@nice-code/action 0.15.0 → 0.17.0

package/build/{ActionPayload.types-BN-rXFBK.d.cts → ActionPayload.types-BchJrBIX.d.mts}

@@ -1,8 +1,8 @@
 import { INiceErrorDomainProps, InferNiceError, NiceError, NiceErrorDomain, err_cast_not_nice } from "@nice-code/error";
-import { StandardSchemaV1 } from "@standard-schema/spec";
 import { RuntimeName } from "std-env";
 import { ClientCryptoKeyLink, StorageAdapter, TSerializedCryptoKeyData_Ed25519_Raw, TSerializedCryptoKeyData_X25519_Raw, TTypeAndId } from "@nice-code/util";
 import * as v from "valibot";
+import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/ActionDefinition/Schema/ActionSchema.types.d.ts
 type TTransportedValue<RAW_VAL, SERDE_VAL> = [RAW_VAL] | [RAW_VAL, SERDE_VAL];
@@ -35,12 +35,45 @@ type TInferErrorFromDeclaration<D> = D extends IActionErrorDeclaration<infer DEF
 type TInferDeclaredErrors<DECLS extends readonly IActionErrorDeclaration[]> = TInferErrorFromDeclaration<DECLS[number]>;
 //#endregion
 //#region src/ActionDefinition/Schema/ActionSchema.d.ts
+/**
+ * What a sender should expect back from an action — declared on its schema so both ends agree without
+ * any wire flag (each derives the mode from the shared `domain:id`).
+ *
+ * - `payload` — a typed output (the action has `.output(...)`); the sender awaits it.
+ * - `ack` — an empty success confirming receipt (no output); the sender may await it to know the
+ *   receiver handled it (or to surface an error). This is the default for an action with no output.
+ * - `none` — fire-and-forget: the receiver sends no reply and the sender doesn't wait. The sender's
+ *   running action completes as soon as the frame is on the wire (no pending reply, no timeout).
+ */
+declare enum EActionResponseMode {
+  payload = "payload",
+  ack = "ack",
+  none = "none"
+}
 declare class ActionSchema<INPUT extends TTransportedValue<any, any> = never, OUTPUT extends TTransportedValue<any, any> = never, ERRORS extends readonly IActionErrorDeclaration<any, any>[] = readonly []> {
   private _errorDeclarations;
   private inputOptions;
   private outputOptions;
+  private _responseMode;
   get inputSchema(): StandardSchemaV1 | undefined;
   get outputSchema(): StandardSchemaV1 | undefined;
+  /**
+   * The response contract for this action. Defaults are inferred — `payload` when an output schema is
+   * declared, otherwise `ack` — and made explicit by {@link ack} / {@link fireAndForget}.
+   */
+  get responseMode(): EActionResponseMode;
+  /**
+   * Mark this action as expecting only an acknowledgment (an empty success). Mostly for clarity — an
+   * output-less action already acks by default — but it documents intent and reads as the deliberate
+   * counterpart to {@link fireAndForget}.
+   */
+  ack(): this;
+  /**
+   * Mark this action as fire-and-forget: the receiver sends no reply, and the sender's running action
+   * completes the moment the frame is sent (no awaited reply, no timeout). Ideal for high-frequency
+   * server→client pushes (presence, ticks) where an ack would only add wire chatter.
+   */
+  fireAndForget(): this;
   /**
    * Declare the input schema (JSON-native or with explicit SERDE type param).
    * For non-JSON-native inputs, prefer the 3-argument form below to avoid
@@ -501,20 +534,20 @@ declare class ActionRouter<DATA> {
 //#endregion
 //#region src/ActionRuntime/Handler/ActionHandler.types.d.ts
 declare enum EActionHandlerType {
-  external = "external",
+  peer = "peer",
   local = "local"
 }
 interface IActionHandler_Json<T extends EActionHandlerType> {
   type: T;
 }
-interface IActionHandler_ExternalClient_Json extends IActionHandler_Json<EActionHandlerType.external> {
+interface IActionHandler_Peer_Json extends IActionHandler_Json<EActionHandlerType.peer> {
   client: IRuntimeCoordinate;
 }
 interface IActionHandler_Local_Json extends IActionHandler_Json<EActionHandlerType.local> {}
-type TActionHandler_Json = IActionHandler_Local_Json | IActionHandler_ExternalClient_Json;
+type TActionHandler_Json = IActionHandler_Local_Json | IActionHandler_Peer_Json;
 interface IHandleActionOptions {
   timeout?: number;
-  targetExternalClient?: RuntimeCoordinate;
+  targetPeer?: RuntimeCoordinate;
   targetLocalRuntime?: ActionRuntime;
 }
 interface IExecuteActionOptions<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends IHandleActionOptions {
@@ -536,13 +569,13 @@ interface IActionHandler_Local extends IActionHandler_Base<EActionHandlerType.lo
 }
 /**
  *
- *  EXTERNAL CLIENT ACTION HANDLER
+ *  PEER-LINK ACTION HANDLER
  *
  */
-interface IHandleActionOptions_External extends IHandleActionOptions {}
-interface IActionHandler_ExternalClient extends IActionHandler_Base<EActionHandlerType.external> {
-  externalClient: RuntimeCoordinate;
-  handleActionRequest: <DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions_External) => Promise<RunningAction<DOM, ID>>;
+interface IHandleActionOptions_Peer extends IHandleActionOptions {}
+interface IActionHandler_Peer extends IActionHandler_Base<EActionHandlerType.peer> {
+  peerClient: RuntimeCoordinate;
+  handleActionRequest: <DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions_Peer) => Promise<RunningAction<DOM, ID>>;
   _setIncomingActionDataListener(listener: (json: TActionPayload_Any_JsonObject<any>) => void): void;
 }
 /**
@@ -550,7 +583,7 @@ interface IActionHandler_ExternalClient extends IActionHandler_Base<EActionHandl
  *  COMBINED
  *
  */
-type TActionHandler = IActionHandler_Local | IActionHandler_ExternalClient;
+type TActionHandler = IActionHandler_Local | IActionHandler_Peer;
 //#endregion
 //#region src/ActionDefinition/Action/Payload/ActionPayload_Request.d.ts
 declare class ActionPayload_Request<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends ActionPayload<EActionPayloadType.request, DOM, ID> {
@@ -624,229 +657,6 @@ declare abstract class ActionHandler<T extends EActionHandlerType> implements IA
   abstract toHandlerRouteItem(...args: any[]): IActionRouteItemHandler;
 }
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/TransportConnection.d.ts
-/**
- * Live, per-handler transport runtime built from a reusable {@link Transport} definition. Holds the
- * connection-scoped state (ordinal, initialized config, sockets / abort sets) that must not be shared
- * across handlers. Construct these via `definition._createConnection(...)`, never directly.
- */
-declare abstract class TransportConnection<T extends ETransportType = ETransportType, RP extends ITransportRouteActionParams = ITransportRouteActionParams, RD extends IActionTransportReadyData_Base = IActionTransportReadyData_Base, I extends IActionTransportInitialized<RP, RD> = IActionTransportInitialized<RP, RD>, DEF extends IActionTransportDef<T, I> = IActionTransportDef<T, I>> {
-  readonly def: DEF;
-  readonly transOrd: number;
-  readonly type: T;
-  readonly initialized: I;
-  /** Backref to the public definition that created this connection (used for devtools route info). */
-  definition?: Transport<T>;
-  constructor(def: DEF);
-  /**
-   * Devtools route info for an action routed through this live connection. Defaults to the stateless
-   * {@link definition}'s info; connections override to enrich it from live state (e.g. the actual
-   * resolved socket URL) when the definition couldn't resolve it on its own.
-   */
-  getRouteInfo(input: RP): ITransportRouteInfo | undefined;
-  protected abstract _finalizeTransportMethods(inputs: RD): IActionTransportReadyData_Methods;
-  protected _getCacheKey(input: RP): string | null;
-  getCacheKey(input: RP): string | null;
-  getTransport(input: RP): TTransportStatusInfo<IActionTransportReadyData_Methods>;
-  protected _processTransportStatus(input: RP): TTransportStatusInfo<IActionTransportReadyData_Methods>;
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Transport.types.d.ts
-declare enum ETransportType {
-  ws = "ws",
-  http = "http",
-  custom = "custom"
-}
-/**
- * Serializable, display-only description of how an action was routed through a transport. Stored on
- * the action's route items and shown in the devtools external-handler chips. Keep this free of
- * sensitive data (e.g. auth headers) — route items travel over the wire.
- */
-interface ITransportRouteInfo {
-  type: ETransportType;
-  /** Short label for chips, e.g. "POST /resolve_action" or "ws host/resolve_action/ws". */
-  summary?: string;
-  url?: string;
-  method?: string;
-  detail?: Record<string, string | number | boolean>;
-}
-interface IUpdateActionRunConfig_Output {
-  timeout?: number;
-}
-type TUpdateActionRunConfig = (input: ITransportRouteActionParams & {
-  timeout: number;
-}) => IUpdateActionRunConfig_Output;
-interface IActionTransportReadyData_Base {
-  updateRunConfig?: TUpdateActionRunConfig;
-}
-/**
- *
- *  TRANSPORT READINESS RESPONSE
- *
- */
-declare enum ETransportStatus {
-  uninitialized = "uninitialized",
-  unsupported = "unsupported",
-  initializing = "initializing",
-  ready = "ready",
-  failed = "failed"
-}
-interface ITransportStatusInfo_Base<S extends ETransportStatus> {
-  status: S;
-}
-interface ITransportStatusInfo_Failed extends ITransportStatusInfo_Base<ETransportStatus.failed> {
-  error: NiceError;
-  timeFailed: number;
-}
-interface ITransportStatusInfo_Unsupported extends ITransportStatusInfo_Base<ETransportStatus.unsupported> {}
-interface ITransportStatusInfo_Ready<READY extends IActionTransportReadyData_Base> extends ITransportStatusInfo_Base<ETransportStatus.ready> {
-  readyData: READY;
-}
-type TTransportInitializationFinishedInfo<READY extends IActionTransportReadyData_Base> = ITransportStatusInfo_Ready<READY> | ITransportStatusInfo_Failed | ITransportStatusInfo_Unsupported;
-interface ITransportStatusInfo_Initializing<READY extends IActionTransportReadyData_Base> extends ITransportStatusInfo_Base<ETransportStatus.initializing> {
-  timeStarted: number;
-  initializationPromise: Promise<TTransportInitializationFinishedInfo<READY>>;
-}
-type TTransportStatusInfo<READY extends IActionTransportReadyData_Base> = ITransportStatusInfo_Base<ETransportStatus.uninitialized> | ITransportStatusInfo_Unsupported | ITransportStatusInfo_Initializing<READY> | ITransportStatusInfo_Ready<READY> | ITransportStatusInfo_Failed;
-type TTransportStatusInfo_GetTransport_Output<READY extends IActionTransportReadyData_Base> = ITransportStatusInfo_Base<ETransportStatus.uninitialized> | ITransportStatusInfo_Unsupported | Omit<ITransportStatusInfo_Initializing<READY>, "timeStarted"> | ITransportStatusInfo_Ready<READY> | Omit<ITransportStatusInfo_Failed, "timeFailed">;
-/**
- *
- *  TRANSPORT ROUTING
- *
- */
-interface ITransportRouteClientParams {
-  localClient: RuntimeCoordinate;
-  externalClient: RuntimeCoordinate;
-}
-interface ITransportRouteActionParams extends ITransportRouteClientParams {
-  action: TActionPayload_Any_Instance<any, any>;
-}
-interface ITransportMethod_SendActionData_Input extends ITransportRouteActionParams {
-  runningAction: RunningAction<any, any>;
-  timeout: number;
-}
-interface ITransportDispatchAction<P> extends ITransportMethod_SendActionData_Input {
-  params: P;
-}
-type TSendActionDataMethod = (input: ITransportMethod_SendActionData_Input) => void;
-type TSendReturnDataMethod = (payload: TActionPayload_Any_Instance<any, any>,
-/**
- * The local/external client pair this payload is being returned over. Bidirectional transports use
- * it to build the full route params their outgoing formatter expects (e.g. binary packing). Optional
- * so existing return-data implementations keep type-checking.
- */
-
-clients?: ITransportRouteClientParams) => void;
-interface IActionTransportReadyData_Methods extends IActionTransportReadyData_Base {
-  sendActionData: TSendActionDataMethod;
-  /**
-   * Optional — implement on bidirectional transports (WebSocket, Custom) to enable return-path
-   * routing. When present, the runtime uses this to dispatch results and progress payloads directly
-   * back to `originClient` without going through the original request transport.
-   */
-  sendReturnData?: TSendReturnDataMethod;
-  addOnDisconnectListener?: (callback: () => void) => void;
-  /**
-   * Optional — implement on transports holding a long-lived connection (WebSocket, Custom) to close it
-   * deliberately. Called by `ActionExternalClientHandler.clearTransportCache()` so a teardown actually
-   * releases the underlying socket instead of leaving it open until GC.
-   */
-  disconnect?: () => void;
-}
-interface IActionTransportReady {
-  methods: IActionTransportReadyData_Methods;
-  transport: TransportConnection;
-}
-type TTransportCache = Map<string, IActionTransportReady | Promise<IActionTransportReady>>;
-type TOnResolveIncomingRequest = (request: ActionPayload_Request<any>) => void;
-type TOnResolveIncomingRequestJson = (request: IActionPayload_Request_JsonObject<any>) => void;
-type TOnResolveIncomingResponse = (response: ActionPayload_Result<any>) => void;
-type TOnResolveIncomingResponseJson = (response: IActionPayload_Result_JsonObject<any>) => void;
-type TOnResolveAnyIncomingActionData = (actionData: ActionPayload_Request<any> | ActionPayload_Result<any>) => void;
-type TOnResolveAnyIncomingActionData_Json = (actionData: TActionPayload_Any_JsonObject<any>) => void;
-interface IActionTransportResolvers {
-  onIncomingActionDataJson: TOnResolveAnyIncomingActionData_Json;
-}
-type TGetTransportFn<IN extends ITransportRouteActionParams, READY extends IActionTransportReadyData_Base> = (input: IN) => TTransportStatusInfo_GetTransport_Output<READY>;
-interface IActionTransportInitialized<IN extends ITransportRouteActionParams, READY extends IActionTransportReadyData_Base> {
-  getTransportCacheKey?: (input: IN) => string[];
-  getTransport: TGetTransportFn<IN, READY>;
-}
-interface IActionTransportDef<TYPE extends ETransportType, INIT extends IActionTransportInitialized<any, any>> {
-  type: TYPE;
-  initialize: () => INIT;
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Transport.d.ts
-/**
- * Context handed to a {@link Transport} definition when a handler builds a live connection from it.
- * Only bidirectional transports (WebSocket / Custom) make use of `resolvers`.
- */
-interface ITransportConnectionContext {
-  resolvers?: IActionTransportResolvers;
-}
-/**
- * Reusable transport definition. Devs construct these (`HttpTransport.create({ createRequest })`,
- * `WebSocketTransport.create({ createWebSocket })`, …) and pass them to an
- * `ActionExternalClientHandler`. A single
- * definition can be shared across multiple handlers — each handler builds its own live
- * {@link TransportConnection} via {@link TransportConnection._createConnection}.
- */
-declare abstract class Transport<T extends ETransportType = ETransportType> {
-  abstract readonly type: T;
-  /** Internal: build a fresh, per-handler live connection from this definition. */
-  abstract _createConnection(ctx: ITransportConnectionContext): TransportConnection<T>;
-  /**
-   * Resolve human-readable info about how a specific action would be routed through this transport
-   * (e.g. the request URL/method, or the WebSocket endpoint). Surfaced in the action devtools.
-   */
-  abstract getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/ActionExternalClientHandler.types.d.ts
-interface IActionExternalClientRequestHandlerConfig {
-  defaultTimeout?: number;
-  runtimeCoordinate: RuntimeCoordinate;
-  transports: Transport[];
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/ActionExternalClientHandler.d.ts
-declare class ActionExternalClientHandler extends ActionHandler<EActionHandlerType.external> implements IActionHandler_ExternalClient {
-  readonly externalClient: RuntimeCoordinate;
-  readonly handlerType = EActionHandlerType.external;
-  readonly cuid: string;
-  private _defaultTimeout;
-  private _transportCache;
-  private transportManager;
-  private _incomingActionDataListeners;
-  readonly actionRouter: ActionRouter<true>;
-  constructor({
-    runtimeCoordinate: externalClientSpecifier,
-    transports,
-    defaultTimeout
-  }: IActionExternalClientRequestHandlerConfig);
-  forDomain<FOR_DOM extends IActionDomain>(domain: ActionDomain<FOR_DOM>): this;
-  forAction<ACT_DOM extends IActionDomain, ID extends keyof ACT_DOM["actionSchema"] & string>(action: ActionCore<ACT_DOM, ID>): this;
-  forActionIds<ACT_DOM extends IActionDomain, IDS extends ReadonlyArray<keyof ACT_DOM["actionSchema"] & string>>(domain: ActionDomain<ACT_DOM>, ids: IDS): this;
-  _setIncomingActionDataListener(listener: (json: TActionPayload_Any_JsonObject<any, any>) => void): void;
-  handleActionRequest<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions): Promise<RunningAction<DOM, ID>>;
-  private _dispatchWhenTransportReady;
-  /**
-   * Dispatch a result or progress payload directly back to the external client via the best
-   * available bidirectional transport (WebSocket / Custom). Used for return-path routing when the
-   * local runtime recognises that it has a direct channel to the action's originClient.
-   *
-   * Returns `true` if the payload was sent, `false` if no suitable transport was available.
-   */
-  sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
-    targetLocalRuntime: ActionRuntime;
-  }): Promise<boolean>;
-  toJsonObject(): IActionHandler_ExternalClient_Json;
-  toHandlerRouteItem(transport: TransportConnection, input: ITransportRouteActionParams): IActionRouteItemHandler;
-  clearTransportCache(): void;
-}
-declare const createExternalClientHandler: (config: IActionExternalClientRequestHandlerConfig) => ActionExternalClientHandler;
-//#endregion
 //#region src/utils/typescript/MaybePromise.d.ts
 type MaybePromise<T> = T | Promise<T>;
 //#endregion
@@ -898,6 +708,62 @@ declare class ActionLocalHandler extends ActionHandler<EActionHandlerType.local>
 }
 declare const createLocalHandler: () => ActionLocalHandler;
 //#endregion
+//#region src/ActionRuntime/Handler/PeerLink/PeerLinkHandler.d.ts
+/**
+ * Shared base for every handler that routes a domain set to/from *another runtime* (a "peer") — the
+ * unified peer-link concept. Both specializations extend this as siblings, differing only in *who
+ * establishes the connection*, which is a transport trait, not a routing one:
+ *
+ * - {@link ConnectorHandler} — **dial-out**: this runtime opens connection(s) to one peer
+ *   over a transport stack (with caching + fallback). The classic "client → backend" link.
+ * - {@link AcceptorHandler} — **accept-in**: connections are accepted from many peers and fed in
+ *   via `receive()`; it keeps a per-connection registry and can push to any of them.
+ *
+ * To the runtime there is no "client" vs "server" — both are peer-link handlers (`handlerType =
+ * external`) keyed to a peer coordinate, chosen by the return-path dispatch via {@link sendReturnPayload}.
+ */
+declare abstract class PeerLinkHandler extends ActionHandler<EActionHandlerType.peer> implements IActionHandler_Peer {
+  /** The peer runtime this handler links to (an env-only coordinate for an accept-in handler). */
+  readonly peerClient: RuntimeCoordinate;
+  readonly handlerType = EActionHandlerType.peer;
+  /**
+   * Whether this link can deliver an *unsolicited* frame to the peer (a result/progress pushed back on
+   * the return path, or a `broadcast`). A duplex carrier (WebSocket/WebRTC/…) can; an exchange-only
+   * carrier (HTTP) cannot — its reply must ride the response to its own request. The runtime's
+   * return-path dispatch ({@link ActionRuntime.getReturnHandlerForOrigin}) skips handlers that can't
+   * push, so an exchange-only handler is never asked to deliver one.
+   */
+  abstract readonly canPush: boolean;
+  readonly actionRouter: ActionRouter<true>;
+  /** Listeners installed by the runtime (`resolveIncomingActionPayload`) for inbound peer frames. */
+  private readonly _incomingActionDataListeners;
+  constructor(peerCoordinate: RuntimeCoordinate);
+  forDomain<FOR_DOM extends IActionDomain>(domain: ActionDomain<FOR_DOM>): this;
+  forAction<ACT_DOM extends IActionDomain, ID extends keyof ACT_DOM["actionSchema"] & string>(action: ActionCore<ACT_DOM, ID>): this;
+  forActionIds<ACT_DOM extends IActionDomain, IDS extends ReadonlyArray<keyof ACT_DOM["actionSchema"] & string>>(domain: ActionDomain<ACT_DOM>, ids: IDS): this;
+  _setIncomingActionDataListener(listener: (json: TActionPayload_Any_JsonObject<any, any>) => void): void;
+  /** Hand a decoded inbound frame to the runtime (called by each specialization's receive path). */
+  protected _emitIncoming(json: TActionPayload_Any_JsonObject<any, any>): void;
+  /**
+   * Dispatch a result/progress payload back to the action's origin peer over this link. The runtime's
+   * return-path dispatch calls it on whichever peer-link handler best reaches `originClient`. Returns
+   * `true` if it was sent, `false` if no channel was available.
+   */
+  abstract sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
+    targetLocalRuntime: ActionRuntime;
+  }): Promise<boolean>;
+  /**
+   * Whether this handler currently holds a *live* connection bound to `origin`. The runtime's return-path
+   * dispatch ({@link ActionRuntime.getReturnHandlerForOrigin}) prefers a handler that owns the origin's
+   * connection over a mere coordinate match, so with several duplex acceptors a result/push routes back
+   * over the carrier the client connected on. Defaults to `false`; an acceptor overrides it from its
+   * connection registry.
+   */
+  ownsLiveConnectionFor(_origin: RuntimeCoordinate): boolean;
+  /** Release any long-lived connections this handler owns (a teardown). No-op by default. */
+  clearTransportCache(): void;
+}
+//#endregion
 //#region src/ActionRuntime/ActionRuntime.types.d.ts
 interface IRuntimeMeta {
   assumed: boolean;
@@ -906,34 +772,486 @@ interface IRuntimeMeta {
 interface IActionRuntimeManagerContext {
   domain?: string;
 }
-type TActionRuntimeHandler = ActionLocalHandler | ActionExternalClientHandler;
+type TActionRuntimeHandler = ActionLocalHandler | PeerLinkHandler;
 //#endregion
-//#region src/ActionRuntime/ActionRuntime.d.ts
-declare class ActionRuntime {
-  private _coordinate;
-  readonly timeCreated: number;
-  readonly runtimeInfo: IRuntimeMeta;
-  private readonly actionRouter;
-  private readonly _pendingRunningActions;
-  private readonly _registeredExternalHandlers;
-  private _applied;
-  static getDefault(): ActionRuntime;
-  constructor(coordinate: RuntimeCoordinate);
-  get coordinate(): RuntimeCoordinate;
-  specifyRuntimeCoordinate(specifics: IRuntimeCoordinateSpecifics & {
-    envId?: string;
-  }): void;
-  registerRunningAction(ra: RunningAction<any, any>): void;
-  resolveIncomingActionPayload(json: TActionPayload_Any_JsonObject<any, any>): void;
-  /**
-   * Handle an incoming action wire (e.g. from a transport layer), route it to
-   * the correct handler, and return the response. The most specific handler
-   * match is chosen (action-ID-specific beats domain-wildcard).
-   */
-  handleActionPayloadWire<D extends IActionDomain, ID extends keyof D["actionSchema"] & string>(wire: TActionPayload_Any_JsonObject<D, ID>): Promise<RunningAction<D, ID>>;
-  handleActionPayloadWire(wire: unknown): Promise<RunningAction<any, any>>;
-  handleActionPayload<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: TActionPayload_Any_Instance<DOM, ID>, options?: Omit<IHandleActionOptions, "targetLocalRuntime">): Promise<RunningAction<DOM, ID>>;
-  /**
+//#region src/ActionRuntime/Transport/crypto/actionHandshake.d.ts
+/** How much the channel protects after the handshake — chosen by the consumer (perf vs security). */
+declare enum ESecurityLevel {
+  /** No handshake; identity is self-asserted (fastest, dev / trusted networks). */
+  none = "none",
+  /** Handshake authenticates identity (sign/verify + key pin); frames stay plaintext over TLS. */
+  authenticated = "authenticated",
+  /** Authenticated handshake + every frame AES-GCM encrypted with the derived shared key. */
+  encrypted = "encrypted"
+}
+declare enum EHandshakeMessageType {
+  hello = "hello",
+  welcome = "welcome",
+  prove = "prove",
+  accept = "accept",
+  reject = "reject"
+}
+declare const vHsHello: v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.hello, undefined>;
+  readonly protocol: v.StringSchema<undefined>;
+  readonly securityLevel: v.PicklistSchema<[ESecurityLevel.none, ESecurityLevel.authenticated, ESecurityLevel.encrypted], undefined>;
+  readonly dictionaryVersion: v.StringSchema<undefined>;
+  readonly client: v.ObjectSchema<{
+    readonly envId: v.StringSchema<undefined>;
+    readonly perId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+    readonly insId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+  }, undefined>;
+  readonly clientNonce: v.StringSchema<undefined>;
+  readonly verifyPublicKey: v.CustomSchema<`ed25519::raw_base64::${string}`, undefined>;
+  readonly exchangePublicKey: v.OptionalSchema<v.CustomSchema<`x25519::raw_base64::${string}`, undefined>, undefined>;
+}, undefined>;
+declare const vHsWelcome: v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.welcome, undefined>;
+  readonly securityLevel: v.PicklistSchema<[ESecurityLevel.none, ESecurityLevel.authenticated, ESecurityLevel.encrypted], undefined>;
+  readonly dictionaryVersion: v.StringSchema<undefined>;
+  readonly server: v.ObjectSchema<{
+    readonly envId: v.StringSchema<undefined>;
+    readonly perId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+    readonly insId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+  }, undefined>;
+  readonly serverNonce: v.StringSchema<undefined>;
+  readonly verifyPublicKey: v.CustomSchema<`ed25519::raw_base64::${string}`, undefined>;
+  readonly exchangePublicKey: v.OptionalSchema<v.CustomSchema<`x25519::raw_base64::${string}`, undefined>, undefined>;
+}, undefined>;
+declare const vHsProve: v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.prove, undefined>;
+  readonly signatureBase64: v.StringSchema<undefined>;
+}, undefined>;
+declare const vHsAccept: v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.accept, undefined>;
+  readonly signatureBase64: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+}, undefined>;
+declare const vHsReject: v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.reject, undefined>;
+  readonly reason: v.StringSchema<undefined>;
+}, undefined>;
+declare const vHandshakeMessage: v.VariantSchema<"t", [v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.hello, undefined>;
+  readonly protocol: v.StringSchema<undefined>;
+  readonly securityLevel: v.PicklistSchema<[ESecurityLevel.none, ESecurityLevel.authenticated, ESecurityLevel.encrypted], undefined>;
+  readonly dictionaryVersion: v.StringSchema<undefined>;
+  readonly client: v.ObjectSchema<{
+    readonly envId: v.StringSchema<undefined>;
+    readonly perId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+    readonly insId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+  }, undefined>;
+  readonly clientNonce: v.StringSchema<undefined>;
+  readonly verifyPublicKey: v.CustomSchema<`ed25519::raw_base64::${string}`, undefined>;
+  readonly exchangePublicKey: v.OptionalSchema<v.CustomSchema<`x25519::raw_base64::${string}`, undefined>, undefined>;
+}, undefined>, v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.welcome, undefined>;
+  readonly securityLevel: v.PicklistSchema<[ESecurityLevel.none, ESecurityLevel.authenticated, ESecurityLevel.encrypted], undefined>;
+  readonly dictionaryVersion: v.StringSchema<undefined>;
+  readonly server: v.ObjectSchema<{
+    readonly envId: v.StringSchema<undefined>;
+    readonly perId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+    readonly insId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+  }, undefined>;
+  readonly serverNonce: v.StringSchema<undefined>;
+  readonly verifyPublicKey: v.CustomSchema<`ed25519::raw_base64::${string}`, undefined>;
+  readonly exchangePublicKey: v.OptionalSchema<v.CustomSchema<`x25519::raw_base64::${string}`, undefined>, undefined>;
+}, undefined>, v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.prove, undefined>;
+  readonly signatureBase64: v.StringSchema<undefined>;
+}, undefined>, v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.accept, undefined>;
+  readonly signatureBase64: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+}, undefined>, v.ObjectSchema<{
+  readonly t: v.LiteralSchema<EHandshakeMessageType.reject, undefined>;
+  readonly reason: v.StringSchema<undefined>;
+}, undefined>], undefined>;
+type THsHello = v.InferOutput<typeof vHsHello>;
+type THsWelcome = v.InferOutput<typeof vHsWelcome>;
+type THsProve = v.InferOutput<typeof vHsProve>;
+type THsAccept = v.InferOutput<typeof vHsAccept>;
+type THsReject = v.InferOutput<typeof vHsReject>;
+type THandshakeMessage = v.InferOutput<typeof vHandshakeMessage>;
+/** Serialize a handshake message for the wire (handshake frames are JSON — they aren't the hot path). */
+declare function encodeHandshakeMessage(message: THandshakeMessage): string;
+/** Parse + structurally validate an incoming handshake frame; `undefined` if it isn't one. */
+declare function decodeHandshakeMessage(raw: string): THandshakeMessage | undefined;
+/** Stable link id for a runtime coordinate — the key both the crypto link and the connection use. */
+declare function runtimeLinkId(coordinate: IRuntimeCoordinate): TTypeAndId;
+/**
+ * Everything needed to re-derive the shared AES-GCM key for an `encrypted` link after a restart —
+ * the remote's public keys + the HKDF salt/info used at handshake time. The local (server) key pair is
+ * recovered from its own persisted `ClientCryptoKeyLink` storage, so re-linking with this material
+ * yields the identical shared key without a fresh handshake.
+ */
+interface IHandshakeEncryptionKeyMaterial {
+  verifyPublicKey: TSerializedCryptoKeyData_Ed25519_Raw;
+  exchangePublicKey: TSerializedCryptoKeyData_X25519_Raw;
+  saltString: string;
+  infoString: string;
+  bindVerifyKeysIntoDerivation: boolean;
+}
+/** Outcome of a completed handshake — what the transport/handler needs to wire the channel. */
+interface IHandshakeResult {
+  /** The crypto-link id (and connection-registry key) for the authenticated remote. */
+  linkedClientId: TTypeAndId;
+  /** The remote's authenticated coordinate. */
+  remote: IRuntimeCoordinate;
+  securityLevel: ESecurityLevel;
+  /** For the `encrypted` level: material to restore the shared key after eviction (persist it). */
+  encryptionKeyMaterial?: IHandshakeEncryptionKeyMaterial;
+}
+interface IClientVerifyKeyResolveInput {
+  client: IRuntimeCoordinate;
+  verifyPublicKey: TSerializedCryptoKeyData_Ed25519_Raw;
+}
+interface IClientVerifyKeyResolver {
+  /**
+   * Decide whether a presented verify key is trusted for a client identity. The signature is already
+   * verified by the time this runs, so this is purely the identity-pinning decision. Swap in a
+   * persistent / pre-provisioned implementation without touching the protocol.
+   */
+  resolve(input: IClientVerifyKeyResolveInput): Promise<{
+    trusted: boolean;
+    reason?: string;
+  }>;
+}
+/**
+ * In-memory trust-on-first-use resolver: trusts (and pins) the first verify key seen for a client
+ * identity, then rejects a different key for that identity. The default; replace with a storage-backed
+ * resolver for cross-restart pinning (see Step 5).
+ */
+declare function createInMemoryTofuVerifyKeyResolver(): IClientVerifyKeyResolver;
+/**
+ * Storage-backed trust-on-first-use resolver: pins survive process restarts / Durable Object eviction
+ * (e.g. back it with `createDurableObjectStorageAdapter`). Same policy as the in-memory variant — trust
+ * + pin the first verify key per client identity, reject a different one thereafter.
+ */
+declare function createStorageTofuVerifyKeyResolver(storageAdapter: StorageAdapter): IClientVerifyKeyResolver;
+interface IClientHandshakeConfig {
+  link: ClientCryptoKeyLink;
+  localCoordinate: IRuntimeCoordinate;
+  dictionaryVersion: string;
+  securityLevel: ESecurityLevel;
+}
+declare function createClientHandshake(config: IClientHandshakeConfig): {
+  createHello(): Promise<THsHello>;
+  onWelcome(welcome: THsWelcome): Promise<THsProve>;
+  onAccept(accept: THsAccept): Promise<IHandshakeResult>;
+};
+interface IServerHandshakeConfig {
+  link: ClientCryptoKeyLink;
+  localCoordinate: IRuntimeCoordinate;
+  dictionaryVersion: string;
+  /**
+   * The level(s) this server accepts. A single level is strict (the client must match). An array is a
+   * negotiable allowed set — the server adopts whichever level the client requests, as long as it's in
+   * the set (lets one backend serve `authenticated` and `encrypted` clients at once). `none` in the set
+   * is handled by the transport/handler (a `none` client never reaches the handshake).
+   */
+  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
+  /** Trust decision for a client's verify key. Defaults to in-memory TOFU. */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
+}
+declare function createServerHandshake(config: IServerHandshakeConfig): {
+  onHello(hello: THsHello): Promise<THsWelcome | THsReject>;
+  onProve(prove: THsProve): Promise<THsAccept | THsReject>; /** The completed handshake result once `onProve` has accepted, else `undefined`. */
+  getResult(): IHandshakeResult | undefined;
+};
+//#endregion
+//#region src/ActionRuntime/Transport/Transport.d.ts
+/**
+ * Context handed to a {@link Transport} definition when a handler builds a live connection from it.
+ * Only bidirectional transports (WebSocket / Custom) make use of `resolvers`.
+ */
+interface ITransportConnectionContext {
+  resolvers?: IActionTransportResolvers;
+}
+/**
+ * Reusable transport definition. Devs construct these (`secureTransport({ carrier: wsCarrier(url) })`,
+ * `plainTransport({ carrier: httpCarrier(...) })`, …) and pass them to a
+ * `ConnectorHandler`. A single
+ * definition can be shared across multiple handlers — each handler builds its own live
+ * {@link TransportConnection} via {@link TransportConnection._createConnection}.
+ */
+declare abstract class Transport<T extends ETransportShape = ETransportShape> {
+  abstract readonly type: T;
+  /** Internal: build a fresh, per-handler live connection from this definition. */
+  abstract _createConnection(ctx: ITransportConnectionContext): TransportConnection<T>;
+  /**
+   * Resolve human-readable info about how a specific action would be routed through this transport
+   * (e.g. the request URL/method, or the WebSocket endpoint). Surfaced in the action devtools.
+   */
+  abstract getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/TransportConnection.d.ts
+/**
+ * Live, per-handler transport runtime built from a reusable {@link Transport} definition. Holds the
+ * connection-scoped state (ordinal, initialized config, sockets / abort sets) that must not be shared
+ * across handlers. Construct these via `definition._createConnection(...)`, never directly.
+ */
+declare abstract class TransportConnection<T extends ETransportShape = ETransportShape, RP extends ITransportRouteActionParams = ITransportRouteActionParams, RD extends IActionTransportReadyData_Base = IActionTransportReadyData_Base, I extends IActionTransportInitialized<RP, RD> = IActionTransportInitialized<RP, RD>, DEF extends IActionTransportDef<T, I> = IActionTransportDef<T, I>> {
+  readonly def: DEF;
+  readonly transOrd: number;
+  readonly type: T;
+  readonly initialized: I;
+  /** Backref to the public definition that created this connection (used for devtools route info). */
+  definition?: Transport<T>;
+  constructor(def: DEF);
+  /**
+   * Devtools route info for an action routed through this live connection. Defaults to the stateless
+   * {@link definition}'s info; connections override to enrich it from live state (e.g. the actual
+   * resolved socket URL) when the definition couldn't resolve it on its own.
+   */
+  getRouteInfo(input: RP): ITransportRouteInfo | undefined;
+  /**
+   * Build the live send/receive methods from a `ready` readyData, synchronously. This is the plain
+   * (no-handshake) path and the only required per-transport hook. Stream carriers that must await the
+   * carrier opening and/or run a handshake additionally override {@link _needsAsyncBringUp},
+   * {@link _awaitCarrierReady}, and {@link _finalizeReady}.
+   */
+  protected abstract _finalizeTransportMethods(inputs: RD): IActionTransportReadyData_Methods;
+  /**
+   * Whether a `ready`-status transport still needs asynchronous bring-up before its methods exist —
+   * awaiting the carrier to open and/or running a handshake. Default `false`: a stateless transport
+   * (HTTP) is usable the instant `getTransport` reports `ready`, so it stays a terminal *synchronous*
+   * fallback in {@link ConnectionTransportManager}. Stream carriers (Link/WS) override to `true`.
+   */
+  protected _needsAsyncBringUp(_readyData: RD): boolean;
+  /** Await the carrier becoming ready to send (e.g. a socket `open`). Default: nothing to await. */
+  protected _awaitCarrierReady(_readyData: RD): Promise<void>;
+  /**
+   * Finalize during async bring-up — may run a handshake, so it can be async. Defaults to the
+   * synchronous {@link _finalizeTransportMethods}; secure stream carriers override to branch plain/secure.
+   */
+  protected _finalizeReady(readyData: RD): IActionTransportReadyData_Methods | Promise<IActionTransportReadyData_Methods>;
+  protected _getCacheKey(input: RP): string | null;
+  getCacheKey(input: RP): string | null;
+  getTransport(input: RP): TTransportStatusInfo<IActionTransportReadyData_Methods>;
+  protected _processTransportStatus(input: RP): TTransportStatusInfo<IActionTransportReadyData_Methods>;
+  /** Await carrier readiness, then finalize (possibly running a handshake) into the live methods. */
+  private _bringUp;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Transport.types.d.ts
+/**
+ * Carrier-shape class identity: the one carrier-invariant trait the selection layer reasons about —
+ * whether a carrier can push unsolicited frames (`duplex`: WS/WebRTC/BLE/in-memory) or only answers a
+ * request with a single correlated reply (`exchange`: HTTP). The concrete carrier kind ("ws", "webrtc",
+ * "http", …) is a free-form {@link ITransportRouteInfo.carrierLabel} for display, not a class tag.
+ */
+declare enum ETransportShape {
+  duplex = "duplex",
+  exchange = "exchange"
+}
+/**
+ * Serializable, display-only description of how an action was routed through a transport. Stored on
+ * the action's route items and shown in the devtools external-handler chips. Keep this free of
+ * sensitive data (e.g. auth headers) — route items travel over the wire.
+ */
+interface ITransportRouteInfo {
+  /** Free-form carrier kind for the devtools chip — e.g. "ws", "webrtc", "http". */
+  carrierLabel: string;
+  /** Short label for chips, e.g. "POST /resolve_action" or "ws host/resolve_action/ws". */
+  summary?: string;
+  url?: string;
+  method?: string;
+  detail?: Record<string, string | number | boolean>;
+}
+interface IUpdateActionRunConfig_Output {
+  timeout?: number;
+}
+type TUpdateActionRunConfig = (input: ITransportRouteActionParams & {
+  timeout: number;
+}) => IUpdateActionRunConfig_Output;
+interface IActionTransportReadyData_Base {
+  updateRunConfig?: TUpdateActionRunConfig;
+}
+/**
+ * Client-side secure-channel config for a connector link — carrier-neutral (the secure session never
+ * cared about the carrier). When present (and `securityLevel !== none`), the connection runs the
+ * handshake during initialization and, at the `encrypted` level, encrypts every frame. The acceptor
+ * side adds a negotiable level set + verify-key resolver on top of this (see Phase 3's `ISecureConfig`).
+ */
+interface ISecureClientConfig {
+  /** The level this client requests; the peer must allow it. */
+  securityLevel: ESecurityLevel;
+  /** This client's crypto identity (verify + exchange key pairs, optionally persisted). */
+  link: ClientCryptoKeyLink;
+  /** This client's runtime coordinate — its authenticated identity to the peer. */
+  localCoordinate: IRuntimeCoordinate;
+  /** Wire dictionary version; the peer rejects the handshake on a mismatch. */
+  dictionaryVersion: string;
+}
+/**
+ *
+ *  TRANSPORT READINESS RESPONSE
+ *
+ */
+declare enum ETransportStatus {
+  uninitialized = "uninitialized",
+  unsupported = "unsupported",
+  initializing = "initializing",
+  ready = "ready",
+  failed = "failed"
+}
+interface ITransportStatusInfo_Base<S extends ETransportStatus> {
+  status: S;
+}
+interface ITransportStatusInfo_Failed extends ITransportStatusInfo_Base<ETransportStatus.failed> {
+  error: NiceError;
+  timeFailed: number;
+}
+interface ITransportStatusInfo_Unsupported extends ITransportStatusInfo_Base<ETransportStatus.unsupported> {}
+interface ITransportStatusInfo_Ready<READY extends IActionTransportReadyData_Base> extends ITransportStatusInfo_Base<ETransportStatus.ready> {
+  readyData: READY;
+}
+type TTransportInitializationFinishedInfo<READY extends IActionTransportReadyData_Base> = ITransportStatusInfo_Ready<READY> | ITransportStatusInfo_Failed | ITransportStatusInfo_Unsupported;
+interface ITransportStatusInfo_Initializing<READY extends IActionTransportReadyData_Base> extends ITransportStatusInfo_Base<ETransportStatus.initializing> {
+  timeStarted: number;
+  initializationPromise: Promise<TTransportInitializationFinishedInfo<READY>>;
+}
+type TTransportStatusInfo<READY extends IActionTransportReadyData_Base> = ITransportStatusInfo_Base<ETransportStatus.uninitialized> | ITransportStatusInfo_Unsupported | ITransportStatusInfo_Initializing<READY> | ITransportStatusInfo_Ready<READY> | ITransportStatusInfo_Failed;
+type TTransportStatusInfo_GetTransport_Output<READY extends IActionTransportReadyData_Base> = ITransportStatusInfo_Base<ETransportStatus.uninitialized> | ITransportStatusInfo_Unsupported | Omit<ITransportStatusInfo_Initializing<READY>, "timeStarted"> | ITransportStatusInfo_Ready<READY> | Omit<ITransportStatusInfo_Failed, "timeFailed">;
+/**
+ *
+ *  TRANSPORT ROUTING
+ *
+ */
+interface ITransportRouteClientParams {
+  localClient: RuntimeCoordinate;
+  externalClient: RuntimeCoordinate;
+}
+interface ITransportRouteActionParams extends ITransportRouteClientParams {
+  action: TActionPayload_Any_Instance<any, any>;
+}
+interface ITransportMethod_SendActionData_Input extends ITransportRouteActionParams {
+  runningAction: RunningAction<any, any>;
+  timeout: number;
+}
+interface ITransportDispatchAction<P> extends ITransportMethod_SendActionData_Input {
+  params: P;
+}
+type TSendActionDataMethod = (input: ITransportMethod_SendActionData_Input) => void;
+type TSendReturnDataMethod = (payload: TActionPayload_Any_Instance<any, any>,
+/**
+ * The local/external client pair this payload is being returned over. Bidirectional transports use
+ * it to build the full route params their outgoing formatter expects (e.g. binary packing). Optional
+ * so existing return-data implementations keep type-checking.
+ */
+
+clients?: ITransportRouteClientParams) => void;
+interface IActionTransportReadyData_Methods extends IActionTransportReadyData_Base {
+  sendActionData: TSendActionDataMethod;
+  /**
+   * Optional — implement on bidirectional transports (WebSocket, Custom) to enable return-path
+   * routing. When present, the runtime uses this to dispatch results and progress payloads directly
+   * back to `originClient` without going through the original request transport.
+   */
+  sendReturnData?: TSendReturnDataMethod;
+  addOnDisconnectListener?: (callback: () => void) => void;
+  /**
+   * Optional — implement on transports holding a long-lived connection (WebSocket, Custom) to close it
+   * deliberately. Called by `ConnectorHandler.clearTransportCache()` so a teardown actually
+   * releases the underlying socket instead of leaving it open until GC.
+   */
+  disconnect?: () => void;
+}
+interface IActionTransportReady {
+  methods: IActionTransportReadyData_Methods;
+  transport: TransportConnection;
+}
+type TTransportCache = Map<string, IActionTransportReady | Promise<IActionTransportReady>>;
+type TOnResolveIncomingRequest = (request: ActionPayload_Request<any>) => void;
+type TOnResolveIncomingRequestJson = (request: IActionPayload_Request_JsonObject<any>) => void;
+type TOnResolveIncomingResponse = (response: ActionPayload_Result<any>) => void;
+type TOnResolveIncomingResponseJson = (response: IActionPayload_Result_JsonObject<any>) => void;
+type TOnResolveAnyIncomingActionData = (actionData: ActionPayload_Request<any> | ActionPayload_Result<any>) => void;
+type TOnResolveAnyIncomingActionData_Json = (actionData: TActionPayload_Any_JsonObject<any>) => void;
+interface IActionTransportResolvers {
+  onIncomingActionDataJson: TOnResolveAnyIncomingActionData_Json;
+}
+type TGetTransportFn<IN extends ITransportRouteActionParams, READY extends IActionTransportReadyData_Base> = (input: IN) => TTransportStatusInfo_GetTransport_Output<READY>;
+interface IActionTransportInitialized<IN extends ITransportRouteActionParams, READY extends IActionTransportReadyData_Base> {
+  getTransportCacheKey?: (input: IN) => string[];
+  getTransport: TGetTransportFn<IN, READY>;
+}
+interface IActionTransportDef<TYPE extends ETransportShape, INIT extends IActionTransportInitialized<any, any>> {
+  type: TYPE;
+  initialize: () => INIT;
+}
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Connector/ConnectorHandler.types.d.ts
+interface IConnectorHandlerConfig {
+  defaultTimeout?: number;
+  runtimeCoordinate: RuntimeCoordinate;
+  transports: Transport[];
+}
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Connector/ConnectorHandler.d.ts
+/**
+ * Dial-out peer link: this runtime opens connection(s) to one peer over a transport stack (cached, with
+ * preference-ordered fallback). The classic "client → backend" handler — but to the runtime it's just a
+ * {@link PeerLinkHandler} like the accept-in server one.
+ */
+declare class ConnectorHandler extends PeerLinkHandler {
+  /**
+   * Dial-out can receive (and so return) an unsolicited push only over a duplex transport. With every
+   * transport exchange-only (HTTP), the peer can never push to us — so this link can't deliver one back.
+   */
+  readonly canPush: boolean;
+  private _defaultTimeout;
+  private _transportCache;
+  private transportManager;
+  constructor({
+    runtimeCoordinate: peerSpecifier,
+    transports,
+    defaultTimeout
+  }: IConnectorHandlerConfig);
+  handleActionRequest<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions): Promise<RunningAction<DOM, ID>>;
+  private _dispatchWhenTransportReady;
+  /**
+   * Dispatch a result or progress payload directly back to the external client via the best
+   * available bidirectional transport (WebSocket / Custom). Used for return-path routing when the
+   * local runtime recognises that it has a direct channel to the action's originClient.
+   *
+   * Returns `true` if the payload was sent, `false` if no suitable transport was available.
+   */
+  sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
+    targetLocalRuntime: ActionRuntime;
+  }): Promise<boolean>;
+  toJsonObject(): IActionHandler_Peer_Json;
+  toHandlerRouteItem(transport: TransportConnection, input: ITransportRouteActionParams): IActionRouteItemHandler;
+  clearTransportCache(): void;
+}
+declare const createConnectorHandler: (config: IConnectorHandlerConfig) => ConnectorHandler;
+//#endregion
+//#region src/ActionRuntime/ActionRuntime.d.ts
+declare class ActionRuntime {
+  private _coordinate;
+  readonly timeCreated: number;
+  readonly runtimeInfo: IRuntimeMeta;
+  private readonly actionRouter;
+  private readonly _pendingRunningActions;
+  private readonly _registeredPeerHandlers;
+  private _applied;
+  static getDefault(): ActionRuntime;
+  constructor(coordinate: RuntimeCoordinate);
+  get coordinate(): RuntimeCoordinate;
+  specifyRuntimeCoordinate(specifics: IRuntimeCoordinateSpecifics & {
+    envId?: string;
+  }): void;
+  registerRunningAction(ra: RunningAction<any, any>): void;
+  resolveIncomingActionPayload(json: TActionPayload_Any_JsonObject<any, any>): void;
+  /**
+   * Handle an incoming action wire (e.g. from a transport layer), route it to
+   * the correct handler, and return the response. The most specific handler
+   * match is chosen (action-ID-specific beats domain-wildcard).
+   */
+  handleActionPayloadWire<D extends IActionDomain, ID extends keyof D["actionSchema"] & string>(wire: TActionPayload_Any_JsonObject<D, ID>): Promise<RunningAction<D, ID>>;
+  handleActionPayloadWire(wire: unknown): Promise<RunningAction<any, any>>;
+  handleActionPayload<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: TActionPayload_Any_Instance<DOM, ID>, options?: Omit<IHandleActionOptions, "targetLocalRuntime">): Promise<RunningAction<DOM, ID>>;
+  /**
    * @internal
    *
    * Return the first handler registered for the given action, or `undefined`
@@ -950,13 +1268,13 @@ declare class ActionRuntime {
   addHandlers(handlers: TActionRuntimeHandler[]): this;
   /**
    * Declare an external "backend client" in one call: build an
-   * {@link ActionExternalClientHandler} for `externalCoordinate` carrying the given
+   * {@link ConnectorHandler} for `externalCoordinate` carrying the given
    * `transports`, route the listed `domains`/`actions` to it, register it (plus any
    * `localHandlers` — e.g. server→client push handlers that share the same channel)
    * on this runtime, and `apply()`. Returns the external handler so the caller can
    * later `clearTransportCache()` it.
    *
-   * Sugar over `new ActionExternalClientHandler(...).forDomain(...)` + `addHandlers([...])`,
+   * Sugar over `new ConnectorHandler(...).forDomain(...)` + `addHandlers([...])`,
    * so a single runtime can host one handler per backend target with its transports
    * declared once and reused across every action routed to that backend.
    */
@@ -966,7 +1284,7 @@ declare class ActionRuntime {
     actions?: ActionCore<any, any>[];
     localHandlers?: TActionRuntimeHandler[];
     defaultTimeout?: number;
-  }): ActionExternalClientHandler;
+  }): ConnectorHandler;
   private applyRuntimeForDomain;
   /**
    * Register this runtime with all root domains covered by its currently-added handlers,
@@ -978,8 +1296,14 @@ declare class ActionRuntime {
    * Find the best registered external handler that can reach `originClient` directly.
    * Used to locate the return-path channel for dispatching results back to the action origin.
    * Returns `undefined` if no handler matches (score > 0 required, i.e. at least id must match).
+   *
+   * A handler that currently holds the origin's *live* connection always wins over a mere coordinate
+   * match — so with several duplex acceptors (e.g. WS + WebRTC) a result/push routes back over the carrier
+   * the client actually connected on, never a same-coordinate sibling that lacks the socket. Only when no
+   * handler owns a live connection do we fall back to the plain best-coordinate-score pick (the
+   * single-acceptor and connector-only cases, unchanged).
    */
-  getReturnHandlerForOrigin(originClient: RuntimeCoordinate): ActionExternalClientHandler | undefined;
+  getReturnHandlerForOrigin(originClient: RuntimeCoordinate): PeerLinkHandler | undefined;
   resetRuntime(): void;
   private _trySetupReturnDispatch;
 }
@@ -1076,640 +1400,978 @@ declare const createActionRootDomain: <ID extends string>(definition: {
   domain: ID;
 }) => ActionRootDomain<IActionRootDomain<ID>>;
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/err_nice_external_client.d.ts
-declare const err_nice_external_client: import("@nice-code/error").NiceErrorDomain<{
-  domain: string;
-  allDomains: [string, string, "err_nice"];
-  schema: {};
-}>;
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Custom/TransportCustom.types.d.ts
-interface IActionTransportReadyData_Custom extends IActionTransportReadyData_Base {
-  sendActionData: (input: ITransportMethod_SendActionData_Input) => void;
-  sendReturnData?: TSendReturnDataMethod;
-  closeTransport: (input?: ITransportRouteActionParams) => void;
+//#region src/ActionRuntime/Transport/codec/actionWireCodec.d.ts
+/**
+ * Shared building blocks for the binary action codecs (the stateless {@link createBinaryWireAdapter} and
+ * the per-connection `createBinaryWireSessionFactory`). Both map a `domain:id` route to a tiny integer
+ * and reduce the verbose JSON wire to a positional tuple — they only differ in how much context they
+ * carry per frame, so the dictionary + payload (de)assembly live here.
+ */
+/**
+ * The carrier-neutral codec a Link connection uses to (de)serialize action payloads on the wire — the
+ * same shape every duplex carrier (WS/WebRTC/in-memory) shares.
+ */
+interface IActionWireFormat {
+  /**
+   * Pack an outgoing action payload. Return a `string` for text frames (JSON) or a binary
+   * `Uint8Array`/`ArrayBuffer` for optimized binary frames (e.g. msgpackr).
+   */
+  outgoing: (input: ITransportRouteActionParams) => string | Uint8Array | ArrayBuffer;
+  /**
+   * Unpack an incoming frame back into the wire JSON object the runtime hydrates + validates. Return
+   * `undefined` to defer to the connection's built-in JSON parser — this is how binary adapters stay
+   * backward compatible with plain-JSON clients on the same socket.
+   */
+  incoming?: (input: string | ArrayBuffer | Uint8Array | Blob) => TActionPayload_Any_JsonObject<any, any> | undefined;
 }
-interface IActionTransportInitialized_Custom extends IActionTransportInitialized<ITransportRouteActionParams, IActionTransportReadyData_Custom> {}
-interface IActionTransportDef_Custom extends IActionTransportDef<ETransportType.custom, IActionTransportInitialized_Custom> {}
-type TActionTransportDef_Custom_NoType = Omit<IActionTransportDef_Custom, "type">;
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Custom/CustomConnection.d.ts
-declare class CustomConnection extends TransportConnection<ETransportType.custom, ITransportRouteActionParams, IActionTransportReadyData_Custom, IActionTransportInitialized_Custom, IActionTransportDef_Custom> {
-  constructor(def: TActionTransportDef_Custom_NoType);
-  protected _finalizeTransportMethods(inputs: IActionTransportReadyData_Custom): IActionTransportReadyData_Methods;
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/AcceptorHandler.d.ts
+/** The codec shape `AcceptorHandler` uses to pack/unpack frames — same as the Link transport's. */
+type TActionChannelFormatMessage = IActionWireFormat;
+/** How a connection encodes its frames, remembered so we answer each client in its own dialect. */
+type TActionConnectionEncoding = "json" | "binary";
+/** A connection's restorable identity — what to persist so a binding survives transport eviction. */
+interface IAcceptorConnectionBinding {
+  /** Full client coordinate, so `originClient` can be re-injected into frames that omit it. */
+  client: IRuntimeCoordinate;
+  encoding: TActionConnectionEncoding;
+  /**
+   * Secure-session state (set once a connection's handshake completes). Persist it alongside the
+   * binding so an authenticated/encrypted connection resumes after eviction without re-handshaking —
+   * the `keyMaterial` lets the server re-derive the shared key from its own persisted identity.
+   */
+  secure?: {
+    securityLevel: ESecurityLevel;
+    linkedClientId: TTypeAndId;
+    keyMaterial?: IHandshakeEncryptionKeyMaterial;
+  };
 }
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Custom/CustomTransport.d.ts
-interface ICustomTransportSharedOptions {
-  updateRunConfig?: TUpdateActionRunConfig;
-  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
-  /** Short label shown in the devtools chip (defaults to "custom"). */
-  label?: string;
-  /** Override the devtools route info for a specific action. */
-  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+/**
+ * Server-side secure-channel config. When set, each connection negotiates a level from
+ * {@link securityLevel}: an `authenticated`/`encrypted` client must complete the handshake (and is then
+ * bound to its *authenticated* coordinate) before any action frame is accepted. A `none` client (only
+ * when `none` is in the allowed set) is accepted as-is with a self-asserted identity. For the
+ * `encrypted` level the codec source should be a session factory (`createFormatMessage`).
+ */
+interface IAcceptorSecurity {
+  /**
+   * Accepted level(s). A single level is strict; an array is a negotiable allowed set — the server
+   * adopts whichever level each client requests (e.g. `[none, authenticated, encrypted]` serves all
+   * three over one endpoint).
+   */
+  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
+  /** This server's crypto identity (verify + exchange key pairs, optionally persisted). */
+  link: ClientCryptoKeyLink;
+  /** This server's coordinate — its identity to clients during the handshake. */
+  localCoordinate: IRuntimeCoordinate;
+  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
+  dictionaryVersion: string;
+  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
 }
-interface ICustomTransportSendOptions extends ICustomTransportSharedOptions {
-  /** Send a request/progress payload to the external client. */
-  sendActionData: (input: ITransportMethod_SendActionData_Input) => void;
-  /** Optional return-path dispatch for bidirectional channels. */
-  sendReturnData?: TSendReturnDataMethod;
-  closeTransport?: (input?: ITransportRouteActionParams) => void;
+interface IAcceptorHandlerBaseOptions<TConn> {
+  /**
+   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`).
+   * The runtime's return-path dispatch scores incoming actions' `originClient` against this to pick
+   * this handler for sending results/pushes back over the right channel.
+   */
+  clientEnv: RuntimeCoordinate;
+  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
+  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
+  /**
+   * The runtime this handler belongs to. When set, {@link AcceptorHandler.broadcast} can be called
+   * without threading a runtime through each call. Optional — `pushToClient` still takes one explicitly.
+   */
+  runtime?: ActionRuntime;
+  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
+  defaultTimeout?: number;
+  /**
+   * Called once when a connection is first bound to a client identity. Use it to persist the binding
+   * for transports that can resume after eviction — e.g. a Durable Object's hibernatable WebSocket:
+   * `(ws, binding) => ws.serializeAttachment(binding)` — then replay it via {@link AcceptorHandler.rehydrateConnection}
+   * when the channel comes back.
+   */
+  onConnectionBound?: (connection: TConn, binding: IAcceptorConnectionBinding) => void;
+  /**
+   * Enable the authenticated (optionally encrypted) handshake. When omitted, connections are trusted
+   * as-is (identity self-asserted) — fine for dev / trusted networks.
+   */
+  security?: IAcceptorSecurity;
+}
+/**
+ * Provide exactly one codec source:
+ * - `formatMessage` — a single shared codec for every connection (stateless, e.g. `createBinaryWireAdapter`).
+ * - `createFormatMessage` — a per-connection factory for stateful codecs (e.g.
+ *   `createBinaryWireSessionFactory`, whose sessions hold correlation + identity state). Required for the
+ *   leanest binary wire; the handler creates and caches one codec per connection.
+ */
+type IAcceptorHandlerOptions<TConn> = IAcceptorHandlerBaseOptions<TConn> & ({
+  formatMessage: TActionChannelFormatMessage;
+  createFormatMessage?: never;
+} | {
+  createFormatMessage: () => TActionChannelFormatMessage;
+  formatMessage?: never;
+});
+/**
+ * A connection-aware execution case (see {@link AcceptorHandler.forConnectionDomainCases}). It
+ * receives the primed request plus the originating client's live connection (already resolved from the
+ * request's `originClient`, `undefined` if the socket is gone), and may return the action's raw output,
+ * a result payload, or nothing (auto-wrapped as an empty success) — exactly like a local handler case.
+ */
+type TAcceptorConnectionCaseFn<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string, TConn> = (action: TDistributeActionPayload_Request<DOM, ID>, connection: TConn | undefined) => ReturnType<THandleActionExecutionFn<DOM, ID>> | void;
+/**
+ * Server-side handler for backends that accept many client connections over a single open channel
+ * (WebSockets, Durable Objects, …). It is transport-agnostic: you feed it inbound frames with
+ * {@link receive} and tell it how to write outbound frames via the `send` option.
+ *
+ * Add it alongside your local execution handler:
+ * ```ts
+ * const serverHandler = createAcceptorHandler({ clientEnv, formatMessage, send: (ws, f) => ws.send(f) });
+ * runtime.addHandlers([localHandler, serverHandler]);
+ * // per inbound message (e.g. a Durable Object's webSocketMessage):
+ * serverHandler.receive(ws, message);
+ * ```
+ *
+ * Inbound requests route to your local handler; the runtime's return dispatch then calls this
+ * handler back (it is an external handler keyed to `clientEnv`) to send the result to the originating
+ * connection. The handler keeps a per-connection identity registry so each result lands on the right
+ * socket, and remembers each connection's encoding so binary and JSON clients can share the channel.
+ *
+ * It registers an empty action router, so it is never chosen to *execute* an inbound request — only
+ * to ferry results/pushes back out.
+ */
+declare class AcceptorHandler<TConn = unknown> extends PeerLinkHandler {
+  /** Accept-in over a live (duplex) connection registry — it pushes results/broadcasts to bound sockets. */
+  readonly canPush = true;
+  private readonly _formatMessage?;
+  private readonly _createFormatMessage?;
+  private readonly _send;
+  private readonly _runtime?;
+  private readonly _serverTimeout;
+  private _onConnectionBound?;
+  private readonly _security?;
+  /** Normalized accepted levels; whether `none` (plain) is allowed; whether any level needs a handshake. */
+  private readonly _allowedLevels;
+  private readonly _noneAllowed;
+  private readonly _handshakeMode;
+  private readonly _connByClient;
+  private readonly _clientByConn;
+  private readonly _connEncoding;
+  private readonly _codecByConn;
+  private readonly _sessionByConn;
+  constructor(options: IAcceptorHandlerOptions<TConn>);
+  /**
+   * The codec for a connection: a per-connection session (cached) when a factory was provided, else
+   * the single shared `formatMessage`.
+   */
+  private _codecFor;
+  /**
+   * Register (or replace) the connection-bound persistence callback after construction. Used by
+   * lifecycle helpers like {@link createHibernatableWsServerAdapter} so persistence and replay are
+   * owned by one place instead of being split across the constructor options.
+   */
+  setOnConnectionBound(onConnectionBound: (connection: TConn, binding: IAcceptorConnectionBinding) => void): void;
+  /**
+   * Feed one inbound frame from a connection into the runtime. Decodes text or binary, binds the
+   * connection to the requesting client's identity, then routes it (requests execute locally;
+   * results/progress resolve pending server-initiated actions).
+   */
+  receive(connection: TConn, frame: string | ArrayBuffer | Uint8Array): void;
+  private _receivePlain;
+  /**
+   * The secure session for a connection (built lazily on its first secure-mode frame), with the
+   * handler-owned effects — raw send, identity binding + persistence, and inbound routing — wired in as
+   * callbacks. The session owns all crypto/handshake/chain state; the handler keeps only the registry.
+   */
+  private _sessionFor;
+  /** Bind + persist a connection's authenticated identity once its handshake completes. */
+  private _onConnectionAuthenticated;
+  /** Decode a decrypted authenticated frame, inject the *authenticated* identity, and route it. */
+  private _routeAuthedActionBytes;
+  /**
+   * Ensure an inbound request carries the client's identity and that this connection is bound to it,
+   * so its result can be routed back. A session codec omits `originClient` after the first request, so
+   * when it's missing we restore it from the (possibly rehydrated) binding instead. (Plain mode only;
+   * secure mode binds the authenticated coordinate at handshake time.)
+   */
+  private _resolveRequestIdentity;
+  /**
+   * Restore a connection→client binding without an inbound frame — for transports that resume after
+   * eviction. Pair it with the {@link IAcceptorHandlerOptions.onConnectionBound} hook: persist
+   * the binding there, then replay each live connection here when the channel comes back (e.g. a
+   * Durable Object iterating `ctx.getWebSockets()` as it wakes from hibernation).
+   */
+  rehydrateConnection(connection: TConn, binding: IAcceptorConnectionBinding): void;
+  toJsonObject(): IActionHandler_Peer_Json;
+  toHandlerRouteItem(): IActionRouteItemHandler;
+  /** Forget a connection (call on socket close) so stale entries don't misroute later results. */
+  dropConnection(connection: TConn): void;
+  /** Live connection for a client coordinate, if currently registered. */
+  getConnectionForClient(client: RuntimeCoordinate): TConn | undefined;
+  /** This acceptor owns the origin's return path when it currently holds a live connection bound to it. */
+  ownsLiveConnectionFor(origin: RuntimeCoordinate): boolean;
+  /** Whether this acceptor currently tracks `connection` — used to pick the owning handler among several. */
+  hasConnection(connection: TConn): boolean;
+  /**
+   * Send (and optionally await) a server-initiated action to a specific connected client. Pass the
+   * connection token directly (e.g. the `ws`) or a client `RuntimeCoordinate` to look one up.
+   */
+  pushToClient<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(runtime: ActionRuntime, target: TConn | RuntimeCoordinate, request: ActionPayload_Request<DOM, ID>, options?: {
+    timeout?: number;
+  }): RunningAction<DOM, ID>;
+  /**
+   * Build a local handler whose cases are connection-aware: each case receives the primed request and
+   * the originating client's live connection (resolved from `originClient`), so handlers don't repeat
+   * the `getConnectionForClient(action.context.originClient)` lookup. Cases may return raw output or
+   * nothing, just like {@link ActionLocalHandler.forDomainActionCases}. Add the returned handler to the
+   * runtime alongside this server handler:
+   * ```ts
+   * runtime.addHandlers([serverHandler.forConnectionDomainCases(domain, { … }), serverHandler]);
+   * ```
+   */
+  forConnectionDomainCases<FOR_DOM extends IActionDomain>(domain: ActionDomain<FOR_DOM>, cases: { [ID in keyof FOR_DOM["actionSchema"] & string]?: TAcceptorConnectionCaseFn<FOR_DOM, ID, TConn> }): ActionLocalHandler;
+  /**
+   * Like {@link forConnectionDomainCases} but spanning several domains with one merged case map — used
+   * by channel-derived wiring (`acceptChannelConnections`) where the channel's `toAcceptor` domains are
+   * served together. Each domain takes only the cases whose ids it owns, so a single map can cover
+   * several domains and unrelated ids are ignored.
+   */
+  forConnectionDomainCasesMulti(domains: readonly ActionDomain<any>[], cases: Record<string, TAcceptorConnectionCaseFn<any, any, TConn> | undefined>): ActionLocalHandler;
+  /**
+   * Fan a server-initiated request out to every currently-bound connection. A fresh request is built
+   * per connection (each push mutates its own action context) and dispatched fire-and-forget. Pass
+   * `except` to skip the originating socket and `where` to filter by connection (e.g. read its
+   * attachment for a role). Iterating bound connections (rather than every accepted socket) skips
+   * sockets that are still mid-handshake and so can't yet receive a frame.
+   */
+  broadcast<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(makeRequest: () => ActionPayload_Request<DOM, ID>, options?: {
+    runtime?: ActionRuntime;
+    except?: TConn | null;
+    where?: (connection: TConn) => boolean;
+    timeout?: number;
+    onError?: (error: unknown, connection: TConn) => void;
+  }): void;
+  sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
+    targetLocalRuntime: ActionRuntime;
+  }): Promise<boolean>;
+  handleActionRequest<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions): Promise<RunningAction<DOM, ID>>;
+  private _dispatch;
+  private _sendPayload;
+  private _bindConnection;
+  private _resolveConnection;
+  private _resolveSingleConnection;
 }
-interface ICustomTransportAdvancedOptions extends ICustomTransportSharedOptions {
-  /** Full control over readiness/initialization for the custom channel. */
-  getTransport: IActionTransportInitialized_Custom["getTransport"];
+declare const createAcceptorHandler: <TConn = unknown>(options: IAcceptorHandlerOptions<TConn>) => AcceptorHandler<TConn>;
+//#endregion
+//#region src/ActionRuntime/Transport/codec/createBinaryWireSessionFactory.d.ts
+type TFormatMessage = IActionWireFormat;
+interface IBinaryWireSessionOptions {
+  /** Override how long an unresolved correlation is retained before being swept (ms). */
+  correlationTtlMs?: number;
 }
-type TCustomTransportOptions = (ICustomTransportSendOptions & {
-  mode: "send";
-}) | (ICustomTransportAdvancedOptions & {
-  mode: "advanced";
-});
 /**
- * Reusable custom transport definition for channels nice-action doesn't model natively. Create one
- * with `CustomTransport.create({ sendActionData })` for the simple case, or
- * `CustomTransport.createAdvanced({ getTransport })` for full control over the lifecycle.
+ * Builds a factory of *stateful, per-connection* codecs for {@link LinkTransport} /
+ * `AcceptorHandler` — the maximally compact binary wire. Call the returned factory once per live
+ * connection (each socket on the client, each accepted connection on the server) so every channel
+ * gets its own correlation + identity state.
+ *
+ * On top of everything {@link createBinaryWireAdapter} drops, a session also drops:
+ * - **`cuid`** — replaced by a per-connection integer correlation id. The initiator maps it to its
+ *   real cuid; the responder echoes it; each side reconstructs the cuid from its own map. Correlation
+ *   only needs to be unique per socket, so a counter suffices.
+ * - **`originClient` after the first request** — the first request each side sends carries its
+ *   identity; the peer remembers it and injects it into later frames. Replies omit it entirely (a
+ *   reply carries the initiator's own origin, which the initiator already knows).
+ *
+ * Both ends MUST build the factory from the same domains in the same order (positional dictionary).
+ * Text frames still return `undefined` from `incoming`, so JSON clients remain interoperable.
+ *
+ * Hibernation note: after a server connection is evicted its session resets, so a still-connected
+ * client (whose session persists) will keep omitting `originClient`. The server must therefore restore
+ * the connection→client binding from its own store (see `AcceptorHandler.rehydrateConnection`) and
+ * inject `originClient` from there — the session alone can't recover it.
  */
-declare class CustomTransport extends Transport<ETransportType.custom> {
-  private readonly options;
-  readonly type = ETransportType.custom;
-  constructor(options: TCustomTransportOptions);
-  static create(options: ICustomTransportSendOptions): CustomTransport;
-  static createAdvanced(options: ICustomTransportAdvancedOptions): CustomTransport;
-  _createConnection(_ctx: ITransportConnectionContext): CustomConnection;
-  getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/err_nice_transport.d.ts
-declare enum EErrId_NiceTransport {
-  timeout = "timeout",
-  not_found = "not_found",
-  unsupported = "unsupported",
-  initialization_failed = "initialization_failed",
-  send_failed = "send_failed",
-  invalid_action_response = "invalid_action_response"
-}
-declare const err_nice_transport: import("@nice-code/error").NiceErrorDomain<{
-  domain: string;
-  allDomains: [string, string, string, "err_nice"];
-  schema: {
-    timeout: import("@nice-code/error").INiceErrorIdMetadata<{
-      timeout: number;
-    }, import("@nice-code/error").JSONSerializableValue>;
-    not_found: import("@nice-code/error").INiceErrorIdMetadata<{
-      actionId: string;
-    }, import("@nice-code/error").JSONSerializableValue>;
-    unsupported: import("@nice-code/error").INiceErrorIdMetadata<{
-      transportTypes: ETransportType[];
-    }, import("@nice-code/error").JSONSerializableValue>;
-    initialization_failed: import("@nice-code/error").INiceErrorIdMetadata<{
-      actionId: string;
-    }, import("@nice-code/error").JSONSerializableValue>;
-    send_failed: import("@nice-code/error").INiceErrorIdMetadata<{
-      actionState: string;
-      actionId: string;
-      httpStatusCode?: number;
-      message?: string;
-    }, import("@nice-code/error").JSONSerializableValue>;
-    invalid_action_response: import("@nice-code/error").INiceErrorIdMetadata<{
-      actionId: string;
-    }, import("@nice-code/error").JSONSerializableValue>;
-  };
-}>;
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/err_nice_transport_ws.d.ts
-declare enum EErrId_NiceTransport_WebSocket {
-  ws_disconnected = "ws_disconnected",
-  ws_create_failed = "ws_create_failed",
-  ws_error = "ws_error"
-}
-declare const err_nice_transport_ws: import("@nice-code/error").NiceErrorDomain<{
-  domain: string;
-  allDomains: [string, string, string, string, "err_nice"];
-  schema: {
-    ws_disconnected: import("@nice-code/error").INiceErrorIdMetadata<Record<string, never>, import("@nice-code/error").JSONSerializableValue>;
-    ws_create_failed: import("@nice-code/error").INiceErrorIdMetadata<{
-      originalError?: Error;
-    }, import("@nice-code/error").JSONSerializableValue>;
-    ws_error: import("@nice-code/error").INiceErrorIdMetadata<{
-      originalError?: Error;
-    }, import("@nice-code/error").JSONSerializableValue>;
-  };
-}>;
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Http/TransportHttp.types.d.ts
-interface IHttpRequestParams {
-  url: string;
-  headers?: Record<string, string>;
-  body?: string;
-}
-interface IActionTransportReadyParams_Http {
-  request: IHttpRequestParams;
-}
-interface IActionTransportReadyData_Http extends IActionTransportReadyData_Base {
-  createRequest: (input: ITransportRouteActionParams) => IHttpRequestParams;
-}
-interface IActionTransportInitialized_Http extends IActionTransportInitialized<ITransportRouteActionParams, IActionTransportReadyData_Http> {}
-interface IActionTransportDef_Http extends IActionTransportDef<ETransportType.http, IActionTransportInitialized_Http> {}
+declare function createBinaryWireSessionFactory(domains: ActionDomain<any>[], options?: IBinaryWireSessionOptions): () => TFormatMessage;
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Http/HttpConnection.d.ts
-declare class HttpConnection extends TransportConnection<ETransportType.http, ITransportRouteActionParams, IActionTransportReadyData_Http, IActionTransportInitialized_Http, IActionTransportDef_Http> {
-  constructor(def: Omit<IActionTransportDef_Http, "type">);
-  _finalizeTransportMethods(methods: IActionTransportReadyData_Http): IActionTransportReadyData_Methods;
-  protected send(input: ITransportDispatchAction<IActionTransportReadyParams_Http>): Promise<void>;
+//#region src/ActionRuntime/Channel/secureChannel.d.ts
+/** The per-connection binary session codec — built once per socket from the channel's domains. */
+type TChannelCodec = IActionWireFormat;
+/**
+ * The shared identity of a secure channel (carrier-agnostic — WS, WebRTC, HTTP, …): the wire
+ * dictionary version both ends check during the handshake, plus the per-connection codec factory both
+ * ends build from the *same* domain list. Define it once (typically in code shared by both peers) and
+ * hand it to `secureTransport` on the connector and `serveChannel` (or the lower-level `acceptChannel` /
+ * `createSecureAcceptorHandler`) on the acceptor, so the codec and version can never drift apart.
+ */
+interface ISecureChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[]> extends IActionChannel<TO_ACCEPTOR, TO_CONNECTOR> {
+  /** Wire dictionary version — derived from the domains by default; the handshake rejects a mismatch. */
+  dictionaryVersion: string;
+  /** Per-connection session codec factory (call once per live connection). */
+  createCodec: () => TChannelCodec;
 }
+/**
+ * Bundle a secure channel's shared identity from its transported domains. Both ends MUST call this
+ * with the same domains in the same order (the binary wire dictionary is positional). The
+ * `dictionaryVersion` is derived from those domains unless you pin an explicit one.
+ *
+ * Declare the domains *by role* — `toAcceptor` (connector→acceptor requests) and `toConnector`
+ * (acceptor→connector pushes) — so the routing for both ends is derived from the channel (see
+ * {@link connectChannel} and `acceptChannelConnections`) instead of being restated at each end. The
+ * wire dictionary spans `[...toAcceptor, ...toConnector]` in that order; add new domains to the end of
+ * their list to keep older peers compatible. (`domains` is still accepted as a legacy alias for
+ * `toAcceptor`.)
+ */
+declare function defineSecureChannel<const TO_ACCEPTOR extends readonly ActionDomain<any>[] = [], const TO_CONNECTOR extends readonly ActionDomain<any>[] = []>(options: {
+  /** Domains the connector sends to the acceptor (connector→acceptor requests), in a stable order. */toAcceptor: TO_ACCEPTOR; /** Domains the acceptor pushes to the connector (acceptor→connector), in a stable order. */
+  toConnector: TO_CONNECTOR; /** Pin a human-readable version instead of the derived hash (must match on both ends). */
+  dictionaryVersion?: string; /** Tuning for the per-connection binary session (e.g. correlation TTL). */
+  sessionOptions?: IBinaryWireSessionOptions;
+}): ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>;
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/Http/HttpTransport.d.ts
-interface IHttpTransportOptions {
+//#region src/ActionRuntime/Channel/ActionChannel.d.ts
+/**
+ * A transport-agnostic routing contract between two runtimes, declared *by role* rather than by
+ * "client"/"server". The two ends are named for the only asymmetry that survives every carrier (WS,
+ * WebRTC, BLE, raw TCP): which side dials and which side accepts.
+ *
+ * - The **connector** dials out and opens the link ({@link connectChannel}).
+ * - The **acceptor** accepts incoming links and can push back ({@link acceptChannelConnections}).
+ *
+ * `toAcceptor` domains flow connector→acceptor (the classic "request"); `toConnector` domains flow
+ * acceptor→connector (the classic "push"). Both ends derive their routing from the same channel instead
+ * of restating domain lists — and because the contract is independent of how bytes move, the very same
+ * channel can be carried over HTTP, secure WebSockets, or a mix (WS preferred, HTTP fallback).
+ *
+ * Build a plain one with {@link defineChannel}; layer wire-specific identity on top with
+ * `defineSecureChannel` (which returns an `ISecureChannel` — still an `IActionChannel`, so it works
+ * everywhere a channel is expected).
+ */
+interface IActionChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[]> {
   /**
-   * Build the HTTP request for an action. Return a static request for the simple case, or derive the
-   * url / headers / body from the action params for full control.
+   * Domains the connector *sends to the acceptor* (connector→acceptor requests). The connector forwards
+   * them over its transport(s); the acceptor executes them.
    */
-  createRequest: (input: ITransportRouteActionParams) => IHttpRequestParams;
-  updateRunConfig?: TUpdateActionRunConfig;
-  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
+  toAcceptorDomains: TO_ACCEPTOR;
+  /**
+   * Domains the acceptor *pushes to the connector* (acceptor→connector). The connector registers local
+   * handlers for them ({@link connectChannel}'s `onPush`); the acceptor broadcasts them. Pushes need a
+   * bidirectional transport (e.g. a WebSocket) — over a request-only transport like HTTP they simply
+   * never flow.
+   */
+  toConnectorDomains: TO_CONNECTOR;
 }
 /**
- * Reusable HTTP transport definition. Create one with `HttpTransport.create({ createRequest })` — the
- * single `createRequest` function lets you keep it simple (`() => ({ url })`) or derive the request
- * per action.
+ * Declare a transport-agnostic channel by role. Use it for HTTP, custom transports, or as the routing
+ * half of a richer channel. The order of each list is part of the contract for wire formats that pack
+ * positionally (see `defineSecureChannel`) — add new domains to the end of their list. (`domains` is
+ * accepted as a legacy alias for `toAcceptor`.)
  */
-declare class HttpTransport extends Transport<ETransportType.http> {
-  private readonly options;
-  readonly type = ETransportType.http;
-  constructor(options: IHttpTransportOptions);
-  static create(options: IHttpTransportOptions): HttpTransport;
-  _createConnection(_ctx: ITransportConnectionContext): HttpConnection;
-  getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
+declare function defineChannel<const TO_ACCEPTOR extends readonly ActionDomain<any>[] = [], const TO_CONNECTOR extends readonly ActionDomain<any>[] = []>(options: {
+  toAcceptor: TO_ACCEPTOR;
+  toConnector: TO_CONNECTOR;
+}): IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>;
+type TUnionToIntersection<U> = (U extends any ? (k: U) => void : never) extends ((k: infer I) => void) ? I : never;
+type TDomainPushHandlers<D> = D extends ActionDomain<infer DEF> ? Partial<TWrappableDomainActionHandler<DEF>> : never;
+/**
+ * The `onPush` map for a channel: the merged set of every acceptor→connector (`toConnector`) action
+ * handler, each receiving the pushed action's input. Derived from the channel's `toConnectorDomains`, so
+ * the keys and input types follow the channel definition.
+ */
+type TChannelPushHandlers<TO_CONNECTOR extends readonly ActionDomain<any>[]> = TUnionToIntersection<TDomainPushHandlers<TO_CONNECTOR[number]>>;
+interface IConnectChannelOptions<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[]> {
+  /** The shared channel — its `toAcceptorDomains`/`toConnectorDomains` drive all routing. */
+  channel: IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>;
+  /**
+   * Transports to the acceptor, in preference order (e.g. `[wsTransport, httpFallback]`). They all carry
+   * the same `toAcceptor` domains; the manager prefers the first that's ready and falls through on
+   * failure — so connector→acceptor works over whatever transport is available, WS or HTTP.
+   */
+  transports: Transport[];
+  /** Handlers for the channel's acceptor→connector pushes. Optional — omit for a send-only connection. */
+  onPush?: TChannelPushHandlers<TO_CONNECTOR>;
+  /** Default per-action timeout for this connection. */
+  defaultTimeout?: number;
 }
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionFrameCrypto.d.ts
 /**
- * Async AES-GCM transform for the `encrypted` security level. It wraps the opaque binary frame a
- * session codec produces (it does NOT look inside it), encrypting on the way out and decrypting on the
- * way in with the shared key established by the handshake.
- *
- * It is deliberately separate from the (synchronous) session `formatMessage`: WebCrypto is always
- * Promise-based, so encryption has to happen at the transport's async I/O boundary — the connection
- * encrypts after `session.outgoing()` and decrypts before `session.incoming()`. The `authenticated`
- * and `none` levels use no crypto transform at all (frames go out as the session produced them).
+ * Wire a connection to the acceptor straight from a channel: route the channel's `toAcceptor` domains to
+ * the acceptor over `transports`, and register local handlers for its `toConnector` pushes from
+ * `onPush`. The channel is the single source of truth for *what* is routed in each direction — the
+ * caller only supplies the transport(s) and the push handlers, never restated domain lists. Pass several
+ * transports to make the connector→acceptor path transport-agnostic (e.g. secure WS preferred, HTTP
+ * fallback).
  *
- * Wire shape of an encrypted frame: `pack([nonceBytes, ciphertextBytes])` — msgpack carries the two
- * binary fields with a couple of bytes of overhead, no base64 inflation.
+ * Sugar over {@link ActionRuntime.connectTo}. Returns the acceptor handler so the caller can later
+ * `clearTransportCache()` it.
  */
-interface IActionFrameCrypto {
-  /** Encrypt one session frame for sending. */
-  encryptFrame(frame: Uint8Array): Promise<Uint8Array>;
-  /** Decrypt one received frame back to the session frame. Throws on a non-binary / malformed /
-   * tampered frame — the caller (transport) decides how to react (drop / close). */
-  decryptFrame(frame: string | ArrayBuffer | Uint8Array): Promise<Uint8Array>;
-}
-interface IActionFrameCryptoConfig {
-  link: ClientCryptoKeyLink;
-  /** The handshake-established link id for the remote (key + connection-registry id). */
-  linkedClientId: TTypeAndId;
-}
+declare function connectChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[]>(runtime: ActionRuntime, acceptorCoordinate: RuntimeCoordinate, options: IConnectChannelOptions<TO_ACCEPTOR, TO_CONNECTOR>): ConnectorHandler;
+type TDomainAcceptorCases<D, TConn> = D extends ActionDomain<infer DEF> ? { [ID in keyof DEF["actionSchema"] & string]?: TAcceptorConnectionCaseFn<DEF, ID, TConn> } : never;
 /**
- * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
- * level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+ * The connection-aware case map for a channel's acceptor side: the merged set of every
+ * connector→acceptor (`toAcceptor`) action handler, each receiving the primed request plus the
+ * originating connection. Derived from the channel's `toAcceptorDomains`, so the keys and input/output
+ * types follow the channel.
  */
-declare function createActionFrameCrypto({
-  link,
-  linkedClientId
-}: IActionFrameCryptoConfig): IActionFrameCrypto;
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionWsHandshake.d.ts
-/** How much the channel protects after the handshake — chosen by the consumer (perf vs security). */
-declare enum ESecurityLevel {
-  /** No handshake; identity is self-asserted (fastest, dev / trusted networks). */
-  none = "none",
-  /** Handshake authenticates identity (sign/verify + key pin); frames stay plaintext over TLS. */
-  authenticated = "authenticated",
-  /** Authenticated handshake + every frame AES-GCM encrypted with the derived shared key. */
-  encrypted = "encrypted"
-}
-declare enum EHandshakeMessageType {
-  hello = "hello",
-  welcome = "welcome",
-  prove = "prove",
-  accept = "accept",
-  reject = "reject"
-}
-declare const vHsHello: v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.hello, undefined>;
-  readonly protocol: v.StringSchema<undefined>;
-  readonly securityLevel: v.PicklistSchema<[ESecurityLevel.none, ESecurityLevel.authenticated, ESecurityLevel.encrypted], undefined>;
-  readonly dictionaryVersion: v.StringSchema<undefined>;
-  readonly client: v.ObjectSchema<{
-    readonly envId: v.StringSchema<undefined>;
-    readonly perId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-    readonly insId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-  }, undefined>;
-  readonly clientNonce: v.StringSchema<undefined>;
-  readonly verifyPublicKey: v.CustomSchema<`ed25519::raw_base64::${string}`, undefined>;
-  readonly exchangePublicKey: v.OptionalSchema<v.CustomSchema<`x25519::raw_base64::${string}`, undefined>, undefined>;
-}, undefined>;
-declare const vHsWelcome: v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.welcome, undefined>;
-  readonly securityLevel: v.PicklistSchema<[ESecurityLevel.none, ESecurityLevel.authenticated, ESecurityLevel.encrypted], undefined>;
-  readonly dictionaryVersion: v.StringSchema<undefined>;
-  readonly server: v.ObjectSchema<{
-    readonly envId: v.StringSchema<undefined>;
-    readonly perId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-    readonly insId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-  }, undefined>;
-  readonly serverNonce: v.StringSchema<undefined>;
-  readonly verifyPublicKey: v.CustomSchema<`ed25519::raw_base64::${string}`, undefined>;
-  readonly exchangePublicKey: v.OptionalSchema<v.CustomSchema<`x25519::raw_base64::${string}`, undefined>, undefined>;
-}, undefined>;
-declare const vHsProve: v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.prove, undefined>;
-  readonly signatureBase64: v.StringSchema<undefined>;
-}, undefined>;
-declare const vHsAccept: v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.accept, undefined>;
-  readonly signatureBase64: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-}, undefined>;
-declare const vHsReject: v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.reject, undefined>;
-  readonly reason: v.StringSchema<undefined>;
-}, undefined>;
-declare const vHandshakeMessage: v.VariantSchema<"t", [v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.hello, undefined>;
-  readonly protocol: v.StringSchema<undefined>;
-  readonly securityLevel: v.PicklistSchema<[ESecurityLevel.none, ESecurityLevel.authenticated, ESecurityLevel.encrypted], undefined>;
-  readonly dictionaryVersion: v.StringSchema<undefined>;
-  readonly client: v.ObjectSchema<{
-    readonly envId: v.StringSchema<undefined>;
-    readonly perId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-    readonly insId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-  }, undefined>;
-  readonly clientNonce: v.StringSchema<undefined>;
-  readonly verifyPublicKey: v.CustomSchema<`ed25519::raw_base64::${string}`, undefined>;
-  readonly exchangePublicKey: v.OptionalSchema<v.CustomSchema<`x25519::raw_base64::${string}`, undefined>, undefined>;
-}, undefined>, v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.welcome, undefined>;
-  readonly securityLevel: v.PicklistSchema<[ESecurityLevel.none, ESecurityLevel.authenticated, ESecurityLevel.encrypted], undefined>;
-  readonly dictionaryVersion: v.StringSchema<undefined>;
-  readonly server: v.ObjectSchema<{
-    readonly envId: v.StringSchema<undefined>;
-    readonly perId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-    readonly insId: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-  }, undefined>;
-  readonly serverNonce: v.StringSchema<undefined>;
-  readonly verifyPublicKey: v.CustomSchema<`ed25519::raw_base64::${string}`, undefined>;
-  readonly exchangePublicKey: v.OptionalSchema<v.CustomSchema<`x25519::raw_base64::${string}`, undefined>, undefined>;
-}, undefined>, v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.prove, undefined>;
-  readonly signatureBase64: v.StringSchema<undefined>;
-}, undefined>, v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.accept, undefined>;
-  readonly signatureBase64: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
-}, undefined>, v.ObjectSchema<{
-  readonly t: v.LiteralSchema<EHandshakeMessageType.reject, undefined>;
-  readonly reason: v.StringSchema<undefined>;
-}, undefined>], undefined>;
-type THsHello = v.InferOutput<typeof vHsHello>;
-type THsWelcome = v.InferOutput<typeof vHsWelcome>;
-type THsProve = v.InferOutput<typeof vHsProve>;
-type THsAccept = v.InferOutput<typeof vHsAccept>;
-type THsReject = v.InferOutput<typeof vHsReject>;
-type THandshakeMessage = v.InferOutput<typeof vHandshakeMessage>;
-/** Serialize a handshake message for the wire (handshake frames are JSON — they aren't the hot path). */
-declare function encodeHandshakeMessage(message: THandshakeMessage): string;
-/** Parse + structurally validate an incoming handshake frame; `undefined` if it isn't one. */
-declare function decodeHandshakeMessage(raw: string): THandshakeMessage | undefined;
-/** Stable link id for a runtime coordinate — the key both the crypto link and the connection use. */
-declare function runtimeLinkId(coordinate: IRuntimeCoordinate): TTypeAndId;
+type TChannelAcceptorCases<TO_ACCEPTOR extends readonly ActionDomain<any>[], TConn> = TUnionToIntersection<TDomainAcceptorCases<TO_ACCEPTOR[number], TConn>>;
+/**
+ * Register an acceptor handler's execution for a channel straight from its definition: the channel's
+ * `toAcceptor` domains are served together with one merged, connection-aware case map (each case gets
+ * the primed request + the originating connection, as with
+ * {@link AcceptorHandler.forConnectionDomainCases}). The domain list is taken from the channel,
+ * never restated. Add the returned handler to the runtime alongside the acceptor handler:
+ * ```ts
+ * runtime.addHandlers([acceptChannelConnections(serverHandler, channel, { … }), serverHandler]);
+ * ```
+ */
+declare function acceptChannelConnections<TO_ACCEPTOR extends readonly ActionDomain<any>[], TConn>(serverHandler: AcceptorHandler<TConn>, channel: IActionChannel<TO_ACCEPTOR, any>, cases: TChannelAcceptorCases<TO_ACCEPTOR, TConn>): ActionLocalHandler;
+interface IAcceptChannelOptions<TConn> {
+  /**
+   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
+   * used to score return-path dispatch back to the right connection.
+   */
+  clientEnv: RuntimeCoordinate;
+  /**
+   * One backing store for the acceptor's crypto identity *and* its trust-on-first-use verify-key pins
+   * (their keys don't collide). Back it with persistent storage so identity + pins survive eviction.
+   */
+  storageAdapter: StorageAdapter;
+  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
+  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
+  /**
+   * The acceptor's crypto identity. Defaults to a fresh `ClientCryptoKeyLink` over `storageAdapter`.
+   * Pass an existing link to share one identity across several acceptors on the same server (e.g. this
+   * WebSocket acceptor and a secure-HTTP `createActionFetchHandler`), so they present the same keys.
+   */
+  link?: ClientCryptoKeyLink;
+  /** Accepted level(s); defaults to negotiating any of none/authenticated/encrypted. */
+  securityLevel?: ESecurityLevel | readonly ESecurityLevel[];
+  /** Trust decision for a client's verify key; defaults to storage-backed TOFU over `storageAdapter`. */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
+  /** Timeout (ms) applied to acceptor-initiated actions awaiting a client response. */
+  defaultTimeout?: number;
+}
 /**
- * Everything needed to re-derive the shared AES-GCM key for an `encrypted` link after a restart —
- * the remote's public keys + the HKDF salt/info used at handshake time. The local (server) key pair is
- * recovered from its own persisted `ClientCryptoKeyLink` storage, so re-linking with this material
- * yields the identical shared key without a fresh handshake.
+ * Build the secure {@link AcceptorHandler} for a channel — the accept-in counterpart to
+ * {@link connectChannel}. It folds in the same boilerplate as {@link createSecureAcceptorHandler} (the
+ * `ClientCryptoKeyLink` + storage-backed TOFU resolver from one `storageAdapter`, the channel's codec +
+ * dictionary version, the `security` block from the runtime coordinate) but takes the `(runtime, channel,
+ * options)` shape of the channel family. Pair it with {@link acceptChannelConnections} for execution:
+ * ```ts
+ * const acceptor = acceptChannel(runtime, gameChannel, { clientEnv, storageAdapter, send });
+ * runtime.addHandlers([acceptChannelConnections(acceptor, gameChannel, { … }), acceptor]);
+ * ```
  */
-interface IHandshakeEncryptionKeyMaterial {
-  verifyPublicKey: TSerializedCryptoKeyData_Ed25519_Raw;
-  exchangePublicKey: TSerializedCryptoKeyData_X25519_Raw;
-  saltString: string;
-  infoString: string;
-  bindVerifyKeysIntoDerivation: boolean;
-}
-/** Outcome of a completed handshake — what the transport/handler needs to wire the channel. */
-interface IHandshakeResult {
-  /** The crypto-link id (and connection-registry key) for the authenticated remote. */
-  linkedClientId: TTypeAndId;
-  /** The remote's authenticated coordinate. */
-  remote: IRuntimeCoordinate;
-  securityLevel: ESecurityLevel;
-  /** For the `encrypted` level: material to restore the shared key after eviction (persist it). */
-  encryptionKeyMaterial?: IHandshakeEncryptionKeyMaterial;
+declare function acceptChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[], TConn = unknown>(runtime: ActionRuntime, channel: ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IAcceptChannelOptions<TConn>): AcceptorHandler<TConn>;
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/createHibernatableWsServerAdapter.d.ts
+interface IHibernatableWsServerAdapterOptions<TConn> {
+  /** The handler to drive (from `createSecureAcceptorHandler` or `createAcceptorHandler`). */
+  handler: AcceptorHandler<TConn>;
+  /** All currently-live connections — replayed on construction to rebuild bindings after a wake. */
+  getConnections: () => TConn[];
+  /** Read a connection's persisted binding (e.g. `(ws) => ws.deserializeAttachment()`). */
+  getAttachment: (connection: TConn) => IAcceptorConnectionBinding | undefined;
+  /** Persist a connection's binding when it is bound (e.g. `(ws, b) => ws.serializeAttachment(b)`). */
+  setAttachment: (connection: TConn, binding: IAcceptorConnectionBinding) => void;
 }
-interface IClientVerifyKeyResolveInput {
-  client: IRuntimeCoordinate;
-  verifyPublicKey: TSerializedCryptoKeyData_Ed25519_Raw;
+/**
+ * The neutral lifecycle surface for a duplex (push-capable) acceptor: feed it each inbound frame and tell
+ * it when a connection goes away. Carrier-agnostic — a WebSocket, a WebRTC data channel, or any other
+ * duplex connection drives the same two methods.
+ */
+interface IDuplexConnectionRouter<TConn> {
+  /** Feed one inbound frame from a connection into the handler. */
+  receive: (connection: TConn, frame: string | ArrayBuffer | Uint8Array) => void;
+  /** Forget a connection (call on socket close/error). */
+  drop: (connection: TConn) => void;
 }
-interface IClientVerifyKeyResolver {
+/**
+ * Wire the hibernation lifecycle for an acceptor handler on a transport whose connections outlive process
+ * eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
+ * registers `setAttachment` as the handler's connection-bound callback and immediately replays every
+ * live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
+ *
+ * Layered on top of the generic {@link AcceptorHandler} — it touches only the handler's neutral
+ * `setOnConnectionBound` / `rehydrateConnection` / `receive` / `dropConnection` surface, so no
+ * hibernation concern leaks into the handler itself.
+ *
+ * Construct it once when the handler is built, then forward connection events:
+ * ```ts
+ * const duplex = createHibernatableWsServerAdapter({ handler, getConnections, getAttachment, setAttachment });
+ * // webSocketMessage(ws, msg) => duplex.receive(ws, msg);
+ * // webSocketClose/Error(ws)  => duplex.drop(ws);
+ * ```
+ */
+declare function createHibernatableWsServerAdapter<TConn>(options: IHibernatableWsServerAdapterOptions<TConn>): IDuplexConnectionRouter<TConn>;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/Carrier.types.d.ts
+/**
+ * Carrier shapes — the only transport-specific surface a new protocol must implement. The secure
+ * session (handshake + frame crypto + codec) and the action routing on top of it are carrier-agnostic;
+ * a carrier just moves frames. Two shapes capture every carrier:
+ *
+ * - {@link IDuplexCarrier} — a persistent, push-capable byte stream (WebSocket, WebRTC `RTCDataChannel`,
+ *   Bluetooth GATT, an in-memory pipe). Either side can send at any time, so it supports server→client
+ *   pushes (the return path + broadcast).
+ * - {@link IExchangeCarrier} — a request → single-correlated-reply carrier with no unsolicited push
+ *   (HTTP, and anything request/response-shaped). The reply rides the response to its own request.
+ *
+ * Frames are `string` (text — handshake control messages and JSON action frames) or binary
+ * (`Uint8Array`/`ArrayBuffer` — the optimized binary wire / encrypted frames).
+ */
+type TFrame$1 = string | Uint8Array | ArrayBuffer;
+/**
+ * A bidirectional, push-capable byte stream. Reduces every duplex carrier to "open, send bytes, receive
+ * bytes, close" — a WebSocket, a WebRTC data channel, a Bluetooth characteristic, or an in-memory pipe
+ * all satisfy this, so the identical secure session runs over each.
+ */
+interface IDuplexCarrier {
+  /** Resolves once the carrier is open and ready to send; rejects if it closes/errors before opening. */
+  readonly ready: Promise<void>;
+  /** Whether the carrier is currently open (a synchronous guard before `send`). */
+  isOpen(): boolean;
+  /** Write one frame to the peer. */
+  send(frame: TFrame$1): void;
   /**
-   * Decide whether a presented verify key is trusted for a client identity. The signature is already
-   * verified by the time this runs, so this is purely the identity-pinning decision. Swap in a
-   * persistent / pre-provisioned implementation without touching the protocol.
+   * Register the carrier's handlers. Called exactly once by the session after `ready`. `onMessage`
+   * receives every inbound frame; `onClose` fires when the carrier goes away.
    */
-  resolve(input: IClientVerifyKeyResolveInput): Promise<{
-    trusted: boolean;
-    reason?: string;
-  }>;
+  attach(handlers: {
+    onMessage: (frame: TFrame$1) => void;
+    onClose: () => void;
+    onError?: (error: unknown) => void;
+  }): void;
+  /** Close the carrier deliberately (a teardown). */
+  close(): void;
+  /** Optional human-readable endpoint for the devtools route chip. */
+  readonly label?: string;
 }
 /**
- * In-memory trust-on-first-use resolver: trusts (and pins) the first verify key seen for a client
- * identity, then rejects a different key for that identity. The default; replace with a storage-backed
- * resolver for cross-restart pinning (see Step 5).
+ * A request → single-correlated-reply carrier with no unsolicited push (HTTP). One `exchange` sends a
+ * frame and resolves with exactly the one reply frame for it; the carrier itself correlates them (the
+ * HTTP transaction), so no correlation id is needed on the wire.
  */
-declare function createInMemoryTofuVerifyKeyResolver(): IClientVerifyKeyResolver;
+interface IExchangeCarrier {
+  /** Send one frame, await the single correlated reply frame. */
+  exchange(frame: TFrame$1, opts?: {
+    signal?: AbortSignal;
+  }): Promise<TFrame$1>;
+  /** Optional human-readable endpoint for the devtools route chip. */
+  readonly label?: string;
+}
+type TCarrier = IDuplexCarrier | IExchangeCarrier;
 /**
- * Storage-backed trust-on-first-use resolver: pins survive process restarts / Durable Object eviction
- * (e.g. back it with `createDurableObjectStorageAdapter`). Same policy as the in-memory variant — trust
- * + pin the first verify key per client identity, reject a different one thereafter.
+ * A reusable opener for a {@link IDuplexCarrier} plus the per-action metadata a duplex transport needs.
+ * Built by the small carrier factories (`wsCarrier`, `rtcCarrier`, `inMemoryCarrier`) and handed to
+ * {@link secureTransport} / `LinkTransport` — so adding a new carrier is "write one of these", nothing
+ * else.
  */
-declare function createStorageTofuVerifyKeyResolver(storageAdapter: StorageAdapter): IClientVerifyKeyResolver;
-interface IClientHandshakeConfig {
-  link: ClientCryptoKeyLink;
-  localCoordinate: IRuntimeCoordinate;
-  dictionaryVersion: string;
-  securityLevel: ESecurityLevel;
+interface IDuplexCarrierSource {
+  /** Open (or reuse) the carrier for an action. */
+  open: (input: ITransportRouteActionParams) => IDuplexCarrier;
+  /** Keys identifying a reusable carrier, so one carrier is shared across actions to the same peer. */
+  getCacheKey?: (input: ITransportRouteActionParams) => string[];
+  /** Devtools route info for an action routed over this carrier. */
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+  /** Short carrier-kind label for the devtools chip (e.g. `"ws"`, `"webrtc"`, `"memory"`). */
+  readonly carrierLabel: string;
 }
-declare function createClientHandshake(config: IClientHandshakeConfig): {
-  createHello(): Promise<THsHello>;
-  onWelcome(welcome: THsWelcome): Promise<THsProve>;
-  onAccept(accept: THsAccept): Promise<IHandshakeResult>;
-};
-interface IServerHandshakeConfig {
-  link: ClientCryptoKeyLink;
-  localCoordinate: IRuntimeCoordinate;
-  dictionaryVersion: string;
+/**
+ * The exchange-shape counterpart to {@link IDuplexCarrierSource}: a reusable opener for an
+ * {@link IExchangeCarrier} plus the per-action metadata an exchange transport needs. Built by
+ * `httpCarrier` and handed to {@link secureTransport} — adding a new request/reply protocol is "write
+ * one of these". The `shape` tag lets {@link secureTransport} pick the duplex vs exchange transport.
+ */
+interface IExchangeCarrierSource {
+  /** Discriminant so a generic factory can tell an exchange source from a duplex one. */
+  readonly shape: "exchange";
+  /** Open (or reuse) the carrier for an action. */
+  open: (input: ITransportRouteActionParams) => IExchangeCarrier;
+  /** Keys identifying a reusable carrier, so one carrier is shared across actions to the same peer. */
+  getCacheKey?: (input: ITransportRouteActionParams) => string[];
+  /** Devtools route info for an action routed over this carrier. */
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+  /** Short carrier-kind label for the devtools chip (e.g. `"http"`). */
+  readonly carrierLabel: string;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/AcceptorCarrier.types.d.ts
+/**
+ * Acceptor-side carrier descriptors — the accept-in dual of the connector's {@link IDuplexCarrierSource}
+ * / {@link IExchangeCarrierSource}. Where a connector source knows how to *open* a carrier to a peer, an
+ * acceptor carrier knows how to *serve* one peer's traffic on this server. Both shapes are carrier-neutral
+ * about security: `serveChannel` builds the crypto identity (link + TOFU resolver) and the security block
+ * once from `(runtime, channel)` and fans it across every carrier, so a carrier descriptor never restates
+ * it.
+ *
+ * Two shapes mirror the connector side:
+ *
+ * - {@link IDuplexAcceptorCarrier} — a persistent, push-capable byte stream (WebSocket, WebRTC, …). It can
+ *   push acceptor→connector, so it carries the return path and broadcasts, and it may need an upgrade step
+ *   (e.g. a Durable Object's `WebSocketPair`) and optional hibernation persistence.
+ * - {@link IExchangeAcceptorCarrier} — a request → single-correlated-reply carrier with no unsolicited push
+ *   (HTTP). The reply rides the response to its own request; there is nothing to push and nothing to
+ *   upgrade.
+ */
+/**
+ * Persistence + replay hooks for a duplex carrier whose connections outlive process eviction (e.g. a
+ * Durable Object's hibernatable WebSockets). Optional — omit for a transport that never hibernates. The
+ * same surface {@link createHibernatableWsServerAdapter} consumes, minus the handler it's bound to.
+ */
+interface IAcceptorHibernation<TConn> {
+  /** All currently-live connections — replayed on build to rebuild bindings after a wake. */
+  getConnections: () => TConn[];
+  /** Read a connection's persisted binding (e.g. `(ws) => ws.deserializeAttachment()`). */
+  getAttachment: (connection: TConn) => IAcceptorConnectionBinding | undefined;
+  /** Persist a connection's binding when it is bound (e.g. `(ws, b) => ws.serializeAttachment(b)`). */
+  setAttachment: (connection: TConn, binding: IAcceptorConnectionBinding) => void;
+}
+/**
+ * A duplex carrier is also its own lifecycle handle: once it has been passed to `serveChannel`, feed each
+ * inbound frame to {@link receive} and forget a connection on close/error with {@link drop}. This is how a
+ * server with *several* duplex carriers routes each connection's traffic to the right one — you hold the
+ * carrier you created and feed it directly, so no per-carrier router lookup is needed. The methods throw if
+ * called before the carrier is served. (`serveChannel` binds the live router via {@link _activate}.)
+ */
+interface IDuplexCarrierLifecycle<TConn> {
+  /** Feed one inbound frame from a live connection into the server. Throws until the carrier is served. */
+  receive(connection: TConn, frame: TFrame$1): void;
+  /** Forget a connection on close/error. No-op until the carrier is served. */
+  drop(connection: TConn): void;
+  /** @internal `serveChannel` binds this carrier's live connection router here. */
+  _activate(router: IDuplexConnectionRouter<TConn>): void;
+}
+/**
+ * A duplex (push-capable) carrier on the acceptor side. Describes how to write a frame back to a live
+ * connection, how to perform the transport-specific upgrade that admits one, which requests are such
+ * upgrades, and (optionally) how to persist bindings across hibernation. Built by `wsAcceptorCarrier` and
+ * handed to `serveChannel`'s `carriers` list — the returned carrier is also its own lifecycle handle (see
+ * {@link IDuplexCarrierLifecycle}).
+ */
+interface IDuplexAcceptorCarrier<TConn = unknown> extends IDuplexCarrierLifecycle<TConn> {
+  /** Discriminant so `serveChannel` can tell a duplex carrier from an exchange one. */
+  readonly shape: ETransportShape.duplex;
   /**
-   * The level(s) this server accepts. A single level is strict (the client must match). An array is a
-   * negotiable allowed set — the server adopts whichever level the client requests, as long as it's in
-   * the set (lets one backend serve `authenticated` and `encrypted` clients at once). `none` in the set
-   * is handled by the transport/handler (a `none` client never reaches the handshake).
+   * Whether each connection runs the secure handshake (default `true`). `false` makes it a plain duplex
+   * carrier: connections speak the channel's wire codec directly with a self-asserted identity — no
+   * handshake, pins, or encryption (the duplex dual of `httpAcceptorCarrier({ secure: false })`). A plain
+   * carrier ignores the central crypto identity, so it needs no `storage` on `serveChannel`.
    */
-  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
-  /** Trust decision for a client's verify key. Defaults to in-memory TOFU. */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
+  secure?: boolean;
+  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
+  send: (connection: TConn, frame: TFrame$1) => void;
+  /**
+   * Perform the transport-specific upgrade for an inbound request, returning its raw response (e.g. a
+   * Durable Object's `new WebSocketPair()` + `ctx.acceptWebSocket()` → a `101`). Omit for a carrier that
+   * is fed connections out of band (the server then only routes frames via {@link receive}/{@link drop}).
+   */
+  upgrade?: (request: Request, url: URL) => Response | Promise<Response>;
+  /**
+   * Whether an inbound request is an upgrade for this carrier. Defaults to an `Upgrade: websocket` header.
+   * Only consulted when {@link upgrade} is present.
+   */
+  isUpgrade?: (request: Request, url: URL) => boolean;
+  /** Optional persistence + replay for connections that survive eviction (Durable Object hibernation). */
+  hibernation?: IAcceptorHibernation<TConn>;
+  /** Short carrier-kind label for the devtools chip (e.g. `"ws"`, `"webrtc"`). */
+  readonly carrierLabel: string;
 }
-declare function createServerHandshake(config: IServerHandshakeConfig): {
-  onHello(hello: THsHello): Promise<THsWelcome | THsReject>;
-  onProve(prove: THsProve): Promise<THsAccept | THsReject>; /** The completed handshake result once `onProve` has accepted, else `undefined`. */
-  getResult(): IHandshakeResult | undefined;
-};
+/**
+ * An exchange (request/reply) carrier on the acceptor side, over web-standard `Request`/`Response`. By
+ * default it speaks the *secure* exchange protocol (handshake → token session → encrypted frames), whose
+ * identity is supplied centrally by `serveChannel`. Set {@link secure} to `false` for a plain endpoint
+ * that POSTs the raw action wire and returns the result inline — the request/reply dual of the connector's
+ * `plainTransport({ carrier: httpCarrier(...) })`. So a server can pair a secure duplex (WebSocket) with a
+ * plain HTTP fallback on the same runtime. Built by `httpAcceptorCarrier`.
+ */
+interface IExchangeAcceptorCarrier {
+  /** Discriminant so `serveChannel` can tell an exchange carrier from a duplex one. */
+  readonly shape: ETransportShape.exchange;
+  /**
+   * Whether this endpoint runs the secure exchange protocol (default `true`). `false` makes it a plain
+   * endpoint: the body is the raw action wire and the result is the response body — no handshake, token,
+   * or encryption. A plain endpoint ignores the central crypto identity entirely.
+   */
+  secure?: boolean;
+  /** Which requests carry an action exchange envelope on `POST`. Defaults to `serveChannel`'s path match. */
+  isActionPath?: (url: URL) => boolean;
+  /**
+   * CORS headers merged onto every response (a preflight `OPTIONS` is answered `204`). Defaults to the
+   * permissive `*` set; pass `false` to attach no CORS headers at all.
+   */
+  cors?: Record<string, string> | false;
+  /** Plain mode only: use the error's HTTP status for failures (default `true`). Ignored when secure. */
+  useErrorStatus?: boolean;
+  /** Short carrier-kind label for the devtools chip (e.g. `"http"`). */
+  readonly carrierLabel: string;
+}
+type TAcceptorCarrier<TConn = unknown> = IDuplexAcceptorCarrier<TConn> | IExchangeAcceptorCarrier;
+/**
+ * Narrow an acceptor carrier to the exchange shape via its `shape` discriminant — the one branch
+ * `serveChannel` uses to pick the duplex (push-capable) vs exchange (request/reply) wiring. A duplex
+ * carrier carries `shape: ETransportShape.duplex`, so the `else` branch is the duplex one.
+ */
+declare function isExchangeAcceptorCarrier<TConn>(carrier: TAcceptorCarrier<TConn>): carrier is IExchangeAcceptorCarrier;
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/TransportWebSocket.types.d.ts
+//#region src/ActionRuntime/Channel/serveChannel.d.ts
+interface IServeChannelOptions<TConn> {
+  /**
+   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
+   * used to score return-path dispatch back to the right connection.
+   */
+  clientEnv: RuntimeCoordinate;
+  /**
+   * One backing store for the server's crypto identity *and* its trust-on-first-use verify-key pins
+   * (their keys don't collide). It is built once and shared across every carrier, so the WebSocket and the
+   * secure-HTTP endpoint present the exact same verify/exchange keys and trust the same pinned clients.
+   * Back it with persistent storage (e.g. a Durable Object's storage) so identity + pins survive eviction.
+   *
+   * Required only when at least one carrier is secure (the default). A fully-plain server (every carrier
+   * `secure: false`) needs no storage and may omit it.
+   */
+  storage?: StorageAdapter;
+  /**
+   * The carriers this channel is served over — the accept-in dual of `connectChannel`'s `transports`.
+   * Build them with `wsAcceptorCarrier` / `httpAcceptorCarrier`. Any number of duplex (push-capable)
+   * carriers are supported (e.g. WebSocket + WebRTC), plus at most one exchange (request/reply) carrier;
+   * all share one crypto identity and one runtime, and each result/push routes back over the carrier its
+   * client connected on.
+   */
+  carriers: readonly TAcceptorCarrier<TConn>[];
+  /** Your execution handlers (e.g. the local handler holding the action cases). Registered for you. */
+  handlers?: TActionRuntimeHandler[];
+  /**
+   * The server's crypto identity. Defaults to a fresh {@link ClientCryptoKeyLink} over `storage`. Pass an
+   * existing link only to share identity with acceptors built outside this call.
+   */
+  link?: ClientCryptoKeyLink;
+  /** Accepted level(s) for every carrier; defaults to negotiating any of none/authenticated/encrypted. */
+  securityLevel?: ESecurityLevel | readonly ESecurityLevel[];
+  /** Trust decision for a client's verify key; defaults to storage-backed TOFU over `storage`. */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
+  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
+  defaultTimeout?: number;
+}
 /**
- * Client-side secure-channel config for a WebSocket. When present (and `securityLevel !== none`), the
- * connection runs the {@link createClientHandshake} handshake during initialization — authenticating
- * the identity and, for the `encrypted` level, deriving a shared key that encrypts every action frame.
+ * One server serving a secure channel over several carriers — the accept-in dual of `connectChannel`,
+ * returned by {@link serveChannel}. Wire its surface straight to the host's request/socket events.
  */
-interface IWsClientSecureChannel {
-  securityLevel: ESecurityLevel;
-  /** This client's crypto identity (verify + exchange key pairs, optionally persisted). */
+interface IChannelServer<TConn> {
+  /**
+   * The duplex acceptor handlers — one per duplex carrier, in carrier order (empty if none). For pushing,
+   * prefer {@link pushToClient} (it resolves the owning handler); reach for these for cross-carrier work
+   * like a per-handler `broadcast`.
+   */
+  handlers: AcceptorHandler<TConn>[];
+  /**
+   * Unified request handler: answers the CORS preflight, performs the duplex upgrade for an upgrade
+   * request, serves a secure-exchange action `POST`, else `404`. Forward the host's `fetch` straight to it.
+   */
+  fetch: (request: Request) => Promise<Response>;
+  /**
+   * Convenience lifecycle for the *sole* duplex carrier — `receive` inbound frames, `drop` on close. Set
+   * only when exactly one duplex carrier was provided; with several, feed each carrier handle directly
+   * (every duplex carrier is its own lifecycle handle). `undefined` when there are zero or multiple.
+   */
+  duplex?: IDuplexConnectionRouter<TConn>;
+  /**
+   * Push a server-initiated action to a connected client (the runtime is bound in, so unlike
+   * {@link AcceptorHandler.pushToClient} you pass only the target + request). It routes through the duplex
+   * carrier the target connected on. Throws if no duplex carrier currently holds the target.
+   */
+  pushToClient: <DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(target: TConn | RuntimeCoordinate, request: ActionPayload_Request<DOM, ID>, options?: {
+    timeout?: number;
+  }) => RunningAction<DOM, ID>;
+}
+/**
+ * Serve a secure channel over one or more carriers from a single call — the accept-in dual of
+ * `connectChannel`. It builds the crypto identity (a {@link ClientCryptoKeyLink} + a storage-backed TOFU
+ * resolver) and the security block (coordinate, dictionary version, accepted levels) *once* from
+ * `(runtime, channel)` and fans them across every carrier, so the WebSocket and the secure-HTTP endpoint
+ * can never drift apart. It registers your handlers (plus the duplex acceptor it builds) on the runtime,
+ * wires hibernation when the duplex carrier declares it, and returns a single {@link IChannelServer} whose
+ * `fetch` / `duplex` / `pushToClient` you forward straight to the host:
+ * ```ts
+ * const server = serveChannel(runtime, channel, {
+ *   clientEnv, storage,
+ *   carriers: [wsAcceptorCarrier({ send, upgrade, hibernation }), httpAcceptorCarrier()],
+ *   handlers: [localHandler],
+ * });
+ * // fetch(req) => server.fetch(req)
+ * // webSocketMessage(conn, m) => server.duplex?.receive(conn, m)
+ * // webSocketClose/Error(conn) => server.duplex?.drop(conn)
+ * ```
+ *
+ * `TConn` (the live-connection token a duplex carrier hands back through `send`/`receive`/`drop`) is
+ * inferred from the carriers — `WebSocket` for `wsAcceptorCarrier`, the data-channel type for a WebRTC
+ * carrier, and so on — so it stays carrier-agnostic.
+ */
+declare function serveChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TConn = unknown>(runtime: ActionRuntime, channel: ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IServeChannelOptions<TConn>): IChannelServer<TConn>;
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.d.ts
+/** Acceptor secure config for the exchange (HTTP) endpoint — same identity an `AcceptorHandler` uses. */
+interface IExchangeAcceptorSecurity {
+  /** This acceptor's crypto identity (verify + exchange key pairs, optionally persisted). */
   link: ClientCryptoKeyLink;
-  /** This client's runtime coordinate — its authenticated identity to the server. */
+  /** This acceptor's coordinate — its identity to clients during the handshake. */
   localCoordinate: IRuntimeCoordinate;
-  /** Wire dictionary version; the server rejects the handshake on a mismatch. */
+  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
   dictionaryVersion: string;
+  /** Accepted level(s) — a single level is strict, an array is a negotiable allowed set. */
+  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
+  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
 }
-interface IActionTransportReadyData_Ws extends IActionTransportReadyData_Base {
-  formatMessage?: {
-    /**
-     * Pack an outgoing action payload. Return a `string` for text frames (JSON) or a binary
-     * `Uint8Array`/`ArrayBuffer` for optimized binary frames (e.g. msgpackr).
-     */
-    outgoing: (input: ITransportRouteActionParams) => string | Uint8Array | ArrayBuffer;
-    /**
-     * Unpack an incoming frame back into the wire JSON object the runtime hydrates + validates.
-     * Return `undefined` to defer to the connection's built-in JSON parser — this is how binary
-     * adapters stay backward compatible with plain-JSON clients on the same socket.
-     */
-    incoming?: (input: string | ArrayBuffer | Uint8Array | Blob) => TActionPayload_Any_JsonObject<any, any> | undefined;
-  };
-  ws: WebSocket;
-  /** Optional authenticated/encrypted channel; the connection runs the handshake during init. */
-  secureChannel?: IWsClientSecureChannel;
+interface IExchangeAcceptorConfig {
+  security: IExchangeAcceptorSecurity;
+  /** The runtime that executes an inbound action wire and produces its result. */
+  runtime: ActionRuntime;
 }
-interface IActionTransportInitialized_Ws extends IActionTransportInitialized<ITransportRouteActionParams, IActionTransportReadyData_Ws> {}
-interface IActionTransportDef_Ws extends IActionTransportDef<ETransportType.ws, IActionTransportInitialized_Ws> {}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsAdapter.d.ts
 /**
- * Builds a *stateless* `formatMessage` pipeline for {@link WebSocketTransport}, packing action
- * payloads into a compact msgpackr binary frame instead of JSON. The `domain`/`id` route collapses to
- * a single integer drawn from a shared dictionary; `form`/`type`, the recomputable
- * `inputHash`/`outputHash`, and the per-frame `context.routing`/`context.timeCreated` are all dropped
- * (see {@link ENVELOPE}).
- *
- * No validation runs here: `incoming` blindly reconstructs the wire JSON shape and hands it back to
- * the connection, which flows into `ActionRuntime` → `domain.hydrateAnyAction()` where the Valibot
- * schemas validate it exactly as they would for a JSON frame.
- *
- * Both ends of the socket MUST construct the adapter with the same domains in the same order — the
- * integer dictionary is positional. Mismatched dictionaries will route to the wrong action.
+ * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
+ * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
+ * acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
+ * requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
+ * POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
+ * and returns the (encrypted) result inline as the reply.
  *
- * Because `incoming` returns `undefined` for text frames, a binary server can still serve plain-JSON
- * clients on the same runtime (the connection falls back to its built-in JSON parser).
+ * Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
+ * Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
+ * same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
  */
-declare function createBinaryWsAdapter(domains: ActionDomain<any>[]): NonNullable<IActionTransportReadyData_Ws["formatMessage"]>;
+declare class ExchangeAcceptor {
+  private readonly _security;
+  private readonly _runtime;
+  private readonly _allowedLevels;
+  private readonly _noneAllowed;
+  private readonly _pendingHandshakes;
+  private readonly _sessions;
+  constructor(config: IExchangeAcceptorConfig);
+  /** Process one POST body (an exchange envelope), returning the reply body to send back. */
+  handlePost(body: string): Promise<string>;
+  private _handleHandshake;
+  private _handleAction;
+  private _err;
+}
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsSessionFactory.d.ts
-type TFormatMessage = NonNullable<IActionTransportReadyData_Ws["formatMessage"]>;
-interface IBinaryWsSessionOptions {
-  /** Override how long an unresolved correlation is retained before being swept (ms). */
-  correlationTtlMs?: number;
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.d.ts
+interface IActionFetchHandlerOptions {
+  /**
+   * CORS headers merged onto every response (a preflight `OPTIONS` is answered `204` with them).
+   * Defaults to permissive `*`; pass `false` to attach no CORS headers at all.
+   */
+  cors?: Record<string, string> | false;
+  /** Which requests carry an action wire on `POST`. Default: pathname ends with `/action`. */
+  isActionPath?: (url: URL) => boolean;
+  /** Which requests are WebSocket upgrades. Default: pathname ends with `/ws`. */
+  isWebSocketPath?: (url: URL) => boolean;
+  /**
+   * Whether a request is a WebSocket upgrade for this endpoint, given the whole request (not just the
+   * URL). When set it *replaces* the default gate (an `Upgrade: websocket` header on an
+   * {@link isWebSocketPath} match) — use it when the discriminant needs a header or method, not only the
+   * path. Only consulted when {@link onWebSocketUpgrade} is present.
+   */
+  isWebSocketUpgrade?: (request: Request, url: URL) => boolean;
+  /**
+   * Perform the transport-specific WebSocket upgrade (e.g. a Durable Object's
+   * `new WebSocketPair()` + `ctx.acceptWebSocket()` returning a `101`). Omit for HTTP-only endpoints.
+   * Its response is returned as-is — a `101` upgrade carries no CORS headers.
+   */
+  onWebSocketUpgrade?: (request: Request, url: URL) => Response | Promise<Response>;
+  /** Forwarded to `ActionPayload_Result.toHttpResponse` — use the error's HTTP status (default true). */
+  useErrorStatus?: boolean;
+  /**
+   * Enable the secure exchange protocol (handshake + token sessions + body encryption) on the `/action`
+   * endpoint, mirroring an `AcceptorHandler`'s `security`. The matching connector is
+   * `secureTransport({ carrier: httpCarrier(...), securityLevel })`. When omitted, the endpoint speaks
+   * today's plain protocol (the raw action wire is POSTed and the result is the response body).
+   */
+  security?: IExchangeAcceptorSecurity;
 }
 /**
- * Builds a factory of *stateful, per-connection* codecs for {@link WebSocketTransport} /
- * `ActionServerHandler` — the maximally compact binary wire. Call the returned factory once per live
- * connection (each socket on the client, each accepted connection on the server) so every channel
- * gets its own correlation + identity state.
- *
- * On top of everything {@link createBinaryWsAdapter} drops, a session also drops:
- * - **`cuid`** — replaced by a per-connection integer correlation id. The initiator maps it to its
- *   real cuid; the responder echoes it; each side reconstructs the cuid from its own map. Correlation
- *   only needs to be unique per socket, so a counter suffices.
- * - **`originClient` after the first request** — the first request each side sends carries its
- *   identity; the peer remembers it and injects it into later frames. Replies omit it entirely (a
- *   reply carries the initiator's own origin, which the initiator already knows).
- *
- * Both ends MUST build the factory from the same domains in the same order (positional dictionary).
- * Text frames still return `undefined` from `incoming`, so JSON clients remain interoperable.
+ * Build the `fetch` handler a server/Durable-Object exposes for action traffic, folding in the
+ * boilerplate every endpoint repeats: CORS (incl. the `OPTIONS` preflight), routing the `/action`
+ * `POST` body through the runtime (`handleActionPayloadWire` → `waitForResultPayload` →
+ * `toHttpResponse`), an optional WebSocket-upgrade hook, and a `404` fallback.
  *
- * Hibernation note: after a server connection is evicted its session resets, so a still-connected
- * client (whose session persists) will keep omitting `originClient`. The server must therefore restore
- * the connection→client binding from its own store (see `ActionServerHandler.rehydrateConnection`) and
- * inject `originClient` from there — the session alone can't recover it.
+ * It only touches web-standard `Request`/`Response`, so it stays transport-agnostic — the one
+ * environment-specific bit (the WS upgrade) is injected via {@link IActionFetchHandlerOptions.onWebSocketUpgrade}:
+ * ```ts
+ * this.fetchHandler = createActionFetchHandler(this.runtime, {
+ *   onWebSocketUpgrade: () => {
+ *     const pair = new WebSocketPair();
+ *     this.ctx.acceptWebSocket(pair[1]);
+ *     return new Response(null, { status: 101, webSocket: pair[0] });
+ *   },
+ * });
+ * // async fetch(request) { return this.fetchHandler(request); }
+ * ```
  */
-declare function createBinaryWsSessionFactory(domains: ActionDomain<any>[], options?: IBinaryWsSessionOptions): () => TFormatMessage;
+declare function createActionFetchHandler(runtime: ActionRuntime, options?: IActionFetchHandlerOptions): (request: Request) => Promise<Response>;
 //#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/WebSocketConnection.d.ts
-declare class WebSocketConnection extends TransportConnection<ETransportType.ws, ITransportRouteActionParams, IActionTransportReadyData_Ws, IActionTransportInitialized_Ws, IActionTransportDef_Ws> {
-  private resolvers;
-  /** URL of the most recently resolved live socket — surfaced to devtools when the definition can't. */
-  private _liveSocketUrl?;
-  /** Sockets we closed on purpose (via `disconnect`), so their `close` event stays quiet. */
-  private _intentionalCloses;
-  constructor(def: Omit<IActionTransportDef_Ws, "type">, resolvers?: IActionTransportResolvers);
-  protected _getCacheKey(_input: ITransportRouteActionParams): string;
-  protected _processTransportStatus(input: ITransportRouteActionParams): TTransportStatusInfo<IActionTransportReadyData_Methods>;
-  getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo | undefined;
-  private _isSecure;
-  private _awaitOpen;
-  /** Non-secure connections finalize synchronously; secure ones run the handshake first. */
-  private _finalize;
-  _finalizeTransportMethods(wsData: IActionTransportReadyData_Ws): IActionTransportReadyData_Methods;
-  /**
-   * Secure path: a single message listener feeds the handshake until it completes, then routes action
-   * frames (decrypting for the `encrypted` level). Frames that arrive in the gap between accept and
-   * activation are buffered and flushed, so nothing is lost.
-   */
-  private _finalizeSecureMethods;
-  private _runClientHandshake;
-  private _buildSendMethods;
-  /** Decode (and, when encrypted, decrypt) one inbound action frame and hand it to the runtime. */
-  private _handleIncomingActionFrame;
-  /** Accept text + binary frames (ArrayBuffer / Uint8Array / Blob); Blobs are converted to a buffer. */
-  private _normalizeFrame;
-  private _captureSocketUrl;
-  private _attachLifecycle;
-  private _abortAll;
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/WebSocketTransport.d.ts
-interface IWebSocketTransportSharedOptions {
-  /** Custom (de)serialization of action payloads on the wire (shared across all sockets). */
-  formatMessage?: IActionTransportReadyData_Ws["formatMessage"];
-  /**
-   * Per-socket codec factory — called once for each socket so stateful codecs (e.g. the
-   * `createBinaryWsSessionFactory` session, which holds per-connection correlation + identity state)
-   * get their own instance and reset cleanly on reconnect. Takes precedence over `formatMessage`.
-   */
-  createFormatMessage?: () => IActionTransportReadyData_Ws["formatMessage"];
-  updateRunConfig?: TUpdateActionRunConfig;
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createSecureActionServer.d.ts
+interface ISecureAcceptorHandlerOptions<TConn> {
+  /** The shared channel identity (codec + dictionary version) — same one the clients use. */
+  channel: ISecureChannel;
   /**
-   * Keys that identify a reusable socket, so a single socket is shared across actions to the same
-   * endpoint instead of opening one per action.
+   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
+   * used to route results/pushes back over this handler.
    */
-  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
-  /** Override the devtools route info for a specific action. */
-  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+  clientEnv: RuntimeCoordinate;
+  /** This server's runtime — its coordinate is the server identity presented in the handshake. */
+  runtime: ActionRuntime;
   /**
-   * Secure-channel config. When set (and `securityLevel !== none`), the connection runs the
-   * authenticated handshake during initialization and, at the `encrypted` level, encrypts every frame.
+   * One backing store for the server's crypto identity *and* its trust-on-first-use verify-key pins.
+   * Their keys don't collide, so a single adapter is enough; back it with persistent storage (e.g. a
+   * Durable Object's storage) so identity and pins survive eviction.
    */
-  security?: IActionTransportReadyData_Ws["secureChannel"];
-}
-interface IWebSocketTransportSocketOptions extends IWebSocketTransportSharedOptions {
-  /** Open (or reuse) the WebSocket for an action — keep it simple or derive it per action. */
-  createWebSocket: (input: ITransportRouteActionParams) => WebSocket;
-}
-interface IWebSocketTransportAdvancedOptions extends IWebSocketTransportSharedOptions {
+  storageAdapter: StorageAdapter;
+  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
+  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
   /**
-   * Full control over readiness/initialization. Use this for contextual support detection (return
-   * `{ status: ETransportStatus.unsupported }` when the socket shouldn't be used) or async url
-   * building (return `{ status: ETransportStatus.initializing, initializationPromise }` that resolves
-   * to a `ready` socket).
+   * The server's crypto identity. Defaults to a fresh {@link ClientCryptoKeyLink} over `storageAdapter`.
+   * Pass an existing link to share one identity across several acceptors on the same server (e.g. a
+   * WebSocket acceptor and a secure-HTTP {@link createActionFetchHandler}), so they present the same
+   * verify/exchange keys — avoiding a divergent-key race when two fresh links initialize concurrently.
    */
-  getTransport: IActionTransportInitialized_Ws["getTransport"];
-}
-type TWebSocketTransportOptions = (IWebSocketTransportSocketOptions & {
-  mode: "socket";
-}) | (IWebSocketTransportAdvancedOptions & {
-  mode: "advanced";
-});
-/**
- * Reusable WebSocket transport definition. Create one with `WebSocketTransport.create({ createWebSocket })`
- * for the common case, or `WebSocketTransport.createAdvanced({ getTransport })` for full control over
- * readiness. The underlying socket is cached (via `getTransportCacheKey`) and reused across actions.
- */
-declare class WebSocketTransport extends Transport<ETransportType.ws> {
-  private readonly options;
-  readonly type = ETransportType.ws;
-  constructor(options: TWebSocketTransportOptions);
-  static create(options: IWebSocketTransportSocketOptions): WebSocketTransport;
-  static createAdvanced(options: IWebSocketTransportAdvancedOptions): WebSocketTransport;
-  _createConnection(ctx: ITransportConnectionContext): WebSocketConnection;
-  getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/secureWsChannel.d.ts
-/** The per-connection binary session codec — built once per socket from the channel's domains. */
-type TChannelCodec = NonNullable<IActionTransportReadyData_Ws["formatMessage"]>;
-/**
- * The shared identity of a secure WebSocket channel: the wire dictionary version both ends check
- * during the handshake, plus the per-connection codec factory both ends build from the *same* domain
- * list. Define it once (typically in code shared by client and server) and hand it to
- * {@link createSecureWebSocketTransport} on the client and `createSecureActionServerHandler` on the
- * server, so the codec and version can never drift apart.
- */
-interface ISecureWsChannel {
-  /** Wire dictionary version — derived from the domains by default; the handshake rejects a mismatch. */
-  dictionaryVersion: string;
-  /** Per-connection session codec factory (call once per live connection). */
-  createCodec: () => TChannelCodec;
-}
-/**
- * Bundle a secure channel's shared identity from its transported domains. Both ends MUST call this
- * with the same domains in the same order (the binary wire dictionary is positional). The
- * `dictionaryVersion` is derived from those domains unless you pin an explicit one.
- */
-declare function defineSecureWsChannel(options: {
-  /** Domains transported over this channel, in a stable order. Add new ones to the *end*. */domains: ActionDomain<any>[]; /** Pin a human-readable version instead of the derived hash (must match on both ends). */
-  dictionaryVersion?: string; /** Tuning for the per-connection binary session (e.g. correlation TTL). */
-  sessionOptions?: IBinaryWsSessionOptions;
-}): ISecureWsChannel;
-interface ISecureWebSocketTransportOptions {
-  /** The shared channel identity (codec + dictionary version). */
-  channel: ISecureWsChannel;
-  /** This client's runtime — its coordinate is the authenticated identity sent in the handshake. */
-  runtime: ActionRuntime;
-  /** Backing store for this client's crypto identity (a stable verify key across reloads). */
-  storageAdapter: StorageAdapter;
-  /** The level this client requests; the server must allow it. */
-  securityLevel: ESecurityLevel;
-  /** Endpoint URL — drives both the socket and the per-endpoint cache key. */
-  url: string;
-  /** Override socket creation (defaults to a `new WebSocket(url)` with `binaryType = "arraybuffer"`). */
-  createWebSocket?: (input: ITransportRouteActionParams) => WebSocket;
-  /** Override the reuse key (defaults to `[url]`, so one socket is shared per endpoint). */
-  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
-  updateRunConfig?: TUpdateActionRunConfig;
-  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+  link?: ClientCryptoKeyLink;
+  /** Accepted level(s); defaults to negotiating any of none/authenticated/encrypted. */
+  securityLevel?: ESecurityLevel | readonly ESecurityLevel[];
+  /** Trust decision for a client's verify key; defaults to storage-backed TOFU over `storageAdapter`. */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
+  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
+  defaultTimeout?: number;
 }
 /**
- * Build a {@link WebSocketTransport} for the secure binary channel with the boilerplate folded in: it
- * creates the {@link ClientCryptoKeyLink} from `storageAdapter`, opens an `arraybuffer` socket to
- * `url`, caches it per endpoint, installs the channel's per-connection codec, and assembles the
- * `security` block from the runtime coordinate + channel version. Pass `createWebSocket` /
- * `getTransportCacheKey` to take over those bits when you need to.
+ * Build an {@link AcceptorHandler} for the secure binary channel with the boilerplate folded in:
+ * it creates the {@link ClientCryptoKeyLink} and the storage-backed TOFU resolver from a single
+ * `storageAdapter`, installs the channel's per-connection codec, and assembles the `security` block
+ * from the runtime coordinate + channel version (accepting all three levels by default).
+ *
+ * For a hibernatable transport (e.g. a Durable Object), pair it with
+ * {@link createHibernatableWsServerAdapter} to wire persistence + replay.
  */
-declare function createSecureWebSocketTransport(options: ISecureWebSocketTransportOptions): WebSocketTransport;
+declare function createSecureAcceptorHandler<TConn = unknown>(options: ISecureAcceptorHandlerOptions<TConn>): AcceptorHandler<TConn>;
 //#endregion
-//#region src/ActionRuntime/Handler/Server/WsConnectionStateStore.d.ts
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/ConnectionStateStore.d.ts
 /**
  * The composite value persisted to a connection's attachment: the consumer's own app state plus the
- * {@link ActionServerHandler} routing binding. Co-storing them in one slot means a transport whose
+ * {@link AcceptorHandler} routing binding. Co-storing them in one slot means a transport whose
  * sockets outlive process eviction (e.g. a Durable Object's hibernatable WebSocket) recovers both the
  * application identity *and* the action routing from a single attachment after a wake — no storage reads.
  */
 interface IConnectionAttachment<TApp> {
   app?: TApp;
-  binding?: IActionServerConnectionBinding;
+  binding?: IAcceptorConnectionBinding;
 }
-interface IWsConnectionStateStoreOptions<TConn, TApp> {
+interface IConnectionStateStoreOptions<TConn, TApp> {
   /** Read a connection's raw attachment (e.g. `(ws) => ws.deserializeAttachment()`). */
   read: (connection: TConn) => unknown;
   /** Persist a connection's attachment (e.g. `(ws, value) => ws.serializeAttachment(value)`). */
   write: (connection: TConn, value: IConnectionAttachment<TApp>) => void;
   /**
    * All currently-live connections (e.g. `() => ctx.getWebSockets()`). Used to replay routing bindings
-   * after a wake (via {@link ActionServerHandler.createConnectionState}) and to enumerate app state in
-   * {@link WsConnectionStateStore.entries}.
+   * after a wake (via {@link createConnectionStateStore}) and to enumerate app state in
+   * {@link ConnectionStateStore.entries}.
    */
   getConnections: () => TConn[];
   /**
@@ -1720,13 +2382,17 @@ interface IWsConnectionStateStoreOptions<TConn, TApp> {
   schema?: StandardSchemaV1<unknown, TApp>;
 }
 /**
- * A typed per-connection state store that co-owns the app state and the server handler's routing
+ * A typed per-connection state store that co-owns the app state and the acceptor handler's routing
  * binding in one attachment, so neither the consumer nor the handler has to hand-merge the two. Create
- * it through {@link ActionServerHandler.createConnectionState} (which also wires binding persistence and
- * replays surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
+ * it through {@link createConnectionStateStore} (which also wires binding persistence and replays
+ * surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
+ *
+ * The mechanism is carrier-neutral — it only needs read/write/enumerate callbacks for the connection's
+ * attachment — but it pays off on transports whose connections outlive process eviction (e.g. a
+ * Durable Object's hibernatable WebSockets), which is why it lives beside the hibernation adapter.
  *
  * ```ts
- * const players = serverHandler.createConnectionState({
+ * const players = createConnectionStateStore(serverHandler, {
  *   schema: vs_player,
  *   read: (ws) => ws.deserializeAttachment(),
  *   write: (ws, v) => ws.serializeAttachment(v),
@@ -1736,9 +2402,9 @@ interface IWsConnectionStateStoreOptions<TConn, TApp> {
  * const player = players.get(ws);
  * ```
  */
-declare class WsConnectionStateStore<TConn, TApp> {
+declare class ConnectionStateStore<TConn, TApp> {
   private readonly options;
-  constructor(options: IWsConnectionStateStoreOptions<TConn, TApp>);
+  constructor(options: IConnectionStateStoreOptions<TConn, TApp>);
   /** The validated app state for a connection, or `null` if unset / invalid. */
   get(connection: TConn): TApp | null;
   /** Set the app state, preserving the runtime binding already pinned to the connection. */
@@ -1748,356 +2414,517 @@ declare class WsConnectionStateStore<TConn, TApp> {
   /** Every live connection paired with its (validated) app state — for rebuilding in-memory state after a wake. */
   entries(): [TConn, TApp | null][];
   /** @internal Persist a freshly-bound connection's binding, preserving any app state already stored. */
-  _persistBinding(connection: TConn, binding: IActionServerConnectionBinding): void;
+  _persistBinding(connection: TConn, binding: IAcceptorConnectionBinding): void;
   /** @internal The persisted binding for a connection, if any (used to replay routing after a wake). */
-  _readBinding(connection: TConn): IActionServerConnectionBinding | undefined;
+  _readBinding(connection: TConn): IAcceptorConnectionBinding | undefined;
   private _readAttachment;
   private _validateApp;
 }
+/**
+ * Build a per-connection {@link ConnectionStateStore} bound to an {@link AcceptorHandler}: it registers
+ * itself as the handler's connection-bound persistence callback (so bindings are written without
+ * overwriting app state) and immediately replays every live connection's stored binding via
+ * {@link AcceptorHandler.rehydrateConnection} — so on a transport that resumes after eviction (e.g. a
+ * Durable Object waking from hibernation) both the app identity and the action routing come back from a
+ * single attachment, with no storage reads and no hand-rolled merge.
+ *
+ * Lives outside the handler so the generic {@link AcceptorHandler} stays free of any attachment/
+ * hibernation concern — it exposes only the neutral `setOnConnectionBound` + `rehydrateConnection`
+ * hooks this builder drives.
+ */
+declare function createConnectionStateStore<TConn, TApp>(handler: AcceptorHandler<TConn>, options: IConnectionStateStoreOptions<TConn, TApp>): ConnectionStateStore<TConn, TApp>;
 //#endregion
-//#region src/ActionRuntime/Handler/Server/ActionServerHandler.d.ts
-/** The codec shape `ActionServerHandler` uses to pack/unpack frames — same as the WS transport's. */
-type TActionChannelFormatMessage = NonNullable<IActionTransportReadyData_Ws["formatMessage"]>;
-/** How a connection encodes its frames, remembered so we answer each client in its own dialect. */
-type TActionConnectionEncoding = "json" | "binary";
-/** A connection's restorable identity — what to persist so a binding survives transport eviction. */
-interface IActionServerConnectionBinding {
-  /** Full client coordinate, so `originClient` can be re-injected into frames that omit it. */
-  client: IRuntimeCoordinate;
-  encoding: TActionConnectionEncoding;
-  /**
-   * Secure-session state (set once a connection's handshake completes). Persist it alongside the
-   * binding so an authenticated/encrypted connection resumes after eviction without re-handshaking —
-   * the `keyMaterial` lets the server re-derive the shared key from its own persisted identity.
-   */
-  secure?: {
-    securityLevel: ESecurityLevel;
-    linkedClientId: TTypeAndId;
-    keyMaterial?: IHandshakeEncryptionKeyMaterial;
-  };
+//#region src/ActionRuntime/Handler/PeerLink/Connector/err_nice_external_client.d.ts
+declare const err_nice_external_client: import("@nice-code/error").NiceErrorDomain<{
+  domain: string;
+  allDomains: [string, string, "err_nice"];
+  schema: {};
+}>;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/createInMemoryChannel.d.ts
+type TFrame = string | ArrayBuffer | Uint8Array;
+/** The peer (server) end of an in-memory pair — what you feed into an `AcceptorHandler`. */
+interface IInMemoryServerEndpoint {
+  /** Write a frame back to the client end. */
+  send(frame: TFrame): void;
+  /** Register the inbound handler (frames the client sent). */
+  onMessage(handler: (frame: TFrame) => void): void;
+  /** Close the pair from this end. */
+  close(): void;
+  /** Notified when the pair closes (from either end). */
+  onClose(handler: () => void): void;
+}
+interface IInMemoryChannelPair {
+  /** The client end — pass as a {@link IDuplexCarrier} to a `LinkTransport`. */
+  clientChannel: IDuplexCarrier;
+  /** The server end — wire into an `AcceptorHandler` (`send` + `receive`). */
+  serverEndpoint: IInMemoryServerEndpoint;
 }
 /**
- * Server-side secure-channel config. When set, each connection negotiates a level from
- * {@link securityLevel}: an `authenticated`/`encrypted` client must complete the handshake (and is then
- * bound to its *authenticated* coordinate) before any action frame is accepted. A `none` client (only
- * when `none` is in the allowed set) is accepted as-is with a self-asserted identity. For the
- * `encrypted` level the codec source should be a session factory (`createFormatMessage`).
+ * Two cross-wired in-process byte channels — a loopback carrier with no socket. The client end is a
+ * {@link IDuplexCarrier} you hand to a {@link LinkTransport}; the server end plugs into an
+ * `AcceptorHandler` (`send: (_, f) => serverEndpoint.send(f)`, and `serverEndpoint.onMessage(f =>
+ * handler.receive(conn, f))`). Frames are delivered on a microtask, so each side observes the other
+ * asynchronously — exactly like a real transport — which makes this ideal for tests and for running
+ * two runtimes in one process (or proving a non-WS carrier end to end).
  */
-interface IActionServerSecurity {
-  /**
-   * Accepted level(s). A single level is strict; an array is a negotiable allowed set — the server
-   * adopts whichever level each client requests (e.g. `[none, authenticated, encrypted]` serves all
-   * three over one endpoint).
-   */
-  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
-  /** This server's crypto identity (verify + exchange key pairs, optionally persisted). */
-  link: ClientCryptoKeyLink;
-  /** This server's coordinate — its identity to clients during the handshake. */
-  localCoordinate: IRuntimeCoordinate;
-  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
-  dictionaryVersion: string;
-  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
-}
-interface IActionServerHandlerBaseOptions<TConn> {
-  /**
-   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`).
-   * The runtime's return-path dispatch scores incoming actions' `originClient` against this to pick
-   * this handler for sending results/pushes back over the right channel.
-   */
-  clientEnv: RuntimeCoordinate;
-  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
-  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
-  /**
-   * The runtime this handler belongs to. When set, {@link ActionServerHandler.broadcast} can be called
-   * without threading a runtime through each call. Optional — `pushToClient` still takes one explicitly.
-   */
-  runtime?: ActionRuntime;
-  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
-  defaultTimeout?: number;
-  /**
-   * Called once when a connection is first bound to a client identity. Use it to persist the binding
-   * for transports that can resume after eviction — e.g. a Durable Object's hibernatable WebSocket:
-   * `(ws, binding) => ws.serializeAttachment(binding)` — then replay it via {@link ActionServerHandler.rehydrateConnection}
-   * when the channel comes back.
-   */
-  onConnectionBound?: (connection: TConn, binding: IActionServerConnectionBinding) => void;
-  /**
-   * Enable the authenticated (optionally encrypted) handshake. When omitted, connections are trusted
-   * as-is (identity self-asserted) — fine for dev / trusted networks.
-   */
-  security?: IActionServerSecurity;
+declare function createInMemoryChannelPair(): IInMemoryChannelPair;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/inMemoryCarrier.d.ts
+interface IInMemoryCarrier {
+  /** The connector end — pass as the `carrier` to {@link secureTransport} / `LinkTransport`. */
+  carrier: IDuplexCarrierSource;
+  /** The acceptor end — wire into an `AcceptorHandler` (`send` + `receive`). */
+  serverEndpoint: IInMemoryServerEndpoint;
 }
 /**
- * Provide exactly one codec source:
- * - `formatMessage` — a single shared codec for every connection (stateless, e.g. `createBinaryWsAdapter`).
- * - `createFormatMessage` — a per-connection factory for stateful codecs (e.g.
- *   `createBinaryWsSessionFactory`, whose sessions hold correlation + identity state). Required for the
- *   leanest binary wire; the handler creates and caches one codec per connection.
+ * A loopback duplex carrier with no socket — two cross-wired in-process ends. The connector end is an
+ * {@link IDuplexCarrierSource} for {@link secureTransport}; the acceptor end plugs into an
+ * `AcceptorHandler`. Ideal for tests and for running two runtimes in one process, or proving a
+ * non-WS carrier end to end.
  */
-type IActionServerHandlerOptions<TConn> = IActionServerHandlerBaseOptions<TConn> & ({
-  formatMessage: TActionChannelFormatMessage;
-  createFormatMessage?: never;
-} | {
-  createFormatMessage: () => TActionChannelFormatMessage;
-  formatMessage?: never;
-});
+declare function inMemoryCarrier(): IInMemoryCarrier;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/rtc/rtcDataChannelByteChannel.d.ts
 /**
- * A connection-aware execution case (see {@link ActionServerHandler.forConnectionDomainCases}). It
- * receives the primed request plus the originating client's live connection (already resolved from the
- * request's `originClient`, `undefined` if the socket is gone), and may return the action's raw output,
- * a result payload, or nothing (auto-wrapped as an empty success) — exactly like a local handler case.
+ * The slice of the `RTCDataChannel` surface this adapter uses — declared structurally so it accepts the
+ * browser `RTCDataChannel`, React-Native (`react-native-webrtc`), or any node-webrtc shim without a hard
+ * dependency on a specific DOM/RN type. A real `RTCDataChannel` satisfies it as-is.
  */
-type TServerConnectionCaseFn<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string, TConn> = (action: TDistributeActionPayload_Request<DOM, ID>, connection: TConn | undefined) => ReturnType<THandleActionExecutionFn<DOM, ID>> | void;
+interface IRtcDataChannelLike {
+  readyState: string;
+  binaryType: string;
+  label?: string;
+  send(data: string | ArrayBuffer | ArrayBufferView): void;
+  close(): void;
+  addEventListener(type: string, listener: (event: any) => void, options?: unknown): void;
+}
 /**
- * Server-side handler for backends that accept many client connections over a single open channel
- * (WebSockets, Durable Objects, …). It is transport-agnostic: you feed it inbound frames with
- * {@link receive} and tell it how to write outbound frames via the `send` option.
- *
- * Add it alongside your local execution handler:
- * ```ts
- * const serverHandler = createServerHandler({ clientEnv, formatMessage, send: (ws, f) => ws.send(f) });
- * runtime.addHandlers([localHandler, serverHandler]);
- * // per inbound message (e.g. a Durable Object's webSocketMessage):
- * serverHandler.receive(ws, message);
- * ```
- *
- * Inbound requests route to your local handler; the runtime's return dispatch then calls this
- * handler back (it is an external handler keyed to `clientEnv`) to send the result to the originating
- * connection. The handler keeps a per-connection identity registry so each result lands on the right
- * socket, and remembers each connection's encoding so binary and JSON clients can share the channel.
+ * Adapt a WebRTC `RTCDataChannel` to the carrier-agnostic {@link IDuplexCarrier}, so two browsers
+ * (or two mobile apps) linked peer-to-peer — no server in the middle — run the *same* secure session as
+ * a WebSocket. Hand it to `createSecureLinkTransport({ openChannel: () => rtcDataChannelByteChannel(dc) })`.
  *
- * It registers an empty action router, so it is never chosen to *execute* an inbound request — only
- * to ferry results/pushes back out.
+ * The data channel must already be created (its negotiation/signaling is the app's concern); this only
+ * drives bytes over it. Binary frames are requested as `ArrayBuffer` so the binary session codec unpacks
+ * them synchronously; a `Blob` (if the channel hands one back) is normalized to a buffer.
  */
-declare class ActionServerHandler<TConn = unknown> extends ActionExternalClientHandler {
-  private readonly _formatMessage?;
-  private readonly _createFormatMessage?;
-  private readonly _send;
-  private readonly _runtime?;
-  private readonly _serverTimeout;
-  private _onConnectionBound?;
-  /** Incoming-data listeners installed by the runtime (`resolveIncomingActionPayload`). */
-  private readonly _incomingListeners;
-  private readonly _security?;
-  /** Normalized accepted levels; whether `none` (plain) is allowed; whether any level needs a handshake. */
-  private readonly _allowedLevels;
-  private readonly _noneAllowed;
-  private readonly _handshakeMode;
-  private readonly _connByClient;
-  private readonly _clientByConn;
-  private readonly _connEncoding;
-  private readonly _codecByConn;
-  private readonly _handshakeByConn;
-  private readonly _cryptoByConn;
-  private readonly _authedConns;
-  private readonly _plainConns;
-  private readonly _inboundChainByConn;
-  private readonly _outboundChainByConn;
-  constructor(options: IActionServerHandlerOptions<TConn>);
-  /**
-   * The codec for a connection: a per-connection session (cached) when a factory was provided, else
-   * the single shared `formatMessage`.
-   */
-  private _codecFor;
-  _setIncomingActionDataListener(listener: (json: TActionPayload_Any_JsonObject<any>) => void): void;
-  /**
-   * Register (or replace) the connection-bound persistence callback after construction. Used by
-   * lifecycle helpers like {@link createHibernatableWsServerAdapter} so persistence and replay are
-   * owned by one place instead of being split across the constructor options.
-   */
-  setOnConnectionBound(onConnectionBound: (connection: TConn, binding: IActionServerConnectionBinding) => void): void;
-  /**
-   * Create a typed per-connection state store that co-owns the consumer's app state and this handler's
-   * routing binding in one attachment. It registers itself as the connection-bound persistence callback
-   * (so bindings are written without overwriting app state) and immediately replays every live
-   * connection's stored binding via {@link rehydrateConnection} — so on a transport that resumes after
-   * eviction (e.g. a Durable Object waking from hibernation) both the app identity and the action
-   * routing come back from a single attachment, with no storage reads and no hand-rolled merge.
-   *
-   * This supersedes {@link createHibernatableWsServerAdapter} for app code that also pins its own state
-   * to the connection. Construct it once when the handler is built, then `get`/`set` app state directly.
-   */
-  createConnectionState<TApp>(options: IWsConnectionStateStoreOptions<TConn, TApp>): WsConnectionStateStore<TConn, TApp>;
-  /**
-   * Feed one inbound frame from a connection into the runtime. Decodes text or binary, binds the
-   * connection to the requesting client's identity, then routes it (requests execute locally;
-   * results/progress resolve pending server-initiated actions).
-   */
-  receive(connection: TConn, frame: string | ArrayBuffer | Uint8Array): void;
-  private _receivePlain;
-  private _receiveSecure;
-  private _completeServerHandshake;
-  /**
-   * Ensure an inbound request carries the client's identity and that this connection is bound to it,
-   * so its result can be routed back. A session codec omits `originClient` after the first request, so
-   * when it's missing we restore it from the (possibly rehydrated) binding instead. (Plain mode only;
-   * secure mode binds the authenticated coordinate at handshake time.)
-   */
-  private _resolveRequestIdentity;
-  /**
-   * Restore a connection→client binding without an inbound frame — for transports that resume after
-   * eviction. Pair it with the {@link IActionServerHandlerOptions.onConnectionBound} hook: persist
-   * the binding there, then replay each live connection here when the channel comes back (e.g. a
-   * Durable Object iterating `ctx.getWebSockets()` as it wakes from hibernation).
-   */
-  rehydrateConnection(connection: TConn, binding: IActionServerConnectionBinding): void;
-  toHandlerRouteItem(): IActionRouteItemHandler;
-  /** Forget a connection (call on socket close) so stale entries don't misroute later results. */
-  dropConnection(connection: TConn): void;
-  /** Live connection for a client coordinate, if currently registered. */
-  getConnectionForClient(client: RuntimeCoordinate): TConn | undefined;
-  /**
-   * Send (and optionally await) a server-initiated action to a specific connected client. Pass the
-   * connection token directly (e.g. the `ws`) or a client `RuntimeCoordinate` to look one up.
-   */
-  pushToClient<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(runtime: ActionRuntime, target: TConn | RuntimeCoordinate, request: ActionPayload_Request<DOM, ID>, options?: {
-    timeout?: number;
-  }): RunningAction<DOM, ID>;
+declare function rtcDataChannelByteChannel(dc: IRtcDataChannelLike): IDuplexCarrier;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/rtc/rtcCarrier.d.ts
+interface IRtcCarrierOptions {
+  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+}
+/**
+ * A WebRTC {@link IDuplexCarrierSource} over an already-negotiated `RTCDataChannel` (signaling is the
+ * app's concern). Hand it to {@link secureTransport} so two browsers/apps linked peer-to-peer run the
+ * identical secure session as a WebSocket.
+ */
+declare function rtcCarrier(dataChannel: IRtcDataChannelLike, options?: IRtcCarrierOptions): IDuplexCarrierSource;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/err_nice_transport_ws.d.ts
+declare enum EErrId_NiceTransport_WebSocket {
+  ws_disconnected = "ws_disconnected",
+  ws_create_failed = "ws_create_failed",
+  ws_error = "ws_error"
+}
+declare const err_nice_transport_ws: import("@nice-code/error").NiceErrorDomain<{
+  domain: string;
+  allDomains: [string, string, string, string, "err_nice"];
+  schema: {
+    ws_disconnected: import("@nice-code/error").INiceErrorIdMetadata<Record<string, never>, import("@nice-code/error").JSONSerializableValue>;
+    ws_create_failed: import("@nice-code/error").INiceErrorIdMetadata<{
+      originalError?: Error;
+    }, import("@nice-code/error").JSONSerializableValue>;
+    ws_error: import("@nice-code/error").INiceErrorIdMetadata<{
+      originalError?: Error;
+    }, import("@nice-code/error").JSONSerializableValue>;
+  };
+}>;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/wsAcceptorCarrier.d.ts
+interface IWsAcceptorCarrierOptions<TConn> {
   /**
-   * Build a local handler whose cases are connection-aware: each case receives the primed request and
-   * the originating client's live connection (resolved from `originClient`), so handlers don't repeat
-   * the `getConnectionForClient(action.context.originClient)` lookup. Cases may return raw output or
-   * nothing, just like {@link ActionLocalHandler.forDomainActionCases}. Add the returned handler to the
-   * runtime alongside this server handler:
-   * ```ts
-   * runtime.addHandlers([serverHandler.forConnectionDomainCases(domain, { … }), serverHandler]);
-   * ```
+   * Whether each socket runs the secure handshake (default `true`). Pass `false` for a plain WS endpoint
+   * — connections speak the channel's wire codec with a self-asserted identity, no handshake/pins/encryption
+   * (and `serveChannel` then needs no `storage` for this carrier).
    */
-  forConnectionDomainCases<FOR_DOM extends IActionDomain>(domain: ActionDomain<FOR_DOM>, cases: { [ID in keyof FOR_DOM["actionSchema"] & string]?: TServerConnectionCaseFn<FOR_DOM, ID, TConn> }): ActionLocalHandler;
+  secure?: boolean;
+  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
+  send: (connection: TConn, frame: TFrame$1) => void;
   /**
-   * Fan a server-initiated request out to every currently-bound connection. A fresh request is built
-   * per connection (each push mutates its own action context) and dispatched fire-and-forget. Pass
-   * `except` to skip the originating socket and `where` to filter by connection (e.g. read its
-   * attachment for a role). Iterating bound connections (rather than every accepted socket) skips
-   * sockets that are still mid-handshake and so can't yet receive a frame.
+   * Perform the transport-specific WebSocket upgrade, returning its raw response (e.g. a Durable Object's
+   * `new WebSocketPair()` + `ctx.acceptWebSocket()` → a `101`). Omit if sockets are fed in out of band.
    */
-  broadcast<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(makeRequest: () => ActionPayload_Request<DOM, ID>, options?: {
-    runtime?: ActionRuntime;
-    except?: TConn | null;
-    where?: (connection: TConn) => boolean;
-    timeout?: number;
-    onError?: (error: unknown, connection: TConn) => void;
-  }): void;
-  sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
-    targetLocalRuntime: ActionRuntime;
-  }): Promise<boolean>;
-  handleActionRequest<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions): Promise<RunningAction<DOM, ID>>;
-  private _dispatch;
-  private _sendPayload;
-  private _bindConnection;
-  private _resolveConnection;
-  private _resolveSingleConnection;
+  upgrade?: (request: Request, url: URL) => Response | Promise<Response>;
+  /** Whether an inbound request is a WS upgrade. Defaults to an `Upgrade: websocket` header. */
+  isUpgrade?: (request: Request, url: URL) => boolean;
+  /** Persistence + replay hooks for hibernatable sockets (e.g. a Durable Object). */
+  hibernation?: IAcceptorHibernation<TConn>;
+  /** Override the devtools carrier-kind label (defaults to `"ws"`). */
+  carrierLabel?: string;
 }
-declare const createServerHandler: <TConn = unknown>(options: IActionServerHandlerOptions<TConn>) => ActionServerHandler<TConn>;
+/**
+ * A WebSocket {@link IDuplexAcceptorCarrier}: the accept-in dual of {@link wsCarrier}. It describes how to
+ * write frames back to a live socket, how to upgrade an inbound request into one, and (optionally) how to
+ * persist bindings across hibernation. Hand it to `serveChannel`'s `carriers` list — the secure session,
+ * codec, and crypto identity are supplied centrally there, so this only carries the WS-specific surface.
+ */
+declare function wsAcceptorCarrier<TConn = WebSocket>(options: IWsAcceptorCarrierOptions<TConn>): IDuplexAcceptorCarrier<TConn>;
 //#endregion
-//#region src/ActionRuntime/Handler/Server/createActionFetchHandler.d.ts
-interface IActionFetchHandlerOptions {
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/wsCarrier.d.ts
+interface IWsCarrierOptions {
+  /** Override socket creation (defaults to a `new WebSocket(url)` with `binaryType = "arraybuffer"`). */
+  createWebSocket?: (input: ITransportRouteActionParams) => WebSocket;
+  /** Override the reuse key (defaults to `[url]`, so one socket is shared per endpoint). */
+  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
+  /** Override the devtools route info for a specific action. */
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+}
+/**
+ * A WebSocket {@link IDuplexCarrierSource}: opens an `arraybuffer` socket to `url` (cached per endpoint)
+ * and adapts it to a carrier. Hand it to {@link secureTransport} (or `LinkTransport`) — the WebSocket is
+ * now "just another carrier" under the shared secure session, with no WS-specific transport class.
+ */
+declare function wsCarrier(url: string, options?: IWsCarrierOptions): IDuplexCarrierSource;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpAcceptorCarrier.d.ts
+interface IHttpAcceptorCarrierOptions {
   /**
-   * CORS headers merged onto every response (a preflight `OPTIONS` is answered `204` with them).
-   * Defaults to permissive `*`; pass `false` to attach no CORS headers at all.
+   * Whether this endpoint runs the secure exchange protocol (default `true`). Pass `false` for a plain
+   * endpoint — the body is the raw action wire and the result is the response body, the request/reply dual
+   * of `plainTransport({ carrier: httpCarrier(...) })`. A plain endpoint ignores the crypto identity, so it
+   * can sit alongside a secure WebSocket on the same server (e.g. a secure WS preferred, plain HTTP fallback).
    */
-  cors?: Record<string, string> | false;
-  /** Which requests carry an action wire on `POST`. Default: pathname ends with `/action`. */
+  secure?: boolean;
+  /** Which requests carry an action exchange envelope on `POST`. Defaults to `serveChannel`'s path match. */
   isActionPath?: (url: URL) => boolean;
-  /** Which requests are WebSocket upgrades. Default: pathname ends with `/ws`. */
-  isWebSocketPath?: (url: URL) => boolean;
   /**
-   * Perform the transport-specific WebSocket upgrade (e.g. a Durable Object's
-   * `new WebSocketPair()` + `ctx.acceptWebSocket()` returning a `101`). Omit for HTTP-only endpoints.
-   * Its response is returned as-is — a `101` upgrade carries no CORS headers.
+   * CORS headers merged onto every response (a preflight `OPTIONS` is answered `204`). Defaults to the
+   * permissive `*` set; pass `false` to attach no CORS headers at all.
    */
-  onWebSocketUpgrade?: (request: Request, url: URL) => Response | Promise<Response>;
-  /** Forwarded to `ActionPayload_Result.toHttpResponse` — use the error's HTTP status (default true). */
+  cors?: Record<string, string> | false;
+  /** Plain mode only: use the error's HTTP status for failures (default `true`). Ignored when secure. */
   useErrorStatus?: boolean;
+  /** Override the devtools carrier-kind label (defaults to `"http"`). */
+  carrierLabel?: string;
 }
 /**
- * Build the `fetch` handler a server/Durable-Object exposes for action traffic, folding in the
- * boilerplate every endpoint repeats: CORS (incl. the `OPTIONS` preflight), routing the `/action`
- * `POST` body through the runtime (`handleActionPayloadWire` → `waitForResultPayload` →
- * `toHttpResponse`), an optional WebSocket-upgrade hook, and a `404` fallback.
+ * An HTTP {@link IExchangeAcceptorCarrier}: the accept-in dual of {@link httpCarrier}. It serves the
+ * secure exchange protocol (handshake → token session → encrypted frames) over web-standard
+ * `Request`/`Response`. The crypto identity, runtime coordinate, dictionary version, and accepted security
+ * levels are all supplied centrally by `serveChannel`, so this only needs to say which requests carry an
+ * action envelope and how to answer CORS.
+ */
+declare function httpAcceptorCarrier(options?: IHttpAcceptorCarrierOptions): IExchangeAcceptorCarrier;
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpCarrier.d.ts
+/** The HTTP request an action is sent over (the body is supplied by the secure exchange session). */
+interface IHttpCarrierRequest {
+  url: string;
+  headers?: Record<string, string>;
+}
+/** The slice of `fetch` the carrier uses — a structural type so callers (and tests) needn't match the
+ * full platform `fetch` (Bun's adds `preconnect`, etc.). The global `fetch` satisfies it. */
+type TCarrierFetch = (input: string, init?: RequestInit) => Promise<Response>;
+interface IHttpCarrierOptions {
+  /** Override the reuse key (defaults to `[url]`, so one session is shared per endpoint). */
+  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
+  /** Override the devtools route info for a specific action. */
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+  /** Override `fetch` (e.g. to route to an in-memory handler in tests). Defaults to global `fetch`. */
+  fetch?: TCarrierFetch;
+}
+/**
+ * An HTTP {@link IExchangeCarrierSource}: each `exchange` POSTs one frame body to the action endpoint and
+ * resolves with the response body as the single correlated reply. Hand it to {@link secureTransport} —
+ * HTTP then runs the *same* secure session as a duplex carrier (handshake → token → encrypted frames),
+ * the request/reply correlation provided for free by the HTTP transaction.
  *
- * It only touches web-standard `Request`/`Response`, so it stays transport-agnostic — the one
- * environment-specific bit (the WS upgrade) is injected via {@link IActionFetchHandlerOptions.onWebSocketUpgrade}:
- * ```ts
- * this.fetchHandler = createActionFetchHandler(this.runtime, {
- *   onWebSocketUpgrade: () => {
- *     const pair = new WebSocketPair();
- *     this.ctx.acceptWebSocket(pair[1]);
- *     return new Response(null, { status: 101, webSocket: pair[0] });
- *   },
- * });
- * // async fetch(request) { return this.fetchHandler(request); }
- * ```
+ * `createRequest` derives the URL/headers per action (keep it simple with `() => ({ url })`). The body is
+ * the session's responsibility, so it is never built here.
  */
-declare function createActionFetchHandler(runtime: ActionRuntime, options?: IActionFetchHandlerOptions): (request: Request) => Promise<Response>;
+declare function httpCarrier(createRequest: (input: ITransportRouteActionParams) => IHttpCarrierRequest, options?: IHttpCarrierOptions): IExchangeCarrierSource;
 //#endregion
-//#region src/ActionRuntime/Handler/Server/createSecureActionServer.d.ts
-interface ISecureActionServerHandlerOptions<TConn> {
-  /** The shared channel identity (codec + dictionary version) — same one the clients use. */
-  channel: ISecureWsChannel;
+//#region src/ActionRuntime/Transport/codec/createBinaryWireAdapter.d.ts
+/**
+ * Builds a *stateless* `formatMessage` pipeline for {@link LinkTransport}, packing action
+ * payloads into a compact msgpackr binary frame instead of JSON. The `domain`/`id` route collapses to
+ * a single integer drawn from a shared dictionary; `form`/`type`, the recomputable
+ * `inputHash`/`outputHash`, and the per-frame `context.routing`/`context.timeCreated` are all dropped
+ * (see {@link ENVELOPE}).
+ *
+ * No validation runs here: `incoming` blindly reconstructs the wire JSON shape and hands it back to
+ * the connection, which flows into `ActionRuntime` → `domain.hydrateAnyAction()` where the Valibot
+ * schemas validate it exactly as they would for a JSON frame.
+ *
+ * Both ends of the socket MUST construct the adapter with the same domains in the same order — the
+ * integer dictionary is positional. Mismatched dictionaries will route to the wrong action.
+ *
+ * Because `incoming` returns `undefined` for text frames, a binary server can still serve plain-JSON
+ * clients on the same runtime (the connection falls back to its built-in JSON parser).
+ */
+declare function createBinaryWireAdapter(domains: ActionDomain<any>[]): IActionWireFormat;
+//#endregion
+//#region src/ActionRuntime/Transport/crypto/actionFrameCrypto.d.ts
+/**
+ * Async AES-GCM transform for the `encrypted` security level. It wraps the opaque binary frame a
+ * session codec produces (it does NOT look inside it), encrypting on the way out and decrypting on the
+ * way in with the shared key established by the handshake.
+ *
+ * It is deliberately separate from the (synchronous) session `formatMessage`: WebCrypto is always
+ * Promise-based, so encryption has to happen at the transport's async I/O boundary — the connection
+ * encrypts after `session.outgoing()` and decrypts before `session.incoming()`. The `authenticated`
+ * and `none` levels use no crypto transform at all (frames go out as the session produced them).
+ *
+ * Wire shape of an encrypted frame: `pack([nonceBytes, ciphertextBytes])` — msgpack carries the two
+ * binary fields with a couple of bytes of overhead, no base64 inflation.
+ */
+interface IActionFrameCrypto {
+  /** Encrypt one session frame for sending. */
+  encryptFrame(frame: Uint8Array): Promise<Uint8Array>;
+  /** Decrypt one received frame back to the session frame. Throws on a non-binary / malformed /
+   * tampered frame — the caller (transport) decides how to react (drop / close). */
+  decryptFrame(frame: string | ArrayBuffer | Uint8Array): Promise<Uint8Array>;
+}
+interface IActionFrameCryptoConfig {
+  link: ClientCryptoKeyLink;
+  /** The handshake-established link id for the remote (key + connection-registry id). */
+  linkedClientId: TTypeAndId;
+}
+/**
+ * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
+ * level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+ */
+declare function createActionFrameCrypto({
+  link,
+  linkedClientId
+}: IActionFrameCryptoConfig): IActionFrameCrypto;
+//#endregion
+//#region src/ActionRuntime/Transport/Exchange/TransportExchange.types.d.ts
+interface IActionTransportReadyData_Exchange extends IActionTransportReadyData_Base {
+  /** The live request/reply carrier this connection drives its session over. */
+  carrier: IExchangeCarrier;
+  /** Optional authenticated/encrypted config; the handshake runs once at bring-up when set. */
+  secureChannel?: ISecureClientConfig;
+}
+interface IActionTransportInitialized_Exchange extends IActionTransportInitialized<ITransportRouteActionParams, IActionTransportReadyData_Exchange> {}
+interface IActionTransportDef_Exchange extends IActionTransportDef<ETransportShape.exchange, IActionTransportInitialized_Exchange> {}
+//#endregion
+//#region src/ActionRuntime/Transport/Exchange/ExchangeConnection.d.ts
+/**
+ * Carrier-agnostic live connection for the exchange (request → single reply) shape — the HTTP
+ * counterpart to {@link LinkConnection}. It owns only the bring-up (run the secure handshake on first
+ * use); the request/reply lifecycle + crypto live in the shared `establishExchangeSession`.
+ */
+declare class ExchangeConnection extends TransportConnection<ETransportShape.exchange, ITransportRouteActionParams, IActionTransportReadyData_Exchange, IActionTransportInitialized_Exchange, IActionTransportDef_Exchange> {
+  constructor(def: Omit<IActionTransportDef_Exchange, "type">);
+  protected _getCacheKey(input: ITransportRouteActionParams): string;
+  protected _needsAsyncBringUp(data: IActionTransportReadyData_Exchange): boolean;
+  protected _finalizeReady(data: IActionTransportReadyData_Exchange): IActionTransportReadyData_Methods | Promise<IActionTransportReadyData_Methods>;
+  _finalizeTransportMethods(data: IActionTransportReadyData_Exchange): IActionTransportReadyData_Methods;
+  private _sessionContext;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Exchange/ExchangeTransport.d.ts
+interface IExchangeTransportOptions {
+  /** Open (or reuse) the exchange carrier for an action — e.g. `httpCarrier(...).open`. */
+  openCarrier: (input: ITransportRouteActionParams) => IExchangeCarrier;
+  /** Secure config; when set (and `securityLevel !== none`) the handshake runs once at bring-up. */
+  security?: ISecureClientConfig;
+  updateRunConfig?: TUpdateActionRunConfig;
+  /** Keys identifying a reusable session, so one carrier is shared across actions to the same peer. */
+  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
+  /** Short label for the devtools chip (defaults to "exchange"). */
+  label?: string;
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+}
+/**
+ * A carrier-agnostic exchange (request → single reply) transport: it drives nice-action's secure session
+ * over any {@link IExchangeCarrier} (HTTP being the one built-in). The duplex counterpart is
+ * {@link LinkTransport}; this is the no-push half — its reply rides the response to its own request, so it
+ * can't deliver an unsolicited frame (the runtime never picks it for the return path).
+ */
+declare class ExchangeTransport extends Transport<ETransportShape.exchange> {
+  private readonly options;
+  readonly type = ETransportShape.exchange;
+  constructor(options: IExchangeTransportOptions);
+  static create(options: IExchangeTransportOptions): ExchangeTransport;
+  _createConnection(_ctx: ITransportConnectionContext): ExchangeConnection;
+  getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/err_nice_transport.d.ts
+declare enum EErrId_NiceTransport {
+  timeout = "timeout",
+  not_found = "not_found",
+  unsupported = "unsupported",
+  initialization_failed = "initialization_failed",
+  send_failed = "send_failed",
+  invalid_action_response = "invalid_action_response"
+}
+declare const err_nice_transport: import("@nice-code/error").NiceErrorDomain<{
+  domain: string;
+  allDomains: [string, string, string, "err_nice"];
+  schema: {
+    timeout: import("@nice-code/error").INiceErrorIdMetadata<{
+      timeout: number;
+    }, import("@nice-code/error").JSONSerializableValue>;
+    not_found: import("@nice-code/error").INiceErrorIdMetadata<{
+      actionId: string;
+    }, import("@nice-code/error").JSONSerializableValue>;
+    unsupported: import("@nice-code/error").INiceErrorIdMetadata<{
+      transportShapes: ETransportShape[];
+    }, import("@nice-code/error").JSONSerializableValue>;
+    initialization_failed: import("@nice-code/error").INiceErrorIdMetadata<{
+      actionId: string;
+    }, import("@nice-code/error").JSONSerializableValue>;
+    send_failed: import("@nice-code/error").INiceErrorIdMetadata<{
+      actionState: string;
+      actionId: string;
+      httpStatusCode?: number;
+      message?: string;
+    }, import("@nice-code/error").JSONSerializableValue>;
+    invalid_action_response: import("@nice-code/error").INiceErrorIdMetadata<{
+      actionId: string;
+    }, import("@nice-code/error").JSONSerializableValue>;
+  };
+}>;
+//#endregion
+//#region src/ActionRuntime/Transport/Link/TransportLink.types.d.ts
+/** The per-connection codec (positional binary wire / JSON fallback) the carrier's session uses. */
+type TLinkFormatMessage = IActionWireFormat;
+interface IActionTransportReadyData_Link extends IActionTransportReadyData_Base {
+  /** The live carrier this connection drives its session over. */
+  channel: IDuplexCarrier;
+  formatMessage?: TLinkFormatMessage;
+  /** Optional authenticated/encrypted channel; the connection runs the handshake during init. */
+  secureChannel?: ISecureClientConfig;
+}
+interface IActionTransportInitialized_Link extends IActionTransportInitialized<ITransportRouteActionParams, IActionTransportReadyData_Link> {}
+interface IActionTransportDef_Link extends IActionTransportDef<ETransportShape.duplex, IActionTransportInitialized_Link> {}
+//#endregion
+//#region src/ActionRuntime/Transport/Link/LinkConnection.d.ts
+/**
+ * Carrier-agnostic live connection. It owns only the *bring-up* (open the carrier, then run the secure
+ * session); the session itself — handshake, frame crypto, codec, send/receive — lives in the shared
+ * {@link finalizeSecureLinkMethods}/{@link finalizePlainLinkMethods}, so a WebSocket, a WebRTC data
+ * channel, a Bluetooth characteristic, and an in-memory pipe all run the identical secure layer.
+ */
+declare class LinkConnection extends TransportConnection<ETransportShape.duplex, ITransportRouteActionParams, IActionTransportReadyData_Link, IActionTransportInitialized_Link, IActionTransportDef_Link> {
+  private resolvers;
+  constructor(def: Omit<IActionTransportDef_Link, "type">, resolvers?: IActionTransportResolvers);
+  protected _getCacheKey(input: ITransportRouteActionParams): string;
+  protected _needsAsyncBringUp(): boolean;
+  protected _awaitCarrierReady(data: IActionTransportReadyData_Link): Promise<void>;
+  protected _finalizeReady(data: IActionTransportReadyData_Link): IActionTransportReadyData_Methods | Promise<IActionTransportReadyData_Methods>;
+  private _sessionContext;
+  _finalizeTransportMethods(data: IActionTransportReadyData_Link): IActionTransportReadyData_Methods;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Link/LinkTransport.d.ts
+interface ILinkTransportOptions {
   /**
-   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
-   * used to route results/pushes back over this handler.
+   * Open (or reuse) the carrier for an action — a WebSocket adapter, a WebRTC data channel, a Bluetooth
+   * characteristic, an in-memory pipe, anything that satisfies {@link IDuplexCarrier}.
    */
-  clientEnv: RuntimeCoordinate;
-  /** This server's runtime — its coordinate is the server identity presented in the handshake. */
-  runtime: ActionRuntime;
+  openChannel: (input: ITransportRouteActionParams) => IDuplexCarrier;
+  /** Shared codec for every channel (stateless). */
+  formatMessage?: TLinkFormatMessage;
   /**
-   * One backing store for the server's crypto identity *and* its trust-on-first-use verify-key pins.
-   * Their keys don't collide, so a single adapter is enough; back it with persistent storage (e.g. a
-   * Durable Object's storage) so identity and pins survive eviction.
+   * Per-channel codec factory — called once per opened channel so stateful codecs (e.g. the binary
+   * session) get their own instance. Takes precedence over `formatMessage`.
    */
-  storageAdapter: StorageAdapter;
-  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
-  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
-  /** Accepted level(s); defaults to negotiating any of none/authenticated/encrypted. */
-  securityLevel?: ESecurityLevel | readonly ESecurityLevel[];
-  /** Trust decision for a client's verify key; defaults to storage-backed TOFU over `storageAdapter`. */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
-  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
-  defaultTimeout?: number;
+  createFormatMessage?: () => TLinkFormatMessage;
+  /** Secure-channel config; when set (and `securityLevel !== none`) the handshake runs on init. */
+  security?: ISecureClientConfig;
+  updateRunConfig?: TUpdateActionRunConfig;
+  /** Keys identifying a reusable channel, so one carrier is shared across actions to the same peer. */
+  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
+  /** Short label for the devtools chip (defaults to "link"). */
+  label?: string;
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
 }
 /**
- * Build an {@link ActionServerHandler} for the secure binary channel with the boilerplate folded in:
- * it creates the {@link ClientCryptoKeyLink} and the storage-backed TOFU resolver from a single
- * `storageAdapter`, installs the channel's per-connection codec, and assembles the `security` block
- * from the runtime coordinate + channel version (accepting all three levels by default).
- *
- * For a hibernatable transport (e.g. a Durable Object), pair it with
- * {@link createHibernatableWsServerAdapter} to wire persistence + replay.
+ * A carrier-agnostic transport: it drives nice-action's secure session + action routing over any
+ * {@link IDuplexCarrier}. The WebSocket transport is the special case that opens a `WebSocket`;
+ * this opens whatever `openChannel` returns, so the identical secure layer works over WebRTC, Bluetooth,
+ * or an in-memory pipe. Reported with an overridable carrier label in the devtools (defaults to "link").
  */
-declare function createSecureActionServerHandler<TConn = unknown>(options: ISecureActionServerHandlerOptions<TConn>): ActionServerHandler<TConn>;
-interface IHibernatableWsServerAdapterOptions<TConn> {
-  /** The handler to drive (from {@link createSecureActionServerHandler} or `createServerHandler`). */
-  handler: ActionServerHandler<TConn>;
-  /** All currently-live connections — replayed on construction to rebuild bindings after a wake. */
-  getWebSockets: () => TConn[];
-  /** Read a connection's persisted binding (e.g. `(ws) => ws.deserializeAttachment()`). */
-  getAttachment: (connection: TConn) => IActionServerConnectionBinding | undefined;
-  /** Persist a connection's binding when it is bound (e.g. `(ws, b) => ws.serializeAttachment(b)`). */
-  setAttachment: (connection: TConn, binding: IActionServerConnectionBinding) => void;
+declare class LinkTransport extends Transport<ETransportShape.duplex> {
+  private readonly options;
+  readonly type = ETransportShape.duplex;
+  constructor(options: ILinkTransportOptions);
+  static create(options: ILinkTransportOptions): LinkTransport;
+  _createConnection(ctx: ITransportConnectionContext): LinkConnection;
+  getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
 }
-interface IHibernatableWsServerAdapter<TConn> {
-  /** Feed one inbound frame from a connection into the handler. */
-  receive: (connection: TConn, frame: string | ArrayBuffer | Uint8Array) => void;
-  /** Forget a connection (call on socket close/error). */
-  drop: (connection: TConn) => void;
+//#endregion
+//#region src/ActionRuntime/Transport/plainTransport.d.ts
+interface IPlainTransportOptions {
+  /**
+   * How to reach the peer with no security layer. A duplex carrier (`wsCarrier(url)`,
+   * `rtcCarrier(dc)`, `inMemoryCarrier().carrier`) builds a push-capable {@link LinkTransport}; an
+   * exchange carrier (`httpCarrier(...)`) builds a request/reply {@link ExchangeTransport}.
+   */
+  carrier: IDuplexCarrierSource | IExchangeCarrierSource;
+  /**
+   * Codec for a *duplex* carrier (a duplex link frames the action wire itself). Required for duplex;
+   * ignored for an exchange carrier, which JSON-encodes the action wire in its envelope.
+   */
+  formatMessage?: TLinkFormatMessage;
+  /** Per-channel codec factory for stateful duplex codecs (e.g. the binary session). */
+  createFormatMessage?: () => TLinkFormatMessage;
+  updateRunConfig?: TUpdateActionRunConfig;
+  /** Override the devtools chip label (defaults to the carrier's `carrierLabel`). */
+  label?: string;
 }
 /**
- * Wire the hibernation lifecycle for a server handler on a transport whose sockets outlive process
- * eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
- * registers `setAttachment` as the handler's connection-bound callback and immediately replays every
- * live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
- *
- * Construct it once when the handler is built, then forward socket events:
- * ```ts
- * const wsServer = createHibernatableWsServerAdapter({ handler, getWebSockets, getAttachment, setAttachment });
- * // webSocketMessage(ws, msg) => wsServer.receive(ws, msg);
- * // webSocketClose/Error(ws)  => wsServer.drop(ws);
- * ```
+ * The plain (no-handshake, no-crypto) sibling of {@link secureTransport}: swap the carrier to change
+ * protocol, with no security layer. Over an {@link IExchangeCarrierSource} it builds an
+ * {@link ExchangeTransport} that POSTs the bare action wire and completes inline (HTTP is just
+ * `carrier: httpCarrier(...)`); over an {@link IDuplexCarrierSource} it builds a push-capable
+ * {@link LinkTransport} with the given codec. HTTP is therefore no longer a bespoke transport class —
+ * it is "just another carrier", exactly like a WebSocket under {@link secureTransport}.
+ */
+declare function plainTransport(options: IPlainTransportOptions & {
+  carrier: IExchangeCarrierSource;
+}): ExchangeTransport;
+declare function plainTransport(options: IPlainTransportOptions & {
+  carrier: IDuplexCarrierSource;
+}): LinkTransport;
+//#endregion
+//#region src/ActionRuntime/Transport/secureTransport.d.ts
+interface ISecureTransportOptions {
+  /** The shared channel identity (per-connection codec + dictionary version) — same one both ends use. */
+  channel: ISecureChannel;
+  /** This client's runtime — its coordinate is the authenticated identity sent in the handshake. */
+  runtime: ActionRuntime;
+  /** Backing store for this client's crypto identity (a stable verify key across reloads). */
+  storageAdapter: StorageAdapter;
+  /** The level this client requests; the peer must allow it. */
+  securityLevel: ESecurityLevel;
+  /**
+   * How to reach the peer. A duplex carrier (`wsCarrier(url)`, `rtcCarrier(dc)`,
+   * `inMemoryCarrier().carrier`) runs the push-capable session; an exchange carrier (`httpCarrier(...)`)
+   * runs the request/reply session over the same handshake + crypto.
+   */
+  carrier: IDuplexCarrierSource | IExchangeCarrierSource;
+}
+/**
+ * The one secure-transport factory — swap the carrier to change protocol. Folds in the boilerplate (the
+ * {@link ClientCryptoKeyLink} from `storageAdapter`, the `security` block from the runtime coordinate +
+ * channel version) and drives it over whatever carrier you pass: a {@link IDuplexCarrierSource} builds a
+ * push-capable {@link LinkTransport} (WS is just `carrier: wsCarrier(url)`), an
+ * {@link IExchangeCarrierSource} builds a request/reply {@link ExchangeTransport} (HTTP, with the same
+ * authentication/encryption). Replaces the old `createSecureWebSocketTransport` / `createSecureLinkTransport`.
  */
-declare function createHibernatableWsServerAdapter<TConn>(options: IHibernatableWsServerAdapterOptions<TConn>): IHibernatableWsServerAdapter<TConn>;
+declare function secureTransport(options: ISecureTransportOptions & {
+  carrier: IDuplexCarrierSource;
+}): LinkTransport;
+declare function secureTransport(options: ISecureTransportOptions & {
+  carrier: IExchangeCarrierSource;
+}): ExchangeTransport;
 //#endregion
 //#region src/errors/err_nice_action.d.ts
 declare enum EErrId_NiceAction {
@@ -2198,7 +3025,7 @@ declare const err_nice_action: import("@nice-code/error").NiceErrorDomain<{
 //#region src/utils/decodeActionFrame.d.ts
 /**
  * Minimal codec shape needed to turn an incoming channel frame back into action wire JSON. Matches
- * the `formatMessage` object the WebSocket transport (and `createBinaryWsAdapter`) provide.
+ * the `formatMessage` object the WebSocket transport (and `createBinaryWireAdapter`) provide.
  */
 interface IActionFrameDecoder {
   incoming?: (frame: string | ArrayBuffer | Uint8Array | Blob) => TActionPayload_Any_JsonObject<any, any> | undefined;
@@ -2207,7 +3034,7 @@ interface IActionFrameDecoder {
  * Decode a single inbound channel frame (text or binary) into validated action wire JSON, or
  * `undefined` if it isn't a recognisable action payload.
  *
- * Shared by the WebSocket transport's message listener and the server-side `ActionServerHandler` so
+ * Shared by the WebSocket transport's message listener and the server-side `AcceptorHandler` so
  * both decode identically: a binary `decoder.incoming` (e.g. msgpackr) takes precedence, and plain
  * text frames fall back to JSON — keeping binary and JSON clients interoperable on one channel.
  */
@@ -2237,8 +3064,8 @@ interface IActionPayload_Base<DT extends EActionPayloadType, DOM extends IAction
   readonly type: DT;
   readonly context: ActionContext<DOM, ID>;
 }
-type IActionRouteItemHandler = IActionHandler_Local_Json | (IActionHandler_ExternalClient_Json & {
-  transType: ETransportType;
+type IActionRouteItemHandler = IActionHandler_Local_Json | (IActionHandler_Peer_Json & {
+  transShape: ETransportShape;
   transOrd: number;
   transInfo?: ITransportRouteInfo;
 });
@@ -2324,5 +3151,5 @@ interface IActionPayload_Result_JsonObject<DOM extends IActionDomain = IActionDo
 type TActionPayload_Any_Instance<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = ActionPayload_Request<DOM, ID> | ActionPayload_Result<DOM, ID> | ActionPayload_Progress<DOM, ID>;
 type TActionPayload_Any_JsonObject<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = IActionPayload_Request_JsonObject<DOM, ID> | IActionPayload_Progress_JsonObject<DOM, ID> | IActionPayload_Result_JsonObject<DOM, ID>;
 //#endregion
-export { createBinaryWsAdapter as $, TInferOutputFromSchema as $n, ITransportDispatchAction as $t, createSecureActionServerHandler as A, ERunningActionState as An, ICustomTransportSendOptions as At, IConnectionAttachment as B, IRuntimeCoordinate as Bn, MaybePromise as Bt, decodeActionFrame as C, TUpdateActionRunConfig as Cn, IHttpTransportOptions as Ct, IHibernatableWsServerAdapterOptions as D, IActionCore as Dn, err_nice_transport as Dt, IHibernatableWsServerAdapter as E, ActionPayload_Request as En, EErrId_NiceTransport as Et, IActionServerHandlerOptions as F, IRunningActionUpdate_Success as Fn, ActionDomain as Ft, createSecureWebSocketTransport as G, TRuntimeCoordinateStringId as Gn, ETransportStatus as Gt, WsConnectionStateStore as H, IRuntimeFullCoordinates as Hn, createExternalClientHandler as Ht, TActionChannelFormatMessage as I, TRunningActionUpdate as In, ActionRootDomain as It, IWebSocketTransportSocketOptions as J, IActionRootDomain as Jn, IActionTransportInitialized as Jt, defineSecureWsChannel as K, IActionDomain as Kn, ETransportType as Kt, TActionConnectionEncoding as L, TRunningActionUpdateFinished as Ln, ActionRuntime as Lt, createActionFetchHandler as M, IRunningActionUpdate_Abort as Mn, err_nice_external_client as Mt, ActionServerHandler as N, IRunningActionUpdate_Progress as Nn, createActionRootDomain as Nt, ISecureActionServerHandlerOptions as O, IActionCore_JsonObject as On, CustomTransport as Ot, IActionServerConnectionBinding as P, IRunningActionUpdate_Started as Pn, ActionCore as Pt, createBinaryWsSessionFactory as Q, TInferInputFromSchema as Qn, IActionTransportResolvers as Qt, TServerConnectionCaseFn as R, TRunningActionUpdateListener as Rn, ActionLocalHandler as Rt, IActionFrameDecoder as S, TTransportStatusInfo_GetTransport_Output as Sn, HttpTransport as St, err_nice_action as T, ActionPayload_Progress as Tn, err_nice_transport_ws as Tt, ISecureWebSocketTransportOptions as U, RuntimeCoordinate as Un, ITransportConnectionContext as Ut, IWsConnectionStateStoreOptions as V, IRuntimeCoordinateSpecifics as Vn, ActionExternalClientHandler as Vt, ISecureWsChannel as W, TRuntimeCoordinateEnvId as Wn, Transport as Wt, WebSocketTransport as X, TActionDomainSchema as Xn, IActionTransportReadyData_Base as Xt, TWebSocketTransportOptions as Y, TActionDomainChildDef as Yn, IActionTransportReady as Yt, IBinaryWsSessionOptions as Z, TDomainActionId as Zn, IActionTransportReadyData_Methods as Zt, TActionProgress as _, TSendActionDataMethod as _n, encodeHandshakeMessage as _t, IActionPayload_Data_Base as a, ITransportStatusInfo_Failed as an, TActionSchemaOptions as ar, IClientHandshakeConfig as at, isActionPayload_Request_JsonObject as b, TTransportInitializationFinishedInfo as bn, IActionFrameCryptoConfig as bt, IActionPayload_Request_JsonObject as c, ITransportStatusInfo_Unsupported as cn, IHandshakeEncryptionKeyMaterial as ct, IActionProgress_Custom as d, TOnResolveAnyIncomingActionData as dn, THandshakeMessage as dt, ITransportMethod_SendActionData_Input as en, TPossibleDomainId as er, IActionTransportDef_Ws as et, IActionProgress_None as f, TOnResolveAnyIncomingActionData_Json as fn, createClientHandshake as ft, TActionPayload_Any_JsonObject as g, TOnResolveIncomingResponseJson as gn, decodeHandshakeMessage as gt, TActionPayload_Any_Instance as h, TOnResolveIncomingResponse as hn, createStorageTofuVerifyKeyResolver as ht, IActionPayload_Base_JsonObject as i, ITransportStatusInfo_Base as in, actionSchema as ir, ESecurityLevel as it, IActionFetchHandlerOptions as j, ERunningActionUpdateType as jn, TCustomTransportOptions as jt, createHibernatableWsServerAdapter as k, ERunningActionFinishedType as kn, ICustomTransportAdvancedOptions as kt, IActionPayload_Result as l, IUpdateActionRunConfig_Output as ln, IHandshakeResult as lt, IActionRouteItemHandler as m, TOnResolveIncomingRequestJson as mn, createServerHandshake as mt, EActionProgressType as n, ITransportRouteClientParams as nn, ActionSchema as nr, IActionTransportReadyData_Ws as nt, IActionPayload_Progress as o, ITransportStatusInfo_Initializing as on, TActionSerializationDefinition as or, IClientVerifyKeyResolveInput as ot, IActionProgress_Percentage as p, TOnResolveIncomingRequest as pn, createInMemoryTofuVerifyKeyResolver as pt, IWebSocketTransportAdvancedOptions as q, IActionDomainChildOptions as qn, IActionTransportDef as qt, IActionPayload_Base as r, ITransportRouteInfo as rn, TInferActionError as rr, EHandshakeMessageType as rt, IActionPayload_Progress_JsonObject as s, ITransportStatusInfo_Ready as sn, TTransportedValue as sr, IClientVerifyKeyResolver as st, EActionPayloadType as t, ITransportRouteActionParams as tn, TPossibleDomainIdList as tr, IActionTransportInitialized_Ws as tt, IActionPayload_Result_JsonObject as u, TGetTransportFn as un, IServerHandshakeConfig as ut, TActionResultOutcome as v, TSendReturnDataMethod as vn, runtimeLinkId as vt, EErrId_NiceAction as w, RunningAction as wn, EErrId_NiceTransport_WebSocket as wt, isActionPayload_Any_JsonObject as x, TTransportStatusInfo as xn, createActionFrameCrypto as xt, isActionPayload_Result_JsonObject as y, TTransportCache as yn, IActionFrameCrypto as yt, createServerHandler as z, ActionPayload_Result as zn, createLocalHandler as zt };
-//# sourceMappingURL=ActionPayload.types-BN-rXFBK.d.cts.map
+export { EErrId_NiceTransport_WebSocket as $, IClientVerifyKeyResolver as $n, TTransportedValue as $r, IAcceptorConnectionBinding as $t, ILinkTransportOptions as A, ITransportStatusInfo_Ready as An, ActionPayload_Result as Ar, IDuplexCarrier as At, IActionFrameCryptoConfig as B, TSendActionDataMethod as Bn, TActionDomainChildDef as Br, IActionChannel as Bt, decodeActionFrame as C, ITransportMethod_SendActionData_Input as Cn, IRunningActionUpdate_Abort as Cr, IServeChannelOptions as Ct, secureTransport as D, ITransportStatusInfo_Base as Dn, TRunningActionUpdate as Dr, IExchangeAcceptorCarrier as Dt, ISecureTransportOptions as E, ITransportRouteInfo as En, IRunningActionUpdate_Success as Er, IDuplexAcceptorCarrier as Et, err_nice_transport as F, TOnResolveAnyIncomingActionData_Json as Fn, TRuntimeCoordinateEnvId as Fr, TFrame$1 as Ft, TCarrierFetch as G, TTransportStatusInfo_GetTransport_Output as Gn, TPossibleDomainId as Gr, acceptChannelConnections as Gt, createBinaryWireAdapter as H, TTransportCache as Hn, TDomainActionId as Hr, TChannelAcceptorCases as Ht, ExchangeTransport as I, TOnResolveIncomingRequest as In, TRuntimeCoordinateStringId as Ir, IDuplexConnectionRouter as It, httpAcceptorCarrier as J, Transport as Jn, EActionResponseMode as Jr, ISecureChannel as Jt, httpCarrier as K, TUpdateActionRunConfig as Kn, TPossibleDomainIdList as Kr, connectChannel as Kt, IExchangeTransportOptions as L, TOnResolveIncomingRequestJson as Ln, IActionDomain as Lr, IHibernatableWsServerAdapterOptions as Lt, IActionTransportReadyData_Link as M, IUpdateActionRunConfig_Output as Mn, IRuntimeCoordinateSpecifics as Mr, IExchangeCarrier as Mt, TLinkFormatMessage as N, TGetTransportFn as Nn, IRuntimeFullCoordinates as Nr, IExchangeCarrierSource as Nt, IPlainTransportOptions as O, ITransportStatusInfo_Failed as On, TRunningActionUpdateFinished as Or, TAcceptorCarrier as Ot, EErrId_NiceTransport as P, TOnResolveAnyIncomingActionData as Pn, RuntimeCoordinate as Pr, TCarrier as Pt, wsAcceptorCarrier as Q, IClientVerifyKeyResolveInput as Qn, TActionSerializationDefinition as Qr, AcceptorHandler as Qt, IActionTransportReadyData_Exchange as R, TOnResolveIncomingResponse as Rn, IActionDomainChildOptions as Rr, createHibernatableWsServerAdapter as Rt, IActionFrameDecoder as S, ITransportDispatchAction as Sn, ERunningActionUpdateType as Sr, IChannelServer as St, err_nice_action as T, ITransportRouteClientParams as Tn, IRunningActionUpdate_Started as Tr, IAcceptorHibernation as Tt, IHttpCarrierOptions as U, TTransportInitializationFinishedInfo as Un, TInferInputFromSchema as Ur, TChannelPushHandlers as Ut, createActionFrameCrypto as V, TSendReturnDataMethod as Vn, TActionDomainSchema as Vr, IConnectChannelOptions as Vt, IHttpCarrierRequest as W, TTransportStatusInfo as Wn, TInferOutputFromSchema as Wr, acceptChannel as Wt, wsCarrier as X, ESecurityLevel as Xn, actionSchema as Xr, IBinaryWireSessionOptions as Xt, IWsCarrierOptions as Y, EHandshakeMessageType as Yn, TInferActionError as Yr, defineSecureChannel as Yt, IWsAcceptorCarrierOptions as Z, IClientHandshakeConfig as Zn, TActionSchemaOptions as Zr, createBinaryWireSessionFactory as Zt, TActionProgress as _, IActionTransportReady as _n, ActionPayload_Request as _r, IActionFetchHandlerOptions as _t, IActionPayload_Data_Base as a, IActionWireFormat as an, createInMemoryTofuVerifyKeyResolver as ar, IInMemoryCarrier as at, isActionPayload_Request_JsonObject as b, IActionTransportResolvers as bn, ERunningActionFinishedType as br, IExchangeAcceptorConfig as bt, IActionPayload_Request_JsonObject as c, ActionDomain as cn, decodeHandshakeMessage as cr, IInMemoryServerEndpoint as ct, IActionProgress_Custom as d, ConnectorHandler as dn, PeerLinkHandler as dr, ConnectionStateStore as dt, IAcceptorHandlerOptions as en, IHandshakeEncryptionKeyMaterial as er, err_nice_transport_ws as et, IActionProgress_None as f, createConnectorHandler as fn, ActionLocalHandler as fr, IConnectionAttachment as ft, TActionPayload_Any_JsonObject as g, IActionTransportInitialized as gn, ActionPayload_Progress as gr, createSecureAcceptorHandler as gt, TActionPayload_Any_Instance as h, IActionTransportDef as hn, RunningAction as hr, ISecureAcceptorHandlerOptions as ht, IActionPayload_Base_JsonObject as i, createAcceptorHandler as in, createClientHandshake as ir, rtcDataChannelByteChannel as it, LinkTransport as j, ITransportStatusInfo_Unsupported as jn, IRuntimeCoordinate as jr, IDuplexCarrierSource as jt, plainTransport as k, ITransportStatusInfo_Initializing as kn, TRunningActionUpdateListener as kr, isExchangeAcceptorCarrier as kt, IActionPayload_Result as l, ActionRootDomain as ln, encodeHandshakeMessage as lr, createInMemoryChannelPair as lt, IActionRouteItemHandler as m, ETransportStatus as mn, MaybePromise as mr, createConnectionStateStore as mt, EActionProgressType as n, TActionChannelFormatMessage as nn, IServerHandshakeConfig as nr, rtcCarrier as nt, IActionPayload_Progress as o, createActionRootDomain as on, createServerHandshake as or, inMemoryCarrier as ot, IActionProgress_Percentage as p, ETransportShape as pn, createLocalHandler as pr, IConnectionStateStoreOptions as pt, IHttpAcceptorCarrierOptions as q, ITransportConnectionContext as qn, ActionSchema as qr, defineChannel as qt, IActionPayload_Base as r, TActionConnectionEncoding as rn, THandshakeMessage as rr, IRtcDataChannelLike as rt, IActionPayload_Progress_JsonObject as s, ActionCore as sn, createStorageTofuVerifyKeyResolver as sr, IInMemoryChannelPair as st, EActionPayloadType as t, TAcceptorConnectionCaseFn as tn, IHandshakeResult as tr, IRtcCarrierOptions as tt, IActionPayload_Result_JsonObject as u, ActionRuntime as un, runtimeLinkId as ur, err_nice_external_client as ut, TActionResultOutcome as v, IActionTransportReadyData_Base as vn, IActionCore as vr, createActionFetchHandler as vt, EErrId_NiceAction as w, ITransportRouteActionParams as wn, IRunningActionUpdate_Progress as wr, serveChannel as wt, isActionPayload_Any_JsonObject as x, ISecureClientConfig as xn, ERunningActionState as xr, IExchangeAcceptorSecurity as xt, isActionPayload_Result_JsonObject as y, IActionTransportReadyData_Methods as yn, IActionCore_JsonObject as yr, ExchangeAcceptor as yt, IActionFrameCrypto as z, TOnResolveIncomingResponseJson as zn, IActionRootDomain as zr, IAcceptChannelOptions as zt };
+//# sourceMappingURL=ActionPayload.types-BchJrBIX.d.mts.map