the same order — the mapping is positional, so a mismatch routes to the wrong
-* action. Add new transported domains to the end of the list.
-*/
-function buildActionRouteDictionary(domains) {
-	const routeToInt = /* @__PURE__ */ new Map();
-	const intToRoute = [];
-	for (const dom of domains) for (const actionId of Object.keys(dom.actionSchema)) {
-		const routeKey = `${dom.domain}:${actionId}`;
-		if (routeToInt.has(routeKey)) continue;
-		routeToInt.set(routeKey, intToRoute.length);
-		intToRoute.push({
-			domain: dom.domain,
-			id: actionId,
-			allDomains: dom.allDomains
-		});
-	}
+function createActionFrameCrypto({ link, linkedClientId }) {
 	return {
-		routeToInt,
-		intToRoute
+		async encryptFrame(frame) {
+			const { nonce, ciphertext } = await link.encryptBytesForLinkedClient({
+				linkedClientId,
+				dataToEncrypt: frame
+			});
+			return pack([nonce, ciphertext]);
+		},
+		async decryptFrame(frame) {
+			if (typeof frame === "string") throw new Error("[ws-crypto] expected an encrypted binary frame, received text");
+			const envelope = unpack(frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame);
+			if (!Array.isArray(envelope) || envelope.length !== ENCRYPTED_ENVELOPE_LENGTH) throw new Error("[ws-crypto] malformed encrypted frame envelope");
+			const [nonce, ciphertext] = envelope;
+			if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) throw new Error("[ws-crypto] malformed encrypted frame fields");
+			return await link.decryptBytesFromLinkedClient({
+				linkedClientId,
+				dataToDecrypt: {
+					nonce,
+					ciphertext
+				}
+			});
+		}
 	};
 }
-/** Pull the type-specific payload (`input` / `result` / `progress`) out of a wire JSON object. */
-function extractWirePayload(json) {
-	if (json.type === "request") return json.input;
-	if (json.type === "result") return json.result;
-	if (json.type === "progress") return json.progress;
+//#endregion
+//#region src/ActionRuntime/Transport/crypto/frameBytes.ts
+/** Normalize any frame form to bytes (for the AES-GCM layer, which works on `Uint8Array`). */
+function toFrameBytes(frame) {
+	if (typeof frame === "string") return new TextEncoder().encode(frame);
+	if (frame instanceof ArrayBuffer) return new Uint8Array(frame);
+	return frame;
 }
-/**
-* Reassemble a full wire JSON object from its decoded parts. `inputHash`/`outputHash` are emitted
-* empty — the hydration constructors recompute them — and the result still satisfies
-* `isActionPayload_Any_JsonObject` so it flows through validation like a JSON frame.
-*/
-function assembleWireJson(routeMeta, payloadType, time, context, payloadData) {
-	const base = {
-		form: "data",
-		domain: routeMeta.domain,
-		id: routeMeta.id,
-		allDomains: routeMeta.allDomains,
-		time,
-		context
-	};
-	if (payloadType === "request") return {
-		...base,
-		type: "request",
-		input: payloadData,
-		inputHash: ""
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/frameCryptoPipe.ts
+function createFrameCryptoPipe(config) {
+	const { write, isOpen, crypto, label = "link" } = config;
+	let sendChain = Promise.resolve();
+	const send = (frame) => {
+		if (isOpen != null && !isOpen()) return;
+		if (crypto == null) {
+			write(frame);
+			return;
+		}
+		const bytes = toFrameBytes(frame);
+		sendChain = sendChain.then(() => crypto).then((c) => c.encryptFrame(bytes)).then((encrypted) => {
+			if (isOpen == null || isOpen()) write(encrypted);
+		}).catch((err) => console.error(`[${label}] failed to encrypt/send frame`, err));
 	};
-	if (payloadType === "result") return {
-		...base,
-		type: "result",
-		result: payloadData,
-		outputHash: ""
+	const decryptIncoming = async (frame) => {
+		if (crypto == null) return frame;
+		try {
+			return await (await crypto).decryptFrame(frame);
+		} catch (err) {
+			console.error(`[${label}] failed to decrypt incoming frame`, err);
+			return;
+		}
 	};
 	return {
-		...base,
-		type: "progress",
-		progress: payloadData
+		send,
+		decryptIncoming
 	};
 }
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsAdapter.ts
-/**
-* Positional layout of the stateless binary envelope. A flat tuple (rather than an object) strips the
-* repeated `domain`/`id`/`form`/`type` and context key names from every frame, and we carry only the
-* context fields the receiver can't recompute: `cuid` (correlation) and `originClient` (return
-* routing).
-*
-*   [ routeInt, typeInt, time, cuid, originClient, payloadData ]
-*
-* Dropped vs the JSON wire: `form`/`type` strings, `inputHash`/`outputHash` (recomputed on hydrate),
-* `context.timeCreated` (reconstructed from `time`) and `context.routing` (rebuilt empty — the
-* receiver re-stamps its own route items as it handles the action). For the leanest possible frames
-* (integer correlation, identity dropped after a handshake), use `createBinaryWsSessionFactory`.
-*/
-const ENVELOPE$1 = {
-	route: 0,
-	type: 1,
-	time: 2,
-	cuid: 3,
-	originClient: 4,
-	payload: 5
-};
-const ENVELOPE_LENGTH$1 = 6;
+//#region src/ActionRuntime/Transport/SecureSession/acceptorSecureSession.ts
 /**
-* Builds a *stateless* `formatMessage` pipeline for {@link WebSocketTransport}, packing action
-* payloads into a compact msgpackr binary frame instead of JSON. The `domain`/`id` route collapses to
-* a single integer drawn from a shared dictionary; `form`/`type`, the recomputable
-* `inputHash`/`outputHash`, and the per-frame `context.routing`/`context.timeCreated` are all dropped
-* (see {@link ENVELOPE}).
-*
-* No validation runs here: `incoming` blindly reconstructs the wire JSON shape and hands it back to
-* the connection, which flows into `ActionRuntime` → `domain.hydrateAnyAction()` where the Valibot
-* schemas validate it exactly as they would for a JSON frame.
-*
-* Both ends of the socket MUST construct the adapter with the same domains in the same order — the
-* integer dictionary is positional. Mismatched dictionaries will route to the wrong action.
+* The acceptor (accept-in) counterpart to the connector's `establishLinkSession`: one connection's
+* secure session — the server-side handshake driving, the ordered frame crypto, and the per-connection
+* phase (undecided → plain | authenticated). The crypto itself (ordered encrypt-send / decrypt) lives in
+* the shared {@link createFrameCryptoPipe}, the same primitive the connector uses — so the secure logic
+* lives once for both link roles.
 *
-* Because `incoming` returns `undefined` for text frames, a binary server can still serve plain-JSON
-* clients on the same runtime (the connection falls back to its built-in JSON parser).
+* The handler owns one of these per accepted connection and feeds it inbound frames via {@link receive};
+* identity binding, persistence, codec, and return routing stay in the handler (driven through the
+* config callbacks). Inbound processing is serialized per connection because the handshake and decryption
+* are async — this keeps handshake ordering and frame order intact.
 */
-function createBinaryWsAdapter(domains) {
-	const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
-	return {
-		outgoing: (input) => {
-			const json = input.action.toJsonObject();
-			const routeKey = `${json.domain}:${json.id}`;
-			const routeInt = routeToInt.get(routeKey);
-			if (routeInt == null) throw new Error(`[binary-ws] Cannot pack unregistered action route: ${routeKey}`);
-			const envelope = new Array(ENVELOPE_LENGTH$1);
-			envelope[ENVELOPE$1.route] = routeInt;
-			envelope[ENVELOPE$1.type] = PayloadTypeToInt[json.type];
-			envelope[ENVELOPE$1.time] = json.time;
-			envelope[ENVELOPE$1.cuid] = json.context.cuid;
-			envelope[ENVELOPE$1.originClient] = json.context.originClient;
-			envelope[ENVELOPE$1.payload] = extractWirePayload(json);
-			return pack(envelope);
-		},
-		incoming: (frame) => {
-			let buffer;
-			if (frame instanceof ArrayBuffer) buffer = new Uint8Array(frame);
-			else if (frame instanceof Uint8Array) buffer = frame;
-			else return;
-			try {
-				const envelope = unpack(buffer);
-				if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH$1) return void 0;
-				const routeMeta = intToRoute[envelope[ENVELOPE$1.route]];
-				const payloadType = ReversePayloadType[envelope[ENVELOPE$1.type]];
-				if (routeMeta == null || payloadType == null) return void 0;
-				const time = envelope[ENVELOPE$1.time];
-				return assembleWireJson(routeMeta, payloadType, time, {
-					cuid: envelope[ENVELOPE$1.cuid],
-					timeCreated: time,
-					routing: [],
-					originClient: envelope[ENVELOPE$1.originClient]
-				}, envelope[ENVELOPE$1.payload]);
-			} catch (e) {
-				console.error("[binary-ws] Failed to unpack binary action frame", e);
+var AcceptorSecureSession = class {
+	config;
+	_handshake;
+	/** The ordered encrypt-send / decrypt pipe — present only for an `encrypted` connection. */
+	_pipe;
+	_authed = false;
+	_plain = false;
+	/** Serializes inbound processing (handshake + decryption are async). */
+	_inboundChain = Promise.resolve();
+	constructor(config) {
+		this.config = config;
+	}
+	/** Feed one inbound frame. Serialized per connection; routes back through the config callbacks. */
+	receive(frame) {
+		this._inboundChain = this._inboundChain.then(() => this._receive(frame)).catch((err) => console.error("[ws-server] failed to process inbound frame", err));
+	}
+	async _receive(frame) {
+		if (this._plain) {
+			this.config.routePlain(frame);
+			return;
+		}
+		if (!this._authed) {
+			const message = typeof frame === "string" ? decodeHandshakeMessage(frame) : void 0;
+			if (message == null) {
+				if (this.config.noneAllowed) {
+					this._plain = true;
+					this.config.routePlain(frame);
+				}
 				return;
 			}
+			await this.config.link.initialize();
+			if (this._handshake == null) this._handshake = createServerHandshake({
+				link: this.config.link,
+				localCoordinate: this.config.localCoordinate,
+				dictionaryVersion: this.config.dictionaryVersion,
+				securityLevel: this.config.securityLevel,
+				verifyKeyResolver: this.config.verifyKeyResolver
+			});
+			if (message.t === "hello") this.config.send(encodeHandshakeMessage(await this._handshake.onHello(message)));
+			else if (message.t === "prove") {
+				const reply = await this._handshake.onProve(message);
+				this.config.send(encodeHandshakeMessage(reply));
+				const result = this._handshake.getResult();
+				if (reply.t === "accept" && result != null) this._complete(result);
+			}
+			return;
 		}
-	};
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsSessionFactory.ts
-/**
-* Positional layout of the *session* binary envelope — the leanest frame. Compared to the stateless
-* adapter it replaces the 21-char `cuid` with a small per-connection integer and only carries
-* `originClient` on the very first request of each direction (the peer remembers it afterwards).
-*
-*   [ routeInt, typeInt, corrId, time, originClient?, payloadData ]
-*/
-const ENVELOPE = {
-	route: 0,
-	type: 1,
-	corr: 2,
-	time: 3,
-	originClient: 4,
-	payload: 5
-};
-const ENVELOPE_LENGTH = 6;
-/**
-* How long a pending correlation entry is kept before it's swept. A correlation only matters until its
-* action resolves or times out, so anything older than the longest realistic action timeout can be
-* dropped — this bounds memory when requests time out or a connection dies mid-flight (their replies
-* would never arrive, leaving the entry orphaned). Generous default so live correlations are never
-* pruned (the default transport timeout is 10s).
-*/
-const DEFAULT_CORRELATION_TTL_MS = 5 * 6e4;
-function isKnownIdentity(coordinate) {
-	return coordinate != null && coordinate.envId !== "_unset_";
-}
-/**
-* Drop entries older than `ttlMs`. Maps keep insertion order and entries are inserted in time order,
-* so the oldest are first — stop sweeping at the first live entry.
-*/
-function pruneExpired(map, now, ttlMs) {
-	for (const [key, entry] of map) {
-		if (now - entry.time <= ttlMs) break;
-		map.delete(key);
+		const bytes = this._pipe != null ? await this._pipe.decryptIncoming(frame) : frame;
+		if (bytes === void 0) return;
+		this.config.routeAction(bytes);
+	}
+	_complete(result) {
+		this._authed = true;
+		this._handshake = void 0;
+		if (result.securityLevel === "encrypted") this._pipe = this._buildPipe(createActionFrameCrypto({
+			link: this.config.link,
+			linkedClientId: result.linkedClientId
+		}));
+		this.config.onAuthenticated({
+			client: new RuntimeCoordinate(result.remote),
+			securityLevel: result.securityLevel,
+			linkedClientId: result.linkedClientId,
+			keyMaterial: result.encryptionKeyMaterial
+		});
 	}
-}
+	/**
+	* Restore an already-authenticated session after eviction — no handshake. For an `encrypted`
+	* connection the shared key is re-derived asynchronously (the acceptor re-links the client off its own
+	* persisted identity); the pipe's crypto IS that promise, so the connection's first in/out frame
+	* naturally waits for the key before encrypt/decrypt — no separate gate.
+	*/
+	rehydrate(state) {
+		this._authed = true;
+		if (state.securityLevel !== "encrypted" || state.keyMaterial == null) return;
+		const { link } = this.config;
+		const { linkedClientId, keyMaterial } = state;
+		const cryptoReady = link.initialize().then(() => link.linkClient({
+			linkedClientId,
+			verifyPublicKey: keyMaterial.verifyPublicKey,
+			exchangePublicKey: keyMaterial.exchangePublicKey,
+			saltString: keyMaterial.saltString,
+			infoString: keyMaterial.infoString,
+			bindVerifyKeysIntoDerivation: keyMaterial.bindVerifyKeysIntoDerivation
+		})).then(() => createActionFrameCrypto({
+			link,
+			linkedClientId
+		}));
+		cryptoReady.catch((err) => console.error("[ws-server] failed to restore encrypted session", err));
+		this._pipe = this._buildPipe(cryptoReady);
+	}
+	/** Send an outbound frame: through the encrypt pipe when encrypted, otherwise raw. */
+	send(frame) {
+		if (this._pipe != null) {
+			this._pipe.send(frame);
+			return;
+		}
+		this.config.send(frame);
+	}
+	_buildPipe(crypto) {
+		return createFrameCryptoPipe({
+			write: this.config.send,
+			crypto,
+			label: "ws-server"
+		});
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/AcceptorHandler.ts
 /**
-* Builds a factory of *stateful, per-connection* codecs for {@link WebSocketTransport} /
-* `ActionServerHandler` — the maximally compact binary wire. Call the returned factory once per live
-* connection (each socket on the client, each accepted connection on the server) so every channel
-* gets its own correlation + identity state.
+* Server-side handler for backends that accept many client connections over a single open channel
+* (WebSockets, Durable Objects, …). It is transport-agnostic: you feed it inbound frames with
+* {@link receive} and tell it how to write outbound frames via the `send` option.
 *
-* On top of everything {@link createBinaryWsAdapter} drops, a session also drops:
-* - **`cuid`** — replaced by a per-connection integer correlation id. The initiator maps it to its
-*   real cuid; the responder echoes it; each side reconstructs the cuid from its own map. Correlation
-*   only needs to be unique per socket, so a counter suffices.
-* - **`originClient` after the first request** — the first request each side sends carries its
-*   identity; the peer remembers it and injects it into later frames. Replies omit it entirely (a
-*   reply carries the initiator's own origin, which the initiator already knows).
+* Add it alongside your local execution handler:
+* ```ts
+* const serverHandler = createAcceptorHandler({ clientEnv, formatMessage, send: (ws, f) => ws.send(f) });
+* runtime.addHandlers([localHandler, serverHandler]);
+* // per inbound message (e.g. a Durable Object's webSocketMessage):
+* serverHandler.receive(ws, message);
+* ```
 *
-* Both ends MUST build the factory from the same domains in the same order (positional dictionary).
-* Text frames still return `undefined` from `incoming`, so JSON clients remain interoperable.
+* Inbound requests route to your local handler; the runtime's return dispatch then calls this
+* handler back (it is an external handler keyed to `clientEnv`) to send the result to the originating
+* connection. The handler keeps a per-connection identity registry so each result lands on the right
+* socket, and remembers each connection's encoding so binary and JSON clients can share the channel.
 *
-* Hibernation note: after a server connection is evicted its session resets, so a still-connected
-* client (whose session persists) will keep omitting `originClient`. The server must therefore restore
-* the connection→client binding from its own store (see `ActionServerHandler.rehydrateConnection`) and
-* inject `originClient` from there — the session alone can't recover it.
+* It registers an empty action router, so it is never chosen to *execute* an inbound request — only
+* to ferry results/pushes back out.
 */
-function createBinaryWsSessionFactory(domains, options) {
-	const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
-	const unknownIdentity = RuntimeCoordinate.unknown.toJsonObject();
-	const ttlMs = options?.correlationTtlMs ?? DEFAULT_CORRELATION_TTL_MS;
-	return () => {
-		let outCounter = 0;
-		const corrToCuid = /* @__PURE__ */ new Map();
-		const cuidToCorr = /* @__PURE__ */ new Map();
-		let selfIdentity;
-		let peerIdentity;
-		return {
-			outgoing: (input) => {
-				const json = input.action.toJsonObject();
-				const routeKey = `${json.domain}:${json.id}`;
-				const routeInt = routeToInt.get(routeKey);
-				if (routeInt == null) throw new Error(`[binary-ws] Cannot pack unregistered action route: ${routeKey}`);
-				const now = Date.now();
-				pruneExpired(corrToCuid, now, ttlMs);
+var AcceptorHandler = class extends PeerLinkHandler {
+	/** Accept-in over a live (duplex) connection registry — it pushes results/broadcasts to bound sockets. */
+	canPush = true;
+	_formatMessage;
+	_createFormatMessage;
+	_send;
+	_runtime;
+	_serverTimeout;
+	_onConnectionBound;
+	_security;
+	/** Normalized accepted levels; whether `none` (plain) is allowed; whether any level needs a handshake. */
+	_allowedLevels;
+	_noneAllowed;
+	_handshakeMode;
+	_connByClient = /* @__PURE__ */ new Map();
+	_clientByConn = /* @__PURE__ */ new Map();
+	_connEncoding = /* @__PURE__ */ new Map();
+	_codecByConn = /* @__PURE__ */ new Map();
+	_sessionByConn = /* @__PURE__ */ new Map();
+	constructor(options) {
+		super(options.clientEnv);
+		this._formatMessage = options.formatMessage;
+		this._createFormatMessage = options.createFormatMessage;
+		this._send = options.send;
+		this._runtime = options.runtime;
+		this._serverTimeout = options.defaultTimeout ?? 1e4;
+		this._onConnectionBound = options.onConnectionBound;
+		this._security = options.security;
+		this._allowedLevels = options.security == null ? [] : Array.isArray(options.security.securityLevel) ? options.security.securityLevel : [options.security.securityLevel];
+		this._noneAllowed = this._allowedLevels.includes("none");
+		this._handshakeMode = this._allowedLevels.some((level) => level !== "none");
+	}
+	/**
+	* The codec for a connection: a per-connection session (cached) when a factory was provided, else
+	* the single shared `formatMessage`.
+	*/
+	_codecFor(connection) {
+		if (this._createFormatMessage != null) {
+			let codec = this._codecByConn.get(connection);
+			if (codec == null) {
+				codec = this._createFormatMessage();
+				this._codecByConn.set(connection, codec);
+			}
+			return codec;
+		}
+		if (this._formatMessage != null) return this._formatMessage;
+		throw err_nice_transport.fromId("not_found", { actionId: "server-handler-codec (provide formatMessage or createFormatMessage)" });
+	}
+	/**
+	* Register (or replace) the connection-bound persistence callback after construction. Used by
+	* lifecycle helpers like {@link createHibernatableWsServerAdapter} so persistence and replay are
+	* owned by one place instead of being split across the constructor options.
+	*/
+	setOnConnectionBound(onConnectionBound) {
+		this._onConnectionBound = onConnectionBound;
+	}
+	/**
+	* Feed one inbound frame from a connection into the runtime. Decodes text or binary, binds the
+	* connection to the requesting client's identity, then routes it (requests execute locally;
+	* results/progress resolve pending server-initiated actions).
+	*/
+	receive(connection, frame) {
+		const security = this._security;
+		if (security == null || !this._handshakeMode) {
+			this._receivePlain(connection, frame);
+			return;
+		}
+		this._sessionFor(connection, security).receive(frame);
+	}
+	_receivePlain(connection, frame) {
+		const wire = decodeActionFrame(frame, this._codecFor(connection));
+		if (wire == null) return;
+		const encoding = typeof frame === "string" ? "json" : "binary";
+		this._connEncoding.set(connection, encoding);
+		if (wire.type === "request") this._resolveRequestIdentity(connection, wire, encoding);
+		this._emitIncoming(wire);
+	}
+	/**
+	* The secure session for a connection (built lazily on its first secure-mode frame), with the
+	* handler-owned effects — raw send, identity binding + persistence, and inbound routing — wired in as
+	* callbacks. The session owns all crypto/handshake/chain state; the handler keeps only the registry.
+	*/
+	_sessionFor(connection, security) {
+		let session = this._sessionByConn.get(connection);
+		if (session == null) {
+			session = new AcceptorSecureSession({
+				link: security.link,
+				localCoordinate: security.localCoordinate,
+				dictionaryVersion: security.dictionaryVersion,
+				securityLevel: security.securityLevel,
+				verifyKeyResolver: security.verifyKeyResolver,
+				noneAllowed: this._noneAllowed,
+				send: (frame) => this._send(connection, frame),
+				onAuthenticated: (auth) => this._onConnectionAuthenticated(connection, auth),
+				routePlain: (frame) => this._receivePlain(connection, frame),
+				routeAction: (bytes) => this._routeAuthedActionBytes(connection, bytes)
+			});
+			this._sessionByConn.set(connection, session);
+		}
+		return session;
+	}
+	/** Bind + persist a connection's authenticated identity once its handshake completes. */
+	_onConnectionAuthenticated(connection, auth) {
+		this._bindConnection(connection, auth.client);
+		this._connEncoding.set(connection, "binary");
+		this._onConnectionBound?.(connection, {
+			client: auth.client.toJsonObject(),
+			encoding: "binary",
+			secure: {
+				securityLevel: auth.securityLevel,
+				linkedClientId: auth.linkedClientId,
+				keyMaterial: auth.keyMaterial
+			}
+		});
+	}
+	/** Decode a decrypted authenticated frame, inject the *authenticated* identity, and route it. */
+	_routeAuthedActionBytes(connection, bytes) {
+		const wire = decodeActionFrame(bytes, this._codecFor(connection));
+		if (wire == null) return;
+		if (wire.type === "request") {
+			const bound = this._clientByConn.get(connection);
+			if (bound != null) wire.context.originClient = bound.toJsonObject();
+		}
+		this._emitIncoming(wire);
+	}
+	/**
+	* Ensure an inbound request carries the client's identity and that this connection is bound to it,
+	* so its result can be routed back. A session codec omits `originClient` after the first request, so
+	* when it's missing we restore it from the (possibly rehydrated) binding instead. (Plain mode only;
+	* secure mode binds the authenticated coordinate at handshake time.)
+	*/
+	_resolveRequestIdentity(connection, wire, encoding) {
+		const wireOrigin = wire.context.originClient;
+		if (wireOrigin != null && wireOrigin.envId !== "_unset_") {
+			const clientCoord = new RuntimeCoordinate(wireOrigin);
+			const isNewBinding = this._clientByConn.get(connection)?.stringId !== clientCoord.stringId;
+			this._bindConnection(connection, clientCoord);
+			if (isNewBinding) this._onConnectionBound?.(connection, {
+				client: clientCoord.toJsonObject(),
+				encoding
+			});
+			return;
+		}
+		const bound = this._clientByConn.get(connection);
+		if (bound != null) wire.context.originClient = bound.toJsonObject();
+	}
+	/**
+	* Restore a connection→client binding without an inbound frame — for transports that resume after
+	* eviction. Pair it with the {@link IAcceptorHandlerOptions.onConnectionBound} hook: persist
+	* the binding there, then replay each live connection here when the channel comes back (e.g. a
+	* Durable Object iterating `ctx.getWebSockets()` as it wakes from hibernation).
+	*/
+	rehydrateConnection(connection, binding) {
+		this._bindConnection(connection, new RuntimeCoordinate(binding.client));
+		this._connEncoding.set(connection, binding.encoding);
+		const secure = binding.secure;
+		const security = this._security;
+		if (secure == null || security == null) return;
+		this._sessionFor(connection, security).rehydrate(secure);
+	}
+	toJsonObject() {
+		return {
+			type: this.handlerType,
+			client: this.peerClient
+		};
+	}
+	toHandlerRouteItem() {
+		return {
+			type: this.handlerType,
+			client: this.peerClient,
+			transShape: "duplex",
+			transOrd: 0
+		};
+	}
+	/** Forget a connection (call on socket close) so stale entries don't misroute later results. */
+	dropConnection(connection) {
+		const coord = this._clientByConn.get(connection);
+		if (coord != null && this._connByClient.get(coord.stringId) === connection) this._connByClient.delete(coord.stringId);
+		this._clientByConn.delete(connection);
+		this._connEncoding.delete(connection);
+		this._codecByConn.delete(connection);
+		this._sessionByConn.delete(connection);
+	}
+	/** Live connection for a client coordinate, if currently registered. */
+	getConnectionForClient(client) {
+		return this._connByClient.get(client.stringId);
+	}
+	/** This acceptor owns the origin's return path when it currently holds a live connection bound to it. */
+	ownsLiveConnectionFor(origin) {
+		return this._connByClient.has(origin.stringId);
+	}
+	/** Whether this acceptor currently tracks `connection` — used to pick the owning handler among several. */
+	hasConnection(connection) {
+		return this._clientByConn.has(connection);
+	}
+	/**
+	* Send (and optionally await) a server-initiated action to a specific connected client. Pass the
+	* connection token directly (e.g. the `ws`) or a client `RuntimeCoordinate` to look one up.
+	*/
+	pushToClient(runtime, target, request, options) {
+		const connection = this._resolveConnection(target);
+		return this._dispatch(runtime, connection, request, options?.timeout);
+	}
+	/**
+	* Build a local handler whose cases are connection-aware: each case receives the primed request and
+	* the originating client's live connection (resolved from `originClient`), so handlers don't repeat
+	* the `getConnectionForClient(action.context.originClient)` lookup. Cases may return raw output or
+	* nothing, just like {@link ActionLocalHandler.forDomainActionCases}. Add the returned handler to the
+	* runtime alongside this server handler:
+	* ```ts
+	* runtime.addHandlers([serverHandler.forConnectionDomainCases(domain, { … }), serverHandler]);
+	* ```
+	*/
+	forConnectionDomainCases(domain, cases) {
+		return this.forConnectionDomainCasesMulti([domain], cases);
+	}
+	/**
+	* Like {@link forConnectionDomainCases} but spanning several domains with one merged case map — used
+	* by channel-derived wiring (`acceptChannelConnections`) where the channel's `toAcceptor` domains are
+	* served together. Each domain takes only the cases whose ids it owns, so a single map can cover
+	* several domains and unrelated ids are ignored.
+	*/
+	forConnectionDomainCasesMulti(domains, cases) {
+		const handler = new ActionLocalHandler();
+		for (const domain of domains) {
+			const ownedIds = new Set(Object.keys(domain.actionsMap()));
+			const wrapped = {};
+			for (const id in cases) {
+				if (!ownedIds.has(id)) continue;
+				const caseFn = cases[id];
+				if (caseFn == null) continue;
+				wrapped[id] = (request) => caseFn(request, this.getConnectionForClient(request.context.originClient));
+			}
+			handler.forDomainActionCases(domain, wrapped);
+		}
+		return handler;
+	}
+	/**
+	* Fan a server-initiated request out to every currently-bound connection. A fresh request is built
+	* per connection (each push mutates its own action context) and dispatched fire-and-forget. Pass
+	* `except` to skip the originating socket and `where` to filter by connection (e.g. read its
+	* attachment for a role). Iterating bound connections (rather than every accepted socket) skips
+	* sockets that are still mid-handshake and so can't yet receive a frame.
+	*/
+	broadcast(makeRequest, options) {
+		const runtime = options?.runtime ?? this._runtime;
+		if (runtime == null) throw err_nice_transport.fromId("not_found", { actionId: "server-handler-runtime (construct with `runtime` or pass `options.runtime`)" });
+		for (const connection of this._clientByConn.keys()) {
+			if (options?.except != null && connection === options.except) continue;
+			if (options?.where != null && !options.where(connection)) continue;
+			try {
+				this.pushToClient(runtime, connection, makeRequest(), { timeout: options?.timeout });
+			} catch (error) {
+				if (options?.onError != null) options.onError(error, connection);
+				else console.error("[ws-server] broadcast push failed", error);
+			}
+		}
+	}
+	async sendReturnPayload(payload, config) {
+		const connection = this._connByClient.get(payload.context.originClient.stringId);
+		if (connection == null) return false;
+		this._sendPayload(connection, payload, config.targetLocalRuntime.coordinate);
+		return true;
+	}
+	async handleActionRequest(action, config) {
+		const runtime = config?.targetLocalRuntime ?? ActionRuntime.getDefault();
+		const connection = this._resolveSingleConnection();
+		return this._dispatch(runtime, connection, action, config?.timeout);
+	}
+	_dispatch(runtime, connection, action, timeout) {
+		const timeoutMs = timeout ?? this._serverTimeout;
+		action.context._setOriginClient(runtime.coordinate);
+		action.context.addRouteItem({
+			runtime: runtime.coordinate,
+			handler: this.toHandlerRouteItem(),
+			time: Date.now()
+		});
+		const runningAction = new RunningAction({
+			context: action.context,
+			request: action,
+			parentCuid: peekHandlerCuid(),
+			callSite: action._callSite
+		});
+		runtime.registerRunningAction(runningAction);
+		if (action.schema.responseMode === "none") {
+			try {
+				this._sendPayload(connection, action, runtime.coordinate);
+				runningAction._completeWithResult(action.successResult(void 0));
+			} catch (err) {
+				runningAction._abort(err);
+			}
+			return runningAction;
+		}
+		const timeoutId = setTimeout(() => {
+			runningAction._abort(err_nice_transport.fromId("timeout", { timeout: timeoutMs }));
+		}, timeoutMs);
+		runningAction.addUpdateListeners([(update) => {
+			if (update.type === "finished") clearTimeout(timeoutId);
+		}]);
+		try {
+			this._sendPayload(connection, action, runtime.coordinate);
+		} catch (err) {
+			runningAction._abort(err);
+		}
+		return runningAction;
+	}
+	_sendPayload(connection, payload, localClient) {
+		const frame = (this._connEncoding.get(connection) ?? "binary") === "json" ? JSON.stringify(payload.toJsonObject()) : this._codecFor(connection).outgoing({
+			action: payload,
+			localClient,
+			externalClient: this.peerClient
+		});
+		const session = this._sessionByConn.get(connection);
+		if (session == null) {
+			this._send(connection, frame);
+			return;
+		}
+		session.send(frame);
+	}
+	_bindConnection(connection, client) {
+		this._connByClient.set(client.stringId, connection);
+		this._clientByConn.set(connection, client);
+	}
+	_resolveConnection(target) {
+		if (target instanceof RuntimeCoordinate) {
+			const connection = this._connByClient.get(target.stringId);
+			if (connection == null) throw err_nice_transport.fromId("not_found", { actionId: target.stringId });
+			return connection;
+		}
+		return target;
+	}
+	_resolveSingleConnection() {
+		if (this._clientByConn.size !== 1) throw err_nice_transport.fromId("not_found", { actionId: "server-handler-target (use pushToClient with an explicit connection or client coordinate)" });
+		return this._clientByConn.keys().next().value;
+	}
+};
+const createAcceptorHandler = (options) => {
+	return new AcceptorHandler(options);
+};
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createSecureActionServer.ts
+/** Default accepted set: negotiate per connection to whatever the client picks. */
+const DEFAULT_SERVER_SECURITY_LEVELS$1 = [
+	"none",
+	"authenticated",
+	"encrypted"
+];
+/**
+* Build an {@link AcceptorHandler} for the secure binary channel with the boilerplate folded in:
+* it creates the {@link ClientCryptoKeyLink} and the storage-backed TOFU resolver from a single
+* `storageAdapter`, installs the channel's per-connection codec, and assembles the `security` block
+* from the runtime coordinate + channel version (accepting all three levels by default).
+*
+* For a hibernatable transport (e.g. a Durable Object), pair it with
+* {@link createHibernatableWsServerAdapter} to wire persistence + replay.
+*/
+function createSecureAcceptorHandler(options) {
+	const link = options.link ?? new ClientCryptoKeyLink({ storageAdapter: options.storageAdapter });
+	return new AcceptorHandler({
+		clientEnv: options.clientEnv,
+		createFormatMessage: options.channel.createCodec,
+		send: options.send,
+		runtime: options.runtime,
+		defaultTimeout: options.defaultTimeout,
+		security: {
+			securityLevel: options.securityLevel ?? DEFAULT_SERVER_SECURITY_LEVELS$1,
+			link,
+			localCoordinate: options.runtime.coordinate.toJsonObject(),
+			dictionaryVersion: options.channel.dictionaryVersion,
+			verifyKeyResolver: options.verifyKeyResolver ?? createStorageTofuVerifyKeyResolver(options.storageAdapter)
+		}
+	});
+}
+//#endregion
+//#region src/ActionRuntime/Channel/ActionChannel.ts
+/**
+* Declare a transport-agnostic channel by role. Use it for HTTP, custom transports, or as the routing
+* half of a richer channel. The order of each list is part of the contract for wire formats that pack
+* positionally (see `defineSecureChannel`) — add new domains to the end of their list. (`domains` is
+* accepted as a legacy alias for `toAcceptor`.)
+*/
+function defineChannel(options) {
+	return {
+		toAcceptorDomains: options.toAcceptor,
+		toConnectorDomains: options.toConnector
+	};
+}
+/**
+* Wire a connection to the acceptor straight from a channel: route the channel's `toAcceptor` domains to
+* the acceptor over `transports`, and register local handlers for its `toConnector` pushes from
+* `onPush`. The channel is the single source of truth for *what* is routed in each direction — the
+* caller only supplies the transport(s) and the push handlers, never restated domain lists. Pass several
+* transports to make the connector→acceptor path transport-agnostic (e.g. secure WS preferred, HTTP
+* fallback).
+*
+* Sugar over {@link ActionRuntime.connectTo}. Returns the acceptor handler so the caller can later
+* `clearTransportCache()` it.
+*/
+function connectChannel(runtime, acceptorCoordinate, options) {
+	const pushHandlers = options.onPush != null ? options.channel.toConnectorDomains.map((domain) => domain.wrapAsPartialLocalHandler(options.onPush)) : [];
+	return runtime.connectTo(acceptorCoordinate, {
+		transports: options.transports,
+		domains: [...options.channel.toAcceptorDomains],
+		localHandlers: pushHandlers,
+		defaultTimeout: options.defaultTimeout
+	});
+}
+/**
+* Register an acceptor handler's execution for a channel straight from its definition: the channel's
+* `toAcceptor` domains are served together with one merged, connection-aware case map (each case gets
+* the primed request + the originating connection, as with
+* {@link AcceptorHandler.forConnectionDomainCases}). The domain list is taken from the channel,
+* never restated. Add the returned handler to the runtime alongside the acceptor handler:
+* ```ts
+* runtime.addHandlers([acceptChannelConnections(serverHandler, channel, { … }), serverHandler]);
+* ```
+*/
+function acceptChannelConnections(serverHandler, channel, cases) {
+	return serverHandler.forConnectionDomainCasesMulti(channel.toAcceptorDomains, cases);
+}
+/**
+* Build the secure {@link AcceptorHandler} for a channel — the accept-in counterpart to
+* {@link connectChannel}. It folds in the same boilerplate as {@link createSecureAcceptorHandler} (the
+* `ClientCryptoKeyLink` + storage-backed TOFU resolver from one `storageAdapter`, the channel's codec +
+* dictionary version, the `security` block from the runtime coordinate) but takes the `(runtime, channel,
+* options)` shape of the channel family. Pair it with {@link acceptChannelConnections} for execution:
+* ```ts
+* const acceptor = acceptChannel(runtime, gameChannel, { clientEnv, storageAdapter, send });
+* runtime.addHandlers([acceptChannelConnections(acceptor, gameChannel, { … }), acceptor]);
+* ```
+*/
+function acceptChannel(runtime, channel, options) {
+	return createSecureAcceptorHandler({
+		channel,
+		runtime,
+		clientEnv: options.clientEnv,
+		storageAdapter: options.storageAdapter,
+		link: options.link,
+		send: options.send,
+		securityLevel: options.securityLevel,
+		verifyKeyResolver: options.verifyKeyResolver,
+		defaultTimeout: options.defaultTimeout
+	});
+}
+//#endregion
+//#region src/ActionRuntime/Transport/codec/actionWireCodec.ts
+/**
+* Tiny integer codes for the payload type, so the verbose `"request"`/`"result"`/`"progress"`
+* strings never hit the wire. The index in {@link ReversePayloadType} must line up with the value.
+*/
+const PayloadTypeToInt = {
+	["request"]: 0,
+	["result"]: 1,
+	["progress"]: 2
+};
+const ReversePayloadType = [
+	"request",
+	"result",
+	"progress"
+];
+/**
+* Build the positional `domain:id` ↔ integer dictionary. Both ends of a channel MUST build it from
+* the same domains in the same order — the mapping is positional, so a mismatch routes to the wrong
+* action. Add new transported domains to the end of the list.
+*/
+function buildActionRouteDictionary(domains) {
+	const routeToInt = /* @__PURE__ */ new Map();
+	const intToRoute = [];
+	for (const dom of domains) for (const actionId of Object.keys(dom.actionSchema)) {
+		const routeKey = `${dom.domain}:${actionId}`;
+		if (routeToInt.has(routeKey)) continue;
+		routeToInt.set(routeKey, intToRoute.length);
+		intToRoute.push({
+			domain: dom.domain,
+			id: actionId,
+			allDomains: dom.allDomains
+		});
+	}
+	return {
+		routeToInt,
+		intToRoute
+	};
+}
+/** Pull the type-specific payload (`input` / `result` / `progress`) out of a wire JSON object. */
+function extractWirePayload(json) {
+	if (json.type === "request") return json.input;
+	if (json.type === "result") return json.result;
+	if (json.type === "progress") return json.progress;
+}
+/**
+* Reassemble a full wire JSON object from its decoded parts. `inputHash`/`outputHash` are emitted
+* empty — the hydration constructors recompute them — and the result still satisfies
+* `isActionPayload_Any_JsonObject` so it flows through validation like a JSON frame.
+*/
+function assembleWireJson(routeMeta, payloadType, time, context, payloadData) {
+	const base = {
+		form: "data",
+		domain: routeMeta.domain,
+		id: routeMeta.id,
+		allDomains: routeMeta.allDomains,
+		time,
+		context
+	};
+	if (payloadType === "request") return {
+		...base,
+		type: "request",
+		input: payloadData,
+		inputHash: ""
+	};
+	if (payloadType === "result") return {
+		...base,
+		type: "result",
+		result: payloadData,
+		outputHash: ""
+	};
+	return {
+		...base,
+		type: "progress",
+		progress: payloadData
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/codec/createBinaryWireSessionFactory.ts
+/**
+* Positional layout of the *session* binary envelope — the leanest frame. Compared to the stateless
+* adapter it replaces the 21-char `cuid` with a small per-connection integer and only carries
+* `originClient` on the very first request of each direction (the peer remembers it afterwards).
+*
+*   [ routeInt, typeInt, corrId, time, originClient?, payloadData ]
+*/
+const ENVELOPE$1 = {
+	route: 0,
+	type: 1,
+	corr: 2,
+	time: 3,
+	originClient: 4,
+	payload: 5
+};
+const ENVELOPE_LENGTH$1 = 6;
+/**
+* How long a pending correlation entry is kept before it's swept. A correlation only matters until its
+* action resolves or times out, so anything older than the longest realistic action timeout can be
+* dropped — this bounds memory when requests time out or a connection dies mid-flight (their replies
+* would never arrive, leaving the entry orphaned). Generous default so live correlations are never
+* pruned (the default transport timeout is 10s).
+*/
+const DEFAULT_CORRELATION_TTL_MS = 5 * 6e4;
+function isKnownIdentity(coordinate) {
+	return coordinate != null && coordinate.envId !== "_unset_";
+}
+/**
+* Drop entries older than `ttlMs`. Maps keep insertion order and entries are inserted in time order,
+* so the oldest are first — stop sweeping at the first live entry.
+*/
+function pruneExpired(map, now, ttlMs) {
+	for (const [key, entry] of map) {
+		if (now - entry.time <= ttlMs) break;
+		map.delete(key);
+	}
+}
+/**
+* Builds a factory of *stateful, per-connection* codecs for {@link LinkTransport} /
+* `AcceptorHandler` — the maximally compact binary wire. Call the returned factory once per live
+* connection (each socket on the client, each accepted connection on the server) so every channel
+* gets its own correlation + identity state.
+*
+* On top of everything {@link createBinaryWireAdapter} drops, a session also drops:
+* - **`cuid`** — replaced by a per-connection integer correlation id. The initiator maps it to its
+*   real cuid; the responder echoes it; each side reconstructs the cuid from its own map. Correlation
+*   only needs to be unique per socket, so a counter suffices.
+* - **`originClient` after the first request** — the first request each side sends carries its
+*   identity; the peer remembers it and injects it into later frames. Replies omit it entirely (a
+*   reply carries the initiator's own origin, which the initiator already knows).
+*
+* Both ends MUST build the factory from the same domains in the same order (positional dictionary).
+* Text frames still return `undefined` from `incoming`, so JSON clients remain interoperable.
+*
+* Hibernation note: after a server connection is evicted its session resets, so a still-connected
+* client (whose session persists) will keep omitting `originClient`. The server must therefore restore
+* the connection→client binding from its own store (see `AcceptorHandler.rehydrateConnection`) and
+* inject `originClient` from there — the session alone can't recover it.
+*/
+function createBinaryWireSessionFactory(domains, options) {
+	const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
+	const unknownIdentity = RuntimeCoordinate.unknown.toJsonObject();
+	const ttlMs = options?.correlationTtlMs ?? DEFAULT_CORRELATION_TTL_MS;
+	return () => {
+		let outCounter = 0;
+		const corrToCuid = /* @__PURE__ */ new Map();
+		const cuidToCorr = /* @__PURE__ */ new Map();
+		let selfIdentity;
+		let peerIdentity;
+		return {
+			outgoing: (input) => {
+				const json = input.action.toJsonObject();
+				const routeKey = `${json.domain}:${json.id}`;
+				const routeInt = routeToInt.get(routeKey);
+				if (routeInt == null) throw new Error(`[binary-wire] Cannot pack unregistered action route: ${routeKey}`);
+				const now = Date.now();
+				pruneExpired(corrToCuid, now, ttlMs);
 				pruneExpired(cuidToCorr, now, ttlMs);
 				let corr;
 				let wireIdentity;
@@ -2885,13 +3206,13 @@ function createBinaryWsSessionFactory(domains, options) {
 					corr = cuidToCorr.get(json.context.cuid)?.value ?? -1;
 					if (json.type === "result") cuidToCorr.delete(json.context.cuid);
 				}
-				const envelope = new Array(ENVELOPE_LENGTH);
-				envelope[ENVELOPE.route] = routeInt;
-				envelope[ENVELOPE.type] = PayloadTypeToInt[json.type];
-				envelope[ENVELOPE.corr] = corr;
-				envelope[ENVELOPE.time] = json.time;
-				envelope[ENVELOPE.originClient] = wireIdentity;
-				envelope[ENVELOPE.payload] = extractWirePayload(json);
+				const envelope = new Array(ENVELOPE_LENGTH$1);
+				envelope[ENVELOPE$1.route] = routeInt;
+				envelope[ENVELOPE$1.type] = PayloadTypeToInt[json.type];
+				envelope[ENVELOPE$1.corr] = corr;
+				envelope[ENVELOPE$1.time] = json.time;
+				envelope[ENVELOPE$1.originClient] = wireIdentity;
+				envelope[ENVELOPE$1.payload] = extractWirePayload(json);
 				return pack(envelope);
 			},
 			incoming: (frame) => {
@@ -2901,16 +3222,16 @@ function createBinaryWsSessionFactory(domains, options) {
 				else return;
 				try {
 					const envelope = unpack(buffer);
-					if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH) return void 0;
-					const routeMeta = intToRoute[envelope[ENVELOPE.route]];
-					const payloadType = ReversePayloadType[envelope[ENVELOPE.type]];
+					if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH$1) return void 0;
+					const routeMeta = intToRoute[envelope[ENVELOPE$1.route]];
+					const payloadType = ReversePayloadType[envelope[ENVELOPE$1.type]];
 					if (routeMeta == null || payloadType == null) return void 0;
 					const now = Date.now();
 					pruneExpired(corrToCuid, now, ttlMs);
 					pruneExpired(cuidToCorr, now, ttlMs);
-					const corr = envelope[ENVELOPE.corr];
-					const time = envelope[ENVELOPE.time];
-					const wireIdentity = envelope[ENVELOPE.originClient];
+					const corr = envelope[ENVELOPE$1.corr];
+					const time = envelope[ENVELOPE$1.time];
+					const wireIdentity = envelope[ENVELOPE$1.originClient];
 					let cuid;
 					let originClient;
 					if (payloadType === "request") {
@@ -2931,9 +3252,9 @@ function createBinaryWsSessionFactory(domains, options) {
 						timeCreated: time,
 						routing: [],
 						originClient
-					}, envelope[ENVELOPE.payload]);
+					}, envelope[ENVELOPE$1.payload]);
 				} catch (e) {
-					console.error("[binary-ws] Failed to unpack binary action session frame", e);
+					console.error("[binary-wire] Failed to unpack binary action session frame", e);
 					return;
 				}
 			}
@@ -2941,438 +3262,433 @@ function createBinaryWsSessionFactory(domains, options) {
 	};
 }
 //#endregion
-//#region src/utils/decodeActionFrame.ts
-/**
-* Decode a single inbound channel frame (text or binary) into validated action wire JSON, or
-* `undefined` if it isn't a recognisable action payload.
-*
-* Shared by the WebSocket transport's message listener and the server-side `ActionServerHandler` so
-* both decode identically: a binary `decoder.incoming` (e.g. msgpackr) takes precedence, and plain
-* text frames fall back to JSON — keeping binary and JSON clients interoperable on one channel.
-*/
-function decodeActionFrame(frame, decoder) {
-	const decoded = decoder?.incoming?.(frame) ?? (typeof frame === "string" ? parseJsonActionFrame(frame) : void 0);
-	return decoded != null && isActionPayload_Any_JsonObject(decoded) ? decoded : void 0;
-}
-function parseJsonActionFrame(message) {
-	try {
-		const json = JSON.parse(message);
-		return isActionPayload_Any_JsonObject(json) ? json : void 0;
-	} catch {
-		return;
-	}
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/helpers/createUnsetTransportResolvers.ts
-const createUnsetTransportResolvers = (type) => ({ onIncomingActionDataJson: (json) => {
-	console.warn(`Received incoming action JSON [${json.domain}:${json.id}] on Transport [${type}] but no incoming data listener has been set.`);
-} });
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/ws_util.ts
+//#region src/ActionRuntime/Channel/secureChannel.ts
 /**
-* Send a text or binary frame over a socket. A binary formatter may hand back a `Uint8Array` whose
-* backing buffer is typed as `ArrayBufferLike` (msgpackr pools buffers / may be `SharedArrayBuffer`),
-* which `WebSocket.send`'s `BufferSource` parameter rejects — copy it into a fresh `ArrayBuffer`-backed
-* view so the type (and the bytes) are safe to send.
+* Derive a stable wire-dictionary version from the ordered route list (FNV-1a over `domain:id,…`), so
+* the version moves automatically whenever the transported domains change — a stale peer is then
+* rejected by the handshake instead of silently misrouting a positionally-packed frame.
 */
-function sendFrame(ws, data) {
-	if (typeof data === "string" || data instanceof ArrayBuffer) {
-		ws.send(data);
-		return;
+function deriveDictionaryVersion(domains) {
+	const { intToRoute } = buildActionRouteDictionary(domains);
+	const signature = intToRoute.map((route) => `${route.domain}:${route.id}`).join(",");
+	let hash = 2166136261;
+	for (let i = 0; i < signature.length; i++) {
+		hash ^= signature.charCodeAt(i);
+		hash = Math.imul(hash, 16777619);
 	}
-	ws.send(new Uint8Array(data));
+	return `auto:${(hash >>> 0).toString(16).padStart(8, "0")}`;
 }
-/** Normalize any frame form to bytes (for the AES-GCM layer, which works on `Uint8Array`). */
-function toFrameBytes(frame) {
-	if (typeof frame === "string") return new TextEncoder().encode(frame);
-	if (frame instanceof ArrayBuffer) return new Uint8Array(frame);
-	return frame;
+/**
+* Bundle a secure channel's shared identity from its transported domains. Both ends MUST call this
+* with the same domains in the same order (the binary wire dictionary is positional). The
+* `dictionaryVersion` is derived from those domains unless you pin an explicit one.
+*
+* Declare the domains *by role* — `toAcceptor` (connector→acceptor requests) and `toConnector`
+* (acceptor→connector pushes) — so the routing for both ends is derived from the channel (see
+* {@link connectChannel} and `acceptChannelConnections`) instead of being restated at each end. The
+* wire dictionary spans `[...toAcceptor, ...toConnector]` in that order; add new domains to the end of
+* their list to keep older peers compatible. (`domains` is still accepted as a legacy alias for
+* `toAcceptor`.)
+*/
+function defineSecureChannel(options) {
+	const base = defineChannel({
+		toAcceptor: options.toAcceptor,
+		toConnector: options.toConnector
+	});
+	const allDomains = [...base.toAcceptorDomains, ...base.toConnectorDomains];
+	return {
+		...base,
+		dictionaryVersion: options.dictionaryVersion ?? deriveDictionaryVersion(allDomains),
+		createCodec: createBinaryWireSessionFactory(allDomains, options.sessionOptions)
+	};
 }
-/** Compact a WebSocket URL to `host/pathname` for devtools display, falling back to the raw url. */
-function shortWs(url) {
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeProtocol.ts
+function encodeExchange(envelope) {
+	return JSON.stringify(envelope);
+}
+function decodeExchangeRequest(raw) {
+	return parse(raw);
+}
+function decodeExchangeReply(raw) {
+	return parse(raw);
+}
+function parse(raw) {
 	try {
-		const u = new URL(url);
-		return `${u.host}${u.pathname}`;
+		return JSON.parse(raw);
 	} catch {
-		return url;
+		return;
 	}
 }
+function bytesToBase64(bytes) {
+	let binary = "";
+	for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+	return btoa(binary);
+}
+function base64ToBytes(base64) {
+	const binary = atob(base64);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/WebSocketConnection.ts
-const HANDSHAKE_TIMEOUT_MS = 15e3;
-var WebSocketConnection = class extends TransportConnection {
-	resolvers;
-	/** URL of the most recently resolved live socket — surfaced to devtools when the definition can't. */
-	_liveSocketUrl;
-	/** Sockets we closed on purpose (via `disconnect`), so their `close` event stays quiet. */
-	_intentionalCloses = /* @__PURE__ */ new WeakSet();
-	constructor(def, resolvers) {
-		super({
-			...def,
-			type: "ws"
-		});
-		this.resolvers = resolvers ?? createUnsetTransportResolvers("ws");
-	}
-	_getCacheKey(_input) {
-		return this.initialized.getTransportCacheKey?.(_input).join("\0") ?? "";
+//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.ts
+const textEncoder$1 = new TextEncoder();
+const textDecoder$1 = new TextDecoder();
+/**
+* Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
+* {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
+* acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
+* requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
+* POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
+* and returns the (encrypted) result inline as the reply.
+*
+* Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
+* Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
+* same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
+*/
+var ExchangeAcceptor = class {
+	_security;
+	_runtime;
+	_allowedLevels;
+	_noneAllowed;
+	_pendingHandshakes = /* @__PURE__ */ new Map();
+	_sessions = /* @__PURE__ */ new Map();
+	constructor(config) {
+		this._security = config.security;
+		this._runtime = config.runtime;
+		this._allowedLevels = Array.isArray(config.security.securityLevel) ? config.security.securityLevel : [config.security.securityLevel];
+		this._noneAllowed = this._allowedLevels.includes("none");
 	}
-	_processTransportStatus(input) {
-		const transportStatusInfo = addTransportStatusMetadata(this.initialized.getTransport(input));
-		if (transportStatusInfo.status !== "initializing" && transportStatusInfo.status !== "ready") return transportStatusInfo;
-		if (transportStatusInfo.status === "ready") {
-			const ws = transportStatusInfo.readyData.ws;
-			if (ws.readyState !== WebSocket.OPEN || this._isSecure(transportStatusInfo.readyData)) {
-				const readyData = transportStatusInfo.readyData;
-				const initialization = async () => {
-					await this._awaitOpen(ws);
-					return {
-						status: "ready",
-						readyData: await this._finalize(readyData)
-					};
-				};
+	/** Process one POST body (an exchange envelope), returning the reply body to send back. */
+	async handlePost(body) {
+		const request = decodeExchangeRequest(body);
+		if (request == null) return this._err("malformed exchange request");
+		if (request.k === "hs") return encodeExchange(await this._handleHandshake(request));
+		return encodeExchange(await this._handleAction(request));
+	}
+	async _handleHandshake(request) {
+		const message = decodeHandshakeMessage(request.m);
+		if (message == null) return {
+			k: "err",
+			message: "malformed handshake message"
+		};
+		const security = this._security;
+		await security.link.initialize();
+		let handshake = this._pendingHandshakes.get(request.hsid);
+		if (handshake == null) {
+			handshake = createServerHandshake({
+				link: security.link,
+				localCoordinate: security.localCoordinate,
+				dictionaryVersion: security.dictionaryVersion,
+				securityLevel: security.securityLevel,
+				verifyKeyResolver: security.verifyKeyResolver
+			});
+			this._pendingHandshakes.set(request.hsid, handshake);
+		}
+		if (message.t === "hello") return {
+			k: "hs",
+			m: encodeHandshakeMessage(await handshake.onHello(message))
+		};
+		if (message.t === "prove") {
+			const reply = await handshake.onProve(message);
+			this._pendingHandshakes.delete(request.hsid);
+			const result = handshake.getResult();
+			if (reply.t === "accept" && result != null) {
+				const token = nanoid();
+				this._sessions.set(token, {
+					client: new RuntimeCoordinate(result.remote),
+					securityLevel: result.securityLevel,
+					crypto: result.securityLevel === "encrypted" ? createActionFrameCrypto({
+						link: security.link,
+						linkedClientId: result.linkedClientId
+					}) : void 0
+				});
 				return {
-					status: "initializing",
-					timeStarted: Date.now(),
-					initializationPromise: initialization()
+					k: "hs",
+					m: encodeHandshakeMessage(reply),
+					t: token
 				};
 			}
+			return {
+				k: "hs",
+				m: encodeHandshakeMessage(reply)
+			};
 		}
-		if (transportStatusInfo.status === "initializing") return {
-			status: "initializing",
-			initializationPromise: transportStatusInfo.initializationPromise.then(async (result) => {
-				if (result.status === "ready") {
-					await this._awaitOpen(result.readyData.ws);
-					return {
-						status: "ready",
-						readyData: await this._finalize(result.readyData)
-					};
-				}
-				return result;
-			}),
-			timeStarted: transportStatusInfo.timeStarted
-		};
 		return {
-			status: "ready",
-			readyData: this._finalizeTransportMethods(transportStatusInfo.readyData)
-		};
-	}
-	getRouteInfo(input) {
-		const base = this.definition?.getRouteInfo(input);
-		if (base?.url != null || this._liveSocketUrl == null) return base;
-		return {
-			type: "ws",
-			...base,
-			url: this._liveSocketUrl,
-			summary: `ws ${shortWs(this._liveSocketUrl)}`
+			k: "err",
+			message: `unexpected handshake message ${message.t}`
 		};
 	}
-	_isSecure(wsData) {
-		return wsData.secureChannel != null && wsData.secureChannel.securityLevel !== "none";
-	}
-	_awaitOpen(ws) {
-		if (ws.readyState === WebSocket.OPEN) return Promise.resolve();
-		return new Promise((resolve, reject) => {
-			ws.addEventListener("open", () => resolve(), { once: true });
-			ws.addEventListener("error", (event) => reject(event), { once: true });
-			ws.addEventListener("close", (event) => reject(/* @__PURE__ */ new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
-		});
-	}
-	/** Non-secure connections finalize synchronously; secure ones run the handshake first. */
-	_finalize(wsData) {
-		return this._isSecure(wsData) ? this._finalizeSecureMethods(wsData) : this._finalizeTransportMethods(wsData);
-	}
-	_finalizeTransportMethods(wsData) {
-		const ws = wsData.ws;
-		const disconnectListeners = [];
-		const abortSet = /* @__PURE__ */ new Set();
-		this._captureSocketUrl(ws);
-		this._attachLifecycle(ws, disconnectListeners, abortSet);
-		ws.addEventListener("message", async (event) => {
-			const frame = await this._normalizeFrame(event.data);
-			if (frame !== void 0) await this._handleIncomingActionFrame(frame, wsData, void 0);
-		});
-		return this._buildSendMethods(ws, wsData, void 0, disconnectListeners, abortSet);
-	}
-	/**
-	* Secure path: a single message listener feeds the handshake until it completes, then routes action
-	* frames (decrypting for the `encrypted` level). Frames that arrive in the gap between accept and
-	* activation are buffered and flushed, so nothing is lost.
-	*/
-	async _finalizeSecureMethods(wsData) {
-		const ws = wsData.ws;
-		const disconnectListeners = [];
-		const abortSet = /* @__PURE__ */ new Set();
-		this._captureSocketUrl(ws);
-		this._attachLifecycle(ws, disconnectListeners, abortSet);
-		let active = false;
-		let crypto;
-		const handshakeQueue = [];
-		const handshakeWaiters = [];
-		const pendingActionFrames = [];
-		ws.addEventListener("message", async (event) => {
-			const frame = await this._normalizeFrame(event.data);
-			if (frame === void 0) return;
-			if (active) {
-				await this._handleIncomingActionFrame(frame, wsData, crypto);
-				return;
-			}
-			if (typeof frame === "string") {
-				const message = decodeHandshakeMessage(frame);
-				if (message != null) {
-					const waiter = handshakeWaiters.shift();
-					if (waiter != null) waiter(message);
-					else handshakeQueue.push(message);
-					return;
-				}
-			}
-			pendingActionFrames.push(frame);
-		});
-		const nextHandshakeMessage = () => {
-			const queued = handshakeQueue.shift();
-			if (queued != null) return Promise.resolve(queued);
-			return new Promise((resolve, reject) => {
-				const timeout = setTimeout(() => reject(/* @__PURE__ */ new Error("[ws-handshake] timed out waiting for server reply")), HANDSHAKE_TIMEOUT_MS);
-				handshakeWaiters.push((message) => {
-					clearTimeout(timeout);
-					resolve(message);
-				});
-			});
-		};
-		crypto = await this._runClientHandshake(ws, wsData.secureChannel, nextHandshakeMessage);
-		active = true;
-		for (const frame of pendingActionFrames) await this._handleIncomingActionFrame(frame, wsData, crypto);
-		pendingActionFrames.length = 0;
-		return this._buildSendMethods(ws, wsData, crypto, disconnectListeners, abortSet);
-	}
-	async _runClientHandshake(ws, secure, nextHandshakeMessage) {
-		await secure.link.initialize();
-		const handshake = createClientHandshake({
-			link: secure.link,
-			localCoordinate: secure.localCoordinate,
-			dictionaryVersion: secure.dictionaryVersion,
-			securityLevel: secure.securityLevel
-		});
-		sendFrame(ws, encodeHandshakeMessage(await handshake.createHello()));
-		const welcome = await nextHandshakeMessage();
-		if (welcome.t === "reject") throw new Error(`[ws-handshake] rejected by server: ${welcome.reason}`);
-		if (welcome.t !== "welcome") throw new Error(`[ws-handshake] expected welcome, got ${welcome.t}`);
-		sendFrame(ws, encodeHandshakeMessage(await handshake.onWelcome(welcome)));
-		const accept = await nextHandshakeMessage();
-		if (accept.t === "reject") throw new Error(`[ws-handshake] rejected by server: ${accept.reason}`);
-		if (accept.t !== "accept") throw new Error(`[ws-handshake] expected accept, got ${accept.t}`);
-		const result = await handshake.onAccept(accept);
-		return result.securityLevel === "encrypted" ? createActionFrameCrypto({
-			link: secure.link,
-			linkedClientId: result.linkedClientId
-		}) : void 0;
-	}
-	_buildSendMethods(ws, wsData, crypto, disconnectListeners, abortSet) {
-		let sendChain = Promise.resolve();
-		const enqueueSend = (frame) => {
-			if (ws.readyState !== WebSocket.OPEN) return;
-			if (crypto == null) {
-				sendFrame(ws, frame);
-				return;
-			}
-			const bytes = toFrameBytes(frame);
-			sendChain = sendChain.then(() => crypto.encryptFrame(bytes)).then((encrypted) => {
-				if (ws.readyState === WebSocket.OPEN) sendFrame(ws, encrypted);
-			}).catch((err) => console.error("[ws] failed to encrypt/send frame", err));
+	async _handleAction(request) {
+		let session;
+		let candidate;
+		if (request.t != null) {
+			session = this._sessions.get(request.t);
+			if (session == null) return {
+				k: "err",
+				message: "unknown or expired session token"
+			};
+			if ("c" in request) {
+				if (session.crypto == null) return {
+					k: "err",
+					message: "session is not encrypted"
+				};
+				const plain = await session.crypto.decryptFrame(base64ToBytes(request.c));
+				candidate = JSON.parse(textDecoder$1.decode(plain));
+			} else candidate = request.w;
+		} else {
+			if (!this._noneAllowed || "c" in request) return {
+				k: "err",
+				message: "missing session token"
+			};
+			candidate = request.w;
+		}
+		if (!isActionPayload_Any_JsonObject(candidate)) return {
+			k: "err",
+			message: "malformed action wire"
 		};
-		const sendActionData = (inputs) => {
-			const { action, runningAction, timeout } = inputs;
-			if (ws.readyState !== WebSocket.OPEN) {
-				if (action.type === "request") runningAction._abort(err_nice_transport_ws.fromId("ws_disconnected"));
-				return;
-			}
-			if (action.type === "request") {
-				abortSet.add(runningAction);
-				const timeoutId = setTimeout(() => {
-					runningAction._abort(err_nice_transport.fromId("timeout", { timeout }));
-				}, timeout);
-				runningAction.addUpdateListeners([(update) => {
-					if (update.type === "finished") {
-						clearTimeout(timeoutId);
-						abortSet.delete(runningAction);
-					}
-				}]);
-			}
-			enqueueSend(wsData.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
+		const wire = candidate;
+		if (session != null && wire.type === "request") wire.context.originClient = session.client.toJsonObject();
+		const resultWire = (await (await this._runtime.handleActionPayloadWire(wire)).waitForResultPayload()).toJsonObject();
+		if (session?.crypto != null) return {
+			k: "act",
+			c: bytesToBase64(await session.crypto.encryptFrame(textEncoder$1.encode(JSON.stringify(resultWire))))
 		};
 		return {
-			sendActionData,
-			updateRunConfig: wsData.updateRunConfig,
-			addOnDisconnectListener: (cb) => {
-				disconnectListeners.push(cb);
-			},
-			disconnect: () => {
-				this._intentionalCloses.add(ws);
-				try {
-					ws.close();
-				} catch {}
-			},
-			sendReturnData: (payload, clients) => {
-				enqueueSend((clients != null ? wsData.formatMessage?.outgoing({
-					action: payload,
-					...clients
-				}) : void 0) ?? JSON.stringify(payload.toJsonObject()));
-			}
+			k: "act",
+			w: resultWire
 		};
 	}
-	/** Decode (and, when encrypted, decrypt) one inbound action frame and hand it to the runtime. */
-	async _handleIncomingActionFrame(frame, wsData, crypto) {
-		let decoded = frame;
-		if (crypto != null) try {
-			decoded = await crypto.decryptFrame(frame);
-		} catch (err) {
-			console.error("[ws] failed to decrypt incoming frame", err);
-			return;
-		}
-		const rawJson = decodeActionFrame(decoded, wsData.formatMessage);
-		if (rawJson != null) this.resolvers.onIncomingActionDataJson(rawJson);
-	}
-	/** Accept text + binary frames (ArrayBuffer / Uint8Array / Blob); Blobs are converted to a buffer. */
-	async _normalizeFrame(data) {
-		if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) return data;
-		if (typeof Blob !== "undefined" && data instanceof Blob) return await data.arrayBuffer();
-	}
-	_captureSocketUrl(ws) {
-		if (ws.url != null && ws.url !== "") this._liveSocketUrl = ws.url;
-	}
-	_attachLifecycle(ws, disconnectListeners, abortSet) {
-		ws.addEventListener("close", (event) => {
-			if (!this._intentionalCloses.has(ws)) console.error("WebSocket closed:", event);
-			for (const cb of disconnectListeners) cb();
-			this._abortAll(abortSet, err_nice_transport_ws.fromId("ws_disconnected"));
+	_err(message) {
+		return encodeExchange({
+			k: "err",
+			message
 		});
-		ws.addEventListener("error", (event) => {
-			console.error("WebSocket error:", event);
-			for (const cb of disconnectListeners) cb();
-			this._abortAll(abortSet, err_nice_transport_ws.fromId("ws_error", { originalError: event instanceof Error ? event : void 0 }));
-		});
-	}
-	_abortAll(abortSet, error) {
-		const snapshot = [...abortSet];
-		for (const ra of snapshot) ra._abort(error);
 	}
 };
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/WebSocketTransport.ts
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.ts
+/** Permissive defaults — fine for a public action endpoint; override (or disable) via `cors`. */
+const DEFAULT_CORS_HEADERS = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400"
+};
 /**
-* Reusable WebSocket transport definition. Create one with `WebSocketTransport.create({ createWebSocket })`
-* for the common case, or `WebSocketTransport.createAdvanced({ getTransport })` for full control over
-* readiness. The underlying socket is cached (via `getTransportCacheKey`) and reused across actions.
+* Build the `fetch` handler a server/Durable-Object exposes for action traffic, folding in the
+* boilerplate every endpoint repeats: CORS (incl. the `OPTIONS` preflight), routing the `/action`
+* `POST` body through the runtime (`handleActionPayloadWire` → `waitForResultPayload` →
+* `toHttpResponse`), an optional WebSocket-upgrade hook, and a `404` fallback.
+*
+* It only touches web-standard `Request`/`Response`, so it stays transport-agnostic — the one
+* environment-specific bit (the WS upgrade) is injected via {@link IActionFetchHandlerOptions.onWebSocketUpgrade}:
+* ```ts
+* this.fetchHandler = createActionFetchHandler(this.runtime, {
+*   onWebSocketUpgrade: () => {
+*     const pair = new WebSocketPair();
+*     this.ctx.acceptWebSocket(pair[1]);
+*     return new Response(null, { status: 101, webSocket: pair[0] });
+*   },
+* });
+* // async fetch(request) { return this.fetchHandler(request); }
+* ```
 */
-var WebSocketTransport = class WebSocketTransport extends Transport {
-	options;
-	type = "ws";
-	constructor(options) {
-		super();
-		this.options = options;
-	}
-	static create(options) {
-		return new WebSocketTransport({
-			...options,
-			mode: "socket"
-		});
-	}
-	static createAdvanced(options) {
-		return new WebSocketTransport({
-			...options,
-			mode: "advanced"
+function createActionFetchHandler(runtime, options = {}) {
+	const corsHeaders = options.cors === false ? {} : options.cors ?? DEFAULT_CORS_HEADERS;
+	const isActionPath = options.isActionPath ?? ((url) => url.pathname.endsWith("/action"));
+	const isWebSocketPath = options.isWebSocketPath ?? ((url) => url.pathname.endsWith("/ws"));
+	const exchangeAcceptor = options.security != null ? new ExchangeAcceptor({
+		runtime,
+		security: options.security
+	}) : void 0;
+	const withCors = (response) => {
+		if (options.cors === false) return response;
+		const headers = new Headers(response.headers);
+		for (const [key, value] of Object.entries(corsHeaders)) headers.set(key, value);
+		return new Response(response.body, {
+			status: response.status,
+			headers
 		});
-	}
-	_createConnection(ctx) {
-		const options = this.options;
-		let getTransport;
-		if (options.mode === "advanced") getTransport = options.getTransport;
-		else getTransport = (input) => ({
-			status: "ready",
-			readyData: {
-				ws: options.createWebSocket(input),
-				formatMessage: options.createFormatMessage?.() ?? options.formatMessage,
-				updateRunConfig: options.updateRunConfig,
-				secureChannel: options.security
+	};
+	return async (request) => {
+		if (request.method === "OPTIONS") return withCors(new Response(null, { status: 204 }));
+		const url = new URL(request.url);
+		const isWebSocketUpgrade = options.isWebSocketUpgrade ?? ((req, u) => req.headers.get("Upgrade") === "websocket" && isWebSocketPath(u));
+		if (options.onWebSocketUpgrade != null && isWebSocketUpgrade(request, url)) return options.onWebSocketUpgrade(request, url);
+		if (request.method === "POST" && isActionPath(url)) {
+			if (exchangeAcceptor != null) {
+				const reply = await exchangeAcceptor.handlePost(await request.text());
+				return withCors(new Response(reply, {
+					status: 200,
+					headers: { "Content-Type": "application/json" }
+				}));
 			}
-		});
-		return new WebSocketConnection({ initialize: () => ({
-			getTransportCacheKey: options.getTransportCacheKey,
-			getTransport
-		}) }, ctx.resolvers);
-	}
-	getRouteInfo(input) {
-		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
-		return {
-			type: "ws",
-			summary: "ws"
-		};
-	}
-};
+			return withCors((await (await runtime.handleActionPayloadWire(await request.json())).waitForResultPayload()).toHttpResponse({ useErrorStatus: options.useErrorStatus }));
+		}
+		return withCors(new Response("Not found", { status: 404 }));
+	};
+}
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/secureWsChannel.ts
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/createHibernatableWsServerAdapter.ts
 /**
-* Derive a stable wire-dictionary version from the ordered route list (FNV-1a over `domain:id,…`), so
-* the version moves automatically whenever the transported domains change — a stale peer is then
-* rejected by the handshake instead of silently misrouting a positionally-packed frame.
+* Wire the hibernation lifecycle for an acceptor handler on a transport whose connections outlive process
+* eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
+* registers `setAttachment` as the handler's connection-bound callback and immediately replays every
+* live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
+*
+* Layered on top of the generic {@link AcceptorHandler} — it touches only the handler's neutral
+* `setOnConnectionBound` / `rehydrateConnection` / `receive` / `dropConnection` surface, so no
+* hibernation concern leaks into the handler itself.
+*
+* Construct it once when the handler is built, then forward connection events:
+* ```ts
+* const duplex = createHibernatableWsServerAdapter({ handler, getConnections, getAttachment, setAttachment });
+* // webSocketMessage(ws, msg) => duplex.receive(ws, msg);
+* // webSocketClose/Error(ws)  => duplex.drop(ws);
+* ```
 */
-function deriveDictionaryVersion(domains) {
-	const { intToRoute } = buildActionRouteDictionary(domains);
-	const signature = intToRoute.map((route) => `${route.domain}:${route.id}`).join(",");
-	let hash = 2166136261;
-	for (let i = 0; i < signature.length; i++) {
-		hash ^= signature.charCodeAt(i);
-		hash = Math.imul(hash, 16777619);
+function createHibernatableWsServerAdapter(options) {
+	const { handler, getConnections, getAttachment, setAttachment } = options;
+	handler.setOnConnectionBound(setAttachment);
+	for (const connection of getConnections()) {
+		const binding = getAttachment(connection);
+		if (binding != null) handler.rehydrateConnection(connection, binding);
 	}
-	return `auto:${(hash >>> 0).toString(16).padStart(8, "0")}`;
-}
-/**
-* Bundle a secure channel's shared identity from its transported domains. Both ends MUST call this
-* with the same domains in the same order (the binary wire dictionary is positional). The
-* `dictionaryVersion` is derived from those domains unless you pin an explicit one.
-*/
-function defineSecureWsChannel(options) {
 	return {
-		dictionaryVersion: options.dictionaryVersion ?? deriveDictionaryVersion(options.domains),
-		createCodec: createBinaryWsSessionFactory(options.domains, options.sessionOptions)
+		receive: (connection, frame) => handler.receive(connection, frame),
+		drop: (connection) => handler.dropConnection(connection)
 	};
 }
+//#endregion
+//#region src/ActionRuntime/Channel/serveChannel.ts
+/** Default accepted set, shared by every carrier: negotiate per connection to whatever the client picks. */
+const DEFAULT_SERVER_SECURITY_LEVELS = [
+	"none",
+	"authenticated",
+	"encrypted"
+];
 /**
-* Build a {@link WebSocketTransport} for the secure binary channel with the boilerplate folded in: it
-* creates the {@link ClientCryptoKeyLink} from `storageAdapter`, opens an `arraybuffer` socket to
-* `url`, caches it per endpoint, installs the channel's per-connection codec, and assembles the
-* `security` block from the runtime coordinate + channel version. Pass `createWebSocket` /
-* `getTransportCacheKey` to take over those bits when you need to.
+* Serve a secure channel over one or more carriers from a single call — the accept-in dual of
+* `connectChannel`. It builds the crypto identity (a {@link ClientCryptoKeyLink} + a storage-backed TOFU
+* resolver) and the security block (coordinate, dictionary version, accepted levels) *once* from
+* `(runtime, channel)` and fans them across every carrier, so the WebSocket and the secure-HTTP endpoint
+* can never drift apart. It registers your handlers (plus the duplex acceptor it builds) on the runtime,
+* wires hibernation when the duplex carrier declares it, and returns a single {@link IChannelServer} whose
+* `fetch` / `duplex` / `pushToClient` you forward straight to the host:
+* ```ts
+* const server = serveChannel(runtime, channel, {
+*   clientEnv, storage,
+*   carriers: [wsAcceptorCarrier({ send, upgrade, hibernation }), httpAcceptorCarrier()],
+*   handlers: [localHandler],
+* });
+* // fetch(req) => server.fetch(req)
+* // webSocketMessage(conn, m) => server.duplex?.receive(conn, m)
+* // webSocketClose/Error(conn) => server.duplex?.drop(conn)
+* ```
+*
+* `TConn` (the live-connection token a duplex carrier hands back through `send`/`receive`/`drop`) is
+* inferred from the carriers — `WebSocket` for `wsAcceptorCarrier`, the data-channel type for a WebRTC
+* carrier, and so on — so it stays carrier-agnostic.
 */
-function createSecureWebSocketTransport(options) {
-	const link = new ClientCryptoKeyLink({ storageAdapter: options.storageAdapter });
-	return WebSocketTransport.create({
-		createWebSocket: options.createWebSocket ?? (() => {
-			const ws = new WebSocket(options.url);
-			ws.binaryType = "arraybuffer";
-			return ws;
-		}),
-		getTransportCacheKey: options.getTransportCacheKey ?? (() => [options.url]),
-		createFormatMessage: options.channel.createCodec,
-		updateRunConfig: options.updateRunConfig,
-		getRouteInfo: options.getRouteInfo,
-		security: {
-			securityLevel: options.securityLevel,
-			link,
-			localCoordinate: options.runtime.coordinate.toJsonObject(),
-			dictionaryVersion: options.channel.dictionaryVersion
-		}
+function serveChannel(runtime, channel, options) {
+	const duplexCarriers = options.carriers.filter((carrier) => !isExchangeAcceptorCarrier(carrier));
+	const exchangeCarriers = options.carriers.filter(isExchangeAcceptorCarrier);
+	if (exchangeCarriers.length > 1) throw new Error("serveChannel: at most one exchange carrier is supported");
+	const exchangeCarrier = exchangeCarriers[0];
+	const exchangeSecure = exchangeCarrier != null && (exchangeCarrier.secure ?? true);
+	const anyDuplexSecure = duplexCarriers.some((carrier) => carrier.secure ?? true);
+	const securityLevel = options.securityLevel ?? DEFAULT_SERVER_SECURITY_LEVELS;
+	let secure;
+	if (anyDuplexSecure || exchangeSecure) {
+		const storage = options.storage;
+		if (storage == null) throw new Error("serveChannel: a secure carrier requires `storage`. Pass it, or set `secure: false` on the carrier for a plain endpoint.");
+		secure = {
+			storage,
+			link: options.link ?? new ClientCryptoKeyLink({ storageAdapter: storage }),
+			verifyKeyResolver: options.verifyKeyResolver ?? createStorageTofuVerifyKeyResolver(storage)
+		};
+	}
+	const handlers = [];
+	for (const carrier of duplexCarriers) {
+		const handler = (carrier.secure ?? true) && secure != null ? acceptChannel(runtime, channel, {
+			clientEnv: options.clientEnv,
+			storageAdapter: secure.storage,
+			link: secure.link,
+			verifyKeyResolver: secure.verifyKeyResolver,
+			securityLevel,
+			send: carrier.send,
+			defaultTimeout: options.defaultTimeout
+		}) : createAcceptorHandler({
+			clientEnv: options.clientEnv,
+			createFormatMessage: channel.createCodec,
+			send: carrier.send,
+			runtime,
+			defaultTimeout: options.defaultTimeout
+		});
+		const router = carrier.hibernation != null ? createHibernatableWsServerAdapter({
+			handler,
+			...carrier.hibernation
+		}) : {
+			receive: (connection, frame) => handler.receive(connection, frame),
+			drop: (connection) => handler.dropConnection(connection)
+		};
+		carrier._activate(router);
+		handlers.push(handler);
+	}
+	runtime.addHandlers([...options.handlers ?? [], ...handlers]);
+	const exchangeSecurity = exchangeSecure && secure != null ? {
+		link: secure.link,
+		verifyKeyResolver: secure.verifyKeyResolver,
+		localCoordinate: runtime.coordinate.toJsonObject(),
+		dictionaryVersion: channel.dictionaryVersion,
+		securityLevel
+	} : void 0;
+	const defaultIsUpgrade = (request) => request.headers.get("Upgrade") === "websocket";
+	const upgraders = [];
+	for (const carrier of duplexCarriers) {
+		if (carrier.upgrade == null) continue;
+		upgraders.push({
+			isUpgrade: carrier.isUpgrade ?? defaultIsUpgrade,
+			upgrade: carrier.upgrade
+		});
+	}
+	const fetch = createActionFetchHandler(runtime, {
+		cors: exchangeCarrier?.cors,
+		onWebSocketUpgrade: upgraders.length === 0 ? void 0 : (request, url) => (upgraders.find((u) => u.isUpgrade(request, url)) ?? upgraders[0]).upgrade(request, url),
+		isWebSocketUpgrade: upgraders.length === 0 ? void 0 : (request, url) => upgraders.some((u) => u.isUpgrade(request, url)),
+		isActionPath: exchangeCarrier != null ? exchangeCarrier.isActionPath ?? (() => true) : () => false,
+		security: exchangeSecurity,
+		useErrorStatus: exchangeCarrier?.useErrorStatus
 	});
+	const duplex = duplexCarriers.length === 1 ? duplexCarriers[0] : void 0;
+	const pushToClient = (target, request, pushOptions) => {
+		const owner = target instanceof RuntimeCoordinate ? handlers.find((handler) => handler.ownsLiveConnectionFor(target)) : handlers.find((handler) => handler.hasConnection(target));
+		if (owner == null) throw new Error("serveChannel: no duplex carrier holds a connection for the push target");
+		return owner.pushToClient(runtime, target, request, pushOptions);
+	};
+	return {
+		handlers,
+		fetch,
+		duplex,
+		pushToClient
+	};
 }
 //#endregion
-//#region src/ActionRuntime/Handler/Server/WsConnectionStateStore.ts
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/ConnectionStateStore.ts
 /**
-* A typed per-connection state store that co-owns the app state and the server handler's routing
+* A typed per-connection state store that co-owns the app state and the acceptor handler's routing
 * binding in one attachment, so neither the consumer nor the handler has to hand-merge the two. Create
-* it through {@link ActionServerHandler.createConnectionState} (which also wires binding persistence and
-* replays surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
+* it through {@link createConnectionStateStore} (which also wires binding persistence and replays
+* surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
+*
+* The mechanism is carrier-neutral — it only needs read/write/enumerate callbacks for the connection's
+* attachment — but it pays off on transports whose connections outlive process eviction (e.g. a
+* Durable Object's hibernatable WebSockets), which is why it lives beside the hibernation adapter.
 *
 * ```ts
-* const players = serverHandler.createConnectionState({
+* const players = createConnectionStateStore(serverHandler, {
 *   schema: vs_player,
 *   read: (ws) => ws.deserializeAttachment(),
 *   write: (ws, v) => ws.serializeAttachment(v),
@@ -3382,7 +3698,7 @@ function createSecureWebSocketTransport(options) {
 * const player = players.get(ws);
 * ```
 */
-var WsConnectionStateStore = class {
+var ConnectionStateStore = class {
 	options;
 	constructor(options) {
 		this.options = options;
@@ -3445,523 +3761,1104 @@ var WsConnectionStateStore = class {
 		return result.value;
 	}
 };
-//#endregion
-//#region src/ActionRuntime/Handler/Server/ActionServerHandler.ts
 /**
-* Server-side handler for backends that accept many client connections over a single open channel
-* (WebSockets, Durable Objects, …). It is transport-agnostic: you feed it inbound frames with
-* {@link receive} and tell it how to write outbound frames via the `send` option.
-*
-* Add it alongside your local execution handler:
-* ```ts
-* const serverHandler = createServerHandler({ clientEnv, formatMessage, send: (ws, f) => ws.send(f) });
-* runtime.addHandlers([localHandler, serverHandler]);
-* // per inbound message (e.g. a Durable Object's webSocketMessage):
-* serverHandler.receive(ws, message);
-* ```
-*
-* Inbound requests route to your local handler; the runtime's return dispatch then calls this
-* handler back (it is an external handler keyed to `clientEnv`) to send the result to the originating
-* connection. The handler keeps a per-connection identity registry so each result lands on the right
-* socket, and remembers each connection's encoding so binary and JSON clients can share the channel.
+* Build a per-connection {@link ConnectionStateStore} bound to an {@link AcceptorHandler}: it registers
+* itself as the handler's connection-bound persistence callback (so bindings are written without
+* overwriting app state) and immediately replays every live connection's stored binding via
+* {@link AcceptorHandler.rehydrateConnection} — so on a transport that resumes after eviction (e.g. a
+* Durable Object waking from hibernation) both the app identity and the action routing come back from a
+* single attachment, with no storage reads and no hand-rolled merge.
 *
-* It registers an empty action router, so it is never chosen to *execute* an inbound request — only
-* to ferry results/pushes back out.
+* Lives outside the handler so the generic {@link AcceptorHandler} stays free of any attachment/
+* hibernation concern — it exposes only the neutral `setOnConnectionBound` + `rehydrateConnection`
+* hooks this builder drives.
 */
-var ActionServerHandler = class extends ActionExternalClientHandler {
-	_formatMessage;
-	_createFormatMessage;
-	_send;
-	_runtime;
-	_serverTimeout;
-	_onConnectionBound;
-	/** Incoming-data listeners installed by the runtime (`resolveIncomingActionPayload`). */
-	_incomingListeners = [];
-	_security;
-	/** Normalized accepted levels; whether `none` (plain) is allowed; whether any level needs a handshake. */
-	_allowedLevels;
-	_noneAllowed;
-	_handshakeMode;
-	_connByClient = /* @__PURE__ */ new Map();
-	_clientByConn = /* @__PURE__ */ new Map();
-	_connEncoding = /* @__PURE__ */ new Map();
-	_codecByConn = /* @__PURE__ */ new Map();
-	_handshakeByConn = /* @__PURE__ */ new Map();
-	_cryptoByConn = /* @__PURE__ */ new Map();
-	_authedConns = /* @__PURE__ */ new Set();
-	_plainConns = /* @__PURE__ */ new Set();
-	_inboundChainByConn = /* @__PURE__ */ new Map();
-	_outboundChainByConn = /* @__PURE__ */ new Map();
-	constructor(options) {
-		super({
-			runtimeCoordinate: options.clientEnv,
-			transports: []
-		});
-		this._formatMessage = options.formatMessage;
-		this._createFormatMessage = options.createFormatMessage;
-		this._send = options.send;
-		this._runtime = options.runtime;
-		this._serverTimeout = options.defaultTimeout ?? 1e4;
-		this._onConnectionBound = options.onConnectionBound;
-		this._security = options.security;
-		this._allowedLevels = options.security == null ? [] : Array.isArray(options.security.securityLevel) ? options.security.securityLevel : [options.security.securityLevel];
-		this._noneAllowed = this._allowedLevels.includes("none");
-		this._handshakeMode = this._allowedLevels.some((level) => level !== "none");
+function createConnectionStateStore(handler, options) {
+	const store = new ConnectionStateStore(options);
+	handler.setOnConnectionBound((connection, binding) => store._persistBinding(connection, binding));
+	for (const connection of options.getConnections()) {
+		const binding = store._readBinding(connection);
+		if (binding != null) handler.rehydrateConnection(connection, binding);
 	}
-	/**
-	* The codec for a connection: a per-connection session (cached) when a factory was provided, else
-	* the single shared `formatMessage`.
-	*/
-	_codecFor(connection) {
-		if (this._createFormatMessage != null) {
-			let codec = this._codecByConn.get(connection);
-			if (codec == null) {
-				codec = this._createFormatMessage();
-				this._codecByConn.set(connection, codec);
+	return store;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/createInMemoryChannel.ts
+/**
+* Two cross-wired in-process byte channels — a loopback carrier with no socket. The client end is a
+* {@link IDuplexCarrier} you hand to a {@link LinkTransport}; the server end plugs into an
+* `AcceptorHandler` (`send: (_, f) => serverEndpoint.send(f)`, and `serverEndpoint.onMessage(f =>
+* handler.receive(conn, f))`). Frames are delivered on a microtask, so each side observes the other
+* asynchronously — exactly like a real transport — which makes this ideal for tests and for running
+* two runtimes in one process (or proving a non-WS carrier end to end).
+*/
+function createInMemoryChannelPair() {
+	let clientMessage;
+	let clientClose;
+	let serverMessage;
+	let serverClose;
+	let open = true;
+	const closeBoth = () => {
+		if (!open) return;
+		open = false;
+		queueMicrotask(() => {
+			clientClose?.();
+			serverClose?.();
+		});
+	};
+	return {
+		clientChannel: {
+			ready: Promise.resolve(),
+			isOpen: () => open,
+			send: (frame) => {
+				if (!open) return;
+				queueMicrotask(() => serverMessage?.(frame));
+			},
+			attach: ({ onMessage, onClose }) => {
+				clientMessage = onMessage;
+				clientClose = onClose;
+			},
+			close: closeBoth,
+			label: "in-memory"
+		},
+		serverEndpoint: {
+			send: (frame) => {
+				if (!open) return;
+				queueMicrotask(() => clientMessage?.(frame));
+			},
+			onMessage: (handler) => {
+				serverMessage = handler;
+			},
+			onClose: (handler) => {
+				serverClose = handler;
+			},
+			close: closeBoth
+		}
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/inMemoryCarrier.ts
+/**
+* A loopback duplex carrier with no socket — two cross-wired in-process ends. The connector end is an
+* {@link IDuplexCarrierSource} for {@link secureTransport}; the acceptor end plugs into an
+* `AcceptorHandler`. Ideal for tests and for running two runtimes in one process, or proving a
+* non-WS carrier end to end.
+*/
+function inMemoryCarrier() {
+	const { clientChannel, serverEndpoint } = createInMemoryChannelPair();
+	return {
+		carrier: {
+			carrierLabel: "memory",
+			open: () => clientChannel,
+			getCacheKey: () => ["memory"]
+		},
+		serverEndpoint
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/rtc/rtcDataChannelByteChannel.ts
+/**
+* Adapt a WebRTC `RTCDataChannel` to the carrier-agnostic {@link IDuplexCarrier}, so two browsers
+* (or two mobile apps) linked peer-to-peer — no server in the middle — run the *same* secure session as
+* a WebSocket. Hand it to `createSecureLinkTransport({ openChannel: () => rtcDataChannelByteChannel(dc) })`.
+*
+* The data channel must already be created (its negotiation/signaling is the app's concern); this only
+* drives bytes over it. Binary frames are requested as `ArrayBuffer` so the binary session codec unpacks
+* them synchronously; a `Blob` (if the channel hands one back) is normalized to a buffer.
+*/
+function rtcDataChannelByteChannel(dc) {
+	dc.binaryType = "arraybuffer";
+	let intentional = false;
+	let onMessage;
+	let onClose;
+	const preAttach = [];
+	const deliver = (frame) => {
+		if (onMessage != null) onMessage(frame);
+		else preAttach.push(frame);
+	};
+	dc.addEventListener("message", async (event) => {
+		const frame = await normalizeFrame$1(event.data);
+		if (frame !== void 0) deliver(frame);
+	});
+	dc.addEventListener("close", () => {
+		if (!intentional) console.error("RTCDataChannel closed");
+		onClose?.();
+	});
+	dc.addEventListener("error", (event) => {
+		console.error("RTCDataChannel error:", event);
+		onClose?.();
+	});
+	return {
+		ready: new Promise((resolve, reject) => {
+			if (dc.readyState === "open") {
+				resolve();
+				return;
 			}
-			return codec;
+			dc.addEventListener("open", () => resolve(), { once: true });
+			dc.addEventListener("error", (event) => reject(event), { once: true });
+			dc.addEventListener("close", () => reject(/* @__PURE__ */ new Error("RTCDataChannel closed before open")), { once: true });
+		}),
+		isOpen: () => dc.readyState === "open",
+		send: (frame) => {
+			if (typeof frame === "string" || frame instanceof ArrayBuffer) dc.send(frame);
+			else dc.send(new Uint8Array(frame));
+		},
+		attach: (handlers) => {
+			onMessage = handlers.onMessage;
+			onClose = handlers.onClose;
+			for (const frame of preAttach) handlers.onMessage(frame);
+			preAttach.length = 0;
+		},
+		close: () => {
+			intentional = true;
+			try {
+				dc.close();
+			} catch {}
+		},
+		get label() {
+			return dc.label != null && dc.label !== "" ? dc.label : void 0;
 		}
-		if (this._formatMessage != null) return this._formatMessage;
-		throw err_nice_transport.fromId("not_found", { actionId: "server-handler-codec (provide formatMessage or createFormatMessage)" });
-	}
-	_setIncomingActionDataListener(listener) {
-		this._incomingListeners.push(listener);
+	};
+}
+async function normalizeFrame$1(data) {
+	if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) return data;
+	if (typeof Blob !== "undefined" && data instanceof Blob) return await data.arrayBuffer();
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/rtc/rtcCarrier.ts
+/**
+* A WebRTC {@link IDuplexCarrierSource} over an already-negotiated `RTCDataChannel` (signaling is the
+* app's concern). Hand it to {@link secureTransport} so two browsers/apps linked peer-to-peer run the
+* identical secure session as a WebSocket.
+*/
+function rtcCarrier(dataChannel, options = {}) {
+	return {
+		carrierLabel: "webrtc",
+		open: () => rtcDataChannelByteChannel(dataChannel),
+		getCacheKey: options.getTransportCacheKey ?? (() => ["webrtc"]),
+		getRouteInfo: options.getRouteInfo
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/err_nice_transport_ws.ts
+let EErrId_NiceTransport_WebSocket = /* @__PURE__ */ function(EErrId_NiceTransport_WebSocket) {
+	EErrId_NiceTransport_WebSocket["ws_disconnected"] = "ws_disconnected";
+	EErrId_NiceTransport_WebSocket["ws_create_failed"] = "ws_create_failed";
+	EErrId_NiceTransport_WebSocket["ws_error"] = "ws_error";
+	return EErrId_NiceTransport_WebSocket;
+}({});
+const err_nice_transport_ws = err_nice_transport.createChildDomain({
+	domain: "ws_transport",
+	schema: {
+		["ws_disconnected"]: err({ message: () => `WebSocket transport disconnected.` }),
+		["ws_create_failed"]: err({ message: ({ originalError }) => `Failed to create WebSocket transport.${originalError ? ` Original error: ${originalError.message}` : ""}` }),
+		["ws_error"]: err({ message: ({ originalError }) => `WebSocket transport error.${originalError ? ` Original error: ${originalError.message}` : ""}` })
 	}
-	/**
-	* Register (or replace) the connection-bound persistence callback after construction. Used by
-	* lifecycle helpers like {@link createHibernatableWsServerAdapter} so persistence and replay are
-	* owned by one place instead of being split across the constructor options.
-	*/
-	setOnConnectionBound(onConnectionBound) {
-		this._onConnectionBound = onConnectionBound;
+});
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/ws_util.ts
+/**
+* Send a text or binary frame over a socket. A binary formatter may hand back a `Uint8Array` whose
+* backing buffer is typed as `ArrayBufferLike` (msgpackr pools buffers / may be `SharedArrayBuffer`),
+* which `WebSocket.send`'s `BufferSource` parameter rejects — copy it into a fresh `ArrayBuffer`-backed
+* view so the type (and the bytes) are safe to send.
+*/
+function sendFrame(ws, data) {
+	if (typeof data === "string" || data instanceof ArrayBuffer) {
+		ws.send(data);
+		return;
 	}
-	/**
-	* Create a typed per-connection state store that co-owns the consumer's app state and this handler's
-	* routing binding in one attachment. It registers itself as the connection-bound persistence callback
-	* (so bindings are written without overwriting app state) and immediately replays every live
-	* connection's stored binding via {@link rehydrateConnection} — so on a transport that resumes after
-	* eviction (e.g. a Durable Object waking from hibernation) both the app identity and the action
-	* routing come back from a single attachment, with no storage reads and no hand-rolled merge.
-	*
-	* This supersedes {@link createHibernatableWsServerAdapter} for app code that also pins its own state
-	* to the connection. Construct it once when the handler is built, then `get`/`set` app state directly.
-	*/
-	createConnectionState(options) {
-		const store = new WsConnectionStateStore(options);
-		this.setOnConnectionBound((connection, binding) => store._persistBinding(connection, binding));
-		for (const connection of options.getConnections()) {
-			const binding = store._readBinding(connection);
-			if (binding != null) this.rehydrateConnection(connection, binding);
-		}
-		return store;
+	ws.send(new Uint8Array(data));
+}
+/** Compact a WebSocket URL to `host/pathname` for devtools display, falling back to the raw url. */
+function shortWs(url) {
+	try {
+		const u = new URL(url);
+		return `${u.host}${u.pathname}`;
+	} catch {
+		return url;
 	}
-	/**
-	* Feed one inbound frame from a connection into the runtime. Decodes text or binary, binds the
-	* connection to the requesting client's identity, then routes it (requests execute locally;
-	* results/progress resolve pending server-initiated actions).
-	*/
-	receive(connection, frame) {
-		if (this._security == null || !this._handshakeMode) {
-			this._receivePlain(connection, frame);
-			return;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/webSocketByteChannel.ts
+/**
+* Adapt a `WebSocket` to the carrier-agnostic {@link IDuplexCarrier}, so the WebSocket becomes
+* "just another carrier" under the shared secure session. It owns every WebSocket-specific concern —
+* awaiting `open`, normalizing `Blob` frames to bytes, suppressing the log on a deliberate `close`, and
+* buffering any frame that arrives before the session attaches its handler — leaving the session itself
+* carrier-neutral.
+*/
+function webSocketByteChannel(ws) {
+	let intentional = false;
+	let onMessage;
+	let onClose;
+	const preAttach = [];
+	const deliver = (frame) => {
+		if (onMessage != null) onMessage(frame);
+		else preAttach.push(frame);
+	};
+	ws.addEventListener("message", async (event) => {
+		const frame = await normalizeFrame(event.data);
+		if (frame !== void 0) deliver(frame);
+	});
+	ws.addEventListener("close", (event) => {
+		if (!intentional) console.error("WebSocket closed:", event);
+		onClose?.();
+	});
+	ws.addEventListener("error", (event) => {
+		console.error("WebSocket error:", event);
+		onClose?.();
+	});
+	return {
+		ready: new Promise((resolve, reject) => {
+			if (ws.readyState === WebSocket.OPEN) {
+				resolve();
+				return;
+			}
+			ws.addEventListener("open", () => resolve(), { once: true });
+			ws.addEventListener("error", (event) => reject(event), { once: true });
+			ws.addEventListener("close", (event) => reject(/* @__PURE__ */ new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
+		}),
+		isOpen: () => ws.readyState === WebSocket.OPEN,
+		send: (frame) => sendFrame(ws, frame),
+		attach: (handlers) => {
+			onMessage = handlers.onMessage;
+			onClose = handlers.onClose;
+			for (const frame of preAttach) handlers.onMessage(frame);
+			preAttach.length = 0;
+		},
+		close: () => {
+			intentional = true;
+			try {
+				ws.close();
+			} catch {}
+		},
+		get label() {
+			return ws.url != null && ws.url !== "" ? ws.url : void 0;
 		}
-		const next = (this._inboundChainByConn.get(connection) ?? Promise.resolve()).then(() => this._receiveSecure(connection, frame)).catch((err) => console.error("[ws-server] failed to process inbound frame", err));
-		this._inboundChainByConn.set(connection, next);
-	}
-	_receivePlain(connection, frame) {
-		const wire = decodeActionFrame(frame, this._codecFor(connection));
-		if (wire == null) return;
-		const encoding = typeof frame === "string" ? "json" : "binary";
-		this._connEncoding.set(connection, encoding);
-		if (wire.type === "request") this._resolveRequestIdentity(connection, wire, encoding);
-		for (const listener of this._incomingListeners) listener(wire);
+	};
+}
+/** Accept text + binary frames (ArrayBuffer / Uint8Array / Blob); Blobs are converted to a buffer. */
+async function normalizeFrame(data) {
+	if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) return data;
+	if (typeof Blob !== "undefined" && data instanceof Blob) return await data.arrayBuffer();
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/wsCarrier.ts
+/**
+* A WebSocket {@link IDuplexCarrierSource}: opens an `arraybuffer` socket to `url` (cached per endpoint)
+* and adapts it to a carrier. Hand it to {@link secureTransport} (or `LinkTransport`) — the WebSocket is
+* now "just another carrier" under the shared secure session, with no WS-specific transport class.
+*/
+function wsCarrier(url, options = {}) {
+	return {
+		carrierLabel: "ws",
+		open: (input) => webSocketByteChannel(options.createWebSocket?.(input) ?? defaultWebSocket(url)),
+		getCacheKey: options.getTransportCacheKey ?? (() => [url]),
+		getRouteInfo: options.getRouteInfo ?? (() => ({
+			carrierLabel: "ws",
+			url,
+			summary: `ws ${shortWs(url)}`
+		}))
+	};
+}
+function defaultWebSocket(url) {
+	const ws = new WebSocket(url);
+	ws.binaryType = "arraybuffer";
+	return ws;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpAcceptorCarrier.ts
+/**
+* An HTTP {@link IExchangeAcceptorCarrier}: the accept-in dual of {@link httpCarrier}. It serves the
+* secure exchange protocol (handshake → token session → encrypted frames) over web-standard
+* `Request`/`Response`. The crypto identity, runtime coordinate, dictionary version, and accepted security
+* levels are all supplied centrally by `serveChannel`, so this only needs to say which requests carry an
+* action envelope and how to answer CORS.
+*/
+function httpAcceptorCarrier(options = {}) {
+	return {
+		shape: "exchange",
+		carrierLabel: options.carrierLabel ?? "http",
+		secure: options.secure,
+		isActionPath: options.isActionPath,
+		cors: options.cors,
+		useErrorStatus: options.useErrorStatus
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpCarrier.ts
+function shortPath(url) {
+	try {
+		return new URL(url).pathname || url;
+	} catch {
+		return url;
 	}
-	async _receiveSecure(connection, frame) {
-		const security = this._security;
-		if (security == null) return;
-		if (this._plainConns.has(connection)) {
-			this._receivePlain(connection, frame);
-			return;
-		}
-		if (!this._authedConns.has(connection)) {
-			const message = typeof frame === "string" ? decodeHandshakeMessage(frame) : void 0;
-			if (message == null) {
-				if (this._noneAllowed) {
-					this._plainConns.add(connection);
-					this._receivePlain(connection, frame);
+}
+/**
+* An HTTP {@link IExchangeCarrierSource}: each `exchange` POSTs one frame body to the action endpoint and
+* resolves with the response body as the single correlated reply. Hand it to {@link secureTransport} —
+* HTTP then runs the *same* secure session as a duplex carrier (handshake → token → encrypted frames),
+* the request/reply correlation provided for free by the HTTP transaction.
+*
+* `createRequest` derives the URL/headers per action (keep it simple with `() => ({ url })`). The body is
+* the session's responsibility, so it is never built here.
+*/
+function httpCarrier(createRequest, options = {}) {
+	const doFetch = options.fetch ?? fetch;
+	return {
+		shape: "exchange",
+		carrierLabel: "http",
+		open: (input) => {
+			const request = createRequest(input);
+			return {
+				label: request.url,
+				exchange: async (frame, opts) => {
+					return await (await doFetch(request.url, {
+						method: "POST",
+						headers: {
+							"Content-Type": "application/json",
+							...request.headers
+						},
+						body: typeof frame === "string" ? frame : new Uint8Array(frame),
+						signal: opts?.signal
+					})).text();
 				}
+			};
+		},
+		getCacheKey: options.getTransportCacheKey ?? ((input) => [createRequest(input).url]),
+		getRouteInfo: options.getRouteInfo ?? ((input) => {
+			const { url } = createRequest(input);
+			return {
+				carrierLabel: "http",
+				method: "POST",
+				url,
+				summary: `POST ${shortPath(url)}`
+			};
+		})
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/codec/createBinaryWireAdapter.ts
+/**
+* Positional layout of the stateless binary envelope. A flat tuple (rather than an object) strips the
+* repeated `domain`/`id`/`form`/`type` and context key names from every frame, and we carry only the
+* context fields the receiver can't recompute: `cuid` (correlation) and `originClient` (return
+* routing).
+*
+*   [ routeInt, typeInt, time, cuid, originClient, payloadData ]
+*
+* Dropped vs the JSON wire: `form`/`type` strings, `inputHash`/`outputHash` (recomputed on hydrate),
+* `context.timeCreated` (reconstructed from `time`) and `context.routing` (rebuilt empty — the
+* receiver re-stamps its own route items as it handles the action). For the leanest possible frames
+* (integer correlation, identity dropped after a handshake), use `createBinaryWireSessionFactory`.
+*/
+const ENVELOPE = {
+	route: 0,
+	type: 1,
+	time: 2,
+	cuid: 3,
+	originClient: 4,
+	payload: 5
+};
+const ENVELOPE_LENGTH = 6;
+/**
+* Builds a *stateless* `formatMessage` pipeline for {@link LinkTransport}, packing action
+* payloads into a compact msgpackr binary frame instead of JSON. The `domain`/`id` route collapses to
+* a single integer drawn from a shared dictionary; `form`/`type`, the recomputable
+* `inputHash`/`outputHash`, and the per-frame `context.routing`/`context.timeCreated` are all dropped
+* (see {@link ENVELOPE}).
+*
+* No validation runs here: `incoming` blindly reconstructs the wire JSON shape and hands it back to
+* the connection, which flows into `ActionRuntime` → `domain.hydrateAnyAction()` where the Valibot
+* schemas validate it exactly as they would for a JSON frame.
+*
+* Both ends of the socket MUST construct the adapter with the same domains in the same order — the
+* integer dictionary is positional. Mismatched dictionaries will route to the wrong action.
+*
+* Because `incoming` returns `undefined` for text frames, a binary server can still serve plain-JSON
+* clients on the same runtime (the connection falls back to its built-in JSON parser).
+*/
+function createBinaryWireAdapter(domains) {
+	const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
+	return {
+		outgoing: (input) => {
+			const json = input.action.toJsonObject();
+			const routeKey = `${json.domain}:${json.id}`;
+			const routeInt = routeToInt.get(routeKey);
+			if (routeInt == null) throw new Error(`[binary-wire] Cannot pack unregistered action route: ${routeKey}`);
+			const envelope = new Array(ENVELOPE_LENGTH);
+			envelope[ENVELOPE.route] = routeInt;
+			envelope[ENVELOPE.type] = PayloadTypeToInt[json.type];
+			envelope[ENVELOPE.time] = json.time;
+			envelope[ENVELOPE.cuid] = json.context.cuid;
+			envelope[ENVELOPE.originClient] = json.context.originClient;
+			envelope[ENVELOPE.payload] = extractWirePayload(json);
+			return pack(envelope);
+		},
+		incoming: (frame) => {
+			let buffer;
+			if (frame instanceof ArrayBuffer) buffer = new Uint8Array(frame);
+			else if (frame instanceof Uint8Array) buffer = frame;
+			else return;
+			try {
+				const envelope = unpack(buffer);
+				if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH) return void 0;
+				const routeMeta = intToRoute[envelope[ENVELOPE.route]];
+				const payloadType = ReversePayloadType[envelope[ENVELOPE.type]];
+				if (routeMeta == null || payloadType == null) return void 0;
+				const time = envelope[ENVELOPE.time];
+				return assembleWireJson(routeMeta, payloadType, time, {
+					cuid: envelope[ENVELOPE.cuid],
+					timeCreated: time,
+					routing: [],
+					originClient: envelope[ENVELOPE.originClient]
+				}, envelope[ENVELOPE.payload]);
+			} catch (e) {
+				console.error("[binary-wire] Failed to unpack binary action frame", e);
 				return;
 			}
-			await security.link.initialize();
-			let handshake = this._handshakeByConn.get(connection);
-			if (handshake == null) {
-				handshake = createServerHandshake({
-					link: security.link,
-					localCoordinate: security.localCoordinate,
-					dictionaryVersion: security.dictionaryVersion,
-					securityLevel: security.securityLevel,
-					verifyKeyResolver: security.verifyKeyResolver
-				});
-				this._handshakeByConn.set(connection, handshake);
-			}
-			if (message.t === "hello") this._send(connection, encodeHandshakeMessage(await handshake.onHello(message)));
-			else if (message.t === "prove") {
-				const reply = await handshake.onProve(message);
-				this._send(connection, encodeHandshakeMessage(reply));
-				const result = handshake.getResult();
-				if (reply.t === "accept" && result != null) this._completeServerHandshake(connection, result);
-			}
-			return;
-		}
-		let bytes = frame;
-		const cryptoReady = this._cryptoByConn.get(connection);
-		if (cryptoReady != null) try {
-			bytes = await (await cryptoReady).decryptFrame(frame);
-		} catch (err) {
-			console.error("[ws-server] failed to decrypt inbound frame", err);
-			return;
 		}
-		const wire = decodeActionFrame(bytes, this._codecFor(connection));
-		if (wire == null) return;
-		if (wire.type === "request") {
-			const bound = this._clientByConn.get(connection);
-			if (bound != null) wire.context.originClient = bound.toJsonObject();
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Transport.ts
+/**
+* Reusable transport definition. Devs construct these (`secureTransport({ carrier: wsCarrier(url) })`,
+* `plainTransport({ carrier: httpCarrier(...) })`, …) and pass them to a
+* `ConnectorHandler`. A single
+* definition can be shared across multiple handlers — each handler builds its own live
+* {@link TransportConnection} via {@link TransportConnection._createConnection}.
+*/
+var Transport = class {};
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/establishExchangeSession.ts
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+/** Plain path (no handshake/token): every action rides a bare `act` envelope, plaintext both ways. */
+function finalizePlainExchangeMethods(ctx) {
+	return buildExchangeMethods(ctx, {});
+}
+/** Secure path: run the handshake (two exchanges) once at bring-up, then reuse the token + crypto. */
+async function finalizeSecureExchangeMethods(ctx) {
+	return buildExchangeMethods(ctx, await runConnectorExchangeHandshake(ctx.carrier, ctx.secure));
+}
+function buildExchangeMethods(ctx, state) {
+	const sendActionData = (inputs) => {
+		runExchange(ctx.carrier, state, inputs).catch((err) => inputs.runningAction._abort(err));
+	};
+	return {
+		sendActionData,
+		updateRunConfig: ctx.updateRunConfig
+	};
+}
+async function runExchange(carrier, state, inputs) {
+	const { action, runningAction, timeout } = inputs;
+	const ac = new AbortController();
+	let timedOut = false;
+	const timeoutId = setTimeout(() => {
+		timedOut = true;
+		ac.abort();
+	}, timeout);
+	const unsubscribe = runningAction.addUpdateListeners([(update) => {
+		if (update.type === "finished") {
+			clearTimeout(timeoutId);
+			ac.abort();
 		}
-		for (const listener of this._incomingListeners) listener(wire);
-	}
-	_completeServerHandshake(connection, result) {
-		const clientCoord = new RuntimeCoordinate(result.remote);
-		this._bindConnection(connection, clientCoord);
-		this._connEncoding.set(connection, "binary");
-		this._authedConns.add(connection);
-		this._handshakeByConn.delete(connection);
-		if (result.securityLevel === "encrypted" && this._security != null) this._cryptoByConn.set(connection, Promise.resolve(createActionFrameCrypto({
-			link: this._security.link,
-			linkedClientId: result.linkedClientId
-		})));
-		this._onConnectionBound?.(connection, {
-			client: clientCoord.toJsonObject(),
-			encoding: "binary",
-			secure: {
-				securityLevel: result.securityLevel,
-				linkedClientId: result.linkedClientId,
-				keyMaterial: result.encryptionKeyMaterial
-			}
+	}]);
+	try {
+		const request = await buildRequestEnvelope(state, action);
+		const replyRaw = await carrier.exchange(encodeExchange(request), { signal: ac.signal });
+		if (action.type !== "request") return;
+		const reply = decodeExchangeReply(asString(replyRaw));
+		if (reply == null) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
+		if (reply.k === "err") throw err_nice_transport.fromId("send_failed", {
+			actionState: action.type,
+			actionId: action.id,
+			message: reply.message
 		});
+		const wire = await extractReplyWire(state, reply);
+		if (wire == null || !isActionPayload_Result_JsonObject(wire)) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
+		runningAction._completeWithResult(action._domain.hydrateResultPayload(wire));
+	} catch (err) {
+		if (timedOut) throw err_nice_transport.fromId("timeout", { timeout });
+		throw err;
+	} finally {
+		clearTimeout(timeoutId);
+		unsubscribe();
 	}
-	/**
-	* Ensure an inbound request carries the client's identity and that this connection is bound to it,
-	* so its result can be routed back. A session codec omits `originClient` after the first request, so
-	* when it's missing we restore it from the (possibly rehydrated) binding instead. (Plain mode only;
-	* secure mode binds the authenticated coordinate at handshake time.)
-	*/
-	_resolveRequestIdentity(connection, wire, encoding) {
-		const wireOrigin = wire.context.originClient;
-		if (wireOrigin != null && wireOrigin.envId !== "_unset_") {
-			const clientCoord = new RuntimeCoordinate(wireOrigin);
-			const isNewBinding = this._clientByConn.get(connection)?.stringId !== clientCoord.stringId;
-			this._bindConnection(connection, clientCoord);
-			if (isNewBinding) this._onConnectionBound?.(connection, {
-				client: clientCoord.toJsonObject(),
-				encoding
-			});
-			return;
-		}
-		const bound = this._clientByConn.get(connection);
-		if (bound != null) wire.context.originClient = bound.toJsonObject();
-	}
-	/**
-	* Restore a connection→client binding without an inbound frame — for transports that resume after
-	* eviction. Pair it with the {@link IActionServerHandlerOptions.onConnectionBound} hook: persist
-	* the binding there, then replay each live connection here when the channel comes back (e.g. a
-	* Durable Object iterating `ctx.getWebSockets()` as it wakes from hibernation).
-	*/
-	rehydrateConnection(connection, binding) {
-		this._bindConnection(connection, new RuntimeCoordinate(binding.client));
-		this._connEncoding.set(connection, binding.encoding);
-		const secure = binding.secure;
-		if (secure == null) return;
-		this._authedConns.add(connection);
-		if (secure.securityLevel === "encrypted" && secure.keyMaterial != null && this._security != null) {
-			const security = this._security;
-			const { linkedClientId, keyMaterial } = secure;
-			const cryptoReady = security.link.initialize().then(() => security.link.linkClient({
-				linkedClientId,
-				verifyPublicKey: keyMaterial.verifyPublicKey,
-				exchangePublicKey: keyMaterial.exchangePublicKey,
-				saltString: keyMaterial.saltString,
-				infoString: keyMaterial.infoString,
-				bindVerifyKeysIntoDerivation: keyMaterial.bindVerifyKeysIntoDerivation
-			})).then(() => createActionFrameCrypto({
-				link: security.link,
-				linkedClientId
-			}));
-			this._cryptoByConn.set(connection, cryptoReady);
-			const gate = cryptoReady.then(() => {}, (err) => console.error("[ws-server] failed to restore encrypted session", err));
-			this._inboundChainByConn.set(connection, gate);
-			this._outboundChainByConn.set(connection, gate);
-		}
-	}
-	toHandlerRouteItem() {
+}
+async function buildRequestEnvelope(state, action) {
+	const wire = action.toJsonObject();
+	if (state.crypto != null) {
+		const ciphertext = await state.crypto.encryptFrame(textEncoder.encode(JSON.stringify(wire)));
 		return {
-			type: this.handlerType,
-			client: this.externalClient,
-			transType: "custom",
-			transOrd: 0
+			k: "act",
+			t: state.token,
+			c: bytesToBase64(ciphertext)
 		};
 	}
-	/** Forget a connection (call on socket close) so stale entries don't misroute later results. */
-	dropConnection(connection) {
-		const coord = this._clientByConn.get(connection);
-		if (coord != null && this._connByClient.get(coord.stringId) === connection) this._connByClient.delete(coord.stringId);
-		this._clientByConn.delete(connection);
-		this._connEncoding.delete(connection);
-		this._codecByConn.delete(connection);
-		this._handshakeByConn.delete(connection);
-		this._cryptoByConn.delete(connection);
-		this._authedConns.delete(connection);
-		this._plainConns.delete(connection);
-		this._inboundChainByConn.delete(connection);
-		this._outboundChainByConn.delete(connection);
-	}
-	/** Live connection for a client coordinate, if currently registered. */
-	getConnectionForClient(client) {
-		return this._connByClient.get(client.stringId);
+	return {
+		k: "act",
+		t: state.token,
+		w: wire
+	};
+}
+async function extractReplyWire(state, reply) {
+	if (reply.k !== "act") return void 0;
+	if ("c" in reply) {
+		if (state.crypto == null) return void 0;
+		const plain = await state.crypto.decryptFrame(base64ToBytes(reply.c));
+		return JSON.parse(textDecoder.decode(plain));
+	}
+	return reply.w;
+}
+async function runConnectorExchangeHandshake(carrier, secure) {
+	await secure.link.initialize();
+	const handshake = createClientHandshake({
+		link: secure.link,
+		localCoordinate: secure.localCoordinate,
+		dictionaryVersion: secure.dictionaryVersion,
+		securityLevel: secure.securityLevel
+	});
+	const hsid = nanoid();
+	const hello = await handshake.createHello();
+	const welcomeReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
+		k: "hs",
+		hsid,
+		m: encodeHandshakeMessage(hello)
+	}))));
+	if (welcomeReply?.k !== "hs") throw new Error("[exchange-handshake] expected a welcome reply");
+	const welcome = decodeHandshakeMessage(welcomeReply.m);
+	if (welcome == null) throw new Error("[exchange-handshake] malformed welcome");
+	if (welcome.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${welcome.reason}`);
+	if (welcome.t !== "welcome") throw new Error(`[exchange-handshake] expected welcome, got ${welcome.t}`);
+	const prove = await handshake.onWelcome(welcome);
+	const acceptReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
+		k: "hs",
+		hsid,
+		m: encodeHandshakeMessage(prove)
+	}))));
+	if (acceptReply?.k !== "hs") throw new Error("[exchange-handshake] expected an accept reply");
+	const accept = decodeHandshakeMessage(acceptReply.m);
+	if (accept == null) throw new Error("[exchange-handshake] malformed accept");
+	if (accept.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${accept.reason}`);
+	if (accept.t !== "accept") throw new Error(`[exchange-handshake] expected accept, got ${accept.t}`);
+	if (acceptReply.t == null) throw new Error("[exchange-handshake] accept missing session token");
+	const result = await handshake.onAccept(accept);
+	const crypto = result.securityLevel === "encrypted" ? createActionFrameCrypto({
+		link: secure.link,
+		linkedClientId: result.linkedClientId
+	}) : void 0;
+	return {
+		token: acceptReply.t,
+		crypto
+	};
+}
+function asString(frame) {
+	if (typeof frame === "string") return frame;
+	return textDecoder.decode(frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame);
+}
+//#endregion
+//#region src/ActionRuntime/Transport/helpers/addTransportStatusMetadata.ts
+function addTransportStatusMetadata(transportStatus) {
+	if (transportStatus.status === "ready") return {
+		status: "ready",
+		readyData: transportStatus.readyData
+	};
+	if (transportStatus.status === "initializing") return {
+		status: "initializing",
+		initializationPromise: transportStatus.initializationPromise,
+		timeStarted: Date.now()
+	};
+	if (transportStatus.status === "failed") return {
+		status: "failed",
+		error: transportStatus.error,
+		timeFailed: Date.now()
+	};
+	if (transportStatus.status === "unsupported") return { status: "unsupported" };
+	return { status: "uninitialized" };
+}
+//#endregion
+//#region src/ActionRuntime/Transport/TransportConnection.ts
+let transportOrd = 0;
+/**
+* Live, per-handler transport runtime built from a reusable {@link Transport} definition. Holds the
+* connection-scoped state (ordinal, initialized config, sockets / abort sets) that must not be shared
+* across handlers. Construct these via `definition._createConnection(...)`, never directly.
+*/
+var TransportConnection = class {
+	def;
+	transOrd = transportOrd++;
+	type;
+	initialized;
+	/** Backref to the public definition that created this connection (used for devtools route info). */
+	definition;
+	constructor(def) {
+		this.def = def;
+		this.type = def.type;
+		this.initialized = def.initialize();
 	}
 	/**
-	* Send (and optionally await) a server-initiated action to a specific connected client. Pass the
-	* connection token directly (e.g. the `ws`) or a client `RuntimeCoordinate` to look one up.
+	* Devtools route info for an action routed through this live connection. Defaults to the stateless
+	* {@link definition}'s info; connections override to enrich it from live state (e.g. the actual
+	* resolved socket URL) when the definition couldn't resolve it on its own.
 	*/
-	pushToClient(runtime, target, request, options) {
-		const connection = this._resolveConnection(target);
-		return this._dispatch(runtime, connection, request, options?.timeout);
+	getRouteInfo(input) {
+		return this.definition?.getRouteInfo(input);
 	}
 	/**
-	* Build a local handler whose cases are connection-aware: each case receives the primed request and
-	* the originating client's live connection (resolved from `originClient`), so handlers don't repeat
-	* the `getConnectionForClient(action.context.originClient)` lookup. Cases may return raw output or
-	* nothing, just like {@link ActionLocalHandler.forDomainActionCases}. Add the returned handler to the
-	* runtime alongside this server handler:
-	* ```ts
-	* runtime.addHandlers([serverHandler.forConnectionDomainCases(domain, { … }), serverHandler]);
-	* ```
+	* Whether a `ready`-status transport still needs asynchronous bring-up before its methods exist —
+	* awaiting the carrier to open and/or running a handshake. Default `false`: a stateless transport
+	* (HTTP) is usable the instant `getTransport` reports `ready`, so it stays a terminal *synchronous*
+	* fallback in {@link ConnectionTransportManager}. Stream carriers (Link/WS) override to `true`.
 	*/
-	forConnectionDomainCases(domain, cases) {
-		const handler = new ActionLocalHandler();
-		const executor = cases;
-		const wrapped = {};
-		const wrappedRecord = wrapped;
-		for (const id in cases) {
-			const caseFn = executor[id];
-			if (caseFn == null) continue;
-			wrappedRecord[id] = (request) => caseFn(request, this.getConnectionForClient(request.context.originClient));
-		}
-		return handler.forDomainActionCases(domain, wrapped);
+	_needsAsyncBringUp(_readyData) {
+		return false;
+	}
+	/** Await the carrier becoming ready to send (e.g. a socket `open`). Default: nothing to await. */
+	_awaitCarrierReady(_readyData) {
+		return Promise.resolve();
 	}
 	/**
-	* Fan a server-initiated request out to every currently-bound connection. A fresh request is built
-	* per connection (each push mutates its own action context) and dispatched fire-and-forget. Pass
-	* `except` to skip the originating socket and `where` to filter by connection (e.g. read its
-	* attachment for a role). Iterating bound connections (rather than every accepted socket) skips
-	* sockets that are still mid-handshake and so can't yet receive a frame.
+	* Finalize during async bring-up — may run a handshake, so it can be async. Defaults to the
+	* synchronous {@link _finalizeTransportMethods}; secure stream carriers override to branch plain/secure.
 	*/
-	broadcast(makeRequest, options) {
-		const runtime = options?.runtime ?? this._runtime;
-		if (runtime == null) throw err_nice_transport.fromId("not_found", { actionId: "server-handler-runtime (construct with `runtime` or pass `options.runtime`)" });
-		for (const connection of this._clientByConn.keys()) {
-			if (options?.except != null && connection === options.except) continue;
-			if (options?.where != null && !options.where(connection)) continue;
-			try {
-				this.pushToClient(runtime, connection, makeRequest(), { timeout: options?.timeout });
-			} catch (error) {
-				if (options?.onError != null) options.onError(error, connection);
-				else console.error("[ws-server] broadcast push failed", error);
-			}
-		}
-	}
-	async sendReturnPayload(payload, config) {
-		const connection = this._connByClient.get(payload.context.originClient.stringId);
-		if (connection == null) return false;
-		this._sendPayload(connection, payload, config.targetLocalRuntime.coordinate);
-		return true;
-	}
-	async handleActionRequest(action, config) {
-		const runtime = config?.targetLocalRuntime ?? ActionRuntime.getDefault();
-		const connection = this._resolveSingleConnection();
-		return this._dispatch(runtime, connection, action, config?.timeout);
+	_finalizeReady(readyData) {
+		return this._finalizeTransportMethods(readyData);
 	}
-	_dispatch(runtime, connection, action, timeout) {
-		const timeoutMs = timeout ?? this._serverTimeout;
-		action.context._setOriginClient(runtime.coordinate);
-		action.context.addRouteItem({
-			runtime: runtime.coordinate,
-			handler: this.toHandlerRouteItem(),
-			time: Date.now()
-		});
-		const runningAction = new RunningAction({
-			context: action.context,
-			request: action,
-			parentCuid: peekHandlerCuid(),
-			callSite: action._callSite
-		});
-		runtime.registerRunningAction(runningAction);
-		const timeoutId = setTimeout(() => {
-			runningAction._abort(err_nice_transport.fromId("timeout", { timeout: timeoutMs }));
-		}, timeoutMs);
-		runningAction.addUpdateListeners([(update) => {
-			if (update.type === "finished") clearTimeout(timeoutId);
-		}]);
-		try {
-			this._sendPayload(connection, action, runtime.coordinate);
-		} catch (err) {
-			runningAction._abort(err);
-		}
-		return runningAction;
+	_getCacheKey(input) {
+		const parts = this.initialized.getTransportCacheKey?.(input);
+		if (parts == null) return null;
+		return parts.join("\0");
 	}
-	_sendPayload(connection, payload, localClient) {
-		const frame = (this._connEncoding.get(connection) ?? "binary") === "json" ? JSON.stringify(payload.toJsonObject()) : this._codecFor(connection).outgoing({
-			action: payload,
-			localClient,
-			externalClient: this.externalClient
-		});
-		const cryptoReady = this._cryptoByConn.get(connection);
-		if (cryptoReady == null) {
-			this._send(connection, frame);
-			return;
-		}
-		const bytes = toFrameBytes(frame);
-		const next = (this._outboundChainByConn.get(connection) ?? Promise.resolve()).then(() => cryptoReady).then((crypto) => crypto.encryptFrame(bytes)).then((encrypted) => this._send(connection, encrypted)).catch((err) => console.error("[ws-server] failed to encrypt/send frame", err));
-		this._outboundChainByConn.set(connection, next);
+	getCacheKey(input) {
+		const inner = this._getCacheKey(input);
+		if (inner == null) return null;
+		return `${this.transOrd}:${inner}`;
 	}
-	_bindConnection(connection, client) {
-		this._connByClient.set(client.stringId, connection);
-		this._clientByConn.set(connection, client);
+	getTransport(input) {
+		return this._processTransportStatus(input);
 	}
-	_resolveConnection(target) {
-		if (target instanceof RuntimeCoordinate) {
-			const connection = this._connByClient.get(target.stringId);
-			if (connection == null) throw err_nice_transport.fromId("not_found", { actionId: target.stringId });
-			return connection;
+	_processTransportStatus(input) {
+		const statusInfo = addTransportStatusMetadata(this.initialized.getTransport(input));
+		if (statusInfo.status === "ready") {
+			if (!this._needsAsyncBringUp(statusInfo.readyData)) return {
+				status: "ready",
+				readyData: this._finalizeTransportMethods(statusInfo.readyData)
+			};
+			return {
+				status: "initializing",
+				timeStarted: Date.now(),
+				initializationPromise: this._bringUp(statusInfo.readyData)
+			};
 		}
-		return target;
+		if (statusInfo.status === "initializing") {
+			const initializationPromise = statusInfo.initializationPromise.then((result) => result.status === "ready" ? this._bringUp(result.readyData) : result);
+			return {
+				status: "initializing",
+				timeStarted: statusInfo.timeStarted,
+				initializationPromise
+			};
+		}
+		return statusInfo;
 	}
-	_resolveSingleConnection() {
-		if (this._clientByConn.size !== 1) throw err_nice_transport.fromId("not_found", { actionId: "server-handler-target (use pushToClient with an explicit connection or client coordinate)" });
-		return this._clientByConn.keys().next().value;
+	/** Await carrier readiness, then finalize (possibly running a handshake) into the live methods. */
+	async _bringUp(readyData) {
+		await this._awaitCarrierReady(readyData);
+		return {
+			status: "ready",
+			readyData: await this._finalizeReady(readyData)
+		};
 	}
 };
-const createServerHandler = (options) => {
-	return new ActionServerHandler(options);
+//#endregion
+//#region src/ActionRuntime/Transport/Exchange/ExchangeConnection.ts
+/**
+* Carrier-agnostic live connection for the exchange (request → single reply) shape — the HTTP
+* counterpart to {@link LinkConnection}. It owns only the bring-up (run the secure handshake on first
+* use); the request/reply lifecycle + crypto live in the shared `establishExchangeSession`.
+*/
+var ExchangeConnection = class extends TransportConnection {
+	constructor(def) {
+		super({
+			...def,
+			type: "exchange"
+		});
+	}
+	_getCacheKey(input) {
+		return this.initialized.getTransportCacheKey?.(input).join("\0") ?? "";
+	}
+	_needsAsyncBringUp(data) {
+		return data.secureChannel != null && data.secureChannel.securityLevel !== "none";
+	}
+	_finalizeReady(data) {
+		const secure = data.secureChannel;
+		if (secure != null && secure.securityLevel !== "none") return finalizeSecureExchangeMethods({
+			...this._sessionContext(data),
+			secure
+		});
+		return this._finalizeTransportMethods(data);
+	}
+	_finalizeTransportMethods(data) {
+		return finalizePlainExchangeMethods(this._sessionContext(data));
+	}
+	_sessionContext(data) {
+		return {
+			carrier: data.carrier,
+			updateRunConfig: data.updateRunConfig,
+			secure: data.secureChannel
+		};
+	}
 };
 //#endregion
-//#region src/ActionRuntime/Handler/Server/createActionFetchHandler.ts
-/** Permissive defaults — fine for a public action endpoint; override (or disable) via `cors`. */
-const DEFAULT_CORS_HEADERS = {
-	"Access-Control-Allow-Origin": "*",
-	"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-	"Access-Control-Allow-Headers": "Content-Type",
-	"Access-Control-Max-Age": "86400"
+//#region src/ActionRuntime/Transport/Exchange/ExchangeTransport.ts
+/**
+* A carrier-agnostic exchange (request → single reply) transport: it drives nice-action's secure session
+* over any {@link IExchangeCarrier} (HTTP being the one built-in). The duplex counterpart is
+* {@link LinkTransport}; this is the no-push half — its reply rides the response to its own request, so it
+* can't deliver an unsolicited frame (the runtime never picks it for the return path).
+*/
+var ExchangeTransport = class ExchangeTransport extends Transport {
+	options;
+	type = "exchange";
+	constructor(options) {
+		super();
+		this.options = options;
+	}
+	static create(options) {
+		return new ExchangeTransport(options);
+	}
+	_createConnection(_ctx) {
+		const options = this.options;
+		return new ExchangeConnection({ initialize: () => ({
+			getTransportCacheKey: options.getTransportCacheKey,
+			getTransport: (input) => ({
+				status: "ready",
+				readyData: {
+					carrier: options.openCarrier(input),
+					secureChannel: options.security,
+					updateRunConfig: options.updateRunConfig
+				}
+			})
+		}) });
+	}
+	getRouteInfo(input) {
+		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
+		return {
+			carrierLabel: this.options.label ?? "exchange",
+			summary: this.options.label ?? "exchange"
+		};
+	}
 };
+//#endregion
+//#region src/ActionRuntime/Transport/helpers/createUnsetTransportResolvers.ts
+const createUnsetTransportResolvers = (transportLabel) => ({ onIncomingActionDataJson: (json) => {
+	console.warn(`Received incoming action JSON [${json.domain}:${json.id}] on Transport [${transportLabel}] but no incoming data listener has been set.`);
+} });
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/establishLinkSession.ts
+const HANDSHAKE_TIMEOUT_MS = 15e3;
+/** Plain path (no handshake): route every inbound frame to the runtime; send without crypto. */
+function finalizePlainLinkMethods(ctx) {
+	const disconnectListeners = [];
+	const abortSet = /* @__PURE__ */ new Set();
+	const pipe = makePipe(ctx, void 0);
+	ctx.channel.attach({
+		onMessage: (frame) => void handleIncomingActionFrame(ctx, pipe, frame),
+		onClose: () => onChannelClosed(ctx, disconnectListeners, abortSet),
+		onError: () => onChannelClosed(ctx, disconnectListeners, abortSet)
+	});
+	return buildSendMethods(ctx, pipe, disconnectListeners, abortSet);
+}
 /**
-* Build the `fetch` handler a server/Durable-Object exposes for action traffic, folding in the
-* boilerplate every endpoint repeats: CORS (incl. the `OPTIONS` preflight), routing the `/action`
-* `POST` body through the runtime (`handleActionPayloadWire` → `waitForResultPayload` →
-* `toHttpResponse`), an optional WebSocket-upgrade hook, and a `404` fallback.
-*
-* It only touches web-standard `Request`/`Response`, so it stays transport-agnostic — the one
-* environment-specific bit (the WS upgrade) is injected via {@link IActionFetchHandlerOptions.onWebSocketUpgrade}:
-* ```ts
-* this.fetchHandler = createActionFetchHandler(this.runtime, {
-*   onWebSocketUpgrade: () => {
-*     const pair = new WebSocketPair();
-*     this.ctx.acceptWebSocket(pair[1]);
-*     return new Response(null, { status: 101, webSocket: pair[0] });
-*   },
-* });
-* // async fetch(request) { return this.fetchHandler(request); }
-* ```
+* Secure path: a single message handler feeds the handshake until it completes, then routes action
+* frames (decrypting at the `encrypted` level). Frames that race ahead of activation are buffered and
+* flushed once the handshake lands, so nothing is lost.
 */
-function createActionFetchHandler(runtime, options = {}) {
-	const corsHeaders = options.cors === false ? {} : options.cors ?? DEFAULT_CORS_HEADERS;
-	const isActionPath = options.isActionPath ?? ((url) => url.pathname.endsWith("/action"));
-	const isWebSocketPath = options.isWebSocketPath ?? ((url) => url.pathname.endsWith("/ws"));
-	const withCors = (response) => {
-		if (options.cors === false) return response;
-		const headers = new Headers(response.headers);
-		for (const [key, value] of Object.entries(corsHeaders)) headers.set(key, value);
-		return new Response(response.body, {
-			status: response.status,
-			headers
+async function finalizeSecureLinkMethods(ctx) {
+	const disconnectListeners = [];
+	const abortSet = /* @__PURE__ */ new Set();
+	const session = {};
+	let active = false;
+	const handshakeQueue = [];
+	const handshakeWaiters = [];
+	const pendingActionFrames = [];
+	ctx.channel.attach({
+		onMessage: (frame) => {
+			if (active && session.pipe != null) {
+				handleIncomingActionFrame(ctx, session.pipe, frame);
+				return;
+			}
+			if (typeof frame === "string") {
+				const message = decodeHandshakeMessage(frame);
+				if (message != null) {
+					const waiter = handshakeWaiters.shift();
+					if (waiter != null) waiter(message);
+					else handshakeQueue.push(message);
+					return;
+				}
+			}
+			pendingActionFrames.push(frame);
+		},
+		onClose: () => onChannelClosed(ctx, disconnectListeners, abortSet),
+		onError: () => onChannelClosed(ctx, disconnectListeners, abortSet)
+	});
+	const nextHandshakeMessage = () => {
+		const queued = handshakeQueue.shift();
+		if (queued != null) return Promise.resolve(queued);
+		return new Promise((resolve, reject) => {
+			const timeout = setTimeout(() => reject(/* @__PURE__ */ new Error("[link-handshake] timed out waiting for peer reply")), HANDSHAKE_TIMEOUT_MS);
+			handshakeWaiters.push((message) => {
+				clearTimeout(timeout);
+				resolve(message);
+			});
 		});
 	};
-	return async (request) => {
-		if (request.method === "OPTIONS") return withCors(new Response(null, { status: 204 }));
-		const url = new URL(request.url);
-		if (options.onWebSocketUpgrade != null && request.headers.get("Upgrade") === "websocket" && isWebSocketPath(url)) return options.onWebSocketUpgrade(request, url);
-		if (request.method === "POST" && isActionPath(url)) return withCors((await (await runtime.handleActionPayloadWire(await request.json())).waitForResultPayload()).toHttpResponse({ useErrorStatus: options.useErrorStatus }));
-		return withCors(new Response("Not found", { status: 404 }));
+	const pipe = makePipe(ctx, await runClientHandshake(ctx.channel, ctx.secure, nextHandshakeMessage));
+	session.pipe = pipe;
+	active = true;
+	for (const frame of pendingActionFrames) await handleIncomingActionFrame(ctx, pipe, frame);
+	pendingActionFrames.length = 0;
+	return buildSendMethods(ctx, pipe, disconnectListeners, abortSet);
+}
+function makePipe(ctx, crypto) {
+	return createFrameCryptoPipe({
+		write: (frame) => ctx.channel.send(frame),
+		isOpen: () => ctx.channel.isOpen(),
+		crypto
+	});
+}
+async function runClientHandshake(channel, secure, nextHandshakeMessage) {
+	await secure.link.initialize();
+	const handshake = createClientHandshake({
+		link: secure.link,
+		localCoordinate: secure.localCoordinate,
+		dictionaryVersion: secure.dictionaryVersion,
+		securityLevel: secure.securityLevel
+	});
+	channel.send(encodeHandshakeMessage(await handshake.createHello()));
+	const welcome = await nextHandshakeMessage();
+	if (welcome.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${welcome.reason}`);
+	if (welcome.t !== "welcome") throw new Error(`[link-handshake] expected welcome, got ${welcome.t}`);
+	channel.send(encodeHandshakeMessage(await handshake.onWelcome(welcome)));
+	const accept = await nextHandshakeMessage();
+	if (accept.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${accept.reason}`);
+	if (accept.t !== "accept") throw new Error(`[link-handshake] expected accept, got ${accept.t}`);
+	const result = await handshake.onAccept(accept);
+	return result.securityLevel === "encrypted" ? createActionFrameCrypto({
+		link: secure.link,
+		linkedClientId: result.linkedClientId
+	}) : void 0;
+}
+function buildSendMethods(ctx, pipe, disconnectListeners, abortSet) {
+	const channel = ctx.channel;
+	const sendActionData = (inputs) => {
+		const { action, runningAction, timeout } = inputs;
+		if (!channel.isOpen()) {
+			if (action.type === "request") runningAction._abort(ctx.makeDisconnectError(action.id));
+			return;
+		}
+		if (action.type === "request") {
+			abortSet.add(runningAction);
+			const timeoutId = setTimeout(() => {
+				runningAction._abort(err_nice_transport.fromId("timeout", { timeout }));
+			}, timeout);
+			runningAction.addUpdateListeners([(update) => {
+				if (update.type === "finished") {
+					clearTimeout(timeoutId);
+					abortSet.delete(runningAction);
+				}
+			}]);
+		}
+		pipe.send(ctx.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
+	};
+	return {
+		sendActionData,
+		updateRunConfig: ctx.updateRunConfig,
+		addOnDisconnectListener: (cb) => {
+			disconnectListeners.push(cb);
+		},
+		disconnect: () => {
+			try {
+				channel.close();
+			} catch {}
+		},
+		sendReturnData: (payload, clients) => {
+			const formatted = clients != null ? ctx.formatMessage?.outgoing({
+				action: payload,
+				...clients
+			}) : void 0;
+			pipe.send(formatted ?? JSON.stringify(payload.toJsonObject()));
+		}
 	};
 }
+async function handleIncomingActionFrame(ctx, pipe, frame) {
+	const decoded = await pipe.decryptIncoming(frame);
+	if (decoded === void 0) return;
+	const rawJson = decodeActionFrame(decoded, ctx.formatMessage);
+	if (rawJson != null) ctx.resolvers.onIncomingActionDataJson(rawJson);
+}
+function onChannelClosed(ctx, disconnectListeners, abortSet) {
+	for (const cb of disconnectListeners) cb();
+	const error = ctx.makeDisconnectError("—");
+	for (const ra of [...abortSet]) ra._abort(error);
+}
 //#endregion
-//#region src/ActionRuntime/Handler/Server/createSecureActionServer.ts
-/** Default accepted set: negotiate per connection to whatever the client picks. */
-const DEFAULT_SERVER_SECURITY_LEVELS = [
-	"none",
-	"authenticated",
-	"encrypted"
-];
-/**
-* Build an {@link ActionServerHandler} for the secure binary channel with the boilerplate folded in:
-* it creates the {@link ClientCryptoKeyLink} and the storage-backed TOFU resolver from a single
-* `storageAdapter`, installs the channel's per-connection codec, and assembles the `security` block
-* from the runtime coordinate + channel version (accepting all three levels by default).
-*
-* For a hibernatable transport (e.g. a Durable Object), pair it with
-* {@link createHibernatableWsServerAdapter} to wire persistence + replay.
-*/
-function createSecureActionServerHandler(options) {
-	const link = new ClientCryptoKeyLink({ storageAdapter: options.storageAdapter });
-	return new ActionServerHandler({
-		clientEnv: options.clientEnv,
-		createFormatMessage: options.channel.createCodec,
-		send: options.send,
-		runtime: options.runtime,
-		defaultTimeout: options.defaultTimeout,
-		security: {
-			securityLevel: options.securityLevel ?? DEFAULT_SERVER_SECURITY_LEVELS,
-			link,
-			localCoordinate: options.runtime.coordinate.toJsonObject(),
-			dictionaryVersion: options.channel.dictionaryVersion,
-			verifyKeyResolver: options.verifyKeyResolver ?? createStorageTofuVerifyKeyResolver(options.storageAdapter)
-		}
+//#region src/ActionRuntime/Transport/Link/LinkConnection.ts
+/** Abort error for a closed link channel (carrier-neutral — the carrier itself isn't named). */
+function linkDisconnectError(actionId) {
+	return err_nice_transport.fromId("send_failed", {
+		actionId,
+		actionState: "request",
+		message: "link channel disconnected"
 	});
 }
 /**
-* Wire the hibernation lifecycle for a server handler on a transport whose sockets outlive process
-* eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
-* registers `setAttachment` as the handler's connection-bound callback and immediately replays every
-* live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
-*
-* Construct it once when the handler is built, then forward socket events:
-* ```ts
-* const wsServer = createHibernatableWsServerAdapter({ handler, getWebSockets, getAttachment, setAttachment });
-* // webSocketMessage(ws, msg) => wsServer.receive(ws, msg);
-* // webSocketClose/Error(ws)  => wsServer.drop(ws);
-* ```
+* Carrier-agnostic live connection. It owns only the *bring-up* (open the carrier, then run the secure
+* session); the session itself — handshake, frame crypto, codec, send/receive — lives in the shared
+* {@link finalizeSecureLinkMethods}/{@link finalizePlainLinkMethods}, so a WebSocket, a WebRTC data
+* channel, a Bluetooth characteristic, and an in-memory pipe all run the identical secure layer.
 */
-function createHibernatableWsServerAdapter(options) {
-	const { handler, getWebSockets, getAttachment, setAttachment } = options;
-	handler.setOnConnectionBound(setAttachment);
-	for (const connection of getWebSockets()) {
-		const binding = getAttachment(connection);
-		if (binding != null) handler.rehydrateConnection(connection, binding);
+var LinkConnection = class extends TransportConnection {
+	resolvers;
+	constructor(def, resolvers) {
+		super({
+			...def,
+			type: "duplex"
+		});
+		this.resolvers = resolvers ?? createUnsetTransportResolvers("link");
 	}
-	return {
-		receive: (connection, frame) => handler.receive(connection, frame),
-		drop: (connection) => handler.dropConnection(connection)
+	_getCacheKey(input) {
+		return this.initialized.getTransportCacheKey?.(input).join("\0") ?? "";
+	}
+	_needsAsyncBringUp() {
+		return true;
+	}
+	_awaitCarrierReady(data) {
+		return data.channel.ready;
+	}
+	_finalizeReady(data) {
+		const secure = data.secureChannel;
+		if (secure != null && secure.securityLevel !== "none") return finalizeSecureLinkMethods({
+			...this._sessionContext(data),
+			secure
+		});
+		return this._finalizeTransportMethods(data);
+	}
+	_sessionContext(data) {
+		return {
+			channel: data.channel,
+			resolvers: this.resolvers,
+			formatMessage: data.formatMessage,
+			updateRunConfig: data.updateRunConfig,
+			makeDisconnectError: linkDisconnectError
+		};
+	}
+	_finalizeTransportMethods(data) {
+		return finalizePlainLinkMethods(this._sessionContext(data));
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Transport/Link/LinkTransport.ts
+/**
+* A carrier-agnostic transport: it drives nice-action's secure session + action routing over any
+* {@link IDuplexCarrier}. The WebSocket transport is the special case that opens a `WebSocket`;
+* this opens whatever `openChannel` returns, so the identical secure layer works over WebRTC, Bluetooth,
+* or an in-memory pipe. Reported with an overridable carrier label in the devtools (defaults to "link").
+*/
+var LinkTransport = class LinkTransport extends Transport {
+	options;
+	type = "duplex";
+	constructor(options) {
+		super();
+		this.options = options;
+	}
+	static create(options) {
+		return new LinkTransport(options);
+	}
+	_createConnection(ctx) {
+		const options = this.options;
+		return new LinkConnection({ initialize: () => ({
+			getTransportCacheKey: options.getTransportCacheKey,
+			getTransport: (input) => ({
+				status: "ready",
+				readyData: {
+					channel: options.openChannel(input),
+					formatMessage: options.createFormatMessage?.() ?? options.formatMessage,
+					updateRunConfig: options.updateRunConfig,
+					secureChannel: options.security
+				}
+			})
+		}) }, ctx.resolvers);
+	}
+	getRouteInfo(input) {
+		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
+		return {
+			carrierLabel: this.options.label ?? "link",
+			summary: this.options.label ?? "link"
+		};
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/Carrier.types.ts
+/**
+* Narrow a carrier source to the exchange shape via its `shape` discriminant — the one branch the
+* transport factories ({@link secureTransport}, {@link plainTransport}) use to pick the duplex vs
+* exchange transport. A duplex source carries no `shape`, so the `else` branch is the duplex one.
+*/
+function isExchangeCarrierSource(carrier) {
+	return "shape" in carrier && carrier.shape === "exchange";
+}
+//#endregion
+//#region src/ActionRuntime/Transport/plainTransport.ts
+function plainTransport(options) {
+	const carrier = options.carrier;
+	if (isExchangeCarrierSource(carrier)) return ExchangeTransport.create({
+		openCarrier: carrier.open,
+		getTransportCacheKey: carrier.getCacheKey,
+		getRouteInfo: carrier.getRouteInfo,
+		label: options.label ?? carrier.carrierLabel,
+		updateRunConfig: options.updateRunConfig
+	});
+	return LinkTransport.create({
+		openChannel: carrier.open,
+		formatMessage: options.formatMessage,
+		createFormatMessage: options.createFormatMessage,
+		getTransportCacheKey: carrier.getCacheKey,
+		getRouteInfo: carrier.getRouteInfo,
+		label: options.label ?? carrier.carrierLabel,
+		updateRunConfig: options.updateRunConfig
+	});
+}
+//#endregion
+//#region src/ActionRuntime/Transport/secureTransport.ts
+function secureTransport(options) {
+	const link = new ClientCryptoKeyLink({ storageAdapter: options.storageAdapter });
+	const security = {
+		securityLevel: options.securityLevel,
+		link,
+		localCoordinate: options.runtime.coordinate.toJsonObject(),
+		dictionaryVersion: options.channel.dictionaryVersion
 	};
+	const carrier = options.carrier;
+	if (isExchangeCarrierSource(carrier)) return ExchangeTransport.create({
+		openCarrier: carrier.open,
+		getTransportCacheKey: carrier.getCacheKey,
+		getRouteInfo: carrier.getRouteInfo,
+		label: carrier.carrierLabel,
+		security
+	});
+	return LinkTransport.create({
+		openChannel: carrier.open,
+		createFormatMessage: options.channel.createCodec,
+		getTransportCacheKey: carrier.getCacheKey,
+		getRouteInfo: carrier.getRouteInfo,
+		label: carrier.carrierLabel,
+		security
+	});
 }
 //#endregion
-export { ActionCore, ActionDomain, ActionExternalClientHandler, ActionLocalHandler, ActionRootDomain, ActionRuntime, ActionSchema, ActionServerHandler, CustomTransport, EActionPayloadType, EActionProgressType, EErrId_NiceAction, EErrId_NiceTransport, EErrId_NiceTransport_WebSocket, EHandshakeMessageType, ERunningActionFinishedType, ERunningActionState, ERunningActionUpdateType, ESecurityLevel, ETransportStatus, ETransportType, HttpTransport, RunningAction, RuntimeCoordinate, Transport, WebSocketTransport, WsConnectionStateStore, actionSchema, createActionFetchHandler, createActionFrameCrypto, createActionRootDomain, createBinaryWsAdapter, createBinaryWsSessionFactory, createClientHandshake, createExternalClientHandler, createHibernatableWsServerAdapter, createInMemoryTofuVerifyKeyResolver, createLocalHandler, createSecureActionServerHandler, createSecureWebSocketTransport, createServerHandler, createServerHandshake, createStorageTofuVerifyKeyResolver, decodeActionFrame, decodeHandshakeMessage, defineSecureWsChannel, encodeHandshakeMessage, err_nice_action, err_nice_external_client, err_nice_transport, err_nice_transport_ws, isActionPayload_Any_JsonObject, isActionPayload_Request_JsonObject, isActionPayload_Result_JsonObject, runtimeLinkId };
+export { AcceptorHandler, ActionCore, ActionDomain, ActionLocalHandler, ActionRootDomain, ActionRuntime, ActionSchema, ConnectionStateStore, ConnectorHandler, EActionPayloadType, EActionProgressType, EActionResponseMode, EErrId_NiceAction, EErrId_NiceTransport, EErrId_NiceTransport_WebSocket, EHandshakeMessageType, ERunningActionFinishedType, ERunningActionState, ERunningActionUpdateType, ESecurityLevel, ETransportShape, ETransportStatus, ExchangeAcceptor, ExchangeTransport, LinkTransport, PeerLinkHandler, RunningAction, RuntimeCoordinate, Transport, acceptChannel, acceptChannelConnections, actionSchema, connectChannel, createAcceptorHandler, createActionFetchHandler, createActionFrameCrypto, createActionRootDomain, createBinaryWireAdapter, createBinaryWireSessionFactory, createClientHandshake, createConnectionStateStore, createConnectorHandler, createHibernatableWsServerAdapter, createInMemoryChannelPair, createInMemoryTofuVerifyKeyResolver, createLocalHandler, createSecureAcceptorHandler, createServerHandshake, createStorageTofuVerifyKeyResolver, decodeActionFrame, decodeHandshakeMessage, defineChannel, defineSecureChannel, encodeHandshakeMessage, err_nice_action, err_nice_external_client, err_nice_transport, err_nice_transport_ws, httpAcceptorCarrier, httpCarrier, inMemoryCarrier, isActionPayload_Any_JsonObject, isActionPayload_Request_JsonObject, isActionPayload_Result_JsonObject, isExchangeAcceptorCarrier, plainTransport, rtcCarrier, rtcDataChannelByteChannel, runtimeLinkId, secureTransport, serveChannel, wsAcceptorCarrier, wsCarrier };
 
 //# sourceMappingURL=index.mjs.map