@nice-code/action 0.20.0 → 0.21.0

package/build/index.cjs

@@ -1457,16 +1457,16 @@ var ActionRuntime = class {
 		return this;
 	}
 	/**
+	* @internal Low-level primitive — the public way to open a connection is `connectChannel`, which
+	* derives routing from a channel and binds the crypto identity for you. This stays as the raw building
+	* block it sits on (it restates domain lists by hand) and is not part of the supported surface.
+	*
 	* Declare an external "backend client" in one call: build an
 	* {@link ConnectorHandler} for `externalCoordinate` carrying the given
 	* `transports`, route the listed `domains`/`actions` to it, register it (plus any
 	* `localHandlers` — e.g. server→client push handlers that share the same channel)
 	* on this runtime, and `apply()`. Returns the external handler so the caller can
 	* later `clearTransportCache()` it.
-	*
-	* Sugar over `new ConnectorHandler(...).forDomain(...)` + `addHandlers([...])`,
-	* so a single runtime can host one handler per backend target with its transports
-	* declared once and reused across every action routed to that backend.
 	*/
 	connectTo(externalCoordinate, options) {
 		const handler = new ConnectorHandler({
@@ -2970,1924 +2970,1967 @@ function createSecureAcceptorHandler(options) {
 	});
 }
 //#endregion
-//#region src/ActionRuntime/Channel/ActionChannel.ts
+//#region src/ActionRuntime/Transport/Carrier/Carrier.types.ts
 /**
-* Declare a transport-agnostic channel by role. Use it for HTTP, custom transports, or as the routing
-* half of a richer channel. The order of each list is part of the contract for wire formats that pack
-* positionally (see `defineSecureChannel`) — add new domains to the end of their list. (`domains` is
-* accepted as a legacy alias for `toAcceptor`.)
+* Narrow a carrier source to the exchange shape via its `shape` discriminant — the one branch the
+* transport factories ({@link secureTransport}, {@link plainTransport}) use to pick the duplex vs
+* exchange transport. A duplex source carries no `shape`, so the `else` branch is the duplex one.
 */
-function defineChannel(options) {
-	return {
-		toAcceptorDomains: options.toAcceptor,
-		toConnectorDomains: options.toConnector
-	};
+function isExchangeCarrierSource(carrier) {
+	return "shape" in carrier && carrier.shape === "exchange";
 }
+//#endregion
+//#region src/ActionRuntime/Transport/Transport.ts
 /**
-* Wire a connection to the acceptor straight from a channel: route the channel's `toAcceptor` domains to
-* the acceptor over `transports`, and register local handlers for its `toConnector` pushes from
-* `onPush`. The channel is the single source of truth for *what* is routed in each direction — the
-* caller only supplies the transport(s) and the push handlers, never restated domain lists. Pass several
-* transports to make the connector→acceptor path transport-agnostic (e.g. secure WS preferred, HTTP
-* fallback).
-*
-* Sugar over {@link ActionRuntime.connectTo}. Returns the acceptor handler so the caller can later
-* `clearTransportCache()` it.
+* Reusable transport definition. Devs construct these (`secureTransport({ carrier: wsCarrier(url) })`,
+* `plainTransport({ carrier: httpCarrier(...) })`, …) and pass them to a
+* `ConnectorHandler`. A single
+* definition can be shared across multiple handlers — each handler builds its own live
+* {@link TransportConnection} via {@link TransportConnection._createConnection}.
 */
-function connectChannel(runtime, acceptorCoordinate, options) {
-	const pushHandlers = options.onPush != null ? options.channel.toConnectorDomains.map((domain) => domain.wrapAsPartialLocalHandler(options.onPush)) : [];
-	return runtime.connectTo(acceptorCoordinate, {
-		transports: options.transports,
-		domains: [...options.channel.toAcceptorDomains],
-		localHandlers: pushHandlers,
-		defaultTimeout: options.defaultTimeout
-	});
+var Transport = class {};
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeProtocol.ts
+function encodeExchange(envelope) {
+	return JSON.stringify(envelope);
 }
-/**
-* Register an acceptor handler's execution for a channel straight from its definition: the channel's
-* `toAcceptor` domains are served together with one merged, connection-aware case map (each case gets
-* the primed request + the originating connection, as with
-* {@link AcceptorHandler.forConnectionDomainCases}). The domain list is taken from the channel,
-* never restated. Add the returned handler to the runtime alongside the acceptor handler:
-* ```ts
-* runtime.addHandlers([acceptChannelConnections(serverHandler, channel, { … }), serverHandler]);
-* ```
-*/
-function acceptChannelConnections(serverHandler, channel, cases) {
-	return serverHandler.forConnectionDomainCasesMulti(channel.toAcceptorDomains, cases);
+function decodeExchangeRequest(raw) {
+	return parse(raw);
 }
-/**
-* Build the secure {@link AcceptorHandler} for a channel — the accept-in counterpart to
-* {@link connectChannel}. It folds in the same boilerplate as {@link createSecureAcceptorHandler} (the
-* `ClientCryptoKeyLink` + storage-backed TOFU resolver from one `storageAdapter`, the channel's codec +
-* dictionary version, the `security` block from the runtime coordinate) but takes the `(runtime, channel,
-* options)` shape of the channel family. Pair it with {@link acceptChannelConnections} for execution:
-* ```ts
-* const acceptor = acceptChannel(runtime, gameChannel, { clientEnv, storageAdapter, send });
-* runtime.addHandlers([acceptChannelConnections(acceptor, gameChannel, { … }), acceptor]);
-* ```
-*/
-function acceptChannel(runtime, channel, options) {
-	return createSecureAcceptorHandler({
-		channel,
-		runtime,
-		clientEnv: options.clientEnv,
-		storageAdapter: options.storageAdapter,
-		link: options.link,
-		send: options.send,
-		securityLevel: options.securityLevel,
-		verifyKeyResolver: options.verifyKeyResolver,
-		defaultTimeout: options.defaultTimeout
-	});
+function decodeExchangeReply(raw) {
+	return parse(raw);
 }
-//#endregion
-//#region src/ActionRuntime/Transport/codec/actionWireCodec.ts
-/**
-* Tiny integer codes for the payload type, so the verbose `"request"`/`"result"`/`"progress"`
-* strings never hit the wire. The index in {@link ReversePayloadType} must line up with the value.
-*/
-const PayloadTypeToInt = {
-	["request"]: 0,
-	["result"]: 1,
-	["progress"]: 2
-};
-const ReversePayloadType = [
-	"request",
-	"result",
-	"progress"
-];
-/**
-* Build the positional `domain:id` ↔ integer dictionary. Both ends of a channel MUST build it from
-* the same domains in the same order — the mapping is positional, so a mismatch routes to the wrong
-* action. Add new transported domains to the end of the list.
-*/
-function buildActionRouteDictionary(domains) {
-	const routeToInt = /* @__PURE__ */ new Map();
-	const intToRoute = [];
-	for (const dom of domains) for (const actionId of Object.keys(dom.actionSchema)) {
-		const routeKey = `${dom.domain}:${actionId}`;
-		if (routeToInt.has(routeKey)) continue;
-		routeToInt.set(routeKey, intToRoute.length);
-		intToRoute.push({
-			domain: dom.domain,
-			id: actionId,
-			allDomains: dom.allDomains
-		});
+function parse(raw) {
+	try {
+		return JSON.parse(raw);
+	} catch {
+		return;
 	}
-	return {
-		routeToInt,
-		intToRoute
-	};
 }
-/** Pull the type-specific payload (`input` / `result` / `progress`) out of a wire JSON object. */
-function extractWirePayload(json) {
-	if (json.type === "request") return json.input;
-	if (json.type === "result") return json.result;
-	if (json.type === "progress") return json.progress;
+function bytesToBase64(bytes) {
+	let binary = "";
+	for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+	return btoa(binary);
 }
-/**
-* Reassemble a full wire JSON object from its decoded parts. `inputHash`/`outputHash` are emitted
-* empty — the hydration constructors recompute them — and the result still satisfies
-* `isActionPayload_Any_JsonObject` so it flows through validation like a JSON frame.
-*/
-function assembleWireJson(routeMeta, payloadType, time, context, payloadData) {
-	const base = {
-		form: "data",
-		domain: routeMeta.domain,
-		id: routeMeta.id,
-		allDomains: routeMeta.allDomains,
-		time,
-		context
-	};
-	if (payloadType === "request") return {
-		...base,
-		type: "request",
-		input: payloadData,
-		inputHash: ""
-	};
-	if (payloadType === "result") return {
-		...base,
-		type: "result",
-		result: payloadData,
-		outputHash: ""
+function base64ToBytes(base64) {
+	const binary = atob(base64);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/establishExchangeSession.ts
+const textEncoder$1 = new TextEncoder();
+const textDecoder$1 = new TextDecoder();
+/** Plain path (no handshake/token): every action rides a bare `act` envelope, plaintext both ways. */
+function finalizePlainExchangeMethods(ctx) {
+	return buildExchangeMethods(ctx, {});
+}
+/** Secure path: run the handshake (two exchanges) once at bring-up, then reuse the token + crypto. */
+async function finalizeSecureExchangeMethods(ctx) {
+	return buildExchangeMethods(ctx, await runConnectorExchangeHandshake(ctx.carrier, ctx.secure));
+}
+function buildExchangeMethods(ctx, state) {
+	const sendActionData = (inputs) => {
+		runExchange(ctx.carrier, state, inputs).catch((err) => inputs.runningAction._abort(err));
 	};
 	return {
-		...base,
-		type: "progress",
-		progress: payloadData
+		sendActionData,
+		updateRunConfig: ctx.updateRunConfig
 	};
 }
-//#endregion
-//#region src/ActionRuntime/Transport/codec/createBinaryWireSessionFactory.ts
-/**
-* Positional layout of the *session* binary envelope — the leanest frame. Compared to the stateless
-* adapter it replaces the 21-char `cuid` with a small per-connection integer and only carries
-* `originClient` on the very first request of each direction (the peer remembers it afterwards).
-*
-*   [ routeInt, typeInt, corrId, time, originClient?, payloadData ]
-*/
-const ENVELOPE$1 = {
-	route: 0,
-	type: 1,
-	corr: 2,
-	time: 3,
-	originClient: 4,
-	payload: 5
-};
-const ENVELOPE_LENGTH$1 = 6;
-/**
-* How long a pending correlation entry is kept before it's swept. A correlation only matters until its
-* action resolves or times out, so anything older than the longest realistic action timeout can be
-* dropped — this bounds memory when requests time out or a connection dies mid-flight (their replies
-* would never arrive, leaving the entry orphaned). Generous default so live correlations are never
-* pruned (the default transport timeout is 10s).
-*/
-const DEFAULT_CORRELATION_TTL_MS = 5 * 6e4;
-function isKnownIdentity(coordinate) {
-	return coordinate != null && coordinate.envId !== "_unset_";
-}
-/**
-* Drop entries older than `ttlMs`. Maps keep insertion order and entries are inserted in time order,
-* so the oldest are first — stop sweeping at the first live entry.
-*/
-function pruneExpired(map, now, ttlMs) {
-	for (const [key, entry] of map) {
-		if (now - entry.time <= ttlMs) break;
-		map.delete(key);
+async function runExchange(carrier, state, inputs) {
+	const { action, runningAction, timeout } = inputs;
+	const ac = new AbortController();
+	let timedOut = false;
+	const timeoutId = setTimeout(() => {
+		timedOut = true;
+		ac.abort();
+	}, timeout);
+	const unsubscribe = runningAction.addUpdateListeners([(update) => {
+		if (update.type === "finished") {
+			clearTimeout(timeoutId);
+			ac.abort();
+		}
+	}]);
+	try {
+		const request = await buildRequestEnvelope(state, action);
+		const replyRaw = await carrier.exchange(encodeExchange(request), { signal: ac.signal });
+		if (action.type !== "request") return;
+		const reply = decodeExchangeReply(asString(replyRaw));
+		if (reply == null) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
+		if (reply.k === "err") throw err_nice_transport.fromId("send_failed", {
+			actionState: action.type,
+			actionId: action.id,
+			message: reply.message
+		});
+		const wire = await extractReplyWire(state, reply);
+		if (wire == null || !isActionPayload_Result_JsonObject(wire)) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
+		runningAction._completeWithResult(action._domain.hydrateResultPayload(wire));
+	} catch (err) {
+		if (timedOut) throw err_nice_transport.fromId("timeout", { timeout });
+		throw err;
+	} finally {
+		clearTimeout(timeoutId);
+		unsubscribe();
 	}
 }
-/**
-* Builds a factory of *stateful, per-connection* codecs for {@link LinkTransport} /
-* `AcceptorHandler` — the maximally compact binary wire. Call the returned factory once per live
-* connection (each socket on the client, each accepted connection on the server) so every channel
-* gets its own correlation + identity state.
-*
-* On top of everything {@link createBinaryWireAdapter} drops, a session also drops:
-* - **`cuid`** — replaced by a per-connection integer correlation id. The initiator maps it to its
-*   real cuid; the responder echoes it; each side reconstructs the cuid from its own map. Correlation
-*   only needs to be unique per socket, so a counter suffices.
-* - **`originClient` after the first request** — the first request each side sends carries its
-*   identity; the peer remembers it and injects it into later frames. Replies omit it entirely (a
-*   reply carries the initiator's own origin, which the initiator already knows).
-*
-* Both ends MUST build the factory from the same domains in the same order (positional dictionary).
-* Text frames still return `undefined` from `incoming`, so JSON clients remain interoperable.
-*
-* Hibernation note: after a server connection is evicted its session resets, so a still-connected
-* client (whose session persists) will keep omitting `originClient`. The server must therefore restore
-* the connection→client binding from its own store (see `AcceptorHandler.rehydrateConnection`) and
-* inject `originClient` from there — the session alone can't recover it.
-*/
-function createBinaryWireSessionFactory(domains, options) {
-	const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
-	const unknownIdentity = RuntimeCoordinate.unknown.toJsonObject();
-	const ttlMs = options?.correlationTtlMs ?? DEFAULT_CORRELATION_TTL_MS;
-	return () => {
-		let outCounter = 0;
-		const corrToCuid = /* @__PURE__ */ new Map();
-		const cuidToCorr = /* @__PURE__ */ new Map();
-		let selfIdentity;
-		let peerIdentity;
+async function buildRequestEnvelope(state, action) {
+	const wire = action.toJsonObject();
+	if (state.crypto != null) {
+		const ciphertext = await state.crypto.encryptFrame(textEncoder$1.encode(JSON.stringify(wire)));
 		return {
-			outgoing: (input) => {
-				const json = input.action.toJsonObject();
-				const routeKey = `${json.domain}:${json.id}`;
-				const routeInt = routeToInt.get(routeKey);
-				if (routeInt == null) throw new Error(`[binary-wire] Cannot pack unregistered action route: ${routeKey}`);
-				const now = Date.now();
-				pruneExpired(corrToCuid, now, ttlMs);
-				pruneExpired(cuidToCorr, now, ttlMs);
-				let corr;
-				let wireIdentity;
-				if (json.type === "request") {
-					corr = outCounter++;
-					corrToCuid.set(corr, {
-						value: json.context.cuid,
-						time: now
-					});
-					if (selfIdentity == null && isKnownIdentity(json.context.originClient)) {
-						selfIdentity = json.context.originClient;
-						wireIdentity = json.context.originClient;
-					}
-				} else {
-					corr = cuidToCorr.get(json.context.cuid)?.value ?? -1;
-					if (json.type === "result") cuidToCorr.delete(json.context.cuid);
-				}
-				const envelope = new Array(ENVELOPE_LENGTH$1);
-				envelope[ENVELOPE$1.route] = routeInt;
-				envelope[ENVELOPE$1.type] = PayloadTypeToInt[json.type];
-				envelope[ENVELOPE$1.corr] = corr;
-				envelope[ENVELOPE$1.time] = json.time;
-				envelope[ENVELOPE$1.originClient] = wireIdentity;
-				envelope[ENVELOPE$1.payload] = extractWirePayload(json);
-				return (0, msgpackr.pack)(envelope);
-			},
-			incoming: (frame) => {
-				let buffer;
-				if (frame instanceof ArrayBuffer) buffer = new Uint8Array(frame);
-				else if (frame instanceof Uint8Array) buffer = frame;
-				else return;
-				try {
-					const envelope = (0, msgpackr.unpack)(buffer);
-					if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH$1) return void 0;
-					const routeMeta = intToRoute[envelope[ENVELOPE$1.route]];
-					const payloadType = ReversePayloadType[envelope[ENVELOPE$1.type]];
-					if (routeMeta == null || payloadType == null) return void 0;
-					const now = Date.now();
-					pruneExpired(corrToCuid, now, ttlMs);
-					pruneExpired(cuidToCorr, now, ttlMs);
-					const corr = envelope[ENVELOPE$1.corr];
-					const time = envelope[ENVELOPE$1.time];
-					const wireIdentity = envelope[ENVELOPE$1.originClient];
-					let cuid;
-					let originClient;
-					if (payloadType === "request") {
-						cuid = (0, nanoid.nanoid)();
-						cuidToCorr.set(cuid, {
-							value: corr,
-							time: now
-						});
-						if (isKnownIdentity(wireIdentity)) peerIdentity = wireIdentity;
-						originClient = peerIdentity ?? unknownIdentity;
-					} else {
-						cuid = corrToCuid.get(corr)?.value ?? (0, nanoid.nanoid)();
-						if (payloadType === "result") corrToCuid.delete(corr);
-						originClient = selfIdentity ?? unknownIdentity;
-					}
-					return assembleWireJson(routeMeta, payloadType, time, {
-						cuid,
-						timeCreated: time,
-						routing: [],
-						originClient
-					}, envelope[ENVELOPE$1.payload]);
-				} catch (e) {
-					console.error("[binary-wire] Failed to unpack binary action session frame", e);
-					return;
-				}
-			}
+			k: "act",
+			t: state.token,
+			c: bytesToBase64(ciphertext)
 		};
+	}
+	return {
+		k: "act",
+		t: state.token,
+		w: wire
 	};
 }
-//#endregion
-//#region src/ActionRuntime/Channel/secureChannel.ts
-/**
-* Derive a stable wire-dictionary version from the ordered route list (FNV-1a over `domain:id,…`), so
-* the version moves automatically whenever the transported domains change — a stale peer is then
-* rejected by the handshake instead of silently misrouting a positionally-packed frame.
-*/
-function deriveDictionaryVersion(domains) {
-	const { intToRoute } = buildActionRouteDictionary(domains);
-	const signature = intToRoute.map((route) => `${route.domain}:${route.id}`).join(",");
-	let hash = 2166136261;
-	for (let i = 0; i < signature.length; i++) {
-		hash ^= signature.charCodeAt(i);
-		hash = Math.imul(hash, 16777619);
+async function extractReplyWire(state, reply) {
+	if (reply.k !== "act") return void 0;
+	if ("c" in reply) {
+		if (state.crypto == null) return void 0;
+		const plain = await state.crypto.decryptFrame(base64ToBytes(reply.c));
+		return JSON.parse(textDecoder$1.decode(plain));
 	}
-	return `auto:${(hash >>> 0).toString(16).padStart(8, "0")}`;
+	return reply.w;
 }
-/**
-* Bundle a secure channel's shared identity from its transported domains. Both ends MUST call this
-* with the same domains in the same order (the binary wire dictionary is positional). The
-* `dictionaryVersion` is derived from those domains unless you pin an explicit one.
-*
-* Declare the domains *by role* — `toAcceptor` (connector→acceptor requests) and `toConnector`
-* (acceptor→connector pushes) — so the routing for both ends is derived from the channel (see
-* {@link connectChannel} and `acceptChannelConnections`) instead of being restated at each end. The
-* wire dictionary spans `[...toAcceptor, ...toConnector]` in that order; add new domains to the end of
-* their list to keep older peers compatible. (`domains` is still accepted as a legacy alias for
-* `toAcceptor`.)
-*/
-function defineSecureChannel(options) {
-	const base = defineChannel({
-		toAcceptor: options.toAcceptor,
-		toConnector: options.toConnector
+async function runConnectorExchangeHandshake(carrier, secure) {
+	await secure.link.initialize();
+	const handshake = createClientHandshake({
+		link: secure.link,
+		localCoordinate: secure.localCoordinate,
+		dictionaryVersion: secure.dictionaryVersion,
+		securityLevel: secure.securityLevel
 	});
-	const allDomains = [...base.toAcceptorDomains, ...base.toConnectorDomains];
+	const hsid = (0, nanoid.nanoid)();
+	const hello = await handshake.createHello();
+	const welcomeReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
+		k: "hs",
+		hsid,
+		m: encodeHandshakeMessage(hello)
+	}))));
+	if (welcomeReply?.k !== "hs") throw new Error("[exchange-handshake] expected a welcome reply");
+	const welcome = decodeHandshakeMessage(welcomeReply.m);
+	if (welcome == null) throw new Error("[exchange-handshake] malformed welcome");
+	if (welcome.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${welcome.reason}`);
+	if (welcome.t !== "welcome") throw new Error(`[exchange-handshake] expected welcome, got ${welcome.t}`);
+	const prove = await handshake.onWelcome(welcome);
+	const acceptReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
+		k: "hs",
+		hsid,
+		m: encodeHandshakeMessage(prove)
+	}))));
+	if (acceptReply?.k !== "hs") throw new Error("[exchange-handshake] expected an accept reply");
+	const accept = decodeHandshakeMessage(acceptReply.m);
+	if (accept == null) throw new Error("[exchange-handshake] malformed accept");
+	if (accept.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${accept.reason}`);
+	if (accept.t !== "accept") throw new Error(`[exchange-handshake] expected accept, got ${accept.t}`);
+	if (acceptReply.t == null) throw new Error("[exchange-handshake] accept missing session token");
+	const result = await handshake.onAccept(accept);
+	const crypto = result.securityLevel === "encrypted" ? createActionFrameCrypto({
+		link: secure.link,
+		linkedClientId: result.linkedClientId
+	}) : void 0;
 	return {
-		...base,
-		dictionaryVersion: options.dictionaryVersion ?? deriveDictionaryVersion(allDomains),
-		createCodec: createBinaryWireSessionFactory(allDomains, options.sessionOptions)
+		token: acceptReply.t,
+		crypto
 	};
 }
-//#endregion
-//#region src/ActionRuntime/Transport/SecureSession/exchangeProtocol.ts
-function encodeExchange(envelope) {
-	return JSON.stringify(envelope);
-}
-function decodeExchangeRequest(raw) {
-	return parse(raw);
-}
-function decodeExchangeReply(raw) {
-	return parse(raw);
-}
-function parse(raw) {
-	try {
-		return JSON.parse(raw);
-	} catch {
-		return;
-	}
-}
-function bytesToBase64(bytes) {
-	let binary = "";
-	for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
-	return btoa(binary);
+function asString(frame) {
+	if (typeof frame === "string") return frame;
+	return textDecoder$1.decode(frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame);
 }
-function base64ToBytes(base64) {
-	const binary = atob(base64);
-	const bytes = new Uint8Array(binary.length);
-	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
-	return bytes;
+//#endregion
+//#region src/ActionRuntime/Transport/helpers/addTransportStatusMetadata.ts
+function addTransportStatusMetadata(transportStatus) {
+	if (transportStatus.status === "ready") return {
+		status: "ready",
+		readyData: transportStatus.readyData
+	};
+	if (transportStatus.status === "initializing") return {
+		status: "initializing",
+		initializationPromise: transportStatus.initializationPromise,
+		timeStarted: Date.now()
+	};
+	if (transportStatus.status === "failed") return {
+		status: "failed",
+		error: transportStatus.error,
+		timeFailed: Date.now()
+	};
+	if (transportStatus.status === "unsupported") return { status: "unsupported" };
+	return { status: "uninitialized" };
 }
 //#endregion
-//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.ts
-const textEncoder$1 = new TextEncoder();
-const textDecoder$1 = new TextDecoder();
+//#region src/ActionRuntime/Transport/TransportConnection.ts
+let transportOrd = 0;
 /**
-* Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
-* {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
-* acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
-* requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
-* POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
-* and returns the (encrypted) result inline as the reply.
-*
-* Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
-* Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
-* same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
+* Live, per-handler transport runtime built from a reusable {@link Transport} definition. Holds the
+* connection-scoped state (ordinal, initialized config, sockets / abort sets) that must not be shared
+* across handlers. Construct these via `definition._createConnection(...)`, never directly.
 */
-var ExchangeAcceptor = class {
-	_security;
-	_runtime;
-	_allowedLevels;
-	_noneAllowed;
-	_pendingHandshakes = /* @__PURE__ */ new Map();
-	_sessions = /* @__PURE__ */ new Map();
-	constructor(config) {
-		this._security = config.security;
-		this._runtime = config.runtime;
-		this._allowedLevels = Array.isArray(config.security.securityLevel) ? config.security.securityLevel : [config.security.securityLevel];
-		this._noneAllowed = this._allowedLevels.includes("none");
+var TransportConnection = class {
+	def;
+	transOrd = transportOrd++;
+	type;
+	initialized;
+	/** Backref to the public definition that created this connection (used for devtools route info). */
+	definition;
+	constructor(def) {
+		this.def = def;
+		this.type = def.type;
+		this.initialized = def.initialize();
 	}
-	/** Process one POST body (an exchange envelope), returning the reply body to send back. */
-	async handlePost(body) {
-		const request = decodeExchangeRequest(body);
-		if (request == null) return this._err("malformed exchange request");
-		if (request.k === "hs") return encodeExchange(await this._handleHandshake(request));
-		return encodeExchange(await this._handleAction(request));
+	/**
+	* Devtools route info for an action routed through this live connection. Defaults to the stateless
+	* {@link definition}'s info; connections override to enrich it from live state (e.g. the actual
+	* resolved socket URL) when the definition couldn't resolve it on its own.
+	*/
+	getRouteInfo(input) {
+		return this.definition?.getRouteInfo(input);
 	}
-	async _handleHandshake(request) {
-		const message = decodeHandshakeMessage(request.m);
-		if (message == null) return {
-			k: "err",
-			message: "malformed handshake message"
-		};
-		const security = this._security;
-		await security.link.initialize();
-		let handshake = this._pendingHandshakes.get(request.hsid);
-		if (handshake == null) {
-			handshake = createServerHandshake({
-				link: security.link,
-				localCoordinate: security.localCoordinate,
-				dictionaryVersion: security.dictionaryVersion,
-				securityLevel: security.securityLevel,
-				verifyKeyResolver: security.verifyKeyResolver
-			});
-			this._pendingHandshakes.set(request.hsid, handshake);
-		}
-		if (message.t === "hello") return {
-			k: "hs",
-			m: encodeHandshakeMessage(await handshake.onHello(message))
-		};
-		if (message.t === "prove") {
-			const reply = await handshake.onProve(message);
-			this._pendingHandshakes.delete(request.hsid);
-			const result = handshake.getResult();
-			if (reply.t === "accept" && result != null) {
-				const token = (0, nanoid.nanoid)();
-				this._sessions.set(token, {
-					client: new RuntimeCoordinate(result.remote),
-					securityLevel: result.securityLevel,
-					crypto: result.securityLevel === "encrypted" ? createActionFrameCrypto({
-						link: security.link,
-						linkedClientId: result.linkedClientId
-					}) : void 0
-				});
-				return {
-					k: "hs",
-					m: encodeHandshakeMessage(reply),
-					t: token
-				};
-			}
+	/**
+	* Whether a `ready`-status transport still needs asynchronous bring-up before its methods exist —
+	* awaiting the carrier to open and/or running a handshake. Default `false`: a stateless transport
+	* (HTTP) is usable the instant `getTransport` reports `ready`, so it stays a terminal *synchronous*
+	* fallback in {@link ConnectionTransportManager}. Stream carriers (Link/WS) override to `true`.
+	*/
+	_needsAsyncBringUp(_readyData) {
+		return false;
+	}
+	/** Await the carrier becoming ready to send (e.g. a socket `open`). Default: nothing to await. */
+	_awaitCarrierReady(_readyData) {
+		return Promise.resolve();
+	}
+	/**
+	* Finalize during async bring-up — may run a handshake, so it can be async. Defaults to the
+	* synchronous {@link _finalizeTransportMethods}; secure stream carriers override to branch plain/secure.
+	*/
+	_finalizeReady(readyData) {
+		return this._finalizeTransportMethods(readyData);
+	}
+	_getCacheKey(input) {
+		const parts = this.initialized.getTransportCacheKey?.(input);
+		if (parts == null) return null;
+		return parts.join("\0");
+	}
+	getCacheKey(input) {
+		const inner = this._getCacheKey(input);
+		if (inner == null) return null;
+		return `${this.transOrd}:${inner}`;
+	}
+	/**
+	* Whether this transport can serve the given action right now. Consulted by the manager before
+	* cache-key resolution and `getTransport`; a `false` result skips this transport (treated as
+	* `unsupported`) and the manager falls through to the next in preference order. Defaults to `true`
+	* when the transport declares no gate.
+	*/
+	isAvailable(input) {
+		return this.initialized.isAvailable?.(input) ?? true;
+	}
+	getTransport(input) {
+		return this._processTransportStatus(input);
+	}
+	_processTransportStatus(input) {
+		const statusInfo = addTransportStatusMetadata(this.initialized.getTransport(input));
+		if (statusInfo.status === "ready") {
+			if (!this._needsAsyncBringUp(statusInfo.readyData)) return {
+				status: "ready",
+				readyData: this._finalizeTransportMethods(statusInfo.readyData)
+			};
 			return {
-				k: "hs",
-				m: encodeHandshakeMessage(reply)
+				status: "initializing",
+				timeStarted: Date.now(),
+				initializationPromise: this._bringUp(statusInfo.readyData)
 			};
 		}
-		return {
-			k: "err",
-			message: `unexpected handshake message ${message.t}`
-		};
-	}
-	async _handleAction(request) {
-		let session;
-		let candidate;
-		if (request.t != null) {
-			session = this._sessions.get(request.t);
-			if (session == null) return {
-				k: "err",
-				message: "unknown or expired session token"
-			};
-			if ("c" in request) {
-				if (session.crypto == null) return {
-					k: "err",
-					message: "session is not encrypted"
-				};
-				const plain = await session.crypto.decryptFrame(base64ToBytes(request.c));
-				candidate = JSON.parse(textDecoder$1.decode(plain));
-			} else candidate = request.w;
-		} else {
-			if (!this._noneAllowed || "c" in request) return {
-				k: "err",
-				message: "missing session token"
+		if (statusInfo.status === "initializing") {
+			const initializationPromise = statusInfo.initializationPromise.then((result) => result.status === "ready" ? this._bringUp(result.readyData) : result);
+			return {
+				status: "initializing",
+				timeStarted: statusInfo.timeStarted,
+				initializationPromise
 			};
-			candidate = request.w;
 		}
-		if (!isActionPayload_Any_JsonObject(candidate)) return {
-			k: "err",
-			message: "malformed action wire"
-		};
-		const wire = candidate;
-		if (session != null && wire.type === "request") wire.context.originClient = session.client.toJsonObject();
-		const resultWire = (await (await this._runtime.handleActionPayloadWire(wire)).waitForResultPayload()).toJsonObject();
-		if (session?.crypto != null) return {
-			k: "act",
-			c: bytesToBase64(await session.crypto.encryptFrame(textEncoder$1.encode(JSON.stringify(resultWire))))
-		};
+		return statusInfo;
+	}
+	/** Await carrier readiness, then finalize (possibly running a handshake) into the live methods. */
+	async _bringUp(readyData) {
+		await this._awaitCarrierReady(readyData);
 		return {
-			k: "act",
-			w: resultWire
+			status: "ready",
+			readyData: await this._finalizeReady(readyData)
 		};
 	}
-	_err(message) {
-		return encodeExchange({
-			k: "err",
-			message
+};
+//#endregion
+//#region src/ActionRuntime/Transport/Exchange/ExchangeConnection.ts
+/**
+* Carrier-agnostic live connection for the exchange (request → single reply) shape — the HTTP
+* counterpart to {@link LinkConnection}. It owns only the bring-up (run the secure handshake on first
+* use); the request/reply lifecycle + crypto live in the shared `establishExchangeSession`.
+*/
+var ExchangeConnection = class extends TransportConnection {
+	constructor(def) {
+		super({
+			...def,
+			type: "exchange"
+		});
+	}
+	_getCacheKey(input) {
+		return this.initialized.getTransportCacheKey?.(input).join("\0") ?? "";
+	}
+	_needsAsyncBringUp(data) {
+		return data.secureChannel != null && data.secureChannel.securityLevel !== "none";
+	}
+	_finalizeReady(data) {
+		const secure = data.secureChannel;
+		if (secure != null && secure.securityLevel !== "none") return finalizeSecureExchangeMethods({
+			...this._sessionContext(data),
+			secure
 		});
+		return this._finalizeTransportMethods(data);
+	}
+	_finalizeTransportMethods(data) {
+		return finalizePlainExchangeMethods(this._sessionContext(data));
+	}
+	_sessionContext(data) {
+		return {
+			carrier: data.carrier,
+			updateRunConfig: data.updateRunConfig,
+			secure: data.secureChannel
+		};
 	}
 };
 //#endregion
-//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.ts
-/** Permissive defaults — fine for a public action endpoint; override (or disable) via `cors`. */
-const DEFAULT_CORS_HEADERS = {
-	"Access-Control-Allow-Origin": "*",
-	"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-	"Access-Control-Allow-Headers": "Content-Type",
-	"Access-Control-Max-Age": "86400"
-};
+//#region src/ActionRuntime/Transport/Exchange/ExchangeTransport.ts
 /**
-* Build the `fetch` handler a server/Durable-Object exposes for action traffic, folding in the
-* boilerplate every endpoint repeats: CORS (incl. the `OPTIONS` preflight), routing the `/action`
-* `POST` body through the runtime (`handleActionPayloadWire` → `waitForResultPayload` →
-* `toHttpResponse`), an optional WebSocket-upgrade hook, and a `404` fallback.
-*
-* It only touches web-standard `Request`/`Response`, so it stays transport-agnostic — the one
-* environment-specific bit (the WS upgrade) is injected via {@link IActionFetchHandlerOptions.onWebSocketUpgrade}:
-* ```ts
-* this.fetchHandler = createActionFetchHandler(this.runtime, {
-*   onWebSocketUpgrade: () => {
-*     const pair = new WebSocketPair();
-*     this.ctx.acceptWebSocket(pair[1]);
-*     return new Response(null, { status: 101, webSocket: pair[0] });
-*   },
-* });
-* // async fetch(request) { return this.fetchHandler(request); }
-* ```
+* A carrier-agnostic exchange (request → single reply) transport: it drives nice-action's secure session
+* over any {@link IExchangeCarrier} (HTTP being the one built-in). The duplex counterpart is
+* {@link LinkTransport}; this is the no-push half — its reply rides the response to its own request, so it
+* can't deliver an unsolicited frame (the runtime never picks it for the return path).
 */
-function createActionFetchHandler(runtime, options = {}) {
-	const corsHeaders = options.cors === false ? {} : options.cors ?? DEFAULT_CORS_HEADERS;
-	const isActionPath = options.isActionPath ?? ((url) => url.pathname.endsWith("/action"));
-	const isWebSocketPath = options.isWebSocketPath ?? ((url) => url.pathname.endsWith("/ws"));
-	const exchangeAcceptor = options.security != null ? new ExchangeAcceptor({
-		runtime,
-		security: options.security
-	}) : void 0;
-	const withCors = (response) => {
-		if (options.cors === false) return response;
-		const headers = new Headers(response.headers);
-		for (const [key, value] of Object.entries(corsHeaders)) headers.set(key, value);
-		return new Response(response.body, {
-			status: response.status,
-			headers
-		});
-	};
-	return async (request) => {
-		if (request.method === "OPTIONS") return withCors(new Response(null, { status: 204 }));
-		const url = new URL(request.url);
-		const isWebSocketUpgrade = options.isWebSocketUpgrade ?? ((req, u) => req.headers.get("Upgrade") === "websocket" && isWebSocketPath(u));
-		if (options.onWebSocketUpgrade != null && isWebSocketUpgrade(request, url)) return options.onWebSocketUpgrade(request, url);
-		if (request.method === "POST" && isActionPath(url)) {
-			if (exchangeAcceptor != null) {
-				const reply = await exchangeAcceptor.handlePost(await request.text());
-				return withCors(new Response(reply, {
-					status: 200,
-					headers: { "Content-Type": "application/json" }
-				}));
-			}
-			return withCors((await (await runtime.handleActionPayloadWire(await request.json())).waitForResultPayload()).toHttpResponse({ useErrorStatus: options.useErrorStatus }));
-		}
-		return withCors(new Response("Not found", { status: 404 }));
-	};
-}
-//#endregion
-//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/ConnectionStateStore.ts
-/**
-* A typed per-connection state store that co-owns the app state and the acceptor handler's routing
-* binding in one attachment, so neither the consumer nor the handler has to hand-merge the two. Create
-* it through {@link createConnectionStateStore} (which also wires binding persistence and replays
-* surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
-*
-* The mechanism is carrier-neutral — it only needs read/write/enumerate callbacks for the connection's
-* attachment — but it pays off on transports whose connections outlive process eviction (e.g. a
-* Durable Object's hibernatable WebSockets), which is why it lives beside the hibernation adapter.
-*
-* ```ts
-* const players = createConnectionStateStore(serverHandler, {
-*   schema: vs_player,
-*   read: (ws) => ws.deserializeAttachment(),
-*   write: (ws, v) => ws.serializeAttachment(v),
-*   getConnections: () => ctx.getWebSockets(),
-* });
-* players.set(ws, player); // binding is preserved automatically
-* const player = players.get(ws);
-* ```
-*/
-var ConnectionStateStore = class {
+var ExchangeTransport = class ExchangeTransport extends Transport {
 	options;
+	type = "exchange";
 	constructor(options) {
+		super();
 		this.options = options;
 	}
-	/** The validated app state for a connection, or `null` if unset / invalid. */
-	get(connection) {
-		return this._readAttachment(connection).app ?? null;
-	}
-	/** Set the app state, preserving the runtime binding already pinned to the connection. */
-	set(connection, app) {
-		const existing = this._readAttachment(connection);
-		this.options.write(connection, {
-			app,
-			binding: existing.binding
-		});
-	}
-	/** Clear the app state but keep the binding (e.g. a spectator that stopped watching). */
-	clearApp(connection) {
-		const existing = this._readAttachment(connection);
-		this.options.write(connection, { binding: existing.binding });
-	}
-	/** Every live connection paired with its (validated) app state — for rebuilding in-memory state after a wake. */
-	entries() {
-		return this.options.getConnections().map((connection) => [connection, this._readAttachment(connection).app ?? null]);
-	}
-	/** @internal Persist a freshly-bound connection's binding, preserving any app state already stored. */
-	_persistBinding(connection, binding) {
-		const existing = this._readAttachment(connection);
-		this.options.write(connection, {
-			app: existing.app,
-			binding
-		});
-	}
-	/** @internal The persisted binding for a connection, if any (used to replay routing after a wake). */
-	_readBinding(connection) {
-		return this._readAttachment(connection).binding;
+	static create(options) {
+		return new ExchangeTransport(options);
 	}
-	_readAttachment(connection) {
-		try {
-			const raw = this.options.read(connection);
-			if (typeof raw !== "object" || raw === null) return {};
-			const attachment = raw;
-			const result = {};
-			if (attachment.binding != null) result.binding = attachment.binding;
-			if (attachment.app !== void 0) {
-				const app = this._validateApp(attachment.app);
-				if (app !== void 0) result.app = app;
-			}
-			return result;
-		} catch {
-			return {};
-		}
+	_createConnection(_ctx) {
+		const options = this.options;
+		return new ExchangeConnection({ initialize: () => ({
+			getTransportCacheKey: options.getTransportCacheKey,
+			isAvailable: options.available,
+			getTransport: (input) => ({
+				status: "ready",
+				readyData: {
+					carrier: options.openCarrier(input),
+					secureChannel: options.security,
+					updateRunConfig: options.updateRunConfig
+				}
+			})
+		}) });
 	}
-	_validateApp(value) {
-		const schema = this.options.schema;
-		if (schema == null) return value;
-		const result = schema["~standard"].validate(value);
-		if (result instanceof Promise) return void 0;
-		if (result.issues != null) return void 0;
-		return result.value;
+	getRouteInfo(input) {
+		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
+		return {
+			carrierLabel: this.options.label ?? "exchange",
+			summary: this.options.label ?? "exchange"
+		};
 	}
 };
-/**
-* Build a per-connection {@link ConnectionStateStore} bound to an {@link AcceptorHandler}: it registers
-* itself as the handler's connection-bound persistence callback (so bindings are written without
-* overwriting app state) and immediately replays every live connection's stored binding via
-* {@link AcceptorHandler.rehydrateConnection} — so on a transport that resumes after eviction (e.g. a
-* Durable Object waking from hibernation) both the app identity and the action routing come back from a
-* single attachment, with no storage reads and no hand-rolled merge.
-*
-* Lives outside the handler so the generic {@link AcceptorHandler} stays free of any attachment/
-* hibernation concern — it exposes only the neutral `setOnConnectionBound` + `rehydrateConnection`
-* hooks this builder drives.
-*/
-function createConnectionStateStore(handler, options) {
-	const store = new ConnectionStateStore(options);
-	handler.setOnConnectionBound((connection, binding) => store._persistBinding(connection, binding));
-	for (const connection of options.getConnections()) {
-		const binding = store._readBinding(connection);
-		if (binding != null) handler.rehydrateConnection(connection, binding);
-	}
-	return store;
-}
 //#endregion
-//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/createHibernatableWsServerAdapter.ts
+//#region src/ActionRuntime/Transport/helpers/createUnsetTransportResolvers.ts
+const createUnsetTransportResolvers = (transportLabel) => ({ onIncomingActionDataJson: (json) => {
+	console.warn(`Received incoming action JSON [${json.domain}:${json.id}] on Transport [${transportLabel}] but no incoming data listener has been set.`);
+} });
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/establishLinkSession.ts
+const HANDSHAKE_TIMEOUT_MS = 15e3;
+/** Plain path (no handshake): route every inbound frame to the runtime; send without crypto. */
+function finalizePlainLinkMethods(ctx) {
+	const disconnectListeners = [];
+	const abortSet = /* @__PURE__ */ new Set();
+	const pipe = makePipe(ctx, void 0);
+	ctx.channel.attach({
+		onMessage: (frame) => void handleIncomingActionFrame(ctx, pipe, frame),
+		onClose: () => onChannelClosed(ctx, disconnectListeners, abortSet),
+		onError: () => onChannelClosed(ctx, disconnectListeners, abortSet)
+	});
+	return buildSendMethods(ctx, pipe, disconnectListeners, abortSet);
+}
 /**
-* Wire the hibernation lifecycle for an acceptor handler on a transport whose connections outlive process
-* eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
-* registers `setAttachment` as the handler's connection-bound callback and immediately replays every
-* live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
-*
-* Layered on top of the generic {@link AcceptorHandler} — it touches only the handler's neutral
-* `setOnConnectionBound` / `rehydrateConnection` / `receive` / `dropConnection` surface, so no
-* hibernation concern leaks into the handler itself.
-*
-* Construct it once when the handler is built, then forward connection events:
-* ```ts
-* const duplex = createHibernatableWsServerAdapter({ handler, getConnections, getAttachment, setAttachment });
-* // webSocketMessage(ws, msg) => duplex.receive(ws, msg);
-* // webSocketClose/Error(ws)  => duplex.drop(ws);
-* ```
+* Secure path: a single message handler feeds the handshake until it completes, then routes action
+* frames (decrypting at the `encrypted` level). Frames that race ahead of activation are buffered and
+* flushed once the handshake lands, so nothing is lost.
 */
-function createHibernatableWsServerAdapter(options) {
-	const { handler, getConnections, getAttachment, setAttachment } = options;
-	handler.setOnConnectionBound(setAttachment);
-	for (const connection of getConnections()) {
-		const binding = getAttachment(connection);
-		if (binding != null) handler.rehydrateConnection(connection, binding);
-	}
-	return {
-		receive: (connection, frame) => handler.receive(connection, frame),
-		drop: (connection) => handler.dropConnection(connection)
+async function finalizeSecureLinkMethods(ctx) {
+	const disconnectListeners = [];
+	const abortSet = /* @__PURE__ */ new Set();
+	const session = {};
+	let active = false;
+	const handshakeQueue = [];
+	const handshakeWaiters = [];
+	const pendingActionFrames = [];
+	ctx.channel.attach({
+		onMessage: (frame) => {
+			if (active && session.pipe != null) {
+				handleIncomingActionFrame(ctx, session.pipe, frame);
+				return;
+			}
+			if (typeof frame === "string") {
+				const message = decodeHandshakeMessage(frame);
+				if (message != null) {
+					const waiter = handshakeWaiters.shift();
+					if (waiter != null) waiter(message);
+					else handshakeQueue.push(message);
+					return;
+				}
+			}
+			pendingActionFrames.push(frame);
+		},
+		onClose: () => onChannelClosed(ctx, disconnectListeners, abortSet),
+		onError: () => onChannelClosed(ctx, disconnectListeners, abortSet)
+	});
+	const nextHandshakeMessage = () => {
+		const queued = handshakeQueue.shift();
+		if (queued != null) return Promise.resolve(queued);
+		return new Promise((resolve, reject) => {
+			const timeout = setTimeout(() => reject(/* @__PURE__ */ new Error("[link-handshake] timed out waiting for peer reply")), HANDSHAKE_TIMEOUT_MS);
+			handshakeWaiters.push((message) => {
+				clearTimeout(timeout);
+				resolve(message);
+			});
+		});
 	};
+	const pipe = makePipe(ctx, await runClientHandshake(ctx.channel, ctx.secure, nextHandshakeMessage));
+	session.pipe = pipe;
+	active = true;
+	for (const frame of pendingActionFrames) await handleIncomingActionFrame(ctx, pipe, frame);
+	pendingActionFrames.length = 0;
+	return buildSendMethods(ctx, pipe, disconnectListeners, abortSet);
 }
-//#endregion
-//#region src/ActionRuntime/Channel/serveChannel.ts
-/** Default accepted set, shared by every carrier: negotiate per connection to whatever the client picks. */
-const DEFAULT_SERVER_SECURITY_LEVELS = [
-	"none",
-	"authenticated",
-	"encrypted"
-];
-function serveChannel(runtime, channel, options) {
-	const duplexCarriers = options.carriers.filter((carrier) => !require_wsAcceptorCarrier.isExchangeAcceptorCarrier(carrier));
-	const exchangeCarriers = options.carriers.filter(require_wsAcceptorCarrier.isExchangeAcceptorCarrier);
-	if (exchangeCarriers.length > 1) throw new Error("serveChannel: at most one exchange carrier is supported");
-	const exchangeCarrier = exchangeCarriers[0];
-	const singleDuplex = duplexCarriers.length === 1;
-	if (options.connectionState != null && !singleDuplex) throw new Error("serveChannel: `connectionState` requires exactly one duplex carrier");
-	if (options.channelCases != null && !singleDuplex) throw new Error("serveChannel: `channelCases` requires exactly one duplex carrier");
-	const exchangeSecure = exchangeCarrier != null && (exchangeCarrier.secure ?? true);
-	const anyDuplexSecure = duplexCarriers.some((carrier) => carrier.secure ?? true);
-	const securityLevel = options.securityLevel ?? DEFAULT_SERVER_SECURITY_LEVELS;
-	let secure;
-	if (anyDuplexSecure || exchangeSecure) {
-		const storage = options.storage;
-		if (storage == null) throw new Error("serveChannel: a secure carrier requires `storage`. Pass it, or set `secure: false` on the carrier for a plain endpoint.");
-		secure = {
-			storage,
-			link: options.link ?? new _nice_code_util.ClientCryptoKeyLink({ storageAdapter: storage }),
-			verifyKeyResolver: options.verifyKeyResolver ?? createStorageTofuVerifyKeyResolver(storage)
-		};
-	}
-	const plainRouter = (handler) => ({
-		receive: (connection, frame) => handler.receive(connection, frame),
-		drop: (connection) => handler.dropConnection(connection)
+function makePipe(ctx, crypto) {
+	return createFrameCryptoPipe({
+		write: (frame) => ctx.channel.send(frame),
+		isOpen: () => ctx.channel.isOpen(),
+		crypto
 	});
-	const asObject = (value) => typeof value === "object" && value != null ? value : {};
-	const handlers = [];
-	let connections;
-	for (const carrier of duplexCarriers) {
-		const handler = (carrier.secure ?? true) && secure != null ? acceptChannel(runtime, channel, {
-			clientEnv: options.clientEnv,
-			storageAdapter: secure.storage,
-			link: secure.link,
-			verifyKeyResolver: secure.verifyKeyResolver,
-			securityLevel,
-			send: carrier.send,
-			defaultTimeout: options.defaultTimeout
-		}) : createAcceptorHandler({
-			clientEnv: options.clientEnv,
-			createFormatMessage: channel.createCodec,
-			send: carrier.send,
-			runtime,
-			defaultTimeout: options.defaultTimeout
-		});
-		const attach = carrier.attachmentStore;
-		let router;
-		if (attach == null) router = plainRouter(handler);
-		else if (options.connectionState != null) {
-			connections = createConnectionStateStore(handler, {
-				schema: options.connectionState.schema,
-				getConnections: attach.getConnections,
-				read: attach.read,
-				write: attach.write
-			});
-			router = plainRouter(handler);
-		} else router = createHibernatableWsServerAdapter({
-			handler,
-			getConnections: attach.getConnections,
-			getAttachment: (connection) => attach.read(connection)?.binding,
-			setAttachment: (connection, binding) => attach.write(connection, {
-				...asObject(attach.read(connection)),
-				binding
-			})
-		});
-		carrier._activate(router);
-		handlers.push(handler);
-	}
-	runtime.addHandlers([...options.handlers ?? [], ...handlers]);
-	if (options.channelCases != null) runtime.addHandlers([acceptChannelConnections(handlers[0], channel, options.channelCases)]);
-	const exchangeSecurity = exchangeSecure && secure != null ? {
+}
+async function runClientHandshake(channel, secure, nextHandshakeMessage) {
+	await secure.link.initialize();
+	const handshake = createClientHandshake({
 		link: secure.link,
-		verifyKeyResolver: secure.verifyKeyResolver,
-		localCoordinate: runtime.coordinate.toJsonObject(),
-		dictionaryVersion: channel.dictionaryVersion,
-		securityLevel
-	} : void 0;
-	const defaultIsUpgrade = (request) => request.headers.get("Upgrade") === "websocket";
-	const upgraders = [];
-	for (const carrier of duplexCarriers) {
-		if (carrier.upgrade == null) continue;
-		upgraders.push({
-			isUpgrade: carrier.isUpgrade ?? defaultIsUpgrade,
-			upgrade: carrier.upgrade
-		});
-	}
-	const fetch = createActionFetchHandler(runtime, {
-		cors: exchangeCarrier?.cors,
-		onWebSocketUpgrade: upgraders.length === 0 ? void 0 : (request, url) => (upgraders.find((u) => u.isUpgrade(request, url)) ?? upgraders[0]).upgrade(request, url),
-		isWebSocketUpgrade: upgraders.length === 0 ? void 0 : (request, url) => upgraders.some((u) => u.isUpgrade(request, url)),
-		isActionPath: exchangeCarrier != null ? exchangeCarrier.isActionPath ?? (() => true) : () => false,
-		security: exchangeSecurity,
-		useErrorStatus: exchangeCarrier?.useErrorStatus
+		localCoordinate: secure.localCoordinate,
+		dictionaryVersion: secure.dictionaryVersion,
+		securityLevel: secure.securityLevel
 	});
-	const duplex = duplexCarriers.length === 1 ? duplexCarriers[0] : void 0;
-	const pushToClient = (target, request, pushOptions) => {
-		const owner = target instanceof RuntimeCoordinate ? handlers.find((handler) => handler.ownsLiveConnectionFor(target)) : handlers.find((handler) => handler.hasConnection(target));
-		if (owner == null) throw new Error("serveChannel: no duplex carrier holds a connection for the push target");
-		return owner.pushToClient(runtime, target, request, pushOptions);
-	};
-	const broadcast = (makeRequest, broadcastOptions) => {
-		if (!singleDuplex) throw new Error("serveChannel: broadcast requires exactly one duplex carrier — broadcast over a specific handlers[i] instead");
-		handlers[0].broadcast(makeRequest, {
-			runtime,
-			...broadcastOptions
-		});
-	};
-	return {
-		handlers,
-		fetch,
-		duplex,
-		pushToClient,
-		broadcast,
-		connections
-	};
+	channel.send(encodeHandshakeMessage(await handshake.createHello()));
+	const welcome = await nextHandshakeMessage();
+	if (welcome.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${welcome.reason}`);
+	if (welcome.t !== "welcome") throw new Error(`[link-handshake] expected welcome, got ${welcome.t}`);
+	channel.send(encodeHandshakeMessage(await handshake.onWelcome(welcome)));
+	const accept = await nextHandshakeMessage();
+	if (accept.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${accept.reason}`);
+	if (accept.t !== "accept") throw new Error(`[link-handshake] expected accept, got ${accept.t}`);
+	const result = await handshake.onAccept(accept);
+	return result.securityLevel === "encrypted" ? createActionFrameCrypto({
+		link: secure.link,
+		linkedClientId: result.linkedClientId
+	}) : void 0;
 }
-//#endregion
-//#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/createInMemoryChannel.ts
-/**
-* Two cross-wired in-process byte channels — a loopback carrier with no socket. The client end is a
-* {@link IDuplexCarrier} you hand to a {@link LinkTransport}; the server end plugs into an
-* `AcceptorHandler` (`send: (_, f) => serverEndpoint.send(f)`, and `serverEndpoint.onMessage(f =>
-* handler.receive(conn, f))`). Frames are delivered on a microtask, so each side observes the other
-* asynchronously — exactly like a real transport — which makes this ideal for tests and for running
-* two runtimes in one process (or proving a non-WS carrier end to end).
-*/
-function createInMemoryChannelPair() {
-	let clientMessage;
-	let clientClose;
-	let serverMessage;
-	let serverClose;
-	let open = true;
-	const closeBoth = () => {
-		if (!open) return;
-		open = false;
-		queueMicrotask(() => {
-			clientClose?.();
-			serverClose?.();
-		});
+function buildSendMethods(ctx, pipe, disconnectListeners, abortSet) {
+	const channel = ctx.channel;
+	const sendActionData = (inputs) => {
+		const { action, runningAction, timeout } = inputs;
+		if (!channel.isOpen()) {
+			if (action.type === "request") runningAction._abort(ctx.makeDisconnectError(action.id));
+			return;
+		}
+		if (action.type === "request") {
+			abortSet.add(runningAction);
+			const timeoutId = setTimeout(() => {
+				runningAction._abort(err_nice_transport.fromId("timeout", { timeout }));
+			}, timeout);
+			runningAction.addUpdateListeners([(update) => {
+				if (update.type === "finished") {
+					clearTimeout(timeoutId);
+					abortSet.delete(runningAction);
+				}
+			}]);
+		}
+		pipe.send(ctx.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
 	};
 	return {
-		clientChannel: {
-			ready: Promise.resolve(),
-			isOpen: () => open,
-			send: (frame) => {
-				if (!open) return;
-				queueMicrotask(() => serverMessage?.(frame));
-			},
-			attach: ({ onMessage, onClose }) => {
-				clientMessage = onMessage;
-				clientClose = onClose;
-			},
-			close: closeBoth,
-			label: "in-memory"
+		sendActionData,
+		updateRunConfig: ctx.updateRunConfig,
+		addOnDisconnectListener: (cb) => {
+			disconnectListeners.push(cb);
 		},
-		serverEndpoint: {
-			send: (frame) => {
-				if (!open) return;
-				queueMicrotask(() => clientMessage?.(frame));
-			},
-			onMessage: (handler) => {
-				serverMessage = handler;
-			},
-			onClose: (handler) => {
-				serverClose = handler;
-			},
-			close: closeBoth
+		disconnect: () => {
+			try {
+				channel.close();
+			} catch {}
+		},
+		sendReturnData: (payload, clients) => {
+			const formatted = clients != null ? ctx.formatMessage?.outgoing({
+				action: payload,
+				...clients
+			}) : void 0;
+			pipe.send(formatted ?? JSON.stringify(payload.toJsonObject()));
 		}
 	};
 }
+async function handleIncomingActionFrame(ctx, pipe, frame) {
+	const decoded = await pipe.decryptIncoming(frame);
+	if (decoded === void 0) return;
+	const rawJson = decodeActionFrame(decoded, ctx.formatMessage);
+	if (rawJson != null) ctx.resolvers.onIncomingActionDataJson(rawJson);
+}
+function onChannelClosed(ctx, disconnectListeners, abortSet) {
+	for (const cb of disconnectListeners) cb();
+	const error = ctx.makeDisconnectError("—");
+	for (const ra of [...abortSet]) ra._abort(error);
+}
 //#endregion
-//#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/inMemoryCarrier.ts
+//#region src/ActionRuntime/Transport/Link/LinkConnection.ts
+/** Abort error for a closed link channel (carrier-neutral — the carrier itself isn't named). */
+function linkDisconnectError(actionId) {
+	return err_nice_transport.fromId("send_failed", {
+		actionId,
+		actionState: "request",
+		message: "link channel disconnected"
+	});
+}
 /**
-* A loopback duplex carrier with no socket — two cross-wired in-process ends. The connector end is an
-* {@link IDuplexCarrierSource} for {@link secureTransport}; the acceptor end plugs into an
-* `AcceptorHandler`. Ideal for tests and for running two runtimes in one process, or proving a
-* non-WS carrier end to end.
+* Carrier-agnostic live connection. It owns only the *bring-up* (open the carrier, then run the secure
+* session); the session itself — handshake, frame crypto, codec, send/receive — lives in the shared
+* {@link finalizeSecureLinkMethods}/{@link finalizePlainLinkMethods}, so a WebSocket, a WebRTC data
+* channel, a Bluetooth characteristic, and an in-memory pipe all run the identical secure layer.
 */
-function inMemoryCarrier() {
-	const { clientChannel, serverEndpoint } = createInMemoryChannelPair();
-	return {
-		carrier: {
-			carrierLabel: "memory",
-			open: () => clientChannel,
-			getCacheKey: () => ["memory"]
-		},
-		serverEndpoint
-	};
-}
+var LinkConnection = class extends TransportConnection {
+	resolvers;
+	constructor(def, resolvers) {
+		super({
+			...def,
+			type: "duplex"
+		});
+		this.resolvers = resolvers ?? createUnsetTransportResolvers("link");
+	}
+	_getCacheKey(input) {
+		return this.initialized.getTransportCacheKey?.(input).join("\0") ?? "";
+	}
+	_needsAsyncBringUp() {
+		return true;
+	}
+	_awaitCarrierReady(data) {
+		return data.channel.ready;
+	}
+	_finalizeReady(data) {
+		const secure = data.secureChannel;
+		if (secure != null && secure.securityLevel !== "none") return finalizeSecureLinkMethods({
+			...this._sessionContext(data),
+			secure
+		});
+		return this._finalizeTransportMethods(data);
+	}
+	_sessionContext(data) {
+		return {
+			channel: data.channel,
+			resolvers: this.resolvers,
+			formatMessage: data.formatMessage,
+			updateRunConfig: data.updateRunConfig,
+			makeDisconnectError: linkDisconnectError
+		};
+	}
+	_finalizeTransportMethods(data) {
+		return finalizePlainLinkMethods(this._sessionContext(data));
+	}
+};
 //#endregion
-//#region src/ActionRuntime/Transport/Carrier/duplex/rtc/rtcDataChannelByteChannel.ts
+//#region src/ActionRuntime/Transport/Link/LinkTransport.ts
 /**
-* Adapt a WebRTC `RTCDataChannel` to the carrier-agnostic {@link IDuplexCarrier}, so two browsers
-* (or two mobile apps) linked peer-to-peer — no server in the middle — run the *same* secure session as
-* a WebSocket. Hand it to `createSecureLinkTransport({ openChannel: () => rtcDataChannelByteChannel(dc) })`.
-*
-* The data channel must already be created (its negotiation/signaling is the app's concern); this only
-* drives bytes over it. Binary frames are requested as `ArrayBuffer` so the binary session codec unpacks
-* them synchronously; a `Blob` (if the channel hands one back) is normalized to a buffer.
+* A carrier-agnostic transport: it drives nice-action's secure session + action routing over any
+* {@link IDuplexCarrier}. The WebSocket transport is the special case that opens a `WebSocket`;
+* this opens whatever `openChannel` returns, so the identical secure layer works over WebRTC, Bluetooth,
+* or an in-memory pipe. Reported with an overridable carrier label in the devtools (defaults to "link").
 */
-function rtcDataChannelByteChannel(dc) {
-	dc.binaryType = "arraybuffer";
-	let intentional = false;
-	let onMessage;
-	let onClose;
-	const preAttach = [];
-	const deliver = (frame) => {
-		if (onMessage != null) onMessage(frame);
-		else preAttach.push(frame);
-	};
-	dc.addEventListener("message", async (event) => {
-		const frame = await normalizeFrame$1(event.data);
-		if (frame !== void 0) deliver(frame);
-	});
-	dc.addEventListener("close", () => {
-		if (!intentional) console.error("RTCDataChannel closed");
-		onClose?.();
+var LinkTransport = class LinkTransport extends Transport {
+	options;
+	type = "duplex";
+	constructor(options) {
+		super();
+		this.options = options;
+	}
+	static create(options) {
+		return new LinkTransport(options);
+	}
+	_createConnection(ctx) {
+		const options = this.options;
+		return new LinkConnection({ initialize: () => ({
+			getTransportCacheKey: options.getTransportCacheKey,
+			isAvailable: options.available,
+			getTransport: (input) => ({
+				status: "ready",
+				readyData: {
+					channel: options.openChannel(input),
+					formatMessage: options.createFormatMessage?.() ?? options.formatMessage,
+					updateRunConfig: options.updateRunConfig,
+					secureChannel: options.security
+				}
+			})
+		}) }, ctx.resolvers);
+	}
+	getRouteInfo(input) {
+		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
+		return {
+			carrierLabel: this.options.label ?? "link",
+			summary: this.options.label ?? "link"
+		};
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Transport/plainTransport.ts
+function plainTransport(options) {
+	const carrier = options.carrier;
+	if (isExchangeCarrierSource(carrier)) return ExchangeTransport.create({
+		openCarrier: carrier.open,
+		getTransportCacheKey: carrier.getCacheKey,
+		available: options.available,
+		getRouteInfo: carrier.getRouteInfo,
+		label: options.label ?? carrier.carrierLabel,
+		updateRunConfig: options.updateRunConfig
 	});
-	dc.addEventListener("error", (event) => {
-		console.error("RTCDataChannel error:", event);
-		onClose?.();
+	return LinkTransport.create({
+		openChannel: carrier.open,
+		formatMessage: options.formatMessage,
+		createFormatMessage: options.createFormatMessage,
+		getTransportCacheKey: carrier.getCacheKey,
+		available: options.available,
+		getRouteInfo: carrier.getRouteInfo,
+		label: options.label ?? carrier.carrierLabel,
+		updateRunConfig: options.updateRunConfig
 	});
-	return {
-		ready: new Promise((resolve, reject) => {
-			if (dc.readyState === "open") {
-				resolve();
-				return;
-			}
-			dc.addEventListener("open", () => resolve(), { once: true });
-			dc.addEventListener("error", (event) => reject(event), { once: true });
-			dc.addEventListener("close", () => reject(/* @__PURE__ */ new Error("RTCDataChannel closed before open")), { once: true });
-		}),
-		isOpen: () => dc.readyState === "open",
-		send: (frame) => {
-			if (typeof frame === "string" || frame instanceof ArrayBuffer) dc.send(frame);
-			else dc.send(new Uint8Array(frame));
-		},
-		attach: (handlers) => {
-			onMessage = handlers.onMessage;
-			onClose = handlers.onClose;
-			for (const frame of preAttach) handlers.onMessage(frame);
-			preAttach.length = 0;
-		},
-		close: () => {
-			intentional = true;
-			try {
-				dc.close();
-			} catch {}
-		},
-		get label() {
-			return dc.label != null && dc.label !== "" ? dc.label : void 0;
-		}
-	};
 }
-async function normalizeFrame$1(data) {
-	if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) return data;
-	if (typeof Blob !== "undefined" && data instanceof Blob) return await data.arrayBuffer();
+//#endregion
+//#region src/ActionRuntime/Transport/secureTransport.ts
+function secureTransport(options) {
+	const link = options.link ?? (options.storageAdapter != null ? new _nice_code_util.ClientCryptoKeyLink({ storageAdapter: options.storageAdapter }) : void 0);
+	if (link == null) throw new Error("secureTransport: provide `link` or `storageAdapter` for the crypto identity.");
+	const security = {
+		securityLevel: options.securityLevel,
+		link,
+		localCoordinate: options.runtime.coordinate.toJsonObject(),
+		dictionaryVersion: options.channel.dictionaryVersion
+	};
+	const carrier = options.carrier;
+	if (isExchangeCarrierSource(carrier)) return ExchangeTransport.create({
+		openCarrier: carrier.open,
+		getTransportCacheKey: carrier.getCacheKey,
+		available: options.available,
+		getRouteInfo: carrier.getRouteInfo,
+		label: carrier.carrierLabel,
+		security
+	});
+	return LinkTransport.create({
+		openChannel: carrier.open,
+		createFormatMessage: options.channel.createCodec,
+		getTransportCacheKey: carrier.getCacheKey,
+		available: options.available,
+		getRouteInfo: carrier.getRouteInfo,
+		label: carrier.carrierLabel,
+		security
+	});
 }
 //#endregion
-//#region src/ActionRuntime/Transport/Carrier/duplex/rtc/rtcCarrier.ts
+//#region src/ActionRuntime/Channel/ActionChannel.ts
 /**
-* A WebRTC {@link IDuplexCarrierSource} over an already-negotiated `RTCDataChannel` (signaling is the
-* app's concern). Hand it to {@link secureTransport} so two browsers/apps linked peer-to-peer run the
-* identical secure session as a WebSocket.
+* Declare a transport-agnostic channel by role. Use it for HTTP, custom transports, or as the routing
+* half of a richer channel. The order of each list is part of the contract for wire formats that pack
+* positionally (see `defineSecureChannel`) — add new domains to the end of their list. (`domains` is
+* accepted as a legacy alias for `toAcceptor`.)
 */
-function rtcCarrier(dataChannel, options = {}) {
+function defineChannel(options) {
 	return {
-		carrierLabel: "webrtc",
-		open: () => rtcDataChannelByteChannel(dataChannel),
-		getCacheKey: options.getTransportCacheKey ?? (() => ["webrtc"]),
-		getRouteInfo: options.getRouteInfo
+		toAcceptorDomains: options.toAcceptor,
+		toConnectorDomains: options.toConnector
 	};
 }
-//#endregion
-//#region src/ActionRuntime/Transport/Carrier/duplex/ws/err_nice_transport_ws.ts
-let EErrId_NiceTransport_WebSocket = /* @__PURE__ */ function(EErrId_NiceTransport_WebSocket) {
-	EErrId_NiceTransport_WebSocket["ws_disconnected"] = "ws_disconnected";
-	EErrId_NiceTransport_WebSocket["ws_create_failed"] = "ws_create_failed";
-	EErrId_NiceTransport_WebSocket["ws_error"] = "ws_error";
-	return EErrId_NiceTransport_WebSocket;
-}({});
-const err_nice_transport_ws = err_nice_transport.createChildDomain({
-	domain: "ws_transport",
-	schema: {
-		["ws_disconnected"]: (0, _nice_code_error.err)({ message: () => `WebSocket transport disconnected.` }),
-		["ws_create_failed"]: (0, _nice_code_error.err)({ message: ({ originalError }) => `Failed to create WebSocket transport.${originalError ? ` Original error: ${originalError.message}` : ""}` }),
-		["ws_error"]: (0, _nice_code_error.err)({ message: ({ originalError }) => `WebSocket transport error.${originalError ? ` Original error: ${originalError.message}` : ""}` })
-	}
-});
-//#endregion
-//#region src/ActionRuntime/Transport/Carrier/duplex/ws/ws_util.ts
 /**
-* Send a text or binary frame over a socket. A binary formatter may hand back a `Uint8Array` whose
-* backing buffer is typed as `ArrayBufferLike` (msgpackr pools buffers / may be `SharedArrayBuffer`),
-* which `WebSocket.send`'s `BufferSource` parameter rejects — copy it into a fresh `ArrayBuffer`-backed
-* view so the type (and the bytes) are safe to send.
+* Open a connection to a peer from a single call — the dial-out dual of `serveChannel`. The channel is
+* the single source of truth for *what* is routed (`toAcceptor` domains forwarded to the peer,
+* `toConnector` pushes handled locally from `onPush`); the call binds the shared facts — the channel's
+* codec/dictionary version, the runtime, and one crypto identity (a {@link ClientCryptoKeyLink} over
+* `storage`) — into every transport in `transports`, so none of them restate the channel or runtime.
+* List several transports to make the path transport-agnostic (secure WS preferred, HTTP fallback):
+* ```ts
+* const handler = connectChannel(runtime, lobbyChannel, {
+*   peer: runtime_coordinate_lobby_do,
+*   storage,
+*   transports: [{ carrier: wsCarrier(url) }, { carrier: httpCarrier(...), secure: false }],
+*   onPush: { player_joined: (p) => { … } },
+* });
+* ```
+* Returns the {@link ConnectorHandler} so the caller can later `clearTransportCache()` it.
 */
-function sendFrame(ws, data) {
-	if (typeof data === "string" || data instanceof ArrayBuffer) {
-		ws.send(data);
-		return;
-	}
-	ws.send(new Uint8Array(data));
+function connectChannel(runtime, channel, options) {
+	const securityLevel = options.securityLevel ?? "authenticated";
+	const anySecure = options.transports.some((transport) => transport.secure ?? true);
+	let link = options.link;
+	if (anySecure && link == null) {
+		if (options.storage == null) throw new Error("connectChannel: a secure transport requires `storage` (or `link`). Pass it, or set `secure: false` on the transport for a plain connection.");
+		link = new _nice_code_util.ClientCryptoKeyLink({ storageAdapter: options.storage });
+	}
+	const transports = options.transports.map((transport) => {
+		const carrier = transport.carrier;
+		const secure = transport.secure ?? true;
+		if (isExchangeCarrierSource(carrier)) return secure ? secureTransport({
+			channel,
+			runtime,
+			link,
+			securityLevel: transport.securityLevel ?? securityLevel,
+			available: transport.available,
+			carrier
+		}) : plainTransport({
+			carrier,
+			available: transport.available,
+			label: transport.label
+		});
+		return secure ? secureTransport({
+			channel,
+			runtime,
+			link,
+			securityLevel: transport.securityLevel ?? securityLevel,
+			available: transport.available,
+			carrier
+		}) : plainTransport({
+			carrier,
+			createFormatMessage: channel.createCodec,
+			available: transport.available,
+			label: transport.label
+		});
+	});
+	const pushHandlers = options.onPush != null ? channel.toConnectorDomains.map((domain) => domain.wrapAsPartialLocalHandler(options.onPush)) : [];
+	return runtime.connectTo(options.peer, {
+		transports,
+		domains: [...channel.toAcceptorDomains],
+		localHandlers: pushHandlers,
+		defaultTimeout: options.defaultTimeout
+	});
 }
-/** Compact a WebSocket URL to `host/pathname` for devtools display, falling back to the raw url. */
-function shortWs(url) {
-	try {
-		const u = new URL(url);
-		return `${u.host}${u.pathname}`;
-	} catch {
-		return url;
-	}
+/**
+* Register an acceptor handler's execution for a channel straight from its definition: the channel's
+* `toAcceptor` domains are served together with one merged, connection-aware case map (each case gets
+* the primed request + the originating connection, as with
+* {@link AcceptorHandler.forConnectionDomainCases}). The domain list is taken from the channel,
+* never restated. Add the returned handler to the runtime alongside the acceptor handler:
+* ```ts
+* runtime.addHandlers([acceptChannelConnections(serverHandler, channel, { … }), serverHandler]);
+* ```
+*/
+function acceptChannelConnections(serverHandler, channel, cases) {
+	return serverHandler.forConnectionDomainCasesMulti(channel.toAcceptorDomains, cases);
 }
-//#endregion
-//#region src/ActionRuntime/Transport/Carrier/duplex/ws/webSocketByteChannel.ts
 /**
-* Adapt a `WebSocket` to the carrier-agnostic {@link IDuplexCarrier}, so the WebSocket becomes
-* "just another carrier" under the shared secure session. It owns every WebSocket-specific concern —
-* awaiting `open`, normalizing `Blob` frames to bytes, suppressing the log on a deliberate `close`, and
-* buffering any frame that arrives before the session attaches its handler — leaving the session itself
-* carrier-neutral.
+* Build the secure {@link AcceptorHandler} for a channel — the accept-in counterpart to
+* {@link connectChannel}. It folds in the same boilerplate as {@link createSecureAcceptorHandler} (the
+* `ClientCryptoKeyLink` + storage-backed TOFU resolver from one `storageAdapter`, the channel's codec +
+* dictionary version, the `security` block from the runtime coordinate) but takes the `(runtime, channel,
+* options)` shape of the channel family. Pair it with {@link acceptChannelConnections} for execution:
+* ```ts
+* const acceptor = acceptChannel(runtime, gameChannel, { clientEnv, storageAdapter, send });
+* runtime.addHandlers([acceptChannelConnections(acceptor, gameChannel, { … }), acceptor]);
+* ```
 */
-function webSocketByteChannel(ws) {
-	let intentional = false;
-	let onMessage;
-	let onClose;
-	const preAttach = [];
-	const deliver = (frame) => {
-		if (onMessage != null) onMessage(frame);
-		else preAttach.push(frame);
-	};
-	ws.addEventListener("message", async (event) => {
-		const frame = await normalizeFrame(event.data);
-		if (frame !== void 0) deliver(frame);
-	});
-	ws.addEventListener("close", (event) => {
-		if (!intentional) console.error("WebSocket closed:", event);
-		onClose?.();
-	});
-	ws.addEventListener("error", (event) => {
-		console.error("WebSocket error:", event);
-		onClose?.();
+function acceptChannel(runtime, channel, options) {
+	return createSecureAcceptorHandler({
+		channel,
+		runtime,
+		clientEnv: options.clientEnv,
+		storageAdapter: options.storageAdapter,
+		link: options.link,
+		send: options.send,
+		securityLevel: options.securityLevel,
+		verifyKeyResolver: options.verifyKeyResolver,
+		defaultTimeout: options.defaultTimeout
 	});
-	return {
-		ready: new Promise((resolve, reject) => {
-			if (ws.readyState === WebSocket.OPEN) {
-				resolve();
-				return;
-			}
-			ws.addEventListener("open", () => resolve(), { once: true });
-			ws.addEventListener("error", (event) => reject(event), { once: true });
-			ws.addEventListener("close", (event) => reject(/* @__PURE__ */ new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
-		}),
-		isOpen: () => ws.readyState === WebSocket.OPEN,
-		send: (frame) => sendFrame(ws, frame),
-		attach: (handlers) => {
-			onMessage = handlers.onMessage;
-			onClose = handlers.onClose;
-			for (const frame of preAttach) handlers.onMessage(frame);
-			preAttach.length = 0;
-		},
-		close: () => {
-			intentional = true;
-			try {
-				ws.close();
-			} catch {}
-		},
-		get label() {
-			return ws.url != null && ws.url !== "" ? ws.url : void 0;
-		}
-	};
-}
-/** Accept text + binary frames (ArrayBuffer / Uint8Array / Blob); Blobs are converted to a buffer. */
-async function normalizeFrame(data) {
-	if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) return data;
-	if (typeof Blob !== "undefined" && data instanceof Blob) return await data.arrayBuffer();
 }
 //#endregion
-//#region src/ActionRuntime/Transport/Carrier/duplex/ws/wsCarrier.ts
+//#region src/ActionRuntime/Transport/codec/actionWireCodec.ts
 /**
-* A WebSocket {@link IDuplexCarrierSource}: opens an `arraybuffer` socket to `url` (cached per endpoint)
-* and adapts it to a carrier. Hand it to {@link secureTransport} (or `LinkTransport`) — the WebSocket is
-* now "just another carrier" under the shared secure session, with no WS-specific transport class.
+* Tiny integer codes for the payload type, so the verbose `"request"`/`"result"`/`"progress"`
+* strings never hit the wire. The index in {@link ReversePayloadType} must line up with the value.
 */
-function wsCarrier(url, options = {}) {
-	return {
-		carrierLabel: "ws",
-		open: (input) => webSocketByteChannel(options.createWebSocket?.(input) ?? defaultWebSocket(url)),
-		getCacheKey: options.getTransportCacheKey ?? (() => [url]),
-		getRouteInfo: options.getRouteInfo ?? (() => ({
-			carrierLabel: "ws",
-			url,
-			summary: `ws ${shortWs(url)}`
-		}))
-	};
-}
-function defaultWebSocket(url) {
-	const ws = new WebSocket(url);
-	ws.binaryType = "arraybuffer";
-	return ws;
-}
-//#endregion
-//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpAcceptorCarrier.ts
+const PayloadTypeToInt = {
+	["request"]: 0,
+	["result"]: 1,
+	["progress"]: 2
+};
+const ReversePayloadType = [
+	"request",
+	"result",
+	"progress"
+];
 /**
-* An HTTP {@link IExchangeAcceptorCarrier}: the accept-in dual of {@link httpCarrier}. It serves the
-* secure exchange protocol (handshake → token session → encrypted frames) over web-standard
-* `Request`/`Response`. The crypto identity, runtime coordinate, dictionary version, and accepted security
-* levels are all supplied centrally by `serveChannel`, so this only needs to say which requests carry an
-* action envelope and how to answer CORS.
+* Build the positional `domain:id` ↔ integer dictionary. Both ends of a channel MUST build it from
+* the same domains in the same order — the mapping is positional, so a mismatch routes to the wrong
+* action. Add new transported domains to the end of the list.
 */
-function httpAcceptorCarrier(options = {}) {
+function buildActionRouteDictionary(domains) {
+	const routeToInt = /* @__PURE__ */ new Map();
+	const intToRoute = [];
+	for (const dom of domains) for (const actionId of Object.keys(dom.actionSchema)) {
+		const routeKey = `${dom.domain}:${actionId}`;
+		if (routeToInt.has(routeKey)) continue;
+		routeToInt.set(routeKey, intToRoute.length);
+		intToRoute.push({
+			domain: dom.domain,
+			id: actionId,
+			allDomains: dom.allDomains
+		});
+	}
 	return {
-		shape: "exchange",
-		carrierLabel: options.carrierLabel ?? "http",
-		secure: options.secure,
-		isActionPath: options.isActionPath,
-		cors: options.cors,
-		useErrorStatus: options.useErrorStatus
+		routeToInt,
+		intToRoute
 	};
 }
-//#endregion
-//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpCarrier.ts
-function shortPath(url) {
-	try {
-		return new URL(url).pathname || url;
-	} catch {
-		return url;
-	}
+/** Pull the type-specific payload (`input` / `result` / `progress`) out of a wire JSON object. */
+function extractWirePayload(json) {
+	if (json.type === "request") return json.input;
+	if (json.type === "result") return json.result;
+	if (json.type === "progress") return json.progress;
 }
 /**
-* An HTTP {@link IExchangeCarrierSource}: each `exchange` POSTs one frame body to the action endpoint and
-* resolves with the response body as the single correlated reply. Hand it to {@link secureTransport} —
-* HTTP then runs the *same* secure session as a duplex carrier (handshake → token → encrypted frames),
-* the request/reply correlation provided for free by the HTTP transaction.
-*
-* `createRequest` derives the URL/headers per action (keep it simple with `() => ({ url })`). The body is
-* the session's responsibility, so it is never built here.
+* Reassemble a full wire JSON object from its decoded parts. `inputHash`/`outputHash` are emitted
+* empty — the hydration constructors recompute them — and the result still satisfies
+* `isActionPayload_Any_JsonObject` so it flows through validation like a JSON frame.
 */
-function httpCarrier(createRequest, options = {}) {
-	const doFetch = options.fetch ?? fetch;
+function assembleWireJson(routeMeta, payloadType, time, context, payloadData) {
+	const base = {
+		form: "data",
+		domain: routeMeta.domain,
+		id: routeMeta.id,
+		allDomains: routeMeta.allDomains,
+		time,
+		context
+	};
+	if (payloadType === "request") return {
+		...base,
+		type: "request",
+		input: payloadData,
+		inputHash: ""
+	};
+	if (payloadType === "result") return {
+		...base,
+		type: "result",
+		result: payloadData,
+		outputHash: ""
+	};
 	return {
-		shape: "exchange",
-		carrierLabel: "http",
-		open: (input) => {
-			const request = createRequest(input);
-			return {
-				label: request.url,
-				exchange: async (frame, opts) => {
-					return await (await doFetch(request.url, {
-						method: "POST",
-						headers: {
-							"Content-Type": "application/json",
-							...request.headers
-						},
-						body: typeof frame === "string" ? frame : new Uint8Array(frame),
-						signal: opts?.signal
-					})).text();
-				}
-			};
-		},
-		getCacheKey: options.getTransportCacheKey ?? ((input) => [createRequest(input).url]),
-		getRouteInfo: options.getRouteInfo ?? ((input) => {
-			const { url } = createRequest(input);
-			return {
-				carrierLabel: "http",
-				method: "POST",
-				url,
-				summary: `POST ${shortPath(url)}`
-			};
-		})
+		...base,
+		type: "progress",
+		progress: payloadData
 	};
 }
 //#endregion
-//#region src/ActionRuntime/Transport/codec/createBinaryWireAdapter.ts
+//#region src/ActionRuntime/Transport/codec/createBinaryWireSessionFactory.ts
 /**
-* Positional layout of the stateless binary envelope. A flat tuple (rather than an object) strips the
-* repeated `domain`/`id`/`form`/`type` and context key names from every frame, and we carry only the
-* context fields the receiver can't recompute: `cuid` (correlation) and `originClient` (return
-* routing).
-*
-*   [ routeInt, typeInt, time, cuid, originClient, payloadData ]
+* Positional layout of the *session* binary envelope — the leanest frame. Compared to the stateless
+* adapter it replaces the 21-char `cuid` with a small per-connection integer and only carries
+* `originClient` on the very first request of each direction (the peer remembers it afterwards).
 *
-* Dropped vs the JSON wire: `form`/`type` strings, `inputHash`/`outputHash` (recomputed on hydrate),
-* `context.timeCreated` (reconstructed from `time`) and `context.routing` (rebuilt empty — the
-* receiver re-stamps its own route items as it handles the action). For the leanest possible frames
-* (integer correlation, identity dropped after a handshake), use `createBinaryWireSessionFactory`.
+*   [ routeInt, typeInt, corrId, time, originClient?, payloadData ]
 */
-const ENVELOPE = {
+const ENVELOPE$1 = {
 	route: 0,
 	type: 1,
-	time: 2,
-	cuid: 3,
+	corr: 2,
+	time: 3,
 	originClient: 4,
 	payload: 5
 };
-const ENVELOPE_LENGTH = 6;
+const ENVELOPE_LENGTH$1 = 6;
 /**
-* Builds a *stateless* `formatMessage` pipeline for {@link LinkTransport}, packing action
-* payloads into a compact msgpackr binary frame instead of JSON. The `domain`/`id` route collapses to
-* a single integer drawn from a shared dictionary; `form`/`type`, the recomputable
-* `inputHash`/`outputHash`, and the per-frame `context.routing`/`context.timeCreated` are all dropped
-* (see {@link ENVELOPE}).
+* How long a pending correlation entry is kept before it's swept. A correlation only matters until its
+* action resolves or times out, so anything older than the longest realistic action timeout can be
+* dropped — this bounds memory when requests time out or a connection dies mid-flight (their replies
+* would never arrive, leaving the entry orphaned). Generous default so live correlations are never
+* pruned (the default transport timeout is 10s).
+*/
+const DEFAULT_CORRELATION_TTL_MS = 5 * 6e4;
+function isKnownIdentity(coordinate) {
+	return coordinate != null && coordinate.envId !== "_unset_";
+}
+/**
+* Drop entries older than `ttlMs`. Maps keep insertion order and entries are inserted in time order,
+* so the oldest are first — stop sweeping at the first live entry.
+*/
+function pruneExpired(map, now, ttlMs) {
+	for (const [key, entry] of map) {
+		if (now - entry.time <= ttlMs) break;
+		map.delete(key);
+	}
+}
+/**
+* Builds a factory of *stateful, per-connection* codecs for {@link LinkTransport} /
+* `AcceptorHandler` — the maximally compact binary wire. Call the returned factory once per live
+* connection (each socket on the client, each accepted connection on the server) so every channel
+* gets its own correlation + identity state.
 *
-* No validation runs here: `incoming` blindly reconstructs the wire JSON shape and hands it back to
-* the connection, which flows into `ActionRuntime` → `domain.hydrateAnyAction()` where the Valibot
-* schemas validate it exactly as they would for a JSON frame.
+* On top of everything {@link createBinaryWireAdapter} drops, a session also drops:
+* - **`cuid`** — replaced by a per-connection integer correlation id. The initiator maps it to its
+*   real cuid; the responder echoes it; each side reconstructs the cuid from its own map. Correlation
+*   only needs to be unique per socket, so a counter suffices.
+* - **`originClient` after the first request** — the first request each side sends carries its
+*   identity; the peer remembers it and injects it into later frames. Replies omit it entirely (a
+*   reply carries the initiator's own origin, which the initiator already knows).
 *
-* Both ends of the socket MUST construct the adapter with the same domains in the same order — the
-* integer dictionary is positional. Mismatched dictionaries will route to the wrong action.
+* Both ends MUST build the factory from the same domains in the same order (positional dictionary).
+* Text frames still return `undefined` from `incoming`, so JSON clients remain interoperable.
 *
-* Because `incoming` returns `undefined` for text frames, a binary server can still serve plain-JSON
-* clients on the same runtime (the connection falls back to its built-in JSON parser).
+* Hibernation note: after a server connection is evicted its session resets, so a still-connected
+* client (whose session persists) will keep omitting `originClient`. The server must therefore restore
+* the connection→client binding from its own store (see `AcceptorHandler.rehydrateConnection`) and
+* inject `originClient` from there — the session alone can't recover it.
 */
-function createBinaryWireAdapter(domains) {
+function createBinaryWireSessionFactory(domains, options) {
 	const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
-	return {
-		outgoing: (input) => {
-			const json = input.action.toJsonObject();
-			const routeKey = `${json.domain}:${json.id}`;
-			const routeInt = routeToInt.get(routeKey);
-			if (routeInt == null) throw new Error(`[binary-wire] Cannot pack unregistered action route: ${routeKey}`);
-			const envelope = new Array(ENVELOPE_LENGTH);
-			envelope[ENVELOPE.route] = routeInt;
-			envelope[ENVELOPE.type] = PayloadTypeToInt[json.type];
-			envelope[ENVELOPE.time] = json.time;
-			envelope[ENVELOPE.cuid] = json.context.cuid;
-			envelope[ENVELOPE.originClient] = json.context.originClient;
-			envelope[ENVELOPE.payload] = extractWirePayload(json);
-			return (0, msgpackr.pack)(envelope);
-		},
-		incoming: (frame) => {
-			let buffer;
-			if (frame instanceof ArrayBuffer) buffer = new Uint8Array(frame);
-			else if (frame instanceof Uint8Array) buffer = frame;
-			else return;
-			try {
-				const envelope = (0, msgpackr.unpack)(buffer);
-				if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH) return void 0;
-				const routeMeta = intToRoute[envelope[ENVELOPE.route]];
-				const payloadType = ReversePayloadType[envelope[ENVELOPE.type]];
-				if (routeMeta == null || payloadType == null) return void 0;
-				const time = envelope[ENVELOPE.time];
-				return assembleWireJson(routeMeta, payloadType, time, {
-					cuid: envelope[ENVELOPE.cuid],
-					timeCreated: time,
-					routing: [],
-					originClient: envelope[ENVELOPE.originClient]
-				}, envelope[ENVELOPE.payload]);
-			} catch (e) {
-				console.error("[binary-wire] Failed to unpack binary action frame", e);
-				return;
+	const unknownIdentity = RuntimeCoordinate.unknown.toJsonObject();
+	const ttlMs = options?.correlationTtlMs ?? DEFAULT_CORRELATION_TTL_MS;
+	return () => {
+		let outCounter = 0;
+		const corrToCuid = /* @__PURE__ */ new Map();
+		const cuidToCorr = /* @__PURE__ */ new Map();
+		let selfIdentity;
+		let peerIdentity;
+		return {
+			outgoing: (input) => {
+				const json = input.action.toJsonObject();
+				const routeKey = `${json.domain}:${json.id}`;
+				const routeInt = routeToInt.get(routeKey);
+				if (routeInt == null) throw new Error(`[binary-wire] Cannot pack unregistered action route: ${routeKey}`);
+				const now = Date.now();
+				pruneExpired(corrToCuid, now, ttlMs);
+				pruneExpired(cuidToCorr, now, ttlMs);
+				let corr;
+				let wireIdentity;
+				if (json.type === "request") {
+					corr = outCounter++;
+					corrToCuid.set(corr, {
+						value: json.context.cuid,
+						time: now
+					});
+					if (selfIdentity == null && isKnownIdentity(json.context.originClient)) {
+						selfIdentity = json.context.originClient;
+						wireIdentity = json.context.originClient;
+					}
+				} else {
+					corr = cuidToCorr.get(json.context.cuid)?.value ?? -1;
+					if (json.type === "result") cuidToCorr.delete(json.context.cuid);
+				}
+				const envelope = new Array(ENVELOPE_LENGTH$1);
+				envelope[ENVELOPE$1.route] = routeInt;
+				envelope[ENVELOPE$1.type] = PayloadTypeToInt[json.type];
+				envelope[ENVELOPE$1.corr] = corr;
+				envelope[ENVELOPE$1.time] = json.time;
+				envelope[ENVELOPE$1.originClient] = wireIdentity;
+				envelope[ENVELOPE$1.payload] = extractWirePayload(json);
+				return (0, msgpackr.pack)(envelope);
+			},
+			incoming: (frame) => {
+				let buffer;
+				if (frame instanceof ArrayBuffer) buffer = new Uint8Array(frame);
+				else if (frame instanceof Uint8Array) buffer = frame;
+				else return;
+				try {
+					const envelope = (0, msgpackr.unpack)(buffer);
+					if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH$1) return void 0;
+					const routeMeta = intToRoute[envelope[ENVELOPE$1.route]];
+					const payloadType = ReversePayloadType[envelope[ENVELOPE$1.type]];
+					if (routeMeta == null || payloadType == null) return void 0;
+					const now = Date.now();
+					pruneExpired(corrToCuid, now, ttlMs);
+					pruneExpired(cuidToCorr, now, ttlMs);
+					const corr = envelope[ENVELOPE$1.corr];
+					const time = envelope[ENVELOPE$1.time];
+					const wireIdentity = envelope[ENVELOPE$1.originClient];
+					let cuid;
+					let originClient;
+					if (payloadType === "request") {
+						cuid = (0, nanoid.nanoid)();
+						cuidToCorr.set(cuid, {
+							value: corr,
+							time: now
+						});
+						if (isKnownIdentity(wireIdentity)) peerIdentity = wireIdentity;
+						originClient = peerIdentity ?? unknownIdentity;
+					} else {
+						cuid = corrToCuid.get(corr)?.value ?? (0, nanoid.nanoid)();
+						if (payloadType === "result") corrToCuid.delete(corr);
+						originClient = selfIdentity ?? unknownIdentity;
+					}
+					return assembleWireJson(routeMeta, payloadType, time, {
+						cuid,
+						timeCreated: time,
+						routing: [],
+						originClient
+					}, envelope[ENVELOPE$1.payload]);
+				} catch (e) {
+					console.error("[binary-wire] Failed to unpack binary action session frame", e);
+					return;
+				}
 			}
-		}
+		};
 	};
 }
 //#endregion
-//#region src/ActionRuntime/Transport/Transport.ts
+//#region src/ActionRuntime/Channel/secureChannel.ts
 /**
-* Reusable transport definition. Devs construct these (`secureTransport({ carrier: wsCarrier(url) })`,
-* `plainTransport({ carrier: httpCarrier(...) })`, …) and pass them to a
-* `ConnectorHandler`. A single
-* definition can be shared across multiple handlers — each handler builds its own live
-* {@link TransportConnection} via {@link TransportConnection._createConnection}.
+* Derive a stable wire-dictionary version from the ordered route list (FNV-1a over `domain:id,…`), so
+* the version moves automatically whenever the transported domains change — a stale peer is then
+* rejected by the handshake instead of silently misrouting a positionally-packed frame.
 */
-var Transport = class {};
-//#endregion
-//#region src/ActionRuntime/Transport/SecureSession/establishExchangeSession.ts
-const textEncoder = new TextEncoder();
-const textDecoder = new TextDecoder();
-/** Plain path (no handshake/token): every action rides a bare `act` envelope, plaintext both ways. */
-function finalizePlainExchangeMethods(ctx) {
-	return buildExchangeMethods(ctx, {});
-}
-/** Secure path: run the handshake (two exchanges) once at bring-up, then reuse the token + crypto. */
-async function finalizeSecureExchangeMethods(ctx) {
-	return buildExchangeMethods(ctx, await runConnectorExchangeHandshake(ctx.carrier, ctx.secure));
+function deriveDictionaryVersion(domains) {
+	const { intToRoute } = buildActionRouteDictionary(domains);
+	const signature = intToRoute.map((route) => `${route.domain}:${route.id}`).join(",");
+	let hash = 2166136261;
+	for (let i = 0; i < signature.length; i++) {
+		hash ^= signature.charCodeAt(i);
+		hash = Math.imul(hash, 16777619);
+	}
+	return `auto:${(hash >>> 0).toString(16).padStart(8, "0")}`;
 }
-function buildExchangeMethods(ctx, state) {
-	const sendActionData = (inputs) => {
-		runExchange(ctx.carrier, state, inputs).catch((err) => inputs.runningAction._abort(err));
-	};
+/**
+* Bundle a secure channel's shared identity from its transported domains. Both ends MUST call this
+* with the same domains in the same order (the binary wire dictionary is positional). The
+* `dictionaryVersion` is derived from those domains unless you pin an explicit one.
+*
+* Declare the domains *by role* — `toAcceptor` (connector→acceptor requests) and `toConnector`
+* (acceptor→connector pushes) — so the routing for both ends is derived from the channel (see
+* {@link connectChannel} and `acceptChannelConnections`) instead of being restated at each end. The
+* wire dictionary spans `[...toAcceptor, ...toConnector]` in that order; add new domains to the end of
+* their list to keep older peers compatible. (`domains` is still accepted as a legacy alias for
+* `toAcceptor`.)
+*/
+function defineSecureChannel(options) {
+	const base = defineChannel({
+		toAcceptor: options.toAcceptor,
+		toConnector: options.toConnector
+	});
+	const allDomains = [...base.toAcceptorDomains, ...base.toConnectorDomains];
 	return {
-		sendActionData,
-		updateRunConfig: ctx.updateRunConfig
+		...base,
+		dictionaryVersion: options.dictionaryVersion ?? deriveDictionaryVersion(allDomains),
+		createCodec: createBinaryWireSessionFactory(allDomains, options.sessionOptions)
 	};
 }
-async function runExchange(carrier, state, inputs) {
-	const { action, runningAction, timeout } = inputs;
-	const ac = new AbortController();
-	let timedOut = false;
-	const timeoutId = setTimeout(() => {
-		timedOut = true;
-		ac.abort();
-	}, timeout);
-	const unsubscribe = runningAction.addUpdateListeners([(update) => {
-		if (update.type === "finished") {
-			clearTimeout(timeoutId);
-			ac.abort();
-		}
-	}]);
-	try {
-		const request = await buildRequestEnvelope(state, action);
-		const replyRaw = await carrier.exchange(encodeExchange(request), { signal: ac.signal });
-		if (action.type !== "request") return;
-		const reply = decodeExchangeReply(asString(replyRaw));
-		if (reply == null) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
-		if (reply.k === "err") throw err_nice_transport.fromId("send_failed", {
-			actionState: action.type,
-			actionId: action.id,
-			message: reply.message
-		});
-		const wire = await extractReplyWire(state, reply);
-		if (wire == null || !isActionPayload_Result_JsonObject(wire)) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
-		runningAction._completeWithResult(action._domain.hydrateResultPayload(wire));
-	} catch (err) {
-		if (timedOut) throw err_nice_transport.fromId("timeout", { timeout });
-		throw err;
-	} finally {
-		clearTimeout(timeoutId);
-		unsubscribe();
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.ts
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+/**
+* Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
+* {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
+* acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
+* requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
+* POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
+* and returns the (encrypted) result inline as the reply.
+*
+* Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
+* Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
+* same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
+*/
+var ExchangeAcceptor = class {
+	_security;
+	_runtime;
+	_allowedLevels;
+	_noneAllowed;
+	_pendingHandshakes = /* @__PURE__ */ new Map();
+	_sessions = /* @__PURE__ */ new Map();
+	constructor(config) {
+		this._security = config.security;
+		this._runtime = config.runtime;
+		this._allowedLevels = Array.isArray(config.security.securityLevel) ? config.security.securityLevel : [config.security.securityLevel];
+		this._noneAllowed = this._allowedLevels.includes("none");
 	}
-}
-async function buildRequestEnvelope(state, action) {
-	const wire = action.toJsonObject();
-	if (state.crypto != null) {
-		const ciphertext = await state.crypto.encryptFrame(textEncoder.encode(JSON.stringify(wire)));
+	/** Process one POST body (an exchange envelope), returning the reply body to send back. */
+	async handlePost(body) {
+		const request = decodeExchangeRequest(body);
+		if (request == null) return this._err("malformed exchange request");
+		if (request.k === "hs") return encodeExchange(await this._handleHandshake(request));
+		return encodeExchange(await this._handleAction(request));
+	}
+	async _handleHandshake(request) {
+		const message = decodeHandshakeMessage(request.m);
+		if (message == null) return {
+			k: "err",
+			message: "malformed handshake message"
+		};
+		const security = this._security;
+		await security.link.initialize();
+		let handshake = this._pendingHandshakes.get(request.hsid);
+		if (handshake == null) {
+			handshake = createServerHandshake({
+				link: security.link,
+				localCoordinate: security.localCoordinate,
+				dictionaryVersion: security.dictionaryVersion,
+				securityLevel: security.securityLevel,
+				verifyKeyResolver: security.verifyKeyResolver
+			});
+			this._pendingHandshakes.set(request.hsid, handshake);
+		}
+		if (message.t === "hello") return {
+			k: "hs",
+			m: encodeHandshakeMessage(await handshake.onHello(message))
+		};
+		if (message.t === "prove") {
+			const reply = await handshake.onProve(message);
+			this._pendingHandshakes.delete(request.hsid);
+			const result = handshake.getResult();
+			if (reply.t === "accept" && result != null) {
+				const token = (0, nanoid.nanoid)();
+				this._sessions.set(token, {
+					client: new RuntimeCoordinate(result.remote),
+					securityLevel: result.securityLevel,
+					crypto: result.securityLevel === "encrypted" ? createActionFrameCrypto({
+						link: security.link,
+						linkedClientId: result.linkedClientId
+					}) : void 0
+				});
+				return {
+					k: "hs",
+					m: encodeHandshakeMessage(reply),
+					t: token
+				};
+			}
+			return {
+				k: "hs",
+				m: encodeHandshakeMessage(reply)
+			};
+		}
 		return {
+			k: "err",
+			message: `unexpected handshake message ${message.t}`
+		};
+	}
+	async _handleAction(request) {
+		let session;
+		let candidate;
+		if (request.t != null) {
+			session = this._sessions.get(request.t);
+			if (session == null) return {
+				k: "err",
+				message: "unknown or expired session token"
+			};
+			if ("c" in request) {
+				if (session.crypto == null) return {
+					k: "err",
+					message: "session is not encrypted"
+				};
+				const plain = await session.crypto.decryptFrame(base64ToBytes(request.c));
+				candidate = JSON.parse(textDecoder.decode(plain));
+			} else candidate = request.w;
+		} else {
+			if (!this._noneAllowed || "c" in request) return {
+				k: "err",
+				message: "missing session token"
+			};
+			candidate = request.w;
+		}
+		if (!isActionPayload_Any_JsonObject(candidate)) return {
+			k: "err",
+			message: "malformed action wire"
+		};
+		const wire = candidate;
+		if (session != null && wire.type === "request") wire.context.originClient = session.client.toJsonObject();
+		const resultWire = (await (await this._runtime.handleActionPayloadWire(wire)).waitForResultPayload()).toJsonObject();
+		if (session?.crypto != null) return {
 			k: "act",
-			t: state.token,
-			c: bytesToBase64(ciphertext)
+			c: bytesToBase64(await session.crypto.encryptFrame(textEncoder.encode(JSON.stringify(resultWire))))
+		};
+		return {
+			k: "act",
+			w: resultWire
 		};
 	}
-	return {
-		k: "act",
-		t: state.token,
-		w: wire
-	};
-}
-async function extractReplyWire(state, reply) {
-	if (reply.k !== "act") return void 0;
-	if ("c" in reply) {
-		if (state.crypto == null) return void 0;
-		const plain = await state.crypto.decryptFrame(base64ToBytes(reply.c));
-		return JSON.parse(textDecoder.decode(plain));
+	_err(message) {
+		return encodeExchange({
+			k: "err",
+			message
+		});
 	}
-	return reply.w;
-}
-async function runConnectorExchangeHandshake(carrier, secure) {
-	await secure.link.initialize();
-	const handshake = createClientHandshake({
-		link: secure.link,
-		localCoordinate: secure.localCoordinate,
-		dictionaryVersion: secure.dictionaryVersion,
-		securityLevel: secure.securityLevel
-	});
-	const hsid = (0, nanoid.nanoid)();
-	const hello = await handshake.createHello();
-	const welcomeReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
-		k: "hs",
-		hsid,
-		m: encodeHandshakeMessage(hello)
-	}))));
-	if (welcomeReply?.k !== "hs") throw new Error("[exchange-handshake] expected a welcome reply");
-	const welcome = decodeHandshakeMessage(welcomeReply.m);
-	if (welcome == null) throw new Error("[exchange-handshake] malformed welcome");
-	if (welcome.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${welcome.reason}`);
-	if (welcome.t !== "welcome") throw new Error(`[exchange-handshake] expected welcome, got ${welcome.t}`);
-	const prove = await handshake.onWelcome(welcome);
-	const acceptReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
-		k: "hs",
-		hsid,
-		m: encodeHandshakeMessage(prove)
-	}))));
-	if (acceptReply?.k !== "hs") throw new Error("[exchange-handshake] expected an accept reply");
-	const accept = decodeHandshakeMessage(acceptReply.m);
-	if (accept == null) throw new Error("[exchange-handshake] malformed accept");
-	if (accept.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${accept.reason}`);
-	if (accept.t !== "accept") throw new Error(`[exchange-handshake] expected accept, got ${accept.t}`);
-	if (acceptReply.t == null) throw new Error("[exchange-handshake] accept missing session token");
-	const result = await handshake.onAccept(accept);
-	const crypto = result.securityLevel === "encrypted" ? createActionFrameCrypto({
-		link: secure.link,
-		linkedClientId: result.linkedClientId
-	}) : void 0;
-	return {
-		token: acceptReply.t,
-		crypto
-	};
-}
-function asString(frame) {
-	if (typeof frame === "string") return frame;
-	return textDecoder.decode(frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame);
-}
+};
 //#endregion
-//#region src/ActionRuntime/Transport/helpers/addTransportStatusMetadata.ts
-function addTransportStatusMetadata(transportStatus) {
-	if (transportStatus.status === "ready") return {
-		status: "ready",
-		readyData: transportStatus.readyData
-	};
-	if (transportStatus.status === "initializing") return {
-		status: "initializing",
-		initializationPromise: transportStatus.initializationPromise,
-		timeStarted: Date.now()
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.ts
+/** Permissive defaults — fine for a public action endpoint; override (or disable) via `cors`. */
+const DEFAULT_CORS_HEADERS = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400"
+};
+/**
+* Build the `fetch` handler a server/Durable-Object exposes for action traffic, folding in the
+* boilerplate every endpoint repeats: CORS (incl. the `OPTIONS` preflight), routing the `/action`
+* `POST` body through the runtime (`handleActionPayloadWire` → `waitForResultPayload` →
+* `toHttpResponse`), an optional WebSocket-upgrade hook, and a `404` fallback.
+*
+* It only touches web-standard `Request`/`Response`, so it stays transport-agnostic — the one
+* environment-specific bit (the WS upgrade) is injected via {@link IActionFetchHandlerOptions.onWebSocketUpgrade}:
+* ```ts
+* this.fetchHandler = createActionFetchHandler(this.runtime, {
+*   onWebSocketUpgrade: () => {
+*     const pair = new WebSocketPair();
+*     this.ctx.acceptWebSocket(pair[1]);
+*     return new Response(null, { status: 101, webSocket: pair[0] });
+*   },
+* });
+* // async fetch(request) { return this.fetchHandler(request); }
+* ```
+*/
+function createActionFetchHandler(runtime, options = {}) {
+	const corsHeaders = options.cors === false ? {} : options.cors ?? DEFAULT_CORS_HEADERS;
+	const isActionPath = options.isActionPath ?? ((url) => url.pathname.endsWith("/action"));
+	const isWebSocketPath = options.isWebSocketPath ?? ((url) => url.pathname.endsWith("/ws"));
+	const exchangeAcceptor = options.security != null ? new ExchangeAcceptor({
+		runtime,
+		security: options.security
+	}) : void 0;
+	const withCors = (response) => {
+		if (options.cors === false) return response;
+		const headers = new Headers(response.headers);
+		for (const [key, value] of Object.entries(corsHeaders)) headers.set(key, value);
+		return new Response(response.body, {
+			status: response.status,
+			headers
+		});
 	};
-	if (transportStatus.status === "failed") return {
-		status: "failed",
-		error: transportStatus.error,
-		timeFailed: Date.now()
+	return async (request) => {
+		if (request.method === "OPTIONS") return withCors(new Response(null, { status: 204 }));
+		const url = new URL(request.url);
+		const isWebSocketUpgrade = options.isWebSocketUpgrade ?? ((req, u) => req.headers.get("Upgrade") === "websocket" && isWebSocketPath(u));
+		if (options.onWebSocketUpgrade != null && isWebSocketUpgrade(request, url)) return options.onWebSocketUpgrade(request, url);
+		if (request.method === "POST" && isActionPath(url)) {
+			if (exchangeAcceptor != null) {
+				const reply = await exchangeAcceptor.handlePost(await request.text());
+				return withCors(new Response(reply, {
+					status: 200,
+					headers: { "Content-Type": "application/json" }
+				}));
+			}
+			return withCors((await (await runtime.handleActionPayloadWire(await request.json())).waitForResultPayload()).toHttpResponse({ useErrorStatus: options.useErrorStatus }));
+		}
+		return withCors(new Response("Not found", { status: 404 }));
 	};
-	if (transportStatus.status === "unsupported") return { status: "unsupported" };
-	return { status: "uninitialized" };
 }
 //#endregion
-//#region src/ActionRuntime/Transport/TransportConnection.ts
-let transportOrd = 0;
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/ConnectionStateStore.ts
 /**
-* Live, per-handler transport runtime built from a reusable {@link Transport} definition. Holds the
-* connection-scoped state (ordinal, initialized config, sockets / abort sets) that must not be shared
-* across handlers. Construct these via `definition._createConnection(...)`, never directly.
-*/
-var TransportConnection = class {
-	def;
-	transOrd = transportOrd++;
-	type;
-	initialized;
-	/** Backref to the public definition that created this connection (used for devtools route info). */
-	definition;
-	constructor(def) {
-		this.def = def;
-		this.type = def.type;
-		this.initialized = def.initialize();
-	}
-	/**
-	* Devtools route info for an action routed through this live connection. Defaults to the stateless
-	* {@link definition}'s info; connections override to enrich it from live state (e.g. the actual
-	* resolved socket URL) when the definition couldn't resolve it on its own.
-	*/
-	getRouteInfo(input) {
-		return this.definition?.getRouteInfo(input);
-	}
-	/**
-	* Whether a `ready`-status transport still needs asynchronous bring-up before its methods exist —
-	* awaiting the carrier to open and/or running a handshake. Default `false`: a stateless transport
-	* (HTTP) is usable the instant `getTransport` reports `ready`, so it stays a terminal *synchronous*
-	* fallback in {@link ConnectionTransportManager}. Stream carriers (Link/WS) override to `true`.
-	*/
-	_needsAsyncBringUp(_readyData) {
-		return false;
+* A typed per-connection state store that co-owns the app state and the acceptor handler's routing
+* binding in one attachment, so neither the consumer nor the handler has to hand-merge the two. Create
+* it through {@link createConnectionStateStore} (which also wires binding persistence and replays
+* surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
+*
+* The mechanism is carrier-neutral — it only needs read/write/enumerate callbacks for the connection's
+* attachment — but it pays off on transports whose connections outlive process eviction (e.g. a
+* Durable Object's hibernatable WebSockets), which is why it lives beside the hibernation adapter.
+*
+* ```ts
+* const players = createConnectionStateStore(serverHandler, {
+*   schema: vs_player,
+*   read: (ws) => ws.deserializeAttachment(),
+*   write: (ws, v) => ws.serializeAttachment(v),
+*   getConnections: () => ctx.getWebSockets(),
+* });
+* players.set(ws, player); // binding is preserved automatically
+* const player = players.get(ws);
+* ```
+*/
+var ConnectionStateStore = class {
+	options;
+	constructor(options) {
+		this.options = options;
 	}
-	/** Await the carrier becoming ready to send (e.g. a socket `open`). Default: nothing to await. */
-	_awaitCarrierReady(_readyData) {
-		return Promise.resolve();
+	/** The validated app state for a connection, or `null` if unset / invalid. */
+	get(connection) {
+		return this._readAttachment(connection).app ?? null;
 	}
-	/**
-	* Finalize during async bring-up — may run a handshake, so it can be async. Defaults to the
-	* synchronous {@link _finalizeTransportMethods}; secure stream carriers override to branch plain/secure.
-	*/
-	_finalizeReady(readyData) {
-		return this._finalizeTransportMethods(readyData);
+	/** Set the app state, preserving the runtime binding already pinned to the connection. */
+	set(connection, app) {
+		const existing = this._readAttachment(connection);
+		this.options.write(connection, {
+			app,
+			binding: existing.binding
+		});
 	}
-	_getCacheKey(input) {
-		const parts = this.initialized.getTransportCacheKey?.(input);
-		if (parts == null) return null;
-		return parts.join("\0");
+	/** Clear the app state but keep the binding (e.g. a spectator that stopped watching). */
+	clearApp(connection) {
+		const existing = this._readAttachment(connection);
+		this.options.write(connection, { binding: existing.binding });
 	}
-	getCacheKey(input) {
-		const inner = this._getCacheKey(input);
-		if (inner == null) return null;
-		return `${this.transOrd}:${inner}`;
+	/** Every live connection paired with its (validated) app state — for rebuilding in-memory state after a wake. */
+	entries() {
+		return this.options.getConnections().map((connection) => [connection, this._readAttachment(connection).app ?? null]);
 	}
-	/**
-	* Whether this transport can serve the given action right now. Consulted by the manager before
-	* cache-key resolution and `getTransport`; a `false` result skips this transport (treated as
-	* `unsupported`) and the manager falls through to the next in preference order. Defaults to `true`
-	* when the transport declares no gate.
-	*/
-	isAvailable(input) {
-		return this.initialized.isAvailable?.(input) ?? true;
+	/** @internal Persist a freshly-bound connection's binding, preserving any app state already stored. */
+	_persistBinding(connection, binding) {
+		const existing = this._readAttachment(connection);
+		this.options.write(connection, {
+			app: existing.app,
+			binding
+		});
 	}
-	getTransport(input) {
-		return this._processTransportStatus(input);
+	/** @internal The persisted binding for a connection, if any (used to replay routing after a wake). */
+	_readBinding(connection) {
+		return this._readAttachment(connection).binding;
 	}
-	_processTransportStatus(input) {
-		const statusInfo = addTransportStatusMetadata(this.initialized.getTransport(input));
-		if (statusInfo.status === "ready") {
-			if (!this._needsAsyncBringUp(statusInfo.readyData)) return {
-				status: "ready",
-				readyData: this._finalizeTransportMethods(statusInfo.readyData)
-			};
-			return {
-				status: "initializing",
-				timeStarted: Date.now(),
-				initializationPromise: this._bringUp(statusInfo.readyData)
-			};
-		}
-		if (statusInfo.status === "initializing") {
-			const initializationPromise = statusInfo.initializationPromise.then((result) => result.status === "ready" ? this._bringUp(result.readyData) : result);
-			return {
-				status: "initializing",
-				timeStarted: statusInfo.timeStarted,
-				initializationPromise
-			};
+	_readAttachment(connection) {
+		try {
+			const raw = this.options.read(connection);
+			if (typeof raw !== "object" || raw === null) return {};
+			const attachment = raw;
+			const result = {};
+			if (attachment.binding != null) result.binding = attachment.binding;
+			if (attachment.app !== void 0) {
+				const app = this._validateApp(attachment.app);
+				if (app !== void 0) result.app = app;
+			}
+			return result;
+		} catch {
+			return {};
 		}
-		return statusInfo;
 	}
-	/** Await carrier readiness, then finalize (possibly running a handshake) into the live methods. */
-	async _bringUp(readyData) {
-		await this._awaitCarrierReady(readyData);
-		return {
-			status: "ready",
-			readyData: await this._finalizeReady(readyData)
-		};
+	_validateApp(value) {
+		const schema = this.options.schema;
+		if (schema == null) return value;
+		const result = schema["~standard"].validate(value);
+		if (result instanceof Promise) return void 0;
+		if (result.issues != null) return void 0;
+		return result.value;
 	}
 };
-//#endregion
-//#region src/ActionRuntime/Transport/Exchange/ExchangeConnection.ts
 /**
-* Carrier-agnostic live connection for the exchange (request → single reply) shape — the HTTP
-* counterpart to {@link LinkConnection}. It owns only the bring-up (run the secure handshake on first
-* use); the request/reply lifecycle + crypto live in the shared `establishExchangeSession`.
+* Build a per-connection {@link ConnectionStateStore} bound to an {@link AcceptorHandler}: it registers
+* itself as the handler's connection-bound persistence callback (so bindings are written without
+* overwriting app state) and immediately replays every live connection's stored binding via
+* {@link AcceptorHandler.rehydrateConnection} — so on a transport that resumes after eviction (e.g. a
+* Durable Object waking from hibernation) both the app identity and the action routing come back from a
+* single attachment, with no storage reads and no hand-rolled merge.
+*
+* Lives outside the handler so the generic {@link AcceptorHandler} stays free of any attachment/
+* hibernation concern — it exposes only the neutral `setOnConnectionBound` + `rehydrateConnection`
+* hooks this builder drives.
 */
-var ExchangeConnection = class extends TransportConnection {
-	constructor(def) {
-		super({
-			...def,
-			type: "exchange"
-		});
-	}
-	_getCacheKey(input) {
-		return this.initialized.getTransportCacheKey?.(input).join("\0") ?? "";
-	}
-	_needsAsyncBringUp(data) {
-		return data.secureChannel != null && data.secureChannel.securityLevel !== "none";
-	}
-	_finalizeReady(data) {
-		const secure = data.secureChannel;
-		if (secure != null && secure.securityLevel !== "none") return finalizeSecureExchangeMethods({
-			...this._sessionContext(data),
-			secure
-		});
-		return this._finalizeTransportMethods(data);
-	}
-	_finalizeTransportMethods(data) {
-		return finalizePlainExchangeMethods(this._sessionContext(data));
-	}
-	_sessionContext(data) {
-		return {
-			carrier: data.carrier,
-			updateRunConfig: data.updateRunConfig,
-			secure: data.secureChannel
-		};
+function createConnectionStateStore(handler, options) {
+	const store = new ConnectionStateStore(options);
+	handler.setOnConnectionBound((connection, binding) => store._persistBinding(connection, binding));
+	for (const connection of options.getConnections()) {
+		const binding = store._readBinding(connection);
+		if (binding != null) handler.rehydrateConnection(connection, binding);
 	}
-};
+	return store;
+}
 //#endregion
-//#region src/ActionRuntime/Transport/Exchange/ExchangeTransport.ts
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/createHibernatableWsServerAdapter.ts
 /**
-* A carrier-agnostic exchange (request → single reply) transport: it drives nice-action's secure session
-* over any {@link IExchangeCarrier} (HTTP being the one built-in). The duplex counterpart is
-* {@link LinkTransport}; this is the no-push half — its reply rides the response to its own request, so it
-* can't deliver an unsolicited frame (the runtime never picks it for the return path).
+* Wire the hibernation lifecycle for an acceptor handler on a transport whose connections outlive process
+* eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
+* registers `setAttachment` as the handler's connection-bound callback and immediately replays every
+* live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
+*
+* Layered on top of the generic {@link AcceptorHandler} — it touches only the handler's neutral
+* `setOnConnectionBound` / `rehydrateConnection` / `receive` / `dropConnection` surface, so no
+* hibernation concern leaks into the handler itself.
+*
+* Construct it once when the handler is built, then forward connection events:
+* ```ts
+* const duplex = createHibernatableWsServerAdapter({ handler, getConnections, getAttachment, setAttachment });
+* // webSocketMessage(ws, msg) => duplex.receive(ws, msg);
+* // webSocketClose/Error(ws)  => duplex.drop(ws);
+* ```
 */
-var ExchangeTransport = class ExchangeTransport extends Transport {
-	options;
-	type = "exchange";
-	constructor(options) {
-		super();
-		this.options = options;
+function createHibernatableWsServerAdapter(options) {
+	const { handler, getConnections, getAttachment, setAttachment } = options;
+	handler.setOnConnectionBound(setAttachment);
+	for (const connection of getConnections()) {
+		const binding = getAttachment(connection);
+		if (binding != null) handler.rehydrateConnection(connection, binding);
 	}
-	static create(options) {
-		return new ExchangeTransport(options);
+	return {
+		receive: (connection, frame) => handler.receive(connection, frame),
+		drop: (connection) => handler.dropConnection(connection)
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Channel/serveChannel.ts
+/** Default accepted set, shared by every carrier: negotiate per connection to whatever the client picks. */
+const DEFAULT_SERVER_SECURITY_LEVELS = [
+	"none",
+	"authenticated",
+	"encrypted"
+];
+function serveChannel(runtime, channel, options) {
+	const duplexCarriers = options.carriers.filter((carrier) => !require_wsAcceptorCarrier.isExchangeAcceptorCarrier(carrier));
+	const exchangeCarriers = options.carriers.filter(require_wsAcceptorCarrier.isExchangeAcceptorCarrier);
+	if (exchangeCarriers.length > 1) throw new Error("serveChannel: at most one exchange carrier is supported");
+	const exchangeCarrier = exchangeCarriers[0];
+	const singleDuplex = duplexCarriers.length === 1;
+	if (options.connectionState != null && !singleDuplex) throw new Error("serveChannel: `connectionState` requires exactly one duplex carrier");
+	if (options.channelCases != null && !singleDuplex) throw new Error("serveChannel: `channelCases` requires exactly one duplex carrier");
+	const exchangeSecure = exchangeCarrier != null && (exchangeCarrier.secure ?? true);
+	const anyDuplexSecure = duplexCarriers.some((carrier) => carrier.secure ?? true);
+	const securityLevel = options.securityLevel ?? DEFAULT_SERVER_SECURITY_LEVELS;
+	let secure;
+	if (anyDuplexSecure || exchangeSecure) {
+		const storage = options.storage;
+		if (storage == null) throw new Error("serveChannel: a secure carrier requires `storage`. Pass it, or set `secure: false` on the carrier for a plain endpoint.");
+		secure = {
+			storage,
+			link: options.link ?? new _nice_code_util.ClientCryptoKeyLink({ storageAdapter: storage }),
+			verifyKeyResolver: options.verifyKeyResolver ?? createStorageTofuVerifyKeyResolver(storage)
+		};
 	}
-	_createConnection(_ctx) {
-		const options = this.options;
-		return new ExchangeConnection({ initialize: () => ({
-			getTransportCacheKey: options.getTransportCacheKey,
-			isAvailable: options.available,
-			getTransport: (input) => ({
-				status: "ready",
-				readyData: {
-					carrier: options.openCarrier(input),
-					secureChannel: options.security,
-					updateRunConfig: options.updateRunConfig
-				}
+	const plainRouter = (handler) => ({
+		receive: (connection, frame) => handler.receive(connection, frame),
+		drop: (connection) => handler.dropConnection(connection)
+	});
+	const asObject = (value) => typeof value === "object" && value != null ? value : {};
+	const handlers = [];
+	let connections;
+	for (const carrier of duplexCarriers) {
+		const handler = (carrier.secure ?? true) && secure != null ? acceptChannel(runtime, channel, {
+			clientEnv: options.clientEnv,
+			storageAdapter: secure.storage,
+			link: secure.link,
+			verifyKeyResolver: secure.verifyKeyResolver,
+			securityLevel,
+			send: carrier.send,
+			defaultTimeout: options.defaultTimeout
+		}) : createAcceptorHandler({
+			clientEnv: options.clientEnv,
+			createFormatMessage: channel.createCodec,
+			send: carrier.send,
+			runtime,
+			defaultTimeout: options.defaultTimeout
+		});
+		const attach = carrier.attachmentStore;
+		let router;
+		if (attach == null) router = plainRouter(handler);
+		else if (options.connectionState != null) {
+			connections = createConnectionStateStore(handler, {
+				schema: options.connectionState.schema,
+				getConnections: attach.getConnections,
+				read: attach.read,
+				write: attach.write
+			});
+			router = plainRouter(handler);
+		} else router = createHibernatableWsServerAdapter({
+			handler,
+			getConnections: attach.getConnections,
+			getAttachment: (connection) => attach.read(connection)?.binding,
+			setAttachment: (connection, binding) => attach.write(connection, {
+				...asObject(attach.read(connection)),
+				binding
 			})
-		}) });
+		});
+		carrier._activate(router);
+		handlers.push(handler);
 	}
-	getRouteInfo(input) {
-		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
-		return {
-			carrierLabel: this.options.label ?? "exchange",
-			summary: this.options.label ?? "exchange"
-		};
+	runtime.addHandlers([...options.handlers ?? [], ...handlers]);
+	if (options.channelCases != null) runtime.addHandlers([acceptChannelConnections(handlers[0], channel, options.channelCases)]);
+	const exchangeSecurity = exchangeSecure && secure != null ? {
+		link: secure.link,
+		verifyKeyResolver: secure.verifyKeyResolver,
+		localCoordinate: runtime.coordinate.toJsonObject(),
+		dictionaryVersion: channel.dictionaryVersion,
+		securityLevel
+	} : void 0;
+	const defaultIsUpgrade = (request) => request.headers.get("Upgrade") === "websocket";
+	const upgraders = [];
+	for (const carrier of duplexCarriers) {
+		if (carrier.upgrade == null) continue;
+		upgraders.push({
+			isUpgrade: carrier.isUpgrade ?? defaultIsUpgrade,
+			upgrade: carrier.upgrade
+		});
 	}
-};
-//#endregion
-//#region src/ActionRuntime/Transport/helpers/createUnsetTransportResolvers.ts
-const createUnsetTransportResolvers = (transportLabel) => ({ onIncomingActionDataJson: (json) => {
-	console.warn(`Received incoming action JSON [${json.domain}:${json.id}] on Transport [${transportLabel}] but no incoming data listener has been set.`);
-} });
-//#endregion
-//#region src/ActionRuntime/Transport/SecureSession/establishLinkSession.ts
-const HANDSHAKE_TIMEOUT_MS = 15e3;
-/** Plain path (no handshake): route every inbound frame to the runtime; send without crypto. */
-function finalizePlainLinkMethods(ctx) {
-	const disconnectListeners = [];
-	const abortSet = /* @__PURE__ */ new Set();
-	const pipe = makePipe(ctx, void 0);
-	ctx.channel.attach({
-		onMessage: (frame) => void handleIncomingActionFrame(ctx, pipe, frame),
-		onClose: () => onChannelClosed(ctx, disconnectListeners, abortSet),
-		onError: () => onChannelClosed(ctx, disconnectListeners, abortSet)
+	const fetch = createActionFetchHandler(runtime, {
+		cors: exchangeCarrier?.cors,
+		onWebSocketUpgrade: upgraders.length === 0 ? void 0 : (request, url) => (upgraders.find((u) => u.isUpgrade(request, url)) ?? upgraders[0]).upgrade(request, url),
+		isWebSocketUpgrade: upgraders.length === 0 ? void 0 : (request, url) => upgraders.some((u) => u.isUpgrade(request, url)),
+		isActionPath: exchangeCarrier != null ? exchangeCarrier.isActionPath ?? (() => true) : () => false,
+		security: exchangeSecurity,
+		useErrorStatus: exchangeCarrier?.useErrorStatus
 	});
-	return buildSendMethods(ctx, pipe, disconnectListeners, abortSet);
+	const duplex = duplexCarriers.length === 1 ? duplexCarriers[0] : void 0;
+	const pushToClient = (target, request, pushOptions) => {
+		const owner = target instanceof RuntimeCoordinate ? handlers.find((handler) => handler.ownsLiveConnectionFor(target)) : handlers.find((handler) => handler.hasConnection(target));
+		if (owner == null) throw new Error("serveChannel: no duplex carrier holds a connection for the push target");
+		return owner.pushToClient(runtime, target, request, pushOptions);
+	};
+	const broadcast = (makeRequest, broadcastOptions) => {
+		if (!singleDuplex) throw new Error("serveChannel: broadcast requires exactly one duplex carrier — broadcast over a specific handlers[i] instead");
+		handlers[0].broadcast(makeRequest, {
+			runtime,
+			...broadcastOptions
+		});
+	};
+	return {
+		handlers,
+		fetch,
+		duplex,
+		pushToClient,
+		broadcast,
+		connections
+	};
 }
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/createInMemoryChannel.ts
 /**
-* Secure path: a single message handler feeds the handshake until it completes, then routes action
-* frames (decrypting at the `encrypted` level). Frames that race ahead of activation are buffered and
-* flushed once the handshake lands, so nothing is lost.
+* Two cross-wired in-process byte channels — a loopback carrier with no socket. The client end is a
+* {@link IDuplexCarrier} you hand to a {@link LinkTransport}; the server end plugs into an
+* `AcceptorHandler` (`send: (_, f) => serverEndpoint.send(f)`, and `serverEndpoint.onMessage(f =>
+* handler.receive(conn, f))`). Frames are delivered on a microtask, so each side observes the other
+* asynchronously — exactly like a real transport — which makes this ideal for tests and for running
+* two runtimes in one process (or proving a non-WS carrier end to end).
 */
-async function finalizeSecureLinkMethods(ctx) {
-	const disconnectListeners = [];
-	const abortSet = /* @__PURE__ */ new Set();
-	const session = {};
-	let active = false;
-	const handshakeQueue = [];
-	const handshakeWaiters = [];
-	const pendingActionFrames = [];
-	ctx.channel.attach({
-		onMessage: (frame) => {
-			if (active && session.pipe != null) {
-				handleIncomingActionFrame(ctx, session.pipe, frame);
-				return;
-			}
-			if (typeof frame === "string") {
-				const message = decodeHandshakeMessage(frame);
-				if (message != null) {
-					const waiter = handshakeWaiters.shift();
-					if (waiter != null) waiter(message);
-					else handshakeQueue.push(message);
-					return;
-				}
-			}
-			pendingActionFrames.push(frame);
-		},
-		onClose: () => onChannelClosed(ctx, disconnectListeners, abortSet),
-		onError: () => onChannelClosed(ctx, disconnectListeners, abortSet)
-	});
-	const nextHandshakeMessage = () => {
-		const queued = handshakeQueue.shift();
-		if (queued != null) return Promise.resolve(queued);
-		return new Promise((resolve, reject) => {
-			const timeout = setTimeout(() => reject(/* @__PURE__ */ new Error("[link-handshake] timed out waiting for peer reply")), HANDSHAKE_TIMEOUT_MS);
-			handshakeWaiters.push((message) => {
-				clearTimeout(timeout);
-				resolve(message);
-			});
+function createInMemoryChannelPair() {
+	let clientMessage;
+	let clientClose;
+	let serverMessage;
+	let serverClose;
+	let open = true;
+	const closeBoth = () => {
+		if (!open) return;
+		open = false;
+		queueMicrotask(() => {
+			clientClose?.();
+			serverClose?.();
 		});
 	};
-	const pipe = makePipe(ctx, await runClientHandshake(ctx.channel, ctx.secure, nextHandshakeMessage));
-	session.pipe = pipe;
-	active = true;
-	for (const frame of pendingActionFrames) await handleIncomingActionFrame(ctx, pipe, frame);
-	pendingActionFrames.length = 0;
-	return buildSendMethods(ctx, pipe, disconnectListeners, abortSet);
-}
-function makePipe(ctx, crypto) {
-	return createFrameCryptoPipe({
-		write: (frame) => ctx.channel.send(frame),
-		isOpen: () => ctx.channel.isOpen(),
-		crypto
-	});
-}
-async function runClientHandshake(channel, secure, nextHandshakeMessage) {
-	await secure.link.initialize();
-	const handshake = createClientHandshake({
-		link: secure.link,
-		localCoordinate: secure.localCoordinate,
-		dictionaryVersion: secure.dictionaryVersion,
-		securityLevel: secure.securityLevel
-	});
-	channel.send(encodeHandshakeMessage(await handshake.createHello()));
-	const welcome = await nextHandshakeMessage();
-	if (welcome.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${welcome.reason}`);
-	if (welcome.t !== "welcome") throw new Error(`[link-handshake] expected welcome, got ${welcome.t}`);
-	channel.send(encodeHandshakeMessage(await handshake.onWelcome(welcome)));
-	const accept = await nextHandshakeMessage();
-	if (accept.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${accept.reason}`);
-	if (accept.t !== "accept") throw new Error(`[link-handshake] expected accept, got ${accept.t}`);
-	const result = await handshake.onAccept(accept);
-	return result.securityLevel === "encrypted" ? createActionFrameCrypto({
-		link: secure.link,
-		linkedClientId: result.linkedClientId
-	}) : void 0;
-}
-function buildSendMethods(ctx, pipe, disconnectListeners, abortSet) {
-	const channel = ctx.channel;
-	const sendActionData = (inputs) => {
-		const { action, runningAction, timeout } = inputs;
-		if (!channel.isOpen()) {
-			if (action.type === "request") runningAction._abort(ctx.makeDisconnectError(action.id));
-			return;
-		}
-		if (action.type === "request") {
-			abortSet.add(runningAction);
-			const timeoutId = setTimeout(() => {
-				runningAction._abort(err_nice_transport.fromId("timeout", { timeout }));
-			}, timeout);
-			runningAction.addUpdateListeners([(update) => {
-				if (update.type === "finished") {
-					clearTimeout(timeoutId);
-					abortSet.delete(runningAction);
-				}
-			}]);
+	return {
+		clientChannel: {
+			ready: Promise.resolve(),
+			isOpen: () => open,
+			send: (frame) => {
+				if (!open) return;
+				queueMicrotask(() => serverMessage?.(frame));
+			},
+			attach: ({ onMessage, onClose }) => {
+				clientMessage = onMessage;
+				clientClose = onClose;
+			},
+			close: closeBoth,
+			label: "in-memory"
+		},
+		serverEndpoint: {
+			send: (frame) => {
+				if (!open) return;
+				queueMicrotask(() => clientMessage?.(frame));
+			},
+			onMessage: (handler) => {
+				serverMessage = handler;
+			},
+			onClose: (handler) => {
+				serverClose = handler;
+			},
+			close: closeBoth
 		}
-		pipe.send(ctx.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
 	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/inMemoryCarrier.ts
+/**
+* A loopback duplex carrier with no socket — two cross-wired in-process ends. The connector end is an
+* {@link IDuplexCarrierSource} for {@link secureTransport}; the acceptor end plugs into an
+* `AcceptorHandler`. Ideal for tests and for running two runtimes in one process, or proving a
+* non-WS carrier end to end.
+*/
+function inMemoryCarrier() {
+	const { clientChannel, serverEndpoint } = createInMemoryChannelPair();
+	return {
+		carrier: {
+			carrierLabel: "memory",
+			open: () => clientChannel,
+			getCacheKey: () => ["memory"]
+		},
+		serverEndpoint
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/rtc/rtcDataChannelByteChannel.ts
+/**
+* Adapt a WebRTC `RTCDataChannel` to the carrier-agnostic {@link IDuplexCarrier}, so two browsers
+* (or two mobile apps) linked peer-to-peer — no server in the middle — run the *same* secure session as
+* a WebSocket. Hand it to `createSecureLinkTransport({ openChannel: () => rtcDataChannelByteChannel(dc) })`.
+*
+* The data channel must already be created (its negotiation/signaling is the app's concern); this only
+* drives bytes over it. Binary frames are requested as `ArrayBuffer` so the binary session codec unpacks
+* them synchronously; a `Blob` (if the channel hands one back) is normalized to a buffer.
+*/
+function rtcDataChannelByteChannel(dc) {
+	dc.binaryType = "arraybuffer";
+	let intentional = false;
+	let onMessage;
+	let onClose;
+	const preAttach = [];
+	const deliver = (frame) => {
+		if (onMessage != null) onMessage(frame);
+		else preAttach.push(frame);
+	};
+	dc.addEventListener("message", async (event) => {
+		const frame = await normalizeFrame$1(event.data);
+		if (frame !== void 0) deliver(frame);
+	});
+	dc.addEventListener("close", () => {
+		if (!intentional) console.error("RTCDataChannel closed");
+		onClose?.();
+	});
+	dc.addEventListener("error", (event) => {
+		console.error("RTCDataChannel error:", event);
+		onClose?.();
+	});
 	return {
-		sendActionData,
-		updateRunConfig: ctx.updateRunConfig,
-		addOnDisconnectListener: (cb) => {
-			disconnectListeners.push(cb);
+		ready: new Promise((resolve, reject) => {
+			if (dc.readyState === "open") {
+				resolve();
+				return;
+			}
+			dc.addEventListener("open", () => resolve(), { once: true });
+			dc.addEventListener("error", (event) => reject(event), { once: true });
+			dc.addEventListener("close", () => reject(/* @__PURE__ */ new Error("RTCDataChannel closed before open")), { once: true });
+		}),
+		isOpen: () => dc.readyState === "open",
+		send: (frame) => {
+			if (typeof frame === "string" || frame instanceof ArrayBuffer) dc.send(frame);
+			else dc.send(new Uint8Array(frame));
 		},
-		disconnect: () => {
+		attach: (handlers) => {
+			onMessage = handlers.onMessage;
+			onClose = handlers.onClose;
+			for (const frame of preAttach) handlers.onMessage(frame);
+			preAttach.length = 0;
+		},
+		close: () => {
+			intentional = true;
 			try {
-				channel.close();
+				dc.close();
 			} catch {}
 		},
-		sendReturnData: (payload, clients) => {
-			const formatted = clients != null ? ctx.formatMessage?.outgoing({
-				action: payload,
-				...clients
-			}) : void 0;
-			pipe.send(formatted ?? JSON.stringify(payload.toJsonObject()));
+		get label() {
+			return dc.label != null && dc.label !== "" ? dc.label : void 0;
 		}
 	};
 }
-async function handleIncomingActionFrame(ctx, pipe, frame) {
-	const decoded = await pipe.decryptIncoming(frame);
-	if (decoded === void 0) return;
-	const rawJson = decodeActionFrame(decoded, ctx.formatMessage);
-	if (rawJson != null) ctx.resolvers.onIncomingActionDataJson(rawJson);
-}
-function onChannelClosed(ctx, disconnectListeners, abortSet) {
-	for (const cb of disconnectListeners) cb();
-	const error = ctx.makeDisconnectError("—");
-	for (const ra of [...abortSet]) ra._abort(error);
+async function normalizeFrame$1(data) {
+	if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) return data;
+	if (typeof Blob !== "undefined" && data instanceof Blob) return await data.arrayBuffer();
 }
 //#endregion
-//#region src/ActionRuntime/Transport/Link/LinkConnection.ts
-/** Abort error for a closed link channel (carrier-neutral — the carrier itself isn't named). */
-function linkDisconnectError(actionId) {
-	return err_nice_transport.fromId("send_failed", {
-		actionId,
-		actionState: "request",
-		message: "link channel disconnected"
-	});
-}
+//#region src/ActionRuntime/Transport/Carrier/duplex/rtc/rtcCarrier.ts
 /**
-* Carrier-agnostic live connection. It owns only the *bring-up* (open the carrier, then run the secure
-* session); the session itself — handshake, frame crypto, codec, send/receive — lives in the shared
-* {@link finalizeSecureLinkMethods}/{@link finalizePlainLinkMethods}, so a WebSocket, a WebRTC data
-* channel, a Bluetooth characteristic, and an in-memory pipe all run the identical secure layer.
+* A WebRTC {@link IDuplexCarrierSource} over an already-negotiated `RTCDataChannel` (signaling is the
+* app's concern). Hand it to {@link secureTransport} so two browsers/apps linked peer-to-peer run the
+* identical secure session as a WebSocket.
 */
-var LinkConnection = class extends TransportConnection {
-	resolvers;
-	constructor(def, resolvers) {
-		super({
-			...def,
-			type: "duplex"
-		});
-		this.resolvers = resolvers ?? createUnsetTransportResolvers("link");
-	}
-	_getCacheKey(input) {
-		return this.initialized.getTransportCacheKey?.(input).join("\0") ?? "";
-	}
-	_needsAsyncBringUp() {
-		return true;
-	}
-	_awaitCarrierReady(data) {
-		return data.channel.ready;
-	}
-	_finalizeReady(data) {
-		const secure = data.secureChannel;
-		if (secure != null && secure.securityLevel !== "none") return finalizeSecureLinkMethods({
-			...this._sessionContext(data),
-			secure
-		});
-		return this._finalizeTransportMethods(data);
+function rtcCarrier(dataChannel, options = {}) {
+	return {
+		carrierLabel: "webrtc",
+		open: () => rtcDataChannelByteChannel(dataChannel),
+		getCacheKey: options.getTransportCacheKey ?? (() => ["webrtc"]),
+		getRouteInfo: options.getRouteInfo
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/err_nice_transport_ws.ts
+let EErrId_NiceTransport_WebSocket = /* @__PURE__ */ function(EErrId_NiceTransport_WebSocket) {
+	EErrId_NiceTransport_WebSocket["ws_disconnected"] = "ws_disconnected";
+	EErrId_NiceTransport_WebSocket["ws_create_failed"] = "ws_create_failed";
+	EErrId_NiceTransport_WebSocket["ws_error"] = "ws_error";
+	return EErrId_NiceTransport_WebSocket;
+}({});
+const err_nice_transport_ws = err_nice_transport.createChildDomain({
+	domain: "ws_transport",
+	schema: {
+		["ws_disconnected"]: (0, _nice_code_error.err)({ message: () => `WebSocket transport disconnected.` }),
+		["ws_create_failed"]: (0, _nice_code_error.err)({ message: ({ originalError }) => `Failed to create WebSocket transport.${originalError ? ` Original error: ${originalError.message}` : ""}` }),
+		["ws_error"]: (0, _nice_code_error.err)({ message: ({ originalError }) => `WebSocket transport error.${originalError ? ` Original error: ${originalError.message}` : ""}` })
 	}
-	_sessionContext(data) {
-		return {
-			channel: data.channel,
-			resolvers: this.resolvers,
-			formatMessage: data.formatMessage,
-			updateRunConfig: data.updateRunConfig,
-			makeDisconnectError: linkDisconnectError
-		};
+});
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/ws_util.ts
+/**
+* Send a text or binary frame over a socket. A binary formatter may hand back a `Uint8Array` whose
+* backing buffer is typed as `ArrayBufferLike` (msgpackr pools buffers / may be `SharedArrayBuffer`),
+* which `WebSocket.send`'s `BufferSource` parameter rejects — copy it into a fresh `ArrayBuffer`-backed
+* view so the type (and the bytes) are safe to send.
+*/
+function sendFrame(ws, data) {
+	if (typeof data === "string" || data instanceof ArrayBuffer) {
+		ws.send(data);
+		return;
 	}
-	_finalizeTransportMethods(data) {
-		return finalizePlainLinkMethods(this._sessionContext(data));
+	ws.send(new Uint8Array(data));
+}
+/** Compact a WebSocket URL to `host/pathname` for devtools display, falling back to the raw url. */
+function shortWs(url) {
+	try {
+		const u = new URL(url);
+		return `${u.host}${u.pathname}`;
+	} catch {
+		return url;
 	}
-};
+}
 //#endregion
-//#region src/ActionRuntime/Transport/Link/LinkTransport.ts
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/webSocketByteChannel.ts
+/**
+* Adapt a `WebSocket` to the carrier-agnostic {@link IDuplexCarrier}, so the WebSocket becomes
+* "just another carrier" under the shared secure session. It owns every WebSocket-specific concern —
+* awaiting `open`, normalizing `Blob` frames to bytes, suppressing the log on a deliberate `close`, and
+* buffering any frame that arrives before the session attaches its handler — leaving the session itself
+* carrier-neutral.
+*/
+function webSocketByteChannel(ws) {
+	let intentional = false;
+	let onMessage;
+	let onClose;
+	const preAttach = [];
+	const deliver = (frame) => {
+		if (onMessage != null) onMessage(frame);
+		else preAttach.push(frame);
+	};
+	ws.addEventListener("message", async (event) => {
+		const frame = await normalizeFrame(event.data);
+		if (frame !== void 0) deliver(frame);
+	});
+	ws.addEventListener("close", (event) => {
+		if (!intentional) console.error("WebSocket closed:", event);
+		onClose?.();
+	});
+	ws.addEventListener("error", (event) => {
+		console.error("WebSocket error:", event);
+		onClose?.();
+	});
+	return {
+		ready: new Promise((resolve, reject) => {
+			if (ws.readyState === WebSocket.OPEN) {
+				resolve();
+				return;
+			}
+			ws.addEventListener("open", () => resolve(), { once: true });
+			ws.addEventListener("error", (event) => reject(event), { once: true });
+			ws.addEventListener("close", (event) => reject(/* @__PURE__ */ new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
+		}),
+		isOpen: () => ws.readyState === WebSocket.OPEN,
+		send: (frame) => sendFrame(ws, frame),
+		attach: (handlers) => {
+			onMessage = handlers.onMessage;
+			onClose = handlers.onClose;
+			for (const frame of preAttach) handlers.onMessage(frame);
+			preAttach.length = 0;
+		},
+		close: () => {
+			intentional = true;
+			try {
+				ws.close();
+			} catch {}
+		},
+		get label() {
+			return ws.url != null && ws.url !== "" ? ws.url : void 0;
+		}
+	};
+}
+/** Accept text + binary frames (ArrayBuffer / Uint8Array / Blob); Blobs are converted to a buffer. */
+async function normalizeFrame(data) {
+	if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) return data;
+	if (typeof Blob !== "undefined" && data instanceof Blob) return await data.arrayBuffer();
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/wsCarrier.ts
 /**
-* A carrier-agnostic transport: it drives nice-action's secure session + action routing over any
-* {@link IDuplexCarrier}. The WebSocket transport is the special case that opens a `WebSocket`;
-* this opens whatever `openChannel` returns, so the identical secure layer works over WebRTC, Bluetooth,
-* or an in-memory pipe. Reported with an overridable carrier label in the devtools (defaults to "link").
+* A WebSocket {@link IDuplexCarrierSource}: opens an `arraybuffer` socket to `url` (cached per endpoint)
+* and adapts it to a carrier. Hand it to {@link secureTransport} (or `LinkTransport`) — the WebSocket is
+* now "just another carrier" under the shared secure session, with no WS-specific transport class.
 */
-var LinkTransport = class LinkTransport extends Transport {
-	options;
-	type = "duplex";
-	constructor(options) {
-		super();
-		this.options = options;
-	}
-	static create(options) {
-		return new LinkTransport(options);
-	}
-	_createConnection(ctx) {
-		const options = this.options;
-		return new LinkConnection({ initialize: () => ({
-			getTransportCacheKey: options.getTransportCacheKey,
-			isAvailable: options.available,
-			getTransport: (input) => ({
-				status: "ready",
-				readyData: {
-					channel: options.openChannel(input),
-					formatMessage: options.createFormatMessage?.() ?? options.formatMessage,
-					updateRunConfig: options.updateRunConfig,
-					secureChannel: options.security
-				}
-			})
-		}) }, ctx.resolvers);
-	}
-	getRouteInfo(input) {
-		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
-		return {
-			carrierLabel: this.options.label ?? "link",
-			summary: this.options.label ?? "link"
-		};
-	}
-};
+function wsCarrier(url, options = {}) {
+	return {
+		carrierLabel: "ws",
+		open: (input) => webSocketByteChannel(options.createWebSocket?.(input) ?? defaultWebSocket(url)),
+		getCacheKey: options.getTransportCacheKey ?? (() => [url]),
+		getRouteInfo: options.getRouteInfo ?? (() => ({
+			carrierLabel: "ws",
+			url,
+			summary: `ws ${shortWs(url)}`
+		}))
+	};
+}
+function defaultWebSocket(url) {
+	const ws = new WebSocket(url);
+	ws.binaryType = "arraybuffer";
+	return ws;
+}
 //#endregion
-//#region src/ActionRuntime/Transport/Carrier/Carrier.types.ts
+//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpAcceptorCarrier.ts
 /**
-* Narrow a carrier source to the exchange shape via its `shape` discriminant — the one branch the
-* transport factories ({@link secureTransport}, {@link plainTransport}) use to pick the duplex vs
-* exchange transport. A duplex source carries no `shape`, so the `else` branch is the duplex one.
+* An HTTP {@link IExchangeAcceptorCarrier}: the accept-in dual of {@link httpCarrier}. It serves the
+* secure exchange protocol (handshake → token session → encrypted frames) over web-standard
+* `Request`/`Response`. The crypto identity, runtime coordinate, dictionary version, and accepted security
+* levels are all supplied centrally by `serveChannel`, so this only needs to say which requests carry an
+* action envelope and how to answer CORS.
 */
-function isExchangeCarrierSource(carrier) {
-	return "shape" in carrier && carrier.shape === "exchange";
+function httpAcceptorCarrier(options = {}) {
+	return {
+		shape: "exchange",
+		carrierLabel: options.carrierLabel ?? "http",
+		secure: options.secure,
+		isActionPath: options.isActionPath,
+		cors: options.cors,
+		useErrorStatus: options.useErrorStatus
+	};
 }
 //#endregion
-//#region src/ActionRuntime/Transport/plainTransport.ts
-function plainTransport(options) {
-	const carrier = options.carrier;
-	if (isExchangeCarrierSource(carrier)) return ExchangeTransport.create({
-		openCarrier: carrier.open,
-		getTransportCacheKey: carrier.getCacheKey,
-		available: options.available,
-		getRouteInfo: carrier.getRouteInfo,
-		label: options.label ?? carrier.carrierLabel,
-		updateRunConfig: options.updateRunConfig
-	});
-	return LinkTransport.create({
-		openChannel: carrier.open,
-		formatMessage: options.formatMessage,
-		createFormatMessage: options.createFormatMessage,
-		getTransportCacheKey: carrier.getCacheKey,
-		available: options.available,
-		getRouteInfo: carrier.getRouteInfo,
-		label: options.label ?? carrier.carrierLabel,
-		updateRunConfig: options.updateRunConfig
-	});
+//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpCarrier.ts
+function shortPath(url) {
+	try {
+		return new URL(url).pathname || url;
+	} catch {
+		return url;
+	}
+}
+/**
+* An HTTP {@link IExchangeCarrierSource}: each `exchange` POSTs one frame body to the action endpoint and
+* resolves with the response body as the single correlated reply. Hand it to {@link secureTransport} —
+* HTTP then runs the *same* secure session as a duplex carrier (handshake → token → encrypted frames),
+* the request/reply correlation provided for free by the HTTP transaction.
+*
+* `createRequest` derives the URL/headers per action (keep it simple with `() => ({ url })`). The body is
+* the session's responsibility, so it is never built here.
+*/
+function httpCarrier(createRequest, options = {}) {
+	const doFetch = options.fetch ?? fetch;
+	return {
+		shape: "exchange",
+		carrierLabel: "http",
+		open: (input) => {
+			const request = createRequest(input);
+			return {
+				label: request.url,
+				exchange: async (frame, opts) => {
+					return await (await doFetch(request.url, {
+						method: "POST",
+						headers: {
+							"Content-Type": "application/json",
+							...request.headers
+						},
+						body: typeof frame === "string" ? frame : new Uint8Array(frame),
+						signal: opts?.signal
+					})).text();
+				}
+			};
+		},
+		getCacheKey: options.getTransportCacheKey ?? ((input) => [createRequest(input).url]),
+		getRouteInfo: options.getRouteInfo ?? ((input) => {
+			const { url } = createRequest(input);
+			return {
+				carrierLabel: "http",
+				method: "POST",
+				url,
+				summary: `POST ${shortPath(url)}`
+			};
+		})
+	};
 }
 //#endregion
-//#region src/ActionRuntime/Transport/secureTransport.ts
-function secureTransport(options) {
-	const link = new _nice_code_util.ClientCryptoKeyLink({ storageAdapter: options.storageAdapter });
-	const security = {
-		securityLevel: options.securityLevel,
-		link,
-		localCoordinate: options.runtime.coordinate.toJsonObject(),
-		dictionaryVersion: options.channel.dictionaryVersion
+//#region src/ActionRuntime/Transport/codec/createBinaryWireAdapter.ts
+/**
+* Positional layout of the stateless binary envelope. A flat tuple (rather than an object) strips the
+* repeated `domain`/`id`/`form`/`type` and context key names from every frame, and we carry only the
+* context fields the receiver can't recompute: `cuid` (correlation) and `originClient` (return
+* routing).
+*
+*   [ routeInt, typeInt, time, cuid, originClient, payloadData ]
+*
+* Dropped vs the JSON wire: `form`/`type` strings, `inputHash`/`outputHash` (recomputed on hydrate),
+* `context.timeCreated` (reconstructed from `time`) and `context.routing` (rebuilt empty — the
+* receiver re-stamps its own route items as it handles the action). For the leanest possible frames
+* (integer correlation, identity dropped after a handshake), use `createBinaryWireSessionFactory`.
+*/
+const ENVELOPE = {
+	route: 0,
+	type: 1,
+	time: 2,
+	cuid: 3,
+	originClient: 4,
+	payload: 5
+};
+const ENVELOPE_LENGTH = 6;
+/**
+* Builds a *stateless* `formatMessage` pipeline for {@link LinkTransport}, packing action
+* payloads into a compact msgpackr binary frame instead of JSON. The `domain`/`id` route collapses to
+* a single integer drawn from a shared dictionary; `form`/`type`, the recomputable
+* `inputHash`/`outputHash`, and the per-frame `context.routing`/`context.timeCreated` are all dropped
+* (see {@link ENVELOPE}).
+*
+* No validation runs here: `incoming` blindly reconstructs the wire JSON shape and hands it back to
+* the connection, which flows into `ActionRuntime` → `domain.hydrateAnyAction()` where the Valibot
+* schemas validate it exactly as they would for a JSON frame.
+*
+* Both ends of the socket MUST construct the adapter with the same domains in the same order — the
+* integer dictionary is positional. Mismatched dictionaries will route to the wrong action.
+*
+* Because `incoming` returns `undefined` for text frames, a binary server can still serve plain-JSON
+* clients on the same runtime (the connection falls back to its built-in JSON parser).
+*/
+function createBinaryWireAdapter(domains) {
+	const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
+	return {
+		outgoing: (input) => {
+			const json = input.action.toJsonObject();
+			const routeKey = `${json.domain}:${json.id}`;
+			const routeInt = routeToInt.get(routeKey);
+			if (routeInt == null) throw new Error(`[binary-wire] Cannot pack unregistered action route: ${routeKey}`);
+			const envelope = new Array(ENVELOPE_LENGTH);
+			envelope[ENVELOPE.route] = routeInt;
+			envelope[ENVELOPE.type] = PayloadTypeToInt[json.type];
+			envelope[ENVELOPE.time] = json.time;
+			envelope[ENVELOPE.cuid] = json.context.cuid;
+			envelope[ENVELOPE.originClient] = json.context.originClient;
+			envelope[ENVELOPE.payload] = extractWirePayload(json);
+			return (0, msgpackr.pack)(envelope);
+		},
+		incoming: (frame) => {
+			let buffer;
+			if (frame instanceof ArrayBuffer) buffer = new Uint8Array(frame);
+			else if (frame instanceof Uint8Array) buffer = frame;
+			else return;
+			try {
+				const envelope = (0, msgpackr.unpack)(buffer);
+				if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH) return void 0;
+				const routeMeta = intToRoute[envelope[ENVELOPE.route]];
+				const payloadType = ReversePayloadType[envelope[ENVELOPE.type]];
+				if (routeMeta == null || payloadType == null) return void 0;
+				const time = envelope[ENVELOPE.time];
+				return assembleWireJson(routeMeta, payloadType, time, {
+					cuid: envelope[ENVELOPE.cuid],
+					timeCreated: time,
+					routing: [],
+					originClient: envelope[ENVELOPE.originClient]
+				}, envelope[ENVELOPE.payload]);
+			} catch (e) {
+				console.error("[binary-wire] Failed to unpack binary action frame", e);
+				return;
+			}
+		}
 	};
-	const carrier = options.carrier;
-	if (isExchangeCarrierSource(carrier)) return ExchangeTransport.create({
-		openCarrier: carrier.open,
-		getTransportCacheKey: carrier.getCacheKey,
-		available: options.available,
-		getRouteInfo: carrier.getRouteInfo,
-		label: carrier.carrierLabel,
-		security
-	});
-	return LinkTransport.create({
-		openChannel: carrier.open,
-		createFormatMessage: options.channel.createCodec,
-		getTransportCacheKey: carrier.getCacheKey,
-		available: options.available,
-		getRouteInfo: carrier.getRouteInfo,
-		label: carrier.carrierLabel,
-		security
-	});
 }
 //#endregion
 exports.AcceptorHandler = AcceptorHandler;
@@ -4958,11 +5001,9 @@ exports.isActionPayload_Any_JsonObject = isActionPayload_Any_JsonObject;
 exports.isActionPayload_Request_JsonObject = isActionPayload_Request_JsonObject;
 exports.isActionPayload_Result_JsonObject = isActionPayload_Result_JsonObject;
 exports.isExchangeAcceptorCarrier = require_wsAcceptorCarrier.isExchangeAcceptorCarrier;
-exports.plainTransport = plainTransport;
 exports.rtcCarrier = rtcCarrier;
 exports.rtcDataChannelByteChannel = rtcDataChannelByteChannel;
 exports.runtimeLinkId = runtimeLinkId;
-exports.secureTransport = secureTransport;
 exports.serveChannel = serveChannel;
 exports.wsAcceptorCarrier = require_wsAcceptorCarrier.wsAcceptorCarrier;
 exports.wsCarrier = wsCarrier;